OWTF call for co-mentors plz RT!

If you have an owasp.org account, are familiar with python and would be willing to mentor some students OWASP OWTF needs you :)

5 students that applied to work on the Google Summer of Code 2013 for OWASP OWTF made it to the top 11 and OWASP got 11 slots this year. However, I cannot mentor them all technically speaking due to restrictions in the Google Summer of Code program.

The last thing I want to see is that someone who worked really hard is rejected from the Google Summer of Code because of lack of mentors!

So, if you are familiar with python, are an OWASP member/leader, and would be willing to mentor some of the successful students, please contact me ASAP: name.surname@owasp.org

Thank you!

P.S. I'll obviously help the students too, you will not be alone on this, but I need several backup mentors

GSoC + Pentesting like a Grandmaster: Slides, Demos, Video

Pentesting like a Grandmaster materials - BSides London 2013
NOTE: Will update the post as soon as video is available only slides and demos for now :)

BSides London 2013 was a blast as previous years, I received a lot of good feedback during the conference on my talk (thanks to everyone!) and some people showed interest on the slides so here they are :)

Slides: http://www.slideshare.net/abrahamaranguren/pentesting-like-a-grandmaster-bsides-london-2013
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH
OWTF links: http://owtf.org

Google Summer of Code note:
If you are a uni student and are interested in getting paid by Google to work on OWTF for 3 months in the summer, have a look at the OWASP Google Summer of Code page and get in touch soon!:

• 7 OWTF ideas: https://www.owasp.org/index.php/GSoC2013_Ideas#OWASP_OWTF_-_Stateful_Browser_with_configurable_authentication
• Proposal deadline: 3rd May 2013

Kali Linux: Dude, where's my sshd-generate?

UPDATE: This probably only affects the VMWare image, you will know if it also affects the Kali install if your hashes match my sample hashes below.

So the fine folks at offensive security released this new distro called "Kali Linux" recently, which is essentially:

1. Replacing Backtrack
2. Based on Debian (instead of Ubuntu)

One of the things that has changed from Backtrack is that it is no longer necessary to generate ssh keys, this is a bit scary for us paranoid security folks as can be seen in this great blog post. In short, having known ssh key pairs available for the whole planet means anybody could MiTM your ssh connections to Kali by default, not cool.

The question is: How do we fix this?

In Backtrack we used to call "sshd-generate" to generate OR overwrite the host ssh keys. However, in Kali if you call sshd-generate you get this:

# sshd-generate
bash: sshd-generate: command not found

The way to "sshd-generate" in Kali is as follows:

Step 1) Move the default Kali ssh keys somewhere else
This way you can use the keys for pranks to your buddies via SSH MiTM and TCP hijacking :).

# cd /etc/ssh/
# mkdir default_kali_keys
# mv ssh_host_* default_kali_keys/

Step 2) Regenerate the keys

# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).

Step 3) Verify ssh key hashes are different now:

# md5sum ssh_host_*
(these are your new keys, compare these hashes to the hashes below)
# cd default_kali_keys/
# md5sum *
b9419ea3a8fff086c258740e89ca86b8  ssh_host_dsa_key
f9a5b57d7004e3740d07c5b037d15730  ssh_host_dsa_key.pub
58e49e0d7b24249c38db0c9cf595751b  ssh_host_ecdsa_key
597c83fabf3c1e4f2c7af74af05ac671  ssh_host_ecdsa_key.pub
cc0d92036bb86797bed354338faa7223  ssh_host_rsa_key
cc9ddc90b891b5251ed4ea8341495e84  ssh_host_rsa_key.pub

After regenerating the SSH key pairs you can start the SSH service via /usr/sbin/sshd from the CLI or just indulge in laziness and use the menus :)

NOTE: Despite the similar name, ssh-keygen is for the client ssh keys not the sshd service.

Illusionism, SE and busting 3 Dynamo tricks

Illusionism is just another form of Social Engineering (SE): The magician attempts to draw attention away from the trick to create an illusion of making the impossible possible.

