Bookmarks for June 30th through August 5th

August 5th, 2010 admin

These are my links for June 30th through August 5th:

  • Programatically Setting Password Policies | Krypted – Mac OS X, like many operating systems has a robust password policy engine. One that is not leveraged by default on either Mac OS X client or on Mac OS X Server. In Mac OS X Server, when using Open Directory, you can easily click on Open Directory in the SERVERS sidebar list of Server Admin and then click on the Settings icon in the Server Admin toolbar. Here, if you click on Policies you’ll see the available Policies for Open Directory accounts.
  • BlindElephant Web Application Fingerprinter – The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
  • DEF CON® Hacking Conference – Speaker’s Corner – Among the first questions you hear when teaching anyone to pick a lock is some variant of "What is this pick for?" I've heard it a dozen ways, "Which one should I use for this lock?", "Which one will open it fastest?" and "How does this one work?" I know that answering this question in print won't keep me from having to answer it a million more times, but at the very least it will help me collect my thoughts and hopefully serve as a primer to new pickers who come across it.
  • Adam Muntner’s Weblog: Updated Web Application Security Testing Collection for Firefox
  • grand stream dreams: Sexy USB Boots (Win PE style)
  • Vulnerability Assessment Testing Automation Part I, (Tue, Jun 29th) – described how and why to automate parts of the security testing process.
  • Demonstrating XSS with BeEF – Cross-site scripting (XSS) is a type of web application vulnerability that enables malicious attackers to inject client-side script into web pages viewed by other users. The idea is that in a vulnerable page, you can include your own code that runs in other people’s browsers. The non-persistent, or reflected, cross-site scripting vulnerability is the most common and easily detected type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response.
Categories: del.icio.us Tags:

Bookmarks for June 26th through June 30th

June 30th, 2010 admin

These are my links for June 26th through June 30th:


Bookmarks for June 10th through June 23rd

June 23rd, 2010 admin

These are my links for June 10th through June 23rd:

  • FoxAnalysis – Firefox 3 Forensics – FoxAnalysis is a software tool enabling analysis of internet history data generated using Mozilla Firefox 3. This tool was developed to assist in forensic examinations.
  • neXCSer – DigiNinja – neXCSer was originally going to be a way to allow multiple auditors to merge their Nessus results into a single file that could then be parsed through by hand or in a spreadsheet to help with further testing or report writing, however once I started writing it I realised that it could help more than that by allowing different sections of the results file to be broken down into their own parts.
  • ICCIDs IMSIs and iPads, Oh My! « Chris Paget’s Blog – A few days ago Apple suffered a security breach – the ICCIDs and email addresses for 114,000 iPad users were hacked, leading to widespread press coverage and speculation. The general consensus seems to be that the ICCID (being the serial number that’s printed onto the SIM card) has no real security consequences to its disclosure, and that the bigger problem is the associated email addresses. The consensus is badly wrong – here’s why.
  • Spsa – Cryptolife – Here you can find the Snorby preconfigured security applications; this makes it effortless for anyone to use Snorby, the new and modern Snort IDS front-end. With (SPSA) Snorby Preconfigured Security Applications, it is possible to get Snorby and Snort up and running out of the box within a few minutes. Feedback and info are welcome by email at:
  • Uninformed – vol 10 article 3 – Exploiting Tomorrow’s Internet Today: Penetration Testing with IPv6
  • Social engineering techniques: 4 ways criminal outsiders get inside – Your security plan goes from locked down to wide open when a social engineer pulls off these techniques to gain insider access
  • StorefrontBacktalk » Blog Archive » Complying With Visa’s July 1 PA-DSS Mandate – PA-DSS applies to third-party applications that store, process or transmit cardholder data as part of the authorization and settlement process. Importantly, this definition includes both standalone applications and payment modules of larger enterprise resource planning (ERP) systems. In all cases, though, you license and host these applications internally.

Bookmarks for May 28th through June 9th

June 9th, 2010 admin

These are my links for May 28th through June 9th:

  • Tactical Web Application Security: Zone-H Defacement Statistics Report for Q1 2010 – Web defacements are a serious problem and are a critical barometer for estimating exploitable vulnerabilities in websites. Unfortunately, most people focus too much on the impact or outcome of these attacks (the defacement) rather than the fact that their web applications are vulnerable to this level of exploitation. People are forgetting the standard Risk equation:

