Friday 21 May 2010

Defcon CTF Prequals

Short post today to share with you my happiness, as tonight the Defcon prequals start, the way to gain access to the Las Vegas event!
I'm playing with some Spanish mates in a very small team (we are three, and the usual Top 10 teams have 10+ players) with a lot of excitement, hoping to enjoy it at least as much as last year.
They usually set cracking, reversing, web, exploitation, forensics, etc. challenges and we will do our best to solve them. Even if you don't complete a challenge you always learn something new in the process.
Next week I'll write a summary of how we did in the prequals and how to solve some of the challenges we managed to complete (if we manage to complete at least one...)
Ahh!! I almost forgot!! You can still register for the competition!!

Thursday 20 May 2010

HOWTO: Using MBSA remotely

When it comes to performing a security assessment of Windows servers (SQL, ISA, IIS, etc.), the Microsoft Baseline Security Analyzer (MBSA) tool gives a good idea of the key security settings implemented on the Windows server being audited.
MBSA v2.1

One drawback, though, is that MBSA v2.1 needs admin privileges on the remote Windows server and offers no way of specifying alternate admin credentials in its GUI... what if your MBSA client isn't even in the same domain??

Using the "runas" command from the Windows Command Prompt, it's possible to specify the remote server's admin credentials for use with the MBSA executable:

'runas' command with custom credentials and mbsa.exe
In this screenshot, we used the local admin account on 'WIN2K3TESTSVR' rather than a domain account.

NOTE:  The '/netonly' switch is a must: it tells your client to use these credentials only when making a remote connection, and not to log on locally with them. If you don't use this switch, when you hit Enter Windows will try to verify these credentials against your own machine or domain, which will most likely fail.

When MBSA starts, specify the IP address of the remote server 'WIN2K3TESTSVR' and click 'Scan'.  MBSA will now use the credentials you specified on the command line.

NOTE:  If you are scanning IIS servers, you will need to have the IIS Common Files installed on your MBSA machine so that a number of the IIS scripts run correctly. Otherwise MBSA will tell you that the scan was incomplete because it could not run the necessary IIS checks.
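The procedure above has one trap that the note already hints at: because of '/netonly', runas accepts any password without checking it, so a typo only shows up later as a confusing "access denied" inside MBSA. The following script is an added example (not code from the original post or from Microsoft) that wraps the same runas invocation and, once running with the alternate credentials, first probes the target's ADMIN$ share before launching MBSA. The MBSA install path, server name and account are assumptions/placeholders; it has to run on the Windows client that has MBSA installed.

```python
"""Added example: two-stage launcher for MBSA under alternate credentials.

Stage 1 (no --inner): re-launch this script through "runas /netonly" so the
child process presents TARGET\ACCOUNT for every network connection.
Stage 2 (--inner, running with that token): runas never verifies the
password, so probe \\TARGET\ADMIN$ (which MBSA needs anyway) and only then
start the MBSA GUI.
Assumptions: MBSA 2.1 in its default folder (MBSA_EXE); the server and
account names passed on the command line are placeholders; Windows only.
"""

import os
import subprocess
import sys

MBSA_EXE = r"C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsa.exe"  # assumed default path


def runas_netonly_command(target: str, account: str) -> list:
    """argv for runas. /netonly: use the credentials only on the network,
    so Windows does not attempt (and fail) a local logon with a foreign account."""
    inner = subprocess.list2cmdline(
        [sys.executable, os.path.abspath(__file__), "--inner", target]
    )
    return ["runas", "/netonly", f"/user:{target}\\{account}", inner]


def probe_admin_share(target: str, run=subprocess.run) -> bool:
    """True if \\target\ADMIN$ accepts the network credentials of this process.
    `run` is injectable so the logic can be exercised without a real server."""
    share = rf"\\{target}\ADMIN$"
    result = run(["net", "use", share], capture_output=True, text=True)
    if result.returncode != 0:
        return False
    # drop the connection again; MBSA will open its own
    run(["net", "use", share, "/delete"], capture_output=True, text=True)
    return True


def fake_runner(returncode: int, calls=None):
    """Stand-in for subprocess.run for dry runs: records the argv and returns a fixed exit code."""
    def run(args, **kwargs):
        if calls is not None:
            calls.append(list(args))
        return subprocess.CompletedProcess(args, returncode)
    return run


def main(argv: list) -> int:
    if len(argv) >= 2 and argv[0] == "--inner":
        target = argv[1]
        if not probe_admin_share(target):
            print(f"\\\\{target}\\ADMIN$ rejected the credentials: wrong password, "
                  f"not an administrator, or port 445 blocked. Not starting MBSA.")
            return 1
        print(f"{target} accepted the credentials; starting MBSA. "
              f"Enter {target} as the computer to scan and click Scan.")
        subprocess.Popen([MBSA_EXE])
        return 0
    if len(argv) != 2:
        print("usage: mbsa_remote.py <server> <admin account>   e.g. WIN2K3TESTSVR Administrator")
        return 2
    target, account = argv
    # runas prompts for the password on the console and returns once the child is spawned
    return subprocess.run(runas_netonly_command(target, account)).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python mbsa_remote.py WIN2K3TESTSVR Administrator`; the password prompt comes from runas itself. The same wrapper works for a scripted scan if the last step is changed to call the command-line front end shipped with MBSA instead of the GUI.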


Monday 17 May 2010

New version of Wfuzz!

I don't like automatic tools. Full stop. Well... not full... I like some semi-automatic tools.
One of these tools is wfuzz. I love this Python script for taking a quick look at the directories of a website and sometimes for testing basic authorization bypasses by fuzzing a numeric parameter.
The tool is very easy to use and I'm not going to explain it here; you can read the README file in the package. What I am going to explain are some of the changes in this new version.
First of all, if you want to download it you will need a Subversion client, as they have started using Google Code to distribute wfuzz and don't offer any zip file right now.
Then you can test it as I show in the screenshot:
python wfuzz.py -z file -f wordlist/general/common.txt --hc 404 -c -t 1 http://test.acunetix.com/FUZZ
If you are a wfuzz user you will already have noticed the new chars column in the result output. This is useful when different pages have the same number of lines and the same number of words. First new feature!! You can filter on the number of chars with the --hh parameter.
Another difference in this new version is the inclusion of more dictionaries. They have added more and split them into categories:
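To make the point about the chars column concrete, here is an added example (not code from wfuzz or from the original post) that re-implements, over constructed responses, the three result columns and the --hc/--hl/--hw/--hh hide filters. The sample server answers 200 with a fixed "not found" page for unknown directories, so --hc 404 alone is not enough, and the real page happens to have the same line and word counts as that page; only the char count tells them apart. The counting rules (newlines, whitespace-split tokens, total length) are an approximation of wfuzz's and are an assumption of this example.

```python
"""Added example: wfuzz-style result columns and hide filters on constructed data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    payload: str   # the word that replaced FUZZ in the URL
    status: int
    body: str


def measure(body: str) -> tuple:
    """(lines, words, chars) roughly as wfuzz reports them:
    newline count, whitespace-separated tokens, total length."""
    return body.count("\n"), len(body.split()), len(body)


def hide(responses, hc=(), hl=(), hw=(), hh=()):
    """Keep only responses whose status / lines / words / chars are NOT in the
    hide lists; rows are shaped like wfuzz output: (payload, status, lines, words, chars)."""
    rows = []
    for r in responses:
        lines, words, chars = measure(r.body)
        if r.status in hc or lines in hl or words in hw or chars in hh:
            continue
        rows.append((r.payload, r.status, lines, words, chars))
    return rows


# Constructed sample: a "soft 404" page returned with status 200 for unknown
# directories, one real directory, and one genuine 404.
SOFT_404 = "<html>\n<body>\nPage not found\n</body>\n</html>\n"
ADMIN_PAGE = "<html>\n<body>\nAdministrator login here\n</body>\n</html>\n"
SAMPLE = [
    Response("images", 200, SOFT_404),
    Response("admin", 200, ADMIN_PAGE),
    Response("backup", 404, "Not Found"),
    Response("css", 200, SOFT_404),
]

if __name__ == "__main__":
    # --hc 404 alone leaves the two soft-404 hits in the output
    print("--hc 404        :", hide(SAMPLE, hc=(404,)))
    # soft-404 and admin page both have 5 lines / 7 words, so --hl 5 hides the real page too
    print("--hc 404 --hl 5 :", hide(SAMPLE, hc=(404,), hl=(5,)))
    # the char count (45 vs 55) is what separates them
    print("--hc 404 --hh 45:", hide(SAMPLE, hc=(404,), hh=(45,)))
```

The practical recipe is the one the post describes: run once with only --hc, read the lines/words/chars of the response that repeats for most payloads, and hide whichever of the three is stable and unique to it.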
pedro@pedro:~/wfuzz$ tree wordlist/
wordlist/
|-- general
|   |-- admin-panels.txt
|   |-- big.txt
|   |-- catala.txt
|   |-- common.txt
|   |-- euskera.txt
|   |-- extensions_common.txt
|   |-- medium.txt
|   |-- megabeast.txt
|   |-- mutations_common.txt
|   |-- spanish.txt
|   `-- test.txt
|-- Injections
|   |-- All_attack.txt
|   |-- bad_chars.txt
|   |-- SQL.txt
|   |-- Traversal.txt
|   |-- XML.txt
|   `-- XSS.txt
|-- others
|   |-- common_pass.txt
|   `-- names.txt
|-- stress
|   |-- alphanum_case_extra.txt
|   |-- alphanum_case.txt
|   |-- char.txt
|   |-- doble_uri_hex.txt
|   |-- test_ext.txt
|   `-- uri_hex.txt
|-- vulns
|   |-- apache.txt
|   |-- cgis.txt
|   |-- coldfusion.txt
|   |-- dirTraversal-nix.txt
|   |-- dirTraversal.txt
|   |-- dirTraversal-win.txt
|   |-- domino.txt
|   |-- fatwire_pagenames.txt
|   |-- fatwire.txt
|   |-- frontpage.txt
|   |-- iis.txt
|   |-- iplanet.txt
|   |-- jrun.txt
|   |-- netware.txt
|   |-- oracle9i.txt
|   |-- sharepoint.txt
|   |-- sql_inj.txt
|   |-- sunas.txt
|   |-- tests.txt
|   |-- tomcat.txt
|   |-- vignette.txt
|   |-- weblogic.txt
|   `-- websphere.txt
`-- webservicces
    |-- ws-dirs.txt
    `-- ws-files.txt
They also added three points to the changelog:
  • Added hexa-rand payload (Thanks to Alice Kaerast)
  • Fixed encoding problems (Thanks to Osama Elnaggar)
  • Fixed problems in the headers parsing (Thanks to Osama Elnaggar) 
I have just updated my tools folder with this new version, and now we can keep our copy up to date using svn :) Nice work guys!!

Monday 10 May 2010

Infosec'10 metadata (I)

Whoops! It's been a long time since I wrote here... A lot of work and not much time to write. But I'm going to try to fix that shortly!

Two weeks ago was the Infosec event in London. Our company had a very nice stand and I spent a good time on Wednesday talking with people about what we do and, more specifically, what I do as an application tester at Pentura. But I can't stop thinking about security at any moment...

Other companies at the event were giving away CDs with documentation and programs. As I know that sometimes people don't take care about what they copy onto the CDs when they make them, I took some of them to analyze :) They had been burning in my backpack for two weeks!! But today, when I inserted the first one, it made my day.

The CD is from (ISC)2 and they call it the Green disc. It has a lot of docs I'll analyze at some point this week, but I discovered something very funny. They are using WS_FTP. How do I know? They left WS_FTP.LOG files in some of the folders. Take a look:



This file contains the local path of the file (from which you get the user name), the remote path of the upload (you get the path) and the IP of the remote server (need I say more?). You can find a lot of WS_FTP.LOG files on Google or, if you got the CD from (ISC)2, have a quick look at these files ;)

Cheers!!

P.S. Maybe it's not an (ISC)2 IP, but it's still funny (and not very secure...), isn't it? :)
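The lesson of the Green disc is that a release folder should be checked for this kind of residue before it is burned. Below is an added example (not from the original post and not Ipswitch's code) that walks a directory tree, finds leftover WS_FTP.LOG files and reports, per file, exactly the three things the post lists: the local path with the Windows user name extracted from it, the remote path and the server IP. The line layout it parses is an assumption based on the common WS_FTP Pro form "date time mode local_path --> ip [port] remote_dir remote_file" (with <-- for downloads); adjust LINE_RE if your version writes something else. The sample log content is constructed for the demonstration.

```python
"""Added example: find and parse leftover WS_FTP.LOG files in a release tree."""

import os
import re
from dataclasses import dataclass

# Assumed WS_FTP Pro line layout (see lead-in); port is optional in some versions.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<mode>[AB])\s+"
    r"(?P<local>.+?)\s+(?P<dir>-->|<--)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\s+(?P<port>\d+))?\s+"
    r"(?P<remote_dir>\S+)\s+(?P<remote_file>\S+)\s*$"
)


@dataclass(frozen=True)
class Transfer:
    local_path: str
    remote_ip: str
    remote_path: str
    upload: bool

    @property
    def user_name(self):
        """Windows account name leaked by a profile path (C:\\Users\\x or C:\\Documents and Settings\\x)."""
        m = re.match(r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)", self.local_path)
        return m.group(1) if m else None


def parse_line(line: str):
    """One log line -> Transfer, or None for lines that are not transfer records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    remote = m["remote_dir"].rstrip("/") + "/" + m["remote_file"]
    return Transfer(m["local"], m["ip"], remote, m["dir"] == "-->")


def parse_log(text: str):
    return [t for t in (parse_line(l) for l in text.splitlines()) if t]


def find_ws_ftp_logs(root: str):
    """Yield every WS_FTP.LOG (any letter case) under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == "ws_ftp.log":
                yield os.path.join(dirpath, name)


def report(root: str):
    """Map each leftover log file to the transfers it discloses."""
    findings = {}
    for path in find_ws_ftp_logs(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings[path] = parse_log(fh.read())
    return findings


# Constructed sample log (placeholder user, documentation-range IP).
SAMPLE_LOG = (
    "2010.04.20 09:14 B C:\\Documents and Settings\\jsmith\\Desktop\\greendisc\\brochure.pdf"
    " --> 203.0.113.7 /htdocs/greendisc brochure.pdf\n"
    "2010.04.20 09:15 A C:\\Documents and Settings\\jsmith\\Desktop\\greendisc\\index.html"
    " --> 203.0.113.7 21 /htdocs/greendisc index.html\n"
    "this line is not a transfer record\n"
)

if __name__ == "__main__":
    import sys
    for t in parse_log(SAMPLE_LOG):
        print(t.user_name, t.remote_ip, t.remote_path, "upload" if t.upload else "download")
    if len(sys.argv) > 1:
        for path, transfers in report(sys.argv[1]).items():
            users = sorted({t.user_name for t in transfers if t.user_name})
            hosts = sorted({t.remote_ip for t in transfers})
            print(f"{path}: {len(transfers)} transfers, users {users}, hosts {hosts}")
```

Run it with the mount point of the CD (or the staging folder before burning) as the argument; any output at all means the folder is not ready to ship, and the user and host lists are what an outsider would learn from it.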