Wednesday, May 27, 2015

Google I/O 2015 Conference Live Stream and Live Blog

Hey all! Google's I/O 2015 conference falls on Thursday and Friday this year, May 28th and 29th of 2015. I've decided to include a live stream below, so it's easy for people remote to follow along, as well as live posting some of my favorite talks and updates! Enjoy the stream below and stay tuned for updates and cool highlights below that!!

Thursday, May 21, 2015

PwnPi 3 Final Review

I recently got to use the PwnPi 3 Final release, I thought I would do a little review, as traditionally this product didn't live up to the standard of the PwnPlug, but the idea of $35 alternative to the $695 famous drop box was intriguing. You can use this tutorial for flashing the image. For our review, I'm using a Raspberry Pi 1 model B and the PwnPi 3 Final release listed below:



The PwnPi comes with an impressive list of tools, a nice busybox UI, and some preconfigure remote administrative capabilities. The OS is based on Raspbian but feels more like Kali. I really enjoy the preconfigured Conky setup, it gives a lot of nice information and hacker feel to the desktop. The tools included make it an effective network pen test suite, however the CPU on my Pi 1 model B was a limiting factor with a number of the tools. That said, the preconfigured callback features make it an easy rouge device to add to a network. Your likely going to want to use the VNC callback (it comes preconfigured with a VNC and netcat call back), as the netcat callback will be unencrypted and insecure. The tool list is below, in a mashup of the PwnPi site and sourceforce tool list:

Information Gathering
---------------------
theharvester - gather emails, subdomains, hosts, employee names, open ports and banners      
tcpspy - Incoming and Outgoing TCP/IP connections logger            
tcpflow - TCP flow recorder            
pscan - Format string security checker for C files              
ngrep - nmap tool for parsing scan results        
bing-ip2hosts - Enumerate hostnames for an IP using bing
hostmap - hostnames and virtual hosts discovery tool            
metagoofil - an information gathering tool designed for extracting metadata        
mdk3 - bruteforce SSID's, bruteforce MAC filters, SSID beacon flood              
lynis - security auditing tool for Unix based systems              
enum4linux - a tool for enumerating information from Windows and Samba systems        
chaosreader - trace network sessions and export it to html format        
kismet - Wireless 802.11b monitoring tool            
btscanner - ncurses-based scanner for Bluetooth devices          
airodump-ng - Wireless tool for capturing handshakes
ike-scan - discover and fingerprint IKE hosts (IPsec VPN Servers)
svmap              
sslscan - Fast SSL scanner
ncat              
ipcalc            
nbtscan - A program for scanning networks for NetBIOS name information
amap - a powerful application mapper
sslstrip - SSL/TLS man-in-the-middle attack tool
sslsniff - SSL/TLS man-in-the-middle attack tool
ssldump - An SSLv3/TLS network protocol analyzer
onesixtyone - fast and simple SNMP scanner
swaks - SMTP command-line test tool
smbclient          
tcptraceroute      
netmask            
dmitry - Deepmagic Information Gathering Tool
xprobe2            
p0f - Passive OS fingerprinting tool
wireshark - network traffic analyzer - GTK+ version
tcpdump - command-line network traffic analyzer
zenmap - The Network Mapper Front End
svwar              
nmap - The Network Mapper
netdiscover - active/passive network address scanner using arp requests
hping3 - Active Network Smashing Tool            
fping - sends ICMP ECHO_REQUEST packets to network hosts
arp-fingerprint  
arping            
dnswalk - Checks dns zone information using nameserver lookups
dnstracer          

Vulnerability Assessment
------------------------
wbox - HTTP testing tool and configuration-less HTTP server
ratproxy - passive web application security assessment tool
netwox - networking utilities
lsat                
bfbtester - Brute Force Binary Tester
sqlninja - SQL Server injection and takeover tool
airodump-ng              
sqlbrute - a tool for brute forcing data out of databases using blind SQL injection
wash - scan for vunerable WPS access points
wapiti - Web application vulnerability scanner
w3af - framework to find and exploit web application vulnerabilities
mysqloit - SQL Injection takeover tool focused on LAMP
sqlmap - tool that automates the process of detecting and exploiting SQL injection flaws
skipfish - fully automated, active web application security reconnaissance tool
nikto - web server security scanner
metagoofil - an information gathering tool designed for extracting metadata          
openvas-client - Remote network security auditor, the client
openvas-server - remote network security auditor - server
svcrack - Sipvicious tool for cracking Voip logins              

