Making Linux network bridge transparent for 802.1x packets

Update 17/01/2011: If you are interested in 802.1x bridging, have a look at my Tapping 802.1x Links with Marvin blog post.

802.1x authentication messages are sent in Ethernet frames with destination MAC address set to 01:80:C2:00:00:03. This address belongs to “IEEE 802.1D MAC Bridge Filtered MAC Group Addresses” (01:80:C2:00:00:00 to 01:80:C2:00:00:0F) and such frames are not supposed to be relayed by bridges conforming to IEEE 802.1D [2]. For a number of reasons, you may want these frames to go through your bridge.

Russian Spying Operation Cracked

Passwords on post-it notes, unencrypted Wi-Fi, Windows hanging, laptops breaking and other IT misery

This article in Computerworld is absolutely hilarious.

Transparent Connection Interception Trick

Now that I have had a blog for half a year, I figured I should post something. So here goes a description of using a Linux (Ubuntu in my case) bridge configured to redirect selected TCP connections to an intercepting proxy (Burp) while letting the intercepting proxy communicate with the server. Quite useful when doing pentests of fat clients and appliances communicating over HTTP(S), especially in a situation when you can't tamper with the client's /etc/hosts file or use another technique to redirect interesting traffic.

Worst security hole you've ever seen?

In a thread on StackOverflow, people (programmers mostly) post about the worst security holes they have ever seen. It's pretty interesting reading.

You know what's most interesting about it? If you are a practising pentester, you'll be bored halfway through the first page, because you have seen most of those holes. Negative amount of pizza? You bet.

(Avoiding) SQL Injection In LIKE Clause

A lot of web developers have gotten the message about SQL injection and are using parameterized statements. Still, there are a few cases where using parameterized statements is not quite straightforward, such as in a LIKE clause.

Suppose you want to do something like this:

SELECT * FROM people WHERE name LIKE 'joe%'

and the string "joe" is supplied by the user. How do you do that? This won't work:

SELECT * FROM people WHERE name LIKE '?%'

Neither will this:

SELECT * FROM people WHERE name LIKE ?%

MagicTree Beta One Is Out

MagicTree Beta One is out!

They don't have <dance> or <jump-up-and-down-excitedly> tags in HTML or I'd use those too.

Enabling SSL/TLS Renegotiation in Java

All the crazy SSL servers seem to come my way - ones that only support weird combinations of protocols and ciphers, ones that require client certificates stored on PKCS#11 hardware, and ones that require SSL renegotiation.

Apache Foundation Hacked via Reflected Cross-Site Scripting

I am thoroughly impressed. A combination of reflected XSS, insecure file uploads and bad passwords allowed the attackers to gain root on one of the Apache Foundation's servers, and a non-privileged shell on another one. Here is the story directly from Apache.

In my opinion the most interesting part here is the fact that reflected XSS was used as the initial step. I always thought XSS, particularly the reflected sort, is somewhat over-hyped. I don't think so any more.


Free Flash Decompiler

Supporting ActionScript 2 and ActionScript 3

During a recent test I stumbled upon this wonderful tool: HP SWF Scan. It is positioned as a vulnerability scanner for Flash, but it also decompiles. Here is a screenshot:

HP SWF Scan Screenshot

MagicTree Beta One Release Delayed

We are very sorry to say that we have to delay Beta One release of MagicTree. It was planned for the beginning of April, but due to unexpectedly high consulting workload we will have to delay it at least until the beginning of May.

There is just one major feature that is missing for the Beta. It is Microsoft Word reporting. We have reporting in OpenOffice format, but MS Word still needs to be implemented.
