David Robert's -castlebbs- Blog

To content | To menu | To search

Wednesday 6 May 2009

Lotus Notes/Domino Security

From: http://www.securityfocus.com/archive/101/492134

Here's a list of useful resources on Lotus Domino/Notes security:

http://www.dominosecurity.org/
http://www.ngssoftware.com/papers/hpldws.pdf
http://www.fortconsult.net/images/pdf/lotusnotes_keyfiles.pdf
http://seclists.org/pen-test/2002/Nov/0034.html (all thread)
http://seclists.org/pen-test/2007/Jul/0111.html (all thread)
http://documents.iss.net/whitepapers/domino.pdf
http://www-128.ibm.com/developerworks/views/lotus/library.jsp
http://www-128.ibm.com/developerworks/lotus/security/
http://www.redbooks.ibm.com/redbooks/pdfs/sg247017.pdf
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg245341.pdf
http://www.nsftools.com/

Some testing tools:

http://packetstormsecurity.org/UNIX/scanners/DominoHunter-0.92.zip
http://packetstormsecurity.org/UNIX/scanners/domino.tar.gz
http://www.cqure.net/wp/?page_id=17
http://www.appsecinc.com/products/appdetective/domino/ (commercial!)
http://www.rapid7.com/nexpose/features.jsp (commercial!)
http://www.openwall.com/john
http://usuarios.lycos.es/reinob/
http://www.nestonline.com/lcrack/
http://www.securiteinfo.com/download/dhb.zip
http://www.cqure.net/wp/?page_id=12
http://www-128.ibm.com/developerworks/lotus/downloads/
Other commercial password crackers from Elcomsoft/Passware/etc.

And some exploits:

http://www.0xdeadbeef.info/exploits/raptor_dominohash
http://www.milw0rm.com/exploits/3602
http://www.milw0rm.com/exploits/3616
http://www.milw0rm.com/exploits/4207
http://www.milw0rm.com/exploits/4574

Monday 4 May 2009

Compliance automation

Saturday 19 April 2008

Are you linkedin ?

I subscribed to the professional network linkedin.com. It's the first time I register to this kind of website and I have to say that I found it useful for security professionals. First, you can get in touch with experts in Information Security by connecting to security groups or inviting friends of friends. I also like the questions and answers section. You can ask questions or participate to answers on high level security topics and since the people that answers the questions gets a note, often high quality answers are provided on very interesting IT Security topics.

Wednesday 16 May 2007

GNU httptunnel with CGI

I wrote this patch for GNU httptunnel 3.0.5. this adds the following functions:

  • HTTP Basic Authentication: Allows to authenticate against a firewall or a Web server
  • CGI options: For the client htc, a new option to enable the definition of a cgi-script URI. For the server hts enable the option not to send the HTTP return code (which must be sent only by the web server).

I wrote this initially to do a proof of concept in a penetration testing I did previously: if you can find a way to write to the cgi-bin folder of a vulnerable web server, you can then use this version of httptunnel to encapsulate any flows like the ssh protocol and rebound on other systems that can be accessed from the vulnerable webserver.

The server hts cannot be called directly by the web server because it must ensure input-outputs persistence. The idea is to use a small cgi which makes the interface between hts and the web server. I wrote a small script in python which makes this job but it is simple to do one in C:

#!/usr/bin/env python
# tun.py : cgi tunnel to httptunnel
# David ROBERT david@ombrepixel.com
import socket, string
import os, sys

# host where hts live
host="localhost"
# hts listen port
port=8888

stdin=sys.stdin
stdout=sys.stdout

def log(texte):
    f=open("/tmp/log","a")
    f.write(texte + "\n")
    f.close()

def processGet():
    # GET processing
    data = """GET /index.html HTTP/1.1
Host: %s
Connection: close""" % os.environ.get("HTTP_HOST")

    # Send headers
    for line in string.split(data,"\n"):
        sock.send(line+"\r\n")
    sock.send("\r\n")
    #log("Lignes envoyees")

    # Receive flow
    while 1:
        v=sock.recv(8192)
        if not v: break
        stdout.write(v)
        #log("recu : %s" % v)
        stdout.flush()

def processPost():
    # POST processing
    data = """POST /index.html HTTP/1.1
Host: %s
Content-Length: 102400
Connection: close""" % os.environ.get("HTTP_HOST")

    # Send headers
    for line in string.split(data,"\n"):
        sock.send(line+"\r\n")
    sock.send("\r\n")

    # Send flow
    while 1:
        v = stdin.read(1)       # Ecriture
        if len(v) == 0: break
        #log("lu : %s" % v)
        sock.send(v)

# __main__
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
if os.environ.get("REQUEST_METHOD") == "GET":
    processGet()
elif os.environ.get("REQUEST_METHOD") == "POST":
    processPost()
else:
    print "Boum"

# Fin
sock.close()
sys.exit(0)

How does it work ?
  • On the server, copy tun.py in the cgi-bin folder. Start hts in cgi mode (-C or --cgi), listen to port 8888 and forward connexions to local port ssh (22):
    • hts -C -F localhost:22 8888
  • On the client, start htc in cgi mode provinding URI to tun.py (-C URI or --cgi URI). In the following example webserver must be the name of the web server (IP address resolution must be possible). This name is also used in the HTTP headers sent by htc and makes it possible to select different virtual hosts.
    • htc -C "/cgi-bin/tun.py" -F 2222 webserver:80
  • If authentication (only HTTP Basic) is required to reach the cgi script, you can specify login:password on the htc command line:
    • htc -C "/cgi-bin/tun.py" -a david:noway -F 2222 webserver:80

Wednesday 9 May 2007

Metasploit self-training

If part of you job is about security or if this is a hobby, you probably heard about the metasploit project. This tool will help you during penetration testing, you can try known exploit and create your own tools.

