Re: I want the PT list back....

From: Andre Gironda (andreg@gmail.com)
Date: Sun Dec 16 2007 - 19:55:47 EST


On Dec 10, 2007 10:51 PM, Joseph McCray <joe@learnsecurityonline.com> wrote:
> * NAC Solutions (tricky, but not as tough as Host-based IPS - MAC/IP
> spoofing still gets by of the stuff I've run into)

kevin.sf.net ; osvdb2.0 (usual answer for everything - check out its
search capabilities -
http://dev.osvdb.org/trac/projects/osvdb_rails/wiki/osvdb2goodness )

> * Host-Based IPS Solutions (really tough to beat - at least for me)

slipfest.cr0.org ; immdbg -
http://www.immunityinc.com/downloads/Debugging_With_ID.odp

> * Wireless IPS Solutions (a joke)

Host or network based? More people should be re-writing drivers so
that they ignore deauthentication messages

I'd be curious if these are any good (they're probably just zero-day
waiting to happen) -
hotspot defense kit - http://airsnarf.shmoo.com
http://www.airtightnetworks.net/products/sg_safe/sg_safe_registration_form.asp

In my opinion, if you aren't using at least WPA2-Personal (preferably
with HostAP, which will let you specify different passphrases on a
per-mac basis), then there is no point to WIDS/WIPS.

Most organizations will likely want to run PEAP or even PEAP-EAP-TLS
(very strong if done right!), but IMO these are over-complicated. Any
non-NSA organization is better off running a WPA2-Personal
infrastructure that allows different passphrases for different clients
(such as HostAP), but making damn sure every SSID and passphrase are
both complete to full-character set and pseudo-random. I suggest
using the following:
For SSID (this doesn't really matter as long as it's a very unique value)
$ cat /dev/urandom | tr -cd '[:alnum:]' | fold -w 32 | head -1
H0m6sDFXsXGUUr7aO9FToEm3WrBLHa0h
For WPA2-PSK (this matters quite a lot)
$ cat /dev/urandom | tr -cd '[:xdigit:]' | tr '[:lower:]' '[:upper:]' | fold -w 64 | head -1
7B47D2E19CD3317EADAAF0DFDAC3DECC88A42BA335C5BD93B32930FF6DEEFEAF
although just in case that happens to be a dictionary word you might
want to do this instead
$ cat /dev/urandom | tr -cd '[:graph:]' | fold -w 63 | head -1
@]p|+~Rg2@L5HR;8\*S*:|m:Hax;QGT%.-;?~ZEPN}[dmYjQ)1P"=NV+!k}A.\Z
I think in the case of using a string, it's hashed with the SSID and
some other material in order to produce the hex value, which is the
real PSK

If you're really paranoid, you could set up WKnock and change your SSID
often and simultaneously run FakeAP. I've always wanted to set up a
few radios to make a better FakeAP that appeared more realistic... a
WiFi honeynet so to speak

> * 802.1x - I haven't seen it on an assessment yet.

PEAP clients often don't validate server certificates, leading to
MITM. Wait for Josh Wright's new talk at Shmoocon -
http://www.willhackforsushi.com/Home/Entries/2007/11/12_Lining_Up_2008_Talks!.html
- to hear even more. Also see the Yersinia.net tool (send raw packets
and MITM)

> networks from the outside. Port scanning and VA tools are damn near
> useless from external.

Not if you hit port 80 or 443, or a web server running on a different
port. Do you ever run into Cisco routers open for SNMP, BGP, and
other things during assessments?

> For me web app, to back end server, to the LAN is so rare it might as
> well be non-existent. Web app to DB - yeah...but not to internal LAN for
> me very much.

In the WASC project on honeyproxies, the data/stats are showing that
Command Injection, Dynamic Execution, and File Inclusion are much more
successful than common attacks such as XSS or SQLi. CORE IMPACT
supports SQLi, File Inclusion, and Command Injection (but not XSS
yet). Mail command injection appears to be very common e.g.
andreg+pentest@gmail.com%0aRCPT%20to:%20all@corp.com

Here's a cross-platform command injection available from WAHH -
|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 &
(if the app pauses for 30 seconds, you probably are on to something)
Try the above with single pipes, semi-colons, ampersands, backticks,
and LF's (%0a)

The FOSS tool, w3af, supports much of the above easily - and is going
to perform multi-stage attacks (integration with metasploit, using
source to extend attacks, using RFI to stage a new attack
automatically, etc). See -
http://w3af.sourceforge.net/documentation/user/w3af-T2.pdf and check
out the tutorials on this blog -
http://pentesterconfessions.blogspot.com

Remote file inclusion means that you'll need to host the PHP (or other
dynamic script) somewhere. It's incredibly easy to find both runtime
and with source - probably easier than finding URL redirection.

I have a huge list of source code scanners for PHP on
http://www.tssci-security.com/archives/2007/11/24/2007-security-testing-tools-in-review/
starting with "Inspekt, Pixy, RATS, SWAAT, PHP-SAT, PHPSecAudit, PSA3,
and FIS (File Inclusion Scanner, with the extended tool, WebSpidah)".

> Spear phishing with or without client-side exploits is it for me for
> external to internal. <-- How about you guys?

ClientVA.org (mentions Mr. T and Metagoofil)
Secunia PSI
Aruba (Josh Wright) WiFiDEnum
Snort/Sourcefire OfficeCat
GNUCITIZEN.org

Spear phishing tests are great because you ask the security team if
you can own them by sending them links to click on. They should just
assume that anyone in the company will click any link you send - so
don't bother with "zero-knowledge"... just let the security pros use
their builds. This will also let them play with live exploits, so
they can honeypot trap with Argos - http://www.few.vu.nl/argos/ - or
perform mock incident response.

> Internal networks are still a mess, riddled with old vulnerabilities -
> even when the customer has patch management solutions. I can't be as
> noisy trying to find them like the good old days - but they are still
> there - the bigger the company the more legacy crap they have.

Sounds like a job for XSS tunneling

> Rarely I find a Linux box on the client's network that I can use to set
> up shop these days so I've had to develop a collection of command-line
> windows tools. Anybody else in this boat? If so what's in your toolkit?
> I started with meta.cab from Phoenix 2600 and have been customizing it.

Oh I hang out with those guys. We're trying to re-vitalize Phoenix
2600 because the meetings have died down a lot. Are lots of people
using this?

> For wireless I pretty much just use Kismet/Aircrack-NG, but I'm really
> interested in wicrawl. Anyone using it on pentests yet?

Up until this past DefCon release of wicrawl, it was really poor from
what I hear from WiFi auditors and assessors. I haven't had time to
play with it in the last 5 months, but I do recommend that people try
it.

I assume that Kismet, wicrawl, aircrack-ng, and aircrack-ptw are all
on the Backtrack 3 CD/USB ISOs. Certainly these are the best tools
to use, but there is a lot more out there. My laptop I used to type
this is sitting on top of Hacking Exposed Wireless; great book.

Be sure to check out this video, too -
http://www.youtube.com/watch?v=bGiWOogdJho

For WiFi, it's more about hardware - and that's why I think investing
in Nokia N800/N810 gear, Soekris boards running Pyramid Linux, and CM9
cards - http://www.netgate.com/product_info.php?cPath=26_34&products_id=126
are a really good idea. Both make ideal platforms to run WiFiZoo and
KARMA, in addition to all the tools already mentioned. WiFiZoo on the
iPhone would also be nice, if it's even possible

> Inguma looks interesting, I run into Oracle on tests a lot. Is anyone
> using it - if so what do you think?

Also http://www.imperva.com/scuba/ and
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470080221,descCd-DOWNLOAD.html

> Some attacks that look really interesting - but I don't know of anyone
> doing them in assessments? Can someone shed some light?
> * Remote SQL/PHP Shell Injection

See above

> I look forward to hearing from you guys....let me know what you are
> running into.

http://www.tssci-security.com/archives/2007/12/02/why-pen-testing-doesnt-matter/

Cheers,
Andre
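The passphrase-to-PSK step Andre describes (the passphrase being hashed together with the SSID to produce the hex value that is the real PSK), as an added example that is not part of the original post: it assumes the standard WPA2-Personal derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), and `random_ssid`/`random_passphrase` are Python stand-ins for the tr/fold one-liners above, not tools from the thread.

```python
import hashlib
import secrets
import string

# Assumption (added example): WPA2-Personal derives the 256-bit PSK from an
# ASCII passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 rounds.
# Because the SSID is the salt, a PSK table precomputed for a common SSID
# is useless against a network whose SSID is unique and random.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Return the PSK an AP or client feeds into the 4-way handshake.

    A 64-hex-digit passphrase (what the second one-liner in the post emits)
    is taken as the raw key and skips the derivation entirely.
    """
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)


def random_ssid(length: int = 32) -> str:
    """Alphanumeric SSID, equivalent to: tr -cd '[:alnum:]' | fold -w 32."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(length: int = 63) -> str:
    """Printable, non-space passphrase ([:graph:]) at the 63-char maximum."""
    alphabet = "".join(chr(c) for c in range(33, 127))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    ssid, passphrase = random_ssid(), random_passphrase()
    print(ssid, passphrase, wpa2_psk(passphrase, ssid).hex())
```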

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:16 EDT