Check out his work over at his blog: http://monstream00.wordpress.com/2012/01/06/import-nmap-to-burp/

Good stuff and another example for anyone out there learning the ropes with buby.

Well, L1pht is here to help!

1. Traditions Black powder pistol kit – $179 to $260
    

   You’re infosec pro will have tremendous fun working with his hands as he puts together this pistol kit. If he keeps all of his fingers, the possibilities are endless.  Now that’s goin’ out in style!

2. Scotch – $75 to $250
   
   
3. A Year of Burp Suite Pro – $299
   If you’re information security professional doesn’t already have a copy of Burp Suite Pro, treat her to a year’s worth the web application hacking enjoyment. After all that scotch they’ll probably get belligerent and want to raise a ruckus. By going pro they’ll get no throttling, one of the best scanners on the planet and so much more. Show someone you love them with Burp!
4. Web Application Hackers Handbook 2nd Edition – $31.11
   
   A great stand alone gift or companion for #3, the Web Application Hackers Handbook is THE goto book for web application security testing.
   
5. Beer – $12 – $50
   Showing you care doesn’t have to break the bank. This will put a smile on that depressed little face. Pick up anything from Great Divide Brewing, Gulden Draak or St. Bernardus to help make someone’s holiday season a bit brighter and the pain a bit duller.

Feel free to drop other gift ideas.

To be honest I’ve never gone too deep into hacking up SWF files. So, after finding a few bugs in the non-flash areas I decided to invest a bit of time in disassembling and reassembling SWF files.

Most web app folk are at least aware of the flare and flasm tools, the go-to tools featured in the 1st Ed. of Web Application Hacker’s Handbook. These were the tools I knew existed and I attempted to apply them. Unfortunately in my situation these were near useless. Apparently flare and flasm are dead projects and have no roadmap for supporting ActionScript 3. A quick look over at the OWASP Flash Security Project got me in touch with RABCDasm. There are more than a couple disassemblers, but tools supporting reassembly appear limited. This suite did pretty much everything I needed.

I also like using HP’s SWFScan.  Not really for the static analysis (your mileage will vary), but for the neatness and ease of a friendly AS3 format.

So, here it is:

1. Acquire SWF file
2. Run SWFScan on the file
3. Follow the RABCDasm usage to the point that you’ve disassembled the .abc files
4. grep -i -r these directories for keywords that you’ve located using the more readable AS3 in SWFScan
5. Make appropriate changes
6. Follow the RABCDasm usage for reassembly
7. Start up a python -m SimpleHTTPServer 80 in the reassembled SWF directory
8. In Burp, make a proxy replace rule to replace the normal content with your new file
9. In Burp, make a proxy replace rule to replace the AllowScriptAccess parameter from “sameDomain” to “always”

Anyway, given this setup it’s not entirely difficult to at least test and attempt to attack things like client-side input validation and controls. That said, learning some ABC is in order as I’m just flapping my fledgling flash flippers.

Comments and suggestions welcome.

This is about the time of year that I start penciling in what talks I want to make.  I know what you’re thinking, “who goes to talks at these things?  Aren’t you supposed to be sleeping off a night of vendor fueled debauchery, prepping for another?”. To that good sirs I remind you that I am not a normal human being. I still attend talks.

So, I should be wheels down at McCarran around 11:30am on July 29th.

First, the party plan:

• Accuvant/Palo Alto – The Crystal Ball -8/3/2011
• Fishnet – Rhumbar [Mirage] – 8/3/2011 9pm to Midnight – I’ve got some friends and know some talented folks at Fishnet, I’ll probably be soaking up their tab most of the night.
• Mandiant – Shadow Bar [Caesars] – 8/3/2011 8pm to 10pm -  Shadow Bar is a chill location, good opportunity to chat with some of the Mandiant guys.
• RSA NetWitness Party – JET [Mirage] – 8/3/2011 – Going to check this out before heading to Fishnet
• Blue Coat Dinner – Ceasars
• EFF theSummit -Rio Pavilion 1 – 8/4/2011 8:30pm – The EFF is a great organization that deserves your support.  Check it out.
• BSidesLV Epic Party!

So far I’m pretty open other than that, let me know what’s going down and where if you want to hang out.

What’s that?  Your not on any of the RSVP lists?  Get on the lists here.

