Ask a Pentester - Recent questions and answers

Answered: How to know which CVEs affect my application?

Wed, 25 Jan 2012 20:09:40 +0000

Hello,

That is not that easy. You might want to find a vulnerability database which allows to find weaknesses affecting a specific product/version. The following databases allow a filter of this kind:

If you lookup your software in these databases, you might be able to get a list of all known vulnerabilities. Extracting IDs - and CVE too - is possible.

The limitations are, that not all vulnerability databases and/or contributors are providing the exact data. OSVDB is a good example: Althought the database structure is supporting clear identification of product name and version, most entries don't use these fields. This will cause a lot of false-negatives.

Regards,

Marc

Answered: Club Mate or Jolt Cola for Pen Testing?

Wed, 25 Jan 2012 05:05:11 +0000

Club Mate for sure.

Answered: What methodology you use in a pentest?

Wed, 25 Jan 2012 04:57:35 +0000

I use http://www.pentest-standard.org/index.php/Main_Page

Answered: What lab setup do you recommend real machines or virtual ones?

Wed, 25 Jan 2012 04:52:08 +0000

See my slide:

http://www.slideshare.net/firebits/c0c0n2010

Answered: LFI exploration files

Wed, 21 Dec 2011 10:21:54 +0000

I'm a big fan of the web fuzzing lists from the Fuzzdb:

http://code.google.com/p/fuzzdb/

http://code.google.com/p/fuzzdb/source/browse/#svn%2Ftrunk%2Fattack-payloads%2Flfi

also try this:

http://pastie.org/840199

Answered: Do you have any classes online you could recommend? Also, is there any certain degree in college I should get if I want to be a pentester?

Thu, 10 Nov 2011 07:13:35 +0000

I think you should have a look at the online training of Offensive Security (http://www.offensive-security.com). They have the WLAN training - WiFu, the typical pentesting training - PWB and one very advanced pentesting training CTB. If you have the possibility to choin them in the US you could also attend the most advanced training in exploit devel - AWE. You can also find lots of quite good trainings on the SANS webseite - https://www.sans.org/. have phun and good luck m-1-k-3

Answered: Entry level to Pen tester help

Fri, 21 Oct 2011 23:55:51 +0000

Thanks very much for your reply . I will take CCNA --> OSCP and then see how it goes from there , thanks agian appreciate it .

Answered: Could you recommend a ressource for images which have weak spots to learn more about Pentesting?

Fri, 09 Sep 2011 16:59:51 +0000

Wow, thank you, looks very good... :)

Answered: Can u suggest good exploit for Windows 7, like "ms08_067_netapi " in xp?

Sun, 14 Aug 2011 10:19:57 +0000

There's no magic exploit like the ms08_067_netaspi in Windows 7 or Vista. Even most of the Windows XP SP2 and above have got it patched these days .

What i try to do while pentesting is to look at the services running at the ports and try finding some of the exploits, if available for them.

Also, you could try focussing on Client Level Vuln while pentesting such as vulns in the flash player version, or adobe pdf reader or anything else your client is running.

Its not the path that matters more, all that matters is finding a way to get in.

Good Luck. :)

Answered: Do pentest tools slow down internet

Tue, 19 Jul 2011 11:23:41 +0000

Hello,

It depends on what kind of requests and responses are provoked by these tools. An high amount of data and/or connections may slow down certain network elements. For example my cheap D-Link router doesn't like a lot of concurrent connections (but has no problem with a single connection with a lot of bandwith usage). ZyWALL has a similar problem but only if QoS is enabled.

The best way would be to reproduce the problem by running the scanning utilities and analyzing the network traffic with a tool like Wireshark or tcpdump. If you see a slowdown, you might be able to determine the cause for this.

Regards,

Marc

Does Scapy support the LDAP protocol?

Thu, 07 Jul 2011 16:42:30 +0000

I'm new to Scapy and I can't find support for the LDAP protocol on it. Does anybody know if it's supported?

Maybe I need to install another package?

Thanks in advance!

what can we do with Local file download/ File download vuln. Windows ?

Sat, 02 Jul 2011 10:17:41 +0000

hi i want to know what are the security files which are imp. which lead it to hack the Server and get acess to CMD its on Server=Apache-Coyote/1.1

and i am able to download all files but not admin locked files so can anybody help me ?

Answered: What to learn first?

Mon, 27 Jun 2011 10:46:06 +0000

wow thanks, i have been learning python but just wante to make sure it was the right one. that python for grey hats is just what i need

Answered: Vulnerable Ports?

Mon, 27 Jun 2011 10:44:09 +0000

thanks very much, i saw the script earlier and tried it out its very good

Answered: What if you pentest someone who unkowingly to you lies that they have authority?

Mon, 27 Jun 2011 08:46:10 +0000

one thing you would expect is that he gives the the password first. then they try crack it. they shouldnt be giving anyone a password if they are not 100% sure they own the system in discussion. and a signed contract doesnt prove he owns it.

so i would say if thats how pentest companies work its their fault

Can any one help me to how to exploit windows 7?

Tue, 21 Jun 2011 07:39:46 +0000

hi cany any body help me how to exploit windows 7 ? i have tried it for last 3 months but no luck, i am new bee to metasploit pls help

thanx in advance!!

Answered: Identify HTTP or SSL running on non-standard ports

Fri, 17 Jun 2011 13:38:29 +0000

Hello,

We use the following Nmap NSE script to identify HTTP services[1]:

author = "Marc Ruef"
license = "(c) 2010 by Marc Ruef"
version = "1.0"
categories = {"default", "safe", "scip"}

require("http")

description = [[]]

portrule = function(host, port)
   if port.service == "http" and port.service ~= "ssl/http" and port.service ~= "https" and port.version.service_tunnel ~= "ssl" then
        return true
   elseif port.protocol == "tcp" and (port.number == 80 or port.number == 81) then
        return true
   else
        return false
   end
end

action = function(host, port)
   local response = http.get(host, port, "/")

   if response.rawheader ~= nil then
        sOutput = "Header:\n\n" .. stdnse.format_output(true, response.rawheader)
   elseif response.body ~= nil then
        if response.body ~= "" then
            sOutput = "Body:\n\n" .. response.body
        else
            sOutput = ""
        end
   else
        sOutput = "It was not possible to fetch a resource with a common http get request. This might be a false positive."
   end

   return sOutput
end

If you save this script in the scripts folder of your Nmap installation as webdetect.nse, you might want to use nmap -sS -sV --script=webdetect <target> to identify http servcies as quickly and accurate as possible.

Regards,

Marc

[1] http://www.scip.ch/?labs.20101119

Answered: What is the best book for learning Malware RE?

Thu, 12 May 2011 16:13:06 +0000

I think malware analyst's cookbook must be one of the best book for what you are looking.

But if you want much more sources to learn malware RE, you should seek informations about windows debugging, windows internals, or subjects like cracking software. All theses domains will bring you knowledge which is very usefull for malware RE

Answered: Can I scan for vulnerabilities with nmap?

Thu, 12 May 2011 16:09:45 +0000

As other people said, nmap NSE scripts are usefull to do vuln scanning.

But I think it's useless to do a huge base of NSE scripts just for trying to do vuln scanning, nmap is not a vuln scanning tool, just try to use another product (like nessus) to do this.

I think you should use each tool for what they have been created, instead of waiting for a lot of NSE scripts that reinvent the wheel.

Answered: Defensive Programming--Second Steps?

Wed, 04 May 2011 12:38:05 +0000

Hi,

I would say... ABSOLUTELY. Although a good start, it's not enough just the theory behind it.

By having compromised a system exploiting a programming error, your fingers will burn the moment you write a similar piece of code :)

This way could you not only reactively patch your code but spot some possible weakness before this code goes to production.

It's always better to have been on both sides of the fence... but you know this already :)

Hope this helps and good luck with your CS study!

Answered: How can I protect myself against Firesheep?

Tue, 05 Apr 2011 22:59:02 +0000

I leave my Wireless Network Connection disabled unless it's in use. When in use, I always tether to my Android phone, which provides a WPA2 connection that only I know the 52 character "graph" password to (and I change it every few days when it's convienient or I'm feeling compromised).

I don't connect to other networks, such as local networks or coffee shops (my Local Ethernet Connection is permanently disabled), and I find ways to access networks that I need access to in other ways.

Answered: has anyone ever done some sort of "Active Directory" forensics?

Tue, 05 Apr 2011 22:55:53 +0000

You could also utilize network signatures in an IDS such as Suricata (I prefer it over Snort and commercial ones).

You would need to build custom signatures. Have a look at this nmap NSE script (and the others it references) -- http://nmap.org/nsedoc/scripts/ldap-rootdse.html

If you could build a signature that captures these sorts of events, you'd be able to tell the src traffic that queries your AD infrastructure.

*** UPDATE ***

Oh crap -- check this out! -- http://ptresearch.blogspot.com/2011/04/backdoor-in-active-directory.html

Answered: Best (and updated) fuzzing tools?

Tue, 05 Apr 2011 22:52:11 +0000

PaiMei supports file fuzzing (along with code coverage!) and iSec Partners has a few file fuzzing tools (e.g. FileP and FileH) available on their website.

Microsoft also released one called MiniFuzz.

Symantec has built one called SEEAS, but it was never released to the public.

Answered: Tool / Method for unknown network binary protocol analysis?

Tue, 05 Apr 2011 22:50:39 +0000

Using Autodafe is described in "Gray Hat Hacking, Third Edition" (recently just came out!) under the SCADA hacking section.

There is also a great guide that discusses how to use The Peach Fuzzing Frameworks' peachshark along with Wireshark in the book "Hacking Exposed Windows, Third Edition".

If the protocol is MSRPC, it may be a little more difficult, but there are tools out there such as this one: http://wiki.austinhackers.org/2006-11-29-0x0003

You may want to try the ProxyFuzz script included with taof before anything else, as it if finds something -- then you are golden right away with almost no configuration or advanced fuzzing. If not, then you might want to move to reversing the application on both sides (client and server) and establishing your own rules about their protocol use. EFS (as shown in the last chapter of "Open-Source Fuzzing Tools") is a great way to utilize PIDA (Python IDA) files to do a lot of this work for you, as is CatchConv (a Valgrind plugin), also described in that chapter.

Ideally, you would want to understand both the runtime and static (i.e. deadlist) views of the target apps including their infrastructure. Different tools call for different measures. You can dump your DRAM. You can hook system or library calls that access the network. You can locally proxy a network connection. You can attach debuggers, software/system-call/library-call tracers, or fault-monitors of various types. You can run it through emulation, or inside a virtual machine. You can watch CPU registers. You can trace instructions or functions. You can implement dynamic binary instrumentation to insert your own code into the code, in order to understand the baseline code better.

Some of this is dependent on the level of indirection you're working with. Is it managed code? Does it implement its own virtual machine or p-code? Is it a PE or ELF file? Can you identify how the program is installed, and what files and registry settings it affects when installed? Does it install any protocol handlers (ViewPlgs.exe may help)? Does it register or call any services? What libraries does it depend on? Does it contain any strings in the binary that appear to be banned functions (you can do this using BinScope under Windows)? Do you have debugging info, or is the binary stripped? Do you have a symbol table, or can you identify them or download/import them? Does the code contain any easily identifiable or interesting components (you can use signsrch to help with this)? Can you inject shared libraries and what is their affect? Is the binary or its source code using any self-modifying or self-checking code (again, signsrch may help here)? Is there an underlying protocol with a known specification (e.g. IETF RFC) available, or can it be elicited or reverse engineered easily?

If you've come this far with a few conclusions (but no results), you will need to design a methodology for code audting. I suggest checking out chapter 4 of "The Art of Software Security Assessment" in order to learn about external flow sensitivity and tracing direction. You'll probably want to consume all of the information available here -- http://pentest.cryptocity.net/reverse-engineering/

Answered: hey guys....is their any documentation on XSSF for metasploit?

Tue, 05 Apr 2011 22:45:23 +0000

This is the best resource about how to accomplish installing XSSF with Metasploit:

http://securitystreetknowledge.com/?p=445

Answered: SVN update via a web proxy?

Tue, 05 Apr 2011 22:43:46 +0000

You can setup your own rouge git or svn server inside a company/organization that has a pedantic firewall configuration by using chownat

Answered: Wget download ONLY PHP file

Tue, 05 Apr 2011 22:40:57 +0000

The easiest way to grab a PHP file if you do not already have access to the web server is to either brute-force SSH/etc access (depending on open ports available on that server) or to find a file read inclusion vulnerability, PHP eval vulnerability, or a SQL injection vulnerability that allows for, say, a MySQL load file operation.

Shortcuts:

./fimap.py -v 3 -u "http://owaspbwa/mutillidae/index.php?page=index.php" -b -x

./wapiti.py http://owaspbwa/peruggia/ -v 2 -b folder -f txt -o p2.txt -m "-all,blindsql,sql"

./sqlmap.py -v 6 --delay=0 --predict-output --keep-alive --null-connection --dbms=MySQL -u "http://owaspbwa/peruggia/index.php?action=comment&pic_id=1" -p pic_id --level 5 --risk 3 --sql-query="load_file('/var/www/peruggia/index.php')"

./sqlmap.py -v 6 --delay=0 --predict-output --keep-alive --dbms=MySQL -u "http://owaspbwa/peruggia/index.php?action=login&check=1" --data "username=a" -p username --level 5 --risk 3 --sql-query="load_file('/var/www/peruggia/index.php')"

Answered: THE question: CEH or OSCP?

Tue, 05 Apr 2011 22:33:14 +0000

CREST Team Leader / Team Member

Answered: Which guide would you recommend to understand Backtrack

Tue, 05 Apr 2011 22:23:03 +0000

There is a book coming out soon on BackTrack -- http://www.amazon.com/BackTrack-Assuring-Security-Penetration-Testing/dp/1849513945/

SAP security research, first steps?

Tue, 18 Jan 2011 09:17:46 +0000

Hi everyone,

I would like to start learning and experimenting with SAP security because... well, because one can do a lot of money in the field, I've heard ;)

Unfortunately I find it quite difficult to get either SAP software or documentation.

Could anyone please give me some advice?

I would appreciate it very much!

Rey Misterio

Could anybody explain me how does a "bit flipping" attack work?

Wed, 05 Jan 2011 13:29:11 +0000

Hi,

I'm auditing a custom web application for a customer, concretely the crypto part of it. I've managed to get some encrypted data in transit from a client browser to the webserver. Since I know the format of the cleartext (it's documented) a colleague suggested that we could try a "bit flipping" attack.

I've read about it online but I don't quite grasp it.

Could anybody please explain it to me (with as little algebra as possible? ;))

Thanks in advance!

Rey Misterio

About "NOP" slides in JS Heap Overflows

Sun, 12 Dec 2010 14:55:06 +0000

I don't understand how 0x0c0c can be used as a "NOP" slide in Javascript's Heap Overflows. Can anybody please explain it to me?

Thanks in advance! :)