Bearded – Security Automation Platform

Your website & network are Hackable


Bearded is an open source Security Automation platform. The platform allows Development, QA, and Security team members to perform automated web security scans with a set of tools, and re-execute those scans as needed. All tools can be executed in the cloud in docker containers. Bearded has a default web interface which integrates all core options and makes it possible to manage large pentests easily.

Bearded - Security Automation Platform

All tools can be executed in the cloud in a Docker container, Bearded has a faultless web interface which integrates all the core options and allows you manage large scale penetration tests easily.


Demo

The project is in pre-alpha though, so use at your own risk.

You can download Bearded here:

bearded-0.0.2.zip

Or read more here.


Tags: , , , , , ,

Posted in: Countermeasures, Security Software | Add a Comment

An Introduction To Web Application Security Systems

Find your website's Achilles' Heel


In the world of web application security systems, there exists a myriad of systems to protect public-facing services in any number of ways. They come packed with all the elements necessary to play an action-packed round of buzzword bingo, but they often overlap in some ways that may make them sometimes seem similar. After the second or third pitch of how each product delivers whatever acronym, it sometimes becomes difficult to ask yourself which one you need the most.

In the world of web application security systems, there exists a myriad of systems to protect public-facing services in any number of ways.

Well, quite frankly, you probably need all of them.

The potential for overlap can often cause pause for question: Why is one solution not the best fit for all problems? 

This sounds like an absurd question when phrased this way, but as is the case more often than not in IT, this very question is posed in one form or another from management to the security engineering team. In this article, we will provide a brief, high-level breakdown of what each type of web application security systems is, and why you likely need a mixture of all of them.

WAF – Web Application Firewall

In the Open Systems Interconnection, or OSI model, a network connection is abstracted into seven layers. A typical firewall may exist on layers 3 or 4, handling border routing or connection gatekeeping, but the most damaging attacks against web services are at the 7th layer, against the web application itself. This is where a Web Application Firewall (WAF) becomes a crucial asset.

Pros

  • Especially in situations where a web application cannot be subjected to a source code audit or other security methods (such as in cases of proprietary, closed-source applications like JIRA or Outlook 365), a WAF can help prevent common attack methods from being executed (like typical cross-site scripting or SQL injection vulnerabilities).
  • Typically adaptive, meaning that it is capable of reacting dynamically to an attack, rather than operating solely on strict thresholds (more usual of a typical firewall). This allows a WAF to apply heuristics to attacks that would otherwise normally escape detection.

Cons

  • A WAF is highly complex due to the incredibly dynamic nature of web application security. Both configuring and maintaining a WAF requires a very deep understanding of the web application being protected, as well as requiring a thorough grasp on common web vulnerabilities to be most effective.
  • A WAF is reactive rather than proactive, meaning it is acting only when triggered by an attack. If a web application is already vulnerable (such as having a 0-day in the code, something that should be discovered and fixed during a scan or source code audit), a WAF can do only so much to protect it – assuming it ‘knows’ how.

If you’re on Amazon they recently introduced their own WAF solution, there’s also NAXSI and the evergreen ModSecurity of course.

SCA – Source Code Audit

The oldest and most mature security methodology in this list, security source code audit remains a critical core component of a strong security posture to this day due to its invaluable benefits.  Code audit is part of a process known as “defensive programming,” where a software is designed to be resilient and resistant to invalid data or misuse of the software. Commonly, this named practice is applied to lower level languages that have far more restrictive bounds (e.g. strcpy in C), but web applications also have critical bounds that a SCA can detect (such as XSS and SQL injection vulnerabilities).

Pros

  • A source code audit, if executed effectively, will lead software developers and testing teams to discover bugs and, more importantly, vulnerabilities before they make it into production.
  • To reduce impact and delays on deliverables, source code audits can be done real-time during an agile development cycle, especially when using unit and integration testing. These tests can be leveraged for threshold testing, ensuring that data is properly within bounds, sanitized, and that errors are handled appropriately and not leaking information.