    RISK = THREAT x VULNERABILITY x IMPACT

    The resulting risk of a web defacement might be low because the impact may not be deemed a high enough severity for particular organizations. What most people are missing, however, is that the threat and vulnerability components of the equation still exist. What happens if the defacers decided to not simply alter some homepage content and instead decided to do something more damaging such as adding malicious code to infect clients?
  • NFI Defraser | Download NFI Defraser software for free at SourceForge.net – Defraser is a forensic analysis application that can be used to detect full and partial multimedia files in datastreams. It is typically used to find (and restore) complete or partial audio/video files in datastreams (for instance, unallocated diskspace)
  • Penetration Testing and Vulnerability Analysis – Careers – Information Security Careers Cheatsheet – These are my views on careers in information security based on the experience I've had, and your mileage may vary. The information below will be most appropriate if you live in New York City, you're interested in application security, pentesting, or reversing, and you are early on in your career in information security.
  • WMIC for incident response – Earlier this week, I posted about using psexec during incident response. I mentioned at the end of that post that I’ve been using WMIC in place of psexec and that I’d have more on that later. This post is a follow-up to the psexec post.
  • The Digital Standard: Crack-a-Lacka – OK…so you may have heard that it’s pretty easy to crack SAM hives using tools like Cain & Abel or Ophcrack, but you have never done it before, you don’t know where to start looking, and you feel like a dolt. No worries my friend, I am here to help.
  • Groundspeed :: Add-ons for Firefox – Groundspeed is an add-on that allows security testers to manipulate the application user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration tests.
  • SIPVicious: New tool in the works: TFTPTheft – Most sysadmins just love the idea of switching on a box that just works automatically. In the case of IP phones that is typically possible by setting up the right DHCP config and a TFTP server hosting firmware and configuration.

Bookmarks for May 20th through May 27th

May 27th, 2010 admin

These are my links for May 20th through May 27th:

  • WebCruiser – Web Security – WebCruiser – Web Vulnerability Scanner, a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.

    It can support scanning a website as well as POC (proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!
  • Stealing a photo from remote webcam | nullpointer.dk – Ever wanted to capture a photo from a remote webcam? Like from one of your friends perhaps. Probably, if you've a little hacker in your belly... This is another demonstration of the use of Metasploit like I did in my previous article Exploiting SMB on Windows. Therefore, I won't talk about installing the framework and running the supplied program msfconsole.
  • PaulDotCom: Archives – Metasploit has A LOT of exploits, but from time to time you will very likely need to use exploits that are not part of the framework. Whether it is an exploit from www.exploit-db.com that spawns a shell or a netcat listener you can still use the framework to control the host. As long as you have a shell bound to a TCP port you can use metasploit to interact with that victim. What's more, you can upgrade that shell to a meterpreter session so you can benefit from the full power of the framework.
  • Tenable Network Security: Common Platform Enumeration (CPE) with Nessus – Recently a Nessus plugin (and associated library) was developed that includes CPE information about supported targets. If no entry exists in the CPE database, the plugin will attempt to create one and apply all of the appropriate information in the CPE defined format. I ran a scan against my test network and then filtered for CPE entries:
  • security.crudtastic.com » Test Lab Version 1.0
  • Dailymotion – Practical Exploitation – Null Session Enum – a College video – 3 tools that do enumeration using null sessions
  • SkullSecurity » Blog Archive » Defeating expensive lockdowns with cheap shellscripts – Recently, I was given the opportunity to work with an embedded Linux OS that was locked down to prevent unauthorized access. I was able to obtain a shell fairly quickly, but then I ran into a number of security mechanisms. Fortunately, I found creative ways to overcome each of them.

Bookmarks for April 19th through May 19th

May 19th, 2010 admin

These are my links for April 19th through May 19th:

  • Dasient Blog: Q1’10 web-based malware data and trends – Each quarter we pull together data for web-based malware attacks from across the web. Our proprietary malware analysis platform allows us to monitor millions of websites and draw results from a wealth of data which we summarize in this blog. What we continue to see is that the web malware threat continues to grow significantly. Hackers are becoming increasingly sophisticated and bold in their attacks, which means that legitimate websites are more threatened than ever. Putting web site security best practices in place such as malware monitoring and containment is becoming an absolute must if businesses do not want to expose themselves and their customers to these attacks. A particularly interesting observation has been an increase in 'malvertising' attacks in which hackers plant malicious ads on high-profile ad networks and websites
  • SkullSecurity » Blog Archive » Taking apart the Energizer trojan – Part 1: setup – As most of you know, a Trojan was recently discovered in the software for Energizer's USB battery charger. Following its release, I wrote an Nmap probe to detect the Trojan and HDMoore wrote a Metasploit module to exploit it.

    I mentioned in my last post that it was a nice sample to study and learn from. The author made absolutely no attempt to conceal its purpose, once installed, besides a weak XOR encoding for communication. Some conspiracy theorists even think this may have been legitimate management software gone wrong — and who knows, really? In any case, I offered to write a tutorial on how I wrote the Nmap probe, and had a lot of positive feedback, so here it is!

