the Pleb

Lenny Zeltser on Information Security: 6 Reasons Why Business Managers Ignore IT Security Risk Recommendations

Thu, 31 May 2012 22:45:00 -0500

Lenny Zeltser on Information Security: 6 Reasons Why Business Managers Ignore IT Security Risk Recommendations:

Information security professionals get frustrated when their concerns are seemingly dismissed by business managers who accept the risk instead of approving the proposed remediation strategy. There are many reasons why infosec personnel’s IT security risk recommendations may not be accepted,…

Antigen

Thu, 31 May 2012 21:14:45 -0500

Antigen:

“Antigen is to zsh, what Vundle is to vim.” If this comparison means something to you, then you are the target audience for this program.

PwnPi

Tue, 29 May 2012 20:06:30 -0500

PwnPi is a very lightweight penetration testing distro for the Raspberry Pi. Make sure if you are ordering one, (or if you are lucky enough to already have one) bite the bullet and pick up the model B. It is only $10 more. Documentation is a little scarce, but it seems to run Ettercap, the social engineers toolkit (SET), and Metasploit. Of course it runs nmap. Runs xfce for X, although I prefer OpenBox. And you can’t run X and metasploit at the same time. If you put your Pi in an unobtrusive box, might make a good pen testing dropbox. Cheaper to lose than a PwnPlug.

Dropkey: Mac App For Encryption

Fri, 25 May 2012 18:21:27 -0500

Dropkey: Mac App For Encryption:

Looks interesting. Can only talk to other Dropkey installs, but to decrypt someone else’s files its free.

Start with Skipfish

Thu, 24 May 2012 18:31:13 -0500

Skipfish is a round one web application scanning tool. There has been some buzz around it lately, so I thought to provide some details for people wanting to check it out, see what is new. It is provided by Google. Say what you like about their privacy policy, as long as they keep paying Michal Zelewski to develop skipfish, they are alright in my book. We run it on OSX, well, because. Other considerations for this sort of tier one web application analysis: nikto, arachni, w3af. Personally, I have used nikto a lot in the past.

I wanted to run through a quick install process and first scan just to familiarize people with it. First off we want to use brew to install, otherwise we will have to do all those boring dependency checks ourselves¹. First off I checked that brew had the latest version (skipfish updates once or twice a month minimum). It didn’t. So let’s edit it to get the latest version.

brew edit skipfish

If you have brew configured correctly, it should popup the install instructions in your text editor of choice. We are concerned with two lines. First up is the URL. At the time of writing skipfish latest was at 2.06b. Edit the file to reflect this as shown.

url 'http://skipfish.googlecode.com/files/skipfish-2.06b.tgz'

Now of course we will have to change the checksum as well. You can calculate² it if you like, I did not see it available on the Google Code page. If you trust me, here it is, copy and paste it into the the appropriate field.

301f3f209ddf57dd7103a61256f62afa

Ready to go, install Skipfish with Brew as normal:

brew install skipfish

Skipfish has lots of features centered around dictionaries, which are very snazzy. Dictionary brute-force, listing potential sub-directories, etc. However, you don’t really need to mess with them just to try it out. Here is a scan that will tell skipfish to just run without all that nonsense. If you don’t give it either the skip option or a wordlist file to use, it will just error out.

skipfish -o test-dir -L -W- http://example.com/

Away you go! -L: Tells it not to auto-learn new words from the site. -W-: redirects learned words to /dev/null. -o test-dir: tells it to output the results into a specific directory. No need to create the directory beforehand. You should specify a directory for the output results, they are kinda messy with lots of little files in the root. It will display a nice little message for you when it starts off.

And then kicks into a nice little status screen while it runs. Pressing enter will change it to a list of URLs as it scans them, if you want to watch that. Finally it tells you it is done. It has been a great day for science indeed!

You can then cd into your results directory and run this to open the results:

open index.html

Wonderful. Now you can install, scan, and view the results of the skipfish scanner.

Why Skipfish

There are a few great things about skipfish that really recommend it as a starting point tool. If we dig into the results a little we can see exactly what makes them so useful. We first have the generic high, medium, low type of thing. That is all well and good, and seems to compare pretty well out of the box. About middle of the road³. Two things really stand out when using skipfish though, and they both have to do with what you do after you have run the scan. First, you may have noticed in the terminal notifications when skipfish has finished that it generates a file called ‘pivots.txt’. This is a great file to feed into other scanners/sniffers/tools. It has all the URLs that skipfish found, ready to go. Check it out. The second thing is the ‘Interesting Files’ portion of the scan report. This points to swfs, pdfs, scripts, source code disclosures, that any decent pen tester would certainly want to check out.

All neatly arranged in one dropdown. Thanks, Skipfish!

