Tuesday, March 23, 2010

News and updates...

Well, it's been in the making for a while. Due to certain events and health issues we've had trouble being consistent. Good for us, we've been able to work on our pet project: an all-French-language podcast :)
Loosely styled around PaulDotCom Security Weekly's format, we try to inform and give out bits of information to people. We also try to entertain, but remember we are not professionals at this. No spoon feeding: you won't learn to hack, penetrate or compromise systems, but you will learn basic information and where to start if you're interested.

So far, we have 2 episodes available for download on iTunes, or direct links from our site.
Episode 1: We introduce ourselves, talk a bit about the Sulley Framework
Episode 2: Quick talk on Internet Explorer, Snort and Airdrop-ng
Here's the RSS feed if you wish.

Keep in mind we're new at this, and will try to come out with new episodes once every 3 weeks to a month.

Also, as a reminder, HackUS's CTF is very close, so check them out and get registered.
Hackfest.ca 2010's call for papers is also open, so if you're interested or have something to say, drop them an email.

Hope you enjoy the podcast,
Have a good one.

Saturday, March 13, 2010

Hackus.org CTF soon upon us

Well, it's almost time for Sherbrooke University's CTF. You can get all the information at the HackUS.org site.
Everyone from Kioptrix.com will be participating... yes, all 2 of us.

This 3-day event will be my first CTF experience. Should be interesting to see how my new-ish skills stack up against more seasoned and experienced computer geeks. Although I don't consider myself a "hacker", I expect we'll do poorly compared to other teams. For example, the team from the Universite de Quebec a Montreal (UQAM) took first place at Hackfest.ca's CTF last November. I don't expect to even come close to these guys. Our goal? 1 point... at least.

Nothing really security related in this post; I just wanted to inform whoever is reading this that we'll be reporting back from HackUS with a nice play-by-play of the CTF.

Remember to visit those sites I mentioned above, and also kioptrix.com

Have a good one,
LF

Tuesday, March 9, 2010

Airdrop-ng.. what I've learned

It's been some time since I've posted something, and I apologize. Changing jobs, then the training and getting used to the new people and work environment (which is still ongoing) have prevented me from investing time into learning new security related... stuff.

Well, today I took the time to try out "airdrop-ng", the new de-authentication tool developed by TheX1le, if I'm not mistaken. The basic premise behind this Python application is pretty simple: prevent or allow clients to connect to wireless access points, either by the client's MAC address, vendor name, etc., or by the access point's MAC, vendor, etc.
You can prevent 1 specific client from connecting to any access point in your area, or allow only that 1 client to connect. The possibilities are enormous. In a nutshell, you're deciding who can connect, and to what they are connecting.

Here's the video presentation of airdrop-ng at ShmooCon 2010 - here -

Installing airdrop-ng is quite simple (as usual, I'm using BackTrack 4). I suggest reading the README file first.
root@bt:~# apt-get install python-psyco
root@bt:~# cd /pentest/wireless/
root@bt:/pentest/wireless# svn co http://trac.aircrack-ng.org/svn/trunk/scripts/airdrop-ng
root@bt:/pentest/wireless# cd airdrop-ng
root@bt:/pentest/wireless/airdrop-ng# python install.py
root@bt:/pentest/wireless/airdrop-ng# airdrop-ng -u    # updates the OUI (vendor prefix) text file

There you have it, it's installed. Take the time to read the README file and examples and explanations found in the docs folder.

Using airdrop-ng is pretty easy (so far). For now I can only test it using 1 wireless card (a second is on the way). It works with the single card, but I can see why it would be better with 2.
Using only 1 card, you kinda need to be specific in your rules file. For example, "d/ANY|ANY" won't work as well as "d/ANY|Apple", since you need airodump-ng running the whole time airdrop-ng is, and they seem to be battling each other for use of the card. Running "d/ANY|ANY" with one card will generate lots of errors.
So "d/<AP MAC ADDY>|ANY" works also, but won't completely deny access to the access point. In my tests here, my laptop would lose 50% of its pings. Although my laptop was still connected to the router, Internet access was pretty darn slow.
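To make the rules-file semantics above concrete, here is a small evaluator I added for this post (it is not airdrop-ng's own code). It assumes the syntax shown in the text: "a/" (allow) or "d/" (deny), then AP|CLIENT, where each side is ANY, a MAC address, or a vendor name resolved through an OUI list. First-match-wins and the OUI table are assumptions made for the example.

```python
"""Evaluate airdrop-ng style allow/deny rules for (AP, client) pairs.

Added illustration, not airdrop-ng's own code. Assumes 'a/' or 'd/' followed
by AP|CLIENT, each side being ANY, a MAC, or a vendor name (OUI lookup).
First matching rule wins (assumption); the OUI table below is constructed.
"""

# Constructed OUI prefixes (first three octets) -> vendor name.
OUI_TABLE = {
    "00:11:22": "Apple",
    "00:aa:bb": "Cisco",
}


def vendor_of(mac):
    """Vendor for a MAC address from its OUI prefix, or None if unknown."""
    return OUI_TABLE.get(mac.lower()[:8])


def parse_rule(line):
    """Parse 'd/AP|CLIENT' into (action, ap_selector, client_selector).

    Returns None for blank lines and '#' comments; raises ValueError for
    anything that is not a/ or d/ with exactly one '|' separator.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    action, sep, body = line.partition("/")
    if not sep or action not in ("a", "d") or body.count("|") != 1:
        raise ValueError("bad rule: %r" % line)
    ap_sel, client_sel = body.split("|")
    return action, ap_sel.strip(), client_sel.strip()


def selector_matches(selector, mac):
    """ANY matches everything; a MAC must match exactly; otherwise vendor name."""
    if selector.upper() == "ANY":
        return True
    if ":" in selector:
        return selector.lower() == mac.lower()
    vendor = vendor_of(mac)
    return vendor is not None and vendor.lower() == selector.lower()


def evaluate(rules, ap_mac, client_mac):
    """Return 'allow', 'deny' or 'no match' for the first rule that applies."""
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        action, ap_sel, client_sel = parsed
        if selector_matches(ap_sel, ap_mac) and selector_matches(client_sel, client_mac):
            return "allow" if action == "a" else "deny"
    return "no match"


if __name__ == "__main__":
    # Constructed rules file: deny every Apple client anywhere, allow the rest on one AP.
    RULES = ["# constructed rules", "d/ANY|Apple", "a/00:aa:bb:01:02:03|ANY"]
    print(evaluate(RULES, "00:aa:bb:01:02:03", "00:11:22:33:44:55"))  # deny
    print(evaluate(RULES, "00:aa:bb:01:02:03", "00:aa:bb:99:88:77"))  # allow
```

The vendor side is where the "-u" OUI update matters: a client whose prefix is not in the list can never match a vendor-name selector, only ANY or its literal MAC.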

Guess that's all for my findings on airdrop-ng so far. Once I get my second wireless adapter, I'll be in a better position to experiment and report on its usage. TheX1le's application is very nice, easy to use and understand. Besides a few typos in the documentation, it's an easy read and something I suggest you do.

I'll try and whip up a video of it in action in the next few weeks.
Thanks for reading, and remember to visit us at kioptrix.com

Sunday, February 21, 2010

Sulley Framework Request Files

The Sulley Framework is a great fuzzing tool, one of the best out there in my opinion. Unfortunately, as far as I can tell anyway, development has stopped, meaning nothing new to the framework... For the last few months, I've been doing my best to learn this framework. Let me tell you, it hasn't always been easy. There isn't much information out there besides a few basic tutorials.
Something else that is missing is request files. The request file is, in a sense, what makes fuzzing an application possible. There are a few files that come stock with Sulley, but not many. So I'm going to try and remedy the situation by posting/sharing request files I've been able to find and/or create with the help of a few friends.

Sulley Request Files
The Sulley Framework Request File Repository: my hope (in time) is to build a nice collection of files so people trying to learn and use Sulley can have a starting point. I also hope that veterans of the framework will be nice enough to contribute, point out mistakes and send in their own request files they've crafted over time. The site is pretty new, and I'm not a web designer. I'll do my best to update the file list when new ones are created or sent in.

So I call out to everyone that has experience with this framework to help out the new guys.

Thank you,
loneferret
www.kioptrix.com

Sunday, February 14, 2010

Automated tool Dependency

A while ago, when I was doing the OSCP course, I learned about shellcode and exploits. During this time, Metasploit's online shellcode generator was really useful. When it came down to exam time, well, the site was down... No more automated tool, and this during my 24-hour exam. What did I do? A little Google search and presto, I found how to correctly use msfpayload + msfencode. All was well.

Since then, I've gone back to using the online tool. Bad idea... I say this because recently I've had to generate some shellcode for an exploit. Of course the automated online tool was down. This forced me once again to re-learn the command line tool, and it made me realize two things:
1: We rely way too much on automated tools
2: Laziness kicks in so very fast.

I mean, it isn't that hard to use and remember. You just need to type it a few times to get the syntax burned into that gray matter of ours.

msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c

Here's an example of using both msfpayload and msfencode.
The payload is windows/exec, the CMD is calc.exe and we output the raw code ("R"). We pipe that into msfencode.
The "-b" switch is the list of bad characters, "-e" is the encoder (in this case shikata_ga_nai) and we output in C format using the "-t" switch.

There are plenty of online resources that can show you how to use it. This is true for every automated tool we are used to using.

Bottom line, if it's command line and there's an automated tool.... learn the command line first.
You never know when that automated one will be pulled off the air.

Thursday, February 4, 2010

The Sulley Framework -Basic part 2-

In my previous entry on the Sulley Framework, we took a look at a simple request and session file to fuzz an FTP server. This time we'll look at what we need to have and do to fuzz a TFTP server. The big difference is that one uses the TCP protocol and the other UDP.

By default Sulley will connect to TCP ports. We need to specify that we are trying to fuzz UDP. This is specified in our session file.

from sulley import * # import everything from Sulley
from requests import tftp # the request file defining the "tftp" request

# proto="udp" is the one change from a TCP session
sess = sessions.session(session_filename="audits/tftpserver.session", proto="udp")
# Target IP xxx.xxx.xxx.xxx and the UDP port the TFTP server listens on
target = sessions.target("xxx.xxx.xxx.xxx", <PORT#>)
# network and process monitors running on the target (default pedrpc ports)
target.netmon = pedrpc.client("xxx.xxx.xxx.xxx", 26001)
target.procmon = pedrpc.client("xxx.xxx.xxx.xxx", 26002)
target.procmon_options = { "proc_name" : "<PROCESS NAME>" }
sess.add_target(target)
sess.connect(s_get("tftp"))
sess.fuzz()

Once you've specified the "proto" parameter, the rest of the session file is pretty much the same as for fuzzing any other protocol. Now that you have your session file configured for UDP connections, you'll need a request file. I found this basic TFTP request file on the Internet here.

Now that we have our session and request files, there's one more change that needs to be done before we can appreciate all of this. When fuzzing a TCP protocol, you would run the network_monitor script like so:
c:\sulley>python network_monitor.py -d X -f "src or dst port XX" -P \\path

Well, since this is UDP and the traffic is only one way, that pcap filter string won't capture anything. So you'll need to enter it this way:
c:\sulley>python network_monitor.py -d X -f "udp dst port XX" -P \\path

As with anything script related, this can be improved.
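To show what the "tftp" request file is actually describing on the wire, here is a stand-alone model I wrote for this post; it is not Sulley's code and does not import Sulley. It builds and parses the TFTP read/write request from RFC 1350 (2-byte opcode, filename, NUL, mode, NUL) and enumerates a few mutations of each string field the way a session walking s_group/s_string/s_static primitives would. The mutation list is a short constructed stand-in for Sulley's own, and nothing is sent on the network.

```python
"""Stand-alone model of the TFTP request a Sulley "tftp" request file describes.

Added illustration, not Sulley's code. RFC 1350 RRQ/WRQ layout:
    opcode (2 bytes, big-endian) | filename | 0x00 | mode | 0x00
build_request() and parse_request() are the two sides of that format;
fuzz_cases() enumerates mutations per field, mirroring how Sulley walks
one mutable primitive at a time. STRING_MUTATIONS is a constructed,
deliberately short stand-in for Sulley's s_string library.
"""
import struct

OPCODES = {"RRQ": 1, "WRQ": 2}
MODES = (b"netascii", b"octet", b"mail")


def build_request(opcode, filename, mode="octet"):
    """Encode a TFTP read or write request (the s_group/s_string/s_static chain)."""
    return (struct.pack("!H", OPCODES[opcode])
            + filename.encode("latin-1") + b"\x00"
            + mode.encode("latin-1") + b"\x00")


def parse_request(packet):
    """Decode a TFTP request as a strict server would; raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (op,) = struct.unpack("!H", packet[:2])
    if op not in OPCODES.values():
        raise ValueError("unknown opcode %d" % op)
    parts = packet[2:].split(b"\x00")
    # filename, mode and the empty remainder after the final NUL
    if len(parts) < 3 or parts[-1] != b"":
        raise ValueError("missing NUL terminator")
    filename, mode = parts[0], parts[1]
    if mode.lower() not in MODES:
        raise ValueError("bad mode %r" % mode)
    name = {v: k for k, v in OPCODES.items()}[op]
    return name, filename.decode("latin-1"), mode.decode("latin-1")


# Constructed mutation list in the spirit of s_string (long strings, format specifiers, empty).
STRING_MUTATIONS = ["A" * 256, "A" * 1024, "%n%n%n%n", ""]


def fuzz_cases():
    """Yield (label, packet) for each opcode x field x mutation, one field mutated at a time."""
    for opname in OPCODES:
        for m in STRING_MUTATIONS:
            yield ("%s filename=%r" % (opname, m[:16]), build_request(opname, m, "octet"))
        for m in STRING_MUTATIONS:
            yield ("%s mode=%r" % (opname, m[:16]), build_request(opname, "test.txt", m))


def count_rejected(cases):
    """How many generated cases the strict reference parser refuses outright."""
    rejected = 0
    for _, pkt in cases:
        try:
            parse_request(pkt)
        except ValueError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    cases = list(fuzz_cases())
    print("%d cases, %d rejected by the reference parser" % (len(cases), count_rejected(cases)))
    for label, pkt in cases[:3]:
        print(label, len(pkt), "bytes")
```

Every one of these datagrams goes to the server's port only; the server answers from a freshly chosen port, which is why the post's "udp dst port XX" filter is the one that actually sees the fuzz traffic. The split between cases the strict parser rejects and cases it accepts is also a useful sanity check on a request file: mutations that never pass the target's first validation step only exercise its error path.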

So now you can pretty much follow my previous blog post on Sulley or view the video on kioptrix.com and start fuzzing UDP. Try downloading a known vulnerable TFTP server and watch it fuzz... Here's a nice little list from exploit-db that you can have fun with.

As always, I'll try and get a video up demonstrating this. Always fun to make those, and perhaps I'll actually put the "Benny Hill" theme song... or just sound. One day perhaps.

Thanks again, hope you enjoyed this little read and remember to visit us at www.kioptrix.com

Saturday, January 30, 2010

Java Signed Applets

Been pretty busy these past few weeks, and finding the time to post stuff up is getting difficult. But I do bring something fun to watch.

If you administer users, you should have a look at this video:
Java Signed Applet

If you want a little more information on how to test this exploit in a controlled environment,
head over to PaulDotCom.
Their screencast is a little more "complete" than mine. I just wanted to prove a point.

Hope you enjoy it.

Tuesday, January 19, 2010

Windows wide open ?

With the recent attacks on Google, Adobe and Yahoo (just to name a few) thanks to the Aurora exploit, Internet Explorer is something to be avoided at the moment. Unless you're running version 5.01, I would suggest switching to Firefox for the time being. As far as I know, Microsoft has not released a patch for this one. Let's hope they do.

As far as I can tell, and with a little info from exploit-db, remote code execution is only functional under Windows XP running Internet Explorer 6. That doesn't mean newer versions of Internet Explorer are not affected... we just don't know about it yet. IE 7/8 will crash under Windows XP, and DEP under Vista/7 should stop the crash in time.

So it's a good idea to listen to Microsoft and enable DEP and everything else under the sun to protect your system(s)... especially now that there's another exploit that basically guarantees privilege escalation.

The Ring-Zero exploit
is the latest one, and let me tell you: I've tested this privilege escalation exploit on Windows XP SP2/SP3, Windows Server 2008 Enterprise and Windows 7. Dookie from exploit-db tested it on Windows Server 2003...
We all got a SYSTEM shell... Not scared yet? You should be. You can read more about it in the link I provided just above.

Does this mean Windows is wide open at the moment? Should we close down the Internet and our corporate networks? Well, even if that would be a great solution, it's impossible. There is one way to protect yourself (or at least help reduce the risk/damage): DON'T RELY ON JUST A FIREWALL! Let your network administrators install Snort. Let them monitor inbound as well as outbound traffic. Don't close your eyes and say "there's no reason to get hacked... we're a small company" (of course this is more for any managers reading this). I'd like to meet the guy that said Linux is less secure now...

So good luck this week, and let's hope Microsoft comes up with something soon. I need to scare the pants off my boss tomorrow. Need to work on a nice scenario to really convince him...

Again, good luck... All of you

Saturday, January 16, 2010

Happy new year

Happy new year ! (I know I'm late...)

It's been a busy new year for me, which is basically a continuation of how 2009 finished: either being sick or extremely busy at work and with family life. Personal projects and other testing took a back seat, unfortunately.
Since I don't have much of anything to write up, here's part of SANS' newsletter. One article, in my opinion, is worth reading. Skoudis' comment is on the money. It's too bad that the powers that be (management) probably never read this stuff...

--Zero-Day IE Flaw Used in Attacks on Google, Adobe and Others
(January 14, 2010)
Attackers exploited a zero-day vulnerability in Internet Explorer (IE)
to launch attacks on Adobe, Google and about 30 other US companies. The
flaw reportedly affects all versions of IE. Microsoft became aware of
the vulnerability on January 13 and plans to issue an advisory on
January 14. The memory corruption vulnerability allows attackers to
inject malware onto users' computers. So far, the flaw has been
exploited only in targeted attacks. While there have been reports that
the attackers also used maliciously crafted PDF files to launch their
attacks against the companies, now it is believed that only the IE flaw
was used in the attacks.
http://www.wired.com/threatlevel/2010/01/hack-of-adob
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/
http://www.computerworld.com/s/article/9144844/Hackers_used_IE_zero_day_not_PDF_in_China_Google_attacks?source=rss_security
Microsoft advisory: http://www.microsoft.com/technet/security/advisory/979267.mspx
Storm Center: http://isc.sans.org/diary.html?storyid=7993
[Editor's Note (Skoudis): The news this week about Google, China, and
advanced persistent threats illuminates an important change in security.
The threatscape has been shifting from cyber crime to more insidious
attacks over the past couple of years, but in a way that didn't garner
a lot of attention. Until now. I think it's a good thing to see folks
finally waking up to this issue, rather than pretending it doesn't
exist.
(Honan): This vulnerability when exploited uses the same user levels as
the logged on user; maybe it is time to convince your management and
users that they do not need local administrator access.]

On another note, Kioptrix will be taping its first podcast this evening. Must warn you, it's in French... It's going to be available for download soon. Bear in mind, this is our first crack at this.

As always, visit us at kioptrix.com and check out our media section and VM download section. A few things are in the works that we hope people will enjoy. Also, pretty soon I'll be moving this blog to its new home permanently.

Have a good one.
LF