27 posts categorized "tools"

07/07/2013

CryptoNark 0.4.9 Released

Here is another new release of CryptoNark. This release has a new feature: it will check the bit length of the private key on the ssl site or server being scanned and will warn if the bit length is less than 2048 bits. Since many Certificate Authorities will be revoking certificates at the end of this year if the bit length is 1024 bits or less, this is a useful feature if you need to know whether you need to replace that certificate soon.

You can download CryptoNark v0.4.9 from the Downloads page.

This release was tested on perl 5.10.1 and 5.12.5

Posted by Chris Mahns at 9:30 PM in cnark, cryptonark, ssl, tools | Permalink | Comments (0) | TrackBack (0)

08/25/2011

Here's a Preliminary "Apache Killer" Test Script

There is a nasty exploit in the news lately, a perl-based script called "Apache Killer" that provides an easy way to issue a denial of service attack against an apache server from a single source.  The Register has a complete write-up on the vulnerability and the exploit, SANS has started covering it in this article, and you could just grab it from the Full Disclosure mailing list or visit my friends over at PenTestIT for a writeup and download and they also have a workaround folks can implement via mod_rewrite (although it might not be appropriate for every site).

The exploit is fairly easy enough to modify but I assume that within the next day or so, anti-virus clients will start quarantining the exploit if found on the filesystem of certain machines.  I've written a script, which might receive some heavy modifications over the next couple days,  that attempts to assess whether a server (or site) is vulnerable to the Apache Range Header Denial of Service Vulnerability.  The intent of my implementation is to assess the existence of the vulnerability but prevent more than one connection to the site and containing no exploit code.

It's still preliminary because I have unanswered questions/concerns with the exploit.  The exploit appears to be sending the following request (with request headers) to the target server in order to determine if the server "seems" vulnerable:

HEAD / HTTP/1.1  
Host: 10.0.0.16  
Range:bytes=0-  
Accept-Encoding: gzip  
Connection: close

My test ubuntu server running apache 2.2.17 responds with the following http response headers:

HTTP/1.1 206 Partial Content 
Date: Wed, 24 Aug 2011 18:44:32 GMT 
Server: Apache/2.2.17 (Ubuntu) 
Last-Modified: Thu, 04 Aug 2011 03:23:21 GMT 
ETag: "20abb-b1-4a9a580b93ac0" 
Accept-Ranges: bytes 
Vary: Accept-Encoding 
Content-Encoding: gzip 
Content-Range: bytes 0-145/146 
Content-Length: 146 
Connection: close 
Content-Type: text/html

The exploit seems to assume a server is vulnerable simply because it returned a 206 Partial Content status code. The problem is that the same test run against an IIS server gives the same 206 Parital Content response and, as far as I know at this particular point in time, IIS is not known to be exploitable.  But maybe that's not the case?  The original vulnerability was reported back in 2007 and listed both Apache and IIS as being vulnerable.  I wonder if anyone tested this exploit against an IIS host.  So, my current quandary with my implementation here is that I do not have the confidence yet that simply retrieving a 206 Partial Content status code is enough to formally declare the target system vulnerable. Update: Interestingly, the exploit finds tomcat to be vulnerable, too!  See the discussion on ServerFault

I think I will have a better idea of what to test for when the new versions of apache httpd are released.  Here is the current version of my script, it uses LWP::UserAgent and HTTP::Headers and is intended to work with perl version 5.10 or above:

#!/usr/bin/env perl

# Apache Killer assessor

use strict;
use warnings;
use feature ':5.10';

use HTTP::Headers;
use LWP::UserAgent;

my $host = $ARGV[0];
my $port = $ARGV[1];
my $scheme;

my $help = "Usage:  $0  ";

if ( !@ARGV ) {
    print $help . "\n";
    exit 0;
}

if ( $port == 443 ) {
    $scheme = 'https';
}
else {
    $scheme = 'http';
}

my $message;

my $objHeader = HTTP::Headers->new;
  $objHeader->header('Host' => $host);
  $objHeader->header('Range' => 'bytes=0-');
  $objHeader->header('Accept-Encoding' => 'gzip');
  $objHeader->header('Connection' => 'close');

my $url = "$scheme://$host:$port/";

    my $method = "HEAD";
    my $ua  = LWP::UserAgent->new;
    $ua->timeout(10);
    $ua->max_redirect(0);
    $ua->env_proxy;
    $ua->agent('techstacksRangeHeaderDoSTest/v0.1');
    
    my $req = HTTP::Request->new( $method, $url, $objHeader );

    my $resp = $ua->request($req);

    given ($resp->code ) {
        when (206) {
            say "Response Status Code: " . $resp->status_line;
            say "Web Server Seems Vulnerable to Apache Range Header DoS Vulnerability";
        }
        when (301) {
            say "Redirect Present.  Potential False Positive";
            say "Retry request against: " . $resp->header('Location');
        }
        when (302) {
            say "Redirect Present.  Potential False Positive";
            say "Retry request against: " . $resp->header('Location');
        }
        when (307) {
            say "Redirect Present.  Potential False Positive";
            say "Retry request against: " . $resp->header('Location');
        }
        when (403) {
            say $resp->status_line;
            say "This is not an expected response code at this time."
            }
        when (404) {
            say $resp->status_line;
            say "This is not an expected response code."
            }
        when (405) {
            say $resp->status_line;
            say "HTTP Method HEAD is not permitted.";
            say "This is overkill!";
            }
        when (501) {
            say $resp->status_line;
            say "HTTP Method HEAD is not implemented.";
            say "This is overkill!";
            }
        default {
            say $resp->status_line;
            }
        }

Posted by Chris Mahns at 10:02 AM in apache, perl, security, tools | Permalink | Comments (1) | TrackBack (0)

08/11/2011

New iTerm 2 Beta Released Today

There's a nice new iTerm2 beta out today: iTerm2-1_0_0_20110810.zip

Changes in this release (reprinted from the announcement page):

Major New Features

  • Add support for loading prefs from a custom folder (e.g., Dropbox) or URL. This makes it easy to share a config between multiple machines or people.
  • Add auto logging of sessions. When enabled (per-profile), all input received from the host in a session is saved to a file tagged with the window, tag, and pane number, plus the time and date of initiation.
  • Add "find cursor" feature (cmd-/) that highlights the cursor location. Useful when you have a huge terminal, this makes it easy to quickly find a lost cursor. If activated with the shortcut cmd-/, continuing to hold cmd will keep the highlighting active.

Enhancements

  • For new users, we now hide the tab bar in fullscreen by default (otherwise, use cmd-shift-t to toggle it).
  • Draw a dotted line around maximized sessions.
  • You can toggle send input to all tabs/panes by re-pressing the keystroke that got you into that mode.
  • Add escape code to steal focus: ESC ]50;StealFocus^G (thanks, gordolio).
  • Add support for multiple saved window arrangements.
  • Add "bottom of screen" window style (thanks, melbic).
  • Add decimal <-> hex conversion to right-click context menu when a number is selected.

Bug Fixes

  • Changes to tab appearance take effect immediately.
  • Fix bug where a white rectangle briefly appears in Lion when opening a new tab.
  • Fix crash due to assertion in setDirtyFromX:Y:toX:Y:
  • Fix bug where fullscreen hotkey windows on Lion tried to use Lion fullscreen.
  • Fix bug where tall windows weren't restored properly.

Posted by Chris Mahns at 9:06 AM in iterm2, tools | Permalink | Comments (0) | TrackBack (0)

Next »