VMWare is excellent for malware analysts because it lets you keep snapshots of pristine Virtual machine states and you can revert back to them when you want to.
I encountered a weired error this time around on my Windows XP Pro VM. Whenever I would try to take any snapshots I would get an error: “Error taking snapshot: Windows XP Professional.VMX-Snapshot1.vmsn file already exists”. When I looked into the folder there was no .vmsn file with that name. I deleted all the files .lck and .lock files and still to no avail. Then I saw the files named as
Windows XP Professional-000001-s00?.VMDK.
The regex for these files was:
Windows XP Professional-00000?-s00?.VMDK
where ? is one character replaced by 0-9. Upon deleting these files, my snapshots started working properly.

What www.hak5.org started was quite commendable and I’m really not sure what the status of the Community Rainbow Tables project is at hak5.
They are generating the rainbow tables with the following configuration:

* NTLM
* mixalpha-numeric-all-space
* [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
* 26 indexes, 22 files/index
* 572 tables total
* 340.93GB
* 96.07% probability of successful crack

I’m currently generating index 13 and index 26 on this configuration. It would be cool to have multiple people generate it and upload it. I know many people are already doing that as we speak. We should also have SHA1, MD5 project for mixalpha-numberic-all-space configurations.

If you use Windows 8 x64 and when you launch the Cisco VPN Client adapter and you see the following error:
Reason 442: Failed To Enable Virtual Adapter Here’s how to fix it.
Open your command prompt in Administrator mode by right clicking at the left lower corner of the screen and going to “Command Prompt (Administrator)”. You will have to log in as an administrator. Launch registry editor by typing “regedit.exe”. Browse to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA“. In the DisplayName key, you will see something like @oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter. Edit that to just say Cisco Systems VPN Adapter. Try to connect again by launching the VPN Client. It should work!

This week I got the CREA certification to add to my list of CISSP, CEPT, Visa QSA. This certification required a good practical and conceptual knowledge of reverse engineering. The certification requires a good working knowledge of components such as IA-32 assembly language, malware reversing, expert level knowledge of IDA Pro, OllyDbg, HiEW, Dumpbin etc., PE File header, repairing packed and compacted binaries, using system level reversing etc. The exam was good and tested on the concepts of the reverse engineer.

I finally got a candidate on the Common Vulnerabilities & Exposures (CVE) list. Apache Tomahawk also released a critical security update due to my disclosure to iDefense. In case, people are wondering I did not get any money for the disclosure to iDefense. It was just a case of responsible disclosure.
The advisory can be found at:
http://seclists.org/fulldisclosure/2007/Jun/0305.html.

I’ve been a Batman fan since the time my father took me to watch the first Batman movie starring Michael Keaton. The latest addition to the Batman series is Christopher Nolan’s Batman Begins. The film is an excellent depiction of Batman and his rise as the caped crusader in Gotham City. The story is a prequel to the Batman movies which we have seen in the past.
The remaining cast is also well studded with some of the best actors of Hollywood like Michael Caine (Alfred) and Morgan Freeman. Katie Holmes also has done a good job of acting. But I still think that Michelle Pfeiffer is yet to be beaten in looks in the entire Batman series.
Overall, the movie is excellent with everything about Batman being explained and I think it’s a must watch for any Batman fan!

Server-Side Request Forgery is a security issue in applications where an attacker is able to get a server to send some type of a request (these days mostly HTTP/s requests) that the server should not be able to send. This issue is the classic abuse of trust vulnerability – the server tends to sit in a “trusted” environment (e.g., DMZ, your cloud VPC, etc.) and the users of the application sit outside the trust boundary (e.g., mobile devices, cafe, home, corporate environments, API clients within and outside cloud).

A brief history
In this blog post though, I won’t be talking about all the fancy new things that have had SSRF issues – you can likely find a few hundreds of those anyway! I am going to be talking about a brief history of this issue and what happened before we gave this issue a “name” – SSRF. The earliest references to the name “SSRF” appear to come from a talk done in BlackHat US 2012, and wayback machine tells me that the CWE-918 page was authored sometime around 2013. If you look closely at the CWE-918 page though, you will find that there were old CVEs dating back to 2002, and 2004. There was a Shmoocon talk about it in 2008 too but the term SSRF was not established until 2012.

The Issue
I was working on a penetration test for a financial services firm in 2010 of a popular load balancer that offered a GTM (Global traffic manager) solution and that allowed folks to login and obtain restricted execution environments wherefrom certain applications could be exposed and that would allow remote workers or untrusted entities who you only want to expose certain applications could use. The issue was in a POST request post login and IIRC even pre-login (though my details on this are fuzzy). This might be circa 2010 timeframe and to my knowledge the issue was not issued a CVE and wasn’t associated with Knowledge base article – I may not know 100%. The guidance from the vendor was simple – update the software and move on. The issue was this – an authenticated or an unauthenticated user would send an HTTP POST request to a page with a base64 encoded parameter that included a hostname which would trigger a DNS request on the back end of the GTM site. The time it took for the response to get back would indicate whether the domain was legitimate or not. So I used the a popular dictionary and enumerate all the hostnames from that directory that were legitimate and the ones that were not sitting outside on the Internet and mapping the hosts on the internal network.

The backstory
What the vendor of the GTM software did not know was how critical this application was to the business of the customer. They seemed to be dragging their feet without updates and meanwhile the customer – a financial institution with lots at stake could not go live. The pressure mounted on the IT staff to fix the issue and the vendor while being responsive was unable to give a firm date quickly – remember this was 13-14 years ago prior to bug bounties and responsible disclosures still were quite clunky! And the customer was also advising me to push the software vendor so we could discuss. Thankfully, on the vendor side, there was a solid security person who understood the issue immediately and its impact and advised the software teams to do what was right. They made the process post authentication and they also added tokens, limits and constant time responses to fix the issue.

Fast forward
Today, obviously things are a lot better. And I wrote this blog post so the old me can look back and point to this in a meaningful way without forgetting the old experiences among the new.