Exploitation Tools
------------------
w3af-console - framework to find and exploit web application vulnerabilities (CLI only)
msfpayload - payload generation tool from metasploit
exploit-db - Exploit Database
bsqlbf - Blind SQL injection brute forcer tool
inguma - Open source penetration testing toolkit
msfencode - payload encoding tool from metasploit
msfvenom - payload generation and encoding tool from metasploit
msfconsole - metasploit console
s.e.t - Social Engineers Toolkit
aircrack-ng - WEP/WPA cracking program
reaver - brute force attack tool against Wifi Protected Setup PIN number
airmon-ng    
airodump-ng  
aireplay-ng  
sslstrip - SSL/TLS man-in-the-middle attack tool
mysqloit - SQL Injection takeover tool focused on LAMP
sqlninja - SQL Server injection and takeover tool          
sqlmap - tool that automates the process of detecting and exploiting SQL injection flaws
isr-evilgrade - take advantage of poor upgrade implementations by injecting fake updates

Privilege Escalation
--------------------
voiphopper - VoIP infrastructure security testing tool
yersinia - Network vulnerabilities check software
voipong - VoIP sniffer and call detector
wireshark - network traffic analyzer - GTK+ version
tcpdump - command-line network traffic analyzer
ettercap - Network man in the middle tool
tcpreplay - Tool to replay saved tcpdump files at arbitrary speeds
tcpick - TCP stream sniffer and connection tracker
pdfcrack - PDF files password cracker
packit - Network Injection and Capture
packeth - Ethernet packet generator
netsed - network packet-altering stream editor
filesnarf
mailsnarf
msgsnarf
urlsnarf
dsniff - Various tools to sniff network traffic for cleartext insecurities
darkstat - network traffic analyzer
mdk3 - bruteforce SSID's, bruteforce MAC filters, SSID beacon flood
pentbox - Suite that packs security and stability testing oriented tools
medusa - fast, parallel, modular, login brute-forcer for network services
hydra - Very fast network logon cracker
sipcrack - SIP login dumper/cracker
john the ripper -active password cracking tool
fcrackzip - password cracker for zip archives

Maintaining Access
------------------
6tunnel - TCP proxy for non-IPv6 applications
vidalia - controller GUI for Tor
ptunnel - Tunnel TCP connections over ICMP packets
netcat-traditional - TCP/IP swiss army knife
ftp-proxy - application level proxy for the FTP protocol
udptunnel - tunnel UDP packets over a TCP connection
tinyproxy - A lightweight, non-caching, optionally anonymizing HTTP proxy
stunnel4 - Universal SSL tunnel for network daemons
socat - multipurpose relay for bidirectional data transfer
proxychains - proxy chains - redirect connections through proxy servers
iodine - tool for tunneling IPv4 data through a DNS server
dns2tcp - TCP over DNS tunnel client and server
cryptcat - A lightweight version netcat extended with twofish encryption

Stress Testing
--------------
mz - versatile packet creation and network traffic generation tool
siege - HTTP regression testing and benchmarking utility

Reverse Engineering
-------------------
dissy - graphical frontend for objdump
splint - tool for statically checking C programs for bugs

Adding a wireless card to your Pi is a nice touch as well. I sure was relived when my TP-Link TL-WN722N played nicely, even though it's not on the following supported wireless list, it instantly showed up on iwconfig. Using wireless, it would be easy to drop this kind of device anywhere in a corporate environment, under or behind a desk. The following is the list of officially supported wifi cards:

