Note: If you were using the Vega beta, you need to clear your workspace (back it up if necessary) before starting the new version. Once the new version is installed, reset both perspectives to ensure that the UI layout is refreshed.
We’re still working on a few things, so we’re reluctant to call this 1.0 – but it’s close. Try it. Report any bugs. It’s also in Kali Linux.
Documentation has Moved
We’ve moved the documentation and bug reporting over to GitHub. No more Trac.
Writing this post from a taxi in Montreal on its way to the airport. Hugo and I are headed to Black Hat 2012 / Defcon in Las Vegas. We’ll be demonstrating the pre-release version of Vega at Black Hat Arsenal on the 25 and 26, pod #5 at 3:30pm on both days.
We’ll show some new features and have freshly cut stickers to give away.
We’ve just added a feature that helps users better understand scan results. For each alert, Vega can now show the user more precisely what it found and where.
Vega modules report findings by generating alerts. In doing so, they save the relevant HTTP request and response objects for review by the user. Within the alert is a link to view these saved HTTP messages in the message viewer (see below).
For the user
The module developer can now specify an interesting string within the HTTP message. When opened through the link in the alert shown above, the Vega message viewer will scroll to the matching location and highlight the substring, making it immediately apparent to the user what the module found. Screen below:
For the module developer
The API support for this is pretty simple. There are two methods that can be called from the context object:
If you grab the code from our repository, we’ve added this functionality to two modules (vinfo-paths.js and vinfo-feeds.js). These examples show how simple it is:
We’ll be updating all existing and new modules so that they use this feature. We’ll also be adding UI support for viewing multiple matches.
We’ve also been busy doing a lot of services: penetration tests, code reviews, reverse engineering. We do this to help fund the development of Vega.
So we’re now excited to announce that we’ve been working on a new release. The release will fix many bugs, and some of the new features include:
Automating Web Application Login
Vega now allows you to store authentication credentials as an ‘identity’ so that Vega can log in automatically during a scan. This includes basic, digest, and NTLM credentials.
For authenticating using forms, it is possible to associate stored login requests seen by the proxy with an identity. Vega can then replay those to log in when starting a scan.
Adding a Login Request to a Macro
In the screenshot below, the user simply logs into the application through the Vega proxy, and then selects the stored login request during the creation of the macro. Binding this to an identity and then using the identity during a scan will let the scanner log itself in automatically prior to starting a scan.
Message Viewer Improvements
We’ve also cleaned up the message viewer, making the rendering nicer and adding small touches like searching (Ctrl-F) and menu-based copy and paste (right mouse click menu). For the module developer, it will be possible to tell the message viewer what to highlight and where to scroll to when a request is accessed through an alert.
Finally, we are doing a complete module refresh. This means existing modules will be made more reliable and efficient. And we have several new modules under development.
We don’t have a fixed date for the release – but it will be soon. You can always build from source if you want access to some of these features sooner. They’re in the develop branch of our GitHub repository. Contact us if you’d like to help us test new features and we’ll make a special build if you are using Windows or OS X. Talk to us on IRC (freenode) in #subgraph.
We’ll be presenting Vega at Black Hat Arsenal 2012 in Las Vegas. Be sure to stop by and say hello if you’re going to be there.
The third edition of the new Hackfest occurred over this past November 4th and 5th.
Hackfest is a security conference held annually in Québec City (Ste-Foy, to be precise). The Subgraph crew has been fortunate enough to have been there for all of the past three events. What makes Hackfest special is the close connection to Université Laval and the well put-together hacking games – specifically the main CTF. This year the CTF was packed – at least one group that wanted to register at the last minute was denied due to a lack of space.
Félicitations to this year’s CTF winner, AmishSecurity (Montrealers, friends, and MTLSEC regulars). They had some good competition.
This year there were many familiar faces, and many more unfamiliar. What was most exciting for us was seeing the beta version of Vega being used by competitors in both hacking competitions. Just walking around the room we saw both the scanner and the proxy in action, for example:
1. During the first challenge, which involved each team maintaining operation of several network services and attacking the services of the opposing team, a player ran a Vega scan and found that one of the webservers permitted HTTP PUTs to /. This was then exploited to fill the partition and knock out the www service.
2. During the CTF, a directory traversal/file include vulnerability detected by a Vega module was confirmed as exploitable using the request replay feature and then used to access one of the flags on the webserver.
At one point, we were asked by a player if we’d put Vega content on a webserver during the first challenge. It wasn’t us, and we still don’t know who this was, but it made our evening – so thanks.
Finally, we had a chance to hand out plenty of Vega stickers. With the beta out, we’re now hard at work on the next version of Vega. I’ll be presenting some of the new features at PHP Quebec on Dec 1. More on this soon.
Many thanks to the organizers. We had fun, and we’ll be back for Hackfest 2012.