Rpcapd start meterpreter module

During the post-exploitation phase of an intrusion, after getting a shell on a computer, one of the steps to gain access to other computers or network devices is traffic sniffing. Just listening to the traffic passing through the machine, even in a switched environment, can provide us with very useful information about the network topology or potential vulnerabilities that we can exploit later: NetBIOS names, users/passwords in the clear, ARP, CDP, DHCP, HSRP, VRRP, etc.

[Read more…]

Introduction to Mallory Proxy

Although I have tried most of the proxies that let you modify web traffic “on the fly”, such as Burp or WebScarab, I recently discovered a pretty interesting one, not only because of its developers and the context in which it was presented, but also because of its features and architecture. Mallory Proxy is a proxy developed by the security experts at Intrepidus and presented at Black Hat 2010.

Mallory is written in Python and has a server side and a client interface for configuration and user interaction.

For those who want to try Mallory, there are basically two options. The first is to follow the installation instructions and download and install both the proxy sources and its dependencies. The second is to download a VMware image running Ubuntu that comes with both the software and its dependencies.

[Read more…]

SSD drive forensics

(Please note this post was originally published in the Spanish version of Security Art Work on 5th Nov 2012)

Some weeks ago I was playing with Django when I accidentally deleted an application I had already finished. It was not complex; it had few lines of code and I think I would have been able to recover it in less than a day, but I saw in this mistake the chance to learn how to recover data from an SSD drive.

The drive configuration of this computer is as follows: GPT partitioning with multiple partitions formatted as ext4 (without LVM). My previous experience in this type of situation has always been with the best-known tools in GNU/Linux environments: sleuthkit, autopsy, testdisk and photorec (these last two usually come in the same package), dd, grep

[Read more…]

Locating our smartphone

Since smartphones became part of our lives, whether for personal or professional use, one of our greatest fears has been losing them. We store a great amount of sensitive information on these devices that could potentially be accessed by a malicious person. The problem is even bigger with professional smartphones, which hold not only personal data but also access to the corporate environment and its information.

[Read more…]

Online reputation, a rising value

How much is our reputation worth? To answer this question we have to consider the relationship between reputation and success. And by “success” I mean achieving our objectives, both personal and professional. For certain groups, reputation is an essential element in their success or decline. We could include in that group people holding public office such as mayors, councillors, ministers, etc., but it also directly affects professionals from the private sector such as actors, singers, designers and a long etcetera.

In this entry we’ll talk about the particularities of online reputation and see some examples that show its importance. Let’s start by defining what online reputation is. Although the concept has many corners worth exploring, the simplest definition comes courtesy of Wikipedia: online reputation is a reflection of the prestige or esteem of a person or brand on the Internet.

It is well known that achieving and maintaining a good reputation requires much effort, perseverance, dedication and time. On the other hand, a “bad reputation” can arrive at the most unexpected moment, whether through a scandal, a simple misunderstanding or a mistake. The same happens with “online reputation”, with the particularity that information technologies amplify the impact of our actions. If we are good, there are ways to publicize and disseminate our work and make the most of our effort. However, our failures will also spread more widely, more deeply and faster. Therefore, we could say that online reputation is more “fragile” than the traditional concept of reputation. Needless to say, both concepts (reputation and online reputation) are closely linked.

To illustrate what we said about the “fragility” of online reputation, we will look at some examples in which a single unfortunate comment and/or misunderstanding has tarnished the reputation of some famous people.

[Read more…]

Real Cloud Security

(Please note this post was originally published in the Spanish version of Security Art Work on 2nd Oct 2012)

[Read more…]

Covert channels

(Please note this post was originally published in the Spanish version of Security Art Work on 26th Oct 2010)

Covert channels are an evasion technique that allows an attacker to send information inside the header fields of communication protocols. In this post we will look at covert channels in the TCP/IP protocols and provide a tool, CovertShell, designed as a proof of concept. The sources are at the end of this post.

The TCP/IP headers contain fields that are usually initialized by the client to maintain or number a communication. The covert channel technique assigns values to these fields so that the target machine does not interpret them as part of the communication, but extracts data from them instead.

An interesting example was developed by Craig H. Rowland in his 1996 paper Covert Channels in the TCP/IP Protocol Suite, where he wrote a small client/server, “CovertTCP”, of no more than 500 lines that allowed file transfer between client and server using only the SEQ and ACK fields of the TCP header and the ID field of the IP header. The information travelled in the protocol overhead, not in the payload.
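The following is an added example, written for this page and not code from Rowland’s paper or from CovertShell, showing both ends of such a channel: a sender that builds raw IPv4/TCP SYN headers (with valid checksums, so the carrier is a well-formed datagram) and smuggles one byte per packet in the high octet of the IP ID or of the TCP sequence number, and a receiver that parses the headers back and recovers the message. The message and addresses are constructed sample values; nothing is put on the wire.

```python
import socket
import struct

# Constructed sample message: three bytes, so three carrier packets are produced.
SECRET = b"SAW"

# Constructed addresses; packets are only built and parsed, never sent.
SRC, DST = "10.0.0.5", "10.0.0.9"


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over a header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(ip_id: int, seq: int, src: str = SRC, dst: str = DST,
                 sport: int = 40000, dport: int = 80) -> bytes:
    """Minimal IPv4 + TCP SYN, no options, no payload: 40 bytes of pure overhead."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto=TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # sport, dport, seq, ack, data offset (5 words), flags=SYN, window, checksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x02, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ip + tcp


def encode(message: bytes, field: str) -> list:
    """Sender side: one packet per byte. The byte rides in the high octet of the
    IP ID ("id") or of the TCP sequence number ("seq"); the low bits carry a
    counter so consecutive packets still look like ordinary, distinct SYNs."""
    if field not in ("id", "seq"):
        raise ValueError("field must be 'id' or 'seq'")
    packets = []
    for i, byte in enumerate(message):
        if field == "id":
            packets.append(build_packet(ip_id=(byte << 8) | (i & 0xFF), seq=0x1000 + i))
        else:
            packets.append(build_packet(ip_id=0x1000 + i, seq=(byte << 24) | (i & 0xFFFFFF)))
    return packets


def decode(packets, field: str) -> bytes:
    """Receiver side: parse the raw headers and recover one byte per packet."""
    out = bytearray()
    for raw in packets:
        ihl = (raw[0] & 0x0F) * 4
        ip_id = struct.unpack("!H", raw[4:6])[0]
        seq = struct.unpack("!I", raw[ihl + 4:ihl + 8])[0]
        out.append(ip_id >> 8 if field == "id" else seq >> 24)
    return bytes(out)


def ip_header_ok(raw: bytes) -> bool:
    """A verifying checksum shows the carrier is a valid IPv4 datagram."""
    ihl = (raw[0] & 0x0F) * 4
    return checksum(raw[:ihl]) == 0


if __name__ == "__main__":
    for field in ("id", "seq"):
        carriers = encode(SECRET, field)
        print(field, len(carriers), "packets ->", decode(carriers, field))
```

Sending these buffers would need a raw socket (and root), and on the receiving end a sniffer that filters on the chosen source/destination pair; the point of the demo is that a firewall or IDS inspecting only payloads sees three empty SYNs, while the receiver reads the header fields. Both channels are easy to spot statistically: a real ISN is pseudo-random and a real IP ID is not correlated with printable ASCII.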

[Read more…]

Auditing TCP stack with Scapy

Recently I have been playing with the Scapy library for Python. It allows you to create any type of network packet with a few simple commands, even for non-existent protocols, by using raw packets.

Suppose we want to evaluate how a TCP stack behaves when it receives any combination of TCP flags. To do so we need to send TCP packets to a given port with every combination of them.

Keep in mind that sending a packet with the SYN and ACK flags set is the same as sending it with ACK and SYN. Therefore we need to generate every combination while taking into account that order does not affect the result, so as to avoid sending more packets than strictly necessary.
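As an added example (not the post’s own code), this enumerates every unordered, non-empty set of the six classic TCP flags exactly once, maps each spelling to the numeric flags byte so that permutations such as “SA” and “AS” collapse to one probe, and builds the corresponding Scapy packets with the real `IP()/TCP(flags=...)` API. The destination and port passed to `build_probes` are the caller’s; the helper only builds packets and leaves sending them to `sr()`.

```python
from itertools import combinations

# The six classic TCP flags, spelled the way Scapy's TCP(flags=...) accepts them,
# with their bit values in the flags byte. Add "E": 0x40, "C": 0x80 for ECE/CWR.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flags_value(spec: str, flags=TCP_FLAGS) -> int:
    """Numeric flags byte for a letter spec; order-insensitive, so 'SA' == 'AS'."""
    value = 0
    for letter in spec:
        if letter not in flags:
            raise ValueError("unknown TCP flag letter %r" % letter)
        value |= flags[letter]
    return value


def flag_combinations(flags=TCP_FLAGS) -> list:
    """Every non-empty unordered combination, each exactly once (2**n - 1 of them)."""
    letters = list(flags)
    return ["".join(c)
            for n in range(1, len(letters) + 1)
            for c in combinations(letters, n)]


def dedupe(specs) -> list:
    """Collapse different spellings of the same flag set, keeping the first one seen,
    so that a hand-written list never sends the same probe twice."""
    seen = {}
    for spec in specs:
        seen.setdefault(flags_value(spec), spec)
    return list(seen.values())


def build_probes(dst: str, dport: int, specs=None):
    """Build (not send) one Scapy packet per distinct flag set; feed the list to sr()."""
    from scapy.all import IP, TCP  # imported here so the rest of the file runs without Scapy
    specs = dedupe(specs if specs is not None else flag_combinations())
    return [IP(dst=dst) / TCP(dport=dport, flags=spec) for spec in specs]


if __name__ == "__main__":
    probes = flag_combinations()
    print(len(probes), "distinct probes, e.g.", probes[:8])
```

With 6 flags this is 63 packets per port instead of the 1956 ordered arrangements a naive nested loop would produce; adding ECE and CWR raises it to 255, still manageable. The interesting output is which sets draw a SYN/ACK, a RST, or silence, since that fingerprints the stack and its filtering.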

[Read more…]

Introduction to SSH tunnels

(Please note this post was originally published in the Spanish version of Security Art Work on 19th Jul 2012)

All of us have at some point found that the service we wanted to reach sits on a machine that is unreachable from our network, or run into similar problems. If we have SSH access we can easily solve them using SSH tunnels.

Let’s propose a first scenario: we have a database server protected by a firewall that prevents us from interacting directly with the database (say MySQL, which uses port 3306), but the server itself can be reached over SSH.
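As an added illustration for this scenario (not part of the original post), the helper below assembles the `ssh -L` invocation for a local port forward and states the detail that trips people up: the target host in the forward spec is resolved by the SSH server, so `127.0.0.1` there means the database host’s own loopback, which is exactly where a firewalled MySQL usually listens. The host name and user are constructed examples.

```python
import socket


def local_forward(local_port: int, target_host: str, target_port: int,
                  ssh_target: str, bind: str = "127.0.0.1") -> list:
    """argv for an SSH local forward (-L). Connections to bind:local_port on our
    machine travel inside the SSH session and leave the SSH server towards
    target_host:target_port. target_host is resolved on the SSH server, not here.
    -N opens no remote shell, which is all a pure tunnel needs."""
    if not (0 < local_port < 65536 and 0 < target_port < 65536):
        raise ValueError("ports must be in 1..65535")
    spec = "%s:%d:%s:%d" % (bind, local_port, target_host, target_port)
    return ["ssh", "-N", "-L", spec, ssh_target]


def tunnel_is_up(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> bool:
    """Cheap readiness check: can we open a TCP connection to the local end?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed scenario: MySQL on the DB host is firewalled, SSH to it is not.
# Afterwards the client connects to 127.0.0.1:3306 as if the database were local.
DB_TUNNEL = local_forward(3306, "127.0.0.1", 3306, "dbadmin@db.example.internal")

if __name__ == "__main__":
    print(" ".join(DB_TUNNEL))
    print("mysql -h 127.0.0.1 -P 3306 -u app -p   # goes through the tunnel")
```

Leave `bind` at `127.0.0.1` unless you really want colleagues on the LAN to reach the database through your workstation; `0.0.0.0` turns your laptop into an unauthenticated bridge into the firewalled segment.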

[Read more…]

The “hidden” information in your photos (they may be saying things you don’t know)

(Please note this post was originally published in the Spanish version of Security Art Work on 20th Jul 2011)

[Read more…]