During the weekend I saw three fun tricks by Steven Fryne (aka Dynamo), the first one (walking on water) additionally shows the power of the media as a social engineering tool which I believe is quite interesting on its own.

The tricks I will "bust" here (SPOILER ALERT!) are:
1) Walking on water
2) Matrix lean
3) Benching 155kg being out of shape from a weight lifting perspective :)

1) Walking on water 
What makes this very interesting from my point of view is that the media turned a FAIL into a WIN, have a look at the "official" video first (one of the highest ranked ones in youtube):

Here you may notice: 

1. Paid actors
2. The canoes going over the area where he walked: Trying to prove there is nothing
3. The police picking him off the water as if there was nothing where the boat was 
4. (After watching the unofficial video) The video is actually manipulated (!): It takes off the bit when the police boat bumped against the plexyglass platform: Pay attention to the place where the boat drives off and compare that with the unofficial video below (the boat did not go in that direction first) :)

Now let's have a look at the unofficial video where the police boat was damaged and people watching laughed:

Here you notice:

1. River waves looking funny for a couple of seconds where Dynamo walks in the first few minutes, especially around minutes 0:00-1:30: This alone is enough proof to detect he is walking on something, probably plexiglas.
2. Dynamo is wearing a red jacket and putting his arms in a cross-like position, drawing attention away from his feet and the river waves, this enforces the illusion.
3. Dynamo is clearly dragging his feet to check where the plexiglas platform finishes and where there are gaps, he is using touch to guide his feet through the platform: He is clearly not walking like a normal guy on the street :).
4. Dynamo stops walking at the end of the plexiglas platform to be picked up by the police: He could not have continued to walk from that point, it was all organised :).
5. At minute 2:30 the police try to make an odd turn over the area where Dynamo walked, to prove a point beyond what the canoes tried to do (i.e. there is nothing under the water), however the depth and/or plexiglas gap to drive through was not calculated well enough and they hit the platform probably damaging the boat :)
6. People start to laugh, the FAIL is hilarious :)

What is amazing to me is that a lot of London people witnessed this hilarious FAIL, yet Discovery Channel and news outlets show it as a WIN, and the WIN is ranked higher than the FAIL on youtube, etc! :).

Creating an illusion of walking on water is actually quite hard as can be seen in the following mythbusters' "buckets of fail" where they just cannot find a reliable way to walk on water:

Here the mythbusters just give up and create a goo-thing to walk over that instead of water, hence busting absolutely nothing :)

Here the mythbusters try "running on water" instead of "walking on water" failing miserably too :)

The plexiglass trick (probably) used by Dynamo is explained quite well here:

From the videos above, it looks like the most reliable tricks to create an illusion of walking on water depend on having the ability to manipulate the environment: The platforms must be setup in advance and the magician must know where to walk.

The Jesus Christ Lizard is however able to run over water without setting up the environment in advance, hence beating all human magicians to the ground :)

But if magicians really want to challenge the feat of walking on water by Jesus Christ 2000 years ago (awesome Bible verse comparison by wikipedia here), they should create an illusion of:

1. Walking from the shore into a boat controlled by others without any coordination with the magician (no environment control!)
2. Being able to do this on bad weather conditions (the Bible talks about wind, etc)
3. Have a random volunteer (without any idea about the trick) walk to you over water (Peter in the Bible)
4. When the other guy (Peter) starts to sink because of "lack of faith" the magician must be able to lift them off the water and have them walk with them into the boat

If a magician can make 1-4 believable that'd be really awesome, that is some homework for you, youtube links welcome :)

2) Matrix lean
For this one I do not have a counter video to prove the trick, but there are a couple of hints on how he (possibly) made this work. High ranked video first for background:

If you stop the video at minute 1:05 you may notice the back of his right foot appears to be hooked to the ground: How can he lean all the way back on one leg without the tips of his right foot touching the floor? :)