Cons

  • Source code audits can be done only against assets for which the code is available. Proprietary web applications where the code is closed-source cannot be subjected to the SCA process.
  • A source code audit requires deep familiarity with the code being audited in order to be as thorough as possible. This makes it difficult to properly and effectively apply the SCA process to even open-source projects (such as WordPress) where the code is written by a third party and thus not as familiar to the personnel doing the source code audit.
  • Source code audits are proactive rather than reactive, which while this sounds like a very desirable thing, it should not be relied upon as the only approach (as is usually the case). Code is infinitely complex, automation suites can only look for patterns (explicit or inferred), and human eyes are even more fallible.  With each additional line of code, the complexity increases and, thus, so, too, does the probability of a vulnerability going undetected (a statement deserving of its own eponymous law or adage).

There are various static analysis tools that can help you run code audits such as:

Brakeman – Static Analysis Rails Security Scanner
Codesake::Dawn – Static Code Analysis Security Scanner For Ruby
Graudit – Code Audit Tool Using Grep
Yasca – Multi-Language Static Analysis Toolset
RIPS – Static Source Code Analysis For PHP Vulnerabilities

And more..

Web Application Security Scanners/Web Vulnerability Scanners

A source code audit normally focuses only on the components of the whole application, applying methods of unit or integration testing that simulate certain conditions or data. However, much like how car manufacturers not only test the components but also the assembled car itself, web application security is no different. A thorough test must not only include the components, but the summation of the parts as a whole as well. A web security scanner does just this, emulating real-world traffic (specifically attacks) in order to find areas of weakness.

Pros

  • A scanner may be able to detect vulnerabilities that escape detection during the development phase, including passing a source code audit. This can happen where individual unit tests may not see error in the way functions or methods are executed, but the summation of these parts run together may yield a vulnerability – something that may be detectable only during a security scan of the web application in full working action.
  • Scanners are proactive and typically employed against code in development or staging environments (rather than in production, although it should be noted that scanning production is always a good idea regardless), which allows them to detect problems before they are discovered by users or, worse, by attackers.
  • Scanners are automated tools that can do the work of hundreds of QA testers in a matter of minutes or hours. Since humans are prone to error and often begin to slip up the more repetitious an action is, a scanner can precisely execute and repeat a test over and over without making a mistake.
  • Good web application security scanners apply heuristics to their scans and discoveries – such as digging deeper and attempting creative attacks upon finding a questionable but not exactly directly exploitable vulnerability – to find previously unknown attack vectors (sometimes called 0-day attacks) that could otherwise likely escape detection in all the other security methodologies mentioned in this article.

Cons

  • Scanners can be invasive, therefore one must be very familiar with the tool prior to running a scan in a live environment.
  • While scanners are proactive, they are also highly dependent upon pattern recognition of known attack vectors. As stated earlier, code is infinitely complex and, as such, vulnerabilities can escape the detection of a scanner (most notably uniquely exploited 0days).

IDP – Intrusion Detection and Prevention

Even with the most thorough and intensive source code audit, web vulnerability scan, and adaptive web application firewall, there still exists potential for a hacker to compromise a system.  As stated previously, humans are fallible and problems can still slip through.  If a web application or ancillary system (such as a database or key/value store) is connected to the Internet, directly or indirectly, one should assume it can be compromised, no matter what protections you put in place.  Intrusion detection and prevention exists to find and limit when this happens.

Pros

  • When tightly coupled with monitoring and off-machine logging in general, a well-configured IDP can provide immediate, deep insight into an intrusion that is being attempted or has successfully been committed. This allows a first-level response team to work far quicker in discovering and mitigating a threat before it becomes a more serious problem.
  • An IDP provides a thorough mechanism of proving compliance with various regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Not only are intrusion detection and prevention systems sometimes are a requirement in general (like with PCI DSS), but they act as an efficient tool during audits to demonstrate a strong security posture.

Cons

  • Much like web application firewalls, IDPs are highly complex and require finely-tuned configuration and testing in order to be effective. Too restrictive and you will end up ignoring your IDP due to all the false-positives; too permissive and you may end up missing an intrusion when it happens.
  • Also like web application firewalls, intrusion detection and prevention is mostly reactive rather than proactive, meaning it is acting only when triggered by an attack. If a web application is already vulnerable (such as having a 0-day in the code, something that should be discovered and fixed during a scan or source code audit), a properly configured IDP should notify the appropriate people immediately.  But even in doing so, once an attacker has gained access, a lot of damage – especially reputation – has likely already been done.

