Import nmap Results Into Burp

Contributed By Saint Patrick on January 7th, 2012

So, just a quick note. monstream00 has just released a buby script that takes nmap results, throws them into Burp Suite and then spiders those sites.

Check out his work over at his blog: http://monstream00.wordpress.com/2012/01/06/import-nmap-to-burp/

Good stuff and another example for anyone out there learning the ropes with buby.

Code, community

Top Gift Ideas For Your Infosec Pro – 2011

Contributed By Saint Patrick on November 26th, 2011

It’s the holiday season once again and you’re trying to think of thoughtful gifts for your information security professional.  You need something that will give him/her a little bit of that hacker feeling, but not require too much time or effort.  Or, maybe just something to take the edge off fighting advanced persistent tigers.

Well, L1pht is here to help!

  1. Traditions Black powder pistol kit – $179 to $260

    Your infosec pro will have tremendous fun working with his hands as he puts together this pistol kit. If he keeps all of his fingers, the possibilities are endless.  Now that’s goin’ out in style!

  2. Scotch – $75 to $250
    Scotch Scotch Scotch....get in my belly
  3. A Year of Burp Suite Pro – $299
    If your information security professional doesn’t already have a copy of Burp Suite Pro, treat her to a year’s worth of web application hacking enjoyment. After all that scotch they’ll probably get belligerent and want to raise a ruckus. By going pro they’ll get no throttling, one of the best scanners on the planet and so much more. Show someone you love them with Burp!
  4. Web Application Hackers Handbook 2nd Edition – $31.11
    A great stand-alone gift or companion for #3, the Web Application Hackers Handbook is THE go-to book for web application security testing.
  5. Beer – $12 – $50
    Showing you care doesn’t have to break the bank. This will put a smile on that depressed little face. Pick up anything from Great Divide Brewing, Gulden Draak or St. Bernardus to help make someone’s holiday season a bit brighter and the pain a bit duller.

Feel free to drop other gift ideas.

Beer, community

My Flash 9 Workflow

Contributed By Saint Patrick on August 26th, 2011

Just recently I’ve tested a number of web applications that made heavy use of Adobe Flash. Considering I didn’t find a whole lot when I was searching, I thought I’d document my current workflow.

To be honest I’ve never gone too deep into hacking up SWF files. So, after finding a few bugs in the non-flash areas I decided to invest a bit of time in disassembling and reassembling SWF files.

Most web app folk are at least aware of the flare and flasm tools, the go-to tools featured in the 1st Ed. of Web Application Hacker’s Handbook. These were the tools I knew existed and I attempted to apply them. Unfortunately in my situation these were near useless. Apparently flare and flasm are dead projects and have no roadmap for supporting ActionScript 3. A quick look over at the OWASP Flash Security Project got me in touch with RABCDasm. There are more than a couple disassemblers, but tools supporting reassembly appear limited. This suite did pretty much everything I needed.

I also like using HP’s SWFScan.  Not really for the static analysis (your mileage will vary), but for the neatness and ease of a friendly AS3 format.

So, here it is:

  1. Acquire SWF file
  2. Run SWFScan on the file
  3. Follow the RABCDasm usage to the point that you’ve disassembled the .abc files
  4. grep -i -r these directories for keywords that you’ve located using the more readable AS3 in SWFScan
  5. Make appropriate changes
  6. Follow the RABCDasm usage for reassembly
  7. Start up a python -m SimpleHTTPServer 80 in the reassembled SWF directory
  8. In Burp, make a proxy replace rule to replace the normal content with your new file
  9. In Burp, make a proxy replace rule to replace the AllowScriptAccess parameter from “sameDomain” to “always”

Anyway, given this setup it’s not entirely difficult to at least test and attempt to attack things like client-side input validation and controls. That said, learning some ABC is in order as I’m just flapping my fledgling flash flippers.

Comments and suggestions welcome.

Code, Exploitation

The Plan // Blackhat USA 2011

Contributed By Saint Patrick on July 18th, 2011

I’ve got my training, briefings, hotel all booked up and flight locked in.  It’s finally starting to get real. I can almost feel that 104º F desert heat pouring down on the sidewalk.

This is about the time of year that I start penciling in what talks I want to make.  I know what you’re thinking: “who goes to talks at these things?  Aren’t you supposed to be sleeping off a night of vendor fueled debauchery, prepping for another?”. To that, good sirs, I remind you that I am not a normal human being. I still attend talks.

So, I should be wheels down at McCarran around 11:30am on July 29th.

First, the party plan:

  • Accuvant/Palo Alto – The Crystal Ball – 8/3/2011
  • Fishnet – Rhumbar [Mirage] – 8/3/2011 9pm to Midnight – I’ve got some friends and know some talented folks at Fishnet, I’ll probably be soaking up their tab most of the night.
  • Mandiant – Shadow Bar [Caesars] – 8/3/2011 8pm to 10pm – Shadow Bar is a chill location, good opportunity to chat with some of the Mandiant guys.
  • RSA NetWitness Party – JET [Mirage] – 8/3/2011 – Going to check this out before heading to Fishnet
  • Blue Coat Dinner – Caesars
  • EFF theSummit – Rio Pavilion 1 – 8/4/2011 8:30pm – The EFF is a great organization that deserves your support.  Check it out.
  • BSidesLV Epic Party!

So far I’m pretty open other than that, let me know what’s going down and where if you want to hang out.

What’s that?  You’re not on any of the RSVP lists?  Get on the lists here.

Now for the talks Day 1:

  • 10am – 11am // Hacking .Net Applications: The Black Arts
  • 1:45pm – 3pm // Server-Side JavaScript Injection: Attacking NoSQL and Node.js
  • 3:15pm – 4:30pm // Reverse Engineering Browser Components – Dissecting and Hacking Silverlight, HTML 5 and Flex
  • 4:45pm – 6:00pm // Post Memory Corruption Memory Analysis

Day 2:

  • 10am – 11am // Don’t Drop the SOAP: Real World Web Service Testing for Web Hackers
  • 11:15am – 12:30pm // SSL And The Future Of Authenticity
  • 1:45pm – 3:00pm // Crypto for Pentesters (Maybe?)
  • 3:15pm – 4:30pm // Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System (The only slot for which I wish I could be in 3 places at once)
  • 4:45pm – 6:00pm // Sticking to the Facts: Scientific Study of Static Analysis Tools

Of course, this is likely to change once the BSidesLV schedule is posted.  With a great location like The Artisan (You might remember it from the 2009 Ninja Party) and a speaker list including HD Moore, Moxie, Egyp7, Val Smith and Mudge it’s hard not to bump something you can get on DVD.

I’m really looking forward to the training; I’ll write up a review post afterward.  Look for it.

community, Travel

wXf buby Module – generate_wordlist.rb

Contributed By Saint Patrick on June 29th, 2011

I’ve been following the progress of the Web Exploitation Framework (wXf) for a while. It’s a cool idea with a ton of potential.

Recently cktricky has been putting out some great tutorials on using buby to extend and interact with Burp through wXf. The posts illustrate some of the flexibility of buby and just how easy it can be to integrate with wXf. I wanted to give it a try and thought I’d put a new spin on an old idea.

So, I went about implementing a custom wordlist creation module that would utilize the response data from the proxy history to pull words out of h1-h5, p, span, and title tags.

There are tools that produce a similar result, however they usually require that the tool spider the site. Spidering is far from perfect and when I’m assessing a web application I make a point of clicking every link and discovering every page manually. Why not use the information I already have?

The user can specify a minimum word length and gets output sorted and uniqued. Find the latest module here.
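Here is the extraction step of that module written out as an added example; it is not the wXf module’s own code, it takes raw HTTP responses as strings instead of reading Burp’s proxy history through buby, and the sample responses are constructed:

```ruby
require 'cgi'

# Tags the post says the module mines: h1-h5, p, span and title.
WORD_TAGS = %w[title h1 h2 h3 h4 h5 p span].freeze
TAG_RE = %r{<(#{WORD_TAGS.join('|')})\b[^>]*>(.*?)</\1\s*>}im

# Words from the text inside the tags above, in document order.
def words_in_html(html)
  html.scan(TAG_RE).flat_map do |_tag, inner|
    text = CGI.unescapeHTML(inner.gsub(/<[^>]+>/, ' ')) # strip nested tags (<b>, <a>), decode &amp; etc.
    text.scan(/[[:alpha:]][[:alnum:]'-]*/)               # word = letter followed by letters/digits/'/-
  end
end

# Raw responses (status line + headers + body) -> sorted, uniqued wordlist of
# words at least min_len characters long, as the post describes the output.
def wordlist_from_responses(responses, min_len: 4)
  responses.flat_map do |raw|
    _headers, body = raw.split(/\r?\n\r?\n/, 2) # drop status line and headers
    body ? words_in_html(body) : []
  end.select { |w| w.length >= min_len }.uniq.sort
end

# Constructed sample responses standing in for two proxy history entries.
SAMPLE_RESPONSES = [
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" \
  "<html><head><title>Acme Widgets &amp; Gadgets</title></head>" \
  "<body><h1>Welcome to <b>Acme</b></h1><p>Our flagship product is the Turbo-Widget.</p>" \
  "<span>Est. 1999</span><pre>should be ignored</pre></body></html>",
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" \
  "<h2>Careers</h2><p>Join the Acme team in Denver.</p>"
].freeze

puts wordlist_from_responses(SAMPLE_RESPONSES, min_len: 4) if __FILE__ == $PROGRAM_NAME
```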

There’s nothing too fancy here, but it might be useful. Git pull the wXf, play with buby, write some modules and have fun!

Check out the buby posts over at Attack Research Blog.

Code, passwords