A nice explanation of the hook technique is done in the following video. The illusionist is also required to setup the environment in advance to disguise the hook on the floor (disguising the hook on the red carpet at the beginning of the video above would have been harder, could a light guy like Dynamo get away without a hook?):

3) Benching 155kg

The trick here is how could a small guy like Dynamo bench 155kg, the original video is here:

Again, having full environment control, there are so many tricks that the following is not an exhaustive list:

1. The plates could be fake, hence weighting near 0: The plates on the bar are different than those in the gym, hence being probably fake (you could also have fake plates that look like the ones in the gym, obviously :))
2. Dynamo could be wearing a benching shirt underneath, hence getting up to approx. 100kg+ help
3. The spotter is just laughing at minute 3:00 :)
4. There is no slight bending on the bar as it should be at 155kg
5. The lift is just not clean with the spotter getting the bar off Dynamo's chest using a mixed grip (yes, not using all the fingers but that guy can easily deadlift 100kg+ that way)
6. If you stop the video at minutes 3:45-3:50 you can see Dynamo's right wrist being bent at an angle while his left wrist is mostly straight: It is unlikely for such a small wrist to hold that kind of weight and not bend further (i.e. to parallel). Also if you are performing a maximal lift, you are unlikely to perform at your best with one wrist straight while the other is bent, this is another minor proof of lack of weight on the bar.

Did I miss something? I'm sure I did! thoughts welcome :). I'll update the post with suggestions if you have them :).

VSA: The Virtual Scripted Attacker, Slides online

At Brucon 2012 I had the privilege to present and demo VSA, the Virtual Scripted Attacker, a tool I had been working on with a great team of very talented people for a number of months.

The talk was only 5 minutes long (a Lightning talk) so the presentation is brief.

VSA is the first fully automated DOM XSS scanner ever created, capable of finding many more bugs than any other similar tools.

The VSA Team that made this happen was:
- Dr. Ing. Mario Heiderich (XSS PhD!) <-- For all questions please ask Mario :)
- Gareth Heyes
- Abraham Aranguren
- Alfred Farrugia
- Frederik Braun


The slides can be found here:
http://www.slideshare.net/abrahamaranguren/the-virtual-scripted-attacker-brucon-2012

I was interviewed about VSA, OWASP OWTF and other things at EuroTrash 32:
http://www.eurotrashsecurity.eu/index.php/Episode_32

Free Android sec tools, resources and smartphonesdumbapps release

UPDATE: April 2nd - Added new pinning article thanks @an_animal!
UPDATE: Feb 14th - Added (draft, initial) forensics section, Added pinning links, thanks @an_animal for most pinning resources!

Android Security is like IPv6: It will catch you sooner or later :). It is becoming more common for Web Applications to involve a Mobile Application component.  The purpose of this post is to try to get the average infosec person (or competent developer) up to speed asap.

Free Tools

• OWASP Mobisec ISO: This is a bootable ISO like Backtrack/Samurai WTF but for Mobile testing, including lots of tools, emulators, etc (i.e. saves you a lot of time) http://sourceforge.net/p/mobisec/wiki/Home/  (Slides here). NOTE: You can install it on a VM for persistent changes, updates, etc
• Dan Cornell/DenimGroup's scripts (https://code.google.com/p/smartphonesdumbapps/): I made some small contributions to this new release and Dan added more improvements (released yesterday: Feb 13th!)
• Android SSL bypass: This is an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented (pinning links below), as well as other debugging tasks: https://www.isecpartners.com/tools/mobile-security/android-ssl-bypass.aspx (Source here)
• Java Decompiler: http://java.decompiler.free.fr/?q=jdgui 

NOTE: You need the Java source to do source code searches for insecure practices. jd-gui is just the best tool for this, unfortunately it's a GUI tool so you'll have to manually open the .jar file and then click on File / Save all Sources it to save all the .java files to disk:

