Online Penetration Testing Videos

I found this link to some really useful (but basic) videos online. They're particularly useful as they're tool-specific and give examples, rather than just discussing tools in a generic way. They may be a little to basic for more experienced testers, but they do also show some good tips and tricks you may not already know.

Business iPhone Use

Recently, Apple have been trying extra hard to increase their market share of the business space. Amid rumours of Apple server technology integrations around Snow Leopard Server, apple have are touting their iPhones as enterprise grade by highlighting apps that are integrated with enterprise-grade appliances. One such example is JUNOS Pulse, from Juniper Networks. This is an VPN client that negotiates sessions between the iPhone and the Juniper SA appliance. For more information see here.

How to Deploy HTTPS Correctly

I have found this guide on my Internet travels. It's incredibly well written, short and is a must-read for anyone deploying HTTPS, even experienced developers. Enjoy, http://goo.gl/lehmL

Programmable HID USB Keystroke Dongles (PHUKD)

(Inspired by blog entry on irongeek.com)

A topic I’ve wanted to blog about for a while is the use of PHUKDs as an attack vector in Penetration testing. Firstly, I’d like to discuss the background of how these devices work and why they have come into being.
A PHUKD is a USB device, which is configured in such a way that it is presented to the victim machine as a USB Keyboard/mouse. The reason this has been developed is so that even when the autorun.inf and U3s are disabled on a machine, malicious inputs can be delivered to the victim quickly, accurately and in an automated fashion. Therefore, the key benefits of these devices as delivery systems are that it cannot be blocked by U3 and autorun process blocking and keystrokes can be precompiled and run quickly on the target machine.
The key benefits to a pen tester as suggested by irongeek.com:

• Extremely fast keystrokes, without errors. This is important when physical access time to the target is limited.
• Works even if U3 autorun is turned off.
• Draws less attention than sitting down in front of the terminal would. The target turns their head for a minute, the pen-tester plugs in the PHUKD.
• The HID can also be set as a logic or time-bomb.
• It is possible to embed a hub and a flash drive in your package so that you have storage and the programmable USB HID into a single package.
• Embed your device in a USB toy or peripheral and give it to your target as a 'gift'. Packaging that looks like a normal thumb drive is also an option.
• After your Trojan USB device is in place, program it to "wake up", mount on-board storage, run a program that fakes an error to cover what it is doing (fake BSOD for example).

A detailed guide on creating PHUKDs is available on the link provided above to irongeek’s blog post and a really interesting video from Defc0n is included below. It’s also worth noting that it’s possible to integrate this attack using Metasploit. The full details of their Teensy USB HID Attack Vector are available here.

Adobe Reader Protect Mode

Back in July this year, Adobe announced the release of a new security framework which will add a greater level of security to their Reader application. Adobe Reader, which is widely known to be one of (if not the) largest threat vectors in terms of remote exploits, now employs a sandboxing technique to mitigate the attacker’s ability to run malicious code on the host. Adobe states that the new design has three major effects:

• All PDF processing such as PDF and image parsing, JavaScript execution, font rendering, and 3D rendering happens in the sandbox.
• Processes that need to perform some action outside the sandbox boundary must do so through a trusted proxy called a “broker process.”
• The sandbox creates a new distinction of two security principals: the user principal, which is the context in which the user’s logon session runs, and the PDF principal, which is the isolated process that parses and renders the PDF. This distinction is established by a trust boundary at the process level between the sandbox process and the rest of the user’s logon session and the operating system.

For more detailed information on this, Adobe has started a blog thread pertaining to this new approach, which can be found here.

Firesheep and BlackSheep

Recently, there has been a huge amount of coverage of the ‘Firesheep’ add-on for Firefox. If you have missed the kerfuffle, Firesheep is a Firefox add-on which enables sidejacking (HTTP session hijacking) to be exploited over open wireless networks. One of the key reasons that this has been so popular, is that it doesn’t require any technical expertise on behalf of the attacker, as logins are sent directly to a console within Firefox and can be visited (and the user logged-in) upon double-clicking. The author, Eric Butler, released the application in order to highlight poor coding practices on social networking sites, with a particularly big ‘poke’ to Facebook.

A response to this, from a slightly surprising source (Zscaler, a cloud-based web proxy / email filtering vendor), has been another Firefox add-on called ‘BlackSheep’. The Zscaler add-on can detect if someone is using Firesheep on the network.

"BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked. While Firesheep is largely passive, once it identifies session information for a targeted domain, it then makes a subsequent request to that same domain, using the hijacked session information in order to obtain the name of the hijacked user along with an image of the person, if available. It is this request that BlackSheep identifies in order to detect the presence of Firesheep on the network."

If BlackSheep identifies that a host has Firesheep installed on the network, it displays a banner indicating that someone has the add-on installed and shows their IP address (as below).



Un-ironically, BlackSheep and Firesheep cannot be installed on the same Firefox profile as they use a lot of the same code and will conflict.

Bye to BIOS

The end appears to be nigh for BIOS, as the 25-year-old start-up software is finally usurped by UEFI. According to its designers (the UEFI forum) “UEFI (Unified Extensible Firmware Interface) will be a specification detailing an interface that helps hand off control of the system for the pre-boot environment (i.e.: after the system is powered on, but before the operating system starts) to an operating system, such as Windows or Linux. UEFI will provide a clean interface between operating systems and platform firmware at boot time, and will support an architecture-independent mechanism for initializing add-in cards.”

In an interview with the BBC, Mark Doran, head of the UEFI Forum he described the antiquated BIOS as “up there with some of the physical pieces of the chip set that have been kicking around the PC since 1979". The new UEFI specification will be de facto in all new specification builds from early 2011 - watch this space! For more information see: UEFI Homepage.