
Suggestions for security projects wanted

UNIX

Hero Member

Posts: 1254

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Jul 10, 2009 4:02 am

Suggestions for security projects wanted

Hey,
although I am already working on some smaller projects and help out at others, I would like to start and work regularly on one big project.

Currently I have no specific project in mind, only some basic conditions I would like to follow:

  • It should be related to penetration testing (on the offensive side) or reverse code engineering, as those are the topics I have most knowledge of and personal interest in
  • Free, nothing to pay for others
  • Although not necessary, it may be good if such a project is not available yet or at least not "good", e.g. I see no particular reason for me to write another Metasploit
  • It doesn't matter for me if it is something to program, automate, write, teach etc.

Some random thoughts and keywords I have in mind:

  • framework for pentesting report
  • setting up a lab environment
  • guides
  • vulnerable operating system, application, etc.
  • Some kind of CTF
  • some kind of training

Any suggestions or thoughts on this? Any help is much appreciated.
It is no problem if it is a bigger project. I see this not only as a chance to help others in one way or another, but also to learn more myself, get "known", etc., so it doesn't matter for me if it takes a lot of time until it is finished.

Looking forward to comments on this.
Last edited by UNIX on Fri Jul 10, 2009 4:59 am, edited 1 time in total.

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Fri Jul 10, 2009 10:08 am

Re: Suggestions for security projects wanted

Awesec,

I think this is admirable of you, I really struggle to find the time to do something in-depth.

Nothing is springing to mind at the moment, but if I think of anything I will drop you a line.

All the best with it though.
Dale

Phyr3Ph0x

Newbie

Posts: 10

Joined: Sun Jul 05, 2009 10:27 pm

Post Fri Jul 10, 2009 2:59 pm

Re: Suggestions for security projects wanted

Hiya.
I don't know if you've ever seen the De-ICE lab disks?
http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks#Level_1_2

They are a set of disks based on Slax that are configured to be used as pen-test targets.
You get very little info on what you need to do, and you hack them... Lots of fun, and they're damned hard too! (Especially for a noob like me ;) )

Having looked around, there don't seem to be many things like them, so more would be nice...

Regards,

`ph0x

UNIX

Hero Member

Posts: 1254

Joined: Mon Apr 28, 2008 9:20 am

Post Sat Jul 11, 2009 2:11 am

Re: Suggestions for security projects wanted

Thanks dalepearson. :)

I really like the mentioned De-ICE discs and already completed them some time ago. There are some similar projects I know of but probably one can't have enough of such simulations. I may consider this, thanks for your suggestion, Phyr3Ph0x. ;)

Any more suggestions are of course welcomed.

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Sat Jul 11, 2009 11:04 am

Re: Suggestions for security projects wanted

I've been toying with the idea of doing log cleaning tools for Solaris auditing logs in binary form.  The logs themselves don't seem so hard to clean, the harder part seems to be automating the location of ALL of your log entries and getting rid of them.  This is VERY time consuming in a manual fashion.  Of course if you can just clean the really damning stuff nobody is likely to even detect that an attack occurred, so maybe that is good enough.

Another place that I was looking at going was reverse engineering AV/firewall log file formats to create cleaning tools for these. The big problem there is that most of these are locked open by the AV program (in Windows) so you have to stop the service to clean, then restart (which invariably leaves a log message). Still better than leaving the details of your exploit behind though.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Jul 14, 2009 6:53 pm

Re: Suggestions for security projects wanted

I am working on setting up a CTF for our local DefCon Group (DC612). Our plan is to have multiple CTFs along the way until we get to the big one. Before each "mini" CTF we will have a few sessions/meetings where we explain the material they will need to pop a box. We will then add more information and tools before the next CTF. We plan on having at least two CTFs before the big one.

We are also evaluating having two tiers of boxes so the n00bs can keep up and the 1337's have something to do. For example they would have to take three boxes. The less experienced players take on A, B, and C while the more experienced take on B, C, and D. The A box would also have some tips for taking other boxes.

I plan on writing this up as we define it, but it will be a while (few months). I'll post here when we are done.
twitter.com/timmedin | http://blog.securitywhole.com

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Jul 14, 2009 7:12 pm

Re: Suggestions for security projects wanted

•framework for pentesting report
Here is a good guide for understanding the type of things that are done during a test.
http://www.vulnerabilityassessment.co.u ... 0Test.html
This includes a template for a sample report
http://www.vulnerabilityassessment.co.u ... plate.html

I've seen a few other samples as well and I know one sample was posted here last week (or so), but I don't have the link and I'm too lazy to find it.

•setting up a lab environment
Set up a virtual infrastructure and set up a bunch of machines. I know there are multiple threads covering this topic here on EH.net. I would recommend getting a server class machine (used, it is cheaper) and installing ESXi. Throw on a bunch of OSes and other software. I can't give you good specifics here since it will depend on what you want to test. I would say at a minimum you should have a Windows XP box, a Linux box, and a BSD box. If you want a good box to test against, add Damn Vulnerable Linux.