• Droidsheep (for broken SSL PoCs): http://code.google.com/p/droidsheep/
• SQLite editor (Edit SQLite databases from your phone): http://code.google.com/p/xdroidx/downloads/detail?name=SQLite%20Editor-9.apk&can=2&q=
• Android APK Tool: http://code.google.com/p/android-apktool/w/list 
• Agnitio (@securityninja's source code review tool, contains Android and iPhone app analysis features and great checklist questions):  http://www.securityninja.co.uk/application-security/agnitio-and-mobile-apps/

Vulnerable Apps

• OWASP GoatDroid (Jack Mannino): https://github.com/jackMannino/OWASP-GoatDroid-Project
• Pandemobium (Dan Cornell/DenimGroup): https://github.com/denimgroup/Pandemobium/

Useful Presentations

• OWASP Top 10 Mobile Risk (Jack Mannino, Zack Lanier, Mike Zusman) http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• Advanced Code Review Tecniques (Prashant Verma, Dinesh Shetty): https://www.owasp.org/images/4/40/OWASP_Advanced_Mobile_Application_Code_Review_Techniques.pptx
• UI Redressing A$acks on Android Devices (Marcus Niemietz): https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-slides.pdf (Paper here)
  
• Whack-­‐A-­‐Mobile II (Secure Ideas: Kevin Johnson, Tony DeLaGrange): https://www.owasp.org/images/4/49/ASDC12-WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment.pdf
  
• Mobile Malfeasance (Jason Haddix) http://www.slideshare.net/jasonhaddix/mobile-malfeasance-exploring-dangerous-mobile-vulnerabilities
• Seven Ways to Hang Yourself with Google Android (Yekaterina Tsipenyuk O'Neil and Erika Chin): http://blog.fortify.com/blog/2011/08/19/Seven-Ways-to-Hang-Yourself-with-Google-Android (NOTE: Android Intent Madness explained here!)
• TEAM JOCH vs. Android: The Ultimate Showdown (Jon Oberheide, Zach Lanier): http://jon.oberheide.org/files/shmoo11-teamjoch.pdf
• Mobile Threats and OWASP Mobile Top 10 Risks (Securbay): http://www.slideshare.net/securbay/securbay-mobile-threats-and-owasp-top-10-risks
• Secure Android Applications The OWASP Way (Jack Mannino): http://www.slideshare.net/JackMannino/secure-android-apps-nvisium-security
• Mobile Application Security Code Reviews (Dan Cornell/DenimGroup): http://www.slideshare.net/denimgroup/mobile-application-security-code-reviews
• Cracking the Code of Mobile Applications (Sreenarayan Ashokkumar): http://vimeo.com/54227159 (Slides here)
• (Italian with lots of English, easy for Spaniards/Valencian-Catalonian speakers :)) - OWASP Top 10 Mobile Risks: http://www.slideshare.net/franciov/owasp-mobile-security-project

On SSL validation and pinning

• OWASP Pinning CheatSheet: https://owasp.org/index.php/Pinning_Cheat_Sheet
• Certificate Pinning in a Mobile Application: http://www.netspi.com/blog/2013/04/01/certificate-pinning-in-a-mobile-application/  
• Defeating SSL certificate validation for Android Applications  (McAfee):  https://secure.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf
• Your app shouldn't suffer SSL's problems (Moxie Marlinspike): http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
• Android SSL bypass: This is an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented, as well as other debugging tasks: https://www.isecpartners.com/tools/mobile-security/android-ssl-bypass.aspx (Source here)
• Certificate Pinning - Pin Creator: https://certpins.appspot.com/about
• Public key pinning: http://www.imperialviolet.org/2011/05/04/pinning.html
• Surveillance works! Let's have more of it: http://blog.cryptographyengineering.com/2013/01/ubiquitous-surveillance-works-lets-have.html