Extra Fun

Just for fun we can do a little toe-dipping into some more advanced options that you may want to tweak. Here is an example of running against something fairly local, with the options set to be fairly aggressive so it runs faster. You should create a blank word list file for every scan, skipfish leverages this to do some of its brute-forcing, etc. Disclaimer: settings might fail spectacularly if you try to run against something in China. Try the defaults first.

touch bts.wl
skipfish -g 100 -f 25 -t 5 -o example-results -W bts.wl -S minimal.wl -b ie http://www.example.com/

-g: maximum TCP connections, normally 40, tweaked to 100. Don’t go above 5 probably if you are scanning production systems, because of DDoS concerns.
-f: allowed failures, normally 100, cranked down to 25. If I get more than 25 failures running locally, something else is wrong and I want to know it fast.
-t: total request timeout, normally 20, I want it to be 5. See above.
-W: Specify the blank word list file
-S: Specify a pre-populated file to use when brute-forcing passwords, etc. Larger files here mean longer scan times.
-b ie: pretend to be Internet Explorer. Because its funny.

That should pretty much get you started, all the options available are explained with skipfish -h. Some of the things you can look forward to in there: specifying cookies, html authentication parameters, and hard finish times (for those overnight jobs).

Not actually as hard as you might think. I was only missing one dependency when I tested it (for the sake of science), and it was relatively painless. If you don’t brew. Which you should. ↩
md5 -r skipfish-2.06b.tgz > tmpsum.txt ↩
In almost every way. Catches about 50% of all SQLi, XSS, and this performance puts it almost in the middle of the pack for scanners. Upper middle. ↩

"I have been tasked by the Human Ruling Council to ask… no… beg you to read this book and..."

Sat, 12 May 2012 17:40:22 -0500

“I have been tasked by the Human Ruling Council to ask… no… beg you to read this book and master its skills so you can turn the tide of history itself. In these pages, you will learn how to wield control of computer systems through writing scripts and code in a variety of the most important languages today: Python, Ruby, PowerShell, and more.”

- Ed Skoudis

From the forward from Coding For Penetration Testers. Ed gives Jason and Ryan’s book a terrific introduction. Added to my reading list, expect a review forthcoming.

A Hacker's Tools

Sat, 12 May 2012 17:27:01 -0500

A Hacker's Tools:

They say a good hacker can pick a lock with a hairpin. You can always make do with the tools you have, but it sure would be nice to have all my favorite tools available whenever I wanted them.

Shellcode in PE File

Tue, 08 May 2012 09:07:46 -0500

Shellcode in PE File:

I love reading about stuff like this.

Some time ago a friend asked in a private mailing list about possible ways to embed a shellcode in one executable file (PE) and ways to bypass AV detection. I recommended him to use any Windows supplied PE file (or any other ‘goodware’ PE file) and patching some “always called function” with the shellcode. It turned out to be one of the many possible AV evasion techniques that seems to work in many cases.

He also provides a script that works with Pyew for embedding a shell. Natch.

"Has a picture of a polar bear. I feel more secure already."

Fri, 27 Apr 2012 12:05:31 -0500

“Has a picture of a polar bear. I feel more secure already.”

- thepleb, old research notes

Insights into Trust

Mon, 23 Apr 2012 00:07:32 -0500

Insights into Trust:

A simple question. ”Can you build a trusted cloud environment?” If you’re following the binary school of thinking, and trust is absolute one way or the other, and you’re forced to admit that everything is fallible, then the answer is no.

Rafal Los (Wh1t3Rabbit), goes on to talk about levels of trust, and how that can stop your business from being paralyzed by binary trust states. Using this sort of insight, you can really cut through the FUD.

This Week in School

Tue, 10 Apr 2012 08:25:22 -0500

What I have learned or attempted to learn in school this week.

The conjugate gradient method of matrix multiplication in a parallel setting
The first and second factorial moments of exponential distributions
How to make DB2 calls in COBOL on a mainframe running z/OS

So all in all a varied week. Thing that is giving me the most trouble: the matrix multiplication. It is supposed to save computation cycles so you can deal with a bigger problem set, but if it takes you 3 days to code it and it would take 30 minutes to do a less efficient algorithim, hard to calculate the savings. Most interesting: COBOL’s DB2 methods. It is very fast, beats much of mySQL’s transitive tables in efficiency. Would have been the matrix stuff because it is more sophisticated, but the frustration level is temporarily clouding my judgement.

"[D]efenders are in what military strategist Carl von Clausewitz calls “the position of the..."

Tue, 20 Mar 2012 11:17:00 -0500

“[D]efenders are in what military strategist Carl von Clausewitz calls “the position of the interior.” They have to defend against every possible attack, while the defector only has to find one flaw that allows one way through the defenses. As systems get more complicated due to technology, more attacks become possible. This means defectors have a first-mover advantage; they get to try the new attack first. Consequently, society is constantly responding: shoe scanners in response to the shoe bomber, harder-to-counterfeit money in response to better counterfeiting technologies, better antivirus software to combat new computer viruses, and so on.”

- Bruce Schneier

My take: this is interesting to consider in the context of the utility of a pen test.

