Scapy with WiFi monitor (rfmon) mode on OS X

After taking the 617 SANS class in Orlando I got curious and wanted to get Scapy working natively on OS X rather than messing about with a virtual Linux image. A key motivator was the fact that I was running out of space on my MacBook Air and not only had to carry around an external USB WiFi adapter, but also a USB hard drive.

15 new nmap scripts

I just posted 15 new nmap scripts to the nmap-dev mailing list. For anyone curious to check them out, have a look over here. I’ve been working on these new scripts for a while and they add yet more database support to nmap, allowing users to perform password guessing against both Oracle and Informix servers. In addition, custom SQL queries can be made to Informix servers directly from nmap.

I’ve also created a number of scripts which can be useful when pen testing Lotus Domino. These scripts include support for collecting Internet password hashes and user ID files. ID files can be collected both as an authenticated user from the person web view or unauthenticated using the vulnerability CVE-2006-5835. Oh, and you can add Lotus Domino 8.5 to the list of vulnerable versions in that advisory. There are also two scripts that allow you to interact with the IBM Lotus Domino remote console. One script allows for password guessing, while the other one allows you to interact with the console once you’re authenticated.

There’s a tiny script in the zip file that supports querying for registered objects in an ORB Naming Service using the GIOP protocol.

Last but not least I’ve created a framework for other password guessing scripts to use. The framework runs using multiple worker threads and does all the looping, iteration and other basic logic used by most of my previous brute scripts.

The zip file included in the nmap-dev post can be downloaded from here. Please help me out testing the scripts so that they can be added to the Subversion version of nmap!

Nmap SIP version script

As I’ve been tinkering with VoIP for a while I decided to write a version detection script for Nmap. It’s my first stab at both Nmap scripting and the Lua programming language, so don’t expect too much. The limited tests I have made show that it does a reasonable job and returns any version information present in the server response. The script can be found here.

smbat CLK_TCK patch

I must say that I am somewhat surprised that people still use the smbat suite for Windows security testing. Since I am doing most Windows testing from Windows nowadays, I have found myself using alternative tools instead.

I have received numerous questions over time regarding compilation problems, the most common being: why does smbat fail to compile with the following error message?

error: ‘CLK_TCK’ undeclared (first use in this function)

This is because CLK_TCK has been deprecated and replaced by CLOCKS_PER_SEC, so current C libraries no longer define it. The following patch solves this problem. Apply it by running the following command from within the smbat directory:

patch -p1 < smbat_CLK_TCK.patch
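As an added illustration (this is example code written for this page, not the smbat patch itself, which is not reproduced here), the C below shows the shape of such a fix: a compatibility macro that maps the obsolete CLK_TCK name onto CLOCKS_PER_SEC whenever the libc no longer defines it, next to elapsed-time code written directly against the standard constant. The function names are made up for the example.

```c
#include <stdio.h>
#include <time.h>

/* Compatibility shim (example, not the smbat patch): legacy sources spell
 * the clock-tick constant CLK_TCK, which modern C libraries no longer
 * define.  Mapping it onto CLOCKS_PER_SEC lets such code compile without
 * editing every call site.  The #ifndef keeps platforms that still define
 * CLK_TCK (with whatever value they use) untouched. */
#ifndef CLK_TCK
#define CLK_TCK CLOCKS_PER_SEC
#endif

/* Preferred form: convert a clock() delta to seconds using the standard
 * constant, which is what the real fix replaces CLK_TCK with. */
double ticks_to_seconds(clock_t start, clock_t end)
{
    return (double)(end - start) / (double)CLOCKS_PER_SEC;
}

/* Legacy form kept compiling by the shim above.  Where CLK_TCK is defined
 * as CLOCKS_PER_SEC the two functions agree exactly. */
double ticks_to_seconds_legacy(clock_t start, clock_t end)
{
    return (double)(end - start) / (double)CLK_TCK;
}

/* Burn a little CPU and return the processor time consumed, in seconds.
 * The result is never negative; clock() is monotonic within a process. */
double time_busy_loop(unsigned long iterations)
{
    volatile unsigned long sink = 0;
    clock_t start = clock();
    for (unsigned long i = 0; i < iterations; i++)
        sink += i;
    clock_t end = clock();
    return ticks_to_seconds(start, end);
}

int main(void)
{
    printf("CLK_TCK resolves to %ld ticks per second\n", (long)CLK_TCK);
    printf("CLOCKS_PER_SEC is %ld\n", (long)CLOCKS_PER_SEC);
    printf("busy loop took %.6f s of CPU time\n", time_busy_loop(1000000UL));
    return 0;
}
```

The shim is the quick way to get an old tree building; the cleaner fix, and what a patch like the one above does, is to replace each CLK_TCK use with CLOCKS_PER_SEC so the code no longer depends on a name the standard has dropped.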

Extracting information from OScanner reports

Even though I have barely touched oscanner for the last couple of years, quite a few people apparently still use it as a basic scanner against Oracle. Some have complained a bit about the annoying XML reporting format. Some have complained even more, mostly about the hassle of getting any of the discovered users, passwords and version information out of the report.

Therefore, four years after the initial release, I am releasing two small utilities. One extracts a semicolon-separated list of the hostname, instance, username and password from a given report file. The other simply prints the hostname and the first line of the version banner retrieved from the database.

Installation is simple. Download the zip file to the oscanner installation directory and unzip it. The new tools take a single argument, the oscanner logfile:

java cqure.repeng.ExtractVersion oscanner_localhost_report.xml
java cqure.repeng.ExtractPasswords oscanner_localhost_report.xml

The tools are available here and have had very little testing, so don’t expect too much :)

Preparing for sec-t

Unfortunately I couldn’t make Vegas this year. According to friends and the slides I have been going through it looked as if there were quite a few really good and interesting talks this year at both Blackhat and Defcon.

I will be attending the first Swedish-based Sec-t security conference here in Stockholm, which I think might actually turn out really well. It will be held between the 11th and 12th of September.

I will be speaking in the last slot on Friday about what administrators can do in order to reduce the impact of web application vulnerabilities, i.e. system and application hardening.

More information regarding the event is available at the official web site.

OWASP – Sweden meeting

My presentation from the Swedish OWASP meeting the other day is now online.
I spoke about SQL injection (again), efficient UNION exploitation, OOB channels and DNS tunneling in MSSQL, Oracle and MySQL.

The presentation, DNS-server tool and a minimal cheat sheet can be found here.
I had a great time and enjoyed meeting friends and colleagues and listening to the other speeches.

MSSQLScan 0.8 released

I made some minor adjustments and bugfixes to the 0.7 release and released 0.8. MSSQLScan should now support a graceful shutdown on Ctrl-Break and no longer skip hosts when running out of sockets.

Get it here.