There are various options here too like:

Smooth-Sec – IDS/IPS (Intrusion Detection/Prevention System) In A Box
pytbull – Intrusion Detection/Prevention System (IDS/IPS) Testing Framework
Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

Summary of Web Application Security Systems

As demonstrated above, there is indeed some overlap between all these web application security solutions, so it is easy to see how one could think that not all are necessary. However, also as demonstrated above, there are many things that are highly unique to each solution. The overlap is also a good thing. A source code audit and web vulnerability scanner, for example, may both highlight similar potential problems, but they do so in largely different ways. What may be discoverable during an SCA may go undetected by a scanner, and vice versa.

The overlap, therefore, is actually a net gain in the end. Not only will each solution in combination provide many tangible benefits for the security posture of the web application, but they also act as a sort of check against each other to ensure that what goes missed in one solution may be detecting in another. Indeed, the most appropriate response is to, wherever possible, implement all of the aforementioned solutions, not just some.


Tags: , , , , , , , ,

Posted in: Advertorial, Countermeasures, Security Software | Add a Comment

IGHASHGPU – GPU Based Hash Cracking – SHA1, MD5 & MD4

Find your website's Achilles' Heel


IGHASHGPU is an efficient and comprehensive command line GPU based hash cracking program that enables you to retrieve SHA1, MD5 and MD4 hashes by utilising ATI and nVidia GPUs.

IGHASHGPU - GPU Based Hash Cracking - SHA1, MD5 & MD4

It even works with salted hashes making it useful for MS-SQL, Oracle 11g, NTLM passwords and others than use salts.

IGHASHGPU is meant to function with ATI RV 7X0 and 8X0 cards, as well as any nVidia CUDA video cards, providing a variable speed in accordance with the users GPU. The program also features a ‘-cpudontcare’ command that allows you to tell IGHASHGPU that it can use the maximum level of GPU, without any particular regard for CPU usage.

At the same time, you can set a temperature threshold for tracking your hardware (’-hm’), so you can make sure to desist any activity that causes your system to go over the permitted value (the default is 90 degrees Celsius).

It also has a feature that lets you set the block size so as to adjust the video response time and reduce any possible lags; if on the other hand, this is a characteristic that does not bother you in any particular way, you can input a higher value (as IGHASHGPU supports block sizes ranging between 16 and 23).

Hashes Supported for Cracking

As IGHASHGPU supports salted hashes it’s possible to use it for:

  • Plain MD4, MD5, SHA1.
  • NTLM
  • Domain Cached Credentials
  • Oracle 11g
  • MySQL5
  • MSSQL
  • vBulletin
  • Invision Power Board

Supported Cards/Requirements

  • Only currently supported ATI cards are:
    • HD RV7X0
    • RV830/870
    • 4550
    • 4670
    • 4830
    • 4730
    • 4770
    • 4850
    • 4870
    • 4890
    • 5750
    • 5770
    • 5850
    • 5870
  • Catalyst 9.9+ must be installed.
  • Only supported nVidia cards are the ones with CUDA support, i.e. G80+.
  • Systems with multiple GPUs supported.

Usage

You can download IGHASHGPU here:

ighashgpu_v0.80.16.1.zip

Or read more here.


Tags: , , , , , , , , ,

Posted in: Hacking Tools, Password Cracking | Add a Comment

PowerOPS – PowerShell Runspace Portable Post Exploitation Tool

Find your website's Achilles' Heel


PowerShell Runspace Portable Post Exploitation Tool aimed at making Penetration Testing with PowerShell “easier”. PowerOPS is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a powershell runspace environment (.NET). It intends to include multiple offensive PowerShell modules to make the process of Post Exploitation easier.

