25C3: Fake CA Certificates
Sat, 03 Jan 2009

A security research team has demostrated how to use  MD5 collision to create a rogue Certificate Authority certificate
with a cluster of 200 ps3s!!
You can find all the information here
The attack take advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages 
with the same MD5 hash and affects CAs that are still using this broken hash function like rapidssl.
We can use the python port of M2Crypto to automating the process to obtain server certificates to verify 
they are still using a certificate signed with MD5:

from M2Crypto import SSL

ctx = SSL.Context()
conn = SSL.Connection(ctx)
conn.connect(('www.rapidssl.com', 443))
cert = conn.get_peer_cert()
print cert.as_text()

Output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1795 (0x703)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
        Validity
            Not Before: Mar  8 15:35:33 2005 GMT
            Not After : Mar  7 15:35:33 2010 GMT
        Subject: C=US, O=GeoTrust Inc., OU=Production, CN=www.rapidssl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:2b:bb:b0:a8:78:fb:8d:76:d7:14:c1:92:d8:
                    c8:cb:99:ed:a8:9e:37:e5:4f:5d:7e:06:f6:52:5e:
                    5c:4e:e8:6b:9e:22:bb:62:8b:b6:db:fe:5f:05:15:
                    79:81:5a:4c:4c:89:6c:42:77:50:ac:8d:ce:a6:1a:
                    49:21:8c:27:db:1a:79:f0:5d:fc:4d:84:8b:42:0f:
                    8e:e6:6d:74:4b:a9:1e:b3:97:38:39:ec:28:88:5e:
                    1d:7a:c9:2b:53:34:71:2c:6c:80:80:78:ed:08:c7:
                    a8:fb:70:39:76:3b:2a:bd:c4:a9:88:6c:95:95:73:
                    2a:ab:85:05:15:b8:cd:59:5f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 CRL Distribution Points: 
                URI:http://crl.geotrust.com/crls/ebizca1.crl

            X509v3 Authority Key Identifier: 
                keyid:4A:78:32:52:11:DB:59:16:36:5E:DF:C1:14:36:40:6A:47:7C:4C:A1

    Signature Algorithm: md5WithRSAEncryption
        49:e5:4b:7f:48:f3:d1:b6:04:f4:59:a7:63:92:f2:eb:b2:a3:
        1f:c3:31:c4:d3:54:67:9d:77:35:e2:e1:a4:84:9b:d4:91:82:
        32:6b:93:3e:d8:7e:36:66:c8:aa:5f:b8:3a:ee:2c:2c:70:97:
        66:d1:e5:0e:23:dd:04:39:a8:c8:e4:4e:bb:75:85:52:d0:cd:
        37:51:69:07:aa:25:5d:cb:60:ac:a1:98:54:4b:1e:9d:49:fe:
        fa:b1:eb:f9:c3:79:bc:84:d8:4a:2c:bf:67:de:0c:70:8d:f0:
        c3:14:6f:04:8b:9d:14:bd:e9:fd:fd:b7:6d:66:9b:bc:e5:f1:
        74:54
With this module you can easily make a tool to scan internet sites that are still using certificates of CAs affected (md5WithRSAEncryption).

posted at: 16:37 | path: /Attacks | permanent link to this entry | 0 comments | 25c3, md5, encryption, broken, ssl



Microsoft Exploitability Index
Wed, 15 Oct 2008

Microsoft has just added a new index to new security bulletins to provide additional information about the potential exploitability of vulnerabilities associated with a Microsoft security update.


The index classify each vulnerability with the Exploitability Index Assessment that indicate the likelihood of functioning exploit code, the three possible values are:


  • - 1 Consistent exploit code likely
  • - 2 Inconsistent exploit code likely
  • - 3 Functioning exploit code unlikely

  • You can find additional information in this document and real examples in the new Microsoft Security Bulletin Summary for October 2008

    posted at: 13:48 | path: /Vulnerability Management | permanent link to this entry | 1 comments | microsoft, exploitability index, vulnerabilities



    Realtime Ossim Ntop Sessions visualization
    Mon, 25 Aug 2008

    I've been developing a flex application that parse Ntop connections Data and shows a graphical interface to navigate throught the host and connections information.
    - Click Node label to show Host Info
    - Click box connector to show connection info

    posted at: 12:53 | path: /Security Visualization | permanent link to this entry | 1 comments | ossim,flex,flash,security visualization, ntop



    Raffy Presentation about security visualiztion at SOURCE Boston 2008
    Sat, 23 Aug 2008

    Here is a video of Raffael Marty's presentation about security visualization at SOURCE Boston 2008 conference:


    posted at: 15:53 | path: /Security Visualization | permanent link to this entry | 0 comments | security visualization



    Ossim Data Visualization
    Sat, 23 Aug 2008
    I'm making an effort to develop some different ways of visualizating OSSIM events and alerts. Here are some examples of my research:



    posted at: 13:51 | path: /Security Visualization | permanent link to this entry | 0 comments | ossim,flex,flash,security visualization



    Last Scada OPC Nessus Plugins
    Thu, 21 Aug 2008

    We have released some new Nessus Plugins related to OPC Servers security issues.

