Dirbuster::Parser 0.02 released!

October 19, 2009

Another module that I mentioned during my presentation at OWASP NYC was Dirbuster::Parser. This module provides an easy interface to Dirbuster data by parsing its XML output.

Here is an example of using Dirbuster Parser:

#!/usr/bin/perl -w
use strict;
use Dirbuster::Parser;

my $dpx = new Dirbuster::Parser;
my $parser = $dpx->parse_file('dirbuster.xml');
# a Dirbuster::Parser object
my @results = $parser->get_all_results();
# an array of Dirbuster::Parser::Result objects
foreach my $h ( @results ) {
     print "Type: " . $h->type . "\n";
     print "Path: " . $h->path . "\n";
     print "Response Code: " . $h->response_code . "\n";
}

Comments, suggestions and patches welcome!

Regards,
Jabra


Minor Updates for new modules

October 18, 2009

I received two bug reports today about Sslscan::Parser and Dirbuster::Parser. The bug reports said that I forgot to include Test::Class as a dependency for each of the modules. Therefore, I have updated both modules to version 0.02 to fix the issue.

The updated versions can be found here:

If anyone has any comments or suggestions on any of the modules I have released recently, please let me know. I’m happy to fix any bugs and improve the quality of the modules.

Regards,
Jabra


Sslscan::Parser 0.01 released!

October 17, 2009

Sslscan is a *nix utility for testing the SSL ciphers supported by services such as HTTP and SMTP. Building on my recent efforts to raise the bar for the industry, I built an XML parser for sslscan scan data in Perl. The module is called Sslscan::Parser.

Sslscan::Parser 0.01 can be found at:
http://search.cpan.org/~jabra/Sslscan-Parser-0.01/lib/Sslscan/Parser.pod

Here is an example using Sslscan::Parser:

#!/usr/bin/perl -w
use strict;
use Sslscan::Parser;

my $sslpx = new Sslscan::Parser;
my $parser = $sslpx->parse_file("test1.xml");
foreach my $h ( $parser->get_all_hosts() ) {
    print "ip: " . $h->ip . "\n";
    foreach my $p ( $h->get_all_ports() ) {
       print "port: " . $p->port . "\n";
       foreach my $i ( $p->get_all_ciphers() ) {
           print "version is " . $i->sslversion . "\n";
           print "cipher is " . $i->cipher . "\n";
           print "bits is " . $i->bits . "\n";
           print "status is " . $i->status . "\n";
       }
    }
    print "---\n";
}
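
As an added example (not code from this post or from the module’s distribution), here is a script built on the same Sslscan::Parser accessors that reports only the weak ciphers a service actually accepted, so the output is a finding list rather than a dump. It assumes status() returns the "accepted"/"rejected" strings that sslscan writes into its XML, and it treats SSLv2/SSLv3, anything under 128 bits, and NULL/export/anonymous suites as weak.

```perl
#!/usr/bin/perl -w
use strict;
use Sslscan::Parser;

# Assumed (not from the module docs): status() returns the "accepted" /
# "rejected" strings that sslscan writes into its XML.
my $file = shift @ARGV or die "usage: $0 sslscan.xml\n";
my $parser = Sslscan::Parser->new->parse_file($file);

my %weak;    # "ip:port" => list of weak ciphers the service accepted
foreach my $h ( $parser->get_all_hosts() ) {
    foreach my $p ( $h->get_all_ports() ) {
        my $svc = $h->ip . ':' . $p->port;
        foreach my $c ( $p->get_all_ciphers() ) {
            next unless lc( $c->status ) eq 'accepted';
            my @why;
            push @why, 'obsolete protocol' if $c->sslversion =~ /^SSLv[23]/i;
            push @why, 'under 128 bits'    if $c->bits < 128;
            push @why, 'NULL/export/anon suite'
                if $c->cipher =~ /NULL|EXP|ADH|AECDH/i;
            next unless @why;
            push @{ $weak{$svc} },
                sprintf( '%s %s (%s bits): %s', $c->sslversion, $c->cipher,
                $c->bits, join( ', ', @why ) );
        }
    }
}

# Exit non-zero when anything weak is accepted so a cron or CI wrapper notices.
if ( !%weak ) {
    print "No weak ciphers accepted.\n";
    exit 0;
}
foreach my $svc ( sort keys %weak ) {
    print "$svc\n";
    print "  $_\n" foreach @{ $weak{$svc} };
}
exit 1;
```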


Zone Transfer on OWASP.org and OWASP.com

October 16, 2009

While doing some testing on Fierce, a friend of mine noticed something interesting about the owasp.org and owasp.com nameservers. Both servers were configured to allow the zone to be transferred remotely. FAIL! To be fair, this isn’t going to give us a remote root shell easily. It just looks bad to preach security and not actually secure our own stuff. Come on guys, fix the nameservers for the sake of the community!

Who was pentesting this stuff??? Definitely wasn’t me…

Here are the details:

Zone transfer allowed on:

  • owasp.org
  • owasp.com

Nameservers:

  • ns1.secure.net
  • ns2.secure.net


$ dig owasp.org axfr @ns2.secure.net


; <<>> DiG 9.5.0-P2 <<>> owasp.org axfr @ns2.secure.net
;; global options: printcmd
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400
owasp.org. 86400 IN A 216.48.3.18
owasp.org. 86400 IN NS ns1.secure.net.
owasp.org. 86400 IN NS ns2.secure.net.
owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
*.owasp.org. 86400 IN CNAME owasp.org.
ads.owasp.org. 86400 IN A 216.48.3.26
austin.owasp.org. 86400 IN CNAME owasp.org.
calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
es.owasp.org. 86400 IN A 216.48.3.18
forums.owasp.org. 86400 IN A 216.48.3.19
google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.
jobs.owasp.org. 86400 IN CNAME owasp.org.
lists.owasp.org. 86400 IN A 216.48.3.22
lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.
localhost.owasp.org. 86400 IN A 127.0.0.1
mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
ml1lists.owasp.org. 86400 IN A 216.48.3.30
registration.owasp.org. 86400 IN CNAME owasp.org.
stage.owasp.org. 86400 IN A 216.48.3.20
voip.owasp.org. 86400 IN A 216.48.3.22
www.owasp.org. 86400 IN CNAME owasp.org.
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400
;; Query time: 227 msec
;; SERVER: 192.220.125.10#53(192.220.125.10)
;; WHEN: Fri Oct 16 18:48:47 2009
;; XFR size: 31 records (messages 1, bytes 801)


$ dig owasp.org axfr @ns1.secure.net


; <<>> DiG 9.5.0-P2 <<>> owasp.org axfr @ns1.secure.net
;; global options: printcmd
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400
owasp.org. 86400 IN A 216.48.3.18
owasp.org. 86400 IN NS ns1.secure.net.
owasp.org. 86400 IN NS ns2.secure.net.
owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.
owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
*.owasp.org. 86400 IN CNAME owasp.org.
ads.owasp.org. 86400 IN A 216.48.3.26
austin.owasp.org. 86400 IN CNAME owasp.org.
calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
es.owasp.org. 86400 IN A 216.48.3.18
forums.owasp.org. 86400 IN A 216.48.3.19
google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.
jobs.owasp.org. 86400 IN CNAME owasp.org.
lists.owasp.org. 86400 IN A 216.48.3.22
lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.
localhost.owasp.org. 86400 IN A 127.0.0.1
mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
ml1lists.owasp.org. 86400 IN A 216.48.3.30
registration.owasp.org. 86400 IN CNAME owasp.org.
stage.owasp.org. 86400 IN A 216.48.3.20
voip.owasp.org. 86400 IN A 216.48.3.22
www.owasp.org. 86400 IN CNAME owasp.org.
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400
;; Query time: 127 msec
;; SERVER: 192.220.124.10#53(192.220.124.10)
;; WHEN: Fri Oct 16 18:49:57 2009
;; XFR size: 31 records (messages 1, bytes 801)


$ dig owasp.com axfr @ns1.secure.net


; <<>> DiG 9.5.0-P2 <<>> owasp.com axfr @ns1.secure.net
;; global options: printcmd
owasp.com. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080301 86400 7200 2592000 86400
owasp.com. 86400 IN A 216.48.3.18
owasp.com. 86400 IN NS ns1.secure.net.
owasp.com. 86400 IN NS ns2.secure.net.
owasp.com. 86400 IN MX 10 216.48.3.22.owasp.com.
localhost.owasp.com. 86400 IN A 127.0.0.1
www.owasp.com. 86400 IN CNAME owasp.com.
owasp.com. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080301 86400 7200 2592000 86400
;; Query time: 112 msec
;; SERVER: 192.220.124.10#53(192.220.124.10)
;; WHEN: Fri Oct 16 18:52:53 2009
;; XFR size: 8 records (messages 1, bytes 244)

$ dig owasp.com axfr @ns2.secure.net


; <<>> DiG 9.5.0-P2 <<>> owasp.com axfr @ns2.secure.net
;; global options: printcmd
owasp.com. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080301 86400 7200 2592000 86400
owasp.com. 86400 IN A 216.48.3.18
owasp.com. 86400 IN NS ns1.secure.net.
owasp.com. 86400 IN NS ns2.secure.net.
owasp.com. 86400 IN MX 10 216.48.3.22.owasp.com.
localhost.owasp.com. 86400 IN A 127.0.0.1
www.owasp.com. 86400 IN CNAME owasp.com.
owasp.com. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080301 86400 7200 2592000 86400
;; Query time: 94 msec
;; SERVER: 192.220.125.10#53(192.220.125.10)
;; WHEN: Fri Oct 16 18:52:58 2009
;; XFR size: 8 records (messages 1, bytes 244)
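
In the spirit of the parser modules in the other posts, here is an added example (my own, not part of the post) that turns a captured dig AXFR transcript into a short exposure report for the zone owner: it counts records by type, counts the distinct names handed out, and flags the wildcard, the published loopback address and non-production names. The input is a constructed sample of records copied from the output above; the naming patterns it flags are my assumption.

```perl
#!/usr/bin/perl -w
use strict;

# Constructed sample: a few records copied from the dig output above. Replace
# @lines with <STDIN> to run it over a real `dig <zone> axfr @<ns>` capture.
my @lines = (
    '; <<>> DiG 9.5.0-P2 <<>> owasp.org axfr @ns2.secure.net',
    'owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400',
    'owasp.org. 86400 IN A 216.48.3.18',
    'owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"',
    '*.owasp.org. 86400 IN CNAME owasp.org.',
    'forums.owasp.org. 86400 IN A 216.48.3.19',
    'localhost.owasp.org. 86400 IN A 127.0.0.1',
    'stage.owasp.org. 86400 IN A 216.48.3.20',
    'owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400',
    ';; XFR size: 31 records (messages 1, bytes 801)',
);

my ( %by_type, %names, @flags );
my $soa = 0;
foreach my $line (@lines) {
    next if $line =~ /^;/ || $line =~ /^\s*$/;    # dig comments and blanks
    # dig prints: name TTL class type rdata (rdata may contain spaces)
    my ( $name, $ttl, $class, $type, $rdata ) = split /\s+/, $line, 5;
    next unless defined $rdata && $class eq 'IN';
    $soa++ if $type eq 'SOA';
    $by_type{$type}++;
    $names{$name}++;
    push @flags, "wildcard: $name -> $rdata"         if $name =~ /^\*\./;
    push @flags, "loopback address published: $name" if $rdata eq '127.0.0.1';
    # assumed naming convention for non-production hosts
    push @flags, "non-production name exposed: $name ($rdata)"
        if $name =~ /^(stage|staging|dev|test|uat)\./i;
}

# A completed AXFR starts and ends with the zone's SOA, so seeing it twice
# confirms the server handed out the whole zone.
print "AXFR completed: this nameserver allows zone transfers\n" if $soa == 2;
printf "%-6s %d\n", $_, $by_type{$_} foreach sort keys %by_type;
print "Distinct names exposed: ", scalar( keys %names ), "\n";
print "  $_\n" foreach @flags;
```

The fix the post asks for is to restrict transfers to the zone's own secondaries (in BIND, an allow-transfer list of secondary addresses or TSIG keys instead of any), after which the same dig command fails and the script reports no completed AXFR.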


Nikto::Parser 0.01

October 16, 2009

Recently, I released several new security modules on CPAN. One of them is Nikto::Parser. It provides a module for extracting information from nikto output so that users can build powerful web application testing tools. Nikto::Parser can be found here.

Here is an example of performing a nikto scan and then parsing the results with Nikto::Parser:


#!/usr/bin/perl -w
use strict;
use Nikto::Parser;

my $npx = new Nikto::Parser;
my @ips;
push(@ips, "127.0.0.1");
# arguments: path to the nikto checkout, extra nikto options, target IPs
my $parser = $npx->parse_scan("/pentest/svn/nikto/", "", @ips);
foreach my $h ( $parser->get_all_hosts() ) {
    print "ip: " . $h->ip . "\n";
    foreach my $p ( $h->get_all_ports() ) {
        print "port: " . $p->port . "\n";
        print "banner: " . $p->banner . "\n";
        foreach my $i ( $p->get_all_items() ) {
             print "Description:\n" . $i->description . "\n";
        }
    }
    print "---\n";
}


Burpsuite::Parser 0.01

October 15, 2009

Just to get everyone excited for my talk, “Synergy! A world where the tools communicate” at OWASP NYC today, I decided to release Burpsuite::Parser 0.01 a little early.

Here is an example of using the module:


#!/usr/bin/perl -w
use strict;
use Burpsuite::Parser;

my $bpx = new Burpsuite::Parser;
my $parser = $bpx->parse_file('burpsuite.xml');
# a Burpsuite::Parser object
my @results = $parser->get_all_issues();
# an array of Burpsuite::Parser::Issue objects
foreach my $h ( @results ) {
     print "Severity: " . $h->severity . "\n";
     print "Host: " . $h->host . "\n";
     print "Name: " . $h->name . "\n";
     print "Path: " . $h->path . "\n";
     print "Proof of Concept:\n " . $h->issue_detail . "\n";
}

Version 0.01 of the module can be found at http://search.cpan.org/~jabra/Burpsuite-Parser-0.01/lib/Burpsuite/Parser.pod

One thing to note: all of the requests/responses are automatically included in the XML. To reduce its size, it may be helpful to export an XML file without them; this will make parsing faster.

Enjoy!
Jabra


Physical Security Fail!

October 14, 2009

Last night, I was thinking of a good example of a physical security failure that the average person could understand.

Then I remembered “The Robber” episode from Seinfeld in which Kramer leaves the door to Jerry’s apartment open.

Jerry: You left the lock open or the door open?

Kramer: The door. You have insurance, don’t you?

Jerry: No, I spent it on the lock. It has only one flaw: The door must be closed!

Epic security fail!!!


Burpsuite::Parser Example Script

October 12, 2009

For those who don’t already know… Portswigger released XML support for Burpsuite last week! Once I heard about this, I started working on a Perl XML parsing module. After the long weekend I have a version that is ready to be considered alpha quality. I plan to release the beta version on October 15th during my presentation at OWASP NYC. Here is an example script demonstrating how easy it is to use Burpsuite::Parser:

#!/usr/bin/perl -w
use strict;
use Burpsuite::Parser;
my $bparser = new Burpsuite::Parser;
my $file;
if ( $ARGV[0] ) {
    $file = $ARGV[0];
}
else {
    print "usage: $0 [file.xml]\n";
    exit;
}
my $parser = $bparser->parse_file("$file");
foreach my $h ( $parser->get_all_issues() ) {
    print "Type: " . $h->type . "\n";
    print "Serial: " . $h->serial_number . "\n";
    print "Severity: " . $h->severity . "\n";
    print "Host: " . $h->host . "\n";
    print "Name: " . $h->name . "\n";
    print "Location: " . $h->location . "\n";
    print "Path: " . $h->path . "\n";
    print "Issue Background: " . $h->issue_background . "\n";
    print "Remediation Background: " . $h->remediation_background . "\n";
    print "Issue Detail: " . $h->issue_detail . "\n";
}
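
As an added example serving both Burpsuite::Parser posts on this page (it is my own script, not part of the module), here is a triage report built on the same get_all_issues() accessors: it counts issues per host and severity, lists the distinct issue names, and drops everything below a chosen minimum severity so the request/response detail never has to be printed. It assumes severity() returns Burp’s strings High, Medium, Low and Information.

```perl
#!/usr/bin/perl -w
use strict;
use Burpsuite::Parser;

# Assumed: severity() returns Burp's "High", "Medium", "Low" or "Information".
my ( $file, $min ) = @ARGV;
die "usage: $0 burpsuite.xml [High|Medium|Low|Information]\n" unless $file;
$min ||= 'Low';

my %rank = ( High => 3, Medium => 2, Low => 1, Information => 0 );
die "unknown severity '$min'\n" unless exists $rank{$min};

my $parser = Burpsuite::Parser->new->parse_file($file);
my %count;    # host => severity => number of issues
my %names;    # host => severity => { issue name => occurrences }
foreach my $i ( $parser->get_all_issues() ) {
    my $sev = $i->severity;
    next unless exists $rank{$sev} && $rank{$sev} >= $rank{$min};
    $count{ $i->host }{$sev}++;
    $names{ $i->host }{$sev}{ $i->name }++;
}

# Highest severity first within each host; names deduplicated per severity.
foreach my $host ( sort keys %count ) {
    print "$host\n";
    foreach my $sev ( sort { $rank{$b} <=> $rank{$a} } keys %{ $count{$host} } ) {
        printf "  %-11s %3d issue(s): %s\n", $sev, $count{$host}{$sev},
            join( '; ', sort keys %{ $names{$host}{$sev} } );
    }
}
```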

DM me on Twitter (jabra) if you would like to help test the module.

Regards,
Jabra


Client-Side Certs – Oh my!

October 12, 2009

One of the techniques demonstrated during the BlackHat/DefCon talk I gave with RSnake was utilizing client-side certificates. Client-side certificates allow a client to gain a certain amount of trust with the server to which it is connecting. They are used by companies that don’t want to worry about using tokens, so instead they use client-side certificates. Client-side certificates are also used by several SSL VPN devices.

To demonstrate client-side certificates, I first needed to create a few certificates so the client could connect to the server.

Using openssl, I created the certificate:
openssl req \
-x509 -nodes -days 365 \
-newkey rsa:1024 -keyout mycert.pem -out mycert.pem

Next, I needed to set up the server to use the certificate. I started thinking about the easiest way to accomplish this goal. It occurred to me that instead of using Apache, I should use the built-in web server in openssl. This made setup easier, since I replaced Apache with a single command.

Here is an example:
openssl s_server -accept 443 -cert mycert.pem -www -verify 10

Finally, I set up a client and verified that the browser contained a client-side certificate for ANOTHER server. Therefore, there is no trust relationship between the public key within the client’s browser and the openssl server. The key point is that the browser will ask to send the public key every time! The only thing an attacker needs to do is listen on the wire and intercept the public key.

Now you may ask, “who cares about the information in a public key?” Well, client-side certificates can contain the following information:

  • Email Address (perhaps a valid username)
  • Hostname and maybe OS of the server
  • Date the Certificate was Issued
  • Date the Certificate Expires

Sometimes, the email address being used contains the user’s name. For example, many organizations standardize on a common email schema to construct email addresses. For example, they may use some variation of the first and last name of the employee.

Example:

  • [firstname].[lastname]@domain.com
  • [firstname]-[lastname]@domain.com
  • [firstname]_[lastname]@domain.com

If this is the case, an attacker can extract this information, and now the attacker knows the user’s full name. For the purposes of achieving remote access, it is only a piece of the puzzle.
The next piece of information is the date the certificate expires. Since we know a valid email address, it is possible this is also a valid username for network-based attacks. Putting the username and dates together means that the attacker has a greater likelihood of performing a successful attack.


OWASP NYC – Raising the bar on Pentesting!

October 11, 2009

I will be giving a talk at OWASP NYC/NJ this coming Thursday (October 15, 2009). The talk is heavily focused on improving the penetration testing process. It is important for the tools used during a penetration assessment to communicate, because that allows the assessment to streamline many of the tasks that have been manual in the past. The goal of this presentation is to discuss the need for communication between security tools and to demonstrate several examples in which integration can reduce the amount of time spent manually correlating information. This will improve the penetration testing process! If you were to perform an assessment manually (i.e. without any tools communicating) and compare the results to an assessment in which all the tools were communicating, the results would clearly demonstrate that communication between tools leads to a better assessment. Therefore, all security assessments need to move in this direction.

For this presentation, I will be demonstrating several modules that I have been working on to provide communication abilities to many of the most popular security testing tools for pentesting and web application security assessments. This presentation will be filled with tons of new tools and modules that I will be releasing for the first time. Many of these tools will make pentesting easier and help automate many of the tedious tasks of security testing.

I look forward to hanging out with people after the talk and getting their feedback on ways to improve the functionality that I have built.

-Jabra