• Nitesh Dhanjani (although I don't think you could call Nitesh an alumni anymore... here is a link to his blog
• Brian Holyfield, who is also at Gotham Digital Science
• Nate McFeters - you can find his blog here
• Billy Rios - his blog is here
• Kevin Stadmeyer
• And of course, me

First of all, I got my turbo talk to Blackhat USA in Las Vegas accepted, so I'll be speaking there again for the first time since 2004. The paper is called "SQL Injection Worms for Fun and Profit", and appears to be even more timely than I expected when submitting it considering what is still an ongoing problem. I'll be in Vegas for both Blackhat and Defcon if anyone wants to plan a catch up.

On other news, I've made little progress on rewriting SQLBrute in .NET due to a lack of time. I am, however, going to release SQLBrute 1.1 in Python in the not too distant future - I'm adding Sybase support, and cleaning up a few of the routines. Also, check out the port of Microsoft's AntiXSS library to Java - you can check it out on the GDS Tools page.

Thats all for now - more news and happenings soon!

Check out Nitesh's site, or Billy's site, check out the interview they did with Help Net Security, and see them talk about it at Black Hat Federal 2008 in DC on the 20th of February.

Although there isn't a lot there at the moment, we're going to be putting up a lot of tools we've been working on as time permits.

Check out the blog for interesting technical content, including lessons learned and tips from our source code review/application vulnerability remediation work, as well as for some of the tools we'll be releasing in the coming weeks.

The change in the law, which went into effect on August 10, criminalises the production, distribution, possession, and sale of tools that can be used to commit cybercrimes. Unfortunately, a strict interpretation of the changes would make possession of tools that could be used maliciously (such as nmap or Nessus for instance) illegal. While in reality, legal opinions are that the courts would differentiate between a cracker and a security researcher based on their intent, noone (unsurprisingly) seems to want to be the first test case.

The content for a number of projects have all but disappeared, such as the recent Month of PHP bugs, and the well known THC (The Hackers Choice) group, as well as smaller projects such as BtCrawler. Others are saying farewell to Germany and reestablishing themselves elsewhere such as the KisMac wifi scanner for OSX and the Phenoelit group.

All in all a hard strike against a country which has produced much valuable security research and expertise.

The reason for this is that in Windows XP Service Pack 2, Microsoft introduced a number of Network Protection Technologies for mitigating the spread of malware. One of these limits the number of simultaneous incomplete outbound TCP connection attempts to 10, with additional attempts being queued and potentially dropped. This impacts the reliability of at least port scanning, and possibly other security checks.

Unfortunately the scenario I was working with required me to be running Nessus through a VPN client (never ideal), in reality requiring me to be on XP. Tenable does, however, have some recommendations for running Nessus as reliably as possible on XP:

• Max number of hosts: 10
• Max number of security checks: 4
• Max number of packets per second for port scan: 50

The maximum hosts/security checks setting is standard in all of the Nessus clients I've used, however the packets per second setting seems to only be available within the client shipped with the Windows Nessus server. If you, like me, are using the new NessusClient 3.0 beta for Windows, you need to make the following change to the Nessus server's configuration to ensure that 50 is the default value:

• Go to the "config" directory in your Nessus server installation. By default this is C:\Program Files\Tenable\Nessus\config
• Open config.default.xml for editing - just use Notepad if you don't have an XML editor
• Find the SYN Scan:Max number of packets per second for port scan node, and edit the value (the CDATA bit) from 500 to 50

This value should now be the default for all new scans.

This worked well for me, however needless to say that running a Nessus scan in VMWare (slowdown factor one), over a VPN link (slowdown factor two), over a transatlantic Internet connection (slowdown factor three), the scan took quite a while to complete...

If setting the environment variable, on the Windows command line you can do this:

set http_proxy=myproxy:8080

Which should point it to your proxy. The same works for Unix/Linux with whatever export or set command is relevant for your shell.

The proxy support in urllib2 doesn't support authentication so if you have a proxy with authentication you might want to chain SQLBrute through your favourite local proxy (i.e. Burp, Paros etc) and have that handle the authentication for you. Enjoy!

This is going to be the final version of SQLBrute to be released in Python. I've started redevelopment as a .NET Windows Forms application, and all new features, exploit techniques, and fun stuff will be rolled into that version (more detail to come as I approach something releasable).

You can also find SQLBrute, as well as my page showing an example of using SQLBrute (which is what I demoed) as well. Enjoy!

