Tools
WiFi De-authentication Rifle:
Wireless: it’s everywhere these days and yet owning it never gets boring.
As part of our annual SensePost hackathon, where we get time off projects and get to spend a week tinkering with tech and ideas, the team I was in, consisting of Dominic, Nathi and myself, decided on creating a wireless rifle de-authentication gun, which utilized a yagi antenna and a Raspberry Pi.
The idea was simple: simulate some of the tools available in aircrack-ng wireless hacking suite in one script but without utilizing aircrack-ng in the process.
Commercial Snoopy Launch! [ ShadowLightly ]
Hello world!
We’ve been busy squireling away on a much requested project – a commercial Snoopy offering. We’ve called it ShadowLightly, and we’d like to invite you to join the beta explorer program. We’re going to offer ten 3-month trials to the site (you’d need to buy sensors / build your own), and in return we’d ask that you help us debug any issues. To apply, please email explorer@shadowlightly.com – introduce yourself, and tell us a little about why you’d like to join the program.
Demonstrating ClickJacking with Jack
Jack is a tool I created to help build Clickjacking PoC’s. It uses basic HTML and Javascript and can be found on github, https://github.com/sensepost/Jack
To use Jack, load Jack’s HTML,CSS and JS files using the method of your choice and navigate to Jack’s index.html.
Jack comes with three additional pages; sandbox.html, targetLogin.html and targetRead.html. targetRead.html can be used to demonstrate Clickjacking that reads values from a page and sandbox.html is used to display the Clickjacking demonstration. Jack by default loads the “Read” html page with default CSS and Styles.
Associating an identity with HTTP requests – a Burp extension
This is a tool that I have wanted to build for at least 5 years. Checking my archives, the earliest reference I can find is almost exactly 5 years ago, and I’ve been thinking about it for longer, I’m sure.
Finally it has made it out of my head, and into the real world!
Be free! Be free!
So, what does it do, and how does it do it?
The core idea for this tool comes from the realisation that, when reviewing how web applications work, it would help immensely to be able to know which user was actually making specific requests, rather than trying to just keep track of that information in your head (or not at all). Once you have an identity associated with a request, that enables more powerful analysis of the requests which have been made.
Never mind the spies: the security gaps inside your phone
For the last year, Glenn and I have been obsessed with our phones; especially with regard to the data being leaked by a device that is always with you, powered on and often provided with a fast Internet connection. From this obsession, the Snoopy framework was born and released.
After 44con this year, Channel 4 contacted us to be part of a new experimental show named ‘Data Baby‘, whose main goal is to grab ideas from the security community, and transform them into an easy-to-understand concept screened to the public during the 7 o’clock news.
Snoopy Release
We blogged a little while back about the Snoopy demonstration given at 44Con London. A similar talk was given at ZaCon in South Africa. Whilst we’ve been promising a release for a while now, we wanted to make sure all the components were functioning as expected and easy to use. After an army of hundreds had tested it (ok, just a few), you may now obtain a copy of Snoopy from here. Below are some instructions on getting it running (check out the README file from the installer for additional info).
Mobile Security Summit 2011
This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389).
Charl was the keynote speaker and presented his insight on the impact of the adoption of mobile devices throughout Africa and the subsequent rise of security related risks. During his talk, he addressed the following:
Understanding the need for mobile security to be taken seriously in Africa Analysing the broader implications for the user and the company The types of attacks occurring against mobile devices What does the future of mobile security look like and what are the potential threats to users? Understanding the particular threats posed by smartphones and other portable devices, e.g. tablets The presentation can be accessed via link below:
The Yeti is here
After several months of dedicated … uh dedication, our new network footprinting tool is being made available to the masses.
It’s called Yeti and it is a cross-platform, Java application. It’s predecessor, BidiBlah, was only available on Windows platforms and hopefully with Yeti we can now offer Internet intelligence gathering to everyone.
So what does Yeti do:
Top level domain expansion (tld expand) Forward lookups (mx,ns,a,cname and zone transfers) Reverse lookups (ptr records) Cert Extraction (getting the common name, and domain from ssl certificates) Bing IP/Site searches Report exports to xls format We invite you all to visit the Yeti community blog and to participate in either testing the tool or just to add comments. Usage instructions can be found on the spyeti blogspot.
Happy New Year gift: source code!
If you use the Gregorian Calendar, then Happy New Year! Down here in South Africa, we’ve also ushered in a new year and in celebration SensePost is releasing source code for our in-house web proxy, Suru, under a BSD-style license.
When released in 2006, Suru introduced a number of unique features to the world of inline proxies including trivial fuzzing, token correlation and background directory brute-forcing. Further improvements include timing analysis and indexable directory checks. These were not available in other commercial proxies at the time, hence our need to write our own. Since then, most of these features have been incorporated into more full-featured commercial proxies, negating the need for Suru.
BlackHat Write-up: go-derper and mining memcaches
[Update: Disclosure and other points discussed in a little more detail here.]
Why memcached? At BlackHat USA last year we spoke about attacking cloud systems, while the thinking was broadly applicable, we focused on specific providers (overview). This year, we continued in the same vein except we focused on a particular piece of software used in numerous large-scale application including many cloud services. In the realm of “software that enables cloud services”, there appears to be a handful of “go to” applications that are consistently re-used, and it’s curious that a security practitioner’s perspective has not as yet been applied to them (disclaimer: I’m not aware of parallel work).