Wednesday, 28 December 2011
There are several talks at 28C3 regarding pentesting, research and countermeasures when exploring vulnerabilities. Most of the talks are in the next few days:
802.11 Packets in Packets (ID 4766)
SCADA and PLC Vulnerabilities in Correctional Facilities (ID 4661)
Defending mobile phones (ID 4736)
Black Ops of TCP/IP 2011 (ID 4930)
Don't scan, just ask (ID 4770)
Effective Denial of Service attacks against web application platforms (ID 4680)
Reverse Engineering USB Devices (ID 4847)
The Science of Insecurity (ID 4763)
Time is on my Side (ID 4640)
Ein Mittelsmannangriff auf ein digitales Signiergerät (ID 4758)
Rootkits in your web application (ID 4811)
Reverse-engineering a Qualcomm baseband (ID 4735)
Post Memory Corruption Memory Analysis (ID 4660)
Taking control over the Tor network (ID 4581)
Security Log Visualization with a Correlation Engine (ID 4767)
Ooops I hacked my PBX (ID 4656)
Cellular protocol stacks for the Internet (ID 4663)
Implementation of MITM Attack on HDCP-Secured Links (ID 4686)
Print me if you dare (ID 4780)
The future of cryptology: which 3 letters algorithm(s) could be our Titanic? (ID 4710)
New Ways I'm Going to Hack Your Web App (ID 4761)
Introducing Osmo-GMR (ID 4688)
Sovereign Keys (ID 4798)
Your Disaster/Crisis/Revolution just got Pwned (ID 4707)
Antiforensik (ID 4828)
The engineering part of social engineering (ID 4856)
Security Nightmares (ID 4898)
This list is just a subjective selection of what I think is interesting. You can find more talks by looking in the track "hacking" or in the schedule of the 28C3 (called "Fahrplan").
These talks and many others can either be watched live as a stream or downloaded later via HTTP or rsync. Using the ID of the talk and the tag "28C3", you should also be able to find all the talks via torrent.
Here are some other interesting links regarding 28C3:
c3netmon (Network statistics at 28C3)
No Nerd left behind
Hacked
FTP Server
Chaos Bay
P.S.: Hacker Jeopardy (ID 4775) was also very funny in recent years, so this talk should be worth downloading :-)
28C3
Monday, 26 December 2011
Check SSL/TLS configuration
There are several tools for checking the safety of encrypted communication via HTTPS:
- sslscan
- sslyze
- SSL Audit (only available for Windows)
Nessus also scans for vulnerable SSL certificates, and Nmap shows weak configurations when you use its SSL NSE scripts (e.g. # nmap --script "*ssl*" <target>).
I always check the SSL configuration with sslscan, sslyze and also with Nessus and Nmap.
You can also run an online SSL scan of a website via Qualys, but the result will stay permanently in the Qualys database and is publicly available. If the results of the scan were pretty bad, the domain will also show up in the list "Recent Worst-Rated". So be aware of this fact before you use this kind of SaaS.
The most important recommendations when using SSL/TLS are:
- Use a key >= 128 Bit
- Use strong cryptographic ciphers
- Do NOT use SSLv2 anymore
- Use TLS 1.0, as it is supported by every browser nowadays (even if this implementation is vulnerable to "BEAST" when using a block cipher)
- Use "Secure" Cookie Flag
- Use an Appropriate Certificate Authority
- Only Support Secure Renegotiations
Conversely, everything that does not match these recommendations is a finding in your pentest.
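The checklist above, expressed as a check that turns a scan result into findings. This is an added example, not code from the original post or from any of the tools named; the `ScanResult` structure, the finding IDs and the sample data are assumptions made for illustration, and the certificate authority recommendation is not covered.

```python
# Added example: the recommendations above as an automated check.
# The scan results at the bottom are constructed sample data, not real
# output of sslscan, sslyze, Nessus or Nmap.
from dataclasses import dataclass, field

MIN_KEY_BITS = 128                      # "Use a key >= 128 Bit"
# Assumption: parts of an OpenSSL-style cipher name treated as "not strong":
# no encryption, export grade, anonymous key exchange.
WEAK_PARTS = {"NULL", "EXP", "ADH", "AECDH"}
# BEAST targets CBC block ciphers in SSLv3 and TLS 1.0.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}
# RC4 is a stream cipher and NULL does not encrypt, so neither is a block cipher.
NOT_BLOCK = {"RC4", "NULL"}


@dataclass
class ScanResult:
    accepted: list                # (protocol, cipher name, key bits) the server accepted
    secure_renegotiation: bool    # True if only secure renegotiation is supported
    set_cookie: list = field(default_factory=list)  # raw Set-Cookie header values


def cookie_lacks_secure(header):
    """True if a Set-Cookie value has no Secure attribute.

    Only the attributes after the first ';' count, so a cookie that is
    merely *named* "secure" is still reported.
    """
    attributes = [part.strip().lower() for part in header.split(";")[1:]]
    return "secure" not in attributes


def audit(scan):
    """Return (finding_id, detail) for everything that violates the checklist."""
    findings = []
    for protocol, cipher, bits in scan.accepted:
        parts = set(cipher.split("-"))
        suite = f"{protocol} {cipher}"
        if protocol == "SSLv2":
            findings.append(("sslv2", suite))
        if bits < MIN_KEY_BITS:
            findings.append(("short-key", f"{suite} ({bits} bits)"))
        if parts & WEAK_PARTS:
            findings.append(("weak-cipher", suite))
        if protocol in BEAST_PROTOCOLS and not parts & NOT_BLOCK:
            findings.append(("beast", suite))
    if not scan.secure_renegotiation:
        findings.append(("insecure-renegotiation", "legacy renegotiation accepted"))
    for header in scan.set_cookie:
        if cookie_lacks_secure(header):
            name = header.split("=", 1)[0].strip()
            findings.append(("cookie-no-secure", name))
    return findings


# Constructed samples: a badly configured server and a hardened one.
WEAK_SERVER = ScanResult(
    accepted=[("SSLv2", "RC4-MD5", 128), ("SSLv3", "EXP-RC4-MD5", 40),
              ("TLSv1.0", "AES128-SHA", 128), ("TLSv1.0", "RC4-SHA", 128)],
    secure_renegotiation=False,
    set_cookie=["JSESSIONID=abc123; Path=/; HttpOnly", "lang=de; Path=/; Secure"],
)
HARDENED_SERVER = ScanResult(
    accepted=[("TLSv1.2", "AES128-GCM-SHA256", 128)],
    secure_renegotiation=True,
    set_cookie=["JSESSIONID=abc123; Path=/; HttpOnly; Secure"],
)

if __name__ == "__main__":
    for finding_id, detail in audit(WEAK_SERVER):
        print(f"{finding_id:24} {detail}")
```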
Further reading:
Testing for SSL (OWASP)
Transport Layer Protection Cheat Sheet (OWASP)
OWASP Application Security FAQ #SSL (OWASP)
BEAST Countermeasures
Still no fix in Windows to close Bug exploited by BEAST
Friday, 23 December 2011
Promise FastTrak TX 133
Just yesterday my "new" hardware was delivered, a Promise Ultra133 TX2. I think you have been able to buy this piece of hardware since 2004 and I got it very cheap :-) I just installed it for testing purposes and I connected an old 80GB IDE HD. ESXi did recognize the Promise IDE controller and the attached hard drive and I could add the 80GB HD as datastore3.
If I need more cheap space in the future, I now have the option to add up to 4 IDE drives.
Thanks to vm-help.com and their list of supported hardware :-)
Thursday, 22 December 2011
Virtual Machines prepared for executing a PenTest
- BackTrack
BackTrack 5 R1 Download
- Samurai WTF
The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
I've been using BackTrack now for a year and I really like it because you can work very efficiently with this distribution. In the future I just want to have a look at Samurai WTF, as I've never worked with it before.
Samurai WTF
- OWASP Live-CD
OWASP Live-CD Project
Deploying UltimateLAMP to ESXi
After downloading UltimateLAMP, I wanted to copy the VM to my ESXi server. I downloaded it to my MacBook that is running Mac OS X Lion. As VMware Infrastructure Client and VMware vCenter Converter Standalone are only available on Windows, I had to start my Windows XP VM on my MacBook in VMware Fusion.
Every time I wanted to use VMware vCenter Converter Standalone to convert UltimateLAMP to my ESXi server, I got the following error:
Es können keine Hardwareinformationen für die ausgewählte Maschine abgerufen werden.
Uploading the UltimateLAMP VM to my ESXi via VMware Infrastructure Client didn't work either. The upload was successful and I was able to add the VMX file, but I couldn't start the VM in ESXi.
UltimateLAMP was in my download folder in Mac OS X the whole time, and Windows XP was just accessing it through a shared folder configured in VMware Fusion. The solution was to copy the UltimateLAMP VM into my Windows XP VM; then I could use VMware vCenter Converter Standalone to copy it to my ESXi server without any errors.
A little circuitous, but UltimateLAMP is now also running as a VM :-)
Installation of Damn Vulnerable Linux (DVL)
The installation of DVL is quite easy. After booting the ISO, you just have to create a partition, format it, launch the BackTrack Installer and install the boot loader. To make a long story short, here is a very good set of installation instructions (you can jump to "3. Partition the disk"):
DVL Installation
The installation bar in the BackTrack Installer stalled for at least 5 minutes at 85%, but I could see through
# iostat /dev/sda 1
that some data was still being written to the disk. So just be patient :-)
Another hint: I could not execute lilo -v as described in the link; of course I had to chroot to the DVL installation first. Then everything worked like a charm.
Wednesday, 21 December 2011
Change keyboard layout in BackTrack 5 R1 to German
After installing BackTrack 5 R1, I had to change the keyboard layout in the terminal, because it was set to English. With two commands the keyboard layout can be changed permanently:
# sudo /usr/sbin/locale-gen de_DE.UTF-8
# sudo /usr/sbin/update-locale LANG=de_DE.UTF-8
By executing locale, the configuration can be checked. It should look like this:
root@bt:/# locale
LANG=de_DE.UTF-8
LC_CTYPE="de_DE.UTF-8"
LC_NUMERIC="de_DE.UTF-8"
LC_TIME="de_DE.UTF-8"
LC_COLLATE="de_DE.UTF-8"
LC_MONETARY="de_DE.UTF-8"
LC_MESSAGES="de_DE.UTF-8"
LC_PAPER="de_DE.UTF-8"
LC_NAME="de_DE.UTF-8"
LC_ADDRESS="de_DE.UTF-8"
LC_TELEPHONE="de_DE.UTF-8"
LC_MEASUREMENT="de_DE.UTF-8"
LC_IDENTIFICATION="de_DE.UTF-8"
LC_ALL=
In BackTrack 5 R1 this worked for me, but not in R3.
In BackTrack 5 R3 I needed to execute:
# dpkg-reconfigure console-setup
Then I was able to change the keyboard layout.
Setting Up a Pen-Test Lab with vulnerable VMs
Since ESXi 3.5 is installed on my server, I was looking for already vulnerable VMs that can be deployed to it. The following list contains the VMs that I found via a Google search:
- Metasploitable
Description of Metasploitable
PirateBay Link
- Ultimate LAMP
Here is the description from the UltimateLAMP homepage:
UltimateLAMP is a fully functional environment allowing you to easily try and evaluate a number of LAMP stack software products without requiring any specific setup or configuration of these products.
UltimateLAMP
Description of Ultimate LAMP
Direct download Link
- Damn Vulnerable Linux (DVL)
Distrowatch
PirateBay Link
If you know more vulnerable VMs that can be used in a penetration testing lab, leave a comment. Thx.
Besides these VMs, the OWASP Project is also hosting a website called HackingLab. You just have to register and then you are able to connect to the HackingLab with an OpenVPN client. The OWASP Project also provides an already configured VM that can be used to connect to the HackingLab. When you are connected, you are able to execute several web application pentests against the HackingLab Test Environment. Here you can find the whole list of challenges.
URL:
How to set up a penetration testing Lab
Dell PowerEdge 1600 SC
I've got a new machine for setting up a penetration testing lab at home. I just bought it recently for 50 Euro on a flea market and it was really a snip. It is a Dell PowerEdge 1600 SC.
Specification of my server:
2 x 2,8 GHz Xeon CPU
4 x 1 GB ECC
Gigabit Ethernet
1 x 32 GB Ultra 320 SCSI
After I checked the Windows XP installation on this machine (and I didn't find anything useful or interesting), I decided to install VMware ESX Server 3.5 immediately. This is the latest version that can be used on 32-bit hardware. Versions 4 and 5 of ESX Server can only be operated on 64-bit hardware.
With this little hint by vm-help.com, I was able to install ESX Server 3.5 to an old 160 GB IDE HD.
Now I have an IDE datastore (datastore1) with 148 GB of space and a SCSI datastore (datastore2) with 29 GB of space.
Datastore2 will be used as space for ISOs, Datastore1 will be used as space for the virtual machines.
Links:
Official specification by Dell
Great information resource for ESXi 3.5
Compatible Hardware with ESXi 3.5