For those of you using the tool, I am planning to do a rewrite in the not too distant future. Amongst other things planned, I'm probably going to move to .NET, include a GUI, and in general make the tool a lot easier to use. More news on this as I get some time to do some coding.

I just spotted this article on the Tenable Blog in reading my morning RSS feeds - Tenable have added a plugin with the ability to interrogate Windows machines for the wireless SSID that they are currently associated to. Why would this be handy? How about to identify clients on your network that are bypassing network controls through using the local Starbucks' wireless network, and therefore providing a possible entry point back into your network.

This does of course have a few prerequisites:

• You need the Direct Feed (commercial) of Nessus plugins, or Security Center, to get this functionality. If you're a security professional using Nessus as a core tool you of course have this, don't you? Because then you get all sorts of useful stuff like SCADA plugins, and configuration/compliance auditing.
• You need to be doing a credentialed scan for the plugin to be able to use WMI to extract this information.

This should be able to give you a point in time view of whether hosts that you are scanning are connected to a wireless network when they are scanned. You can then match this against the list of known/authorised SSID's to identify where clients are associated to unauthorised access points (i.e. the local Starbucks).

Does this solve the problem of identifying clients bridging to a wireless network? Well, no - it has a couple of weaknesses:

• It is at a point in time, so you only have the view of what wireless networks your clients connect to when you're scanning them.
• This just identifies the SSID, not the access point itself (i.e. the access point's MAC address), so it's still possible it's a rogue access point.

However, it is certainly handy to have this kind of functionality for those who don't necessarily have a full blown wireless security solution in place.

First things first, you need to install a few libraries that aren't installed by default with Ubuntu:

sudo apt-get install python-imaging-tk python-serial python-crypto

This works nicely in Ubuntu 7.04 - for some reason the python-imaging-tk package seemed to be broken in Ubuntu 6.10 when I tried it (which is needed for the mrpkey.py tool which reads the passport).

Next step - edit the RFIDIOtconfig.py file to reflect the details of your RFID reader - in my case, this merely involved editing the first line to reflect the serial port (ttyS2 in my case):

# Out-of-Box Multi-ISO Serial
card= RFIDIOt.rfidiot(RFIDIOt.rfidiot.READER_ACG,'/dev/ttyS2',9600, 1)

So, first of all lets try performing a select on the passport - in this case, multiselect to perform multiple selects. This should tell us whether a New Zealand passport behaves like a UK passport in that there is ID generation going on.

[foo:~/Desktop/RFIDIOt-0.1k]$./multiselect.py 
multiselect v0.1f (using RFIDIOt v0.1j)
reader:  ACG MultiISO 1.0  (serial no: 34060218)
Card ID: 10B925A8
Card ID: 10B925A8
Card ID: 10B925A8
Card ID: 10B925A8

Apparently not - we get the same ID each time. Lets move on to trying to read the detail on the passport. This involves deriving some information from the Machine Readable Zone (MRZ) on the passport (if you've ever wondered what those two lines on the bottom of the passport photo pages translate to). For example (some information obscured), the second line of the MRZ on my daughter's passport (EAnnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06), equates to:

• Passport number: EAnnnnnn
• Check Digit: 3
• Nationality: NZL
• Date Of Birth: 07nnnn
• Check Digit: 3
• Sex: F
• Expiry: 12nnnn
• Check Digit: 6
• Optional: <<<<<<<<<<<<<<
• Check Digit: 0
• Composite Check Digit: 6

So now we can run the the mrpkey tool to read the passport (note I had to edit TAG_TYPES, and change 6C to 6c and 6D to 6d for this to work):

[foo:~/Desktop/RFIDIOt-0.1k]$./mrpkey.py "EAnnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06"
mrpkey v0.1g (using RFIDIOt v0.1j)
reader:  ACG MultiISO 1.0  (serial no: 34060218)

Passport number: EAnnnnnn<
Nationality: NZL
Date Of Birth: 07nnnn
Sex: F
Expiry: 12nnnn
Optional: <<<<<<<<<<<<<<

Generate local keys:

Key MRZ Info (kmrz): EAnnnnnn<307nnnn312nnnn6

Select Passport Application (AID):  OK
Select Master File:  Basic Access Control enforced!
Authenticating:  OK

Generate session keys: 

Kifd XOR Kicc (kseed):  1edfc8a6963509b658a131c582715ab4
Session Key ENC:  544929197fc7cdb96dae46e03876d6ce
Session Key MAC:  0b209e16f42c543743b97586016138d0

