Yesterday, while searching for Web Services on the Internet I came across an old, popular web service called “Amazon’s mechanical turk” based on the mechanical turk trick from old magic days.
The gist is, you (“The requestor”) put in a HIT (Human Interaction Task) in amazon’s lingo so that some one on the Internet can solve it for you (“the worker”). Most of what I saw on the website seemed like random tasks being used by researchers, online yellowpages-like directories, marketing, classification of goods, etc.
What might also be an interesting application, and I’m sure it’s probably being used for is, captcha-solving for spammers.
Also, the Amazon Mechanical Turk terms of service don’t help and say the following (verbatim):
Amazon Mechanical Turk provides a venue for third-party Requesters and third-party Providers to enter into and complete transactions. Amazon Mechanical Turk and its Affiliates are not involved in the transactions between Requesters and Providers. As a result, we have no control over the quality, safety or legality of the Services, the ability of Providers to provide the Services to Requesters’ satisfaction, or the ability of Requesters to pay for Services. We are not responsible for the actions of any Requester or Provider. We do not conduct any screening or other verification with respect to Requesters or Providers, nor do we provide any recommendations. As a Requester or a Provider, you use the Site at your own risk.

Given this, and the rates prevalent (about a penny or so per task), I think spammers might have a free-run on this service. Of course, amazon has a conveniently available web service available at http://mechanicalturk.amazonaws.com/AWSMechanicalTurk/AWSMechanicalTurkRequester.wsdl.
Now, the key question is, suppose a spammer uses this service, who’s to blame…I wouldn’t imagine the solvers know what the intent of the act is, amazon (possibly) can’t be liable because the ToS is required to be accepted before use, and since the requestor is somewhere on the Internet, he/she possibly can’t be traced.
Of course, I’m not saying that Mechanical Turk is all bad, but like all walks of life there’s a positive or a negative use to everything.
As someone once said: “Every tool is a weapon if you hold it right”!

In a pen test, it’s always the race to the finish. Either you get to the domain admin or r00t or you die tryin’! 🙂 But thanks to some real l33t fu by Hernan Ochoa this has only been made easy for you.
The key to pass-the-hash attacks is that Windows NTLM authentication relies on the passing of the right hash to identify you. As long as the right hash is stored in the authenticated session you are who you say you are.
Hernan Ochoa’s Pass-the-hash toolkit (http://oss.coresecurity.com/projects/pshtoolkit.htm) is precisely the tool for that. Once you gain local admin rights on a box, just run the whosthere.exe utility on the box. Mind you, in differing versions of Windows you need some right addresses to pass as parameters. So the first thing to do is goto C:\WINDOWS\system32 and copy the lsasrv.dll file onto your local machine. The pass-the-hash src tar ball, has an IDA Pro script passthehash.idc that you need to run after opening the file in IDA Pro. This will give you the right addresses to pass to whosthere.exe:
whosthere.exe -a -o outputfile.txt

Once you have the hash you could either use iam.exe or winexe (http://eol.ovh.org/winexe/) with pass-the-hash patch from jo-mo-kun (http://www.foofus.net/jmk/tools/winexe), or samba with jomo kun’s pass the hash patch.
Just set the Environment variable SMBHASH to the hash value such as

export SMBHASH="92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"

Then run winexe as

./winexe -U "Domain\\Username" //192.168.0.1 "cmd.exe"

Of course, you can also expend some time in cracking the LM hashes to get the actual passwords but it isn’t really necessary.