    Just be sure to take this for what it is. This is *not* intended to show any new methods or techniques or anything like that. It's a reverse engineering guide targeted, as much as I could, for people who've never opened IDA or Windbg in their lives. I'd love to hear your comments!
  • Security Breach Notification Laws – Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
  • YouTube – Bogota Review
  • YouTube – CUSTOM BOGATA LOCKPICKING INSTRUCTIONAL VIDEO – CUSTOM BOGATA LOCKPICKING INSTRUCTIONAL VIDEO:
    This is a reference instructional video on my custom-made bogata rakes, made for the "tutorials" thread @ www.keypicking.com.
    In this video I use a Titanium-shackle Wilson-Bohannan, a 45mm Guard, & a 50mm Garrison as picking subjects.
    NOTE: these custom rakes are entirely hand-made, and do occasionally become available through me.
  • MySQL Security Best Practices (Hardening MySQL Tips) | GreenSQL – The MySQL database has become the world's most popular open source database because of its consistent fast performance, high reliability and ease of use. MySQL is used on every continent – yes, even in Antarctica! – by individuals, Web developers, as well as many of the world's largest and fastest-growing organizations such as industry leaders Yahoo!, Alcatel-Lucent, Google, Nokia, YouTube and others to save time and money powering their high-volume websites, business-critical systems, and packaged software.

    As most products do, MySQL comes "ready-to-work" out of the box. Usually, security is not a major consideration when installing this kind of product. Often, the most important issue is to get it up and running as quickly as possible so that the organization can benefit. This document is intended as a quick security manual to help you bring an installed MySQL database server into conformity with best security practices.
  • PANscan – SecurityMetrics – PANscan simplifies the testing process by enabling non-technical merchants to quickly find prohibited credit card data on their systems. It will:

    * Search the local system for cardholder data.
    * Triple-check all threats to ensure they are valid.
    * Run 10 times faster than a normal disk scan.
    * Report summary results immediately.
    * Allow scans to be performed as frequently as desired on any number of merchant machines.

    Free downloads available in May

Bookmarks for April 2nd through April 18th

April 18th, 2010 admin

These are my links for April 2nd through April 18th:

  • Understanding Man-in-the-Middle Attacks – ARP Cache Poisoning (Part 1) – One of the most prevalent network attacks used against individuals and large organizations alike is the man-in-the-middle (MITM) attack. Considered an active eavesdropping attack, MITM works by establishing connections to victim machines and relaying messages between them. In cases like these, one victim believes it is communicating directly with another victim, when in reality the communication flows through the host performing the attack. The end result is that the attacking host can not only intercept sensitive data, but can also inject and manipulate a data stream to gain further control of its victims.
  • Are You Making a Security Career or Working a Job? – In his first column as CSO's Career Catalyst, Michael Santarcangelo outlines three essentials everyone needs to consider to make security work more than just a job
  • VRT: Matt’s Primer for PDF Analysis – For obvious reasons, the VRT has been spending a lot of time on the PDF format lately. While the attack researchers have been concentrating on fuzzing, reverse engineering and data flow analysis, the defense researchers have been automating the backend analysis of PDF submissions. As part of this effort, we've had to do a very deep dive on the PDF format. I thought it might be useful to share some of what we're seeing come in our data feeds, and what you should look for when reviewing PDF files.
  • More “hotel door hacking” and lockcon « Blackbag, Barry’s weblog – Times are pretty hectic so Charlotte and I decided to take off to one of Europe’s nicest cities for a relaxing weekend without the kids. When we entered our hotel room I was thrilled to see it had a chain on the inside … (see my previous post on hotel doors to read why). The chain is a weak link by itself, as it was obvious it had been broken and repaired many times before. In my opinion it is not necessary to use force on the chain as it can be bypassed relatively simply.
  • Vulnerable Web Applications for learning « Security Thoughts – Just a quick post. Someone on the ‘NULL’ mailing list asked for WebGoat alternatives for learning Web Application penetration testing. The response was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected all vulnerable web applications and listed them below for reference:
  • bing-ip2hosts – Bing-IP2hosts – Enumerate hostnames for an IP using bing.com. This is useful during the reconnaissance phase of a penetration test and for website hosting provider research.
  • vividmachines dot com » shellcode

Bookmarks for April 1st through April 2nd

April 2nd, 2010 admin

These are my links for April 1st through April 2nd:

  • SkullSecurity » Blog Archive » VM Stealing: The Nmap way (CVE-2009-3733 exploit) – If you were at Shmoocon this past weekend, you might remember a talk on Friday, done by Justin Morehouse and Tony Flick, on VMWare Guest Stealing. If you don't, you probably started drinking too early. :)