Forensics

• FROST: Forensic Recovery Of Scrambled Telephones (full disk encryption bypass via cold boot attacks against new Android 4 devices): https://www1.informatik.uni-erlangen.de/frost

Further reading

• OWASP Top 10 Mobile Risks: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks
• OWASP Top 10 Mobile Controls: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_Ten_Mobile_Controls  
• Android Security and Permissions: http://developer.android.com/guide/topics/security/index.html
• Android Security Overview: http://source.android.com/tech/security/ 
• Rough overview of HP Fortify's Android checks: http://stackoverflow.com/questions/12832957/fortify-android-checks
• Reversing Android apps (the article focuses on malware but reversing an .apk for review is largely equivalent): http://palizine.plynt.com/issues/2011Sep/android-malware/ 

P.S. If there is something useful I missed above, please let me know and I will update this blog post. Thank you in advance.

Installing and using LAPSE Plus in BackTrack 5/Ubuntu

An interesting tool for Java source code analysis is OWASP LAPSE Plus.
You can see the instructions to set it up on the project's page or here.

OWASP LAPSE Plus requires Eclipse Helios and a number of people who know more than me at stack overflow suggest that you should not install eclipse using apt-get.

This means you need to install Eclipse Helios from here or OWASP LAPSE Plus will not work (you can see the pain I just saved you here).
Installing any other Eclipse version will result in OWASP LAPSE Plus crashing like this when you try to use it:

An internal error occurred during: "Computing Sources". java.lang.NullPointerException

This is quite basic but worth a mention, make sure you get the right Eclipse version for your operating system (32 or 64 bits):

#uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

Knowing the number of bits of our OS (64 bits from the command above) we know which "Eclipse IDE for Java Developers" version to download:

After you download the eclipse bundle, you need to uncompress it, for example (this creates the eclipse directory):

root@bt:~# tar xvfz eclipse-java-helios-SR2-linux-gtk-x86_64.tar.gz

Now we need to download the OWASP LAPSE Plus plugin into the Eclipse plugins directory in Backtrack:

root@bt:~# cd eclipse/
root@bt:~/eclipse# cd plugins/
root@bt:~/eclipse/plugins# wget http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar
--2013-01-21 20:37:52--  http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar
Resolving evalues.es... 163.117.174.60
Connecting to evalues.es|163.117.174.60|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 213623 (209K) [application/java-archive]
Saving to: `LapsePlus_2.8.1.jar'

100%[=============================================================================================>] 213,623      492K/s   in 0.4s   

2013-01-21 20:37:52 (492 KB/s) - `LapsePlus_2.8.1.jar' saved [213623/213623]


After that:
- Close Eclipse if you had it open
- Start Eclipse:

Use an ampersand to keep the shell window usable:
root@bt:~/eclipse# ./eclipse &

Now Eclipse Helios loads:

You will be asked for a workspace directory, /root/workspace will be fine for most.

- Go to Window / Show View / Other
- Select all the views and click OK:

After clicking OK you should have 3 panels:

The problem now is that the panels are empty, to perform a source code analysis you are supposed to:
0) Make sure all project dependencies are solved
1) Open a project
2) Click on the "scan sources" icon

If you run into further issues the following patch might help.

Good luck!

OWASP OWTF BruCon 2012 Workshop slides, code, demos

Here are a few links if you want to download the materials from the OWASP OWTF BruCon 2012 workshop that happened last week in Ghent, Belgium:

- The slides are now online in slideshare
- The demos, code and slides PDF can be downloaded from either of these:

1. The OWTF Project Github page
2. The BruCon site: Using the tar.gz link at the top

If you use the tool and you find any bugs of have any suggestions please feel free to do either or both of these:

1. Fork the OWASP OWTF project in github and send me a Pull request
2. Create a bug report on github

If you attended the workshop or even if you just downloaded the materials, I would also appreciate if you could take the time to provide some feedback on ideally at least:

• What you liked the most
• What you liked the least 
• What could have been done better

Thank you!