Hacking with your Browser
Posted by Jhaddix in Uncategorized on August 13th, 2010
Today I rebuilt my Windows 7 partition. Amidst the flurry of backing up I forgot to save my Firefox profiles. I figured this was a good time to review what I use addon-wise for all my day to day hacking needs.
First things first, most of these addons will have compatibility issues. To update a Firefox addon:
- Download the xpi (right click "save target as" on the download button at addons.mozilla.com)
- Open it with WinRAR
- Open install.rdf with a text editor
- Change the <em:maxVersion>3.xxx.xxx</em:maxVersion> line to your current Firefox build
- Save
- Open the xpi file with Firefox
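The same six steps, scripted, as an added example that is not from the original post: an xpi is a plain zip archive (which is why WinRAR opens it), so Python's zipfile module can rewrite the maxVersion element in install.rdf and emit a new archive with every other member copied unchanged. The sample install.rdf is constructed for the demo; the em:id inside targetApplication is Firefox's application GUID. Note that raising maxVersion only tells Firefox to load the addon; it does nothing to make the addon's own code work on the newer build, so test it afterwards.

```python
import io
import re
import sys
import zipfile

# The element the post tells you to edit by hand in install.rdf.
MAXVER_RE = re.compile(r"<em:maxVersion>([^<]*)</em:maxVersion>")

# Constructed sample manifest (not from any real addon). The em:id inside
# targetApplication is Firefox's application GUID.
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-addon@example.invalid</em:id>
    <em:version>1.0</em:version>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>3.0</em:minVersion>
        <em:maxVersion>3.5.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""


def build_sample_xpi() -> bytes:
    """Build a tiny two-member xpi in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", SAMPLE_INSTALL_RDF)
        z.writestr("chrome.manifest", "content example chrome/content/\n")
    return buf.getvalue()


def read_max_version(xpi_bytes: bytes) -> str:
    """Return the current <em:maxVersion> value from install.rdf."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        text = z.read("install.rdf").decode("utf-8")
    m = MAXVER_RE.search(text)
    if m is None:
        raise ValueError("install.rdf has no <em:maxVersion> element")
    return m.group(1)


def bump_max_version(xpi_bytes: bytes, new_version: str) -> bytes:
    """Steps 2-5 of the post: open the archive, rewrite maxVersion in
    install.rdf, write a new archive. Every other member is copied as-is,
    so the addon's own code is untouched."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    out = io.BytesIO()
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "install.rdf":
                text = data.decode("utf-8")
                if MAXVER_RE.search(text) is None:
                    raise ValueError("install.rdf has no <em:maxVersion> element")
                # Callable replacement so characters like '*' or '\' in the
                # version string are never interpreted as regex backrefs.
                text = MAXVER_RE.sub(
                    lambda _m: f"<em:maxVersion>{new_version}</em:maxVersion>", text)
                data = text.encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def member_names(xpi_bytes: bytes) -> list:
    """Sorted member list, handy for confirming nothing was dropped."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    # Usage: python bump_xpi.py addon.xpi 3.6.*   (writes addon.patched.xpi)
    if len(sys.argv) == 3:
        path, version = sys.argv[1], sys.argv[2]
        with open(path, "rb") as f:
            patched = bump_max_version(f.read(), version)
        out_path = path[:-4] + ".patched.xpi" if path.endswith(".xpi") else path + ".patched"
        with open(out_path, "wb") as f:
            f.write(patched)
        print(f"{path}: maxVersion now {read_max_version(patched)} -> {out_path}")
    else:
        demo = build_sample_xpi()
        print("before:", read_max_version(demo))
        print("after: ", read_max_version(bump_max_version(demo, "3.6.*")))
```

Run it with no arguments to see the in-memory demo, or give it a real xpi and a version string; the patched copy is written beside the original so the unmodified download is kept.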
Now, here is what I use regularly:
MultiProxySwitch or FoxyProxy - for fast switching to Burp or Tor
PassiveRecon - for OSINT style gathering
ShowIP – show server IP and additional possible IPs if load balanced, also can right click to get netcraft info
Live HTTP Headers – for checking for load balancing et al
Wappalyzer and Backend Software Information – To identify platforms, frameworks, and common apps
Hackbar – for fast submission of post requests without firing up Burp, also has great encoding support. I love Hackbar.
Add n Edit Cookies – invaluable for cookie inspection and testing
Firebug or WiderBug (thanks Andre!) – because it's awesome
Lazarus – So I never accidentally forget an injection string I already tried
FxIF - Usually used for metadata analysis in CTFs
Fireforce - I usually use Burp Intruder to bruteforce forms-based auth, but Fireforce is still neat
Although I don't really use them much, Greasemonkey with Whiteacid's XSS assistant (careful with this one), XSSme, SQLinjectME, and SQL Injection! are all good addons for testing injection. They also have good injection regexes to borrow for use in other tools.
For general browsing I use Readitlater and xmarks to keep up a good reading list across all my boxes
For Browser Scripting I use iMacros for Firefox
Caveats:
There was a presentation by Michael Schearer ("theprez98") called "Pen Testing the Web with Firefox"; check that out. Also there is a huge Mozilla collection called FireCAT by Securitydatabase.com. I like some of the tools but I feel installing the whole collection bloats my browser too much.
Anyways, that's all for now. Happy hacking!
Blackhat and Defcon Parties
Posted by Jhaddix in Uncategorized on July 17th, 2010
Every year we head to the desert to learn the newest attack/defenses in the world, to share groundbreaking ideas… but not least of all, to have some fun!
| Who? | When? (July) | Time | Where? | Link/RSVP | Why? |
|---|---|---|---|---|---|
| ModSecurity Happy Hour | Wednesday 28th | 4-6pm | munchbar @ Caesar's Palace | open to anyone | modsecurity is awesome |
| MAD & Nitro Security Party | Wednesday 28th | 8PM-10PM | TBA | Invite only | Go to the Nitro Security booth for invite |
| Black Hat Crawl by Stonesoft | Wednesday 28th | 6PM-9PM | Trevi Room, Caesar's Palace | http://www2.stonegate.com/l/1912/2010-07-13/2895X | pinata and ipad contests |
| Tenable Party | Wednesday 28th | 8:00 p.m. – 10:00 p.m | Margaritaville | http://www.tenable.com/bhparty2010/ | Nessus is win, most of the time. Beer and Margaritaville's world famous margaritas will be served. The first 100 people through the doors will receive a Tenable Hawaiian Shirt and a Nessus Cigar. |
| IOActive Cocktail Party | Wednesday 28th | 8:00 p.m. – 10:00 p.m | Spago | Invite only | pick up invites at booth #63 |
| McAfee Party | Wednesday 28th | 8:00 p.m. – 11:00 p.m | Vanity @ Hard Rock Hotel | Invite only | stop by McAfee booth #18 |
| Rapid 7 Party | Wednesday 28th | 9:00 p.m. – 02:00 a.m | Palms Fantasy tower | http://www.rapid7.com/forms/black-hat-rsvp.jsp | Open Bar, GoGo Dancers, HD Moore. |
| Qualys Party | Wednesday 28th | 8:00 p.m. – 02:00 a.m | Jet Mirage Club | http://www.qualys.com/company/events/tradeshows/blackhat10/ | Dance the night away to Tainted Love (a top 80's cover band) and DJ DIRTYHERTZ at one of the hottest Las Vegas nightclubs JET (JET is really nice) |
| Mandiant Schmooze | Wednesday 28th | 7:00 p.m. – 09:00 p.m | Shadow Bar Inside Caesar's Palace | http://www.mandiant.com/news_events/forms/shadow_bar | Random Google Find – dunno – open bar sounds like. |
| SourceFire VRT Adobe Haters Ball | Wednesday 28th | 8:00 pm to 11:00 pm | Casa Fuente, Caesars Palace | Invite only | beg @VRT_Sourcefire for an inv? I dunno -_- |
| NetWitness | Wednesday July 28 | 9 pm – 12 am | PURE @ ceasars | http://netwitness.com/resources/register/blackhat2010.aspx | ??? |
| FishNet | Wednesday July 28 | ? | Rhumbar | http://is.gd/dy4RY | ??? |
| Cenzic/Dasient | Wednesday July 28 | 9 pm – 12 am | Caesar's Rainman Suite | http://blog.cenzic.com/public/item/256749 | stop by the Cenzic booth (#38) |
| TippingPoint ZeroDayInitiative 5 Year Anniv Party | Wednesday July 28 | 8 pm – 12 am | Hard Rock Hotel SkyBar | Invite only | i hear ZDI throws a good party |
| BSides | Wednesday & Thur 28/29 | ??? | 2810 East Quail Ave., Las Vegas, NV, 89120 | http://www.securitybsides.com/BSidesLasVegas | While not an "official" party, Bsides is a party by itself. Ask around and i'm sure there will be something going down… I mean c'mon… it's Chris Nickerson running it! |
| WhiteHat & Accuvant | Thursday July 29 | ? | PURE @ ceasars | Invite only | "swing by the booth and say hi and if we have any left – grab an invite for our party at Pure for Thursday night" |
| Security Twits | Thursday July 29 | 8 pm – ? | Caesar's (suite TBD) | ??? | ??? |
| Defcon Fundraiser | Thursday July 29 | ??? | Riviera Penthouse | ??? | Cost $40 |
| KartCON | Thursday July 29 | 7:30pm – 11pm | FastLap – 4288 Polaris Avenue Las Vegas, NV 89103-8100 | http://kartcon2010-owasp.eventbrite.com/ | 50mph Gokart tourney, with bar… win. |
| Defcon Toxic BBQ | Thursday July 29 | 5:30pm – 9pm | Sunset Park 7.6 miles from Riviera | http://www.toxicbbq.com/ | BYOBBQ and some utensils. People will cook for you if you bring meat! |
| EFF Vegas 2.0 Party | Thursday July 29 | ??? | Top of Riviera | Open to all, $40 at the door (donation) | All monies go to the EFF (you get a 1 yr. membership for your donation). DualCore, Minibosses, raffle, open bar and much, much more |
| Microsoft Party | Thursday July 29 | 9 pm – 11 pm | Vanity | Invite Only | Speakers and top notch security researchers. |
| Core Security Party | Thursday July 29 | ??? | Sushi Roh | Invite Only | I've been to a CORE shindig before, they can sure throw a party, or at least spend a grip of cash |
| ISEC Partners Party | Thursday July 29 | 10:00pm-TBD | V-Bar @ the Venetian | Invite Only | ISEC peeps are awesome. |
| Spiderlabs Party | Friday July 30 | 10:00 p.m. – TBD | Riviera SkyBoxes | Invite Only (ask a lab spider for an inv) | DJ Keith Swiat, Open Bar, Spiders are 31337. |
| HackerPimps Party | Friday July 30 | ??? | Riviera SkyBoxes | Invite (email pimpsparty at gmail dot com) @hackerpimps | Caption says it all… |
| Attack Research Party | Friday July 30 | 7pm – 2 am | Top of the Riv | Invite only. | Dr Raid, Dj Sailor Gloom, Thee Swank Bastards, Dj Dark Mark, Regenerator, Dj Style. |
| Ninja Party | Saturday July 31 | 9 pm – ? | Secret Offsite Loc | Invite Only – https://forum.defcon.org/showthread.php?t=11511&highlight=ninja | Last year i went as part of "the event that didn't happen" the EFF Sec Pillow fight. This year i might be SOL on an invite. The Ninja Party is the most 31337 party there is. I heard finding a ninja and asking them works well… but they are invisible! ='( |
| IOActive FreakShow | Saturday July 31 | 9 pm – 1 am | Top of the Riviera | http://www.facebook.com/event.php?eid=135300963167159 | Tower of Bendy Girls, DJ Keith and Crew, the Return of the Bungee Run, and Gladiator Joust. |
This is what I know of atm, I'm sure I'm not privy to all the madness and will update accordingly. Also I heard @gattaca is gonna blog on parties too soon. =)
I'll be in Vegas from 23rd to the 1st. See ya there. Twitter DM's go to my mobile or you can email admin -a-t- securityaegis.com to meetup, shoot the sh*t, and have a good time!
*More party updates as they come… Thanks for reading!
* 7/18 Thanks for all the info from everyone on here and through twitter. Updated with toxic bbq, Qualys, Attack research, Sourcefire VRT.
*7/18 Massive update
*7/19 More parties added
*7/19 looking for info on mcafee party
*7/20 added 3 more parties by request of vendors…
*7/22 Added Mcafee party info
smpCTF – 2010 Hacker Olympics
Posted by Jhaddix in Uncategorized on July 11th, 2010
I just finished playing in the yearly smpCTF with team MRL. MRL is Midnight Research Labs, based out of Boston, who do some really cool research/presentations/tools. You might remember them from their release of SEAT (Search Engine Assessment Tool) a year or so back.
smpCTF is a yearly top tier CTF, akin to the Defcon CTF qualifiers, etc.
The challenge areas were: Web, Forensics, Crypto, Pwnables, Trivials, and Misc. Looks like we placed somewhere around 23rd out of 196 registered teams (76 of whom scored points).
Props to all the MRL people and other teammates who made this the best CTF I have played in: @sussurro @jaredbird @timmedin and more!
As writeups come i'll post =)
Writeups:
OSINT, because knowing is half the battle…
Posted by Jhaddix in Uncategorized on July 2nd, 2010
Profiling, or OSINT (open source intelligence), is an art. Private investigators have been doing it for years now, but it has only just started to show real promise when applied to penetration testing and red team testing. A lot of work has been done recently by Chris Gates and Chris Nickerson on bringing it into the security world.
OSINT gathering is a far more manual process than general profiling. It is usually not included in a regular pentest or assessment, but is sometimes included for an extra fee (from what we’ve seen).
Why OSINT? It opens up your attack surface and gives you a sprinting start before you send a single packet directly to your target. Just entering some of the RS engineers' data, I was able to get a list of previous addresses, blogs, Twitter names, emails, phone numbers, parents' names, news articles, etc. I'd say that's useful.
As a placeholder, until we finish a proper framework, we have compiled a list of the OSINT gathering web sites we use, by target type (People and Organizational Targets, and Infrastructure Targets):
- Infrastructure:
- Netcraft (Uptime Survey, server info)
- Domain Tools (Whois Lookup and Domain info)
- Centralops.net (traceroute, nslookup, automatic whois lookup, ping, finger)
- Hackerfantastic.com ( GeoIP, whois, host, dig, blacklists, ping, traceroute & nmap)
- whois.webhosting.info (WHOIS and Reverse IP Service/virtual hosting info)
- MSN IP Search
- SSL Labs – Projects / Public SSL Server Database – SSL Server Test
- SHODAN – Computer Search Engine (indexed port scans and banner grabs)
Don't forget to combine this kind of "research" with great tools like wikto, metagoofil, SEAT, FOCA, theHarvester, and Maltego. We also suggest you listen to or watch some of the collected presentations and videos from Chris Nickerson and Chris Gates (btw Dale Pearson is the man for setting up the Brucon videos last year).
Also, I had been working with some browser scripting earlier and I made a quick OSINT script in iMacros. iMacros can record and script your day to day browser activities. Sometimes this is easier than coding something in Ruby or Python, because of the AJAX nature of these people search sites. Download the Firefox plugin for iMacros here, then make a new macro with the code below:
Interview: Hakin9, Ferruh Mavituna on Web Security
Posted by Jhaddix in Uncategorized on May 4th, 2010
A new interview with Ferruh focusing less on Netsparker and more on web security in general. Published in Hakin9 Magazine, Pages 56-58 =)
Download the issue!
http://download.hakin9.org/en/hakin9_04_2010_EN.pdf
Also, since it was con time near deadline time, Ferruh might expand a bit here on some of the questions he didn't get to cover, so stay tuned.
Review: eLearnSecurity’s Penetration Testing Pro
My original review appeared over at http://www.ethicalhacker.net/content/view/307/24/
eLearnSecurity’s Penetration Testing Pro - What CEH Should Have Been
Recently the web has been abuzz with pentest training options. The CEH received new life as it was added to DoD Directive 8570 and revamped its courseware in version 6.0, Offensive Security rolled out version 3.0 of “Pentesting With BackTrack,” and it seems like new training options are coming out almost every day in the field. That being said, I have been lucky enough to receive an advance copy of the flagship course by eLearnSecurity, Penetration Testing Pro (PTP).
PTP is a three section presentation and video course authored by Armando Romeo (admin of hackerscenter.com), Brett D. Arion, Nitin Kumar, and Vipin Kumar. It has an optional certification component called the Certified Professional Penetration Tester or eCPPT for short. The target audience for the course is security engineers or penetration testers in the 0-3 year experience range. The course divides penetration testing into three categories: System Security, Network Security, and Web Application Security. Let’s take a look at each.
Netsparker Community Edition – “The Sparkler”
Posted by Jhaddix in Uncategorized on May 4th, 2010
Believe me when I say that we’ve used a lot of tools. We love scripts, we love things that free up our time to do the real analysis on a web application assessment. We have used w3af, nikto, Grendel Scan, etc, etc… We are really happy to see a new tool we have used in its pro version incarnation: Netsparker.
Netsparker announced today that it is releasing a community edition, lacking only a few features of the pro version. We highly appreciate this, especially its “free as in beer” type release. Yes it’s Windows only, but we can forgive that for a moment.
Why is Netsparker valuable?
- It beats Appscan and Webinspect in injection tests most of the time
- Its spider is fast and furious
- Its configuration vulnerability database is up to date
- Its remediation advice is sound and technical
- It very rarely has false positives, and initial testing also shows low false negative results
CE doesn’t include some exploitation features and certain categories of checks (command injection, RFI, etc.). Despite that it’s still a great tool to add to your utility belt; we recommend adding it to your security regimen for web applications =)
Check out the https://www.mavitunasecurity.com/pricing/ page to see the difference between pro and CE.
Finding Social Security Numbers in packet captures with grep and ngrep
Posted by Jhaddix in Uncategorized on May 4th, 2010
From @ap3r on the Redspin Labs Blog by Nathan Drier on Apr.16, 2010:
$ ngrep -I inet.pcap | grep '[0-9]\{3\}-[0-9]\{2\}-[0-9]\{4\}'
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-29-rm-eng_thumbnail.jpg
http://www.blogcdn.com/www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-4
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-12-rm-eng_thumbnail.jpg
http://www.blogcdn.com/www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-4
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-01-rm-eng_thumbnail.jppCO%20Update%288-57-423458293.emlRe%20Company%20Meetingl.com/exchange/john.doe/Deleted%20Items/CP%20Update%288-57-423458293.eml
Release: Burp Proxy to XML – BURP2XML
Posted by Jhaddix in Uncategorized on March 24th, 2010
With the incorporation of Burp Suite Professional into our audit processes, we (the redspin engineers) discovered that there was not an easy method to extract results from Burp’s session file without having to manually re-run Burp.
In order to automate this process, we have developed a standalone Python script to process Burp’s session files into XML, and have released it under the GPLv3 License here
XML will allow you to pull out all types of useful data and feed it to other tools or make scripting an output report much easier. We will be blogging about tips (here) to use this pretty soon, let us know what you think. Shoutout to Paul Hass for all the hard work =)
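Going back to the ngrep | grep SSN search quoted in the earlier post ("Finding Social Security Numbers in packet captures"): the output shown there is mostly Engadget thumbnail URLs, because the unanchored pattern NNN-NN-NNNN also matches inside a date-like run such as "2010-03-3019". The Python below is an added example, not code from the Redspin post or from this blog: it runs the page's pattern as-is next to a version that refuses a digit on either side and applies the SSA issuance rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) as a plausibility filter. The sample payload lines and every number in them are constructed.

```python
import re

# The exact pattern the ngrep | grep pipeline uses (NNN-NN-NNNN), unanchored:
# it also fires inside longer digit runs such as "2010-03-3019".
RAW_SSN_RE = re.compile(r"[0-9]{3}-[0-9]{2}-[0-9]{4}")

# Same shape, but no digit may touch either end, with capture groups for the
# area / group / serial plausibility check below.
STRICT_SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
    Filtering these drops obvious placeholders and test values."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def raw_hits(lines):
    """What the post's grep would flag: every NNN-NN-NNNN substring, in order."""
    return [m.group(0) for line in lines for m in RAW_SSN_RE.finditer(line)]


def strict_hits(lines):
    """(line_number, value) for hits that stand alone and are SSA-plausible."""
    found = []
    for n, line in enumerate(lines, 1):
        for m in STRICT_SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                found.append((n, m.group(0)))
    return found


# Constructed sample payload lines; none of the numbers are real SSNs.
SAMPLE_LINES = [
    "POST /hr/enroll HTTP/1.1",
    "ssn=123-45-6789&name=J.+Doe",
    "GET /media/2010/03/cisco-valet-2010-03-3019-43-29-rm-eng_thumbnail.jpg",
    "ref=000-12-3456 (placeholder)",
    "ticket 987-65-4321 opened",
    "id=9123-45-6789",
]

if __name__ == "__main__":
    print("raw grep-style hits:   ", raw_hits(SAMPLE_LINES))
    print("strict, plausible hits:", strict_hits(SAMPLE_LINES))
```

The raw pattern flags five substrings in the six sample lines, including the date fragment and two never-issued numbers; the strict version keeps only the one standalone, plausible value. The trade is precision for recall: an SSN sent without hyphens, or split across packets, is missed by both patterns, so treat either as a quick triage over a capture rather than a complete DLP check.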
Skipfish, Google Enters the Web Scanner Fray
Posted by Jhaddix in Uncategorized on March 19th, 2010
Just wrote a quick review and jotted down some insights on Google's new web application security scanner, Skipfish. Read the whole thing at the link or just check out the "skinny":
We like it. As Google says, it's not an end-all-be-all for web application scanners, but it definitely has some great logic and features, and is blazing fast. Also, if you have seen the dev track, the developer Michal Zalewski has been quick to update for problems (1.01b fixes some crashing problems) and has some great upcoming features planned (pause/resume, VIEWSTATE testing, etc.). Although no scanner will ever replace a smart web app assessment engineer, Skipfish shows some great potential in the security space and… it's free. It won't replace any of our manual processes but we will definitely use it when applicable. Thanks Google.
http://www.redspin.com/blog/2010/03/19/skipfish-google-enters-the-web-scanner-fray/