PowerOPS - PowerShell Runspace Portable Post Exploitation Tool

It tries to follow the KISS principle, being as simple as possible. The main goal is to make it easy to use PowerShell offensively and help to evade antivirus and other mitigations solutions. It does this by:

  1. Doesn’t rely on powershell.exe, it calls PowerShell directly through the .NET framework, which might help bypassing security controls like GPO, SRP and App Locker.
  2. The payloads are executed from memory and never touch disk, evading most antivirus engines.

Since PowerOPS offers basically an interactive PowerShell command prompt you are free to use the PowerShell tools included the way you want, and additionally execute any valid PowerShell command.

What’s Inside The Runspace

  • PowerShellMafia/Powersploit
    • Get-Keystrokes
    • Invoke-DllInjection
    • Invoke-Mimikatz
    • Invoke-NinjaCopy
    • Invoke-Shellcode
    • Invoke-ReflectivePEInjection
    • Invoke-TokenManipulation
    • Invoke-WMICommand
    • PowerUp
    • PowerView
  • Nishang
    • Get-Information
    • Get-PassHashes
    • Port-Scan
  • Auto-GPPPassword
  • PowerCat
  • Empire
    • Invoke-Psexec
    • Invoke-SSHCommand
  • mimikittenz
  • SMBAutoBrute
  • PowerUpSQL

Additionally you can run any valid PowerShell command.


Powershell functions within the Runspace are loaded in memory from Base64 Encoded Strings.

Usage

Just run the binary and type ‘show’ to list available modules.

You can download PowerOPS here:

PowerOPS-v1.0-beta.zip

Or read more here.


Tags: , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools, Windows Hacking | Add a Comment
Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities

Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities

Right now there’s a ton of people talking about the NSA Hack, the severity, the repercussions and the value of what has been leaked. It seems the 0-day exploits in the cache of stolen aren’t super recent ones, as it appears they are from 2013. But even so, some of them haven’t been patched as […]

Tags: , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools | Add a Comment
UFONet - Open Redirect DDoS Tool

UFONet – Open Redirect DDoS Tool

UFONet is an open redirect DDoS tool designed to launch attacks against a target, using insecure redirects in third party web applications, like a botnet. Obviously, only for testing purposes. The tool abuses OSI Layer 7-HTTP to create/manage ‘zombies’ and to conduct different attacks using; GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc. […]

Tags: , , , , , , , , , ,

Posted in: Hacking Tools, Web Hacking | Add a Comment
Pompem - Exploit & Vulnerability Finder

Pompem – Exploit & Vulnerability Finder

Pompem is an open source exploit & vulnerability finder tool, designed to automate the search for Exploits and Vulnerability in the most important databases. Developed in Python, has a system of advanced search, that help the work of pen-testers and ethical hackers. In the current version, it performs searches in PacketStorm security, CXSecurity, ZeroDay, Vulners, […]

Tags: , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools | Add a Comment
Bug Bounties Reaching $500,000 For iOS Exploits

Bug Bounties Reaching $500,000 For iOS Exploits

It seems this year bug bounties are getting really serious, especially on the secondary market involving exploit trading firms, not direct to the software producer or owner. $500,000 isn’t chump change and would be a good year for a small security team, especially living somewhere with a weaker currency. Even for a solo security researcher […]

Tags: , , , , , , , , , ,

Posted in: Apple, Exploits/Vulnerabilities | Add a Comment
CuckooDroid - Automated Android Malware Analysis

CuckooDroid – Automated Android Malware Analysis

CuckooDroid is an extension of Cuckoo Sandbox the Open Source software for automating analysis of suspicious files, for Android malware analysis. CuckooDroid brings to Cuckoo the capabilities of execution and analysis of android applications. CuckooDroid provides both static and dynamic APK inspection as well as evading certain VM-detection techniques, encryption key extraction, SSL inspection, API […]

Tags: , , , , , , , , ,

Posted in: Forensics, Malware | Add a Comment
Telegram Hacked - Possible Nation State Attack By Iran

Telegram Hack – Possible Nation State Attack By Iran

So there’s been a lot of news lately about the Telegram hack and how 15 million accounts were compromised, which is not technically true. There’s 2 vectors of attack at play here, both of which regard Iranian users, but are not connected (other than the attackers probably being the same group). So the two attacks […]

Tags: , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Privacy | Add a Comment