HconSTF is an Open Source Penetration Testing Framework based on different browser technologies, which helps any security professional with penetration testing or vulnerability scanning assessments. It contains web tools capable of carrying out XSS attacks, SQL Injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. It could prove useful to anybody interested in the information security domain: students, security professionals, web developers and so on.
- Categorized and comprehensive toolset
- Contains hundreds of tools, features and scripts for different tasks like SQLi, XSS, Dorks and OSINT, to name a few
- HconSTF webUI with online tools (same as the Aqua base version of HconSTF)
- Each and every option is configured for penetration testing and Vulnerability assessments
- Specially configured and enhanced for gaining easy & solid anonymity
- Works for web app testing assessments, especially for the OWASP Top 10
- Easy-to-use, collaborative, operating-system-like interface
- Multi-language support (feature in heavy development; translators needed)
You can download HconSTF 0.4 beta here, or read more here.
Spurred by the conclusion of a recent report that said that given the fact that China is the de-facto manufacturer of most IT equipment in the world, it could easily backdoor any computer well before it’s shipped to its buyers, security researcher Jonathan Brossard decided to prove the practicality of such backdooring.
He set out to create a backdoor that is persistent, stealthy, portable, cheap, that allows remote updates and provides remote access, and whose creation and deployment cannot be attributed to any individual or state.
The result was Rakshasa (a demon in Hindu mythology), a proof-of-concept malware that is able both to replace a computer’s motherboard BIOS and to infect the firmware embedded in other peripheral devices through PCI expansion ROMs, thus ensuring its stealthiness and persistency in case the BIOS is ever reflashed.
The malware is based on free and open source software, making it harder to detect by antivirus solutions, cheap, and - given the fact that its source code is available to anyone on the Internet - not attributable.
As the current computer architecture allows things like the firmware of a CD-ROM PCI device controlling a PCI network card, and peripheral devices accessing RAM, even if the original motherboard BIOS is restored at one point, the rogue firmware on one of those peripheral devices can be used to reinstall the rogue BIOS.
This means that for the computer to be effectively cleaned, the original BIOS must be restored and all the peripherals reflashed simultaneously - not something that typical users know how or are able to do.
Brossard says that the backdoor can be easily added to the hardware when the attacker has physical access to it, and that in the great majority of cases, the remote attack method is also successful.
Rakshasa comprises a custom version of Coreboot for the BIOS backend, a custom SeaBIOS BIOS payload, a set of PCI expansion ROMs, and a custom active bootkit which is retrieved from the network.
This bootkit is not loaded in the hard disk’s Master Boot Record, but (remotely) into the RAM on each boot, making it both practically impossible to detect and easy to unload from memory once it has done what it set out to do, i.e. modify the kernel.
Unfortunately, says Brossard, computer architecture cannot be changed to prevent this type of attack without breaking backward compatibility, so the only thing that remains to be done to prevent backdoored hardware from being delivered is to include PCI ROMs and BIOS firmware in security audits before use.
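The audit Brossard calls for boils down to hashing each image in a card's PCI expansion ROM and comparing it with a baseline taken from a known-clean unit. The following is an added example (not code from Brossard or the Rakshasa project) that parses the option ROM image chain as the PCI Firmware Specification lays it out (the 0x55AA header, the pointer at offset 0x18, the PCIR data structure, the last-image bit) and reports images that are modified or not present in the baseline; the sample ROM, vendor/device IDs and payloads are constructed, not real firmware.

```python
import hashlib
import struct

PCIR_FMT = "<4sHHHHB3sHHBBH"   # PCI Data Structure, 0x18 bytes (PCI Firmware Specification)

def build_image(vendor, device, code_type, payload, last):
    """Construct one 512-byte expansion ROM image (sample data, not real firmware)."""
    img = bytearray(512)
    img[0:2] = b"\x55\xAA"                     # option ROM signature
    img[2] = 1                                 # legacy size field, in 512-byte units
    struct.pack_into("<H", img, 0x18, 0x40)    # header offset 0x18 points at the PCIR block
    img[0x40:0x58] = struct.pack(PCIR_FMT, b"PCIR", vendor, device, 0, 0x18, 3, b"\0\0\0",
                                 1, 0, code_type, 0x80 if last else 0, 0)
    img[0x60:0x60 + len(payload)] = payload    # the code the card would execute at boot
    return bytes(img)

def parse_option_rom(blob):
    """Walk the chained images in an option ROM; return (vendor, device, code_type, sha256)."""
    images, off = [], 0
    while True:
        if blob[off:off + 2] != b"\x55\xAA":
            raise ValueError(f"missing 55AA signature at {off:#x}")
        pcir_off = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        (sig, vendor, device, _, _, _, _, img_len, _, code_type,
         indicator, _) = struct.unpack_from(PCIR_FMT, blob, pcir_off)
        if sig != b"PCIR":
            raise ValueError(f"missing PCIR structure at {pcir_off:#x}")
        size = img_len * 512                   # image length is given in 512-byte units
        images.append((vendor, device, code_type,
                       hashlib.sha256(blob[off:off + size]).hexdigest()))
        if indicator & 0x80 or off + size >= len(blob):   # bit 7: last image in the chain
            return images
        off += size

def audit_rom(blob, baseline):
    """Compare every image with a baseline {(vendor, device, code_type): sha256}.
    Verdicts: 'ok', 'MODIFIED' (same slot, different code), 'UNKNOWN' (never shipped)."""
    findings = []
    for vendor, device, code_type, digest in parse_option_rom(blob):
        key = (vendor, device, code_type)
        if key not in baseline:
            findings.append((key, "UNKNOWN"))
        elif baseline[key] != digest:
            findings.append((key, "MODIFIED"))
        else:
            findings.append((key, "ok"))
    return findings

# Constructed sample ROM: a legacy x86 image (code type 0) followed by a final EFI image (3).
SAMPLE_ROM = (build_image(0x1234, 0x5678, 0, b"legacy init code", last=False)
              + build_image(0x1234, 0x5678, 3, b"efi driver", last=True))
BASELINE = {(v, d, c): h for v, d, c, h in parse_option_rom(SAMPLE_ROM)}   # from a clean unit
```

On Linux the blob to audit is what `/sys/bus/pci/devices/<id>/rom` exposes once enabled; flipping one byte of the first image's code in `SAMPLE_ROM` makes `audit_rom` report that image as MODIFIED while the EFI image stays ok.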
Open-source software developer Kai Engert has proposed an overhaul to the Internet’s SSL authentication system, aiming to minimize the damage that would result from the compromise of one of the authorities trusted by major browsers.
Under version 2 (PDF) of Engert’s Mutually Endorsing CA Infrastructure proposal, people connecting to Google Mail, Twitter and other sites protected by SSL would draw on one of three randomly selected notaries to verify that the digital credential being presented is valid. By comparing the SSL certificate’s contents to data contained in the voucher returned by the notary, the person’s Web browser or e-mail program could quickly spot credentials that have been forged, even when they’ve been signed using the private key of a legitimate certificate authority. The notaries—or “voucher authorities” as they’re called—would be made up of existing CAs.
“The introduction and requirement of vouchers has the benefit that controlling a single CA will no longer be sufficient,” Engert, a software developer at Red Hat and a contributor to the Mozilla Project’s security team, wrote in the proposal. “If the presence of a valid voucher were mandatory, at least two CAs would have to be involved to create a working rogue identity, one CA signing the certificate, another CA using its VA to produce a voucher.”
At a minimum, the vouchers would contain a cryptographic hash of the certificate the end user wants to access, a single IP address used by the site, a timestamp recording when the data was collected, and a digital signature using the underlying VA’s private key. It might also include data concerning intermediate certificates used by the SSL certificate, recent OCSP—or online certificate status protocol—responses for the certificate and intermediate certificates, and proof that the VA signing certificate hasn’t been revoked.
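The client-side check the proposal implies is small: verify the voucher's signature comes from a trusted VA, then confirm the certificate hash, the site's IP address and the timestamp against what the client actually observed. The following is an added example, not code from Engert's proposal; the VA names, the 24-hour freshness window and the certificates are constructed, and because the standard library has no public-key signatures an HMAC with a per-VA key stands in for the VA's private-key signature.

```python
import hashlib
import hmac
import ipaddress
import json
import time

MAX_VOUCHER_AGE = 24 * 3600   # assumed freshness window; the proposal does not fix a number

def cert_fingerprint(cert_der: bytes) -> str:
    """Hash of the end-entity certificate, as carried in the voucher."""
    return hashlib.sha256(cert_der).hexdigest()

def voucher_body(v: dict) -> bytes:
    """Canonical bytes the VA signs: certificate hash, IP, timestamp and VA identity."""
    return json.dumps({k: v[k] for k in ("cert_hash", "ip", "timestamp", "va")},
                      sort_keys=True).encode()

def check_voucher(cert_der, server_ip, voucher, verify_sig, now=None):
    """Client-side check of a voucher against the certificate actually presented.
    verify_sig(va, data, sig) -> bool abstracts the VA's signature scheme."""
    now = time.time() if now is None else now
    if not verify_sig(voucher["va"], voucher_body(voucher), voucher["sig"]):
        return False, "signature not from a trusted VA"
    if voucher["cert_hash"] != cert_fingerprint(cert_der):
        return False, "presented certificate differs from vouched one"
    if ipaddress.ip_address(voucher["ip"]) != ipaddress.ip_address(server_ip):
        return False, "voucher IP does not match the server"
    if not 0 <= now - voucher["timestamp"] <= MAX_VOUCHER_AGE:
        return False, "voucher stale or future-dated"
    return True, "ok"

# Constructed sample deployment: HMAC keys stand in for each VA's signing key.
VA_KEYS = {"va-alpha": b"alpha-secret", "va-beta": b"beta-secret"}   # the trusted VAs

def issue_voucher(va, cert_der, ip, ts):
    """What a VA returns after observing the site's certificate from its own vantage point."""
    v = {"cert_hash": cert_fingerprint(cert_der), "ip": ip, "timestamp": ts, "va": va}
    v["sig"] = hmac.new(VA_KEYS[va], voucher_body(v), "sha256").hexdigest()
    return v

def hmac_verify(va, data, sig):
    key = VA_KEYS.get(va)                      # unknown VA: no key, so the check fails
    return key is not None and hmac.compare_digest(
        hmac.new(key, data, "sha256").hexdigest(), sig)

LEGIT_CERT = b"constructed DER for mail.example, signed by CA-1"
ROGUE_CERT = b"constructed DER for mail.example, signed by compromised CA-2"
NOW = 1_700_000_000
VOUCHER = issue_voucher("va-alpha", LEGIT_CERT, "192.0.2.10", NOW - 600)

if __name__ == "__main__":
    print(check_voucher(LEGIT_CERT, "192.0.2.10", VOUCHER, hmac_verify, NOW))
    print(check_voucher(ROGUE_CERT, "192.0.2.10", VOUCHER, hmac_verify, NOW))
```

A certificate minted by a single compromised CA fails at the hash comparison, and a voucher fabricated for it fails at the signature check unless a second, trusted VA cooperates, which is the two-party property the proposal is after.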
Fractures in the Web’s foundation of trust
Critics have complained for years that the web of trust used to prevent eavesdropping on webmail, banking transactions, and other sensitive Internet-based sessions is hopelessly broken. With more than 600 entities authorized to mint certificates that are trusted by major browsers, all it takes is the compromise of one of them for an attacker to forge a credential for any site. That point was dramatically underscored last year when hackers breached Netherlands-based DigiNotar and created counterfeit credentials for Google Mail, Mozilla’s add-ons download site, and other sensitive services. The Gmail certificate alone was used to snoop on an estimated 300,000 Gmail users, an audit later showed.
Since then, a flurry of competing alternatives and enhancements to the fractured SSL system have surfaced. Among them is Convergence, proposed by Moxie Marlinspike, a researcher who has repeatedly exposed serious flaws in the underlying SSL protocol. Convergence relies on a loose confederation of notaries that independently vouch for the validity of a given SSL certificate. One of the key benefits of the system is a “trust agility” that allows users to query specific notaries they trust.
It also provides privacy protections not available with regular SSL. Under the current system, certificate authorities track huge numbers of requests for SSL-protected websites and map them to individual IP addresses. Convergence uses two separate notaries that are intentionally kept in the dark when vouching for a certificate. One notary gets to see the IP address of the Convergence user but not the SSL certificate she wants validated. The other one sees the certificate but not the IP address.
Last year, Convergence got a strong endorsement from security firm Qualys, which deployed two notary servers. Developers of Google Chrome, meanwhile, have said they have no plans to add it to the browser.
Google researchers have proposed their own fixes (PDF) for the ailing SSL system. Under their new system, CAs would be required to publish the cryptographic details of every credential they sign to a publicly accessible log that’s also been cryptographically signed to guarantee its accuracy. Some CAs have baulked at the proposal, saying it would require them to part with proprietary customer data. The Google plan would also place technical burdens on websites and browser makers, these critics have said.
The latest proposal comes a day after Ivan Ristic of Qualys released a set of SSL/TLS deployment best practices (PDF) that administrators can follow to avoid common configuration mistakes. He said that his company has conducted surveys and found that two-thirds of all SSL servers are badly set up and that of the remaining third “many have application-level issues that fully compromise SSL.”
“The truth is that most experts are attracted to the CA trust problem, but, in reality, most SSL installations fail because of configuration and implementation errors,” he added.
“Like speaking with a corpse in your mouth”
The changes envisioned by Engert are in many ways similar to Convergence, except that notaries would be limited to existing CAs and would be chosen randomly by the client software rather than by the end user. Marlinspike characterized the difference as a major shortcoming.
“This is just Convergence without the good parts,” he wrote in an email. “The problem we need to solve is the lack of trust agility in the CA system. Speaking about solutions to the CA system which don’t provide trust agility is like speaking with a corpse in your mouth.”
The proposed fix is also receiving a chilly reception from some CAs. Comodo Senior Scientist Phillip Hallam-Baker wrote: “It might help if implemented. But probably not very much. Having two parties do essentially the same check in the same way is not likely to result in much reduction in risk.”
In his own email to Ars, Engert said the proposal is an update to one he first floated (PDF) at a security conference late last year.
“The document v2 is the result of thinking about the initial ideas more, taking into consideration the thoughts and feedback that I had received from various sources,” he wrote. “I’m hoping my proposal can be helpful inspiration for finding a solution for the trust problem.”
Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development, and education. This update fixes many bugs. Support for the following protocols has been updated: BSSMAP, DMP, GSM SMS, LDSS, NCP, PN/IO, PPP, SIP, SNMP.
md5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is similar to the md5sum program found in the GNU Coreutils package.
hashdeep is a program to compute, match, and audit hashsets. With traditional matching, programs report whether an input file matched one in a set of knowns or not. It’s hard to get a complete sense of the state of the input files compared to the set of knowns. It’s possible to have matched files, missing files, files that have moved in the set, and to find new files not in the set. Hashdeep can report all of these conditions. It can even spot hash collisions, when an input file matches a known file in one hash algorithm but not in others. The results are displayed in an audit report.
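The audit-mode logic described above, as an added example written for this page (not hashdeep's own code): each input file is hashed with the same algorithms as the hashset and classified as matched, moved, new, or a collision, and whatever known entry is never accounted for is reported missing. The paths and file contents are constructed, and the collision entry is deliberately built from an md5 of one file and a sha256 of another to mimic a file that matches in only one algorithm.

```python
import hashlib

ALGOS = ("md5", "sha256")   # hashdeep records md5 and sha256 per entry by default

def digests(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}

def audit(known: dict, inputs: dict) -> dict:
    """Audit-mode comparison of an input tree against a known hashset.
    known:  {path: {algo: hexdigest}}   (what a hashset file records)
    inputs: {path: file contents}       (the files actually found)
    Returns lists: matched, moved, new, missing, collision."""
    report = {k: [] for k in ("matched", "moved", "new", "missing", "collision")}
    accounted = set()
    for path, data in inputs.items():
        d = digests(data)
        if known.get(path) == d:                       # same place, every algorithm agrees
            report["matched"].append(path)
            accounted.add(path)
            continue
        full = [p for p, h in known.items() if h == d]
        if full:                                       # same content, different path
            report["moved"].append((path, full[0]))
            accounted.add(full[0])
            continue
        partial = [(p, a) for p, h in known.items() for a in ALGOS if h[a] == d[a]]
        if partial:                  # agrees in one algorithm only; known entry stays unaccounted
            report["collision"].append((path,) + partial[0])
            continue
        report["new"].append(path)                     # nothing in the set resembles it
    report["missing"] = sorted(set(known) - accounted)
    return report

# Constructed sample: a hashset of four files and a tree where one moved, one vanished, one is new.
README = b"project readme v1\n"
OLD_BIN = b"\x7fELF constructed bytes"
TOOL = b"tool build 42"
KNOWN = {
    "docs/readme.txt": digests(README),
    "tools/old.bin": digests(OLD_BIN),
    "bin/helper": digests(b"helper build 7"),
    # Deliberately constructed: md5 of TOOL paired with a foreign sha256, mimicking a collision
    "bin/tool": {"md5": digests(TOOL)["md5"], "sha256": digests(b"something else")["sha256"]},
}
INPUTS = {
    "docs/readme.txt": README,
    "archive/old.bin": OLD_BIN,          # moved from tools/ to archive/
    "bin/tool": TOOL,                    # md5 matches the known entry, sha256 does not
    "tmp/unexpected.dat": b"not in the set",
}

if __name__ == "__main__":
    for kind, items in audit(KNOWN, INPUTS).items():
        print(f"{kind}: {items}")
```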
The programs are distributed as binaries for Microsoft Windows (7, Vista, XP, 2003, and 2000 are supported) and as source code. The source code should compile nicely on just about any platform, including Cygwin, Linux, FreeBSD, OpenBSD, Mac OS X, OpenSolaris, HP/UX, etc.
Download or Read More
Trailrunner7 writes “Remote timing attacks have been a problem for cryptosystems for more than 20 years. A new paper shows that such attacks are still practical … The researchers, Billy Bob Brumley and Nicola Tuveri of Aalto University School of Science, focused their efforts on OpenSSL’s implementation of the elliptic curve digital signature algorithm, and they were able to develop an attack that allowed them to steal the private key of an OpenSSL server.”
Source: Uber Gizmo
Computer scientists have come up with a way to develop software which will be able to stash away highly sensitive data on hard drives, all without requiring the use of any form of encryption. This is made possible by controlling the precise disk locations that will hold the file’s data fragments. The application will be released as open-source software (hooray!), and it relies on steganography, the ancient art of hiding secret information in plain sight. This technique has been employed since time immemorial to make sure that sensitive data remains safely out of the hands of adversaries. Encryption, by contrast, is extremely easy to detect, which can tip off adversaries that a hard drive or other piece of media contains information considered secret.
This software makes sure that the individual disk clusters which will hold the sensitive data fragments will be positioned in a way that has been predetermined by their code. Whoever wants to read said secret information will be required to use a similar application to reassemble the file. According to the inventors, their method makes it very possible to stealthily store a 20MB message on a 160GB portable hard drive.
An anonymous reader writes
“There has been a growing tide of support for replacing SSL’s Certificate Authorities with an alternative authentication mechanism. Moxie Marlinspike, the security researcher who has repeatedly published attacks against SSL, has written an in-depth piece about the questions we should be asking as we move forward, and urges strong caution about adopting DNSSEC for this task.”
You’ve probably heard or read about next-generation firewalls recently. Whether it’s your existing firewall vendor or an analyst firm like Gartner, everyone is talking about next-generation firewalls as the greatest innovation in the network security market in over a decade. While many vendors are beginning to market next-generation firewalls, their initial offerings do not address enterprise requirements for granular application visibility and control, high-speed integrated threat prevention, and roaming users and devices. As the leader and pioneer of the category, Palo Alto Networks would like to share what we have learned from securing over 3,500 enterprise networks in the past few years. This paper depicts the top 10 technical requirements you should demand in your next firewall purchase.
This whitepaper will thoroughly examine:
- How a next-generation firewall is required to safely enable business - Applications aren’t threats;
- Business cases and technical requirements for each of the ten things;
- Architectural elements that matter for next-generation firewalls - and why.
SQL Injection is a vulnerability that is often missed by web application security scanners, and it’s a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited.
“Advanced SQL Injection” is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.
The key areas are:
- IDS/Web Application Firewall Evasion
- Re-enabling stored procedures
- Obtaining an interactive command shell
- Data exfiltration via DNS
Joseph McCray is a leader when it comes to penetration testing. Joseph currently acts as Assessment Practice Manager at Rapid7 and is the founder of LearnSecurityOnline.com. At Rapid7, he manages and performs Blackbox & Whitebox, Wireless and VoIP Penetration Testing, as well as performing Social Engineering.
[EDIT: Click The Topic For The Entire Cheat Sheet]
This talk titled “Cracking A5 GSM encryption” was given by Karsten at Hacking at Random (HAR) 2009.
The A5/1 algorithm is one of the ciphers used in GSM networks. It is used to encrypt both voice and signaling data. In the GSM network, A5/1 is applied both in the handset and in the BTS at the edge of the network. The first phase of communication, including radio resource allocation and authentication, is unencrypted; dialing and voice are encrypted. The attack on A5/1 demoed at HAR 2009 is a reimplementation of the attack by THC, which was done in early 2008. Their approach differs slightly, as they use more common hardware to generate the tables, namely graphics cards with GPGPU capability, and attempt to build a distributed infrastructure of nodes where each node donates both a small portion of disk space for a part of the table and some kind of fast hardware for the generation of and lookup in its own table. They also took this project as a motivation to design and code a general-purpose TMTO library. The attack itself is still the same, and we owe THC much for their pioneering work. Also take a look at http://airprobe.org for information and software on the sniffing of GSM data. You can download the presentation here. The project page can be visited here.
Speaker Bio: Karsten is a security researcher and hardware hacker. Karsten’s academic research deals with privacy protection, while his hacking projects focus on cryptographic hardware. In the past year, Karsten presented on smart-card security and embedded cryptography at 25C3, USENIX Security, BlackHat, CanSecWest, Toorcon, and the HOPE conference.
Special thanks go out to @agentgambell for helping us with the video upload.