Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: tools

Unsung Heros (the list)

Back in January I had this crazy idea to make a list of tools/scripts/programs that some people considered the best thing since sliced bread, and others had never even heard of. Over the last couple of months I’ve received just over 30 entries from all areas of InfoSec… Not as much as I’d have liked, but still a few interesting gems in the mix.

As I said in the original post, I’ll be pulling a name out of the digital hat for a book from No Starch… as I’ve just finished reading the excellent “Tangled Web” I think it would make a great prize. I’ll be drawing and contacting the winner this week and will post their name on Twitter (unless they wish to remain anonymous).

I’ve created the following list in no particular order, and tried my best to categorize them as best I can. Some things fall into multiple categories, but I’m sure, like many tools, you can use them for a lot of fun things 😉

Category: Monitoring

  • pastebin.py (link)
    • Written by Xavier Garcia, this small python script continuously monitors pastebin.com, looking for interesting keywords (based on regex)
  • PasteLert (link)
    • PasteLert is a simple system to search pastebin.com and set up alerts (like google alerts) for pastebin.com entries.
  • OSSIM (link)
    • OSSIM is the de facto standard Open Source SIEM

Category: Forensics / Incident-Response

  • Xmount (link)
    • xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE
  • PhotoREC (link)
    • Specifically designed for digital photo recovery. Due to its algorithms for reconstructing files, it is also able to strip encryption from data in some cases.
  • TestDisk (link)
    • Great portable tool for performing a deep search and recovery of deleted partitions and files on physical drives and image files. It’s simple and scriptable.
  • TCPflow (link)
    • Very handy for quick recovery of *data* (payload without ip/tcp headers, etc) traversing a network interface as well as different data flows.
  • Network Miner (link)
    • A great tool for extracting information and transferred files from sniffed network traffic.
  • Chaos Reader (link)
    • A freeware tool to trace TCP/UDP/… sessions and fetch application data from snoop or tcpdump logs.

Category: Systems Administration

  • Deep Freeze (link)
    • Deep Freeze provides the ultimate workstation protection by creating a “frozen” snapshot of a workstation’s configuration and settings. Each time you restart your machine, Deep Freeze restores your computer to this desired “frozen” state.
  • splitcap (link)
    • Tool for splitting PCAP files
  • rawcap (link)
    • RawCap makes it possible to sniff network traffic on Windows machines without WinPcap.
  • Log Parser (link)
    • Log Parser 2.2 is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.
  • WOL-E (link)
    • WOL-E is a suite of tools for the Wake on LAN feature of network attached computers.

Category: End-point detection

  • GMER (link)
    • Application that detects and removes rootkits
  • Fail2Ban (link)
    • fail2ban checks log files for information on brute forcing attempts and exploit probing, and then temporarily “bans” the offending IP.
  • Sigtool (link)
    • Sigtool (part of clamav) lets you create your own signatures next to the “known” malware signatures. So when virustotal says “0/42”, you still can block the files.

Category: Penetration Testing

  • Ebrute (link)
    • Windows domain username enumeration via Kerberos
  • Arachni (link)
    • Web application scanner
  • Keimpx (link)
    • Covering the gap of MSF psexec spraying the domain with dumped credentials (pass the hash)
  • NfSpy (link)
    • Takes all the hard work out of spoofing one’s uid in order to gain access to all the files on an NFS share. Additionally, supports all sorts of shortcuts to get around “security measures” like firewalling port 111.
  • ratproxy (link)
    • A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
  • ThickNET (link)
    • Thicknet is a TCP session manipulation and take-over framework. It is a great tool for internal penetration testing. It is modular, which allows users to develop and customize the tool for their particular target protocols.
  • Tachyon (link)
    • Tachyon is a dead file scanner, written in python. The main goal of tachyon is to help webadmins find leftover files in their site installation, permission problems and web server configuration errors
  • SWFscan (link)
    • SwfScan decompiles Flash into source and checks it for security issues. Even if it doesn’t find security problems, discovery of additional server URLs, viewing application logic, and the opportunity to manually view the source for issues are invaluable. All done in a pretty nice GUI.
  • Mona (link)
    • Mona is a PyCommand for Immunity Debugger that replaces pvefindaddr.
  • UAtester (link)
    • A tool for testing web-site reactions to a range of User Agent strings. Useful for ensuring wide coverage of web applications.
  • Evilgrade (link)
    • Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.
  • PMCMA [Post Memory Corruption Memory Analysis] (link)
    • Helps automate the process of finding a way to exploit a known arbitrary memory read/write vulnerability
  • MimiKatz (link)
    • Can recover clear text passwords of logged on users on a Windows machine, by lsass injection.
  • OWTF (link)
    • The Offensive Web Testing Framework – An awesome framework just recently developed to help test web applications better, both passively and actively.
  • Yeti (link)
    • A network footprinting tool from the SensePost crew
  • Reaver-WPS (link)
    • A tool for exploiting WPA/WPA2 issues (in particular the WPS bug)
  • Dirfuzz (link)
    • Directory discovery and info gathering of web applications
  • MORF v0.3 — NINJA ENCODER (link)
    • Encoder with a wide range of supported encoding types (URL, HTTP, Base64, HEX, MD5, SHA1, UTF-7…)

Category: Miscellaneous

  • xdotool (link)
    • This tool lets you simulate keyboard input and mouse activity, move and resize windows, etc. It does this using X11’s XTEST extension and other Xlib functions.
  • Risu (link)
    • Risu is a Nessus parser that converts the generated reports into an ActiveRecord database; this allows for easy report generation and vulnerability verification.
  • Thinkst – Infosec Conference Collector (link)
    • An online tool for searching prior and upcoming conference talks. Useful for attribution, reference checking, and trend spotting. Doesn’t cover everything, but a good starting point.

I hope there’s at least 1 or 2 unsung heroes on the list for everybody… and if you have any additions, feel free to leave them in the comments, and I’ll update the post when I can! Thanks to all those who took part… this list is yours after all, not mine!

P.S: Thanks to the generous person who suggested UAtester… even if it was a joke 😉

Unsung heros

tl;dr : I’m searching for your suggestions for the unsung heroes of security tools (not the usual things we talk about every day). Please send your entries via the form HERE… there will be a random prize for people taking part.

Have you ever stumbled on a tool and wondered “Why didn’t I know this existed!” or “If only I’d had this last week on that test”… if you’re anything like me then it happens all too often. As an industry we have more ideas, methods and tiny tools/scripts than we know what to do with. Every time a conference rolls around (which is almost daily now it seems – Is the answer more InfoSec Conferences?) people are eager to pimp their wares (I’m no different), and sometimes it’s needed to show proof of concept, a new technique or something else equally mind-blowing. Some (and only some) of those new techniques, methods, attacks, … will make the jump from niche tool into a framework (such as Metasploit or nmap). Some others will live on in individual tools/scripts. Projects like BackTrack Linux try to gather the most well-known of these tools into a central distribution, but inevitably there’s always the one or two real gems that fall between the gaps. You can’t cram everything into any single framework or distribution, otherwise it becomes unusable.

So where does that leave us? It leaves us with Google (or Bing, if you’re really hard up) as the only hope for finding those niche solutions for testing that funky web app that you didn’t even know would run on AIX 5.2.

Previously some very nice people have gone out of their way to document and bring these niche tools together, lest they be lost to the annals of time. A few years back @mubix took the time to catalogue the tools released at just one conference. The Defcon Tools page shows the tools that could be catalogued after the Defcon 18 conference. That’s a lot of tools for a 3 day period! No wonder we skip over some of the ones we should be paying attention to… and there I finally get to the point of this blog post.

No GIF for you.... bad panda!

I’m attempting to (and I say attempting, as it relies on you the readers to help out) gather suggestions for your “unsung hero” of the tools world. As we work in Infosec I’m looking specifically to gather a list of tools that aren’t on every penetration tester’s or forensic investigator’s list, but that you have respect for. We all love Metasploit, nmap and the other popular tools voted for on the SecTools Top 125 list. However I’m looking for something a bit different here, something off the beaten track.

So, if you’ve got a favourite tool (or 2) that you think are your unsung heroes, I want to hear about it. Don’t wait, don’t even think… you’ve got one in mind right now… just fill in that form and click submit!

Oh, did I forget to mention! I’ll be doing a random draw of 1 of the entries and sending you a book. Not sure what just yet, but I’m sure you’ll like it 😉 You’ve gotta be in it to win it!

Please share this link with your friends, work colleagues, drinking buddies, or hobos… the more the merrier!

Short link –> http://c22.cc/heroes

* Why do I request your email address… simple, at some point (if this goes to plan) there will be a vote. I’m happy to email out links to the vote as and when… then again, if you don’t want to give me your email address, that’s fine too. Not like I’m gonna sell it 😉

[BSidesLV] Fuck Tools

Fuck Tools – frank^2

Doing stuff on your own makes you learn stuff.

Tools Rule

  • They make things easier
  • They make things faster
  • They make it so that you don’t have to learn the deep details

but….

  • They make it so you don’t know the deep details
  • They also force you to think in a very controlled environment
  • Tools are sometimes too focused

At the end you end up with a bunch of tools that don’t do quite what you need unless you string them all together

Why write your own tool? You could be smarter, you could be cleverer, or the tool might not exist.

So you could write your own tool…

But that could be SLOW, maybe you don’t have the experience either… do you have the right resources to accomplish this?

So what do you do?

By developing a tool you’re learning things. Some things stay in memory after all.

This means next time you’ll be better, quicker!

plus you get to learn how the program, flaw and tool really works. Knowledge is power.

Knowing the ins and outs of how to exploit something will always be better than knowing how to use a tool.

Why?

Because you want to learn

A toolkit cluster fuck is much less elegant than a custom coded script to do the job

Other tools are buggy

Why wait for another sucker to write your tool?

Why shouldn’t you?

Because sometimes reinventing the wheel isn’t worth it?

How will your tool be better? Maybe it won’t!

Do It Yourself vs riding that tool

OllyDBG vs PyDBG

Stuck in the boundaries of what the coder wants, vs doing what you want!

PyDBG lets you control what you want and how you want to do it.

PyDBG simply presents you with the tools by which to perform debugging, then expects YOU to write what you want next!

You get to learn how programs really run

You open your mind!

Fuzzers vs Peach vs You

If you download a fuzzer you’re doing it wrong!

If you run another person’s fuzzer, you’re finding the same bugs he found

Peach however lets you tailor what you want to fuzz and how you want to do it.

But Peach is still a tool, doing its things, its way

There are all sorts of bugs that fuzzers won’t find… Maybe it’s best to write your own fuzzer?

Fuzzers: Great for low hanging fruit

Peach: When you’re looking for fuzzable bugs

You: When you want to be a ninja

Metasploit

How does point-click-own make you a better tester?

Metasploit gives you a lot of other features… use them

Great framework for creating shellcode and creating PoC

Metasploit can help you become a ninja

The Bottom Line

There’s a fine line between using a tool and writing your own

When there’s no time and resources to learn or there’s nothing to learn, then just use a tool

When you have the time, want to learn and be a ninja, write your own tool

If you learn how a task is solved, instead of learning how a tool works you’ll be better for it!

Typo3 Weak Encryption Key

A few months back I discovered a vulnerability in the core of Typo3 (versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3). Now that the Typo3 security team have responded with a patch against this issue (see the official Security Note from the Typo3 security team) I can release the details of the vulnerability, as well as some proof-of-concept python scripts that I’ve been holding onto now for a while. The Typo3 Security Team were very quick to respond to the issue, and I found them very good to work with during the disclosure process. If only some larger companies were so easy to work with, and responsive.

The following announcement has been made public in co-ordination with the Typo3 Security Team.

Technical Details <— link to release information

PoC Tools <— Link to tools

For those looking for a brief overview in 100 words or less:

The default encryption key used by Typo3 is created at setup time using inadequate sources of entropy. This design flaw resulted in there being only 1000 possible keys. If an administrator manually changes the Encryption Key through the administrative install console, then this vulnerability can be avoided.

Alongside this flaw, Typo3 also uses the Encryption Key to create MD5 hashes to protect URL links from being manipulated (see full release information for more details and examples). In this case, the Encryption Key is the only piece of information not directly available to the end-user. This allows an attacker to perform an offline brute-force against the Encryption Key. Breaking this key could allow an attacker to form malicious URLs containing script commands of their choice.
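To make the “1000 possible keys” point concrete, here is an added illustration (my own code, not Typo3’s and not the PoC scripts linked above). The key derivation in it is a constructed stand-in for any setup routine whose only variable input is a source with about a thousand distinct outcomes; the real Typo3 routine is not reproduced. The link tag is likewise a simplified model of “MD5 over the link plus the secret key”. The functions `weak_key`, `strong_key`, `md5_link_tag`, `hmac_link_tag`, `verify_link`, `recover_weak_key` and `keyspace_bits`, the sample link, and the seed 617 are all assumptions made for the demonstration. The block shows that one captured link/tag pair lets the whole 1000-key space be checked offline in well under a second, and that regenerating the key from the OS CSPRNG (the administrative fix the text describes) moves the search space to 2^256, where the same search finds nothing.

```python
"""Why a 1000-key space is no key at all (added illustration, not Typo3 code)."""
import hashlib
import hmac
import math
import secrets

WEAK_KEYSPACE = 1000  # the figure from the advisory: only 1000 possible default keys


def weak_key(seed: int) -> str:
    """Constructed low-entropy derivation: the seed (0..999) is the only variable input."""
    if not 0 <= seed < WEAK_KEYSPACE:
        raise ValueError("seed outside the modelled key space")
    return hashlib.md5(f"setup-{seed}".encode()).hexdigest()


def strong_key() -> str:
    """Key drawn from the OS CSPRNG: 32 bytes, i.e. 256 bits of entropy."""
    return secrets.token_hex(32)


def md5_link_tag(url: str, key: str) -> str:
    """Simplified model of the legacy tag: MD5 over the link and the secret key."""
    return hashlib.md5((url + key).encode()).hexdigest()


def hmac_link_tag(url: str, key: str) -> str:
    """Preferred construction for a link tag: HMAC-SHA256 keyed with the secret."""
    return hmac.new(key.encode(), url.encode(), hashlib.sha256).hexdigest()


def verify_link(url: str, tag: str, key: str, tagger=md5_link_tag) -> bool:
    """Server-side check; constant-time compare so the check itself leaks nothing."""
    return hmac.compare_digest(tagger(url, key), tag)


def recover_weak_key(url: str, tag: str):
    """Offline search over the modelled key space using one captured (url, tag) pair.

    Returns (key, attempts) on success or (None, attempts) if no candidate matches.
    """
    for seed in range(WEAK_KEYSPACE):
        candidate = weak_key(seed)
        if md5_link_tag(url, candidate) == tag:
            return candidate, seed + 1
    return None, WEAK_KEYSPACE


def keyspace_bits(n_keys: int) -> float:
    """Entropy, in bits, of a key chosen uniformly from n_keys possibilities."""
    return math.log2(n_keys)


def demo() -> dict:
    url = "index.php?id=42&cmd=showUploads"  # constructed sample link

    # 1. Installation still on the default key (constructed seed 617).
    default_key = weak_key(617)
    captured_tag = md5_link_tag(url, default_key)
    found, attempts = recover_weak_key(url, captured_tag)
    # With the key in hand, a tag for a different link verifies as genuine.
    altered = url.replace("id=42", "id=1")
    altered_accepted = verify_link(altered, md5_link_tag(altered, found), default_key)

    # 2. Administrator regenerated the key from the CSPRNG: same search finds nothing.
    fixed_key = strong_key()
    fixed_tag = hmac_link_tag(url, fixed_key)
    after_fix, _ = recover_weak_key(url, fixed_tag)

    return {
        "weak_key_recovered": found == default_key,
        "attempts": attempts,
        "altered_link_accepted": altered_accepted,
        "weak_bits": keyspace_bits(WEAK_KEYSPACE),
        "strong_bits": keyspace_bits(2 ** 256),
        "search_after_fix_found": after_fix is not None,
        "fixed_link_verifies": verify_link(url, fixed_tag, fixed_key, hmac_link_tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the one the advisory makes: the strength of the tag scheme rests entirely on the secret, so a key drawn from roughly ten bits of entropy is recovered with at most a thousand hash operations, while a 256-bit key drawn from `secrets` cannot be enumerated at all. HMAC-SHA256 is used for the “fixed” side as the standard keyed construction; the advisory itself only states that MD5 hashes are used.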

The PoC scripts for this are available for demonstration purposes only. Any comments are gratefully received.