Tag Archives: tool

Google Voice turns out to be really handy for phishing attacks. When you send out a phishing email, it’s useful to include a phone number, in case of any issues with the attachment, link or other payload.

Google Voice gives you a new, anonymous number which you can route wherever you'd like (cell, office, etc.). Additionally, you can record a voicemail greeting that impersonates the local admin or security officer, so a target who calls the number to "check" hears what they expect.

The killer feature, however, is the voicemail recording and transcription. Never again do you have to wade through a voice-driven mail system. Now, it simply dumps into your inbox for easy inclusion into a report. Additionally, you can download, email and share (via unique URI) voice messages.

Good for demonstrating that you can’t trust links AND phone numbers.

The guys from Outpost24 are releasing a new tool (sockstress) that exploits problems with TCP state tables. Apparently, you can disable nearly any Windows, Linux or firewall box with minimal attack bandwidth (read: a cable modem is enough).

According to the podcast, the tool does "some evil things" during negotiation of the handshake. It is not a SYN flood, and SYN cookies (the usual SYN-flood defense) do not address it.

The attack uses a concept called 'reverse SYN cookies' to encode information about the client's TCP session in the packets it sends. This is the server-side SYN-cookie trick turned around: the attacker never keeps a per-connection table, because the packets themselves (and the replies they provoke) carry the state and the phase the attack is in for that target. That is what lets it run at scale from a low-bandwidth link.

According to the podcast, approximately 10 packets are needed to disable a single service, and no tested system is known to withstand the attack.
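To make the 'reverse SYN cookie' idea concrete, here is an added illustration in Python of how an attacker can keep per-target state inside the packets rather than in memory. It is not sockstress's code and the podcast gives no details of the real encoding; the ISN layout (4 phase bits plus a 28-bit truncated HMAC) and the keyed-hash construction are assumptions made for this example. The "network" is a constructed stand-in that answers each SYN with a SYN-ACK whose acknowledgement number is ISN+1, which is the only TCP property the recovery step relies on.

```python
"""Reverse SYN cookie: per-target attack state lives in the packets we send.

Added illustration of the concept described in the post, not sockstress's
code.  The ISN layout (PHASE_BITS of phase + truncated HMAC) and the keying
are assumptions for this example.
"""
import hashlib
import hmac

PHASE_BITS = 4                      # attack phases encodable per target
MAC_BITS = 32 - PHASE_BITS          # remaining ISN bits hold an integrity tag
MAC_MASK = (1 << MAC_BITS) - 1
SEQ_MASK = 0xFFFFFFFF


def make_isn(secret: bytes, dst_ip: str, dst_port: int, phase: int) -> int:
    """Initial sequence number for an outgoing SYN to (dst_ip, dst_port).

    Like a server-side SYN cookie, but chosen by the client: the value is
    reproducible from the secret and the connection tuple, so nothing has
    to be stored locally in order to recognise the reply later.
    """
    if not 0 <= phase < (1 << PHASE_BITS):
        raise ValueError("phase does not fit in PHASE_BITS")
    msg = f"{dst_ip}:{dst_port}:{phase}".encode()
    tag = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (phase << MAC_BITS) | (tag & MAC_MASK)


def recover_phase(secret: bytes, peer_ip: str, peer_port: int, ack_num: int):
    """Given a SYN-ACK from (peer_ip, peer_port), recover the phase we encoded.

    A SYN-ACK acknowledges ISN+1 (mod 2^32), so the ISN is ack-1.  The tag is
    recomputed and compared; a stray or forged SYN-ACK yields None instead of
    a phase, so replies we did not solicit cannot steer the attack.
    """
    isn = (ack_num - 1) & SEQ_MASK
    phase = isn >> MAC_BITS
    if make_isn(secret, peer_ip, peer_port, phase) != isn:
        return None
    return phase


def drive_round(secret: bytes, targets, phase: int):
    """One stateless round: one SYN per target, then process the replies.

    The 'network' here is a constructed stand-in that answers every SYN with
    a SYN-ACK carrying ack = isn + 1.  Returns {(ip, port): recovered phase};
    note that no table of outstanding ISNs is kept between send and receive.
    """
    results = {}
    for ip, port in targets:
        isn = make_isn(secret, ip, port, phase)
        syn_ack_ack = (isn + 1) & SEQ_MASK      # what the peer would send back
        results[(ip, port)] = recover_phase(secret, ip, port, syn_ack_ack)
    return results


if __name__ == "__main__":
    key = b"per-run attacker secret"          # fresh per run; constructed here
    print(drive_round(key, [("192.0.2.10", 80), ("192.0.2.11", 443)], phase=2))
```

The integrity tag matters even for an attacker: without it, any host that happens to send a SYN-ACK (or a defender replaying one) could inject bogus state into the run. Everything else a real tool would need, such as which field carries the phase in later packets of the handshake, is outside what the podcast describes and is not modelled here.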

The podcast is the best source of information at this point. (The English portion starts about five minutes in.)
More information here:

Here's a simple utility I coded up using Perl + LWP to blindly request files from a web server and print the status code that's returned. Functionally, it's similar to the excellent DirBuster, but without the overhead of Java.

Usage:

jcran@marzban:~/toolkit-new/nix/brute-web$ ./webFileScanner.pl
Usage: ./webFileScanner.pl [ip or hostname] [file with urls] [https?]

Example:

jcran@marzban:~/toolkit-new/nix/brute-web$ ./webFileScanner.pl http://0x0e.com ../../wordlist/directory-list-1.0.txt

Output:

jcran@marzban:~/toolkit-new/nix/brute-web$
...
url: http://0x0e.com/healthyliving - status: 404
url: http://0x0e.com/healthy_living - status: 404
url: http://0x0e.com/pl0p - status: 200
url: http://0x0e.com/relationships - status: 404
url: http://0x0e.com/his - status: 404
url: http://0x0e.com/history - status: 404
url: http://0x0e.com/ancient - status: 404
url: http://0x0e.com/family - status: 404
...

The output is grep-able, and LWP makes it quite simple to add additional features as needed. For instance, you could quickly instruct LWP to save 'status: 200' pages to disk.
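The script itself is not reproduced on this page, so here is an added Python reimplementation of the behaviour described (not the Perl/LWP script from the post): request each wordlist entry under a base URL, emit the same grep-able "url: ... - status: NNN" lines, and, as the extension suggested above, save the bodies of 200 responses to disk. The fetcher is injectable, so the included demo runs offline against a constructed stand-in for the site; the base-URL argument replaces the post's separate host and https? arguments, which is a design choice of this example.

```python
"""Blind web file scanner: request base/<word> for every wordlist entry and
print one grep-able line per request, optionally saving 200 responses.

Added example in Python, not the Perl/LWP script the post describes.  The
output line format is the one shown in the post; FAKE_SITE is constructed.
"""
import os
import re
import sys
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Matches the grep-able output format so results can be post-processed.
LINE_RE = re.compile(r"^url: (\S+) - status: (\d{3})$")


def http_fetch(url, timeout=10):
    """Live fetcher (uses the network): returns (status, body).
    4xx/5xx arrive as HTTPError, so their codes are reported, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "webFileScanner"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def scan(base, words, fetch=http_fetch, save_dir=None):
    """Request base/<word> for each word and return the output lines.

    `fetch` is injectable so the scanner can run against a fake server.
    When save_dir is given, bodies of 200 responses are written there.
    """
    root = base.rstrip("/") + "/"
    lines = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):       # skip blanks and comments
            continue
        url = urljoin(root, word.lstrip("/"))
        status, body = fetch(url)
        lines.append(f"url: {url} - status: {status}")
        if status == 200 and save_dir:
            # Flatten the path into a safe file name (no separators, no traversal).
            path = urlparse(url).path.strip("/")
            name = re.sub(r"[^A-Za-z0-9._-]", "_", path) or "index"
            with open(os.path.join(save_dir, name), "wb") as fh:
                fh.write(body)
    return lines


def hits(lines):
    """Equivalent of piping the output through `grep 'status: 200'`."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) == "200":
            found.append(m.group(1))
    return found


# Constructed stand-in for a target site; only one path exists.
FAKE_SITE = {"http://0x0e.com/pl0p": (200, b"<html>found</html>")}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, b""))


def demo():
    """Offline run against FAKE_SITE; returns (lines, names of saved files)."""
    save_dir = tempfile.mkdtemp()
    lines = scan("http://0x0e.com", ["healthyliving", "pl0p", "his"],
                 fetch=fake_fetch, save_dir=save_dir)
    return lines, sorted(os.listdir(save_dir))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"Usage: {sys.argv[0]} [base url] [file with paths]")
    with open(sys.argv[2], encoding="utf-8", errors="replace") as wordlist:
        for out in scan(sys.argv[1], wordlist):
            print(out)
```

Keep in mind that a plain status check is only a first pass: sites that answer 200 for everything, or redirect unknown paths, need a content-based comparison on top of this, which is the kind of feature the injectable fetcher makes easy to add.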

You can download the file here.