The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS

WebCruiser - Web Vulnerability Scanner V2.4.1

Posted by — 2010-07-23T19:18:48-04:00

WebCruiser - Web Vulnerability Scanner, a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.

It can support scanning website as well as POC (Proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!

Key Features:
* Crawler(Site Directories And Files);
* Vulnerability Scanner: SQL Injection, Cross Site Scripting, XPath Injection etc.;
* SQL Injection Scanner;
* SQL Injection Tool: GET/Post/Cookie Injection POC(Proof of Concept);
* SQL Injection for SQL Server: PlainText/Union/Blind Injection;
* SQL Injection for MySQL: PlainText/Union/Blind Injection;
* SQL Injection for Oracle: PlainText/Union/Blind/CrossSite Injection;
* SQL Injection for DB2: Union/Blind Injection;
* SQL Injection for Access: Union/Blind Injection;
* Post Data Resend;
* Cross Site Scripting Scanner and POC;
* XPath Injection Scanner and POC;
* Auto Get Cookie From Web Browser For Authentication;
* Report Output.

System Requirement: Windows with .Net Framework 2.0 or higher

Download WebCruiser - Web Vulnerability Scanner

WATOBO Open Source Web Vulnerability Scanner

Posted by — 2010-07-23T17:01:21-04:00

As seen on the fantastic:

Peter Van Eeckhoutte's Blog

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. I am convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.

WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only. It works like a local proxy, similar to Webscarab, Paros or BurpSuite

Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.

Active checks instead will produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.

The functions of WATOBO:

Supports session management.
Detects logout and automatically takes a re-login.
Supports filter functions
Inline-Encoder/Decoder
Includes vulnerability scanner
Quick-scan for targeted scanning a URL
Full-scan to scan a whole session
Manual request editor with special functions
Session information is updated
Login can be done automatically
Transcoder
URL, Base64, MD5, SHA-1
Interceptor
Fuzzer
Free, Stable and Open source!
Script code easy to understand
Easy to extend / adapt
In real-world scenarios tested and developed
Speed / usability
Active and Passive checks
Runs under Windows, Linux, BackTrack, MacOS

All these great features and functions make WATOBO one of the top free web assessment tools.

You can download WATOBO here

As reported by peterve the original post at http://www.corelan.be:8800/index.php/2010/07/23/watobo-the-unofficial-manual/ [www.corelan.be:8800] contains a pdf file that explains how to set up and use watobo.

Metasploit Framework 3.4.1 Released

Posted by cdupuis — 2010-07-15T16:04:41-04:00

Downloads and more information at http://www.metasploit.com/

The Metasploit Project is proud to announce the release of the Metasploit Framework version 3.4.1. As always, you can get it from our downloads page, for Windows, Linux or as an OS-independent tarball.

This release sees the first official non-Windows Meterpreter payload, in PHP as discussed last month (http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html).

Rest assured that more is in store for Meterpreter on other platforms. A new extension called Railgun is now integrated into Meterpreter courtesy of Patrick HVE, giving you scriptable access to Windows APIs and an unprecedented amount of control over post-exploitation.

For those of you wishing to contribute to the framework, a new file called HACKING has been introduced that lays out a few guidelines for making it easier.

This release has 16 new exploits, 22 new auxiliary modules and 11 new Meterpreter scripts for your pwning enjoyment.

For more in-depth information about this release, see the 3.4.1 release notes at:

https://www.metasploit.com/redmine/projects/framework/wiki/Release_Notes_341

- The Metasploit Team

Call for Papers - Black Hat Abu Dhabi 2010

Posted by cdupuis — 2010-07-15T15:41:28-04:00

WHERE and WHEN:

Launched under the Patronage of His Highness Sheikh Mohammed bin Zayed Al Nahyan, Black Hat Abu Dhabi will take place on 8th to 11th November 2010 at Emirates Palace.

Black Hat has partnered with the UAE Telecoms Regulatory Authority to hold a three track, two day Briefings in Abu
Dhabi, the Middle East's first edition of the Las Vegas-based security summit.

WHAT:

The Call for Papers is now open at: https://cfp.blackhat.com/

Current number of speaking slots and the topics for them are:

2 talks on Physical Security
3 talks on Forensics
5 talks on Infrastructure
5 talks on Web Application Security
2 talks on Root Kits
3 talks on Hardware Hacking
2 talks on Cyber War and Legal Issues
3 talks on Cloud Security
2 talks on Attack Techniques
3 talks on Reverse Engineering

It should be a great time, we are trying to work out some cool things for the speakers to do. We have a lot of interest, from the top on down as you can see by the organizations supporting our first conference in the GCC countries.

We will go in with a full Black Hat experience, with all the tech and none of the vendor fluff. Let's see if the UAE market
can handle it! Black Hat Abu Dhabi will offer a full range of sessions,including ten training classes running on 8th and 9th November, followed by three briefing tracks running simultaneously on 10th and 11th alongside the exhibition.

We are going to make early selections of about a third is the session in the next couple weeks so we have something to market with. Interested? Submit!

Jeff Moss

Haking 9 SECURING VOIP July edition available for FREE download

Posted by cdupuis — 2010-07-15T15:37:51-04:00

Securing VoIP -- New ONLINE issue

DOWNLOAD FOR FREE CLICK HERE

See the full list of articles at
hakin9 website

Download 2009/2010 archives of Hakin9 magazine

Click here!

1st Open Backdoor Hiding & Finding Contest to be held at DEFCON 0x12

Posted by cdupuis — 2010-07-03T09:23:16-04:00

The CoreTex Team from Core Security is happy to announce the *1st Open Backdoor Hiding & Finding Contest* to be held at DEFCON 0x12 this year!

Hiding a backdoor in open source code that will be subjected to the scrutiny of security auditors by the hundredths may not be an easy task. Positively and unequivocally identifying a cleverly hidden backdoor may be extremely difficult as well.

But doing both things at DEFCON 0x12 could be a lot of fun!

If you liked to read about the exploits of C. Auguste Dupin, the devious Minister D. or even the n00b Prefect Monsieur G. [*] here's a chance to role-play all of them at DEFCON using your favorite coding and code auditing techniques.

Registration is now open at http://www.backdoorhiding.com

Questions, feedback, comments and general discussion at: https://forum.defcon.org/forumdisplay.php?f=520

Here are the details:

Quick intro

Two in one Backdoor Hiding/Finding Contest (participate in either or both): In the first stage, hiding participants provide a source code hiding a backdoor, in the second stage organizers mix the source codes with non-backdoored (placebos), and then ask finding participants to spot the placebos. Hiding participants get hiding points for being voted as a placebo and finding participants get points for spotting the placebos and negative points for false positives.

Contest Description

The contest includes two games: a backdoor hiding and a backdoor finding contest which are played simultaneously. The contest will be played in two rounds: a qualification round that starts before the conference and ends during the conference, and a second (smaller and shorter) round during the conference. Each round is a multi-player game, which is played in two stages. The timeline is included below.

Prizes will be announced shortly. We will give prizes for all those that get to the qualification round and special prizes for the winners of each contest.

Qualification round

Stage 1 (hiding): All participants registered for the backdoor hiding game are given a set of requirements for a software program. Before the deadline, they must submit the source code for a program that fulfills these requirements plus includes a backdoor. They must also send a description explaining how to exploit the backdoor.

Stage 2 (finding): There is new time to register for the backdoor finding game. All players registered are given a bundle with the different pieces of source code. To each bundle the organizers will add a few placebos (source codes that fulfill the requirements but should not include a backdoor). Before a deadline, the players must answer for each source code if they believe it includes a backdoor or not.

The winners of each game are the ones that accumulate the most points. There is a table for computing points (which can be positive or negative) for the finding contest (X points if it was voted as backdoor and had a backdoor, Y points if it was voted as backdoor and hadn’t a backdoor, etc.).

For the hiding contest, it’s simpler: each time one player’s source code was voted as non-backdoored, the player is given 1 point. The first participants of the backdoor hiding contest with the most points qualify for the second round.

Same with the finding contest.

Final Round

Stage 1: We provide a source code in C/C++ and describe the requirements it fulfills to all the players. We then describe an additional requirement, and players must write a patch to this source code such that all of the requirements are fulfilled and a backdoor is hidden in the code. They must also provide an explanation on how to use the backdoor.

Stage 2: Again, the organizers will add a few patches/source codes that fulfill the requirements but do not have backdoors. A jury composed of the winners of the hiding contest (1st stage), a small set of well-known security experts and the players of stage 1 (round 2) have 3 hours to cast their votes for each source code if it hides or does not hide a backdoor. Points are computed according to the same strategy as in the first round.

The contest is not restricted to any particular programming language. However, it is part of the instructions that the “work” was commissioned by a government that needs this software and will audit it. Hence, most players will stay away from non-mainstream programming languages since the non-backdoored programs will most probably be developed in C, C++, etc.

Timeline

-July 1, we open registration.
-July 19th, we open the 1st stage of the qualification round. Participants are allowed to register until before the July 29 deadline.
-Thursday July 29, 0hs, we stop receiving source codes. Registration for 2nd stage of the first round continues.
-Friday July 30th, 0hs, we open the 2nd stage of the qualification round: users are allowed to download the source code bundles; the site accepts votes (YES/NO)
-Saturday July 31st, 12hs, Registration and voting are closed. Shortly, we announce first round winners of the backdoor-hiding and backdoor-finding contests.
-Saturday July 31st, 16hs, we start the second (and final) round which will last less than two hours. Players have some time to write a patch for a given source code and include a backdoor.
-Saturday July 31st, 17:30hs, The eminence jury members (3-5 members, TBD), winners of the backdoor-hiding qualification round and the winners of the backdoor-finding qualification round are allowed to vote for the final round winner. They have 30 minutes.
-Sunday 1, 14hs. Winners are announced and prizes delivered in the DefCon Awards Ceremony.

Register now, have fun and see you at DEFCON-0x12 !

[*] C. Auguste Dupin, Minister D. and Monsieur G. are characters from the 1845 tale "The Purloined Letter" by Edgar Allan Poe
--
ariel, andres, Damian Saura, futo, ivan & pedro

The CoreTex team at Core Security Technologies

Protect yourself against ARP Poisoning attacks

Posted by cdupuis — 2010-06-08T14:39:20-04:00

Hi!

ArpON (Arp handler inspectiON) is a portable handler daemon that make Arp secure in order to avoid Arp Spoofing/Poisoning & co.
This is possible using two kinds of anti Arp Poisoning tecniques, the first is based on SARPI or "Static Arp Inspection", the second on DARPI or"Dynamic Arp Inspection" approach.

Features:

- It replaces Arpwatch & co; ArpON blocks;
- It detects and blocks Arp Poisoning/Spoofing attacks in statically configured networks;
- It detects and blocks Arp Poisoning/Spoofing attacks in dinamically configured (DHCP) networks;
- It detects and blocks unidirectional and bidirectional attacks;
- It manages the network interface into unplug, boot, hibernation and suspension OS features;
- Easily configurable via command line switches, provided that you have root permissions;
- It works in userspace for OS portability reasons;
- Tested against Ettercap, Cain & Abel, dsniff and other tools.

Links:

http://arpon.sourceforge.net
http://arpon.sourceforge.net/documentation.html
http://arpon.sourceforge.net/manpage.html
http://arpon.sourceforge.net/download.html

Thank you,

Andrea Di Pasqual

iPhone leak is getting bigger - Latest Update

Posted by cdupuis — 2010-06-07T07:50:00-04:00

As seen on the amazing web site of The H Security at:
http://www.h-online.com/security/news/item/iPhone-leak-is-getting-bigger-Update-1012575.html

Connecting an iPhone with Windows and iTunes allows a full backup of the device to be made.

The iPhone's data leak is even more extensive than initially assumed. In initial tests, encrypted and locked devices essentially only disclosed music and images. However, The H's associates at heise Security have now managed to connect an iPhone with iTunes under Windows and created a full backup, including such sensitive data as passwords in clear text.

The problem was initially discovered by Bernd Marienfeldt on an Ubuntu system. In that case the Ubuntu system displayed the various folders of a freshly booted iPhone although the phone was locked and had never had any contact with this Linux system before. A locked iPhone is supposed to refuse any communication with devices it doesn't know. However, if the iPhone is accessed while booting, this can frequently result in the phone pairing with unknown devices regardless of those protections. It appears that some system component hasn't finished booting when the connection request is made and, as a consequence, the iPhone's "lockdownd" daemon allows device pairing:

17:21:46 lockdown.c:818 lockdownd_do_pair(): ValidatePair success

The problem, though, is not with Linux or Windows, but with the iPhone. Using the same technique, heise Security also managed to pair a Windows Vista system with an iPhone. While with Linux only a few selected folders on the iPhone were displayed, Windows allowed full system access. For instance, it was no problem to create a complete backup using iTunes, including items such as notes, text messages and even plain text passwords.

Some text messages shouldn't be accessible by third parties

Pairing wasn't possible with all devices. What exactly it is that determines whether the iPhone accepts a connection request remains unclear. It certainly isn't determined by the device type, because heise Security managed to trick 3G systems as well as 3GS systems. At least in one case, unwanted pairing became impossible after the iPhone's information about already paired devices was deleted. Apple has not yet answered heise Security's questions about whether and when this problem will be solved.

