PercX will be presenting his recent research on injection attacks using malicious SSIDs “Practical Exploitation Using A Malicious Service Set Identifier (SSID)” at Blackhat Europe in Amsterdam on March 14-15 2013.
I just published an advisory, click here to enjoy it.
We are foofus.net. We are Humoctopus. Many of us will be at Defcon, where The Danger Is Real.
I got a very interesting note from Ryan Reynolds and Jonathan Claudius, who will be presenting at BlackHat and Defcon 20 in a few weeks. They discovered that, in certain circumstances, the hashes returned by tools like fgdump3 (which is a very limited “ask-and-you-shall-receive” research version I unveiled at ToorCon 2011) as well as HashDump are wrong. They have a proposed patch to HashDump, and I will be incorporating it into the fgdump3 branch as well.
So does this affect fgdump2/2.1?
No – this only affects versions pulling their values right from the registry (which version 3 is doing).
Where is fgdump3 anyway?
I unofficially/quietly released version 3 at ToorCon last year. However, speed issues continued to plague me (changing permissions on the keys is SLOW), and I started looking for a new solution. Right now, the NEW fgdump3 is about 80% done, and combines the old injection method, the registry method, and a new “super s3kr1t” method that looks to work well, and quickly I might add. I have yet to finish the new version (about 80% complete), but I’m going to see if I can pound this out before DC 20 in time for their presentation. It will be ultra-beta, but something to play with.
How can I get a copy to play with?
I can send you the old fgdump3 if you want to play with the registry method – email me at firstname.lastname@example.org if you like. It’s unsupported and may cause nausea, but feel free to give it a shot. :)
Medusa 2.1.1 is now available for public download.
This release contains several bug fixes and should also now compile with gcc 4.7.
The Micro Technology Services Inc. “Lynx Message Server 188.8.131.52″ and/or “LynxTCPService version 1.1.62″ web interface is vulnerable to SQL Injection, Cross-Site Scripting, and other security problems.
- Bede 5/3/12
Medusa 2.1 is now available for public download.
What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net. It currently has modules for the following services: AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), NNTP, PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (AUTH/VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC. It also includes a basic web form module and a generic wrapper module for external scripts.
While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison, see:
This release does not introduce any major changes to the core of the application, however, it does include two years worth of bug-fixes throughout the code base and numerous incremental improvements.
Updated release of Praeda 0.02.0b can be downloaded from GITHUB HERE . This release contains a few new modules and an update to the dispatcher, allowing NMAP .gnmap as target input.
PercX will be presenting more printer hacking at the Oslo, Norway security conference HackCon on March 28th “From Printer to Pwnd – Leveraging Multifunction Printers During Penetration Testing”. During his presentation he will also be discussing a new ‘simple’ attack against printer firmware update process on high end business MFP devices to gain root level access. This will also coincide with an updated release of PRAEDA that will contain updates to the dispatcher, allowing NMAP .gnmap as target input.
While examining a Lexmark X656de multifunction printer awhile back I was pleased to “NOT” find any of the common information leakage vulns like passwords within the html source that you typically find on these type of devices. Which was a good sign. Although with a little more testing it was quickly found that the export setting feature was a total fail. Once I exported the system setting (settingfile.ucf) using the export function, it revealed the plain test password for the SMTP settings .
For the latest advisory on this click here