    List of New OPC Nessus Plugins:


  • Multiple vulnerabilities in Comsoft Profibus OPC server
  • Multiple vulnerabilities in Beijer Electronics OPC server
  • Multiple vulnerabilities in VIPA OPC server
  • Multiple vulnerabilities in Gesytec Easylon OPC server 2.0
  • Multiple vulnerabilities in Junzhi BACnet OPC server
  • Multiple vulnerabilities in IPCDAS NAPOPC OPC server
  • Multiple vulnerabilities in Klinkmann SPA OPC server
  • Multiple vulnerabilities in Newron System NLOPC OPC server
  • Multiple vulnerabilities in Wizcon Supervisor OPC DA Server

  • posted at: 08:57 | path: /Nessus/plugins | permanent link to this entry | 0 comments | nessus, scada, opc



    3d Nmap
    Wed, 20 Aug 2008
    Here is a screenshot of a project I'm working on. The tool parse XML nmap scan files and shows an interactive 3d environment where you can inspect nmap scanning results. I´m developing with XNA (C#). I'll will publish the code as soon as I fix some errors.

    posted at: 21:45 | path: /Security Visualization | permanent link to this entry | 0 comments | nmap,3d,security visualization



    New Scada OPC Nessus Plugins
    Mon, 11 Aug 2008

    Today we have released some new Nessus Plugins related to OPC Servers security issues.

    List of New OPC Nessus Plugins:


  • Multiple vulnerabilities in KEPware KEPServerEx 4 OPC server
  • Multiple vulnerabilities in Triangle MicroWorks OPC Server 2.0.2
  • Multiple vulnerabilities in Comsoft L1 OPC server

  • We'll release new plugins related to OPC and Scada in general during the next weeks!!!

    posted at: 09:50 | path: /Nessus/plugins | permanent link to this entry | 0 comments | nessus, scada, opc



    Parsing Cisco Mib
    Wed, 06 Aug 2008
    I wrote a little python script to parse Cisco mib. I need this information to implement part of the Nessus Feed Cisco stuff, for example to retrieve the cisco model from snmp.
    #
    # Parse Cisco Products MIB
    #
    # You can download mib file from http://www.oidview.com/mibs/9/CISCO-PRODUCTS-MIB.html
    #
    
    import re
    import fileinput
    
    for line in fileinput.input("cisco_mib_parse.txt"):
            #catalyst296024LT                OBJECT IDENTIFIER ::= { ciscoProducts 951 } -- 24 10/100, 8 POE and 2T ports switch
            p = re.compile("(\S+).*ciscoProducts ([0-9]+)")
            m = p.match(line)
            model = m.group(1)
            number = m.group(2)
    
    

    posted at: 11:48 | path: /Nessus/cisco | permanent link to this entry | 1 comments | nessus, cisco



    An approach to malware collection log visualization
    Wed, 06 Aug 2008
    I have just published an article related to malware collection log visualization. The paper focus on visualization of Nepenthes logs using AfterGlow. In the paper you can find information about correlation ips with countries and binary files with ClamAV signatures with the goal of generating interesting graphs. Get it here

    posted at: 11:47 | path: /Security Visualization/Malware | permanent link to this entry | 1 comments | malware,security visualization, log analysis



    Visualization of Api calls and Imported symbols of malware binary files
    Wed, 06 Aug 2008
    I'm developing a tool to extract interesting information from malware files with the goal of generating a relation graph. The tool extract api calls and imported symbols of binary files, I´ve make some interesting graph from malware files collected by Nepenthes.
    ::read more

    posted at: 11:46 | path: /Security Visualization/Malware | permanent link to this entry | 0 comments | visualization, malware



    AlienVault Free Nessus Feed
    Wed, 06 Aug 2008
    We have started a Free Nessus Feed you'll found more information at the nessus feed page: http://www.alienvault.com/free_nessus_feed.php

    posted at: 11:45 | path: /Nessus | permanent link to this entry | 0 comments | nessus, alienvault



    Showing relation graph between nessus scripts and include files
    Wed, 06 Aug 2008
    I have make an interesting graph showing the relation between nessus scripts and include files



    Click to view large image

    posted at: 11:42 | path: /Nessus | permanent link to this entry | 2 comments | nessus,visualization



    Scada: OPC Nessus Plugins
    Wed, 06 Aug 2008

    During the development of the Free Nessus Feed we are writing some interesting plugins about Scada.

    Today we released some plugins relating to OPC (OLE for Process Control) Servers, OPC standard specifies the communication of real-time plant data between control devices from different manufacturers.

    List of OPC Nessus Plugins:


  • Multiple vulnerabilities in NETxEIB OPC server CVE-2007-1313
  • Multiple vulnerabilities in Takebishi Electric DeviceXplorer FA-M3 OPC server CVE-2007-1313
  • Multiple vulnerabilities in Takebishi Electric DeviceXplorer HIDIC OPC server CVE-2007-1319
  • Multiple vulnerabilities in Takebishi Electric DeviceXplorer MELSEC OPC server CVE-2007-1319
  • Multiple vulnerabilities in Takebishi Electric DeviceXplorer SYSMAC OPC server CVE-2007-1319

  • We have write some functions for accesing DCOM Applications information throught WMI.

    posted at: 11:41 | path: /Nessus/plugins | permanent link to this entry | 0 comments | nessus, scada, opc



    Categories

    / (14)
        Attacks/ (1)
        Nessus/ (6)
            cisco/ (1)
            plugins/ (3)
        Security Visualization/ (6)
            Malware/ (2)
        Vulnerability Management/ (1)




    RSS




    < January 2009
    MoTuWeThFrSaSu
        1 2 3 4
    5 6 7 8 91011
    12131415161718
    19202122232425
    262728293031 




    Archives

    2009-Jan
    2008-Oct
    2008-Aug




    Tags




    Made with PyBlosxom