Archive for the ‘Tools’ Category

lucent firewall ruleset parser

Monday, December 1st, 2008

Recently I had to go through the ruleset of a Lucent firewall, and the truth is that the export format of the rules is anything but easy to read.

The information is split into three files:

  • rules file: Contains the rules, each one takes about 72 lines (rules have many properties, each property is written in a separate line). Rules match source hosts with destination hosts and services, no surprise there, but the value of any of these three key fields can be an alias.
  • hosts file: in this file the aliases for host groups are defined.
  • services file: service groups are defined here.

So the challenge here is: how do we merge these three files into something meaningful?

I know that purists can do this with a bash one-liner that uses grep, awk and sed, but ruby is my weapon of choice, so I created the lucent_metaparser.rb script. It basically takes the three files and applies some regular expressions to extract the information and store it into data structures, and then outputs the rules in a format that is easy to go through. Here is an example:-

1047: (CH43) 10.0.1.12 ---(both)--- RF400 [permit https - change 43] - enabled | pass
CH43: tcp/443/* ()
10.0.1.12
RF400: 192.168.1.140-192.168.1.145;192.252.1.155;192.252.1.120;
1048: (tcp/80) RF132 ---(both)--- PK012 [web traffic to the dmz - change 74] - enabled | pass
tcp/80
RF132: 172.0.1.38-172.0.1.226 (external reverse proxies)
PK012: 10.15.2.1;10.15.2.2; (internal servers)

I know that it is not perfect and there is room for improvement, but the idea is that the script can be used as a starting point for the review process, and hopefully this will save us some time in the future :)
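The merge step, as an added example that is not lucent_metaparser.rb or any code from the post: the three-file layout below is a constructed, simplified stand-in for the Lucent export (the property names, the yes/no enabled flag and the blank-line rule separator are assumptions), and the script resolves the alias fields against the host and service tables and prints the same format as the sample above.

```ruby
# Added example, not lucent_metaparser.rb: merge a rules file with host and
# service alias files. Input layout is a constructed stand-in for the Lucent
# export (one "key: value" property per line, blank line between rules).
HOSTS = <<~TXT                    # constructed host-group file
  RF400: 192.168.1.140-192.168.1.145;192.252.1.155;192.252.1.120;
  RF132: 172.0.1.38-172.0.1.226 (external reverse proxies)
  PK012: 10.15.2.1;10.15.2.2; (internal servers)
TXT
SERVICES = "CH43: tcp/443/* ()\n" # constructed service-group file
RULES = <<~TXT                    # constructed rules file (one rule)
  id: 1047
  source: 10.0.1.12
  destination: RF400
  service: CH43
  direction: both
  description: permit https - change 43
  enabled: yes
  action: pass
TXT

# "ALIAS: definition" lines -> { alias => definition }
def parse_aliases(text)
  text.each_line.with_object({}) do |line, h|
    h[$1] = $2.strip if line.chomp =~ /\A(\w+):[ \t]*(.*)\z/
  end
end

# property-per-line blocks -> array of { property => value }
def parse_rules(text)
  text.split(/\n\s*\n/).map { |block| block.scan(/^(\w+):[ \t]*(.*)$/).to_h }
end

# One summary line per rule, then each key field expanded through the alias
# tables; a name found in no table is echoed unchanged (literal or dangling).
def render(rule, hosts, services)
  id, src, dst, svc, dir, desc, en, act = rule.values_at(
    'id', 'source', 'destination', 'service', 'direction',
    'description', 'enabled', 'action')
  state = en == 'yes' ? 'enabled' : 'disabled'
  expand = ->(name, table) { table[name] ? "#{name}: #{table[name]}" : name }
  ["#{id}: (#{svc}) #{src} ---(#{dir})--- #{dst} [#{desc}] - #{state} | #{act}",
   expand[svc, services], expand[src, hosts], expand[dst, hosts]].join("\n")
end

def merged_report(rules = RULES, hosts = HOSTS, services = SERVICES)
  h, s = parse_aliases(hosts), parse_aliases(services)
  parse_rules(rules).map { |r| render(r, h, s) }.join("\n")
end

puts merged_report if $PROGRAM_NAME == __FILE__
```

An alias that is referenced by a rule but defined in neither file is printed bare, which is exactly the kind of inconsistency a ruleset review should flag.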

dradis v1.2 - now with one-click installer

Friday, June 13th, 2008

In addition to the changes released on the 4th of April, yesterday we released a Windows one-click installer for dradis.

The summary of the features of the v1.2 release:

  • in the client:
    • export to XML module is now part of the standard module set.
    • a new implementation of the command line parser: now it is possible to use single and double quotes to pass multi-word arguments to the different commands.
    • fixed the window.rb:159 bug.
  • in the server:
    • a slightly less annoying implementation of the web interface auto refresh functionality.
    • the services added through the web interface can have a name now :)
    • simple prevention against embedded XSS.

You can also download the platform-independent ruby source in the download section of the site.


dradis v1.1 is out

Friday, March 7th, 2008

A new version of dradis, the information sharing tool for security teams, was released on the 29th of February. Some major changes were introduced from the first release back in December:-

  • New client GUI that runs in Linux, Windows and Mac OS (screenshots).
  • New web interface.
  • Improved step-by-step installation instructions.
  • New contributed modules:
    • Export your Knowledge Base to an XML file.
    • run nmap from dradis and store the results in the knowledge base.

If you want to give it a try, go to the download page. And please let me know any thoughts or feedback (remember that you can use the dradis development mailing list: dradis-devel).

xmitm: xml man in the middle

Sunday, December 16th, 2007

This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport).

The only way we could think of getting our hands on the communication was to write a small set of scripts to trick the client and encapsulate the communication inside HTTP requests that we could then manipulate using standard proxy tools such as burp.

Although the information and scripts described in this post are focussed on intercepting an XML communication, the same principles apply to a man in the middle of any ASCII protocol such as SMTP, FTP or POP.

update: slides available here

dradis

Tuesday, December 11th, 2007

dradis is a tool for sharing information during a pentest. If you are part of a team of testers working against the same set of targets, you will need to communicate with each other. The more efficient this communication is, the better your chances of a successful breach.