Monthly Archives: October 2007

When Penetration Tests Backfire

Filed under Penetration Testing

Very good article over at Dark Reading today about testing PoC exploit code and security tools before you use them in a production environment.

“…how do you know if the PoC (proof of concept) exploit code you downloaded from Milw0rm or Packet Storm includes a backdoor?”

The author also mentions some very good things to consider when planning a pen test, and I have added a few of my own:

- Do you need to run the pen test in a production environment? While I think you should, in order to simulate a real attack, some companies are not comfortable with that. Always be sure to find out and include this in your contract and/or authorization letter.

- Review your toolkit and make sure that you are not using tools and exploits that will cause a DoS or crash a system. Of course systems do sometimes crash for reasons outside your control (hence the reason you have an authorization-to-test letter); however, as a pen tester you should be doing everything you can to make sure you don’t purposely crash or DoS systems. I suggest that at least 2-3 times a year your pen test team should meet for a few days, review your toolkit and perform detailed testing of these tools and code.

- Review and test PoC and exploit code before running it in a production environment. I don’t think the client would be too happy if you inadvertently Trojan’d their systems!

- Try to supplement your team’s toolkit with a commercial tool like Core Impact or Immunity Canvas, as these exploits are tested and have options to help ensure a targeted system does not crash.

Introduction to soldering

Filed under Hacking
[Image: A soldering gun]

One of my favorite web sites, “Hack a Day”, has a really good and detailed (with pictures) article on how to solder. While this may seem an easy task to some, it is a whole new experience for others. Now you can take apart and hack gadgets like the best of them! Click here for the article.

Cross Platform File Encryption – Drop Secure Professional 2.0

Filed under Cryptography

A pretty unique file encryption program is now available for Mac and Windows. It’s called Drop Secure Professional 2.0. What makes this program different than others is that it:

“…starts by dividing up the file into small chunks. By default, those chunks are 256 bytes long. Each chunk is encrypted with a separate cipher, using a separate password that is derived from a hash of information provided by the user, from the archive, and from the data being encrypted. This password is used only once for that one chunk of data, and then discarded. The chunks of data are placed in an archive file, with pertinent information encrypted again as a group.”

and…

“When used with one of the encryption types that support 256 bit key sizes, Drop Secure ProTM meets and exceeds recommendations for security and key strength set by DCSSI, BSI, and the NSA.”

Not a bad investment for $57. You can download a 30-day trial here.

Recent PSP Hacks Summary

Filed under Video Game Hardware Hacking
[Image: PSP]

Lots of news on the latest PSP hacks! Below is a summary:

Cable allows easy hook-up of third party GPS systems

- Cool! Now you can use your PSP with GPS. From the website: “Thanks to the availability of MapThis mapping software (free) and GMDL map downloading software (free) PSP owners from most parts of the world can connect to other handheld/serial GPS for navigation through PSP.”

One Wire Pandora Battery — No Software Required

- From PSP Hacks: “‘Pandoraize’ your PSP Phat and/or Slim battery without any software related hacks; just take a close look at the diagrams provided by godzivan. If you have a steady hand, it only requires the soldering of one wire. Upon success, create your magic memory stick!”

- If you don’t know what the Pandora Battery is, check here.

PSP modded for internal camera, speakers

- Pretty cool mod, but it took lots of time, time most people don’t have! :)

Crack password hashes with a video card GPU

Filed under Hacking

I thought this article was very interesting. You can now harness the unique power of a GPU (Graphics Processing Unit, i.e. the video card’s processor) to crack password hashes. In the article a Moscow software company discovered that you can use an nVidia GeForce 8800 video card to crack Windows NTLM password hashes apparently 25 times faster than normal! From Elcomsoft’s website:

“Using the “brute force” technique of recovering passwords, it was possible, though time-consuming, to recover passwords from popular applications. For example, let’s assume that logon passwords for Windows Vista are composed of uppercase and lowercase alphabetic characters, and up to eight characters long. There are about 55 trillion (52 to the eighth power) possible passwords in this range. Windows Vista uses NTLM hashing by default, so using a modern dual-core PC you could test up to 10,000,000 passwords per second, and perform a complete analysis in about two months. With ElcomSoft’s new technology, the process would take only three to five days, depending upon the CPU and GPU.”

Also note that the product uses distributed processing in a client/server architecture, so it can harness the power of multiple GPUs when cracking passwords. A 20-client license is only $599 US. Read more about this product here.
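A worked version of the quoted estimate, added here as an example (it is not from the article or from Elcomsoft’s product): it assumes candidates are hashed at a flat rate and treats the GPU gain as a 25x multiplier, and it shows why password length and alphabet size are the defender’s levers against faster cracking hardware.

```python
"""Brute-force cost estimator for unsalted NTLM hashes (constructed example)."""

# Alphabet sizes for common password policies (printable ASCII).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32

# Throughput figures from the quote above: a 2007 dual-core PC, and the
# claimed GPU speed-up (assumed here to be a flat 25x multiplier).
CPU_RATE = 10_000_000   # NTLM candidates per second
GPU_SPEEDUP = 25


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidates of length min_len..max_len over the alphabet.

    NTLM is an unsalted hash, so each candidate hashed can be compared against
    every captured hash at once; the keyspace is the attacker's total work.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def days_to_exhaust(space: int, rate_per_second: float) -> float:
    """Worst-case days needed to try every candidate at the given hash rate."""
    return space / rate_per_second / 86_400


def policy_comparison() -> list:
    """Rows of (policy, keyspace, CPU days, GPU days) for a few policies.

    The first row reproduces the quote: 52 letters, exactly 8 characters.
    """
    policies = [
        ("8 chars, letters only", LOWER + UPPER, 8),
        ("8 chars, letters+digits+symbols", LOWER + UPPER + DIGITS + SYMBOLS, 8),
        ("12 chars, letters only", LOWER + UPPER, 12),
    ]
    rows = []
    for name, alphabet, length in policies:
        space = keyspace(alphabet, length, length)
        cpu_days = days_to_exhaust(space, CPU_RATE)
        rows.append((name, space, cpu_days, cpu_days / GPU_SPEEDUP))
    return rows


if __name__ == "__main__":
    for name, space, cpu_days, gpu_days in policy_comparison():
        print(f"{name:34} {space:>24,d}  CPU {cpu_days:14,.1f} d  GPU {gpu_days:14,.1f} d")
```

At 10 million hashes per second the eight-letter keyspace takes about 62 days on the CPU and about 2.5 days with the 25x multiplier, in line with the quoted two months versus three to five days.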

Password-cracking chip causes security concerns – tech – 24 October 2007 – New Scientist Tech

Craigslist and your anonymity

Filed under Security Awareness

Stumbled upon a very good social experiment by another blogger today in which he researched the identity of an “anonymous” Craigslist poster. While Craigslist does have a decent system for providing anonymous postings, it goes to show you that there is always going to be human error, or just plain stupidity. (Note the last link: this was a “sex baiting prank”, which goes to show you that people will gladly give out their personal information to complete strangers.)

Attacks exploiting RealPlayer zero-day in progress

Filed under Vulnerabilities

Yet another example of vulnerabilities in client software (i.e. drive-by downloads), which is a huge attack vector. I can’t remember when the last remotely exploitable vulnerability was. As usual, IE ActiveX is to blame (when running RealPlayer 10.5 or 11 beta). Below is an article about the vulnerability:

Attacks exploiting RealPlayer zero-day in progress

Security Focus BID here.

Patch located here.

If you haven’t already, as a reminder: stop using IE and use Firefox or another non-ActiveX browser. You may also want to disable ActiveX on your Windows PC even if you don’t use IE, to mitigate the potential risk of future exploits.

Cafe Latte attack steals data from Wi-Fi PCs – Yahoo! News

Filed under Wireless Security

Demonstrated at the Toorcon hacking conference in San Diego over the weekend was a new way to attack laptops that use WEP encryption. Typically, the way to attack WEP was to sniff the wireless network traffic and crack the WEP key while in range of a legitimate access point. With this new technique you can attack the client itself; no real AP is needed. In basic terms, how does this work?

1. Set up your laptop as a fake access point.
2. Find out the SSIDs that the victim laptops are trying to communicate with.
3. Crack the WEP keystream with the gathered traffic.
4. Trick victim laptops into sending lots of messages to your fake AP (around 70,000-80,000) using ARP.
5. Crack WEP keys and enjoy….!

You can download the full Toorcon presentation here.

Cafe Latte attack steals data from Wi-Fi PCs – Yahoo! News

Simple security for your Mac

Filed under General Security

[Image: Mac Ad]

I’m a pretty big Apple fan boy and love my iPod and my PowerBook G4 (hope to upgrade to an Intel MacBook Pro one of these days). One of the misconceptions about Macs is that they are more secure than Windows. In a way this is true (they are not as targeted as Windows because of a lower market share); however, they are still vulnerable to recent OS exploits if not patched, and to other things that are easily overlooked by the average Mac user.

Here is a good article talking about basic security procedures you should use for your Mac. These are things easily overlooked like creating a non-administrator account for daily use and locking up your Mac with a security cable in a shared or public area.

Turn Firefox into a Web Hacking Machine

Filed under Application Security

I have been seeing lots of recent articles about using Firefox as a hacking tool. Basically, you can download extensions (i.e. plugins) for Firefox to manipulate and hack web pages.

I have listed some extensions that are worthwhile to use for web application testing:

Tamper Data – This extension works a lot like Paros Proxy, but you don’t have to configure your proxy settings. If you don’t know what Paros Proxy is, it’s a proxy tool that allows you to intercept a request to a web server, manipulate the request and then send it on to the server.

Web Developer – A ton of features in this one! Great for taking apart a web page and manipulating stuff in a WYSIWYG editor.

HackBar – A nice little extension to conduct SQL injections and more.

Note: There are many more tools!

Where to get these tools and more?
A really comprehensive list of tools is called FireCAT (now at v1.2). FireCAT is a mapping of hacking extensions for Firefox broken up into several different areas like Proxying, Auditing, Encryption, Malware Scanner, Information Gathering, Network Utilities, etc. You can easily download the HTML files and click on the extensions you want to install. Very easy. Even easier if you have FreeMind installed.