Friday, February 8, 2008

Tools Part 1 - The Intercept Proxy

I was doing an inventory of all of the tools I currently have on my systems that are outside of a standard build (this is a business unit requirement for me) and man do I have a lot of stuff! So I decided (in addition to the suggestion from other readers) to include a list of all of the tools I currently use, where you can get them and what I think of them. This list will be specifically web application vulnerability related as that is really my forte and what I am most interested in currently. There may be a few network tools but they will in some way be related to web app security. And this will be a list not of commercially known tools but tools I have amassed from readings, industry events and searches. I will categorize them and dedicate whole postings to a single tool group as the list is long and the postings would be too large to search through. This may take a bit of time and if broken down a bit will be easier to manage for all of us. So here goes: we will start with Intercepting Proxies.

Intercept Proxies - An intercept proxy is a tool which combines a proxy server (the server in this case is the application, not a physical server) with a gateway. It sits between your browser and your internet connection. Connections made by client browsers are redirected through the proxy, with or without client-side configuration, allowing the request and the response to be altered in transit, usually in a way NOT intended by the developer or the protocol. This is by far the most valuable tool you will use in your web application vulnerability assessments/attacks. If you have never used this tool, imagine you have total control of time: the time between the submission from your browser to the receiving server, and from the receiving server back to your browser. This completely opens up the apps for intense inspection and manipulation. Here is my list of Intercept Proxies:
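To make the "total control of time" idea concrete, here is a small model of the request-side half of what every proxy listed below does: parse the browser's request, hand it to the operator, and re-encode it so the origin server still accepts it. This is example code written for this post, not code from any of the tools listed; the sample request and the hook are constructed.

```python
"""Request-side core of an intercepting proxy, reduced to three steps:
parse the raw request, let an operator hook edit it, re-serialize it.
The one detail people forget when editing by hand is Content-Length,
which must match the (possibly changed) body or the server rejects it."""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into an editable structure."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    length = int(headers.get("Content-Length", 0))
    return Request(method, target, version, headers, rest[:length])


def serialize(req: Request) -> bytes:
    """Re-encode the request, fixing Content-Length to the real body size."""
    if req.body or req.method in ("POST", "PUT"):
        req.headers["Content-Length"] = str(len(req.body))
    head = f"{req.method} {req.target} {req.version}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in req.headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + req.body


def intercept(raw: bytes, hook) -> bytes:
    """What the proxy does while the browser waits: parse, edit, forward."""
    req = parse_request(raw)
    hook(req)
    return serialize(req)


def example_hook(req: Request) -> None:
    """Constructed operator edit: rewrite a form field the page treated as
    fixed, and tag the request so the server log shows it was touched."""
    fields = dict(parse_qsl(req.body.decode()))
    fields["qty"] = "10"
    req.body = urlencode(fields).encode()
    req.headers["X-Intercepted"] = "yes"


# Constructed sample, as a browser might send it for a hidden-field form.
SAMPLE = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 13\r\n\r\nitem=42&qty=1")
```

The point for the application side is the mirror image: every byte of this request, hidden fields and Content-Length included, is under the client's control, so the server has to revalidate it all.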

1. Fiddler 2 - http://www.fiddler2.com/fiddler2/ - I found this one by accident in searching for an add-on to Internet Explorer as that is the only browser allowed in my professional environment. I use this one all the time as it requires no connection configuration, it is really easy to use and has a bunch of great add-ons. This is really a developer tool for web code debugging, as really they all are, but it works great as a tool of mischief, though only for Internet Explorer... It has some really good tutorials online as well.

2. Burp Suite 1.01 - http://www.portswigger.net/ - This is really the BEST of the best in its category. It was written by Dafydd Stuttard, the author of "The Web Application Hacker's Handbook - Discovering and Exploiting Security Flaws (ISBN 978-0-470-17077-9 Wiley)" which is the de facto standard in web app security exploits, so it makes sense that it would be a great tool. It is full featured but does require configuration (as do the rest of the tools listed) to be used properly.

3. Webscarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project - Taken from the OWASP site: "...WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab..." Enough said... it also has a good spider... this is a good one too!

4. Paros - www.parosproxy.org/ - I really like Paros because it has a great spider tool as well as the proxy. This spider is great for finding all directories/files on a web server, which in turn is great to use in combination with very specific Google search strings to find all kinds of data leakage. But always remember that spiders make noise, usually a lot of noise, so be careful who you unload it on as they will hear/see you, which is why Google is such a valuable tool, but that is for another posting altogether.

Summary:

These are the intercept proxies I use; there may be more out there, but these are the tools I know and use daily for fun and for security engagements.

SANS 504 - Follow Up


This is a follow-up post referring to the SANS 504 GCIH class I recently attended.


SANS 504 - If you are new to IS, specifically network security, then this class might be very good for you. Maybe I am biased because I am so immersed in this field currently that I hear the same "buzz" words over and over again (this class was simply more of that) but I will list what I did not like about the class:

1. The test LAN (network) was not set up until Friday evening so there was no way to really try the techniques that were presented aside from using your own machine and its Linux virtual machine. A step by step tutorial should have been used to explain the process of host/network discovery, probing for a vulnerable system/device and the corresponding techniques to fully compromise the box, going as far as executing a payload to DoS a system, enumerate a database or something along those lines. It was far too general and attempted to cover too broad a range of topics without really getting specific on any of them. Even when I questioned the instructor about this by saying "... now what...?" there was no further action taken aside from him saying "...well you can do anything now..." and of course my reply was "... like what...?" The example here was using a Metasploit 3 technique and I got inside and attached to a process using a known flaw in the Metasploit tool kit but they never took it to the final level by illustrating how you compromise the system by being able to hop around in processes. It doesn't make any sense to go all that way to stop before the entire reason for using the tool kit is realized. Fragmented at best. Anyway I asked this question because I knew his answer would be total crap like it was. If you have ever hacked anything before you must know that nothing is a success until you have gone all the way as each step presents new challenges and there just is not a "cookie-cutter" sure way to exploit a system, things change. I wanted him to show me exactly how to compromise MY system (which is what I was working on) not simply say, "... oh ya it is totally compromised now..."

2. The version of Linux (Red Hat) provided was terrible. I have distros that are far more advanced and more comprehensive in their design. This was a regular Red Hat with some additional network apps installed, the wi-fi didn't work and they even left the games on the OS, just lazy. It was no BT, that is for sure!

3. I was familiar with much of the course and therefore it presented a very limited amount of new information; in addition, many of the tools and topics were outdated by many years and many of the best tools (even listed in the texts) were not on the CD. It should have dealt in far more detail with more updated exploits. If your organization has vulnerabilities from years ago on your networks (that have available patches) you have a much bigger problem than just the exploits, you need to go and review your patch management standards and procedures. I would also like to mention that the texts themselves were no more than bound Power Point presentations of highlights... no comprehensive study material, so basically they are useless for any type of self study.

4. This one is questionable however; many of the people in my group were taking this class simply for the credits toward their CISSP requirements and it was clear that they had no idea what these topics were about and didn't really care as they were not taking the cert test anyway. I mention this because possibly these classes are more geared toward this type of student rather than one who is really looking for an extremely technical scenario. Or SANS is just in it for the $$ and could care less about their content or who is taking the class, and therefore diminishing the credibility of their certs. I know that now if I see a GCIH cert on someone's card or email, it holds much less value than before I took this class as they may not know much about ethical hacking at all.

5. Overall this was my first SANS training and I guess I expected a great deal more from the leading provider of information security training. I am not trying to "slam" SANS, but for the huge amount of money this costs and the length of the class (6 days) they really need to provide WAY more bang for the buck. They absolutely could have in my opinion. I really expected them to know more than I did about these topics and sadly that was not the case, and I do mean that sincerely. Even further the criteria for being an instructor of this or any SANS class is that you score above a 90% on the corresponding cert test, which is open book. So it is possible that an instructor really doesn't have extensive experience in the field, they just did well on the test and wanted to teach the class. I am not a master hacker by any means and I really thought this class would take me to the next level. It did not. I would say take this class for the cert (they are always valuable) and for a very generalized knowledge of network hacking exploits dating from about 10 years ago to near the present, however not anywhere near cutting edge. I hope this helps you in your decision to attend this class.