If you want to test against some vulnerable software download some old software from http://www.oldversion.com

You can also download some intentionally vulnerable web apps: grab Web Goat, Multildea (sp?) and Moth.

•guides
Not to be a jerk but google for what you want, if you need specific help ask and you shall receive. There are a lot of good guides out there for specific tools and apps. If you are looking for one in specific, google for it and if you can't find it then ask.

•vulnerable operating system, application, etc.
(See Lab)

•Some kind of CTF
I’ll submit some details on the one I am working on and post it in a few months

•some kind of training
There are lots of sites that specialize in this. Lots of good videos on YouTube and Vimeo, but it can be a little harder to find. I suggest TheAcademyPro.com for some good videos.
twitter.com/timmedin | http://blog.securitywhole.com

UNIX

Hero Member

Posts: 1254

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Jul 15, 2009 1:25 am

Re: Suggestions for security projects wanted

Your CTF project sounds interesting, good luck. I also like that you will offer something to play with also for the inexperienced users. ;)

I am not sure if you understood my initial posting correctly or if I misunderstood your last post. I am not looking for specific guides/videos etc. for myself but thought about offering such things to others. I have set up a few labs for security testing before and have some experience with other topics too which may help others.

I already got some ideas with this thread although nothing specific yet, still it helps me. :) Another thought I had in mind when starting this thread was that maybe someone has a good idea but is for some reason not able to do it by herself, e.g. because of lacking time or knowledge.

@former33t: Thanks for your suggestions. The log cleaning thing sounds interesting but is not exactly what I am currently interested in. I will take a closer look into it when I have experience with Solaris.

Your second suggestion sounds interesting too, although the reboot would make it a little "unsexy". I will think about it though, so thanks. :)
Last edited by UNIX on Wed Jul 15, 2009 1:33 am, edited 1 time in total.

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed Jul 15, 2009 11:08 am

Re: Suggestions for security projects wanted

We're working on VM lab setup guides and videos at security aegis pretty soon. One for webapp and one for network.

Should be good stuff

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Wed Jul 15, 2009 12:52 pm

Re: Suggestions for security projects wanted

You may be interested in helping out with a project I started in December last year.

Damn Vulnerable Web App (dvwa)
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be light weight, easy to use and full of vulnerabilities to exploit. Used to learn or teach the art of web application security.


At the moment there's me and a couple of other people working on it in our spare time. The current version is 1.0.4, however we're working on a complete recode for the next version which is about 60% complete and can be accessed via SVN.

Project homepage: http://sourceforge.net/projects/dvwa/
SVN: https://dvwa.svn.sourceforge.net/svnroot/dvwa
Other info: http://www.ethicalhack3r.co.uk
Email: dvwa<AT>ethicalhack3r.co.uk

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed Jul 15, 2009 1:06 pm

Re: Suggestions for security projects wanted

Hey ethicalhack3r,

We are featuring your project in our Webapp lab setup. It won't be out for a week or two (recording and uploading is most of the time) but when it is finished our lab environment should have about 7 different targets, one being yours. Thanks so much =)

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Wed Jul 15, 2009 1:32 pm

Re: Suggestions for security projects wanted

Jhaddix wrote:
Hey ethicalhack3r,

We are featuring your project in our Webapp lab setup. It won't be out for a week or two (recording and uploading is most of the time) but when it is finished our lab environment should have about 7 different targets, one being yours. Thanks so much =)


Awesome! Glad you find it useful. Where will it be uploaded to?

Keep an eye out for the next version, it's in a completely different league to the current stable version.

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed Jul 15, 2009 3:33 pm

Re: Suggestions for security projects wanted

It'll be on our site and YouTube, Vimeo, etc. We are using Mutillidae, WebGoat, Damn Vulnerable Web App, Foundstone's Hacme Bank, Casino, Shipping etc., Moth, WebMaven, and SecuriBench. Our attack platform will be SamuraiWTF.

UNIX

Hero Member

Posts: 1254

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Jul 16, 2009 3:11 am

Re: Suggestions for security projects wanted

Thanks for all replies, also the few given privately. They are much appreciated. :)

The project idea I will probably try to realize and work on:

Two free courses, including study materials, exercises/"homework", videos and audio, toolboxes (only using freeware tools and maybe something like shareware etc., so that there is no need to pay money to follow everything).
While the first one will focus on penetration testing and related topics, the second one focuses on reverse engineering, binary analysis and malware research.

I am currently setting up a concept on topics I would like to work on and include.

Probably this project will take quite some time until it is complete but I hope and think it will be worth the effort.

Any thoughts on this?
Last edited by UNIX on Fri Jul 17, 2009 2:52 am, edited 1 time in total.
