Category Archives: Pentesting

HES 2012

It has been a long long time since my last post… I have been very busy, but hopefully I am coming back in the coming months.

Just a quick note to tell that I just come back from the Hackito Ergo Sum 2012 (HES).

And that was great. All conferences were interesting and the level was very high. We could enjoy a lot of new stuff that is going to be discussed in the community during the next months. On top of that, it was really well organized.

So far it is the conference that I enjoyed the most in France. Keep up the good work!

BNAT

BNAT stands for “Broken NAT“. In the scope of Jonathan Claudius work, a NAT is considered broken when the client receives a reply from a server behind a NAT with a different IP than the one it sent the request to.

It happens with bad implementations where the DNAT (destination NAT) and the SNAT (source NAT) use a different IP because of a wrong rule or because the outbound and inbound interfaces are separated.

As a result, the operating system of the client will discard right away such a reply (with a TCP RST), because it does not match an existing TCP session.

The idea is that a pentester auditing such an infrastructure with a classic scanner will miss some entry points. A typical scanner relies on the network stack of the system : it will not receive the reply and will consider the port as filtered.

So Jonathan came with a proof-of-concept to illustrate his purpose.

It is composed of a B-Router and a client. The B-Router will intercept the reply and maintain the session by sending an ACK. This way, it handles an asymetric routing scheme for the client. Just add a filtering rule to block your system’s RST (iptables -A OUTPUT -p tcp –tcp-flags RST RST -j DROP ), and you are good to go.

Simple but brilliant, isn’t it ? The great thing is that the code has now been included in Metasploit, so it is even more straightforward.

Check the slides of Jonathan at DEFCON for more info. You can download the source there (or just update your Metasploit and look for it in auxiliaries).

Ravan, password cracking using Javascript!

Ravan is a new password cracking tool based on Javascript.

Wait, what ? Javascript ? Yes, as the author explains, modern Javascript engines are not so slow anymore, and in addition HTML 5 brings a new “feature” with webworkers which allow the browser to run Javascript in the background (e.g without waiting on the page executing the script).

Combine it with several computers connecting to the same page executing a password cracking script and you get easily quite a powerful distributed password cracker.

Visit this page for more details.

Books review

I just finished reading two electronic books I bought from O’reilly. Here is a short review on them.

Hacking: the next generation

The purpose of this book is to give to the readers an overview of the most common attacks nowadays. It covers all fields : social engineering, web attacks, networking, etc.
It was easy to read : the authors are straight to the point and their sentences are clear.

I especially appreciated their state of art about XSS and CSRF attacks. It is certainly the best I have read so far, greatly illustrated with exciting and real case studies.

On the other hand,  I quickly passed over the networking stuff (both wired and wireless). It was too basic and didn’t show anything new – maybe it is because I specialize in those fields.

Anyway, globally, I strongly recommend this book. It is worth while your money if you want to know more on web attacks or to have a good overview of modern threats.

Beautiful Security

This is a collection of essays by some of the best security experts and hackers.

Well, I won’t go around, I have been quite disappointed by this book. The overall lacks coherence and after a while you start wondering what this book is trying to demonstrate. At the end, there is a crual lack of connection between the essays and it globally makes it appear very confusing.

It also sometimes lacks technical references and the writing style is too verbose, too literal for a technical book to be attractive.

There are however some good essays, like one about PGP (by Philip Zimmermann himself, though). It is hard to find some good and complete documentation about it, and this essay is definitely a good one, which I will probably read again when I feel the need of it.

But I wouldn’t recommend this book only for this short piece of writing. Lack of cohesion, too much litterature and not enough technical stuff actually bored me, though that’s just my personal taste.