3COM 3CRUSB10075
7DayShop W-3S01BLK
Alfa AWUS036NEH
Alfa AWUS036NH
Alfa AWUS036H
Alfa AWUS036H
Alfa AWUS036NHA
AirLink101 AWLL5088
Asus USB-N10
Asus USB-N13
Asus WL-167G v1
Asus WL-167G v3
AusPi Technologies WiFi Adapter
Belkin F5D7050 v3000
Belkin F5D8053 ver6001
Belkin F5D8053 ver6001
Belkin F7D1101 v1
Belkin F7D2102 N300 Micro
Belkin F9L1001v1 N150
Belkin Surf Micro
BlueProton BT3
Buffalo WLI-UC-GNM
Buffalo WLI-UC-G300N
Conceptronic C300RU
Conrad N150 mini
DELL Wireless 1450
DIGICOM USBWAVE54
DIGICOM USBWAVE300C
D-Link AirPlus G DWL-G122
D-Link DWA-110 Version A1
D-Link DWA-121 Version A1
D-Link DWA-131 Version A1
D-Link DWA-140 Version B1
D-Link DWA-160 Version B1
D-Link DWA-160 Version A2
D-Link WUA-1340(Version A1
Edimax EW-7811Un
Edimax EW-7318USg
Edimax EW-7711UAn
Edup 150MBPS Wi-Fi Adapter
Edup Ultra-Mini Nano
Edup EP-N8508
Eminent EM4575
EnGenius EUB9603
Gigabyte GN-WB32L
IOGear GWU625
Linksys WUSB100 v2
Linksys WUSB600N
Linksys Linksys WUSB54GC
LogiLink Nano Adapter 802.11n
Mvix Nubbin MS-811N
Netgear N150
Netgear N150
Netgear WG111v1
Netgear WG111v2
Netgear WNA1000M
OvisLink Evo-W300USB
Patriot Memory PCBOWAU2-N
Ralink RT2770F
Ralink RT3070
Ralink RT2501
Ralink RT2573
Ralink RT5370
Rosewill RNX-N180UBE
Rosewill RNX-G1 Wireless B/G Adapter
Rosewill RNX-MiniN1
Sabrent USB-A11N
Sagem XG-760N
Sempre WU300-2
Sitecom N300
SL SL-1507N
SMC SMCWUSBS-N
SMC SMCWUSB-G
Sony UWA-BR100
Tenda W311MI
Tenda W311U
The Pi Hut USB 802.11n
TP-Link TL-WN422G v2
TP-Link TL-WN721N
TP-Link TL-WN723N
TP-Link TL-WN821N
Trendnet TEW-648UBM
Widemac RT5370
ZyXEL NWD2105
ZyXEL G-202

In conclusion, the PwnPi 3 makes an effective pen test drop box solution. You can't beat that price, and I've even ordered a new Raspberry Pi 2 to try it out on the upgraded hardware. Here's a good example at using it for arp spoofing and backdooring unencrypted binaries. Here's to adding another tool to the arsenal, especially one can enable such lasting network persistence for so cheap!

Sunday, May 17, 2015

DefCon CTF 2015 Quals WriteUp: BabyCmd and MathWhiz

Hey all! I got to play some of DefCon CTF 2015 Quals early on Friday evening, during which I was able to solve the BabyCmd challenge. First, they provided you with this binary, and also a service to connect to and pwn. The binary was a striped, 64bit ELF, that gave the user a limited command shell, consisting of these four commands:



and if you take too long:


After playing around I discovered a format string vulnerability, but this didn't seem to yield much:


Next I found I could escape the input and get command injection:


Which quickly led to being able to traverse the disk, and locate the flag (note, our commands couldn't include spaces or pipes):


And then read the flag:



MathWhiz was another quick solve, this one came with no binary, just a socket connection where they throw a ton of math questions at you with various differences, such as brackets, braces, exponents, and the numbers written as words. You only have a few seconds to solve each question, and have to solve well over 500, so an automated solution is the way to go. I drafted up a quick python script, which you can find below:

This does the trick too, as you can tell from the output below:



Just some more quick CTF solutions :)

Intro to Static Forensic Analysis of an Android Image

In this post we are going to be talking about static forensics with an entire Android image, not a single piece of malware / an application. Our goal here is to get general user information out of the phone vs finding a compromise. So you have a dd image of an Android phone, what now you ask? Well let's dig into using The Sleuth Kit, or TSK for short. TSK is a collection of open source forensics tools, which are free, easy to operate, and produce reliable results.

We will start by running fdisk on our image for some holistic info: fdisk -l dump.img

Next, we want to read all of the partitions on the disk with mmls, simply run: mmls dump.img

This also tells us where each partition begins and ends.

From here, we can start to read specific partitions with fls (for example, lets take a look at the 'userdata' partition): fls -r -o 0003133700 dump.img > userdata_filestruct.txt

Sweet! that's a lot of data. Lets start by finding extracting some really useful information.

grep *.db* userdata_filestruct.txt

Lets grab some of the most interesting base databases for user communication:

mmssms.db
telephony.db
downloads.db
mail.db
*@gmail.com.db
emailDB.db
search_history.db
suggestions.db

Select offsets specific to the files you want to recover, for example mmssms.db, and carve them out with icat:

icat -o 0003133700 dump.img 263147 > mmssms.db

The databases are mostly sqlite, so browsing them with the cli is simple:

md5sum mmssms.db
sqlite3 
.open mmssms.db
.tables
select * from sms;

You will notice the timestamps are in epoc time. I wrote the following quick script to convert them to UTC for you:

There are definitely some more advanced and streamlined tools out there, but The Sleuth Kit, aka forensics command line swiss army knife, is a reliable and free approach. This is also just an intro and not at all comprehensive, there are other guides out there on more advanced techniques. Both FTK and Cellebrite are other great approaches, and it's always wise to use more than one tool and compare the results.

