In the aftermath of the Debian SSH Keys issue, at least there’s a lighter side…
There’s some good analysis, predictable PRNG toys and more funny pictures from HD Moore.
This auxiliary module for Metasploit performs a simple HTTP GET or POST and returns whatever comes back, be it a file, an error page, or anything else the server sends.
Get it here: Metasploit Simple HTTP
Rename the file to .rb and put it in the auxiliary modules directory of your Metasploit installation.
If you need a PUT example, Carnal0wnage has a good module on his blog.
Paros is a great little tool; however, it can leave traces of its use through its User-Agent header, because it appends Paros/x.x.x to the end of the UA, where x.x.x is the version. This can cause problems, some of which (along with this fix) are detailed at Security Ripcord and Armor.
To remove this, download the source and edit line 80 of Constant.java from
public static final String USER_AGENT = PROGRAM_NAME + "/" + PROGRAM_VERSION;
to
public static final String USER_AGENT = "";
and recompile.
This should remove the obvious traces, although note that a completely empty User-Agent is itself unusual in server logs; setting the constant to a common browser UA string instead is less conspicuous.
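For the detection side of the same trace, here is an added example (my code, not part of the original post and not Paros code): a small Python scanner over Apache combined-format log lines that flags any request whose User-Agent ends in the Paros/x.x.x suffix, plus a check for empty User-Agents, since a client that sends no UA string at all stands out in logs in its own way. The log lines, IP addresses and version number are constructed for the example and are not real server data.

```python
import re
from typing import List, Optional, Tuple

# Paros appends "Paros/<version>" to the END of its User-Agent header, so the
# trace is a UA whose final token is that string. The pattern is anchored there;
# "Paros/3.2.13 Mozilla/4.0" would not match, which is what we want.
PAROS_UA_RE = re.compile(r"\bParos/\d+(?:\.\d+)*$")

# Apache/nginx combined log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not from any real server): two requests from an
# unmodified Paros, one ordinary browser, and one client sending an empty
# User-Agent, which is what the Constant.java edit above produces.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2008:14:02:11 +0100] "GET /login HTTP/1.1" 200 1532 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Paros/3.2.13"',
    '198.51.100.7 - - [10/Jun/2008:14:02:14 +0100] "GET /admin/ HTTP/1.1" 403 287 '
    '"http://example.test/login" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Paros/3.2.13"',
    '192.0.2.44 - - [10/Jun/2008:14:03:01 +0100] "GET /index.html HTTP/1.1" 200 4120 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"',
    '203.0.113.9 - - [10/Jun/2008:14:05:40 +0100] "GET /login HTTP/1.1" 200 1532 "-" ""',
]


def parse(line: str) -> Optional[dict]:
    """Split one combined-format line into its named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def paros_hits(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, request, user_agent) for every line whose UA carries the Paros suffix."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and PAROS_UA_RE.search(rec["ua"]):
            hits.append((rec["ip"], rec["request"], rec["ua"]))
    return hits


def blank_ua_hits(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ip, request) for every line whose User-Agent is completely empty."""
    out = []
    for line in lines:
        rec = parse(line)
        if rec and rec["ua"] == "":
            out.append((rec["ip"], rec["request"]))
    return out


if __name__ == "__main__":
    for ip, req, ua in paros_hits(SAMPLE_LOG):
        print(f"Paros trace from {ip}: {req} [{ua}]")
    for ip, req in blank_ua_hits(SAMPLE_LOG):
        print(f"Empty User-Agent from {ip}: {req}")
```

The two detectors together make the point of the fix: stripping the suffix removes the obvious Paros signature, but an empty UA is still a distinct, easily queried property of a request, so a browser-like string is the quieter choice.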
I received my PinSentry from a certain UK High Street bank today, and so far I don’t see where it’s going. This device, produced by Gemalto (http://www.gemalto.com//press/archives/2007/04-18-2007-Barclays.pdf), provides two-factor authentication using a customer’s ‘Chip and PIN’ card.
This doesn’t really change anything, as the numbers generated by the device (at least in identify mode) can be created one by one offline, written down and then later used sequentially. I’ve seen enough people with PINs on Post-its attached to their cards to know that it won’t be long before the notes also contain PinSentry numbers. FaultyFlipper has some good discussion of people’s feelings towards the devices, as well as the reasons they may have been introduced.
I’ve had a quick look at the numbers generated, and they seem to follow a sequential pattern of random increments. A very quick phase-space analysis of one hundred numbers from the device shows no discernible patterns, but more numbers are needed to carry this out thoroughly.
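To make the phase-space analysis mentioned above concrete, here is an added example (my code, not the post author’s, and not run against real PinSentry output). It takes a constructed sequence of codes that rise by random-looking amounts, computes the increments, delay-embeds them into 3-D points in the usual strobe/phase-space way, and applies a coarse clustering check. The SAMPLE_CODES values, the LINEAR_CODES comparison sequence and the bucket size are assumptions for illustration only.

```python
from typing import List, Tuple

# Constructed sample: NOT real PinSentry codes. Eight-digit values that rise by
# a random-looking amount each time, i.e. a "sequential pattern of random
# increments" of the kind described in the post.
SAMPLE_CODES = [
    10482931, 10483610, 10485077, 10485302,
    10487961, 10488417, 10490236, 10491004,
]

# A deliberately predictable comparison sequence (constant step) to show what
# structure looks like under the same test.
LINEAR_CODES = [0, 100, 200, 300, 400, 500]


def increments(codes: List[int]) -> List[int]:
    """First differences: code[i+1] - code[i]."""
    return [b - a for a, b in zip(codes, codes[1:])]


def is_monotone(codes: List[int]) -> bool:
    """True if every code is strictly larger than the one before it."""
    return all(d > 0 for d in increments(codes))


def phase_space(codes: List[int], dim: int = 3) -> List[Tuple[int, ...]]:
    """Delay-embed the increment sequence: each point is `dim` consecutive increments.

    This is the strobe/phase-space construction used for TCP ISN analysis: a
    diffuse cloud suggests no simple relation between successive steps, while
    lines, planes or tight clusters mean the next step is constrained by the
    previous ones.
    """
    d = increments(codes)
    return [tuple(d[i:i + dim]) for i in range(len(d) - dim + 1)]


def distinct_bucket_ratio(points: List[Tuple[int, ...]], bucket: int) -> float:
    """Fraction of points landing in distinct cells once each axis is quantised
    into `bucket`-wide cells. Near 1.0 means no coarse clustering; well below
    1.0 means points pile up in a few cells and deserve a closer look.
    """
    cells = {tuple(c // bucket for c in p) for p in points}
    return len(cells) / len(points)


if __name__ == "__main__":
    for name, codes in (("sample", SAMPLE_CODES), ("linear", LINEAR_CODES)):
        pts = phase_space(codes)
        print(name, "monotone:", is_monotone(codes),
              "increments:", increments(codes),
              "distinct-cell ratio:", round(distinct_bucket_ratio(pts, 500), 3))
```

With only a hundred codes (and therefore fewer than a hundred embedded points) this is a screening test, not proof of anything: a genuinely unstructured generator will still start producing collisions in coarse cells as the point count grows, so the ratio must be read against the number of points and the bucket size, and a visual plot of the embedded points is the usual next step.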
If anyone is interested in sample output from the device, I can supply the numbers I have used for testing. Likewise if you’d like to supply me with some numbers (and not any personal details) let me know.