Update: Hector Martin and a couple of developers of the Linux packages usbmuxd and libimobiledevice have done some further research on this issue. Martin has come to the conclusion that the problem only occurs if the iPhone was shut down from an unlocked state. During the wake up this state is restored and the device is "open" for a short period of time before the Springboard application wakes up and locks it down. This short period is sufficient for a pairing to occur that ensures permanent access. An iPhone that was shut down in a locked state does not accept the pairing – which corresponds to heise Security's observations. This reduces the risk somewhat, because a lost iPhone in a locked state cannot be tricked into pairing.

US authorities file charges against three scareware authors

Posted by cdupuis — 2010-06-07T07:42:28-04:00

As seen on the H Online mailing list:

31 May 2010, 10:55

The FBI has filed charges against three men[1] accused of raking in some $100 million from Internet users misled into buying scareware in more than 60 countries. Such software scares visitors into thinking their computers are infected with viruses or malware. These unfounded warnings are displayed when victims visit particular websites and they are then urged to purchase dubious anti-spyware and antivirus products; but the software does not usually have any actual function, and on installation merely reports successful disinfection of the PC – regardless of whether or not it was actually infected.

Such fraud[2] was essentially outlawed at the end of 2008, when the Federal Trade Commission (FTC) got a US court to prevent two manufacturers of scareware from continuing to sell their products. The three men now facing charges did business from the US and the Ukraine via such companies as "Byte Hosting Internet Services" and "Innovative Marketing"; the applications had such names as "Malware Alarm", "Antivirus 2008" and "VirusRemover 2008".

In its written statement on the charges, the FBI says that scareware is one of the fastest-growing types of fraud on the internet. Google also recently drew attention to the issue when it found[3] that some 15 percent of all malware is now scareware and that this percentage is still rising. Information on recognising scareware, protecting yourself from it and removing it can be found in the article "Thieves and charlatans[4]" on The H.

URL of this Article:
http://www.h-online.com/security/news/item/US-authorities-file-charges-against-three-scareware-authors-1011679.html

Links in this Article:
  [1] http://chicago.fbi.gov/dojpressrel/pressrel10/cg052710.htm
  [2] http://www.h-online.com/news/item/US-court-halts-the-sale-of-scareware-739313.html
  [3] http://www.h-online.com/news/item/Scareware-Nocebo-instead-of-placebo-979608.html
  [4] http://www.h-online.com/security/features/Rogue-anti-virus-products-746219.html

New Open-Source OS Will Feature 'Disposable' Virtual Machines

Posted by cdupuis — 2010-06-04T09:14:32-04:00

As seen on the great darkreading web site at:

http://www.darkreading.com/insiderthreat/security/app-security/showArticle.jhtml?articleID=225300299

New Open-Source OS Will Feature 'Disposable' Virtual Machines

Invisible Things Lab building secure OS that better locks down the VM environment

By Kelly Jackson Higgins, DarkReading
June 3, 2010
URL:http://www.darkreading.com/story/showArticle.jhtml?articleID=225300299

A new open-source operating system will come with the option of creating one-time, disposable virtual machines on the fly as a way to protect against malicious files.

Invisible Things Lab is creating these lightweight, throwaway VMs that work with traditional virtual machines in Qubes, the open-source, Xen-based OS it plans to release in beta later this summer. Qubes was architected to minimize the attack surface in the VM environment.

Disposable VMs don't provide persistent storage and are launched on a per-document basis to open a PDF, PowerPoint, or music or video file, for instance, according to Joanna Rutkowska, founder and CEO of Invisible Things Lab. They provide a safe sandbox for opening a file or attachment: If a file opened by a disposable VM is infected, the only thing it can hurt is the throwaway VM itself, not any other applications or files.

The disposable VM is clean, and its only purpose is for viewing the file, for instance; then it gets tossed away. "You still run your email client in a 'work' AppVM -- which is not disposable [because] you need to store your email client configuration, archived emails, your documents, etc. -- but you open attachments in disposable VMs," Rutkowska says.

Invisible Things Lab also plans to ultimately release a commercial version of the OS, Qubes Pro, that can run Windows applications using Windows-based application VMs.

"Our goal with Qubes is to make it usable not only by Linux geeks, but also by people like lawyers, doctors, businesspeople, and anybody who is concerned about potential compromise of their data," Rutkowska says. Making Qubes easy to use is one of our two main goals -- the other being exceptional security."

Rutkowska, who announced the disposable VM feature in a blog post this week, says the temporary VMs run under the Xen hypervisor in Qubes. Qubes' architecture helps prevent attacks where malware escapes from a VM and infects other applications or data.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.