Now for the talks Day 1:

• 10am – 11am // Hacking .Net Applications: The Black Arts
• 1:45pm – 3pm // Server-Side JavaScript Injection: Attacking NoSQL and Node.js
• 3:15pm – 4:30pm // Reverse Engineering Browser Components – Dissecting and Hacking Silverlight, HTML 5 and Flex
• 4:45pm – 6:00pm // Post Memory Corruption Memory Analysis

Day 2:

• 10am – 11am // Don’t Drop the SOAP: Real World Web Service Testing for Web Hackers
• 11:15am – 12:30pm // SSL And The Future Of Authenticity
• 1:45pm – 3:00pm // Crypto for Pentesters (Maybe?)
• 3:15pm – 4:30pm // Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System (The only slot for which I wish I could be in 3 places at once)
• 4:45pm – 6:00pm // Sticking to the Facts: Scientific Study of Static Analysis Tools

Of course, this is likely to change once the BSidesLV schedule is posted.  With a great location like The Artisan (You might remember it from the 2009 Ninja Party) and a speaker list including HD Moore, Moxie, Egyp7, Val Smith and Mudge it’s hard not to bump something you can get on DVD.

I’m really looking forward to the training, I’ll writeup a review post afterward.  Look for it.

Recently cktricky has been putting out some great tutorials on using buby to extend and interact with Burp through wXf. The posts illustrate some of the flexibility of buby and just how easy it can be to integrate with wXf. I wanted to give it a try and thought I’d put a new spin on an old idea.

So, I went about implementing a custom wordlist creation module that would utilize the response data from the proxy history to pull words out of h1-h5, p, span, and title tags.

There are tools that produce a similar result, however they usually require that the tool spider the site. Spidering is far from perfect and when I’m assessing a web application I make a point of clicking every link and discovering every page manually. Why not use the information I already have?

The user can specify a minimum word length and gets output sorted and uniqued. Find the latest module here.

There’s nothing too fancy here, but I it might be useful. Git pull the wXf, play with buby, write some modules and have fun!

Check out the buby posts over at Attack Research Blog.

From the “Beauty Users” file, which contains 20,912 records:

Sorted and uniqued passwords only here.

From the “Delboca Users” file, which contains 17,786 records:

Sorted and uniqued passwords only here.

From the “Netherlands” file, which contains 596 records:

Sorted and uniqued passwords only here.

Go follow @LulzSec on twitter for more information on when the Lulz Boat might be making another run.

UPDATE: About 2 hours after my initial post my RSS reader brought me Troy Hunt’s A brief Sony password analysis. This post has quite a bit more substance and I recommend checking it out.

Many of you have by now made use of Greasemonkey to add functionality or alter webpages on-the-fly.  Since it’s release in 2005 Greasemonkey has been a friend to anyone wanting to control the way their user experience works.  That said, I tend to forget all about it and have written only a handful of scripts.

My reasons:

1. Lazy
2. Weak JavaScript Fu
3. Not annoyed by issue quite enough
4. See item 1.

So, nist.gov provides a handy CVSSv2 calculator available @ http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2.  The calculator works fine (or at least as well as the scoring system and provides the user with a shortened form of the values used to calculate the score.  A not so obvious fact is that it is possible to pass this shortened form to the calculator using the vector= parameter to dynamically load the values.

The notation and ability to link dynamically is a useful communication tool when delivering scores to stakeholders and supports transparency in how a score was determined.

Unfortunately, nist.gov provides the notation, a means to pass it to the calculator, but no link to tie the two together.  So, I wrote a quick Greasemonkey script to make this happen.

// ==UserScript==
// @name           CVSSv2 Link Creator
// @namespace      http://www.l1pht.com
// @description    Creates a Link for the CVSSv2 Notation on nvd.nist.gov calculator site
// @include        http://nvd.nist.gov/*
// ==/UserScript==
// RETRIEVE THE HTML BODY CODE
var text = document.body.innerHTML;
// Feel free to tighten this RE up, but no that the full notation is not always displayed.
var searchregex = /\s+\(AV:.{15,100}\)/gi;
var CVSSnotation = text.match(searchregex);

// Building a link that works and includes the vector
link = "<a href='http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector="+CVSSnotation[0]+"'>"+CVSSnotation[0]+"</a>";

// Now replacing the old text with the link
document.body.innerHTML= document.body.innerHTML.replace(searchregex,link);

So, for someone who needs these links on a regular basis this might be a help. A suggestion to add this functionality into the calculator has been made to nist, until then, there’s Greasemonkey!

Download cvssv2_link_creator.user.js

Everyone knows I’m fond of using Burp Suite and I’ve been rocking it with the fuzzdb project as an additional step of my testing.  After using this more than a few times I’ve noticed there are a few minor annoyances I’ve run into as well as a couple of areas that I think might possibly be improved, I’ll explain.

The first item is that when using the fuzzdb as-is with Burp we load the file and it’s imported with all the comments.  Now we have to either go through and cleanup the payload list or send a wasted request containing “# credit to rsnake’ or the like each time we come to it.  We have similar choices of writing ignore logic or not when scripting the file.  Neither is a huge deal, but why?  My feeling is to pull comments that are unnecessary.  Credit is being given in the _readme.txt file and I think that’s probably where it should live, out and away from the data.