    Anyway, somebody in the audience asked if there was a Nessus or Nmap script to detect this vulnerability. If I was the kind to yell things out, I would have yelled "there will be!" — and now, there is. It'll be included in the next full version of Nmap, but in the meantime here's how you can do it yourself.
  • Security-Shell: BackendInfo – Detect Website Backends – BackendInfo is a lightweight (24kb) Firefox extension that detects name and version of backends behind websites
  • Firefox search add-ons for Security-Nerds™ « ©атсн²² (in)sесuяitу – After looking over the slidedeck from Michael “theprez98” Schearer’s Blackhat Webcast, I decided (like a lot of people I’m sure) to have a quick look at what Firefox add-ons were available to make penetration testing using the browser a little easier. My portable Firefox edition already has a number of extensions installed for the usual stuff. Things like FoxyProxy, Web Developer Toolbar, Fire/FlashBug and the SQL Inject Me, Access Me and XSS Me tools from Security Compass have been installed for a long time. They come in useful for specific tasks, even when I’m not doing Web app testing. One thing I’d not really looked at though was the possibility of adding to the search providers list (found in the upper right-hand corner).
  • "I’ll show you the route (root) so that you will have **command**": Turning your laptop into a wireless AP – I'm just gonna go over some simple code and tools that you can use to transform your laptop running Linux into a wireless access point to which wireless clients can connect. The programs that I will be using are airmon-ng, airbase-ng, dhcpd-server and dnsmasq, just to name a few. Other utilities will be used in my example here, but they are mostly complementary tools that may not be deemed necessary.
  • Viruslist.com – Analyst’s Diary – Insightful explanation of how ZeuS wires money out of bank accounts despite dongles/cards
  • Configuration is Half the Battle: ASP.NET and Cross-Site Scripting – The HP Security Laboratory Blog – Although it's not a new problem, a recent advisory and BlackHat presentation have brought attention to an ASP.NET mis-configuration that can leave you wide open to Cross-Site Scripting (XSS) attacks, even if you are diligently sanitizing your other user-supplied data. If the view state is not cryptographically signed, it is possible for an attacker to overwrite properties of any of your server-side controls and modify HTML returned to the user, opening a vector for XSS.
  • iPad Security – Does the Enterprise Care? – With the introduction of the iPad, Apple is again hitting the consumer market with an innovative product that may have security implications for enterprise IT teams. Although based on the iPhone OS, the use cases identified by Apple for the iPad (especially as an electronic document reader) portend a wide range of business uses that would not be viable on the small iPhone screen.
  • USBDeview – View all installed/connected USB devices on your system – USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorID, ProductID, and more…
  • ‘Scraping’ our time servers – The intertubes have been humming lately around a certain NTP feature to gather lists of NTP servers' clients and it naturally grabbed our attention. The humming was started by HD Moore recently where he revealed that it is possible to query NTP servers to get lists of addresses and using the information for fun and profit. He also mentioned that he will be releasing a paper describing all this and how he can create a sizable DDOS using NTP, without giving too much detail about it.

Bookmarks for March 18th through March 31st

April 1st, 2010 admin

These are my links for March 18th through March 31st:


Interesting tidbits from this week

March 19th, 2010 admin

Here are some interesting articles from this week:

- Google releases Skipfish - Skipfish is an open source and automated web application scanner. It is written in C and can run on Linux, FreeBSD, Mac OS X, and Windows. I have not had a chance to try it out yet, but it appears to be similar to Nikto. The Redspin Blog has a good initial write-up on the install and some basic features.

- The Security Ninja has posted some great tutorials on the Burp Suite. If you have not tried Burp Suite, what are you waiting for?? It allows you to attack web applications with both manual and automated techniques. It is available for free with some higher level functionality disabled. However, it is quite cheap for what it does at $225/year. Anyhow, the tutorials on the SN site are excellent and cover the intruder, repeater and comparer tools, with plans to go over the rest of the suite. Check it out!

- SecurityTube Launches SecurityTube Questions - SecurityTube Questions has launched and is aimed at helping hackers, infosec professionals, enthusiasts and students solve security related problems. There are quite a few questions and lots of great answers. Something to keep bookmarked and check back often.

- Pen Testing the Web with Firefox - Slides to the excellent Black Hat webinar given by Michael “theprez98” Schearer describing lots of great plugins to allow you to Pen Test websites. There is also a great list of Web Application Security Penetration testing plugins found here.

- Looking for the Bad Stuff, Part 1 - Yet another great post from Harlan Carvey about searching Windows drives for bad things. Gives lots of great tips on where to start, which log files to look through and many others. Check out the comments section for some more great discussion. As mentioned before, Harlan’s Windows Forensics Analysis is a MUST READ, along with his site.

Categories: Security Tags: