Thursday, January 30, 2014

[How to] DLL Hijacking + tool + Attack example

DLL Hijacking is really a simple concept.

Applications load external code via DLLs (Dynamic Link Libraries). DLL hijacking is a technique in which malicious code is executed inside an application by getting it to load a malicious DLL that carries the same name as a DLL the application expects, from a location the loader checks before the legitimate copy.

Whether an application is vulnerable depends on how it references its DLLs. One example is loading a DLL by bare file name (for example LoadLibrary("foo.dll")) instead of by absolute path, which hands the lookup to the search order below. Another is building the path from an environment variable that may not be set, in which case the lookup falls back to a path relative to the running application. A third, very common case is a DLL the application probes for but that is not present on the system at all: every directory in the search order is tried, so a copy planted in the current directory or on the PATH is what gets loaded.

Which copy wins is decided by the system's DLL search order. From MSDN:

If SafeDllSearchMode is enabled, the search order is as follows:
  1. The directory from which the application loaded.
  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the search order is as follows:
  1. The directory from which the application loaded.
  2. The current directory.
  3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

More details: see the MSDN article "Dynamic-Link Library Search Order".

Here you can see a simple attack using Metasploit :)

DllHijackAuditor, a tool for checking whether an application is affected by this vulnerability, can be found here.

What about protection?
On older versions of Windows (2000, and XP before SP2, where it is disabled by default) you can enable SafeDllSearchMode by setting this registry DWORD value to 1:

          HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
From msdn.microsoft.com: Safe DLL search mode is enabled by default starting with Windows XP with Service Pack 2 (SP2). 
I have Windows 7 Pro with all updates installed and I don't have this feature activated :(

While you are waiting for software patches there are a couple of things you can do to limit your exposure to DLL hijacking attacks.

Deploy the CWDIllegalInDllSearch Fix

Microsoft's initial response to this class of vulnerabilities was a registry value, CWDIllegalInDllSearch (KB2264107), that changes how the current working directory is treated when DLLs are loaded dynamically: 0xFFFFFFFF removes the current directory from the search order entirely, 2 blocks loads from it when it is a remote location (UNC or WebDAV), and 1 blocks them only when it is a WebDAV location. Deploy the fix carefully, since applications that legitimately load DLLs from the current directory will break, but it is worth testing if you are concerned about this attack vector. You can read up on the fix here.
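To make the two search-order lists above and the effect of the CWDIllegalInDllSearch value concrete, here is a small Python model of the resolution, added for this post; it is not code from the original post, from Microsoft or from DllHijackAuditor. The directory layout, the planted files and the \\attacker\share working directory are constructed test data, and cwd_illegal=True models only the 0xFFFFFFFF setting (current directory dropped from the search). KnownDLLs, manifests and SetDllDirectory are deliberately out of scope.

```python
"""Model of the Windows DLL search order for a DLL given by bare name.

Added illustration with constructed paths; not code from the original post,
from Microsoft or from DllHijackAuditor. KnownDLLs, manifests and
SetDllDirectory are out of scope.
"""
import ntpath

# Assumed directory layout for the illustration (not real machine state).
APP_DIR = r"C:\Program Files\VictimApp"
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows", r"C:\Tools"]
TRUSTED_DIRS = {APP_DIR, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR}


def search_order(cwd, safe_mode=True, cwd_illegal=False):
    """Directories the loader walks, in order, for a DLL given by bare name.

    safe_mode   -- SafeDllSearchMode (default since XP SP2): the current
                   directory moves from 2nd place to 5th.
    cwd_illegal -- CWDIllegalInDllSearch = 0xFFFFFFFF: the current directory
                   is dropped from the search altogether.
    """
    system_dirs = [SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    if safe_mode:
        order = [APP_DIR] + system_dirs + [cwd]
    else:
        order = [APP_DIR, cwd] + system_dirs
    order += PATH_DIRS
    if cwd_illegal:
        order = [d for d in order if d != cwd]
    return order


def resolve_dll(name, existing_files, cwd, safe_mode=True, cwd_illegal=False):
    """Return (directory, full_path) of the copy the loader would pick, or None.

    existing_files -- set of full paths that exist on the modelled system.
    """
    if ntpath.isabs(name):  # an absolute path skips the search entirely
        return (ntpath.dirname(name), name) if name in existing_files else None
    for directory in search_order(cwd, safe_mode, cwd_illegal):
        candidate = ntpath.join(directory, name)
        if candidate in existing_files:
            return directory, candidate
    return None


def untrusted_load(hit):
    """True when the copy that would be loaded lives outside the trusted set."""
    return hit is not None and hit[0] not in TRUSTED_DIRS


def demo():
    """Constructed scenario: the victim opened a document from an attacker's
    share, so that share is the current directory.

    Returns {(setting, dll_name): (path_that_loads, hijacked)}.
    """
    cwd = r"\\attacker\share"
    existing = {
        ntpath.join(SYSTEM_DIR, "helper.dll"),  # legitimate copy
        ntpath.join(cwd, "helper.dll"),         # planted copy of an existing DLL
        ntpath.join(cwd, "optional.dll"),       # planted copy of a DLL the system lacks
    }
    settings = {
        "safe": dict(safe_mode=True),
        "unsafe": dict(safe_mode=False),
        "unsafe+cwdillegal": dict(safe_mode=False, cwd_illegal=True),
    }
    results = {}
    for label, kw in settings.items():
        for name in ("helper.dll", "optional.dll"):
            hit = resolve_dll(name, existing, cwd, **kw)
            results[(label, name)] = (None if hit is None else hit[1],
                                      untrusted_load(hit))
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

Running it shows the two things worth remembering: SafeDllSearchMode only protects a DLL that actually exists in a system directory, and a DLL the application probes for but the system lacks is still picked up from the current directory (or from the PATH) with the safe order in place. Only removing the current directory from the search, or fixing the application to load by absolute path, closes that case.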

Block Outbound SMB (and WebDAV) at the Perimeter

The remote form of this attack needs the victim to open a file from an attacker-controlled share, so that the share becomes the application's current directory. Blocking outbound TCP 139 and 445 at the perimeter closes the SMB route; most organizations should be doing this already, and it also helps against a few other types of attacks. The WebDAV route runs over HTTP, so it needs the WebClient service disabled or WebDAV blocked separately.

Uninstall the Vulnerable Software

This may not always be feasible, but if you are running a vulnerable application that is easily replaceable then the secure thing to do is make the switch.

Deploy Intrusion Detection Software

In some cases you simply won’t be able to mitigate the attack properly. The best you can then hope to do is catch the attacker during post-exploitation. Something like Snort is free (less the cost of the hardware) and does a really good job of detecting signatures of post-exploitation activity that might occur after someone has exploited a vulnerable machine.


The advent of so many DLL hijacking vulnerabilities presents an interesting scenario because it’s not easily fixable by an operating system patch and it affects so many widely used applications. The best you can really do is to be sure you are educated and aware of how the vulnerability works, how to test if it exists on applications running in your network, and how to get the right information to the people who can issue a patch to fix it. This time, we all get to play the part of security vulnerability researcher.

Tuesday, January 28, 2014

A modern GNU/Linux firewall | Application layer firewall

Douane is a modern firewall that filters outgoing network traffic per application, in order to protect your privacy by controlling the information leaving your GNU/Linux machine. At the moment it only works on Ubuntu/Debian.

The built-in features available in Douane

Simple as answering a question

As soon as you have access to a network, applications will try to send information out. Behind your traffic (emails, social networks, online videos, ...) you will discover some activity that you did not expect. Douane blocks all unknown traffic and lets you decide whether to allow it or not via a dialog box. Clicking the Allow or Deny button creates the rule for you.

A single place to control Douane

This is the control panel. 

It will allow you to start and stop the firewall, to enable/disable the firewall autostart at boot, let you configure the rules and keep you informed by showing you the latest tweets!

My experience with installation on Ubuntu

1) add repository
sudo apt-add-repository ppa:zedtux/douane

2) update sources
sudo apt-get update

3) download latest stable version from github
*the repository only has a testing version, and for me it doesn't work


4) install douane-configurator
sudo apt-get install  douane-configurator

5) reboot your system and enjoy it :)


Best regards

Tuesday, January 14, 2014

[How to] Debugging python script step-by-step

You can find many solutions for this, but a quick one is:

1) As simple as adding one line to your script at the point where you want execution to stop:

import pdb; pdb.set_trace()

That drops you into the interactive (Pdb) prompt when that line is reached: n steps to the next line, s steps into a call, p name prints a variable, l lists the surrounding source and c continues. (A bare import pdb on its own does nothing; the set_trace() call is what starts the debugger.) To step through a script from its first line instead, run it as python -m pdb script.py.

2) winpdb - a platform-independent Python debugger. You can find a tutorial here.
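As an added example (not from the original post or its linked source), here is the step-by-step session driven from code instead of the keyboard: pdb.Pdb accepts its commands from any file-like object, so the same next, p and return commands you would type at the (Pdb) prompt can be scripted and their output captured, which is also how you put a debugger session into a test. The function being debugged, buggy_average, is a constructed example with a deliberate off-by-one so that there is something to find.

```python
"""Scripted pdb session: drive the debugger with the commands you would type.

Added example, not code from the original post. buggy_average is a
constructed function with a deliberate off-by-one in the divisor.
"""
import io
import pdb


def buggy_average(values):
    total = 0
    for v in values:
        total += v
    return total / (len(values) - 1)  # bug: should divide by len(values)


def debug_session(commands, func, *args):
    """Run func(*args) under pdb, feeding `commands` as if typed at (Pdb).

    Returns (result, lines): the function's return value and the debugger's
    output, one entry per line with the "(Pdb) " prompt stripped so that each
    response to a `p` command is a line of its own.
    """
    out = io.StringIO()
    script = "".join(cmd + "\n" for cmd in commands)
    debugger = pdb.Pdb(stdin=io.StringIO(script), stdout=out,
                       nosigint=True, readrc=False)
    result = debugger.runcall(func, *args)
    lines = [ln.replace("(Pdb) ", "") for ln in out.getvalue().splitlines()]
    return result, lines


def find_off_by_one():
    """Step through buggy_average, look at `total`, run to the return and
    compare the returned value with the expected mean of the input."""
    commands = [
        "next",          # execute `total = 0`
        "next",          # execute the `for` header
        "p total",       # prints 0
        "return",        # run until buggy_average returns ("--Return--")
        "p __return__",  # prints 3.0 (pdb stores the return value here)
        "p total",       # prints 6
        "continue",
    ]
    values = [1, 2, 3]
    result, lines = debug_session(commands, buggy_average, values)
    return {
        "result": result,
        "expected": sum(values) / len(values),
        "saw_return": "--Return--" in lines,
        "total_at_start": "0" in lines,
        "total_at_end": "6" in lines,
    }


if __name__ == "__main__":
    for key, value in find_off_by_one().items():
        print(f"{key}: {value}")
```

The same commands typed by hand after a pdb.set_trace() at the top of buggy_average give the same session; scripting them just makes the walkthrough repeatable.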

First solution source

Best regards

Monday, January 13, 2014

HTTPie - a CLI, cURL-like tool for humans.

HTTPie is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized responses. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.


The latest stable version of HTTPie can always be installed or updated via pip (preferred) or easy_install:

$ pip install --upgrade httpie


$ easy_install httpie

World’s Best 50 Firefox Pentesting AddOns

We believe we have made the world’s most comprehensive penetration testing browser addons list. If you feel otherwise then please let us know in the comments below.

If you are a pentester, ethical hacker or work in the IT security information space then you obviously need tools to perform penetration tests. There are a million different tools out there – all of which essentially fall under one of these categories:

Password cracking tools, such as ophcrack and John the Ripper
Network scanning software, such as the legendary Nmap or NetScanTools
Network vulnerability scanning tools, with a good example being QualysGuard
Network analyzer software, Cain & Abel, Wireshark and OmniPeek
Wireless network analyzer and software, such as Aircrack-ng and CommView
File search software (mainly for forensics), an example being FileLocator Pro
Web application vulnerability scanning software, for example Acunetix and WebInspect
Database vulnerability security scanning software, like SQLPing3 or AppDetective
Exploit software with a solid example being the age-old proven and tested Metasploit

As an information security professional, knowledge of how to use these tools is obviously a critical skill you must have.

If you are just starting your career and are studying an IT security certification then you will have to learn how to use these tools effectively. A solid plan is to become familiar with a Linux pentesting security distro – of which there are many.

OK! So we all love Firefox right? Good – because this list came from their addons section!

1. Access Me
The first tool on our list is “Access Me”, which tests web applications for access-control vulnerabilities: it resubmits recorded requests without the session cookie and with alternative HTTP methods to see whether resources can be reached without being authenticated. In short, Access Me is used to test for access vulnerabilities.

2. JavaScript Deobfuscator
This pentesting addon shows you what JavaScript is running on a page, even if it is obfuscated and generated on the fly. Simply open JavaScript Deobfuscator from the Firefox Tools menu and watch the scripts being compiled or executed. Note that while this addon is enabled all code will run slower, so you are best advised to only turn it on when you need it.

3. SQL Inject ME
Good ole SQL Injection vulnerabilities can cause a lot of damage to a web application, as any good pentester will tell you. A malicious user can possibly view records, delete records, drop tables and basically go ahead and gain access to your server. SQL Inject Me tests for exactly this, SQL Injection vulnerabilities.

4. FoxyProxy
FoxyProxy is old hat, having been around for a while now. There is tons of help on setting this up – just hit up YouTube and take a look. For the complete newbies reading this, FoxyProxy is an advanced proxy management tool that replaces Firefox’s own proxying capabilities (which are pretty limited). There are others out there, such as SwitchProxy, QuickProxy or the infamous TorButton.

5. Key Manager
This pentesting tool allows for key generation, certificate enrolment and authority delegation. In summary, it lets you inspect the keys and certificates stored by Firefox and generate your own keys.

6. Selenium IDE
Got to be honest about this one, we don’t know too much about it. More detailed info here about Selenium IDE, but what we can tell you is what we read elsewhere, i.e. that this addon “is an integrated development environment for Selenium scripts. It is implemented as a Firefox extension, and allows you to record, edit, and debug tests.”

7. CookieSwap
This addon does exactly what its name suggests. From a pentester's point of view, being able to swap your cookies lets you identify and understand how sites treat you differently depending on who you are. For example, if a travel site recognizes you as a returning customer it gives you a page showing similar flight choices. Google uses ‘Personalized Search’, modifying search results based on your identity, so if you have a Google account you’ll be treated to a ‘Personalized Search’. CookieSwap lets you step out of that identity. Quite a nice tool for those interested in SEO, since search engine results can differ.

8. FoxySpider
FoxySpider is a web crawler! This tool scrapes websites to find what you want. The tool can scan for videos, images, PDF’s etc. FoxySpider displays the located items in a well-structured thumbnail gallery for ease of use.

9. Open Source Vulnerability Database Search
This addon searches the Open Source Vulnerability Database (OSVDB) and gives you known security vulnerabilities. The community is great and stemmed from the Black Hat conferences. This is one of the best addons in our opinion.

10. Tamper Data
Tamper Data acts as a proxy in a MITM way, inserting itself between the user (client) and the web site or application. It lets the IT security professional inspect and modify all elements of HTTP, especially the GET and POST parameters, free of the constraints the browser's user interface normally imposes; any check done only on the client side can be bypassed this way.

11. Domain Details
Its name says it all – this is a nice and simple addon because it displays the server type, headers, precise IP address and location, and whois.

12. Live HTTP Headers
If you're interested in headers then also take a look at Tamper Data (a few above this one). Live HTTP Headers shows the headers of the actual page or application that you are browsing.

13. URL Flipper
URL Flipper allows the pentester to increment or decrement a section of a URL without having to manually edit the string in the location field within Firefox.

14. Greasemonkey
This is a classic and a very popular addon – which allows you to manipulate a web page by using small bits of JavaScript.

15. PassiveRecon
PassiveRecon gives IT security professionals the ability to perform “packetless” discovery of target resources using publicly available information. Use it together with the Open Source Vulnerability Database Search for maximum effect.

16. User Agent Switcher
The User Agent Switcher allows the switching of user agent data of a browser.

17. Groundspeed
Groundspeed allows security testers to manipulate the application user interface to eliminate possible limitations and client-side restrictions that interfere with penetration testing.

18. Poster
This tool allows you to interact with web services and other web resources by showing HTTP requests, entity body commands, and content type. See also Live HTTP Headers.

19. Firebug
Probably the best known addon in our 2013 Concise Courses Pentesting Firefox addon list. This addon works well for developers, designers and Security Professionals equally since the user can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. It is one of those apps that once you get started with it you’ll always use it.

20. HackBar
This is one of our most highly recommended addons for Firefox. HackBar is not an exploitation tool – rather, it helps with your workflow. This toolbar helps you test for SQL injection, XSS holes and overall site security.

21. RESTClient
Similar to Live HTTP Headers, RESTClient supports all HTTP methods RFC2616 (HTTP/1.1) and RFC2518 (WebDAV). You can construct custom HTTP requests.

22. Wappalyzer
Wappalyzer identifies software on websites. Again, can be used with Open Source Vulnerability Database Search.

23. Host Spy
Useful if you want to know if your neighbour is spitting out spam since you can see who is on the same IP as you are.

24. Firecookie
Firecookie works alongside Firebug. Rather similar to CookieSwap, this addon creates and deletes cookies.

25. HttpFox
Got to love this one. If you like Wireshark then this addon is your friend. HttpFox monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers.

26. RefControl
You are able to create a list of sites, and the referrer that should be sent for each site. You can select to send that referrer unconditionally or only for third-party requests. Alternatively, you can specify the default behavior for any site not on your generated list.

27. XSS-Me
XSS-Me is a security pentesting exploitation tool designed to test for Cross-Site Scripting (XSS). The addon looks for possible entry points for an attack against a system.

28. XSSed Search
Related to the addon above, this allows for the searching of cross-site scripting vulnerabilities at the XSSed database.

29. Firesheep
This addon got a lot of publicity. It demonstrates HTTP session hijacking (an attacker getting hold of a user’s session cookie). There is a similar tool called FaceNiff for Android. Because session cookies travel in clear text over unencrypted HTTP, this packet sniffer can capture them on a shared network and lets the pentester take over the logged-in session of the victim.

30. JSview
JSview allows you to access all Javascript.

31. NoScript
Probably the best known addon within this list – NoScript provides massive protection to Firefox by denying JavaScript, Java and other executable content. This protects against cross-site scripting attacks (XSS), cross-zone DNS rebinding / CSRF attacks (router hacking), and Clickjacking attempts. Pretty cool.

32. Proxybar
Similar to FoxyProxy. The user can change proxy.

33. Cookie Watcher
This tool probably helps the developer more than the pentester – because it can quickly wipe ‘session’ cookies. The main purpose of this though is to help identify cluster nodes by cookie values.

34. WOT
Another highly popular addon. The Web of Trust shows you “trusted sites” – from a pentesters point of view it allows for a snapshot of the credibility of backlinks or otherwise.

35. Google Site Indexer
This tool generates site maps based on Google queries which can be useful for both Penetration Testing and Search Engine Optimization. The tool sends zero packets to the host making it anonymous.

36. refspoof
Allows referrer spoofing: a request is made to appear to originate from any site by overriding the Referer header in the HTTP request.

37. ShowIP
Shows the IP of the current page in the status bar. Also bundles info like hostname, ISP, country and the city.

38. Packet Storm search plugin
This allows the ethical hacker or pentester to search the packet storm database for exploits, tools and advisories.

39. Offsec Exploit-db Search
Allows for the ability to search the Exploit-db Archive – similar to the Open Source Vulnerability Database Search addon.

40. Security Focus Vulnerabilities Search Plugin
Allows for the ability to search the Security Focus – similar to the Open Source Vulnerability Database Search and Exploit-db Archive addons.

41. Cookie Watcher
Watch the selected cookie behavior direct in the status bar.

42. XML Developer Toolbar
This addon allows for XML Developer standard tools from within Firefox.

43. CipherFox
CipherFox allows you to view the specific SSL cipher that is being used to encrypt connections to a web site. The addon displays the keysize of the cipher and also allows for RC4 to be disabled.

44. FlagFox
Similar to ShowIP, this addon displays a country flag for the location of a web server and other useful information.

45. ViewStatePeeker
ViewStatePeeker decodes and displays the viewstate contents of an *.aspx page.

46. CryptoFox
CryptoFox is an encryption/decryption addon that also tries to crack MD5 hashes (a dictionary lookup: MD5 is a hash, not encryption, so there is nothing to decrypt). Useful for pentesters and those working in IT security.

47. Server Spy
As the name suggests, this addon tells you the technology of the web server (Apache, IIS, etc.) of the client you are working for.

48. Default Passwords
This addon searches the CIRT.net default password database.

49. Snort IDS Rule Search
This addon works with Snort’s open source network-based intrusion detection system (NIDS) which can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Take a look at HttpFox if you are interested in this.

50. Header Spy
Similar to Live HTTP Headers – this addon shows HTTP Headers live on the status bar.

In summary
All these addons are really helpful. If you developed one of the addons within our list we’d love to hear from you. If we missed any out please get in touch with us!

We used Firefox as our browser of choice since we feel that it is the best loved amongst hackers – possibly because of its plug-in friendly design.


Wednesday, January 8, 2014

[How-to] New life to deprecated Apple device - Whited00r

All-new iOS7 look and feel.

Whited00r 7 brings the look and feel of iOS7 to older devices no longer supported by Apple. Our firmware has been engineered to replicate iOS7 down to the smallest detail. Whited00r's first priority is speed. None of the modifications Whited00r makes to your device will slow it down.

I'm not an Apple fan, but I have some devices, one of them an iPod Touch 1G (2008). It has not been supported by Apple since around 2010, so I stayed on version 3.1.3, the last official version from Apple; but since I started from 1.1.1 that's not bad :)

On Android we have many custom ROMs for devices that are no longer supported, such as CyanogenMod, AOKP, etc...

But here it is more difficult, though we have a good solution :)

I tried Whited00r before and it worked very well, so I have just finished updating to the latest version, WD7

Source: whited00r.com

Add the Needed Repositories for Kali Linux

In this article I will show you how to add the needed repositories for Kali Linux.

As you may know, Kali is a penetration-testing Linux distribution based on Debian, developed by the BackTrack team (Offensive Security).

To add repositories, open the /etc/apt/sources.list file in your favourite text editor as root, and paste the following lines:

$ gksudo gedit /etc/apt/sources.list

Paste this:

deb http://http.kali.org/kali kali main contrib non-free
deb-src http://http.kali.org/kali kali main contrib non-free
deb http://security.kali.org/kali-security kali/updates main contrib non-free
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free

# Optional and unstable: development snapshots and bleeding-edge builds.
# apt installs the newest version it finds in any enabled suite, so mixing
# these with the stable "kali" suite can break installed tools. Leave them
# out unless that is what you want.
deb http://http.kali.org/kali kali-dev main contrib non-free
deb-src http://http.kali.org/kali kali-dev main contrib non-free
deb http://repo.kali.org/kali kali-bleeding-edge main

Two lines that circulate with this list, deb http://http.kali.org/ /kali main contrib non-free and the same with /wheezy, are malformed (the suite name is in the wrong place, and wheezy is a Debian suite, not a Kali one) and have been left out, as have the main/debian-installer lines, which are only used by the installer.

Save and update the system:

$ sudo apt-get update

Now you are ready to go. Note that these are the Kali 1.x repositories as of early 2014; current Kali releases use a single kali-rolling suite, so check the official Kali repository documentation before pasting anything into sources.list.
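Before running apt-get update it is worth checking what was pasted. The checker below is an added example (not from the original post or from the Kali project) that parses one-line-style sources.list entries and flags the mistakes a copied list tends to carry: a suite that begins with /, a missing component list, a suite that is not a Kali suite on a Kali mirror, and the stable kali suite mixed with kali-dev or kali-bleeding-edge. SAMPLE_BAD is a constructed copy of the widely circulated list including its two malformed lines, and the set of known Kali suites is an assumption of this example.

```python
"""Lint an apt sources.list for the mistakes a copied Kali list tends to carry.

Added example, not code from the original post or from the Kali project.
KNOWN_KALI_SUITES is an assumption of this example.
"""
import re

KNOWN_KALI_SUITES = {"kali", "kali/updates", "kali-dev", "kali-bleeding-edge",
                     "kali-rolling"}
UNSTABLE_SUITES = {"kali-dev", "kali-bleeding-edge"}
URI_RE = re.compile(r"^(https?|ftp|file|cdrom|copy)://\S+$")
OPTIONS_RE = re.compile(r"\[[^\]]*\]")   # "[arch=amd64 ...]" after deb/deb-src

# Constructed copy of the widely circulated 2014 list, kept here as test input.
SAMPLE_BAD = """\
deb http://http.kali.org/ /kali main contrib non-free
deb http://http.kali.org/ /wheezy main contrib non-free
deb http://http.kali.org/kali kali-dev main contrib non-free
deb http://http.kali.org/kali kali main contrib non-free
deb http://security.kali.org/kali-security kali/updates main contrib non-free
deb http://repo.kali.org/kali kali-bleeding-edge main
"""

SAMPLE_GOOD = """\
# Kali 1.x stable suite plus its security updates
deb http://http.kali.org/kali kali main contrib non-free
deb-src http://http.kali.org/kali kali main contrib non-free
deb http://security.kali.org/kali-security kali/updates main contrib non-free
"""


def lint_sources(text):
    """Return a list of (line_number, message); line 0 marks whole-file issues."""
    problems = []
    suites_seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = OPTIONS_RE.sub("", line).split()
        kind = fields[0] if fields else ""
        if kind not in ("deb", "deb-src"):
            problems.append((lineno, f"unknown entry type {kind!r}"))
            continue
        if len(fields) < 3:
            problems.append((lineno, "entry needs at least a URI and a suite"))
            continue
        uri, suite, components = fields[1], fields[2], fields[3:]
        if not URI_RE.match(uri):
            problems.append((lineno, f"malformed URI {uri!r}"))
        if suite.startswith("/"):
            problems.append((lineno, f"suite {suite!r} starts with '/': the "
                                     "path belongs to the URI, not the suite"))
            continue
        if suite.endswith("/"):                  # flat repository: no components
            if components:
                problems.append((lineno, "flat repository (suite ends in '/') "
                                         "must not list components"))
            continue
        if not components:
            problems.append((lineno, "no components listed "
                                     "(e.g. main contrib non-free)"))
        if "kali" in uri and suite not in KNOWN_KALI_SUITES:
            problems.append((lineno, f"{suite!r} is not a Kali suite "
                                     "on a Kali mirror"))
        suites_seen.add(suite)
    mixed = suites_seen & UNSTABLE_SUITES
    if "kali" in suites_seen and mixed:
        problems.append((0, "stable 'kali' mixed with unstable "
                            + ", ".join(sorted(mixed))
                            + ": apt will pull the newest version from any suite"))
    return problems


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint_sources(sample) or "no problems")
```

Run against a real file with lint_sources(open("/etc/apt/sources.list").read()); anything reported on line 0 is a policy problem with the combination of suites rather than a syntax error on a single line.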

Source: linuxg