Sunday, May 10, 2015

ASIS CTF 2015 Quals WriteUp: Broken Heart

Hey! The qualifiers for Asis CTF 2015 just ended. The following is a network forensics writeup. We are given a pcap file, called myheart.pcap, that contains several broken http transfers, however all of these are incomplete parts of the file. You can tell from the http streams that we have to collect all of the pieces of the heart file, as well as find the first 13 missing bytes.


After collecting all of our pieces (by carving the data out of each http transfer and naming them after their [Byte]Content-Range), we begin assembling the bytes, which is trickier than it first seems as the byte patterns over lap one another. This was taken care of using Hex Fiend by copying out an entire byte group and pasting it into a collective file, at it's specified offset, in overwrite mode.


The missing 13 header bytes are the PNG file header bytes, which you can tell from the IEND and other various PNG magic bytes throughout the file. Taking a look at it in Synalyze It! Pro we can see more of the PNG grammar.


Putting that in place and changing the file extension we get our flag :)


Sunday, May 3, 2015

Python for Security Professionals Review (Cybrary.it)

This is my review of the Cybrary.it course, Python for Security Professionals, by Joe Perry. For starters, I really appreciate the Cybrary.it model, the lessons are all free and you can purchase a certificate of completion (which could help validate the 15 CPEs the course is worth, if you need to justify that type of thing) if you want at the end. However, the entire site model is interesting in that you can "complete" any of the courses (lol in fact, I've "completed" all the courses), and purchase the relevant certificate, without ever having clicked any of the video links. That seemingly large security mistake kind of invalidates the certificates, as anyone can obviously say the've completed the course and have the certificate without having done so. All of that aside, I love the idea of free education material and we will now be delving into the content of the Python for Security Professionals course. Like my other reviews, I'm going to go over the material and recommend this based on your experience and time commitment. The course contains 10 hours of video content, which are pretty decent especially if you are trying to learn Python from scratch, but slightly less so if you are trying to learn the nuances of Information Security. All of the modules are video focused, but come with PDFs of slides, activities in python programs, and the completed solutions to the activities in python programs. Overall, the first four modules are very basic and mostly just cover programming in python vs security specific tasks. Another issue is that currently all of the videos are pretty blurry and it's hard to read the code / command line used in the video series. For this reason you have to watch the videos in HD, however they address this in the comments and mention how they will soon be re-releasing the videos in a higher resolution. At the end of the weekend, I'd recommend this course to someone who is trying to learn Python from scratch with an Information Security focus, but for someone with more of a background in Python, I would actually recommend a text more like Black Hat Python, for more of an Information Security focus. That said, even if you are experienced with Python and Information Security, you may find the last two modules interesting (The Packet Gathering Module and the Info Gathering Module).



The first module, Intro and Setup, is pretty basic and be easily skipped if you have any prior Python experience. Here he goes over how to setup and install Python, as well as why it's a good language for rapid prototyping and security professionals.

The next module, Apprentice Python, is also very basic and still doesn't touch on anything security related. This module is all about basic usage and arithmetic in Python. There is also a stumbling block in the second video, as it's a little odd when he googles for solutions and then reads stack overflow during the tutorial.

The Journeyman Python module is interesting, but still doesn't delve into anything necessarily Information Security specific. In this module he talks a lot about networking protocols and RFCs that govern these. These modules are interesting in that they are informative, but fairly incomplete in the information they relay, a good example of this would be when he starts talking about ports and protocols he doesn't differentiate which transport protocol the application protocols are traveling over, despite discussing the differences between the TCP and UDP transport protocols. In this chapter you are shown you how to connect to arbitrary TCP ports, which could be useful for banner grabbing. The last activity in this module shows you how to listen to a TCP port and thus create your own arbitrary file server, however these lack really any security controls.

