Archive for May, 2008

Reading Rainbow: Episode 7

Sunday, May 25th, 2008

In the wake of so many ISPs getting away with murder and the government looking the other direction, it’s good to see that Florida is stepping in and fining Verizon for poor response time. http://news.cnet.com/Florida-…00-1036_3-6239655.html?tag=html.alert.hed

This is a great video for both optimizing and securing your Windows XP system. It shows exactly how to disable five services you probably don’t need to be running. http://blogs.techrepublic.com.com/itdojo/?p=120&tag=nl.e101

If you have ever had the “Warning: Using insecure memory” message display when using a tool such as GnuPG, this article is for you. Not only does it explain exactly what that means, it also goes into how to prevent the problem. http://blogs.techrepublic.com.com/security/?p=457&tag=nl.e036

Panda Security has now launched their Security as a Service for businesses. Among other services they will be offering: outsourcing of infrastructure, automated updates and patching, compliance checks, risk management, and remote management tools. http://sev.prnewswire.com/computer-software/20080519/LAM04119052008-1.html

I read this post on a friend of mine’s blog and thought it was rather useful. I’ve had PHP scripts running on cron before that had exactly this problem. They would lock up after a while and before I knew it, I had about 15 “undead” PHP processes just eating up my CPU. What was worse was that my shared host only allowed each user 15 processes at the same time, so slowly but surely the rest of my sites would go down. http://www.toosweettobesour.com/2008/05/21/amp-and-runaway-scripts/

BackTrack2 Wireless

Saturday, May 24th, 2008

I’ve worked with a lot of people who had trouble setting up wifi on BackTrack2 and decided it would be worth a post on how I manage it.

I prefer to do this task from the command line, since it allows more control, plus it shows you exactly what happens in the background of some of these GUI apps. I use 5 main commands for this: ifconfig, iwlist, egrep, iwconfig, and dhcpcd.

Before we can do anything, we need to make sure our network card is turned on. To check this, simply run ifconfig with no options. If the only interface you see is lo (local or loopback), then you are going to need to bring up (turn on) your interface with:

ifconfig <interface> up

For me, <interface> is eth0, but your machine may differ.

Now that the device is up and running, let’s find out what networks we can connect to. (You may skip this step if you already know what you are connecting to.) For this, I will use iwlist and egrep. iwlist lists all access points (APs) in range and egrep is grep’s big brother with more regex support. We use them in combination to produce output that is more useful (for our purposes) than if we simply used iwlist. We run iwlist as: iwlist <interface> scanning and then pipe it to egrep to pull out the ESSID (name of the AP) and the Encryption key line (on if the network is encrypted, off if not). The final command looks something like this:

iwlist <interface> scanning | egrep "ESSID|key"

This will show us the ESSID and if it requires authentication or not.

Now that we have the information we need, let’s put it to good use. iwconfig, ifconfig’s counterpart, manages the wireless portion of your connection. The first thing we want to do is look at iwconfig and make sure the card is in the correct mode: managed. Type iwconfig and find your interface. If the mode is not managed, you will need to run:

iwconfig <interface> mode managed

Since this is BackTrack2, the card may have been left in monitor (passive) mode by Kismet or another wireless packet sniffer. Once we have the card correctly set, we need to tell it what we want to connect to. This requires the ESSID and the password if the network is encrypted. We run iwconfig as follows:

iwconfig <interface> essid <essid from before>

and, for those of you with passwords:

iwconfig <interface> essid <essid from before> key <hex password here>

After we do all this, we want to run iwconfig one more time to make sure that the Access Point was associated (we check this by seeing a MAC address rather than ‘Invalid’).

Finally, after we have gotten all our wireless hooked up, we need to request an IP address. We use the following command:

dhcpcd -nd <interface>

This has the DHCP client daemon request a new (-n) IP address (as well as other information) from the router for <interface>. The -d flag tells dhcpcd to be verbose. We will see our own MAC address printed and, upon success, we will see the IP address assigned to our machine.
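
As an added example (not code from the original post), here is the same sequence wrapped in Python. parse_scan() pairs up per access point what the egrep pipe above prints as raw lines, is_associated() performs the MAC-versus-‘Invalid’ check, and connect() shells out to ifconfig, iwconfig and dhcpcd in the order described. The sample outputs are constructed, and the tool output format is an assumption based on wireless-tools of that era. One caveat the post does not mention: iwconfig’s key option only configures WEP, so a WPA network needs wpa_supplicant instead.

```python
"""Added example, not part of the original post: the BackTrack2 wireless
sequence (ifconfig / iwlist / iwconfig / dhcpcd) as Python functions.
Parsers take tool output as text so they can be exercised offline;
connect() runs the real tools and assumes wireless-tools era output."""
import re
import subprocess

# Constructed sample of `iwlist eth0 scanning` output (not a real capture).
SAMPLE_SCAN = """\
eth0      Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"coffeeshop"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:off
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"homenet"
                    Mode:Master
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:on
"""

# Constructed samples of `iwconfig eth0` after and before association.
SAMPLE_IWCONFIG_ASSOCIATED = """\
eth0      IEEE 802.11g  ESSID:"homenet"
          Mode:Managed  Frequency:2.412 GHz  Access Point: 66:77:88:99:AA:BB
"""
SAMPLE_IWCONFIG_UNASSOCIATED = """\
eth0      IEEE 802.11g  ESSID:off/any
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
ESSID_RE = re.compile(r'ESSID:"([^"]*)"')
ENC_RE = re.compile(r"Encryption key:(on|off)")
AP_RE = re.compile(r"Access Point: *(\S+)")
MAC_RE = re.compile(r"([0-9A-F]{2}:){5}[0-9A-F]{2}")


def parse_scan(text):
    """Turn iwlist output into one dict per Cell: bssid, essid, encrypted.
    This is what `egrep "ESSID|key"` shows, but paired up per access point."""
    cells = []
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            cells.append({"bssid": m.group(1).upper(), "essid": None, "encrypted": None})
            continue
        if not cells:
            continue  # header lines before the first Cell
        m = ESSID_RE.search(line)
        if m:
            cells[-1]["essid"] = m.group(1)
            continue
        m = ENC_RE.search(line)
        if m:
            cells[-1]["encrypted"] = m.group(1) == "on"
    return cells


def is_associated(iwconfig_text):
    """True when iwconfig shows a real AP MAC after 'Access Point:', i.e. the
    check the post describes: a MAC address rather than Not-Associated/Invalid."""
    m = AP_RE.search(iwconfig_text)
    if not m:
        return False
    ap = m.group(1).upper()
    return bool(MAC_RE.fullmatch(ap)) and ap not in ("00:00:00:00:00:00", "FF:FF:FF:FF:FF:FF")


def run(*cmd):
    """Run a tool and return its stdout; raises if the tool exits non-zero."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def connect(iface, essid, key=None):
    """The post's sequence end to end (needs root and the wireless tools).
    The key argument is a WEP hex key; WPA is outside iwconfig's reach."""
    run("ifconfig", iface, "up")
    run("iwconfig", iface, "mode", "managed")
    cmd = ["iwconfig", iface, "essid", essid]
    if key:
        cmd += ["key", key]
    run(*cmd)
    if not is_associated(run("iwconfig", iface)):
        raise RuntimeError(f"{iface} did not associate with {essid!r}")
    return run("dhcpcd", "-nd", iface)


if __name__ == "__main__":
    for cell in parse_scan(SAMPLE_SCAN):
        print(cell)
```

Running the file prints the two parsed cells from the constructed scan; calling connect("eth0", "homenet", "<hex key>") on a real BackTrack2 box performs the actual association and DHCP request.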

Using Tamper Data

Wednesday, May 21st, 2008

In my previous post on penetration testing I mentioned various tools that I use for web application testing. In this post and future posts, I will go into some of these tools and how I use them. This post covers Tamper Data, which is probably the add-on I use most for penetration testing.

Tamper Data is used for monitoring and editing requests made to a server. When you start Tamper up and refresh a page, or have a page that automatically refreshes or uses AJAX, you will see the requests in the top portion of the window. When one is selected, the bottom will display both the request headers you sent and the response headers you received. These can be useful for determining information about the server, monitoring background processes on a site (such as AJAX requests), and seeing all the various files and locations that are loaded when you view the page. While this is useful for reconnaissance work and gaining initial information on a target, this is not where Tamper’s strong suit lies. As the name suggests, Tamper Data is for … tampering with data.

Despite the fact that Tamper is running and capturing headers for requests and responses, tampering has not actually been started. By clicking “Start Tamper” we enable tampering of data. Now, when Tamper notices an outgoing request it will halt that request and ask for approval. You are then presented with three options to proceed, along with the option to discontinue tampering. If you unselect the check box, Tamper will go back into passive mode and allow you to work, undisturbed, on the current request.

Submit: This simply sends the request as-is. Normally I use this if unrelated traffic gets caught up in Tamper’s web, such as Gmail, which makes AJAX requests.

Abort Request: This should be a fairly obvious option. It will stop the request from being sent. I generally use this when I am testing a potentially malicious site. In the case that a client asks me to review some code, or I am analyzing a piece of Cross Site Scripting code, I will use Tamper to allow the request to be made but to stop it before any of the data is actually transferred. I would recommend using this only after looking over the code. Some Cross Site Scripting code does not need a request to be made to be dangerous, and therefore Tamper is a poor defense.

Tamper: Here is where the real meat and potatoes of Tamper lie. When you choose to tamper with the request you are brought to a new window. On the top of the window is the URL the request is being sent to. In the case of a POST, this saves us the effort of looking through the HTML (and potentially JavaScript) for where the request is to be sent. On the left-hand side of the window we have the request headers and their values. We can actually modify the request headers on the spot. Instead of using JavaScript injection to modify cookie data, we can simply change it in the request header; we can modify our referrer to be anything we want, even spoof our User Agent. For referrers and User Agents I recommend other tools, but Tamper is the Swiss Army knife of my Firefox plug-in set of tools and I have used it over the others for such actions. Finally, we reach the right-hand side of the window. This is the POST data of the request. Here we can see what POST fields are sent and the values they are sent with. By right-clicking we can add other elements, and we can modify the values of current fields. Again, this saves us the effort of bypassing client-side restrictions on what values may be sent, or of submitting an element not part of a select, without using JavaScript. When finished tampering, simply select OK and watch your request be sent.

As this is an introduction to the usage of Tamper, I won’t go into advanced usage of the tool nor will I go into exactly how I execute some exploits with it. I leave you to tamper with Tamper.
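
Everything the Tamper window lets you change (POST values a select never offered, fields the form never had, cookie and Referer headers) is exactly what a server must not trust. As an added example, not code from the post or from Tamper Data, here is the server-side counterpart: a validator that keeps its own copy of the form’s rules and a session lookup that ignores anything a client writes into the cookie besides an opaque session id. The form definition, session store and request bodies are constructed.

```python
"""Added example, not part of the original post: server-side checks for the
client-side restrictions that Tamper Data makes trivial to bypass."""
from urllib.parse import parse_qs

# Constructed form definition: what the HTML form in the browser "allows".
# The server keeps its own copy, because the browser's copy is not enforced.
FORM_SPEC = {
    "quantity": {"type": "int", "min": 1, "max": 10},
    "shipping": {"type": "choice", "choices": {"standard", "express"}},
    "note": {"type": "text", "max_len": 200},
}


def validate_post(body, spec=FORM_SPEC):
    """Return a list of problems with a url-encoded POST body; empty means OK."""
    fields = parse_qs(body, keep_blank_values=True)
    problems = []
    # Fields the form never had (added via right-click in the POST pane).
    for name in fields:
        if name not in spec:
            problems.append(f"unexpected field {name!r}")
        elif len(fields[name]) != 1:
            problems.append(f"field {name!r} sent {len(fields[name])} times")
    # Values outside what the form's controls would have produced.
    for name, rule in spec.items():
        if name not in fields:
            problems.append(f"missing field {name!r}")
            continue
        value = fields[name][0]
        if rule["type"] == "int":
            if not value.isdigit() or not rule["min"] <= int(value) <= rule["max"]:
                problems.append(f"{name}={value!r} outside {rule['min']}..{rule['max']}")
        elif rule["type"] == "choice":
            if value not in rule["choices"]:
                problems.append(f"{name}={value!r} is not one of the offered choices")
        elif rule["type"] == "text":
            if len(value) > rule["max_len"]:
                problems.append(f"{name} longer than {rule['max_len']} characters")
    return problems


# Constructed server-side session store. The cookie carries only an opaque
# id, so editing a "user=..." cookie in the request header changes nothing.
SESSIONS = {"s3cr3t-session-id": "alice"}


def user_from_cookie(cookie_header, sessions=SESSIONS):
    """Resolve the user from the Cookie header via the server-side store only."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in sessions:
            return sessions[value]
    return None


# Constructed requests: what the form sends, and the same request after
# being edited in the POST pane (quantity below the minimum, a shipping
# option the select never offered, and an extra is_admin field).
NORMAL_BODY = "quantity=2&shipping=express&note=ring+the+bell"
TAMPERED_BODY = "quantity=0&shipping=free&note=hi&is_admin=1"

if __name__ == "__main__":
    print("normal:", validate_post(NORMAL_BODY))
    print("tampered:", validate_post(TAMPERED_BODY))
    print("user:", user_from_cookie("sid=s3cr3t-session-id; user=admin"))
```

The point of the design is that every decision is made from server-held data (the spec and the session store); a request that passes this check would have passed with or without Tamper Data, which is what makes the client-side restrictions safe to treat as a convenience only.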

Reading Rainbow: Episode 6

Monday, May 19th, 2008

I played with both of these plugins. The view formatted source one didn’t do a whole lot for me, but the view source chart was a great improvement. It makes checking out HTML much easier, and with the added ability to collapse various blocks of code it makes it easier to sort through just what I want. http://blogs.techrepublic.com.com/programming-and-development/?p=670&tag=nl.e055

A friend asked me a few months ago to help him uninstall Internet Explorer 7 and it was more than a pain. Here is a great explanation of how to do it painlessly. http://blogs.techrepublic.com.com/window-on-windows/?p=680&tag=nl.e101

As security becomes more mainstream, solutions grow beyond the capabilities of do-it-yourself approaches. Discussed here are various ways to keep current and secure without sacrificing stability and redundancy. http://blogs.techrepublic.com.com/security/?p=456&tag=nl.e036

As hacking becomes “more popular,” or perhaps simply easier with the availability of tools, proper attacks are not the elegant assaults of yesteryear. Now, brute force attacks are run simply because the tool is easily downloadable and anyone with an internet connection and a target can attempt to crack user accounts. Discussed here is an example of just this situation. http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=207603339&subSection=Cybercrime

I saw this site on a forum and it’s really wonderful. It has texts on all sorts of programming languages, networking, the works. http://stommel.tamu.edu/~baum/programming.html

Utilities for backing up client-side website data

Friday, May 16th, 2008

I was looking into various methods for backing up websites on my localhost and have come up with 3 options. I’m sure there are more, but these require tools you already have.

Internet Explorer 6 (I don’t have IE7 installed yet, so I did it with IE6)

Internet Explorer 6 offers the ability to “work offline,” which downloads all data to your localhost and allows you to act as though you are viewing the live site. In order to enable this, you bookmark the page and select “make available offline.” If you want more than just that one page, go to Customize and you are prompted for getting the pages it links to as well. What is nice is that you can specify how deep you want IE6 to go. If you select 2, for example, all links on the page will be followed and downloaded. All links on these pages will be treated similarly, and then the process stops. You are then prompted for how you want to synchronize these local copies. You have 2 options: manual synchronizing and scheduling. Scheduling will do it at a specified time every n number of days. Since IE6 is “working offline,” paths don’t need to be modified.

FireFox 2

Firefox 2 offers a similar solution; however, it does not appear to have the synchronization by default. To do this you “save page as” and then have the option of saving as a text file, as the single page, or “complete,” which will gather up all the files needed for that page. Unlike IE6, you cannot get the pages linked to. There is a Firefox add-on that will provide added functionality, but this article’s scope is default functionality. Also, Firefox does not change links to localhost paths.

WGET

The previous options are great for GUI systems; however, if you are a sysadmin or a web developer and need to make a backup of a current live site before replacing it with a new version, neither of these options is very good for you. So here is a command-line, no-GUI option: running wget with the -r (recursive) option will provide the same functionality as IE6. Simply create a directory, change directory into it, and run:

wget -r site.com

and you have all the client-side data. Much easier, and without a GUI.

These options bring up 2 more topics I’d like to cover. First is from the perspective of the site owner. Suppose you don’t want people going around downloading your content. For a dedicated person, this is not preventable, but you can make it more difficult and annoying. IE6 and wget both follow the robots.txt rules; this is not an issue for Firefox 2 since it doesn’t have this functionality by default anyway. In short, other than making it less convenient, any data you send to a client (HTML, CSS, JavaScript) will be available for backup, which is obvious since it is client-side data and the web would be useless if it was inaccessible.
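
To make the robots.txt point concrete, here is an added example (not from the original post) of how a compliant client such as wget decides what it may fetch, using the standard library’s robotparser on a constructed robots.txt. It also shows why this is a convenience rather than a protection: the decision is made in the client, so a client that does not consult the file fetches everything on the list.

```python
"""Added example, not part of the original post: the fetch decision a
robots.txt-honouring mirror tool makes, on a constructed robots.txt."""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site: wget is told to stay out
# entirely, everyone else is asked to skip two directories.
ROBOTS_TXT = """\
User-agent: Wget
Disallow: /

User-agent: *
Disallow: /admin/
Disallow: /drafts/
"""


def load_robots(text):
    """Parse robots.txt text the way a client would after fetching it."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def allowed(user_agent, path, text=ROBOTS_TXT):
    """True if a compliant client with this User-Agent may fetch path."""
    return load_robots(text).can_fetch(user_agent, path)


def mirror_plan(paths, user_agent, text=ROBOTS_TXT, honour_robots=True):
    """Split discovered links into (fetch, skip) as a recursive mirror would.
    With honour_robots=False nothing is skipped, which is the point the post
    makes: the file only restrains clients that choose to read it."""
    if not honour_robots:
        return list(paths), []
    rp = load_robots(text)
    fetch = [p for p in paths if rp.can_fetch(user_agent, p)]
    skip = [p for p in paths if not rp.can_fetch(user_agent, p)]
    return fetch, skip


if __name__ == "__main__":
    links = ["/", "/about.html", "/admin/users", "/drafts/next-post"]
    print("wget:", mirror_plan(links, "Wget/1.11"))
    print("browser-like:", mirror_plan(links, "Mozilla/5.0"))
    print("ignoring robots.txt:", mirror_plan(links, "Wget/1.11", honour_robots=False))
```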

The other topic is client-side security. Browsers disallow cross-site AJAX requests. This is a security feature to stop a malicious individual from putting AJAX calls to other sites on their page and stealing your personal information. Browsers do, however, allow this behavior from the localhost. So if you download malicious code and view it locally, it will execute. Also, by putting JavaScript code on your local file system, you allow malicious individuals to access these files.

Interestingly, it seems that Internet Explorer 6 actually beats the default install of Firefox 2 in this test. It seems Microsoft did a good job on this feature. wget doesn’t really enter into that comparison, since the other two are browsers and wget is a utility; however, it also tops Firefox 2 by being recursive. As backup utilities, wget and Internet Explorer 6 are tied since they both preserve pages, links included. Personally, I prefer wget since I’m not a fan of GUIs or tools that won’t run under Linux.

Wylde Computer: Revision A

Thursday, May 15th, 2008

I recently purchased a used Alienware box that I will be turning into my “hotrod computer.” Since I have a habit of naming my machines (since most of the time they need encouragement or I need to personify them when I get upset), I have chosen Wylde as this machine’s name since it will be completely “metal” and my show computer.

Currently the specs on the machine are:

  • P4 @ 3.07 GHz (Hyperthreaded)
  • 1G RD Ram
  • Sound Blaster Audigy 2 Sound card
  • Radeon 9800
  • 130G ATA Hard drive

Not bad for $120 USD.

The machine won’t be staying this way for long. I’ve already purchased a water cooling system to install so I can overclock the processor. Most likely I’ll be finding a PCI SCSI controller so that I can replace the ATA hard drive with faster ones. The motherboard only supports up to 2G of RD Ram, so that will be what it sits at. I have a DVD burner in another box that will surely be stolen and put into this machine.

In the non-performance realm, I am looking into sound reactive cold cathodes, a custom paint job for the case (done by me), and some neat hardware like a cup-holder/cigarette lighter.

Update [April, 2010]:

This project never actually came to pass. This box still runs the same Windows XP installation it came with, but most of the applications and services have been removed. Other than functioning as my last Windows installation on physical hardware, “Mystique” functions as a testbed for my Type 2 (or hosted) hypervisor testing and Windows tinkering.

Vanishing Point: HTTP Optimizer

Wednesday, May 14th, 2008

For work I built an HTTP optimizer: Vanishing Point. It’s a framework that accepts plugins, so that custom optimization engines can be built for different file types. Currently I have released a CSS and a JavaScript optimizer plugin. Both implement packers/minifiers designed by other people; however, I added in my own code to further optimize them. They also combine files so as to save time by reducing HTTP requests. In our benchmarks they have shown that they do in fact reduce page load time.

Here is the Google Code SVN repo:

http://vanishingpoint.googlecode.com/svn/trunk/

pwlib.java

Tuesday, May 13th, 2008

I have finished up the first version of pwlib.java. It was created in Java 1.4, because I haven’t bothered to update Java in ages. I should be revising it for 1.6 soon enough, but this is something to get you going. I haven’t done a whole lot of testing on it just yet, so feel free to post any bugs you may find.

Currently it only supports hashing for MD5 and SHA-1, but that will change later on. Right now I’m just trying to get the code base out in all four languages. Next up will be Python. Enjoy.

pwlib.java (Java 1.4)

Windows Vista is less secure than Windows 2000?

Tuesday, May 13th, 2008

In a recent study by PC Tools, Windows Vista was found to be far more vulnerable to malware than Windows 2000. These tests were run on both server and client editions of the operating system and the following statistics were provided: Windows Vista was found to allow 639 threats per thousand computers, while Windows 2000 was only allowing 586.

Based on these statistics 64% of Vista users are in danger, while only 59% of Windows 2000 users are in danger. These numbers seem damaging to Microsoft considering that Vista has been marketed as the most secure version of Windows to date. However, after a bit of examination, these statistics are not quite as blunt as they seem.

The 5% difference between the two operating systems is not a large margin. Also, Dennis Kudin points out that software such as Internet Explorer 7 will not run on Windows 2000. Internet Explorer 7 provides security that requires newer service packs that Windows 2000 simply cannot run. This provides a whole new target for Vista that Windows 2000 does not have. Windows Vista provides the UAC (User Account Control) system to stop processes from running as administrator without permission. Most Windows 2000 users ran as administrator by default, which would allow malware to be more effective.

Microsoft’s director of project management security, Austin Wilson, commented on his blog that Vista was tested fully and stated: “We study the malware space very carefully and publish our results twice a year in the Security Intelligence Report. This report is compiled from statistics on malware infections based on over 450 million executions of the Malicious Software Removal Tool (MSRT) every month. Microsoft is a member of AMTSO (Anti Malware Testing Standards Organization) and its charter includes defining test methodology so that there is a minimum quality bar to all testing of this type.”

It seems that PC Tools may have been rather hasty in their claim; however, with all the “added security features” and testing that Vista has undergone, a 64% infection rate seems to be a bit high. Even with the security provided by UAC and Vista’s built-in security, Austin Wilson recommends, and rightfully so, that users still run firewall and anti-virus software.

Sources:

http://www.scmagazineus.com/Report-Vista-…Windows-2000/article/110008/

http://blogs.msdn.com/windowsvist…-vista-windows-2000-and-malware.aspx

http://dkudin.spaces.live.com/…6B73AF165%21135.entry

A change…

Monday, May 12th, 2008

You may notice that I changed from full blog posts on the front page to excerpts posted on the front page. For posts that didn’t have an excerpt before (most of them) they are simply being truncated. I will be going through most of them and adding in excerpts to keep the site looking clean and nice, but bear with me while I get it done.

-Samurai