Well it's been in the making for a while. Due to certain events and health issues we've had trouble being consistent. Good for us, we've been able to work on our pet project. A all French language podcast :)
Loosely styled around Pauldotcom security weekly's format, we try to inform and give out bits of information to people. We also try to entertain, but remember we are not professionals at this. No spoon feeding, you won't learn to hack, penetrate or compromise systems, but you will learn basic information and where to start if you're interested.
So far, we have 2 episodes available for download on iTunes, or direct links from our site.
Episode 1: We introduce ourselves, talk a bit about the Sulley Framework
Episode 2: Quick talk on Internet Explorer, Snort and Airdrop-ng
Here's the RSS feed if you wish.
Keep in mind we're knew at this, and will try to come out with new episodes once every 3 weeks to a month.
Also as a reminder, HackUS's CTF is very close so check them out and get registered.
Hackfest.ca 2010's Call for paper is also open, so if you're interested or have something to say drop them an email
Hope you enjoy the podcast,
Have a good one.
Tuesday, March 23, 2010
Saturday, March 13, 2010
Hackus.org CTF soon upon us
Well, it's almost time for Sherbrooke University's CTF. You can get all the information at the HackUS.org site.
Everyone from Kioptrix.com will be participating...yes all 2 of us.
This 3 day event will be my first CTF experience. Should be interesting to see how my new-ish skills stack up to more seasoned and experienced computer geeks. Although I don't consider myself a "hacker", I expect we'll do poorly compared to other teams. For example, the team from the Universite de Quebec a Montreal (UQAM) took first place at Hackfest.ca's CTF last novermber. I don't expect to even come close to these guys. Our goal? 1 point..at least.
Nothing really security related on this post, just wanted to inform to whom ever is reading this, we'll be reporting back from HackUS with a nice play-by-play of the CTF.
Remember to visit those sites I mentioned above, and also kioptrix.com
Have a good one,
LF
Everyone from Kioptrix.com will be participating...yes all 2 of us.
This 3 day event will be my first CTF experience. Should be interesting to see how my new-ish skills stack up to more seasoned and experienced computer geeks. Although I don't consider myself a "hacker", I expect we'll do poorly compared to other teams. For example, the team from the Universite de Quebec a Montreal (UQAM) took first place at Hackfest.ca's CTF last novermber. I don't expect to even come close to these guys. Our goal? 1 point..at least.
Nothing really security related on this post, just wanted to inform to whom ever is reading this, we'll be reporting back from HackUS with a nice play-by-play of the CTF.
Remember to visit those sites I mentioned above, and also kioptrix.com
Have a good one,
LF
Tuesday, March 9, 2010
Airdrop-ng.. what I've learned
It's been sometime since I've posted something, and I apologize. Changed jobs, then the training and getting used to the new people and work environment (which is still on going) has prevented me from investing time into learning new security related...stuff.
Well today I took the time to try out "airdrop-ng". The new de-authentication tool developed by TheX1le if I'm not mistaken. The basic premise behind this python application is pretty simple: prevent or allow connections to wireless access points to clients. Either by MAC address, vendor name etc. Or by the access point's MAC and vendor etc.
You can prevent 1 specific client to connect to any access point in your area, or allow only that 1 client to connect. The possibilities are enormous. In a nutshell, you're deciding who can connect, and to what they are connecting.
Here's the video presentation of airdrop-ng at Schmoocon 2010 - here -
Installing airdrop-ng is quite simple (as usual I'm using Backtrack 4):
I suggest reading the README file.
There you have it, it's installed. Take the time to read the README file and examples and explanations found in the docs folder.
Using airdrop-ng is pretty easy (so far). For now I can only test it using 1 wireless card (second is one the way). It works with the single card, but I can see why it would better with 2.
