Wednesday, June 24, 2009

PickAXE – Pragmatic Ruby

http://whytheluckystiff.net/ruby/pickaxe/

An awesome online resource for learning Ruby

Windows Heap Overflows using Process Environment Block (PEB)

After a bunch of googling to find out what PEB was I happened upon this old milw0rm paper, which answered that question and the one I was going to ask next: How is it used in exploitation:

http://milw0rm.org/papers/66

LordPE eat your heart out

Explorer Suite is awesome, here is their description:

A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

http://ntcore.com/exsuite.php

System Call Ordinals for XP SP2 x64

http://indefinitestudies.org/2009/01/22/digging-up-system-calls-ordinals-on-xp-x64/

I apologize for not remembering who tweeted this to thank them. But thanks to Daniel Reynaud for posting it.

Tuesday, June 23, 2009

Nessus SCTP scanning

Stolen from: http://blog.tenablesecurity.com/2009/05/scanning-monitoring-for-sctp.html

Paul goes into a lot of meat and potatoes about SCTP but the juice is here:

To scan for SCTP on your network and check if you are vulnerable using Nessue:

Enable “IP Protocols Scan” under the “Misc” plug-in family, and check “Thorough tests(slow)” in the Advanced tab of the scan policy under “Global Variable Settings”.

Monday, June 22, 2009

Dan Guido’s Videos

At the current time of posting, there are a 10 videos that as a security professional, you NEED to watch. It’s free training from some of the best in the biz. Bookmark it.

http://www.vimeo.com/dguido

Fiddler and Watcher

Fiddler is a web debugger, and watcher is a plug-in that adds security testing options to Fiddler.

http://www.fiddler2.com/fiddler2/

Watcher (Fiddler plug-in): http://websecuritytool.codeplex.com/

HTTP over SMTP proxy

http://sectechno.wordpress.com/2009/06/10/http-over-smtp-proxy/

Thursday, June 18, 2009

“Compile” python to a single executable

Here is a script David Kennedy (ReL1K) sent me a while back when we wrote a trojan for the Cyber Collegiate Defense Competition:

Just download py2exe, python setup.py install, then you have py2exe installed....

Say you have a file moo.py you want to compile, just take the code below and put it in a file called compile.py or something, modify it to change 'moo.py' to whatever py you want to compile and run python compile.py build py2exe and your all done. Super simple.


from distutils.core import setup
import py2exe, sys, os
# Hot Sex
sys.argv.append('py2exe')

setup(
    options = {'py2exe': {'bundle_files': 1}},
    console= [{'script': "moo.py"}],
    zipfile = None,
)

Pastebin has evolved.

Etherpad is a pastebin like site where you can edit on the fly… and so can a dozen other people. They actually do a REALLY good job at monitoring changes from everyone. There is also a chat feature, that way you aren’t notepad chatting, and an IMPORT functionality. Importing is great when your clipboard buffer just might not be good enough:

http://etherpad.com/

.. just wow.. (Google check them out, they nailed something you are STILL having problems with, but of course, you are still in BETA)

Wednesday, June 17, 2009

Web App Sec Testing Firefox Extension Collection

A really good list of extensions. The best way to do this is keep multiple copies of Portable Firefox with the addons. I would suggest naming the directories for each copy of Firefox accordingly and also editing their configuration to allow simultaneous starting and altering the title bar so that you can differentiate between the multiple instances.

https://addons.mozilla.org/en-US/firefox/collection/webappsec

Tuesday, June 16, 2009

Phenoelit

Tired of hitting the main site, and making the jump..

http://www.phenoelit-us.org/index.html

Windows functions to open a socket/connection

I hope to be using these links to use as part of .. you know what… I forgot, but I know it will come back to me and I’ll need these links, so I am storing them here. Muhahahah..

