System7 » pentest

Hacking to pwn a cop car

Sun, 08 May 2011 11:54:02 +0000

My boy Kevin Finisterre recently made headlines while doing a penetration test on a city’s infrastructure.

(Kevin and I knew each other from past lives)

It turns out Kevin discovered a way to access video dumps from a police dash cam. After a little more digging he was able to tap into “real time GPS tagged live audio and video from the cruiser.”

Kevin has a nice writeup of the exercise here, Owning a Cop Car.

Simplifying Information Security Risk Assessments

Tue, 19 Apr 2011 18:41:47 +0000

There’s a free webcast available from Accuvant’s Doug Landoll on Simplifying your Risk Assessments available here.

Some of the highlights are:

First, data and system owners need to be included on discussions to set protection requirements based on their criticality of their data (regulations can act as minimum baseline)
Hopefully you’re using a robust risk assessment method. I strongly recommend reading How To Measure Anything. Too many risk assessments result in Green, Yellow or Red traffic light graphics —- what does that really mean?
Common challenges that the webinar addresses: High number of machines and monolithic vs. diverse environments (std. images across your enterprise or a free for all?)

The Power of GPU’s

Tue, 14 Sep 2010 19:03:28 +0000

There’s been a lot of talk recently about using graphics processing units (GPU) to crack passwords. This was due to a recent paper published by a researchers from the Georgia Tech Research Institute. Long story short: Make sure your passwords are now a minimum of 12 characters in length. Optimally, you should choose passwords from a universe of 4 character sets (Uppercase, lowercase, numbers, spec!al ch@racters).

One of the GTRI researchers who authored the paper was interviewed on the Cyber Jungle SU Root #164. The audio file is 25 minutes long.

On another note, the alternative uses of GPU’s won’t be going away anytime soon but could be renamed. Both large chip makers, AMD and Intel, are working on or have already released hybrid CPU/GPU chips. Read more here.

win32 memory capture & analysis cheat sheet

Mon, 14 Jun 2010 12:33:25 +0000

A high level overview to perform live memory captures and analysis:

capture memory via moonsol’s win32dd
parse memory snapshot with mandiant’s memoryze
analyze results via audit viewer
or analyze using the volatility framework — neatly packaged in SAN’S Sift Workstation

One more vulnerable web project….

Fri, 02 Apr 2010 15:24:20 +0000

Back in November I posted a list of intentionally vulnerable web applications for educational purposes. You can find that list here: http://www.system7.org/2009/11/05/test-your-web-pentest-skillz/

A new one to add to the list is OWASP’s Broken Web Application Project. There was a great talk at Shmoocon about the project. This project might end up taking the gold medal in vulnerable web application projects. They plan to include versions of actual applications you see in the wild (Yazd, WordPress, phpBB) and all of the other web app testing projects (Damn Vulnerable Web App, Mutillidae, WebGoat).

Quickly assess your PHP infrastructure security: PHPSecInfo

Tue, 26 Jan 2010 02:57:54 +0000

From their homepage: PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Combine this tool with my ‘Assault on PHP Applications’ blog entry and this recent ‘Web Security‘ article and you’ll be a fairly competent web pen-tester.

Pen Testing 101 Presentation

Wed, 09 Dec 2009 11:19:40 +0000

PaulDotCom has an excellent penetration testing presentation covering your primary 6 tools: nmap, nessus, hydra, pass-the-hash, metasploit, and cain & abel. Check it out here: http://pauldotcom.com/TriplePlay-NetworkPenTestingTools.pdf

Successfully running De-Ice on a virtual machine….

Sat, 21 Nov 2009 12:25:22 +0000

I’ve seen several folks wondering how to setup the De-Ice pentest environments in a virtual machine. It’s actually a fairly simple setup and I’ve included the steps needed below….

Here’s the config I used to get level 1(1.100) working:

Configure the De-Ice VM Guest for Host Only networking
Modify routing on host VM: “ifconfig 192.168.1.X vboxnet0” — X can be anything that’s not in use; vboxnet0 would be the name of the virtual interface – in this case I’m using Virtual Box.
Modify host routing table: route -add host 192.168.1.100 vboxnet0 — – this is biggest problem for people; make sure your host is using the correct interface to find De-Ice

Here’s the config I used to get level 2 (2.100) working:

Configure the De-Ice VM Guest for Host Only networking
Modify routing on host VM: ifconfig 192.168.2.X vboxnet0
Modify host routing table: route -add host 192.168.2.100 vboxnet0

Penentration Test Scenario’s

Tue, 13 Jan 2009 06:52:06 +0000

I’ve recently been trying to teach my young cousin the basics of computer security. I started by having him get the Backtrack live-cd which is geared for penetration testing.

Once you have Backtrack running you need a dummy machine to test against. People have packaged live-cd’s and virtual machines that are running some combination of the following:

Unpatched operating systems (Win XP SP1)
Unpatched applications (httpd, ftpd, etc)

You can find these ready to be exploited packages here:

http://de-ice.net/ (see PwnOS and Pen Test Training)
http://www.damnvulnerablelinux.org/

Old softwares with bugs:
https://www.securinfos.info/old_softwares_vulnerable.php

Do you have an old disc of Windows 9x or Redhat 6.2 lying around?

Install VirtualBox
Create your own virtual machine with those old OS discs that are now collecting dust

Have fun & remember to keep this limited to dummy machines