Google Voice turns out to be really handy for phishing attacks. When you send out a phishing email, it’s useful to include a phone number, in case of any issues with the attachment, link or other payload.

Google Voice gives you a (new, anonymous) number which you can route wherever you’d like (cell, office, etc.). Additionally, you can configure your voicemail to quickly impersonate the local admin or security officer.

The killer feature, however, is the voicemail recording and transcription. Never again do you have to wade through a voice-driven mail system. Now, it simply dumps into your inbox for easy inclusion into a report. Additionally, you can download, email and share (via unique URI) voice messages.

Good for demonstrating that you can’t trust links AND phone numbers.

Scoping a penetration test is difficult. This is why Statements of Work and Requests for Proposals are necessary evils. It’s not an exact science.

There are a lot of factors that can be involved:

  • Number / Complexity of Systems and Networks - Standard Windows boxes? What about the patching system controlling their updates? Are they located in the DMZ, or would exploitation of the system drop you directly into the internal network?
  • Number / Complexity of Applications - Number of pages (a horrible metric)? What technologies are involved? How many developers? In-house, or third-party? Remote administration? The list goes on…
  • Depth of Testing - How “deep” should the test go? Should we stop once we’ve run a vulnerability scan and confirmed / denied the results? What about brute forcing of authentication? What about attacking the users? What happens when we gain access? Should we continue?
  • Focus Areas – Where should testing be focused? What systems are of critical importance? How are those systems used?

A number of helpful things to do:

  • Define a goal. If you haven’t DEFINED a goal, you should start there. Some goals are obvious: gain Domain Administrator access. Some are not so obvious: gather a specific document from the desktop of Sally in accounting.
  • Accept that each test is going to be different. Each time you do one of these, the goals are going to be slightly different. Disregard that fact at your own risk.
  • Look at the system from the perspective of controls. Which controls are you trying to test? The firewall? The spam filter? The user’s intuition? (The danger of this method is testing to the control, not the gaps between them.)

In the end, scoping == budgeting. You have to be able to make reasonable estimates about the time you’re going to spend testing. How do you scope penetration tests and other service work? I’m interested in the tactical (and repeatable) metrics that you use!

I often hear technologies or controls disregarded on the basis of “It can’t protect against X scenario” or “It doesn’t completely protect me.”

For example, take a web application firewall. It can be boiled down to a regex, and possibly some fancy behavior analysis. It CAN be subverted. Encoding, session splicing and other types of evasion can defeat it.

That’s not to say technologies and products shouldn’t strive for more. It’s just accepting the reality that you can’t completely control your environment.

It’s not about creating a perfect defense. It’s about raising the bar.
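As an added example (mine, not from the original post), here is the “WAF boiled down to a regex” point in code: one signature applied to the raw request, the same signature applied after the request is canonicalized, and a handful of constructed requests run through both. The sample requests, the signature and the function names are my own assumptions; no real product’s rules are reproduced.

```python
import re
import urllib.parse

# Constructed sample requests (not from any real traffic). "plain" is what the
# signature was written against; the last three carry the same tokens behind
# percent-encoding, double encoding and inline SQL comments.
SAMPLE_REQUESTS = {
    "benign":      "id=42&sort=name",
    "plain":       "id=1 UNION SELECT user, pass FROM users",
    "pct_encoded": "id=1%20UNION%20SELECT%20user,pass%20FROM%20users",
    "double_enc":  "id=1%2520UNION%2520SELECT%2520user%2C%2520pass%2520FROM%2520users",
    "commented":   "id=1 UNION/**/SELECT/**/user,pass/**/FROM/**/users",
}

# One signature, deliberately simple: this is the "it's a regex" layer.
SIGNATURE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def naive_waf(raw_query: str) -> bool:
    """Single-layer check over the raw request bytes. True means 'block'."""
    return SIGNATURE.search(raw_query) is not None


def canonicalize(raw_query: str, max_decode_rounds: int = 3) -> str:
    """Undo the transformations evasions rely on before matching: bounded
    repeated percent-decoding, comment stripping, whitespace folding and
    case folding. The decode loop is bounded so a hostile input cannot
    make the filter itself do unbounded work."""
    s = raw_query
    for _ in range(max_decode_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)   # /**/ is a token separator to SQL parsers
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def hardened_waf(raw_query: str) -> bool:
    """Same signature, applied to the canonical form instead of the raw bytes."""
    return SIGNATURE.search(canonicalize(raw_query)) is not None


def evaluate(requests: dict) -> dict:
    """Map each sample name to (blocked_by_naive, blocked_by_hardened)."""
    return {name: (naive_waf(q), hardened_waf(q)) for name, q in requests.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{name:12s} naive={naive!s:5s} canonicalized={hardened}")
```

The canonicalizing version catches the encoded and comment-split variants that sail past the raw-bytes check, but it is still one regex with a three-round decode budget, and it is blind to anything the signature does not describe. That is the bar being raised, not a perfect defense.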

Security only works as a process, only as defense-in-depth. There is no silver bullet that can protect against all scenarios. Everything breaks when its assumptions are violated.

The whole security industry is wrapped up in an arms race. As soon as you add another layer of protection, an attacker is forced to work that much harder, and they will.

The question becomes, does the arms race ever end? (Hopefully not. It’s paying my bills.)

Smarter people than I have written about this.

It’s damned liberating to take this distro and be able to update it. This, along with specialized security-tool repositories, is the killer feature of the new Back|Track 4 release. A

If you haven’t tried either the LiveCD or the VM version, give ’em a shot.

My first impressions are extremely positive. I like the fact that you can choose your window manager, KDE or FVWM (FVWM is /sexy/). Most of the Ubuntu folk (myself included) are used to Gnome, but KDE will do.

It would be better if the distro auto-generated a password on first boot, rather than using the default of root:toor, especially now that the distro has become installable to disk, and thus more permanent. I look forward to owning a corporate auditor’s Backtrack box. :)

Good work all around. Now to get documentation on how to set up & maintain my own Debian/Backtrack tool repository! 

jcran

ShmooCon 2009 Talks

Visualization of the 2009 ShmooCon talks, created by Wordle.net.

These are a rough set of notes I put together when figuring out Amazon’s EC2. I’ve been using the boxes quite extensively to crack passwords. This has turned out to be a godsend for me when I’m on the road and need to be able to set up heavy-duty machines on the fly.

To get started:

Set up an Amazon account:

Chances are you probably already have one, but if necessary you can sign up at http://aws.amazon.com/. You can use your regular Amazon.com account to get started with EC2.

  • Take note of your access key and secret key; you’ll need them in the next steps.

Get & Configure ElasticFox Firefox Plugin

Though Amazon.com just released their own browser-based console to control machines, I prefer the ElasticFox plugin.

  • Download the latest version of ElasticFox (Firefox plugin)
  • Open ElasticFox: Firefox -> Tools -> ElasticFox
  • Click Credentials
    • Add your Amazon credentials to the list
    • Click OK
  • Select the new account from the drop-down

Create a New Instance

  • Click the Amazon Machine Images (AMIs) and Instances tab
    • Hit the refresh button in the upper left (blue)
    • If you’re looking for a specific machine, type that in the search and hit refresh
      • Try the Alestic Ubuntu base (i386) images – they’re vanilla and rock-solid
    • Right-click on the image and select create

Selecting An Instance Type

  • Amazon instances come in a few flavors:
    • M1 – memory – $0.10 / hour (default)
    • M2 – memory2 – $0.40 / hour
    • M3 – memory3 – $0.80 / hour
    • C1 – cpu1 – $0.20 / hour
    • C2 – cpu2 – $0.80 / hour

Generate a Public/Private key pair

Amazon, by default, requires key-based authentication. ElasticFox makes the management of this fairly painless, except when you’re dealing with multiple PCs. The management of these keys is important. If the key is lost, you WILL NOT be able to log into the machine created with the key.

  • If you’re on Linux, the .pem file will work with the default terminal’s ssh (if you’re on Windows, a little extra work with PuTTY / PuTTYgen is needed here to convert the key)
    • Tested on Ubuntu/gnome-terminal

Configuring an Elastic IP

  • Elastic IPs can be used to give a temporary static IP to a machine
    • This can be useful in the case of connect-backs
  • Note that the machines can always be accessed by public DNS name

Setting up the box

Now for the fun part.

  • Run the following (non-interactive, so it can be pasted into the fresh box and left alone):
    #!/bin/bash
    set -e
    apt-get update
    apt-get -y upgrade
    apt-get -y install john
  • Copy / Paste the hash file into the terminal
  • Run john on the hash file
  • ???
  • Profit.

Enjoy :)
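An added helper for the “paste the hash file into the terminal” step, not part of the original notes: before spending paid instance hours, triage the paste so you know which hash formats are in it, how many unique hashes there are, and what to drop (comments, locked accounts, duplicates). The format labels, the sample lines and the function names are my own constructions; mapping the labels to john’s --format names is left to the reader.

```python
import re
from collections import Counter

B64 = r"[./0-9A-Za-z]"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Format signatures, most specific first. Labels are mine. "rounds=N$" prefixes
# on $5$/$6$ hashes are deliberately not handled here, so such lines come back
# as "unknown" instead of being mislabelled.
PATTERNS = [
    ("sha512crypt", re.compile(r"^\$6\$[^$]{1,16}\$" + B64 + r"{86}$")),
    ("sha256crypt", re.compile(r"^\$5\$[^$]{1,16}\$" + B64 + r"{43}$")),
    ("md5crypt",    re.compile(r"^\$1\$[^$]{1,8}\$" + B64 + r"{22}$")),
    ("descrypt",    re.compile(r"^" + B64 + r"{13}$")),
    ("raw-32hex",   HEX32),   # NTLM or raw MD5: ambiguous without context
]
LOCKED = {"", "*", "!", "!!", "x"}   # shadow/passwd markers with nothing to crack

# Constructed sample paste (not real credentials): shadow-style lines, a locked
# account, a DES crypt, a pwdump-style line, a bare digest, junk and a duplicate.
SAMPLE_LINES = [
    "# constructed sample dump",
    "alice:$6$saltsalt$" + "a" * 86 + ":17000:0:99999:7:::",
    "bob:$1$saltsalt$" + "b" * 22 + ":17000:0:99999:7:::",
    "carol:*:17000:0:99999:7:::",
    "dave:" + "c" * 13,
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:" + "d" * 32 + ":::",
    "e" * 32,
    "",
    "alice:$6$saltsalt$" + "a" * 86 + ":17000:0:99999:7:::",
]


def classify(h: str) -> str:
    for name, pat in PATTERNS:
        if pat.match(h):
            return name
    return "unknown"


def parse_line(line: str):
    """Return (user, hash, format) for a crackable line, None for anything else."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    # pwdump style user:RID:LM:NT:::  -> keep the NT hash, the LM half is noise here
    if len(parts) >= 4 and parts[1].isdigit() and HEX32.match(parts[2]) and HEX32.match(parts[3]):
        return (parts[0], parts[3].lower(), "ntlm")
    if len(parts) >= 2:
        user, h = parts[0], parts[1]
        if h in LOCKED or h.startswith("!"):
            return None   # disabled or locked account: nothing to crack
        return (user, h, classify(h))
    return (None, line, classify(line))   # bare hash, no user name


def triage(lines):
    """Deduplicate by hash and summarise what the paste actually contains."""
    seen, entries, dupes, skipped = set(), [], 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec[1] in seen:
            dupes += 1
            continue
        seen.add(rec[1])
        entries.append(rec)
    return {"entries": entries, "by_format": Counter(r[2] for r in entries),
            "duplicates": dupes, "skipped": skipped}


def lines_for_format(entries, fmt: str):
    """john runs one hash type at a time; emit user:hash lines for that type."""
    return [f"{u or '?'}:{h}" for u, h, f in entries if f == fmt]


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    print(dict(report["by_format"]), "duplicates:", report["duplicates"],
          "skipped:", report["skipped"])
    for fmt in report["by_format"]:
        print(fmt, lines_for_format(report["entries"], fmt))
```

On the constructed sample the report shows five unique hashes across five formats, one duplicate and three skipped lines; anything labelled "unknown" or "raw-32hex" deserves a look before the meter starts running.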

Jeremiah Grossman & co’s “Top Web Hacking Techniques of 2008” have been released. Go check ’em out, update your own techniques, and add anything they might have missed (I can’t think of any…).

Some of my favorites:

  • Cross-Site Printing – Using only JavaScript, an Internet web site can remotely print to a printer on an internal network by doing an HTTP POST. Handy for sending anonymous notes when your neighbor just won’t shut up.
  • GIFARs – These files could be uploaded to sites that allow image uploading (such as many sites’ member photos) to run code in the context of that site – getting around the “same origin policy” that browsers impose. Handy for spl0iting forums.
  • SQL Column Truncation - Interesting technique that j0e brought to my attention. Good for spl0iting your friendly neighborhood MySQL app.
  • Cross-Environment Hopping - To be honest, I haven’t read the whole post here, but I think I’ve always wanted to cross-hop someone. Sue me. (This is a REALLY nice explanation of current same-origin issues & how to utilize different IE / Firefox components to take advantage of variations in implementation, for what it’s worth.)
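Added example (mine, not from the linked write-ups): a toy model of the SQL column truncation item, with the vulnerable registration path beside its hardened form. The LegacyUsers class stands in for a MySQL table running without strict sql_mode on a PAD SPACE collation; the column width, user names and passwords are constructed for the demonstration.

```python
COLUMN_WIDTH = 16   # constructed: the legacy schema's VARCHAR(16) username column


class LegacyUsers:
    """Toy stand-in for a MySQL table without strict sql_mode: values longer
    than the column are silently cut to width on INSERT, and equality under a
    PAD SPACE collation ignores trailing spaces on SELECT."""

    def __init__(self, width: int):
        self.width = width
        self.rows = []   # (username, password) in insertion order

    @staticmethod
    def _eq(a: str, b: str) -> bool:
        return a.rstrip(" ") == b.rstrip(" ")

    def find(self, username: str):
        """SELECT * FROM users WHERE username = ?  (collation-aware compare)."""
        return [r for r in self.rows if self._eq(r[0], username)]

    def insert(self, username: str, password: str) -> None:
        self.rows.append((username[: self.width], password))   # silent truncation


def register_vulnerable(db: LegacyUsers, username: str, password: str) -> None:
    # Exact string compare in application code says the crafted name is new...
    if any(r[0] == username for r in db.rows):
        raise ValueError("taken")
    # ...then the database truncates it into a collision with an existing row.
    db.insert(username, password)


def register_hardened(db: LegacyUsers, username: str, password: str) -> None:
    # Enforce the column's real width and reject padding before the DB sees it,
    # and run the existence check with the database's comparison, not Python's.
    if len(username) > db.width:
        raise ValueError("username too long")
    if username != username.strip():
        raise ValueError("leading/trailing whitespace not allowed")
    if db.find(username):
        raise ValueError("taken")
    db.insert(username, password)


def login(db: LegacyUsers, username: str, password: str) -> bool:
    """WHERE username = ? AND password = ?  -> any matching row authenticates."""
    return any(p == password for _, p in db.find(username))


def attempt(register, db, username, password):
    """Run a registration; return the rejection reason, or None on success."""
    try:
        register(db, username, password)
    except ValueError as e:
        return str(e)
    return None


def demo(register):
    """A legitimate 'admin' exists; a name one character past the column width
    is registered; report whether its password now logs in as 'admin'."""
    db = LegacyUsers(COLUMN_WIDTH)
    register(db, "admin", "real-admin-pw")
    crafted = "admin".ljust(COLUMN_WIDTH) + "x"   # 17 chars; truncates to 'admin' + 11 spaces
    reason = attempt(register, db, crafted, "attacker-pw")
    if reason is not None:
        return ("rejected", reason)
    return ("accepted", login(db, "admin", "attacker-pw"))


if __name__ == "__main__":
    print("vulnerable:", demo(register_vulnerable))
    print("hardened:  ", demo(register_hardened))
```

The application-side length check is the part the app owner controls; the other half of the fix is turning on MySQL’s strict sql_mode so an over-length INSERT fails instead of being quietly trimmed, which closes the gap even for code paths nobody remembered to validate.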

Note to self: Don’t spend 45 mins trying to figure out how to unlink a word in ScribeFire. Entire linked paragraphs are /okay/ if it’s going to destroy your productivity (and your non-existent social life).