Exploit Pack, Abyss Walker, is an exploit toolkit for Red Team style penetration tests.  A free version of the exploit pack is available as a demo; however, it's fairly crippled.  The paid versions carry many more exploit packs and boast 33,000 exploits total.  The entry version runs about $155 USD.

The exploit pack is written in Java.  Abyss Walker is reminiscent of Metasploit in its extensibility.  Unlike some popular exploit packs, Abyss Walker is full-featured and includes discovery tools, reconnaissance tools, and RATs.  Due to the rich feature set it will take you some time to learn, but to help, the author(s) provide links to videos, and you can Google your own, of course.  Some of these exploit packs are difficult to learn; great pentesters don't necessarily make the best UX designers, but the UI here looks comparatively well thought out.  Looking forward to exploring the videos and this software further.

Note the author is presenting the exploit pack at Black Hat USA 2015, Arsenal | Exploit Pack.

Popcorn Time is a streaming movie player similar to Netflix and Vudu.  Like its big brothers, Popcorn Time is easy to use, but unlike its big brothers, it's free.  I covered Popcorn Time's run-in with the movie industry in two posts last year.  Apparently Popcorn Time is back for more bludgeoning.
Previous Popcorn Time Posts
I checked in some minor improvements for DeepViolet.  DeepViolet is now packaged in a couple of different ways so you can quickly try it yourself.  One executable runs DeepViolet from a UI for fast spot checks.  The other runs DeepViolet headless from the command line and is useful in *NIX scripting environments.

Executable to Run DeepViolet From UI (DOWNLOAD dvUI.jar)
A new jar archive has been added, dvUI.jar.  To get up and running quickly, make sure you have Java 1.8 installed, download dvUI.jar to your desktop, and double-click it; DeepViolet's interface will display.  Alternatively, you can start the DeepViolet UI from the command line like this…
java -jar dvUI.jar
Photo: DeepViolet UI example
Executable to Run DeepViolet from the Command Line (DOWNLOAD dvCMD.jar)
Don't care much for user interfaces and prefer to script everything you do?  No problem.  DeepViolet can be run headless from the command line.  To run it, do something like this…

java -jar dvCMD.jar -serverurl https://test.com/

Photo: DeepViolet command line example

Here the value of the serverurl parameter is the server you want to test.

If anyone knows of any open source projects to process ASN.1 data types, send me a note.  I rolled my own code to process the common object types I encountered, based mostly on reverse engineering and the scarce documentation I could find.
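For readers wondering what "processing ASN.1 data types" involves when a TLS scanner pulls a certificate apart, here is a minimal DER tag-length-value decoder. It is an added illustration for this post, not DeepViolet's own code; the SAMPLE bytes are constructed by hand (an RSA AlgorithmIdentifier-style SEQUENCE), and the decoder rejects the BER indefinite-length form and elements whose declared length overruns their container, both of which a scanner handling untrusted certificates has to check.

```python
# Universal tag numbers named in the output; anything else is reported numerically.
TAG_NAMES = {2: "INTEGER", 4: "OCTET STRING", 5: "NULL", 6: "OID", 16: "SEQUENCE", 17: "SET"}

def read_length(buf, pos):
    """Return (length, next offset). Short form: one byte < 0x80. Long form: 0x80|n
    then n big-endian bytes. A bare 0x80 (indefinite length) is BER, not DER: rejected."""
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or pos + n > len(buf):
        raise ValueError("indefinite or truncated length at offset %d" % (pos - 1))
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_oid(body):
    """Dotted OID: byte 0 packs arcs 1-2 as 40*a1+a2; the rest are base-128 arcs."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear means last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode(buf, pos=0, end=None):
    """Decode each TLV in buf[pos:end] to (type name, value); constructed types recurse."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        tag_byte = buf[pos]
        if tag_byte & 0x1F == 0x1F:  # high-tag-number form; not needed for X.509
            raise ValueError("multi-byte tag at offset %d not supported" % pos)
        length, pos = read_length(buf, pos + 1)
        if pos + length > end:       # length field claims more bytes than the container has
            raise ValueError("element overruns its container at offset %d" % pos)
        tag, body = tag_byte & 0x1F, buf[pos:pos + length]
        name = TAG_NAMES.get(tag, "TAG%d" % tag)
        if tag_byte & 0x20:          # constructed: value is a list of children
            out.append((name, decode(buf, pos, pos + length)))
        elif tag == 2:
            out.append((name, int.from_bytes(body, "big", signed=True)))
        elif tag == 6:
            out.append((name, decode_oid(body)))
        else:
            out.append((name, body))
        pos += length
    return out

# Constructed sample, not a real certificate: SEQUENCE { INTEGER 65537, OID rsaEncryption, NULL }
SAMPLE = bytes.fromhex("3012" "0203010001" "06092a864886f70d010101" "0500")
```

Feeding the DER body of a real certificate (the bytes between the PEM markers, base64-decoded) to decode() yields the nested SEQUENCE structure that X.509 fields are read from.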

For more information about DeepViolet refer to the original blog post or project code on GitHub.  Enjoy!

In a previous post I introduced the new OWASP Security Logging Project.  The project is fresh out of the oven.  At the time there was mostly boilerplate text on the wiki and few breadcrumbs for visitors to understand the project or its benefits.  Since then we have published some project background; for the full background on the OWASP Security Logging Project see the project's "Roadmap & Getting Involved" page.

A number of powerful logging technologies are available.  The challenge with popular logging frameworks is that they focus mostly on diagnostics, while security and audit logging are mostly an afterthought.  Most developers that require security and audit logging extend popular logging frameworks for their own purposes, often with inconsistent results.  Following are a few of the larger obstacles we considered when adopting popular logging frameworks for security and audit logging.

Logging platforms are use-case agnostic
Popular logging platform designers are interested in developing platforms that are most useful to the widest possible audience.  As such, it's not clear to developers who use these frameworks how they should be used for security or auditing.  For instance, if you're logging an access failure, should the message level be WARNING or INFO?  The point is that a system written from a software diagnostics perspective is not necessarily intuitive for use in security and auditing.  Log quality often varies from deployment to deployment, since it is left up to each application designer to implement these use-cases on their own.  Sometimes these logs are of little benefit for security or auditing and, even worse, sometimes the logs provide sensitive information attackers find helpful.

Logging is a non-functional requirement
By non-functional requirement I mean that logging is seldom a feature the Software Development VP mandates be included on the project's schedule.  Logging is something developers need when "fit hits the sham".  Comprehensive logs are tools application designers need to do a better job, but they are not generally the focus of a project effort.

Lack of domain expertise
Security and audit logs have a wider audience than diagnostic logs.  Consider for a moment that software diagnostic logs are useful to application designers, whereas security and audit logs are likely more useful to the business units.  Even if software developers are fortunate enough to receive some time on the schedule to build the application logging system, development may not have the required skills to build such a system.  Last but not least, lose a diagnostic message and it's irritating.  Lose your audit log or log the wrong information and someone receives a permanent unpaid vacation, company fines, or worse, jail.

Why are we doing this?  We see some room for improvement in security and audit logging for our applications.  The OWASP Security Logging Project is planning a combination of software and documentation, building upon popular frameworks, to guide the development community toward improving the quality of software logs.  If you're interested in participating or learning more about the project, take a look at the project wiki.
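To make the "WARNING or INFO?" problem concrete, here is one way an application can emit audit events that do not depend on diagnostic log levels at all. This is an added example written for this post, not code from the OWASP Security Logging Project: the event kind and outcome are explicit fields, every record has the same shape regardless of deployment, and fields known to be sensitive are masked before the line is written (the SENSITIVE_KEYS list and the card-number pattern are assumptions for the demo).

```python
import json, logging, re
from datetime import datetime, timezone

# Fields that must never reach a log file, whatever the event; masked rather than dropped,
# so the analyst can still see the field was present.  Demo list, extend for your app.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "ssn"}
CARD_RE = re.compile(r"\b\d{13,19}\b")  # crude PAN detector for free-text string values

class AuditLogger:
    """Emits security/audit events as one JSON object per line on a dedicated
    'audit' logger, independent of the diagnostic log level the app uses elsewhere."""

    def __init__(self, app, logger=None):
        self.app = app
        self.log = logger or logging.getLogger("audit")

    def _scrub(self, value):
        if isinstance(value, dict):
            return {k: ("***" if k.lower() in SENSITIVE_KEYS else self._scrub(v))
                    for k, v in value.items()}
        if isinstance(value, list):
            return [self._scrub(v) for v in value]
        if isinstance(value, str):
            return CARD_RE.sub("[PAN]", value)
        return value

    def event(self, kind, outcome, actor, **fields):
        """Build and emit one record.  Event kind and outcome are explicit fields, so a
        reader never has to guess whether a WARNING meant a security failure."""
        record = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "app": self.app, "event": kind, "outcome": outcome,
            "actor": actor, **self._scrub(fields),
        }
        line = json.dumps(record, sort_keys=True)
        self.log.info(line)   # always INFO on the audit channel; triage keys off "outcome"
        return record

# Constructed sample usage: a failed login whose submitted password must not be logged
if __name__ == "__main__":
    logging.basicConfig(format="%(message)s", level=logging.INFO)
    audit = AuditLogger("webshop")
    audit.event("authn", "failure", "alice", ip="192.0.2.10", reason="bad_password", password="hunter2")
```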

What the hell is security forensics holiday humor?  If you're up for a distraction, you need to see for yourself.  The following information comes from Kyle Wilhoit (Twitter: @lowcalspam).

Do the following and watch the results.

On *nix or OS X…
traceroute xmas.futile.net

On Windows…
tracert xmas.futile.net

The photo shows part of the output.  Enjoy!