G-SEC™ Tools and Whitepapers
G-SEC™ offers offensive and defensive IT security tools and original research, and gives regular talks on original topics at security conferences. Here is a summary of the tools, whitepapers and talks that have been published by our members over the years.
Whitepapers
TLS/SSLv3 renegotiation vulnerability explained
This paper explains the SSLv3/TLS renegotiation vulnerability for a broader audience and summarizes the information that is currently available. It includes original research and proof-of-concept code.
Updates:
· Updated: Added SMTP over TLS attack scenario, added s_client test case
· Updated: Added FTPS analysis, new attacks against HTTPS
· Updated: PoC files for TRACE and 302 redirect using the TLS renegotiation flaw
Author:
Thierry ZOLLER
Download: TLS/SSLv3 renegotiation protocol vulnerability
Blog post: SSLv3/TLS MITM vulnerability
TLS/SSL hardening and compatibility report 2010
What started as an "I need an overview of best practice in SSL/TLS configuration" type of idea ended in a 3-month coding, reverse-engineering and writing effort.
This paper aims to answer the following questions:
· What SSL/TLS configuration is state of the art and considered secure (enough)?
· What SSL/TLS ciphers do modern browsers support?
· What SSL/TLS settings do servers and common SSL providers support?
· What are the cipher suites offering the most compatibility and security?
· Should we really disable SSLv2? What about legacy browsers?
· How long does RSA still stand a chance?
· What are the recommended hashes and ciphers for the years to come?
The paper includes two tools:
· SSL Audit (alpha): an SSL scanner that probes remote hosts for SSL/TLS support
· Harden SSL/TLS (beta): a Windows server and client SSL/TLS hardening tool
Author:
Thierry ZOLLER
Download: SSL/TLS Hardening and Compatibility report 2010
Blog post: SSL/TLS Hardening and Compatibility report 2010
Tools
Harden SSL/TLS (beta)
We developed this little tool as part of G-SEC's investigation into the "Secure SSL/TLS configuration Report 2010".
“Harden SSL/TLS” allows hardening the SSL/TLS settings of Windows 2000, 2003, 2008, 2008R2, XP, Vista and 7. It allows setting SSL policies locally and remotely, allowing or denying certain ciphers, hashes or complete cipher suites.
Specifically, this tool allows setting policies regarding which ciphers and protocols are available to applications that use the SCHANNEL crypto interface. Many Windows applications use this interface; Google Chrome and Apple Safari are two examples. By changing the settings you can indirectly control which ciphers these applications are allowed to use.
Advanced mode
· Re-enable ECC P521 mode on Windows 7 and 2008R2
· Set TLS cache size and timeout
Known issues:
· The BETA initialises and sets the OS defaults at startup
Changelog:
· Fixed Protocol initialization on Vista/Seven/2008/2008R2 (Adrian F. Dimcev)
· Fixed TLS 1.1 on Vista/2008 (Reported by Adrian F. Dimcev)
Author:
Thierry ZOLLER for G-SEC
Download: Harden TLS/SSL (beta)
Download: Documentation
SSL Audit (alpha)
SSL Audit was born out of G-SEC's investigation into the "Secure SSL/TLS configuration Report 2010".
SSL Audit scans web servers for SSL support. Unlike other tools, it is not limited to the ciphers supported by SSL engines such as OpenSSL or NSS and can detect all known cipher suites.
Fingerprint mode (Experimental)
Included is an experimental fingerprint engine that tries to determine the SSL engine used server-side. It does so by sending normal and malformed SSL packets that different engines interpret in different ways.
SSL Audit is able to fingerprint:
· IIS7.5 (Schannel)
· IIS7.0 (Schannel)
· IIS 6.0 (Schannel)
· Apache (Openssl)
· Apache (NSS)
· Certicom
· RSA BSAFE
Known issues:
· False positive on SSLv2 (needs a separate HTTPS request to verify)
· No way to export results
Author:
Thierry ZOLLER for G-SEC
Download: SSL Scanner (alpha)
Download: Documentation
BTCrack 1.1 Windows
BTCrack is the world's first Bluetooth passphrase (PIN) brute-force tool. BTCrack will brute-force the passkey and the link key from captured pairing* exchanges.
To capture the pairing data it is necessary to have a professional Bluetooth analyzer (FTE BPA 100, BPA 105 or others; Merlin) or to flash a CSR-based consumer USB dongle with special firmware.
Speed comparison:
· P4 2 GHz dual core: 200,000 keys/sec
· FPGA E12 @ 50 MHz: 7,600,000 keys/sec
· FPGA E12 @ 75 MHz: 10,000,000 keys/sec
· FPGA E14: 30,000,000 keys/sec
Changes:
· 1.0 First release
· 1.1 Intermediate release
  · E12 + E14 FPGA support (http://www.picocomputing.com)
  · Splash screen
  · Process priority
  · Speed increase (+15%)
Author:
Thierry ZOLLER for n.runs AG
Download: BTCrack
BTCrack 1.1 Open source
This is a straightforward open-source Linux port of BTCrack. It should work with most other Unixes too; the code is nearly ANSI-clean, except for strdup().
Author:
Thierry Zoller & Eric Sesterhen
Download: BTCrack OSS
USB Write Blocker
USB Write Blocker is a small tool that blocks write requests to USB devices, which effectively become read-only. Requires the .NET 2.0 Framework.
Author:
Thierry Zoller for G-SEC
Download: USB Write Blocker
Omron Communicator
While researching payment systems and credit cards, we had to reverse-engineer the Omron card reader protocol and implement it in software.
Details about the protocol research can be found here, here and here.
Author:
Thierry Zoller
Download: no download available
Talks and Lectures
Research and discoveries in Bluetooth security
Hack.lu - 2006 Edition
· Press coverage: Symantec, Heise, Network Computing, Tecchannel
Minerva (EUBAM) - 2006
· Press coverage: Digital Library Forum
CCC 23C3 - 2006
· Press coverage: Heise, H-online, Magnus, Google Video
Heisec - 2007
· Press coverage: Heise
IT Sicherheits Forum - 2007
· Information: GAI Netconsult
High Level Security Board - 2007
· Information: none available
M-Vision 2007
Lecturer: Thierry ZOLLER
Download: Heisec version of the Talk
Research and discoveries in Anti-virus and Security Products
Hack.lu 2007
· Press coverage: Heise, Washington Post, Security Focus, Infoworld
Cansecwest 2008
· Press coverage: Computerwoche Le Monde Informatique
Lecturer: Thierry ZOLLER
Download: The Death of AV Defense in Depth? - Revisiting AV Software
Research into Security Metrics
HLSB 2008
Lecturer: Thierry ZOLLER
Download: Not available
Note: All trademarks mentioned herein belong to their respective owners.