SSHatter is a Perl based tool for brute force guessing SSH login credentials. Since I last wrote about SSHatter several new versions have been released. The latest version is 1.0 which has several improvements, but which still suffers from a few bugs.
Cross site scripting (XSS) is a pervasive problem facing web applications these days. In a typical cross site scripting attack an attacker will utilize a portion of a web application to supply data that will result in the rendering of malicious HTML or JavaScript to other users. Many developers ask how to prevent XSS vulnerabilities in their applications quickly and easily. The simplest answer is to never trust user supplied data.
Raj Umadas and Mike Zusman of Intrepidus Group gave an amazing talk on Mallory last night at the Philadelphia OWASP chapter meeting. At first glance Mallory seems like a simple tool, just a proxy application that sits on the wire. Closer inspection, however, reveals that Mallory offers functionality above and beyond traditional tools for packet inspection. Mallory looks like an exceptional tool that could be a valuable part of any software security assessor's toolkit.
Hydra is a powerful, multi-protocol brute force attack tool. Brute force attacks involve guessing authentication credentials in an attempt to gain access to a system. Brute force is, over time, the most successful way to break simple authentication. The main disadvantages of brute force attacks are the time required to try username and password combinations, and the fact that these types of attacks are extremely noisy. Noise, in this instance, means that brute force attacks generate a lot of traffic, and potentially quite a bit of evidence of the attack. It is even possible to perform a denial of service attack using brute force tools. By attempting authentication repetitively over periods of time it may be possible to tie up system resources to such an extent that legitimate users cannot access the resource.
I recently finished the latest installment of the LAMPSecurity.org Capture the Flag exercise. I've managed to get some feedback from folks and the reception is generally good. One review at the Preach Security Blog actually wanted the exercise to be harder :) The LAMPSecurity capture the flag exercises are an outgrowth of some of the training work that I'm doing at my work to train programmers and sysadmins about some common security vulnerabilities. The exercises are designed to simulate real world systems - they have multiple user accounts and each user has different privileges. Users have e-mail and home directories full of files that realistically simulate actual usage.
I looked forward to Chained Exploits: Advanced Hacking Attacks from Start to Finish by Whitaker, Evans and Voth with much anticipation as the concept is a much needed addition to the lexicon on information security. Often academic fields are severely limited by the vocabulary available to discuss issues and the "chained exploit" is sure to become a mainstay in the discourse of information security. Despite my enthusiasm for the concept, however, I was disappointed by the material presented in CE. The genius of the chained exploit is that it upends the traditional threat matrix, typically presented.
This week Google entered the web browser wars with a vengeance, releasing their own web browser, dubbed Chrome, as a free beta. Chrome (http://www.google.com/chrome) sports some impressive features and is being released as entirely free, open source software. Of particular interest are the new security features that are built in to chrome. Two extremely interesting security features are the browser privacy mode and the tabs in Chrome.
Two days ago OWASP announced the release of a new version of their DirBuster tool. DirBuster is a Java based web application scanner. Basically you give it a host and it scans that host for directories on the host. DirBuster can utilize a list of directories and files or it can brute force them. DirBuster is nice because it can find files directories that might not be directly linked to. This can be used to expose information on the host that you might not find otherwise. DirBuster will also parse the HTML of files that it does discover, allowing it to follow links present in discoverable files as well. You can find more information about DirBuster at the OWASP site at https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project.
I just got word that I passed by CEPT (Certified Expert Penetration Tester) certification. CEPT is a certification offered by the IACRB (the Information Assurance Certification Review Board), a "An industry standard organization," "Formed by information security professionals.,"A not-for-profit legal entity with a sole mission to certify individuals.," which "Requires all exam candidates to pass a hands-on practical examination." I became familiar with the IACRB after attending a class offered by InfoSec Institute. I had never heard of the IACRB before, but the class included certification based on passing an exam that was given at the end of the class. The exam had two parts - the first was a multiple choice exam, which is standard for most certifications. The second part was a take home practical that was extremely challenging.
The Certified Ethical Penetration Tester (CEPT) certification is sponsored by the IACRB (Information Assurance Certification Review Board). The certification is a two part process. The first part is a 50 question multiple choice exam. You have to get 70% correct to pass that part. Once you've passed the multiple choice you're given a three part practical to complete in 60 days. The practical is advertised to consist of discovering and creating working exploit for a Windows vulnerability, discovering and creating a working exploit for a Linux vulnerability and reverse engineering a Windows binary.
