Hackin9

InfoSec News

Greetings ISC Readers! Today I wanted to share a technique that I find quite useful when I fuzz TCP applications with scapy. Scapy is a Python module used for packet parsing and packet crafting. With scapy you can create just about any packet your heart desires, transmit it to a target, capture the response and respond again accordingly. It is an excellent tool to use for fuzzing network protocols. But it does require a bit of work when fuzzing TCP protocols, because you need to track the sequence and acknowledgement numbers yourself. There are countless examples of this on the internet, but let's look at it here briefly. To establish a three-way handshake you could do the following.
First you start Python, import scapy and craft your SYN packet.
# python
>>> from scapy.all import *
>>> tcp_syn = IP(src="192.168.1.1", dst="10.1.1.1")/TCP(dport=9000, flags="S", seq=10000)
Then we transmit our SYN packet and capture the SYN/ACK from the remote host.
>>> tcp_syn_ack = sr1(tcp_syn)   # sr1() sends at layer 3; srp1() expects an Ether frame
Now you can calculate the final ACK and transmit it.
>>> # our seq is the ack the server returned; we acknowledge the server's ISN (its seq) plus one
>>> tcp_ack = IP(src="192.168.1.1", dst="10.1.1.1")/TCP(dport=9000, flags="A", seq=tcp_syn_ack.ack, ack=tcp_syn_ack.seq+1)
>>> send(tcp_ack)   # a bare ACK draws no reply, so send() rather than sr1()
Then you can transmit your crafted packets to the remote listener, as long as you calculate and send the correct sequence numbers. There are a couple of downsides to this technique. First, you have to track the sequence and acknowledgement numbers yourself and increment them as you transmit data. Second, because these are crafted packets, the real TCP stack on your host will send RESETs in response to the replies it did not expect. You have to add some iptables rules to block these RESETs from the real TCP stack. There is another way to do this that can help with these problems.
If you just want to shoot your packets at a TCP target, tracking sequence and acknowledgement numbers isn't necessary. Instead you can use Python sockets to establish the connection, then convert the existing socket to a scapy stream. Once it is a scapy stream you can use all of the normal scapy methods to transmit crafted packets over the established socket. Using this method you don't have to track the TCP sequence numbers and can focus on creating and transmitting your fuzzing packets.
Here is an example. We start the same way, by importing scapy. Then we establish a normal Python socket connection like this:
>>> import socket
>>> from scapy.all import *
>>> mysocket = socket.socket()
>>> mysocket.connect(("10.1.1.1", 9000))
With one simple call to connect() the TCP handshake is completed. But this is just a normal Python socket object. To use it in scapy you need to create a StreamSocket() object that is based on the established socket. You can create a StreamSocket object like this:
>>> mystream = StreamSocket(mysocket)
The resulting mystream object is a scapy object that can be used to transmit crafted packets across the existing socket. The mystream object supports the same .recv(), .send(), .sr() and .sr1() methods, and even sniff(), that you have with other scapy sockets. Now all you have to do is craft a packet and send it to your target.
>>> ascapypacket = IP(dst="10.1.1.1")/TCP(dport=9000)/fuzz(Raw())
>>> # StreamSocket writes bytes(packet) verbatim, so the IP/TCP headers above travel as application data
>>> mystream.send(ascapypacket)   # returns the number of bytes written to the stream
1109
>>> mystream.send(ascapypacket)   # fuzz() draws a fresh random payload on every send
1091
That is all there is to it. I hope you find this technique as useful as I do for fuzzing TCP services. Do you have another technique or another way to apply this technique? Leave a comment.


Join me in San Antonio Texas November 27th for SANS504 Hacker Techniques, Exploits and Incident Response! Register Today!!
Mark Baggett
Twitter: @MarkBaggett

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
While Apple is moving to LTE with the iPhone 5, it's focused for now on North America and advanced Asian markets, leaving Europe's most important LTE bands behind.
 
The Thunderbolt interconnect technology could take a while to reach smartphones and tablets because of power consumption issues that need to be resolved, Intel executives said on Wednesday.
 
If the new iPhone 5 with LTE wireless sells as well as analysts predict, its impact on IT shops already wrestling with the Bring-Your-Own-Device trend could be dramatic.
 
Big Data is not a new phenomenon and has been around for many years, noted Jim Goodnight, CEO at SAS, who spoke recently at the SAS High Performance Analytics Conference in Hong Kong.
 