http://msdn.microsoft.com/en-us/library/ms738545(VS.85).aspx

http://www.ntkernel.com/w&p.php?id=7

CORE Security IE Zone Bypass MS09-019

CORE’s write-up + code: http://www.coresecurity.com/content/ie-security-zone-bypass

MS09-019 advisory: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx

5 Security Holes at the Office (Video)

CSO interviewed Chris Nickerson and he showed a reporter 5 security problems a random office building had before he ever entered the building:

http://www.csoonline.com/article/494464/Social_Engineering_Security_Holes_at_the_Office_Includes_Video_

Wednesday, June 10, 2009

Pluses and Minuses of forced SmartCard login

Registry Key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption

Off Setting: DWORD=0
On Setting: DWORD=1

This option can make Kon-boot, OFFLINE NT PASSWORD RESET and some of HIREN’s PASSWORD tools pretty useless. But wait.. Can’t you edit the registry offline? Yup! (Be sure to pull the plug because “Computer” policies are applied BEFORE the logon prompt appears)

Tuesday, June 9, 2009

Monday, June 8, 2009

ARPFreeze: Protection against ARP spoofing – Iron Geek style

So IronGeek puts out tons of videos and some pretty sweet tools. This one is no less awesome:

http://www.irongeek.com/i.php?page=security/arpfreeze-static-arp-poisoning

 

Technitium MAC Address Changer

So, yes, it can change your MAC address on your Windows box, but it does A LOT more. Definitely something to pull around with you on a USB stick.

http://www.technitium.com/tmac/index.html

WEPBuster – Perl Autohacking

A perl script that automates the whole process of WEP cracking.

http://code.google.com/p/wepbuster/

GNS3 Network Simulator

http://www.gns3.net/

Probably the best way of getting hands on a Cisco without buying one off of eBay. Tons of features and probably the only sim I’ve worked with that has the complete feature set of the actual devices. (Probably because you have to supply it with a real IOS file)

Sunday, June 7, 2009

Crypto for Pentesters

Chris Eng does  a good job at explaining what you need to know:

http://video.google.com/videoplay?docid=-5187022592682372937

ISO Standards translated to “Plain English”

I don’t work with ISO standards, but definitely worth keeping the link

http://www.praxiom.com/

And on twitter: http://twitter.com/praxiom

Metasploit online payload generator

Just for those who didn’t know it was there:

http://metasploit.com:55555/PAYLOADS

New version of iKAT

iKat is a “Kiosk Attack Tool” the page is certainly NSFW:

http://ikat2.ha.cked.net

Thursday, June 4, 2009

10 Questions you don’t want to ask in interviews

http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2009/04/19/JOBSryan.DTL

  1. "What does your company do?"
  2. "Are you going to do a background check?"
  3. "When will I be eligible for a raise?"
  4. "Do you have any other jobs available?"
  5. "How soon can I transfer to another position?"
  6. "Can you tell me about bus lines to your facility?"
  7. "Do you have smoking breaks?"
  8. "Is [my medical condition] covered under your insurance?"
  9. "Do you do a drug test?"
  10. "If you hire me, can I wait until [more than three weeks from now] to start the job?"

Sandcat – Advanced Web App Sec Tester

There are tons of scanners/testers on the market, but this one’s feature set kinda caught my eye:

http://pentestit.com/2009/06/04/sandcat-advanced-web-application-security-tester/

As of now, the SandCat will scan for these fault injections:
* Buffer Overflow
* Cookie Manipulation
* Command Execution
* CRLF Injection
* Cross Frame Scripting
* Cross-Site Scripting (XSS)
* Default Account
* Directory Listing
* Directory Traversal
* File Inclusion
* Information Disclosure
* LDAP Injection
* MX Injection
* Password Disclosure
* Path Disclosure
* PHP Code Injection
* Server-Specific Vulnerabilities: IIS / iPlanet / Others
* Source Code Disclosure
* SQL Injection
* XPath Injection
* Miscellaneous