Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: penetration testing

UA-Tester 1.0 released: Now with 38% more pimp!

After a few months of playing around with the UA-Tester Alpha release, I’ve finally got the code to a point where I’m happy enough to do a 1.0 release… UA-Tester 1.0, codename Purple Pimp!

Changes since the alpha are far too many to list. However, the new version does complete header matching, including some funky stuff like tracking cookie setting changes between user-agent strings (where HttpOnly or Secure might be set for one user-agent string, but not for another).
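As an added illustration of the cookie-flag check described above (this is example code written for this page, not the UA-Tester script itself), the block below takes the Set-Cookie headers returned for the same URL under several User-Agent strings and reports any cookie whose Secure or HttpOnly flag is present for one user agent but absent for another. The user-agent strings and Set-Cookie values are constructed sample data, not captured from a real site.

```python
"""Report Secure/HttpOnly inconsistencies across user agents (added example)."""
from typing import Dict, List, Tuple

# Constructed sample: the same URL fetched with three User-Agent strings.
# Each entry is (user_agent, list of Set-Cookie header values as received).
SAMPLE_RESPONSES: List[Tuple[str, List[str]]] = [
    ("Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
     ["sid=abc123; Path=/; Secure; HttpOnly", "lang=en; Path=/"]),
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 4_0) Mobile Safari",
     ["sid=abc124; Path=/; Secure", "lang=en; Path=/"]),          # HttpOnly dropped
    ("Googlebot/2.1 (+http://www.google.com/bot.html)",
     ["sid=abc125; Path=/", "lang=en; Path=/"]),                   # both flags dropped
]

FLAGS = ("secure", "httponly")  # attribute names compared case-insensitively


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, bool]]:
    """Return (cookie_name, {flag: present}) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, {flag: flag in attrs for flag in FLAGS}


def cookie_flags(headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """Map cookie name -> flag presence for every Set-Cookie header in one response."""
    return dict(parse_set_cookie(h) for h in headers)


def flag_inconsistencies(responses: List[Tuple[str, List[str]]]) -> List[dict]:
    """Cookies whose Secure/HttpOnly setting differs between user agents.

    A cookie that lacks a flag for *every* user agent is not reported here;
    that is a plain missing-flag finding, not an inconsistency between agents.
    """
    per_ua = {ua: cookie_flags(hdrs) for ua, hdrs in responses}
    names = sorted({n for flags in per_ua.values() for n in flags})
    findings = []
    for name in names:
        for flag in FLAGS:
            seen = {ua: flags[name][flag] for ua, flags in per_ua.items() if name in flags}
            if len(set(seen.values())) > 1:
                findings.append({
                    "cookie": name,
                    "flag": flag,
                    "missing_for": sorted(ua for ua, v in seen.items() if not v),
                })
    return findings


if __name__ == "__main__":
    for f in flag_inconsistencies(SAMPLE_RESPONSES):
        print(f"{f['cookie']}: {f['flag']} not set for {len(f['missing_for'])} user agent(s)")
```

The interesting output is the `sid` session cookie: it is marked Secure and HttpOnly for the desktop browser, loses HttpOnly for the mobile string and loses both for the crawler string, which is exactly the kind of per-user-agent drift a blanket "cookies are flagged" statement would hide.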

You can find a download link for the UA-Tester Python script, and a PDF of my BruCON lightning talk in the Tools/Scripts section above, or through the links below.

Feedback is always gratefully received…


[BruCON] Top 5 ways to destroy a company

Top 5 ways to destroy a company (Chris Nickerson)

No one cares about your findings. We work all day and they ignore your reports!

Well why does that happen?

  • What we give them isn’t important. Managers don’t care about shells!
  • They don’t care about what we care about!

What do they care about?

  • The product line
  • The brand
  • The employees
  • The bottom line

What do you know about the company’s product line? If you didn’t research it, then why not? Don’t you think you should care about what the company cares about?

How do you figure out what’s important?

  • Step 1: Your opinion doesn’t matter (unless you’re one of the execs that really are in the know)
  • Step 2: Think like them. You need to translate your speech to something they understand.
  • Step 3: Do work.. not on shells, on process, models, information

If you get paid to just go in and hack fuck somebody, then you’re a prostitute.

What kind of stuff are you looking for?

  • Secret
  • Confidential
  • Internal Use Only
  • Public

Going for the secret stuff is great, but what if the Confidential stuff gives you access to the secret stuff? What if the public stuff should be secret?

The business understands CIA (Confidentiality, Integrity, Availability)… all of these factors link into criticality. If you don’t do this, you’re a bad tester!

The customer needs to give you information on what assets exist and what the risks are, and therefore how critical each asset is to the company.

Sometimes you’re wrong… email isn’t the most important thing in your company!

You only have a limited time to test, you don’t have an unlimited time to test like blackhats do!

Top 5 ways to destroy a company

  • Tarnish the brand
  • Alter the product
  • Attack the employees
  • Affect financials directly
  • ** Your turn! **

Tarnish the brand (How to do it)

  • Understand the brand
  • Identify key words to market
  • Knowledge of the competitor advantage/disadvantage
  • Intelligence profiles on the “keepers of the brand”
    • Face of the brand
    • Executives
    • Key personnel
    • Entire marketing/design team
  • Reverse engineering the “go to market”
  • Take over the “indicators of quality”
    • False issues (product misdirection)
    • Negative reviews
    • Use by non standard customers
    • False company response

Alter the product (How to do it)

  • Compare listing of products/services depending on the organization
  • Chain of command for product development or service integrity
  • Historical review of the product’s timeline

Attack the product (How to do it)

Company specific!

  • Software companies
    • Create bugs
    • Make backdoor (then tell the media)
    • Cause errors in function
    • Add hidden features!
    • Divert their code to your servers….
  • Hospitals
    • Change patient diagnosis
    • Attack HVAC and crank the heat
    • Disable critical alerts
    • Attack crash carts to disable on the fly care
    • Attack narcotic dispensing stations
    • Alter patient doses
  • Manufacturing plants
    • Alter the product line (make something different)
    • Change design specs
    • Speed up the line… overflow
    • Slow down the line… underflow (deadlines)
    • Add or remove the product features
    • Decrease quality
    • Break shit.. a lot

Attack the employees (How to do it)

  • Profile who they are (Nessus doesn’t tell you that!)
  • Find out where they live
  • Figure out what “dangers” they might have at the office
  • Figure out their daily routine then make a kidnapping profile
  • Use the company against them
    • Food?
    • Manufacturing equipment?
    • General Terrorism
    • Release the horde?
  • Kill their benefits
  • Reduce their pay
  • Change their accounts (amex DOS)

If you affect their employees, you affect their money!

Directly affect the bottom line (What you will need)

  • Understand how they really make their $$$
  • Identify systems that generate income
  • Do they take credit cards?
  • Do they have cash?

Now you know, go and take the money.

SQLi: I can see your tables == Ineffective

SQLi: I can see your tables, so I made a new account and transferred all your money to it == OMG!

What can we take away from this

  • Shell doesn’t do anything
  • Speak their language
  • Remove the white/black hat and do the work!
  • Stop trying to rationalize why you are right… and change the game!

We are not communicating business impact… we are the ones that are ruining the world! It’s on us to fix it.


Deutsche Post | Security Cup

A friend of mine (thanks Wim) posted this on Twitter. Normally if Deutsche Post announce the release of a new service, it’s nothing to write home about. Certainly when it comes to security. However, Deutsche Post have come up with an interesting competition in the build-up to the release of their E-Postbrief service.

Working with some well-respected members of the Security Community, they’ve come up with the Security Cup, and are offering some nice prizes for people/teams who find vulnerabilities in their web application or infrastructure.

As you can imagine the scope is limited, no client-side attacks for example, but with the prizes on offer (major bugs are awarded with EUR 5,000, normal bugs are awarded with EUR 1,000) it looks like it’ll draw a crowd.

If you want to find out more information, head over to the Deutsche Post Security Cup web-page and sign up (via email). The sign-up phase runs through September, so there’s plenty of time!

[Defcon] You Spent All That Money And You Still Got Owned…

You Spent All That Money And You Still Got Owned… – Joe McCray

You often run up against all sorts of defensive measures when penetration testing (Firewalls, IDS/IPS, WAF, …) and the testers still get in!

Often you get in, only to find that the company is already owned (enter Incident Handling mode)

More and more security measures are being implemented on company networks.

  • Firewalls are commonplace (perimeter and host based)
  • Anti-virus is smarter
  • Intrusion Detection / Prevention systems are hard to detect, let alone bypass
  • NAC Solutions are making their way into networks
  • IT Hardware / Software vendors are integrating security into their SDLC

Still. Companies get owned.

Comments like “We can’t patch those! Those are our development servers” don’t help.

“Always go for the quick shell” –> Google dork search for anything that hints at SQL Injection, remote/local file includes.

Identify Load-Balancers

Figure out if it’s load balanced

DNS or IP load balanced –> it makes a difference

Check the returned headers to see if things are different

  • Server Header
  • Time/Date

Use DNS queries and Netcraft.com

Tools to do this

  • Load Balancer Detection – lbd.sh
  • Halberd
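The header-based check described above (compare the Server header and the Date header across repeated requests to the same hostname) as an added example; this is not lbd.sh or Halberd, and the response data is constructed. It is also useful from the defending side, to confirm that a load balancer is not leaking which backend answered. The clock-skew idea is the one assumption made here: if the Date header minus the local send time settles on more than one value, more than one machine with its own clock is answering.

```python
"""Spot multiple backends behind one name from Server and Date headers (added example)."""
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple

# Constructed sample: (seconds after the first request was sent, response headers).
# Request 3 is answered by a different box whose clock runs ~35 s ahead.
SAMPLE: List[Tuple[float, Dict[str, str]]] = [
    (0.0, {"Server": "Apache/2.2.14", "Date": "Thu, 23 Sep 2010 10:00:00 GMT"}),
    (1.0, {"Server": "Apache/2.2.14", "Date": "Thu, 23 Sep 2010 10:00:01 GMT"}),
    (2.0, {"Server": "Apache/2.2.15", "Date": "Thu, 23 Sep 2010 10:00:37 GMT"}),
    (3.0, {"Server": "Apache/2.2.14", "Date": "Thu, 23 Sep 2010 10:00:03 GMT"}),
]


def header_variants(responses, name: str) -> List[str]:
    """Distinct values seen for one header across all responses."""
    return sorted({h[name] for _, h in responses if name in h})


def clock_offsets(responses) -> List[float]:
    """Server Date minus local send time, relative to the first response.

    Responses from one machine cluster around a single value; a second
    machine with a different clock shows up as a second cluster.
    """
    t0 = parsedate_to_datetime(responses[0][1]["Date"]).timestamp()
    return [parsedate_to_datetime(h["Date"]).timestamp() - t0 - sent
            for sent, h in responses]


def cluster(values: List[float], tolerance: float = 2.0) -> List[List[float]]:
    """Group sorted values whose neighbours lie within `tolerance` seconds."""
    groups: List[List[float]] = []
    for v in sorted(values):
        if groups and v - groups[-1][-1] <= tolerance:
            groups[-1].append(v)
        else:
            groups.append([v])
    return groups


def assess(responses, tolerance: float = 2.0) -> dict:
    """Combine both signals into one verdict."""
    servers = header_variants(responses, "Server")
    clocks = cluster(clock_offsets(responses), tolerance)
    return {
        "server_headers": servers,
        "distinct_clocks": len(clocks),
        "likely_multiple_backends": len(servers) > 1 or len(clocks) > 1,
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

The tolerance of two seconds absorbs network latency and the one-second resolution of the Date header; tighten or loosen it to taste. A Date header that is identical for every response regardless of timing is its own hint, since it usually means a cache or the balancer itself is answering.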

Identifying Intrusion Prevention Systems

Most are still in detection only mode

See if it’s blocking…. break out CURL and try ../../../../winnt/system32/cmd.exe?d

Did you get blocked, is your IP banned –> If so it’s an IPS in blocking mode

Look for RST and other hints

Does the IPS monitor SSL traffic –> Many don’t

Attacking through TOR

Push attacks through TOR to help with IP-Banning

Clients should be blocking TOR proxies

Identifying WAFs

Due to PCI, there are a lot of WAFs being implemented

Send almost any special character it will respond

Often easy to identify

Check in return headers for hints and information.

Tools like wafw00f can also be used –> waffun is a project being worked on currently

Examine / Request all possible std return codes (200, 404, 301, ..) and then see what gets returned if you try an XSS attack… are they identical?

Encoding is sometimes dealt with by a WAF… double encoding not so often.


DotDefender WAF –> Simple unencoded SQLi gets through. Blacklist on specific words and commands

Blocking the word SELECT –> Easy to bypass using UNICODE

FIXED by the vendor –> Only blocks unicode –> FAIL

SQL Injection to Metasploit


  • Written in Perl, but still good.
  • Great from going from SQLi to shell


  • Written in Python
  • Allows you to drop to a shell

Filter Evasion

Client-Side filtering == BAD

Do not use JavaScript that does filtering without server-side checks

“You’re going to put all the security on the hackers laptop!”

Restrictive Blacklist

Blocking things like = sign doesn’t stop SQLi

Encoding things bypasses these blacklists

Rules in IDS/IPS are sometimes looking for specifics like 1=1

Wait… doesn’t 2=2 as well!

Blacklist rule-sets are a losing proposition as encoding can bypass the rules
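To make the last few points concrete (the `1=1` versus `2=2` rule, encoding slipping past a blacklist, and the earlier point that filtering belongs on the server), here is an added example, not code from the talk or from any real WAF: a naive blacklist of the kind described, alongside the query it is supposed to protect written both by string concatenation and with a bound parameter. The blacklist patterns, table and rows are constructed for illustration; the database is the standard library `sqlite3` in memory.

```python
"""Why a literal blacklist fails and parameterised queries do not (added example)."""
import re
import sqlite3
import urllib.parse

# Constructed blacklist: looks for the literal "1=1" and the word SELECT only.
BLACKLIST = [re.compile(r"\b1=1\b"), re.compile(r"\bselect\b", re.IGNORECASE)]


def blacklist_blocks(value: str) -> bool:
    """Naive input filter: True if any blacklist pattern matches."""
    return any(p.search(value) for p in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


def lookup_concat(con: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user value becomes part of the SQL text."""
    return con.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def lookup_param(con: sqlite3.Connection, name: str) -> list:
    """Fixed: the user value is bound as data and can never change the query."""
    return con.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def run_checks() -> dict:
    """Exercise the blacklist and both query styles with the same inputs."""
    con = make_db()
    payload_2eq2 = "' OR 2=2 --"                       # the talk's point: 2=2 is true too
    encoded_1eq1 = urllib.parse.quote("' OR 1=1 --")   # "%27%20OR%201%3D1%20--"
    return {
        "blocked_1eq1": blacklist_blocks("' OR 1=1 --"),
        "blocked_2eq2": blacklist_blocks(payload_2eq2),
        "blocked_encoded": blacklist_blocks(encoded_1eq1),
        "concat_rows": len(lookup_concat(con, payload_2eq2)),   # every row comes back
        "param_rows": len(lookup_param(con, payload_2eq2)),     # nothing matches that name
        "param_rows_alice": len(lookup_param(con, "alice")),    # normal lookups still work
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The blacklist catches the one string it was written for and nothing else, while the parameterised query returns no rows for the injected value and still finds `alice`; the lesson is that the fix lives in how the query is built on the server, not in a pattern list in front of it.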

Practice your kung-fu


  • Smoketest
    • check your encoding and bypass techniques
    • find something that will bypass a lot of the rules


  • Also now offers a smoketest
  • Implements core ruleset, PHPIDS and Snort

Lots of companies have IDS… how many actually look at it though?

Getting in via the Client-Side

Email a client-side exploit exported from Metasploit

Use reverse HTTPS to bypass some detections

SET (Social Engineering Toolkit)

“Real hackers aren’t scanning your network anymore”

Pivoting into the LAN

Metasploit offers a pivot

Compile programs so they don’t need an install, upload to remote system and run

Common LAN Security Solutions


  • Use Static

DHCP MAC Address Reservations

  • Find a system, steal MAC

Port Security

  • Find a printer….

NAC Solutions

  • Find a non-NAC supported system

See a pattern here?

Tools like VOIPhopper are perfect for going from one VLAN to another.

Looking around the network for a user

  • net commands on Windows are great for finding network information
  • Script output and find the Administrators
  • Escalate to SYSTEM/Administrator
  • Run commands using psexec, pskill, …
  • Kill protections, stop services

Certain AV/HIDS have blacklist filenames that aren’t checked… not hashes… filenames!

Use the new getsystem in Metasploit

Owning the Domain

Use token stealing (in Metasploit / Incognito)

Find an admin, steal the token, win!