Saturday, March 29, 2008

Blackhat Europe Briefings Day 2

Second day talks that I attended were:
  • The URI abuse talk. This was a talk which lists different attack vectors that apply to URIs. The speakers demoed a Picasa vulnerability that relies on DNS rebinding to expose images from your Picasa to the evil hacker and his little brother. Then they talked about an iPhoto format string vulnerability that can be exploited via the photo:// URI. More information about this can be found on the speaker's blog. There was also mention of some tools which can help with finding new URI flaws, like duh4mac.c, which lists all URIs on a Mac and the associated applications. While this talk had nothing which was not already available elsewhere, I thought that it was well delivered and inspiring.
  • The LDAP injection talk touched on an interesting subject that hasn't been covered much elsewhere, except for a few scattered papers. While the subject matter was good, the speakers took long to get to the interesting part, which was a demo of a vulnerable web application and how they could manipulate it to escalate privileges. The most interesting part was when they showed how specifying an asterisk as the username can give access to the first user that matches. Then the speakers went on to describe more complex things such as blind injection, which took approaches similar to blind SQL injection.
    Finally, the speakers did not really expand on solutions and what to do to prevent such attacks. Their suggestion was to filter out malicious characters, such as the "*". However, on further discussion with the speakers, they agreed that a whitelist of allowed characters might be a much better solution.
  • The Dtrace talk was well delivered. You could see that people got excited at the thought of being able to use it when doing reverse engineering on a Mac. Quotes like "don't think of dtrace as just gdb on steroids" were thrown at us when the speakers were explaining why making use of dtrace is better than making use of gdb or pydbg. Finally they presented a Ruby wrapper around dtrace, making it all even more powerful. I know that I'll be adding dtrace to my arsenal of tools ;-)
  • Then it was time for the GSM cracking talk. This was a sort of update on how the whole project is going. They reminded us that there are a hell of a lot more GSM phones than computers, and that is one reason why their research is useful. As people who follow these security conferences know, these guys are making use of Pico Computing's FPGAs to generate rainbow tables that help with the cracking of GSM. They only have another month to go until their rainbow table is complete. Then they finally announced that they are considering selling a kit that allows you to crack GSM, and we were left with the interesting question of "who is your target market?"
  • Hacking SecondLife talk: I found this talk a bit frustrating because the author took his time to arrive at the juicy stuff, and when he actually did, things were not as exciting as I would have liked them to be. In my opinion, the speaker should have named the talk "Hacking with SecondLife" instead of "Hacking SecondLife", because his demonstrations were about making use of the scripting in SecondLife to get other avatars to send HTTP requests to a target website. He showed off slikto, which scans websites for known vulnerable scripts just like nikto, but makes use of avatars on SecondLife that click on the evil ball. The least that I can say is that I wasn't impressed, and this sort of thing can be done on a much larger scale and much more efficiently with botnets, or by making use of DNS rebinding attacks, and in many other ways.
  • The final talk that I went to was the Maltego talk about investigating people by making use of open source information. Actually I wanted to watch the PDF malware talk, but started snoozing and decided that I'd rather switch track. The Maltego talk was very well delivered; the speakers were entertaining and showed some real funky visualization in the next version of their application. The talk was mostly about presenting data to turn it into useful information (or intelligence). They also talked about bypassing Google's human verification checks and the legal problems that they had with various search engines.

Friday, March 28, 2008

Blackhat Europe Briefings Day 1

These are some of the talks I've been at:
  • Keynote by the Angel of Doom was on digital security and why it will fail. His conclusion is that we are in the right business and that we have job security. He gave ideas about how security solutions that do not take the big picture into perspective are bound to fail. Had a chat with him during lunch; very interesting conversation.
  • The talk from the GNUcitizen people called Client-side security was enjoyable. They were presenting stuff that (I think all) was publicly available either on their site or their friends' sites. Most of their exploits seem to have one thing in common: they use multiple technologies to abuse the system.
  • Attacking Anti-virus talk by SoWhat was interesting. It was not flowing, but the subject material was good. By fuzzing file types, he gave live demos of AV software crashing. Some of the vulnerabilities seem to be exploitable to run arbitrary code, and SoWhat was able to show a few unpatched vulnerabilities as well.
  • The Cisco IOS Forensics talk was very well researched. We learned about how the base OS on IOS works: there is no real kernel and there are no separate processes. If one thing crashes, the whole box goes down. We also learned that some of the issues are warez/illegally downloaded IOS updates which contain third-party modifications (i.e. backdoors). TCL backdoors were also mentioned. These are most of the time created by legitimate users for later use and abuse (read: getting things done, or disgruntled ex-employees). Recurity Labs' new project called CIR would allow us to inspect Cisco crash dumps and identify all this and more. It is available online for free at
  • The Multimedia fuzzing talk was OK. They talked about fuzzing codecs and MP3 tags and all that. They also showed a demo of flac123 spawning shellcode by exploiting an overflow. The same guys who gave the talk have released two tools of interest:
    • Fuzzbox, which allows you to create different fuzzed samples based on a valid media file.
    • RTPInject, which allows one to inject arbitrary audio in a VoIP conversation.
  • Managed to grab the Iron Chef Challenge at the last minute when they were presenting the results. The teams drew and there was no clear winner. All the flaws identified were theoretical :-(
  • Started watching the 0day patch talk, but all the graphs got to my head and I quickly switched to the lockpicking talk. Mr. Ollam gave an excellent talk as usual and updated us with the latest details on the locks and safes.
After that we went to the Microsoft party, which was okay. Met a few interesting chaps from the AV industry and the pentest business.

Thursday, March 27, 2008

Blackhat Europe && Twitter

The briefings started today and so far it's been a very interesting experience. I'll be updating my Twitter account on BH Europe at:

Sunday, March 23, 2008

Blackhat Europe

In the next few days I'll be visiting Amsterdam and will be at the Blackhat briefings. If any readers are around, drop me a message ;-)

Friday, March 21, 2008

SIPVicious tool suite on Backtrack 3 beta

Backtrack, the popular live CD that comes with lots of penetration testing tools, now includes the SIPVicious tools in its list of packages. The latest is the BT 3 beta, which has a corrupt version of SIPVicious. A quick fix is posted on the Backtrack forums themselves here.

Archangel Amael was also kind enough to write up a short guide to SIPVicious.

Saturday, March 15, 2008

Using OSSEC to detect attacks on an Asterisk box

This post follows on from the previous post, which describes how to configure Snort to detect SIP attacks. This time we look at detecting attacks at the PBX's end rather than by monitoring network traffic. OSSEC allows us to do just this: it is a host intrusion detection system that can do matching on log files and actively react to attacks.

By default OSSEC does not have support for Asterisk. To add this functionality, place a new XML file called asterisk.xml in the OSSEC rules directory (typically /var/ossec/rules/). This file contains rules for the following violations:
  • User/Extension enumeration
  • Password cracking attacks
The actual rules file can be downloaded here.
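As an added example (not the author's downloadable rules file, which is not reproduced here), a local rules file covering the two violations listed above. It assumes a decoder named asterisk that extracts the offending address as srcip (the one described later in this post), Asterisk 1.4 chan_sip log messages ending in "No matching peer found" and "Wrong password", and rule ids in OSSEC's local range (100000 and up); the frequency and timeframe thresholds are arbitrary.

```xml
<!-- /var/ossec/rules/asterisk.xml (added example; thresholds are assumptions) -->
<group name="asterisk,">

  <!-- Parent rule: everything the "asterisk" decoder matched, kept silent -->
  <rule id="100100" level="0">
    <decoded_as>asterisk</decoded_as>
    <description>Asterisk messages grouped.</description>
  </rule>

  <!-- Registration for an extension that does not exist: a single probe -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>Registration from</match>
    <regex>No matching peer found$</regex>
    <description>Asterisk: registration attempt for unknown extension.</description>
  </rule>

  <!-- Registration for an existing extension with a bad password -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <match>Registration from</match>
    <regex>Wrong password$</regex>
    <description>Asterisk: registration with wrong password.</description>
  </rule>

  <!-- Many unknown extensions from one source IP: extension enumeration -->
  <rule id="100103" level="10" frequency="8" timeframe="60">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Asterisk: extension enumeration from same source.</description>
  </rule>

  <!-- Many wrong passwords from one source IP: password cracking -->
  <rule id="100104" level="10" frequency="8" timeframe="60">
    <if_matched_sid>100102</if_matched_sid>
    <same_source_ip />
    <description>Asterisk: password cracking attempt from same source.</description>
  </rule>
</group>
```

With these ids, an <active-response> block in ossec.conf can point rules_id 100103,100104 at OSSEC's stock firewall-drop command so the source is blocked for a while.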

This rules file needs to be referenced from the main configuration, usually found in /var/ossec/etc/ossec.conf. This can be done by adding the following line to the <rules> section of this file:

<include>asterisk.xml</include>

Then we need to add a decoder entry so that OSSEC can extract the offending IP address. This is done by adding the section below to the decoder definition file, usually found at /var/ossec/etc/decoder.conf:

<decoder name="asterisk">
  <program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-denied">
  <parent>asterisk</parent>
  <prematch>Registration from </prematch>
  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>

Do not forget to restart OSSEC. This is typically done by executing the following command:
/etc/init.d/ossec restart
Finally, it is important to make sure that Asterisk is configured to log to syslog, and restarted. The next commands to execute are:
echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart
Note: Check out Laureano's post on how to just reload the logger configuration.

That's it. Note that this has been tested on a Trixbox VM, and your Asterisk configuration might require some modifications, since it appears that Asterisk log formats are not very standard.

Oh, and to test these rules you can obviously use the SIPVicious tool suite ;-)

Friday, March 14, 2008

Swatters using VoIP to spoof caller id

It's no news, really, to anyone familiar with swatting, but this recently came to light in the public media, as a few people have been found guilty of this really bad prank.

What is swatting? It's basically someone calling the 911 service, spoofing the caller ID and pretending to be under attack from some maniac. What happens then is that a SWAT team is sent to the residence to which the spoofed phone number is registered. Obviously the end result is that the SWAT team ends up harassing the family / residents living there on behalf of the person who spoofed the call in the first place.

Quite a nasty joke if you ask me - and VoIP caller-id spoofing makes it very easy to pull off.