Tools
Strange Entries in your wbeserver logs, Wikto and questions about our Gender!
Over the past while we have been getting emails from people trying to figure out why they had entries like this in their http log files:
10.10.1.136 – – [32/Dec/2007:25:61:07 +0200] “GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1” 404 –
Recently a concerned Wikto user figured out that this was linked to him using Wikto (our Win32 Nikto Replacement + Directory / File / Back-End Miner). A snippet from his email read:
-snip-
I sniffed the traffic going out from my host going to the target host and infact this is the result:
HTTP GET /admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.0
All the requests are full of this… Well, at this point the questions are two:
1) You have a strange sense of humor.
2) You have been compromised. Waiting for a feedback,
Wikto 2 Bugfix
A seasonal Wikto version was released on the 22nd (Version 2.0.2911-20215) which has an issue with the web spider funtionality.
HTTPS requests are being made in plain text, and this obviously means that attempts to spider such sites will not work.
A bug fix for this is available from www.sensepost.com
Thanks to Mark Murdock for the heads up.
Wikto Updates
A new version of Wikto is also available, which provides a more reliable web spider and also includes some minor bugfixes.
More details regarding Wikto are available at http://www.sensepost.com/research/wikto
Suru Version 2.0
We are pleased to announce the release of Suru version 2.0, our MITM proxy.
Suru has now been rewritten to work with the .Net 2 runtime environment and includes all the features of the original 1.x stream, as well as numbers of enhancements and upgrades.
Features which have been added since the last 1.1 stable release include the following:
Upstream proxy support Response timing for timing-based attacks Highlighting of search terms in the request editor and the browser Neater and sortable request and fuzz list boxes Request interception There is currently a known bug when using Suru 2.0 with Mac OS/X and Parallels, but we hope to have the issue ironed out as soon as possible and will release a fix for this in the very near future.
Introducing Hex-Rays…
These days its almost impossible to read a book on security or vuln-dev without a gratuitous IDA-Pro screenshot. IDA has proven itself so valuable at reversing that its near impossible to find texts that fail to mention it. (Even ancient texts from fravia and woodman will make reference to it).
Well.. for a long long time people have wondered why ilfak (ida’s main author) didnt get into the point and click vuln finding / point-and-click disassembler business.. For a long time he (and datarescue stayed out of it), till now..
Alas.. i could have made squillions (aka – Amazon MTURK)
In early 2002 i suggested that we could solve some computer problems and south africas street-kid problem by setting up a network of street=kids with basic education to handle tasks computers still struggled with. At the time we were concerned with low-false positive, agentless remote detection of defaced web-sites, but also ran into the idea when we first built e-or, our early web application scanner. I suspect i didnt broach the subject with enough sensitivity (and in retrospect suggesting that remote controls for automatic gates could be replaced by 2 low cost street-kids (one as a spare)) might not have helped my cause..
BMC Video on DTrace..
BMC did his 90 minute engedu talk on DTrace at google to show some of its coolness (and from the looks of things to help get a Linux port going). DTrace looks awesome for system instrumentation (like strace on steroids)(although limiting it like that does it no justice at all). From the DTrace Page: “DTrace is a comprehensive dynamic tracing framework for the Solaris Operating Environment. DTrace provides a powerful infrastructure to permit administrators, developers, and service personnel to concisely answer arbitrary questions about the behavior of the operating system and user programs.”
Its the #1 thing that has me all excited about leopard (shipping with dtrace by default) and i genuinely cant wait (maybe now ill spend the extra minutes finding out how growlNotify manages to occasionally hose my box ;> )
Core Release Pass the Hash Toolkit..
Hernan Ochoa from Core has released the Pass the Hash Toolkit which is very cool.. It basically means that you dont have to bother cracking a password on a taken machine anymore, you can simply use his iam.exe to associate the captured hash with your current session.. Its accompanying whoisthere.exe means you can grab hashes easily and the fact that its all released with source means you should be able to use it on a customer network without a sinking feeling in your stomach :>
F(inally)ull Release of BlackHat-Defcon Timing Stuff..
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure.
More details on squeeza (the tool) can be found on the squeeza page, but in a nutshell is a sql injection tool that uses Metasploits concept of splitting exploit/payloads/etc with SQL Injection attacks. Current modules are written for MS-SQL server but include functionality for (user defined sql queries, some db schema enumeration, command execution, file-transfer, db_info) and the information is returned (channel selection) via one of (application error messages, DNS, Timing). The modularity’ness means that these all mix and match – I.e. if you write a module to “extract data from all tables that look like username*”, the results would be available on any of the available channels.. (Its a pretty neat tool.. and saved our bacon more than once) So check it out, and send feedback to research@sensepost.com
Squeeza: The SQL Injection Future?
During our talk we demo’d squeeza.. We will link to the slides and .ppt as soon as we can, but have been getting a few requests already for the code, so here it is..
For those who missed the talk, squeeza is a SQL Injection tool, that once given an entry point can simply a bunch of things. Its the first tool i know of that facilitates full binary file transfers (download from the remote SQL Server), database enumeration, etc via a number of channels (Currently via DNS, via HTTP Error messages and Via Timing).