• massive hacking campaign against windows servers underway

    The internet storm center had announced it some days ago but now we can see the effects of the message popping up in the registers of the hacked sites. These listings of hacked sites are much longer than normal and they have more windows servers (even 2003) than normal (30)

    If you have webdav activated on an IIS 5 or 6, than you are vulnerable and you will be hacked, it is just a matter of time. You can see a list of .be sites hacked the last days of which the communitysite of Microsoft in Belgium. http://be-hacked.skynetblogs.be

    You must read the following http://isc.sans.org/diary.html?storyid=6397

    and if you have a big network, here is way to find vulnerable servers in your network


    we see it in this kind of hacked weblink  site/portals/0/......

    it is possible by adding some unicode characters to bypass the authorization to add some content. For the moment it seems to be only used for adding stupidities but what about phishing, malware downloads and spamming or rumors....

    it learns three things

    * you should upgrade whenever new major versions come out (IIS 7)

    * you shouldn't activate stuff that has been desactivated as a standard unless you are absolutely sure that you know what you are doing

    * you should monitor your websites more intensily (most of the hacked sites weren't repaired)

  • Sodexho - dienstencheques

    Combining a full-time job as security consultant with being a SANS instructor AND having a non-imaginairy girlfriend :-) doesn't leave much time for cleaning the appartement. So, a few weeks ago I decided to  get myself a cleaning lady. I already had an account on AccorServices (the former provider of "dienstencheques") from the year before, so I didn't have to enroll myself again with Sodexho (the current provider of "dienstencheques").

     Getting up this morning, half a sleep, trying to view my account on Sodexho, I suddenly realised that I have forgotten my username and password.  As I am security aware, all my account information is in my head, so I am pretty screwed right now. There is an option to recover your password through email ...but I am not really sure if my username is correct. The only thing left is to call the friendly lady at the helpdesk:

    Me: Goodmorning, this is Mr. ABC speaking from XY

    Helpdesk: Goodmorning sir, Alicia (fake name) speaking. How can I help you?

    Me: Well, I have my username and password here, but I am unable to login. How can I solve this?

    Helpdesk: What is your personal account number?

    Me: XXX-XXXX-XXX (censored for obvious reasons, especially if you read the rest of this conversation)

    Helpdesk: Thank you. Are you Mr. ABC?

    Me: yups, that's me!

    Helpdesk: Ok, I will give you your login credentials. Do you have something to write it down?

    Me: Sure

    Helpdesk: Your login is XXXX and password is XXXX

    Me: Let my try that .... (silence) .... ok! great, it's working! Thanks!

    Helpdesk: No problem sir! Goodbye

    Mr: Thank you and goodbye 

    Now, the problem here is that whoever knows the personal account number, could potentially receive the login credentials for a personal account. Now guess what ... which number does a service provider need to credit your "dienstencheques"? YES! The personal account number!

    Basically, this means that anyone who is providing services for you, can confirm his own services if he is able to steal your login details as I did here above. What a service! Now I don't even have to confirm my payments anymore!

    And that's not all ... you can also ask for a "reimbursement" of your cheques if you decide you don't need them anymore. So anyone who has your personal account number, can login, use the "change preferences" to change the bank account number, and then ask for a reimbursement of your cheques.

    Oh boy ... did I use an l33T 0day exploit for this? Or a vulnerability that was already know since .... Columbus discovered the Americas? :p

    </free consultancy, targetted for Sodexho>

    Before doing sensitive transactions for an account, verify the identity of the caller. This can be done by using a "shared secret":

    1. At registration, let each user provide a "shared secret". Note that the personal account number of Sodexho is NOT a shared secret, because this is known also by the service providers. "Shared" means something known only by Sodexho and your client. Not shared over the whole world:p

    2. Ask some personal identificaton details randomly (not 100% secure, but better than nothing): address, passport number, SIS-card number, birth date, bank account number ..

    That's what is know as "identification and authentication". Next, you can reset the password, or sent a password reset link to the email address you have on file. If they claim they don't have access to the email address, reset the password and always sent a confirmation email to the account on file.

    Also, some DO NOT's:

    - provide personal information (name, address, ...) BEFORE you have identified and authenticated your called. Things like "Are you Mr. ABX" before authentication are BAD :p

    - let someone change any preferences in the account (such as the bank account number) without confirming through an email address on file, or asking again for the password.

    - let someone reimburse without confirming through email 

    </free consultancy, targetted for Sodexho>

     Well, that's about it again for now. Back to real-life :-).

    Yours Truly,


    PS: Anyone attended DC16, msg me

  • What is keeping me busy nowadays?

    PortBunny - Linux-kernel-based Port Scanner 

    During the 24C3 conference I already posted about a new tool which was going to be released by recurity-labs. (For those who care, these are the people from Phenoelite who moved their old site to the free world).


    PortBunny is a Linux-kernel-based port-scanner created by Recurity Labs. Its aim is to provide a reliable and fast TCP-SYN-port-scanner which performs sophisticated timing based on the use of so called "trigger"-packets. The port-scan is performed in 2 steps: First the scanner tries to find packets, to which the target responds ("triggers"). Second, the actual port-scan is performed. During the scan, the triggers, which were found in the first scanning-phase, are used to determine the optimal speed at which the target may be scanned.

    I hear you thinking ... "Portscanning is nothing new, it's and old technique". True, but portscanning still stays a key component of performing reconaissance on your target. And in a world where time is money, having a portscanner which uses effecient techniques to reduce the time of scanning ... will maken consultants happy :p. Also, let's think about tomorrow. IF the world decides to implement IPv6 on a great scale and companies will start to use IPv6 ... there are numerous IPv6 addresses available and scanning one range takes ages. (For those who want to try, checkout the THC-IPv6 attack suite from THC). Maybe by using the PortBunny technique, these scans can be speed up and portscanning becomes feasible for IPv6 ranges :-). 

    But beware, PortBunny will not replace the infamous nmap. The latter has numerous option (which I only use in about 5% of my pentests) such as ACK-scanning (for bypassing very old firewalls, or ACLs), UDP scanning (this takes ages to scan with a good filter policy), XMAS scanning (hell, if anyone has ever found a practical use for this scan, let me know :p).

    New course from the SANS Institute: Network Penetration Testing and Ethical Hacking

    Just a few days ago, I was informed that Ed Skoudis from SANS has created new course content (SEC560). I am delighted to see that there is actually some non-technical stuff in the course contents which -- according to my experience and knowledge -- is essential in providing good penetration tests: Day 1: Rules of Engagement, scoping a project, legal issues around pentesting, reporting...


    I am not sure how much this course will differ from the Hacker Techniques, Exploits and Incident Handling (SEC504) course, but I will find this out on the SANS conferences in London and Belgium later this year! If anyone wants to follow these course, there are some coming up in Europe in the next months: Prague (February 2008), Sweden (March 2008 with a very very handsome instructor:p ), Dublin (April 2008).