Send Dailydave mailing list submissions to
        dailydave@lists.immunitysec.com

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.immunitysec.com/mailman/listinfo/dailydave
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dailydave digest..."


Today's Topics:

   1. Announce: Peach 2.2 Released (Michael Eddington)
   2. Owning Lotus Notes Server & Client (DSquare Security)
   3. CapSec DC / October /  10/29/2008 ([EMAIL PROTECTED])
   4. Deadline extension: ICNS 2009 + 1st Workshop LMPCNAP | April
      21-25, 2009 - Valencia, Spain (Jaime Lloret Mauri)
   5. Reflective DLL Injection (Stephen Fewer)
   6. TechTarget Information Security Decisions Conference (Dave Aitel)
   7. All Ur WiFi(WPA) R Belong 2 PacSec (Dragos Ruiu)
   8. Re: TechTarget Information Security Decisions Conference
      (J Wilder)
   9. Re: All Ur WiFi(WPA) R Belong 2 PacSec (Dave Aitel)


----------------------------------------------------------------------

Message: 1
Date: Sat, 25 Oct 2008 13:45:28 -0700
From: "Michael Eddington" <[EMAIL PROTECTED]>
Subject: [Dailydave] Announce: Peach 2.2 Released
To: dailydave@lists.immunitysec.com
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

I'm pleased to announce the release of Peach 2.2, the most widely used
open source fuzzer. Peach is an easily extended fuzzing platform that
can fuzz just about anything, from file parsers and network protocols
to COM objects and SQL stored procedures.

What's new:

 * Win32: Binary distribution with no dependencies
 * State model paths
 * Enable/disable mutations by node
 * Offset support via:
   - Offset-of relation
   - Seek element
   - Placement element
 * Peach Validation hex view
 * Updated and new mutators
 * Improved App Verifier support
   - Exclude specific stop codes
   - Custom check model list
 * Major speed improvements
 * New/updated supporting tools:
   - minset - Find the minimum set of files
   - missing - Gap analysis between files and pit
   - struct2peach - Convert 010 Templates to Peach
 * Numerous bug fixes

Peach Documentation:

 http://peachfuzzer.com
 http://peachfuzzer.com/PeachQuickstart

Peach downloads:

 * Win32 installer: http://downloads.sourceforge.net/peachfuzz/Peach-2.2.exe
 * Python source: http://downloads.sourceforge.net/peachfuzz/Peach-2.2-src.zip
 * Python dependencies:
http://downloads.sourceforge.net/peachfuzz/Peach-2.2-dependencies-src.zip

Peach Training @ PacSec 2008 in Tokyo, JP

A two day Peach training class is being offered at PacSec 2008 in
Tokyo, JP. This will be the first time Peach training has been offered
in Asia. For additional information please see the course description.

http://pacsec.jp/dojopeachfuzz.html


------------------------------

Message: 2
Date: Mon, 27 Oct 2008 17:48:04 -0500
From: DSquare Security <[EMAIL PROTECTED]>
Subject: [Dailydave] Owning Lotus Notes Server & Client
To: dailydave@lists.immunitysec.com
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

There are several ways to get a Lotus Notes ID during a pentest
(access to a share with all the IDs, client-side exploitation, ...).
After that, if needed, you can crack the ID password with commercial
or free tools (ID Password Recovery, for example).

So what can you do with an admin ID? Potentially two things:
1) Compromise the Lotus Notes server
2) Compromise the computer of the Lotus Notes clients

D2Lotus is designed to help you in this kind of work. Here are two
demonstrations of this tool:

1) Remote code execution on a Lotus Notes server:
   http://www.d2sec.com/d2lotus_1.htm

2) Remote code execution on a user's computer via the Lotus Notes client:
   http://www.d2sec.com/d2lotus_2.htm


This tool will be released in the next update of D2 Exploitation Pack.


-- 
DSquare Security, LLC
http://www.d2sec.com



------------------------------

Message: 3
Date: Tue, 28 Oct 2008 21:32:42 -0400
From: [EMAIL PROTECTED]
Subject: [Dailydave] CapSec DC / October /  10/29/2008
To: dailydave@lists.immunitysec.com
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Greetings Dave / DailyDavers!

CapSec DC is a monthly social event for security industry types, 
located in the Washington DC / Beltway area.

We're a spin-off of the increasingly popular bay-sec event out in SF,
and have thus far managed to attract a good mix of local security
folk, some of whom are household industry names.

If you're looking for an audience for your latest sales pitch then
this probably isn't the place for you; however, if you're interested
in coming along to socialize, have a drink and talk a little shop, we
look forward to seeing you!

Generally occurring on the last Wednesday of each month, we meet
around 7PM at Stetson's Bar at 16th and U (NW).

Details for this month's gathering (tomorrow, Wednesday 29th) are as
follows:

-----
CapSecDC
Wednesday October 29th, 7:00 PM

Stetson's
1610 U St NW
Washington DC 20009

If we are not in the back yard, we'll probably be at the big tables
near the jukeboxes.

We reserve the right to change venues as the evening wears on;
previously we have walked down U Street, and other venues might
include The Saloon or DC9.
-----

If you would like to attend and have any questions, please just 
reply to [EMAIL PROTECTED], or leave a message/comment at our 
blog at:

http://capsecdc.org/blog/




------------------------------

Message: 4
Date: Fri, 31 Oct 2008 15:02:29 +0100
From: Jaime Lloret Mauri<[EMAIL PROTECTED]>
Subject: [Dailydave] Deadline extension: ICNS 2009 + 1st Workshop
        LMPCNAP | April 21-25, 2009 - Valencia, Spain
To: dailydave@lists.immunitysec.com
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii


Note that the deadline for ICNS 2009 + 1st Workshop LMPCNAP has been extended 
to November 10.

We would like to make ICNS 2009 a primary reference event. 

Please consider contributing to, and/or forwarding to the appropriate
groups, the following opportunity to submit and publish original
scientific results.

Please note that extended versions of highly ranked papers will be
invited for journal submission.

Full contributions are expected by the submission deadline.


=========== ICNS 2009 + 1st Workshop LMPCNAP | Call for Papers ===========
 
CALL FOR PAPERS, TUTORIALS, PANELS 

- ICNS 2009, The Fifth International Conference on Networking and Services 
April 21-25, 2009 - Valencia, Spain 
 
General page: http://www.iaria.org/conferences2009/ICNS09.html
Call for Papers: http://www.iaria.org/conferences2009/CfPICNS09.html

- The first International Workshop on Learning Methodologies and Platforms
used in the Cisco Networking Academy Program (CNAP), LMPCNAP 2009, will be
held during ICNS 2009, April 21-25, 2009 - Valencia, Spain
 
General page: http://www.iaria.org/conferences2009/LMPCNAP.html

Important deadlines:

Submission (full paper)   November 10, 2008
Authors notification      December 5, 2008
Registration              December 20, 2008
Camera ready              December 25, 2008

Submissions will be peer-reviewed, published by IEEE CS Press, posted in the
IEEE Digital Library, and indexed with the major indexes.
 
Extended versions of selected papers will be published in IARIA Journals: 
http://www.iariajournals.org 

Please note the Poster Forum special submission for in-progress and
challenging ideas.

ICNS 2009 Area Tracks are the following (details in the CfP on site):
 
ENCOT: Emerging Network Communications and Technologies
COMAN: Network Control and Management
SERVI: Multi-technology service deployment and assurance
NGNUS:  Next Generation Networks and Ubiquitous Services
MPQSI: Multi Provider QoS/SLA Internetworking
GRIDNS: Grid Networks and Services
EDNA: Emergency Services and Disaster Recovery of Networks and Applications
IPv6DFI: Deploying the Future Infrastructure
IPDy: Internet Packet Dynamics
GOBS: GRID over Optical Burst Switching Networks

 
=================================

- ICNS General Chair

Jaime Lloret Mauri, Polytechnic University of Valencia, Spain

- ICNS 2009 Industry Chairs

Kevin Y Ung, Boeing, USA 
Leo Lehmann, OFCOM, Switzerland
Francisco Javier Sánchez, Administrador de Infraestructuras Ferroviarias 
(ADIF), Spain

- ICNS 2009 Technical Program Committee Chair

Giancarlo Fortino, Università della Calabria, Italy
Salvador Sales, Polytechnic University of Valencia, Spain
Feng Xia, Queensland University of Technology, Australia / Zhejiang University, 
China  
 
- ICNS Advisory Chairs

Wojciech Burakowski, Warsaw University of Technology, Poland
Vicente Casares, Polytechnic University of Valencia, Spain
Petre Dini, Cisco Systems, Inc., USA / Concordia University, Canada
Xiaohua Jia, City University of Hong Kong - Kowloon, Hong Kong 
Manuel Sierra-Pérez, Universidad Politécnica de Madrid, Spain

- LMPCNAP 2009 General Chair

Rafael Tomas, Mediterranean Cisco Academy Training Center (CATC), Spain

- LMPCNAP 2009 Technical Program Committee Chair

Prof. Tomeu Serra, Universitat de les Illes Balears, Spain 

================================


------------------------------

Message: 5
Date: Fri, 31 Oct 2008 17:58:02 +0000
From: Stephen Fewer <[EMAIL PROTECTED]>
Subject: [Dailydave] Reflective DLL Injection
To: dailydave@lists.immunitysec.com
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, I've just released a short paper on Reflective DLL Injection.

Abstract: Reflective DLL injection is a library injection technique in
which the concept of reflective programming is employed to perform the
loading of a library from memory into a host process. As such, the
library is responsible for loading itself by implementing a minimal
Portable Executable (PE) loader.

You can download the paper here:
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

And the PoC code here:
http://www.harmonysecurity.com/files/ReflectiveDllInjection_v1.0.zip

Support for Reflective DLL Injection has been added to Metasploit in the
form of a payload stage and a modified VNC DLL (both are currently in
the development tree).

Cheers

Stephen Fewer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)

iEYEARECAAYFAkkLRyoACgkQQIrmi1YdFr4jOgCfRcZn+XKIS36fzTOPhIcAfiQj
e0IAoLmUxJqKZaUiticQ5nSCVFABeNjc
=yQXH
-----END PGP SIGNATURE-----
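To make the abstract concrete from an analyst's side: the following is an added example, not code from the paper or its PoC, that performs the steps a "minimal PE loader" has to reimplement when the OS loader is bypassed, namely parsing the PE headers, laying sections out at their virtual addresses, and applying base relocations. It runs those steps over a constructed PE32 image built in-line (every byte, name and address in it is made up for the illustration), stops before import resolution, and never executes anything, so it is the same parsing an image-triage or memory-forensics tool does when it checks whether a region of memory is a mapped PE.

```python
"""Steps of a minimal PE loader (header parsing, section mapping, base
relocation) over a constructed PE32 image. Nothing here is executed or
injected; the bytes and names are constructed for this illustration."""
import struct

PE32_MAGIC = 0x10B
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by loaders
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the base delta
DIR_BASERELOC = 5              # data-directory index of the .reloc table


def build_sample_pe():
    """Construct a tiny PE32 image: DOS stub, COFF + optional headers, a .text
    section holding one absolute pointer and a .reloc section describing it."""
    image_base, text_rva, reloc_rva = 0x10000000, 0x1000, 0x2000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 0, 0, 0x200, 0x200, 0, text_rva, text_rva, reloc_rva)
    opt += struct.pack("<III", image_base, 0x1000, 0x200)          # ImageBase, SectionAlign, FileAlign
    opt += struct.pack("<HHHHHH", 4, 0, 0, 0, 4, 0)                # OS/image/subsystem versions
    opt += struct.pack("<IIII", 0, 0x3000, 0x200, 0)               # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0) + struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for index in range(16):                                        # 16 data directories, only BASERELOC set
        opt += struct.pack("<II", *((reloc_rva, 12) if index == DIR_BASERELOC else (0, 0)))
    assert len(opt) == 0xE0

    def section(name, rva, vsize, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, 0x200, raw_ptr, 0, 0, 0, 0, flags)

    headers = dos + coff + opt + section(b".text", text_rva, 6, 0x200, 0x60000020)
    headers += section(b".reloc", reloc_rva, 12, 0x400, 0x42000040)
    # .text: one opcode byte followed by an absolute pointer into .reloc (treated as data only)
    text = b"\xb8" + struct.pack("<I", image_base + reloc_rva) + b"\xc3"
    # .reloc: one block for page 0x1000 with a HIGHLOW entry at offset 1 plus an ABSOLUTE pad
    reloc = struct.pack("<IIHH", text_rva, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 1, 0)
    return headers.ljust(0x200, b"\0") + text.ljust(0x200, b"\0") + reloc.ljust(0x200, b"\0")


def parse_pe(data):
    """Read what a loader needs: image base, sizes, section table, .reloc directory (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled in this example")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    reloc_dir = (0, 0)
    if ndirs > DIR_BASERELOC:
        reloc_dir = struct.unpack_from("<II", data, opt + 96 + 8 * DIR_BASERELOC)
    sections = []
    for i in range(nsections):
        name, vsize, rva, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections, "reloc_dir": tuple(reloc_dir)}


def map_image(data, pe):
    """Lay the file out as in memory: headers at 0, each section's raw bytes at its RVA, rest zero."""
    image = bytearray(pe["size_of_image"])
    image[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    for s in pe["sections"]:
        raw = data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        image[s["rva"]:s["rva"] + len(raw)] = raw
    return image


def apply_relocations(image, pe, new_base):
    """Walk the .reloc blocks, adding the base delta to every HIGHLOW entry; returns the patch count."""
    delta = (new_base - pe["image_base"]) & 0xFFFFFFFF
    rva, size = pe["reloc_dir"]
    if delta == 0 or size == 0:
        return 0
    patched, end = 0, rva + size
    while rva + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, rva)
        if block_size < 8 or rva + block_size > end:
            raise ValueError("malformed relocation block")
        for off in range(rva + 8, rva + block_size, 2):
            entry = struct.unpack_from("<H", image, off)[0]
            rtype, offset = entry >> 12, entry & 0xFFF
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {rtype}")
            target = page_rva + offset
            value = struct.unpack_from("<I", image, target)[0]
            struct.pack_into("<I", image, target, (value + delta) & 0xFFFFFFFF)
            patched += 1
        rva += block_size
    return patched


def load_sample(new_base=0x20000000):
    """Run the three loader steps on the constructed image; returns headers, patch count, rebased pointer."""
    data = build_sample_pe()
    pe = parse_pe(data)
    image = map_image(data, pe)
    patched = apply_relocations(image, pe, new_base)
    return pe, patched, struct.unpack_from("<I", image, 0x1001)[0]


if __name__ == "__main__":
    pe, patched, pointer = load_sample()
    for s in pe["sections"]:
        print(f"{s['name']:7s} rva=0x{s['rva']:x} raw@0x{s['rawptr']:x}")
    print(f"patched {patched} relocation(s); pointer now 0x{pointer:08x}")
```

The sample image is mapped at a base 0x10000000 above its preferred one, so the single pointer in .text moves from 0x10002000 to 0x20002000; with the preferred base the delta is zero and no relocation is touched. The remaining loader steps the abstract implies (resolving the import table and calling the entry point) are deliberately left out, since the point here is to show what a loader has to parse, which is also exactly what a detector looks for when an executable region of memory has no backing file on disk.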


------------------------------

Message: 6
Date: Thu, 06 Nov 2008 09:09:41 -0500
From: Dave Aitel <[EMAIL PROTECTED]>
Subject: [Dailydave] TechTarget Information Security Decisions
        Conference
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm here in Chicago at the TechTarget Information Security Decisions
conference [1]. It seems like every second person in Chicago worked
for the Obama campaign, although my cabbie on the way to the airport
was convinced Obama was a Muslim and "The Antichrist".

One interesting thing they did was have five ten-minute sessions for new
technology companies in information security. Probably my favorite was
NetWitness. Like every new company, NetWitness focuses on data
correlation almost as much as they focus on data collection, if not
more. One of the more striking things about it was the speaker they
sent up - very non-marketing. He sounded like he'd written some of the
code behind it.

His talk was simple: Here's what you do today, and it just doesn't
work against 0day. Here are some graphs we have that help you analyze
0day attacks on your network, which we generate by collecting every
packet you send. That way you can do your own anomaly detection
instead of relying on some sort of algorithm to give you fuzzy results.

*I* don't believe any sort of sniffer is the answer, but he was still
the best-in-show in my opinion. In any case, I'll be talking on the
panel today at 1:55pm if you want to come by and grade MY performance. :>


[1] http://infosecurityconference.techtarget.com/conference/index.html

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJEvqktehAhL0gheoRAjwbAJ0fs91Cjur09yiBRaeTJNZuaWD9NACfVyhv
Jmn6+itZHUVEgzIlAIutSNE=
=eCZU
-----END PGP SIGNATURE-----



------------------------------

Message: 7
Date: Thu, 6 Nov 2008 22:54:50 -0800
From: Dragos Ruiu <[EMAIL PROTECTED]>
Subject: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec
To: dailydave@lists.immunitysec.com
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;  charset="iso-8859-1"

Just as a heads up, one of the author(s) of the first practical crypto
attack against WPA secured wireless networks (besides launching a
dictionary attack when weak pre-shared keys (PSK) are used), Erik
Tews, will be speaking at PacSec in Tokyo, on Thursday next week.
More specifically, his attack uses a combination of protocol
weaknesses and cryptographic weaknesses to compromise TKIP
encryption. The attack lets the attacker inject seven packets into
the network, per decrypt window. It's an interesting attack, because
it also hints at other attack forms, so it is rather open-ended
research.

My recommendation is that you should discontinue use of TKIP.

The problem with this is that most AP implementations that
I have seen will automatically drop back to TKIP from CCMP(AES)
to support older clients. You should disable this if you are
given the option in your AP or WiFi router configuration.
Unfortunately, how to do this varies with each router's
configuration system, and some routers do not
provide facilities to do this.

If you aren't given the option to disable this, you might want
to think about getting a different Access Point or WiFi Router. :-)

You should seriously consider using some higher level
encryption facilities such as a VPN, IPsec, or SSH
to secure your communications over wireless.
Look at ssh -D <port> (or equivalent putty options)
to a wired host and the socks proxy options on
your browser to use that port on localhost, when
surfing over wireless.

On some equipment CCMP is called WPA2 and TKIP is WPA.
The WPA spec leaves support of CCMP(AES) optional
while the WPA2 spec mandates both TKIP and AES
capability.

Important WPA/WPA2 Recommendations:

- Use only CCMP(AES).
- Disable negotiation to TKIP from CCMP(AES).
- If you must use TKIP, rekey every 120 seconds.

Quote:
To prevent this attack, we suggest using a very short rekeying time,
for example 120 seconds or less. ... The best solution would be
disabling TKIP and using a CCMP only network.

Oh, P.S. AFAIK some of the code to do this attack is out :).

If you want to find out more, you have to come to PacSec. :-)
The details are fairly intricate but the bottom line is above.
Consider yourselves duly warned.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Buenos Aires, Argentina - Sept. 30 / Oct. 1 - 2008 - http://ba-con.com.ar
Tokyo, Japan - November 12/13 2008 - http://pacsec.jp
Vancouver, Canada - March 16-20 2009 - http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
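The three recommendations in Dragos's post (CCMP only, no fallback to TKIP, and a rekey interval of 120 seconds or less where TKIP cannot be removed) can be checked mechanically against an access point's configuration. The following is an added example, not part of the post, that audits hostapd-style `key=value` configuration text using hostapd's real directive names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_group_rekey`, `wpa_ptk_rekey`). The two configuration fragments are constructed for the illustration, and the defaults assumed for unset keys are stated in the comments.

```python
"""Audit a hostapd-style configuration for the WPA/WPA2 recommendations in the
post: CCMP only, no TKIP negotiation, and if TKIP must stay, rekey every 120 s
or less. Added example; the config fragments below are constructed."""

MAX_TKIP_REKEY = 120  # seconds, per the recommendation quoted in the post

# Constructed "weak" AP config: WPA and WPA2 both enabled, TKIP offered, long rekey.
WEAK_CONF = """\
interface=wlan0
ssid=example-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_group_rekey=600
"""

# Constructed "hardened" config: WPA2/RSN only, CCMP the only pairwise cipher.
HARDENED_CONF = """\
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_conf(text):
    """Turn key=value lines into a dict, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def offered_pairwise_ciphers(conf):
    """Ciphers a client may negotiate. hostapd's wpa= is a bitmask: 1 = WPA
    (uses wpa_pairwise), 2 = WPA2/RSN (uses rsn_pairwise, which falls back to
    wpa_pairwise). Assumed default when neither key is set: 'TKIP CCMP'."""
    wpa = int(conf.get("wpa", "0"))
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP CCMP")
    ciphers = set()
    if wpa & 1:
        ciphers.update(wpa_pairwise.split())
    if wpa & 2:
        ciphers.update(conf.get("rsn_pairwise", wpa_pairwise).split())
    return ciphers


def audit(conf):
    """Return a list of findings; an empty list means the config follows the recommendations."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        return ["WPA/WPA2 not enabled: set wpa=2 with rsn_pairwise=CCMP"]
    if wpa & 1:
        findings.append("WPA (v1) enabled: legacy clients can negotiate TKIP; set wpa=2")
    ciphers = offered_pairwise_ciphers(conf)
    if "TKIP" in ciphers:
        findings.append("TKIP offered as a pairwise cipher; use CCMP only (rsn_pairwise=CCMP)")
        # Assumed defaults when unset: wpa_group_rekey 600 s, wpa_ptk_rekey 0 (disabled).
        group_rekey = int(conf.get("wpa_group_rekey", "600"))
        ptk_rekey = int(conf.get("wpa_ptk_rekey", "0"))
        if group_rekey > MAX_TKIP_REKEY:
            findings.append(f"TKIP with wpa_group_rekey={group_rekey}: set to {MAX_TKIP_REKEY} or less")
        if ptk_rekey == 0 or ptk_rekey > MAX_TKIP_REKEY:
            findings.append(f"TKIP with wpa_ptk_rekey={ptk_rekey}: set to {MAX_TKIP_REKEY} or less")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_conf(text)) or ["OK"])
```

The weak fragment produces four findings (WPA v1 enabled, TKIP offered, and both rekey intervals too long for TKIP), while the hardened one produces none. The check treats `wpa=3` as a finding on its own because, as the post describes, an AP that advertises both WPA and WPA2 is exactly the configuration that lets an older client pull the negotiation down to TKIP.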


------------------------------

Message: 8
Date: Thu, 6 Nov 2008 10:06:25 -0500
From: "J Wilder" <[EMAIL PROTECTED]>
Subject: Re: [Dailydave] TechTarget Information Security Decisions
        Conference
To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;       charset="us-ascii"

Yet not entirely new...
http://findarticles.com/p/articles/mi_m0EIN/is_/ai_n6089017

2004:
ManTech International Corporation (Nasdaq:MANT), a leading provider of
innovative technologies and solutions focused on mission-critical national
security programs for the Department of Defense, Intelligence Community, the
Department of State, the Department of Justice, Department of Homeland
Security and other federal government customers announced today the
introduction of NetWitness version 5.0, an enhanced version of the popular
network wiretap tool that offers improved analytics features and increased
capabilities to monitor Voice over Internet Protocol (VoIP) traffic.
...




------------------------------

Message: 9
Date: Fri, 07 Nov 2008 10:27:21 -0500
From: Dave Aitel <[EMAIL PROTECTED]>
Subject: Re: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec
To: Dragos Ruiu <[EMAIL PROTECTED]>
Cc: dailydave@lists.immunitysec.com
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This article has a good summary of the technique, for those not going
to Japan. While good work, it's not going to worry me if I have a WPA
network set up at home or as part of my business. At least, not yet
(and maybe not ever - we'll see :> ).

The other mitigating factors according to the article are:
 o It works like chopchop on small packets only
 o Busy networks might make it impractical
 o You can only send packets from the AP to the endpoints

http://arstechnica.com/articles/paedia/wpa-cracked.ars

- -dave




Dragos Ruiu wrote:
> Just as a heads up, one of the author(s) of the first practical
> crypto attack against WPA secured wireless networks, besides
> launching a dictionary attack when a weak pre-shared keys(PSK) are
> used, Erik Tews, will be speaking at PacSec in Tokyo, on Thursday
> next week. More specifically, his attack uses a combination of
> protocol weaknesses and cryptographic weaknesses to compromise TKIP
> encryption. The attack lets the attacker inject seven packets into
> the network, per decrypt window. It's an interesting attack,
> because it also hints at other attack forms, so it is rather open
> ended research.
>
> You should discontinue use of TKIP is my recommendation.
>
> The problem with this is that most AP implementations that I have
> seen will automatically drop back to TKIP from CCMP(AES) to support
> older clients. You should disable this if you are given the option
> on your AP or WiFi router configuration. Unfortunately how to do
> this varies on each router's configuration systems, and some
> routers do not provide facilities to do this.
>
> If you aren't given the option to disable this, you might want to
> think about getting a different Access Point or WiFi Router. :-)
>
> You should seriously consider using some higher level encryption
> facilities such as a VPN, IPsec, or SSH to secure your
> communications over wireless. Look at ssh -D <port> (or equivalent
> putty options) to a wired host and the socks proxy options on your
> browser to use that port on localhost, when surfing over wireless.
>
> On some equipment CCMP is called WPA2 and TKIP is WPA. The WPA spec
> leaves support of CCMP(AES) optional while the WPA2 spec mandates
> both TKIP and AES capability.
>
> Important WPA/WPA2 Recommendations:
>
> -Use only CCMP(AES). -Disable Negotiations to TKIP from CCMP(AES).
> -If you must use TKIP, rekey every 120 seconds.
>
> Quote: To prevent this attack, we suggest using a very short
> rekeying time, for example 120 seconds or less. ... The best
> solution would be disabling TKIP and using a CCMP only network.
>
> Oh, P.S. AFAIK some of the code to do this attack is out :).
>
> If you want to find out more, you have to come to PacSec. :-) The
> details are fairly intricate but the bottom line is above. Consider
> yourselves duly warned.
>
> cheers, --dr
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJFF5ZtehAhL0gheoRAreXAJ0XEpxnbWIAkCb2uYMNEdVMeB2KHwCeM6Fk
qva3gj7/uznxX9pmHha3sEY=
=fvvr
-----END PGP SIGNATURE-----



------------------------------

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave


End of Dailydave Digest, Vol 40, Issue 1
****************************************
