
Everything I needed to know about managing hackers, I learnt from my DVD collection..

Ok.. so the title clearly isn’t true.. but it made more sense than saying something about the altered geographic location of someone’s dairy products. It is, however, true that this particular blog rant is largely about the geek<-->suit relationship and thoughts that are brought to life with full surround sound while watching the movie Troy. (It’s ok if you are one of those highly cerebral types who look down with disdain on us humble movie watchers – you can think of this post in terms of “what we can learn about managing hackers from Homer’s Iliad”.) (Five minutes after meeting the guys who work for us, a very obvious question is: “How do you manage a team of such bright individuals? Isn’t it like herding cats?” – this is one of the how-to’s (or how-not-to’s).)

RE: Sensepost at Cebit 2008

“SensePost have once again been invited to join the South African Department of Trade and Industry at Cebit, as one of 10 SA companies, to exhibit on their pavilion. Visitors to this show range in the region of 500,000 and approximately 5700 exhibitors fill the 27 Halls. Cebit is the biggest information and technology show in Europe and attracts exhibitors and visitors from all over the world.”

The Peltier Effect – Year in Review..

Peltier and Associates have released their massive “Peltier Effect – Year in Review 2007”. The collection comes in at a whopping 156 pages from a wide array of authors, so there should be something to read in it for everyone.. Our short article, “2007 – The Year Timing Attacks Made a Comeback”, comes in on page 43 (or 52, depending on whether you believe the page numbers or your PDF reader). Other contributions include a foreword by Marcus Ranum, and articles from Dave Aitel, Max Caceres and Ivan Arce.. humbling company..

DNS Tunnels (RE-REDUX)

On a recent assessment we came across the following scenario:

1) We have command execution through a web command interpreter script (cmd.jsp) on a remote Linux webserver.
2) The box is firewalled, only allowing 53 UDP ingress and egress.
3) The box is sitting on the network perimeter, with one public IP and one internal IP, and not in a DMZ.

So we want to tunnel from the SensePost offices to Target Company’s internal machines, with this pretty restrictive setup. How did we accomplish this?

SNMP Joins Dark Side in New XSS Attack

-sigh- the topic is stolen directly from the [DarkReading Article] -snip- It’s yet another new spin on a pervasive attack — this time using the old standby Simple Network Management Protocol (SNMP) to stage cross-site scripting (XSS) attacks. -snip- -sigh- a little while back, while doing a pen-test on a 1U device, we found that a well-poisoned SNMP string could easily result in XSS and even SQL injection attacks.

Prof Felten (and friends) attack bitlocker/filevault (and friends)

So Felten et al. basically figured that cooling DRAM chips allows an attacker to move them to another machine where they can be leeched! The geek in me can’t help but say “COOL!” According to the comments posted (by Eugene Spafford, no less), this sort of attack is fairly well known.. but.. for this humble fanboy, I think it’s still pretty rocking!

Sorting your shoes like a whore!

(my first X-rated blog post.. I should hook up AdWords and watch the money roll in!) Ok.. our Zimbabwean recruit was posed the following question by some international academics: Q: “How would you sort your shoes?” He answered: A: “I make the assumption that the shoes are positioned such that I can see their sizes, and that they are in a row of boxes. I would randomly pick a pair of shoes in a box and call them my ‘pivot point’. I would then reorder the shoes such that all shoes with sizes less than my pivot are on the left of it, and all shoes with a greater size are on the right of the pivot (perhaps having 2 piles of shoes next to me as I work, one for size less than, one for size greater than). This pivot pair of shoes would now be in their correct sorted position. I would then apply this same process to the left and right sets of shoes, and then to their left(left,right) and right(left,right) sets, continuing this process until all shoes have been ‘pivoted’ or there is only one or zero pair of shoes between two pivots (i.e. a set of only one pair).”

HTTP-Mangler QoW…

Many people took a crack at “what tool will work to replace mangler, out of the box”, and so we have a bunch of new tools to play with.. Steven’s answer of MS Word or PowerPoint left us scratching our heads a little, and rezn threw in the added complexity of the app requiring valid certs.. (To answer rezn, I think you could avoid the SSL complications with judicious use of a Detours app or Echo Mirage from bindshell.net.)

Locating other sites on a virtually hosted box..

So everyone uses the Live search engine with an ip: query when trying to locate virtual hosts. I used DomainTools in the past with good results, till they went fully pay-per-use. Check out Reverse IP Domain Check; the 2 IPs I’ve tested it on gave reasonable results, and at a great price!

WebScarab-NG HTTP Mangler Functionality

H said that there is a tool that will do the HTTP Mangler functionality out of the box. So here goes. WebScarab-NG is the tool that will do the trick. First we select the feature that will allow us to set up the proxy listener, as seen in the image below. Then we need to configure the proxy listener with the ports etc. we need, as seen below.