Wednesday 22 February 2012

New Project - ShellCode Collection/Repository

So. After getting sick of having to search all the time for shellcode, I decided it would be a nice idea to just create a nice repo of shellcode so people can just svn up and have a searchable repo of organized shellcode.

Hence I started this project.

It is a slow thing to start, and I seriously need people to help me. I can add people as committers if they want to help out, and the idea is to collect a wide variety of shellcode for various OS/Architectures/systems and have it searchable.

I eventually hope to clean up existing shellcode and add a python script for searching the repo, compiling, objdumping and encoding the shellcode.

Anyways, without further ado..

Project Homepage: Insecurety Research - Shellcode Repository
GoogleCode Page: Shellcode Repository at Google Code

Tuesday 21 February 2012

Web Malware Collection - more Updates!

So, I have been grepping and searching through logs and google searches, hunting for malware to add. And oh lord, I am finding a LOT!

Lately I started hunting through pastebin for "more malware" and such, and am slowly amassing a fairly epic amount to sort. Also have to handle submissions, Honeypot logs, etc.

So, check out the project page! Web Malware Collection

Thursday 16 February 2012

Web Malware Collection Updated

Ok, quick post. The Web Malware Collection has had some updates done, and I am *Still* busy sorting samples to commit.

Currently it has 443 samples (according to this "find . -type f | wc -l" command)

Project Page: http://insecurety.net/projects/web-malware/
GoogleCode: http://code.google.com/p/web-malware-collection/

SVN repo is on googlecode so SVN up :D

Tuesday 14 February 2012

POST-it DoS

So. Got bored waiting for a lecturer who showed up late, and decided to add some shit to POST-it DoS while working on code for RailGun.

I added a massive list of Useragents (like 70k of em or something, it's big...), a randomize-useragent-from-list function, and a rather epic random junk generator for the POST data instead of using just a big load of X's.

So now it hits a bit harder (actual random junk) and may even defeat some failures of IDS/IPS... until the target box dies, that is.

It KIND OF implements a SlowLoris attack of kinds too, just to make it even more awesome.

Check it out here --> POST-it DoS and as always, use SVN to get it :)

Monday 13 February 2012

Insecurety Site Launched!

Good news! Our hosting came through so we migrated one of our sites to the new domain (and server) at insecurety.net - we own it for the next year, so I finally have a stable place to host downloads, projects, etc!

All projects will still be backed up to GoogleCode, but milestone releases will be available from insecurety.net as soon as we hit milestones :D

Tuesday 7 February 2012

HideMAC moved to GoogleCode!

HideMAC has been moved to GoogleCode!

Get it HERE... http://code.google.com/p/hidemac/

BTW, the bugs are being worked on...

Monday 6 February 2012

Denial of Service Attacks, Layer 7

This is a brief reposted post (one I wrote ages back) on how Layer 7, or "Application Layer" Denial of Service Attacks work.

Application Layer DoS attacks are a newer form of DoS attack. Rather than simply flooding/saturating the server's bandwidth, they attack a specific service, or application, running on the server. They often require far less bandwidth to accomplish, and are a far more "efficient" attack method. No massive botnets are required for an attacker to effectively take out the target service.

I first got interested in Layer 7 DoS after realizing that LOIC and such "packet flooders" were essentially next to useless. TCP flooding was bandwidth intensive and required either a horde of fools, a large botnet, or a fucking huge datapipe to accomplish (a few cheap VPS's, however, made the job easier...). Sure, you could use spoofing and such attacks to enhance your "firepower", but when up against *big* targets with fairly impressive filtering, you were essentially wasting resources.

For those of you unfamiliar with Layer 7 DoS attacks, have a read of this paper from OWASP - it was what gave me my head start in understanding it all.
Layer 7 DoS - OWASP

Now. Onward to the "attack techniques". The series I wrote on DoS attacks was all about explaining what attack methods are used where, and seeing as the only edits done in this repost were a quick spellcheck and this comment, I do not plan on editing very much else. Yes, I am lazy.

HTTP GET DoS / SlowLoris Attack.
Wikipedia on Slowloris
Original page explaining it

Now, first off, list of affected target webservers:

  • Apache 2.x 
  • Apache 1.x
  • dhttpd
  • GoAhead WebServer
  • WebSense "block pages" (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon's MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon's Motorola Set-Top Box (port 8082 and requires auth - unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (unconfirmed) 
All of these are (according to RSnake), affected by the SlowLoris technique.

How it works is simple: each connection sends the server an incomplete request and asks it to wait for the rest. The server, being nice, waits and keeps the connection open. Do this while simulating over9000 clients and the server keeps on waiting, being nice, until it has no connection slots left for anyone else. Server dies, pretty much.

Now, to the interesting part. Attack Tools.
Original Slow Loris
TOR Loris - SlowLoris w/ Multiple TOR Proxies
PyLoris - Python SlowLoris
In Development: FluxLoris (Rapid SOCKS switching SlowLoris implementation)

HTTP POST DoS Attack (SlowPost)
This one was inspired by the OWASP paper I referred to above, and we released a PoC tool to exploit the bug around Christmas 2010. I worked on developing the tool and learned a LOT. Basically you are uploading (POST-ing) data to the server and saying "Hey, you! I am on a laggy connection! Please wait!". The server waits... And waits... You keep the connection open.
You do this with a literal shitload of threads.

It requires bugger all bandwidth and has a very destructive effect, rendering most webservers 404-ed within a few minutes.

So, here was our initial PoC tool:
POST-it v1

We had a more "lethal" variant but it is lost long ago, maybe some day I will dig it up and re-implement it, but given current climate, no point.

Now, onward, there are far better attack tools!
SlowPost by NEC - This one is VERY nice. Uses proxy lists to anonymize the attack. Was written by the current maintainer of the "LOIC" package I believe.

OWASP HTTP POST DoS - This one is from OWASP, and seems to be more so for testing.

R U Dead Yet - This one is considered the "industry standard" for HTTP POST DoS attacks. It works. Most of the time. I know of some unusual errors it has thrown in the past, but it has TOR support.

And finally, the well known and loved TORSHAMMER. This one is incredibly effective, known to drop servers within minutes. Anecdotal evidence has it that one guy on a DSL line took out a bunch of Iranian government websites for a half hour a year or so ago, and then ate the Libyan .gov servers for second helpings! It works fairly reliably, and uses TOR.

There are a great deal of other attack tools out there exploiting these weaknesses, but the best bet (for now) to avoid the embarrassment of someone taking you down a peg with some of these is to use the NGINX platform for a webserver. It works fairly well and seems to just blatantly ignore these attacks.
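Both the Slowloris and the slow-POST sections above come down to the same thing on the server side: connections that stay open for ages with a request that never completes. The script below is an added example (not from the original post and not any of the tools linked here) showing what that looks like from the defender's seat: given a snapshot of open connections, it flags sources hoarding stalled requests and works out how much of the server's worker pool they are tying up. The connection records, the `min_age` / `threshold` tuning values and the `max_workers` figure are all constructed assumptions; in practice the snapshot would come from the server's status page or a proxy in front of it.

```python
"""Spot Slowloris / slow-POST style connection hoarding from a connection snapshot.

Added example (not part of the original post). The connection records are
constructed by hand; real ones would come from server status output.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str            # client address
    age_s: float        # seconds since the TCP connection was accepted
    header_done: bool   # has the request line plus all headers arrived?
    body_expected: int  # Content-Length the client announced (0 if none)
    body_received: int  # body bytes that have actually arrived so far


def is_stalled(c, min_age=30.0):
    """A connection is 'stalled' when it is old but its request is still incomplete.

    Slowloris keeps the headers from ever finishing; slow-POST finishes the
    headers, announces a big Content-Length and then dribbles the body in.
    Legitimate clients finish a request in well under min_age seconds
    (min_age is an assumed tuning value).
    """
    if c.age_s < min_age:
        return False
    if not c.header_done:
        return True
    return c.body_received < c.body_expected


def stalled_by_source(conns, min_age=30.0, threshold=20):
    """Map each source address to how many stalled connections it holds,
    keeping only sources at or above `threshold` (assumed tuning value)."""
    counts = defaultdict(int)
    for c in conns:
        if is_stalled(c, min_age):
            counts[c.src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def worker_pressure(conns, max_workers, min_age=30.0):
    """Fraction of the server's worker/connection slots tied up by stalled
    requests. As this nears 1.0 the server is waiting on nothing but
    attackers and new clients cannot get a slot, which is the whole attack."""
    stalled = sum(1 for c in conns if is_stalled(c, min_age))
    return stalled / max_workers


def sample_snapshot():
    """Constructed connection table (not real data): one source trickling
    headers on 40 sockets, one slow-POSTing on 8, plus ordinary traffic."""
    conns = []
    for i in range(40):                      # Slowloris pattern
        conns.append(Conn("203.0.113.7", 120.0 + i, False, 0, 0))
    for i in range(8):                       # slow-POST pattern
        conns.append(Conn("198.51.100.9", 90.0, True, 1_000_000, 512 + i))
    conns.append(Conn("192.0.2.10", 0.4, True, 0, 0))        # normal GET
    conns.append(Conn("192.0.2.11", 2.0, True, 2048, 2048))  # completed POST
    conns.append(Conn("192.0.2.12", 5.0, False, 0, 0))       # young, still sending headers
    return conns


if __name__ == "__main__":
    snap = sample_snapshot()
    print("offenders:", stalled_by_source(snap))
    print("worker slots held by stalled requests: %.0f%%"
          % (100 * worker_pressure(snap, 150)))
```

The count-per-source view catches a single box running one of the tools above; the worker-pressure view is the one that matters when the load is spread over proxies or TOR exits, since it shows how close the server is to having no slots left regardless of who holds them. The server-side knob that shrinks that window is the request read timeout (Apache's mod_reqtimeout `RequestReadTimeout`, nginx's `client_header_timeout` and `client_body_timeout`), which is a large part of why the post's NGINX recommendation holds up.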

Further Reading...
Testing Webservers for Slow HTTP Attacks
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.acunetix.com/blog/web-security-zone/articles/http-post-denial-service/
http://www.us-cert.gov/cas/tips/ST04-015.html
http://isc.sans.edu/diary.html?storyid=6601
http://www.funtoo.org/wiki/Slowloris_DOS_Mitigation_Guide
http://www.checkpoint.com/defense/advisories/public/announcement/071409-slowloris-dos-attack.html
http://www.bullten.com/what-is-slowiris-ddos-attack-and-how-to-mitigate-its-effect/

Wiley Less: It Is Back!!

Just a quick post. The WileyLess Project has returned... And has a blog/twitter of its own. Facebook app delayed.

I am working on the hosting/mirrors side of things, the .js and html is the other developer's problem!

Link: Wiley Less Blog

Coming Soon from the Wiley Less team: Interactive Periodic Table, and some kind of chemdraw app, or so I am told...

Friday 3 February 2012

HTTP Session Hijacking

So. We all know about the infamous FireSheep, which caused an EPIC shitstorm when it came out - and was subsequently abused by many a bored student to "Frape" people in lecture halls.

For those of you who have slept through the last year, here is a link to it...
Get FireSheep
Wikipedia: Firesheep
Firesheep on Linux

Now, onward! Firesheep only "Kind of" works on Linux, so we had to find other tools to do the same thing (session sidejacking without any ARP fuckery).
Also, installing FireSheep on Linux was such a total pain in the arse, even WITH instructions, that I soon got annoyed. I may write a .sh script to automate it all later, if I could be arsed.

However, fear not! Someone wrote something awesome! Hamster and Ferret!
Hamster and Ferret
It sets up a web proxy type thing and sniffs wireless. It works, most of the time.
It is also totally awesome!

Here is someone else's video on using it...

Now that is all pretty damn cool. But I found an even better tool yet on my travels...
SurfJack
Why is it better? 'cos it is written in python. That is why. And it is using SCAPY. I love SCAPY.
Check out their site here... Enable Security

There are, of course, a lot of nasty things one can do with session hijacking, and I planned a longer post on the topic but my fingers are tired.
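The reason every tool in this post works is that the session cookie travels in the clear, so anyone on the same wireless can copy it. From the site owner's side, the check worth doing is whether session cookies carry the `Secure` attribute (browser only sends them over HTTPS, so they never hit the sniffer) and `HttpOnly`. The script below is an added example (not from the original post, not from Firesheep/Hamster/SurfJack) that audits a set of response headers for exactly that; the sample headers are constructed and the `SESSION_HINTS` name list is an assumed heuristic for which cookies look like session tokens.

```python
"""Audit Set-Cookie headers for cookies a wireless sniffer could lift.

Added example (not part of the original post). The header samples are
constructed, and SESSION_HINTS is an assumed heuristic for cookie names
that look like session tokens.
"""

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attributes that are bare flags (Secure, HttpOnly) map to ""."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return (cookie_name, list_of_findings) for a single Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if not any(h in name.lower() for h in SESSION_HINTS):
        return name, findings   # does not look like a session token, ignore
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over plain HTTP, so it can be sniffed off the wire")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by page scripts")
    return name, findings


def audit_response(headers):
    """headers: list of (name, value) pairs as received from the server.
    Returns {cookie_name: [findings]} for every exposed session-like cookie."""
    report = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cname, findings = audit_set_cookie(hvalue)
        if findings:
            report[cname] = findings
    return report


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=deadbeef1234; Path=/"),                    # fully exposed
    ("Set-Cookie", "auth_token=abc123; Path=/; Secure; HttpOnly"),       # fine
    ("Set-Cookie", "lang=en; Path=/"),                                   # not a session cookie
    ("Set-Cookie", "sid=xyz; Path=/; HttpOnly"),                         # still sniffable
]

if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE_HEADERS).items():
        print(cookie)
        for problem in problems:
            print("  -", problem)
```

Run against a real site's login response, the two cookies it flags in the constructed sample (`PHPSESSID` and `sid`) are the kind that end up in a Hamster session list; `auth_token` would not, because the browser never sends it over the plaintext leg that the sniffer sees.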

Thursday 2 February 2012

New OS... BackBox

OK. Seeing as the installer for Xubuntu 10.04 crashed every time it got to "partition shit plz" I ended up with BackBox.

BackBox 2 is damn nice, XFCE interface... Lightweight... And does the job.

I will be later covering slight modifications I make to it.

Also, my keyboard is a bit fucked as I used it as an ashtray. Derp.

Wednesday 1 February 2012

Bricked!

Ok, so I did SOMETHING wrong with SVN and broke 2 of my SVN repos. I also seem to have broken several other things on my computer, so it's time for the infamous rm -rf and restart.

I will be documenting everything I change. I am starting with XUbuntu 10.04 and will be turning it into a bit of a pentesting distro. Compiling lots of shit from source, apt-getting lots of other shit, and generally fucking about until it works.

If you are looking for nice information on making your own PT distro, watch this space. I will be logging every last thing I do, from the MetaSploit Install to compiling nmap, and it may be interesting to some of you :)

Seeing as I focus a lot on Wireless and Web App testing you will see a lot of focus on those applications, and on making MSF work from source.

Hope you find it useful and interesting - I will be doing it all over the next few hours :D