If you want to find out the components of a site’s certificate the following commands will help you.
If you want to find if the certificate is signed with the weak MD5 signature algorithm:
$ echo | openssl s_client -connect webserver.example.com:443 2>/dev/null | sed -ne ‘/—–BEGIN CERTIFICATE—–/,/—–END CERTIFICATE—–/p’ | openssl x509 -text | grep “Signature Algorithm”| gawk ‘{print $3}’

$ echo | openssl s_client -connect 167.155.38.24:443 2>/dev/null | sed -ne ‘/—–BEGIN CERTIFICATE—–/,/—–END CERTIFICATE—–/p’ | openssl x509 -text | grep “Exponent”

In metasploit there’s a plugin admin/backupexec/dump. This plugin uses the default credentials to login to Veritas backupexec agent and download an arbitrary file. The catch is it downloads it in the MTF (Microsoft Tape Format) file. You need a utility called NTBackup to restore this file. Metasploit authors have conveniently made this available for us at http://metasploit.com/tools/msbksrc.tar.gz.
However, if you compile this file you get an error:
msqic.c:814: error: conflicting types for ‘bques’
This happens because the function prototype is missing.
Goto line 169 of msqic.c file in the source code and add the following line:
int bques(char);
Once you add this, you should be able to make the client and should be able to extract the file from the .mtf file.

This time the DefCon CTF challenges were really tough. After about 40 hours of straight effort in those 2 days my head was spinning. There were some nice write-ups that people have posted:
Vedagodz’s site is up at : http://shallweplayaga.me/
Pursuits Trivial 400 writeup : http://pastie.org/510841
Binary l33tness 300 writeup : http://hackerschool.org/DefconCTF/17/B300.html (based on k0rupt’s original work)
Crypto badness 400 : http://beist.org/defcon2009/defcon2009_crypto400_solution.txt

I like using dcfldd for creating the raw images, because it shows a nice status…it’s interesting to see progress.

dcfldd if=/dev/sda of=/mnt/sdb1/filename.dd hash=md5 md5log=hashfile.md5 conv=noerror,sync bs=4096

It’s the ‘bs’ (stands for bytesize) that makes the difference (…always does doesn’t it ;-).

Autopsy – The forensics browser always uses the ~/.autopsy as the base directory for storing the files from the cases. The following command is helpful in changing the directory in which the cases should be stored:

./autopsy -d /mountpoint/dirname

The exiftool is a cool application that can read meta-information to determine the different types of files.

A very typical scenario is that by default the Tomcat Servers tend to have a 404 Error page that displays the name of the file that was requested and not found. It seems to me that though display of such pages might be considered as merely an informational item for the purpose of any security test…this definitely presents a risk.
E.g., take this scenario.
1. The attackers has a SQL injection vulnerability in an application
2. The App server and DB can reach each other
3. The DB cannot directly reach the attacker and his system (on any port outbound)
4. The app server issues 404 error messages with the name of the file being disclosed in the 404 error message (e.g., The requested resource indexblah.html was not found).
5. The attacker can see the responses to the injected SQL queries (i.e., the injection is not blind).

Assuming that the DB accesses have been tightly controlled and you can’t get much access to any tables except the current one. This can be exploited as follows:
Invoke a SQL query (in the injection string) on the DB to request a page from the app server based on the contents of the DB such as send me /blahusername, /blahpassword where /blah is a string the attacker’s put in to make sure that such a resource doesn’t actually exist on the app server and username and password are columns or DB names from the DB. These error messages will be reflected in the response to the SQL query to the attacker. This could create an interesting side-channel attack whereby even though the data from the DB doesn’t actually reach the attacker, it can be inferred from the 404 – error messages.

___________       ______________        __________
| Attacker| <===> | App server | <=====>|  DB    |
___________       ______________        __________
      1  ----------> 2  -----------------> 3
                     5  <----------------  4
                     6  -----------------> 7
      10 <---------- 9 <-----------------  8   
1. Attacker sends sql to make the db query the app server for a non-existent page
2. The app server sends this sql query to the DB
3. The DB receives this SQL query and acts on it
4. The HTTP query for a missing resource is sent to the app server
5. App server looks up the resource and can't find it
6. The App server responds with a 404 /blahusername not found
7. The response recd is put in the SQL query response
8. The SQL query response is sent to the app server
9. The App server received the SQL query response (404 /blahusername not found as a line in there)
10. The attacker receives the 404 response with the data from the username in the 404 error message  

An interesting attack vector to say the least!