Channel: Infobyte Security Research Labs

Canvas plugin - Demo


Collaborative Penetration Test and Vulnerability Management Platform






Faraday introduces a new concept - IPE (Integrated Penetration-Test Environment), a multiuser penetration test IDE designed for the distribution, indexation and analysis of the data generated during a security audit.
The main purpose of Faraday is to re-use the tools available in the community and take advantage of them in a multiuser way.
Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. It was developed with a specialized set of functionalities that help users improve their own work. Do you remember programming without an IDE? Well, Faraday does the same thing an IDE does for you when programming, but from the perspective of a penetration test.

More information: www.faradaysec.com

Finalists for Tech Trailblazers Awards!

Infobytesec 2nd Runners-Up for #Firestarter

Faraday Workshop! Thursday Feb 25th - 12 PM (EST)

Join us for the next Faraday workshop, Thursday Feb 25th - 12 PM (EST) 

During this workshop we will quickly go over how to get the corporate demo version up and running and then show the new features included in Faraday v1.0.16 

To register for the workshop, click here.

After the workshop, participants will receive the full corporate version to try out for thirty days.   

Questions? Comments? Get in Touch with us at communications@infobytesec.com. 

Faraday in Top 5 for Toolswatch's 2015 Top Security Tools

2015 Top Security Tools as Voted by ToolsWatch.org Readers and Faraday is in the Top 5, yay!


Full Article here: http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/

Make room for Faraday v1.0.17

The first of many releases in 2016, Faraday v1.0.17 (Community, Pro & Corp) introduces a new Maltego Plugin, support for Mint 17 and Kali Rolling, and several fixes including installation issues.

Changes:
  • New Maltego Plugin
  • Added support for Kali Rolling Edition
  • Added support for Mint 17
  • Added user notification when the current Workspace doesn't exist
  • Added removeBySeverity.py script - as its name describes, it removes all vulns with a specific severity value. It supports the following parameters:
    • -v extended output
    • -t dry-run, won't connect to DB
    • -s severity to filter by, required
    • -d workspace, required
python $FARADAY/helpers/removeBySeverity.py -d WORKSPACE_NAME -s SEVERITY -v 


Bug fixes:
  • Fixed pip bug on Debian
  • Fixed pip install bug
  • Additional dependency checks during installation
  • Warning about an upgrade to experimental during Debian installation
  • Fixed small bug in CSV importing
  • Fixed styles for Status Report
  • Fixed bug on Status Report filter after editing
  • Show all evidence files in Status Report
  • Fixed Arachni Plugin bugs

We hope you enjoy it, and let us know if you have any questions or comments.



Faraday Debuts in Black Hat Asia's Arsenal 2016

Faraday is coming to Black Hat Asia!


Infobyte is excited to announce that we will be presenting Faraday at Black Hat Asia 2016! Black Hat Asia is where the movers and shakers of the security industry for the Asia-Pacific region come to show off their latest work, and discuss recent developments in the IT sec industry. The conference will be held March 29th to April 1st at the Marina Bay Sands in Singapore. 



Among the many special events within the Black Hat Asia conference is the Arsenal showcase. Arsenal is an exhibition space for individuals and companies to present their latest open-source tools. 


Black Hat USA 2015


After having already presented Faraday at the Arsenals of Black Hat USA and Black Hat Europe, this will be Infobyte's first time showing Faraday at Black Hat Asia. The highly qualified Emilio Couto will be traveling from Japan to lead the Faraday presentation. For those of you who are not so familiar with the software, Faraday is an Integrated Multi-User Pentest Environment which helps teams collaborate more efficiently and better manage their vulns and reports. If you are not so familiar with Faraday this presentation will be a great introduction, and if you already are a pro you will be able to check out some new features of the latest version, including the new Maltego plugin.



Emilio will be presenting on April 1st in the Business Hall, Station 5 from 11:10 to 12:40.



If you are coming to the event, we definitely want to see you! We are happy to show you Faraday and answer any questions you might have. If you can't make it to our presentation but are going to be at the conference and still want to check out Faraday, send us an email at communications@infobytesec.com and we can arrange a time to meet.



We look forward to seeing everyone there.




Check out Faraday v1.0.18!

Today we are happy to announce that Faraday v1.0.18 (Community, Pro & Corp) is ready!

A short iteration, filled with small powerups - brand new CLI mode allows you to process reports in batch, new helpers and plugin fixes.

For our Pro and Corporate versions we added a set of exclusive improvements making the daily work easier.
We know that our users rely on a lot of different systems and solutions, and we want to integrate Faraday into that workflow. To that end, we added the ability to easily export data into a JIRA installation, allowing users to share findings between the security engineering, devops and development teams. To do this, we added a new layer between Faraday and the database, making our product more robust than ever. Expect a lot of new features in this direction in the near future!

Pro & Corp exclusive changes:

• Experimental JIRA integration
• Added Faraday Server, a proxy between CouchDB and Faraday
• Improved Executive Report generation process
• Extended user management features

Community, Pro & Corp changes:

• Added CLI mode - to process the XML output of an Nmap scan located in /tmp/nmap_scan.xml into the workspace named project_one, run the following command:
  python2 faraday.py --cli --workspace project_one --report /tmp/nmap_scan.xml
  Read more about it here.
• Now you can run as many Faraday instances as you like per host
• Added some new scripts and helpers

Community, Pro & Corp bug fixes:

• Included all fields when editing Web Vulnerabilities in bulk mode in our Web UI
• Fixed selection of Hosts and Services in both their lists in our Web UI
• Fixed Hosts and Services filters: when results were empty the loading icon was shown forever, now it works as expected
• Fixed bugs in Qualys, ZAP, Nikto, w3af and OpenVAS plugins:
  • ZAP: fixed for the newest report version and added Unicode support
  • Nikto: fixed for the newest report version, added more data import
  • Qualys: fixed for the newest report version, added more data import and Unicode support
  • ... and more!

We hope you enjoy it, and let us know if you have any questions or comments.

Faraday: continuous scanning [Spanish]

Introduction:

Running a security scan of your infrastructure, services or websites once a year or every 6 months is a big step towards securing your systems, but it is not enough.

On top of that, if the audit involves only one tool, the attack surface we cover can be very small.

The idea of this post is to explain how to use the Faraday platform to perform continuous scanning with as many of the supported audit tools as possible.

The goal is to run a weekly or event-driven scan of a set of targets with different tools and collect all the results in the same Faraday platform, in order to detect and mitigate new issues in your infrastructure.

Although manual audits are always necessary, since software still does not beat humans, continuous scanning with different tools can uncover more low-hanging fruit and improve security steadily over time.

Preparation:

The tools to be used are:

• w3af
• nmap
• nikto
• burp
• zap
• nessus
• openvas

Using a set of scripts together with the tools' APIs, we obtain the corresponding reports from a list of IPs/websites.

Each report is then copied to $HOME/.faraday/report/[workspace_name]

Faraday takes care of converting all the reports into valuable information to be interpreted and consumed by users.

Script:

The following script centralizes all the actions mentioned above.
./cscan.py # runs every script inside ./scripts/network/ and ./scripts/web/

./scripts/web # directory for web tools
./scripts/network # directory for network tools
./output # temporary directory where the reports are generated
./websites.txt # list of websites to scan
./ips.txt # list of IPs/networks to scan
./plugin # libraries or plugins needed by ./scripts/
./config.py # global configuration

The following is the nmap script
./scripts/network/nmap

#!/bin/bash
# $1: file with the target list, $2: output directory (with trailing slash)
NAME="nmap_$(date +%s).xml"

${CS_NMAP:=nmap} -iL "$1" -oX "$2$NAME"

Very simple: it takes two parameters, the first is the target list and the second is the output directory for the report. Scripts can be written in any language; the following are available:
./scripts/web/burp.sh
./scripts/web/zap.sh
./scripts/web/nikto.sh
./scripts/web/w3af.sh
./scripts/network
./scripts/network/nmap.sh
./scripts/network/openvas.sh
./scripts/network/nessus.sh

Before starting to use it, review ./config.py, since it contains system-specific settings that may differ on your system, such as tool paths, OpenVAS credentials, etc.

Demo:

Schedule:

The last step is to configure how often this tool will run.
This can be done simply with cron: every day at 00:00 we run the tool and move the reports to the "workspace_name" workspace:

# crontab -l

0 0 * * * bash /root/dev/cscan/cscan.py ; mv /root/dev/cscan/output/* /root/.faraday/report/workspace_name/

Another option is to set up these scripts with Jenkins, where we could trigger the scan on different events, for example scanning a specific website or IP every time a new merge happens.
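A Python driver in the spirit of the cscan.py layout above, added here as an example (it is not the cscan project's own code): it runs every executable under scripts/network/ against ips.txt and every executable under scripts/web/ against websites.txt with the same $1/$2 contract as the nmap script, then moves the reports into the workspace's report folder, which is what the mv in the cron line does. The stand-in scanner and the target list built in demo() are constructed so it runs without any real tool installed.

```python
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path


def runnable_scripts(scripts_dir):
    """Executable files under scripts_dir, in a stable order (one per tool)."""
    d = Path(scripts_dir)
    if not d.is_dir():
        return []
    return sorted(p for p in d.iterdir() if p.is_file() and os.access(p, os.X_OK))


def run_scanners(base_dir, timeout=3600):
    """Run scripts/network/* against ips.txt and scripts/web/* against websites.txt.

    Each script is called as  <script> <target list> <output dir>/  (the $1/$2
    convention of the nmap script; the trailing separator matters because that
    script writes to $2$NAME). Returns {script name: exit code, or None on
    timeout}; one failing or hanging tool does not stop the others.
    """
    base = Path(base_dir)
    output_dir = base / "output"
    output_dir.mkdir(exist_ok=True)
    plan = [
        (base / "scripts" / "network", base / "ips.txt"),
        (base / "scripts" / "web", base / "websites.txt"),
    ]
    results = {}
    for scripts_dir, targets in plan:
        if not targets.is_file() or targets.stat().st_size == 0:
            continue  # no targets of this kind, skip the whole category
        for script in runnable_scripts(scripts_dir):
            try:
                proc = subprocess.run(
                    [str(script), str(targets), str(output_dir) + os.sep],
                    capture_output=True, text=True, timeout=timeout, check=False,
                )
                results[script.name] = proc.returncode
            except subprocess.TimeoutExpired:
                results[script.name] = None
    return results


def collect_reports(base_dir, report_root, workspace):
    """Move every file from output/ into <report_root>/<workspace>/, the folder
    Faraday watches ($HOME/.faraday/report/<workspace> in the post).
    Returns the destination paths."""
    dest = Path(report_root) / workspace
    dest.mkdir(parents=True, exist_ok=True)
    moved = []
    for report in sorted((Path(base_dir) / "output").iterdir()):
        if report.is_file():
            target = dest / report.name
            shutil.move(str(report), str(target))
            moved.append(target)
    return moved


def demo():
    """Self-contained dry run: a constructed cscan tree with a stand-in nmap
    wrapper that copies the target list instead of scanning anything."""
    tmp = Path(tempfile.mkdtemp(prefix="cscan_demo_"))
    (tmp / "scripts" / "network").mkdir(parents=True)
    (tmp / "scripts" / "web").mkdir(parents=True)
    (tmp / "ips.txt").write_text("192.0.2.10\n192.0.2.11\n")  # constructed targets
    fake = tmp / "scripts" / "network" / "nmap.sh"
    fake.write_text(
        "#!/bin/sh\n"
        "# stand-in for the real wrapper: same $1/$2 contract, no scan\n"
        'NAME="nmap_$(date +%s).xml"\n'
        'cp "$1" "$2$NAME"\n'
    )
    fake.chmod(fake.stat().st_mode | stat.S_IXUSR)
    codes = run_scanners(tmp)
    moved = collect_reports(tmp, tmp / "faraday_report", "workspace_name")
    return codes, [p.name for p in moved]


if __name__ == "__main__":
    print(demo())
```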

Faraday Web UI:

Each time a report is imported, only the new information is added; using tags we can categorize the vulnerabilities where attention is needed:

1) The following image shows a first import of Nessus:

2) In the following image we tag the vulnerabilities as false positive and vulnerable:

3) In the following image we load a second Nessus report and see the new vulnerabilities:

This continuous procedure gives a global view of the infrastructure over time.

Tool:

The code can be found on GitHub:
http://github.com/infobyte/cscan

In the next Faraday iteration it will be distributed within the tool set, in the /scripts/cscan/ directory.

Install:

* For Burp it is necessary to include the bundled plugin/carbonator/carbonator.py, which has some modifications to adapt it to our implementation.

Some more requirements:

* pip install python-owasp-zap-v2 w3af-api-client

To-Do:

Add more tools, improve detection of their failures.

We look forward to your recommendations, questions, queries and pull requests!



New scripts in Faraday: cfdbToCsv.py - vulndbToCsv.py - getExploits.py (vFeed)

In Faraday version 1.0.18 we launched a new script to generate Faraday-compatible vulnerability databases based on open source projects. We also launched a new script that allows you to obtain exploits based on the CVEs added as references in vulnerabilities.

“cfdbToCsv.py” and “vulndbToCsv.py” do the same thing: they run a "git clone" of the project on GitHub (cfdb or vulndb) to download the database and then parse it to generate a CSV file. This file is needed afterwards: with the script [Faraday_Installation]/helpers/pushCwe.py you can load this database into CouchDB for Faraday.

The script “getExploits.py” is located in [Faraday_Installation]/bin/getExploits.py and allows you to get the URLs or paths of exploits based on the CVEs present in the references of the vulnerabilities. How is it able to do this? Using the DB of the “vFeed” project, which you must first download and copy to [Faraday_Installation]/data/

When the DB is ready, execute the command “fplugin -f getExploits.py” in your Faraday QT shell, and you get all the exploits you need!

We made the following video to show it in action:

And check the Faraday Wiki:
https://github.com/infobyte/faraday/wiki/Vulnerabilities-Database

Big thanks to these projects!
https://github.com/mubix/cfdb
https://github.com/vulndb/data
https://github.com/toolswatch/vFeed

What do you think about this new plugin?
We want to hear your comments!

Cheers!

New scripts in Faraday: cfdbToCsv.py - vulndbToCsv.py - getExploits.py (vFeed) [Spanish]

In Faraday version 1.0.18 we released new scripts to generate Faraday-compatible vulnerability databases based on several open source projects. We also released a new script that allows you to obtain exploits based on the CVEs added as references in vulnerabilities.

“cfdbToCsv.py” and “vulndbToCsv.py” do exactly the same thing: they run a "git clone" of the project on GitHub (cfdb or vulndb) to download the DB and then parse it to generate a CSV file. This file is what the script [Faraday_Instalacion]/helpers/pushCwe.py later needs to load it into CouchDB so it is ready to be used in Faraday.

As for the script “getExploits.py”, it is located in [Faraday_Instalacion]/bin/getExploits.py and, as mentioned earlier, it obtains the URLs or paths of exploits based on the CVEs present in the references of the vulnerabilities.
How is it able to do this? Using the DB of the vFeed project, which must first be downloaded and copied to [Faraday_Instalacion]/data/

Once the DB is ready, just run the command “fplugin -f getExploits.py” in the Faraday shell, in QT, and you will get those precious exploits.

For more information, watch this video:

And check the Faraday Wiki on GitHub...
https://github.com/infobyte/faraday/wiki/Vulnerabilities-Database

Thanks to the following projects!

https://github.com/mubix/cfdb
https://github.com/vulndb/data
https://github.com/toolswatch/vFeed

What do you think of these new scripts?
We look forward to your comments!

Cheers!

Faraday's BHAsia 2016 Review

A few days back we had the pleasure to be a part of Black Hat Asia 2016 in Singapore to complete the Faraday Trilogy @BH!

The event took place at the Marina Bay Sands over 4 days. The event included trainings, and both the content & presenters were really good, with a variety of topics covered (RF, Malware, Exploits, Drone, Car, etc!)

The organization itself was very good. The Arsenal station where Faraday was located on both days included everything that we could really ask for, and we had a lot of visitors from a wide range of businesses and industries interested in Faraday. Why?

Well, the fact that we were in the middle of the room surrounded by many tools that Faraday takes as input! This makes it easier to explain how Faraday aggregates many products into a place with multi-user capabilities to make the life of a pen-tester easier :)
(Emilio showing off Faraday a bit)
I managed to meet some great people and spend time exchanging ideas, comments and feedback; this is the beauty of the tools in the community, where everyone contributes & participates. Cheers to open source!
(Attendees in awe of the awesomeness of Faraday)

I firmly believe the IT Security landscape is moving rapidly, and BH is one of the places where you can quickly get a nice wide view of what's around these days.

To simplify, it's a great place to show the industry what's going on. See you next year!

- Graciously covered by Emilio Couto

(Attendees checking out stands)





INFOBYTE at OWASP LatamTour2016!

OWASP events always gather all the information security leaders and a worldwide audience interested in “what's next”.

The OWASP Latam Tour is a free event with the objective of raising awareness about application security in the Latin America region, so that people and organizations can make informed decisions about true application security risks.

Last OWASP Event, Patagonia, Argentina
Our Chief Technology Officer, Federico Kirschbaum, will be presenting "Ataques a serializaciones (JAVA/PHP)" - Attacks on serialization - next Friday, 22 April, 9 am at Universidad de la Marina Mercante, Hipólito Yrigoyen 2325, CABA. Registration is required to attend.

If you are going to be in Buenos Aires for the event, come on by!

Hope to see all the OWASPers there!

Prepare a warm welcome for Faraday v1.0.19

Faraday v1.0.19 (Community, Pro & Corp) is ready! More documentation, a new interface and plugin fixes are some of the improvements included in this version.

Continuing with our efforts to make Faraday accessible to everyone, we paused development and spent a few days improving our documentation, so feel free to take a look at it and let us know if you feel something is missing!

It shouldn't come as a surprise that our QT interface will be deprecated during 2016. As a first step towards its replacement we started building a brand new GTK3 interface! This new, modernized look for Faraday improves how you see and interact with the information. It also allows Mac users to finally use the desktop application smoothly and without complications.

At the moment, the GTK interface supports all of the most common operations in Faraday: you can create, change and delete workspaces, connect to CouchDB databases, and view and change plugin settings. Of course you also have tabs and notifications, just as before (only better).

But the best part is that this new GUI uses your zsh shell, which means you get to keep all your aliases, colors, zsh plugins and prompt. Working with Faraday GTK feels even more like working with your own terminal, plus all the added benefits you already use!

We are very excited to release this new interface, but we also know the importance of stability, which is why we decided to release it as experimental while keeping QT as our default interface. If you feel like trying the new GTK GUI, just install the dependencies and start up Faraday with the --gui=gtk flag, like this:
./faraday.py --gui=gtk

Pro & Corp changes:

• Changed the way in which Executive Reports are generated, adding a DOCX template. Read more about it in Faraday's wiki
  Preview of the default template

Community, Pro & Corp changes:

• Added GTK3 interface prototype - a brand new interface for you to enjoy!
• Improved the documentation
• Added plugin detection through report name - if you wish to force Faraday to process your report using a specific plugin, just rename it by adding _faraday_PLUGINNAME. For example, if you wish to use the Nmap plugin for the report some_report.xml, rename it to some_report_faraday_Nmap.xml. You can find a detailed list of all available plugins in our GitHub wiki.
• Added open services count to Hosts list in web UI - as some users suggested, when viewing the list of all Hosts in our web UI it was confusing not to know how many services each host had, so we added the number of services to that list.
• Improved zsh integration - this means that all plugins are now compatible with our zsh interface, including fplugin. Read more about Faraday plugins.

Community, Pro & Corp fixes:

• Fixed an error in wcscan script
• Fixed nikto plugin
• Fixed openvas plugin

We hope you enjoy it, and let us know if you have any questions or comments.

Faraday v1.0.20 is here!

A brand new Faraday version is ready! Faraday v1.0.20 (Community, Pro & Corp) is here, bringing more functionality to our GTK interface and other cool new features.

If you've been keeping up with Faraday, in our last release we published a new experimental GTK interface. In this iteration we added several missing features and fixed a lot of small bugs.

What you will probably notice most is our new conflict resolution dialog, which improves on our QT design and highlights the differences between the two conflicting objects, not to mention it requires one less click from you when fixing a conflict.
Conflict resolution dialog in Faraday's GTK interface
You will also notice that the status bar now displays relevant information about your workspace, so you know exactly where you stand regarding the number of hosts, services and vulnerabilities. Your workflow will also be improved by the new exit command support, which now behaves as you'd expect - if you exit from a tab inside Faraday, the tab will close.

Big new features are exciting, but bug fixes and small add-ons are important too. The terminal now features infinite scrolling and scroll bars, there are more descriptive labels, the sidebar is resizable and you can search for specific workspaces by name.

Our web UI wasn't left behind either, with fixes and improvements in the hosts and services views. Also, in this version we added the report import event to the command history, so it can be viewed in the dashboard. We believe this feature will enable you to keep track of all the movements in the workspace, so we hope you enjoy it!

Pro & Corp changes:

• Fixed a bug in report creation - removed relative paths in the generation script so it can be run from another directory

Community, Pro & Corp changes:

• Fixed bugs in plugins: Acunetix - Nmap - Nikto
• Removed description from Hosts list in web UI
• Fixed sort in Hosts list in web UI
• Fixed ports sorting in Host view in web UI
• Added search link for OS in Hosts list in web UI
• Removed description from Services list in web UI
• Added version to Services list in web UI
• Modified false values in Hosts list in web UI
• Added search links in Services list in web UI
• Added scrollbar in Gtk Terminal
• Added workspace status in Gtk interface
• Added conflict resolution support for the Gtk interface
• Added search entry for workspaces in Gtk
• Added support for 'exit' command inside Faraday's Gtk terminal
• Improved handling of uncaught exceptions in Gtk interface
• Improved text formatting in Gtk's log console
• Fixed several small bugs in Faraday GTK
• Added support for resizing the workspace bar
• Added a quote for imported reports in web UI
• Added support for a new type of report in Qualysguard plugin

We hope you enjoy it, and let us know if you have any questions or comments.



Infobyte in The Positive Hack Days, Moscow

New Faraday - Netsparker Partnership

Day after day we try to offer you more options and benefits to do your work more successfully. Here is another great tool that IT security specialists and ethical hackers can't ignore.

Welcome to Netsparker

Netsparker is the developer of the only desktop and cloud based false-positive-free web application security scanners. Netsparker hosts an advanced suite of scanning technologies that can probe deep into your web application, identifying security flaws that other products merely leave to chance.
For more information, please visit https://www.netsparker.com/

Exclusive Benefits

Faraday and Netsparker have gotten together to offer a 10% discount for customers who buy both products. This discount is also available for any users or companies already using one of the products who want to start using the other. For more information, ping us at sales@infobytesec.com

With Faraday and Netsparker, your toolkit is more and more effective!
Still haven't tried the latest version of Faraday? You can find out more here.

Grab your Faraday v1.0.21 today!

v1.0.21 (Community, Pro & Corp) is here, so get yours!

Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real time without the need for a single email. Developed with a specialized set of functionalities that help users improve their own work, its main purpose is to re-use the tools available in the community, taking advantage of them in a collaborative way! Check out the Faraday project on GitHub.

As we mentioned before, we're really excited about our new GTK interface! So this iteration was mostly about improving it and preparing the tool to deprecate the QT interface. Check out all the brand new features we prepared just for you!

Now you can view all your Hosts in the sidebar, each with its OS and number of vulnerabilities found. But that's not all - if you click one of the hosts, the Host detail window will be displayed, showing host data, with all of its Interfaces and Services listed in a tree structure along with all the vulnerabilities found in each of them. On the rightmost part of the window you'll have all the information about your selected objects, like ports and protocol for your Services or severity for your Vulnerabilities.

Hosts detail window

Say goodbye to manually copying your reports to the report folder and waiting for Faraday to detect the file. Just click the import report button in the top right corner of Faraday GTK, select a plugin to parse your report and then choose the report. As easy as that.

Import report button and dialog

Some actions take a while to load and that's part of handling great amounts of data; regardless, you should know what's happening backstage while the program is unresponsive. That's why we added a Loading dialog for some critical operations, like changing workspaces. Never again wonder what Faraday is doing!

Loading dialog

Pro & Corp changes:

• Fixed the title color for all vulns in the Executive Report - all vuln titles were painted as critical due to a problem with the template, but not anymore!

Community, Pro & Corp changes:

• Added Import Report dialog to Faraday GTK
• Added a 'Loading workspace...' dialog to Faraday GTK
• Added host sidebar to Faraday GTK
• Added host information dialog to Faraday GTK with the full data about a host, its interfaces, services and vulnerabilities
• Added support for running Faraday from other directories - supported in all interfaces
• Fixed log reappearing after being disabled if the user created a new tab
• Fixed bug regarding exception handling in Faraday GTK
• Faraday GTK now supports Ctrl+Shift+C / Ctrl+Shift+V to Copy/Paste
• Faraday will no longer crash if you suddenly lose the connection to your CouchDB

We hope you enjoy it, and let us know if you have any questions or comments.

Core Impact & Faraday - Exclusive Pack!

We want to offer you high quality security tools. With that in mind, we present a new exclusive pack where you can get Faraday and Core Impact (Core Security) together.

Detect, Prevent and Respond

Core Impact gives you visibility into the effectiveness of your endpoint defenses and reveals where your most pressing risks exist across your network.

Some features

Multi-vector testing capabilities across network, web, and mobile.
Test more common vulnerability exploits than the competition.
Controlled commercial-grade exploits using a simple interface.

Exclusive Pack

Faraday & Core Impact have gotten together to offer a 15% discount for customers who buy both products. With this pack, customers will receive two indispensable tools to manage vulnerabilities at a differential price.

Remember! This discount is also available for any users or companies already using one of the products who want to start using the other. Get your Exclusive Pack by getting in contact with our sales team: sales@infobytesec.com

Still haven't tried the latest version of Faraday? You can find out more here.

Evilgrade: Updating a backdoor never gets old

In case you haven't seen last month's advisories, multiple vulnerabilities were released regarding the safety of the update mechanisms of Original Equipment Manufacturers (OEM).

Most of the vulnerabilities described in those advisories were ported as modules to evilgrade, and additional modules for non-OEM software were included as well.

These vulnerabilities were made public by coresecurity and duo, affecting the following vendors:
Samsung, Lenovo, Intel, Acer, Dell, Hewlett Packard, Asus.

• Dell: One high-risk vulnerability involving lack of certificate best practices, known as eDellroot.
• Hewlett Packard: Two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
• Asus: One high-risk vulnerability that allows for arbitrary code execution, as well as one medium severity local privilege escalation.
• Acer: Two high-risk vulnerabilities that allow for arbitrary code execution.
• Lenovo: One high-risk vulnerability that allows for arbitrary code execution.

From coresecurity's advisories:
• Samsung: Samsung SW Update Tool is prone to a Man in The Middle attack which could result in integrity corruption of the transferred data, information leak and consequently code execution.
• Lenovo: Lenovo SHAREit for Windows and Android are prone to multiple vulnerabilities which could result in integrity corruption, information leak and security bypasses.
• Intel: Intel Driver Update Utility is prone to a Man in The Middle attack which could result in integrity corruption of the transferred data, information leak and consequently code execution.

Non-OEM additional modules:
• KeePass: KeePass, in all versions up to the current 2.33, uses unencrypted HTTP requests to check for new software versions. An attacker can abuse this automatic update check – if enabled – to “release” a new version and redirect the user to a malicious download page.
• OpenBazaar: A man in the middle could intercept the update request and reply with a fake JSON response, forcing the Electron updater to download a custom payload and, on platforms where code signing is not enforced by settings, this could lead to remote code execution.
• Sparkle: All applications that use the Sparkle Updater framework and connect over HTTP instead of a secure HTTPS connection are vulnerable. On a side note, a few years ago we reported a prior vulnerability in Sparkle, for an example application like Adium. Although the way updates are handled was modified, the AppCast, the RSS feed that hosts information about software updates and more, is prone to MITM attacks, resulting in the insertion of modified HTML and JavaScript code into a WebView component that is finally displayed to the user. From there, there are interesting things you can do, and one of them was applied to the new Sparkle module.
• TimeDoctor: The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without the use of SSL, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted file.
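A defender-side check that follows from the Sparkle bullet above, added here as an example (it is not part of the original post or of evilgrade): it parses an appcast and flags every update entry whose enclosure or release-notes link is served over plain HTTP, or whose enclosure carries neither a sparkle:dsaSignature (Sparkle 1.x) nor a sparkle:edSignature (Sparkle 2) attribute. The sample appcast is constructed; the feed URL configured in the app's Info.plist lives outside the appcast and is not checked here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed appcast: item 1 has the risky shape described in the post (plain HTTP,
# no signature); item 2 is what a hardened feed entry looks like.
SAMPLE_APPCAST = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example App updates</title>
    <item>
      <title>App 1.1</title>
      <sparkle:releaseNotesLink>http://updates.example.invalid/notes-1.1.html</sparkle:releaseNotesLink>
      <enclosure url="http://updates.example.invalid/App-1.1.zip"
                 sparkle:version="110" length="1024" type="application/octet-stream"/>
    </item>
    <item>
      <title>App 1.2</title>
      <sparkle:releaseNotesLink>https://updates.example.invalid/notes-1.2.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.invalid/App-1.2.zip"
                 sparkle:version="120" length="2048" type="application/octet-stream"
                 sparkle:edSignature="PLACEHOLDER_BASE64_SIGNATURE"/>
    </item>
  </channel>
</rss>
"""


def _ns(name):
    """Clark-notation name for an element or attribute in the sparkle namespace."""
    return "{%s}%s" % (SPARKLE_NS, name)


def audit_appcast(xml_text):
    """Return (item title, finding) pairs for every update entry that a network
    attacker could alter: enclosure or release notes not fetched over HTTPS, or an
    enclosure with no Sparkle signature to verify the download against."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "<untitled>").strip()
        enclosure = item.find("enclosure")
        if enclosure is None:
            continue  # informational item, nothing gets downloaded
        url = enclosure.get("url", "")
        if urlparse(url).scheme != "https":
            findings.append((title, "enclosure not fetched over HTTPS: " + url))
        if not (enclosure.get(_ns("dsaSignature")) or enclosure.get(_ns("edSignature"))):
            findings.append((title, "enclosure carries no Sparkle signature"))
        # Release notes are rendered in a WebView, so an HTTP link is injectable HTML/JS.
        notes = (item.findtext(_ns("releaseNotesLink")) or "").strip()
        if notes and urlparse(notes).scheme != "https":
            findings.append((title, "release notes rendered in a WebView over plain HTTP: " + notes))
    return findings


def is_clean(xml_text):
    """True when the feed produces no findings."""
    return not audit_appcast(xml_text)


if __name__ == "__main__":
    for title, problem in audit_appcast(SAMPLE_APPCAST):
        print("%s: %s" % (title, problem))
```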


Evilgrade's latest release (2.0.8 at this moment) includes all the necessary modules to exploit the mentioned updaters, including one that, as far as we know, hasn't been published explicitly yet and has no CVE, but was mentioned in a blog post last year: it exploits a firmware update on Lenovo's mobile devices.

Moreover, there have been fixes and upgrades to the usage of evilgrade, briefly described below:

• A bug in the current version of ReadLine::Gnu that was affecting mostly Kali users was fixed on our side.
• Extended filtering of requests via user agent was added. An example module can be found here. By setting useragent to true, this allows us to trigger an action when the regular expression fields inside the request (req and useragent) match the current request. This also grants us the opportunity to filter a request only by the User-Agent header, as seen in the sparkle2 module, where the req field accepts all incoming requests (“.*”) if and only if the useragent matches “Sparkle”.
• Two new configuration variables, <%URL_FILE%> and <%URL_FILE_EXT%>, were added to provide a more realistic approach. An example module can be found here. These variables can be used to hand the victim a file with the same name that was requested, for example. In the asus module scenario, the updater requests an .ide file, for example MODEL_A123.ide, that is not human-readable, but it also has the possibility to request .idx files, which are in plaintext. The variables are used to make the updater believe it is asking for the same file but with a different extension.
• Optimization on matching requests: when a module answers a request, the lookup on the following modules stops. This enables evilgrade to serve responses much faster, and encourages users to develop modules that match accordingly.

We hope you enjoy it, and let us know if you have any questions or comments.
https://github.com/infobyte/evilgrade
