Wednesday, 11 December 2013

OWASP OWTF CFP funds contest WINNERS

Please contribute:
We are trying to release the new version of OWTF in the next few weeks (hopefully before 2014!). For that, we need your help to identify and report bugs. THANK YOU! :)

OWASP OWTF CFP funds contest WINNERS
I would like to let you know that, after careful deliberation, the OWASP OWTF CFP Panel selected the following projects for access to the available OWASP OWTF funds:

  • Alessandro Fanio González: OWTF Architectural improvements
  • Marios Kourtesis: OWTF Botnet mode
  • Assem Chelli: OWTF Reporting improvements

Background on the decision process
I tried to be as neutral as possible due to the unavoidable conflict of interest issue:
Being friends with some of the people who submitted due to 3 months+ working together during the GSoC vs. those that were not. Thankfully, a panel of volunteers stepped up to solve this problem and chose (wisely in my opinion) the best projects given the limited money available. Thank you! -you know who you are ;)-
Sunday, 8 September 2013

OWASP OWTF CFP funds contest

As announced at AppSec EU recently, OWASP OWTF has (thank you!):
Instead of taking this to pay myself for working on OWTF in my spare time, I'm giving it away so that others are paid to work on OWTF: There is a contest to apply for this money and you can apply to all or part of it.

Timeline:
  • September 8th - October 15th: Call for OWASP OWTF Proposals
  • October 16th - 21st (might end sooner): Review of proposals by CFP panel
  • October 21st (might be earlier): Public winner(s) announcement
To apply please click here.
NOTE: You can change your proposal as many times as you want until October 15th.
NOTE 2: Each candidate can submit more than one proposal

Contest rules (IMPORTANT: Subject to minor modifications, keep an eye on this):
  • Project payment will be performed upon project completion
  • Contributing to OWASP OWTF in advance of acceptance will award extra points
  • The technical strength of the candidate will award extra points (especially with proof such as a github page)
  • Regardless of your technical strength, a decent proposal will award extra points
  • The proposed project must be relevant to the OWASP OWTF mission: "To cover as much from the OWASP Testing Guide and the Penetration Testing Execution Standard as it is feasible"

Need help?
FAQ

Q: Does the proposal have to fit into the Google Form text box? or can I append a file with the fully-explained proposal?
A: If you can provide a link to a public but not searchable google document or PDF in dropbox or an alternative service, that's OK. This is probably better since you will be able to add some graphs to explain what you are proposing and the proposal will be easier to understand for reviewers then.

Q: Is it possible to start working in January 2014?
A: Yes, you can specify the start and end dates that suit you best in your proposal, these are mandatory fields in your submission.

Q: Is it necessary to have a CV?
A: Of course not! However, some proof of your skills would be nice (github account, prior involvement in open source projects, doing something for owtf and point to a pull request, whatever)

Sunday, 25 August 2013

AppSec EU: OWASP OWTF Summer Storm slides, demos and Plug-n-Hack support!

UPDATE 04/09/2013: Added link to AppSec EU video
UPDATE 26/08/2013: Added Plug-n-Hack support link.

OWASP AppSec EU 2013 and HackPra AllStars were both a blast this week:

I would like to use this opportunity to let you know that:
  1. OWASP OWTF is always actively looking for contributors, bug reports / ideas.
  2. The slides for the OWASP OWTF Summer Storm talks last week are now online here.
  3. OWASP OWTF supports the Plug-n-Hack mozilla standard now.

The demos, research and prototypes are all linked from the relevant slides within the presentation above.

NOTE: You can now see the OWASP OWTF Summer Storm AppSec EU video here.
NOTE 2: All AppSec EU + HackPra AllStars videos are here!

The slides were used at OWASP AppSec EU in:

You can find members of the OWTF team on our:

Monday, 12 August 2013

OWTF 0.30 "Summer Storm II" released! plz RT!

IMPORTANT NOTE: Some of the new features require the use of the "--dev" flag, please report any issues you find on our github page. Thanks!

This is another very significant release which includes the continued outstanding work of the following Google Summer of Code Projects:

OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES by Bharadwaj Machiraju (Dedicated Mentor: Krzysztof Kotowicz, Co-Mentors: Javier Marcos de Prado, Martin Johns, Abraham Aranguren)


OWASP OWTF - Multiprocessing  by Ankush Jindal (Dedicated Mentor: Andrés Riancho, Co-Mentor: Abraham Aranguren)


OWASP OWTF - Reporting by Assem Chelli (Dedicated Mentor: Gareth Heyes, Co-Mentors: Johanna Curiel, Azeddine Islam Mennouchi, Hani Benhabiles, Abraham Aranguren)
  • Project Plan document <-- FEEDBACK Welcome!
  • The prototypes and voting poll will become public on Thursday this week, stay tuned :)

OWASP OWTF - Unit Test Framework by Alessandro Fanio González (Dedicated Mentor: Andrés Morales, Co-Mentor: Abraham Aranguren)

Usual background + Disclaimer:
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Download the bleeding edge version of OWTF
- Download the latest stable version of OWTF
- Subscribe to the OWTF mailing list
- We're also on #owtf within freenode (IRC)

OWTF would just not be possible without all the people that contributed in one way or another. All contributors to date got a T-shirt this year, to all of you: Thank you!


(Picture above is courtesy of @an_animal, thanks!)


Change log since OWTF 0.20 "Summer Storm I" (Full change log is here):

09/08/2013 - 0.30 "Summer Storm II" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch), Bharadwaj Machiraju (@tunnelshade), their mentors: Andrés Morales, Andrés Riancho, Gareth Heyes, Krzysztof Kotowicz, and their co-mentors: Abraham Aranguren, Azeddine Islam Mennouchi, Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Martin Johns.
+ Extracting the HTML generated by the reporting system from Python modules into independent Jinja2 template files <=> Assem Chelli (@assem-ch)
+ Added some features to the Testing Framework. Added tests that cover approximately 45% of the code of the OWTF Framework. <=> Alessandro Fanio Gonzalez (@alessandrofg)
+ Added support for test coverage reports and test logs in HTML. <=> Alessandro Fanio Gonzalez (@alessandrofg)
+ Spawning multiple processes on the basis of targets and then handling the input, stopping of the targets <=> Ankush Jindal (@ankushjindal278)
+ Centralized log function <=> Ankush Jindal (@ankushjindal278)
+ Generic messaging system with pull and push facility differently and database handler to use messaging for DB transaction in multiprocessing <=> Ankush Jindal (@ankushjindal278)
+ Draft inbound proxy is replaced by a new inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
+ Inbound proxy is capable of caching and saving the transactions <=> Bharadwaj Machiraju (@tunnelshade)
+ Inbound proxy is capable of cookie filters. <=> Bharadwaj Machiraju (@tunnelshade)

Thursday, 4 July 2013

OWASP OWTF report prototype voting, please contribute! plz RT!

A common complaint for OWTF was that the report was "ugly", now it's your turn to change that: This project has a community voting phase, so we need your help to choose the upcoming OWASP OWTF report default style, layout and skin:


OWASP OWTF - Reporting by Assem Chelli (Dedicated Mentor: Gareth Heyes, Co-Mentors: Johanna Curiel, Azeddine Islam Mennouchi, Hani Benhabiles, Abraham Aranguren)

Thank you!

Monday, 1 July 2013

OWTF 0.20 "Summer Storm I" released! plz RT!

This is a very significant release which includes the initial outstanding work of the following Google Summer of Code Projects:

OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES by Bharadwaj Machiraju (Dedicated Mentor: Krzysztof Kotowicz, Co-Mentors: Javier Marcos de Prado, Martin Johns, Abraham Aranguren)


OWASP OWTF - Multiprocessing  by Ankush Jindal (Dedicated Mentor: Andrés Riancho, Co-Mentor: Abraham Aranguren)


OWASP OWTF - Reporting by Assem Chelli (Dedicated Mentor: Gareth Heyes, Co-Mentors: Johanna Curiel, Azeddine Islam Mennouchi, Hani Benhabiles, Abraham Aranguren)
  • Project Plan document <-- FEEDBACK Welcome!
  • The prototypes and voting poll will become public on Thursday this week, stay tuned :)

OWASP OWTF - Unit Test Framework by Alessandro Fanio González (Dedicated Mentor: Andrés Morales, Co-Mentor: Abraham Aranguren)

Usual background + Disclaimer:
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Download the bleeding edge version of OWTF
- Download the latest stable version of OWTF
- Subscribe to the OWTF mailing list
- We're also on #owtf within freenode (IRC)

OWTF got some publicity last week thanks to Alessandro, thank you!
Change log since OWTF 0.16 "shady citizen" (Full change log is here):

28/06/2013 - 0.20 "Summer Storm I" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch) and Bharadwaj Machiraju (@tunnelshade)
+ Port of Abraham Aranguren's network security OSCP scripts into OWASP OWTF <=> Ankush Jindal (@ankushjindal278)
+ Fixed a small bug in the calling of metagoofil, thanks to Adi Mutu (@an_animal) for reporting <=> Bharadwaj Machiraju (@tunnelshade)
+ Added w3af and its dependencies to install script <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed scripts/run_arachni.sh to save arachni output files into relevant owtf_review directory - https://github.com/7a/owtf/issues/41 <=> Abraham Aranguren (@7a_)
+ Fixed release name in framework/config/framework_config.cfg <=> Abraham Aranguren (@7a_)
+ Fixed the installation of phply ( a dependency of w3af ) <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed most PEP standard warnings on owtf.py <=> Abraham Aranguren (@7a_)
+ Fixed most PEP standard warnings on framework/config/health_check.py <=> Abraham Aranguren (@7a_)
+ Minor README fix replacing references from backtrack to Kali <=> Abraham Aranguren (@7a_)
+ Added arachni to install script along with some minor fixes, thanks to @fataku for reporting <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed unicode urls for dirbuster combined dictionaries <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed ssl-cipher-check bug Issue - https://github.com/7a/owtf/issues/38 <=> Abraham Aranguren (@7a_)
Wednesday, 12 June 2013

OWASP OWTF GSoC Selection, Stats and Poll


As you may know, OWASP OWTF took part in the GSoC 2013. It was somewhat surprising (also to me) that OWTF got 4 slots, the same as ZAP (an OWASP flagship project I have a lot of respect for) and OWASP as an organisation in 2012.

Instead of writing a blog post about my personal opinion, I am going to share stats and student feedback so that hopefully the blog post is not as biased :).


Selected proposals
But first of all a huge thank you + congratulations to the selected OWTF students and proposals:
  • Bharadwaj Machiraju - OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES
  • Ankush Jindal - OWASP OWTF - Multiprocessing
  • Alessandro Fanio González - OWASP OWTF - Unit Test Framework
  • Assem Chelli - OWASP OWTF - Reporting
<personal>It was their serious amount of work spent on the proposals as well as their demonstrated skill that got them selected.</personal>


Some OWASP GSoC Numbers
  • OWASP received 84 proposals in total for only 11 available slots: 73 students (87%) could not be selected.
  • 14 students showed interest in the GSoC for OWTF
  • 11 students submitted an OWTF proposal (79% of students that showed interest in OWTF)
  • 14 OWTF proposals were submitted (16% of all OWASP proposals)
  • 14 ZAP proposals were submitted (16% of all OWASP proposals)
  • 5 OWTF proposals ended in the top 11, covering 6 of the 7 ideas proposed. (36% of OWTF proposals)
  • 5 OWTF proposals could have been selected but 1 student was lost in the de-duplication process, the remaining OWTF students were not ranked high enough to be picked up to replace this student.
  • 4 OWTF proposals were finally selected (29% of OWTF proposals)
  • OWTF took 4 out of 11 OWASP slots (36%)
  • ZAP took 4 out of 11 OWASP slots (36%)
  • Hackademic took 1 out of 11 OWASP slots (9%)
  • ModSecurity took 1 out of 11 OWASP slots (9%)
  • OWASP PHP Security project took 1 out of 11 OWASP slots (9%)

Poll
Instead of speculating about what made some students submit to OWTF, I tried to be a bit more scientific and conducted a poll among the students that submitted.

The poll was based on a single question:
What made you submit a proposal for OWASP OWTF? (i.e. as opposed to other OWASP projects and/or organisations)

Poll results
NOTE: I have only redacted what could identify the student and/or project.

Student 1 - "Why I submit to OWASP? I chose many organizations by the criteria python, security but I got too late to submit to all of them except Tor and OWASP. I abandoned the proposal to tor in order to focus on only one good proposal.
Why I  chose OWTF? because it's python, and then because I liked the idea of -redacted-."

Student 2 - "As a person who is amazed by the number of tools present in penetration testing distributions, OWTF is my best call to learn about all those tools and moreover I get to code in my favourite language (python)"

Student 3 - "Well, firstly, I was looking for a security organization/project, because I thought I would be a start point in the computer security world. I had already heard about OWASP (Top 10, WebGoat), so I looked into the GSoC ideas page. Then, I found a couple of ideas that I thought I could accomplish and were adapted to my skills, and I found the OWTF project.

I investigated watching some videos and I liked the project purpose. So I decided to send a proposal for one of the ideas. Definitely, one of the incentives that made me improve my proposal and not look for another project was the quick feedback, the advice and the encouragement that I received from the mentor."

Student 4 - "I started looking for organisations and projects in GSoC list. I searched for systems and security. 
Then after seeing the projects two organisations caught my eye 1. -redacted- ( which had very good systems related projects) 2. OWASP (which had very good security related projects).

I mailed a mentor of -redacted- for a project but there was no reply. In security, I wanted to go for an automated testing of applications because from my course on security, I realized that there should be some tool to do that. So there comes the OWTF and submitted two proposals that had to do with systems also (meant perfect combination of my interests security and systems, may be not much of systems work)."

Student 5 - "I am interested in computer security and OWASP is an organization which I like. So I decided to send a proposal to OWASP. Then I looked for the available projects and saw OWTF. I had mailed you and you had sent me some presentation about OWASP OWTF to learn more about it and how it works. Before GSOC(2013) I had no idea about this tool. The idea of scanning a website without touching is awesome!!! So I decided to make a proposal on this tool!
Recently I played around with it! I think that I have found a bug, I will contact you via skype soon."

Student 6 - "OWTF project on -redacted- interested me. It was something new which
I never did before. And more importantly, it was your constant motivation that made me choose OWTF and write a proposal. It was really a nice learning experience for me while working with you."

Friday, 24 May 2013

OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!

As a wrapper tool that depends on many tools, the migration from Backtrack to Kali Linux has been a bit of a challenge for the OWTF development team: Many tools were removed, all tools and dictionaries changed their locations, some tools were not working anymore, other tools had to be replaced by better ones and coordinating GSoC students (whether accepted or not) and getting them up to speed made my spare time disappear almost completely :).

A *huge* THANK YOU + a tap in the back + a hug goes to Bharadwaj Machiraju (@tunnelshade_) without whom OWTF 0.16 "shady citizen" would just have *not* happened today, period.

Also big props for this release go to Adi Mutu (@an_animal), Anant Shrivastava (@anantshri), Alessandro Fanio Gonzalez (@alessandrofg) and Assem Chelli (@assem-ch) for smaller yet very useful contributions, thank you!

OWTF 0.16 "shady citizen" is dedicated to Michael Kohl (@citizen428) and Bharadwaj Machiraju (@tunnelshade_) for significant contributions to OWASP OWTF, thank you!

Usual background + Disclaimer:
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Download the bleeding edge version of OWTF
- Download the latest stable version of OWTF
- Subscribe to the OWTF mailing list
- We're also on #owtf within freenode (IRC)

Change log since OWTF 0.15 "BruCon" (Full change log is here):

24/05/2013 - 0.16 "shady citizen" alpha release: Dedicated to Michael Kohl (@citizen428) and Bharadwaj Machiraju (@tunnelshade) for contributing to OWTF, thank you!
+ Created an alternative phishing3.2.2_listenerIP SET script directory to use in profiles/general/default.cfg: <=> Abraham Aranguren (@7a_)
  - The point of this is to be able to simply change the PHISHING_SCRIPT_DIR to use when SET adds an additional "ask listener IP" manual step (happens sometimes)
  - If SET stops asking the MSF listener IP then simply change PHISHING_SCRIPT_DIR back to phishing3.2.2 to use the correct scripts
+ Fixed legacy misspelled "phishing" typo bug around a few files <=> Abraham Aranguren (@7a_)
+ Added external links to assist Credential Transport vulnerability exploitation: SSLStrip, Firesheep, CookieCadger <=> Abraham Aranguren (@7a_)
+ Added external link to SpiderLabs' Blogpost: Adding Anti-CRSF support to Burp Intruder <=> Abraham Aranguren (@7a_)
+ Added Skipfish support via a new Skipfish plugin: Skipfish_Unauthenticated <=> Abraham Aranguren (@7a_)
+ Added Arachni v.0.4.1 support <=> Abraham Aranguren (@7a_)
+ Removed demos directory to place demos in a dedicated repository (https://github.com/7a/owtf_demos) and keep the main owtf repository more lightweight <=> Abraham Aranguren (@7a_)
+ Removed releases directory to place demos in a dedicated repository (https://github.com/7a/owtf_releases) and keep the main owtf repository more lightweight <=> Abraham Aranguren (@7a_)
+ Substituted getopt with argparse for argument parsing <=> Abraham Aranguren (@7a_)
+ Fixed www.company.com/subdir issue thanks to Adi Mutu (@an_animal) for reporting it and Bharadwaj Machiraju (@tunnelshade) for fixing it! - https://github.com/7a/owtf/pull/15 <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed bug on draft Inbound proxy thanks to Bharadwaj Machiraju (@tunnelshade) for finding + fixing it! - https://github.com/7a/owtf/pull/16 <=> Bharadwaj Machiraju (@tunnelshade)
+ Initial Kali Linux port (some tools still missing, the install script needs more work) thanks to Bharadwaj Machiraju (@tunnelshade) for a lot of help on this! <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed websecurify path, thanks to Anant Shrivastava (@anantshri) for finding and fixing the problem in a pull request! <=> Anant Shrivastava (@anantshri)
+ Kali Linux fix: Removed setrubyenv.sh from default.cfg resource configuration file due to no longer being necessary and because it was stopping execution of ruby tools <=> Abraham Aranguren (@7a_)
+ Improved exception handling in framework/http/requester.py to avoid crashing OWTF for small library things like 'raise BadStatusLine(line)' <=> Abraham Aranguren (@7a_)
+ Kali Linux fix: Fixed DirBuster path and centralised binary name on profiles/general/default.cfg <=> Abraham Aranguren (@7a_)
+ fixed minor pentesting vs. pen testing typo on owtf.py :) <=> Abraham Aranguren (@7a_)
+ Merged new pull request from Bharadwaj Machiraju (@tunnelshade): OWTF restricted dictionary installation and merging scripts thank you! <=> Bharadwaj Machiraju (@tunnelshade)
+ Minor improvements to pull request above after testing (linking raft files instead of copying again, fixing svndigger_raft_dict_merger.py permissions) <=> Abraham Aranguren (@7a_)
+ Added .project files in order to allow importing of OWTF project into Eclipse, revised readme/CONTRIBUTORS and a bug fix in owtf.py <=> Bharadwaj Machiraju (@tunnelshade)
+ Removing big-size binaries from the git repo and purging their history in order to have a small repository <=> Assem Chelli (@assem-ch)
+ Fixed the plugin listing option. It is no longer necessary to specify a Target when listing plugins. <=> Alessandro Fanio Gonzalez (@alessandrofg)
+ Commented out TOOL_GOOHOST as it is not being called by OWTF (since there are better tools doing same job) <=> Bharadwaj Machiraju (@tunnelshade)
+ Revhosts is replaced by dnsrecon as revhosts is discontinued in kali linux. <=> Bharadwaj Machiraju (@tunnelshade)
+ httprint is added to install script as the tool is not present in kali by default <=> Bharadwaj Machiraju (@tunnelshade)
+ Added missing gnutls-bin package to Kali Linux script <=> Abraham Aranguren (@7a_)
+ Added wrapper install scripts around other install scripts and fixed cms-explorer installation & path <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed the dictionary path for skipfish <=> Bharadwaj Machiraju (@tunnelshade)
+ Created the AUTHORS file <=> Assem Chelli (@assem-ch)
+ Added script for patching Tlssled and revised master install script <=> Bharadwaj Machiraju (@tunnelshade)
+ Removed misleading note about argparse since owtf.py now uses this library <=> Abraham Aranguren (@7a_)
+ Added checks before installation of dictionaries and updated date for tlssled patch <=> Bharadwaj Machiraju (@tunnelshade)
+ Revised the extract_urls.sh to use DirBuster.txt instead of generated report and other minor fixes <=> Bharadwaj Machiraju (@tunnelshade)
+ Skipfish is now linked to from the report, this was the final step to solve https://github.com/7a/owtf/issues/13 <=> Abraham Aranguren (@7a_)
+ Fixed a bug in invoking nikto (scripts/run_nikto.sh) <=> Bharadwaj Machiraju (@tunnelshade)

Wednesday, 8 May 2013

OWTF call for co-mentors plz RT!

If you have an owasp.org account, are familiar with python and would be willing to mentor some students OWASP OWTF needs you :)

5 students that applied to work on the Google Summer of Code 2013 for OWASP OWTF made it to the top 11 and OWASP got 11 slots this year. However, I cannot mentor them all technically speaking due to restrictions in the Google Summer of Code program.

The last thing I want to see is that someone who worked really hard is rejected from the Google Summer of Code because of lack of mentors!

So, if you are familiar with python, are an OWASP member/leader, and would be willing to mentor some of the successful students, please contact me ASAP: name.surname@owasp.org

Thank you!

P.S. I'll obviously help the students too, you will not be alone on this, but I need several backup mentors

Thursday, 25 April 2013

GSoC + Pentesting like a Grandmaster: Slides, Demos, Video

Pentesting like a Grandmaster materials - BSides London 2013
UPDATE: 2013-07-28 - Added link to BSides London talk interview 
NOTE: Will update the post as soon as video is available only slides and demos for now :)

BSides London 2013 was a blast as previous years, I received a lot of good feedback during the conference on my talk (thanks to everyone!) and some people showed interest on the slides so here they are :)

BSides London Interview about the talk:

Slides: http://www.slideshare.net/abrahamaranguren/pentesting-like-a-grandmaster-bsides-london-2013
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH
OWTF links: http://owtf.org

Google Summer of Code note:
If you are a uni student and are interested in getting paid by Google to work on OWTF for 3 months in the summer, have a look at the OWASP Google Summer of Code page and get in touch soon!:

Friday, 19 April 2013

Kali Linux: Dude, where's my sshd-generate?

UPDATE: This probably only affects the VMware image; if your hashes match my sample hashes below, it also affects your Kali install.

So the fine folks at offensive security released this new distro called "Kali Linux" recently, which is essentially:
  1. Replacing Backtrack
  2. Based on Debian (instead of Ubuntu)
One of the things that changed from Backtrack is that Kali ships with pre-generated ssh host keys, so it is no longer necessary to generate them. This is a bit scary for us paranoid security folks, as can be seen in this great blog post. In short, having known ssh host key pairs available to the whole planet means anybody could MiTM your ssh connections to Kali by default, not cool.

The question is: How do we fix this?

In Backtrack we used to call "sshd-generate" to generate OR overwrite the host ssh keys. However, in Kali if you call sshd-generate you get this:

# sshd-generate
bash: sshd-generate: command not found


The way to "sshd-generate" in Kali is as follows:

Step 1) Move the default Kali ssh keys somewhere else
This way you can use the keys for pranks to your buddies via SSH MiTM and TCP hijacking :).

# cd /etc/ssh/
# mkdir default_kali_keys
# mv ssh_host_* default_kali_keys/

Step 2) Regenerate the keys

# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).


Step 3) Verify ssh key hashes are different now:

# md5sum ssh_host_*
(these are your new keys, compare these hashes to the hashes below)
# cd default_kali_keys/
# md5sum *
b9419ea3a8fff086c258740e89ca86b8  ssh_host_dsa_key
f9a5b57d7004e3740d07c5b037d15730  ssh_host_dsa_key.pub
58e49e0d7b24249c38db0c9cf595751b  ssh_host_ecdsa_key
597c83fabf3c1e4f2c7af74af05ac671  ssh_host_ecdsa_key.pub
cc0d92036bb86797bed354338faa7223  ssh_host_rsa_key
cc9ddc90b891b5251ed4ea8341495e84  ssh_host_rsa_key.pub


After regenerating the SSH key pairs you can start the SSH service via /usr/sbin/sshd from the CLI or just indulge in laziness and use the menus :)



NOTE: Despite the similar name, ssh-keygen is for the client ssh keys not the sshd service.
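As an added example (not part of the original post), the following POSIX shell script automates the Step 3 comparison against the sample hashes above and, optionally, Steps 1 and 2. The script name check_kali_hostkeys.sh, the function names and the --fix flag are my own choices; the hash list is the one quoted in the post, so the script only recognises the VMware image keys the author observed. The regeneration path assumes a Debian-based system with dpkg-reconfigure and root privileges.

```shell
#!/bin/sh
# check_kali_hostkeys.sh (added example, not from the original post)
# Detects SSH host keys that still match the known default Kali VMware image
# keys and, with --fix, moves them aside and regenerates them.

# md5sums quoted in the post for the default Kali VMware image keys
KNOWN_DEFAULT_HASHES="
b9419ea3a8fff086c258740e89ca86b8  ssh_host_dsa_key
f9a5b57d7004e3740d07c5b037d15730  ssh_host_dsa_key.pub
58e49e0d7b24249c38db0c9cf595751b  ssh_host_ecdsa_key
597c83fabf3c1e4f2c7af74af05ac671  ssh_host_ecdsa_key.pub
cc0d92036bb86797bed354338faa7223  ssh_host_rsa_key
cc9ddc90b891b5251ed4ea8341495e84  ssh_host_rsa_key.pub
"

# fingerprint_file FILE: md5 of FILE without the trailing filename
fingerprint_file() {
    md5sum "$1" | cut -d' ' -f1
}

# is_known_default_hash HASH: returns 0 when HASH is in the known default list
is_known_default_hash() {
    printf '%s\n' "$KNOWN_DEFAULT_HASHES" | grep -q "^$1 "
}

# check_host_keys DIR: prints one line per ssh_host_* file in DIR and returns 1
# if any of them still matches a known default key, 0 when all are fresh
check_host_keys() {
    dir="$1"
    found_default=0
    for f in "$dir"/ssh_host_*; do
        [ -f "$f" ] || continue
        h=$(fingerprint_file "$f")
        if is_known_default_hash "$h"; then
            echo "DEFAULT  $h  $f"
            found_default=1
        else
            echo "fresh    $h  $f"
        fi
    done
    return $found_default
}

# regenerate_host_keys DIR: the post's Steps 1 and 2, run only when defaults are
# detected. Needs root and dpkg-reconfigure; old keys are moved aside first so
# nothing is silently overwritten.
regenerate_host_keys() {
    dir="$1"
    if check_host_keys "$dir" >/dev/null; then
        echo "host keys in $dir do not match known defaults; nothing to do"
        return 0
    fi
    mkdir -p "$dir/default_kali_keys"
    mv "$dir"/ssh_host_* "$dir/default_kali_keys/"
    dpkg-reconfigure openssh-server
    # Step 3: show the new fingerprints, which should all report "fresh"
    check_host_keys "$dir"
}

# Usage: sh check_kali_hostkeys.sh /etc/ssh        (report only)
#        sh check_kali_hostkeys.sh /etc/ssh --fix  (move defaults aside, regenerate)
if [ $# -gt 0 ]; then
    if [ "${2:-}" = "--fix" ]; then
        regenerate_host_keys "$1"
    else
        check_host_keys "$1"
    fi
fi
```

The report-only mode exits non-zero when a default key is found, so it can be dropped into a provisioning check or a cron job that flags images that were cloned without regenerating their host keys.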

Tuesday, 9 April 2013

Illusionism, SE and busting 3 Dynamo tricks

Illusionism is just another form of Social Engineering (SE): The magician attempts to draw attention away from the trick to create an illusion of making the impossible possible.

During the weekend I saw three fun tricks by Steven Frayne (aka Dynamo), the first one (walking on water) additionally shows the power of the media as a social engineering tool which I believe is quite interesting on its own.

The tricks I will "bust" here (SPOILER ALERT!) are:
1) Walking on water
2) Matrix lean
3) Benching 155kg being out of shape from a weight lifting perspective :)

1) Walking on water 
What makes this very interesting from my point of view is that the media turned a FAIL into a WIN, have a look at the "official" video first (one of the highest ranked ones in youtube):
Here you may notice: 
  1. Paid actors
  2. The canoes going over the area where he walked: Trying to prove there is nothing
  3. The police picking him off the water as if there was nothing where the boat was 
  4. (After watching the unofficial video) The video is actually manipulated (!): It takes off the bit when the police boat bumped against the plexiglass platform: Pay attention to the place where the boat drives off and compare that with the unofficial video below (the boat did not go in that direction first) :)
Now let's have a look at the unofficial video where the police boat was damaged and people watching laughed:

Here you notice:
  1. River waves looking funny for a couple of seconds where Dynamo walks in the first few minutes, especially around minutes 0:00-1:30: This alone is enough proof to detect he is walking on something, probably plexiglas.
  2. Dynamo is wearing a red jacket and putting his arms in a cross-like position, drawing attention away from his feet and the river waves, this enforces the illusion.
  3. Dynamo is clearly dragging his feet to check where the plexiglas platform finishes and where there are gaps, he is using touch to guide his feet through the platform: He is clearly not walking like a normal guy on the street :).
  4. Dynamo stops walking at the end of the plexiglas platform to be picked up by the police: He could not have continued to walk from that point, it was all organised :).
  5. At minute 2:30 the police try to make an odd turn over the area where Dynamo walked, to prove a point beyond what the canoes tried to do (i.e. there is nothing under the water), however the depth and/or plexiglas gap to drive through was not calculated well enough and they hit the platform probably damaging the boat :)
  6. People start to laugh, the FAIL is hilarious :)
What is amazing to me is that a lot of London people witnessed this hilarious FAIL, yet Discovery Channel and news outlets show it as a WIN, and the WIN is ranked higher than the FAIL on youtube, etc! :).

Creating an illusion of walking on water is actually quite hard as can be seen in the following mythbusters' "buckets of fail" where they just cannot find a reliable way to walk on water:

Here the mythbusters just give up and create a goo-thing to walk over that instead of water, hence busting absolutely nothing :)
Here the mythbusters try "running on water" instead of "walking on water" failing miserably too :)
The plexiglass trick (probably) used by Dynamo is explained quite well here:

From the videos above, it looks like the most reliable tricks to create an illusion of walking on water depend on having the ability to manipulate the environment: The platforms must be set up in advance and the magician must know where to walk.

The Jesus Christ Lizard is however able to run over water without setting up the environment in advance, hence beating all human magicians to the ground :)

But if magicians really want to challenge the feat of walking on water by Jesus Christ 2000 years ago (awesome Bible verse comparison by Wikipedia here), they should create an illusion of:
  1. Walking from the shore into a boat controlled by others without any coordination with the magician (no environment control!)
  2. Being able to do this in bad weather conditions (the Bible talks about wind, etc.)
  3. Having a random volunteer (without any idea about the trick) walk to them over water (Peter in the Bible)
  4. When the other guy (Peter) starts to sink because of "lack of faith", being able to lift him off the water and have him walk with them into the boat
If a magician can make 1-4 believable that'd be really awesome, that is some homework for you, youtube links welcome :)

2) Matrix lean
For this one I do not have a counter video to prove the trick, but there are a couple of hints on how he (possibly) made this work. High ranked video first for background:
If you stop the video at minute 1:05 you may notice the back of his right foot appears to be hooked to the ground: How can he lean all the way back on one leg without the tips of his right foot touching the floor? :)

A nice explanation of the hook technique is given in the following video. The illusionist is also required to set up the environment in advance to disguise the hook on the floor (disguising the hook on the red carpet at the beginning of the video above would have been harder; could a light guy like Dynamo get away without a hook?):

3) Benching 155kg

The question here is how a small guy like Dynamo could bench 155kg; the original video is here:
Again, having full environment control, there are so many tricks that the following is not an exhaustive list:
  1. The plates could be fake, hence weighing near 0: The plates on the bar are different from those in the gym, hence probably being fake (you could also have fake plates that look like the ones in the gym, obviously :))
  2. Dynamo could be wearing a bench shirt underneath, hence getting approx. 100kg+ of help
  3. The spotter is just laughing at minute 3:00 :)
  4. There is no slight bending on the bar as it should be at 155kg
  5. The lift is just not clean with the spotter getting the bar off Dynamo's chest using a mixed grip (yes, not using all the fingers but that guy can easily deadlift 100kg+ that way)
  6. If you stop the video at minutes 3:45-3:50 you can see Dynamo's right wrist being bent at an angle while his left wrist is mostly straight: It is unlikely for such a small wrist to hold that kind of weight and not bend further (i.e. to parallel). Also if you are performing a maximal lift, you are unlikely to perform at your best with one wrist straight while the other is bent, this is another minor proof of lack of weight on the bar.

Did I miss something? I'm sure I did! thoughts welcome :). I'll update the post with suggestions if you have them :).

Wednesday, 20 February 2013

VSA: The Virtual Scripted Attacker, Slides online

At Brucon 2012 I had the privilege to present and demo VSA, the Virtual Scripted Attacker, a tool I had been working on with a great team of very talented people for a number of months.

The talk was only 5 minutes long (a Lightning talk) so the presentation is brief.

VSA is the first fully automated DOM XSS scanner ever created, capable of finding many more bugs than any other similar tools.

The VSA Team that made this happen was:
- Dr. Ing. Mario Heiderich (XSS PhD!) <-- For all questions please ask Mario :)
- Gareth Heyes
- Abraham Aranguren
- Alfred Farrugia
- Frederik Braun


The slides can be found here:
http://www.slideshare.net/abrahamaranguren/the-virtual-scripted-attacker-brucon-2012

I was interviewed about VSA, OWASP OWTF and other things at EuroTrash 32:
http://www.eurotrashsecurity.eu/index.php/Episode_32

Thursday, 14 February 2013

Free Android sec tools, resources and smartphonesdumbapps release

UPDATE: April 2nd - Added new pinning article thanks @an_animal!
UPDATE: Feb 14th - Added (draft, initial) forensics section, Added pinning links, thanks @an_animal for most pinning resources!

Android Security is like IPv6: It will catch you sooner or later :). It is becoming more common for Web Applications to involve a Mobile Application component. The purpose of this post is to try to get the average infosec person (or competent developer) up to speed ASAP.

Free Tools
NOTE: You need the Java source to do source code searches for insecure practices. jd-gui is just the best tool for this; unfortunately it's a GUI tool, so you'll have to manually open the .jar file and then click on File / Save All Sources to save all the .java files to disk:
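Once jd-gui has written the .java files to disk, a grep pass over them is the quickest way to find the places worth a manual look. The script below is an added example (not from the post or any of the tools it lists): it searches a source tree for a handful of real Android/Java API identifiers associated with insecure practices (world-readable storage modes, trust-all TrustManagers, permissive hostname verifiers, JavaScript bridges in WebViews, debug logging) and constructs a small sample "decompiled" project to run against. The sample app code is constructed for the demo; the patterns are the ones you would extend for your own review.

```shell
#!/bin/sh
# Added example: grep-based first pass over decompiled Java sources
# (e.g. the .java files jd-gui saved to disk) for insecure Android practices.
# The patterns are real Android/Java identifiers; the sample app below is constructed.

# Print "file:line:text" for every hit of a known-risky pattern under $1.
scan_java_sources() {
    dir="$1"
    # Each pattern is an API identifier that deserves a manual look, not proof of a bug.
    grep -rnE \
        -e 'MODE_WORLD_(READABLE|WRITEABLE)' \
        -e 'setJavaScriptEnabled\([[:space:]]*true' \
        -e 'addJavascriptInterface' \
        -e 'ALLOW_ALL_HOSTNAME_VERIFIER' \
        -e 'X509TrustManager' \
        -e 'checkServerTrusted' \
        -e 'setAllowFileAccess\([[:space:]]*true' \
        -e 'Log\.(d|v)\(' \
        --include='*.java' "$dir" 2>/dev/null || true
}

# Number of hits, so a review script can fail a build or assert on the result.
count_findings() {
    scan_java_sources "$1" | wc -l | tr -d ' '
}

# Constructed sample: a tiny "decompiled" app with a trust-all TrustManager,
# JavaScript enabled in a WebView and a token written to the debug log.
make_sample_project() {
    dir="$1"
    mkdir -p "$dir/com/example/app"
    cat > "$dir/com/example/app/NetUtil.java" <<'EOF'
package com.example.app;
import javax.net.ssl.X509TrustManager;
public class NetUtil {
    // Trust-all manager: accepts any server certificate (this is the bug)
    static X509TrustManager trustAll = new X509TrustManager() {
        public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a) {}
        public void checkClientTrusted(java.security.cert.X509Certificate[] c, String a) {}
        public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
    };
}
EOF
    cat > "$dir/com/example/app/MainActivity.java" <<'EOF'
package com.example.app;
public class MainActivity {
    void setup(android.webkit.WebView w) {
        w.getSettings().setJavaScriptEnabled(true);
        android.util.Log.d("auth", "token=" + "secret");
    }
}
EOF
}

# Demo run: build the constructed sample, scan it, show the hits.
demo_dir=$(mktemp -d)
make_sample_project "$demo_dir"
echo "findings: $(count_findings "$demo_dir")"
scan_java_sources "$demo_dir"
rm -rf "$demo_dir"
```

Run it against the directory jd-gui saved the sources to (`scan_java_sources ~/app-src`) and triage each hit in context: a `checkServerTrusted` with an empty body is the classic certificate-validation bypass, while a `Log.d` call is only a problem if what it logs is sensitive.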
Vulnerable Apps
Useful Presentations
On SSL validation and pinning
Forensics

Further reading

P.S. If there is something useful I missed above, please let me know and I will update this blog post. Thank you in advance.

Wednesday, 23 January 2013

Installing and using LAPSE Plus in BackTrack 5/Ubuntu

An interesting tool for Java source code analysis is OWASP LAPSE Plus.
You can see the instructions to set it up on the project's page or here.

OWASP LAPSE Plus requires Eclipse Helios, and a number of people who know more than me on Stack Overflow suggest that you should not install Eclipse using apt-get.

This means you need to install Eclipse Helios from here or OWASP LAPSE Plus will not work (you can see the pain I just saved you here).
Installing any other Eclipse version will result in OWASP LAPSE Plus crashing like this when you try to use it:

An internal error occurred during: "Computing Sources". java.lang.NullPointerException

This is quite basic but worth a mention: make sure you get the right Eclipse version for your operating system (32 or 64 bits):

#uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

Knowing the number of bits of our OS (64 bits from the command above) we know which "Eclipse IDE for Java Developers" version to download:



After you download the eclipse bundle, you need to uncompress it, for example (this creates the eclipse directory):

root@bt:~# tar xvfz eclipse-java-helios-SR2-linux-gtk-x86_64.tar.gz

Now we need to download the OWASP LAPSE Plus plugin into the Eclipse plugins directory in BackTrack:

root@bt:~# cd eclipse/
root@bt:~/eclipse# cd plugins/
root@bt:~/eclipse/plugins# wget http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar
--2013-01-21 20:37:52--  http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar
Resolving evalues.es... 163.117.174.60
Connecting to evalues.es|163.117.174.60|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 213623 (209K) [application/java-archive]
Saving to: `LapsePlus_2.8.1.jar'

100%[=============================================================================================>] 213,623      492K/s   in 0.4s   

2013-01-21 20:37:52 (492 KB/s) - `LapsePlus_2.8.1.jar' saved [213623/213623]


After that:
- Close Eclipse if you had it open
- Start Eclipse:

Use an ampersand to keep the shell window usable:
root@bt:~/eclipse# ./eclipse &

Now Eclipse Helios loads:
You will be asked for a workspace directory, /root/workspace will be fine for most.
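The two things that go wrong in this setup are picking a bundle for the wrong word size and picking an Eclipse that is not Helios (the "Computing Sources" NullPointerException above). The helper below is an added example, not part of the post or of the LAPSE Plus project: it maps `uname -m` to the Helios bundle name, reads the version out of the extracted bundle's `.eclipseproduct` file (this file with a `version=` line is how Eclipse 3.x bundles identify themselves; treating it as reliable is an assumption), and only then copies the plugin jar into `plugins/`, refusing a "jar" that is not actually a zip, which is what you get when a download saves an error page under the jar's name. The x86_64 bundle name is the one from the post; the 32-bit name follows Eclipse's naming convention and is an assumption.

```shell
#!/bin/sh
# Added helper (not from the post): sanity-checks an Eclipse bundle before
# installing the LAPSE Plus jar into it.
#  1. the bundle must match the OS word size (32 vs 64 bit)
#  2. the bundle must be Helios (3.6.x) or "Computing Sources" throws an NPE
# Assumption: the extracted bundle carries a .eclipseproduct file with a
# "version=" line, as Eclipse 3.x bundles do.

# Echo the Helios bundle name for a given `uname -m` value.
# The x86_64 name is the one used in the post; the 32-bit name is an assumption.
helios_bundle_for_arch() {
    case "$1" in
        x86_64) echo "eclipse-java-helios-SR2-linux-gtk-x86_64.tar.gz" ;;
        i?86)   echo "eclipse-java-helios-SR2-linux-gtk.tar.gz" ;;
        *)      return 1 ;;
    esac
}

# Print major.minor from an extracted Eclipse dir's .eclipseproduct, e.g. "3.6".
eclipse_version() {
    sed -n 's/^version=\([0-9]*\.[0-9]*\).*/\1/p' "$1/.eclipseproduct" 2>/dev/null
}

# Succeeds only if the directory holds Eclipse Helios (3.6.x).
is_helios() {
    [ "$(eclipse_version "$1")" = "3.6" ]
}

# Copy the jar into <eclipse_dir>/plugins after the checks.
# Return codes: 0 ok, 2 not Helios, 3 jar missing or not a zip, 4 no plugins dir.
install_lapse_plugin() {
    eclipse_dir="$1"; jar="$2"
    is_helios "$eclipse_dir" || return 2
    # A jar is a zip, so it starts with the bytes "PK"; an HTML error page does not.
    [ -f "$jar" ] && [ "$(head -c 2 "$jar")" = "PK" ] || return 3
    [ -d "$eclipse_dir/plugins" ] || return 4
    cp "$jar" "$eclipse_dir/plugins/"
}

# Demo: which bundle does this machine need, and is ./eclipse usable?
arch=$(uname -m)
bundle=$(helios_bundle_for_arch "$arch") || bundle="(no Helios bundle known for $arch)"
echo "uname -m: $arch -> download $bundle"
if [ -d ./eclipse ]; then
    echo "./eclipse version: $(eclipse_version ./eclipse)"
    is_helios ./eclipse && echo "Helios detected, OK for LAPSE Plus" \
                        || echo "not Helios: expect the Computing Sources NPE"
fi
```

Typical use after the wget above: `install_lapse_plugin ~/eclipse ~/eclipse/plugins/LapsePlus_2.8.1.jar` (or from wherever the jar was saved); a return code of 2 means the wrong Eclipse was extracted and re-downloading the Helios bundle is the fix, not re-downloading the plugin.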

- Go to Window / Show View / Other
- Select all the views and click OK:


After clicking OK you should have 3 panels:





The panels are empty at this point; to perform a source code analysis you are supposed to:
0) Make sure all project dependencies are solved
1) Open a project
2) Click on the "scan sources" icon

If you run into further issues the following patch might help.

Good luck!