Portcullis Labs - All Content

VulnApp | Content

Tue, 27 Mar 2012 18:36:52 GMT

Recently myself and a colleague were asked to give some training to some training to some ASP.net developers. My colleague was asked to give the main training session whilst I was asked to run a post training game to test the developers retention of the concepts. After looking at some of the existing ASP.net applications I decided I'd like to write my own. The result of this is VulnApp, a BSD licensed ASP.net application implementing some of the most common applications we come across on our penetration testing engagements. The source is also available from my CVS server so that others can, if they like, contribute.

To make it easier for developers to learn, I've logged tickets for all of the intentional vulnerabilities I've introduced along the way. Be aware that there might be others I've missed, particularly gaps in the enforcement of ACLs and logic bugs. I'd encourage you to log any other vulnerabilies you find along the way.

Breaking the links: Exploiting the linker | Content

Tue, 27 Mar 2012 01:26:35 GMT

Presentation on exploiting linkers based on my paper (as given at Uncon 0x12 and CRESTCon 2010).

I am currently working on an update to the paper which will focus on other UNIX like OS with the aim of sharing some of my findings at a future conference.

HTML 5 Good Practice Guide | Content

Tue, 27 Mar 2012 00:18:18 GMT

This document is not intended to be a definitive guide, but more of a review of the speci?c security issues resulting from the use of HTML 5.

Portcullis was asked to provide consultancy in the form of analysis and good practice recommendations with respect to migrations from Flash to HTML 5.

Whilst this document is not intended to be a definitive guide, Portcullis believes that it should provide a high level summary of the pros and cons of the proposed migration.

Web Application Password Reset Good Practice Guide | Content

Sat, 24 Mar 2012 19:01:21 GMT

This guide aims to detail the key features of secure password reset procedures which can be used within web applications. As well as detailing these feature is gives examples of how the reset can be done.

secdump | Content

Sat, 24 Mar 2012 17:52:38 GMT

secdump is a simple meterpreter module uploads and runs gsecdump from truesec.

     
meterpreter > run secdump
UploadExec gsecdump

OPTIONS:

    -a        Dump all creds
    -h        Help menu.
    -l        Dump LSA Secrets
    -p        Path on target to upload executable, default is %TEMP%.
    -s        Dump hashes from SAM/AD
    -u        Dump Active logon session hashes
    -w        Dump Wireless Creds {NOT IMPLEMENTED}

nopc | Content

Sat, 24 Mar 2012 17:15:33 GMT

Ever been trying to perform a patch analysis of a Unix based machine without network access to it? I have and it used to be a wrestling match to make reasonable sense of the output from tools like "rpm -qa --qf patchlist.txt".

Out of this came nopc. Nopc utalises the ability of Nessus to perform an accurate patch analysis once it has extracted the information from the system, but instructs you on how to manually recover this same information. Below is an example usage for a Redhat patch review.

d@p:~/src$ ./nopc.sh
[+] What type of system have you got the patch output for?
 1 - Redhat
 2 - OSX
 3 - Debian
 4 - Ubuntu
 5 - Slackware *
 6 - Solaris *
 7 - AIX 
 8 - HP-UX *
 9 - FreeBSD *

 * UNTESTED!!

Enter 1-9? 1
[+] Redhat Selected
[+] Run '/bin/rpm -qa --qf patchlist.txt' 
[+] Enter Location of file: patchlist.txt
[+] Enter the Contents of /etc/redhat-release 
[+] Enter Text Requested: Red Hat Enterprise Linux Server release 5
[+] To run this in a script the command would be:

./nopc.sh -s '1' 'patchlist.txt' 'Red Hat Enterprise Linux Server release 5'

[+] Locating Nasls
....

Attacking Windows Domains | Content

Fri, 23 Mar 2012 13:23:10 GMT

Windows Domains use a single sign on system, authenticate to one machine, you can then use that machine to access all of your available resources accross that domain. This is great for users but also for attackers. This presentation covers a number fo techniques and tools that be used to take control of a windows domain without ever needing to run time consuming password cracking.

