Security talk at Reading Geek Night - FlasHack

Hi! Lovely summer, isnt it? :) I'm enjoying carrying out a lot of testing, researching and also a bit of developing.

But I always try to make time for sharing knowledge! I think sharing is the best part of the hacking community (and the Internet), people writing articles, blog posts and also twitts sharing their experience of computer security. And I love doing it when I can, especially as I know the people listening are passionate about the subject.

This is the reason I'm going to speak again at Reading Geek Night next week. I'll be doing a talk about how to decompile, modify, analyze and abuse Flash applications.

If you are interested in finding out how you can have some fun with Flash files and you can excuse my English and bad jokes, you are more than welcome to join me at another Reading Geek Night!

See you :)

XCampo

I'm very pleased to present you with a (more or less) usable version of XCampo!

What is XCampo? I decided to write this when I was coming back from the RootedCon conference in Madrid and it is intended to help me (and anyone who wants to use it) to generate better screenshots and demos for the report generation (and presentation) process.

Sometimes, when people generate security reports and they want to represent the risk of a XSS vulnerability they insert a simple script that shows an alert box with the name of the website or with text. This illustrates the possibility to execute anything we want and security people understand this....but do non technical people?

Using this PHP code you will get a nice page with some options to generate dynamically different payloads to your demos:

• Fake login: Generates a fake login form page to force the user to insert his login details.
• hax0r defacement: Try to generate an over-everything black layer with a text and an audio file.
• Form redirection: Redirect any form in the website to a specified URL.
• Password manager: Try to steal the login details stored in the browser when accessing to a specified webpage
• Cookie stealing: Perform a cookie steal sending the details to the URL we want.

As you can see this provides a good range of options to generate more "dangerous" demos in the presentation of the results.

Security challenges for the summer

Hello! The summer is here and the holidays are near!

Planning something to do? Too much free time as you don't have to do any exams in September? Looking for something to learn? Me too! :)

Each summer I plan something to learn, something to investigate... basically something to help me enjoy my free time! This summer I'm going to focus on:

• Firefox addons development (Check this Hackbar Google Code website)
• HTML5

I'll also try to keep my mind fit by playing online challenges games. If you want to practice and learn about security you can check the following websites:

• The Bright Shadows
• Try2Hack
• Hack This Site

Enjoy and keep out of direct sunlight ;)

A bit of information about TRACE and OPTIONS

Hi!! Another post here after a some time... I'm really busy at work right now but I also need these small breaks to carry out my own testing and share a bit of what we learn here at Pentura.

I want to write today about the TRACE, OPTIONS and others HTTP verbs. Sometimes in reports we can see that they discovered the TRACE verb active in our server. How they (us ;) ) do it? How do we test to understand if it's a real vulnerability? If it's a vulnerability... what is the risk?

First of all when we test a web application, we perform an OPTIONS request to the server to discover the verbs the server offers. It can be done using a simple telnet or ncat connection to the server but today we are going to use the Metasploit framework:

Using the auxiliary/scanner/http/options module we can easily discover the HTTP verbs we offer in www.pentura.com. In this case we only accept GET, HEAD, POST and OPTIONS :)

Sometimes we can also see the TRACE method listed in the OPTIONS request and programs will warn you about this. OK, but, is it a risk?

Before knowing if it's a risk or not we have to understand how can an attacker use the TRACE method to exploit your server. The attack is called XST or Cross Site Tracing. Using this, an attacker could steal our cookies and use them to hijack our session in the server. This is useful when the cookies have the httpOnly flag. This is a small attribute that can be applied to cookies to prevent the access to them using Javascript.

The TRACE method responds back with the same headers that we sent in the request so, if our request contains our cookies, they will come back in the TRACE response.

But... don't worry! Sometimes people add this to reports because the automatic scanner discovers it but they don't test manually if it's possible to exploit this vulnerability. I'll show you how to do it!

pedro@pedro:~$ ncat www.apache.org 80
OPTIONS / HTTP/1.1
Host:www.apache.org

HTTP/1.1 200 OK
Date: Wed, 09 Jun 2010 16:13:37 GMT
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.7d mod_wsgi/3.2 Python/2.6.5rc2
Allow: GET,HEAD,POST,OPTIONS,TRACE
Cache-Control: max-age=86400
Expires: Thu, 10 Jun 2010 16:13:37 GMT
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html

pedro@pedro:~$ ncat www.apache.org 80
TRACE / HTTP/1.1
Host:www.apache.org
X-Header: Test

HTTP/1.1 200 OK
Date: Wed, 09 Jun 2010 16:14:49 GMT
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.7d mod_wsgi/3.2 Python/2.6.5rc2
Transfer-Encoding: chunked
Content-Type: message/http

TRACE / HTTP/1.1
Host: www.apache.org
X-Header: Test

As you can see, when we send the OPTIONS verb we see that the TRACE verb is allowed. This means that we need to test it, not only put in our report as a vulnerability. The next request I made is a TRACE request with the X-Header fake value. The server responds with a 200 OK code and with my fake header value. This is the proof that the risk is present in this server. If the response is other means that the server is not vulnerable to XST attacks.

I hope this helps you understand better whats means these TRACE enabled vulnerability in the reports :)

P.D. For those Firefox lovers... Check this extension to test the OPTIONS headers inside your browser: HTTP Resource Test

Defcon CTF Prequals

Short post today to share with you my happiness as tonight start the Defcon prequals to gain access to the Las Vegas event!

I'm playing with some Spanish mates in a very small team (we are three and usually Top 10 teams are 10+ players) with a lot of illusion to enjoy at least the same as the last year.

They usually do cracking, reversing, web, exploiting, forensic, etc. challenges and we will do our best to solve them. Even if you don't complete a challenge you always learn something new in the process.

I'll make next week a resume about how we did in the prequals and how to solve some of the challenges we manage to complete (if we can complete at least one...)

Ahh!! I almost forget!! You can still register in the competition!!

HOWTO: Using MBSA remotely

When it comes to performing a security assessment of Windows servers (SQL, ISA, IIS etc), the Microsoft Baseline Security Analyzer (MBSA) tool provides a good idea of the key security settings implemented on the Windows server being audited. 

 MBSA v2.1

One drawback though is MBSA v2.1 needs admin privileges on the remote Window server and offers no way of specifying alternate admin credentials in its GUI...what if you're MBSA client isn't even in the same domain??........

Using the "runas" command from Windows Command Prompt, its possible to specify the remote servers admin credentials for use with the MBSA executable:

'runas' command with custom credentials and mbsa.exe

In this screenshot, we used the local admin account on 'WIN2K3TESTSVR' rather than a domain account.

NOTE:  The '/netonly' switch is a must, this tells your client to use these credentials when making a remote connection.  If you dont use this switch, when you hit Enter, wWndows will try and verify these credentials which will most likely fail.

When MBSA starts, specify the IP address of the remote server 'WIN2K3TESTSVR' and click 'Scan'.  MBSA will now use the credentials you specified on the command line.

NOTE:  If you are scanning IIS servers, you will need to have the IIS Common Files installed on your MBSA machine so that a number of the IIS scripts will run correctly.  MBSA will soon let you know that a scan was incomplete because it could run the necessary IIS checks.

New version of Wfuzz!

I don't like automatic tools. Full stop. Well... not full... I like some semi-automatic tools.

One of these tools is wfuzz. I love this python script to perform a quick look over all the directories in a website and sometimes to test against some basic authorization bypass fuzzing a numeric parameter.

The use of this tool is very easy and I'm not going to explain here, you can read the README file from the package but I'm going to explain you some of the changes in this new version.

First of all if you want to download it you will need a subversion client as they are starting to use Google Code to distribute wfuzz and they don't offer any zip file right now.

Then you can test it as I show in the screenshot:

python wfuzz.py -z file -f wordlist/general/common.txt --hc 404 -c -t 1 http://test.acunetix.com/FUZZ

If you are a wfuzz user you already notice the inclusion of the chars column in the result output. This can be useful when either lines and words are the same in a specific page. First new feature!! You can filter using the number of chars with the --hh parameter

Other of the differences in this new version is the inclusion of more dictionaries. Now they add more and split them into categories:

pedro@pedro:~/wfuzz$ tree wordlist/
wordlist/
|-- general
|   |-- admin-panels.txt
|   |-- big.txt
|   |-- catala.txt
|   |-- common.txt
|   |-- euskera.txt
|   |-- extensions_common.txt
|   |-- medium.txt
|   |-- megabeast.txt
|   |-- mutations_common.txt
|   |-- spanish.txt
|   `-- test.txt
|-- Injections
|   |-- All_attack.txt
|   |-- bad_chars.txt
|   |-- SQL.txt
|   |-- Traversal.txt
|   |-- XML.txt
|   `-- XSS.txt
|-- others
|   |-- common_pass.txt
|   `-- names.txt
|-- stress
|   |-- alphanum_case_extra.txt
|   |-- alphanum_case.txt
|   |-- char.txt
|   |-- doble_uri_hex.txt
|   |-- test_ext.txt
|   `-- uri_hex.txt
|-- vulns
|   |-- apache.txt
|   |-- cgis.txt
|   |-- coldfusion.txt
|   |-- dirTraversal-nix.txt
|   |-- dirTraversal.txt
|   |-- dirTraversal-win.txt
|   |-- domino.txt
|   |-- fatwire_pagenames.txt
|   |-- fatwire.txt
|   |-- frontpage.txt
|   |-- iis.txt
|   |-- iplanet.txt
|   |-- jrun.txt
|   |-- netware.txt
|   |-- oracle9i.txt
|   |-- sharepoint.txt
|   |-- sql_inj.txt
|   |-- sunas.txt
|   |-- tests.txt
|   |-- tomcat.txt
|   |-- vignette.txt
|   |-- weblogic.txt
|   `-- websphere.txt
`-- webservicces
    |-- ws-dirs.txt
    `-- ws-files.txt

They also add three points to the changelog:

• Added hexa-rand payload (Thanks to Alice Kaerast)
• Fixed encoding problems (Thanks to Osama Elnaggar)
• Fixed problems in the headers parsing (Thanks to Osama Elnaggar) 

I just update my tools folder with this new version and now we can keep our version update using svn :) Nice work guys!!