sobek-hids: Host Monitoring System
Sat, 20 Jun 2009

I've just created a Google Code project with some code I wrote some time ago. Sobek-Hids is a Python-based host IDS capable of monitoring:

  • Registry Changes
  • File Activity
  • Process Creation
  • Printing Jobs
  • External Drives (USB Disk Plugs)
  • Shared Resources
  • Windows Accounts
  • Logon
  • Firewall Changes

    I hope I will have the time to continue improving these scripts.

    You can find it at sobek-hids

    posted at: 20:30 | path: /General | permanent link to this entry | 0 comments |



    Snort: Rule to detect Modbus device fingerprinting
    Tue, 21 Apr 2009

    I've just published a Snort rule to detect SCADA Modbus device fingerprinting tools like modscan:

    alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; sid:2009286; rev:1;)

    You can find it at Emerging Threats
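    Added example, not the published rule or any Emerging Threats code: the rule's content match and its threshold logic redone in Python over constructed Modbus/TCP payloads, so you can see what the six content bytes mean and when the per-source threshold fires. Source addresses, timestamps and payloads are all constructed.

```python
import struct
from collections import defaultdict

# MBAP header = transaction id, protocol id, length (three big-endian 16-bit fields).
# The rule's |00 00 00 00 00 02| with depth:6 is tid 0, pid 0, length 2: only a
# unit id and a function code follow, i.e. a request with no data field.
MBAP = struct.Struct(">HHH")
PROBE_PREFIX = b"\x00\x00\x00\x00\x00\x02"

def parse_mbap(payload):           # -> (tid, pid, length, unit, func) or None
    if len(payload) < 8:
        return None
    tid, pid, length = MBAP.unpack_from(payload, 0)
    return tid, pid, length, payload[6], payload[7]

def is_probe(payload):             # same test as the rule's content match on 6 bytes
    return payload[:6] == PROBE_PREFIX

class ModbusScanDetector:
    """Mimics 'threshold: type both, track by_src, count 100, seconds 10':
    one alert per source per 10 s window, once 100 probes have been seen."""
    def __init__(self, count=100, seconds=10):
        self.count, self.seconds = count, seconds
        self.win = defaultdict(lambda: [None, 0, False])  # src -> [start, n, fired]

    def feed(self, src, dport, ts, payload):
        if dport != 502 or not is_probe(payload):         # 'any any -> any 502'
            return False
        w = self.win[src]
        if w[0] is None or ts - w[0] >= self.seconds:     # start a new window
            w[:] = [ts, 0, False]
        w[1] += 1
        if w[1] >= self.count and not w[2]:
            w[2] = True
            return True
        return False

PROBE = PROBE_PREFIX + b"\x01\x11"     # unit 1, function 0x11 (Report Slave ID), no data
READ_COILS = b"\x00\x01\x00\x00\x00\x06\x01\x01\x00\x00\x00\x08"   # normal poll request

def run_sample():
    """Constructed traffic: a scanner and a polling client. Returns alerts raised."""
    det, alerts = ModbusScanDetector(), 0
    for i in range(150):                                  # 150 probes within 7.5 s
        alerts += det.feed("10.0.0.5", 502, i * 0.05, PROBE)
    for i in range(50):                                   # legitimate polling
        alerts += det.feed("10.0.0.9", 502, i * 0.2, READ_COILS)
    for i in range(100):                                  # same scanner, 12 s later
        alerts += det.feed("10.0.0.5", 502, 12 + i * 0.05, PROBE)
    return alerts
```

    The first burst alerts once at the 100th probe, the polling client never does, and the second burst opens a new 10 s window and alerts again, so run_sample() returns 2.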

    posted at: 15:55 | path: /Scada Security | permanent link to this entry | 0 comments |



    Ntop: Testing l7-filter protocol detection patterns
    Sun, 12 Apr 2009

    I've written a little script to quickly test the l7-filter protocol patterns used by ntop to detect protocol usage.

    You have to install scapy. I've included some patterns from Ntop; put your own in the l7-patterns directory.

    You can read a pcap or capture from an interface.

    Examples:

    root@ubuntu:~/panalyzer# python l7Match.py -f http1.pcap
    http
    74.125.43.83 -> 192.168.1.131
    
    root@ubuntu:~/proyectos/panalyzer# python l7Match.py -i eth0
    ssl
    88.221.225.51 -> 192.168.1.128
    ssl
    192.168.1.128 -> 88.221.225.51
    ssl
    88.221.225.51 -> 192.168.1.128
    ssl
    192.168.1.128 -> 88.221.225.51
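    Added example, not the l7Match.py script from the post: a small matcher for .pat files in l7-filter's layout, run over constructed packets so you can see why only the server side of an HTTP flow is reported (the pattern needs a response or a POST) and why reassembly across packets matters. The http regex is adapted from l7-filter's http.pat; the ssl pattern and the 2048-byte inspection limit are assumptions made here for brevity.

```python
import re
from collections import defaultdict

# Constructed .pat files in l7-filter's layout: '#' lines are comments, the first
# other line is the protocol name and the second is the regular expression.
# HTTP_REGEX is adapted from l7-filter's http.pat; the ssl pattern is a simplified
# one (start of a TLS/SSLv3 record), not l7-filter's real ssl.pat.
HTTP_REGEX = (r"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*"
              r"(connection:|content-type:|content-length:|date:)|"
              r"post [\x09-\x0d -~]* http/[01]\.[019]")
PAT_FILES = {
    "http.pat": "# HTTP - HyperText Transfer Protocol\nhttp\n" + HTTP_REGEX + "\n",
    "ssl.pat": "# SSL/TLS - simplified handshake record check\nssl\n^.?.?\\x16\\x03\n",
}
MAX_DATA = 2048   # assumed: only the start of each flow is inspected, as l7-filter does

def load_pattern(text):
    """Parse one .pat file; patterns are applied case-insensitively to raw bytes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    name, regex = lines[0], lines[1]
    return name, re.compile(regex.encode("latin-1"), re.IGNORECASE | re.DOTALL)

PATTERNS = [load_pattern(text) for text in PAT_FILES.values()]

def classify(data):
    """Name of the first protocol whose pattern matches the flow data, else None."""
    for name, rx in PATTERNS:
        if rx.search(data[:MAX_DATA]):
            return name
    return None

def classify_flows(packets):
    """packets: (src, dst, payload) in capture order. Each direction is reported
    separately, like the l7Match output above, and payload is reassembled until
    a pattern matches."""
    flows, result = defaultdict(bytes), {}
    for src, dst, data in packets:
        key = (src, dst)
        if key in result:
            continue
        flows[key] = (flows[key] + data)[:MAX_DATA]
        proto = classify(flows[key])
        if proto:
            result[key] = proto
    return result

SAMPLE_PACKETS = [   # constructed, not from the pcap in the post
    ("192.168.1.131", "74.125.43.83", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("74.125.43.83", "192.168.1.131", b"HTTP/1.1 200 OK\r\n"),            # not enough yet
    ("74.125.43.83", "192.168.1.131", b"Content-Type: text/html\r\n\r\n<html>"),
    ("192.168.1.128", "88.221.225.51", b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
]
```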
    

    posted at: 19:00 | path: /Ossim | permanent link to this entry | 0 comments |



    April 1st, Conficker day
    Tue, 31 Mar 2009

    Tomorrow Conficker will activate a P2P system to coordinate with other infected machines over TCP and UDP; we've published a directive to detect the P2P behaviour.

    Download Directive

    posted at: 14:55 | path: /Ossim | permanent link to this entry | 2 comments |



    Ossim: Shellcode Detection and Analysis
    Tue, 10 Mar 2009

    I'm glad to announce a new feature we have added to the forensic console. We use libemu for shellcode detection and analysis, to help with forensic analysis and reduce false positives. An example:



    posted at: 14:35 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: New Directives
    Wed, 04 Mar 2009

    I've just updated the public CVS with some new directives as part of the effort we are making to improve the upcoming installer:


    Attacks:
  • Possible Successful Attack: Reverse Shell Access to the System
  • Possible POP3 Bruteforce against SRC_IP
  • Possible FTP Bruteforce against SRC_IP
  • Command execution against webserver on DST_IP
  • File /etc/passwd access on DST_IP
  • Possible SQL injection attempt against DST_IP
  • Possible attack against DST_IP (Symantec Remote Management RTVScan Exploit)
  • Possible sa account bruteforce against SRC_IP (SQL Server)
  • Possible VNC bruteforce against SRC_IP
  • Possible attack against DST_IP (Microsoft Server Service related attack)
  • Too many Cisco Firewall dropped events with destination DST_IP

    Worms:
  • Possible Worm Infection against DST_IP
  • Possible Worm Infection against DST_IP via DCOM RPC vulnerability
  • Possible Worm Infection against DST_IP via Kill-Bill ASN1 vulnerability
  • Possible Worm Infection against DST_IP via Lsasrv.dll RPC vulnerability
  • Possible Worm Infection against DST_IP via WINS vulnerability
  • Possible attack against DST_IP (Microsoft Server Service related attack)
  • Possible worm scanning behavior on port DST_PORT

    Misc:
  • Username gathering at SMTP server DST_IP

    posted at: 17:08 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: Cross Correlation Rules Updated
    Tue, 03 Feb 2009

    I've just updated the Ossim Cross Correlation rules related to nessus-snort; check the CVS!!
    So, the basic rule for Cross Correlation is:
    if Snort has discovered an attack against an IP, and we know that IP has that vulnerability, the reliability will change to 10.
    The relationships between Nessus IDs and Snort signatures are stored in the table plugin_reference.
    If you want to do some kind of personalization, you have to insert data into this table. Check Personalize Cross Correlation.
    When a personalized Cross Correlation matches, the event adds the reliability of the new plugin to the old one.

    posted at: 14:59 | path: /Ossim | permanent link to this entry | 0 comments |



    25C3: Fake CA Certificates
    Sat, 03 Jan 2009

    A security research team has demonstrated how to use an MD5 collision to create a rogue Certificate Authority certificate
    with a cluster of 200 PS3s!!
    You can find all the information here
    The attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages
    with the same MD5 hash, and it affects CAs that are still using this broken hash function, like RapidSSL.
    We can use the M2Crypto Python bindings for OpenSSL to automate fetching server certificates and checking
    whether they are still signed with MD5:
    
    # M2Crypto: Python bindings for OpenSSL
    from M2Crypto import SSL
    
    ctx = SSL.Context()
    conn = SSL.Connection(ctx)
    conn.connect(('www.rapidssl.com', 443))   # TLS handshake with the server
    cert = conn.get_peer_cert()                # leaf certificate presented by the peer
    print(cert.as_text())                      # look for "Signature Algorithm: md5WithRSAEncryption"
    conn.close()
    
    Output:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1795 (0x703)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
            Validity
                Not Before: Mar  8 15:35:33 2005 GMT
                Not After : Mar  7 15:35:33 2010 GMT
            Subject: C=US, O=GeoTrust Inc., OU=Production, CN=www.rapidssl.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:bf:2b:bb:b0:a8:78:fb:8d:76:d7:14:c1:92:d8:
                        c8:cb:99:ed:a8:9e:37:e5:4f:5d:7e:06:f6:52:5e:
                        5c:4e:e8:6b:9e:22:bb:62:8b:b6:db:fe:5f:05:15:
                        79:81:5a:4c:4c:89:6c:42:77:50:ac:8d:ce:a6:1a:
                        49:21:8c:27:db:1a:79:f0:5d:fc:4d:84:8b:42:0f:
                        8e:e6:6d:74:4b:a9:1e:b3:97:38:39:ec:28:88:5e:
                        1d:7a:c9:2b:53:34:71:2c:6c:80:80:78:ed:08:c7:
                        a8:fb:70:39:76:3b:2a:bd:c4:a9:88:6c:95:95:73:
                        2a:ab:85:05:15:b8:cd:59:5f
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 CRL Distribution Points: 
                    URI:http://crl.geotrust.com/crls/ebizca1.crl
    
                X509v3 Authority Key Identifier: 
                    keyid:4A:78:32:52:11:DB:59:16:36:5E:DF:C1:14:36:40:6A:47:7C:4C:A1
    
        Signature Algorithm: md5WithRSAEncryption
            49:e5:4b:7f:48:f3:d1:b6:04:f4:59:a7:63:92:f2:eb:b2:a3:
            1f:c3:31:c4:d3:54:67:9d:77:35:e2:e1:a4:84:9b:d4:91:82:
            32:6b:93:3e:d8:7e:36:66:c8:aa:5f:b8:3a:ee:2c:2c:70:97:
            66:d1:e5:0e:23:dd:04:39:a8:c8:e4:4e:bb:75:85:52:d0:cd:
            37:51:69:07:aa:25:5d:cb:60:ac:a1:98:54:4b:1e:9d:49:fe:
            fa:b1:eb:f9:c3:79:bc:84:d8:4a:2c:bf:67:de:0c:70:8d:f0:
            c3:14:6f:04:8b:9d:14:bd:e9:fd:fd:b7:6d:66:9b:bc:e5:f1:
            74:54
    
    With this module you can easily build a tool to scan Internet sites that are still using certificates from affected CAs (md5WithRSAEncryption).
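    Added example, not the post's M2Crypto code: a scanner only needs the signatureAlgorithm field, so this walks just enough DER to read that OID and flags md5WithRSAEncryption, with a stdlib-only live check in place of M2Crypto. The stand-in certificate at the bottom is constructed (placeholder tbsCertificate and dummy signature), so the example runs offline.

```python
import ssl

# Minimal DER walker: read the outer signatureAlgorithm OID of an X.509 certificate,
# enough to flag md5WithRSAEncryption without parsing the whole certificate.
#   Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
#   AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters }
OID_NAMES = {   # DER OID value -> name (PKCS#1 signature algorithms)
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}

def read_tlv(buf, off):
    """Decode one DER tag/length/value at off; return (tag, value, next_off)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                      # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    return tag, buf[off:off + length], off + length

def signature_algorithm(der):
    """Name of the algorithm the CA used to sign this certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, off = read_tlv(cert, 0)         # skip tbsCertificate
    _, algid, _ = read_tlv(cert, off)     # signatureAlgorithm
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return OID_NAMES.get(oid, "unknown:" + oid.hex())

def is_md5_signed(der):
    return signature_algorithm(der) == "md5WithRSAEncryption"

def check_site(host, port=443):           # live check (needs network), stdlib only
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return host, signature_algorithm(der), is_md5_signed(der)

def _der(tag, body):                      # short-form lengths only, enough for the sample
    return bytes([tag, len(body)]) + body

# Constructed stand-in certificate: placeholder tbsCertificate, md5WithRSA
# AlgorithmIdentifier and a dummy signature; only the structure matters here.
SAMPLE_MD5_CERT = _der(0x30,
    _der(0x30, _der(0x02, b"\x01"))
    + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010104")) + _der(0x05, b""))
    + _der(0x03, b"\x00" + b"\xaa" * 16))
```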

    posted at: 16:37 | path: /Attacks | permanent link to this entry | 0 comments | 25c3, md5, encryption, broken, ssl



    Microsoft Exploitability Index
    Wed, 15 Oct 2008

    Microsoft has just added a new index to new security bulletins to provide additional information about the potential exploitability of vulnerabilities associated with a Microsoft security update.


    The index classifies each vulnerability with an Exploitability Index Assessment that indicates the likelihood of functioning exploit code; the three possible values are:


  • 1 - Consistent exploit code likely
  • 2 - Inconsistent exploit code likely
  • 3 - Functioning exploit code unlikely

    You can find additional information in this document and real examples in the new Microsoft Security Bulletin Summary for October 2008

    posted at: 13:48 | path: /Vulnerability Management | permanent link to this entry | 1 comments | microsoft, exploitability index, vulnerabilities



    Realtime Ossim Ntop Sessions visualization
    Mon, 25 Aug 2008

    I've been developing a Flex application that parses Ntop connection data and shows a graphical interface to navigate through the host and connection information.
    - Click Node label to show Host Info
    - Click box connector to show connection info

    posted at: 12:53 | path: /Security Visualization | permanent link to this entry | 1 comments | ossim,flex,flash,security visualization, ntop



    Raffy Presentation about security visualization at SOURCE Boston 2008
    Sat, 23 Aug 2008

    Here is a video of Raffael Marty's presentation about security visualization at SOURCE Boston 2008 conference:


    posted at: 15:53 | path: /Security Visualization | permanent link to this entry | 0 comments | security visualization



    Ossim Data Visualization
    Sat, 23 Aug 2008
    I'm making an effort to develop some different ways of visualizing OSSIM events and alerts. Here are some examples of my research:



    posted at: 13:51 | path: /Security Visualization | permanent link to this entry | 0 comments | ossim,flex,flash,security visualization



    Last Scada OPC Nessus Plugins
    Thu, 21 Aug 2008

    We have released some new Nessus Plugins related to OPC Servers security issues.

    List of New OPC Nessus Plugins:


  • Multiple vulnerabilities in Comsoft Profibus OPC server
  • Multiple vulnerabilities in Beijer Electronics OPC server
  • Multiple vulnerabilities in VIPA OPC server
  • Multiple vulnerabilities in Gesytec Easylon OPC server 2.0
  • Multiple vulnerabilities in Junzhi BACnet OPC server
  • Multiple vulnerabilities in IPCDAS NAPOPC OPC server
  • Multiple vulnerabilities in Klinkmann SPA OPC server
  • Multiple vulnerabilities in Newron System NLOPC OPC server
  • Multiple vulnerabilities in Wizcon Supervisor OPC DA Server

    posted at: 08:57 | path: /Nessus/plugins | permanent link to this entry | 0 comments | nessus, scada, opc



    3d Nmap
    Wed, 20 Aug 2008
    Here is a screenshot of a project I'm working on. The tool parses nmap XML scan files and shows an interactive 3D environment where you can inspect nmap scan results. I'm developing it with XNA (C#). I'll publish the code as soon as I fix some errors.

    posted at: 21:45 | path: /Security Visualization | permanent link to this entry | 0 comments | nmap,3d,security visualization



    New Scada OPC Nessus Plugins
    Mon, 11 Aug 2008

    Today we have released some new Nessus Plugins related to OPC Servers security issues.

    List of New OPC Nessus Plugins:


  • Multiple vulnerabilities in KEPware KEPServerEx 4 OPC server
  • Multiple vulnerabilities in Triangle MicroWorks OPC Server 2.0.2
  • Multiple vulnerabilities in Comsoft L1 OPC server

    We'll release new plugins related to OPC and Scada in general during the next weeks!!!

    posted at: 09:50 | path: /Nessus/plugins | permanent link to this entry | 0 comments | nessus, scada, opc



    Parsing Cisco Mib
    Wed, 06 Aug 2008
    I wrote a little Python script to parse the Cisco products MIB. I need this information to implement part of the Nessus Feed Cisco checks, for example to retrieve the Cisco model via SNMP.
    #
    # Parse Cisco Products MIB
    #
    # You can download the MIB file from http://www.oidview.com/mibs/9/CISCO-PRODUCTS-MIB.html
    #
    
    import re
    import fileinput
    
    # Each product line looks like this (the number is the sysObjectID suffix under ciscoProducts, 1.3.6.1.4.1.9.1):
    #   catalyst296024LT                OBJECT IDENTIFIER ::= { ciscoProducts 951 } -- 24 10/100, 8 POE and 2T ports switch
    p = re.compile(r"(\S+).*ciscoProducts ([0-9]+)")   # compile once, not on every line
    
    models = {}   # sysObjectID suffix -> model name
    for line in fileinput.input("cisco_mib_parse.txt"):
        m = p.match(line)
        if m is None:        # comments, imports and other definitions: skip instead of crashing
            continue
        model = m.group(1)
        number = m.group(2)
        models[number] = model
        print(number, model)
    

    posted at: 11:48 | path: /Nessus/cisco | permanent link to this entry | 1 comments | nessus, cisco



    An approach to malware collection log visualization
    Wed, 06 Aug 2008
    I have just published an article related to malware collection log visualization. The paper focuses on visualizing Nepenthes logs using AfterGlow. In the paper you can find information about correlating IPs with countries and binary files with ClamAV signatures, with the goal of generating interesting graphs. Get it here

    posted at: 11:47 | path: /Security Visualization/Malware | permanent link to this entry | 1 comments | malware,security visualization, log analysis



    Visualization of Api calls and Imported symbols of malware binary files
    Wed, 06 Aug 2008
    I'm developing a tool to extract interesting information from malware files with the goal of generating a relation graph. The tool extracts API calls and imported symbols from binary files; I've made some interesting graphs from malware files collected by Nepenthes.
    ::read more

    posted at: 11:46 | path: /Security Visualization/Malware | permanent link to this entry | 0 comments | visualization, malware



    AlienVault Free Nessus Feed
    Wed, 06 Aug 2008
    We have started a free Nessus feed; you'll find more information at the Nessus feed page: http://www.alienvault.com/free_nessus_feed.php

    posted at: 11:45 | path: /Nessus | permanent link to this entry | 0 comments | nessus, alienvault



    Showing relation graph between nessus scripts and include files
    Wed, 06 Aug 2008
    I have made an interesting graph showing the relations between Nessus scripts and their include files.




    posted at: 11:42 | path: /Nessus | permanent link to this entry | 3 comments | nessus,visualization



    Jaime Blasco
    (feel free to get in touch)
    Made with PyBlosxom