Recently in Videos Category

SQL Injection with sqlmap


One of the questions that we get on a regular basis is "Are there any good tools for SQL Injection?"

There are a number of great tools that do this commercially like Core Impact and Cenzic Hailstorm. However, many tools will simply alert you that a SQL Injection vulnerability exists then leave it at that.

We are penetration testers so proof is kind of important. Simply stating that you found a SQL injection vulnerability because your tool said so is not enough.

To that end, I would like to introduce you to sqlmap.

First up, I would like to say thanks to the developers Bernardo Damele A. G. and Daniele Bellucci.

Now I would like to show you a short video of the tool.

Why does this tool rock?

Glad you asked.

First, it has the ability to process results from Burp Suite and WebScarab with the -l option:

Like..

# ./sqlmap.py -l /tmp/webscarab.log/conversations/

It also has the ability to automatically dump data. For example, it can dump the database version and the tables in the database.

To do this you would use the --dump-all switch like:

# ./sqlmap.py --dump-all -u "testurl.com"

Next, it has the ability to use Google dork search strings. Yep, that's right, Google dorking and SQL Injection... Honestly, does it get any better?

# ./sqlmap.py --dump-all -g "site:testsite.com ext:php"

The above command uses a Google search to find every indexed page on the site with a .php extension. Once sqlmap has a nice list of targets, it tries to attack them.

Finally, and in my humble opinion most importantly, it can get you a SQL shell.

To do this use the --sql-shell option and it will try to give you a shell.

# ./sqlmap.py --sql-shell -g "site:testsite.com ext:php"

[image: borat-high-five.jpg]

Very nice!!!

Once again, I want to drive home the importance of proof. Our job as testers is to demonstrate risk. To do that we need to act like a threat and interact with a vulnerability. Simply stating that a tool said there is a vulnerability is not enough. Also, we should be after what the attackers are after.... Data! What better place to get data than a SQL database?

strandjs
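To show what sqlmap is actually probing for, here is an added example (not code from the post or from the sqlmap project): the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database seeded with constructed rows. The usernames are made up; nothing comes from a real system.

```python
"""Added example (not from the post or the sqlmap project): the bug class
sqlmap exercises, shown side by side with the fix.  Runs against an
in-memory SQLite database seeded with constructed rows."""
import sqlite3

# Constructed sample users; nothing here comes from a real system.
SEED_USERS = ["alice", "bob", "carol"]


def make_db():
    """Create and seed an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [(u,) for u in SEED_USERS])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation.  A quote in the input
    becomes part of the SQL text and changes the query's structure; that
    structural change (or the syntax error it causes) is the signal sqlmap
    looks for before it starts pulling data."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the driver binds the input as a value, so the query's
    structure is fixed no matter what the string contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run one input through both lookups; returns (vulnerable, parameterized)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ["bob", "x' OR '1'='1"]:
        vuln, fixed = compare(probe)
        print(f"{probe!r:20} vulnerable -> {vuln}  parameterized -> {fixed}")
```

The parameterized lookup treats the whole string as a username and simply finds no match, which is the behaviour a developer wants and the reason the fix is "bind the value" rather than "filter the quotes". Feeding the vulnerable function an unbalanced quote raises sqlite3.OperationalError instead of returning rows; that database error leaking into a response is the cheap indicator both a scanner and a log reviewer key on.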

We have been promising for a few weeks a write-up on SSLStrip, and now we have finished it!!!!

SSLStrip from John Strand on Vimeo.

SSLStrip basically strips the SSL session between the attacker and the victim. This allows the attacker (or tester) to see all of the data that is being sent to the user in clear text. As far as the server is concerned it is a valid encrypted session.

There are a few interesting things going on with this attack. First, from a pen-test perspective it shows even more clearly how dangerous man-in-the-middle attacks are when leveraged correctly. Funny thing about that... ARP cache poisoning is just as effective as it was 5 years ago. It is getting clearer and clearer to me that if an attacker gets access to an internal network it is pretty close to being over. So if you are doing pen-testing and you don't Man in the Middle... get on board and start doing it.

Now for the second issue: user training. We tell our users that they need to be careful not to click on links from strangers and to be careful about which websites they should not go to, but we rarely demonstrate that risk. Why do organizations do pen-tests? They do it to demonstrate risk. Otherwise they tend to do nothing. Is there any reason why we would expect anything less from our users? The reason I bring this up is that when we do user education we really need to be doing some live demonstrations. For example, we need to demonstrate a browser being compromised. We can also use tools like SSLStrip to demonstrate why HTTPS is so important. We can also use tools like Web Monkey in the Middle (webmitm) from dsniff to demonstrate why those certificate pop-ups are kind of important. I know I am tilting at windmills with user education. Just a hopeless romantic I guess.

strandjs

Hack Naked TV - Episode 2 - Office 2007 Metadata Extraction


Learn some command line kung fu tricks on how to extract useful metadata from Office 2007 XML documents.


Hack Naked TV - Episode 2 - Office 2007 Metadata from PaulDotCom on Vimeo.

Hosts: Larry "HaxorTheMatrix" Pesce (Voice), Paul Asadoorian (Editing & Command Line)

Email: psw@pauldotcom.com


Hack Naked TV - Episode 1 - Sim Card Reader


Larry shows you how to build a SIM card reader and use software to read the contents of SIM cards.


Hack Naked TV - Episode 1 - SIM Card Information Gathering from PaulDotCom on Vimeo.

Hosts: Larry "HaxorTheMatrix" Pesce

Email: psw@pauldotcom.com


PaulDotCom TV: The Making Of The Shmooball Cannon


Larry did a fantastic job with the Shmooball Cannon; it was featured on Make Magazine and Hack A Day. It was such a huge success that we produced a video detailing how it was made, including several takes of Paul getting shot:


This video will also be added to our video feed and our YouTube channel:



YouTube: PaulDotCom YouTube Channel.

Look for more videos to come!

PaulDotCom

All:

Coming soon, we'll be showing you how the 2008 Shmooball launcher goes together and operates. We even get to fire it a few times. Here's a tease of how we made out.

This video has also been added to our video feed and our YouTube channel


YouTube: PaulDotCom YouTube Channel.

Look for more videos to come!

- Larry aka haxorthematrix

PaulDotCom TV - Video Feed Update


The PaulDotCom TV video feed lives on! I just know that everyone was dying to have the latest videos from PaulDotCom available on your iPods and iPhones, so I've updated the feed with the latest four spectacular videos from the PaulDotCom crew. They include:

  • Make the Switch: Danny - Larry and I were talking one day last week about the number of listeners that have given us much of the same feedback. They all stated something along the lines of, "I used to listen to Security Now!, but now I listen to PaulDotCom Security Weekly". So, on the last podcast we asked real listeners to record their own switch commercials (audio only). I've added a bit of flavor (thanks to iMovie) and created this video of our first submission (Thanks Danny!).
  • Set Your Router On Fire! SANS SEC 535 - We have created a promotion video for the SANS course I authored called "SEC535 - Network Security Projects Using Hacked Wireless Routers". Sign up for this course today!
  • The Destruction Files - Paul & Larry have some fun busting up some old computer equipment. Sun monitor, take 2, network sniffer, and a Cisco switch all fall victim to Paul's new sledge...
  • Where's Twitchy? - So many of you have written to ask us the age old question, "Where's Twitchy?". This video provides you with the answer...


All of these videos are also available on our PaulDotCom YouTube Site. Look for more videos to come!

PaulDotCom

SEC535 - "Set Your Router On Fire" Video


All:

We have created a promotion video for the SANS course I authored called "SEC535 - Network Security Projects Using Hacked Wireless Routers":

Sign up for this course today:

SANS Orlando (comes with your very own copy of Linksys WRT54G Ultimate Hacking by Paul Asadoorian and Larry Pesce!)

If you are interested in this course and cannot attend the Orlando conference please contact me (paul /at/ pauldotcom.com) for more information.

PaulDotCom

PaulDotCom Switch Commercial - Danny


Larry and I were talking one day last week about the number of listeners that have given us much of the same feedback. They all stated something along the lines of, "I used to listen to Security Now!, but now I listen to PaulDotCom Security Weekly". So, on the last podcast we asked real listeners to record their own switch commercials (audio only). I've added a bit of flavor (thanks to iMovie) and created a YouTube video of our first submission (Thanks Danny!):

Enjoy! And keep those submissions coming as we reward with fabulous prizes!

PaulDotCom

In this episode of PaulDotCom Security Weekly TV, we show the implantation of Larry's RFID chip.

This video may be disturbing to some viewers, due to the implantation procedure. Please, don't try this at home (even though we did). We are trained professionals!

At this time there are no Show Notes for this episode.

Enjoy! - Larry