Apple iOS In the Workplace | Content

Wed, 16 Feb 2011 12:45:23 GMT

This whitepaper discusses the security of Apple iOS with particular focus on its usage in the workplace.

The intended audience for this is technical/managerial, that is to say, in parts it will be moderately technical, but the key focus will be the provision of information to those planning or evaluating roll outs of iOS based devices in order that they are able to accurately understand the risks associated with this.

SSHatter | Content

Wed, 16 Feb 2011 12:19:48 GMT

Password brute forcer for SSH.

Features:

Multi threaded
Supports both SSH v1 and v2 protocols
Supports key based brute forcing
Support for post brute force exploration
Mass mode to run one command across all targets
Support for sudo based privilege escalation
Integrated file transfer support

Firefox Lockdown | Content

Tue, 23 Jun 2009 15:02:12 GMT

With Firefox's popularity rising on a day-by-day basis, many corporate environments are starting to employ the power of Firefox as their default browser. But without sufficient restrictions or lock-downs Firefox becomes a powerful client controlled web browser that a sophisticated user can manipulate for their own benefits.

Firefox can be locked down similar to Internet Explorer, and this guide will give you the relevant information that is needed to create a secure, locked-down configuration, to restrict knowledgeable users actions into manipulating Firefox for their own needs.

Introducing Heyoka: DNS Tunneling 2.0 | Content

Tue, 24 Mar 2009 14:45:47 GMT

Slides from SOURCE Boston 2009, presenting heyoka, a new DNS tunneling tool that uses spoofed traffic to avoid detection and multiple encodings to improve speed. By Alberto Revelli and Nico Leidecker.

Heyoka | Download

Tue, 24 Mar 2009 14:37:27 GMT

/download/Heyoka-SOURCEBoston2009.pdf

OWASP AU 2009 Slides | Content

Thu, 19 Mar 2009 13:14:32 GMT

Slides from OWASP Australia 2009.

Owasp Au Rev4

View more presentations from sumsid1234.

Insecure Trends in Web 2.0 Applications | Content

Fri, 31 Oct 2008 16:08:40 GMT

Non technical talk about insecure trends in Web 2.0 applications. Explains what's wrong with today's Web 2.0 applications and why new comers keep repeating these.

Flash Security | Content

Fri, 31 Oct 2008 16:00:50 GMT

This presentation given at RIATalks, it's about fundamental flash security issues, attack surface of Flash and secure development.

During the presentation there was stealing data through vulnerable Crossdomain.xml files, you can download source code of this file - FlashSecurityCrossdomain.zip.

MS08-067 check | Content

Tue, 18 Nov 2008 12:22:54 GMT

This tool can be used to anonymously check if a target machine or a list of target machines are affected by MS08-067 issue (Vulnerability in Server Service Could Allow Remote Code Execution).

Usage

$ python ms08-067_check.py -h
Usage: ms08-067_check.py [option] {-t |-l }

Options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -d          show description and exit
  -t TARGET   target IP or hostname
  -l LIST     text file with list of targets
  -s          be silent

Example

$ python ms08-067_check.py -t 192.168.123.30
192.168.123.30: VULNERABLE

Note

On Windows XP Service Pack 2 and Windows XP Service Pack 3 this check might lead to a race condition and heap corruption in the svchost.exe process, but it may not crash the service immediately: it can trigger later on inside any of the shared services in the process.

References

udp-proto-scanner | Content

Wed, 26 Nov 2008 16:23:36 GMT

udp-proto-scanner.pl discovers UDP services by sending triggers to a list of hosts:

$ udp-proto-scanner.pl -f ips.txt
$ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1
$ udp-proto-scanner.pl -p ntp -f ips.txt

The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option:

$ udp-proto-scanner.pl -l

What's it Used For?

It's used in the host-discovery and service-discovery phases of a pentest.

It can be helpful if you need to discover hosts that only offer UDP services
and are otherwise well firewalled - e.g. if you want to find all the DNS
servers in a range of IP addresses. Alternatively on a LAN, you might want
a quick way to find all the TFTP servers.

Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond
unless you know a valid community string). However, many UDP services can be
discovered, e.g.:

DNS
TFTP
NTP
NBT
SunRPC
MS SQL
DB2
SNMPv3

It's Not a Portscanner

It won't give you a list of open and closed ports for each host. It's simply
looking for specific UDP services.

Efficiency

It's most efficient to run udp-proto-scanner.pl against whole networks (e.g.
256 IPs or more). If you run it against small numbers of hosts it will seem
quite slow because it waits for 1 second between each different type of probe.

One cool feature of udp-proto-scanner is that it doesn't load the whole host list
into memory. Therefore if you want to scan 17 million IPs, you can. It'll
take a while, but you won't run out of memory.

Credits

The UDP probes are mainly taken from amap, nmap and ike-scan.
Inspiration for the scanning code was drawn from ike-scan.
Net::Netmask by David Muir Sharnoff is included in this tool.

Apache Users | Content

Thu, 11 Sep 2008 11:22:18 GMT

This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

polenum | Content

Thu, 30 Oct 2008 11:54:12 GMT

polenum is a python script which uses the Impacket Library from CORE Security Technologies to extract the password policy information from a windows machine. This allows a non-windows (Linux, Mac OSX, BSD etc..) user to query the password policy of a remote windows box without the need to have access to a windows machine.

features

can extract password and associated information from a windows machine
will connect over a NULL or authenticated share
supports encrypted/signed sessions

limitations

no NTLMv2 support
has a problem with domain connected workstations

download

download polenum

vessl | Content

Thu, 30 Oct 2008 11:51:42 GMT

vessl is a simple wrapper script that connects, extracts and then verifies the ssl certificate of an encrypted service. It was originally written in order to script up the ability to verify ssl certificates across a large network.

features

vessl will connect to any service that openssl can
it will extract and verify against a given CA Pem file
it will check that certificate matches the host it is on
it produce a map going from ip's to hostname
checks to see if certificate is based on a blacklisted debian key

dependencies

openssl
ping
openssl-vulnkey
mktemp
CA Pem File

download

download vessl

BSQL Hacker | Content

Wed, 29 Oct 2008 15:28:02 GMT

BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

It allows metasploit alike exploit repository to share and update exploits.

Source Code Repository

Public SVN Server (including nightly builds development environment)

Download Installer

BSQLHackerSetup-0909.exe

Key Features

Easy Mode
- SQL Injection Wizard
- Automated Attack Support (database dump)
  - ORACLE
  - MSSQL
  - MySQL (experimental)
General
- Fast and Multithreaded
- 4 Different SQL Injection Support
  - Blind SQL Injection
  - Time Based Blind SQL Injection
  - Deep Blind (based on advanced time delays) SQL Injection
  - Error Based SQL Injection
- Can automate most of the new SQL Injection methods those relies on Blind SQL Injection
- RegEx Signature support
- Console and GUI Support
- Load / Save Support
- Token / Nonce / ViewState etc. Support
- Session Sharing Support
- Advanced Configuration Support
- Automated Attack mode, Automatically extract all database schema and data mode

Update / Exploit Repository Features
- Metasploit alike but exploit repository support
- Allows to save and share SQL Injection exploits
- Supports auto-update
- Custom GUI support for exploits (cookie input, URL input etc.)

GUI Features
- Load and Save
- Template and Attack File Support (Users can save sessions and share them. Some sections like username, password or cookie in the templates can be show to the user in a GUI)
- Visually view true and false responses as well as full HTML response, including time and stats

Connection Related
- Proxy Support (Authenticated Proxy Support)
- NTLM, Basic Auth Support, use default credentials of current user/application
- SSL (also invalid certificates) Support
- Custom Header Support

Injection Points (only one of them or combination)
- Query String
- Post
- HTTP Headers
- Cookies

Other
- Post Injection data can be stored in a separated file
- XML Output (not stable)
- CSRF protection support

one time session tokens or asp.net viewstate ort similar can be used for separated login sessions, bypassing proxy pages etc.

It's still beta and there are known issues :

Automated Attack for MySQL is experimental, might not work properly