To help improve system configurations, iSEC is releasing the free software “SSLyze” tool. They have found this tool helpful for analyzing the configuration of SSL servers and for identifying misconfiguration such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.

SSLyze is a stand-alone python application that looks for classic SSL misconfiguration, while providing the advanced user with the opportunity to customize the application via a simple plugin interface.

Features

• Insecure renegotiation testing
• Scanning for weak strength ciphers
• Checking for SSLv2, SSLv3 and TLSv1 versions
• Server certificate information dump and basic validation
• Session resumption capabilities and actual resumption rate measurement
• Support for client certificate authentication
• Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help user’s identify server configurations vulnerable to THC’s recently released SSL DOS attack by checking the server’s support for client-initiated renegotiations. For more information on testing for client-initiated renegotiations, you can read here.

You can download sslyze here:

sslyze-0.3_src.zip

Or read more here.

This requires two important steps in order for the tool to traverse VLANs for unauthorized access. First, discovery of the correct 12 bit Voice VLAN ID (VVID) used by the IP Phones is required. VoIP Hopper supports multiple protocol discovery methods (CDP, DHCP, LLDP-MED, 802.1q ARP) for this important first step. Second, the tool creates a virtual VoIP ethernet interface on the OS. It then inserts a spoofed 4-byte 802.1q vlan header containing the 12 bit VVID into a spoofed DHCP request.

Once it receives an IP address in the VoIP VLAN subnet, all subsequent ethernet frames are “tagged” with the spoofed 802.1q header.

VoIP Hopper is a VLAN Hop test tool but also a tool to test VoIP infrastructure security.

New Features

• New “Assessment” mode: Interactive, menu driven command interface, improves ability to VLAN Hop in Pentesting when the security tester is working against an unknown network infrastructure
• New VLAN Discovery methods (802.1q ARP, LLDP-MED)
• LLDP-MED spoofing and sniffing support
• Can bypass VoIP VLAN subnets that have DHCP disabled, and spoof the IP address and MAC address of a phone by setting a static IP

You can download VoIP Hopper 2.01 here:

voiphopper-2.01.tar.gz

Or read more here.

It supports Nessus NASL plugins for vulnerability scanning – which makes it pretty useful. It also has both a GUI and command line version for scripting.

The following items can be scanned:

• Remote OS type and version detection,
• Standard port status and banner information,
• SNMP information,
• CGI vulnerability detection,
• IIS vulnerability detection,
• RPC vulnerability detection,
• SSL vulnerability detection,
• SQL-server,
• FTP-server,
• SMTP-server,
• POP3-server,
• NT-server weak user/password pairs authentication module,
• NT server NETBIOS information,
• Remote Register information, etc.

The results of the scan are saved in /log directory, and are title index_ip_address.htm (if you used the GUI) or ip_address if you used the command line option. These can be directly browsed by any normal Web Browser.

Basic user and password lists are supplied to carry out a basic attack on certain services, (above), if found enabled on the host.

You can download XScan v3.3 here:

X-Scan-v3.3-en.rar

Or read more here.

This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.

Usage

./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing flood DDoS vs. SSL-Exhaustion attack

A traditional flood DDoS attack cannot be mounted from a single DSL connection. This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link. Traditional DDoS attacks based on flooding are sub optimal: Servers are prepared to handle large amount of traffic and clients are constantly sending requests to the server even when not under attack.

The SSL-handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large amount of SSL Handshakes. The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for Whitehats

1. The average server can do 300 handshakes per second. This would require 10-25% of your laptops CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, … or the secure database port).

Counter measurements

No real solutions exists. The following steps can mitigate (but not solve) the problem:

1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator

Either of these countermeasures can be circumventing by modifying THC-SSL-DOS. A better solution is desireable. Somebody should fix this.

You can download THC-SSL-DOS here:

Windows: thc-ssl-dos-1.4-win-bin.zip
Linux: thc-ssl-dos-1.4.tar.gz

Or read more here.

