Tuesday, May 16, 2006

Alpha Version of LabRat ready

LabRat = the first version of the Application Security Testing CD developed with the OWASP project.

3 straight weekends behind the pc and it is finally ready for testing. This process took MUCH longer than expected. I ended up testing about every distro and method for creating a live CD. I ended up using Morphix ( www.Morphix.org ) for the first version of LabRat.

LabRat v0.8 is based on Debian and runs the 2.6.15 kernel and Morphix live CD modules. So far it has just minimal branding and content. The goal now is to create a stable environment to build the Live CDs. Once that has been checked off, the CD will take on personality and start including tools to make it functional as something other than a coaster.

Current build includes:
PacketFocus/Owasp Wallpaper
Custom menu items
Desktop shortcuts to tools/pentest folder
OWASP HTML Guide

Tools:
Nmap
Metasploit 2.5
Tcpdump
Ethereal

Upcoming Changes:
Custom BootScreens
Custom KDE Theme
Redesigned Menu to include the OWASP methodology
Fuzzing Tools
VoIP Tools
RFID Tools
WebScarab Proxy
WebGoat

You are more than welcome to download the CD and give it a go. However, I must warn you.. It is a large download and doesn't contain much content as of yet.

download LabRat version 0.8 www.packetfocus.com/hackos

Stay Tuned for the next version in June 2006

www.packetfocus.com
email: josh.perrymon @ packetfocus.com


-jp

RFID Hacking

Hmm... every day I read something new about RFID. This technology has been around for a little while but is really gaining steam now. In the US, large entities like Wal-Mart and the DoD are really pushing this technology.

I'm no expert at RFID but I know what I'd like to do with it as it relates to penetration testing.
I'm working on a handheld Compaq iPAQ with an RFID R/W card installed. This device would become invaluable for on-site and physical tests. The tester could hang out in front of the building or in the lobby and scan RFID ID cards as internal users walk by.

The tester could then write to a similar badge medium and have access into the building. This is the type of attack I would use while performing a wireless audit. Having a badge gives a much better chance of getting building access than tailgating. This access is then used to place a wireless AP or similar device inside the building to establish communication channels outside.

So the RFID hack in itself may not bring a corp to its knees, but using it along with another attack makes it deadly.

JP

Direct Phishing Attacks

I have been doing a lot of penetration testing and the largest risk I see is Directed Phishing Attacks. I'm not talking about the normal phishing attack that sends out 10,000 million emails to random .@yahoo addresses asking the user to login to the "new" portal to make sure the password works...

I'm talking about a very small scale, hand-crafted attack. The attacker may spend days or weeks profiling and gathering information before sending an active attack. This is usually directed towards email addresses found on public websites or hardcopy documents captured via other channels. It's common to replicate an outward facing portal and spoof an email to users asking to login or verify credentials to ensure continuity. This stage is where creativity pays off.

The widget that gathers the passwords could be spoofed company newsletters, Citrix, or remote email applications. Other advanced methods include creating a custom .exe installer with company logos and verbiage. The link is then passed to targets asking them to install an update, etc.

No matter the method of gathering the domain credentials... the attacker now has access to valid channels into the Target Intranet. To me.. this process is MUCH easier to execute than performing a multilayered SQL injection or certain overflows. But the obvious fact is that the attacker never triggers any IDS / IPS alarms. Valid remote access is obtained into the target network.

I have been keeping notes over the past couple of years while performing these attacks and have recorded a 100% per engagement success in gaining valid credentials. This is successful due to an overall response rate of 65% which is probably a lot higher due to expired email addresses on the Internet.

How to protect from this Attack?
Well.. this is the hard part. Currently I don't know of an existing method that will protect against this type of attack. I have tested numerous Global Companies that had every device on the market in the network and this attack didn't raise one flag. However, PacketFocus is working to develop a new hybrid technology to protect organizations against this attack. This includes working on a prototype to be released depending on current negotiations.

This new technology will push a new type of AI to detect and deter directed phishing attacks. However, it would be much easier if we could mark the internal usernames and passwords so a smart device could make sure they are not sent outside certain boundaries..


Until then..
Several of the following methods may minimize this risk but impact normal computing:
Enforcing Plain Text Email
Whitelisting Company Partners
Configuring Email servers to deny spoofed addresses
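
The three mitigations above, sketched as one mail-gateway policy check. This is an added example, not PacketFocus code; the domains, the `inbound_verdict` function and the `authenticated` flag are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organization's own domain and its partner whitelist.
INTERNAL_DOMAINS = {"corp.example"}
PARTNER_DOMAINS = {"partner.example"}

def inbound_verdict(raw_message, authenticated=False):
    """Decide what a perimeter mail gateway does with one message.

    authenticated is True only when the sending session logged in as an
    internal user (assumed to be supplied by the mail server).
    """
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()

    # Deny spoofed addresses: our own domain may not arrive unauthenticated.
    if domain in INTERNAL_DOMAINS and not authenticated:
        return "reject", "internal From address on an unauthenticated session"
    # Same trick hidden in the display name, e.g. "helpdesk@corp.example" <x@other>.
    if domain not in INTERNAL_DOMAINS and any(d in display.lower() for d in INTERNAL_DOMAINS):
        return "reject", "internal domain in display name of external sender"
    # Whitelisted partners and authenticated internal users pass unchanged.
    if domain in PARTNER_DOMAINS or domain in INTERNAL_DOMAINS:
        return "deliver", "trusted sender"
    # Enforce plain text for everyone else: an HTML body can hide a link's real target.
    if any(part.get_content_type() == "text/html" for part in msg.walk()):
        return "quarantine", "HTML body from non-whitelisted sender"
    return "deliver", "plain-text mail from unlisted sender"

# Constructed sample messages (not real traffic).
SPOOFED = "From: IT Helpdesk <helpdesk@corp.example>\nSubject: Verify your login\n\nPlease log in.\n"
DISPLAY_TRICK = 'From: "helpdesk@corp.example" <it@mailer.example>\nSubject: Portal update\n\nLog in.\n'
HTML_STRANGER = ("From: news@unknown.example\nSubject: Newsletter\n"
                 "Content-Type: text/html\n\n<a href='http://portal.example/'>Log in</a>\n")
PARTNER = "From: ops@partner.example\nSubject: Invoice\nContent-Type: text/html\n\n<p>Hi</p>\n"

if __name__ == "__main__":
    for name in ("SPOOFED", "DISPLAY_TRICK", "HTML_STRANGER", "PARTNER"):
        print(name, inbound_verdict(globals()[name]))
```

The check looks only at the header From line, so a lookalike domain that is neither internal nor whitelisted still gets through as long as it sends plain text.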

Email Josh.Perrymon (at) packetfocus.com for more details.
www.packetfocus.com

Tuesday, May 09, 2006

Packet Focus Security Research

Ok... the first version of the Distro is ready.. It is to be dubbed "labrat v0.8". This version is far from being slimmed down, weighing in at 587megs. It includes the KDE desktop with a lot of stock programs included. I thought that most of the packages were removed in the main module but a few snuck in.. :)

This Distro is being built off Morphix.. I must say it is a pleasure to work with. Two weekends and 30 installs later I found Morphix and had my first distro running in about 2 hours. My initial focus was to install a distro and create a mirror image bundled into the CD.. But now I found that the overlay approach works great and is very repeatable and scriptable.

So this is a Pre-Alpha/Alpha version and has little bugs. So far it has worked great but did bomb out on an Optiplex 280 @ the Office. I think passing a boot parameter VGA=??? will fix it but I haven't tried yet.

I did notice the sound was LOUD when KDE starts on my laptop so remember to turn the sounds down if you're using a laptop..

The /pentest/ directory has a few simple test directories installed including MetaSploit 2.5. This was just to understand how Morphix copies the files over.

A couple of standard Debian packages have been added:
Nmap
TCPdump
Ethereal
Stunnel

To name a few.

I copied over a theme but misspelled the directory.

Anyway, I hope to have time and work on the next version this week and put a beta version out in a month or so.

Download www.packetfocus.com

Tuesday, May 02, 2006

Teaming up with OWASP for a Live Linux CD..

We have been working with The Open Web Application Security Project (OWASP) to develop a Linux-based LIVE CD. The goals of the project are to create a Live/Bootable platform to perform application security testing. The core of the project is the depth of information and research tools that OWASP has developed or is in direct affiliation with. Training is also a HUGE benefit of this tool. It can be used in most stages of the SDLC.

Including:
OWASP Guide
Mono .Net Libraries for Linux
OWASP Pen-testing guide
WebGoat
WebScarab
Etc.

References:
WebServers
Coding
DNS
Etc.

Tools from PacketFocus:
Nmap
Nessus
Metasploit Project (2.5 and 3)
Hping2
TCPDump
Yersinia
Amap
Queso
Hydra
John
Dictionaries
TCPReplay
Nikto
Stunnel
RFIDtools
VOIP Tools
PAROS

Exploits:
Security Focus and Milw0rm Archives
PacketFocus "cool tools" collection for pen-testing

Correlation
STIF Framework

This is just a brief list off the top of my head. Project should be formalized once initial testing of the base live OS is complete.

So far the choice is a Debian-based Morphix derivative. Slackware 10.2 was a great platform but didn't work well working from a laptop. So this first release will probably be on whatever OS works first.... Again, so far that has been Morphix. We are looking forward to the new release of the Morphing CD. After everything is stable we will do a test of SLAX vs. Morphix to see what happens.

Be on the lookout for the first release in about a month or so. Check the website www.packetfocus.com for details.

JP