PHP 'header()' HTTP Header Injection Vulnerability
 
Siemens SIMATIC WinCC Multiple Security Vulnerabilities
 
If the PC industry can't come up with a better way to make the PC a part of our Internet-crazed lives, then it will continue down its current path to becoming a has-been in the high-tech world, says Intel CTO Justin Rattner.
 
For all the promise that big data holds, the fundamental challenge with collecting massive volumes of data from different sources is finding new business uses for it, according to several IT managers at Computerworld's BI & Analytics Perspectives event.
 

AT&T applies new tactics to advanced persistent threat protection
TechTarget
PHILADELPHIA – The term “advanced persistent threat” is often maligned by battle-weary enterprise infosec pros who believe it's overused, overhyped and too broadly applied. You will not be successful preventing all APT activity, but you can step up ...

 
Intel has ported Google's Android 4.1 OS, called Jelly Bean, to work on smartphones based on the low-power Atom chips code-named Medfield.
 
Apple's iPhone 5 has a larger screen than its predecessors and support for high-speed LTE wireless networks, the company said Wednesday at a launch event.
 
Apple CEO Tim Cook and other company executives today unveiled the iPhone 5, a faster, slimmer upgrade that for the first time in the five-year history of the smartphone, boasts a larger screen of 4 inches.
 
Microsoft updated its Visual Studio software Wednesday so that the IDE reflects many of the changes that challenge developers, including mobility and cloud computing.
 
 
A bill in Congress would require mobile phone makers, network providers and application developers to disclose to customers any monitoring software installed on their mobile devices.
 

With QR codes, even security pros play the fool
GCN.com
Maman made his finding in April at Infosec UK, Europe's largest information security conference. He created a small poster with the logo of a real security company and a two-dimensional Quick Response Code urging passersby to “just scan to win an iPad.

 
Microsoft formally rolls out new software development platform, along with enhancements
 
Join us for live coverage of the Apple announcement
 
The U.S. Department of Justice is recommending that AU Optronics, a Taiwanese maker of LCD panels, pay a $1 billion fine, and two former executives serve 10 years in prison, for the company's participation in a long-term price-fixing conspiracy.
 
Microsoft yesterday delivered two security updates that patched two vulnerabilities in Visual Studio Team Foundation Server and System Center Configuration Manager.
 
Intel will announce HTML5 programming tools with the aim of reducing application development costs and boosting revenue for developers, software chief Renee James said Wednesday.
 

Battle lines drawn in the war on Java
Java World
Two weeks ago the infosec community breathed a great sigh of relief when Oracle issued Java 7 Update 7. Although the next Java security patch wasn't scheduled until October, Oracle pushed the patch through to cover two security holes with widely ...

 
European institutions beefed up their cybersecurity by establishing a permanent Computer Emergency Response Team (CERT-EU).
 
Zendesk on Wednesday unveiled an extensively reworked version of its online help-desk software, in a bid to shove aside competition from the likes of Salesforce.com's Desk.com and Freshdesk.
 

Battle lines drawn in the war on Java
InfoWorld
Two weeks ago the InfoSec community breathed a great sigh of relief when Oracle issued Java 7 Update 7. Although the next Java security patch wasn't scheduled until October, Oracle pushed the patch through to cover two security holes with widely ...

 
The Chinese telecommunications giant wants to expand in a major way. To eliminate security concerns, Huawei is believed to have cooperated with UK government security agencies


 
[ MDVSA-2012:151 ] ghostscript
 
[SECURITY] [DSA 2546-1] freeradius security update
 
Apple will apparently call its new smartphone the "iPhone 5," validating pundits' expectations, according to the company's website.
 
After a one-year trial period, the CERT-EU has become a permanent institution. However, the emergency response team is currently only working during normal business hours


 
On one hand, the $8 MyScript Notes Mobile from Vision Objects is yet another of the growing number of iOS note taking apps. However, it attempts to separate itself from the pack by focusing on handwriting as its main--well, actually, it's only--form of input.
 
IBM is releasing a new version of its Connections enterprise social networking software, which companies use to give their employees social media capabilities adapted for workplace collaboration, such as employee profiles and blogging.
 
