General

4*

Job Openings!

Interested in getting paid to develop/use tools such as FgDump and Medusa, while hacking customers silly? Do you want to join our awesome group and work with the super cool Foofus.Net goons? If so, let me know as we’re expanding and looking to hire for technical and presales positions.

Foofus.Net is the security assessment group within the consulting services arm of a sizable firm with nation-wide reach. We perform comprehensive penetration and vulnerability assessments (not simply hitting “go” on a scanner), HIPAA/NIST/PCI gap analysis and general security consultation  in our roles as trusted security advisors. While our team originated in the Midwest, we now have members across the country.

Please feel free to reach out to me for more information.

Thanks!

Joe (jmk@foofus.net)

 

 

I was informed last month of the release of the new “Faraday” penetration testing framework. A key feature of this framework is its ability to parse the output from various other security tools, including Foofus.Net’s Medusa! Here is the official release from the Infobyte folks:

We are happy to announce our first release of Faraday (beta), an open source collaborative Penetration Test IDE console that uses the same tools you use every day.

Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment

We built a plugin system, where all the I/O from the terminal gets interpreted, if we have a plugin for the command, the output is processed and added to a knowledge base in a transparent way.

Our idea was to build a tool that helps from the perspective of a pentester without changing the way you work, adding the support for multi user collaboration on security testing projects.

Developed with a specialized set of functionalities that help users improve their own work adding collaborative data sharing, indexation and analysis of the generated knowledge during the engagement of a security audit.

[Features]
* +40 Plugins (Metasploit, Amap, Arachini, Dnsenum, Medusa, Nmap, Nessus, w3af, Zap and More!)
* Collaborative support
* Information Highlighting
* Knowledge Filtering
* Information Dashboard
* Conflict Detection
* Support for multiple Workspaces
* IntelliSense Support
* Easy Plugin Development
* XMLRPC, XML and Regex Parsers

Get it now:
http://www.faradaysec.com
https://github.com/infobyte/faraday

[Contact]
@faradaysec
#faraday-dev on irc.freenode.net

We hope you enjoy it!

Francisco Amato
http://www.linkedin.com/in/famato
http://twitter.com/famato

Infobyte LLC.
2699 S. Bayshore Dr #300.
[33133], Miami, FL
Phone: +1 305 851 3373
http://www.infobytesec.com
http://blog.infobytesec.com
http://twitter.com/infobytesec

 

On March 14, 2013 I released the white paper “Practical Exploitation Using Malicious SSIDs” at Black Europe in Amsterdam. This paper discuses the concept of leveraging SSIDs to inject various attacks into Wireless devices, and management consoles. The type of injection attacks discussed include XSS, CSRF,  and format strings attacks. A copy of the whitepaper can be downloaded from HERE.

Twitter: @percent_x

Its been almost a year since this firmware process hack was first discussed at CarolinaCon by percX. PercX has finally finished up his tutorial/white paper on the subject. In this paper he discusses the hack in-depth. Covering the step by step process around how to gain root level access to high end Xerox MFP devices, how the firmware signing process works, and how to protect yourself from this attack.  The paper can be downloaded by clicking here.

@percent_x

PercX will be presenting more printer hacking at the Oslo, Norway security conference  HackCon  on March 28th  “From Printer to Pwnd – Leveraging Multifunction Printers During Penetration Testing”. During his presentation he will also be discussing a new ‘simple’ attack against printer firmware update process on high end business MFP devices to gain root level access. This will also coincide with an updated release of PRAEDA that will contain updates to the dispatcher, allowing NMAP .gnmap as target input.