With Advanced Python he covers ctypes, regular expressions, multi-threading, and finally fuzzing. The multi-threading exercise in this module is pretty interesting, but still nothing really advanced, just a quick launching of multiple independent threads (vs something that has to consider deadlocks). The fuzzing section is also pretty interesting as this can be a core Information Security technique, so I appreciate the videos for Slides part 3, jperry even alludes to a buffer overflow in this video. Unfortunately, he also says fairly uneducated things like fuzzing and password cracking are similar in theory (the technique of bruteforce may be similar, but that hardly scratches the theory involved in either subject) or that writing a password cracker is against the CFAA, which is certainly false as industry professionals use password cracking all the time in penetration testing (trafficking hacked information or the actual act of hacking another person's system is illegal, not writing a password cracker). In this module's activities he also writes a fairly insecure file server implementation. I say it's insecure not because it lets you arbitrary read / write to an entire drive, but because it uses no authentication or encryption to protect the communications, meaning anyone could trivially hijack your fileserver activities.

Packet Analyzer module is where things get really cool. In part two, jperry starts implementing an IP protocol parser and demonstrates bitwise manipulation to read exact fields out of the protocol. This is a pretty awesome tutorial for writing a network protocol parser in Python and something I would truly call Python for Security Professionals. I recommend this section for those interested in getting a more in depth handle of protocols and automated parsers.

The Info Gathering module is also really interesting, as here jperry writes a quick post-exploitation RAT in Python for Windows. This is excellent and where the class really starts digginging into the Python applied to security specific applications. I really like where he uses python to parse the Windows registry key values, this is super useful for various security applications. Overall, I think this is a pretty good Python for Security Professionals video. This module also covers most of the content from the Post Exploitation Hacking course in this script. I recommend this module for moderately experienced hackers looking to start writing their own implants.

Overall, the modules were well done and I appreciate the relaxed approach of the course and exercises. That said, I think the whole course is great for someone trying to learn Python from scratch, however if you already are a novice Python / Information Security enthusiast you should checkout something more like Black Hat Python, and even if you are well versed with Python and Information Security you may find the last two modules interesting. As for Cybrary.it, I really appreciate what they are doing with free education, I think this is a great program and it deserves a lot of support, however I don't think the certifications are worth anything, based on the lack of business-logic security preventing anyone from just acquiring the certificates without having to go through the courses.


Volga CTF 2015 Quals WriteUp: Homework, FindHim, and Intersteller

Hey all! This was the first CTF playing on a new team, Team Sportsball (who competed in the Shadow Cats hosted CTF). During this CTF I was only able to play during the last 6 hours, very late Saturday night / Sunday morning, so had to get some super-quick solves.

Homework (100): This simple challenge was a photo of a 4x4 QR code which had been cut into 12 pieces and dropped on the ground. This challenge was simple enough, one just had to get an image editing software (we used photoshop), then cut out and put each piece on a separate layer. After that, it's easy to start finding pairs by finding two pieces that have the same split alignment marks. When this is all said and done, one adds the 3 corners (the bottom right is the only one missing in the QR format). Now that you have a rough outline of the QR code, it's easy to rotate and start placing the middle pieces. Finally, make sure all of your edges are flush, and scan the QR to get:

"It was night, in the lonesome October
Of my most immemorial year:
It was hard by the dim lake of Auber,
In the misty mid region of Weir-
It was down by the dank tarn of Auber,
In the ghoul-haunted woodland of Weir.
Here once, through an alley Titanic,
Of cypress, I roamed with my Soul-
flag is: of_cypress_with_psyche_my_soul"

FindHim (250): This was a recon challenge, our only hints are his name is Greg Medichi, he's from Sydney, and it's his code we are looking for. After some google searching (search his name with no spaces), we stumble on his github and only application. Then going through each commit individually, it quickly becomes obvious he has deleted some sensitive content. Revealing the flag: Fl@g={LURK1NG_G1T_1S_PHUN}

Intersteller (200):  The challenge is a single 64bit ELF file that you are supposed to reverse and crack, but this was essentially another recon challenge the way we solved it. Searching Google for some of the strings in the binary, revealed some interesting pastebin posts, most notably one named "We got the flag", written in python. After running the script, it produces the flag: flag = W@ke_up_@nd_s0lv3_an0ther_ch@113nge!  I've included that code below, with a shoutout to the orginal author, calixte.melly@heig-vd.ch:

Boom, 500+ points without reversing, exploiting, or really getting off the couch. Next time I'll play longer and take a more serious approach, but those are just some quick and easy ways to pick up points. Biggest lessons learned? Don't share live / sensitive content via pastebin!