Monday, December 21, 2015

SecureSet



Last week I presented at a SecureSet War Games event - "Web Security & Countermeasures". The focus of the talk was kept in line with the title and explored a Red and Blue Team's perspective of how to both attack and defend web applications. I wanted to specifically thank the folks at SecureSet for running the event and recognize the achievement of what they have already accomplished.

For anyone that hasn't heard: https://www.secureset.com/ 

You guys rock! Looking forward to 2016!
 



Sunday, November 22, 2015

sqlmap Talk

I recently gave a talk at a Community SANS event in Colorado Springs, CO led by Ronald Hamann and Sol Warnock. The class was "SEC504: Hacker Tools, Techniques, Exploits and Incident Handling" and on day four students were introduced to SQL Injection attacks. Keeping with the class material, the sqlmap talk provided a glimpse into the tool, some interesting switches and provided context around raw access to the HTTP requests. When using sqlmap sometimes it can be very useful to increase visibility into the interactions between the attack traffic and the target application. sqlmap has built-in features that provide for this and simply using a proxy to view the traffic is convenient as well. Like most talks that I give, the slides show only a fraction of the communicated information, in this case I included a demo video at the end: Youtube Video






The slides are located here. I thoroughly enjoyed the talk and of course the awesome students. Many thanks to SANS, Sol and Ron!

Saturday, October 31, 2015

Simple One-liners

In this post I thought I would share some one-liners that I've used in the past that were useful for a given task. Although limited in usefulness and in most cases not even the most elegant way to accomplish a task, hopefully someone might find them useful. I plan on updating this post with more in time and am not planning to keep it specific to any OS, shell or language, although today most are bash.

*NIX Shell: Create pseudo random string
Produce a 32 character string using only the base64 character set. Remove the pipe to base64 to increase the character set and change "32" to whatever output length you want:


echo $(head -c 32 /dev/random | base64 | head -c 32)


*NIX Shell: Loop through pseudo random input and produce pseudo random output
Simple for loop: change 250 to the number of output lines you want and change the "3" to the length of each output line. Remove the pipe to base64 to increase the character set.


for ((i=1; i<=250; i++)); do echo "$(tr -dc '[:alnum:][:punct:]' < /dev/urandom | base64 | head -c 3)"; done >> file




*NIX Shell: Sed replace newlines with | for easy input into egrep
Use this when you have a list of strings, one per line in a given file, that you want to use in an egrep search. The egrepfile might look like:
First
Second
Third
Fourth
The output should look like First|Second|Third|Fourth
Use the output file as input for egrep: cat log | egrep 'First|Second|Third|Fourth'


sed ':a;N;$!ba;s/\n/|/g' egrepfile >> egrepable
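An added example (not from the original post) that turns a one-string-per-line list into an egrep alternation the way the sed one-liner above does, but escapes regex metacharacters first. The list and log lines are constructed inline so it runs offline; a dotted IP address is included to show why unescaped "." in a list entry over-matches. It also shows grep -F -f, which reads fixed strings straight from the file and needs no conversion at all.

```shell
# Constructed list file content, one string per line. The IP address contains
# "." which is a regex metacharacter and must be escaped before egrep sees it.
LIST='First
Second
Third
Fourth
10.0.0.1'

# Constructed log lines to search; "10000001" is a decoy that an unescaped
# "10.0.0.1" pattern would match.
LOG='First request arrived
something from 10.0.0.1
something from 10000001
Third time lucky
nothing here'

# Escape ERE metacharacters in each entry, then join the lines with "|".
# paste -s is a portable alternative to the sed loop for the join step.
build_pattern() {
  printf '%s\n' "$LIST" | sed 's/[][\\.*^$+?(){}|]/\\&/g' | paste -sd'|' -
}

# Same join without escaping, to show the over-match.
naive_pattern() {
  printf '%s\n' "$LIST" | paste -sd'|' -
}

# Number of log lines matching any listed string (escaped pattern).
match_count() {
  printf '%s\n' "$LOG" | grep -Ec "$(build_pattern)"
}

# Number of log lines matching the unescaped pattern (one too many).
naive_count() {
  printf '%s\n' "$LOG" | grep -Ec "$(naive_pattern)"
}

# No pattern building at all: grep -F -f treats each file line as a fixed
# string, so metacharacters in the list are harmless.
fixed_count() {
  tmp=$(mktemp)
  printf '%s\n' "$LIST" > "$tmp"
  printf '%s\n' "$LOG" | grep -Fc -f "$tmp"
  rm -f "$tmp"
}

build_pattern   # prints First|Second|Third|Fourth|10\.0\.0\.1
match_count     # prints 3
naive_count     # prints 4
fixed_count     # prints 3
```

When the list is long or comes from an untrusted source (indicators pulled from a report, for example), the grep -F -f form is the safer default: nothing in the list can change the meaning of the search.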



*NIX Shell: Grep for specific type of string
Use a regex search in grep to find strings of a specific length consisting of specific characters, sort and output only unique matches, then count them. The word boundaries on both sides keep a 16 character run inside a longer token from matching:


grep -oE '\b[0-9A-Z]{16}\b' access_log | sort -u | wc -l


*NIX Shell: Use ffmpeg to convert mp4 to mp3
This is nice because it loops through all mp4s in a directory and names each output file with .mp3 in place of .mp4 (rather than ending up with a .mp4.mp3 extension). Quoting "$x" keeps file names with spaces intact:


for x in *.mp4; do ffmpeg -i "$x" -q:a 0 -map a "${x%.mp4}.mp3"; done


*NIX Shell: Grab email addresses from whois output
Not reliable or elegant: it depends on where whois places the address in its output, and a regex match would be a smoother way to do this:


whois example.com | grep Email | cut -d "@" -f 1,2 | cut -d " " -f3 | grep "@"
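An added example (not from the original post) of the regex approach mentioned above: pull every e-mail address out of whois output regardless of which column it sits in. The whois text below is constructed for the example, so no network lookup is made; against a live registrar the same function is fed with whois example.com | extract_emails.

```shell
# Constructed whois-style output. Addresses appear in different columns, one
# is repeated, and one sits inside parentheses, which defeats a cut by field.
WHOIS_SAMPLE='Domain Name: EXAMPLE.COM
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Email: hostmaster@example.com
Admin Email:      hostmaster@example.com
Tech Email: noc@example.com (see also noc@example.com)
Name Server: NS1.EXAMPLE.COM
Updated Date: 2015-10-31T00:00:00Z'

# Print each distinct e-mail address found on stdin, one per line.
# -o emits only the matched text, -i makes the classes case-insensitive.
extract_emails() {
  grep -oiE '[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}' | sort -u
}

# Run the extractor over the constructed sample.
emails_from_sample() {
  printf '%s\n' "$WHOIS_SAMPLE" | extract_emails
}

emails_from_sample
# prints:
# abuse@registrar.example
# hostmaster@example.com
# noc@example.com
```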


*NIX Shell: Find domains from target host
See what subdomains are referenced in the homepage of the target site. Download the homepage (saved as index.html here) and, once wget has finished (the && takes care of that), search the file with a regex for http:// URLs, keep only the host portion, sort out unique results and grep for in-scope results:


wget -U Mozilla --quiet -O index.html example.com && grep -o 'http://[^"]*' index.html | cut -d "/" -f 3 | sort -u | grep -i example
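An added example (not from the original post) that does the same host extraction over a saved page but also catches https:// and protocol-relative (//host/...) references, which the http://-only pattern above misses. The HTML is constructed inline so it runs without fetching anything; to use a real page, replace the printf with wget -U Mozilla --quiet -O index.html http://example.com and feed index.html to extract_hosts.

```shell
# Constructed page: https and protocol-relative URLs, a duplicate host, a
# relative path (no host) and a third-party host that should fall out of scope.
HTML_SAMPLE='<html><head>
<link rel="stylesheet" href="https://static.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<a href="http://www.example.com/about">About</a>
<a href="http://mail.example.com/">Mail</a>
<a href="https://www.example.com/careers">Careers</a>
<a href="http://tracker.adnetwork.invalid/pixel">ad</a>
<img src="/images/logo.png">
</body></html>'

# Hostnames from absolute (http/https) and protocol-relative (//) URLs on
# stdin: match the URL prefix, strip the scheme and slashes, dedupe.
extract_hosts() {
  grep -oE '(https?:)?//[^/"]+' | sed 's#^[a-z]*:\{0,1\}//##' | sort -u
}

# Keep only hosts equal to, or a subdomain of, the in-scope domain in $1.
# Dots in the domain are escaped so "example.com" cannot match "examplexcom".
in_scope_hosts() {
  extract_hosts | grep -iE "(^|\.)$(printf '%s' "$1" | sed 's/\./\\./g')\$"
}

# Run the filter over the constructed page with example.com as the scope.
hosts_from_sample() {
  printf '%s\n' "$HTML_SAMPLE" | in_scope_hosts example.com
}

hosts_from_sample
# prints:
# cdn.example.com
# mail.example.com
# static.example.com
# www.example.com
```

Anchoring the scope check to the end of the hostname matters: a substring grep for "example" would happily report example.com.attacker.invalid as in scope.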


*OS Python: Output 4 digit numbers from 0000 to 9999
This will give 0000 through 9999, but only complete four digit numbers: no 11 or 193, but 0011 and 0193 will be included. Written so it runs under both Python 2 and Python 3:


print("\n".join("{0:04}".format(num) for num in range(10000)))



Monday, August 31, 2015

SpyderSec CTF Challenge


Today I want to share an information security challenge with you. Coming from a Red Team perspective and participating in many CTF style competitions, I typically enjoy well thought out scenarios that make me think; like solving an elaborate puzzle. This train of thought was the basis behind the SpyderSec careers section (https://www.spydersec.com/Career) which essentially is a way for like-minded individuals to engage in such a challenge either for fun or as part of the hiring process to work towards a career at SpyderSec.





To date no one has solved the challenge, and based on logs and my own conversations with people there have been plenty of attempts. In order to share some more of the fun and to be able to work on the challenge offline, I am releasing a VM instance of the challenge. Just download, import into the virtual machine environment of your choosing and hack away.

Update (9-7-2015): Now hosted on VulnHub!

https://www.vulnhub.com

The virtual machine comes in OVA format and is a generic 32-bit CentOS Linux build with a single available service (HTTP), where the challenge resides. Feel free to enable bridged networking to have the VM automatically be assigned a DHCP address. This VM has been tested in VMware Workstation 12 Player and VirtualBox 4.3. I'm not going to give out any hints at this point in time, as a modified version of this challenge is live on spydersec.com. Keep in mind that everything mentioned on the website (specifically this page: https://www.spydersec.com/Career) holds true for the VM challenge. Good luck! And feedback is always welcome.

Thursday, July 30, 2015

Taking Requests

I'm on hiatus for this month's blog posting and instead wanted to take requests for any exciting posts that you would like to see. Let me know via a comment on this blog, Google+, Twitter (@sergeborso) or the other multitude of ways to get in touch with me.



Saturday, May 30, 2015

SpyderSec

It's official, SpyderSec LLC is live...



SpyderSec is located in Denver Colorado and provides information security solutions to organizations in all industries and of all sizes.

www.spydersec.com - Check out the website, the services and products and leave some feedback. It would be nice to hear some initial reactions.

Friday, April 24, 2015

Boulder OWASP

Last night I presented at Boulder OWASP on the topic of web application security. The talk focused on ideas about enhancing the security of web applications; from addressing SPAM on simple contact forms to behavioral analysis of user requests for more sensitive applications.

The idea behind the talk touched on using the right tools for a given task and how the application is in the most logical position to make a decision based on user input. The talk weaved into a discussion of a tiered scoring system where suspicious requests equate to a higher score (null user agent, 40x server response codes, port scanning, input fuzzing, etc.), and the higher the score the more aggressive the response becomes; i.e. based on the behavior of a user, the application responds a certain way. An example with a contact form would be requiring a CAPTCHA if the user agent is null and JavaScript is not enabled on the client. For a more sensitive application, like an online banking interface: profile authenticated users, establish a baseline and, when deviations are detected, start locking down functionality or requiring additional forms of authentication. For this example, if the deviation is greater than X, then disable the wire transfer feature and/or prompt the user with an out-of-band question prior to allowing email address changes.

When profiling a user there is a common set of criteria that can be used and a more specific set of criteria based on elements of the application. The goal is to provide security commensurate with the sensitivity of the information being protected. Ideally this would come in a transparent form and like most ideal security situations this is a lofty goal.
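An added example (not from the talk or the original post) of the tiered scoring idea, run as detection logic over constructed access-log lines rather than inside an application. The signals scored are three of the ones named above (null user agent, 40x responses, input fuzzing markers); the weights, thresholds and tier names are assumptions chosen for illustration, and a real deployment would tune them against its own traffic.

```shell
# Constructed combined-format access log. 10.0.0.2 has no user agent and
# probes for admin pages; 10.0.0.3 sends an encoded quote in a parameter;
# 10.0.0.4 is an ordinary browser that hit one dead link.
SAMPLE_LOG='10.0.0.1 - - [24/Apr/2015:10:00:00 -0600] "GET /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.2 - - [24/Apr/2015:10:00:01 -0600] "POST /contact HTTP/1.1" 200 64 "-" "-"
10.0.0.2 - - [24/Apr/2015:10:00:02 -0600] "GET /admin HTTP/1.1" 404 0 "-" "-"
10.0.0.2 - - [24/Apr/2015:10:00:03 -0600] "GET /wp-login.php HTTP/1.1" 404 0 "-" "-"
10.0.0.3 - - [24/Apr/2015:10:00:04 -0600] "GET /login?user=%27 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.0.0.4 - - [24/Apr/2015:10:00:05 -0600] "GET /about HTTP/1.1" 404 0 "-" "Mozilla/5.0"'

# Score each client address seen on stdin (assumed weights):
#   +40 once if any request carried a null user agent
#   +15 per 40x response
#   +20 per request containing common injection/traversal markers
# then map the total to a response tier: allow (<20), captcha (20-49),
# block (>=50). Output: "<ip> <score> <tier>", one line per client.
score_requests() {
  awk -F'"' '
  {
    split($1, pre, " "); ip = pre[1]        # client address
    split($3, mid, " "); status = mid[1]    # HTTP status code
    req = $2; ua = $6                       # request line, user agent
    seen[ip] = 1
    if (ua == "-" || ua == "") nullua[ip] = 1
    if (status ~ /^4[0-9][0-9]$/) err[ip]++
    if (req ~ /(%27|%22|%3C|\.\.\/)/) fuzz[ip]++
  }
  END {
    for (ip in seen) {
      s = 0
      if (ip in nullua) s += 40
      s += err[ip] * 15
      s += fuzz[ip] * 20
      tier = "allow"
      if (s >= 50) tier = "block"
      else if (s >= 20) tier = "captcha"
      print ip, s, tier
    }
  }' | sort
}

# Run the scorer over the constructed log.
score_sample() {
  printf '%s\n' "$SAMPLE_LOG" | score_requests
}

score_sample
# prints:
# 10.0.0.1 0 allow
# 10.0.0.2 70 block
# 10.0.0.3 35 captcha
# 10.0.0.4 15 allow
```

The single 404 from a normal browser stays in the allow tier, which is the point of scoring rather than reacting to any one signal: the response escalates only as evidence accumulates per client.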

An interesting conversation was brought up during this OWASP meeting as a question regarding a bullet point on one of the last slides: how to deal with username harvesting... on the account registration page. Thwarting harvesting on login and "forgot password/username" pages is doable, but during the account registration process it is more challenging. Take Gmail for instance. When you sign up for a new Gmail account the application essentially has to tell you whether your requested username is available or already taken, since two people are not supposed to have the same email address.






One way to combat this vulnerability is to set usernames for the user; don't allow users to choose their own username. Depending on the application this "solution" can range from totally unacceptable (social networking websites) to expected (online banking websites). Remember that there are things in your control as an end user (setting a unique and complex password) and there are things that are entirely governed by the application (support for multi-factor authentication and support for complex passwords). Inconvenience vs security... It can be inconvenient to have an application set my username for me but if it prevents username harvesting is it worth it? The answer depends on the user-base, usability expectations, risk, perception, and supporting security elements.


I want to thank Applied Trust for hosting the event, Mark Major for putting it together and thanks to all of my friends and associates that were able to make it.

As usual with OWASP there were some excellent discussions and I think we all walked away richer for the experience.

Please feel free to download the slides here

Keep in mind that the bullet points tell about 37% of the story, audience participation and subsequent group discussion is where the meat and potatoes are at.

Wednesday, March 11, 2015

SANS SEC 542 Mentor Class April 2015 - Denver Metro

Seats are still available for more students!

This 10 week class starts Tuesday April 7th, 2015 and runs once per week for two hours each Tuesday night. This class will prepare students for the GIAC GWAPT (Web Application Penetration Tester) certification exam.

SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org/

Meeting once a week after work, you'll learn many facets of Web App Penetration Testing and Ethical Hacking in this popular Mentor multi-week format, with time between classes to absorb and master the material. You also receive downloadable MP3 files of the full class being taught to enhance your studies.

Course Details:
Class Title: SEC 542: Web App Penetration Testing and Ethical Hacking
Start Date: Tuesday April 7th, 6:00-8:00pm
Location: Aurora Colorado
Instructor: Mentor Serge Borso
Registration details: www.sans.org/register

Each week your local Mentor, Serge Borso, will highlight the key concepts you need to know and assist you with hands on labs and exercises. From attack methodology to server-side discovery, you'll be learning the exploits and tools needed to protect your systems from attack. The class wraps up with a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site. Each week you will be able to show off your knowledge the next day at the office!

The SANS Mentor Program is HERE! Starting soon in the Denver metro area, conveniently located in Aurora near I-225 and Parker Road. Train Local and Save on the same material taught at SANS six-day conferences.

Saturday, February 28, 2015

RMCCDC 2015


This weekend I was invited to participate in the 2015 RMCCDC (Rocky Mountain Regional Collegiate Cyber Defense Competition) held at Regis University in the Denver Tech Center area.


I was a volunteer for the Red Team and had a great time! I have participated in numerous CTF style competitions, most notably SANS NetWars, and this was my first time with the RMCCDC. It was all in fun but surprisingly intense; the focus of the program is to educate college students on how to deal with cyber attacks in a setting that mimics what happens in the real world. The Red Team tries to breach the systems, Gold and Black Teams monitor traffic/services and provide oversight, while the Blue Teams defend against all of the attacks. The scope is large and consisted of everything from printers and webcams to web applications, Linux/Windows servers, wireless, social engineering (to an extent) and everything in between.


Several student-comprised Blue Teams, each with an identical infrastructure to protect, had to stand up to a barrage of attacks. Personally I found myself less focused than I normally am (much less focused than during a typical penetration test) due to several factors: lack of adequate preparation, large scope and being new to the format.

Just to do something different, I was running the Windows 10 Technical Preview and only had my professional version of Burp installed along with a couple of other non-standard applications. The issues with this choice (not testing thoroughly) manifested themselves in myriad ways: Nmap wouldn't run, my VM instance of Kali (that I had installed the night before) needed significant updates and tweaks to get the GUI to work, not to mention all of the issues inherent to a beta OS (think basic things like no audio). I thought I would be fine with just Burp, maybe ZAP and a couple of browsers. Wow, was I wrong.

The scope was vast as previously mentioned, so I found myself spending about 10% of my time on web applications and the rest split between trying to get my box and tools running effectively, metasploit, panning and zooming webcams aimed at Blue Team white boards and an outrageously slow network (at times) due to saturation. But it was an awesome experience!

Each team had their own room; ours was a piping 80 degrees, perhaps on purpose to fatigue us in order to slow down the attacks. After the first hour or so social engineering attacks were called off, and I was challenged a couple of times by Blue Team members intent on keeping their assets secure, all part of the exercise and well received. The local news was shooting footage, organizations from all over the area were invited to check out the action first hand, and I was able to speak with curious observers and share insight on how a Red Team operates.

Thanks to all the teams, students, sponsors and folks behind the scenes that made this possible. Richer for the experience, and a firm believer in the spirit of the competition, I would be glad to participate in the future.

Wednesday, January 28, 2015

Embiggen your app

Tonight I presented at Denver OWASP on a topic dear to us all, web application security. First off thanks to all of my friends and associates that were able to make it tonight; one of my favorite things about the OWASP Denver chapter is the great people that turn out time and again. There were some excellent discussions and I think we all walked away richer for the experience.

I want to thank Jeff Kowalski of Solutions II for sponsoring the event and Frank Vianzon and Steve Kosten for putting it together.

Please feel free to download the slides here

Keep in mind that the bullet points tell about 37% of the story, audience participation and subsequent group discussion is where the meat and potatoes are at. Until next time...