30 July 2010
~1 min
By marco
Today at BlackHat USA 2010 we released a tool for manipulating memcached instances; we still need to write it up properly but here’s a link to the tool for the moment.
tl;dr: if you find a memcached, you can dump the cache and manipulate entries in the cache.
28 June 2010
~2 min
By evert
A very common finding in our day-to-day vulnerability management endeavours is "HTTP Methods Per Directory".
In its most basic form, HackRack determines which HTTP methods are allowed on each web or CGI directory by sending an OPTIONS request per directory. On its own this is not always significant, but as soon as you have directories that allow PUT or DELETE, and weak directory permissions are in place, the picture becomes much more colourful.
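The check described above, as an added example (this is not HackRack's code): send OPTIONS per directory, parse the Allow header, and then, because an Allow header is only a claim, confirm PUT with a harmless probe file and DELETE it again. The target host, port, paths and the probe filename are assumptions; the small server at the bottom is a constructed stand-in so the script runs offline.

```python
"""Enumerate the HTTP methods each directory advertises and confirm the dangerous ones.

Added example, not HackRack's own code. It assumes a plain-HTTP target; the
small server at the bottom is a constructed stand-in so everything runs offline.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that let a client alter or probe content; any of these on a directory
# with weak permissions is worth a finding on its own (assumed list).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "PROPFIND", "MKCOL", "COPY", "MOVE"}


def _request(host, port, method, path, body=None, timeout=5):
    """One HTTP request; returns (status, headers dict with Title-Cased names)."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        resp.read()
        return resp.status, {k.title(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def allowed_methods(host, port, path):
    """Methods the server advertises for `path` in the Allow (or legacy Public) header."""
    _, headers = _request(host, port, "OPTIONS", path)
    allow = headers.get("Allow") or headers.get("Public") or ""
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def risky_methods(host, port, path):
    return allowed_methods(host, port, path) & RISKY_METHODS


def confirm_put_delete(host, port, path, probe="hackrack-probe.txt"):
    """PUT a harmless probe file into `path` and DELETE it again.

    Returns (put_status, delete_status); a 2xx on PUT proves the directory is writable.
    DELETE is skipped (None) when the PUT failed, so nothing is left behind either way.
    """
    target = path.rstrip("/") + "/" + probe
    put_status, _ = _request(host, port, "PUT", target, body=b"probe\n")
    if 200 <= put_status < 300:
        del_status, _ = _request(host, port, "DELETE", target)
    else:
        del_status = None
    return put_status, del_status


def audit(host, port, paths):
    """{path: {"advertised": [...risky methods...], "writable": bool}} for each directory."""
    report = {}
    for p in paths:
        risky = sorted(risky_methods(host, port, p))
        writable = False
        if "PUT" in risky:
            put_status, _ = confirm_put_delete(host, port, p)
            writable = 200 <= put_status < 300
        report[p] = {"advertised": risky, "writable": writable}
    return report


# --- constructed stand-in: /uploads/ is misconfigured to accept PUT and DELETE ---
class _FakeHandler(BaseHTTPRequestHandler):
    ALLOW = {"/": "GET, HEAD, OPTIONS", "/uploads/": "GET, HEAD, OPTIONS, PUT, DELETE"}

    def _reply(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        if self.command == "OPTIONS":
            self.send_header("Allow", self.ALLOW.get(self.path, "GET, HEAD, OPTIONS"))
        self.end_headers()

    def do_OPTIONS(self):
        self._reply(200)

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(201 if self.path.startswith("/uploads/") else 405)

    def do_DELETE(self):
        self._reply(204 if self.path.startswith("/uploads/") else 405)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Serve the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_server()
    for path, info in audit("127.0.0.1", port, ["/", "/uploads/", "/cgi-bin/"]).items():
        print(f"{path:12s} advertised={info['advertised']} writable={info['writable']}")
    srv.shutdown()
```

Against a real host, point `audit()` at the directories you found while spidering rather than at the loopback stand-in, and keep the probe filename innocuous: the point of the PUT/DELETE pair is to prove writability without leaving content on the server.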
Since joining SensePost I’ve had a chance to get down and dirty with the threat modeling tool. The original principle behind the tool, first released in 2007 at CSI NetSec, was to throw out existing threat modeling techniques (it’s really attack-focused risk) and start from scratch. It’s a good idea, and the SensePost approach fits nicely between heavily formalised models like OCTAVE and quick-and-dirty approaches like attack trees. It allows fairly simple modeling of the organisation or system to quickly produce a far larger list of possible risks, and to rank them.
03 June 2010
~2 min
By evert
Most of our clients that use our vulnerability management service, HackRack, run a large and usually interactive web application environment that makes use of SSL. HackRack then often reports findings such as weak ciphers in use (critical if the client has to adhere to PCI DSS), certificate names that do not match the domain name, and expired certificates.
Now, this is easy to check and re-check when you have a couple of hosts and some openssl know-how. But with a couple of hundred sites, things get interesting and time consuming.
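The three HackRack findings named above (weak cipher, name mismatch, expiry), scripted for a list of sites, as an added example using only the Python standard library; this is not HackRack's own checker. The classification helpers take the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so they can be exercised on the constructed sample certificate below without network access; the weak-cipher marker list and the 30-day expiry warning threshold are assumptions.

```python
"""Bulk TLS certificate and cipher checks over a list of sites.

Added example, not HackRack's code. check_host() does the live work; the helpers
below it work on the getpeercert() dict shape, so they run on the constructed
sample without a network.
"""
import socket
import ssl
import sys
import time

# Cipher-name fragments that fail a PCI DSS style "strong crypto" bar (assumed list).
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")
EXPIRY_WARN_DAYS = 30  # assumed threshold for "expiring soon"


def cert_names(cert):
    """All DNS names the certificate covers: SAN entries, falling back to the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def _label_match(pattern, hostname):
    """RFC 6125 style: one leftmost '*' label at most, case-insensitive, same label count."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) > 1 and p[1:] == h[1:]
    return p == h


def name_matches(cert, hostname):
    return any(_label_match(n, hostname) for n in cert_names(cert))


def not_after_seconds(cert):
    """notAfter as a Unix timestamp (getpeercert() gives e.g. 'Jun  3 12:00:00 2010 GMT')."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_left(cert, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (not_after_seconds(cert) - now) / 86400


def cipher_is_weak(name, bits):
    n = name.upper()
    return bits < 128 or any(m in n for m in WEAK_CIPHER_MARKERS)


def findings(hostname, cert, cipher, now=None):
    """HackRack-style findings for one site; an empty list means clean."""
    out = []
    if not name_matches(cert, hostname):
        out.append(f"name mismatch: cert covers {cert_names(cert)}")
    d = days_left(cert, now)
    if d < 0:
        out.append(f"certificate expired {-d:.0f} days ago")
    elif d < EXPIRY_WARN_DAYS:
        out.append(f"certificate expires in {d:.0f} days")
    name, _proto, bits = cipher
    if cipher_is_weak(name, bits):
        out.append(f"weak cipher negotiated: {name} ({bits} bits)")
    return out


def check_host(hostname, port=443, timeout=5):
    """Live check: connect, then classify the peer certificate and the negotiated cipher."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report mismatches as findings instead of aborting
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return findings(hostname, tls.getpeercert(), tls.cipher())
    except ssl.SSLCertVerificationError as e:
        # Expired or untrusted chains fail verification before we get a parsed cert.
        return [f"chain verification failed: {e.verify_message}"]


# Constructed sample in the getpeercert() shape: wildcard SAN, expiring 3 June 2010.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun  3 12:00:00 2010 GMT",
}

if __name__ == "__main__":
    for site in sys.argv[1:]:  # usage: python tlscheck.py site1 site2 ...
        print(site, findings_or := check_host(site) or ["ok"])
```

One caveat worth knowing before adapting this: the stdlib only hands back a parsed certificate dictionary when it verified the chain, so setting `verify_mode = CERT_NONE` to "see" an expired certificate leaves `getpeercert()` empty. That is why `check_host()` keeps verification on, turns off only hostname checking, and reports verification failures (expiry among them) from the exception's `verify_message`.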
I’m pleased to announce the release of J-Baah – the port of CrowBar (our generic HTTP Fuzzing tool) to Java.
If you’ve used CrowBar before, using J-Baah should be a breeze. If you haven’t, it actually has a help section. :P
You can grab a copy of J-Baah from here.
In my previous role working as a security manager for a large retailer, I developed some password tools for various purposes, primarily to help non-security people with some of the basics. I licensed them under the GPL, and I think it’s about time they saw the light of day.
There are a couple of tools, which I will explain below. They’re all written in JavaScript, primarily because it is cross-platform yet can be centrally hosted. They all work in Firefox and Internet Explorer, although the automatic copy-to-clipboard functionality of the service desk tool is IE only.
13 April 2010
~2 min
By junaid
As the need for online anonymity / privacy grew, the proxy industry flourished with many proxy owners generating passive incomes from their proxy networks.
Although ‘proxy’ is normally taken to imply some sort of daemonised application, such as Squid or a SOCKS daemon, the last couple of years have ushered in the age of CGI proxies and, more commonly, their PHP variants.
These PHP proxies are extremely trivial to deploy and configure, especially since most hosting environments have PHP installed by default. When development of PHProxy (a popular PHP proxy) ceased, many devoted fans started releasing their own customised PHProxy fixes and variants. In recent years, however, many proxy owners have gravitated towards Glype since it seemed to be well maintained (though its current status may be questionable).
I was recently playing with a WinGate proxy server and came across something interesting.
WinGate includes a remote management agent that is accessed via a client utility called GateKeeper. This allows one to configure the WinGate server across the network. However, it is not enabled to listen on the network by default and only listens on 127.0.0.1:808. From my perusal of the documentation, the remote administration facility should only be available to Enterprise and Professional licence holders; firms using Standard edition licences have to configure their proxy software locally.
With our recent release of BiDiBLAH 2.0, we’ve decided to revisit some real-world scenarios and the ways BiDiBLAH can deal with them. Herewith, part 2. All the scenarios can be downloaded from the BiDiBLAH home page.
Scenario:
We have a class B network internally. Many of the users run FTP servers on their machines. We do not allow this, but how do I identify these machines?
Solution:
Using BiDiBLAH, define your network as netblocks.
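The same scenario done by hand, as an added example of the general technique rather than BiDiBLAH's own workflow: sweep the netblock for hosts answering on TCP/21, grab the greeting, and treat a `220` reply (the FTP greeting defined in RFC 959) as a confirmed FTP server. The netblock, worker count and timeout are assumptions; the fake FTP listener at the bottom is constructed so the sweep can be demonstrated offline against loopback. Run it only against ranges you own.

```python
"""Sweep a netblock for FTP servers by banner.

Added example (plain sockets, not BiDiBLAH). The listener at the bottom is a
constructed stand-in so the sweep can be shown against 127.0.0.1 offline.
"""
import ipaddress
import socket
import socketserver
import sys
import threading
from concurrent.futures import ThreadPoolExecutor


def grab_banner(host, port=21, timeout=1.0):
    """Connect and return the first line the service sends; None if the port is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(256)
    except OSError:
        return None
    return data.decode("ascii", "replace").strip()


def looks_like_ftp(banner):
    """FTP greets with a 220 reply (RFC 959); anything else on the port is just 'something listening'."""
    return banner is not None and banner.startswith("220")


def sweep(netblock, port=21, timeout=1.0, workers=256):
    """Return {ip: banner} for every address in `netblock` with `port` open.

    Every address in the block is probed (a /16 is 65,536 connects, so the
    worker pool matters); hosts that refuse or time out are simply absent.
    """
    net = ipaddress.ip_network(netblock, strict=False)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        banners = pool.map(lambda ip: grab_banner(str(ip), port, timeout), net)
        return {str(ip): b for ip, b in zip(net, banners) if b is not None}


def ftp_servers(netblock, port=21, timeout=1.0, workers=256):
    """Only the hosts whose banner actually looks like FTP."""
    return {ip: b for ip, b in sweep(netblock, port, timeout, workers).items() if looks_like_ftp(b)}


# --- constructed stand-in FTP server (banner only) for offline demonstration ---
class _FakeFTP(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 (vsFTPd 2.0.5)\r\n")  # constructed banner text


def start_fake_ftp():
    """Listen on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFTP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python ftpsweep.py 10.0.0.0/16
        for ip, banner in sorted(ftp_servers(sys.argv[1]).items()):
            print(f"{ip:15s} {banner}")
    else:
        srv, port = start_fake_ftp()
        print(ftp_servers("127.0.0.1/32", port=port))
        srv.shutdown()
```

Keep the timeout short but not heroic: on a class B most addresses are unused, and a sweep spends almost all of its time waiting on those, so the timeout multiplied by the address count, divided by the worker count, is roughly your wall-clock budget.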
After some queries regarding SPUD, I thought it would be a good idea to post this reminder:
* SPUD can only be run as an administrative user.
* SPUD cannot be run by directly accessing the .exe; run it from the shortcut provided. The reason: SPUD cannot start from the \bin directory, only from the parent of \bin (by default Program Files\SensePost SPUD), i.e. run “bin\SPUD.exe” from the installation directory as below: