OWASP European Summit 2008

With the theme ‘Setting the AppSec agenda for 2009′, the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends.

I will be participating in the summit presenting the project WebSlayer, the web application brute forcer. Here you can find the WebSlayer site at OWASP. Also i will participate in some working sessions about OWASP Top Ten 2009, Tools Projects, OWASP Certification and OWASP Live CD.

The summit will be held at Algarve Portugal, i never been there but it seems a beautiful place.

It will be a huge event, with a lot of interesting talks and sessions to attend, i hope to meet some interesting people to exchange ideas.

If you will be there and want to have a beer, drop me a line.


EnDe - Complete web Encoder Decoder

Always in a web application analysis you end up looking for a fast way to convert/encode/decode/transform a string or a piece of text; there are a lot of online encoders/decoders but they are very specific, if you want a one stop with all you can need, enter EnDE. 

I came across EnDe in the OWASP Project page, it is described as:

"Encoder, Decoder, Converter, Transformer, Calculator, for various codings used in the wild wide web"

That's for sure, it has an extensive list of encoders, decoders, hashes, encryption, also you can transform dates, create regexp in different languages.

You can check EnDe in the OWASP page or in the tool website 


Cheat sheets

Here are some interesting cheat sheets that people posted in the Pentest mailing list:

Networking cheat sheets: 

  • Protocols: Spanning Tree, Ipv6, Ipv5, OSPF, EIGRP, BGP
  • Applications: Tcpdump, Wireshark
  • Reference: Common ports, IP access lists, Subnetting
  • Technologies: MPLS, QoS, Vlans, IOS version

Linux-Unix Command Line sheets:

The name says all.


Here are very good quality cheatsheets, this site used to be "IloveJackeDaniels".

  • Regular expressions
  • Subversion
  • CSS
  • PHP
  • Mod_rewrite
  • HTML
  • Ruby on rails
  • ASP/VBScript
  • Mysql
  • Etc

The rest:

A very big collection of many cheat sheets, you can find things like:

  • Jquery
  • JSP
  • Java
  • Firefox
  • Coldfusion
  • htacces
  • Gimp
  • Django
  • mod_rewrite
  • Mysql
  • Oracle
  • Perl
  • Python
  • Ruby
  • Sendmail
  • Solaris
  • SSI
  • Sybase
  • UML
  • Vim
  • XML
  • XSS
  • etc.

Setting Vmware to trick Malware

Here are some configuration options for VMware that can be useful to thwart some malware
when they check for virtual machine presence. It's not going to fool all malware but
there are a lot that will fall.  So fire up your text editor and add this lines to your virtual machine VMX file:

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"

With this configuration you can trick most VM detections like RedPill, Scoopy checks and other techniques.

Becareful with this configuration because will break the communication channel, thus nullifying the VMtools.

This configuration was provided by Ed Skoudis and Tom Liston in their document "Thwarting Virtual Machine Detection"

If you have another trick please share it here :)


OWASP Spain Chapter Meeting

The next 21 of November i will be participating as speaker in the OWASP Spain Chapter Meeting, i will give a talk about Information Gathering, the key point of the presentation is to show new techniques on how you can gather interesting information about a target (individual or company) and how can you use it in a penetration test. I will talk about my tools, and some online sites that provide interesting information.

If you want to join us, remember the 21 of November, place IL3 - Institute for LifeLong Learning (Universitat de Barcelona)
Link: Owasp

Metagoofil in Toorcon

The last week Chris Gates from carnalOwnage gave a talk in Toorcon about Information Gathering called "New School Information Gathering" in his talk he speak about Metagoofil, and how you can use it on getting information from the metadata of public documents.

I liked the presentation, and i think that Chris did a good job putting everything together

If you want to get the presentation get it here: http://www.carnal0wnage.com/research/Carnal-NewSchool-ToorconX.pdf


Displaying Windows cached DNS entries

This is a super fast post, here is an interesting command for checking the cached DNS entries in a Windows system:

c:>ipconfig /displaydns

Nombre de registro . : slashdot.org
Tipo de registro . . : 1
Período de vida . . . : 2117
Longitud de datos . . : 4
Sección . . . . . . . : respuesta
Un registro (host). . :

This could be useful when analyzing malware or doing forensic analysis


Yaptest - Automating Pentesting tasks

I was reading my rss feeds and i stumble across "Yaptest", a tool that aims to make it easy for a pentester to automate parts of testing on the fly. In the tool website the author gives some examples like:
  • Run nikto on anything nmap thinks is an HTTP service
  • Run hydra on every host with TCP port 21 open
  • Attempt upload a file to any TFTP servers found
  • Run onesixtyone on all hosts that are up
  • Try metasploit's solaris_kcms_readfile exploit against any hosts running kcmsd
Im thinking right now in thousand of more uses.  I like this kind of tools oriented in the automation of tedious work,  boosting productivity and cutting time from assessment projects.

Now there is a Yaptest front end, and it look amazing:

The tools is developed in perl and the frontend in Ruby. I'm not too fan of perl, but i will give a try to the tool asap.


Ecrime - New mafias

This time my partner Vicente gave a great talk about the Cyber Mafias in the FIST Conference. Tha talk was an overview on how they operate, the money they manage, and some techniques they use.

It's a very interesting talk for everybody, because it's not a topic that you can find much information about..

The presentation is more interesting with Vicente's speech and comments, but you can download the presentation from the FIST Conference page, or from here Edge-Security site.