I have only made one TOTW post since the inception of the idea a few months ago. I have been really busy and it only seems that my workload is going to increase. As such, I am going to be changing the TOTW to a once-a-month post (Topic/Tool/Technique of the Month (TOTM)).
With these posts going to once a month, I think that I will be able to better meet the obligations that I have set forth with our blog viewers. If anyone has any thoughts... comment!
Monday, December 28, 2009
Microsoft IIS ASP Extensions Security Bypass 0-day
This is a late post as I have been incredibly busy over the last two months (you can tell by the blog neglect :).
A vulnerability has been identified in Microsoft Internet Information Services (IIS) where the IIS server fails to properly handle files that have multiple extensions separated by a semi-colon ";" (filename.asp;.jpg). This could be used by an attacker to abuse poor file upload implementations. This vulnerability does not work with ASP.Net.
The Microsoft Security Response Center (MSRC) has made a blog post about the vulnerability.
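As an added illustration (not code from the post or from Microsoft), a Python upload-name check showing why a "last extension only" test accepts filename.asp;.jpg and how a stricter validator rejects it; the allow-list, the stem pattern and the helper names are my assumptions:

```python
"""Weak versus strict upload-name validation for the IIS ';' extension issue."""
import os
import re

# Assumed allow-list for an image upload form.
ALLOWED = {"jpg", "jpeg", "png", "gif"}


def naive_extension(filename: str) -> str:
    """Typical weak check: only look at the text after the final dot."""
    return filename.rsplit(".", 1)[-1].lower()


def naive_is_allowed(filename: str) -> bool:
    # Accepts 'filename.asp;.jpg' because the last extension is 'jpg'.
    return naive_extension(filename) in ALLOWED


# Stem may contain only a conservative character set (assumption).
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def hardened_is_allowed(filename: str) -> bool:
    """Reject path separators, semicolons and any second dot outright."""
    base = os.path.basename(filename)
    if base != filename or ";" in base or base.count(".") != 1:
        return False
    stem, ext = base.split(".")
    return bool(_SAFE_STEM.match(stem)) and ext.lower() in ALLOWED


def safe_stored_name(filename: str, random_token: str) -> str:
    """Name to store the upload under: a server-chosen token plus the
    single validated extension, so nothing user-controlled reaches disk."""
    if not hardened_is_allowed(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{random_token}.{ext}"


if __name__ == "__main__":
    for name in ("photo.jpg", "filename.asp;.jpg", "photo.asp.jpg"):
        print(name, naive_is_allowed(name), hardened_is_allowed(name))
```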
Tuesday, November 17, 2009
Metasploit Framework 3.3 Released
HD Moore made a blog post this morning about the release of Metasploit 3.3.
Here are some of the more notable feature enhancements (paraphrased from here):
- 446 exploits, 216 auxiliary modules, and hundreds of payloads.
- Windows payloads now support NX, DEP, IPv6, and the Windows 7 platform.
- More than 180 bugs were fixed since the release of version 3.2.
- Metasploit database functionality is enabled by default if a driver can be found and RubyGems is installed.
- Oracle and MS-SQL support has been integrated into the framework, including working exploits, and brute-force dictionary password guessing has been worked into the login modules.
- The payload encoding library can now embed Metasploit payloads into arbitrary executables.
- 64-bit support has been added for Windows and Linux platforms.
- Select payloads work with auxiliary modules and the database to select the right syscall numbers (making shellcode more adaptive) for each particular operating system revision.
- There is now support for JSP payloads.
- A simple fuzzer API has been integrated as a mixin including sample fuzzing modules.
- Support for the DECT COM-ON-AIR driver has been integrated into Metasploit.
- The Meterpreter can now capture network traffic from the compromised system.
The list goes on and on. I would suggest that you read the blog post if you want a more detailed description of some of the more major enhancements.
Wednesday, October 21, 2009
Rapid 7 Acquires Metasploit
HD Moore sent out an email this morning announcing that Metasploit has been acquired by Rapid7. He is going to join their team full time as their CSO. Some other project members will also be joining him at Rapid7 to work on the project full time.
HD has promised that the project will remain Open Source, and he feels that this move is the best move for the project in terms of freeing up his time and the time of others to make project improvements.
Personally, I have mixed feelings about this. I believe that we will see many new improvements to the framework as a result of this acquisition. At the same time, with Rapid7 now maintaining the rights to Metasploit, all the promises that have been made to HD are meaningless, as they can do as they wish with the project. I would predict that initially project control will still be under the supervision of HD, and in time his views of where the project should go will be overruled by the powers that be within Rapid7. Rapid7 is just like any other business: they are out to make money, and in the end this will drive the decisions that are made with regard to the project, not the security community.
There is talk about it everywhere and I am interested in seeing your comments.
You can read HD's email here.
You can read Rapid7's announcement here.
Friday, September 25, 2009
New Metasploit Payload Stager (windows/*/reverse_tcp_allports)
HD Moore made a blog post yesterday about a new Metasploit payload stager that was just added.
Taken from Metasploit Blog:
"The new payload stager (windows/*/reverse_tcp_allports) accepts the LPORT variable as a starting port, tries to connect to the host specified by LHOST, and if it fails, bumps the port up by one and starts all over again."
One use for this new payload stager is getting a reverse connection back to a machine under your control from an environment that does aggressive egress filtering. You could determine which ports are allowed outbound from the compromised system using the stager and some IPTables magic.
You can find the complete post with more information about the new payload stager, use syntax, and IPTables configuration example here.
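From the defender's side, the behaviour described above (retry the same host on the next port after each failure) leaves a recognisable trail in egress-deny logs. The following is an added example, not from the post or the Metasploit project; the log line format and the threshold are assumptions:

```python
"""Flag one internal host retrying one external host on consecutive ports."""
import re
from collections import defaultdict

# Assumed firewall deny-log format (constructed for this example).
LOG_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return ts, src, dst, int(dport)


def find_port_walks(lines, min_run=5):
    """Return [(src, dst, first_port, last_port, count)] for every run of at
    least `min_run` denied attempts on strictly consecutive destination ports."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, dport = rec
            attempts[(src, dst)].append((ts, dport))
    findings = []
    for (src, dst), events in attempts.items():
        events.sort()  # ISO-8601 timestamps sort lexically
        run_start = 0
        for i in range(1, len(events) + 1):
            # Extend the run while each port is exactly the previous one + 1.
            if i < len(events) and events[i][1] == events[i - 1][1] + 1:
                continue
            run_len = i - run_start
            if run_len >= min_run:
                findings.append((src, dst, events[run_start][1], events[i - 1][1], run_len))
            run_start = i
    return findings


# Constructed log: 10.0.0.5 walks ports 4444..4450 toward one external address;
# 10.0.0.9 is ordinary unrelated noise and must not be flagged.
SAMPLE_LOG = [f"2009-09-25T10:00:{s:02d} DENY src=10.0.0.5 dst=203.0.113.7 dport={p}"
              for s, p in enumerate(range(4444, 4451))] + [
    "2009-09-25T10:00:03 DENY src=10.0.0.9 dst=198.51.100.2 dport=25",
    "2009-09-25T10:00:20 DENY src=10.0.0.9 dst=198.51.100.2 dport=8080",
]

if __name__ == "__main__":
    for f in find_port_walks(SAMPLE_LOG):
        print("port walk: %s -> %s ports %d..%d (%d attempts)" % f)
```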
Sunday, September 13, 2009
Transmail - MBOX/Maildir Transactional Reporting Script
I wrote this script in response to a subpoena that I received requesting a transactional log of emails sent and received from a particular mailbox that was stored in MBOX/MailDir format. The script will go through an MBOX formatted file and put the date and time that the message was sent or received, the from address, to address, subject, the file that contains the mail entry, and the sha256 digest of the entry into a comma separated list for easy parsing. The output data can also be opened using common spreadsheet applications (Excel, Calc, etc.).
You can have the script traverse a MailDir directory structure using the find command (the type test is "-type f", with no dash before the f). Example:
find /home/USER/mbox -type f -exec perl transmail.pl '{}' \; > /tmp/USER_trans.csv
I would be interested in any other open-source tools out there that have similar functionality, or any improvements that readers make to the script. (Please comment).
You can download here.
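For readers who want the same report without Perl, here is an added Python re-implementation of the idea (not the author's transmail.pl): it walks an MBOX file with the standard mailbox module and emits one CSV row per message with date, from, to, subject, source file and a SHA-256 digest of the raw message. The sample mailbox is constructed for the example.

```python
"""MBOX to CSV transactional report: date, from, to, subject, file, sha256."""
import csv
import hashlib
import io
import mailbox
import os
import tempfile

FIELDS = ["date", "from", "to", "subject", "file", "sha256"]


def mbox_rows(path):
    """Yield one report row per message in the MBOX file at `path`."""
    for msg in mailbox.mbox(path):
        raw = msg.as_bytes()  # digest covers the full raw message, headers included
        yield {"date": msg.get("Date", ""), "from": msg.get("From", ""),
               "to": msg.get("To", ""), "subject": msg.get("Subject", ""),
               "file": path, "sha256": hashlib.sha256(raw).hexdigest()}


def mbox_to_csv(path):
    """Return CSV text (header plus one line per message) for the mailbox."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(mbox_rows(path))
    return out.getvalue()


# Constructed two-message mailbox standing in for a real MBOX file.
SAMPLE_MBOX = (
    "From alice@example.test Mon Sep  7 10:00:00 2009\n"
    "From: alice@example.test\nTo: bob@example.test\n"
    "Date: Mon, 07 Sep 2009 10:00:00 -0400\nSubject: Invoice\n\nbody one\n\n"
    "From bob@example.test Tue Sep  8 11:30:00 2009\n"
    "From: bob@example.test\nTo: alice@example.test\n"
    "Date: Tue, 08 Sep 2009 11:30:00 -0400\nSubject: Re: Invoice\n\nbody two\n"
)


def demo():
    """Write SAMPLE_MBOX to a temp file; return (rows, csv_text) for it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_MBOX)
    try:
        return list(mbox_rows(path)), mbox_to_csv(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo()[1])
```

Run it over a MailDir tree exactly as in the find example above by calling mbox_to_csv on each file.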
Updates this week
I had to fly out early to San Diego for SANS Network Security 2009 and will have a little bit of free time over the next couple of days.
I am hoping that I can get some good TOTW posts done (hopefully more than one to make up for my lack of posting :), and to possibly have the updated HoneyD web interface source posted. I also have some other miscellaneous scripts and tools that I need to clean up and get posted, so keep a lookout!
