Blogs

MagicTree Beta Two Publicly Available

Here we go with the first public release of MagicTree, unimaginatively called Beta Two. MagicTree is a penetration tester productivity tool: it allows easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation. In case you wonder, “Tree” is because it stores all the data in a tree, and “Magic” because it is designed to magically do the most cumbersome and boring part of penetration testing, data management and reporting. See What is MagicTree for more details.

NAND Chip Reader/Writer Gadget

During a recent hardware hacking test I used a very nice gadget, the NAND Reader sold by the Russian company Soft Center. The tool is intended for recovering files from damaged thumb drives, but I repurposed it to read and write the contents of the NAND chips holding the embedded OS of the appliance under test.

SSH Man-in-the-Middle Attack and Public-Key Authentication Method

SSH is a protocol for secure remote login and other secure network services over insecure networks. To detect man-in-the-middle attacks, SSH clients are supposed to check the host key of the server, for example by comparing it with a known good key, such as the one recorded in the client's known_hosts file on a previous connection.
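The host key check described above, as an added example rather than code from the post: a small parser for OpenSSH's known_hosts format (plain host names, comma-separated lists, hashed host fields and @revoked lines) that classifies the key a server presents. A "mismatch" is exactly what a man-in-the-middle produces, and the client must refuse to continue rather than ask the user to accept the new key. All keys, host names and the file contents are constructed for the example and are assumptions, not real servers.

```python
import base64
import hashlib
import hmac
import struct


def fingerprint(key_b64):
    """OpenSSH-style fingerprint (SHA256:<base64 without padding>) of a host key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _host_matches(pattern, host):
    """Match the first known_hosts field: a plain name, a comma-separated list,
    or a hashed entry |1|base64(salt)|base64(HMAC-SHA1(salt, host)).
    Wildcards, negation and [host]:port syntax are not handled here."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def check_host_key(known_hosts, host, key_type, key_b64):
    """Compare the key a server presented against known_hosts.
    Returns 'ok', 'revoked', 'mismatch' (host known, key differs: possible
    MITM or a legitimately rotated key) or 'unknown' (no entry for this host)."""
    seen_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):          # @revoked or @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue                            # CA keys are not host keys
        pattern, ktype, blob = fields[:3]
        if ktype != key_type or not _host_matches(pattern, host):
            continue
        if hmac.compare_digest(blob, key_b64):
            return "revoked" if marker == "@revoked" else "ok"
        if marker is None:
            seen_host = True
    return "mismatch" if seen_host else "unknown"


def ed25519_blob(pubkey32):
    """Base64 of the ssh-ed25519 wire format: string "ssh-ed25519", string key."""
    def sshstr(b):
        return struct.pack("!I", len(b)) + b
    return base64.b64encode(sshstr(b"ssh-ed25519") + sshstr(pubkey32)).decode()


def hashed_host(host, salt):
    """Build a hashed host field the way `ssh-keygen -H` does (20-byte salt)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed test data: these are not real server keys or hosts.
GOOD_KEY = ed25519_blob(bytes(range(32)))
EVIL_KEY = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "bastion.example,192.0.2.10 ssh-ed25519 " + GOOD_KEY + " ops@laptop",
    hashed_host("hidden.example", b"\x01" * 20) + " ssh-ed25519 " + GOOD_KEY,
    "@revoked old.example ssh-ed25519 " + EVIL_KEY,
])

if __name__ == "__main__":
    for host, key in [("bastion.example", GOOD_KEY), ("bastion.example", EVIL_KEY),
                      ("hidden.example", GOOD_KEY), ("old.example", EVIL_KEY),
                      ("new.example", GOOD_KEY)]:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The comparison is done on the full key blob, not just the fingerprint; the fingerprint is only what you show the user when the result is "unknown" so they can verify it out of band.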

Windows vs Linux vs MacOS vs OpenBSD

Or Quality Vs. Quantity

It seems to be an unsolvable puzzle for programmers: why would users prefer a buggy and awkward operating system like Windows to an elegant and slim one like Mac OS X? Or a patchy and dirty Linux to a clean and secure OpenBSD? Obviously a program that does a few tasks very well is better than a program that does a lot of things badly, isn't it?

VMWare NATD Silent TTL Overwrite

Bloody (excuse my French) VMware NAT daemon silently overwrites the TTL of DNS records! It sets the TTL of 0-TTL records it proxies to 5 seconds. Right, normally it is nothing to complain about. But it suddenly becomes a big deal if you are busy checking how different browsers respond to a DNS rebinding attack, which depends on the browser seeing that low TTL and re-resolving the name... Uhhrr...

Apparently I'm not the first one to notice this; somebody else (http://communities.vmware.com/thread/236511) had the same experience with VMware Fusion.
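The quickest way to confirm what TTL a guest actually sees is to send the query from inside the VM and parse the raw reply, rather than trusting what a stub resolver or the browser reports. The parser below is an added example, not code from the post: it reads the answer section of a DNS response (handling the name compression real replies use) and flags any record whose TTL differs from the one the authoritative server is known to send. The response packets it parses are constructed inline; the names and addresses are assumptions.

```python
import struct


def _read_name(msg, off):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels = []
    end = None                      # set when the first pointer is followed
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # two-byte pointer into an earlier name
            pointer = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def answer_records(msg):
    """Parse the answer section of a raw DNS response into
    [(name, rtype, ttl, rdata)]; A records get a dotted-quad rdata."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                        # fixed 12-byte header
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                    # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, ttl, rdata))
    return records


def ttl_rewritten(msg, expected_ttl=0):
    """True if some answer carries a TTL other than the one the authoritative
    server is known to send (0 in a rebinding setup)."""
    return any(ttl != expected_ttl for _, _, ttl, _ in answer_records(msg))


def build_response(qname, addr, ttl, txid=0x1234):
    """Constructed test data: a minimal response with one A record, the
    answer name written as a compression pointer to the question name."""
    def encode_name(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # A, IN
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(x) for x in addr.split(".")))
    return header + question + answer


if __name__ == "__main__":
    honest = build_response("rebind.example", "203.0.113.5", 0)
    proxied = build_response("rebind.example", "203.0.113.5", 5)   # what the NAT daemon would hand back
    for label, msg in (("authoritative", honest), ("via NAT daemon", proxied)):
        print(label, answer_records(msg), "rewritten:", ttl_rewritten(msg))
```

To use it live, send the same question over UDP to the resolver the guest is configured with and feed the reply bytes to answer_records; if the TTLs come back as 5 where the authoritative zone serves 0, the browser test results are measuring the NAT daemon, not the browser.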

DNS Rebinding Checklist

Recently I have done a couple of tests which made me consider the DNS rebinding attack in detail. Given the relatively large number of "moving parts" involved in the attack, I figured it was worth making a checklist which can be used to do this kind of evaluation. Below is the draft I am working on. In particular, I intend to add references and explanations/testing guidelines to the checklist. Not sure about PoC exploits.

Build NetExpect on Ubuntu 10

I came across a nice tool, potentially useful for pen testing: a TCP/IP-aware version of Tcl Expect. Written by Eloy Paris of Cisco Systems, it is currently distributed as source only. I haven't had much time to play with it yet, but it looks very promising. Tomorrow I will try to use it for SIP REGISTER flooding, which I currently do with sipp. (In a way, sipp is similar to NetExpect: it can execute send/expect scenarios, but it seems to be focused on the SIP protocol.)

Exploiting cross-site scripting in Referer header

An application that echoes the Referer header is vulnerable to cross-site scripting, and it is perfectly exploitable. Here is how:


Windows Detours library for the people

The Microsoft Detours library can be used to attach a hook to system functions invoked by Windows programs. You can write arbitrary code that gets invoked when a program tries, for example, to send something over SSL or to get the current timestamp, and handle the call however you like instead of (or in addition to) passing it on to the standard Windows libraries.

Hopefully the notes below will be useful to fellas who, like myself, are not skilled Windows developers, but occasionally get thrown into the Windows world and need to intercept a function call or two.

Linux Routing Quirks

Recently I spent some time trying to mess up the routing table of a Linux appliance to trick it into leaking certain network traffic I was interested in. In theory it looked reasonably simple, but not quite so in practice. While trying to screw up the appliance I learned a couple of new things about Linux networking:
