Category Archives: cqure.net

New blog

I have launched a new blog with “random thoughts about random things” … The reason I’m launching a new site when I can barely keep up with this one is that I want to keep this one security oriented while keeping the new one a bit more “random”. The new blog can be found here http://patrik.cqure.net.

I’m guessing we might have two outdated blogs in a couple of weeks 🙂

Simplifying enumeration by error messages

I have been experimenting with SQL injection and information enumeration through error messages for a while.
The idea was to simplify the process of extracting data so that very little application logic is needed to perform the task. Ideally, a simple 3-5 line bash script wrapping wget or curl should do the trick.


MSSQLScan 0.6 release

I finally got around to publishing a tool, which, for a number of reasons, has not happened for quite some time. The MSSQLScan tool scans for Microsoft SQL Server *surprise*. It does so over UDP, which means it can discover servers either by hitting a broadcast address or by querying each host individually. This makes sure you find all instances, including servers that no longer listen on TCP port 1433 because of dynamic port allocation.

As usual, you’re more than welcome to provide me with feedback, suggestions or bug reports.

T2 Security Conference

I attended the T2 security conference last Friday, where I presented a talk on SQL injection and out-of-band channelling. Unfortunately I wasn’t able to stay for the whole conference, but the talks I attended were very good. Make sure to check it out next year. Hopefully, I will have a chance to publish my updated slides during this week.

Oracle 11g password security

Finally, Oracle has made changes to the way they store passwords. Oracle 11g introduces a new hashing algorithm (SHA-1), supports mixed-case passwords and adds salts to the stored hashes. This all sounds great EXCEPT that the old, weaker hashes are still being stored in the sys.user$ table next to the new ones.

It seems as if several different people have been looking into this at more or less the same time and have documented their efforts. One of them is Pete Finnigan http://www.petefinnigan.com/weblog/archives/00001097.htm. Recurity Labs have done a more technical analysis of the 150MB Oracle Linux binary http://www.phenoelit.net/lablog/oracle.sl and conclude their work with this excellent comment:

“And we would like to welcome Oracle Corp. in the year 2007, the century of highly advanced, mixed-case passwords. 🙂 It should be noted that Oracle, in fine tradition, makes the same mistake Microsoft did a decade ago when they put the insecure LANMAN hash next to the brand new NTLM one. The table sys.user$ still holds the case insensitive DES encrypted password version next to the new one.”
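To make the LANMAN comparison concrete: the 11g value in sys.user$.spare4 is "S:" followed by 40 hex digits of SHA-1(password || salt) and 20 hex digits of the 10-byte salt, so it is case-sensitive and salted, while the pre-11g value in sys.user$.password is a 16-hex-digit DES-based hash computed over the upper-cased username and password, with no salt. An attacker who can read both simply ignores the new one. The following added example (not code from the post or from Oracle) builds and verifies the 11g format and flags accounts that still carry the old hash beside it; the sample rows, salt and passwords are constructed, and the PASSWORD column value only has to look like a pre-11g hash for the check.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional, Tuple

# 11g layout in sys.user$.spare4: "S:" + SHA-1(password || salt) as 40 hex + 10-byte salt as 20 hex.
SPARE4_RE = re.compile(r"^S:([0-9A-F]{40})([0-9A-F]{20})$")
# Pre-11g layout in sys.user$.password: 16 hex digits (DES-based, case-insensitive, unsalted).
OLD_HASH_RE = re.compile(r"^[0-9A-F]{16}$")


def make_11g_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a spare4-style 11g hash; a random 10-byte salt is used unless one is given."""
    salt = os.urandom(10) if salt is None else salt
    if len(salt) != 10:
        raise ValueError("11g salt must be 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def verify_11g(spare4: str, candidate: str) -> bool:
    """Check a candidate against a spare4 value. Case matters here, unlike the old hash."""
    m = SPARE4_RE.match(spare4)
    if m is None:
        raise ValueError("not an 11g 'S:' hash")
    digest_hex, salt_hex = m.groups()
    got = hashlib.sha1(candidate.encode("utf-8") + bytes.fromhex(salt_hex)).hexdigest().upper()
    return hmac.compare_digest(got, digest_hex)


def accounts_with_downgrade_hash(rows: Iterable[Tuple[str, Optional[str], Optional[str]]]) -> List[str]:
    """Names of accounts that carry the old 16-hex hash alongside an 11g hash.

    `rows` stands in for: SELECT name, password, spare4 FROM sys.user$
    An account that appears here is no better protected than it was under 10g.
    """
    flagged = []
    for name, password, spare4 in rows:
        has_old = bool(password) and OLD_HASH_RE.match(password) is not None
        has_new = bool(spare4) and SPARE4_RE.match(spare4) is not None
        if has_old and has_new:
            flagged.append(name)
    return flagged


# Constructed sample rows (not dumped from a real database).
SAMPLE_SALT = bytes.fromhex("00112233445566778899")
SAMPLE_ROWS = [
    ("SCOTT", "F894844C34402B67", make_11g_hash("Tiger", SAMPLE_SALT)),   # both hashes present
    ("APPUSER", None, make_11g_hash("Sup3rSecret", SAMPLE_SALT)),         # 11g hash only
]

if __name__ == "__main__":
    h = make_11g_hash("Tiger", SAMPLE_SALT)
    print(h)
    print("Tiger ->", verify_11g(h, "Tiger"), " TIGER ->", verify_11g(h, "TIGER"))
    print("accounts still exposing a case-insensitive hash:", accounts_with_downgrade_hash(SAMPLE_ROWS))
```

The check is only meaningful if the new hash is actually being enforced: on 11g the init parameter sec_case_sensitive_logon controls whether logons are case-sensitive at all, so an audit should read that parameter as well as the table. Either way, as long as the PASSWORD column is populated, anyone with SELECT on sys.user$ (or a copy of the data files) gets the weak hash for free.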

Passing-the-hash for everyone

Core Security released their PSH (pass-the-hash) toolkit today. Even though the concept of passing the hash is old, few tools putting it into practice have been available to the public. A number of companies working within the security industry have had their own tools, some being more proud of them than others 😉 I myself attempted to write a generic proxy implementation for this in 2001 and published it here on cqure.net. It worked all right at the time, but has not done so for quite a while now.

In short, passing the hash allows you to extract password hashes from a Windows system and use those hashes, without ever knowing or cracking the passwords, to authenticate to other Windows systems on which accounts share the same password. The risk associated with this should be obvious to most people.

Defcon 15 again

Even though I missed some of the great presentations at Defcon, I had a chance to see quite a few. Here is a brief summary of the most inspiring ones.

“MQ Jumping” by Martyn Ruks. This was a great presentation on IBM WebSphere MQ and some of its security problems. Martyn presented a number of ways to remotely own an unhardened MQ installation using some in-house developed tools. He mentioned publishing the Python classes and some sample code once he got back, so keep an eye out for that.

“CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript” by Daniel Peck and Ben Feinstein. The topic says it all! The tool (CaffeineMonkey) is released under GPL3 and is available here. The talk was pretty impressive, especially the parts where malicious JavaScript was illustrated in graphs showing the number of times specific function calls were made. This allowed malicious JavaScript to be pinpointed just by looking at the graphs.

“HoneyJax (AKA Web Security Monitoring and Intelligence 2.0)” by Dan Hubbard. A very entertaining talk on deploying bots in web communities to help identify and track malicious code. The audience was introduced to both passive and active bots, both of which were used to collect data in the environment and alert in case of suspicious activity. A talk on a very interesting topic delivered by a great speaker with the right amount of humor.