
July 4th, 2008

New Open Source Forensics GUI

The guys over at Professional Security Testers recently posted about a new open source forensics tool named PTK. It’s an updated front end for Sleuth Kit that could possibly replace the current interface, Autopsy, which has been getting pretty stale. Autopsy is pretty good, but I’ve found that if you know what you’re looking for, the Sleuth Kit CLI and a couple of scripts to automate case creation are often faster. PTK claims many improvements over Autopsy:

* Indexing Engine
  - String Extraction
    o Allocated, Unallocated, Slack Space
    o Live Search
  - File Categorization
    o File signature analysis
    o File extension mismatch
  - Auto Data Carving
    o Customizable file signature
  - Hash Set Manager

* Advanced Timeline
* Gallery View
* Advanced Keyword Search
* Bookmarking Section
* Multi Investigator System
* Incident Response Mode
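As an added illustration of the “file signature analysis / file extension mismatch” check from PTK’s feature list (example code written here, not PTK’s), a small magic-byte table and a classifier run over constructed sample files:

```python
# Added example (not PTK code): flag files whose leading bytes contradict their
# extension, the "file signature analysis / extension mismatch" check PTK lists.
import os

# Magic bytes: (offset, signature, extensions that legitimately carry it).
SIGNATURES = [
    (0, b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (0, b"\x89PNG\r\n\x1a\n", {"png"}),
    (0, b"GIF89a", {"gif"}),
    (0, b"%PDF-", {"pdf"}),
    (0, b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt"}),
    (0, b"\x7fELF", {"elf", "so", "out", ""}),   # "" = no extension (unix binaries)
    (0, b"MZ", {"exe", "dll", "sys"}),
    (8, b"WAVE", {"wav"}),   # RIFF containers carry the type tag at offset 8
    (8, b"AVI ", {"avi"}),
]

def identify(data):
    """Return the extension set whose signature matches, or None if no signature does."""
    for offset, magic, exts in SIGNATURES:
        if data[offset:offset + len(magic)] != magic:
            continue
        if offset == 8 and not data.startswith(b"RIFF"):
            continue      # a type tag without the RIFF header is not a RIFF file
        return exts
    return None

def check_file(name, data):
    """Classify one file as 'match', 'mismatch' or 'unknown' (no signature known)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    exts = identify(data)
    if exts is None:
        return "unknown"
    return "match" if ext in exts else "mismatch"

def find_mismatches(files):
    """files: {name: bytes}. Sorted names whose content contradicts the extension."""
    return sorted(n for n, d in files.items() if check_file(n, d) == "mismatch")

if __name__ == "__main__":
    # Constructed sample case: a JPEG renamed to .pdf, a real docx, an ELF with no extension.
    case = {
        "scan.pdf": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "memo.docx": b"PK\x03\x04" + b"\x00" * 20,
        "ls": b"\x7fELF\x02\x01\x01",
        "song.wav": b"RIFF\x00\x00\x00\x00WAVEfmt ",
    }
    print(find_mismatches(case))   # ['scan.pdf']
```

Files that come back “unknown” are the ones worth a manual look, since a renamed or headerless file hides from a pure extension sort.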

Looks pretty interesting. It doesn’t mention OSX support, but since TSK is supported on OSX, I’m hoping it will run there as well since it’s just a web interface. We used Autopsy and TSK a bit this weekend during CTF pre-quals, and an update is greatly appreciated. :)

PS — Recon, an entire convention focused on reverse engineering, is next weekend. If you can get to Montreal, you should check it out. It looks like there are a few interesting talks going on.

metasploit 3.1

Greetings from Tahoe. It looks like there is a new release of Metasploit out now. Among other things it includes a GUI, full Windows support, some new wifi fuzzing modules, a bunch of new exploits, and Scruby, a Ruby port of the awesome tool Scapy.

“Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research community” — HD Moore

Get some.

The great fuzz frenzy

Fuzzing is hot these days. I just ran across a neat idea/tool called FuzzMan recently (posted to full-disclosure I think). It takes a man page as input, and will fuzz input parameters based on what options it can parse from the man-page. The examples page shows the tool eliciting several segfaults in a known vulnerable version of sharutils.
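An added sketch of the FuzzMan idea (my code, not FuzzMan’s): pull the option flags out of a man page’s OPTIONS section, then turn each flag into argument-fuzzing cases for the program’s own parser. The man-page excerpt is constructed for the demo, and `run_case` is a hypothetical helper for running the cases against a binary you are testing.

```python
# Added FuzzMan-style example (not FuzzMan's code): man-page OPTIONS -> argument-fuzzing cases.
import re
import subprocess

# Constructed man-page excerpt, in the usual OPTIONS layout.
SAMPLE_MAN = """
OPTIONS
       -b, --bits=N
              Set the block size to N bits.
       -o FILE
       -v, --verbose
"""

# A flag (-x or --long-name), optionally followed by an uppercase argument placeholder.
OPT_RE = re.compile(r"(?<![\w-])(--?[A-Za-z][\w-]*)(?:[= ]([A-Z][A-Z_]*))?")

def parse_options(man_text):
    """Return sorted [(flag, takes_argument)] from option header lines."""
    section = man_text.split("OPTIONS", 1)[-1]
    opts = {}
    for line in section.splitlines():
        line = line.strip()
        if not line.startswith("-"):
            continue                                  # description text, not a header
        matches = OPT_RE.findall(line)
        takes_arg = any(arg for _, arg in matches)    # aliases on one line share the argument
        for flag, _ in matches:
            opts[flag] = opts.get(flag, False) or takes_arg
    return sorted(opts.items())

# Oversized value, printf-style directives, numeric boundaries, empty value.
PAYLOADS = ["A" * 5000, "%s%s%s%s", "-1", "0", "4294967295", ""]

def generate_cases(options):
    """Return argv tails: one per option/payload pair, plus bare and oversized-positional cases."""
    cases = []
    for flag, takes_arg in options:
        if takes_arg:
            for p in PAYLOADS:
                cases.append([f"{flag}={p}"] if flag.startswith("--") else [flag, p])
        else:
            cases.append([flag])
            cases.append([flag, "A" * 5000])
    return cases

def run_case(binary, argv_tail, timeout=5):
    """Run one case; a negative return code is the killing signal (-11 = SIGSEGV), None = hang."""
    try:
        return subprocess.run([binary, *argv_tail], capture_output=True, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        return None
```

Point `run_case` at a build of your own tool and log every case whose result is negative or None; those are the inputs to reproduce under a debugger.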

There is an article in the latest hackin9 magazine (the print version anyway) about fuzzing, which covers several different fuzzing tools as applied to their relevant layers. You should check out the hackin9 magazine if you haven’t already. It’s a pretty good read, and is much more technical than other security/hacking print publications. It is a little spendy though (probably partially because it’s translated and imported), but I think it’s worth it. This issue they started a hacking challenge which is included (among other things) on a CD.


Yea for google images.

VOIP security tool list

Here is a list of VOIP security tools that I found today whilst scouring my RSS feeds (sorry original poster, I lost the reference). There are different sections for different attacks, including sniffing tools, scanning and enumeration tools, VoIP packet creation and flooding tools, and the attack du jour, fuzzing tools. Looks like fun. :)

metasploit three finally released

The long awaited Metasploit 3.0 has been released. Here are some screenshots and demos of the latest version. Everything was rewritten in Ruby, and lots of new features were added. Some of the cool things are the meterpreter, irb, db_autopwn (best name ever), the latest wi-fi exploits and threaded attacks. Here are the download packages (the linked ones are for unix, but win32 is also available).

wyd

I guess today is “tools” day at MRL. Here is another tool I ran across recently that I think is useful. Wyd is a modular potential password generator that can generate a wordlist from multiple sources. For example you can dump a website and use that as input, or just scan a hard drive in a forensics case to find content for the list. It currently knows about a few different file types (html, .doc, .pdf, .ppt, etc.). I created a module for it that will scan jpg images for exif data that can be used as a source. I submitted it to the maintainers, so maybe it will end up in one of the next releases.

This week in MRL

Sorry for the lack of updates, we’ve been pretty busy with wicrawl and catching up with life after Toorcon and Security Opus. We had a great time at both conventions, and the presentations went well (at least I think they did, :).

We had a pretty great week so far for wicrawl. Our friend Eliot at HackADay.com posted on wicrawl and the toorcon presentation which he edited very well and posted the whole video on the new netscape video site. (Thanks Eliot, :)

We also got mentioned as the “tool of the week” from the very cool security podcast PaulDotCom.com. We met Twitchy and Joe at Toorcon, and I guess they actually remembered us afterwards, :). Anyway, give it a listen here, it’s worth putting on the podcast queue.

Also, we got a posting on Wi-Fi Net News, which I’ve linked to a few times in the past. If you’re keeping up on wi-fi developments, it’s a good blog to read (I’ve been reading it for a while now).

That’s it for now! Hope to see everyone Friday.

wicrawl updates

A few updates for wicrawl:

– First, we released a new package for wicrawl 0.3a that fixes some build issues in the previous release.

– I also added a new plugin based on pickupline which tries to bypass captive proxies by spoofing an already authenticated MAC/IP address pair.

– There is a new wicrawl-users mailing list for any wicrawl users. I expect it will be pretty low traffic, but if you have any questions, or if you just want updates, please feel free to subscribe.

Please let us know how it’s working for you, especially if you’re having any issues with it.

Thanks.

wicrawl release 0.2a

It’s finally here. wicrawl is finally being released in alpha. Officially we released it this weekend at Toorcon after my talk, but I’m just now getting around to posting the source (sorry for the delay). Let us know if you have any issues with it, or what you think of it. You can send mail directly to wicrawl-cvs [@] midnightresearch.com (you can also jump on #mrl on efnet). Thanks to the other developers who have worked hard on this, and also to anyone who came out to see my talk. Toorcon, as always, was a great time.

Wifitap

I just found a pretty interesting project called WifiTap. Basically it allows communication over a wifi network through traffic injection, so you’re not actually associated to the AP through the driver interface. Apparently you can actually route IP traffic over it and everything, like a “real” interface.

The reason this is cool for us is that it’s a step closer to the 2.0 framework for wicrawl and being able to multiplex access points over one card. It’s proof that a software-only stack for 802.11 works end to end without crazy firmware issues. A video of his presentation at Recon is available online.

Another cool thing I found out while checking out the presentation is that Scapy actually has packet classes for all of the different 802.11 management frames, etc.
