Knowledge sharing event: Risk-based approaches to protecting your data – London, Tuesday 19th April
I would like to invite everyone to the knowledge sharing event which my company (7Safe) is arranging in London next week. It will be about risk-based approaches to protecting data. It is supposed to be a much bigger event (joint with Core Security Technologies), especially compared to the one we did last year. Interesting (and very much up-to-date!) topics and presentations, highly recommended to attend! As you may notice, I will also be presenting something there (presumably cool), but what is it...? For now it's a little secret. :-)
Time: Tuesday 19th April
Location:
Furniture Makers’ Hall, 12 Austin Friars, London, EC2N 2HE
(Nearest convenient tube: Bank, Moorgate, Liverpool Street)
More info:
Download the PDF with the invitation (as seen above) from here [invitation].
Please don't forget to confirm if you want to come: send the e-mail to pentestinfo(@)7safe.com /remove brackets of course/
C U there! :-)
A.
Training – Hacking and Securing Oracle Database (11g)
My company (7Safe) will be delivering a training at the upcoming Blackhat 2011 conference (Las Vegas). It will be about hacking and securing Oracle Database (11g), so it's highly recommended to be there! I took the liberty of preparing a small promotional video about it. So take a look and well... SEE YOU IN VEGAS! :-)
When:
- Weekend Training Session: July 30-31
- Weekday Training Session: August 1-2
Registration:
http://blackhat.com/...
More details:
7Safe together with Red-Database-Security will be delivering a two-day hands-on course at Blackhat 2011. The course will teach the audience about the security problems related to Oracle Database. The training covers a variety of security problems arising from flaws such as insecure design, insecure features/packages, insecure PL/SQL code, patch management, weak passwords etc. The second day will focus on securing and hardening databases using built-in Oracle features along with a number of externally available scripts and tools. Implementing auditing solutions will also be part of the training. The audience will have access to an infrastructure with a number of Oracle components deployed, and they will be encouraged to identify/exploit/patch security vulnerabilities as they learn about them. The training will give software developers an understanding of writing secure PL/SQL code, DBAs an understanding of thorough auditing of the database, and penetration testers an understanding of how to break the "unbreakable" Oracle.
Innocent comment regarding sensitive information disclosure…
I really don't know how to comment on this... This is what I found recently in my web server logs, in the "Referrers" table:
http://10.10.1.1/login?user=0045f2&password=806361&popup=false&dst=http://hcrservermirror.ecnex.com/hccrs/fitio/clogin.php?nasIp=10.10.1.1&nasId=fitio&loginIp=10.10.1.1:80&vlan=bridge1&macAddress=00:21:6B:15:E3:70&ipAddress=10.10.1.95&loginPort=&urlPostLogin=http://itsecuritylab.eu/index.php/2010/09/26/pentesting-privilege-escalation-in-web-applications/
So what can I find here? Oh God...
- URL to the Network provider: http://hcrservermirror.ecnex.com/hccrs/fitio/clogin.php
- Someone's internal IPs disclosed: 10.10.1.1, 10.10.1.95
- Login IP and port: 10.10.1.1:80
- MAC address: 00:21:6B:15:E3:70
- Someone's credentials: user=0045f2, password=806361
- NAS ID: fitio
- VLAN name: bridge1
What else do I already know (from geolocation info)?
- Connection from IP: 189.223.43.88.dsl.dyn.telnor.net
- Country : Mexico
- City : Tijuana
I will definitely try to mess with this VLAN next time I'm in Tijuana! One thing is clear: if next time I get something like this, I should not be surprised at all... ;-)
...http://besure.bank.com/login?user=crazyUser&password=Tijuana12345&popup=false&account=1652635-1232-12312&lastTransaction=moneyTransf&targetAccount=123123-0000-0734&success=true&vlan=bridge1...
I think you are already big boys and girls, so think twice about what sensitive information about you may leak out, and in what weird and unusual ways. Draw your own conclusions and well... Beware! ;-)
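A defender's counterpart to the discovery above, added here as an example (it is not part of the original post): a small Python scan over web-server log lines that flags Referer values carrying credential-like query parameters, private addresses or MAC addresses, which is exactly the kind of leak a captive-portal login URL produces. The combined log format and the sample lines are assumptions; the first sample Referer mirrors the shape of the portal URL above with made-up values.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string keys that should never travel in a URL (and so never in a Referer header).
SENSITIVE_KEYS = {"user", "username", "password", "passwd", "pwd", "token", "session", "sessionid"}
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
MAC_ADDR = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

# Constructed sample log (not real traffic): line 1 leaks via a portal-style Referer, line 2 is harmless.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2011:10:01:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "http://10.10.1.1/login?user=alice&password=s3cret&dst=http://portal.example/clogin.php?nasIp=10.10.1.1&macAddress=00:11:22:33:44:55&ipAddress=10.10.1.95&vlan=bridge1" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2011:10:02:15 +0100] "GET /about.htm HTTP/1.1" 200 1024 "http://www.example.com/search?q=tinyweb" "Mozilla/5.0"
"""

def audit_referer(url):
    """Return (kind, detail) findings for one referring URL; empty list if nothing sensitive."""
    findings = []
    # parse_qsl splits on '&', so parameters of a nested URL (dst=http://...?nasIp=...) are seen too
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(("credential", f"{key}={value}"))
    for ip in dict.fromkeys(PRIVATE_IP.findall(url)):   # dedupe, keep first-seen order
        findings.append(("private-ip", ip))
    for mac in dict.fromkeys(MAC_ADDR.findall(url)):
        findings.append(("mac", mac))
    return findings

def scan_log(text):
    """Return one record per log line whose Referer leaks something sensitive."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group(2) in ("", "-"):
            continue
        findings = audit_referer(m.group(2))
        if findings:
            hits.append({"client": m.group(1), "referer": m.group(2), "findings": findings})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], "leaked via Referer:", hit["findings"])
```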
TinyWeb: Pocket-size Portable Web Server With CGI And PHP Support (!)
You know, each of us has some tools we really like to use. Tools which are not "just good": we simply love them. They are nice-looking, reliable, and (this is especially important) simple and easy to use. One such little toy I use quite often in exploitation practice (and obviously, in many other weird experiments) is the freeware TinyWeb web server created by Maxim Masiutin from RitLabs. The server is extremely small (actually it's a single file only, about 60 KB). Despite that, this little creature serves HTML, executes CGI, supports SSL, writes logs, etc., etc. You may find the full list of features [here].
It's a really nice tool, and recently I had an opportunity to improve the TinyWeb server a little bit, so I want to share it with you. Obviously this is still not as full-featured a server as Wamp, but it is tiny, handy and can be a significant part of your "pocket hacking toolset". How to use it for your own benefit, I'll leave to you. :-)
So what functionality did I add?
- TinyWeb supports PHP (Yeeeeaa!). (Can you imagine a web server without PHP? I can't.) Surprisingly, the original version of the server had some difficulties running PHP. Now the source code is slightly changed, so everything works smoothly. Note: PHP runs as CGI.
- The server is 100% portable now! No need for installation or configuration: just copy it to any folder, make a single click and voila! Everything is configured and running immediately (yes, PHP is also configured automatically).
- PHP files may be placed in any folder inside \wwwroot (note that in the original TinyWeb server, CGI is handled only in the \wwwroot\cgi-bin folder).
Looks good? Oh, believe me, it is. Let's see what this little beast can do for us, but "first things first": see what you may download:
Download binaries:
- TinyWeb Portable - web server with PHP support (binaries only, most recent PHP is included, CGI demo included) - recommended for download (about 9 MB).
- TinyWeb Portable - web server with PHP support (binaries only, CGI demo included).
- TinyWeb Portable - web server with SSL support (binaries only, SSL fully configured, CGI demo included).
Download source code:
- TinyWeb Portable - web server source code (with my modifications needed to support PHP, also includes the source code for the "run_web_server.exe" utility).
- Run_web_server.exe (the utility, source code only).
- Original TinyWeb 1.93 source code (from RitLabs).
Note that the author (Maxim Masiutin) kindly published the source code of the standard TinyWeb server only (without SSL support), so this is the only version I have modified so far (hence the only one that supports PHP).
Running the little daemon
Ok, in our first example we will be using the version of the server with PHP support. Download it and unzip it to any folder on your PC (you already did it, yea?). Now run the file "run_web_server.exe". Important: you must run it as Administrator. The same application may be used for both versions of TinyWeb: with and without SSL support. Once you have it running, everything should be self-explanatory (not much to configure really):
If you are using the TinyWeb version with SSL, you will see the following info at the bottom:
Once the port is chosen, press the [RUN] button. Note that the LPORT field is now grayed out and the [RUN] button is also disabled. Our server is running!
Now you can close this application completely; the TinyWeb server will be happily running in the background. How to stop the server? Oh I don't know, try to guess... ;-)
Is it really working?
Ok, the server is running, now let's browse the structure of our folders:
wwwroot
|   index.htm
|   index.php
|   login.htm
|
\---cgi-bin
        login.exe
        shell.php
        test.cmd
        test.php
        test.pl
Those files will be available "on-line" under the following URLs:
http://localhost:81/index.htm
http://localhost:81/index.php
http://localhost:81/login.htm
http://localhost:81/cgi-bin/shell.php
http://localhost:81/cgi-bin/test.cmd
http://localhost:81/cgi-bin/test.php
http://localhost:81/cgi-bin/test.pl <-- to run this you must have Perl installed
Try opening them in your browser and see what happens. :-) Actually, any console program that uses stdin and stdout can easily be served by TinyWeb as CGI (which is really handy).
Imagine that you have the following batch file:
When you navigate to the URL http://localhost:81/cgi-bin/test.cmd, you will see something like this in your browser:
Nice, isn't it! :-)
Remember one important thing: PHP is supported in \wwwroot (and in any nested subfolder inside it). CGI is handled only in the \wwwroot\cgi-bin folder and its subfolders.
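To make the "any console program with stdin and stdout" point concrete, here is an added example (not code from the original post or from TinyWeb) of the CGI contract such a server relies on: the request arrives as environment variables plus the request body on stdin, and the reply goes to stdout as headers, a blank line, then the body. It HTML-escapes everything it echoes so a crafted query string is not reflected as markup; it assumes the server can launch the Python interpreter for a script dropped into cgi-bin, but the same logic applies in any language.

```python
import html
import os
import sys
from urllib.parse import parse_qsl

def build_response(environ, body):
    """Build a complete CGI reply (headers, blank line, HTML body) from the CGI
    environment and the raw request body. Every echoed value is HTML-escaped."""
    method = environ.get("REQUEST_METHOD", "GET")
    query = parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    form = []
    if method == "POST":   # form-encoded body parameters, decoded leniently
        form = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
    rows = "".join(f"<li>{html.escape(k)} = {html.escape(v)}</li>" for k, v in query + form)
    page = (f"<html><body><h1>{html.escape(method)} {html.escape(environ.get('SCRIPT_NAME', ''))}</h1>"
            f"<p>Client: {html.escape(environ.get('REMOTE_ADDR', '?'))}</p><ul>{rows}</ul></body></html>")
    # CGI headers end with a blank line; nosniff keeps the browser from second-guessing the type.
    headers = "Content-Type: text/html; charset=utf-8\r\nX-Content-Type-Options: nosniff\r\n\r\n"
    return headers + page

def read_body(stream, environ):
    """Read exactly CONTENT_LENGTH bytes of the request body (nothing if absent or malformed)."""
    try:
        n = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        n = 0
    return stream.read(n) if n > 0 else b""

if __name__ == "__main__":
    # Under a CGI server the environment and stdin are the request; stdout is the response.
    reply = build_response(os.environ, read_body(sys.stdin.buffer, os.environ))
    sys.stdout.buffer.write(reply.encode("utf-8"))   # binary write keeps the CRLF line endings intact
    sys.stdout.buffer.flush()
```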
Couple of words about TinyWeb with SSL support
This is the original version of the TinyWeb binary with SSL support, compiled by Maxim Masiutin. Unfortunately the source code is not available, so I cannot make the necessary modifications, hence PHP is not supported. Sad but true.
Anyway, you may download it from here, along with sample SSL certificates (and of course run_web_server.exe), in fully portable form. So again, nothing to configure. Just unzip and run!
Right ATM for Curious IT Guys
I am always saying: trust is the basis of any business, chaps. And especially in such a serious business as banking. But whether banks may (or should?) blindly trust all IT guys (who have their natural, childish "curiosity about everything") has never been such a serious question as after this year's Blackhat conference. Close your eyes and try to imagine: vacation, you, an ATM, a laptop and a screwdriver... And nobody around! Ach, dreams, dreams... ;)
But sometimes crazy-weirdo-bank-guys (yes, that's the right word) really provoke kinda "dirty IT thoughts". A friend of mine, Jerome666, recently sent me a picture taken during his recent vacation in Egypt. I was almost crying, and through the tears of happiness I was barely able to see the ATM, a UPS (?), a modem, some strange device (?) and even a Juniper firewall. All the infrastructure nicely and peacefully coexisting together. It's so nice, so... innocent and... so darn close - just raise your hand! :) Ok, let's cut the crap: see it for yourself:
I'll buy you a beer (or two) if you send me cool pics of ATMs similar to the one above. And an additional beer for whoever correctly identifies all the infrastructure in the picture! :)