Wednesday, 28 December 2011


There are several talks at 28C3 about pentesting, vulnerability research and countermeasures. Most of them take place in the next few days:

802.11 Packets in Packets (ID 4766)
SCADA and PLC Vulnerabilities in Correctional Facilities (ID 4661)
Defending mobile phones (ID 4736)
Black Ops of TCP/IP 2011 (ID 4930)
Don't scan, just ask (ID 4770)
Effective Denial of Service attacks against web application platforms (ID 4680)
Reverse Engineering USB Devices (ID 4847)
The Science of Insecurity (ID 4763)
Time is on my Side (ID 4640)
Ein Mittelsmannangriff auf ein digitales Signiergerät (ID 4758)
Rootkits in your web application (ID 4811)
Reverse-engineering a Qualcomm baseband (ID 4735)
Post Memory Corruption Memory Analysis (ID 4660)
Taking control over the Tor network (ID 4581)
Security Log Visualization with a Correlation Engine (ID 4767)
Ooops I hacked my PBX (ID 4656)
Cellular protocol stacks for the Internet (ID 4663)
Implementation of MITM Attack on HDCP-Secured Links (ID 4686)
Print me if you dare (ID 4780)
The future of cryptology: which 3 letters algorithm(s) could be our Titanic? (ID 4710)
New Ways I'm Going to Hack Your Web App (ID 4761)
Introducing Osmo-GMR (ID 4688)
Sovereign Keys (ID 4798)
Your Disaster/Crisis/Revolution just got Pwned (ID 4707)
Antiforensik (ID 4828)
The engineering part of social engineering (ID 4856)
Security Nightmares (ID 4898)

This list is just a subjective selection of what I think is interesting. You can find more talks by looking at the track "Hacking" or at the 28C3 schedule (called "Fahrplan").

These talks and many others can either be watched live as a stream or downloaded later via HTTP or rsync. Using the ID of the talk together with the tag "28C3" you should also be able to find all the talks via torrent.

Here are some other interesting links regarding 28C3:

c3netmon (Network statistics at 28C3)
No Nerd left behind
FTP Server
Chaos Bay

P.S.: Hacker Jeopardy (ID 4775) was also very funny in previous years, so this talk should be worth downloading too :-)

Monday, 26 December 2011

Check SSL/TLS configuration

There are several tools for checking the security of encrypted communication via HTTPS:

- sslscan
- sslyze
- SSL Audit (only available for Windows)

Nessus also reports weak SSL certificates and cipher suites, and Nmap shows weak configurations when you use its SSL NSE scripts (e.g. # nmap --script "*ssl*" <target>; keep the quotes so the shell does not expand the wildcard).

I always check the SSL configuration with sslscan, sslyze and also with Nessus and Nmap.

You can also run an online SSL scan of a website via Qualys (SSL Labs), but the result is stored in the Qualys database and is publicly visible. If the result is bad, the domain will also show up in the "Recent Worst-Rated" list. So be aware of this before you point this kind of SaaS at a customer's site.

The most important recommendations when using SSL/TLS are:

- Use symmetric cipher keys of at least 128 bits (the server's RSA key is a separate matter and should be at least 2048 bits)
- Use strong cryptographic ciphers (no NULL, export or anonymous suites)
- Do NOT use SSLv2 anymore
- Use TLS 1.0, as it is supported by every browser nowadays (even though TLS 1.0 is vulnerable to "BEAST" when a CBC block cipher is used; TLS 1.1/1.2 fix this, but not all clients support them yet)
- Use the "Secure" cookie flag
- Use an appropriate Certificate Authority
- Only support secure renegotiation (RFC 5746)

Conversely, anything that does not match these recommendations is a finding in your pentest.
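As an added example (not part of the original post and not code from the Nmap, sslscan or sslyze projects), here is a small Python script that turns the protocol/cipher listing printed by the Nmap SSL scripts into findings along the lines of the recommendations above. The scan output embedded in it is constructed by hand in the style of ssl-enum-ciphers; because the exact layout of that script's output varies between Nmap versions, the parser keys only on the protocol names and on the TLS_/SSL2_ cipher-suite names. The key sizes it assigns to bulk ciphers (3DES counted as 112 bits, export suites as 40) and the severities are assumptions of this script, not something the Nmap script reports.

```python
#!/usr/bin/env python3
"""Turn the protocol/cipher listing of `nmap --script ssl-enum-ciphers` into
pentest findings (added example; not code from the Nmap project).

Checks applied, following the recommendations in the post:
  * SSLv2 offered at all
  * symmetric key below 128 bits (NULL, export, DES; 3DES counted as 112)
  * anonymous Diffie-Hellman suites (no server authentication)
  * CBC suites under SSLv3/TLS 1.0 (BEAST), reported as low
"""
import re

# Constructed sample in the style of `nmap --script ssl-enum-ciphers -p 443 <target>`.
# The real script's layout differs between Nmap versions; only the protocol
# names and the TLS_/SSL2_ suite names matter to the parser below.
SAMPLE = """\
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv2
|     ciphers
|       SSL2_RC4_128_WITH_MD5
|       SSL2_DES_64_CBC_WITH_MD5
|   SSLv3
|     ciphers
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|   TLSv1.0
|     ciphers
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_NULL_SHA - weak
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_SHA - strong
|_  least strength: weak
"""

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2")

# Effective symmetric key size implied by the bulk-cipher part of a suite name
# (assumed mapping for this script; the first matching marker wins, so EXPORT
# and 3DES are listed before the generic DES/AES markers).
BULK_BITS = [
    ("NULL", 0), ("EXPORT", 40), ("RC4_40", 40), ("RC2_CBC_40", 40),
    ("DES_64", 56), ("3DES", 112), ("DES_CBC", 56),
    ("AES_256", 256), ("AES_128", 128), ("CAMELLIA_256", 256),
    ("CAMELLIA_128", 128), ("RC4_128", 128), ("SEED", 128), ("IDEA", 128),
]

SUITE_RE = re.compile(r"^(TLS|SSL2|SSL)_[A-Z0-9_]+")


def key_bits(suite):
    """Symmetric key size a suite name implies, or None if unrecognised."""
    for marker, bits in BULK_BITS:
        if marker in suite:
            return bits
    return None


def parse(output):
    """Map protocol name -> list of cipher suites offered under it."""
    offered, current = {}, None
    for line in output.splitlines():
        body = line.lstrip("|_ ").strip().rstrip(":")
        if body in PROTOCOLS:
            current = body
            offered.setdefault(current, [])
        elif current and SUITE_RE.match(body):
            offered[current].append(body.split()[0])
    return offered


def findings(offered):
    """Apply the recommendations; return sorted (severity, message) tuples."""
    out = set()
    if "SSLv2" in offered:
        out.add(("high", "SSLv2 is enabled"))
    for proto, suites in offered.items():
        for s in suites:
            bits = key_bits(s)
            if "_anon_" in s or "ADH" in s:
                out.add(("high", f"{proto}: {s} is anonymous (no server authentication)"))
            if bits is not None and bits < 128:
                sev = "high" if bits < 112 else "medium"
                out.add((sev, f"{proto}: {s} uses a {bits}-bit key"))
            if proto in ("SSLv3", "TLSv1.0") and "CBC" in s:
                out.add(("low", f"{proto}: {s} is a CBC suite, affected by BEAST"))
    return sorted(out)


if __name__ == "__main__":
    for sev, msg in findings(parse(SAMPLE)):
        print(f"[{sev}] {msg}")
```

To use it against a real host, replace SAMPLE with the saved output of the Nmap run (nmap -oN scan.txt --script "*ssl*" -p 443 <target>) and review the list: on the constructed sample it yields five high findings (SSLv2, a 56-bit and a 40-bit suite, a NULL suite, an anonymous suite), one medium (3DES) and four BEAST notes.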

Further reading:
Testing for SSL (OWASP)
Transport Layer Protection Cheat Sheet (OWASP)
OWASP Application Security FAQ #SSL (OWASP)
BEAST Countermeasures
Still no fix in Windows to close Bug exploited by BEAST

Friday, 23 December 2011

Promise FastTrak TX 133

Just yesterday my "new" hardware was delivered, a Promise Ultra133 TX2. I think this piece of hardware has been on sale since 2004 and I got it very cheap :-) I just installed it for testing purposes and connected an old 80GB IDE HD. ESXi recognized the Promise IDE controller and the attached hard drive, and I could add the 80GB HD as datastore3.

If I need more cheap space in the future, I have now the option to add up to 4 IDE drives.

Thanks to and their list of supported hardware :-)

Thursday, 22 December 2011

Virtual Machines prepared for executing a PenTest

  • BackTrack
To penetrate the vulnerable VMs on my ESXi server, I downloaded and installed BackTrack 5 R1 (32-Bit, Gnome). After an optional registration it is possible to choose between a 32-Bit and a 64-Bit ISO. It is also possible to download a virtual machine with BackTrack already installed. I wanted to install BackTrack on a USB flash drive as well, so I downloaded the ISO.

BackTrack 5 R1 Download
  • Samurai WTF
Additionally I also downloaded and installed the latest version of Samurai WTF (Web Testing Framework). Here is a short description copied from the Samurai website:
The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
I've been using BackTrack for a year now and I really like it because you can work very efficiently with this distribution. In the future I just want to have a look at Samurai WTF, as I've never worked with it before.

Samurai WTF
  • OWASP Live-CD
Last but not least, I also found a Live CD provided by the OWASP project for web application pentesting. There has been no update in the last 2 1/2 years, but maybe it's worth a look, so I also deployed it to the ESXi.

OWASP Live-CD Project

Deploying UltimateLAMP to ESXi

After downloading UltimateLAMP, I wanted to copy the VM to my ESXi server. I had downloaded it to my MacBook running Mac OS X Lion. As VMware Infrastructure Client and VMware vCenter Converter Standalone are only available on Windows, I had to start my Windows XP VM in VMware Fusion on my MacBook.

Every time I wanted to use VMware vCenter Converter Standalone to convert UltimateLAMP for my ESXi server, I got the following error:

Hardware information for the selected machine cannot be retrieved. (German original: "Es können keine Hardwareinformationen für die ausgewählte Maschine abgerufen werden.")
Uploading the UltimateLAMP VM to ESXi via VMware Infrastructure Client didn't work either. The upload was successful and I was able to add the VMX file, but I couldn't start the VM in ESXi.

UltimateLAMP was in my download folder in Mac OS X the whole time and Windows XP was just accessing it through a shared folder configured in VMware Fusion. The solution was to copy the UltimateLAMP VM into my Windows XP VM; then I could use VMware vCenter Converter Standalone to copy it to my ESXi server without any errors.

A little circuitous, but UltimateLAMP is now also running as a VM :-)

Installation of Damn Vulnerable Linux (DVL)

The installation of DVL is quite easy. After booting the ISO, you just have to create a partition, format it, launch the BackTrack Installer and install the boot loader. To make a long story short, here is a very good installation guide (you can jump to "3. Partition the disk"):

DVL Installation 

The progress bar in the BackTrack Installer stalled for at least 5 minutes at 85%, but I could see through

# iostat /dev/sda 1

that data was still being written to the disk. So just be patient :-)

Another hint: I could not execute lilo -v as described in the link; of course I had to chroot into the DVL installation first. Then everything worked like a charm.

Wednesday, 21 December 2011

Change keyboard layout in BackTrack 5 R1 to German

After installing BackTrack 5 R1, I had to change the keyboard layout in the terminal, because it was set to English. With two commands the keyboard layout can be changed permanently (strictly speaking these two commands set the system locale rather than the key map; if the layout is still wrong afterwards, set it explicitly with loadkeys de on the console or setxkbmap de under X):

#sudo /usr/sbin/locale-gen de_DE.UTF-8

#sudo /usr/sbin/update-locale LANG=de_DE.UTF-8

By executing locale, the configuration can be checked. LANG should now be de_DE.UTF-8:

root@bt:/# locale

In BackTrack 5 R1 this worked for me, but not in R3.

In BackTrack 5 R3 I needed to execute:

# dpkg-reconfigure console-setup

Then I was able to change the keyboard layout. 

Setting Up a Pen-Test Lab with vulnerable VMs

Since ESXi 3.5 is installed on my server, I was looking for vulnerable VMs that can be deployed to it. The following list contains the VMs that I found via a Google search:

  • Metasploitable
It's a VM provided by Rapid7, the owner of Metasploit. Metasploitable is a virtual machine (running Ubuntu 8.04) with a lot of vulnerabilities that can be used to test the Metasploit Framework by executing attacks against it.

Description of Metasploitable
PirateBay Link

  • Ultimate LAMP
The purpose of Ultimate LAMP was not to be vulnerable, but the VM is pretty old, it is from May 2006 (so it should contain some vulnerabilities :-).

Here is the description of the Homepage for UltimateLAMP:
UltimateLAMP is a fully functional environment allowing you to easily try and evaluate a number of LAMP stack software products without requiring any specific setup or configuration of these products.
Description of Ultimate LAMP
Direct download Link

  • Damn Vulnerable Linux (DVL)
DVL is a VM that, as the name already implies, is damn vulnerable. It is based on BackTrack 2 and therefore on Slackware. Unfortunately the homepage has been under construction for several months now and I didn't find any direct download link. But there is a torrent available.

PirateBay Link

If you know more vulnerable VMs that can be used in a penetration testing lab, leave a comment. Thx.

Besides these VMs, there is also a website called HackingLab that hosts the OWASP challenges. You just have to register and then you can connect to the HackingLab with an OpenVPN client. The OWASP project also provides a preconfigured VM that can be used to connect to the HackingLab. Once connected you can run several web application pentests against the HackingLab test environment. Here you can find the whole list of challenges.

How to set up a penetration testing Lab

Dell PowerEdge 1600 SC

I've got a new machine for setting up a penetration testing lab at home. I bought it recently for 50 Euro at a flea market and it was a real bargain. It is a Dell PowerEdge 1600 SC.

Specification of my server:

2 x 2.8 GHz Xeon CPU
4 x 1 GB ECC RAM
Gigabit Ethernet
1 x 32 GB Ultra320 SCSI HD

After I checked the Windows XP installation on this machine (and didn't find anything useful or interesting), I decided to install VMware ESX Server 3.5 immediately. This is the latest version that can be used on 32-bit hardware; versions 4 and 5 of ESX Server can only run on 64-bit hardware.

With this little hint by, I was able to install ESX Server 3.5 to an old 160 GB IDE HD.

Now I have an IDE datastore (datastore1) with 148 GB of space and a SCSI datastore (datastore2) with 29 GB of space.

Datastore2 will be used for ISOs, datastore1 for the virtual machines.

Official specification by Dell
Great information resource for ESXi 3.5
Compatible Hardware with ESXi 3.5