<p><b>Taddong - Security in Depth</b> (blog feed by Raul Siles, retrieved 2024-02-21)</p>
<p><b>After almost four years, Taddong’s expedition comes to an end…</b> (2013-11-11)</p>
<p>Much like the four historic and meritorious expeditions to the Challenger Deep reached their destination, today we announce that Taddong's adventures will hit bottom in December 2013.</p>
<p>Almost four years ago we embarked on a journey that has allowed us to meet the challenges we set ourselves at the outset. We left the surface and delved deep into the security of a range of current, complex information technologies, through research activities and our professional services.</p>
<p>We hope we have been able to shed some light on the areas of information security we have worked on, through direct collaboration, by sharing our findings and knowledge at security conferences, and through the posts in <a href="http://blog.taddong.com/">our blog</a> and the tools and articles we published in <a href="http://www.taddong.com/en/lab.html">our lab</a>.</p>
<p>As of 2014, Taddong's members will start two new adventures, motivated by the quest for new and more advanced technical challenges and committed to continuing their journey to find, who knows, new abysses or deeper places than the ones found to date.</p>
<p>David and Jose will continue their activities from <a href="http://www.layakk.com/">Layakk</a>, whereas Monica and Raul will do so from <a href="http://www.dinosec.com/">DinoSec</a>. If you want to stay informed about our activities, don't hesitate to follow us on our (personal and professional) web pages, blogs and Twitter accounts:</p>
<ul style="list-style: disc; margin-left: 100px;">
<li>LAYAKK: <a href="http://www.layakk.com/">www.layakk.com</a> (<a href="http://blog.layakk.com/">blog.layakk.com</a>) <a href="http://www.twitter.com/layakk">@layakk</a></li>
<br />
<li>DinoSec: <a href="http://www.dinosec.com/">www.dinosec.com</a> (<a href="http://blog.dinosec.com/">blog.dinosec.com</a>) <a href="http://www.twitter.com/dinosec">@dinosec</a></li>
<br />
<li style="list-style: circle; margin-left: 40px;">Raúl Siles: <a href="http://www.raulsiles.com/">www.raulsiles.com</a> <a href="http://www.twitter.com/raulsiles">@raulsiles</a></li>
</ul>
<p><i>Posted by info</i></p>
<p><b>iStupid: Advanced Usage</b> (2013-06-09)</p>
This is a follow-up to the original <a href="http://blog.taddong.com/2013/05/istupid.html">iStupid introduction</a> and the <a href="http://blog.taddong.com/2013/05/istupid-setup-basic-usage.html">iStupid setup & basic usage</a> blog posts. The simplest way to launch iStupid is to specify only the local Wi-Fi interface in monitor mode (e.g. mon0). However, this is not very useful for the main purpose of the tool, as it will announce a random SSID (or network name) that is unlikely to match any entry in the PNL of the target iOS mobile device:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMbsK-w3pyZUAcIWJ88PqGaNDAb7dm8nDM3p5McvqXcKl1PH3_iGzNXpBgM51DQVlNGmL84Z68QMvoyDT6RicmMAmAxMSHmfE1rBX1-lqW_uyDLzjEAZ3mCaPMuHXKIPe9iObcKMSIFGJ2/s1600/iStupid_simplest.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMbsK-w3pyZUAcIWJ88PqGaNDAb7dm8nDM3p5McvqXcKl1PH3_iGzNXpBgM51DQVlNGmL84Z68QMvoyDT6RicmMAmAxMSHmfE1rBX1-lqW_uyDLzjEAZ3mCaPMuHXKIPe9iObcKMSIFGJ2/s1600/iStupid_simplest.png" /></a></div>
<br />
The "-v" (verbose) option lets you see that iStupid is continuously generating 802.11 beacon frames (it prints dots as it sends 802.11 frames; see the image above) and can be combined with any other option.<br />
<br />
iStupid also lets you set the channel ("-c" option) of the impersonated Wi-Fi network (not required, since Wi-Fi clients scan for networks and send probe requests on all channels), specify the BSSID of the Wi-Fi network via the "-b" option (random by default), set the beacon interval ("-i" option; 100 ms by default), and set the 802.11 rates (11b or 11g; "-t" option). The "-h" option prints the help with all the details about these command line switches.<br />
<br />
The most interesting command line switch is "-m". When "-m" is used, iStupid monitors the probe requests that Wi-Fi clients send for the very SSID it is announcing. This lets iStupid automatically identify the security type of the Wi-Fi network stored on the target iOS mobile device for a given SSID, complementing the manual security type detection process described in the <a href="http://blog.taddong.com/2013/05/istupid-setup-basic-usage.html">iStupid basic usage</a> blog post.<br />
<br />
To use iStupid's automatic detection through the "-m" option quickly and accurately, and given the way iOS mobile devices scan for Wi-Fi networks (based on the research I performed), first make sure the iOS device cannot currently connect to any nearby network (turn off the known Wi-Fi access points, if any). Then execute these steps in the following order:<br />
<ol>
<li>Disable the Wi-Fi interface in the target iOS device.</li>
<li>Launch iStupid with the desired options (e.g. "--loop" and "-m").</li>
<li>Enable the Wi-Fi interface in the target iOS device. </li>
</ol>
After the Wi-Fi interface is turned on, the iOS mobile device starts scanning for the currently available Wi-Fi networks, finds the network impersonated by iStupid and, if that network is in its PNL (same name and security type), sends specific 802.11 probe requests for it. As a result, iStupid prints the MAC address of the iOS device. iStupid can monitor a single Wi-Fi client MAC address (e.g. "-m 00:01:02:03:04:05") or multiple clients, in practice all nearby clients, through the "-m ff:ff:ff:ff:ff:ff" option.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxh4ifPMyHhhZka5VBEkHzt4R5HAV_CKz97wfLHOp6IErGCthD9E2TYgevO1RB6xR7UOP7K4S3aypX925lH4yT111i9AjuZe9dvcwrknCdAAenkvyZYVLYu-fPwGHtwiRBG9_1yjO9DuwC/s1600/iStupid_loop_one_client.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxh4ifPMyHhhZka5VBEkHzt4R5HAV_CKz97wfLHOp6IErGCthD9E2TYgevO1RB6xR7UOP7K4S3aypX925lH4yT111i9AjuZe9dvcwrknCdAAenkvyZYVLYu-fPwGHtwiRBG9_1yjO9DuwC/s1600/iStupid_loop_one_client.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijeC9HeFp-njJa2AhyaDXf5DqKf1VA9Y5cH97t3BuCNmMlV4PDkTEBXN9-sBb87CCUfFp1nFRRPTsiTtRUkUs6T1m4LkUmnyTifyS3C2m9Tt-NNO1JwlRPXkolizgAmEDEpsgoz32S-Az7/s1600/iStupid_loop_any_client.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijeC9HeFp-njJa2AhyaDXf5DqKf1VA9Y5cH97t3BuCNmMlV4PDkTEBXN9-sBb87CCUfFp1nFRRPTsiTtRUkUs6T1m4LkUmnyTifyS3C2m9Tt-NNO1JwlRPXkolizgAmEDEpsgoz32S-Az7/s1600/iStupid_loop_any_client.png" /></a></div>
<br />
As the network security type is initially unknown, combining the "-m" and "--loop" options makes iStupid iterate through the different security types; once the iOS device recognizes the announced network as one in its PNL, it specifically probes for it and its MAC address is displayed to the right of the corresponding security type, automatically disclosing the security type of the legitimate network [0].<br />
<br />
Additionally, the time iStupid spends on each security type can be adjusted through the "--loop_interval" option. The default value of 30 seconds works well, since it gives iOS devices time to rescan for new Wi-Fi networks.<br />
<br />
Once the security type of the network has been identified, you can delete the network from the device PNL right away, or relaunch iStupid with that specific security type (instead of "--loop") and proceed to delete the associated entry from the hidden PNL... slowly :-)<br />
<br />
Something else I discovered while developing iStupid is that iOS may show odd GUI behavior when the same network name keeps switching between security types: the lock icon that marks a network as "secure" may dance, that is, show up at the top left of the network name :-)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJvVQ38EcnL2EsRcABFbBwx64ww9S0n-ZejuaBMTGZAaXnUKqCNlJ022ZxVTQ_CypTZshSMB2LVuusMq0ba15aYeVJv4SEXSEkyhle49g-QUIVS96zxO20k9s0tyIR93JGkTSOEmRwVG3S/s1600/iOS_lock_dancing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJvVQ38EcnL2EsRcABFbBwx64ww9S0n-ZejuaBMTGZAaXnUKqCNlJ022ZxVTQ_CypTZshSMB2LVuusMq0ba15aYeVJv4SEXSEkyhle49g-QUIVS96zxO20k9s0tyIR93JGkTSOEmRwVG3S/s200/iOS_lock_dancing.png" /></a></div>
<br />
iStupid can nowadays also be used to manage and remove entries from the hidden PNL of Windows 8, although you can use the "netsh" command line tool (e.g. "netsh wlan show profiles") or the <a href="http://www.thewindowsclub.com/wifi-profile-manager-windows-8">WiFi Profile Manager 8</a> graphical tool as well (<i>Thanks Dennis Weber - Bechtle BISS - for the heads up!</i>). Surprisingly, Windows 8 does not include the "Manage wireless networks" option available in the "Network and Sharing Center" of Windows 7. Nor does it include the "advanced" button that allows managing the PNL in Windows Phone 8 (see slide 8 of my <a href="http://www.taddong.com/en/lab.html#Rooted2013WiFi">RootedCON 2013 presentation</a> for a sample screenshot). As with iOS, only when the Wi-Fi network is in range can you right-click on it in the list of currently available networks of the default Windows 8 graphical interface and access the advanced options to manage the PNL.<br />
<br />
<b>Shameless plug</b>: <i>I will be teaching the 6-day SANS SEC575 training, "SEC575: Mobile Device Security and Ethical Hacking", in </i><a href="https://www.sans.org/event/tokyo-autumn-2013/course/mobile-device-security-ethical-hacking"><i>Tokyo (October 21-26, 2013)</i></a><i> and <a href="https://www.sans.org/event/london-2013/course/mobile-device-security-ethical-hacking">London (November 18-23, 2013)</a>.</i><br />
<br />
[0] <i>iStupid does not use advanced multi-thread locks and synchronization, so the MAC address of the Wi-Fi client could potentially be printed next to an adjacent security type. This can also occur if the target iOS device decides to probe for the network at any given moment, such as when it wakes up from an idle state.</i><br />
<br />
<p><i>Raul Siles</i></p>
<p><b>iStupid: Setup & Basic Usage</b> (2013-05-31)</p>
<b>iStupid</b>, <b><u>i</u>ndescreet <u>S</u>SID <u>t</u>ool (for the) <u>u</u>nknown <u>P</u>NL (on) <u>i</u>OS <u>d</u>evices</b>, is a Python-based tool for Linux that allows deleting Wi-Fi network entries from the hidden PNL of iOS mobile devices. For more details see <a href="http://blog.taddong.com/2013/05/istupid.html">the original iStupid blog post</a>; the tool can be downloaded, as usual, from <a href="http://www.taddong.com/en/lab.html#iStupid">Taddong's lab</a>. <br />
<br />
<u><b>Setup & Requirements</b></u><br />
iStupid runs directly on some of the most popular security Linux distributions, such as <a href="http://www.kali.org/">Kali Linux</a>, <a href="http://www.backtrack-linux.org/">BackTrack</a> Linux (BT5R3), <strike>or <a href="http://sourceforge.net/projects/mobisec/">MobiSec</a> (v1.1)</strike> [0]. If you are interested in running iStupid on a different Linux system, the two main requirements are <a href="http://www.python.org/">Python</a> 2.7.x and <a href="http://www.secdev.org/projects/scapy/">Scapy</a>. The next two commands let you easily check the Python and Scapy versions (e.g. on Kali):<br />
<span style="font-family: Courier New, Courier, monospace;"><span style="font-size: small;"># python -V<br />Python 2.7.3<br /># dpkg -l | grep -i scapy<br />ii python-scapy 2.2.0-1 all Packet generator/sniffer and network scanner/discovery</span> </span><br />
<br />
Before running iStupid you need to put your Wi-Fi network interface or card in monitor mode. You can use the well-known "airmon-ng start wlan0" command (from the aircrack-ng suite) or, preferably, the following Linux commands, adjusting your network interface names accordingly (e.g. phy11, wlan0, and mon0):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwcYJ6VvehyphenhyphenNzNCugniKCJpXRDc5CgvGGsdLbbHkv60DAiA6tlPBV9QviELaDyejttr2MovBA9LMKGFdSdjvQlbw7Yz85GNIPVcecno1WOwN7FsKpoEtzD8L6oFHsgDwiwpd2QxWSXvgXL/s1600/Monitor_mode.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwcYJ6VvehyphenhyphenNzNCugniKCJpXRDc5CgvGGsdLbbHkv60DAiA6tlPBV9QviELaDyejttr2MovBA9LMKGFdSdjvQlbw7Yz85GNIPVcecno1WOwN7FsKpoEtzD8L6oFHsgDwiwpd2QxWSXvgXL/s1600/Monitor_mode.png" /></a></div>
<br />
<u><b>Usage</b></u><br />
<br />
To run iStupid (as root or via "sudo") you simply need to provide the SSID (or network name) of the Wi-Fi network to impersonate (through the "-s" option) and the local monitor-mode Wi-Fi network interface (e.g. mon0):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjFT-v1GIslGkIAixm89J2l2FI0mBFOenqn5OqdvFo95HuKtd6Kbi_gxFOPNRbODWBZ3FO2Cs2rTgPDbSGTuOWPpxSWP4El_WZES7NKJ4KDI6aYbMqpVWuXfo_jJb-FRwy1fkO5IxJKblL/s1600/iStupid_basic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjFT-v1GIslGkIAixm89J2l2FI0mBFOenqn5OqdvFo95HuKtd6Kbi_gxFOPNRbODWBZ3FO2Cs2rTgPDbSGTuOWPpxSWP4El_WZES7NKJ4KDI6aYbMqpVWuXfo_jJb-FRwy1fkO5IxJKblL/s1600/iStupid_basic.png" /></a></div>
<br />
In the example above, iStupid makes a Wi-Fi network called "Taddong" appear to be available, allowing you to delete it from iOS mobile devices. The default security type of the network is OPEN, very common for public Wi-Fi networks and hotspots. However, the Wi-Fi network security type can easily be changed by specifying one of the security options: OPEN (--open), WEP (--wep), WPA-Personal (--wpa), WPA2-Personal (--wpa2), WPA-Enterprise (--wpa-enterprise), or WPA2-Enterprise (--wpa2-enterprise). Example for a WPA2-Personal (or PSK) network:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ4w-7gwx_1wnofS05KdMY6r1n-3NbZf5zqTnNyq573snrPp8nFjplli6O2wkqR7Kx6s8X6DmrzeH0LA-BTXsA7U_y1iExjmz_Y4xFORsiqRSE1ZTeSf6BQVrjZWt2d4mgNlxpgXaKGjZu/s1600/iStupid_basic_wpa2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ4w-7gwx_1wnofS05KdMY6r1n-3NbZf5zqTnNyq573snrPp8nFjplli6O2wkqR7Kx6s8X6DmrzeH0LA-BTXsA7U_y1iExjmz_Y4xFORsiqRSE1ZTeSf6BQVrjZWt2d4mgNlxpgXaKGjZu/s1600/iStupid_basic_wpa2.png" /></a></div>
<br />
Therefore, the first requirement for removing a Wi-Fi network from an iOS mobile device is to know at least the name of the Wi-Fi network you connected to in the past, which was saved in the hidden PNL. As a recommended practice, every time you connect to a new network you could take a screenshot of the Wi-Fi screen on iOS (by pressing the Power and Home buttons simultaneously) so as to easily remember the network name:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjybWtBm25zA4tVVw6jZhn4AH0O9sK-FDCH_kZTp6xkipnCxHWChKqooE8jRddbHcHka0t5mDta2O7GyAffREF7iTwp92HLVM9bJgoajnsWnWs2UrnLvdcpQfuyNzGymaxwrBPQLFgmcdjO/s1600/Wi-Fi_srcreenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjybWtBm25zA4tVVw6jZhn4AH0O9sK-FDCH_kZTp6xkipnCxHWChKqooE8jRddbHcHka0t5mDta2O7GyAffREF7iTwp92HLVM9bJgoajnsWnWs2UrnLvdcpQfuyNzGymaxwrBPQLFgmcdjO/s320/Wi-Fi_srcreenshot.png" height="320" width="213" /></a></div>
<br />
The second requirement is to know the Wi-Fi network security type. A very common scenario for end users is to remember the SSID they connected to and (at most) whether it was an open or a secure network. Unfortunately, if it was a secure network, iOS does not help the user differentiate between the multiple security types, as all of them are represented by the same lock icon (see the image above). <br />
<br />
For this reason, iStupid implements the "--loop" option. When used, iStupid loops through the different security types, spending 30 seconds on each of them by default. This amount of time allows iOS to re-scan for new networks and identify the new security type, allowing you to manually remove the associated entry from the hidden PNL:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1_TjBncMy60h286tv7sNm8-f0l0IxSwH9JWuRQbyXvfkJijqZBaDm7_P1S7oPc9oYEy56-pVpjMtcNYaRbe59yBtcyBd3tlMED46NLnfqxHYkp0m8gT9afwCRucMoVLjFJhU5fXtJdGrI/s1600/iStupid_loop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1_TjBncMy60h286tv7sNm8-f0l0IxSwH9JWuRQbyXvfkJijqZBaDm7_P1S7oPc9oYEy56-pVpjMtcNYaRbe59yBtcyBd3tlMED46NLnfqxHYkp0m8gT9afwCRucMoVLjFJhU5fXtJdGrI/s1600/iStupid_loop.png" /></a></div>
<br />
If you don't know the security type, this basic usage of iStupid requires you to manually check whether the network can be removed from the iOS mobile device (through the blue arrow button at the right of the network name and the "Forget this network" option) every time the security type changes in the iStupid output. Once you see a new security type printed by iStupid (between curly braces), go to the iOS device, wait until it re-scans for networks (watch the spinning wheel at the right of the "Choose a Network..." label), and try to remove the network from the hidden PNL:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil7vufxNSc71bXK18GE61tzQaY9Apljlxlh5qLvCaqagCZx7aCQsbQSUMNP8X3FxMHCxsc9pLZo76-KHt9zPStsNO96lAXGciWHA8VdXGHtKz-eLvLubIkIYNyENmU37_WMiqJIuK7RVPO/s1600/iOS_Forget_this_network.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil7vufxNSc71bXK18GE61tzQaY9Apljlxlh5qLvCaqagCZx7aCQsbQSUMNP8X3FxMHCxsc9pLZo76-KHt9zPStsNO96lAXGciWHA8VdXGHtKz-eLvLubIkIYNyENmU37_WMiqJIuK7RVPO/s200/iOS_Forget_this_network.png" height="126" width="200" /></a></div>
<br />
The loop interval, that is, the amount of time iStupid spends on each security type, can be changed through the "-l" (or "--loop_interval") option. The <a href="http://blog.taddong.com/2013/06/istupid-advanced-usage.html">next blog post in this series</a> demonstrates <a href="http://blog.taddong.com/2013/06/istupid-advanced-usage.html">iStupid advanced usage</a> through some additional command line switches (check the help with "iStupid -h"), like the one that tries to automatically identify the security type of the original Wi-Fi network.<br />
<br />
<br />
[0] <i>MobiSec v1.1 uses Python 2.6.5 by default and will complain about the missing "argparse" module. You need to update it to Python 2.7.x for iStupid to work.</i>
<p><i>Raul Siles</i></p>
<p><b>iStupid</b> (2013-05-31)</p>
One of the tools I demonstrated during the last <a href="http://www.rootedcon.es/">RootedCON 2013 conference</a> in Madrid, as part of my "<a href="http://www.taddong.com/en/lab.html#Rooted2013WiFi">Wi-Fi: Why iOS (Android, and others) Fail inexplicably?</a>" talk, was <b>iStupid</b>: <b><u>i</u>ndescreet <u>S</u>SID <u>t</u>ool (for the) <u>u</u>nknown <u>P</u>NL (on) <u>i</u>OS <u>d</u>evices</b>. Apple mobile devices based on iOS (such as iPhone, iPad, iPad mini and iPod Touch) do not provide capabilities to manage their Wi-Fi Preferred Network List (PNL). I already talked about this deficiency in my "<a href="http://www.taddong.com/docs/Wi-Fi_(In)Security_GOVCERT-2010_RaulSiles_Taddong_v1.0_2pages.pdf">Wi-Fi (In)Security - All Your Air Are Belong To...</a>" presentation in 2010, almost three years ago (back in the iOS 2.x, 3.x, 4.x days...), and the situation has not changed :(<br />
<br />
Unfortunately, the existence of other vulnerabilities where <a href="http://blog.taddong.com/2013/04/how-to-add-wi-fi-networks-to-mobile.html">mobile devices disclose their PNL in the air</a> (specifically TAD-2013-001 for iOS devices; <i>see note below</i>) makes it mandatory to have capabilities to manage the PNL (view, add, delete, and edit PNL entries) in order to check and increase the security of Wi-Fi clients. Besides that, PNL management should also let the user (or security administrators) easily define the connection priority order when multiple known Wi-Fi networks are available, and define whether the client should automatically connect to known Wi-Fi networks, with the ability to disable or configure that behavior for each network individually. Additionally, it would be very desirable that mobile vendors not force the user to enable the Wi-Fi interface in order to manage the PNL (or change and configure other Wi-Fi settings), as the device may otherwise be temporarily and unnecessarily exposed until a secure Wi-Fi setup is completed.<br />
<br />
Adding entries to the hidden PNL of iOS mobile devices is easy: it happens every time you connect to a new network. However, the user cannot remove entries from the hidden PNL unless the Wi-Fi network is in range. Only when the user is within the coverage area of the original Wi-Fi network does the "Forget this network" option become available, by selecting the blue arrow button at the right of the network name, which allows removing the network from the hidden PNL... WTF! (Without Traveling Faraway... to where the original network is really available).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLmRC8k_7m-CdJJHSS_wn8UZN49yB9w2OAUesMZL_sR8AmXt5q4fj-XO_Cvh-60jEp2vMRQXmBhjmlQ56WupVdkMmnDEzqE9Yl4Evkf_qTw8AvHAoXf5G4VgIejKVp0UmWJFDpdm_U-dra/s1600/iOS_Wi-Fi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLmRC8k_7m-CdJJHSS_wn8UZN49yB9w2OAUesMZL_sR8AmXt5q4fj-XO_Cvh-60jEp2vMRQXmBhjmlQ56WupVdkMmnDEzqE9Yl4Evkf_qTw8AvHAoXf5G4VgIejKVp0UmWJFDpdm_U-dra/s320/iOS_Wi-Fi.png" height="320" width="215" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf4f4gIJf6w7Jv245BPMIoeypQIJWD9bHLvsiCxkyyWqCiarfM5vfa_fiZZu1FkZEGZtOVWmHD6aGZccV-ijFWPTzYSiETGX5-Y03rlb6PrkJUKhcZy3kbGOYQ-L2Cb8KtMW1Cwlw-oWTN/s1600/iOS_Forget_this_network.png" imageanchor="1" style="clear: right; display: inline !important; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf4f4gIJf6w7Jv245BPMIoeypQIJWD9bHLvsiCxkyyWqCiarfM5vfa_fiZZu1FkZEGZtOVWmHD6aGZccV-ijFWPTzYSiETGX5-Y03rlb6PrkJUKhcZy3kbGOYQ-L2Cb8KtMW1Cwlw-oWTN/s200/iOS_Forget_this_network.png" height="126" width="215" /></a>
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
To overcome this limitation in iOS devices, we thought about developing an iOS app (mobile application) to manage the PNL. However, as you can see on slide 12 of <a href="http://www.taddong.com/en/lab.html#Rooted2013WiFi">my RootedCON 2013 presentation</a>, for non-jailbroken devices there is no public iOS SDK API (or library) that allows accessing the PNL. Therefore, iStupid is NOT an iOS app :( Please do not confuse the iStupid security tool (Python-based) with the <a href="https://itunes.apple.com/us/app/istupid/id389735862">iStupid app</a> (entertainment) available on the App Store since 2010.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUxAnhJM3A8yZKnd_E3OPDtYdymmoJ_87mEsFWsnSTCBfLevKEJK8cfCx6fVQRlcDmUhCEeowXW56oe3KhMt2gps5EKTw7CZzyxfKCUShBKlnmkV0dCPlH_xy6bEIXPj_pS7Le8oR6GJyO/s1600/AppStore.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUxAnhJM3A8yZKnd_E3OPDtYdymmoJ_87mEsFWsnSTCBfLevKEJK8cfCx6fVQRlcDmUhCEeowXW56oe3KhMt2gps5EKTw7CZzyxfKCUShBKlnmkV0dCPlH_xy6bEIXPj_pS7Le8oR6GJyO/s200/AppStore.jpg" height="65" width="69" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1b17xle1dsOByb9hDR9oLpCjZIcGQfo1eivRmhunXDHZh4uKV9oWyckuuSQ7myqTFTPxYnULgEc9URRuGY95PE9xsUJx1olB6iRGpuerTpPNvo6BsgBqvnjAVeon57aGMk-N6GyXjzXxs/s1600/Passion.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1b17xle1dsOByb9hDR9oLpCjZIcGQfo1eivRmhunXDHZh4uKV9oWyckuuSQ7myqTFTPxYnULgEc9URRuGY95PE9xsUJx1olB6iRGpuerTpPNvo6BsgBqvnjAVeon57aGMk-N6GyXjzXxs/s200/Passion.jpg" height="100" width="100" /></a></div>
<br />
As a result, the alternative I came up with was to develop <b>iStupid</b>, <b><u>i</u>ndescreet <u>S</u>SID <u>t</u>ool (for the) <u>u</u>nknown <u>P</u>NL (on) <u>i</u>OS <u>d</u>evices</b>, a Python-based tool (for Linux) <a href="http://www.taddong.com/en/lab.html#iStupid">available in Taddong's lab starting today</a> (v1.0). It generates Wi-Fi (802.11) beacon frames for one or multiple SSIDs, so that a previously known Wi-Fi network is available <b>here and now</b> and, thus, can easily be removed from the hidden PNL of iOS mobile devices. The tool provides multiple configuration options for the advanced user (check the help with "iStupid -h"), such as selecting the Wi-Fi network SSID, channel, BSSID, beacon interval, 802.11 rates, security settings (Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise), and much more. Future versions of the tool might include an option to perform dictionary and brute-force Wi-Fi network impersonation on the SSID and, potentially, support for other operating systems such as Mac OS X (as many iOS mobile device owners are Mac OS X users).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF5D8TXyHoNmME2dvZP5UnWRgPeSGS10vycpAzEbZ4dNhnZPA_6Zj1LfwlSfsHS9c15zcf6HKSp9q7yICqH-wur2AuB6MRolLjZtiHWeMpzBHP5pFMdVd62kDZleuq0t7dLE4UXta5VnFc/s1600/iStupid_help.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF5D8TXyHoNmME2dvZP5UnWRgPeSGS10vycpAzEbZ4dNhnZPA_6Zj1LfwlSfsHS9c15zcf6HKSp9q7yICqH-wur2AuB6MRolLjZtiHWeMpzBHP5pFMdVd62kDZleuq0t7dLE4UXta5VnFc/s1600/iStupid_help.png" /></a></div>
<br />
Mobile devices perform network identification, that is, they consider a currently available Wi-Fi network to be the same as a previously known Wi-Fi network, based on two factors: the <b>SSID</b> (or network name) <b>and </b>the Wi-Fi network <b>security type</b>.<br />
<br />
During my initial testing I discovered that for iOS mobile devices it is not relevant whether the network is based on WPA or WPA2, or whether it uses TKIP or AES-CCMP. iOS allows the user to remove a WPA2 network from the PNL even if it appears as WPA, and vice versa.<br />
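<br />
How those two factors (SSID and security type) show up on the wire, as an added example that is not part of iStupid or of the original post: the pure-Python script below (no Scapy needed) builds 802.11 beacon frames for a given SSID with each of the security types iStupid offers, classifies a beacon back into its security type from the capability field and the RSN/WPA information elements (the same signals a client uses to match a PNL entry), and pulls the client MAC out of probe requests that name the SSID, which is what iStupid's "-m" monitoring relies on. The BSSID, the client MAC addresses and the frames are constructed for the example; the page does not show the exact information elements iStupid itself emits, so this is a standard encoding of each security type, not the tool's own code.<br />

```python
"""Build and classify 802.11 beacons / probe requests by Wi-Fi security type (pure Python).
Added example, not iStupid's own code; frame layouts follow IEEE 802.11, MACs are made up."""
import struct

RSN_OUI = bytes.fromhex("000fac")   # IEEE OUI used by the RSN (WPA2) IE
WPA_OUI = bytes.fromhex("0050f2")   # Microsoft OUI used by the WPA (v1) vendor IE
TKIP, CCMP = 2, 4                   # cipher suite types (same numbering in both IEs)
AKM_8021X, AKM_PSK = 1, 2           # AKM suite types: Enterprise (802.1X) vs. Personal (PSK)
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010   # capability bits: infrastructure BSS, encryption in use
TAG_SSID, TAG_RATES, TAG_DS, TAG_RSN, TAG_VENDOR = 0, 1, 3, 48, 221
BASIC_RATES = bytes([0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps (high bit = basic rate)
SECURITY_TYPES = ("OPEN", "WEP", "WPA", "WPA2", "WPA-ENTERPRISE", "WPA2-ENTERPRISE")

def _ie(tag, body):
    """One tagged parameter: tag, length, body."""
    return bytes([tag, len(body)]) + body

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _suite_list(oui, cipher, akm):
    """Common part of the RSN and WPA IEs: version, group cipher, pairwise list, AKM list."""
    return (struct.pack("<H", 1) + oui + bytes([cipher])      # version 1, group cipher suite
            + struct.pack("<H", 1) + oui + bytes([cipher])    # one pairwise cipher suite
            + struct.pack("<H", 1) + oui + bytes([akm]))      # one AKM suite

def security_ies(security):
    """Information elements that advertise the requested security type (none for OPEN/WEP)."""
    if security in ("OPEN", "WEP"):
        return b""
    akm = AKM_8021X if security.endswith("ENTERPRISE") else AKM_PSK
    if security.startswith("WPA2"):
        return _ie(TAG_RSN, _suite_list(RSN_OUI, CCMP, akm) + struct.pack("<H", 0))  # + RSN caps
    return _ie(TAG_VENDOR, WPA_OUI + b"\x01" + _suite_list(WPA_OUI, TKIP, akm))      # OUI type 1 = WPA

def build_beacon(ssid, bssid, channel=6, security="OPEN", interval_tu=100):
    """Beacon frame (type 0, subtype 8) as an iStupid-style tool injects it in monitor mode."""
    if security not in SECURITY_TYPES:
        raise ValueError("unknown security type: %s" % security)
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + _mac(bssid) + _mac(bssid) + b"\x00\x00"
    cap = CAP_ESS | (CAP_PRIVACY if security != "OPEN" else 0)   # Privacy bit set for WEP/WPA/WPA2
    fixed = struct.pack("<QHH", 0, interval_tu, cap)              # timestamp, interval, capabilities
    tagged = (_ie(TAG_SSID, ssid.encode()) + _ie(TAG_RATES, BASIC_RATES)
              + _ie(TAG_DS, bytes([channel])) + security_ies(security))
    return header + fixed + tagged

def _iter_ies(data):
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def _first_akm(body):
    """body starts at the version field; returns the type byte of the first AKM suite."""
    n_pairwise = struct.unpack_from("<H", body, 6)[0]
    akm_offset = 8 + 4 * n_pairwise + 2
    return body[akm_offset + 3]

def classify_security(beacon):
    """Recover the security type a client would associate with this beacon."""
    cap = struct.unpack_from("<H", beacon, 34)[0]   # 24-byte header + 8 timestamp + 2 interval
    for tag, body in _iter_ies(beacon[36:]):
        if tag == TAG_RSN:
            return "WPA2-ENTERPRISE" if _first_akm(body) == AKM_8021X else "WPA2"
        if tag == TAG_VENDOR and body[:4] == WPA_OUI + b"\x01":
            return "WPA-ENTERPRISE" if _first_akm(body[4:]) == AKM_8021X else "WPA"
    return "WEP" if cap & CAP_PRIVACY else "OPEN"

def build_probe_request(client_mac, ssid):
    """Probe request (type 0, subtype 4); a non-empty SSID makes it a directed probe."""
    return (b"\x40\x00" + b"\x00\x00" + b"\xff" * 6 + _mac(client_mac) + b"\xff" * 6 + b"\x00\x00"
            + _ie(TAG_SSID, ssid.encode()) + _ie(TAG_RATES, BASIC_RATES))

def parse_probe_request(frame):
    """(transmitter MAC, probed SSID) for a probe request, None for any other frame."""
    if len(frame) < 24 or frame[0] != 0x40:
        return None
    mac = ":".join("%02x" % b for b in frame[10:16])   # addr2 = transmitter address
    for tag, body in _iter_ies(frame[24:]):
        if tag == TAG_SSID:
            return mac, body.decode("utf-8", "replace")
    return mac, ""

def clients_probing_for(frames, ssid):
    """What "-m ff:ff:ff:ff:ff:ff" boils down to: clients that asked for our SSID by name."""
    seen = []
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1] == ssid and parsed[0] not in seen:
            seen.append(parsed[0])
    return seen
```

Note that WPA and WPA2 (and TKIP vs. CCMP) are reported separately here, whereas, as described above, iOS treats them as the same network for PNL purposes; a classifier that mimics iOS would collapse "WPA" and "WPA2" into a single "secure" bucket. Feeding build_beacon() output to a raw 802.11 socket or Scapy's sendp() on a monitor-mode interface is what the tool does in a loop; feeding captured frames to clients_probing_for() is the monitoring side.<br />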
<br />
The version I showed at RootedCON (v0.9) has been slightly improved in version 1.0 with additional capabilities that are detailed in the two upcoming posts on <a href="http://blog.taddong.com/">Taddong's blog</a>: "<a href="http://blog.taddong.com/2013/05/istupid-setup-basic-usage.html">iStupid: Setup & Basic Usage</a>" and "<a href="http://blog.taddong.com/2013/06/istupid-advanced-usage.html">iStupid: Advanced Usage</a>".<br />
<br />
<u><i>NOTE</i></u>: I'm wondering whether the recently published <a href="https://www.sans.org/press/wi-fi-client-security-weaknesses-still-prevalent-as-mobile-vendors-ignore-the-issue.php">press</a> <a href="https://www.net-security.org/secworld.php?id=14934">release</a> covering this PNL disclosure issue on modern mobile devices will finally help motivate vendors to fix it. Am I holding my breath? No.
<p><i>Raul Siles</i></p>
<p><b>How To Add Wi-Fi Networks To Mobile Devices?</b> (2013-04-17)</p>
One of the first things I learned during my recently published Wi-Fi security research is that mobile vendors do not read <a href="http://blog.taddong.com/">Taddong's Security Blog</a> ;-) During the <a href="http://www.rootedcon.es/">RootedCON 2013 conference</a> held in Madrid last month, March 7-9, I talked about the still prevalent Wi-Fi weaknesses, or vulnerabilities (depending on how relevant you think they are), in mobile devices. The full presentation, called "<a href="http://www.taddong.com/en/lab.html#Rooted2013WiFi"><b>Wi-Fi: Why iOS (Android, and others) Fail inexplicably?</b></a>", has been published in <a href="http://www.taddong.com/en/lab.html#Rooted2013WiFi">Taddong's lab</a> and <a href="http://www.slideshare.net/rootedcon/ral-siles-wifi-why-ios-android-and-others-fail-inexplicably-rooted-con-2013">by the RootedCON organization</a> (check <a href="http://www.slideshare.net/rootedcon/tag/rooted2013">the other great presentations too</a>). The minimalism applied to the user interface of mobile platforms still clearly impacts, even today, their Wi-Fi capabilities and security posture.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3r4EGOjSMdmmpAqpPb458KNQyu7LzeR4fjcaFhrQ_S88iTcFya8Tzuhic1VrDT_CHG_nlMI_cJkyfH7-S0Z2PJhN1ohCwh1jCcJTbfREV2XcRiu1b3dbvvwvSrBmNXA2hyphenhyphenxpfZvKXDzgo/s1600/ieee80211.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3r4EGOjSMdmmpAqpPb458KNQyu7LzeR4fjcaFhrQ_S88iTcFya8Tzuhic1VrDT_CHG_nlMI_cJkyfH7-S0Z2PJhN1ohCwh1jCcJTbfREV2XcRiu1b3dbvvwvSrBmNXA2hyphenhyphenxpfZvKXDzgo/s1600/ieee80211.png" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9fHTX1nB0KYT8j12Faf0qyn5Z4ZuRLHKOzZMeSDAg9Ci_9_QD0hV4__fTstTUr1vP3EjT3BP1kVwWF_uyUSp-b3zhGVXj7ENrJp1V7OiBW235WcZIN1g_6i7sb4KgpypX8gvlb-IPLJN0/s1600/wifi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9fHTX1nB0KYT8j12Faf0qyn5Z4ZuRLHKOzZMeSDAg9Ci_9_QD0hV4__fTstTUr1vP3EjT3BP1kVwWF_uyUSp-b3zhGVXj7ENrJp1V7OiBW235WcZIN1g_6i7sb4KgpypX8gvlb-IPLJN0/s1600/wifi.png" /></a>
</div>
In 2010 I published a <a href="http://blog.taddong.com/2010/09/vulnerability-in-indiscreet-wi-fi.html">Windows Mobile 6.5 vulnerability in its indiscreet Wi-Fi interface</a> (TAD-2010-003) in which the "This is a hidden network" configuration setting didn't have any effect. Although this setting has existed since the Windows XP SP2 days and through all the subsequent Windows versions (Vista, 7, 8…), it did not work on Windows Mobile, so all Wi-Fi networks were treated as hidden and disclosed for free by the device. BTW, this behavior does not affect Windows Phone 7.x or 8.<br />
<br />
This insecure Wi-Fi client behavior has been well known since 2004, when <a href="http://theta44.org/karma/index.html">the original Karma-like attack</a> was published (<i>so old that the link does not exist anymore</i> :-), and was fixed in 2007 in Windows XP through the <a href="http://support.microsoft.com/kb/917021">KB917021</a> optional update. <b>Why, in 2013, do most mobile platforms still expose client devices to Wi-Fi network impersonation attacks…?</b><br />
<br />
In 2011 I published a <a href="http://blog.taddong.com/2011/05/vulnerability-in-android-to-add-or-not.html">similar Preferred Network List (PNL) disclosure vulnerability for Android 2.x-3.x</a> (TAD-2011-003), which depends on how you add a Wi-Fi network to the mobile device: automatically, by selecting it from the list of available Wi-Fi networks (expected behavior), or manually, from the "Add Wi-Fi network" button (now the "+" button in Android 4.x) at the bottom of that list (vulnerable behavior, as the network is again considered hidden).<br />
<br />
During 2012 I explored new vulnerability research and disclosure approaches and strategies. Since vendors (IMHO) do not pay enough attention to these issues or spend enough time on them, I decided to mimic them and not spend too much time thoroughly reporting and documenting these vulnerabilities through a detailed security advisory, <a href="http://blog.taddong.com/p/security-advisories.html">as I did in the past</a>. Instead, I notified the vendors, and the <a href="http://www.taddong.com/en/lab.html#Rooted2013WiFi">conference presentation</a> (pages 5-24 of 68) plus this blog post constitute the technical report for these vulnerabilities, which still affect the main mobile platforms today. I simply gave each of them a vulnerability ID to keep track of them (if required):
<br />
<ul>
<li><b>TAD-2013-001</b>: PNL disclosure in iOS 1.x-6.x when adding Wi-Fi networks manually.</li>
<li><b>TAD-2013-002</b>: PNL disclosure in BlackBerry 7.x when adding Wi-Fi networks manually (at least it can be changed afterwards from the advanced Wi-Fi settings, and in particular, through the "SSID broadcasted" option).</li>
<li><b><a href="http://blog.taddong.com/2011/05/vulnerability-in-android-to-add-or-not.html">TAD-2011-003</a></b> still applies to the latest Android 4.x versions, and has not been fixed since Android 2.x-3.x (2011).</li>
</ul>
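As an added example (not code from the original post, nor the iStupid tool mentioned later), the following Python script shows how the PNL disclosure described above can be checked from the defender's side, offline: it parses raw 802.11 probe request frames and reports, per client MAC address, which SSIDs were sent in directed probes (networks the client treats as hidden, and therefore reveals) versus plain wildcard probes. The MAC addresses, SSIDs and frames are constructed inside the script; an audit of your own devices would feed it frames from a monitor-mode capture instead.

```python
"""Offline audit of Preferred Network List (PNL) disclosure in 802.11 probe requests.

A client that treats a network as hidden sends directed probe requests carrying
the SSID in clear text; a client that treats it as visible sends a wildcard
(empty SSID) probe and waits for beacons. This script parses raw 802.11
management frames and reports, per client MAC, which SSIDs it revealed.
Sample frames are constructed inline (hypothetical MACs and SSIDs), so nothing
is captured or transmitted.
"""
import struct

MGMT_TYPE = 0            # frame control type 0 = management
PROBE_REQ_SUBTYPE = 4    # management subtype 4 = probe request
BEACON_SUBTYPE = 8       # management subtype 8 = beacon (used here only as noise)
EID_SSID = 0             # element id of the SSID tagged parameter
EID_SUPPORTED_RATES = 1
BROADCAST = b"\xff" * 6


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, or None for any other frame.

    An empty ssid means a wildcard probe (no network name disclosed).
    A tagged element running past the end of the frame is treated as truncated
    and parsing stops there instead of reading out of bounds.
    """
    if len(frame) < 24:                      # shorter than a management header
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    if ftype != MGMT_TYPE or subtype != PROBE_REQ_SUBTYPE:
        return None
    source = _mac_str(frame[10:16])          # Address 2 = transmitter (the client)
    body = frame[24:]                        # probe request body: tagged elements only
    ssid = ""
    pos = 0
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            break                            # truncated element
        if eid == EID_SSID:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + elen
    return source, ssid


def audit_pnl_disclosure(frames):
    """Map each client MAC to the SSIDs it disclosed and its wildcard probe count."""
    report = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        source, ssid = parsed
        entry = report.setdefault(source, {"ssids": set(), "wildcard": 0})
        if ssid:
            entry["ssids"].add(ssid)
        else:
            entry["wildcard"] += 1
    return report


def build_mgmt_frame(subtype: int, source_mac: str, ssid: str) -> bytes:
    """Construct test data with a probe-request layout (header + tagged elements).

    Used with a non-probe subtype only to check that such frames are ignored.
    """
    fc0 = (subtype << 4) | (MGMT_TYPE << 2)
    src = bytes.fromhex(source_mac.replace(":", ""))
    header = struct.pack("<BBH", fc0, 0, 0) + BROADCAST + src + BROADCAST + struct.pack("<H", 0)
    ssid_bytes = ssid.encode("utf-8")
    elements = bytes([EID_SSID, len(ssid_bytes)]) + ssid_bytes
    elements += bytes([EID_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + elements


# Constructed sample traffic: device A probes for two named networks (PNL
# disclosure), device B only sends wildcard probes, and a beacon is mixed in.
DEVICE_A = "02:00:00:00:00:0a"
DEVICE_B = "02:00:00:00:00:0b"
SAMPLE_FRAMES = [
    build_mgmt_frame(PROBE_REQ_SUBTYPE, DEVICE_A, ""),
    build_mgmt_frame(PROBE_REQ_SUBTYPE, DEVICE_A, "HomeNet-Example"),
    build_mgmt_frame(PROBE_REQ_SUBTYPE, DEVICE_A, "CorpWiFi-Example"),
    build_mgmt_frame(PROBE_REQ_SUBTYPE, DEVICE_B, ""),
    build_mgmt_frame(BEACON_SUBTYPE, "02:00:00:00:00:ff", "SomeAP-Example"),
]

if __name__ == "__main__":
    for mac, info in sorted(audit_pnl_disclosure(SAMPLE_FRAMES).items()):
        names = ", ".join(sorted(info["ssids"])) or "(none)"
        print(f"{mac}: wildcard probes={info['wildcard']}, disclosed SSIDs: {names}")
```

Any client listed with a non-empty SSID set has networks configured as hidden, which is exactly the state the manual "add network" path produces on the platforms listed above; the fix on the device side is to re-add the network by selecting it from the scan list so it stops sending directed probes.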
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcteqBWzUh5gu1BI0vhK_hU0ft7HTKGnrNEo82a_8VQp45GqrVhDXWs4vX60fPfuq7QHwO7HlRGdp6y8hkB-wsyT4ay51rRuYXgqnTPzkUE_ryzFfKYuqEHIsFdZhKs1bAHEFAo8a3PAhn/s1600/android.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcteqBWzUh5gu1BI0vhK_hU0ft7HTKGnrNEo82a_8VQp45GqrVhDXWs4vX60fPfuq7QHwO7HlRGdp6y8hkB-wsyT4ay51rRuYXgqnTPzkUE_ryzFfKYuqEHIsFdZhKs1bAHEFAo8a3PAhn/s1600/android.png" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7uFyEOeUvdlwmK_OZd1bi89af0RYhCtDNk_5z77O0bsl8F68j6X6BlF-dV1xt9XZAgjhc9lkhioR-iIVumDPS8qRAymB5cCDxDPKuWhRUvBLk6Ah3msvzbkqwo2USiUJB1oYiwCCiNbmJ/s1600/apple.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7uFyEOeUvdlwmK_OZd1bi89af0RYhCtDNk_5z77O0bsl8F68j6X6BlF-dV1xt9XZAgjhc9lkhioR-iIVumDPS8qRAymB5cCDxDPKuWhRUvBLk6Ah3msvzbkqwo2USiUJB1oYiwCCiNbmJ/s1600/apple.png" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlh7u6FgWgd_1oqiXjJFC_aZxwWjMgVibjZuYNtf5hf6AtnFuTJDqzQeVqszTyI5PPS0avM-GXeFuGy0Brp0-S8EDTLtbEzmncVVDASmH45XoFbMsOLZWdCvZyavy2qiHGW5ibUUX18wwP/s1600/bb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlh7u6FgWgd_1oqiXjJFC_aZxwWjMgVibjZuYNtf5hf6AtnFuTJDqzQeVqszTyI5PPS0avM-GXeFuGy0Brp0-S8EDTLtbEzmncVVDASmH45XoFbMsOLZWdCvZyavy2qiHGW5ibUUX18wwP/s1600/bb.png" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip-WJaA-PSbAq30kYaqGGoDJ-HMPH_haDRjYrMcBhCY5a3xACD8bpw-VHIR8fwODMCPC7ioQ4TD9_nvuxCOZGgULMCOXMHzfSHzrkGCSJuKYdIedz8EKErhlwjNReL6uMpPlWoO2Kxsnxw/s1600/wp8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip-WJaA-PSbAq30kYaqGGoDJ-HMPH_haDRjYrMcBhCY5a3xACD8bpw-VHIR8fwODMCPC7ioQ4TD9_nvuxCOZGgULMCOXMHzfSHzrkGCSJuKYdIedz8EKErhlwjNReL6uMpPlWoO2Kxsnxw/s1600/wp8.png" /></a>
</div>
<br />
Apart from manually adding new Wi-Fi networks to the device, there are other weird situations where mobile devices might disclose their PNL… by mistake. Mobile vendors need to pay close attention to this issue and keep their devices from becoming easy victims of Karma-like attacks, where an attacker impersonates the legitimate Wi-Fi network and shares the network at layer 2 with the victim for further attacks (independently of the Wi-Fi network security settings, as there are ways to get the network key just by interacting with the Wi-Fi clients). I also suggest that mobile vendors include an option to easily determine whether a Wi-Fi network is considered hidden or not by the device, as we have in the traditional operating systems.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPWRoOlnky9arhWmIvsneh8db3_eS981P27syz7pdKsZiiedkPbg-WNBiL395778MIMDKXYHLPtALTAula3130BNFOqc9qvclFwBdpywBAmfjgx3BjBZ012ZtGhyphenhyphenfnLwrthSNo66nvwGrW/s1600/war_standing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPWRoOlnky9arhWmIvsneh8db3_eS981P27syz7pdKsZiiedkPbg-WNBiL395778MIMDKXYHLPtALTAula3130BNFOqc9qvclFwBdpywBAmfjgx3BjBZ012ZtGhyphenhyphenfnLwrthSNo66nvwGrW/s1600/war_standing.png" height="200" width="140" /></a></div>
<div style="text-align: center;">
<br /></div>
This specific vulnerable behavior associated with Wi-Fi clients is reflected in the <a href="https://www.owisam.org/en/OWISAM_Top_10">OWISAM Top 10</a> methodology, as "OWISAM-TR-009: Client trying to connect to insecure networks". <a href="https://www.owisam.org/">OWISAM</a> is a new Wi-Fi project by <a href="http://www.tarlogic.com/?lang=en">Tarlogic</a> that was also presented during <a href="http://www.slideshare.net/rootedcon/andrs-tarasco-y-miguel-tarasco-owisam-open-wireless-security-assessment-methodology-rooted-con-2013">RootedCON 2013 (OWISAM)</a>. If you are working on Wi-Fi security I recommend that you get involved.
<br />
<br />
The tools I demoed during the presentation, such as iStupid (indiscreet SSID Tool (for the) Unknown PNL (on) iOS Devices), will be released in the upcoming weeks. Other mobile device Wi-Fi vulnerabilities that affect Wi-Fi enterprise networks are covered in my <a href="http://www.taddong.com/en/lab.html#Rooted2013WiFi">RootedCON 2013 presentation</a> (pages 40-60 of 68), and potentially, in a future blog post.
(Raul Siles)<br />
<br />
<b>Wireshark SMB2 file extraction feature now available</b> (Jose Pico, March 11, 2013)<br />
Our <a href="http://blog.taddong.com/2013/02/wireshark-smb2-file-extraction-feature.html">SMB2 object exporting functionality</a> has been included in the Wireshark development trunk from SVN rev. 48210 on. <br />
<br />
Source code and binaries for the supported platforms are publicly available at the <a href="http://www.wireshark.org/download/automated/">automated build section of Wireshark</a>.<br />
<br />
NOTE: As this is a development version, use it with caution.<br />
(Jose Pico)<br />
<br />
<b>Wireshark SMB2 file extraction feature</b> (Jose Pico, February 20, 2013)<br />
Some time ago <a href="http://blog.taddong.com/2010/05/capturing-smb-files-with-wireshark.html">we contributed to Wireshark the SMB file extraction feature</a>, which enabled the tool to extract a file (or portions of it) from the SMB traffic contained in a network traffic capture. From the moment the plugin was published, we have received several requests to extend this functionality to support SMB2 traffic as well, and we have also seen the need for that functionality in every pentest we have done since then, but we hadn't had the time to write the code. During a recent engagement we finally decided the time had arrived to go and write it.<br />
<br />
Although SMB2 support was our main objective, we took the time to implement some other functionalities that we had found to be necessary.<br />
<br />
<b>SMB2 support for ExportObjects->SMB</b><br />
Most of the work to write SMB2 support has been finding out where the needed information can be found in the SMB2 dissector and, for those pieces of information not already there, how to store them in the right place so that they integrate, as far as possible, with the Wireshark code structures. The rest of the code (the part where the file is built from the chunks extracted from each packet) has been almost completely reused. We have implemented the minimum functionality needed for a proof of concept, but we have tested it against a lot of real captures and it seems to be stable. You can see what it looks like in the following screenshot.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXekpJOglBwEwkz9_STkpVWNTyfe1Kra_nanIIyoUJr0CGhZJwZhBscbP53p-03DXX2W1kEDy5zAhxzSwgNGtOD4KS6zw66igVxbCwFk1QV-3EMLdCYMgtPy7c72F9RgR6niSGq56IIhwv/s1600/PluginInAction_shadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXekpJOglBwEwkz9_STkpVWNTyfe1Kra_nanIIyoUJr0CGhZJwZhBscbP53p-03DXX2W1kEDy5zAhxzSwgNGtOD4KS6zw66igVxbCwFk1QV-3EMLdCYMgtPy7c72F9RgR6niSGq56IIhwv/s640/PluginInAction_shadow.png" width="640" /></a></div>
<br />
<b>Other major changes</b><br />
<i><u>The "File ID" vs. "File Name" dilemma</u></i><br />
There was another important issue flying around our minds since we wrote the first plugin. SMB and SMB2 identify a file based on a File ID (which has different formats and meanings in SMB and SMB2). It is usual to find the same file (i.e. same tree_id AND same file_name) opened several times in the same capture file. That means that some parts of a big file may be associated with one file_id and other parts of the same file with a different file_id. In that case the plugin, as it was, would report that it knew a percentage of two different files. We were wondering whether taking "tree_id+file_name" as the file identifier would let the plugin capture the whole file, or at least a bigger part of it.<br />
<br />
This seemed to make sense, because the plugin builds the final file by inserting the chunks it receives in the order in which they appear in the capture, so it overwrites older parts of the file with newer ones. Yet, we were not completely sure that was the best solution, and finally decided to make it an option for the user, available at<br />
<span style="font-family: Courier New, Courier, monospace;">Edit->Preferences->Protocols->SMB</span> and <span style="font-family: Courier New, Courier, monospace;">Edit->Preferences->Protocols->SMB2</span><br />
for that purpose:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOPSV7J0FAJ-7JPlhnOHubIdUZsA-IYtZ1X4rLidvJ2nxoTIN_hJ25TCWAe8zAP5aDX0beUzB7UIPrHhDvV-0R7LMUEQsEWmlDSbW27mR7uPi8Mm9Tg-0G7JxoYXyu_m3D1iaLGwZqxXiE/s1600/UseFileNameAsFileID.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOPSV7J0FAJ-7JPlhnOHubIdUZsA-IYtZ1X4rLidvJ2nxoTIN_hJ25TCWAe8zAP5aDX0beUzB7UIPrHhDvV-0R7LMUEQsEWmlDSbW27mR7uPi8Mm9Tg-0G7JxoYXyu_m3D1iaLGwZqxXiE/s640/UseFileNameAsFileID.png" width="640" /></a></div>
<br />
<i><u>Support for other SMB dialects</u></i><br />
Some time ago Paul Santangelo pointed out that the plugin didn't work under some circumstances. After studying the capture file that he sent us, we concluded that he was right: we had implemented the extract capability for the *_ANDX SMB commands, but not for the original SMB_COM_CREATE, SMB_COM_OPEN, SMB_COM_READ and SMB_COM_WRITE commands. Although according to Microsoft <a href="http://msdn.microsoft.com/en-us/library/ee442008.aspx">these commands are deprecated</a>, we decided to include support for them because the Wireshark SMB dissector supports them, and also because that way the plugin can be used in rare but existing old environments. By the way, Paul, we loved the example pdf file extracted from your capture!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Ayc5QbGFqOn1wUAqdJ_ujCz7T6r9d-Xybn2FRzoDUMAD9vEkaVAWEowIrKYL2t5GWhW_O4r0NrC_KWw6fZosLfQOlsHaQ6HocCpvt0-RomirE5BHfxbf2lDXKaSrMscUyda5ii6unBYU/s1600/PaulsFile_shadow_v4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Ayc5QbGFqOn1wUAqdJ_ujCz7T6r9d-Xybn2FRzoDUMAD9vEkaVAWEowIrKYL2t5GWhW_O4r0NrC_KWw6fZosLfQOlsHaQ6HocCpvt0-RomirE5BHfxbf2lDXKaSrMscUyda5ii6unBYU/s640/PaulsFile_shadow_v4.png" width="640" /></a></div>
<br />
<b>Other minor changes</b><br />
We have also included some minor improvements to the plugin.<br />
The first one is a bit of cleaning in the way file names are shown. Wireshark uses UTF-8 encoding to show strings in the ExportObjects->SMB window, but SMB uses some flavour of UTF-16. We have ensured that the string passed to that window is UTF-8 encoded, and all non-printable characters coming from UTF-16/UNICODE have been transformed into a single '?'. It is not a perfect solution, but it is a bit cleaner.<br />
The last change we added has to do with tree id names and filenames. Until now, when the plugin was not able to find the tree id name it just showed TREEID_UNKNOWN or TREEID_XXX (where XXX was the ID number of the tree). Now, the server IP address is added to the tree pseudo-name, so that the user doesn't have to dive into the packet trace to find it.<br />
Regarding filenames, we have decided to show the full pathname instead of the basename, because we think that this provides better information.<br />
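The "File ID" vs. "File Name" dilemma and the display-name and tree pseudo-name changes described above, as an added Python model (not the plugin's own C code): read/write chunks are inserted at their file offsets in capture order, newer data overwriting older, and grouped either by (tree_id, file_id) or by (tree_id, file_name), with a coverage percentage per export entry. The Chunk fields, the sample 8-byte file opened under two file ids, and the share and server values are constructed assumptions for illustration.

```python
"""Toy model of the Export Objects -> SMB/SMB2 reassembly logic.

Each chunk seen in a capture is inserted at its file offset in capture order,
so later chunks overwrite earlier ones. The key under which chunks are grouped
decides how many "files" the export window shows: the protocol file identifier,
or the (tree id, file name) pair. Everything here is constructed for
illustration and is not the Wireshark plugin's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    tree_id: int
    file_id: int        # FID (SMB) or FileId (SMB2), simplified to an int here
    file_name: str      # full path as carried in the open/create request
    file_size: int      # size learned from the open/create response (assumed known)
    offset: int
    data: bytes


class ExportedFile:
    """Reconstructed file content plus a per-byte 'known' mask."""

    def __init__(self, file_name: str, file_size: int):
        self.file_name = file_name
        self.file_size = file_size
        self.data = bytearray(file_size)
        self.known = bytearray(file_size)

    def insert(self, offset: int, data: bytes) -> None:
        end = min(offset + len(data), self.file_size)
        if offset < 0 or end <= offset:
            return                               # chunk lies outside the declared size
        n = end - offset
        self.data[offset:end] = data[:n]         # newer data overwrites older data
        self.known[offset:end] = b"\x01" * n

    def coverage_percent(self) -> float:
        if self.file_size == 0:
            return 100.0
        return 100.0 * sum(self.known) / self.file_size


def reassemble(chunks, use_name_as_id: bool):
    """Group chunks by (tree_id, file_id) or (tree_id, file_name) and rebuild each file."""
    files = {}
    for c in chunks:
        key = (c.tree_id, c.file_name) if use_name_as_id else (c.tree_id, c.file_id)
        exported = files.setdefault(key, ExportedFile(c.file_name, c.file_size))
        exported.insert(c.offset, c.data)
    return files


def display_name(raw_utf16le: bytes) -> str:
    """UTF-16LE name from the wire to a UTF-8 string, non-printable characters shown as '?'."""
    text = raw_utf16le.decode("utf-16-le", errors="replace")
    return "".join(ch if ch.isprintable() else "?" for ch in text)


def tree_label(tree_id: int, share_name, server_ip: str) -> str:
    """Share name when known, otherwise a pseudo-name that carries the server address."""
    if share_name:
        return share_name
    return f"TREEID_{tree_id}@{server_ip}"


# Constructed sample: one 8-byte file opened twice in the same capture, the
# first half read through file_id 1 and the second half through file_id 2.
FULL_CONTENT = b"ABCDEFGH"
SAMPLE_CHUNKS = [
    Chunk(1, 1, "docs\\report.pdf", 8, 0, FULL_CONTENT[0:4]),
    Chunk(1, 2, "docs\\report.pdf", 8, 4, FULL_CONTENT[4:8]),
]

if __name__ == "__main__":
    for mode in (False, True):
        files = reassemble(SAMPLE_CHUNKS, use_name_as_id=mode)
        print(f"use_name_as_id={mode}: {len(files)} export entries")
        for key, f in files.items():
            print(f"  {key}: {f.coverage_percent():.0f}% of {f.file_name}")
```

With the file id as key the sample yields two entries at 50% each; with the name as key it yields one entry at 100% whose content is the original file, which is the trade-off the preference exposes: the name-based key recovers more, but it also merges distinct files that happen to share a path on the same tree within one capture.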
<br />
<b>Coming next</b><br />
In a few days we will send the patch to Wireshark for inclusion in the development trunk, so we hope it will be publicly available soon. As usual, we will then publish a Windows-compiled version of Wireshark including all this. So stay tuned if you want this feature in your Wireshark!<br />
(Jose Pico)<br />
<br />
<b>TLSSLed v1.3</b> (Raul Siles, February 1, 2013)<br />
After more than one year since <a href="http://blog.taddong.com/2011/10/tlssled-v12.html">the previous TLSSLed version</a>, we are happy to announce <b>TLSSLed v1.3</b>!<br />
<br />
This version is the result of testing lots of HTTPS (SSL/TLS) implementations during real-world pen-tests, so it is full of minor improvements and extra checks to identify different behaviors we have found in the wild (see the changelog inside the tool/script: "New in version 1.3" section). In several of my "<a href="http://www.taddong.com/en/lab.html">Security of National eID (smartcard-based) Web Application</a>" talks during the last year I mentioned that an upcoming TLSSLed version was going to be released... so here it is! :) Additionally, the tool output has been changed for easy reading and to provide quick information for each finding: negative [-], positive [+], or informational [.] (as well as grouping tests [*] and highlight warning and error messages [!]).<br />
<br />
The tool usage has not changed. Simply run the tool by providing the target hostname or IP address plus the target port:<br />
<span style="font-family: Courier New, Courier, monospace;">$ ./TLSSLed_v1.3.sh &lt;hostname or IP_address&gt; &lt;port&gt;</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPM8tnnGcccTYm2ggZkvih-UTTRcLQD7npQDnNoGgdzL2olwTR4KBgODvcx7WsikqMnr53Etux9n5qrSh02WUxnfiqMl3awPoVYJBgOi256ObchGGw22wgKTko0fcij0xaNEW0cH-h-9ie/s1600/https.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="149" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPM8tnnGcccTYm2ggZkvih-UTTRcLQD7npQDnNoGgdzL2olwTR4KBgODvcx7WsikqMnr53Etux9n5qrSh02WUxnfiqMl3awPoVYJBgOi256ObchGGw22wgKTko0fcij0xaNEW0cH-h-9ie/s1600/https.jpg" width="200" /></a><a href="http://www.blogger.com/blogger.g?blogID=2773536350893785230" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
</div>
This version has been tested on updated versions of <a href="http://www.samurai-wtf.org/">Samurai WTF 2.0</a> (running openssl 1.0.1 and sslscan 1.8.2), <a href="http://www.backtrack-linux.org/">Backtrack5 R3</a> (running openssl 0.9.8k and sslscan 1.8.2), and Mac OS X Mountain Lion 10.8.x (running openssl 0.9.8r and sslscan 1.8.2; sslscan must be added and compiled manually, see below). Samurai WTF 2.0 is the only one of these three that includes openssl v1.0.x by default, which provides support for the TLS v1.1 and v1.2 protocol tests.<br />
<br />
Instructions to get and compile sslscan for Mac OS X are available on <a href="https://www.titania-security.com/labs/sslscan">the original webpage</a>, although for Mountain Lion, if you have Xcode installed (or even without it?), you simply need to run the following command and ignore the openssl deprecated warnings:<br />
<span style="font-family: Courier New, Courier, monospace;">$ gcc -lssl -lcrypto -o sslscan sslscan.c</span><br />
<br />
Additionally, TLSSLed v1.3 has also been recently tested with a newer sslscan fork that was released to better support STARTTLS, currently at version 1.8.3rc3 and available on <a href="https://github.com/ioerror/sslscan">GitHub</a>.<br />
<br />
If you find any bug, misbehavior, openssl/sslscan version combination, or target HTTPS (SSL/TLS) implementation that cannot be properly tested, please let us know so that we can fix it and add new features. Enjoy it!<br />
<br />
TLSSLed v1.3 can be downloaded, as usual, from <a href="http://www.taddong.com/en/lab.html#TLSSLED">Taddong's lab</a>.<br />
(Raul Siles)<br />
<br />
<b>Apple's Skimpy Software Update Descriptions</b> (Raul Siles, January 24, 2013)<br />
<i><b>UPDATE: January 28, 2013</b></i><br />
Coincidentally, <a href="https://support.apple.com/kb/HT5642">iOS 6.1 includes a security fix</a> for a DoS Wi-Fi vulnerability (CVE-2012-2619) whose <a href="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=advisory&name=CORE-2012-0718">advisory</a> was published on October 23, 2012, by <a href="http://www.coresecurity.com/content/broadcom-input-validation-BCM4325-BCM4329">Core Security</a> (<i>including a PoC</i>), affecting the Broadcom Wi-Fi chipset of iPhone 3GS (BCM4325), iPhone 4, iPad and iPad 2 (BCM4329), as well as other Apple and non-Apple mobile devices.<br />
<br />
<i>NOTE:</i> <i>This article was cross-posted on the <a href="http://pen-testing.sans.org/blog/pen-testing/2013/01/18/apples-skimpy-software-update-descriptions">SANS Penetration Testing blog</a> edited by Ed Skoudis.</i><br />
<br />
This blog post is a follow up about the concerns regarding Apple's iOS updates and potential improvements from <a href="http://pen-testing.sans.org/blog/pen-testing/2012/10/08/apples-combined-patching">a previous SANS Penetration Testing blog post</a> by Josh Wright, titled "<a href="http://pen-testing.sans.org/blog/pen-testing/2012/10/08/apples-combined-patching">Apple's Combined Patching</a>", published in October 2012.<br />
<br />
Since the release of iOS 6 last year, Apple has published iOS 6.0.1 and then iOS 6.0.2. The main concern with<a href="http://support.apple.com/kb/HT5503"> iOS 6</a>
(Sep 19, 2012) was the huge amount of security flaws fixed on a single
version (197), plus the combination of platform changes and security
patches rolled into a single update. The <a href="https://support.apple.com/kb/HT5567">iOS 6.0.1 update</a>
(Nov 1, 2012) included fixes for four specific security flaws, with
their corresponding CVEs, plus other non-security rated bug fixes, like
one that <a href="https://support.apple.com/kb/DL1606">improves Wi-Fi reliability for WPA2 networks</a>. And then... iOS 6.0.2 was released on Dec 18, 2012, one month ago today.<br />
<br />
<a href="https://support.apple.com/kb/DL1621">The iOS 6.0.2 update</a> is listed neither on the <a href="https://support.apple.com/kb/HT1222">Apple Security Updates</a> webpage nor on the <a href="https://lists.apple.com/mailman/listinfo/security-announce">Apple Product Security Announce mailing list</a>, so one could assume it is a non-security related update, but... are we sure? The truth is: we, as a community, don't really know, as Apple hasn't provided any information about security issues addressed in this update! The iOS 6.0.2 update page only says (it) "Fixes a bug that could impact Wi-Fi.":<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHmyfQuZUfd8Sgi8jRljvW-GLr-7PASdnSl6h7-7ex6PxM0VbnE-VFf1uVxsDivSQ9JTF1wvW77y0Ui2NlB-H2L-0YS2LZNBzoMcMnJZd9IycxQzorcs2McVow8IKkRaaMw9-d8ZjAAuet/s1600/6.0.2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHmyfQuZUfd8Sgi8jRljvW-GLr-7PASdnSl6h7-7ex6PxM0VbnE-VFf1uVxsDivSQ9JTF1wvW77y0Ui2NlB-H2L-0YS2LZNBzoMcMnJZd9IycxQzorcs2McVow8IKkRaaMw9-d8ZjAAuet/s1600/6.0.2.png" width="640" /></a></div>
<br />
Gosh! Thanks for almost nothing, guys. It is hard to think about a
software update description that can be less useful, unless you remove
the last four words leaving simply "Fixes a bug". Still today, one month
after its release date, a significant number of IT people are not aware
of the update, and hardly anybody has any related details. In the same
way we learned a decade ago about the importance of separating
functionality updates from security patches, we also learned about the
importance of getting descriptive and actionable security update
details.<br />
<br />
With such limited information, if one turns to the community (sometimes a questionable source of trustworthy information) trying to find more details about the update, you can find all kinds of reports and very long Apple <a href="https://discussions.apple.com/thread/4310121?start=0&tstart=0">forums</a> <a href="https://discussions.apple.com/thread/4322714?start=0&tstart=0">threads</a>: from people whose iOS 6 device couldn't connect to any Wi-Fi network and required 6.0.2 to use Wi-Fi, to just the opposite, people that cannot connect after updating to 6.0.2. Supposedly the 6.0.2 update fixes various Wi-Fi connectivity issues introduced by iOS 6, but it additionally <a href="http://tidbits.com/article/13474">may impact battery life</a>, an issue that could be associated with a change in the Wi-Fi behavior related to the mysterious bug that shall not be named (at least by our friends in Cupertino in their patch description).<br />
<br />
Back to the
original question... are there any security implications to this
software update considering it fixes an undocumented Wi-Fi related bug?
Wi-Fi is one of the most, if not the most (together with 2/3/4G mobile
communications), relevant communication mechanism for mobile devices
today. As we cover in detail in the <a href="https://www.sans.org/course/mobile-device-security-ethical-hacking">SANS SEC575: Mobile Device Security and Ethical Hacking training class</a>,
modern mobile devices are affected by various security weaknesses in
their Wi-Fi capabilities, even when using enterprise Wi-Fi networks.
Since we do not have official details about this update... when is a
software update considered security related?<br />
<br />
By default, when multiple known Wi-Fi networks are available, iOS devices connect to the last-used network. However, there are <a href="http://forums.imore.com/ios-6/242605-ios-6-wifi-defaults-open-networks.html">reports</a>
of iOS 6 devices prioritizing open networks over secure networks. From
my perspective, this behavior has some rather serious security
implications. It is not possible to know yet if this is the bug fixed by
6.0.2, or any other of the multiple Wi-Fi connection issues reported
all over the Internet (not including here the fact that the <a href="http://www.apple.com/library/test/success.html">Apple web testing page</a>
used by iOS devices to discover if they are under a Wi-Fi captive
portal was not available for some time and was the cause of some of
these connectivity problems). Troubleshooting Wi-Fi issues is not a
trivial task, as multiple factors can influence the testing, such as
nearby signals, radio frequency glitches, or even the frequency band
used by the access points (2.4 or 5 GHz).<br />
<br />
In the SANS SEC575
class, when we cover the security of the iOS mobile device platform,
people frequently try to validate the following statement: "So, can we
say that the latest (mobile device) hardware models are more secure?" If
they can answer in the affirmative, they have a solid business argument
to ask their boss for the latest and greatest mobile device model! In
many cases, the statement is indeed true, as earlier models are left in
the dust unable to run the latest patched versions of mobile device
software. Leaving business and marketing strategies aside, today's
mobile device security is a mix of hardware, firmware, and software
updates, where the latest hardware models implement security protections
not available in previous models. But, the update cycle is shockingly
small, making the PC upgrade cycle of two-to-four years look like a
snail's pace.<br />
<br />
Besides Apple, other mobile device platforms also
present relevant weaknesses in their security update processes. Platform
fragmentation and the lack of timely updates are a major concern,
especially for Android devices. Unfortunately, the security maturity
level of the mobile world today is still a decade behind in many
aspects. We need to learn from history, and apply, to the mobile world,
the best practices we have learned!<br />
<br />
Should users and enterprises
update to iOS 6.0.2 for security reasons? The truth is: we don't know!
Should Apple provide more detailed descriptions about software updates?
Yes, absolutely. For the love of all things Apple and the security
community: please, please, please arm us with the information we need to
make intelligent decisions about patching and securing our devices. Am I
holding my breath? No.<br />
<i>Posted by Raul Siles (http://www.blogger.com/profile/06709503832135757060)</i><br />
<br />
<b>Video: Owning a PC via GPRS/EDGE</b> (published 2012-11-07T13:06:00.001+01:00, updated 2012-11-07T19:47:40.958+01:00)<br />
We have decided to make public a video that we have used in several talks in the past, demonstrating a network attack against a PC, performed via GPRS/EDGE (which is the important point here), using a fake GSM/GPRS/EDGE base station. The video is available for online viewing at our <a href="http://www.youtube.com/user/TaddongTube">YouTube channel</a> (direct link <a href="http://www.youtube.com/watch?v=FXNDhcHUfcs">here</a>), and for direct download at <a href="http://www.taddong.com/en/lab.html#VideoOwiningPCviaGPRS">our lab</a>.<br />
<br />
The point of the video is to show that GPRS/EDGE communications are as easy to intercept, manipulate, and take advantage of, as GSM (voice and SMS) communications, using a fake GSM/GPRS/EDGE base station.<br />
<br />
In the past, we have explained the underlying GSM/GPRS/EDGE vulnerabilities and shown this kind of attack live. If you are interested in these details, check out <i>"<a href="http://www.taddong.com/en/lab.html#GPRSBH2011">A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications</a>"</i> (English) and <i>"<a href="http://www.taddong.com/en/lab.html#UAPCCMRC2011">Un ataque práctico contra comunicaciones móviles</a>"</i> (Spanish).<br />
<br />
With the publication of this video we hope to contribute to creating awareness of this problem, and to help organizations realize that these weaknesses need to be taken into account when performing a risk assessment.<br />
<br />
The example shown in the video is a victim PC, running XP SP3 with a version of Java Runtime Environment (JRE) prior to version 6 update 24. The victim connects to the Internet using a 3G/2G modem, getting EDGE service from a rogue base station that the attacker has set up using the open source suite <a href="http://openbsc.osmocom.org/">OpenBSC</a>+<a href="http://openbsc.osmocom.org/trac/wiki/osmo-sgsn">OsmoSGSN</a>+<a href="http://sourceforge.net/projects/ggsn/">OpenGGSN</a>+<a href="http://isdn.eversberg.eu/">LCR</a>.<br />
<br />
The attacker then injects HTML content into the HTTP traffic of the victim, redirecting his browser to the <a href="http://www.metasploit.com/">Metasploit</a> exploit "<a href="http://www.metasploit.com/modules/exploit/windows/browser/java_codebase_trust">java_codebase_trust</a>". This allows him to get a Meterpreter session on the victim PC, giving him full control over it.<br />
<br />
To demonstrate the control over the victim's PC, the attacker obtains a screenshot of the victim PC. Then, the attacker scrolls up and down through the list of available commands offered by Meterpreter, and the video ends when the attacker invokes a shell (cmd.exe) of the victim PC.<br />
<br />
The point of the video is not that this particular Java vulnerability, which is quite old, can be exploited by an attacker. The point is that any remote vulnerability that you might have in your systems, either well known or zero-day, could be exploited by an attacker using a fake GSM/GPRS/EDGE base station, if you use such communications.<br />
<br />
If you want to avoid this attack path, make sure all of your mobile devices use 3G (UMTS) and (this is critical) do not accept 2G service (GSM/GPRS/EDGE) under any circumstances, and/or protect all of your network traffic at a higher level.<br />
<br />
<i>Posted by David Perez (http://www.blogger.com/profile/10328474868613935733)</i><br />
<br />
<b>SamuraiWTF 2.0 SVN Repository & Bug Tracker</b> (published 2012-09-17T08:02:00.001+02:00, updated 2012-09-17T08:02:06.489+02:00)<br />
With the recent release of <a href="http://www.samurai-wtf.org/">SamuraiWTF 2.0</a> we have introduced significant changes to the official SamuraiWTF SVN repository, available at
<a href="http://svn.code.sf.net/p/samurai/code/trunk/">http://svn.code.sf.net/p/samurai/code/trunk/</a> (check the new SourceForge.net <a href="https://sourceforge.net/p/samurai/code/">project code section</a>). This repository was mainly used in the past by the development team, so these changes try to open up the repository to any user interested in updating the latest official SamuraiWTF version available from the <a href="http://sourceforge.net/projects/samurai/files/">project downloads section</a>. As part of all these 2.0 related changes, we have also migrated the project to the new SourceForge.net (SF.net) platform, so the project web page look & feel and layout have changed, as well as some of the project's links (all the links in this post point to the new platform).<br />
<br />
The idea is to use the SVN repository to provide fixes for known bugs between major SamuraiWTF releases, as well as updates for new features and tools (in future SVN revisions). Therefore, the current SVN repository contents include fixes for a few well known bugs associated with the SamuraiWTF 2.0 version, in the form of individual bash scripts. These fixes will be included in the next SamuraiWTF version, 2.1, but meanwhile you can apply them to your private SamuraiWTF 2.0 instance.<br />
<br />
The SVN repository contains a main script that applies all the available fixes ("fix.sh"), and a "fixes" directory. The "fixes" directory contains two types of scripts: those starting with "fix_" followed by a number, which corresponds to the ID of the bug the script fixes in the official <a href="https://sourceforge.net/p/samurai/bugs/">SamuraiWTF bug tracker</a> (e.g. 25, after the migration), plus a descriptive text at the end of the filename; and those without a number, as the fix applies to a bug that has not been reported through the bug tracker.<br />
<br />
In order to apply all the available fixes you simply need to follow these steps:<br />
1. Start with a clean SamuraiWTF 2.0 instance (Live DVD or VM; take a look at the previous blog posts explaining how to create a SamuraiWTF 2.0 virtual machine in VMware <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual.html">Fusion</a>, <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual_10.html">Workstation</a>, and <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual_14.html">Player</a>).<br />
2. Perform an initial checkout to retrieve the current SVN trunk contents from the official SamuraiWTF repository:<br />
<span style="font-family: Courier New, Courier, monospace;">$ svn co http://svn.code.sf.net/p/samurai/code/trunk samurai</span><br />
3. Step into the new local SVN copy and run the "fix.sh" script using sudo:<br />
<span style="font-family: Courier New, Courier, monospace;">$ cd samurai</span><br />
<span style="font-family: Courier New, Courier, monospace;">$ sudo ./fix.sh</span><br />
<br />
The following screenshot shows the initial SVN process:<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk0JVzcUDIbB6Ir9izlA_wsM1TUudbsw4qdlS6tLUdu66zNg8d7C5cf3LcHVzmFTDTVU5tLVIg8TKQ9vOJ8twmA-dHw4wT8BvW18r-8-5oV_Al1-drzSIt3XgDswBNz1zZ1D-nvSnEnjH3/s1600/fix.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="502" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk0JVzcUDIbB6Ir9izlA_wsM1TUudbsw4qdlS6tLUdu66zNg8d7C5cf3LcHVzmFTDTVU5tLVIg8TKQ9vOJ8twmA-dHw4wT8BvW18r-8-5oV_Al1-drzSIt3XgDswBNz1zZ1D-nvSnEnjH3/s640/fix.png" width="640" /></a></div>
The main "fix.sh" script keeps a log of the fixes already applied, so that the same fix is not applied again every time the "fix.sh" script is executed. Thus, you can periodically update your local SVN copy ("svn up") with the most recent SVN contents and fixes, and run the script again:<br />
<span style="font-family: Courier New, Courier, monospace;">$ cd samurai</span><br />
<span style="font-family: Courier New, Courier, monospace;">$ svn up</span><br />
<span style="font-family: Courier New, Courier, monospace;">$ sudo ./fix.sh</span><br />
<br />
The following screenshot shows the SVN update process:<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuSw2rtOHq9Ef02iW00xYdL4xMJPqjtJF244g8k39-dm_HbE4C2Kj8dPxqiqDORGCUtPFBKNvhrCVoKTf5O_jPdkckrK02Q_vY1JqWzYLTNRQGkwgVrens8xckml-vjr-uZrkLaIQEGD7i/s1600/fix_updates.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="502" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuSw2rtOHq9Ef02iW00xYdL4xMJPqjtJF244g8k39-dm_HbE4C2Kj8dPxqiqDORGCUtPFBKNvhrCVoKTf5O_jPdkckrK02Q_vY1JqWzYLTNRQGkwgVrens8xckml-vjr-uZrkLaIQEGD7i/s640/fix_updates.png" width="640" /></a></div>
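The idempotent behavior described above (run every "fix_*" script once, record it in a log, and retry only what is not yet logged), as an added example written for this post; it is not the project's own "fix.sh". The fixes directory and log file paths, the function names and the "unreported" label for scripts without a ticket number are assumptions.

```shell
#!/bin/bash
# Added example, not the SamuraiWTF project's own fix.sh.
# Assumed layout (names are assumptions, not the project's):
#   <fixdir>/fix_<ID>_<description>.sh  fix for bug tracker ticket <ID>
#   <fixdir>/fix_<description>.sh       fix for a bug never reported in the tracker
#   <logfile>                           one line per fix script already applied

# Print the bug tracker ticket ID encoded in a fix script name, or
# "unreported" when the name carries no number (second naming scheme above).
fix_ticket_id() {
    local name
    name=$(basename "$1")
    case "$name" in
        fix_[0-9]*_*.sh)
            name=${name#fix_}          # drop the "fix_" prefix
            printf '%s\n' "${name%%_*}"  # keep everything before the next "_"
            ;;
        *)
            printf 'unreported\n'
            ;;
    esac
}

# Succeed (exit 0) when the log already records this exact script name.
fix_already_applied() {
    local logfile=$1 name=$2
    [ -f "$logfile" ] && grep -qxF -- "$name" "$logfile"
}

# Apply every fix_*.sh in <fixdir> that is not yet logged, in sorted order,
# appending each successful script name to <logfile>. A failing fix script is
# reported and left out of the log, so the next run retries it.
# Returns 1 if any fix script failed, 0 otherwise.
apply_fixes() {
    local fixdir=$1 logfile=$2 script name status=0
    for script in "$fixdir"/fix_*.sh; do
        [ -e "$script" ] || continue   # empty directory: glob left unexpanded
        name=$(basename "$script")
        if fix_already_applied "$logfile" "$name"; then
            printf 'skipped  %s (already applied)\n' "$name"
            continue
        fi
        if bash "$script"; then
            printf '%s\n' "$name" >> "$logfile"
            printf 'applied  %s (ticket: %s)\n' "$name" "$(fix_ticket_id "$name")"
        else
            printf 'FAILED   %s (not logged, will be retried next run)\n' "$name" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage: bash fixrunner.sh <fixdir> <logfile>
if [ "$#" -ge 2 ]; then
    apply_fixes "$1" "$2"
fi
```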
As new bugs are discovered and reported in <a href="https://sourceforge.net/p/samurai/bugs/">the official SamuraiWTF bug tracker</a> (please use the "v2.0" group to report all SamuraiWTF 2.0 issues), the plan is to create fix scripts for them and add those to the SVN repository. Bugs (or tickets) will remain in the "open" status until we find a solution for them, and once we have a fix script ready, they will be moved to the "pending" status until they are implemented in the next release, such as 2.1.<br />
<br />
Additionally, in the near future we plan to add to SVN a similar "update.sh" script, plus the corresponding "updates" directory, in order to provide updates for other SamuraiWTF features and tools (which you can request and report via <a href="https://sourceforge.net/p/samurai/feature-requests/">the official SamuraiWTF feature requests tracker</a>). When adding new feature requests use the "Next Release" milestone so that we can evaluate which release it will be added to.<br />
<br />
We encourage you to use <a href="http://www.samurai-wtf.org/">SamuraiWTF 2.0</a>, apply the fixes from the SVN repository, and help us by reporting bugs and solutions to the <a href="https://sourceforge.net/p/samurai/mailman/">mailing-list</a>, and more importantly, through the <a href="https://sourceforge.net/p/samurai/bugs/">bug tracker</a> and <a href="https://sourceforge.net/p/samurai/feature-requests/">feature requests tracker</a>. In order to create new bug and feature request tickets you need to authenticate on the SF.net platform.<br />
<br />
An interesting conclusion from the weekly download stats: although the SamuraiWTF 2.0 ISO image has been downloaded 1,169 times, the corresponding MD5 file has been downloaded only 19 times. It seems that less than 2% of users check the ISO image MD5 hash (...unless you know it off the top of your head) :o)<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEildPw7yN7l698wZMFYaduKF5ATmOS0lNXR3PMPHvcR8x-E-AabCx9W-WRbxbcFCkYuxg98lY3LMGdPxAUmA_I3uttdd62MNnBzCm_kr4Nro898mL3swtpoL6pCJn8VFCVc5xXe7ksBuBHl/s1600/samurai_stats.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEildPw7yN7l698wZMFYaduKF5ATmOS0lNXR3PMPHvcR8x-E-AabCx9W-WRbxbcFCkYuxg98lY3LMGdPxAUmA_I3uttdd62MNnBzCm_kr4Nro898mL3swtpoL6pCJn8VFCVc5xXe7ksBuBHl/s640/samurai_stats.png" width="640" /></a></div>
<br />
<b>Appendix: SVN SamuraiWTF Commands</b><br />
<br />
With the recent project migration to the new SourceForge.net platform it is possible to perform a checkout of the SVN contents using SVN or HTTP (both unencrypted):<br />
<span style="font-family: Courier New, Courier, monospace;">$ svn co svn://svn.code.sf.net/p/samurai/code/trunk samurai</span><br />
<span style="font-family: Courier New, Courier, monospace;">$ svn co http://svn.code.sf.net/p/samurai/code/trunk samurai</span><br />
<br />
Unfortunately, there is no encrypted alternative to checkout the SVN contents anonymously, as there was in the past (the command below, based on HTTPS, doesn't work anymore and requests user credentials):<br />
<span style="font-family: Courier New, Courier, monospace;">$ svn co https://svn.code.sf.net/p/samurai/code/trunk samurai</span><br />
<br />
However, the encrypted option that still works (I don't know for how long it will be available...) is the one that retrieves the contents from the old SVN repository via HTTPS (I recommend you <b><u>NOT</u></b> to use it - I included it here just for documentation purposes):<br />
<span style="font-family: 'Courier New', Courier, monospace;">$ svn co https://samurai.svn.sourceforge.net/svnroot/samurai/trunk/ samurai</span><br />
<br />
Additionally, as a project developer, it is possible to get encrypted and authenticated read-write (RW) SVN checkout access via SVN+SSH (replace USER with your SF.net username; <a href="https://sourceforge.net/p/samurai/code">check all these new options in the project code section</a>):<br />
<span style="font-family: Courier New, Courier, monospace;">$ svn checkout --username=USER svn+ssh://USER@svn.code.sf.net/p/samurai/code/trunk samurai</span><br />
<br />
<i>Posted by Raul Siles (http://www.blogger.com/profile/06709503832135757060)</i><br />
<br />
<b>How to Create a SamuraiWTF 2.0 Virtual Machine in VMware Player</b> (published 2012-09-14T10:39:00.000+02:00, updated 2012-09-14T10:39:32.668+02:00)<br />
The <a href="http://www.samurai-wtf.org/">SamuraiWTF (Web Testing Framework)</a> can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - <a href="http://blog.secureideas.net/2012/08/samuraiwtf-20-what-happened-to-10.html">Why was there no SamuraiWTF 1.0 version?</a> The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Player 5 (5.0.0) on Windows 7 (64-bit) and Windows XP (32-bit). The steps required for VMware Player on Linux would be very similar.<br />
<br />
<b>Creating a New Virtual Machine</b><br />
<br />
Open VMware Player and create a new virtual machine (VM): [Player] Menu - File - New Virtual Machine... This will launch the "New Virtual Machine Wizard". In the welcome screen select "I will install the operating system later.", and click "Next >". In the "Select a Guest Operating System" screen select Linux as the "Guest operating system" and Ubuntu as the "Version", and click "Next >".<br />
<br />
The "Name the Virtual Machine" window allows you to select the virtual machine name (e.g. "SamuraiWTF-2.0"), and indicate where you want to save the new VM (a directory, such as "C:\VMWARES\SamuraiWTF-2.0"). Click "Next >". In the "Specify Disk Capacity" screen define the maximum hard disk size (by default, 20 GB). All the other disk capacity options can be left with the default values. Click "Next >".<br />
<br />
Finally, the "Ready to Create Virtual Machine" screen details all the VM settings selected, and allows you to modify other settings through the "Customize Hardware..." button. Click this button and access the "Memory" section. Change the amount of RAM to 2048 MB or more from the default of 1024 MB. Access the "New CD/DVD (IDE)" section, select "Use ISO image file:", and browse to the ISO file for SamuraiWTF 2.0 ("<a href="http://sourceforge.net/projects/samurai/files/SamuraiWTF%202.0%20Branch/SamuraiWTF-2.0-i386.iso/download">SamuraiWTF-2.0-i386.iso</a>") using the "Browse..." button. Once the amount of RAM and the CD/DVD location have been changed, click "Close". Optionally, you can also adjust other settings, such as the network interface type (by default, NAT). From the "Ready to Create Virtual Machine" screen, as the VM is ready to boot, click the "Finish" button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiXbO59L3cCWo5YMz8Ua-pY180nNGi1ncoA5NAHjWYChjp8OFng2SxJbw-4jK1hng61uoO_InNxIdR5e86xzEW3Nyl3VcQUG139hq2LMlrPyRq0Yo7I1TuKMczLg6ZDXcnQ9-HIHmoqH4e/s1600/VM_player_settings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiXbO59L3cCWo5YMz8Ua-pY180nNGi1ncoA5NAHjWYChjp8OFng2SxJbw-4jK1hng61uoO_InNxIdR5e86xzEW3Nyl3VcQUG139hq2LMlrPyRq0Yo7I1TuKMczLg6ZDXcnQ9-HIHmoqH4e/s320/VM_player_settings.PNG" width="320" /></a></div>
<br />
You need to click the "Power On" button (or "Play virtual machine" link) to power on the VM after creation.<br />
<br />
<b>Booting SamuraiWTF 2.0</b><br />
<br />
The recently created VM will start up, using the default Linux boot option, "Start SamuraiWTF". Wait till the SamuraiWTF desktop shows up.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtAUepfC_E1WlEi5u7EMcfnkdm94EM7lHmz2UQ8Eo5IioN16xaGWwA6HW976Q7qDDYCPJqJ71hLgxTaybtADzDNioZt1szVGtIyaYhRCNcNsILO7wAFx9is0oAZDxHcXyZUhP-fLUKOm90/s1600/samurai_desktop_player.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtAUepfC_E1WlEi5u7EMcfnkdm94EM7lHmz2UQ8Eo5IioN16xaGWwA6HW976Q7qDDYCPJqJ71hLgxTaybtADzDNioZt1szVGtIyaYhRCNcNsILO7wAFx9is0oAZDxHcXyZUhP-fLUKOm90/s320/samurai_desktop_player.PNG" width="320" /></a></div>
<br />
<b>Installing SamuraiWTF 2.0 to the hard disk</b><br />
<br />
<u>NOTE:</u> <i>The screenshots below correspond to <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual_10.html">VMware Workstation</a> as they are the same exact ones for VMware Player, so I tried not to duplicate work from <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual_10.html">the previous blog post</a> :o)</i><br />
<br />
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4hasNTTaac89vLDDwIGfafIfagtBhmrv1LSEDRfvct6jec62zfxSsvmbmOf0ZrkQe19z-7VcYs3IMyylM873GdUUBlLmwlAKCnbGBgB-UkptkfgbGTOqb1FW6oZ49mosImoPZ_WFs7lvq/s1600/samurai_hd_1_language.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4hasNTTaac89vLDDwIGfafIfagtBhmrv1LSEDRfvct6jec62zfxSsvmbmOf0ZrkQe19z-7VcYs3IMyylM873GdUUBlLmwlAKCnbGBgB-UkptkfgbGTOqb1FW6oZ49mosImoPZ_WFs7lvq/s320/samurai_hd_1_language.png" width="320" /></a></div>
<br />
The "Prepare" step recommends having more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software" option, and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2HgJKBg-3qoSYrR7sfr4oYVL__TJc7EDOGh9fX0cLWCn-uu86Eb2DOvTToTnCScKbXf4wGYI7HcKJmSysqFkffIihohsxBXf24cP2Hmvdvkb4Is_MgP0viITipRiRTgq9GGOgEWPevK4e/s1600/samurai_hd_2_prepare.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2HgJKBg-3qoSYrR7sfr4oYVL__TJc7EDOGh9fX0cLWCn-uu86Eb2DOvTToTnCScKbXf4wGYI7HcKJmSysqFkffIihohsxBXf24cP2Hmvdvkb4Is_MgP0viITipRiRTgq9GGOgEWPevK4e/s320/samurai_hd_2_prepare.png" width="320" /></a></div>
<br />
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_TF7qrgr6AiIQYLPOEsEHXELAuGXbZ-H_HojJlvXcJM9bUtsCOaeqKGMx5j-sAo6nodUgPjWiSZhJ_BzLaF-K7mbW5Dt_aTsSOV9ICFbfAIHpyqXFm2rNW75YX55HWiBT1c838ZD-0HRh/s1600/samurai_hd_3_disk-setup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_TF7qrgr6AiIQYLPOEsEHXELAuGXbZ-H_HojJlvXcJM9bUtsCOaeqKGMx5j-sAo6nodUgPjWiSZhJ_BzLaF-K7mbW5Dt_aTsSOV9ICFbfAIHpyqXFm2rNW75YX55HWiBT1c838ZD-0HRh/s320/samurai_hd_3_disk-setup.png" width="320" /></a></div>
<br />
On the "Timezone" screen select your timezone and click "Continue". The installation process starts copying files in the background at this point (a significant time optimization over previous versions, but take into account that it can consume a lot of your computer's resources while you follow the next installation steps).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC7riXZQtIzJSMifBc0nOFlvyvOq4DO45MPFdO8emeAJxh-nWGnoQ-fBb3AB_9E1khZ0sGlWEYps6_3K_KAkyAceoUs-AMAff1OxfIGG_RqjIxiVDOQtTbyj_gSsC_9zCTnT4VwgpQiJIQ/s1600/samurai_hd_4_timezone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC7riXZQtIzJSMifBc0nOFlvyvOq4DO45MPFdO8emeAJxh-nWGnoQ-fBb3AB_9E1khZ0sGlWEYps6_3K_KAkyAceoUs-AMAff1OxfIGG_RqjIxiVDOQtTbyj_gSsC_9zCTnT4VwgpQiJIQ/s320/samurai_hd_4_timezone.png" width="320" /></a></div>
<br />
On the "Keyboard" screen select your keyboard layout and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQUAGvB04WNtt67eWvR2oKrjqR9OMwy1RCeHw3u3oAu7UqsLd0EUWcruS0YQWomdLNWFhWRhAS4OtAvBbmPY_7DG0ruUyl53Ssz-QGpjx4yDKSuJSY8kRj1mQFqY-R1uQVv5tluXz_weIT/s1600/samurai_hd_5_keyboard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQUAGvB04WNtt67eWvR2oKrjqR9OMwy1RCeHw3u3oAu7UqsLd0EUWcruS0YQWomdLNWFhWRhAS4OtAvBbmPY_7DG0ruUyl53Ssz-QGpjx4yDKSuJSY8kRj1mQFqY-R1uQVv5tluXz_weIT/s320/samurai_hd_5_keyboard.png" width="320" /></a></div>
<br />
On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - <a href="http://www.whatisthesamuraipassword.com/">www.whatisthesamuraipassword.com</a>) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-v4uXUbYMdTrp_nOQpNOIZJ3GsFsf5dZssDFY6S0UFbSdpG3UFF2OqdRT6qxAa_d9IaxRIoSxLBZaWdg3vaxs_kFq7g0hL0xF5_HG2Hq_3tNQJr_SsKDVSreAd3DUs9n0U-zNyqsor-3z/s1600/samurai_hd_6_user-info.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-v4uXUbYMdTrp_nOQpNOIZJ3GsFsf5dZssDFY6S0UFbSdpG3UFF2OqdRT6qxAa_d9IaxRIoSxLBZaWdg3vaxs_kFq7g0hL0xF5_HG2Hq_3tNQJr_SsKDVSreAd3DUs9n0U-zNyqsor-3z/s320/samurai_hd_6_user-info.png" width="320" /></a></div>
<br />
<u><em>NOTE:</em></u> A race condition has been identified (it does not always occur) that depends on the time it takes to get from the "Disk Setup" screen to the "User Info" screen: the "Keyboard" step jumps directly into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.<br />
<br />
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzqtM6QSn_F98z0-tZ9lkjDpDbswrqSK4RQ8cvSy0maeCEQLjXg-0m0r20xsiizDJH_Qdob5CbCMlbNHea3HH-OQMovzZDI9DstH50v40nU6LpjpEAprkbUVQWc_4q7Gk1M5QfTW7jeFgY/s1600/samurai_hd_7_install.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzqtM6QSn_F98z0-tZ9lkjDpDbswrqSK4RQ8cvSy0maeCEQLjXg-0m0r20xsiizDJH_Qdob5CbCMlbNHea3HH-OQMovzZDI9DstH50v40nU6LpjpEAprkbUVQWc_4q7Gk1M5QfTW7jeFgY/s320/samurai_hd_7_install.png" width="320" /></a></div>
<br />
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RE9hNb7oJBSD-7aygyxkHvIG5W8sGTZ0ES2pGz-SaDinEo9XDoWlTR4yOTkxOkJa40zR5lhs2J-2qOw6Sh501-tJLDZqIoeLDFkNsc0aQoTdO0zPNyE3Agw369oEKvjLzaAevRHp_a3j/s1600/samurai_hd_install_complete.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RE9hNb7oJBSD-7aygyxkHvIG5W8sGTZ0ES2pGz-SaDinEo9XDoWlTR4yOTkxOkJa40zR5lhs2J-2qOw6Sh501-tJLDZqIoeLDFkNsc0aQoTdO0zPNyE3Agw369oEKvjLzaAevRHp_a3j/s320/samurai_hd_install_complete.png" width="320" /></a></div>
<br />
There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that prompts the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following SamuraiWTF background image, press any key to reboot/shutdown the VM.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoyF1wqBtgteprLO6sq4C2u2QPQGwgn49R7hv1GfT8cV9LTzKgPm0Tl23YXTLBH8GM3-AdPe0nuh4GX0m8CfndE3IAEUhV85mrgSDpB7Ol5R0QQk6aJzYCCrv2WuC7DwwX1ffski9eDYii/s1600/samurai_shutdown.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoyF1wqBtgteprLO6sq4C2u2QPQGwgn49R7hv1GfT8cV9LTzKgPm0Tl23YXTLBH8GM3-AdPe0nuh4GX0m8CfndE3IAEUhV85mrgSDpB7Ol5R0QQk6aJzYCCrv2WuC7DwwX1ffski9eDYii/s320/samurai_shutdown.png" width="320" /></a></div>
<br />
After rebooting, the VM CD/DVD is not connected, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the "[Player] Menu - Removable Devices - CD/DVD (IDE) - Settings..." option and selecting "Use physical drive".<br />
<br />
Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is no longer available, but you get access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - <em>see more details about upcoming training sessions below</em>), and folders with the output of tools, a few wordlists, and exploits/payloads from several tools.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbsXo7s4xOK0ArlYIPvLKtOt6_wGkVVMDYSM0vgyCwVe8-umM1EWyOiA0JjNwi7XVylsT0YV89FDFBPH1qv5a3p91QImdNqhBdryhZZVMquosGTyCz9Ey1a6r1_5BTHV7VwWJmwv9uZz-J/s1600/samurai_hd_desktop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbsXo7s4xOK0ArlYIPvLKtOt6_wGkVVMDYSM0vgyCwVe8-umM1EWyOiA0JjNwi7XVylsT0YV89FDFBPH1qv5a3p91QImdNqhBdryhZZVMquosGTyCz9Ey1a6r1_5BTHV7VwWJmwv9uZz-J/s320/samurai_hd_desktop.png" width="320" /></a></div>
<br />
If you do not see the desktop icons, simply resize the VM window (this seems to be a bug in VMware Player).<br />
<br />
<strong>Updating VMware Tools</strong><br />
<br />
VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.<br />
<br />
Go to the "[Player] Menu - Manage - Update VMware Tools..." menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download and Install" button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjslJLsora5XbSJuVzEQhpVs7pypxAJuh5N5OSTbRjh4-THjuHS1llmMgHiOTkJIXIUhFGryU3Os08BlDT-nx-IUzJdIqK23cIwY7HGlOV931zAQmfJlFIddZDP_H-ZFXPIKnI0WuR_psk2/s1600/vmware_player_download_vmware_tools.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjslJLsora5XbSJuVzEQhpVs7pypxAJuh5N5OSTbRjh4-THjuHS1llmMgHiOTkJIXIUhFGryU3Os08BlDT-nx-IUzJdIqK23cIwY7HGlOV931zAQmfJlFIddZDP_H-ZFXPIKnI0WuR_psk2/s1600/vmware_player_download_vmware_tools.PNG" /></a></div>
<br />
The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (<a href="http://partnerweb.vmware.com/GOSIG/Ubuntu_12_04.html#Tools">see related VMware doc</a>), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">$ sudo mount /dev/cdrom /media/cdrom</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">$ cd /tmp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">$ tar xvzf /media/cdrom/VMwareTools-9.0.2-799703.tar.gz</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">$ cd vmware-tools-distrib/</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">$ sudo ./vmware-install.pl</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">...</span><br />
<div>
<br /></div>
<div>
Follow the installation process and reply with the default answer to all the questions:</div>
<div>
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]</div>
<div>
- In which directory do you want to install the binary files? [/usr/bin]</div>
<div>
...</div>
<div>
- Would you like to enable VMware automatic kernel modules? [yes]<br />
- Thinprint provides driver-free printing. Do you wish to enable this feature? [yes]</div>
<br />
<strong>Post installation steps</strong><br />
<br />
You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:<br />
<span style="font-family: 'Courier New', Courier, monospace;">$ > $HOME/.bash_history</span><br />
<span style="font-family: Courier New;">$ exit</span><br />
<br />
You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.<br />
<br />
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! The main constraint in VMware Player (hey... it is free :-) is that you cannot take a VMware snapshot in case you need to restore back to this clean state.<br />
<br />
The instructions to create a SamuraiWTF 2.0 virtual machine in <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual.html">VMware Fusion</a> or in <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual_10.html">VMware Workstation</a> are available on previous blog posts.<br />
<br />
<strong>Shameless Training Plug</strong><br />
<br />
This is an introductory guide to the <a href="http://2012.brucon.org/index.php/Training_Samurai-WTF">official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training</a> I will be running at the <a href="http://2012.brucon.org/">BruCON 2012 conference</a> during <strong>September 24-25 in Ghent (Belgium)</strong>. This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a <a href="http://lists.owasp.org/pipermail/owasp-belgium/2012-September/000373.html">10% discount on the training fee</a>.<br />
Raul Sileshttp://www.blogger.com/profile/06709503832135757060noreply@blogger.com0tag:blogger.com,1999:blog-2773536350893785230.post-697179881307232092012-09-10T19:03:00.000+02:002012-09-14T10:49:34.426+02:00How to Create a SamuraiWTF 2.0 Virtual Machine in VMware WorkstationThe <a href="http://www.samurai-wtf.org/">SamuraiWTF (Web Testing Framework)</a> can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - <a href="http://blog.secureideas.net/2012/08/samuraiwtf-20-what-happened-to-10.html">Why there was no SamuraiWTF 1.0 version</a>? The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Workstation 8 (8.0.4, although version 9 is available) over Windows 7 (64-bit). The steps required for VMware Workstation over Linux would be very similar.<br />
<br />
<b>Creating a New Virtual Machine</b><br />
<br />
Open VMware Workstation and create a new virtual machine (VM): File - New Virtual Machine... This will launch the "New Virtual Machine Wizard". In the welcome screen select "Custom (advanced)", and click "Next >". Choose the VM hardware compatibility as "Workstation 8.0" (default), and click "Next >". In the "Guest Operating System Installation" step, select "Installer disc image file (iso)", browse to the ISO file for SamuraiWTF 2.0 ("<a href="http://sourceforge.net/projects/samurai/files/SamuraiWTF%202.0%20Branch/SamuraiWTF-2.0-i386.iso/download">SamuraiWTF-2.0-i386.iso</a>"), and click "Next >". In the "Select a Guest Operating System" screen select Linux as the "Guest operating system" and Ubuntu as the "Version", and click "Next >".<br />
<br />
The "Name the Virtual Machine" window allows you to select the virtual machine name (e.g. "SamuraiWTF-2.0"), and indicate where you want to save the new VM (a directory, such as "C:\VMWARES\SamuraiWTF-2.0"). Click "Next >". The "Processor Configuration" screen allows you to select the number of processors and cores, where the default of "1:1" is fine, for a total of 1 processor core. Click "Next >". The next "Memory for the Virtual Machine" screen allows you to change the amount of RAM to 2048 MB or more from the default of 1024 MB. Click "Next >". In the "Network Type" screen it is possible to select the network interface type (by default, NAT). Click "Next >". The "Select I/O Controllers Type" screen can be left with the default SCSI controller: "LSI Logic". Click "Next >". In the "Select a Disk" screen it is recommended to "Create a new virtual disk", click "Next >", leave the default disk type in the next screen ("SCSI"), click "Next >", and define the maximum hard disk size (by default, 20 GB). All the other disk capacity options can be left with the default values. Click "Next >". The "Specify Disk File" screen allows you to provide the exact filename to be used for the VM disk (e.g. "SamuraiWTF-2.0.vmdk"). Click "Next >". Finally, the "Ready to Create Virtual Machine" screen details all the VM settings selected, and by default will automatically power on the VM after creation.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0TsaDs3ivxKh3HA1_E9OpPtFawBT3SGitsRg1I8l7GOLtJrhxKMlRUWLF8iAhIMHwBDVaTnkW70VJyyk-aQ9XCWWdktlpJNCPiFmDUXdbrAPuHF4frf9C8_LkHTC1_WozfDqRvRAeNT4K/s1600/vmware_ready_to_create_VM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0TsaDs3ivxKh3HA1_E9OpPtFawBT3SGitsRg1I8l7GOLtJrhxKMlRUWLF8iAhIMHwBDVaTnkW70VJyyk-aQ9XCWWdktlpJNCPiFmDUXdbrAPuHF4frf9C8_LkHTC1_WozfDqRvRAeNT4K/s320/vmware_ready_to_create_VM.png" width="320" /></a></div>
<br />
As the VM is ready to boot, click the "Finish" button.<br />
<br />
<b>Booting SamuraiWTF 2.0</b><br />
<br />
The recently created VM will start up, using the default Linux boot option, "Start SamuraiWTF". Wait till the SamuraiWTF desktop shows up.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFW7VY1z5T0DP4miMYJsBPhY2Ma4anmzX0e-flRBuuohJXXOAGJo7V0IJC4YZzCHecd4VJ6vSPNbeB54M3hNtkkPKtDsyc7HZZSL9NlRr0L_0Xiv7ZozvjYsJ7leGYsmiPg4214nga7xFQ/s1600/samurai_desktop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFW7VY1z5T0DP4miMYJsBPhY2Ma4anmzX0e-flRBuuohJXXOAGJo7V0IJC4YZzCHecd4VJ6vSPNbeB54M3hNtkkPKtDsyc7HZZSL9NlRr0L_0Xiv7ZozvjYsJ7leGYsmiPg4214nga7xFQ/s320/samurai_desktop.png" width="320" /></a></div>
<br />
<b>Installing SamuraiWTF 2.0 to the hard disk</b><br />
<br />
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4hasNTTaac89vLDDwIGfafIfagtBhmrv1LSEDRfvct6jec62zfxSsvmbmOf0ZrkQe19z-7VcYs3IMyylM873GdUUBlLmwlAKCnbGBgB-UkptkfgbGTOqb1FW6oZ49mosImoPZ_WFs7lvq/s1600/samurai_hd_1_language.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4hasNTTaac89vLDDwIGfafIfagtBhmrv1LSEDRfvct6jec62zfxSsvmbmOf0ZrkQe19z-7VcYs3IMyylM873GdUUBlLmwlAKCnbGBgB-UkptkfgbGTOqb1FW6oZ49mosImoPZ_WFs7lvq/s320/samurai_hd_1_language.png" width="320" /></a></div>
<br />
The "Prepare" step recommends having more than 15 GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally "Install this third-party software", and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2HgJKBg-3qoSYrR7sfr4oYVL__TJc7EDOGh9fX0cLWCn-uu86Eb2DOvTToTnCScKbXf4wGYI7HcKJmSysqFkffIihohsxBXf24cP2Hmvdvkb4Is_MgP0viITipRiRTgq9GGOgEWPevK4e/s1600/samurai_hd_2_prepare.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2HgJKBg-3qoSYrR7sfr4oYVL__TJc7EDOGh9fX0cLWCn-uu86Eb2DOvTToTnCScKbXf4wGYI7HcKJmSysqFkffIihohsxBXf24cP2Hmvdvkb4Is_MgP0viITipRiRTgq9GGOgEWPevK4e/s320/samurai_hd_2_prepare.png" width="320" /></a></div>
<br />
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_TF7qrgr6AiIQYLPOEsEHXELAuGXbZ-H_HojJlvXcJM9bUtsCOaeqKGMx5j-sAo6nodUgPjWiSZhJ_BzLaF-K7mbW5Dt_aTsSOV9ICFbfAIHpyqXFm2rNW75YX55HWiBT1c838ZD-0HRh/s1600/samurai_hd_3_disk-setup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_TF7qrgr6AiIQYLPOEsEHXELAuGXbZ-H_HojJlvXcJM9bUtsCOaeqKGMx5j-sAo6nodUgPjWiSZhJ_BzLaF-K7mbW5Dt_aTsSOV9ICFbfAIHpyqXFm2rNW75YX55HWiBT1c838ZD-0HRh/s320/samurai_hd_3_disk-setup.png" width="320" /></a></div>
<br />
On the "Timezone" screen select your timezone and click "Continue". From this screen on, the installation process already starts copying files in the background while you go through the next steps (a significant time saving over previous versions, but take into account that it can consume a lot of your computer's resources while you complete the remaining installation screens).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC7riXZQtIzJSMifBc0nOFlvyvOq4DO45MPFdO8emeAJxh-nWGnoQ-fBb3AB_9E1khZ0sGlWEYps6_3K_KAkyAceoUs-AMAff1OxfIGG_RqjIxiVDOQtTbyj_gSsC_9zCTnT4VwgpQiJIQ/s1600/samurai_hd_4_timezone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC7riXZQtIzJSMifBc0nOFlvyvOq4DO45MPFdO8emeAJxh-nWGnoQ-fBb3AB_9E1khZ0sGlWEYps6_3K_KAkyAceoUs-AMAff1OxfIGG_RqjIxiVDOQtTbyj_gSsC_9zCTnT4VwgpQiJIQ/s320/samurai_hd_4_timezone.png" width="320" /></a></div>
<br />
On the "Keyboard" screen select your keyboard layout and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQUAGvB04WNtt67eWvR2oKrjqR9OMwy1RCeHw3u3oAu7UqsLd0EUWcruS0YQWomdLNWFhWRhAS4OtAvBbmPY_7DG0ruUyl53Ssz-QGpjx4yDKSuJSY8kRj1mQFqY-R1uQVv5tluXz_weIT/s1600/samurai_hd_5_keyboard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQUAGvB04WNtt67eWvR2oKrjqR9OMwy1RCeHw3u3oAu7UqsLd0EUWcruS0YQWomdLNWFhWRhAS4OtAvBbmPY_7DG0ruUyl53Ssz-QGpjx4yDKSuJSY8kRj1mQFqY-R1uQVv5tluXz_weIT/s320/samurai_hd_5_keyboard.png" width="320" /></a></div>
<br />
On the "User Info" screen enter your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - <a href="http://www.whatisthesamuraipassword.com/">www.whatisthesamuraipassword.com</a>) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option selected, although it won't be applied in version 2.0 due to recent changes made to fix a very old bug. Click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-v4uXUbYMdTrp_nOQpNOIZJ3GsFsf5dZssDFY6S0UFbSdpG3UFF2OqdRT6qxAa_d9IaxRIoSxLBZaWdg3vaxs_kFq7g0hL0xF5_HG2Hq_3tNQJr_SsKDVSreAd3DUs9n0U-zNyqsor-3z/s1600/samurai_hd_6_user-info.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-v4uXUbYMdTrp_nOQpNOIZJ3GsFsf5dZssDFY6S0UFbSdpG3UFF2OqdRT6qxAa_d9IaxRIoSxLBZaWdg3vaxs_kFq7g0hL0xF5_HG2Hq_3tNQJr_SsKDVSreAd3DUs9n0U-zNyqsor-3z/s320/samurai_hd_6_user-info.png" width="320" /></a></div>
<br />
<u><em>NOTE:</em></u> A race condition has sometimes been observed, depending on the time it takes to go from the "Disk Setup" screen to the "User Info" screen: the "Keyboard" step jumps directly into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help avoid this unexpected behavior. If you run into it, it is recommended to repeat the setup by booting the VM again from the ISO image.<br />
<br />
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzqtM6QSn_F98z0-tZ9lkjDpDbswrqSK4RQ8cvSy0maeCEQLjXg-0m0r20xsiizDJH_Qdob5CbCMlbNHea3HH-OQMovzZDI9DstH50v40nU6LpjpEAprkbUVQWc_4q7Gk1M5QfTW7jeFgY/s1600/samurai_hd_7_install.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzqtM6QSn_F98z0-tZ9lkjDpDbswrqSK4RQ8cvSy0maeCEQLjXg-0m0r20xsiizDJH_Qdob5CbCMlbNHea3HH-OQMovzZDI9DstH50v40nU6LpjpEAprkbUVQWc_4q7Gk1M5QfTW7jeFgY/s320/samurai_hd_7_install.png" width="320" /></a></div>
<br />
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RE9hNb7oJBSD-7aygyxkHvIG5W8sGTZ0ES2pGz-SaDinEo9XDoWlTR4yOTkxOkJa40zR5lhs2J-2qOw6Sh501-tJLDZqIoeLDFkNsc0aQoTdO0zPNyE3Agw369oEKvjLzaAevRHp_a3j/s1600/samurai_hd_install_complete.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RE9hNb7oJBSD-7aygyxkHvIG5W8sGTZ0ES2pGz-SaDinEo9XDoWlTR4yOTkxOkJa40zR5lhs2J-2qOw6Sh501-tJLDZqIoeLDFkNsc0aQoTdO0zPNyE3Agw369oEKvjLzaAevRHp_a3j/s320/samurai_hd_install_complete.png" width="320" /></a></div>
<br />
There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message prompting the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the SamuraiWTF background image shown below, press any key to reboot/shutdown the VM.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoyF1wqBtgteprLO6sq4C2u2QPQGwgn49R7hv1GfT8cV9LTzKgPm0Tl23YXTLBH8GM3-AdPe0nuh4GX0m8CfndE3IAEUhV85mrgSDpB7Ol5R0QQk6aJzYCCrv2WuC7DwwX1ffski9eDYii/s1600/samurai_shutdown.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoyF1wqBtgteprLO6sq4C2u2QPQGwgn49R7hv1GfT8cV9LTzKgPm0Tl23YXTLBH8GM3-AdPe0nuh4GX0m8CfndE3IAEUhV85mrgSDpB7Ol5R0QQk6aJzYCCrv2WuC7DwwX1ffski9eDYii/s320/samurai_shutdown.png" width="320" /></a></div>
<br />
After rebooting, the VM CD/DVD is not connected, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the VM settings window, using the "CD/DVD (IDE)" icon and selecting "Use physical drive".<br />
<br />
Once the new SamuraiWTF VM boots up you will be directly presented with the desktop. The installation icon is no longer available; instead you have access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - <em>see more details about upcoming training sessions below</em>) and folders with the output of tools, a few wordlists, and exploits/payloads from several tools.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbsXo7s4xOK0ArlYIPvLKtOt6_wGkVVMDYSM0vgyCwVe8-umM1EWyOiA0JjNwi7XVylsT0YV89FDFBPH1qv5a3p91QImdNqhBdryhZZVMquosGTyCz9Ey1a6r1_5BTHV7VwWJmwv9uZz-J/s1600/samurai_hd_desktop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbsXo7s4xOK0ArlYIPvLKtOt6_wGkVVMDYSM0vgyCwVe8-umM1EWyOiA0JjNwi7XVylsT0YV89FDFBPH1qv5a3p91QImdNqhBdryhZZVMquosGTyCz9Ey1a6r1_5BTHV7VwWJmwv9uZz-J/s320/samurai_hd_desktop.png" width="320" /></a></div>
<br />
If you do not see the desktop icons, simply resize the VM window (this seems to be a bug in VMware Workstation).<br />
<br />
<strong>Updating VMware Tools</strong><br />
<br />
VMware Tools are already installed in SamuraiWTF 2.0, so you can directly copy and paste between the host and the guest operating systems. However, depending on the VMware version you are using, you might want to update VMware Tools.<br />
<br />
Go to the "VM - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button. Once they have been downloaded, or if they were already available, click on the "Install" button to connect the VMware Tools CD to the VM. <br />
<br />
The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (<a href="http://partnerweb.vmware.com/GOSIG/Ubuntu_12_04.html#Tools">see related VMware doc</a>), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">$ sudo mount /dev/cdrom /media/cdrom</span><br />
<span style="font-family: "Courier New", Courier, monospace;">$ cd /tmp</span><br />
<span style="font-family: "Courier New", Courier, monospace;">$ tar xvzf /media/cdrom/VMwareTools-8.8.4-743747.tar.gz</span><br />
<div>
<span style="font-family: "Courier New", Courier, monospace;">$ cd vmware-tools-distrib/</span></div>
<div>
<span style="font-family: "Courier New", Courier, monospace;">$ sudo ./vmware-install.pl</span></div>
<div>
<span style="font-family: "Courier New", Courier, monospace;">...</span></div>
<div>
<br /></div>
<div>
Follow the installation process and reply with the default answer to all the questions:</div>
<div>
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]</div>
<div>
- In which directory do you want to install the binary files? [/usr/bin]</div>
<div>
...</div>
<div>
- Would you like to enable VMware automatic kernel modules? [yes]</div>
<br />
<strong>Post installation steps</strong><br />
<br />
You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:<br />
<span style="font-family: "Courier New", Courier, monospace;">$ > $HOME/.bash_history</span><br />
<span style="font-family: Courier New;">$ exit</span><br />
<br />
You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.<br />
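As an added example (not code from the original post, nor from the SamuraiWTF or VMware projects), the manual VMware Tools procedure above, which is the same one the VMware Player post follows, written as a POSIX shell script. It generalizes the two tarball names shown in the posts (9.0.2-799703 and 8.8.4-743747) by matching any VMwareTools-*.tar.gz on the CD, verifies the archive layout before anything runs as root, and unpacks into a private directory created with mktemp so the post-installation cleanup is exact instead of waiting for the next boot to empty /tmp. The /dev/cdrom device and /media/cdrom mount point are the ones used in the post; the -d switch of vmware-install.pl accepts the default answer to every question, which is exactly what the post tells you to type by hand.

```shell
#!/bin/sh
# Added example: automate the manual VMware Tools installation for a
# SamuraiWTF 2.0 (Ubuntu 12.04) guest where the Tools CD is not auto-mounted.
# Device node and mount point are assumptions taken from the blog post.
set -eu

CDROM_DEV=${CDROM_DEV:-/dev/cdrom}
CDROM_MNT=${CDROM_MNT:-/media/cdrom}

# Locate the VMwareTools tarball on the mounted CD. Any version is accepted;
# prints its path, or returns 1 when the CD holds no Tools archive.
find_tools_tarball() {
    mnt=$1
    tgz=$(find "$mnt" -maxdepth 1 -name 'VMwareTools-*.tar.gz' 2>/dev/null | sort | head -n 1)
    [ -n "$tgz" ] || return 1
    printf '%s\n' "$tgz"
}

# Derive the version string from the archive name:
# VMwareTools-8.8.4-743747.tar.gz -> 8.8.4-743747
tools_version() {
    base=$(basename "$1")
    base=${base#VMwareTools-}
    printf '%s\n' "${base%.tar.gz}"
}

# Unpack into a private directory under /tmp (not /tmp itself) and check that
# the installer is where the post expects it before anything runs as root.
# Prints the directory that contains vmware-install.pl.
extract_tools() {
    tgz=$1
    workdir=$(mktemp -d /tmp/vmtools.XXXXXX)
    tar xzf "$tgz" -C "$workdir"
    if [ ! -x "$workdir/vmware-tools-distrib/vmware-install.pl" ]; then
        echo "unexpected archive layout in $tgz" >&2
        rm -rf "$workdir"
        return 1
    fi
    printf '%s\n' "$workdir/vmware-tools-distrib"
}

# Full procedure: mount the CD if it is not mounted yet, extract, run the
# installer accepting every default answer (-d), then remove the extracted copy.
install_vmware_tools() {
    if ! mountpoint -q "$CDROM_MNT"; then
        sudo mkdir -p "$CDROM_MNT"
        sudo mount "$CDROM_DEV" "$CDROM_MNT"
    fi
    tgz=$(find_tools_tarball "$CDROM_MNT") || {
        echo "no VMwareTools-*.tar.gz on $CDROM_MNT; connect the Tools CD first" >&2
        return 1
    }
    echo "installing VMware Tools $(tools_version "$tgz")"
    distdir=$(extract_tools "$tgz")
    (cd "$distdir" && sudo ./vmware-install.pl -d)
    rm -rf "$(dirname "$distdir")"
}

# Only perform the installation when explicitly asked to, so the file can also
# be sourced to reuse or check the functions above.
case "${1:-}" in
    install) install_vmware_tools ;;
esac
```

Save it inside the guest as install-tools.sh and run `sh install-tools.sh install` after connecting the VMware Tools CD from the VMware menu; with no argument it only defines the functions. The script stops at the first failing step, so a missing CD or an unexpected archive layout is reported before the installer is launched with sudo.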
<br />
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.<br />
<br />
The instructions to <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual.html">create a SamuraiWTF 2.0 virtual machine in VMware Fusion are available on a previous blog post</a>, as well as for <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual_14.html">VMware Player</a>.<br />
<br />
<strong>Shameless Training Plug</strong><br />
<br />
This is an introductory guide to the <a href="http://2012.brucon.org/index.php/Training_Samurai-WTF">official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training</a> I will be running at the <a href="http://2012.brucon.org/">BruCON 2012 conference</a> during <strong>September 24-25 in Ghent (Belgium)</strong>. This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a <a href="http://lists.owasp.org/pipermail/owasp-belgium/2012-September/000373.html">10% discount on the training fee</a>.Raul Sileshttp://www.blogger.com/profile/06709503832135757060noreply@blogger.com0tag:blogger.com,1999:blog-2773536350893785230.post-12330491301645284722012-09-10T19:01:00.000+02:002012-09-14T10:49:03.883+02:00How to Create a SamuraiWTF 2.0 Virtual Machine in VMware FusionThe <a href="http://www.samurai-wtf.org/">SamuraiWTF (Web Testing Framework)</a> can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - <a href="http://blog.secureideas.net/2012/08/samuraiwtf-20-what-happened-to-10.html">Why there was no SamuraiWTF 1.0 version</a>? The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Fusion 5 over Mac OS X Mountain Lion (10.8). The steps required for VMware Fusion 4.x would be very similar, if not exactly the same.<br />
<br />
<b>Creating a New Virtual Machine</b><br />
<br />
Open VMware Fusion and create a new virtual machine (VM): File - New... This will launch the "New Virtual Machine Assistant". In the "Introduction" screen click on "Continue without disc". Select "Create a custom virtual machine" from the "Installation Media" screen, and click "Continue". In the "Operating System" step, select Linux as the "Operating System" and Ubuntu as the "Version", and click "Continue". The "Finish" screen details the VM settings selected.<br />
<br />
Click on "Customize Settings" and indicate where you want to save the new VM (directory and filename, such as "SamuraiWTF-2.0.vmwarevm"). VMware will open the settings window. Click on "Processors & Memory" from the "System Settings" section to change the amount of RAM to 2048 MB or more (by default, 1024 MB). You can also adjust other settings, such as the hard disk size (by default, 20 GB), or the network interface type (by default, NAT).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_VTUFppzrGj5zabP-CeeyqwSOlN_Ky9nIYNKDIkUHCKFwkhi_Cvm0byuYFP2jmt84VN9dDvYHLZ5Igaxgo5OAfHQdyTTEcyRmhBij6mL5b9MkLJEwQ226OidpRuJpXCZz1m7BRZaTWdRv/s1600/VM_settings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_VTUFppzrGj5zabP-CeeyqwSOlN_Ky9nIYNKDIkUHCKFwkhi_Cvm0byuYFP2jmt84VN9dDvYHLZ5Igaxgo5OAfHQdyTTEcyRmhBij6mL5b9MkLJEwQ226OidpRuJpXCZz1m7BRZaTWdRv/s320/VM_settings.png" width="320" /></a></div>
<br />
From the "Removable Devices" section, click on "CD/DVD (IDE)", and select the built-in CD/DVD (such as "SuperDrive"). Click on "Choose a disc or disc image..." and select the ISO file for SamuraiWTF 2.0 ("<a href="http://sourceforge.net/projects/samurai/files/SamuraiWTF%202.0%20Branch/SamuraiWTF-2.0-i386.iso/download">SamuraiWTF-2.0-i386.iso</a>"). Go back to the settings window, which can be closed at this point, as the VM is ready to boot.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTLhwB2x77JPVyLhdoZsMKpH_IqQo8CWiNySGQHKFHrucxn5ilGt-W2VAwcxkWfSu6COERQHNnBK7vSSHqoqIc25rryQwz1sZb1LPvQkpo0XPao3HuGj8MNtYnOjzLMMc0Q0QuPXrgj4Af/s1600/CD-DVD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTLhwB2x77JPVyLhdoZsMKpH_IqQo8CWiNySGQHKFHrucxn5ilGt-W2VAwcxkWfSu6COERQHNnBK7vSSHqoqIc25rryQwz1sZb1LPvQkpo0XPao3HuGj8MNtYnOjzLMMc0Q0QuPXrgj4Af/s320/CD-DVD.png" width="320" /></a></div>
<br />
<b>Booting SamuraiWTF 2.0</b><br />
<br />
Start up the recently created VM, using the default Linux boot option, "Start SamuraiWTF", and wait till the SamuraiWTF desktop shows up.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMHqAJWTaa_V_BgdVIBV2FSQUNes45T6IJTMUyJoBs130eqb84nmoxIU2qizR8Wm9tlpgVauPoe9C63diPKAeexODYCeQX4sGvOqIdx81AMDV4x7xmH2fHoxNzRqG8NDwqaDl7tH3A7W3r/s1600/Samurai_desktop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMHqAJWTaa_V_BgdVIBV2FSQUNes45T6IJTMUyJoBs130eqb84nmoxIU2qizR8Wm9tlpgVauPoe9C63diPKAeexODYCeQX4sGvOqIdx81AMDV4x7xmH2fHoxNzRqG8NDwqaDl7tH3A7W3r/s320/Samurai_desktop.png" width="320" /></a></div>
<br />
<b>Installing SamuraiWTF 2.0 to the hard disk</b><br />
<br />
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOAUBtMKnJUWpPDu8vB96XiU3R1grCEWqQddf56tPC9ivcuBQ4COhyi4CkHWdehl9fnWdeqzG0GDsqOsLipfOMmSoAmAZqHGLMe3XB6V5P95cMYR_j3eTOrV3cmUiCZOqXgK5f4prbS4jQ/s1600/samurai_hd_1_language.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOAUBtMKnJUWpPDu8vB96XiU3R1grCEWqQddf56tPC9ivcuBQ4COhyi4CkHWdehl9fnWdeqzG0GDsqOsLipfOMmSoAmAZqHGLMe3XB6V5P95cMYR_j3eTOrV3cmUiCZOqXgK5f4prbS4jQ/s320/samurai_hd_1_language.png" width="320" /></a></div>
<br />
The "Prepare" step recommends having more than 15 GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally "Install this third-party software", and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVtw4D-teAFDjsJ6KKMY3F3Aw4YuqH49Pl7lY8lj_lt_2wMX0QDaQc0pzkMV4IkoLLo9c5y8KJEt4nCA1eGSReMVkKNq43jWCHRHLWK_Nv3cFVZrhQyy16pgBxt0TBEB4OY9SdfGvjMfeP/s1600/samurai_hd_2_prepare.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVtw4D-teAFDjsJ6KKMY3F3Aw4YuqH49Pl7lY8lj_lt_2wMX0QDaQc0pzkMV4IkoLLo9c5y8KJEt4nCA1eGSReMVkKNq43jWCHRHLWK_Nv3cFVZrhQyy16pgBxt0TBEB4OY9SdfGvjMfeP/s320/samurai_hd_2_prepare.png" width="320" /></a></div>
<br />
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjssBu5pwhl-SKh37OWEKBssGbdPcNBj99Uuvo5NxNThP6hON1G_nkwg3Vhi0-IY8jGPfNqsYD7GxmgGTT9c2dOGnCFvWgmALS89x1KzRfDI59yB6fgIwr6afEZD9PaCy0pq4e5CLdliLyU/s1600/samurai_hd_3_disk-setup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjssBu5pwhl-SKh37OWEKBssGbdPcNBj99Uuvo5NxNThP6hON1G_nkwg3Vhi0-IY8jGPfNqsYD7GxmgGTT9c2dOGnCFvWgmALS89x1KzRfDI59yB6fgIwr6afEZD9PaCy0pq4e5CLdliLyU/s320/samurai_hd_3_disk-setup.png" width="320" /></a></div>
<br />
On the "Timezone" screen select your timezone and click "Continue". From this screen on, the installation process already starts copying files in the background while you go through the next steps (a significant time saving over previous versions, but take into account that it can consume a lot of your computer's resources while you complete the remaining installation screens).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic8aV6IfHhOVByNiV0h7kH3EyO1BFz9NRjR2PACax6jyFoXaIKgwFl-F7Tc6CDZOUafs-aSNBNH74w8CGBMl-WQxCokNmB5ateCPRmiMvOXfJegdEXE7lK42h7-Ia1d6vmQMugkkO8ow-H/s1600/samurai_hd_4_timezone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic8aV6IfHhOVByNiV0h7kH3EyO1BFz9NRjR2PACax6jyFoXaIKgwFl-F7Tc6CDZOUafs-aSNBNH74w8CGBMl-WQxCokNmB5ateCPRmiMvOXfJegdEXE7lK42h7-Ia1d6vmQMugkkO8ow-H/s320/samurai_hd_4_timezone.png" width="320" /></a></div>
<br />
On the "Keyboard" screen select your keyboard layout and click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJkDsSaXlG50zpVSB3fEjatJ2k2JfUwdmLAlQdT30E5zaFwFV6ZkUYw39l50vUWT3ymrzFeU77jblgChkKWHkAvfVz4QHRacvPKpPRut-6rbfJr8CJ-UDmOJARWRzhgfTNW4KPWO49IThe/s1600/samurai_hd_5_keyboard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJkDsSaXlG50zpVSB3fEjatJ2k2JfUwdmLAlQdT30E5zaFwFV6ZkUYw39l50vUWT3ymrzFeU77jblgChkKWHkAvfVz4QHRacvPKpPRut-6rbfJr8CJ-UDmOJARWRzhgfTNW4KPWO49IThe/s320/samurai_hd_5_keyboard.png" width="320" /></a></div>
<br />
On the "User Info" screen enter your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - <a href="http://www.whatisthesamuraipassword.com/">www.whatisthesamuraipassword.com</a>) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option selected, although it won't be applied in version 2.0 due to recent changes made to fix a very old bug. Click "Continue".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXNFnmZDjeiAegMGEfLHLBsbEfuOvDBvRnfcPJM6zmcidmSHUshMZyrhMHFc2x-DOKJQGFEnkO959mYRs9Duhm_dhTLzlNVPI7YEtIsA_oqLezjQCfPuglMaGkEOheN9GE7M8hhbaMzAZR/s1600/samurai_hd_6_user_info.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXNFnmZDjeiAegMGEfLHLBsbEfuOvDBvRnfcPJM6zmcidmSHUshMZyrhMHFc2x-DOKJQGFEnkO959mYRs9Duhm_dhTLzlNVPI7YEtIsA_oqLezjQCfPuglMaGkEOheN9GE7M8hhbaMzAZR/s320/samurai_hd_6_user_info.png" width="320" /></a></div>
<br />
<em><u>NOTE:</u></em> A race condition has sometimes been observed, depending on the time it takes to go from the "Disk Setup" screen to the "User Info" screen: the "Keyboard" step jumps directly into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help avoid this unexpected behavior. If you run into it, it is recommended to repeat the setup by booting the VM again from the ISO image.<br />
<br />
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2N6feOkH__Mph2QcPQktGF7JbXzT_priigmqVuT7VuV5zZkR-PaaTj0GUEOkZt-LTGBjxLaTq_ber5H4QSRFB_O2S0zOJmpsh6Qw7YVCEYvedWNHpoXnIjOU83URrMlq-qBsJPfM970FF/s1600/samurai_hd_7_install.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2N6feOkH__Mph2QcPQktGF7JbXzT_priigmqVuT7VuV5zZkR-PaaTj0GUEOkZt-LTGBjxLaTq_ber5H4QSRFB_O2S0zOJmpsh6Qw7YVCEYvedWNHpoXnIjOU83URrMlq-qBsJPfM970FF/s320/samurai_hd_7_install.png" width="320" /></a></div>
<br />
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimWJDmO1gxBmZtn15iUO3LN_ARPiaU17NROUEBiW8XnrxLIi2UJ8LAGOy3HuV-BiQCaBuvYCcHFi-BvAlxhgG7EiEQFWm8jryjl2b5xTIbS8WK4l6_H8IlQUii_rJUDmgdB7Vj3vKGEBSy/s1600/samurai_hd_install_complete.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimWJDmO1gxBmZtn15iUO3LN_ARPiaU17NROUEBiW8XnrxLIi2UJ8LAGOy3HuV-BiQCaBuvYCcHFi-BvAlxhgG7EiEQFWm8jryjl2b5xTIbS8WK4l6_H8IlQUii_rJUDmgdB7Vj3vKGEBSy/s320/samurai_hd_install_complete.png" width="320" /></a></div>
<br />
There is a bug in the reboot/shutdown process of the live CD/DVD version: the message suggesting that the user eject the CD/DVD and press any key to restart/shut down never shows up. Once you get the following SamuraiWTF background image, press any key to reboot/shut down the VM.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV2FeyWcZ5-TxAsHc-KjQT9708rj4aco5B-68R48Gv2Ukx7_rtdI3cqFH7yfz2OqQQ3-l-nOaBfZS7OJmi_oJEOClqmUdQNB1qq6CTqj_CDZPnnh1zzvnA9av72a8kRl5wm1K_64pp2fxb/s1600/samurai_live_shutdown.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV2FeyWcZ5-TxAsHc-KjQT9708rj4aco5B-68R48Gv2Ukx7_rtdI3cqFH7yfz2OqQQ3-l-nOaBfZS7OJmi_oJEOClqmUdQNB1qq6CTqj_CDZPnnh1zzvnA9av72a8kRl5wm1K_64pp2fxb/s320/samurai_live_shutdown.png" width="320" /></a></div>
<br />
After rebooting, the VM's CD/DVD drive is automatically disconnected, so the system boots directly from the newly installed hard disk. You can detach the SamuraiWTF ISO image from the CD/DVD drive in the VM settings window, by clicking the "CD/DVD (IDE)" icon and selecting the physical drive instead.<br />
<br />
Once the new SamuraiWTF VM boots up you are taken directly to the desktop. The installation icon is gone; instead you get shortcuts to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - <em>see more details about upcoming training sessions below</em>), and folders with tool output, a few wordlists, and exploits/payloads from several tools.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz8vM0JNnvyXhdYWdfs5uvz70RQcF5oaCE8Yrt18onqEhzh2fQMdFT1LdOIe2hQEmZsRV0_JfFDsA5CtFQ8qOMiTNFFw37sx668U44A4ki4IGEKz_q7dsq0xKw7_Dri-VtSVif73GOX0FK/s1600/samurai_hd_desktop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz8vM0JNnvyXhdYWdfs5uvz70RQcF5oaCE8Yrt18onqEhzh2fQMdFT1LdOIe2hQEmZsRV0_JfFDsA5CtFQ8qOMiTNFFw37sx668U44A4ki4IGEKz_q7dsq0xKw7_Dri-VtSVif73GOX0FK/s320/samurai_hd_desktop.png" width="320" /></a></div>
<br />
<strong>Updating VMware Tools</strong><br />
<br />
VMware Tools are already installed in SamuraiWTF 2.0, so you can copy &amp; paste between the host and guest operating systems right away. However, depending on the VMware version you are using, you might want to update VMware Tools.<br />
<br />
Go to the "Virtual Machine - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJQ7EgHove7gbyv0ZuM9sKh3AmkiFZogxeGMYSz18WsLd_tpWbbpbJ0w9AnLQjVMO5PyiRdI2DsEw9GBXqs29SNN-z3pquK5ssx9x2zRHnhoM48BxbsZo76O1UDIt7IKmjYdppwpMFAjBu/s1600/vmware_fusion_download_vmware_tools.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJQ7EgHove7gbyv0ZuM9sKh3AmkiFZogxeGMYSz18WsLd_tpWbbpbJ0w9AnLQjVMO5PyiRdI2DsEw9GBXqs29SNN-z3pquK5ssx9x2zRHnhoM48BxbsZo76O1UDIt7IKmjYdppwpMFAjBu/s320/vmware_fusion_download_vmware_tools.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYQ3BV75ouhOfTehlfyRuAY2BDF7G4tp4g0nSVjCzVRtpi8hBmv0_ZVW7pIlphx0rw5MZk35w00kIIKEZCOzI9jaDbbHiQS5vVcBF3E-V9lUsDc_CTEfv4M3zzQUxhMzG3fklfi_VusGsd/s1600/vmware_tools_connect_CD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYQ3BV75ouhOfTehlfyRuAY2BDF7G4tp4g0nSVjCzVRtpi8hBmv0_ZVW7pIlphx0rw5MZk35w00kIIKEZCOzI9jaDbbHiQS5vVcBF3E-V9lUsDc_CTEfv4M3zzQUxhMzG3fklfi_VusGsd/s320/vmware_tools_connect_CD.png" width="320" /></a></div>
<br />
Once they have been downloaded, or if they were already available, click the "Install" button to connect the VMware Tools CD to the VM. On Ubuntu 12.04 the CD is not automatically mounted if the root user has no password set (<a href="http://partnerweb.vmware.com/GOSIG/Ubuntu_12_04.html#Tools">see related VMware doc</a>), as is the case in SamuraiWTF 2.0, so you need to mount the CD manually and launch the VMware Tools installer (the exact tarball name depends on your VMware version):<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">$ sudo mount /dev/cdrom /media/cdrom</span><br />
<span style="font-family: "Courier New", Courier, monospace;">$ cd /tmp</span><br />
<span style="font-family: "Courier New", Courier, monospace;">$ tar xvzf /media/cdrom/VMwareTools-9.2.1-818201.tar.gz</span><br />
<div>
<span style="font-family: "Courier New", Courier, monospace;">$ cd vmware-tools-distrib/</span></div>
<div>
<span style="font-family: "Courier New", Courier, monospace;">$ sudo ./vmware-install.pl</span></div>
<div>
<span style="font-family: "Courier New", Courier, monospace;">...</span></div>
<div>
<br /></div>
<div>
Follow the installation process and accept the default answer to every question:</div>
<div>
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]</div>
<div>
- In which directory do you want to install the binary files? [/usr/bin]</div>
<div>
...</div>
<div>
- Thinprint provides driver-free printing. Do you wish to enable this feature? [yes]</div>
<br />
<strong>Post installation steps</strong><br />
<br />
You can clean up the bash command-line history by closing all terminals, opening a new one, and running a couple of commands (bash writes the current shell's history when it exits, so only these two commands will remain in the file):<br />
<span style="font-family: "Courier New", Courier, monospace;">$ > $HOME/.bash_history</span><br />
<span style="font-family: Courier New;">$ exit</span><br />
<br />
You can manually remove the VMware Tools files from /tmp or wait until the next boot, when /tmp is cleaned automatically.<br />
<br />
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.<br />
<br />
The instructions to <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual_10.html">create a SamuraiWTF 2.0 virtual machine in VMware Workstation are available on another blog post</a>, as well as for <a href="http://blog.taddong.com/2012/09/how-to-create-samuraiwtf-20-virtual_14.html">VMware Player</a>.<br />
<br />
<strong>Shameless Training Plug</strong><br />
<br />
This is an introductory guide to the <a href="http://2012.brucon.org/index.php/Training_Samurai-WTF">official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training</a> I will be running at the <a href="http://2012.brucon.org/">BruCON 2012 conference</a> on <strong>September 24-25 in Ghent (Belgium)</strong>. This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a <a href="http://lists.owasp.org/pipermail/owasp-belgium/2012-September/000373.html">10% discount on the training fee</a>.<br />
<br />
Raul Siles<br />
<br />
<strong>OWASP ZAP SmartCard Project</strong> (April 23, 2012)<br />
<br />
<a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">OWASP ZAP</a> (Zed Attack Proxy) has become THE open-source web application interception proxy and security auditing tool, replacing the well-known open-source players in this field we have been using over the last decade, such as Paros, WebScarab, or AndiParos. The tool is under active development, with new features and fixes added every other month, and with more to come, for example from <a href="https://www.owasp.org/index.php/GSoC2012_Ideas#ZAP_Proxy">GSoC 2012</a>. As a result of this progress and consolidation, ZAP was recently awarded the <a href="http://holisticinfosec.blogspot.com.es/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html">Toolsmith of the Year for 2011</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRiWh3_UoZ7S5VN5uauNGa6bsg-KP9UtQBDieO5MVJ6mNPDhxPNirUjp5jwWR11SMt1mp9dJ8ziuqZoANK_eHYCA93z3vf9lFbvgil2lA7MbX0lZA22KUzC2a-PjrTv4Hou09Fm7CnY4g-/s1600/zap_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="69" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRiWh3_UoZ7S5VN5uauNGa6bsg-KP9UtQBDieO5MVJ6mNPDhxPNirUjp5jwWR11SMt1mp9dJ8ziuqZoANK_eHYCA93z3vf9lFbvgil2lA7MbX0lZA22KUzC2a-PjrTv4Hou09Fm7CnY4g-/s200/zap_logo.png" width="69" /></a></div>
<br />
Some time after Paros was discontinued (v3.2.13, back in August 2006), new projects forked from Paros' source code were born. Surprisingly, since this is not common in our industry, <a href="http://pentest4devs.blogspot.com/">Psiinon (author of the original ZAP tool)</a> and <a href="http://code.google.com/p/andiparos/">Axel (author of AndiParos)</a> set their egos aside :-) and made a really smart decision: they joined forces to develop a single, more powerful web application security tool, instead of two very similar but weaker ones. The result is what we know today as OWASP ZAP!<br />
<br />
However, inexplicably, Paros is still downloaded <a href="http://sourceforge.net/projects/paros/">more than 2,500 times per week from its SourceForge.net project page</a>, while <a href="http://code.google.com/p/zaproxy/downloads/list?can=1&q=1.3.4&colspec=Filename+Summary+Uploaded+ReleaseDate+Size+DownloadCount">the latest ZAP stable version (1.3.4) has been downloaded only 15,000 times in total</a> over the last 5 months (<i>based on the official open-source platforms' statistics</i>). This shows that people stick to their routines, and that there is still a lot of work to do to promote ZAP and spread the word about its existence, features, and benefits.<br />
<br />
ZAP clearly stands out from other commercial and open-source web application security tools and interception proxies when assessing web applications that use smartcard-based authentication. When a target web application requests client authentication through digital certificates during the SSL/TLS handshake or a (re)negotiation, ZAP can access the local smartcard and authenticate the user just as she would with no interception proxy in place. ZAP supports multiple smartcard types on different operating systems (Windows, Linux, and Mac OS X) thanks to Java's built-in smartcard capabilities and its integration with PKCS#11 hardware modules (the SunPKCS11 provider). <a href="http://code.google.com/p/zaproxy/wiki/HelpReleases1_1_0">The original ZAP smartcard support (from version 1.1.0)</a> was merged by Axel from AndiParos. The current ZAP smartcard support has been greatly simplified through the drivers.xml configuration file, which offers a centralized and extensible way to add support for new smartcards: each entry points ZAP at the card's PKCS#11 module (the shared library supplied by the card vendor or by OpenSC) for a given operating system.<br />
<br />
Although other security tools support client digital certificates (X.509 certificates and private keys loaded from a PKCS#12 file), we have identified both significant and subtle differences in several target web applications in the way they interact with and authenticate the user when a standard software client certificate is used versus a smartcard. Hence the need to be able to assess how the application behaves when a smartcard is actually involved.<br />
<br />
ZAP smartcard support can be found under the "Tools - Options" menu, within the "Certificate" category, and specifically on the "PKCS#11" tab:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCk8wqBskLKLfcFZcOjlXr4QOYY5-npBrK-ZmdHl6tiVKTQon_WxpaxNMhY3Dp8tnwkbqxrX8-8WwolAr4ga8aYon60-FhqPzpXPmCOsipwSKreAHMIxuLVlPC_dPdMXyYnqCKVQlh9_wQ/s1600/ZAP_smartcard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCk8wqBskLKLfcFZcOjlXr4QOYY5-npBrK-ZmdHl6tiVKTQon_WxpaxNMhY3Dp8tnwkbqxrX8-8WwolAr4ga8aYon60-FhqPzpXPmCOsipwSKreAHMIxuLVlPC_dPdMXyYnqCKVQlh9_wQ/s400/ZAP_smartcard.png" width="400" /></a></div>
<br />
As a result of my research focused on the <a href="http://blog.taddong.com/2012/04/dnie-based-web-applications-security.html">security of web applications based on the DNIe</a>, I have been working on and committing code to ZAP to improve the stability and usability of its smartcard support, using the Spanish national eID (DNIe) as a reference. For example, capabilities to interact with target web applications that still allow insecure SSL/TLS (HTTPS) renegotiation have been added (<a href="http://blog.taddong.com/2010/04/certificate-based-client-authentication.html">see my original blog post on this topic from two years ago</a>), as well as minor fixes for several bugs and issues found during <a href="http://blog.taddong.com/2012/04/dnie-based-web-applications-security.html">multiple web application penetration tests on DNIe-based environments</a>. One of the key fixes was an improvement to overcome PKCS#11 concurrent-access conflicts between ZAP and web browsers (such as Firefox) sharing the same card.<br />
<br />
Additionally, the Spanish DNIe implements brute-force protection: the smartcard locks itself after three consecutive failed PIN (passcode) entries. Once the DNIe is locked, the only way to unlock it is for the citizen to go to a police station and follow a specific unlocking procedure. There you can find proprietary DNIe kiosks that authenticate the citizen through the fingerprint stored in a secure area of the smartcard at issuing time, and then allow the DNIe PIN to be changed. To spare security auditors and pentesters who use their own DNIe (or any other eID smartcard) during web application assessments frequent visits to the police station because of a PIN mistyped in ZAP, the tool now implements specific checks and warning messages that alert the user about failed login attempts, helping to avoid locking the smartcard after the third failed attempt.<br />
<br />
All this DNIe-related functionality has been available on the <a href="https://code.google.com/p/zaproxy/source/detail?r=1209">official ZAP SVN repository since revision 1209</a>, live at RootedCON 2012 (<a href="http://blog.taddong.com/2012/02/building-owasp-zap-using-eclipse-ide.html">check how to build ZAP from source code</a>), and is currently available on the <a href="http://code.google.com/p/zaproxy/downloads/list">latest downloadable version, ZAP 1.4.0.1</a>.<br />
<br />
To extend this previous research and the implementation already available within ZAP, I have launched a new ZAP-related project focused on extending ZAP's support for smartcard-based authentication to other eID cards. More information about the <a href="https://code.google.com/p/zaproxy/wiki/SmartCards">"OWASP ZAP SmartCard Project"</a> can be found at ZAP's official wiki.<br />
<br />
The purpose of this project is to extend the smartcard support currently available within ZAP to other national eID cards worldwide (beyond the Belgian, Swiss, and Spanish eIDs), as well as to other proprietary smartcard solutions from commercial vendors (beyond ActivIdentity, Aladdin, or Axalto). The goal is for ZAP to provide the widest smartcard support in the web application security industry, so that it can be used to assess the security of any web application that relies on smartcards and eIDs for authentication over HTTPS (SSL/TLS). Besides that, and based on my previous experience, the complementary goal is to extend ZAP with the new features required to deal with and manage the different smartcard types.<br />
<br />
The current set of supported smartcards within ZAP can be found at <a href="https://code.google.com/p/zaproxy/wiki/SmartCards">ZAP's official wiki</a>. This wiki page will be updated as soon as we add support for new smartcards within ZAP, although you can always directly check <a href="https://code.google.com/p/zaproxy/source/browse/trunk/src/xml/drivers.xml">the "drivers.xml" file from the latest SVN revision</a>. The draft list of countries that already provide eIDs (electronic-based identification for their citizens) I am aware of is available on the same page (we hope to add support for all or most of them over the following months with the help of the web application development and security communities).<br />
<br />
The new "OWASP ZAP SmartCard Project" requires the involvement of the community around the world to provide details about, and help test, new smartcard types. If you are interested in contributing, send me an e-mail or write to the <a href="http://groups.google.com/group/zaproxy-develop">OWASP ZAP Google group (mailing list)</a>. You can contribute in very different ways: from providing details about a smartcard used in your country of origin or residence (or a commercial smartcard) for web-based authentication, to using ZAP to evaluate the security of smartcard-based web applications and <a href="https://code.google.com/p/zaproxy/issues/list">reporting bugs or any other issues you may find</a>, up to contributing new drivers.xml entries for new smartcards or additional operating systems.<br />
<br />
At the end of September I will be talking about the "Security of National eID (smartcard-based) Web Applications" at the <a href="http://2012.brucon.org/">BruCON 2012 security conference</a> in Ghent (Belgium) - <i><a href="http://blog.brucon.org/2012/04/registrations-are-open.html">first talks</a> pre-release</i> - and running the <a href="http://2012.brucon.org/index.php/Training#Assessing_and_Exploiting_Web_Applications_with_Samurai-WTF_by_Raul_Siles">"Assessing and Exploiting Web Applications with Samurai-WTF"</a> training.<br />
<br />
Raul Siles<br />
<br />
<strong>DNIe-based Web Applications Security</strong> (April 10, 2012)<br />
<br />
Early last month the third edition of <a href="http://www.rootedcon.es/">Rooted CON</a> took place in Madrid, Rooted CON 2012, with great content and very interesting topics. On the last day of the conference I presented the results of the research I have been involved in during 2011 and early 2012, focused on the security of web applications based on the Spanish electronic identity card, or eID (electronic ID) smartcard, called DNIe ("Documento Nacional de Identidad electrónico", electronic National Identity Card).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhef_dVm5n8zicbOmrWxDO26-jPP6IsctKHMTU0RoaNT3iddZcjPEKSCqWupJm1eBhNPGuGDPuS9IL6qx9hchnsDHStNtxK5-y1lxJz8ZaawsACf4TYt3rKWgNZDwHLkKr9Mb-_0tKQeL6/s1600/DNIe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="149" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhef_dVm5n8zicbOmrWxDO26-jPP6IsctKHMTU0RoaNT3iddZcjPEKSCqWupJm1eBhNPGuGDPuS9IL6qx9hchnsDHStNtxK5-y1lxJz8ZaawsACf4TYt3rKWgNZDwHLkKr9Mb-_0tKQeL6/s200/DNIe.png" width="200" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPLmAIK1WYpGQyoOCbRZ7Y_ZkFtH2J_U0VC_eTK-uvZYHFpD8rQEq6T603Cb17L6Xr_cICoQTqvJJn3EuVw0ivs2qzTqZK4LQbN25yPahf7_YjKT-BV0H_EcuGuQS1lZs4p4Mgif8hus4N/s1600/DNIe_smartcard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPLmAIK1WYpGQyoOCbRZ7Y_ZkFtH2J_U0VC_eTK-uvZYHFpD8rQEq6T603Cb17L6Xr_cICoQTqvJJn3EuVw0ivs2qzTqZK4LQbN25yPahf7_YjKT-BV0H_EcuGuQS1lZs4p4Mgif8hus4N/s200/DNIe_smartcard.png" width="200" /></a></div>
<br />
The DNIe (or eDNI) is the electronic version of the national ID card for Spanish citizens, and it is currently used to access a great variety of digital services from the public and private sectors all over the country, including eGovernment services and web portals, plus services from financial institutions, insurance and telecommunication companies, and utility companies (gas, water, electricity...).<br />
<br />
Therefore, the DNIe is a key element to authenticate and identify users (Spanish citizens) within critical private and public web applications and services in today's information society in Spain. However, given the limited ability of the currently available web auditing and pen-testing tools to interact with smartcards and, in particular, with the DNIe... are we really sure that DNIe-based web applications and services are secure? The DNIe is (assumed to be) secure, but... is it used in a secure way? Are the web-based client components associated with the DNIe secure? The presentation explored all these questions through new tools, real-world scenarios, and practical demonstrations.<br />
<br />
The DNIe is an ISO 7816 smartcard (derived from PKCS#15) that contains a pair of X.509 digital certificates plus the associated public and private keys. One certificate is used for authentication/identification (<span class="Apple-style-span" style="font-size: 16px;">KeyUsage = digitalSignature</span>), while the other is used for signing (<span class="Apple-style-span" style="font-size: 16px;">KeyUsage = contentCommitment</span>, the key usage bit formerly known as nonRepudiation). It is important to emphasize that the latter has legal validity, equivalent to a traditional handwritten signature, which makes the DNIe a recognized <span class="Apple-style-span" style="font-size: 16px;">CWA 14169</span> secure signature-creation device <span class="Apple-style-span" style="font-size: 16px;">(EAL4+)</span>. For a pen-testing proxy this distinction matters: TLS client authentication must be performed with the authentication certificate, never with the legally binding signature one.<br />
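The following is an added example, written for this edit and not taken from ZAP's source code or from either post, that puts together in Java (ZAP's own language) the pieces described in the OWASP ZAP SmartCard Project post above and in the paragraph just before: loading a PKCS#11 module through the JDK's SunPKCS11 provider, guarding the PIN login so that a typo in the proxy does not spend the card's last retry, picking the authentication certificate by its KeyUsage bits (digitalSignature set, contentCommitment/nonRepudiation clear) instead of the signature certificate, and pinning that alias into the TLS client-authentication context. The module path /usr/lib/opensc-pkcs11.so, the slot index, and the class and method names are assumptions for an OpenSC setup on Linux, not ZAP's or the DNIe middleware's; the three-try lock-out constant is taken from the DNIe behaviour described in these posts.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.login.FailedLoginException;

/** Added example (not ZAP code): eID smartcard TLS client authentication through SunPKCS11. */
public class EidClientAuth {

    /** Assumption from the DNIe behaviour described in the posts: three wrong PINs lock the card. */
    static final int PIN_TRIES_BEFORE_LOCK = 3;

    private final Provider pkcs11;
    private int failedAttempts = 0;   // process-local; the card itself keeps the real counter

    /** libraryPath: vendor or OpenSC PKCS#11 module (path and slot index are assumptions). */
    EidClientAuth(String libraryPath, int slotListIndex) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) throw new IllegalStateException("SunPKCS11 provider not available");
        // Inline configuration ("--" prefix, Java 9+); one configured provider per module
        pkcs11 = base.configure("--name=eIDToken\nlibrary=" + libraryPath
                                + "\nslotListIndex=" + slotListIndex + "\n");
        Security.addProvider(pkcs11);
    }

    /** Opens the token (C_Login). Returns null on a wrong PIN; refuses the last try unless confirmed. */
    KeyStore login(char[] pin, boolean userConfirmedLastTry) throws Exception {
        boolean nextFailureLocksCard = failedAttempts >= PIN_TRIES_BEFORE_LOCK - 1;
        if (nextFailureLocksCard && !userConfirmedLastTry) {
            throw new IllegalStateException("Refusing PIN attempt: the next wrong PIN locks the card");
        }
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
            ks.load(null, pin);
            failedAttempts = 0;
            return ks;
        } catch (IOException e) {
            // SunPKCS11 surfaces CKR_PIN_INCORRECT as an IOException caused by FailedLoginException
            if (hasCause(e, FailedLoginException.class)) {
                failedAttempts++;
                System.err.println("Wrong PIN; attempts left before lock-out: "
                                   + (PIN_TRIES_BEFORE_LOCK - failedAttempts));
                return null;
            }
            throw e;   // already locked, reader removed, module error: not a PIN failure
        } finally {
            Arrays.fill(pin, '\0');   // do not keep the PIN around in memory
        }
    }

    /** Alias of the authentication certificate: digitalSignature set, contentCommitment clear. */
    static String authenticationAlias(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            boolean[] ku = cert.getKeyUsage();   // [0] digitalSignature, [1] nonRepudiation/contentCommitment
            if (ku != null && ku[0] && !ku[1]) return alias;
        }
        throw new IllegalStateException("no authentication certificate found on the token");
    }

    /** TLS context that always answers a CertificateRequest with the given alias. */
    static SSLContext clientAuthContext(KeyStore ks, String alias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);   // keys are unlocked by the PKCS#11 session, not by a per-key password
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        X509KeyManager pinned = new X509KeyManager() {
            public String chooseClientAlias(String[] kt, Principal[] issuers, Socket s) { return alias; }
            public String[] getClientAliases(String kt, Principal[] issuers) { return new String[] {alias}; }
            public String chooseServerAlias(String kt, Principal[] issuers, Socket s) { return null; }
            public String[] getServerAliases(String kt, Principal[] issuers) { return null; }
            public X509Certificate[] getCertificateChain(String a) { return base.getCertificateChain(a); }
            public PrivateKey getPrivateKey(String a) { return base.getPrivateKey(a); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] {pinned}, null, null);   // default trust managers for the server side
        return ctx;
    }

    static boolean hasCause(Throwable t, Class<? extends Throwable> type) {
        for (Throwable c = t; c != null; c = c.getCause()) if (type.isInstance(c)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) { System.err.println("run from a terminal to enter the PIN"); return; }
        EidClientAuth card = new EidClientAuth("/usr/lib/opensc-pkcs11.so", 0);   // assumed module path
        KeyStore ks = card.login(System.console().readPassword("PIN: "), false);
        if (ks == null) return;
        String alias = authenticationAlias(ks);
        SSLContext ctx = clientAuthContext(ks, alias);   // ctx.getSocketFactory() now authenticates with the card
        System.out.println("TLS client authentication ready with alias: " + alias);
    }
}
```

The failure counter is process-local: the JDK provider does not expose the token's own retry counter, and other applications sharing the card (a browser with the same PKCS#11 module loaded, as in the concurrency conflicts mentioned in the ZAP post) consume retries this code never sees, so treat the count as a lower bound on the attempts already used, and prefer checking the PIN once in the vendor middleware before pointing a proxy at the card. The example targets Java 9 or later; on Java 8 the provider is instantiated with new sun.security.pkcs11.SunPKCS11(InputStream) instead of Provider.configure.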
<br />
So far, the main DNIe (or, generally speaking, smartcard) security threats assume the attacker has obtained physical access to the smartcard and the associated PIN/passcode, or has compromised the victim's computer, where the smartcard is plugged in and used from. A couple of examples are last year's Rooted CON 2011 research on using a DNIe remotely through a proxying computer, <span class="Apple-style-span" style="font-size: 16px;"><a href="http://www.rootedcon.es/index.php/rooted-con-2011/">"Man-In-Remote: PKCS11 for fun and non-profit"</a> by </span><span class="Apple-style-span" style="font-size: 16px;">Gabriel González</span>, and the <a href="http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs/">Sykipot trojan</a>, targeting US DoD smartcards (ActivClient), reported by AlienVault.<br />
<br />
Considering Spain is the worldwide leader in digital identity and signature, with <a href="http://www.mir.es/press/la-policia-nacional-supera-los-25-%20millones-de-dni-electronicos-expedidos-12920">more than 25 million DNIe issued as of September 29, 2011</a> (since this 341+ million euro project started in 2005), I feel we should also lead on the security implications of web applications that use the DNIe and similar smartcard solutions. Just as Spain was significantly ahead in the <a href="http://www.eaccessibility-monitoring.eu/descargas/MeAC2_Annual_Report_2011vfinal.docx">"Monitoring eAccessibility in Europe: 2011 Annual Report"</a>, we must be ahead in the next eSecurity report (if any) too, in both the public and private sectors. There seem to be at least 26 countries worldwide providing smartcard-based (or digital-certificate-based) identification and signature solutions to their citizens, so this research has to be extended to other smartcard types and scenarios (<i>see [0]</i>).<br />
<br />
I presented together with the smart and fun José A. Guasch, security researcher and one of the editors of the Spanish security blog <a href="http://www.securitybydefault.com/">Security By Default</a>, since a while ago we realized we were researching different (but related) security aspects of DNIe-based web applications, so our findings fit perfectly into a joint presentation on this topic.<br />
<br />
From a technical side, I talked about the authentication and signature capabilities of web applications based on the DNIe, and the three main vulnerable areas: HTTPS (SSL/TLS), user authentication and registration through the DNIe, and session management in web applications. I have previously published details and tools on the <a href="http://blog.taddong.com/2011/10/tlssled-v12.html">first (HTTPS)</a> and <a href="http://blog.taddong.com/2012/02/owasp-session-management-cheat-sheet.html">last (session management)</a> topics, so the main focus was on the web interaction with the DNIe (and smartcards in general). During the talk I released live the new DNIe capabilities for web application pen-testers through the OWASP ZAP SVN repository (<a href="https://code.google.com/p/zaproxy/source/detail?r=1209">SVN official revision 1209 - drivers.xml file</a>). These new capabilities are available in the <a href="https://code.google.com/p/zaproxy/source/checkout">ZAP SVN trunk</a> as well as in the <a href="https://code.google.com/p/zaproxy/downloads/list">OWASP ZAP 1.4.x version</a>, published yesterday (<i>see [0]</i>).<br />
<br />
The presentation covers in depth how to interact with PKCS#11 smartcard devices from Java, and how ZAP smartcard support has been enhanced with DNIe capabilities, stability fixes, and new functionality for the three most common pen-testing platforms: Windows, Linux, and Mac OS X. Additionally, the second portion of my talk presented the results and statistics (plus the associated recommendations) obtained from pen-testing the DNIe capabilities of 15 critical web applications during 2011. The impact of the different vulnerabilities and weaknesses identified in this type of application is very significant, especially considering the perceived extra security and confidence that smartcard authentication brings. If DNIe-based web applications are not securely architected and developed, an attacker can decrypt the victim's web traffic, launch Man-in-the-Middle (MitM) attacks, and manipulate the user registration and authentication processes, plus the user session, to fully impersonate legitimate users in the target web application. Unfortunately, based on the results obtained from these pen-tests there is still a long way to go before we can assert that relevant web applications making use of the DNIe are secure.<br />
<br />
José talked about the overall security, as well as specific vulnerabilities, that can be found on the client-side components used by web applications (Java applets and ActiveX controls) that interact with the DNIe. These components access the DNIe to (sometimes) provide authentication capabilities and (mainly) verify and generate digital signatures. More information is available on <a href="http://www.securitybydefault.com/2012/04/seguridad-en-componentes-cliente-de.html">the associated Security By Default blog post(s)</a> (in Spanish).<br />
<br />
This research, plus the additions we are currently working on, are going to be contributed over time to the <a href="https://www.owasp.org/index.php/Spain/Projects/DNIe">OWASP DNIe project</a> (in Spanish). This open initiative was launched in June 2011 with the goal of evaluating and improving the security of web applications based on the DNIe.<br />
<br />
The presentation (in Spanish) can be downloaded from <a href="http://www.taddong.com/docs/RootedCon2012-Seguridad_de_aplicaciones_web_basadas_en_el_DNIe-v1.0.pdf">Taddong's lab in PDF format</a> and it is also available on-line (SlideShare) from the <a href="http://www.rootedcon.es/index.php/ponencias/#dniesec">Rooted CON papers/talks archive</a>.<br />
<br />
[0]: <i>More specific smartcard and DNIe-related ZAP details, as well as the extended research I'm working on, will be published in a future Taddong blog post.</i><br />
<br />
Raul Siles<br />
<br />
<strong>OWASP Session Management Cheat Sheet (v2.0) &amp; Podcast</strong> (February 19, 2012)<br />
<br />
<span class="Apple-style-span" style="font-family: Helvetica;">In July 2011 the <a href="http://blog.taddong.com/2011/07/owasp-session-management-cheat-sheet.html">OWASP Session Management CheatSheet</a> was released with the main goal of becoming a useful security reference for web application architects, developers, and security professionals. The document tries to summarize concisely all the best practices, recommendations, and countermeasures required to improve the security of today's session management implementations in web applications. Unfortunately, the results of our web application penetration tests over the last few years confirm that session management vulnerabilities are still very common and widely prevalent in critical web applications today.</span><br />
<span class="Apple-style-span" style="font-family: Helvetica;"><br />
<a href="https://www.owasp.org/index.php/User:Jmanico">Jim Manico</a> gave me the opportunity to include this content in the famous <a href="https://www.owasp.org/index.php/Category:Cheatsheets">OWASP CheatSheet series</a> and talk about this topic. As a result, <a href="https://www.owasp.org/download/jmanico/owasp_podcast_90.mp3">OWASP Podcast number 90, "Raul Siles"</a>, has been released (check the whole <a href="https://www.owasp.org/index.php/OWASP_Podcast">OWASP Podcast series</a>). Thanks Jim!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="font-family: Helvetica;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWVhS5vdy_7zFZK09nuZ_fsdjDTt8kmxXcZmU06z-9XnZz8TK6lxIgB3J3BqRhOgpjHTcW43X21mYc0iOfJ7d6S4_lWJTmt-zsnE_aIJOwaEz8gnFTqE4kXymjY9UdIz0nBPWCLazX7V00/s1600/podcast.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWVhS5vdy_7zFZK09nuZ_fsdjDTt8kmxXcZmU06z-9XnZz8TK6lxIgB3J3BqRhOgpjHTcW43X21mYc0iOfJ7d6S4_lWJTmt-zsnE_aIJOwaEz8gnFTqE4kXymjY9UdIz0nBPWCLazX7V00/s200/podcast.jpg" width="100" /></a></span></div>
<span class="Apple-style-span" style="font-family: Helvetica;">
Around October 2011 I slightly updated the official CheatSheet version in the <a href="https://www.owasp.org/index.php/Session_Management_Cheat_Sheet">OWASP Wiki</a>, and last week, in sync with the podcast release, I published a new version (v2.0). This updated <a href="http://www.taddong.com/en/lab.html#OWASPSESSMGMT2">downloadable version (in PDF format)</a> includes the updates from October (check the Wiki and the document changelog) plus a new feature I plan to expand in future versions of this document: additional references to session management attacks, pen-testing and auditing techniques, tools, and demonstrations, complementing the original security countermeasures and defensive recommendations.</span><br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="font-family: Helvetica;"><span class="Apple-style-span" style="font-size: small; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2aceERua8KAiR3fOrLNi8NiYMcupwJvGmDUit_fumcQHxdjgYFFytVvMTF9cG554dhWqSz2E0SIRo7DjEtaVr8EDwy5-rqhtM3eL8Tn3s_b9K6AB5vLEQc60rrCAyUsw-VDMCngzQYGUA/s1600/cookie-monster.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2aceERua8KAiR3fOrLNi8NiYMcupwJvGmDUit_fumcQHxdjgYFFytVvMTF9cG554dhWqSz2E0SIRo7DjEtaVr8EDwy5-rqhtM3eL8Tn3s_b9K6AB5vLEQc60rrCAyUsw-VDMCngzQYGUA/s200/cookie-monster.jpg" width="200" /></a></span></span></div>
<span class="Apple-style-span" style="font-family: Helvetica;">
This new version, v2.0, contains the first 10 references/demos, including the OWASP Cookie Database Project, the <a href="http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html">BIG-IP_cookie_decoder.py</a> and <a href="http://blog.taddong.com/2011/10/tlssled-v12.html">TLSSLed</a> tools, the OddJob session hijacking banking trojan, and more.</span><br />
<div>
<span class="Apple-style-span" style="font-family: Helvetica;"><br />
I encourage everybody involved in web application security to review the OWASP Session Management CheatSheet, apply its contents to the currently available web applications and implementations, help spread the word, and <a href="https://www.owasp.org/index.php/Session_Management_Cheat_Sheet">contribute to it</a>.</span><br />
<div>
<span class="Apple-style-span" style="font-size: xx-small;">Image src: http://www.gabrielwoo.com/cookie-monster.jpg</span></div>
</div>
</div>Raul Sileshttp://www.blogger.com/profile/06709503832135757060noreply@blogger.com0tag:blogger.com,1999:blog-2773536350893785230.post-65748886216618533692012-02-10T19:24:00.000+01:002012-02-10T19:24:46.192+01:00Building OWASP ZAP Using Eclipse IDE for Java… Pen-Testers (v2.0)The <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">OWASP Zed Attack Proxy (ZAP)</a> is the <a href="http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html">Toolsmith Tool of the Year for 2011</a>. Last Summer, the "<a href="http://blog.taddong.com/2011/08/building-owasp-zap-using-eclipse-ide.html">Building OWASP ZAP Using Eclipse IDE for Java... Pen-Testers</a>" guide (version 1.0) was published, and as the beginning of 2012 seems to be the time for second editions of my work ;-) (<i>check the upcoming blog post with v2.0 of the "OWASP Session Management CheatSheet"</i>), a new version of the guide has been released.<br />
<br />
This new "<strong><a href="http://www.taddong.com/en/lab.html#BUILDINGZAP2">Building OWASP ZAP Using Eclipse IDE for Java... Pen-Testers</a></strong>" (version 2.0), available for download from <a href="http://www.taddong.com/en/lab.html">Taddong's Lab</a>, includes significant changes from the first version. It provides an updated development environment not only to get and build the latest ZAP version from the official SVN repository, but also to easily commit your changes if you want to contribute to the ZAP project. The proposed environment is more user-friendly than in the first version and does not require any external SVN client: Eclipse and Subclipse provide all the development and SVN capabilities integrated into the same tool. The guide also references the recent <a href="https://code.google.com/p/zap-extensions/">OWASP ZAP Extensions</a> project and provides guidance to manage Java (JRE or JDK) updates in Eclipse.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRiWh3_UoZ7S5VN5uauNGa6bsg-KP9UtQBDieO5MVJ6mNPDhxPNirUjp5jwWR11SMt1mp9dJ8ziuqZoANK_eHYCA93z3vf9lFbvgil2lA7MbX0lZA22KUzC2a-PjrTv4Hou09Fm7CnY4g-/s1600/zap_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="69" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRiWh3_UoZ7S5VN5uauNGa6bsg-KP9UtQBDieO5MVJ6mNPDhxPNirUjp5jwWR11SMt1mp9dJ8ziuqZoANK_eHYCA93z3vf9lFbvgil2lA7MbX0lZA22KUzC2a-PjrTv4Hou09Fm7CnY4g-/s200/zap_logo.png" width="69" /></a></div>
<br />
I encourage everyone involved in Web Application Security, from architects to developers, QA, auditors, and pen-testers, to take a look at <a href="https://code.google.com/p/zaproxy/">OWASP ZAP</a> and the <a href="https://code.google.com/p/zap-extensions/">OWASP ZAP Extensions</a>, and to use this new building ZAP guide to enjoy the most current version from SVN and contribute to the project. The official <a href="https://code.google.com/p/zaproxy/wiki/Building">"Building ZAP" Wiki</a> has been updated to link to both versions of this guide.<br />
<br />
<strong><u>NOTE:</u></strong> I will be talking about OWASP ZAP and releasing new smartcard features during my <a href="http://www.rootedcon.es/index.php/agenda/">Rooted CON 2012</a> talk: "Security of Web Applications using the (Spanish) eID" ("<em>Seguridad de aplicaciones web basadas en el DNIe</em>", in <em>Spanish</em>).Raul Sileshttp://www.blogger.com/profile/06709503832135757060noreply@blogger.com1tag:blogger.com,1999:blog-2773536350893785230.post-62756103449103818742011-12-06T23:42:00.001+01:002011-12-07T00:56:32.042+01:00Cookie decoder: F5 BIG-IPI still remember with excitement the first time I found an F5 BIG-IP load balancer persistent cookie disclosing the network details of the internal hosts: IP address and TCP port. Although that was a few years ago during a pen-test, it is still very common today to find them in lots of target environments. The BIG-IP cookie value (used by the F5 devices to balance the client web traffic load) <a href="http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html">is encoded using a public algorithm</a> (since May 2007) designed by F5 ("<a href="http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html">SOL6917: Overview of BIG-IP persistence cookie encoding</a>").<br />
<br />
As is clearly described in the "<a href="http://blog.taddong.com/2011/07/owasp-session-management-cheat-sheet.html">OWASP Session Management Cheat Sheet</a>" I published this Summer (section "2.4. Session ID Content (or Value)"), it is not a good practice to include any meaningful or sensitive data inside the session ID, or the cookie in this case. At some point, someone will figure out how to decode it :-)... so, instead of encoding the data, it is better to use other kinds of session ID values. F5 provides a solution to this issue based on encrypting these persistent cookies: "<a href="http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html">SOL7784: Overview of cookie encryption</a>".<br />
<br />
It is possible to decode the cookies manually by reversing the F5 algorithm used to encode the data, but when you are dealing with multiple load balancers and/or internal servers, it is better to use a tool that helps decode all the gathered cookie values. Although this is an old and well-known issue, based on the <a href="http://penturalabs.wordpress.com/2011/03/29/how-to-decode-big-ip-f5-persistence-cookie-values/">Python script published by dusty</a> on March 29, 2011, we decided to release an extended version of the script, called "BIG-IP_cookie_decoder.py" and <a href="http://www.taddong.com/tools/BIG-IP_cookie_decoder.zip">available here</a> (in ZIP format), that decodes both the internal host IP address and the TCP port. Usage example (as root - in fact not required ;-):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXEYa2lsHTqml7ykemY_oT2N1e4jbHggnYDKhGxp-ZVuDgvAcQyv-8iM9e2cHTwBkvozHa9ip93Es3PphEzGm35xm0ja3aGe5-r7d7oJCk68xbRCiXkucuovFYI9rIzYWIWK5cig_R6fYW/s1600/BIG-IP_cookie_decoder.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXEYa2lsHTqml7ykemY_oT2N1e4jbHggnYDKhGxp-ZVuDgvAcQyv-8iM9e2cHTwBkvozHa9ip93Es3PphEzGm35xm0ja3aGe5-r7d7oJCk68xbRCiXkucuovFYI9rIzYWIWK5cig_R6fYW/s1600/BIG-IP_cookie_decoder.png" /></a></div>
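The classic SOL6917 encoding, implemented here as an added example (not the BIG-IP_cookie_decoder.py script from the post) and turned into a defensive check that walks a set of response headers and flags persistence cookies still exposing an internal ip:port, so they can be moved to the encrypted format of SOL7784. The cookie name pattern BIGipServer&lt;pool&gt;, the sample Set-Cookie lines, and the helper names are assumptions of this example.

```python
"""Decoder and audit helper for the classic F5 BIG-IP persistence cookie.

Added example, not the script from the original post. Classic format
(F5 SOL6917): "<ip>.<port>.0000", where <ip> is the IPv4 address read as
a 32-bit little-endian integer and <port> the TCP port read as a 16-bit
little-endian integer, both written in decimal. Cookie names of the form
"BIGipServer<pool>" and all sample header lines below are constructed.
"""
import re
import struct
from ipaddress import IPv4Address

# Classic value: two decimal fields followed by the literal ".0000".
_CLASSIC_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# Set-Cookie lines carrying a BIG-IP persistence cookie (assumed name pattern).
_SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*(BIGipServer[^=;\s]*)=([^;\s]+)", re.I)


def decode_bigip_cookie(value):
    """Return (ip, port) for a classic BIG-IP persistence cookie value.

    Raises ValueError when the value does not use the classic encoding,
    which is what you see once cookie encryption (SOL7784) is enabled.
    """
    m = _CLASSIC_RE.match(value.strip())
    if not m:
        raise ValueError("not a classic BIG-IP persistence cookie: %r" % value)
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        raise ValueError("field out of range: %r" % value)
    # The IP field is the four octets read as a little-endian integer, so
    # packing it little-endian yields the octets back in their original order.
    ip = str(IPv4Address(struct.pack("<I", ip_int)))
    # Same for the port: its two network-order bytes were read little-endian.
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def encode_bigip_cookie(ip, port):
    """Inverse of decode_bigip_cookie; handy for building test vectors."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range: %r" % port)
    ip_int = struct.unpack("<I", IPv4Address(ip).packed)[0]
    port_int = struct.unpack("<H", struct.pack(">H", port))[0]
    return "%d.%d.0000" % (ip_int, port_int)


def audit_set_cookie_headers(header_lines):
    """Flag BIG-IP persistence cookies that expose internal host details.

    Returns (cookie_name, status, detail) tuples: status "leak" means the
    classic encoding is in use and the internal ip:port is recoverable,
    "opaque" means the value is not decodable (e.g. encrypted cookie).
    """
    findings = []
    for line in header_lines:
        m = _SET_COOKIE_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        try:
            ip, port = decode_bigip_cookie(value)
        except ValueError:
            findings.append((name, "opaque", value))
        else:
            findings.append((name, "leak", "%s:%d" % (ip, port)))
    return findings


# Constructed sample response headers (not captured from a real device).
# 1677787402.20480.0000 is the classic encoding of 10.1.1.100:80; the second
# value is a made-up opaque string standing in for an encrypted cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerlive_pool=1677787402.20480.0000; path=/",
    "Set-Cookie: BIGipServerapp_pool=!e3f7KlmQ9d1n8/ZcR2+yTq4w7A==; path=/",
    "Set-Cookie: JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, status, detail in audit_set_cookie_headers(SAMPLE_HEADERS):
        print("%-25s %-6s %s" % (name, status, detail))
```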
<br />
Enjoy it!Raul Sileshttp://www.blogger.com/profile/06709503832135757060noreply@blogger.com1tag:blogger.com,1999:blog-2773536350893785230.post-2770396040452815062011-10-29T02:19:00.001+02:002013-12-05T14:34:22.057+01:00Hacking Vulnerable Web Applications Without Going To Jail<div>
(<b>LAST UPDATE</b><i>: 2013-10-20</i>)<br />
<br />
<div class="MsoNormal">
<i>Shameless plug</i>: I will be teaching the 6-day SANS SEC575 training, "SEC575: Mobile Device Security and Ethical Hacking", in <a href="http://www.sans.org/event/abu-dhabi-2014/course/mobile-device-security-ethical-hacking">Abu Dhabi, UAE (Apr 26, 2014 - May 1, 2014)</a> and <a href="http://www.sans.org/event/pentest-berlin-2014/course/mobile-device-security-ethical-hacking">Berlin, Germany (Jun 16-21, 2014)</a>.</div>
<div class="MsoNormal">
<br /></div>
<i><b><u>LAST UPDATE:</u></b></i> Since October 18, 2013, this list of vulnerable web applications has been moved to a new OWASP project: "<a href="https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project">OWASP Vulnerable Web Applications Directory (VWAD) Project</a>".<br />
<i><br /></i>
While teaching web application security and penetration testing, one of the most prevalent questions from the audience at the end of every week is: "<i>How and where can I (legally) put into practice all the knowledge and test all the different tools we have covered during the training (while preparing for the next real-world engagement)?</i>" Over the years I have been providing multiple references to the attendees (including the option of testing real-world vulnerable open-source web applications) and mentioned several times that I had a pending blog post listing them all together... Today is the day! ;)... and I will be able to refer people here in future training sessions.</div>
<div>
<br /></div>
<div>
This blog post provides an extensive and updated list (as of October 20, 2011) of vulnerable web applications on which you can test your web hacking knowledge, pen-testing tools, skills, and kung-fu, with an added bonus... <b>without going to jail</b> :) The vulnerable web applications have been classified in three categories: offline, VMs/ISOs, and online. Each list is ordered alphabetically.</div>
<div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6u5cAHucTWDzmVOFBD5_KG2Uxh0FaWEJoQq23hBeAmAmglh91nQvJEbL7OeRhWAPP3C4a_qwYsLYhXlYNXi_K0DTtotB4TezHg1DhmteNHGobIB3j7gUrBlugCj8jVVfaxSHvVo6MHVBt/s1600/get-out-of-jail.jpg"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5664968240196018018" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6u5cAHucTWDzmVOFBD5_KG2Uxh0FaWEJoQq23hBeAmAmglh91nQvJEbL7OeRhWAPP3C4a_qwYsLYhXlYNXi_K0DTtotB4TezHg1DhmteNHGobIB3j7gUrBlugCj8jVVfaxSHvVo6MHVBt/s320/get-out-of-jail.jpg" style="cursor: pointer; display: block; height: 214px; margin: 0px auto 10px; text-align: center; width: 320px;" /></a></div>
<div style="text-align: left;">
<b>Offline</b>: The following list references downloadable vulnerable web applications to play with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc.) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc.).</div>
<ul>
<li>The <b>BodgeIt Store</b> (Java): <a href="http://code.google.com/p/bodgeit/">http://code.google.com/p/bodgeit/</a> (<a href="http://code.google.com/p/bodgeit/downloads/list">download</a>)</li>
<li>OWASP <b>Bricks</b> (PHP): <a href="http://sechow.com/bricks/index.html">http://sechow.com/bricks/index.html</a> (<a href="http://sechow.com/bricks/download.html">download</a> & <a href="http://sechow.com/bricks/docs/">docs</a>)</li>
<li>The <b>ButterFly Security</b> Project (PHP): <a href="http://sourceforge.net/projects/thebutterflytmp/">http://sourceforge.net/projects/thebutterflytmp/</a> (<a href="http://sourceforge.net/projects/thebutterflytmp/files/">download</a>)</li>
<li><b>bWAPP</b> - an extremely buggy web application! (PHP): <a href="http://www.itsecgames.com/">http://www.itsecgames.com</a> (<a href="http://sourceforge.net/projects/bwapp/files/">download</a>) (<a href="http://itsecgames.blogspot.be/2013/01/bwapp-installation.html">docs</a>)</li>
<li>Damn Vulnerable Web Application - <b>DVWA</b> (PHP): <a href="http://www.dvwa.co.uk/">http://www.dvwa.co.uk</a> (<a href="http://code.google.com/p/dvwa/downloads/list">download</a>) </li>
<li>Damn Vulnerable Web Services - <b>DVWS</b> (PHP): <a href="http://dvws.secureideas.net/">http://dvws.secureideas.net</a> (<a href="http://dvws.secureideas.net/downloads/files/dvws.tgz">download</a>)</li>
<li>OWASP <b>Hackademic Challenges</b> Project (PHP): <a href="https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project">https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project</a> (<a href="https://code.google.com/p/owasp-hackademic-challenges/">download</a>)</li>
<li>Google <b>Gruyere</b> (Python): <a href="http://google-gruyere.appspot.com/">http://google-gruyere.appspot.com</a> (<a href="http://google-gruyere.appspot.com/gruyere-code.zip">download</a>)</li>
<li><b>Hacme Bank</b> (.NET): <a href="http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx">http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx</a> (<a href="http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx">download</a>)</li>
<li><b>Hacme Books</b> (Java): <a href="http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx">http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx</a> (<a href="http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx">download</a>)</li>
<li><b>Hacme Casino</b> (Ruby on Rails): <a href="http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx">http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx</a> (<a href="http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx">download</a>)</li>
<li><b>Hacme Shipping</b> (ColdFusion): <a href="http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx">http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx</a> (<a href="http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx">download</a>)</li>
<li><b>Hacme Travel</b> (C++): <a href="http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx">http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx</a> (<a href="http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx">download</a>)</li>
<li>OWASP <b>Insecure Web App</b> Project (Java): <a href="https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project">https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project</a> (<a href="http://sourceforge.net/projects/insecurewebapp/files/">download</a> - <i>orphaned</i>)</li>
<li><b>Mutillidae</b> (PHP): <a href="http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10">http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10</a> (<a href="http://www.irongeek.com/mutillidae/">download</a>)</li>
<li>OWASP <b>.NET Goat</b> (C#): <a href="https://owasp.codeplex.com/">https://owasp.codeplex.com</a> (<a href="https://owasp.codeplex.com/SourceControl/list/changesets#">download</a>)</li>
<li><b>Peruggia</b> (PHP): <a href="http://peruggia.sourceforge.net/">http://peruggia.sourceforge.net</a> (<a href="http://sourceforge.net/projects/peruggia/files/">download</a>)</li>
<li><b>Puzzlemall</b> (Java): <a href="https://code.google.com/p/puzzlemall/">https://code.google.com/p/puzzlemall/</a> (<a href="https://code.google.com/p/puzzlemall/downloads/list">download</a>) (<a href="https://code.google.com/p/puzzlemall/downloads/list">docs</a>)</li>
<li>Stanford <b>Securibench</b> (Java) & <a href="http://suif.stanford.edu/~livshits/work/securibench-micro/">Micro</a>: <a href="http://suif.stanford.edu/~livshits/securibench/">http://suif.stanford.edu/~livshits/securibench/</a> (<a href="http://suif.stanford.edu/~livshits/securibench/download.html">download</a>)</li>
<li><b>SQLI-labs</b> (PHP): <a href="https://github.com/Audi-1/sqli-labs">https://github.com/Audi-1/sqli-labs</a> (<a href="https://github.com/Audi-1/sqli-labs/archive/master.zip">download</a>) (<a href="http://dummy2dummies.blogspot.com/">blog</a>)</li>
<li><b>SQLol</b> (PHP): <a href="https://github.com/SpiderLabs/SQLol">https://github.com/SpiderLabs/SQLol</a> (<a href="https://github.com/SpiderLabs/SQLol/archive/master.zip">download</a>)</li>
<li>OWASP <b>Vicnum</b> Project (Perl & PHP): <a href="https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project">https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project</a> (<a href="http://sourceforge.net/projects/vicnum/files/">download</a>)</li>
<li><b>VulnApp</b> (.NET): <a href="http://www.nth-dimension.org.uk/blog.php?id=88">http://www.nth-dimension.org.uk/blog.php?id=88</a> (<a href="http://projects.nth-dimension.org.uk/dir?d=VulnApp">CVS download</a> & <a href="http://projects.nth-dimension.org.uk/rptview?rn=6">vulns</a>)</li>
<li><b>WackoPicko</b> (PHP): <a href="https://github.com/adamdoupe/WackoPicko">https://github.com/adamdoupe/WackoPicko</a> (<a href="https://github.com/adamdoupe/WackoPicko/zipball/master">download</a>) (<a href="http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf">whitepaper</a>)</li>
<li>OWASP <b>WebGoat</b> (Java): <a href="https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project">https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project</a> (<a href="http://code.google.com/p/webgoat/downloads/list">download</a>) (<a href="https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents">guide</a>)</li>
<li>OWASP ZAP <b>WAVE</b> - Web Application Vulnerability Examples (Java): <a href="http://code.google.com/p/zaproxy/downloads/list">http://code.google.com/p/zaproxy/downloads/list</a></li>
<li><b>Wavsep</b> - Web Application Vulnerability Scanner Evaluation Project (Java): <a href="https://code.google.com/p/wavsep/">https://code.google.com/p/wavsep/</a> (<a href="https://code.google.com/p/wavsep/downloads/list">download</a>) (<a href="https://code.google.com/p/wavsep/downloads/list">docs</a>)</li>
<li><b>WIVET</b> - Web Input Vector Extractor Teaser: <a href="https://code.google.com/p/wivet/">https://code.google.com/p/wivet/</a> (<a href="http://www.webguvenligi.org/projeler/wivet">download</a>) (<a href="https://code.google.com/p/wivet/downloads/list?can=1&q=">tests</a>)</li>
</ul>
<b>Virtual Machines (VMs) or ISO images</b>: The following list references preinstalled and ready to use virtual machines (VMs) or ISO images that contain one or multiple vulnerable web applications to play with.<br />
<div>
<div>
<ul>
<li><b>BadStore</b> (ISO): <a href="http://www.badstore.net/">http://www.badstore.net</a> (<a href="http://www.badstore.net/register.htm">download</a> - registration required)</li>
<li><b>Bee-Box</b> (bWAPP VMware): <a href="http://sourceforge.net/projects/bwapp/files/bee-box/">http://sourceforge.net/projects/bwapp/files/bee-box/</a></li>
<li>OWASP <b>BWA</b> - Broken Web Applications Project (VMware - <a href="http://code.google.com/p/owaspbwa/wiki/ProjectSummary">list</a>): <a href="https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project">https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project</a> (<a href="http://code.google.com/p/owaspbwa/wiki/Downloads">download</a>)</li>
<li><b>Drunk Admin Web Hacking Challenge</b> (VMware): <a href="https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/">https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/</a> (<a href="http://bechtsoudis.com/data/challenges/drunk_admin_hacking_challenge.zip">download</a>) </li>
<li><b>Exploit.co.il</b> Vuln Web App (VMware): <a href="http://exploit.co.il/projects/vuln-web-app/">http://exploit.co.il/projects/vuln-web-app/</a> (<a href="http://sourceforge.net/projects/exploitcoilvuln/files/">download</a>)</li>
<li><b>GameOver</b> (VMware): <a href="http://sourceforge.net/projects/null-gameover/">http://sourceforge.net/projects/null-gameover/</a> (<a href="http://sourceforge.net/projects/null-gameover/files/">download</a>)</li>
<li><b>Hackxor</b> (VMware): <a href="http://hackxor.sourceforge.net/cgi-bin/index.pl">http://hackxor.sourceforge.net/cgi-bin/index.pl</a> (<a href="http://sourceforge.net/projects/hackxor/files/">download</a>) (<a href="http://hackxor.sourceforge.net/cgi-bin/hints.pl">hints&tips</a>)</li>
<li><b>Hacme Bank Prebuilt VM </b>(VMware): <a href="http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/">http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/</a> (<a href="http://dc121.4shared.com/download/wwPhUxMQ/hackme_bank_vm_Ninja-Sec.zip">download</a>)</li>
<li><b>Kioptrix4</b> (VMware & Hyper-V): <a href="http://www.kioptrix.com/blog/?p=604">http://www.kioptrix.com/blog/?p=604</a> (<a href="http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar">download</a>) </li>
<li><b>LAMPSecurity</b> (VMware): <a href="http://sourceforge.net/projects/lampsecurity/">http://sourceforge.net/projects/lampsecurity/</a> (<a href="http://sourceforge.net/projects/lampsecurity/files/">download</a>) (<a href="http://sourceforge.net/projects/lampsecurity/files/Documentation/">doc</a>)</li>
<li><b>Metasploitable</b> (VMware): <a href="http://blog.metasploit.com/2010/05/introducing-metasploitable.html">http://blog.metasploit.com/2010/05/introducing-metasploitable.html</a> (<a href="http://updates.metasploit.com/data/Metasploitable.zip.torrent">download</a> - torrent) (<a href="http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp">doc</a>)</li>
<li><b>Metasploitable 2</b> (VMware):
<a href="https://community.rapid7.com/docs/DOC-1875">https://community.rapid7.com/docs/DOC-1875</a> (<a href="https://sourceforge.net/projects/metasploitable/files/Metasploitable2/">download</a>)</li>
<li><b>Moth</b> (VMware): <a href="http://www.bonsai-sec.com/en/research/moth.php">http://www.bonsai-sec.com/en/research/moth.php</a> (<a href="http://sourceforge.net/projects/w3af/files/moth/moth/">download</a>)</li>
<li><b>PentesterLab</b> - The Exercises (ISO & PDF): <a href="https://www.pentesterlab.com/exercises/">https://www.pentesterlab.com/exercises/</a> </li>
<li><b>PHDays I-Bank</b> (VMware):
<a href="http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html">http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html</a> (<a href="http://downloads.phdays.com/phdays_ibank_vm.zip">download</a>)</li>
<li><b>Samurai WTF</b> (ISO - list): <a href="http://www.samurai-wtf.org/">http://www.samurai-wtf.org</a> (<a href="http://sourceforge.net/projects/samurai/files/">download</a>)</li>
<li><b>Sauron</b> (QEMU) [<i>Spanish</i>]: <a href="http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html">http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html</a> (<a href="http://sg6-labs.blogspot.com/search/label/SecGame">solutions</a>)</li>
<li><b>UltimateLAMP</b> (VMware - <a href="http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp">list</a>): <a href="http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/">http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/</a> (<a href="http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip">download</a>)</li>
<li><b>Virtual Hacking Lab</b> (ZIP): <a href="http://sourceforge.net/projects/virtualhacking/">http://sourceforge.net/projects/virtualhacking/</a> (<a href="http://sourceforge.net/projects/virtualhacking/files/">download</a>)</li>
<li><b>Web Security Dojo</b> (VMware, VirtualBox - <a href="http://www.mavensecurity.com/web_security_dojo/">list</a>): <a href="http://www.mavensecurity.com/web_security_dojo/">http://www.mavensecurity.com/web_security_dojo/</a> (<a href="http://sourceforge.net/projects/websecuritydojo/files/">download</a>)</li>
</ul>
<b>Online/Live</b>: The following list references online and live vulnerable web applications available on the Internet to play with.<br />
<ul>
<li>Acunetix:</li>
<ul>
<li><a href="http://testasp.vulnweb.com/">http://testasp.vulnweb.com</a> (Forum - ASP)</li>
<li><a href="http://testaspnet.vulnweb.com/">http://testaspnet.vulnweb.com</a> (Blog - .NET)</li>
<li><a href="http://testphp.vulnweb.com/">http://testphp.vulnweb.com</a> (Art shopping - PHP)</li>
</ul>
<li>Cenzic CrackMeBank: <a href="http://crackme.cenzic.com/">http://crackme.cenzic.com</a></li>
<li>Google Gruyere (Python): <span class="Apple-style-span"><u><a href="http://google-gruyere.appspot.com/start">http://google-gruyere.appspot.com/start</a></u></span></li>
<li><span class="Apple-style-span">Hacking-Lab (eg. OWASP Top 10): <a href="https://www.hacking-lab.com/events/registerform.html?eventid=245">https://www.hacking-lab.com/events/registerform.html?eventid=245</a></span></li>
<li>Hack.me (beta): <a href="https://hack.me/">https://hack.me</a></li>
<li><span class="Apple-style-span">HackThisSite (HTS - Basic & Realistic (web) Missions): <a href="http://www.hackthissite.org/">http://www.hackthissite.org</a></span></li>
<li>Hackxor online demo: <a href="http://hackxor.sourceforge.net/cgi-bin/index.pl#demo">http://hackxor.sourceforge.net/cgi-bin/index.pl#demo</a> (algo/smurf)</li>
<li>HP/SpiDynamics Free Bank Online: <a href="http://zero.webappsecurity.com/">http://zero.webappsecurity.com</a> (admin/admin) </li>
<li>IBM/Watchfire AltoroMutual: <a href="http://demo.testfire.net/">http://demo.testfire.net</a> (jsmith/Demo1234)</li>
<li>NTOSpider Web Scanner Test Site: <a href="http://www.webscantest.com/">http://www.webscantest.com</a> (testuser/testpass)</li>
<li>OWASP Hackademic Challenges Project - Live (PHP - Joomla): <a href="http://hackademic1.teilar.gr/">http://hackademic1.teilar.gr</a></li>
<li>Pentester Academy: <a href="http://pentesteracademylab.appspot.com/">http://pentesteracademylab.appspot.com</a></li>
</ul>
For completeness, there have been <a href="https://www.owasp.org/index.php/Phoenix/Tools">some</a> <a href="http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security">other</a> <a href="http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/">similar</a> lists published in the past that I'm aware of, and some "in-the-cloud" commercial training lab options are also getting popular (let's call them "pay-per-hack" :-). Enjoy all these different vulnerable web environments and sharpen your web app pen-testing skills and tools by practicing with them!</div>
</div>
<div>
<br />
<b>Updates</b>: (<i>Thanks to everybody who sent me new vulnerable web apps</i>)<br />
2011-10-31: Added VulnApp (.NET) & Sauron (QEMU).<br />
2012-06-17: Added Metasploitable 2, Positive Hack Days (PHDays) I-Bank, and Hacme Bank Prebuilt VM.<br />
2012-07-23: Added GameOver, Virtual Hacking Lab, and Hacking-Lab.<br />
2012-12-19: Added SQLol, SQLI-labs, and WIVET.<br />
2012-12-27: Hack.me (beta).<br />
2013-01-21: bWAPP.<br />
2013-01-31: Drunk Admin Web Hacking Challenge, Hackxor online demo, Kioptrix4, and check <a href="http://www.scriptjunkie.us/2012/04/the-hacker-games/">The Hacker Games</a> (VM) - <i>some new additions via</i> <a href="http://vulnhub.com/">vulnhub.com</a>.<br />
2013-03-15: DVWS.<br />
2013-09-09: Added PentesterLab and OWASP Bricks (<i>thanks to m0wgli</i>).<br />
2013-10-08: Added Pentester Academy (<i>thanks to m0wgli</i>) and Bee-Box, and updated bWAPP homepage.<br />
2013-10-20: List moved to <a href="https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project">OWASP VWAD project</a>.<br />
<br />
<b>NOTE</b>: The main goal of WAVE and Wavsep is to evaluate the features, quality, and accuracy of automatic web application vulnerability scanners. WIVET's main goal is to statistically analyze web link extractors.</div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="font-size: xx-small;">Image source: http://www.headhacker.net/wp-content/uploads/2010/04/get-out-of-jail.jpg</span></div>
Unknownnoreply@blogger.com10tag:blogger.com,1999:blog-2773536350893785230.post-14111969056737196112011-10-12T23:28:00.028+02:002011-10-19T02:40:39.520+02:00TLSSLed v1.2<div>TLSSLed v1.2 has been released and can be downloaded, as usual, from <a href="http://www.taddong.com/en/lab.html#TLSSLED">Taddong's lab</a>.</div><div><br /></div><div>This new version incorporates feedback from several people, as well as new features, including support for Mac OS X (TLSSLed should now run in both Linux and Mac OS X; check <a href="https://www.titania-security.com/labs/sslscan">how to build sslscan on Mac OS X</a> first), an initial check to verify whether the target service speaks SSL/TLS (exiting if it does not), a few other optimizations and error checks, and new tests for TLS v1.1 and v1.2.</div><div><br /></div><div>The latter feature has been added as a result of the recent BEAST vulnerability and research, CVE-2011-3389. In order to be able to check for TLS v1.1 and v1.2 you need to use openssl-1.0.1-stable, available from <a href="ftp://ftp.openssl.org/snapshot/">the openssl snapshot repository</a>. TLSSLed reports whether the target service supports TLS v1.1 and v1.2, whether it does not, or whether your local openssl version does not support these TLS versions. </div><div><br /></div><div>This new test simply checks whether the target service supports these two TLS versions; however, this does not mean the implementation is secure from a BEAST perspective, as many other factors can influence this, such as: </div><div><ul><li>The implementation could downgrade from TLS v1.1 or v1.2 to TLS v1.0 or SSLv3 if these versions are also supported by the server and a client requests it. 
</li><li>The implementation can use RC4 instead of AES CBC to mitigate this vulnerability.</li><li>Certain SSL/TLS implementations might not be vulnerable to BEAST, such as openssl since version 0.9.6d, as <a href="http://www.openssl.org/~bodo/tls-cbc.txt">they already added empty plaintext fragments (problem #2)</a> - if SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS <a href="http://www.mail-archive.com/openssl-dev@openssl.org/msg29718.html">is not set</a>. </li></ul>The first two scenarios can be easily verified through the new "Testing for SSLv3 and TLSv1 support first ..." test. If you know how to remotely check for the third scenario using the openssl binary, I would love to hear about it and implement that inside the tool... Therefore, a careful and thorough brain-based analysis is still required :)</div><div><br /></div><div>The output below shows this new feature against "tls.woodgrovebank.com", an SSL/TLS public Interop Test Server from Microsoft, using openssl 1.0.1-dev:</div><br /><table bg="" border="1" style="border-collapse: collapse;"><tbody><tr><td><div style="color: black; font-family: "Courier New",Courier,monospace;"><span style="font-size: small;"><b>$ ./TLSSLed.sh tls.woodgrovebank.com 443</b></span><br /><pre><span style="font-size: small;">------------------------------------------------------<br />TLSSLed - (1.2) based on sslscan and openssl<br /> by Raul Siles (www.taddong.com)<br />------------------------------------------------------<br />+ openssl version: OpenSSL 1.0.1-dev xx XXX xxxx<br />+ sslscan version 1.8.2<br />------------------------------------------------------<br /><br />[-] Analyzing SSL/TLS on tls.woodgrovebank.com:443 ..<br /><br />[*] The target service tls.woodgrovebank.com:443 seems to speak SSL/TLS...<br /><br /><br />[-] Running sslscan on tls.woodgrovebank.com:443...<br /><br />[*] Testing for SSLv2 ...<br /> Accepted SSLv2 168 bits DES-CBC3-MD5<br /> Accepted SSLv2 128 bits RC4-MD5<br /><br />[*] Testing for NULL cipher 
...<br /><br />[*] Testing for weak ciphers (based on key length) ...<br /><br /><br />[*] Testing for strong ciphers (AES) ...<br /> Accepted TLSv1 256 bits AES256-SHA<br /> Accepted TLSv1 128 bits AES128-SHA<br /><br />[*] Testing for MD5 signed certificate ...<br /><br />[*] Testing for certificate public key length ...<br /> RSA Public Key: (2048 bit)<br /><br />[*] Testing for certificate subject ...<br /> Subject: /C=US/ST=WA/L=Redmond/O=Microsoft/CN=tls.woodgrovebank.com<br /><br />[*] Testing for certificate CA issuer ...<br /> Issuer: /CN=RSACERTSRV<br /><br />[*] Testing for certificate validity period ...<br /> Today: Wed Oct 12 00:50:07 UTC 2011<br /> Not valid before: Feb 14 22:52:50 2011 GMT<br /> Not valid after: Feb 14 23:02:50 2012 GMT<br /><br />[*] Checking preferred server ciphers ...<br />Prefered Server Cipher(s):<br /> SSLv2 168 bits DES-CBC3-MD5<br /> SSLv3 128 bits RC4-SHA<br /> TLSv1 128 bits AES128-SHA<br /><br /><br /><br />[-] Testing for SSLv3/TLSv1 renegotiation vuln. 
(CVE-2009-3555) ...<br /><br />[*] Testing for secure renegotiation ...<br />Secure Renegotiation IS supported<br /><br /><br />[-] Testing for TLS v1.1 and v1.2 (CVE-2011-3389 aka BEAST) ...<br /><br />[*] Testing for SSLv3 and TLSv1 first ...<br /> Accepted SSLv3 168 bits DES-CBC3-SHA<br /> Accepted SSLv3 128 bits RC4-SHA<br /> Accepted SSLv3 128 bits RC4-MD5<br /> Accepted TLSv1 256 bits AES256-SHA<br /> Accepted TLSv1 128 bits AES128-SHA<br /> Accepted TLSv1 168 bits DES-CBC3-SHA<br /> Accepted TLSv1 128 bits RC4-SHA<br /> Accepted TLSv1 128 bits RC4-MD5<br /><br />[*] Testing for TLS v1.1 support ...<br />TLS v1.1 IS supported<br /><br />[*] Testing for TLS v1.2 support ...<br />TLS v1.2 IS supported<br /><br /><br />[-] Testing for SSL/TLS security headers ...<br /><br />[*] Testing for Strict-Transport-Security (STS) header ...<br /><br />[*] Testing for cookies with the secure flag ...<br /><br />[*] Testing for cookies without the secure flag ...<br /><br /><br />[-] New files created:<br />-rw-r--r-- 1 root root 5684 2011-10-18 20:50 sslscan_tls...com:443_2011-10-18_20:49:23.log<br />-rw-r--r-- 1 root root 2675 2011-10-18 20:50 openssl_HEAD_tls...com:443_2011-10-18_20:49:23.log<br />-rw-r--r-- 1 root root 2408 2011-10-18 20:49 openssl_RENEG_tls...com:443_2011-10-18_20:49:23.log<br />-rw-r--r-- 1 root root 540 2011-10-18 20:49 openssl_RENEG_tls...com:443_2011-10-18_20:49:23.err<br />-rw-r--r-- 1 root root 523 2011-10-18 20:50 openssl_HEAD_tls...com:443_2011-10-18_20:49:23.err<br /><br /><br />[-] done<br /></span></pre></div></td></tr></tbody></table><br /><div style="text-align: -webkit-auto;"></div><div>If the target service does not support TLS v1.1 or v1.2 it will say "... IS NOT supported" instead. 
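As an added example (not TLSSLed's own code), the POSIX shell functions below reproduce these three verdicts from raw openssl s_client output. They assume, as the comments state, that an openssl built without TLS v1.1/v1.2 rejects the -tls1_1/-tls1_2 flag with an "unknown option" message, and that a refused handshake still prints an SSL-Session block naming the requested protocol with "Cipher : 0000", which is why a matching Protocol line alone is not taken as proof of support.

```shell
#!/bin/sh
# Added example, not TLSSLed's own code: derive the three TLS v1.1/v1.2 verdicts
# TLSSLed prints from the output of "openssl s_client -tls1_1" / "-tls1_2".
# Assumptions (not stated in the post):
#  - an openssl built without TLS v1.1/v1.2 rejects the flag with "unknown option";
#  - a refused handshake still prints an SSL-Session block whose "Protocol" line
#    names the version we *asked for*, with "Cipher    : 0000", so the Protocol
#    line alone must not be read as proof of support.

# classify_tls_check <v1.1|v1.2> <captured s_client output>
classify_tls_check() {
  ver="$1"
  out="$2"
  if printf '%s\n' "$out" | grep -qi 'unknown option'; then
    echo "The local openssl version does NOT support TLS $ver"
  elif printf '%s\n' "$out" | grep -q "Protocol *: TLSv${ver#v}" &&
       ! printf '%s\n' "$out" | grep -q 'Cipher *: 0000'; then
    echo "TLS $ver IS supported"
  else
    echo "TLS $ver IS NOT supported"
  fi
}

# check_tls_version <host> <port> <v1.1|v1.2>: live check (needs network access).
check_tls_version() {
  flag="-tls1_${3#v1.}"            # v1.1 -> -tls1_1, v1.2 -> -tls1_2
  out=$(echo | openssl s_client "$flag" -connect "$1:$2" 2>&1 || true)
  classify_tls_check "$3" "$out"
}

# Constructed, abridged sample outputs so the classifier can be exercised offline.
SAMPLE_SUPPORTED='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
'
SAMPLE_REFUSED='CONNECTED(00000003)
error:...:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:...
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
'
SAMPLE_OLD_OPENSSL='unknown option -tls1_2
usage: s_client args
'

# Usage: ./tlscheck.sh <host> <port>   (e.g. tls.woodgrovebank.com 443)
if [ "$#" -eq 2 ]; then
  check_tls_version "$1" "$2" v1.1
  check_tls_version "$1" "$2" v1.2
fi
```

check_tls_version needs network access to the target; the constructed samples let classify_tls_check be exercised offline.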
If your local openssl version does not support TLS v1.1 and v1.2, you will get the following output:</div><br /><table bg="" border="1" style="border-collapse: collapse;"><tbody><tr><td><div style="color: black; font-family: "Courier New",Courier,monospace;"><span style="font-size: small;"><b>$ ./TLSSLed.sh www.example.com 443</b></span><br /><pre><span style="font-size: small;">...<br />[-] Testing for TLS v1.1 and v1.2 (CVE-2011-3389 aka BEAST) ...<br />...<br />[*] Testing for TLS v1.1 support ...<br />The local openssl version does NOT support TLS v1.1<br /><br />[*] Testing for TLS v1.2 support ...<br />The local openssl version does NOT support TLS v1.2<br />...<br /></span></pre></div></td></tr></tbody></table><br /><div></div><div>Some people suggested new additions to TLSSLed based on adding checks from other already available SSL/TLS related tools, such as <a href="http://wiki.debian.org/SSLkeys">openssl-blacklist</a> or <a href="http://unspecific.com/ssl/">ssl-cipher-check.pl</a>. After careful thought and detailed analysis, TLSSLed will remain loyal to its original spirit and design, keeping the prerequisites to run it to a minimum (just openssl and sslscan since version 1.0). Therefore, the goal is not to make use of any additional tools from within TLSSLed except openssl and sslscan, unless there is a very critical security test that cannot be accomplished with these two. However, I'm open to implementing other missing tests using these two tools.</div><div><br /></div><div>One of the future releases will include an associated user guide that briefly explains the different TLSSLed results and their meaning, so that you can easily understand the security implications of the findings reported by the tool without being well versed in SSL/TLS (HTTPS).</div><div><br /></div><div>Remember, the tool is open to comments, suggestions, improvements, and new tests from the community. Do not hesitate to contact me with ideas! 
Thanks to Abraham Aranguren and others who want to remain anonymous for their feedback!</div>Raul Sileshttp://www.blogger.com/profile/06709503832135757060noreply@blogger.com0tag:blogger.com,1999:blog-2773536350893785230.post-22961585159155466402011-08-29T16:27:00.036+02:002012-04-11T15:28:53.843+02:00Using Signal to Detect Rogue Cellular Base Stations (Part Two)<b>Can Signal be used as a rogue base station detector?</b><div></div><br />For starters, the answer depends on the reliability and update rate of the source from which Signal obtains the geographical location.<div></div><br />Provided that this condition is met, we can distinguish three different cases:<br /><ol><li><b>If the attacker uses a non-existing cell identifier</b>, the application will not provide any geographical information for it, and thus we will assume that the serving cell is false.</li><li><b>If the attacker uses an existing cell identifier belonging to a tower located far away from the place where the attacker is</b>, then Signal will report that we are in a location that does not match our real position. This fact will indicate that the serving cell is not legitimate.</li><li><b>If the attacker configures his base station to pretend to be one of the neighbor cells and manages to get the terminal to register with his base station</b> (by emitting a signal that the victim's terminal perceives as much "better"), then Signal will not show any clue about the legitimacy of the cell. We must say that, in this situation, it is much more difficult for the attacker to force the terminal to register with his base station, because the victim's terminal can probably see two radio signals with the same cell identifier (we don't know the terminal's behavior in this case). 
To overcome this obstacle, the attacker could choose the identifier of an existing nearby cell for which the terminal perceives no power at all.</li></ol><div></div>Our conclusion is that this application can help detect whether the service our terminal is receiving is legitimate or not, and it makes it much more difficult for the attacker to keep his attack undetected. However, it cannot be considered a 100% reliable method.<div></div><br />Even so, we think that using the tower's geographical location is a very good way to help detect rogue base station attacks, and it should be combined with other techniques such as, for example, the terminal's GPS information, the analysis of other parameters of the radio signal, or the detection of some functionalities that a false network will not typically implement.<div></div><br /><b>Network traffic analysis</b><div></div><br />For each of the tests performed we obtained the corresponding traffic capture using Wireshark. We did so because, if there is an information source from which one can extract the geographical location of a mobile base station, of course we want to know it.<div></div><br />After analyzing some of the captures, we reached the conclusion that the source of such information was Google (what a surprise!). 
We could also see that the answer looks like this:<div></div><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFH_W2tNIR6-Zm4bzQboPhpXMmQ6c-cXu9Ic27-oeiVjIM-iXidx7zwtl2e4ZxD5uR1Ge3zErVU7RiaT3tuCfn6ue4bE_qAUsBNHRmShvEgkz2uBNc1KzuFd0W7svsGwJWo-n0okQHMjNC/s1600/TCPStream.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; cursor: pointer; width: 400px; height: 266px; text-align: center; " src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFH_W2tNIR6-Zm4bzQboPhpXMmQ6c-cXu9Ic27-oeiVjIM-iXidx7zwtl2e4ZxD5uR1Ge3zErVU7RiaT3tuCfn6ue4bE_qAUsBNHRmShvEgkz2uBNc1KzuFd0W7svsGwJWo-n0okQHMjNC/s400/TCPStream.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5647138734090719586" /></a><div></div><br />In the previous picture you can see that the request is qualified by the cell identifier (MCC, MNC, LAC and CI), and that the answer comes in "longitude/latitude" format.<br />The "User-Agent" field shows that we are using "wget" (instead of "Signal", as any capture of the application's own traffic would show). This is because, instead of using Signal, we wrote a little software tool to access this information, as explained below.<div></div><br /><b>tadbsl.sh tool</b><div></div><br />This application is a shell script that, taking the cell identifier as input, sends the correctly formatted request to Google using wget. 
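As an added example, not part of tadbsl.sh or Signal, the POSIX shell functions below turn the three cases discussed above into a check that a terminal-side detector could run: they parse the "LOCATION: lat , lon" line that tadbsl.sh prints, compute the great-circle distance to a reference position for the terminal (GPS, or simply where you know you are), and label the serving cell. The distance threshold, the label names and the terminal positions are assumptions chosen for this demo; the tower coordinates are the ones returned in the tadbsl.sh run shown on this page.

```shell
#!/bin/sh
# Added example, not part of tadbsl.sh or Signal: turn the three cases discussed
# in the post into a check a terminal-side detector could run. Input is the
# "LOCATION: <lat> , <lon>" line tadbsl.sh prints (empty when Google knows no
# such cell) plus a reference position for the terminal (GPS, or where you know
# you are). Threshold and labels are assumptions chosen for this demo.

# distance_km <lat1> <lon1> <lat2> <lon2>: great-circle distance (haversine);
# awk does the floating-point work that plain sh cannot.
distance_km() {
  awk -v lat1="$1" -v lon1="$2" -v lat2="$3" -v lon2="$4" 'BEGIN {
    pi = atan2(0, -1); r = 6371.0
    dlat = (lat2 - lat1) * pi / 180; dlon = (lon2 - lon1) * pi / 180
    a = sin(dlat / 2) ^ 2 + cos(lat1 * pi / 180) * cos(lat2 * pi / 180) * sin(dlon / 2) ^ 2
    printf "%.3f\n", 2 * r * atan2(sqrt(a), sqrt(1 - a))
  }'
}

# parse_location "<tadbsl output>": prints "lat lon", or nothing when the
# output carries no coordinates (case 1: unknown cell identifier).
parse_location() {
  printf '%s\n' "$1" |
    sed -n 's/^LOCATION:[[:space:]]*\([-0-9.]*\)[[:space:]]*,[[:space:]]*\([-0-9.]*\).*/\1 \2/p'
}

# classify_serving_cell "<tadbsl output>" <my_lat> <my_lon> <max_km>
#   UNKNOWN_CELL  case 1: no location for the cell id  -> assume the serving cell is false
#   FAR_CELL      case 2: tower is not where we are     -> not legitimate
#   NEARBY_CELL   case 3: location is plausible         -> inconclusive; needs other checks
classify_serving_cell() {
  coords=$(parse_location "$1")
  if [ -z "$coords" ]; then
    echo "UNKNOWN_CELL"
    return 0
  fi
  set -- $coords "$2" "$3" "$4"   # $1=lat $2=lon $3=my_lat $4=my_lon $5=max_km
  d=$(distance_km "$1" "$2" "$3" "$4")
  if awk -v d="$d" -v max="$5" 'BEGIN { exit !(d > max) }'; then
    echo "FAR_CELL"
  else
    echo "NEARBY_CELL"
  fi
}

# Demo with the tower from the tadbsl.sh run in the post (49.1560525, -123.1586519)
# and two constructed terminal positions: one a few hundred metres away, one in
# Madrid. Run as: ./cellcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
  TOWER='LOCATION: 49.1560525 , -123.1586519'
  classify_serving_cell "$TOWER" 49.16 -123.16 5          # NEARBY_CELL
  classify_serving_cell "$TOWER" 40.4168 -3.7038 5        # FAR_CELL
  classify_serving_cell "" 49.16 -123.16 5                # UNKNOWN_CELL
fi
```

A NEARBY_CELL verdict only means the location check found nothing wrong; as the post says, it must be combined with other signals before trusting the cell.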
Once Google's answer arrives, it prints the longitude and latitude on the console and, optionally, launches a web browser showing the geographical location of the tower in Google Maps.<div></div><br />The tool's usage instructions are shown here:<br /><table bg="" border="1" style="border-collapse: collapse;"><tbody><tr><td><div style="color: black; font-family: "Courier New",Courier,monospace;"><span style="font-size: small;"><b>$ ./tadbsl.sh --help</b></span><br /><pre><span style="font-size: small;">tadbsl.sh --MCC=&lt;mcc&gt; --MNC=&lt;mnc&gt; --LAC=&lt;lac&gt; --CI=&lt;ci&gt; [-s | --show_in_browser]<br />tadbsl.sh [-h | --help]<br /> Description: this script asks Google for a particular<br /> Cellular Base Station Location and shows the Google's answer.<br /> (Based on the traffic analysis of Signal Cydia application<br /> from PlanetBeing)<br /> Arguments:<br /> MCC: Mobile Country Code of the carrier owning the Base Station<br /> MNC: Mobile Network Code of the carrier owning the Base Staion<br /> LAC: Location Area Code of the Base Station<br /> CI: Cell Identificator of the Base Station<br /> Options:<br /> -h | --help<br /> Shows this help.<br /> -s | --show_in_browser<br /> If you specify this options the script will launch<br /> your browser with the obtained coordinates.<br /> You can configure your browser location in a<br /> configuration variable inside the script.<br /></span></pre></div></td></tr></tbody></table><br />An example of use is shown below:<table bg="" border="1" style="border-collapse: collapse;"><tbody><tr><td><div style="color: black; font-family: "Courier New",Courier,monospace;"><pre><span style="font-size: small;">tad3@ubuntu:~/tadbsl$ ./tadbsl.sh --MCC=302 --MNC=720 --LAC=65010 --CI=48626<br />LOCATION: 49.1560525 , -123.1586519<br /></span></pre></div></td></tr></tbody></table><br /><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmdiboCz38iEiqvtER-g_LIi1t8TBtSzQjmFRjZch54b0Cw9sOvxSEaHoFczOO4kh8rs2vtQM_roYRaP8SauHOUolo4iHXVMcLsPFRKL6r0uvTbsfVg8jCCrGFYv51XXYcXrBWCk3NOEXd/s1600/tadbsl_use.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 225px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmdiboCz38iEiqvtER-g_LIi1t8TBtSzQjmFRjZch54b0Cw9sOvxSEaHoFczOO4kh8rs2vtQM_roYRaP8SauHOUolo4iHXVMcLsPFRKL6r0uvTbsfVg8jCCrGFYv51XXYcXrBWCk3NOEXd/s400/tadbsl_use.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5647144157272562930" /></a><br /><br />This tool is available at <a href="http://www.taddong.com/en/lab.html#tadbsl">our lab</a>.<div><br /><span style="font-size:small;"><b>NOTE: We first published this article, in Spanish, in <a href="http://www.seguridadapple.com/2011/08/signal-y-la-deteccion-de-estaciones_13.html">this post</a> of the blog <a href="http://www.seguridadapple.com/">“Seguridad Apple”</a></b></span></div>Jose Picohttp://www.blogger.com/profile/11351143259307490487noreply@blogger.com2tag:blogger.com,1999:blog-2773536350893785230.post-35250319080280564222011-08-26T17:53:00.032+02:002012-04-11T15:29:13.471+02:00Using Signal to Detect Rogue Cellular Base Stations (Part One)<div style="text-align: justify;">Some days ago Chema Alonso informed us that an application was able to show the geographical location of the tower that was providing service to an iPhone, as well as that of adjacent towers. The application also showed some technical data about these towers. Chema's question was whether this application could be used to detect a rogue base station attack or not. To be able to answer that question, we performed some tests. 
Some of them are explained in this article, as well as the conclusions and other things that we have obtained along the way.</div><div></div><br />The application is called Signal (available on Cydia) and has been written by PlanetBeing. The purpose of the authors is to create a map of nearby towers, measure their power and provide technical data about them.<div></div><br /><b>Test I: testing the application with and without Internet access</b><div></div><br /><u>Testing Lab</u><div></div><br />To perform the tests, we set up the laboratory shown in the picture:<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCeAZjZd7Dn0esnaNoBAEwwV1b3NE0t55CY5-pVKOGGomAzOHVRmNtaohw45ivJ8QNgHRP79KakbbAKAzjaIJWzN2G3ndCEjPOdKv0ozon4pYxzlG_Fy6ZeaiY8SOs5B58zw95S4vMShOd/s1600/TestingLabI+-+English.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 155px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCeAZjZd7Dn0esnaNoBAEwwV1b3NE0t55CY5-pVKOGGomAzOHVRmNtaohw45ivJ8QNgHRP79KakbbAKAzjaIJWzN2G3ndCEjPOdKv0ozon4pYxzlG_Fy6ZeaiY8SOs5B58zw95S4vMShOd/s400/TestingLabI+-+English.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5647121836520981650" /></a><br />The main objective of this setup was to be able to analyze the traffic generated by the application, so that we could draw preliminary conclusions before deciding which tests would follow.<div></div><br /><u>Installation and first execution</u><div></div><br />After jailbreaking our iPhone and installing Cydia, we configured the device in the following way:<ul><li>We disabled 3G service to only accept GSM (this way it would be easier to provide service using our rogue base station)</li><li>The first time the application is launched, it asks if we want to use location services. 
We answered "no" because we wanted to limit the resources available to the software to calculate its location, i.e., no GPS in the game.</li></ul><br />Afterwards, we could see the application showing a map with the location of the towers near our position (somewhere in the Valencia area), and a number that represents the received power in dBm. We checked that the geographical location really showed our position:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWGQmKnGrojkKqyCleL7iR2xz76VTEuZt6ATGD4xcB0PZc3pdvLE7ZB_-YQfnhtJ4EtJMIl7V9Y9mE6ZuV0ZadMT6EoXBThyj13WzUpc5zF1ttX_iZyXqsVwmmJ5HQxL40GLZc6fjYu59M/s1600/MapI.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 214px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWGQmKnGrojkKqyCleL7iR2xz76VTEuZt6ATGD4xcB0PZc3pdvLE7ZB_-YQfnhtJ4EtJMIl7V9Y9mE6ZuV0ZadMT6EoXBThyj13WzUpc5zF1ttX_iZyXqsVwmmJ5HQxL40GLZc6fjYu59M/s320/MapI.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5646907148643926994" /></a><br /><div></div><br /><u>Running the application without Internet access</u><div></div><br />Since we suspected that the application obtained the geographical location of the towers from the Internet, we disabled all data services of the iPhone, including GPRS and WiFi.<br />Under these conditions, as soon as the application started, we could see that the serving cell was detected and that the data and parameters belonging to it were reported. 
Also, the geographical location of a set of nearby towers was shown on the map, but with a different format, as we can see in the following picture:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDJK5edY1dU-039Qwfw_F03FrZa34C_felpYCZk9QNJAOtM9UGdZvAFkFXdv5EcOxKpx-7IV2Pt6qxZoWd_JT9NGNpTxKjFFwa46Z-Czx-SZoLsLMn5eLbMp-iG2PNZCfAw8DbBXYWAuLC/s1600/MapII.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 214px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDJK5edY1dU-039Qwfw_F03FrZa34C_felpYCZk9QNJAOtM9UGdZvAFkFXdv5EcOxKpx-7IV2Pt6qxZoWd_JT9NGNpTxKjFFwa46Z-Czx-SZoLsLMn5eLbMp-iG2PNZCfAw8DbBXYWAuLC/s320/MapII.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5646907537851028882" /></a><br />The legend of color codes in the application reads as follows:<ul><li>Blue: Visible towers</li><li>Red: Connected tower</li><li>Gray: Unlocatable tower</li><li>Yellow: Previously seen tower</li></ul>It seemed to us that Signal kept some kind of cache where it stored information about previously seen towers. 
As the application has a “Reset tower data” option, we checked that when we chose it, all geographical information was lost, and it didn't come back after several runs of the application.<div></div><br /><u>Running the application with Internet access</u><div></div><br />After enabling WiFi, we started the application again and it once more detected where the towers in our geographical area were.<div></div><br /><u>Conclusions obtained in Testing Phase I</u><div></div><br />From the tests performed we can infer that:<ul><li>Signal obtains the geographical information about cellular base stations from the Internet</li><li>The application holds a cache where it stores the geographical information of the towers that it has previously seen; this cache can be erased by using the “Reset tower data” option</li></ul><div></div><br /><b>Test II: using a rogue base station</b><div></div><br /><u>Testing Lab</u><div></div><br />For this second phase of tests, we modified our lab to provide GSM service using our rogue base station. 
The following diagram illustrates this setup:<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHyoDZGhzRgKRYJ_k-pJe-EYYqNEpv4UoOjkiTehLh-4Le9gb6Ett13qcs4d1vRFi3LLDFi4uRB_9lErsclUqvsns5xxAYHCZoeLOyj4EuFXEC-TgtV7utI5bwx02yuEx7KaQeMrHcfi_0/s1600/TestingLabII.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 250px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHyoDZGhzRgKRYJ_k-pJe-EYYqNEpv4UoOjkiTehLh-4Le9gb6Ett13qcs4d1vRFi3LLDFi4uRB_9lErsclUqvsns5xxAYHCZoeLOyj4EuFXEC-TgtV7utI5bwx02yuEx7KaQeMrHcfi_0/s400/TestingLabII.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5647120856086895058" /></a><br /><br /><u>Testing with a non-existent cell identifier</u><div></div><br />To perform this test we configured our rogue base station to transmit with a non-existent cell identifier, and then we turned on the iPhone inside the cage (remember that the iPhone was connected to the Internet inside the cage through our WiFi infrastructure, as shown in the previous picture).<div></div><br />When the Signal application started, it detected the serving tower and correctly reported our false cell identifier, but it could not locate that cell geographically.<div></div><br /><u>Testing with a different cell identifier</u><div></div><br />In this test we used a cell identifier belonging to a cell that is located somewhere in the Madrid area (we were performing our tests in the Valencia area) and, sure enough, the application located us in Madrid, next to that tower, as we can see in the following picture:<div></div><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIp3BTBHeCDfyhvj3H1KwT41FMgVCKtrFZBthcWFiNo77ZHoxQ0a0W24_pyAiAqZb6_ftqJxJi_vtTQBjv1arg0mbUKh5uEFmww3snL_3W47lA6IwS9oh-qGC-sK3M1P99OJegFcZZWRUu/s1600/MapIII.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 214px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIp3BTBHeCDfyhvj3H1KwT41FMgVCKtrFZBthcWFiNo77ZHoxQ0a0W24_pyAiAqZb6_ftqJxJi_vtTQBjv1arg0mbUKh5uEFmww3snL_3W47lA6IwS9oh-qGC-sK3M1P99OJegFcZZWRUu/s320/MapIII.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5646908890699661890" /></a><br /><u>Conclusions obtained in Testing Phase II</u><div></div><br />From these tests we can infer that:<ul><li>The identifying information about the serving tower is obtained from the radio signal</li><li>The geographical information that Signal obtains from the Internet depends solely on the cell identifier (MCC|MNC|LAC|CI), where:<ul><li>MCC: Mobile Country Code</li><li>MNC: Mobile Network Code</li><li>LAC: Location Area Code</li><li>CI: Cell Identifier</li></ul></li></ul><br /><br /><span style="font-size:small;"><b>NOTE: We first published this article, in Spanish, in <a href="http://www.seguridadapple.com/2011/08/signal-y-la-deteccion-de-estaciones.html">this post</a> of the blog <a href="http://www.seguridadapple.com/">“Seguridad Apple”</a></b></span>Jose Picohttp://www.blogger.com/profile/11351143259307490487noreply@blogger.com0tag:blogger.com,1999:blog-2773536350893785230.post-21114001438611525442011-08-11T10:20:00.015+02:002011-08-11T12:38:36.656+02:00Building OWASP ZAP Using Eclipse IDE for Java… Pen-TestersIf I were only given a single tool for a web application penetration test, that would definitely be a web interception proxy!
<br />
<br />As you can check within <a href="http://sourceforge.net/projects/samurai/">Samurai WTF</a>, the number of web interception proxies available to web app analysts and pen-testers is... (at least) quite large. During the last few years (after the old initial <a href="http://www.mavensecurity.com/Achilles/">Achilles</a> days... Wow!, from Oct 13, 2000), a few proxies have become the web application security assessment tools of choice. OWASP <a href="https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">Webscarab</a>, together with <a href="http://www.parosproxy.org">Paros</a> (Proxy), have been two of the most commonly used open-source alternatives, with <a href="http://portswigger.net/burp/">Burp</a> (Suite) on the free/commercial side (but not open-source).
<br />
<br />Unfortunately (or not... keep reading ;-p) Webscarab and Paros were somewhat discontinued. The latest official Webscarab build (not from Git) is from May 2007, and <a href="https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project">Webscarab-NG</a> (Next Generation) was born as a very promising Webscarab replacement, but is progressing slowly with new features and releases. Paros ended up on the famous 3.2.13 version from August 2006 (5 years ago!) and a replacement project or fork, called <a href="https://code.google.com/p/andiparos/">Andiparos</a>, was born afterwards. In parallel, a new OWASP project saw the light, called ZAP (Zed Attack Proxy). In a very smart decision by their leaders (Psiinon and Axel), both projects joined forces to contribute to a single, common open-source web interception proxy (and security assessment tool, considering all the features currently available within ZAP), keeping the name ZAP for the final project. Therefore, <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">OWASP ZAP (Zed Attack Proxy)</a> is definitely the current open-source web interception proxy and security assessment tool of reference.
<br />
<br />What do all these web interception proxy tools have in common? They have been developed in Java, which makes them great multi-platform (Windows, Linux, Mac OS X...) security assessment tools.
<br />
<br />Experience has demonstrated during the last few years that pen-testers need to use two types of tools in their daily activities: the latest official stable tool release, typically distributed by the project as a prepackaged and ready-to-install bundle (.tar.gz, .zip, .jar, etc.), and the most current development revision, the one that includes the most cutting-edge, neat and mighty features, options and capabilities, typically distributed by the project from its official source code repository (Subversion/SVN, CVS, Git, etc.).
<br />
<br />Most pen-testing tools are developed using traditional languages, like C/C++ (e.g. nmap), where the standard 3-way build handshake works like a charm ("./configure", "make" & "sudo make install"), or using interpreted languages, where there is no need to build the package, such as Ruby (e.g. Metasploit), Python (e.g. w3af), or others.
<br />
<br />But... what about the Java-based web interception proxies? I've discovered that there is a significant barrier to entry that makes it difficult for pen-testers to get into the build process of this kind of tool, as a simple "javac" (Java compiler) invocation does not do the trick. In order to compile and build Java-based web interception proxy tools, as they make extensive use of GUIs and library sets, a Java IDE (Integrated Development Environment) is required.
<br />
<br />As a result, lots of security professionals cannot use, and are not using, the most current features of these tools until a new official version is released by the project. In order to overcome this, I have released the <a href="http://www.taddong.com/en/lab.html#BUILDINGZAP"><span style="font-weight: bold;">"Building OWASP ZAP Using Eclipse IDE for Java… Pen-Testers"</span></a> guide, available for download (as usual) from <a href="http://www.taddong.com/en/lab.html#BUILDINGZAP">Taddong's lab</a>.
<br />
<br />The goal of this document is to provide a simplified step-by-step guide that web app pen-testers can follow to easily build the most current OWASP ZAP version from <a href="https://code.google.com/p/zaproxy/source/checkout">the official Subversion repository</a> using the open-source <a href="http://www.eclipse.org/">Eclipse Java IDE</a>. A final appendix provides some brief guidance for those interested not only in using the latest tool features, but in <a href="https://code.google.com/p/zaproxy/">contributing to the OWASP ZAP project</a> (which I encourage you to do).
<br />
<br />Do not forget to always, but especially when using the most current development version, extensively test the tools in your lab environment before using them against the real pen-test targets, probably in production (at least, before you started using the tool... :-)
<br />
<br />Raul Sileshttp://www.blogger.com/profile/06709503832135757060noreply@blogger.com0tag:blogger.com,1999:blog-2773536350893785230.post-26640253686747662312011-07-26T09:41:00.005+02:002011-08-11T10:22:42.156+02:00OWASP Session Management Cheat SheetThe results and conclusions obtained from dozens of web application penetration tests completed during the last few years confirm that session management is still today one of those critical web application components prone to multiple, critical vulnerabilities.
<br />
<br />Session management is a core and very complex module in modern web application architectures, and has to integrate smoothly and securely with other critical components, such as the authentication and access control modules:
<br /><a href="https://www.owasp.org/images/1/1d/Session-Management-Diagram_Cheat-Sheet.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 603px; height: 137px;" src="https://www.owasp.org/images/1/1d/Session-Management-Diagram_Cheat-Sheet.png" alt="" border="0" /></a>Sessions, represented by a session ID or token, bind the user authentication credentials to the user's HTTP traffic and to the appropriate access controls enforced by the web application. The stateless nature of the HTTP protocol, the complexity of these three components (authentication, session management, and access control) in modern web applications, plus the fact that their implementation and binding reside in the web developer's hands (as web development frameworks do not provide strict relationships between these modules), make the implementation of a secure session management module very challenging.
<br />
<br />Unfortunately most people put the focus on the top two or three risks or vulnerabilities: injection (with SQL injection being the top one), Cross-Site Scripting (XSS) and (if lucky) Cross-Site Request Forgery (CSRF). However, the <a href="https://www.owasp.org/index.php/OWASP_Top_Ten_Project">OWASP Top 10</a> already reflected the importance of session management flaws in its 2007 version (7th position - A7), and highlighted this fact even more in the 2010 version, raising authentication and session management risks ("A3: Broken Authentication and Session Management") to the 3rd position.
<br />
<br />Although the emphasis is usually put on authentication, due to all the weaknesses of the current authentication mechanisms (mainly based on username and password), session management tends to suffer serious vulnerabilities even in the most secure web applications. Do not forget that, once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the web application, such as username and password, passphrase, one-time password (OTP), client-based digital certificate, smartcard, or biometrics (such as fingerprint or retina).
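<br />
<br />A minimal session manager showing the binding described above (a random session ID tied to the authenticated user and consulted for every access control decision) and the consequence of the session ID being a temporary credential (regeneration at login, idle and absolute timeouts, server-side invalidation, protective cookie attributes). This is an added example, not OWASP or Taddong code; the timeout values, role names and cookie name are assumptions.

```python
# Minimal session manager, added as an example for this post (not OWASP or Taddong
# code): a random session ID binds the authenticated user to the HTTP traffic and
# to access control checks.  Timeouts, roles and cookie name are assumptions.
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds without requests before the session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime regardless of activity (assumed)
COOKIE_NAME = "SESSIONID"    # assumed cookie name


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._sessions = {}   # session ID -> attributes, held server-side only

    @staticmethod
    def _new_id():
        # 128 bits from the OS CSPRNG: the ID acts as the credential, so it must be unguessable
        return secrets.token_urlsafe(16)

    def _store(self, user, roles):
        sid, now = self._new_id(), self._clock()
        self._sessions[sid] = {"user": user, "roles": tuple(roles), "created": now, "last_seen": now}
        return sid

    def create_anonymous(self):
        """Pre-authentication session with no user bound to it."""
        return self._store(None, ())

    def login(self, old_sid, user, roles):
        """Bind the credentials to a fresh ID and drop the pre-login one, so an ID
        planted in the browser before authentication never becomes authenticated."""
        self._sessions.pop(old_sid, None)
        return self._store(user, roles)

    def resolve(self, sid):
        """Session for an ID presented in a request, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)   # expired: destroy it server-side
            return None
        s["last_seen"] = now
        return s

    def authorize(self, sid, required_role):
        """Access control decided from the server-side session, never from client data."""
        s = self.resolve(sid)
        return s is not None and s["user"] is not None and required_role in s["roles"]

    def logout(self, sid):
        """Server-side invalidation: clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value with Secure, HttpOnly and SameSite so the ID is not exposed or replayed cross-site."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```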
<br />
<br />For all these reasons, the <a href="https://www.owasp.org/index.php/Session_Management_Cheat_Sheet">OWASP Session Management Cheat Sheet</a> has been released, with the goal of providing guidance and best practices to web application architects, developers, and information security professionals when building or auditing the session management module of web applications.
<br />
<br />The whitepaper with the original content that inspired and was used for the creation of the first version of this OWASP cheat sheet is available in PDF format for easy download, distribution, and usage <a href="http://www.taddong.com/en/lab.html#OWASPSESSMGMT">at Taddong's lab</a>.
<br />
<br />I encourage anyone involved in web application security to provide comments, feedback, and improvements to the OWASP Session Management Cheat Sheet, for the benefit of the whole web application community.Raul Sileshttp://www.blogger.com/profile/06709503832135757060noreply@blogger.com0