The second item is an issue that I see with the XSS payloads.  There are currently 73 pattern lines in the rsnake-xss.txt  file.  Almost all of these result in the same payload being executed if the attack is successful.  The majority of the time this results in an alert box containing the string ‘XSS’.

Our attempts to inject these attack patterns may result in three alert boxes triggered for a given browser.  It may be of some value to be able to communicate which ones bypassed filtering or encoding functionality and triggered the events, but now all we know is that of the 73 we have 3 in that pile that made it happen.

My solution to this was to tag every payload uniquely by scripting a replacement of all XSS values to a naming convention of  rs1, rs2, etc. (rs as a tip of the hat to rsnake who contributed the list).  Additionally there are external payloads that make multiple references to non-unique js/xml/css files and of course result in a smaller, but similar issue of  the ‘XSS’ tag.  Here I have created a unique js/xml/css file for each attack pattern and a payload inside of these files should indicate which pattern was referenced.  These files are named rsx# to indicate rsnake external file execution.

examples:

• http://www.l1pht.com/rsx1.js
• http://www.l1pht.com/rsx2.js
• …
• http://www.l1pht.com/rsx11.html
• http://www.l1pht.com/rsx12.css
• http://www.l1pht.com/rsx16.xml
• http://www.l1pht.com/rsx17.jpg

That just nearly solved what I wanted to do, leaving only the encoded payloads.  I’m toying with this as you can see with the String.fromCharCode() example, in which I’ve changed the XSS char codes to the char codes for the string ‘CharCode’, an indicator to me of what attack pattern might be triggering the alert box.  Depending on how this works out, there may be more to come.

There are likely leeter ways to do what I’ve done, feel free to let me know.  If you’d like to get a better idea of what I’ve done check it out @ http://www.l1pht.com/code/misc/fuzzdbnaked-0.2.tar.gz

I’m not sure just how maintained I’m going to try to keep my version or if I’ll just let it rot and copy over my rsnake-xss.txt each time I svn up fuzzdb, but we’ll see.  I guess it depends on how much stripping I do

Fuzzing is a lazy man’s game.  We’re like toothless hill people, sitting on the porch of our minds in a rocking chair, a shotgun loaded with crackable data resting soundly on our filthy little laps.  Waiting.  Sippin’ our shine.  The unfortunate thing is that we have to be conscious so much of the time.  You know, to fetch more shine and what not.  What if we could just rot out by the still, relieving ourselves where we fancy?

I’m talking about generating data models without all the fuss of actually investing time and reading the specs.

So, the first thing to do is target an application that will consume an xml file format.

Modeling this normally would involve looking at the spec, writing out each string, maybe as was my case a ridiculous amount of XML encoding to get a good crack.  Getting into this I thought, there has to be a better way.  Just then Saint Eddington smiled down upon me and said “xml.XmlAnalyzer”.

Basically, Peach will take an xml file of our choosing and spit out a reasonable pit file.  Seriously.

peach --analyzer=xml.XmlAnalyzer xmlfile=samplefile.xml out=readytorumblepit.xml

You might think you can throw all your boilerplate StateModel, Monitor, Publisher stuff on as usual. You can, the only caveat being that you cannot crack data into pits with XmlElement nodes. Though, this doesn’t matter too much as you’re newly minted pit will contain all the seed data from your sample.

That’s all there is to it. Now go take the banjo down to the still and Rip Van Winkle yourself.

This post is in no way meant to discourage the motivated from modeling out non-xml formats, but more to encourage the most of awful of you to fire up a fuzzer more often.

Recipe:

• 9lbs – Northern Brewer’s Organic Light Malt Syrup
• 1lb – Briess Caramel 20L
• 1lb – Briess Organic Crysal 120L
• .75lb – Simpsons Chocolate
• .25lb – Simpsons Roasted Barley
• .5lb – Crisp Brown Malt
• 1oz – Centennial pellets
• 1oz – Northern Brewer pellets
• 3oz – Cluster pellets
• White Labs WLP001 California Ale

We steep the malts at 150*F for 30 minutes.  Add extract and bring to boil.  Add the cluster hops and a bit of Irish moss for 60 minutes.  Add the Nothern Brewer and centennial hops just before the end of the boil (last 2 minutes).  After this, it’s back to business as usual.

This was the first beer that I got to use a yeast starter and my immersion chiller.   It turned out well and has some of the Old Rasputin roasty notes with a big upfront sweetness.  Find me at a meeting for a sample.  Slainte!