Archive for July, 2010

[Release] ModularUrl Java Class

Posted in Research, Tools on July 30, 2010 by Skyler

So in the development of my Web Application fuzzer, I came upon the challenge of creating test cases from enumerated URLs. After fussing (play on words intended) around with some chunky logic, I had a palm-to-face moment. Perhaps it was that I had recently spent too much time in “procedural-language land”, but then the obvious object-oriented approach hit me.

The result was a quick creation of two Java classes that would allow me to easily manipulate URLs and their parameters; essentially these classes do all the parsing for you. They are very simple, but quite effective. Perhaps it was the contrast of frustration to such a simple fix, but I feel like this code simply could not wait to be released with my fuzzer.

UPDATED: The code here has been picked up by Softpedia! You can get it here!

Here it is on sourceforge

And in typical Security Reliks fashion, a nasty copy & paste version:

import java.util.ArrayList;

public class ModularUrl {
    String base;
    ArrayList<ModularUrlParameter> params;

    public ModularUrl(String url) {
        // split on the first '?' only, so a '?' inside the query string is kept
        String[] baseSplit = url.split("[?]", 2);
        base = baseSplit[0];
        params = new ArrayList<ModularUrlParameter>();
        // a URL with no query string has no baseSplit[1]; without this guard the split below throws
        if (baseSplit.length < 2 || baseSplit[1].isEmpty()) return;
        // split parameters up
        String[] paramSplit = baseSplit[1].split("&");
        for (int i = 0; i < paramSplit.length; i++) {
            params.add(new ModularUrlParameter(paramSplit[i]));
        }
    }

    public String getAllParametersAsString() {
        StringBuilder result = new StringBuilder();
        // the post is cut off here ("Continue reading"); the body below is a minimal completion
        // and assumes ModularUrlParameter.toString() returns "name=value"
        for (int i = 0; i < params.size(); i++) {
            if (i > 0) result.append("&");
            result.append(params.get(i));
        }
        return result.toString();
    }
}


Hacking Web 2.0 with Firefox

Posted in Fu (a.k.a Tips), Research on July 30, 2010 by Skyler

Here is a great Symantec document relating to Web 2.0 and its security vulnerabilities.

It outlines the security challenges related to testing, and then shows you some tools in Firefox to help do it.

Check it out here!

Python Tools for Pen Testers

Posted in Tools on July 29, 2010 by Skyler

I have started to delve into the realm of Python in order to improve my technical aptitude. In the search, I discovered this website which lists out Python pen testing tools. Check it out, it's pretty handy!

Check it out here!

Testing RESTful services with AppScan

Posted in Fu (a.k.a Tips), Tools on July 28, 2010 by Skyler

AppScan is a pretty nifty Web App/Service vulnerability scanning tool. I believe it was originally developed by a company called Rational, which was later bought by IBM. AppScan can be used to test regular Web Applications, or Web Services like SOAP. The software carries a pretty hefty price tag, so you may or may not use it.

At work, we use AppScan as part of our normal testing process. If you have used it before, you know that it has a pretty simple wizard to set up your scans. For web applications you simply plug in the URL and simulate login. For SOAP, you give it the WSDL file and then just exercise the requests you want to test.

However, with REST it's a bit different. There is no WSDL or web front end to attack. So to test REST, you have to do some fiddling. The method I am showing here uses manual exploration, the only way I know of to test REST. I am also going to involve using AppScan as a proxy for my requests. This may or may not be necessary, but I feel it is more solid.

Here it is:

Step 0: Generating test requests

– This step isn’t really a part of using AppScan, but it's necessary. You have to determine which REST requests you want tested by AppScan. In my opinion, this is one of the benefits of a WADL.

– Create a list of requests that can be recorded by AppScan for use in testing.

– Look through the WADL XML and identify the requests you are looking for. This may be difficult for those new at it, so here is a brief example:

<resources base="http://your.webservice.base/rest/">
    <resource path="/">
        <resource path="info">
            ....
        </resource>
        <resource path="doStuff">
            <param name="id" style="query" type="xs:string" />
        </resource>
    </resource>
    ....

In this case, you might have some requests that look like:

That's a pretty brief example, but hopefully it makes sense. Essentially, you take the value of <resources base=...>, and begin to append values to it depending on the nesting of the XML. I.e., the <resource path="/"> tells us to append a "/" to the end of the resources base value. We then can append /info, which (not shown) has a <request> node directly beneath it. Etc.

In the second request we also see <param...> values that need to be appended. The first is always preceded by a ?, while each following param is separated by an & sign.
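The walk just described, as an added example that is not part of the original post: a short Python script that parses a constructed WADL fragment (modelled on the one above, not a real service) and returns one request URL per method, appending each nested <resource path> to the <resources base> and adding query params with ? before the first and & between the rest. The 2009 WADL namespace and the <method><request/></method> nesting are assumptions about WADL layout, not taken from the post; parameter values are percent-encoded so a test value cannot change the URL's shape.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample WADL modelled on the fragment in the post; not a real service.
SAMPLE_WADL = """<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="http://your.webservice.base/rest/">
    <resource path="/">
      <resource path="info">
        <method name="GET"><request/></method>
      </resource>
      <resource path="doStuff">
        <param name="id" style="query" type="xs:string"/>
        <method name="GET"><request/></method>
      </resource>
    </resource>
  </resources>
</application>"""


def _local(tag):
    """Strip the XML namespace so the walk works with or without one."""
    return tag.rsplit('}', 1)[-1]


def _join(base, path):
    """Append a path segment with exactly one '/' between base and segment."""
    segment = path.strip('/')
    return base.rstrip('/') + '/' + segment if segment else base


def enumerate_requests(wadl_xml, values):
    """Return one URL per <method>: nested <resource path> values are appended
    to <resources base>; <param style="query"> names declared on the enclosing
    resources become the query string. `values` maps name -> test value
    (default 'FUZZ'); urlencode() percent-encodes them."""
    root = ET.fromstring(wadl_xml)
    urls = []

    def walk(node, url, query):
        query = query + [p.get('name') for p in node
                         if _local(p.tag) == 'param' and p.get('style') == 'query']
        for child in node:
            tag = _local(child.tag)
            if tag == 'resource':
                walk(child, _join(url, child.get('path', '')), query)
            elif tag == 'method':
                qs = urlencode([(n, values.get(n, 'FUZZ')) for n in query])
                urls.append(url + ('?' + qs if qs else ''))

    for res in root.iter():
        if _local(res.tag) == 'resources':
            walk(res, res.get('base'), [])
    return urls
```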

Step 1: Setup AppScan for proxying

Open up AppScan.

– Exit the new scan wizard

– Scan -> Scan Configuration -> Communication and Proxy. Set ‘Don’t use Proxy’. Click OK.

– Tools -> Options. Make note (or set) the ‘AppScan Proxy port:’ value. Click OK.

– Go to Internet Explorer -> Internet Options -> Connections -> LAN Settings. Click the ‘use a proxy server…’ box. Set the address to 127.0.0.1 or localhost, and the port as was discovered in the previous step (NOTE: This port will change in AppScan every time it restarts). Click OK.

– Close Internet Explorer

Step 2: Dealing with values

Here is a reference to assist my explanation.

– Scan Configuration > Parameters and Cookies > Advanced: Custom Parameters.

– Add a custom param (+ sign in the top right)

– Enter a regular expression to match what will be found in the recorded request. If all of the params are user created, you may want to create a default/standard replace string.

– Select Path as the Location value.

– Click OK

– Return to the Parameters and Cookies tab. Add a custom parameter.

– Set type to Custom Parameter

– Under Reference name select the expression you previously created.

– Enable ‘Track this parameter during scan’.

– Set the Track type to whatever you need (usually Dynamic).

– Click OK

Step 3: Setup endpoint

– In AppScan, go to Scan -> Manual Explore. Click “yes” on the prompt if it appears.

– Enter the service's starting URL. This is the base URL of your service, or maybe your WADL file if you have one. e.g.:

http://restws.myservice.net/ws/service/rest?_wadl&_type=xml

– You may also want to set up the appropriate test policy. This will make sure you don't use more tests than you desire. This can be found under the Policy header in the left menu.

Step 4: Manual Exploration

With the Manual Exploration recorder open, now open an Internet Explorer page.

– Go ahead and browse to each of the test requests you had previously created. Make sure that the parameters can be identified by the Custom Parameters filters we set up in Step 2.

– Once you are done, close IE, and the Manual Exploration browser.

– Click Okay (or signify which requests you want to use or not).

– AppScan then does its thing to generate tests for your requests. (You know it's working by looking at the bottom of AppScan for the “Completed Tests” portion. If the number is 0/0, it didn’t work.)

– Go to Scan -> Test Only

– Voila!

Enjoy! Let me know if it doesn’t work right!!

[Review] Hacking By Numbers: Combat Edition by SensePost

Posted in Certifications, Reviews on July 28, 2010 by Skyler

I just returned from the training portion of Black Hat in Las Vegas. This was my second Black Hat, and it was just as good as the first. I took the Combat edition of the Hacking By Numbers course; here is my review:

Review

The Hacking By Numbers courses are a series of trainings done by SensePost, a South African security company. The courses are presented as Cadet, Bootcamp, Web 2.0, Combat, and Chief of Staff editions. I had previously attended the Bootcamp edition (which reminds me, I need to write a review on that), which is the recommended pre-req for Combat edition.

Here is the overview found on the Black Hat website:

This course is the flagship course of the established Hacking by Numbers series. From the first hour to the final minutes students are placed in different attacker scenarios as they race the clock to “capture the flag”. In the SensePost tradition, the solutions lie much more in technique and an out-of-box thought process than in the use of scripts or tools. Each exercise is designed to teach a specific lesson and will be discussed in detail after it is completed. In this way you learn from your instructors, your colleagues and your own successes and failures.

The “Capture the Flag” exercises have all been designed to replicate real-life scenarios with real-life-hacker stumbling blocks along the way. Students will have to deal with multiple firewalls, IDS devices and home spun red herrings in their quests to complete the challenge. During the exercises SensePost’s leading technical specialists will discuss possible attacks, possible alternatives and even possible defenses for the scenario in question.

The exercises range from simple layer one attacks to more complex attacks requiring combinations of web application vulnerabilities and TCP/IP covert channels. All tools, documentation and required reading material will be provided to the students.

Structure

The course is two days in length, and is completely hands on. The instructor, Marco, did a fantastic job as a guide, rather than a lecturer. The entire course is a series of “pracs”, in which a different pen testing technique is exercised. It is important to note that these “pracs” were created based on real world assessments. After a 20 minute intro which primarily included pearls of wisdom gleaned from SensePost’s experience, we were thrown straight into the fray; just as advertised, this course was all hack.

For each “prac” you are given three things: the Objective, Recommended tools, and Obscure hints. The objective gives you the endpoint, as well as the end goal. Most of the end goals were to place yourself on a Wall of Fame (typical of CTF challenges). The recommended tools portion is meant to be a very basic hint if you had no idea where to start. The obscure hints were just that. They served a valuable purpose in the end learning objective of the course. After the completion of the “prac”, a review of the hints would show a clear reverse thinking process that would serve you well on a pen test if you were to internalize it.

As a hurdle would be overcome during a “prac”, the instructor would start giving assistance to those struggling. In some cases he would give further clues, but mostly he would help describe the underlying technology being used for those unfamiliar with it. This ensured that you could get the most out of the exercise by not getting hung-up on step-one. Otherwise you might end up missing out on the rest of the fun.

After each “prac”, the instructor would then poll the class on the methods they used to achieve the objective. I was amazed at his ability to instantly recreate and model a student’s method on multiple platforms. Unlike many trainings in which you can get bored waiting for a demo to work, the instructor was in complete sync with the pace of the students, not going too fast, nor dragging on the time.

Content

The content was definitely the masterpiece of this training. Some trainings are simply overpriced “script kiddie” tutorials that could be found on YouTube. However, HBN: Combat was nothing like this. Not once did I touch Nessus, Metasploit, or any other framework. I was pleasantly surprised at the small span of tools utilized during the whole process. Mostly it was a mixture of Wireshark, Nmap, some sort of inline proxy, and your CLI.

While speaking with one of the SensePost testers, he explained to me that one of the issues within the industry is the limited “sight” of the testers. So many pen tests are conducted by running Nessus, CANVAS, or some other vulnerability scanner, and dumping the report on their client. Even if they do go on to verify vulnerabilities, it is usually done using Metasploit, Impact or another exploitation framework. This obviously leaves many false positives, and even worse, false negatives. This is why HBN: Combat is so effective. The course is built upon the principle that no system is completely secure; you simply need to find the hole that takes real skill to discover.

In line with that principle, the exercises were highly technical, and very clever; they only required recognizing patterns and thinking outside the box. Some of my favorite practices involved doing:

  • IPS bypass
  • Protocol reversing
  • Security measure bypassing
  • Chained exploitation
  • System misconfiguration
  • Thick app attacks

Overall, I left the course feeling very well equipped and much better prepared.

Conclusion

This was a fantastic course! It was essentially two days of learning pen testing skills gleaned from real world assessments. I feel like I have a better understanding of the underlying technology in common (and uncommon) implementations. There were very few (if any) technical issues, and the instructor was friendly, and a true expert; he demonstrated an exhaustive understanding of all technologies used. I highly recommend that everyone take this course. It will definitely widen your “sight” in your pen tests, while also teaching you awesome little tricks.

Visit SensePost’s website here!

Black Hat!

Posted in News on July 25, 2010 by Skyler

Hey everyone! I’m on my way to Black Hat! I’ll give you my report when I get back!!

Techtionary

Posted in Reviews on July 22, 2010 by Skyler

If you have ever needed a more visual example of a certain technology, there is now a place where you can find it. Techtionary is a web based visual dictionary. Containing a huge list of topics, you can view animated demonstrations on almost anything you are looking for. This makes the site perfect for those seeking a real understanding of some usually difficult concepts. The only downside is that it seems like it can go a little slower than preferred. A small price to pay for good information.

Check it out here!