Using only 1 card, you kinda need to be specific in your rules file. For example, "d/ANY|ANY" won't work as well as "d/ANY|Apple". Since you need airodump-ng running the whole time airdrop-ng is. They seem to be battling each other for use of the card. Running the "d/ANY|ANY" with one card will generate lots of errors.
So "d/"AP MAC ADDY"|ANY " works also, but won't completely deny access to the access point. As far as my tests here, my laptop would lose 50% of it's pings. Although my laptop was still connected to the router, Internet access was pretty darn slow.
Guess that's all for my findings on airdrop-ng so far. Once I get my second wireless adapter, I'll be in a better position to experiment and report on it's usage. TheX1le's application is very nice, easy to use and understand. Besides a few typos in the documentation, it's an easy read and something I suggest you do.
I'll try and whip up a video of it in action in the next few weeks.
Thanks for reading, and remember to visit us at kioptrix.com
Well today I took the time to try out "airdrop-ng". The new de-authentication tool developed by TheX1le if I'm not mistaken. The basic premise behind this python application is pretty simple: prevent or allow connections to wireless access points to clients. Either by MAC address, vendor name etc. Or by the access point's MAC and vendor etc.
You can prevent 1 specific client to connect to any access point in your area, or allow only that 1 client to connect. The possibilities are enormous. In a nutshell, you're deciding who can connect, and to what they are connecting.
Here's the video presentation of airdrop-ng at Schmoocon 2010 - here -
Installing airdrop-ng is quite simple (as usual I'm using Backtrack 4):
I suggest reading the README file.
root@bt:~# apt-get install python-psyco
root@bt:~# cd /pentest/wireless/
root@bt:/pentest/wireless# svn co http://trac.aircrack-ng.org/svn/trunk/scripts/airdrop-ng
root@bt:/pentest/wireless/airdrop-ng/python install.py
root@bt:/pentest/wireless/airdrop-ng/airdrop-ng -u #this is to update the OUI text file
There you have it, it's installed. Take the time to read the README file and examples and explanations found in the docs folder.
Using airdrop-ng is pretty easy (so far). For now I can only test it using 1 wireless card (second is one the way). It works with the single card, but I can see why it would better with 2.
Using only 1 card, you kinda need to be specific in your rules file. For example, "d/ANY|ANY" won't work as well as "d/ANY|Apple". Since you need airodump-ng running the whole time airdrop-ng is. They seem to be battling each other for use of the card. Running the "d/ANY|ANY" with one card will generate lots of errors.
So "d/"AP MAC ADDY"
Guess that's all for my findings on airdrop-ng so far. Once I get my second wireless adapter, I'll be in a better position to experiment and report on it's usage. TheX1le's application is very nice, easy to use and understand. Besides a few typos in the documentation, it's an easy read and something I suggest you do.
I'll try and whip up a video of it in action in the next few weeks.
Thanks for reading, and remember to visit us at kioptrix.com
Sunday, February 21, 2010
Sulley Framework Resquet Files
The Sulley Framework is a great fuzzing tool. One of the best out there in my opinion. Unfortunately, as far as I can tell anyway, development has stopped. Meaning nothing new to the framework... For last few months, I've been doing my best to learn this framework. Let me tell you, it hasn't been always easy. Not much information out there besides a few basic tutorials.
Something else that is missing are request files. The request file is, in sense, what makes fuzzing an application possible. There are a few files that come stock with Sulley, but not many. So I'm gonna try and re-mediate the situation by posting/sharing request files I've been able to find and/or create with the help of a few friends.
Sulley Request Files
The Sulley Framework Request File Repository; My hopes (in time) is to build a nice collection of files so people trying to learn and use Sulley can have a starting point. I also hope that veterans of the framework will be nice enough to contribute, point out mistakes and send in their own request files they've crafted over time. The site is pretty new, and I'm not web designer. I'll do my best to update the file list when new ones are created, or sent in.
So I call out to everyone that has experience with this framework, and to help out the new guys.
Thank you,
loneferret
www.kioptrix.com
Something else that is missing are request files. The request file is, in sense, what makes fuzzing an application possible. There are a few files that come stock with Sulley, but not many. So I'm gonna try and re-mediate the situation by posting/sharing request files I've been able to find and/or create with the help of a few friends.
Sulley Request Files
The Sulley Framework Request File Repository; My hopes (in time) is to build a nice collection of files so people trying to learn and use Sulley can have a starting point. I also hope that veterans of the framework will be nice enough to contribute, point out mistakes and send in their own request files they've crafted over time. The site is pretty new, and I'm not web designer. I'll do my best to update the file list when new ones are created, or sent in.
So I call out to everyone that has experience with this framework, and to help out the new guys.
Thank you,
loneferret
www.kioptrix.com
Sunday, February 14, 2010
Automated tool Dependency
I while ago, when I was doing the OSCP course. I learned about shellcodes and exploits. During this time, usage of Metasploit's online shellcode generator was really useful. When it came down to exam time, well the site was down... No more automated tool, and this during my 24 hour exam. What did I do? A little google search and presto found how to correctly use msfpayload + msfencode. All was well.
Since then, I've gone back to using the online tool. Bad idea.. I say this because recently, I've had to generate some shellcode for an exploit. Of course the automated online tool was down. This forced me once again to re-learn the command line tool. This made me realize two things.
1: We rely way too much on automated tools
2: Laziness kicks in so very fast.
I mean, it isn't that hard to use, and remember. Just need to type it a few times to get the syntax burned into that gray matter of ours.
msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c
Here's an example of using both msfpayload and msfencode.
The payload is windows/exec, the CMD is calc.exe and we output the raw code. We pipe that into msfencode.
The "-b" is the list of bad characters the -e is the encoder (this case shikata ga nai) and we output to C format using the "-t" switch.
There are plenty of online resources that can show you how to use it. This is true for every automated tool we are used to use.
Bottom line, if it's command line and there's an automated tool.... learn the command line first.
You never know when that automated one will be pulled off the air.
Since then, I've gone back to using the online tool. Bad idea.. I say this because recently, I've had to generate some shellcode for an exploit. Of course the automated online tool was down. This forced me once again to re-learn the command line tool. This made me realize two things.
1: We rely way too much on automated tools
2: Laziness kicks in so very fast.
I mean, it isn't that hard to use, and remember. Just need to type it a few times to get the syntax burned into that gray matter of ours.
msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c
Here's an example of using both msfpayload and msfencode.
The payload is windows/exec, the CMD is calc.exe and we output the raw code. We pipe that into msfencode.
The "-b" is the list of bad characters the -e is the encoder (this case shikata ga nai) and we output to C format using the "-t" switch.
There are plenty of online resources that can show you how to use it. This is true for every automated tool we are used to use.
Bottom line, if it's command line and there's an automated tool.... learn the command line first.
You never know when that automated one will be pulled off the air.
Thursday, February 4, 2010
The Sulley Framework -Basic part 2-
In my previous entry on the Sulley Framework, we took a look at a simple request and session file to fuzz a FTP server. This time we'll look at what we need to have and do to fuzz a TFTP server. The big difference is one uses the TCP protocol and the other UDP.
By default Sulley will connect to TCP ports. We need to specify that we are trying to fuzz UDP. This is specified in our session file.
from sulley import * # import everything from Sulley
from requests import tftp
sess = sessions.session(session_filename="audits/tftpserver.session",proto="udp")
#Target IP xxx.xxx.xxx.xxx
target = sessions.target("xxx.xxx.xxx.xxx", <PORT#>)
target.netmon = pedrpc.client("xxx.xxx.xxx.xxx", 26001)
target.procmon = pedrpc.client("xxx.xxx.xxx.xxx", 26002)
target.procmon_options = { "proc_name" : "<PROCESS NAME>" }
sess.add_target(target)
sess.connect(s_get("tftp"))
sess.fuzz()
Once you've specified the "proto" parameter, the rest of the session file is pretty much the same as fuzzing any other protocol. Now that you have you session file configured for UDP connections, you'll need a request file. I found this basic file TFTP request file on the Internet here.
