Tuesday, August 07, 2007

Defon 15 presentation now online

"Beyond Vulnerability Scanning - Extrusion and Exploitability Scanning" is now online at http://www.eescan.net/downloads/DC15.pdf.

Many thanks to all who attended. Please feel free to send any feedback to:

Matt Richard - Extrusion and Exploitability Scanning
mrichard@verisign.com
matt.richard@gmail.com
or

Fred Doyle - Risk Metrics
fdoyle@verisign.com

Labels:

posted by Matt Richard @ 11:42 PM   0 Comments

Thursday, July 26, 2007

New Twists for HTML Obfuscation in EEscan

Update 8/7/2007 - Please see www.eescan.net for additional details.

I've just finished coding up some new HTML obfuscation modules for eescan. The exploitability tests in eescan will use these obfuscators to probe for

Here are some of the obfuscators that work right now:
  • gzip
  • deflate
  • chunked
  • MPack XOR javascript encoder
  • MPack cryptor 4-pass javascript encoder
  • AJAX
  • SSL
  • HTTP over port 443
  • SSL over port 80
  • arbitrary combinations like AJAX->Mpack->gzip->chunked->SSL->port 80
My favorite so far is AJAX which breaks up the target html into a random number of arbitrary chunks, downloads each using a synchronous request, reassembles them and then eval()'s the code.

Initial testing of the Ajax modules is yielding great results against network based IDS/IPS, so-so results against proxies and good results against desktop AV/IPS suites.

Labels:

posted by Matt Richard @ 11:36 AM   1 Comments