As promised here is my full review of The New School of Information Security by Adam Shostack and Andrew Stewart:
The New School of Information Security is one of the most timely and radical books on computer and information security that I've ever read. Adam Shostack and Andrew Stewart help to stimulate a significant paradigm shift that has been brewing in the infosec sphere for some time. With solid evidence and well grounded arguments Shostack and Stewart advocate for a new, and much needed, approach to information security: the New School.
I've been reading about botHunter, which is a recently announced free bot net detection utility. botHunter is a new system designed by researchers at the Georgia Institute of Technology and the Computer Science Laboratory of SRI International. It is an interesting approach to detecting bot infection in local networks. Designed to be deployed at the perimeter of a network, botHunter looks for patterns in dialogues between computers in search of well known sequences that indicate bot activity. Whereas typical bot detection is carried out by virus/worm detection tools like host based virus scanners and network intrusion detection tools using signature analysis, botHunter uses an analysis distributed over time rather than packets or files. The main advantage of botHunter, as I see it, is that it can extremely accurately identify hosts that conform to it's predefined behavior patterns.
The c99 shell is a somewhat notorious piece of PHP malware. C99 shell is often uploaded to a compromised web application to provide an interface to an attacker. The c99 shell allows an attacker to hijack the web server process, allowing the attacker to issue commands on the server as the account under which PHP is running.
Kojoney (http://kojoney.sourceforge.net/) is a wonderful low interaction SSH honeypot written in Python. Honeypots are systems that are set up in a deliberately vulnerable state in order to capture and observe intruder behaviour. For more information about honeypots see the excellent HoneyNet Project (http://www.honeynet.org/). There are many reasons to run a honeypot, but for the purposes of this discussion we will assume that you want to run a honeypot to observe post compromise behavior in order to fingerprint patterns. This is useful because you can use fingerprints to set up alerting or protective mechanisms that can detect compromise quickly and aid in response. For instance, running a honeypot you might discover that most attackers, after compromising an apache web server, attempt to write a file into the /tmp directory. You can use this information to set up monitoring of the /tmp directory, and alert administrators whenever apache writes new files into /tmp. This can tip off systems administrators to a possible compromise, by alerting them that there is behavior occurring on their system that typically corresponds to post compromise attacker behavior.
OSSEC is an open source host based intrusion detection system (IDS). An IDS is one of the most important tools available to a security administrator. As a host based IDS (or HIDS), OSSEC is uniquely advantaged to monitor activity from the server side. Although a network based IDS may be able to spot malicious traffic and identify attacks based on traffic, a HIDS can look directly at log files and system behavior to spot oddities such as successful brute force attacks or evidence of rootkit installation. On February 27th, 2009 OSSEC announced the release of the much anticipated version 2.0. OSSEC fills a critical niche in any Linux security plan. OSSEC provides file integrity checking, so it can spot rootkits, in addition to real time log analysis. OSSEC can alert you to suspicious behavior and can even be configured to actively respond to threats.
Vulnerability assessors and code auditors are often faced with situations where a large volume of code needs to be audited quickly to enable a deployment. In these situations large web applications need to be reviewed in a fast and efficient manner. Although a code level analysis is often the most effective way to analyse the security of an application it is a time consuming process and not all practical.
Live CD's for penetration testing are becoming more prevalent these days, with a wider diversity of offerings. Live CD's allow testers the ability to run pre configured tools from operating systems they might not otherwise have easy access to. A live CD comes with a full operating system and several tools already installed on them. The Samurai Web Testing Framework is a bootable Linux CD that contains numerous tools specifically designed for web application penetration testing and vulnerability assessment.
SSHatter is a simple SSH brute forcer written in Perl. Although it is not a very robust tool, it is still useful when combined with other target enumeration tools such as NMAP.
I have to say the I really enjoy using my new Microsoft keyboard. Whatever faults the operating system division of Microsoft might have, their hardware (and games) consistently surprise me.
A review of the SanDisk Cruzer Micro USB drive and the enclosed U3 technology.