Now that we have our session and request file. There's one more change that needs to be done before we can appreciate all of this. When fuzzing a TCP protocol, you would run the network_monitor script like so:
c:\sulley>python network_monitor.py -d X -f "src or dst port XX" -P \\path
Well since this is UDP and the traffic is only one way, the pcap string won't capture anything. So you'll need to enter it this way:
c:\sulley>python network_monitor.py -d X -f "udp dst port XX" -P \\path
As with anything script related, this can be improved.
So know you can pretty much follow my previous blog post on Sully or view the video on kioptrix.com and start fuzzing UDP. Try downloading a known vulnerable TFTP server and watch it fuzz... Here's a nice little list from exploit-db that you can have fun with.
As always, I'll try and get a video up demonstrating this. Always fun to make those, and perhaps I'll actually put the "Benny Hill" theme song... or just sound. One day perhaps.
Thanks again, hope you enjoyed this little read and remember to visit us at www.kioptrix.com
By default Sulley will connect to TCP ports. We need to specify that we are trying to fuzz UDP. This is specified in our session file.
from sulley import * # import everything from Sulley
from requests import tftp
sess = sessions.session(session_filename="audits/tftpserver.session",proto="udp")
#Target IP xxx.xxx.xxx.xxx
target = sessions.target("xxx.xxx.xxx.xxx", <PORT#>)
target.netmon = pedrpc.client("xxx.xxx.xxx.xxx", 26001)
target.procmon = pedrpc.client("xxx.xxx.xxx.xxx", 26002)
target.procmon_options = { "proc_name" : "<PROCESS NAME>" }
sess.add_target(target)
sess.connect(s_get("tftp"))
sess.fuzz()
Once you've specified the "proto" parameter, the rest of the session file is pretty much the same as fuzzing any other protocol. Now that you have you session file configured for UDP connections, you'll need a request file. I found this basic file TFTP request file on the Internet here.
Now that we have our session and request file. There's one more change that needs to be done before we can appreciate all of this. When fuzzing a TCP protocol, you would run the network_monitor script like so:
c:\sulley>python network_monitor.py -d X -f "src or dst port XX" -P \\path
Well since this is UDP and the traffic is only one way, the pcap string won't capture anything. So you'll need to enter it this way:
c:\sulley>python network_monitor.py -d X -f "udp dst port XX" -P \\path
As with anything script related, this can be improved.
So know you can pretty much follow my previous blog post on Sully or view the video on kioptrix.com and start fuzzing UDP. Try downloading a known vulnerable TFTP server and watch it fuzz... Here's a nice little list from exploit-db that you can have fun with.
As always, I'll try and get a video up demonstrating this. Always fun to make those, and perhaps I'll actually put the "Benny Hill" theme song... or just sound. One day perhaps.
Thanks again, hope you enjoyed this little read and remember to visit us at www.kioptrix.com
Saturday, January 30, 2010
Java Signed Applets
Been pretty busy these past few weeks, and finding the time to post stuff up is getting difficult. But I do bring something fun to watch.
If you administer users, you should have a look at this video:
Java Signed Applet
If you want a little more information on how to test this exploit in a controlled environment.
Head over to pauldotcom
The screencast is a little more "complete" then mine. I just wanted to prove a point.
Hope you enjoy it.
If you administer users, you should have a look at this video:
Java Signed Applet
If you want a little more information on how to test this exploit in a controlled environment.
Head over to pauldotcom
The screencast is a little more "complete" then mine. I just wanted to prove a point.
Hope you enjoy it.
Subscribe to:
Posts (Atom)