Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

ITWeb Security Summit

It’s been a while since I last posted… between a trip to the UK (for BSides London) and a few days in bed with con-flu, it’s been a busy few weeks.

I’m flying out to South Africa this weekend to take part in the ITWeb Security Summit in Johannesburg. There are a lot of great speakers talking, and I was honoured to be asked to present some of my SAP research as part of the “Enterprise Resource Planning” track.

This will be the last time I’ll be presenting this material, so hopefully it will go down well. This research has been ongoing for the last year or so, and it was time to move my focus off onto some other projects I’ve got running. Plus, nobody likes to see research that’s old and busted. The information I’ll be presenting is “out there” for the community, so I’m happy to cover it one last time before I put it to bed. So much hacking, so little time ;)

If you’re attending the conference please come up and say hi… I only bite on request!

Security Forum 2012

The Security Forum is the annual IT-Security Conference in Hagenberg that addresses current issues in this domain. Traditionally it takes place over the course of two days in April. On the first day visitors are offered technical as well as management-oriented papers by representatives of business, research and public service.

After last year’s Security Forum I couldn’t very well miss this year’s event, and it didn’t disappoint. Although a number of the presentations were a little too management-focused and light on technical details for my liking, these were overshadowed by a great presentation from Scott Behrens of Neohapsis and the short but very interesting Security Insights talks that took place in the evening.

Just like last year the real benefit I feel came from the discussions between sessions. Talking to the presenters and attendees is always the high-point of these conferences I find.

Below are a few brief notes on the presentations I managed to attend and think are worth noting. Slides aren’t yet available for most talks as far as I’m aware.

Webshell Detection using NeoPI (Scott Behrens)

(https://www.securityforum.at/agenda-2/neopi/)

This talk concentrated on the problem of detecting webshells during incident response. When faced with a collection of servers and maybe more than 20,000 files in a webroot, how do you find the needle amongst the needles? Scott demonstrated a number of analysis techniques that can be used to better discover webshells present on a system, and showed how the NeoPI script digs into a webroot and points out statistical discrepancies and possibly malicious webshells.

The NeoPI script is currently available on the Neohapsis github page and is looking for people to assist in future development and testing.
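As an added illustration of the kind of statistical triage described above (my own example, not NeoPI’s code), the script below scores every script file under a webroot and ranks them so the statistically odd ones surface first. The three metrics (byte entropy, longest whitespace-free token, index of coincidence), the rank-sum ordering and the two constructed sample files are assumptions of this example, not details taken from the talk.

```python
import base64
import math
import os
import random
import re
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encoded or encrypted payloads score close to the 6-8 range."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def longest_token(data: bytes) -> int:
    """Longest whitespace-free run: base64 blobs stand out against hand-written code."""
    return max((len(t) for t in re.split(rb"\s+", data)), default=0)

def index_of_coincidence(data: bytes) -> float:
    """Chance that two random bytes match; readable code scores higher than random-looking data."""
    n = len(data)
    counts = Counter(data)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1)) if n > 1 else 0.0

def rank_webroot(root: str) -> list:
    """Score each script under root; order by summed per-metric rank (lowest = most anomalous)."""
    rows = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".php", ".asp", ".aspx", ".jsp")):
                path = os.path.join(d, f)
                with open(path, "rb") as fh:
                    data = fh.read()
                rows.append({"path": path, "entropy": shannon_entropy(data),
                             "longest": longest_token(data), "ic": index_of_coincidence(data)})
    # High entropy, long tokens and LOW coincidence are each suspicious; sum the three ranks.
    for metric, suspicious_high in (("entropy", True), ("longest", True), ("ic", False)):
        for rank, row in enumerate(sorted(rows, key=lambda r: r[metric], reverse=suspicious_high), 1):
            row["rank_sum"] = row.get("rank_sum", 0) + rank
    return sorted(rows, key=lambda r: r["rank_sum"])

def build_sample_webroot() -> str:
    """Constructed sample webroot: an ordinary page plus a file carrying an opaque encoded blob."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php\n$title = 'Welcome';\necho '<h1>' . htmlspecialchars($title) . '</h1>';\n")
    rng = random.Random(7)  # deterministic stand-in for an encoded payload, not a real shell
    blob = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(600)))
    with open(os.path.join(root, "cache.php"), "wb") as fh:
        fh.write(b"<?php\n$d = '" + blob + b"';\n")
    return root
```

Run `rank_webroot` over a real webroot and review the top of the list by hand; the metrics only point at outliers, they do not prove a file is malicious.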

Security Insights (evening talks)

(https://www.securityforum.at/security-insights/)

The evening talks moved away from the more management style presentations during the day and focused more on technical projects. Three of the talks were of particular interest.

Sicherheit in der Bürgerkartenumgebung (Security in the Citizen Card Environment) (Wolfgang Ettlinger)

In this talk Wolfgang discussed some of the issues he discovered when testing the security of the Austrian Citizen Card. In Austria this card can be used to officially sign documents and prove the identity of the holder. This includes the ability to sign in to online banking using the card and a PIN to prove the holder is who they say they are. Wolfgang showed a number of vulnerabilities in the BKU (the Java-based environment that handles PIN authentication and card communication) and demonstrated how an attacker could steal the PIN and use it to sign documents or perform actions as the user. A more detailed write-up is available on Wolfgang’s blog.

Covert Channel Protocol – verdeckte Informationsübertragung (covert information transfer) (Florian Preinstorfer)

Florian discussed his ongoing research into covert channels, and in particular his PoC implementation that uses HTTP, ICMP and DNS to transfer data covertly by using client- and server-side proxies to alter traffic. Although the work is still ongoing I’m looking forward to seeing what the final result is, as the premise seems interesting. As soon as code is released or more information becomes available I’ll make sure to post it in my [SuggestedReading] feed.

Oh noes! Another Android Malware Talk (Thomas Eder, Michael Rodler)

The final presentation of the night walked us through an analysis of Android malware (in particular an SMS application that sends premium-rate SMS messages). The tools discussed were the usual fare; however, the presenters are working with a larger team to implement a more automated and structured way to analyse Android malware, called EPIC (DE). The project is still in its PoC phase, but seems to be something to keep an eye on!

Special thanks to the Hagenberger Kreis for making the conference such an enjoyable experience… Hope to see you all next year!

PrintJob MITM – Testers Wanted

I had some time over the long weekend to tweak a Metasploit script I’ve had lying around for a few years. When I wrote the Python prn-2-me script I also drew up the basics of a print job MITM module for Metasploit but never managed to finish it.

The Python version is limited in that it was designed to handle RAW print streams only… it was also really badly written (like most of my early Python stuff). The Metasploit module I’m currently testing should also handle LPR/LPD print jobs by sitting in the middle and relaying communications back and forth between the client and the printer. I’ve also begun to look at implementing some IPP sniffing as well, using the same technique as for LPR/LPD (streaming the data to the printer and sniffing out the print job and metadata).

This is still a work in progress, and handling LPR/LPD and IPP is a bit more tricky than RAW print jobs.

A couple of helpful folks have been testing out the module for me… if you want to assist please take a look at the module and see what you think (download link below). If you have any problems please do a packet capture so I can see what’s not working correctly and adapt the module. As the various printers and drivers handle things slightly differently, the idea is to look at as many models as possible (not just HP!).

Links:

Getting your message across: Screenshots

Since I’ve finally started doing something with pentestreports.com I thought it was time to write up some interesting content. Seeing as this one has been bugging me for a while, I thought it would make an interesting starting point. As always, comments are welcomed and encouraged!

Getting the message across in a penetration testing report isn’t always the easiest thing. Explain in 500 words or less, to somebody who may or may not know what TCP is, how you used a forged HTTP request header to inject falsified log requests into their database and perform stored cross-site scripting on administrators… yeah, it’s not easy. So, a picture is worth a thousand words, and we’re going to need to use all the options available to us to convey the issue at hand.

The problem is… people don’t always spend as much time thinking about that picture as they would writing 500 words, and they should! Here are a few of the screenshot crimes I’ve seen over the last 10 years or so in technology. These aren’t restricted to penetration testing… so they should be applicable to any graphical representation!

The lazyboy

Well, I guess it gets the message across… but I’m not really sure what that message really is! A screenshot is designed to help get a message across and prove that something was achieved. This kind of screenshot does nothing more than show that you can press a few keys and take a screenshot. Did I perform an XSS on your website? Was it reflected? Stored? Second-order? Who knows…

This screenshot shows nothing.

Full-on

Is that Bigfoot? Nope, it’s hard to see, but that’s actually a screenshot! Crop, people… no, don’t think, just crop. At least you’re getting more of the message across than the lazyboy, but you’re not helping yourself here. Make sure that when you take a screenshot everything you NEED to show is in a small area that will be easily visible and readable when the screenshot is cropped. A full-screen capture is fine for note taking, but the final version needs to be cropped and annotated if needed.

The OTT

OMG, where do I look first! Three screenshots layered one on top of the other… does it tell a story? Without any annotation or further information it’s just a jumbled mess of text. This is a perfect candidate for multiple screenshots, or at the very least a few boxes to focus the reader on the places where the REAL information is!

Side note: screenshots of code are mostly a waste of time… copy/paste the affected code and highlight the affected section.

Click Happy

You may think I’ve gone off the deep end on this one… but I’m afraid not. Some people actually think that photos are a replacement for a good, well-formed screenshot! Sometimes you just can’t avoid a photo, but think carefully. Easy to do badly! Hard to pull off.

The exceptions to this last one are obvious really: physical security tests/results, or anything that can’t be screenshotted. Just remember, if you can use a screenshot, it’s going to look a whole lot better than a photo.

Note: If you NEED to do photos… don’t use your phone! Buy a digital camera and learn how to use it!

Conclusion

Take time to think out your screenshots: not only whether you need one, but how you can best show the issue(s) and how a reader will view it. The viewer may not have your technical knowledge, and may not know what the issue really is. Make that screenshot count!