There was an interesting threat on the pen-test mailing list in regard to resources freely available on the internet to learn how to use metaslpoit. Here is a sum-up of the links provided on the list:

  • Official documentation:
http://www.metasploit.com/framework/support/
  • User guide:
http://framework.metasploit.com/documents/users_guide.pdf
  • The metasploit book :
http://en.wikibooks.org/wiki/Metasploit/Contents
  • Article on Security Focus (maybe a little bit outdated) :
http://www.securityfocus.com/infocus/1789
  • Demos on milw0rm :
http://www.milw0rm.com
  • Flash tutorial:
http://www.irongeek.com/i.php?page=videos/metasploit1
  • A few videos :
http://www.computerdefense.org/?p=53

Thursday 3 May 2007

Penetration Testing Framework 0.4

J'invite les personnes qui ne connaissent pas le "Penetration Testing Framework" de Kev Orrey et Lee Lawson d'y jeter un oeil :

Version html :

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Version PDF :

http://www.vulnerabilityassessment.co.uk/PenetrationTest.zip

Source freemind :

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.mm

Ce "framework" peut être intéressant pour une personne désirant effectuer des tests de pénétration. Une description est inutile, allez-voir la version html.

Cette nouvelle version inclue entre autres les sections suivantes :

  • Pentest wireless
  • AS400
  • VOIP
  • Bluetooth
  • Cisco

Saturday 14 April 2007

net2acid

I wrote net2acid. The goal is to insert into snort ACID database IP packets matched and jumped by netfilter QUEUE target. Version 0.0

I think it has never been completed

Thursday 12 April 2007

reStructWeb

reStructWeb is a small piece of software written in Python language. I wrote it to manage my personal web site. The most important features that I wished when I decided to write it are :

  • To be able to simply modify my website online
  • Not to have to write my pages in html or xml
  • To create links between the pages very easily (like Wiki )
  • To integrate templates and css to separate the presentation from the contents
  • To be multi-lingual
  • To be powerful and light for my poor computer ( SiteAbout ).

I took as a starting point the the Wiki system to update my Web site. The pages are created in text format using thereStructuredText format. 

Continue reading...

Wednesday 11 April 2007

Search my imap folder

Some explanations

I wrote a small program in python that can query my advisories email folder. I wished to be able to have a advanced query language, independent from the IMAP4 language. This abstraction is also made to avoid the risks of IMAP commands injections and also to be able to query other subsystems than IMAP.

As I've set up the form on my website for my own use, I let other people benefit from it (even if their number is negligible: -)

More details

My program uses a lex and yacc python implementation : ply. the grammatical analyzer transforms my query into an Abstract Syntax Tree (AST). This tree is then transformed into an IMAP4 query string.

The grammar I have defined for the query language :

expression : expression AND term
| expression OR term
| term
term : NOT term
| QWORDS
| WORD
| LPAREN expression RPAREN

For more details, look at the source code.

Wednesday 21 March 2007

scapy vs hping3 : spectrographe de distribution ISN

scapy et hping3 sont des outils de manipulation de paquets réseau. Ce sont des couteaux suisses de la fabrication, de l'envoi et de la réception de paquets. M'intéressant particulièrement à Python, je me suis naturellement intéressé à scapy. Il existe d'autres outils et bibliothèques pour python (par exemple impaquet, pcapy). Le les présenterai dans d'autres billets. Hping3 est un autre outil très puissant intégrant un interpréteur tcl, je me suis donc intéressé à comparer ces deux produits. Ce billet présente mes débuts de comparaison et n'est pas fait pour être exhaustif sur le sujet. Il est juste là pour recueillir mes premières impressions

Pour commencer ma comparaison j'ai décidé d'écrire en Python/Scapy le programme isn-spectrogram écrit en tcl/hping3. La création de paquet, envoi et réception a été réécrite avec scapy, la fenêtre graphique réécrite avec Tkinter (isn-spectrogram utilisant Tk, le portage a été facile :-)). Ce programme analyse les numéros de séquence renvoyés par le destinataire lors de l'initialisation d'une connexion TCP. Ce programme dessine un spectrogramme qui représente la distribution des écarts de numéros de séquence renvoyés entre les différents paquets. Ces écarts correspondent à des incréments aléatoires et plus le spectre sera large, plus il sera difficile de déterminer les numéros de séquences.

Spectrogramme linux 2.4.27 :

linux.png

Spectrogramme d'un routeur Zyxel (!) :

Continue reading...

- page 2 of 3 -