PIRANA, the SMTP fuzzing and bruteforce tool

PIRANA is an exploitation framework that tests the security of an SMTP content filter. Driven by a vulnerability database, the content filter under test is bombarded with emails carrying malicious payloads intended to compromise the filtering platform. PIRANA’s goal is to test whether or not any known vulnerability exists on the content filtering platform.

The tool is a Perl program that builds an email, attaches the malicious payloads generated by its exploitation modules, and sends it to the target. Several techniques were developed to improve reliability and add discretion. The tool is modular, so support for new vulnerabilities that emerge in the future can be added.

PIRANA’s author, Jean-Sébastien Guay-Leroux, wrote a paper (PDF en | fr) that explains the vulnerabilities of an SMTP content filter. It also presents the techniques used in PIRANA to improve reliability and stealthiness.
The tool is GPL licensed and you can download the latest version, pirana-0.3.3.tar.gz.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Large-Scale Network Monitoring Using Aggregated Flows

The Network Situational Awareness group at CERT (CERT/NetSA) has developed and maintains a suite of open source tools for monitoring large-scale networks using flow data. These tools have grown out of the work of the AirCERT project, the SiLK project and the effort to integrate this work into a unified, standards-compliant flow collection and analysis platform.


YAF - Yet Another Flow Sensor (YAF) processes packet data into bidirectional flow records that can be used as input to an IPFIX Collecting Process. YAF’s output can be used with the NetSA Aggregated Flow (NAF) toolchain and the SiLK tools.

NAF - The NetSA Aggregated Flow (NAF) tools create and manipulate the IPFIX-based NAF file format, designed as a common format for aggregate network flow analysis.

fixbuf - The fixbuf library provides a set of functions for processing the IPFIX protocol message format. Using fixbuf, developers can build IPFIX Collecting and Exporting Processes.

AirDBC - AirDBC is the AirCERT Database Connectivity abstraction layer for access to multiple RDBMS backends in C. It provides the database API used by CERT NetSA applications.

SiLK - The System for Internet Level Knowledge (SiLK) is an efficient network flow collection and storage infrastructure that will accept flow data from a variety of sensors. SiLK also provides a suite of efficient command-line tools for analysis.

RAVE - The Retrospective Analysis and Visualization Engine (RAVE) is an extensible analysis middleware platform based on Python that simplifies the task of building analysis environments on top of a network monitoring and collection infrastructure.

IPA - The IP Address Association library provides efficient data structures for manipulating labelings of IP addresses and IP address ranges.

Airframe - Airframe is an application utility library built on glib designed to ease the creation of command-line network data processing applications written in C. It is the mechanism by which the NAF tools have a common interface.

The whole suite is GPL licensed and, don’t worry, there is full documentation on how to put all these modules together :)


Qualys Vulnerability Management Review

Vulnerability management outsourcing is not an easy concept to promote these days, when information is the new power currency. Today, however, I witnessed a Qualys demonstration and I must say I really enjoyed it.

I’m not affiliated with Qualys and this is not a sponsored review.

Whenever I walk into a customer’s office I put my consultant hat aside and I try to walk into the customer’s shoes for one mile. This is why I really liked the approach Qualys has taken in implementing their managed vulnerability management service.

In a nutshell:

  • Qualys has built a Global Web Service Architecture developed from the ground up to automate network security auditing and vulnerability management.
  • Qualys hosts a collection of Internet Scanners optimized to scan publicly facing devices globally via the Internet. 
  • QualysGuard Scanners are appliance versions of the Internet Remote Scanners. Scanners enable customers to bring QualysGuard’s assessment capabilities to their internal networks.

While they are still fresh in my mind, these are the Top 10 reasons I liked Qualys (in no particular order) and why I would recommend it to my customers.

1. No hardware hassle, no storage troubles.
Ah, it feels so good to know that somebody else has to worry about the Confidentiality, Integrity and Availability of your data. If you choose to also scan the internal network, all you need to worry about is keeping the scanning appliance (which you rent) powered on and connected to your LAN. Sweet.

2. Full coverage of the vulnerability lifecycle.
Qualys goes beyond vulnerability scanning. Instead, they opted for a full vulnerability management process, and I guess one picture is worth 1000 words:

3. Great APIs and 3rd-party integration support.
Being a fully web-managed solution, integration with 3rd-party security vendors is done very easily through a fully documented XML API interface.

4. Non-intrusive scans.
The most relevant vulnerability results are achieved using authenticated scans (both Windows and Unix / Linux are supported), and it seems that Qualys has made it a top priority to investigate any crash report of a remotely scanned system or service.

5. Everybody gets VIP treatment.
One of my favorite features is that whenever something is fixed for one customer, it is automatically available for everybody. And fast. One other advantage of having a central SOC system is that all the scanners are up to date, and rolling out a new version of the management interface is instantaneous. Just open up a new browser session.

6. Robust, tamper-proof appliance.
The scanning appliance is truly a black box. You plug it in, set up the IP address and username / password using a front-mounted LCD, and you are good to go. End-to-end SSL encryption fits nicely into any modern network without much firewall re-configuration.

7. Single point of management.
Role-based administration can be modeled on your organization’s structure, and having a web-based console means you can check the appliance status, the scans themselves and the reports from anywhere. Who wouldn’t want instant access to those pesky compliance reports whenever the auditor asks for them? Fire up any available browser and you’re done.

8. OVAL support.
I know that not many people want to write their own vulnerability checks, but hey, what better way to check for violations of your uber-cool security policy? Qualys integrates new OVAL vulnerability definitions very easily.

9. Real-time scan reporting.
I really hate it when a full subnet scan has been running for 2 hours and suddenly something goes bad and you have to restart the scan from the beginning. It must have been frustrating for Qualys as well, because they implemented real-time partial scan reports, so you don’t lose any data from an ongoing scan in case of an unexpected halt.

10. Audit trails and its own remediation ticketing system.
Ever wondered why some vulnerabilities slip by unresolved for weeks? Well, although a remediation ticket has been opened, it might happen that a sysadmin forgot to patch a system or, worse, marked the bug as fixed hoping no one would notice.

Guess what: during the next scan, the vulnerability will be found and the ticket will be re-opened, and because the system allows history audit trail analysis, you can see exactly who swept the garbage under the carpet hoping to get away with it.

Maybe the Qualys engineer was very convincing during the 3-hour presentation and live demo, but I really liked the product and I can’t wait to test it myself. Just in case you were wondering, Qualys offers a 14-day free trial. All you need to do is provide a public IP address.

How about you? Do you have some real-world experience with Qualys? Is it as good as the presales presentation put it? I’m very interested in finding out the downsides of deploying an outsourced vulnerability management service like Qualys.


PRIAMOS - New SQL Injector and Scanner

Today I’m writing about a new SQL injection tool called PRIAMOS. It is fully automated and very easy to use. First, you scan the application for vulnerable parameters and then launch the SQL injection attack against the selected vulnerable parameter. The automated SQL injection reminds me of Absinthe or SQL PowerInjector, and it can map and enumerate the complete SQL Server database structure.

Just in case you want to check how it works, there is a live demo movie available.

Download it and give it a spin!


New Windows WiFi Driver Enumerator : WiFiDEnum

WiFiDEnum is the WiFi Driver Enumerator, a Windows tool that assesses wireless driver information on local and remote Windows workstations. Using a database of known wireless vulnerabilities, WiFiDEnum assesses the versions of installed drivers and produces a vulnerability report, identifying systems and specific drivers that are at risk from wireless driver exploit attacks.

WiFiDEnum scans Windows hosts over the infrastructure network (e.g. wired or wireless connections) using the Windows Management Instrumentation (WMI) API. Using the current user or alternate specified authentication credentials, WiFiDEnum extracts registry information on a remote host to identify the wireless drivers that are installed, and the associated version information for each driver.

With the driver version information, WiFiDEnum examines a local MS Access database file that identifies several vulnerable Windows drivers. Using this database information, WiFiDEnum assesses each driver to determine if it is vulnerable, and reports it appropriately.

Once the scan is finished, the user can generate a simple HTML report that identifies all the stations scanned, the wireless driver and version information for each workstation, and any vulnerabilities discovered, along with CVE and WVE links for more information about the vulnerability (wherever possible).

Sounds pretty cool. The software is freely available for download and I invite you to give it a spin!


Common Vulnerability Scoring System CVSS 2.0 unifies vulnerability scoring

I’m a bit late writing about the new Common Vulnerability Scoring System, CVSS 2.0, released earlier this month.
It is a valuable addition to the already established MITRE OVAL Open Vulnerability and Assessment Language and the WASC Web Security Threat Classification.

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score.

  • The Base group represents the intrinsic qualities of a vulnerability. 
  • The Temporal group reflects the characteristics of a vulnerability that change over time. 
  • The Environmental group represents the characteristics of a vulnerability that are unique to any user’s environment. 

CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.

I’m glad to see that ArcSight, one of my favorite security vendors, is one of the CVSS adopters.


Regression and Stress Tests with FunkLoad

Today it’s time to present another web testing tool called FunkLoad. This Python application can be used for functional and regression testing of web applications.

FunkLoad can also be used as a stress / performance testing tool: it works much like a fuzzing engine and gives you reports on the application’s response.

The main FunkLoad features are:

  • Functional tests are pure Python scripts using the pyUnit framework, like normal unit tests. Python enables complex scenarios to handle real-world applications.
  • Truly emulates a web browser (single-threaded) using Richard Jones’ webunit:
  • Advanced test runner with many command-line options:
  • Turn a functional test into a load test: just by invoking the bench runner you can identify scalability and performance problems.
  • Detailed bench reports in ReST or HTML (and PDF via ps2pdf) containing:
  • Easy test customization using a configuration file or command line options.
  • Easy test creation using TCPWatch as proxy recorder, so you can use your web browser and produce a FunkLoad test automatically.
  • Provides web assertion helpers.
  • Provides a funkload.CPSTestCase to ease Zope and Nuxeo CPS testing.
  • Easy to install (EasyInstall) and use, see examples in the demo folder.

FunkLoad is released under the GPL license, so go ahead, download it and give it a spin!


WebLOAD - Open Source Load and Stress Testing Tool

If you work in application QA & QC, you know how much you have to rely on the stress testing tools you use in order to get realistic and meaningful test results. The world of open source stress testing tools changed drastically on April 11, when RadView released its flagship product WebLOAD under a GPL license.

WebLOAD Open Source, licensed under the GNU Public License (GPL) version 2, is based on WebLOAD, the company’s flagship product that is already deployed at 1,600 sites. Immediately available for free download and use, WebLOAD is a commercial-grade open source project with more than 250 engineering years of product development.

The WebLOAD.org open community’s goals are to build a common knowledge base freely available to all professional performance testers and, at the same time, to perfect and enhance the WebLOAD testing suite.

With its open source approach, WebLOAD.org aims to facilitate a significant increase in the implementation of performance testing procedures earlier in the development lifecycle, particularly in the programming phase. Ultimately, this will have the effect of introducing internet applications of higher quality to the benefit of all users.

I have downloaded and installed WebLOAD and so far it looks great. The easiest way to use the product is to record all user navigation through its built-in proxy and set up different replay scenarios.

WebLOAD stress testing tool

The tests are written in JavaScript, and one can easily embed Java, ActiveX or COM objects in the test script. WebLOAD’s flexible framework can be extended to support other protocols using the WebLOAD Extensibility SDK.

I encourage you to register as a member (it’s free), download the tool and give it a spin. Feedback is welcome!


New Whitelist Based Squid Redirector - White Trash

Do you know about a very interesting Squid proxy whitelisting plugin called White Trash?

It is very common today for malware to "call home" upon infecting a victim computer, and this is exactly where White Trash kicks in: it is a user-driven dynamic whitelisting system that guarantees that outgoing HTTP connections have been initiated by real users. A nice side effect is that users are held responsible for all the browsing history recorded by the system.

The usage scenarios are very simple and robust:

Scenario - URL in the database

  • Client sends get request to Squid.
  • Squid writes URL to stdin of whitelist.py running as a squid redirector.
  • whitelist.py checks for URL in db, finds it, and returns newline (tells squid to use url as is).
  • Squid loads page and then any further elements from the server using the same procedure.

Scenario - Add new URL to the database

  • Client sends get request to Squid
  • Squid writes URL to stdin of whitelist.py running as a squid redirector
  • whitelist.py checks for URL in db, doesn’t find it, and returns http://whitelistproxy/generate_form.py
  • User is redirected to generate_form.py which is served by servecgi.py
  • generate_form.py presents a user with a form, all values filled in
  • User clicks "I Agree" and form is submitted to whitelist_add.py
  • servecgi.py processes the POST to whitelist_add.py and adds the proxy authentication information.
  • whitelist_add.py adds the domain, username etc. to the database and refreshes the page to deliver the user to their requested URL.

Scenario - View the whitelist

  • A cron runs whitelist_report.py every hour. This script builds a html representation of the whitelist from the database.
  • Apache serves the static html page.
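The redirector half of the first two scenarios above, written out as an added Python example (this is not White Trash’s own whitelist.py). It speaks the classic Squid redirector protocol the scenarios describe: Squid writes one request per line to the helper’s stdin, and the helper answers with an empty line to let the URL through unchanged or with a replacement URL that Squid redirects the client to. The in-memory set stands in for White Trash’s database, the function names are mine, and the redirect target http://whitelistproxy/generate_form.py is the one from the post.

```python
"""Whitelist-only Squid redirector (added example, not White Trash's code)."""
import sys
from urllib.parse import urlsplit

# Where requests for non-whitelisted hosts are sent (URL taken from the post).
FORM_URL = "http://whitelistproxy/generate_form.py"
FORM_HOST = "whitelistproxy"


def host_of(url):
    """Lowercase hostname of a URL, or None when it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_whitelisted(url, whitelist):
    """True when the URL's host, or any parent domain of it, is whitelisted.

    Walking up the labels lets an entry for example.com also cover
    www.example.com, matching the post's 'adds the domain' step.
    """
    host = host_of(url)
    if host is None:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))


def redirector_reply(line, whitelist):
    """Reply for one redirector input line ("URL client_ip/fqdn ident method").

    An empty string tells Squid to use the URL as is; anything else is the
    URL Squid should redirect the client to.
    """
    fields = line.split()
    if not fields:
        return ""  # empty/malformed input: pass through rather than wedge Squid
    url = fields[0]
    if host_of(url) == FORM_HOST:
        return ""  # never redirect the form itself, or the client loops forever
    if is_whitelisted(url, whitelist):
        return ""
    return FORM_URL


def main(whitelist, stream_in=sys.stdin, stream_out=sys.stdout):
    """Serve Squid until it closes our stdin."""
    for line in stream_in:
        stream_out.write(redirector_reply(line, whitelist) + "\n")
        stream_out.flush()  # Squid waits for each answer; never buffer replies


if __name__ == "__main__":
    # Constructed whitelist standing in for the database table.
    main({"example.com", "intranet.local"})
```

Two things the scenario list glosses over show up in the code: the helper must pass its own form host through unconditionally, or every redirect triggers another redirect, and the suffix match means the whitelist has to hold registrable domains (example.com), since an entry like "com" would open the whole TLD. How the form learns which URL the user originally asked for is left to White Trash’s servecgi.py and generate_form.py, as in the post.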

One other evil use of this tool would be enforcing the AUP and other security policies. I mean, one has to think twice about adding a URL to the intranet database, thus leaving traces of the visit all over the place :)

Technically, the solution looks great, but one of the biggest risks of implementing this system would be user frustration about being monitored; it’s the old saying "the more you squeeze the employees, the more they leak". A balance has to be reached for both parties.

In order to see how White Trash works in real life, check out the flash demo or download White Trash yourself. Free. As in GPL.


Google MD5 Hash Search Engine

I came across an interesting combination of blackhat SEO and "knowledge belongs to the people" hacker attitude. It’s about storing unique MD5 hashes in the titles of numerous pages spidered by Google. You may call it an implementation of a hash search engine using Google.

Unlike other implementations, the aim here is to get Google to store the word and associated hash. We do this by putting them into the title where it will always be stored by Google’s spider. Dynamically generating them means they’re only there when Google’s spider wants them.

If I read it right, they present different content to humans than to search engines; isn’t this a cloaking blackhat SEO technique?
Anyway, it’s a nice PoC of the ubiquity of Google search, but I still think that GData’s free online MD5 cracker kicks ass with its 168,678,430 unique entries.
