Saturday, October 31, 2009

Wapiti -Web application vulnerability scanner

Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed web app, looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect the following vulnerabilities:

* File Handling Errors (Local and remote include/require, fopen, readfile...)
* Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
* XSS (Cross Site Scripting) Injection
* LDAP Injection
* Command Execution detection (eval(), system(), passthru()...)
* CRLF Injection (HTTP Response Splitting, session fixation...)

Wapiti is able to differentiate between non-persistent (reflected) and permanent XSS vulnerabilities.
Wapiti prints a warning every time it finds a script allowing HTTP uploads.
A warning is also issued when an HTTP 500 code is returned (useful for ASP/IIS).
Wapiti does not rely on a vulnerability database as Nikto does; Wapiti aims to discover unknown vulnerabilities in web applications.
It does not provide a GUI for the moment, so you must use it from a terminal.

You can download it here:
http://sourceforge.net/projects/wapiti/

Small, medium firms cut security budgets

Small and medium businesses have, for the most part, frozen spending on security, despite an increase in perceived threats, according to a survey released this week by security firm McAfee.

The report, McAfee's first study of the small- and medium-sized business market, analyzes surveys from approximately 100 companies in each of nine different countries, focusing on firms with 51 to 1,000 employees. The surveys found that three-quarters of firms decided to cut or freeze their spending on information security in 2009, and two-thirds of companies spent less than three hours a week on security.

Read more at SecurityFocus

Saturday, October 24, 2009

FTK 3.0 Forensic Toolkit

FTK 3.0 delivers on a number of advanced capabilities, including greatly enhanced analytics, remote device acquisition and expanded reporting options. GUI speeds and processing time have also been dramatically improved.

Reengineered for Improved Performance:
* UI Performance: The FTK GUI is 10 times more responsive across the board, even on machines with only 4GB of RAM.
* Indexing: Indexes quickly and search results populate fast, even with large result sets.
* Distributed Processing: Every copy of FTK 3 comes with 4 workers, allowing you to leverage CPU resources from up to 4 computers (3 distributed workers and 1 worker on the main FTK examiner system).

Compelling New Capabilities:
* RAM Analysis: Enumerate all running processes from 32-bit machines, search memory strings, and process RAM captures for passwords, html pages, lnk files and MS Office documents.
* Mac Analysis: Many new capabilities, such as processing B-Trees attributes for metadata, decrypting Sparse Images or Sparse Bundles, PLIST support, SQLite support and more.
* Pornographic Image Identification: Enables the automated detection and identification of pornographic images by analyzing visual features in the image to assess its actual visual content.

Friday, October 09, 2009

Installing httpry in Backtrack 4

httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real time, displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adapted to different applications.

What can you do with it? Here are a few ideas:
* See what users on your network are requesting online
* Check for proper server configuration (or improper, as the case may be)
* Research patterns in HTTP usage
* Watch for dangerous downloaded files
* Verify the enforcement of HTTP policy on your network
* Extract HTTP statistics out of saved capture files
* It's just plain fun to watch in real time


Download httpry from this site:
root@zaha-desktop:~# wget http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz
--2009-10-09 22:45:48-- http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz
Resolving dumpsterventures.com... 198.107.5.17
Connecting to dumpsterventures.com|198.107.5.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44995 (44K) [application/x-tgz]
Saving to: `httpry-0.1.5.tar.gz'

100%[===================================================>] 44,995 39.3K/s in 1.1s

2009-10-09 22:45:50 (39.3 KB/s) - `httpry-0.1.5.tar.gz' saved [44995/44995]



After downloading, extract it:
root@zaha-desktop:~#
root@zaha-desktop:~# tar -xzvf httpry-0.1.5.tar.gz
httpry-0.1.5/
httpry-0.1.5/format.h
httpry-0.1.5/format.c
httpry-0.1.5/error.h
httpry-0.1.5/utility.c
httpry-0.1.5/Makefile
httpry-0.1.5/build/
httpry-0.1.5/build/httpry.spec
httpry-0.1.5/scripts/
httpry-0.1.5/scripts/parse_log.pl
httpry-0.1.5/scripts/perl-tools
httpry-0.1.5/scripts/plugins/
httpry-0.1.5/scripts/plugins/db_dump.mysql
httpry-0.1.5/scripts/plugins/find_proxies.pm
httpry-0.1.5/scripts/plugins/db_dump.cfg
httpry-0.1.5/scripts/plugins/content_analysis.pm
httpry-0.1.5/scripts/plugins/hostnames.pm
httpry-0.1.5/scripts/plugins/tokenize.pm
httpry-0.1.5/scripts/plugins/search_terms.pm
httpry-0.1.5/scripts/plugins/find_proxies.cfg
httpry-0.1.5/scripts/plugins/log_summary.pm
httpry-0.1.5/scripts/plugins/xml_output.css
httpry-0.1.5/scripts/plugins/hostnames.cfg
httpry-0.1.5/scripts/plugins/xml_output.pm
httpry-0.1.5/scripts/plugins/common_log.pm
httpry-0.1.5/scripts/plugins/xml_output.cfg
httpry-0.1.5/scripts/plugins/db_dump.pm
httpry-0.1.5/scripts/plugins/content_analysis.cfg
httpry-0.1.5/scripts/plugins/tokenize.cfg
httpry-0.1.5/scripts/plugins/search_terms.cfg
httpry-0.1.5/scripts/plugins/common_log.cfg
httpry-0.1.5/scripts/plugins/sample_plugin.pm
httpry-0.1.5/scripts/plugins/log_summary.cfg
httpry-0.1.5/methods.h
httpry-0.1.5/tcp.h
httpry-0.1.5/doc/
httpry-0.1.5/doc/ChangeLog
httpry-0.1.5/doc/method-string
httpry-0.1.5/doc/README
httpry-0.1.5/doc/COPYING
httpry-0.1.5/doc/format-string
httpry-0.1.5/doc/perl-tools
httpry-0.1.5/httpry.c
httpry-0.1.5/rc.httpry
httpry-0.1.5/README
httpry-0.1.5/httpry.1
httpry-0.1.5/config.h
httpry-0.1.5/utility.h
httpry-0.1.5/methods.c
httpry-0.1.5/test/
httpry-0.1.5/test/callgrind
httpry-0.1.5/test/massif
httpry-0.1.5/test/valgrind
httpry-0.1.5/test/format-names
root@zaha-desktop:~# cd httpry-0.1.5
root@zaha-desktop:~/httpry-0.1.5# ls
build doc format.c httpry.1 Makefile methods.h README tcp.h utility.c
config.h error.h format.h httpry.c methods.c rc.httpry scripts test utility.h
root@zaha-desktop:~/httpry-0.1.5#



After extracting, read the README about installing and using httpry:
root@zaha-desktop:~/httpry-0.1.5# less README
root@zaha-desktop:~/httpry-0.1.5#


After reading the documentation, you can build and install it:
root@zaha-desktop:~/httpry-0.1.5# make
gcc -Wall -O3 -funroll-loops -I/usr/include/pcap -I/usr/local/include/pcap -o httpry httpry.c format.c methods.c utility.c -lpcap
root@zaha-desktop:~/httpry-0.1.5# make install
--------------------------------------------------
Installing httpry into /usr/sbin/
You can move the Perl scripts and other tools to
a location of your choosing manually
--------------------------------------------------
cp -f httpry /usr/sbin/
cp -f httpry.1 /usr/man/man1/ || cp -f httpry.1 /usr/local/man/man1/
root@zaha-desktop:~/httpry-0.1.5#



Running httpry (httpry -h shows you how to use it):
root@zaha-desktop:~# httpry -i eth0 -o /home/zahar/zahar.txt
httpry version 0.1.5 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2009 Jason Bittel
Starting capture on eth0 interface
Writing output to file: /home/zahar/zahar.txt
^CCaught SIGINT, shutting down...
216 packets received, 0 packets dropped, 40 http packets parsed
563.5 packets/min, 104.3 http packets/min
root@zaha-desktop:~#



When you open that file, you can see the HTTP traffic of the websites you have visited:
root@zaha-desktop:~# cd /home/zahar/
root@zaha-desktop:/home/zahar# ls
zahar.txt
root@zaha-desktop:/home/zahar# cat zahar.txt
# httpry version 0.1.5
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2009-10-09 23:07:07 69.63.176.193 192.168.1.2 < - - -HTTP/1.1 200 OK
2009-10-09 23:07:07 192.168.1.2 69.63.176.193 > GET 0.channel33.facebook.com /x/2319999860/false/p_1560360253=1 HTTP/1.1 --
2009-10-09 23:07:16 192.168.1.2 74.125.153.95 > GET ajax.googleapis.com /ajax/services/search/web?v=1.0&rsz=large&q=http%3A%2F%2Fwww.lifedork.net%2F HTTP/1.1 - -
2009-10-09 23:07:16 74.125.153.95 192.168.1.2 < - - -HTTP/1.1 200 OK
2009-10-09 23:07:17 192.168.1.2 174.120.81.182 > GET www.lifedork.net / HTTP/1.1 - -
2009-10-09 23:07:17 174.120.81.182 192.168.1.2 < - - -HTTP/1.1 200 OK
2009-10-09 23:07:18 192.168.1.2 72.21.91.20 > GET resources.infolinks.com /js/infolinks_main.js HTTP/1.1 - -
2009-10-09 23:07:19 72.21.91.20 192.168.1.2 < - - -HTTP/1.1 304 Not Modified
2009-10-09 23:07:19 192.168.1.2 72.14.203.101 > GET www.google-analytics.com /__utm.gif?utmwv=4.5.7&utmn=84770406&utmhn=www.lifedork.net&utmcs=UTF-8&utmsr=1024x768&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.0%20r32&utmdt=Lifedork%20-%20still%20geeX%20%3F%20still%20suX%20!&utmhid=1381620066&utmr=-&utmp=%2F&utmac=UA-2655140-3&utmcc=__utma%3D41342143.642009118.1255096268.1255096268.1255099260.2%3B%2B__utmz%3D41342143.1255096273.1.1.utmcsr%3Dgoogle%7Cutmccn%3D(organic)%7Cutmcmd%3Dorganic%7Cutmctr%3Dusing%2520Backtrack%25204%2520SQL%2520injection%3B HTTP/1.1 - -
2009-10-09 23:07:19 72.14.203.101 192.168.1.2 < - - -HTTP/1.1 200 OK
2009-10-09 23:07:19 192.168.1.2 76.74.254.120 > GET stats.wordpress.com /g.gif?host=www.lifedork.net&rand=0.41899971236858347&blog=1730697&v=ext&post=0&ref= HTTP/1.1 - -
2009-10-09 23:07:19 192.168.1.2 174.120.81.182 > GET www.lifedork.net /page/2 HTTP/1.1 - -
2009-10-09 23:07:19 192.168.1.2 67.202.0.15 > GET router.infolinks.com /gsd/1255100950684?callback=resourcesCallback&pid=15399&wsid=0&pdom=www.lifedork.net HTTP/1.1 - -
2009-10-09 23:07:19 76.74.254.120 192.168.1.2 < - - -HTTP/1.1 200 OK
2009-10-09 23:07:20 67.202.0.15 192.168.1.2 < - - -HTTP/1.1 200 OK
2009-10-09 23:07:20 192.168.1.2 72.21.91.20 > GET resources.infolinks.com /flash/request_manager_i18n.swf HTTP/1.1 - -
2009-10-09 23:07:20 192.168.1.2 58.27.186.106 > GET b.scorecardresearch.com /b?c1=8&c2=6416591&rn=0.4555189644582066&c7=http%3A%2F%2Fwww.lifedork.net%2F&c3=3113409433781933211&c4=&c5=&c6=&c15=&c16=&c8=Lifedork%20-%20still%20geeX%20%3F%20still%20suX%20!&c9=&cv=1.6 HTTP/1.1 - -
2009-10-09 23:07:20 174.120.81.182 192.168.1.2 < - - -HTTP/1.1 200 OK
2009-10-09 23:07:20 58.27.186.106 192.168.1.2 < - - -HTTP/1.1 204 No Content
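For the "later analysis" step the post leaves to the reader, here is an added Python example (not one of httpry's own Perl plugins) that parses the default log layout shown above and produces per-host request counts, response status counts and a list of requests for watched file types. The sample log, the watch-list of extensions and the tab-separated column layout are assumptions made for this example.

```python
"""Post-processing for an httpry log (added example, not httpry's own scripts).
Assumes the default layout: a '# Fields:' header naming the columns, one
tab-separated record per line, and '-' for fields that do not apply to a
request (>) or response (<) line. The sample log below is constructed."""
from collections import Counter

# Assumed watch-list of file types worth flagging when a client requests them.
WATCH_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".dll")

SAMPLE_LOG = "\n".join([
    "# httpry version 0.1.5",
    "# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase",
    "\t".join(["2009-10-09 23:07:17", "192.168.1.2", "174.120.81.182", ">", "GET", "www.lifedork.net", "/", "HTTP/1.1", "-", "-"]),
    "\t".join(["2009-10-09 23:07:17", "174.120.81.182", "192.168.1.2", "<", "-", "-", "-", "HTTP/1.1", "200", "OK"]),
    "\t".join(["2009-10-09 23:07:18", "192.168.1.2", "72.21.91.20", ">", "GET", "resources.infolinks.com", "/js/infolinks_main.js", "HTTP/1.1", "-", "-"]),
    "\t".join(["2009-10-09 23:07:19", "72.21.91.20", "192.168.1.2", "<", "-", "-", "-", "HTTP/1.1", "304", "Not Modified"]),
    "\t".join(["2009-10-09 23:07:25", "192.168.1.2", "203.0.113.9", ">", "GET", "downloads.example.test", "/tools/update.exe", "HTTP/1.1", "-", "-"]),
    "\t".join(["2009-10-09 23:07:26", "203.0.113.9", "192.168.1.2", "<", "-", "-", "-", "HTTP/1.1", "200", "OK"]),
])

def parse_httpry(text):
    """Yield one dict per record; the '# Fields:' header supplies the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("# Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def summarize(text):
    """Requests per host, response status counts, and requests for watched file types."""
    hosts, statuses, watched = Counter(), Counter(), []
    for rec in parse_httpry(text):
        if rec["direction"] == ">":          # client request line
            hosts[rec["host"]] += 1
            uri = rec["request-uri"] or ""
            if uri.lower().split("?")[0].endswith(WATCH_EXTENSIONS):
                watched.append((rec["source-ip"], rec["host"], uri))
        else:                                # server response line
            statuses[rec["status-code"]] += 1
    return hosts, statuses, watched
```

To run it over a real capture, replace SAMPLE_LOG with the contents of the output file (here /home/zahar/zahar.txt).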



I'm not an expert in analysis; I hope you all can test this tool.

Thursday, October 08, 2009

Operation Phish Phry hooks 100 in U.S. and Egypt

Computerworld - More than 50 people in Southern California, Las Vegas and Charlotte, N.C., were indicted by a grand jury in Los Angeles for scheming to steal bank account information from thousands of people in the U.S. using phishing techniques.

U.S. authorities today arrested 33 of those named in the indictments and are on the lookout for the other 20.

In addition, authorities in Egypt charged another 47 co-conspirators in connection with the same scheme, bringing the total number of people charged to 100 -- the largest number of defendants ever charged for the same cybercrime, according to the FBI.

The indictments stem from a two-year operation dubbed "Phish Phry," which involved the FBI, the U.S. Attorney's Office, the Electronic Crimes Task Force in Los Angeles and Egyptian law enforcement authorities.

The arrests were announced in Los Angeles by Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, George Cardona, acting U.S. Attorney in Los Angeles, and Egyptian law enforcement authorities.

The 51-count indictment, which was unsealed today, accused all of the defendants with conspiracy to commit wire fraud and bank fraud. Some of those named were also charged with aggravated identity theft, unauthorized access to protected computers and money laundering.

Phishing is a form of social engineering in which attackers send e-mails made to look like legitimate correspondence from reputable institutions such as banks. Victims are directed to Web sites that look authentic but are actually fakes. Once there, they are asked to enter information that can later be used to break into accounts or to commit identity theft.

According to the indictment, hackers in Egypt used phishing techniques to obtain bank account numbers and related personal data from thousands of bank customers in the U.S. The information was then used to break into customer accounts at two U.S. banks, Bank of America and Wells Fargo.

The Egyptian hackers then recruited individuals in the U.S. to help transfer funds from the compromised accounts to newly created accounts. The U.S. part of the crime ring was allegedly managed by Kenneth Lucas, Nichole Merzi and Jonathan Clark, all of whom are residents of California, the FBI said in statement.

The three individuals are alleged to have directed associates to recruit "runners" to establish bank accounts to which funds stolen from the compromised accounts could be transferred. A portion of the funds was wired to the conspirators in Egypt.

The alleged conspirators typically withdrew amounts ranging from a few hundred dollars to more than $2,000 from compromised bank accounts and then transferred the money into the new accounts.

"The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed," Bolcar said in a statement. The operations of the group had a significant impact on the operations of two banks and caused "huge headaches" for the victims, the statement added.

All of the individuals charged in the U.S. face prison terms of up to 20 years if they are convicted.

John Harrison, a group product manager for security vendor Symantec Corp., said the arrests highlight the truly global nature of phishing operations. Despite heightened awareness of the problem, phishing schemes continue to thrive on the Internet, he said.

Last year, Symantec counted more than 55,000 phishing sites. That figure represented an increase of more than 60% from 2007 levels, Harrison said. The growing availability of sophisticated phishing tool kits is adding to the problem by making it much simpler for would-be phishers to create spoofed Web sites that can be used to trick victims into parting with confidential information, he said.

Static Binary Analysis of Recent SMBv2 Vulnerability

The recent SMBv2 vulnerability (CVE-2009-3103) in Microsoft Windows has gotten a lot of attention in the past few weeks. We decided that given the publicity and nature of the vulnerability, it would be interesting to post a threat analysis. With the release of Stephen Fewer's Metasploit module to exploit this vulnerability, technical details of the vulnerability are now publicly available.

Details: http://www.secureworks.com/research/threats/windows-0day/?threat=windows-0day

Sunday, October 04, 2009

File Carving and File Recovery with DiskDigger

DiskDigger is a tool that allows you to recover deleted files from a FAT or NTFS drive. It has two modes of operation: in the first it merely looks in the FAT/MFT to find files marked as deleted, in much the same way that the tool called Restoration does. In the second mode it carves down the drive, looking at the raw bits and finding the known headers and footers of various file types, much like PhotoRec. While PhotoRec seems a little more powerful, DiskDigger is easier to use and its preview functionality is quite nice. This video will cover the basics of recovering deleted files with DiskDigger.

See this video:
http://www.irongeek.com/videos/file-carving-and-file-recovery-with-diskdigger.swf
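To make the second mode concrete, here is an added example (not DiskDigger's or PhotoRec's code) of signature-based carving over a raw image: it scans the bytes for known header/footer pairs and returns each carved object with its offset, skipping a header whose footer never appears. The JPEG and PNG signatures are an assumed short list, and the "disk image" is constructed inline.

```python
"""Minimal header/footer file carver (added example). Carves any file type whose
start and end markers are known, ignoring the file system entirely, which is
how recovery works once directory entries are gone."""
import zlib

# Assumed signature list: (header, footer) byte sequences per carved type.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(image, signatures=SIGNATURES, max_len=10 * 1024 * 1024):
    """Return [(type, offset, data)] for every header followed by its footer within max_len."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_len)
            if end == -1:
                # Header without a footer in range: likely a truncated file, skip it.
                pos = image.find(head, pos + 1)
                continue
            end += len(tail)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(head, end)  # resume after the carved object
    return sorted(found, key=lambda f: f[1])

def build_sample_image():
    """Constructed 'disk image': filler, a 1x1 PNG, filler, a minimal JPEG, filler."""
    ihdr = b"IHDR" + (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x06\x00\x00\x00"
    png = (b"\x89PNG\r\n\x1a\n" + len(ihdr[4:]).to_bytes(4, "big") + ihdr
           + zlib.crc32(ihdr).to_bytes(4, "big")
           + (0).to_bytes(4, "big") + b"IEND" + zlib.crc32(b"IEND").to_bytes(4, "big"))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
    filler = bytes(range(256)) * 4  # deterministic junk standing in for unallocated space
    return filler + png + filler + jpg + filler, png, jpg
```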

Saturday, October 03, 2009

FOSS.my 2009 (24-25 October 2009)

FOSS.my 2009 is Malaysia’s premier Free and Open Source Software (FOSS) event. FOSS.my 2009 is our second such conference; we aim for this to be an annual event bringing together professionals and enthusiasts from Malaysia, Singapore, Asia and the rest of the world for a two-day, grassroots-driven FOSS conference.
http://foss.my/2009/schedule/