Research
Another attempt at you-tube science, aka how to save 36c when changing the batteries on your remote!
ok.. so a long time ago we tried the you-tube mentos stuff and happily wasted time (and coke) in the office parking lot.. (of course this was after half assed attempts to mimic the experiments imperfectly.. given the typical office makeup, this ensured that we tried it with various other softdrinks, various other sweets and at one point even tried microwaving the drink cause roelof thought “the cold was ruining it”.)
Thunks from hacking games
In Vegas I bought Herman “Exploiting Online Games” by Greg Hoglund and Gary McGraw. Being the saint that I am, I looked at the book thoroughly on the plane on the way home. Fortunately I was able to verify that most of the pages were there and intact and that were no blatant spelling or grammatical errors – it wouldn’t do to give Herman a broken book.
Whilst I was checking the Herman’s gift *anyway* I figured it wouldn’t hurt to also read and absorb some of the content – just to make sure I wasn’t giving him nonsense (with all due respect to Greg and Gary). In particular what interested me was whether their thinking on online games held any lessons for the work we more traditionally do on online financial and e-commerce systems. I thought the book was fascinating, particularly in this context. What follows is a mind dump of some of the thoughts I had as I was reading.
F(inally)ull Release of BlackHat-Defcon Timing Stuff..
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure.
More details on squeeza (the tool) can be found on the squeeza page, but in a nutshell is a sql injection tool that uses Metasploits concept of splitting exploit/payloads/etc with SQL Injection attacks. Current modules are written for MS-SQL server but include functionality for (user defined sql queries, some db schema enumeration, command execution, file-transfer, db_info) and the information is returned (channel selection) via one of (application error messages, DNS, Timing). The modularity’ness means that these all mix and match – I.e. if you write a module to “extract data from all tables that look like username*”, the results would be available on any of the available channels.. (Its a pretty neat tool.. and saved our bacon more than once) So check it out, and send feedback to research@sensepost.com
Squeeza: The SQL Injection Future?
During our talk we demo’d squeeza.. We will link to the slides and .ppt as soon as we can, but have been getting a few requests already for the code, so here it is..
For those who missed the talk, squeeza is a SQL Injection tool, that once given an entry point can simply a bunch of things. Its the first tool i know of that facilitates full binary file transfers (download from the remote SQL Server), database enumeration, etc via a number of channels (Currently via DNS, via HTTP Error messages and Via Timing).
BlackHat Progress Report
(always wanted to say that!)
2 SensePost Training sessions are over, and as i type The weekday sessions are at about 50%. Feedback so far has been pretty cool and its been fun to meet new people / bump into some old friends..
The next “biggie” on the horizon is Wednesdays talk.. We have had a fair bit of interest so far and even though the slot has some stiff competition its seems like all will be well :). The talk should be interesting to developers, pen-testers and even just people with a vague interest in see’ing cool stuff.. Marco has been adding functionality to “squeeza” like a demon and as it stands its probably the only SQL Injection tool i know that will allow (file downloads, arb sql queries, database mining) all purely in T-Sql over a variety of transport channels (dns, error messages, timing). We will post the link to it for download just before we talk..
Viva Las Vegas!
BlackHat Vegas is almost on us again, and this will be the 6th year running that we present there.. This year Marco and i will be taking a new look at some old attacks.. The bulk of the talk will focus (like its name suggests) on timing attacks, but we will be looking in general at timing, race conditions and other attacks that have not yet been packaged into tools and so are not yet prone to the type of over-fishing we have found with fuzzable bugs..
Threat Modelling Talk at CSI Phoenix
After a six hour delay due to technical problems *before* my journey
even started I’m finally on the plane and waiting for take off. Tag
an additional five hour delay due to a missed connection in New York
and this quickly become a very, very long trip. Perhaps my longest
ever. Ah well, the price we pay for living at the end of the world, I
guess.
Prev
Page 8 of 8