Version 2.0 adds SYN scanning capabilities and much more:

• Added option -s for SYN scan.
• Scanning made faster thanks to SYN scan
• Added even more default ports
• Improved error handler for SYN scan
• Improved text output
• Fixed minor bugs

A new branch of the program has been created to support SYN scan. SYN scan was necessary because under some circumstances of heavy load, the TCP Connect scan can hang routers. SYN scan is multithreaded and uses the standard library pcap on Unix/Linux operating systems. Please be aware that SYN scan requires a higher level of authorization, if compared to connect sockets: in Unix/Linux pscan requires root privilege. In some operating systems, SYN scan is performed using connectionless “raw” sockets, therefore the usage of pscan is subject to possible restriction to the usage of raw sockets in such operating systems.

With SYN scan, option -w is not used because the program does not use connected sockets, so it doesn’t have to loop reading a socket until the timeout is reached. The receive function doesn’t have to poll over a number of sockets, but simply reads the packets passing through the network card, for all ports, and displays the message of “open port” when the packet coming from the remote IP contains the information that the remote port is open. For the same reason, options -a and -n are not used. The first one because packets sent to closed ports are simply not being replied to, so they cannot be counted; the second one because the function that reads packets is one, and performs this by reading packets from the network card, not from multiple sockets.

You can download Multi Threaded TCP Port Scanner v2.0 here:

threaded-syn-port-scanner-2.0.zip

Or read more here.

NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

NetworkMiner has, since the first release in 2007, become popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

It’s been a long time since we last mentioned NetworkMiner, it was back in 2008 – NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows.

Now there’s a new version!

New in v1.1

The new version supports features such as:

• Extraction of Google Analytics data
• Better parsing of SMB data
• Support for PPP frames
• Even more stable than the 1.0 release

You can download NetworkMiner v1.1 here:

NetworkMiner_1-1.zip

Or read more here.

Vulnerability Exploited

NFS before version 4 is reliant upon host trust relationships for authentication. The NFS server trusts any client machines to authenticate users and assign the same user IDs (UIDS) that the shared filesystem uses. This works in NIS, NIS+, and LDAP domains, for instance, but only if you know the client machine is not compromised, or faking its identity. This is because the only authentication in the NFS protocol is the passing of the UID and GID (group ID). There are a few things that can be done to enhance the security of NFS, but many of them are incomplete solutions, and even with them implemented, it could still be possible to circumvent the security measures.

Features

• Use filehandles from packet captures instead of asking mountd.
• Hide from sysadmins by immediately “unmounting” while retaining access
• Specify port/protocol for NFS or Mountd if you don’t have access to the portmapper

You can download NfSpy here:

NfSpy.zip

Or read more here.

This tool was originally written to demonstrate and exploit IE’s vulnerability to a specific “basicConstraints” man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes.

It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that you provide.

The three steps to get this running are:

• Download and run sslsniff-0.7.tar.gz
• Setup iptables
• Run arp-spoof

Changes in 0.7

• Fixed some networking shuffling bugs (thanks Daniel Roethlisberger)
• Added basic compatibility with BSD pf (thanks Daniel Roethlisberger)

You can download sslsniff v0.7 here:

sslsniff-0.7.tar.gz

Or read more here.

For the two people here who don’t know what this tool does, Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

And now, we’re happy to announce there’s a new version out and it’s available for download now!

New Features

• The ability to compare site maps
• Functions to help with testing access controls using your browser
• Support for preset request macros
• Session handling rules to help you work with difficult situations
• In-browser rendering of responses from all Burp tools
• Auto recognition and rendering of character sets
• Support for upstream SOCKS proxies
• Headless mode for unattended scripted usage
• Support for more types of redirection
• Support for NTLMv2 and IPv6
• Numerous enhancements to Burp’s extensibility
• Greater stability on OSX

You can download Burp Suite Free Edition v1.4 here:

burpsuite_v1.4.zip

Or read more here.

It’s kind of like Firesheep for android, but maybe a bit easier to use (and it works on WPA2!).

Do note that a rooted phone is required. Please note that if the webuser uses SSL this application won’t work This application due to its nature is very phone-dependent so please let the author know if it doesn’t work for you.

There’s a great video demo of it working here:

Supported services:

• FaceBook
• Twitter
• Youtube
• Amazon
• Nasza-Klasa

You can download FaceNiff here:

FaceNiff-1.9.4.apk

Or read more here.