February 2006 Archives

February 13, 2006

Cool new web app security tool

A friend and old colleague of mine has been working on a tool for quite a while now, and he has recently released it publicly. It is called Oedipus, a web application security testing tool for penetration testers. It is available here.

The reporting functionality is pretty basic at the moment, but the testing framework seems to be pretty robust. The entire thing is written in Ruby, and is designed on a modular plugin basis to enable easy maintenance and extension. I'll probably be covering more on it sometime soon as I have an opportunity to peek under the bonnet :-)

Google Toolbar button

I've added a Google Toolbar button for my blog - if you're interested click this link to add justinclarke.com to your Google Toolbar. You'll need the latest beta version of the toolbar for this to work.

February 14, 2006

LinkedIn

I got sent a link to LinkedIn about a week and a half ago. In the meantime I've located lots of former colleagues, clients, and friends on the system. It seems to me to be a whole lot more useful than most of the social networking sites I've seen, and has the added bonus that lots of the security industry has accounts on it.

You can find my LinkedIn profile here.

February 15, 2006

Reviews for "Network Security Tools"

I was just ego searching on Google for references to the book Nitesh and I wrote (Network Security Tools). I found a few new reviews indexed by Google - including one in the IEEE Cipher Newsletter, Dave King's TheSecure.net blog, and we may even be (according to the Google indexed course proposal) required reading at a Network Security course at the University of Colorado at Boulder. It's always nice to know as an author that someone actually does read your book :-)

Caller ID spoofing

I note that Nitesh has some details about a service available in the US to allow you to do Caller ID spoofing very easily using a calling card. This is somewhat easier than having your own PABX and programming the outbound number :-)

February 19, 2006

EUSecWest/core06 coming up tomorrow...

The first annual EUSecWest conference (from the organisers of PacSec and CanSecWest) kicks off in London tomorrow. I'll be there, speaking on Tuesday, and blogging some detail about each of the talks. These are the talks that have been accepted:
  • van Hauser THC / n.runs GmbH
    Attacking the IPv6 protocol suite
  • Javier Burroni & Carlos Sarraute - Core Security Technologies
    Analyzing OS fingerprints using Neural Networks and Statistical Machinery
  • Nguyen Anh Quynh - Keio University
    XEBEK: A Next Generation Honeypot Monitoring System
  • Fred Raynal - EADS
    Malicious Crypto
  • Cesar Cerrudo - Argeniss
    Windows Local Shellcode Injection
  • Andrew Cushman - Microsoft
    Microsoft Security Fundamentals
  • Shreeraj Shah - Net Square
    Advanced Web Hacking - Attacks & Defense
  • Justin Clarke - Ernst & Young LLP
    Practical Automated Web Application Attack Techniques
  • Andy Davis - IRM PLC
    ColdFusion Security
  • Tim Hurman - Pentest Ltd.
    ARMed Combat: The Fight For Personal Security
  • Raffael Marty - ArcSight
    A Visual Approach to Security Event Management
  • Michael Boman - KPMG Singapore
    Network Security Monitoring: Theory and Practice
  • Jim DeLeskie & Danny McPherson - Teleglobe, Arbor Networks
    Protecting the Infrastructure
  • Andrea Barisani - Inverse Path
    Lessons in Open Source Security: The Tale of a 0-Day Incident
More details here tomorrow :-)

February 20, 2006

Day 1 of the EUSecWest/core06 security conference in London...

Here are my notes from day one of the first annual EUSecWest/core06 security conference in London:

van Hauser from The Hacker's Choice talked about IPv6 vulnerabilities, including the differences and similarities in performing certain types of exploits in IPv4 and IPv6, and some of the new issues raised by the introduction of IPv6. The presentation can be downloaded from here.

Some of the interesting highlights from my point of view were:
  • IPv6 is not in widespread use right now in Europe or the US (it is in Japan and South Korea).  A lot of the people using IPv6 (especially over IPv4) at the moment are Blackhats
  • A lot of the IPv4 reconnaissance techniques (such as ping sweeping) are not possible on IPv6 due to the number of IPs in the space - DNS is going to become key in identifying systems
    • Once we can compromise a "public" server (i.e. one we can find through DNS) we can use IPv6 multicast to find systems on that subnet
    • OSPFv3 relies on IPSec.... so we'd better be running it, or use another routing protocol
  • vh has written a toolset (library?) for testing IPv6, and created a whole host of tools as part of the IPv6 attack suite:
    • alive6 - for "alive" checking of hosts, if you are on the local subnet; ping sweeping the Internet for live hosts is not going to be feasible in an IPv6 world
    • parasite6 - for Man-in-the-middle attacks, leveraging weaknesses in Neighbour Discovery protocol (the IPv6 replacement for ARP)
    • dos-new-ipv6 - for preventing people from joining the network by claiming all IPs are already taken
    • fake_router6 - for Man-in-the-middle attacks using Router Advertisements
    • smurf6 - local subnet DoS using multicast
    • rsmurf6 - remote DoS for broken Linux IPv6 implementation
    • redir6 - route implanting using "secure" ICMPv6 redirects
    • toobig6 - reduce client's MTU
  • vh tested various IPv6 implementations (Windows XP SP2, Linux 2.6, OpenBSD, FreeBSD 5.3), and found that all of the implementations were vulnerable to one or more issues
  • Source routing may make a comeback, as all of the OSes tested passed on source routed packets, and these can be disguised by putting a fragmentation header in front of the routing header, hence passing routers.
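As an added example (not the speaker's material or part of the THC IPv6 attack suite), a defender-side check that walks the whole IPv6 extension header chain, so a Type 0 Routing header placed behind a Fragment header is still found; the packet it inspects is constructed inline, and the header numbers are the standard IANA protocol numbers.

```python
# Added example, not from the talk or the THC tools: walk the full IPv6 extension header
# chain so a Type 0 Routing header behind a Fragment header is still seen. Sample packet is constructed.
import struct

NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_TCP, NH_UDP, NH_ICMPV6 = 6, 17, 58
EXTENSION_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS}

def walk_extension_headers(pkt: bytes):
    """Return ([(header_number, offset), ...], upper_layer_number); the upper layer is
    None when the chain ends in a non-first fragment, whose remaining bytes are payload."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = pkt[6], 40, []
    while next_hdr in EXTENSION_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append((next_hdr, offset))
        if next_hdr == NH_FRAGMENT:
            frag_offset = struct.unpack("!H", pkt[offset + 2:offset + 4])[0] >> 3
            if frag_offset != 0:            # later fragment: no headers follow it
                return chain, None
            length = 8                      # Fragment header is a fixed 8 octets
        else:
            length = (pkt[offset + 1] + 1) * 8   # Hdr Ext Len excludes the first 8 octets
        next_hdr, offset = pkt[offset], offset + length
    return chain, next_hdr

def source_routing_behind_fragment(pkt: bytes) -> bool:
    """True if a Routing header of Type 0 (source routing) follows a Fragment header,
    the disguise described above, which a check of only the first Next Header misses."""
    chain, _ = walk_extension_headers(pkt)
    seen_fragment = False
    for hdr, off in chain:
        if hdr == NH_FRAGMENT:
            seen_fragment = True
        elif hdr == NH_ROUTING and pkt[off + 2] == 0 and seen_fragment:
            return True
    return False

def build_sample_packet() -> bytes:
    """Constructed packet: base header -> Fragment (offset 0) -> Routing Type 0 -> ICMPv6 echo."""
    src, dst, waypoint = (bytes.fromhex("20010db8" + "00" * 11 + b) for b in ("01", "02", "03"))
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)                 # checksum left as zero
    routing = struct.pack("!BBBBI", NH_ICMPV6, 2, 0, 1, 0) + waypoint  # Hdr Ext Len 2 = 24 octets
    fragment = struct.pack("!BBHI", NH_ROUTING, 0, 0, 0xDEADBEEF)     # offset 0, M flag clear
    payload = fragment + routing + icmp
    base = struct.pack("!IHBB", 6 << 28, len(payload), NH_FRAGMENT, 64) + src + dst
    return base + payload
```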

The next talk was by Barnaby Jack (from eEye Digital Security) about exploiting embedded systems.  This one was pretty interesting, and he was using a standard D-Link DI-604 broadband router as the exploit target.  Here are some notes:
  • A lot of embedded systems use ARM architectures, and real-time OSes such as ThreadX
  • By using a JTAG emulator, and with some soldering, you can hook up a debugger to the device and start debugging the firmware as it runs
    • Because of the watchdog timer, the device may need a patch to prevent the watchdog from resetting the device
    • Modifying firmware involves figuring out how it is encoded and checksummed by the vendor - from debugging the web server code
  • The demo was pretty impressive
    • It used a LAN-side 0day bug in a function in the UPnP code for the router - the exploit removed the admin password, and enabled the external WAN side admin port
    • Uploaded modified firmware with a "payload" that modified every .exe file downloaded through the router (popped up a command prompt with "OWNED" on it)

Javier Burroni and Carlos Sarraute from CORE Security gave a quite interesting talk on using statistical methods and neural networks to more accurately determine operating system versions from the network.  They talked about a couple of different tools:
  • An improved DCE-RPC endpoint mapper, which much more reliably determined what Windows version and service pack was running
  • An OS detection tool using the nmap OS signature database, designed to reduce false positives, and "improbable" results that you can get with nmap
    • first neural network to determine whether it is a "relevant" OS or not (i.e. one we have exploits for)
    • second neural network to determine what OS family the system is - i.e. Linux, Windows, OpenBSD, FreeBSD, NetBSD, Solaris
    • neural networks for each OS family to determine what version is running.

Nguyen Anh Quynh from Keio University in Japan (he is involved with development of Xen) gave a talk on next generation honeypot technology using Xen.

He talked about the weaknesses with Sebek in a honeynet environment - specifically that there are several ways to detect that you are in a honeypot, from detecting the presence of Sebek, to detecting the traffic that it sends on the network.

He then talked about "Xebek", which uses Xen to run honeypot systems as virtual machines ("user domains") within Xen, with the Xebek server running on "Domain 0" (the host/first VM) on the machine.  Apparently this, together with patching the system calls in the kernel and using shared memory to share data with the server, fixes most of the weaknesses of Sebek.

There was a spirited discussion in the Q&A about how detectable this approach will be versus the approach of Sebek.  Quynh did note that they are not attempting to hide the fact that the system is running in Xen, on the assumption that enough production systems will be running Xen that it will not be suspicious.

Frederick Raynal from the EADS Corporate Research Centre talked about the (ab)use of crypto.  This included discussion of a number of scenarios where crypto, humans, and trust could be abused, such as:
  • breaking the crypto (mis)used in the SuckIt rootkit versions 1 and 2 to take over a network of systems with SuckIt installed
  • using the trust relations, and information stored in a user's directory, to theorise the possibility of an SSH worm.  This included noting the use of existing sessions and other methods of capturing or leveraging existing access
  • looking at methods/possibilities for preventing the analysis of a binary through the use of crypto, including differing situations over keys and decryption
  • looking at scenarios for performing Man-in-the-Middle attacks against Skype.

Cesar Cerrudo from Argeniss talked about Windows local shellcode injection.  The technique he was demonstrating was based on the use of LPC named ports.  You can see these things using Process Explorer from SysInternals.  He went through the process of connecting to a process's LPC port (including some of the problems, like how to find the name of the port), creating a shared memory section, and using the shared section to put shellcode into the process's memory space.  This also returns you a pointer to where the shellcode resides, making exploitation even easier, more portable, and Windows version independent.

Cesar then went through and demonstrated his exploits for MS05-12 and MS05-40 that leverage this approach.  

Andrew Cushman from Microsoft came and talked about the work that MS is putting in on the security front over their products.  Andrew went through a lot of the efforts that are going into Vista, as well as an interesting talk about the Microsoft response to the WMF bug.

February 21, 2006

Practical Automated Web Application Attack Techniques

Today I am speaking at the EUSecWest/core06 security conference in London on "Practical Automated Web Application Attack Techniques". You can find my presentation here.

Also, here are the example files, parseLog.pl (which for some reason is not on the O'Reilly site), simpleScanner.pl, and extendedScanner.pl.

Day 2 of the EUSecWest/core06 security conference in London...

The second and last day of EUSecWest has been and gone. It turned out to be a fun experience, with a lot of valuable and interesting information shared by the speakers, and a lot of interesting folks met at the conference. Here are my notes from the main speakers today (I haven't included the lightning talks or vendors because I was busy drinking beer by that stage...):

Shreeraj Shah from net-square talked about web application attacks and defences.  He introduced and demonstrated a number of tools he has written for the enumeration of information from the MSN Search engine, as well as some cool tools for web services testing and penetration, including:
  • MSNPawn - discovery and enumeration of information about HTTP hosts (including discovering running hosts by the server IP address) from querying using the MSN Search web service
  • MSNKnight - for building a profile about the site, by acting as a local proxy
  • wsPawn - for footprinting web services
  • wsKnight - for interacting with the web service using a WSDL file
  • wsAudit - for performing attack fuzzing on web services

Justin Clarke (me) from Ernst & Young talked about automating web application assessment and exploitation.  The talk seemed to go down fairly well.  I demonstrated some of the tools that were written for Network Security Tools, as well as one tool (SQLBrute) that is available from my site.  I also completely forgot to demonstrate one small tool (IEnterceptor)... whoops.

Andy Davis from Information Risk Management talked about ColdFusion security.  They have been doing a lot of research on versions 7, 6.1 and 6.0 of CF, and talked about some of the issues (especially in the admin interface) that can be leveraged for nefarious purposes.  Some of the issues they found haven't been fixed yet (in the services etc. that ship with CF), so we can look forward to more once Adobe release the fixes.

Tim Hurman from Pentest Limited talked about the security of personal ARM devices, such as common PDAs.  This covered some similar ground to Barnaby Jack's talk yesterday, with the difference that Tim was using JTAG to debug iPAQs and the like, and went on to demo an "always on" vulnerability in (I think) the vCal parsing via Bluetooth OBEX file transfer on a (I think) HP 5xxx iPAQ running Windows Mobile 2003.  The exploit was a nice window showing "0wn3d".  Tim mentioned how this type of issue could be used to formulate an "airborne virus" that you could pick up from an infected device, which would attack your desktop PC when in the sync cradle, and attack other mobile devices via Bluetooth when not attached.  Nice :-)

Raffael Marty from ArcSight talked about visual security event analysis using the Afterglow toolset.  Raff went through a number of visualisation examples, and these did look very useful for this type of application.  I will definitely be having a look into these sometime soon.

Michael Boman from KPMG Singapore talked about network security monitoring theory and practice, and also the SGUIL network monitoring console.  This looked pretty useful, and a possible alternative to some of the (expensive) commercial consoles that are becoming more available.

Jim DeLeskie from Teleglobe and Danny McPherson from Arbor Networks talked about securing the infrastructure from the point of view of the service provider.  This was pretty interesting to me as well, especially when talking about the provider techniques and limitations when responding (or not) to DDoS attacks.

Andrea Barisani from Inverse Path (and the Gentoo team) talked about the Gentoo rsync server compromise that happened in December 2003 (of a core portage rsync server), the detection of the compromise, analysis of what happened (including identification of the flaw in rsync), and the coordination of working with the rsync developers in fixing the flaw.  Very informative.

February 28, 2006

Oedipus Web App Vulnerability Scanner

I have started contributing to the Oedipus Web App Vulnerability Scanner project on Rubyforge. The project is progressing pretty fast - there is a GUI in CVS, and a lot of functionality going into the project in the near future.

I am working on less common HTTP methods, and plugins testing permissions on directories for stuff like HTTP PUT and WebDAV. You don't find them often, but when they are there they can be devastating from a defacement point of view. More details coming soon ...

About February 2006

This page contains all entries posted to justinclarke.com in February 2006. They are listed from oldest to newest.