After previously stating that it would wait until around the official release of Windows 8 to update the Flash Player integrated into Internet Explorer 10, Microsoft has now said that it is working with Adobe to release an update sooner than expected


 
Multiple Products CVE-2012-3500 Temporary File Handling Security Vulnerability
 
PNP4Nagios 'process_perfdata.cfg' Information Disclosure Vulnerability
 
Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
 
Amazon Web Services has announced an online marketplace where users of its cloud computing services can sell their reserved server instances to other companies, the company said on Wednesday.
 
Dnsmasq Remote Denial of Service Vulnerability
 
Twitter Bootstrap, HTML5 Boilerplate, 52Framework, 320 and Up take sting out of building websites for both large and small screens
 
Adobe has released a security update for its ColdFusion rapid web application development software to close an important denial-of-service hole


 
The looming launch of a new iPhone may give the appearance of old times in tech. There's nothing like an upgrade frenzy with long lines. But nothing could be further from the truth.
 
The website of Domino's Pizza India was hacked, but customers' information was not compromised, the local franchisee Jubilant FoodWorks said on Wednesday.
 
Samsung Electronics said on Wednesday it broke ground in China on a NAND flash memory chip factory in which it will invest a total of $7 billion, its single largest investment in the country.
 
Many automated teller machines (ATMs) and point-of-sale (POS) terminals fail to properly generate random numbers that are required by the EMV protocol to securely authenticate transaction requests, according to a team of researchers from the University of Cambridge in the U.K.
 
The man responsible for Intel's mobile computing platforms says he is pushing the company's engineers to squeeze Intel's next-generation Haswell chip into laptops even thinner than those available today.
 
One thing's certain, analysts said today: Just hours from now, Apple will hit a home run when it unveils its next iPhone.
 
GoDaddy has issued a statement explaining that the recent outage suffered by the company was not due to a DDoS or a hacker attack, but was caused by a technical fault within the company's systems


 
For its September Patch Tuesday, Microsoft has released just two security bulletins which address important cross-site scripting (XSS) vulnerabilities in its software


 

Posted by InfoSec News on Sep 12

http://www.wired.com/gadgetlab/2012/09/cosmo-the-god-who-fell-to-earth/

By Mat Honan
Gadget Lab
Wired.com
September 11, 2012

Cosmo is huge — 6 foot 7 and 220 pounds the last time he was weighed, at
a detention facility in Long Beach, California on June 26. And yet he’s
getting bigger, because Cosmo — also known as Cosmo the God, the
social-engineering mastermind who weaseled his way past security systems
at Amazon, Apple, AT&T,...
 

Posted by InfoSec News on Sep 12

http://www.washingtonpost.com/world/national-security/security-lapses-at-nuclear-complex-identified-two-years-before-break-in/2012/09/11/7cd3d5fa-fc5e-11e1-a31e-804fccb658f9_story.html

By Dana Priest
The Washington Post
September 11, 2012

Nearly two years before peace activists broke into a U.S. nuclear
weapons facility in late July, government investigators warned in
classified reports of lax security at the complex where the nation’s...
 

Posted by InfoSec News on Sep 12

http://www.darkreading.com/security/security-management/240007115/security-skills-shortage-creates-opportunities-for-enterprises-professionals.html

By Tim Wilson
Dark Reading
Sep 11, 2012

PHILADELPHIA, PENN. -- (ISC)2 World Congress 2012 and ASIS International
2012 -- A growing shortage in security staffing and skills is creating a
seller's market for security professionals -- and could drive new
thinking in hiring, experts say.

Here...
 

Posted by InfoSec News on Sep 12

http://www.nextgov.com/cio-briefing/2012/09/godaddy-outage-briefly-took-down-fedbizopps-three-other-gsa-sites/58028/

By Joseph Marks
Nextgov
September 11, 2012

The hours long outage at GoDaddy.com Monday briefly took down four
General Services Administration websites, among them FedBizOpps.gov,
which posts information and specifications for billions of dollars in
federal contracting opportunities, a spokesman said.

GSA did not contract...
 

Posted by InfoSec News on Sep 12

http://www.miamiherald.com/2012/09/07/2990379/two-university-of-miami-hospital.html

By John Dorschner
MiamiHerald.com
09.07.12

Two University of Miami Hospital employees may have stolen and sold
information from thousands of patients who visited the facility over a
22-month period, the medical school announced late Friday afternoon.

A press release stated UM learned of the breach from Miami-Dade police
on July 18. “The two employees were...
 
Apparently, the passwords of WhatsApp users can easily be reconstructed, which would potentially allow attackers to take over accounts


 