pentest

Metasploit Framework 3.1 Release Imminent

Posted by Christopher on Sun, 2008-01-20 20:19

I have been following the RSS feed for the Metasploit framework trac timeline. There has just been a flurry of activity that, from the descriptions, makes it sound like 3.1 will be released soon. There have been a bunch of new and improved features in SVN; perhaps the biggest is that the GUI is going mainline on both Windows and Linux platforms.

BackTrack, a new Pen-Test LiveCD

Posted by Christopher on Thu, 2006-02-23 23:31

I just happened to notice that BackTrack 3.0 Beta has been released. BackTrack is an amalgamation of two previous projects: WHAX and Auditor. This CD is full of useful tools for conducting penetration tests. New features include a Python development environment, updatable exploit archives for milw0rm and SecurityFocus, one-click setup for Nessus and Snort, and the inclusion of the free VMware Player.

I haven't had a lot of time to experiment with it, but I did find that the current beta seems to have poor WiFi support. They do mention WiFi scripts and drivers on their to-do list.

Nmap Version 4.00 Released

Posted by Christopher on Tue, 2006-01-31 14:24

Fyodor has announced a new major release of Nmap, what might just be the most popular security tool around.  There is also a good interview with Fyodor at SecurityFocus which details many of the changes.

From Insecure.Org: 

"Changes since version 3.50 include a rewritten (for speed and memory efficiency) port scanning engine, ARP scanning, a brand new man page and install guide, 'l33t ASCII art, runtime interaction, massive version detection improvements, MAC address spoofing, increased Windows performance, 500 new OS detection fingerprints, and completion time estimates."

First impressions of Metasploit 3.0

Posted by Christopher on Fri, 2005-12-16 12:58

I downloaded the first Alpha release of Metasploit 3.0 (MSF3) last night. For those of you who don't know, MSF3 has been completely re-implemented in Ruby.

There aren't many changes to the console or web interface.  The workflow is still use exploit, set payload, set options, check, exploit.  New options have been added for using recon modules, however, which will scan for open ports or vulnerabilities.

There are exciting new options for find tag payloads that reuse the exploit connection for payload communications.  Meterpreter can now be used to pivot an attack on a compromised host by sending network traffic through a comm API.

Abusing Web Applications

Posted by Christopher on Tue, 2005-10-25 17:05

Acidus from Most Significant Bit Labs has released a tool called TinyDisk that stores files in WORM (Write Once Read Many) fashion on a web application. While this is not significant in itself, what is different is that it can save the file in someone else's web app.

By exploring the limits of the site (in this case, TinyURL), Acidus was able to store AES-encrypted, Base64-encoded files as URLs in TinyURL's database. Files can then be retrieved by simply asking for the URLs and reversing the encoding/encryption process. This is not unique to TinyURL; many sites could be "abused" the same way.

Acidus' presentation "Layer 7 Fun: Extending Web Applications in interesting ways" can be found here.

The lesson in this?  Always validate ALL input from untrusted sources.  Not validating input is #1 on the OWASP Top Ten Most Critical Web Application Security Vulnerabilities.
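As an added illustration of that lesson (this is example code written for this page, not code from the post, from TinyDisk, or from TinyURL), here is a submission validator for a hypothetical URL-shortener endpoint. The point it demonstrates is that "validate all input" for a shortener means insisting that a submission actually looks like a URL a browser could fetch, rather than accepting any string, so the service cannot quietly become free blob storage. The length caps, the allowed-scheme set and the `validate_long_url` / `is_valid_long_url` names are assumptions made for the example; the rejected inputs in the comments are constructed.

```python
"""Input validation for a URL-shortener-style submission endpoint.

Added example (not the blog's or TinyDisk's code). A shortener that stores
whatever string it is given can be used as a write-once file store, as the
post describes. This validator only accepts submissions that look like
fetchable web URLs and bounds how much data any one submission can carry.
"""
from urllib.parse import urlsplit

MAX_URL_LENGTH = 2048          # assumption: generous cap for real-world URLs
MAX_SEGMENT_LENGTH = 255       # assumption: no single path/query piece is a large opaque blob
ALLOWED_SCHEMES = {"http", "https"}


class InvalidUrl(ValueError):
    """Raised when a submitted string is rejected by the validator."""


def validate_long_url(candidate: str) -> str:
    """Return the trimmed URL if it passes every check, else raise InvalidUrl.

    Checks, in order: type, length, printable ASCII only, parseable,
    http/https scheme, no embedded credentials, a dotted hostname, and no
    oversized path or query segment. The total-length cap is the primary
    control on storage abuse; the per-segment cap catches the simplest
    "one long Base64 string as the path" submissions.
    """
    if not isinstance(candidate, str):
        raise InvalidUrl("not a string")
    candidate = candidate.strip()
    if not candidate or len(candidate) > MAX_URL_LENGTH:
        raise InvalidUrl("empty or too long")
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in candidate):
        raise InvalidUrl("control or non-ASCII characters")
    try:
        parts = urlsplit(candidate)
    except ValueError as exc:  # e.g. malformed bracketed IPv6 host
        raise InvalidUrl(f"unparseable URL: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise InvalidUrl("unsupported scheme")      # rejects data:, ftp:, etc.
    if parts.username or parts.password:
        raise InvalidUrl("embedded credentials")
    host = parts.hostname or ""
    if "." not in host or host.startswith(".") or host.endswith("."):
        raise InvalidUrl("missing or malformed host")
    for segment in parts.path.split("/") + parts.query.split("&"):
        if len(segment) > MAX_SEGMENT_LENGTH:
            raise InvalidUrl("oversized path or query segment")
    return candidate


def is_valid_long_url(candidate: str) -> bool:
    """Boolean convenience wrapper around validate_long_url."""
    try:
        validate_long_url(candidate)
        return True
    except InvalidUrl:
        return False


if __name__ == "__main__":
    # Constructed samples: a normal link, and a "file" smuggled in as a URL.
    samples = [
        "https://www.example.org/docs/page?id=42",
        "http://example.com/" + "QUJDREVGR0hJSktMTU5PUA" * 20,   # opaque blob as path
        "data:text/plain;base64,QUJD",                            # not a web URL at all
    ]
    for sample in samples:
        print(f"{sample[:48]:<50} accepted={is_valid_long_url(sample)}")
```

The validator deliberately stays offline; a production shortener would typically add checks this example cannot (resolving the host, confirming the target answers an HTTP request, and rate-limiting submissions per client), since a determined uploader can still split data across many short, well-formed-looking URLs. The caps here bound the cost of each submission rather than claiming to recognise every encoded payload.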