Textmate to Tumblr

Tue, 29 Nov 2011 22:05:35 -0600

I went looking for a way to post to Tumblr via the command line the other day, and I was very interested in M. Wunsch’s post. He has created a Ruby gem which elegantly speaks to the Tumblr API and creates posts with attributes specified in a YAML front matter, a la Jekyll. This is brilliant, and wonderful. A really good idea sparks other ideas, and this one sent lightbulbs off in my head. I could use this to create a script that would automatically post to Tumblr, or even better I could use the still fabulous Textmate to make a bundle that would make my blogging just a few button presses away. Seems wonderful.

Now a few brief words on why anyone would ever want to go to this trouble. Isn’t there a nice little text box on the Tumblr post screen that would do this for me?

I could just enter my posts that way, and hey, I can even write them in Markdown! Off the top of my head, here is why I would want to do this.

Have a copy of every post I ever made in an easily readable, renderable format
Luxury of writing in my favorite text editor
No suffering from closed tab syndrome (ask my wife, who posts from a Wordpress entry form)
Able to write posts even when Tumblr is down (hey it has had more uptime than me recently)

Some of these need no explanation. I cannot emphasize enough how nice it is to have the ability to compose in my own editor, with its over abundance of tricks and hacks that I have built up. So, on to the how-to.

This is taking place on a Mac. Primarily because that is where you can use Textmate. Now the first part would be equally viable on any Linux Ruby install. Install the gem:

sudo gem install tumblr-rb

That builds it out and installs the tumblr executable. You can check the extensive documentation on how this CLI tool works on M. Wunsch’s excellent github page. The flexibility of the tool is truly excellent. Many modes are supported. However, it is fairly simple to use to setup a Textmate bundle. First create a file in your home directory to store your Tumblr credentials.

mate ~/.tumblrcreds

Enter your username and password as such

username: YOURuserNAME
password: myCRAZYAWESOMEsecurePASS

Please substitute your own combination. And email me if that really is your password cause that is epic. Do not tell me to what it is your password. Now in Textmate open up your bundle editor, available in Bundles -> Bundle Editor -> Show Bundle Editor. Create a new bundle using the plus sign at the bottom. Use these settings as a guide.

If this is done correctly, it will take the entire document and feed it into the tumblr command line utility. The command line utility, using the file we created earlier for reference, posts your document to Tumblr. If there is any feedback, it will provide it to you in a fresh document in Textmate. Now you are just a key combination away from a fast Tumblr post. It even supports queued posts with specified publish times, if you are one of those real bloggers that has several posts in the queue ready to go.

Let me know how it works for you!

SOPA is a Terrible Idea

Tue, 29 Nov 2011 12:19:34 -0600

SOPA is a Terrible Idea:

Mike from Techdirt nails SOPA to the wall. SOPA has been getting more and more bad press lately, probably why copyright monopolies were trying to ram it through legislation before anyone could protest. I am hoping at this point it dies, even big companies are coming out against it.

Writing Again

Mon, 28 Nov 2011 14:14:00 -0600

I plan on a triumphant return to the land of blogging sometime soon, I know that people are desperate for my input on matters technical or otherwise. What I am planning is to get somethings together that make it easy to post, remove some of the friction, so to speak, so that I have a little more flexibility. This particular post is written in Elements, the dropbox text editor for iPad that can magically make markdown formatted text into tumblr posts. This is one option I am pursuing. The other option is to get things working with Textmate so that I can simply use a Textmate bundle to post markdown with some YAML front matter to the blog, which, combined with Brett Terpstra’s blogsmith bundle and some interesting textexpander snippets, would make blogging a breeze.

So, I certainly do not remember this being here pre-Lion....

Mon, 05 Sep 2011 17:19:00 -0500

So, I certainly do not remember this being here pre-Lion. Apparently there is a utility that can put your wireless card into promiscuous mode just that easily. By telling it to capture raw frames you can capture all the network traffic around you. Then it will spit out a zipped pcap file wherever you would like, to use whatever command line tools you might want to on it. I certainly aliased this little utility into my applications folder. It is found by default in all Lion computers in /System/Library/Core Services/Wi-fi Diagnostics.

Not Like you Like

Wed, 03 Aug 2011 17:00:32 -0500

Launchbar 5, when invoked from a fullscreen Lion-ified application, rips you out of the custom space and drops you on another desktop. Unfortunate behavior, that. You find anything strange after your upgrade?

Saddleback Now for iPad2

Tue, 05 Apr 2011 16:28:28 -0500

Saddleback Now for iPad2:

I love my iPad sleeve from here, still works on the iPad 2. But their custom built iPad 2 case is certainly drool worthy.

Signals of A Degree

Tue, 05 Apr 2011 09:54:41 -0500

Signals of A Degree:

I certainly enjoyed this as a read, knowing what signals you are sending to a potential employer with your degree is a valuable skill, and one worth knowing.

Remiel: Making the leap to SSD on a MacBook

Sat, 04 Dec 2010 14:25:44 -0600

Remiel: Making the leap to SSD on a MacBook:

remiel:

It used to take 28 seconds for my 13-inch MacBook Pro to load the folders on my desktop after I logged in. Now it takes five seconds.

Large-footprint apps like Photoshop and Dreamweaver now load near-instantly.

The machine now has 1.16 terabytes (1,160 gigabytes) of hard drive space, 160 gigs of…