Posted by & filed under Secure Development, Security News.

Microsoft has confirmed that millions of ASP.NET web applications are vulnerable to attacks that could potentially let the attacker decrypt data and read arbitrary files on the remote web server. The vulnerability, a padding oracle in the .NET framework, is described in detail here; the tool (POET) is here. All the attacker needs is a server that reveals, through a different error message or response time, whether the padding of a tampered ciphertext decrypted correctly. That single bit of information, with at most 256 guesses per byte, is enough to decrypt the ciphertext without ever learning the key.

Microsoft will have to patch every supported version of Windows, from XP Service Pack 3 and Server 2003 to Windows 7 and Server 2008 R2, as well as other products, including its IIS and SharePoint server software. Microsoft has also released a tool to test for vulnerable web applications. That will definitely be included in my pentest kit.

Posted by & filed under /dev/random.

RSnake has a nice writeup on the effect of snake oil security. Discussing two hypothetical banks, one of which is running snake oil security, he writes:

This goes back to the bear in the woods analogy that I personally hate. The story goes that you don’t have to run faster than the bear, you just have to run faster than the guy next to you. While that’s a funny story, that only works if there are two people and you only encounter one bear. In a true ecosystem you have many many people in the same business, and you have many attackers. If you leave your competitor(s) out to dry that may seem good for you in the short term, but in reality you’re feeding your attacker(s). Ultimately you are allowing the attacker ecosystem to thrive by not reducing the total amount of fraud globally. Yes, this means if you really care about fixing your own problem you have to help your competitors.

This reminded me of the book The New School of Information Security that I read a couple of years ago. While it was a quick read, it made a convincing point about why people within information security should share [statistics of] their incidents and hacker attacks. This resonates well with RSnake's reasoning above: in a hostile environment, the best way to reduce the hostility is to cooperate; if you don't, you're feeding the troll.

However, my personal experience indicates that few information security incidents are publicly reported. Sure enough, a couple of days later RSnake published this post, confirming my suspicion. How can the total number of incidents go down when everybody in the infosec community reports the opposite?

I think IT and information security people should be more eager to share information about breaches and far less concerned about their company’s good name and “zero incidents reputation”. If we were more focused on sharing data about the incidents, malware attacks and fraud attempts we’re experiencing, that would truly make a difference. That way we could actually gather some real-time statistics on what businesses really are facing, both externally and internally. By sharing this information with everyone, one would potentially reduce the hostility of the surrounding environment, or at least make it difficult for the bad guys out there to survive.

After all, this is proven theory in other scientific (?) fields, like in economics. Anyone remember the Nash Equilibrium?

Large parts of the community already feel that openness is essential to security. I think willingness to share real-time information on internal and external security trends will be vital in the future.

Posted by & filed under Hacks.

I tried installing LaTeX using the MacTeX distribution, but had trouble using it with the excellent text editor TextMate: it simply could not find pdflatex or any of the other binaries needed to compile my paper. The error message I got was simply

pdflatex not found

After some fumbling I was able to specify the whereabouts of pdflatex by using TextMate’s shell variables (Under Preferences->Advanced), only to find that it still could not find the needed binaries:

kpsewhich: command not found

The LaTeX bundle manual indicated that the MacTeX installer should modify the PATH environment variable, but it did not modify mine. The solution was to modify the PATH variable in /etc/profile by changing

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"

to

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/texbin"

/usr/texbin is the symlink MacTeX installs that points at the binaries of the current TeX distribution. Note that /etc/profile is read by every login shell on the machine, so this changes PATH for all users; the same line in ~/.profile keeps the change to your own account. Log out and back in, then test it by pressing Command-R in TextMate. Voila!

Posted by & filed under /dev/random, Hacking & Pentesting, Tools & Methodology.

I wanted to learn how to use scapy, specifically to craft some packets that could confuse IDS operators at a blue team/red team exercise at SANS Boston. Now, I’ve used packETH for this before (and it works like a charm), but I wanted to learn something that could be scripted on the command line.

So I installed scapy from the Ubuntu repositories (or I could have fetched it from the link above). I wanted to play around and craft some ICMP ping packets with custom payloads, just to see if the IDS guys in the other room really were listening on the wire:

from scapy.all import IP, ICMP, sr
# Needs root (raw sockets). "1-254" expands to every host in the /24; sr() sends
# each packet and returns the (answered, unanswered) pairs.
ans,unans = sr(IP(dst="10.246.144.1-254")/ICMP()/"PING! If you can read this, you're on the *wrong* OSI layer. O_o Zombies ahead!! Greetings from the SEC542 class")
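Since the point of the exercise was whether anyone on the blue team would spot text riding inside ICMP, here is an added Python example showing both sides without scapy or root: it builds the ICMP echo request bytes (header, RFC 1071 checksum, payload) the way scapy's ICMP()/"text" does, and then runs the kind of rule an IDS would apply, flagging echo payloads that are mostly printable text while letting a stock ping's timestamp-plus-0x10,0x11,... filler through. This is example code written for this page, not scapy's or any IDS vendor's; the packets are constructed in the script and the IP header is left out.

```python
"""ICMP echo with a custom payload, and the check a blue team would run on it
(added example, not from the post; builds only the ICMP layer, no IP header)."""
import string
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
_TEXT = set(bytes(string.ascii_letters + string.digits + string.punctuation + " ", "ascii"))


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; over a whole valid packet it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload, ident=0x1234, seq=1):
    """Echo request: type 8, code 0, checksum, id, seq, then the payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(pkt):
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(pkt) == 0, "payload": pkt[8:]}


def standard_ping_payload(timestamp=b"\x00" * 16, total=56):
    """What a stock ping typically sends: a timestamp, then 0x10, 0x11, 0x12, ..."""
    filler = bytes((0x10 + i) & 0xFF for i in range(total - len(timestamp)))
    return timestamp + filler


def suspicious_echo_payload(payload):
    """Return a reason if an echo payload looks like smuggled text, else None."""
    n = len(payload)
    if n == 0:
        return None
    # Stock ping filler (incrementing bytes after a short timestamp) is benign.
    for prefix in (0, 8, 16):
        if n > prefix and payload[prefix:] == bytes((0x10 + i) & 0xFF for i in range(n - prefix)):
            return None
    printable = sum(b in _TEXT for b in payload)
    has_letters = any(65 <= b <= 90 or 97 <= b <= 122 for b in payload)
    if n >= 16 and printable / n >= 0.9 and has_letters:
        return "printable text in echo payload (%d of %d bytes)" % (printable, n)
    return None


def inspect(packets):
    """Run the rule over raw ICMP packets; returns (index, reason) for each hit."""
    hits = []
    for i, pkt in enumerate(packets):
        p = parse_icmp(pkt)
        if not p["checksum_ok"]:
            hits.append((i, "bad ICMP checksum"))
        elif p["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            reason = suspicious_echo_payload(p["payload"])
            if reason:
                hits.append((i, reason))
    return hits


# Constructed traffic: an ordinary ping next to the payload from the post.
PAYLOAD = (b"PING! If you can read this, you're on the *wrong* OSI layer. "
           b"O_o Zombies ahead!! Greetings from the SEC542 class")
SAMPLE = [build_icmp_echo(standard_ping_payload()), build_icmp_echo(PAYLOAD)]

if __name__ == "__main__":
    for idx, reason in inspect(SAMPLE):
        print("packet %d: %s" % (idx, reason))
```

The same rule, with a lower threshold and a size check, is how ICMP tunnels get caught: an echo request whose payload is not the familiar filler, or whose size or rate is out of line for ping, is worth a look even when the text is not as chatty as this one.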

Posted by & filed under Hacking & Pentesting, Tools & Methodology.

I’m attending the SANS SEC542 course this week in Boston, and during one of the exercises I managed to extract some MySQL password hashes via a SQL injection.

Needless to say, I wanted the passwords for the database users, so I thought I'd feed the hashes to my trusty friend John the Ripper for some serious cracking. But since version 4.1, MySQL has used a significantly stronger hash than the old 16-hex-digit PASSWORD() output: SHA1(SHA1(password)), stored as an asterisk followed by 40 hex digits (John calls this format mysql-sha1). It is still unsalted, so identical passwords produce identical hashes and a wordlist goes through it fast, but John does not support it out of the box.

So here's how you recompile John with the so-called "jumbo patch" to enable cracking of MySQL >= 4.1 password hashes (and loads of other hash types as well) on Ubuntu:

First, make sure that you have the necessary build tools, kernel headers and development libraries (libssl-dev provides the OpenSSL headers the jumbo patch needs):

sudo apt-get install build-essential linux-headers-$(uname -r) libssl-dev

Now we need to fetch the latest source code for John (at the time of writing, 1.7.6), so switch into a suitable working directory and get it from openwall.com as shown here. The download is over plain HTTP, so check the tarball against the detached PGP signature Openwall publishes next to each release before you build a tool you will feed real hashes to:

cd
mkdir src
cd src/
mkdir john-bigpatch
cd john-bigpatch/
wget http://openwall.com/john/g/john-1.7.6.tar.gz
tar xvf john-1.7.6.tar.gz

The last command expands the archive into a folder called john-1.7.6. cd into it and get the matching "jumbo patch" (the patch version must match the John version exactly):

cd john-1.7.6/
wget http://openwall.com/john/contrib/john-1.7.6-jumbo-6.diff.gz
gunzip john-1.7.6-jumbo-6.diff.gz

Now we’ll patch John up and compile the patched version:

patch -p1 < john-1.7.6-jumbo-6.diff
cd src/
make clean linux-x86-any

If you're on a 64-bit platform, use the linux-x86-64 target instead; that is what made it compile on my laptop:

make clean linux-x86-64

That's it. Now John is ready to chew on files of MySQL 4.1+ hashes, one user:hash per line. Running ./john --test first benchmarks every compiled-in format and so doubles as a check that mysql-sha1 made it into the build. Naming the format with --format=mysql-sha1 stops John from guessing wrong when a file mixes hash types:

cd ../run/
./john --format=mysql-sha1 hashes.txt

The simple command above is just the start: it will try "single crack" mode first, then use a wordlist with rules, and finally go for "incremental" mode. Check out these great tutorials or the documentation to learn how to use John to its full potential. Happy cracking!
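To make the hash format concrete, here is an added Python example (not John's code and not from the course) that implements MySQL's 4.1+ PASSWORD() function, tells the old and new formats apart in a user:hash dump of the kind you paste out of a SQL injection result, and runs a small wordlist attack the way John's mysql-sha1 format does. The dump, the usernames and the wordlist are constructed here, and the hashes are generated by the script rather than taken from any real server; the one pre-4.1 style entry is a made-up 16-hex-digit string included only to show it being classified and skipped.

```python
"""MySQL >= 4.1 password hashes: what John's mysql-sha1 format actually cracks.
Added example for this page, not John the Ripper's code."""
import hashlib
import re

OLD_RE = re.compile(r"^[0-9a-f]{16}$", re.I)     # pre-4.1 PASSWORD(): 16 hex digits
NEW_RE = re.compile(r"^\*[0-9A-F]{40}$", re.I)   # 4.1+ PASSWORD(): '*' + 40 hex digits


def mysql41_hash(password):
    """PASSWORD() since MySQL 4.1: '*' + uppercase hex of SHA1(SHA1(pw)); no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()  # raw digest, not hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(h):
    """Which John format a hash belongs to (by shape only)."""
    if NEW_RE.match(h):
        return "mysql-sha1"
    if OLD_RE.match(h):
        return "mysql (pre-4.1)"
    return "unknown"


def parse_dump(text):
    """Parse 'user:hash' lines; blank and malformed lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, h = line.split(":", 1)
        entries.append((user.strip(), h.strip()))
    return entries


def crack(entries, wordlist):
    """Hash each candidate once and look it up against every target.

    Because the hash is unsalted, one SHA1(SHA1()) per word covers all users
    at once; that is why these hashes fall so quickly to a wordlist.
    """
    targets = {}
    for user, h in entries:
        if classify(h) == "mysql-sha1":
            targets.setdefault(h.upper(), []).append(user)
    found = {}
    for word in wordlist:
        for user in targets.get(mysql41_hash(word), ()):
            found[user] = word
    return found


# Constructed sample dump: hashes generated here, not pulled from a real server.
SAMPLE_DUMP = "\n".join([
    "root:" + mysql41_hash("sec542boston"),
    "app:" + mysql41_hash("letmein"),
    "backup:" + mysql41_hash("letmein"),   # same password => same hash (no salt)
    "legacy:5d2e19393cc5ef67",             # made-up pre-4.1 style hash, skipped here
])
WORDLIST = ["password", "letmein", "sec542boston", "admin"]  # constructed

if __name__ == "__main__":
    for user, h in parse_dump(SAMPLE_DUMP):
        print("%-8s %-16s %s" % (user, classify(h), h))
    print(crack(parse_dump(SAMPLE_DUMP), WORDLIST))
```

The inner SHA-1 is fed to the outer one as raw bytes, not as a hex string; getting that wrong produces a hash that never matches, which is the usual reason a hand-rolled cracker "finds nothing" against real MySQL hashes.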