Wednesday, April 27, 2011

EAP-MD5 Offline password attacks

This post from Pauldotcom explains how to perform offline dictionary attacks against EAP-MD5 authentication packets (802.1X-protected networks).

Once we have a packet capture with the authentication packets, the post offers two possibilities:
- Patched version of xtest to read the passwords through a pipe (John the Ripper produces the password list)
- A small Scapy script  called 

Converting Unicode to Shellcode

Some nice shell-fu to decode Unicode-encoded shellcode. It is common to find these kinds of payloads in Microsoft Office and PDF files that contain exploits, and these techniques always come in handy.

Wednesday, April 20, 2011

Attacking Oracle Web Applications With Metasploit

Excellent presentation by Chris Gates (carnal0wnage) on Attacking Oracle Web Applications With Metasploit [PDF].

TCP Split Handshake

I have found the following whitepaper that explains the TCP Split Handshake [PDF] and its implications.

Layer 2 attacks on IPv6

Via the Internet Storm Center.

NDP spoofing is the IPv6 equivalent of ARP spoofing in IPv4 and can be used for MITM.

RA spoofing (DHCP attacks) can be used to impersonate routers and assign IP addresses to the victim.

RawCap Windows Sniffer

RawCap is a sniffer for Windows systems that does not need any external library or DLL to run, which makes it really useful for penetration testing.

Here are some highlights of why RawCap is a great tool to have in your toolset:
  • Can sniff any interface that has got an IP address, including (localhost/loopback) 
  • RawCap.exe is just 17 kB
  • No external libraries or DLL's needed
  • No installation required, just download RawCap.exe and sniff
  • Can sniff most interface types, including WiFi and PPP interfaces
  • Minimal memory and CPU load
  • Reliable and simple to use

Wednesday, April 13, 2011

Malware analysis with ClamAV and YARA

Via Infosec Resources

YARA is an extremely flexible identification and classification engine written by Victor Manuel Alvarez of Hispasec Sistemas. It runs on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
YARA rules are easy to write and understand. They have a syntax that resembles a C struct declaration. However, creating thousands of rules takes a lot of time and effort. That's why it makes more sense to use ClamAV signatures. Usually ClamAV signatures can be found under /usr/local/share/clamav or /usr/lib/clamav on Linux systems. This is where you will find main.cld and daily.cld. Alternatively, they may have .cvd extensions. The main.cld file contains the primary base of signatures and daily.cld contains incremental daily updates.

These tools are well explained in the Malware Analyst's Cookbook and DVD book.
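
The sketch below is an added example, not code from Infosec Resources or the Cookbook, showing how the hex body of a ClamAV `.ndb` signature maps onto a YARA hex string. It assumes the `.ndb` file has already been extracted from the `.cvd`/`.cld` container, ignores the TargetType and Offset fields, and runs on constructed sample signatures; `hex_to_yara` and `ndb_to_yara` are illustrative names.

```python
import re

# Constructed sample in .ndb layout (Name:TargetType:Offset:HexSignature); invented, not real signatures.
SAMPLE_NDB = """\
Example.Trojan.A:1:*:4d5a9000{4}ffff*50450000
Example.Dropper-B:0:*:deadbeef{-8}(01|02)cafe??00{2-}11
Example.Unsupported:0:*:aabb[2-4]ccdd
"""

_TOKEN = re.compile(r"""
    (?P<byte>[0-9a-fA-F?]{2})                  # literal byte or ?-wildcard
  | (?P<star>\*)                               # any number of bytes
  | \{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}     # {n} {-n} {n-} {n-m}
  | (?P<alt>\((?:[0-9a-fA-F?]{2})+(?:\|(?:[0-9a-fA-F?]{2})+)+\))  # (aa|bb)
""", re.X)

def hex_to_yara(sig):
    """Translate one ClamAV hex signature body into a YARA hex-string body."""
    out, pos = [], 0
    while pos < len(sig):
        m = _TOKEN.match(sig, pos)
        if not m or (m["dash"] is not None and not (m["lo"] or m["hi"])):
            raise ValueError(f"unsupported construct at offset {pos}")
        if m["byte"]:
            out.append(m["byte"].upper())
        elif m["star"]:
            out.append("[-]")                    # YARA unbounded jump
        elif m["alt"]:
            alts = m["alt"][1:-1].upper().split("|")
            out.append("( " + " | ".join(" ".join(re.findall("..", a)) for a in alts) + " )")
        else:                                    # {n} -> [n], {-n} -> [0-n], {n-} -> [n-]
            out.append(f"[{m['lo']}]" if not m["dash"] else f"[{m['lo'] or 0}-{m['hi']}]")
        pos = m.end()
    return " ".join(out)

def ndb_to_yara(ndb_text):
    """Return (rules_text, skipped_names); TargetType and Offset are ignored here."""
    rules, skipped = [], []
    for fields in (ln.strip().split(":") for ln in ndb_text.splitlines()):
        if len(fields) < 4:
            continue
        try:
            body = hex_to_yara(fields[3])
        except ValueError:
            skipped.append(fields[0])            # record it instead of emitting a bad rule
            continue
        ident = re.sub(r"\W", "_", fields[0])    # YARA identifiers: letters, digits, underscore
        rules.append(f"rule {ident}\n{{\n    strings:\n        $a = {{ {body} }}\n    condition:\n        $a\n}}\n")
    return "\n".join(rules), skipped
```

Calling `ndb_to_yara(SAMPLE_NDB)` returns two rules and reports `Example.Unsupported` as skipped. Passing the returned text to `yara.compile(source=...)` from yara-python is the check that YARA accepts each generated rule.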

IPv6 Pen-testing


Rick Hayes - Assessing and Pen-Testing IPv6 Networks from Adrian Crenshaw on Vimeo.

Monday, April 11, 2011

Anatomy of the RSA compromise

This blog post from RSA explains how the attackers gained access to their data.

In a nutshell, the attackers used social engineering to get an employee to open an Excel spreadsheet that contained a Flash object (zero-day CVE-2011-0609). Once they had back-doored the computer, they used the credentials to gain further access to the network (privileged accounts and systems) and stole the data.

Analyzing a Stuxnet infection with the Sysinternals Tools

A really good blog post on TechNet that explains how a machine is infected with Stuxnet and how the infection process can be analyzed with the Sysinternals Tools.

An overview of Rustock

It is known that Rustock has been taken down, but it is always a good idea to understand how a computer is infected with malware, especially if you have to respond to this kind of incident and/or design the defenses.

This nice post from the FireEye blog gives a good overview of how a computer can be infected with Rustock.