Calculate Send Sequence Counter: 

SSC:  e73e5c97ee24ba0e
60165f01
File Length:  24
Reading: 00000
EF.COM:  Length:  22
Tag: 5f01 (LDS Version)
  Length:  4
    Data:  30313037
Tag: 5f36 (Unicode Version)
  Length:  6
    Data:  303430303030
Tag: 5c (Tag List)
  Length:  4
    Data Group:  61 (EF.DG1 Data Recorded in MRZ)
    Data Group:  75 (EF.DG2 Encoded Identification Features - FACE)
    Data Group:  6c (EF.DG12 Additional Document Detail(s))
    Data Group:  6d (EF.DG13 Optional Detail(s))
EF.COM stored in /tmp/EF_COM.BIN

Select EF.SOD:  File Length:  2055
Reading: 00000
EF.SOD stored in /tmp/EF_SOD.BIN

Select DG1: 
615b5f1f
File Length:  93
Reading: 00000
EF.DG1 stored in /tmp/EF_DG1.BIN
EF.DG1:  Data Length:  88
  Decoded Data: P<NZLCLARKE<<xxxxx<xxxxxxx<<<<<<<<<<<<<<<<<<EAnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06
    Document code:  P<
    Issuing State or organisation:  NZL
    Name:  CLARKE<<xxxxx<xxxxxxx<<<<<<<<<<<<<<<<<<
    Passport Number:  EAnnnnnn<
    Check Digit:  3
    Nationality:  NZL
    Date of Birth:  07nnnn
    Check Digit:  3
    Sex:  F
    Date of Expiry:  12nnnn
    Check Digit:  6
    Personal Number or other optional elements:  <<<<<<<<<<<<<<
    Check Digit:  0
    Composite Check Digit:  6

Select DG2: 
File Length:  14517
Reading: 00000
EF.DG2:  JPEG image stored in /tmp/EF_DG2.JPG
EF.DG2 stored in /tmp/EF_DG2.BIN

And voila! Passport read...

1. Cain - a subset of the handy functionality available in Cain & Abel, including cracking support for LM, NTLM, MD2, MD4, MD5, SHA1, RIPEMD160, CiscoPIX and MySQL hashes, decoders for Base64, Cisco Type 7 passwords, Cisco VPN Client passwords, and VNC passwords, and support for dumping ActiveSync, Pocket IE, Pocket Outlook and Pocket MSN passwords from the device. Very handy set of tools, although the practicality of cracking hashes on a Pocket PC is dubious.
   
2. btCrawler - a simple and easy to use Bluetooth scanner, bluejacking and bluesnarfing tool for devices with Microsoft Bluetooth stacks. Note that most of the exploit functionality is disabled by default until you add some custom registry entries.
   
3. vxUtil Personal - a suite of network utilities , including DNS lookups, finger, IP subnet calculator, ping and ping sweep, a port scanner, and more.
   
4. WiFiFoFum - a wardriving and wireless scanning tool. Supports all wireless cards, wired and Bluetooth GPS units, and multiple export formats including text, Wi-scan, Tom Tom POI, MemoryMap and Netstumbler (ns1) formats.
   
5. Spybot - Search & Destroy - the Pocket PC version of the popular Windows spyware scanner.
   
6. Netcat for CE - the "network swiss army knife", for Pocket PC. Not everything works quite as it does on Windows or Linux, but the main functionality is there.
   
7. NBTStat CE - find those NetBIOS shares quickly using the Pocket PC version of NBTStat.
   
8. VNC Viewer - complete the trio of GUI clients by downloading this handy little VNC viewer. Supports both VNC 3.x and 4.x servers, full screen mode, and screen rotation.
   
9. OpenVPN - VPN into your home network (or other networks running OpenVPN) from your Pocket PC.
   
10. Citrix ICA client - Supporting most of the same functionality as the Windows client, this allows you to login to those Citrix machines you need to access.

Honourable mentions also need to go to:

• PocketConsole which allows you to unlock the power of the console, since Microsoft doesn't ship a console application with Windows Mobile. This also allows you to run text applications ported to PocketPC such as Pocket GnuPG and SNMPUtils. Unfortunately for me, it doesn't seem to work on my phone.
• Pocket PuTTY - Pocket PC port of the PuTTY ssh and telnet client.
• Skype - not a security tool per se, but since a lot of security professionals use Skype, its a must have on the Pocket PC.
• ppcPodcast - not strictly security, but allows you to download those security podcasts directly to your phone.