Sunday, December 30, 2012

Automated Open Source Intelligence (OSINT) Using APIs

Introduction

The first step to performing any successful security engagement is reconnaissance. How much information one is able to enumerate about given personnel (for social engineering engagements) or systems can often impact the effectiveness of the engagement. In this post, we will discuss what Open Source Intelligence (OSINT) is and why it takes so much time, as well as ways we can use various application programming interfaces (APIs) to automate much of this process for us. Hopefully this post will help shed light on the importance of proper privacy settings, and on the threat of automated information gathering made possible by APIs.

Thursday, November 1, 2012

OvertheWire - Natas Wargame Level 14 Writeup

Level 14

Using the credentials obtained in the previous post, we can log in to Level 14, where we are presented with the following screen:


Tuesday, October 30, 2012

OvertheWire - Natas Wargame Level 13 Writeup


Level 13

Using the credentials obtained in the previous post, we can log in to Level 13, where we are presented with the following:

OvertheWire - Natas Wargame Level 12 Writeup


Level 12

Using the credentials obtained from the previous post, we can log in to Level 12 where we are presented with the following screen:


OvertheWire - Natas Wargame Level 11 Writeup

Level 11

Using the credentials obtained from the previous post, we can log in to Level 11 where we are presented with the following screen:


Monday, October 29, 2012

OvertheWire - Natas Wargame Level 10 Writeup

Level 10

Using the credentials obtained in the previous writeup, we can log in to Level 10, where we are presented with the following:


OvertheWire - Natas Wargame Level 9 Writeup

Level 9

Using the credentials obtained in the previous writeup, we can log in to Level 9, where we are presented with the following:


OvertheWire - Natas Wargame Level 8 Writeup

Level 8

Using the credentials obtained in the previous writeup, we can log in to Level 8, in which we are presented with the following screen:


OvertheWire - Natas Wargame Level 7 Writeup

Using the credentials obtained in the previous post, we can log in to Level 7 where we are presented with the following:


OvertheWire - Natas Wargame Level 6 Writeup

Level 6

When using the credentials obtained from the previous post to log in to Level 6, we are presented with the following:


OvertheWire - Natas Wargame Level 5 Writeup

Level 5

As before, we can use the credentials obtained from the previous post to log in to Level 5. Upon doing so, we are presented with the following screen:


OvertheWire - Natas Wargame Level 4 Writeup

Level 4

We can use the credentials obtained from the previous post to log in to Level 4. Upon logging in, we are presented with the following screen:


OvertheWire - Natas Wargame Level 3 Writeup

Level 3

We can use the credentials obtained from the previous post to log in to Level 3. Upon logging in, we are presented with a screen similar to that of Level 2:


OvertheWire - Natas Wargame Level 2 Writeup

Level 2

We can use the credentials obtained in the previous post to access Level 2. Once we log in, we are presented with the following screen:


OvertheWire - Natas Wargame Level 0 and Level 1 Writeup

Introduction

The fantastic group at overthewire.org have created another wargame called Natas, the description of which is as follows:

 Natas teaches the basics of serverside web-security.  
 Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.  
 Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas5.  

A big thank you goes out to this group for creating compelling and well-organized wargames for people of any skillset or experience level!

I decided to go ahead and pair the writeups for the first two levels together, since they are very similar, and both very easy.

So, without further introduction, let's get started.

Saturday, October 27, 2012

"Damo" Web Security Challenge I Writeup

Introduction

I ran across some web-oriented security challenges, and thought I would take a quick break from the Stack the Smash writeups (more of which are coming soon) to create a writeup for these security challenges as they are solved. If you would like to try the challenges for yourself, you can find them here. Thanks to "damo" for setting these challenges up!

Tuesday, October 23, 2012

Smash the Stack IO Level 3 Writeup

Introduction

For the third level of Smash the Stack (IO), we are given both the source code and a binary to work with. As always, we will use the password obtained in the previous writeup to log in to the server as 'level3'. Let's take a look and see if we can find a way to extract the password for level 4.

Monday, October 22, 2012

Smash the Stack IO Level 2 Writeup

Introduction

We can use the password found in the previous writeup to log in to the server as the 'level2' user. As always, the levels are in /levels. We can see that there are two possible levels for level2: level2, and level2_alt. For the sake of this post, I will focus on level2, but may update it with the solution for level2_alt later.

Sunday, October 21, 2012

Smash the Stack IO Level 1 Writeup

Introduction

One of the best ways to either learn new exploitation techniques or practice ones you already understand is through events called Wargames, otherwise known as "Capture the Flags" (CTFs). There are two common types of CTFs: a typical "Offensive/Defensive" strategy, in which teams are simultaneously attacking each other's networks in an attempt to capture their flag, and a "Jeopardy", or "Offense Only", type in which all teams are trying to solve problems to obtain the same flag.

In addition to this, CTFs can be further classified as either 'ongoing', in which participation is not limited to a small time frame, or 'Event Based', in which participants have a limited time (usually a few days) to attempt to capture as many flags as possible. As an example, the recent CSAW CTF (for which there are writeups on this blog) is considered a Jeopardy-style Event CTF because participation was limited to a weekend.

Now, with the introduction out of the way (see the end of the post for misc. CTF resources), the following is a writeup for level 1 of the ongoing Jeopardy-style CTF called Smash the Stack - IO. I have tried to make the writeup comprehensive for those that may have never participated in a CTF, or do not have much experience reversing binaries.

Tuesday, October 2, 2012

CSAW CTF Quals 2012 Networking 100 and Networking 200 Writeup

As mentioned in a previous post, the CSAW CTF Quals also had Networking challenges, in which contestants were given a packet capture file in which to find the key.

There were four networking challenges which ranged from 100 to 400 points each. Here are the writeups for the only two that I finished during the CTF.

Networking 100 - telnet.pcap

For this challenge, we were given a packet capture containing a telnet session. The first thing we want to do is to open up this file in Wireshark. Once this file is open, we can see that we indeed have a Telnet session, from which we need to extract the key. This should be trivial, since Telnet does not encrypt data (including authentication credentials). This means that if we intercept Telnet traffic, we can harvest credentials with ease.

To do this, we can right-click on a packet in the session, and select 'Follow TCP Stream.' This is a feature of Wireshark that allows us to easily see all of the data that corresponds to a particular session.


Once we choose to follow the TCP stream, we immediately see the flag, which is the password used to establish the Telnet session:


Piece of cake!

Key: welcome to 1969
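Following the Telnet stream by hand in Wireshark, as above, can also be scripted. The block below is an added example, not code from the original post: it parses a libpcap file, reassembles both directions of the TCP conversation on port 23 (ordering segments by sequence number and dropping retransmissions), strips Telnet option negotiation, and recovers the login that travelled in the clear. The capture, addresses, MACs and credentials are constructed inline; checksums are left at zero because nothing validates them.

```python
"""Follow TCP streams in a pcap and recover a cleartext Telnet login, like the
"Follow TCP Stream" step above. Added example; the capture is constructed inline."""
import struct

IAC, SB, SE = 255, 250, 240  # Telnet "Interpret As Command", subnegotiation begin/end

def build_frame(src, dst, seq, payload):
    """Ethernet/IPv4/TCP frame from (ip, port) tuples; checksums stay zero (unvalidated)."""
    (src_ip, sport), (dst_ip, dport) = src, dst
    eth = b"\x66\x77\x88\x99\xaa\xbb" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Little-endian libpcap file (link type 1 = Ethernet) holding `frames`."""
    recs = [struct.pack("<IIII", 1348963200 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(recs)

def iter_frames(pcap):
    """Yield each frame of a libpcap file, honouring the byte order of its magic."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a libpcap file with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4                  # start of the TCP header
    end = 14 + struct.unpack("!H", frame[16:18])[0]  # end of the IP payload
    src, dst = (".".join(str(b) for b in frame[o:o + 4]) for o in (26, 30))
    sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
    return src, dst, sport, dport, seq, frame[t + (frame[t + 12] >> 4) * 4:end]

def follow_tcp_streams(pcap, port):
    """Reassemble each direction touching `port`, keyed (src, sport, dst, dport):
    segments ordered by sequence number, retransmitted duplicates dropped."""
    segments = {}
    for frame in iter_frames(pcap):
        seg = parse_tcp(frame)
        if seg is None:
            continue
        src, dst, sport, dport, seq, payload = seg
        if port in (sport, dport) and payload:
            segments.setdefault((src, sport, dst, dport), {}).setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segments.items()}

def strip_telnet_options(data):
    """Drop IAC negotiation so only the characters actually exchanged remain."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif nxt == IAC:                                # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif nxt == SB:                                 # IAC SB <opt> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif nxt is not None and 251 <= nxt <= 254:     # IAC WILL/WONT/DO/DONT <opt>
            i += 3
        else:                                           # two-byte command or lone IAC
            i += 2
    return bytes(out)

def recover_telnet_login(pcap, port=23):
    """(username, password) typed by the client; assumes the first two client
    lines answer the login and password prompts."""
    streams = follow_tcp_streams(pcap, port)
    client = next((data for key, data in streams.items() if key[3] == port), b"")
    text = strip_telnet_options(client).decode("ascii", errors="replace")
    lines = text.replace("\r\n", "\n").replace("\r\x00", "\n").split("\n")
    return (lines[0], lines[1]) if len(lines) > 1 else (None, None)

# Constructed session: the server negotiates ECHO and prompts, the client answers;
# frames arrive out of order, one is retransmitted, and an ARP frame is noise.
S, C = ("10.0.0.5", 23), ("10.0.0.9", 40001)
SAMPLE_PCAP = build_pcap([
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28,
    build_frame(S, C, 1000, b"\xff\xfd\x01login: "),
    build_frame(C, S, 2000, b"\xff\xfc\x01adm1n\r\n"),
    build_frame(S, C, 1010, b"Password: "),
    build_frame(C, S, 2021, b"1969\r\n"),       # arrives before its predecessor
    build_frame(C, S, 2010, b"welcome to "),
    build_frame(C, S, 2010, b"welcome to "),    # retransmission
])
```

Running `recover_telnet_login(SAMPLE_PCAP)` returns the username and password exactly as they crossed the wire; the same reassembly is what a network sensor would do to flag cleartext authentication on a monitored segment.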

Networking 200 - lemieux.pcap

For this challenge, we play the role of a friend of some person who wants to gain access to a party. Our friend says that he/she knows someone who created an invitation for a party, but is really strict about who gets in. Our challenge is to find, from the given pcap file, the password used to get into the party.

We start this challenge the same way we started Networking 100 - by opening up the provided pcap in Wireshark. We can see that this looks like a typical capture file of someone browsing the web, with multiple HTTP sessions listed. We can use the 'http' filter to help clean up the listed packets to only include those using the HTTP protocol.

From here we can start looking through the packet capture, and we start seeing requests to http://taproom307.com/. By visiting this site, we can see a link to 'Book a Party,' suggesting this may be the best lead to follow in the capture file. We can also guess that we are looking for a POST request, since the individual likely POSTed a form to book the party.

After some digging we finally come across this request which, after analyzing the data sent, shows us the password to attend the party.


Key: brooklyn beat box

That's all there is to it for these first two Networking challenges. Here are links to blog posts that write up the solutions to the other two challenges - Networking 300 and Networking 400:

Networking 300:
http://delogrand.blogspot.com/2012/10/csaw-ctf-quals-networking-300.html

Networking 400:
http://delogrand.blogspot.com/2012/10/csaw-ctf-quals-networking-400.html

Leave a comment below if you have any questions!

-Jordan

Monday, October 1, 2012

CSAW CTF Quals 2012 Trivia Writeup

As mentioned in the previous post, the CSAW CTF also had a Trivia section of challenges, with each solution worth 100 points. Each of these could be found with a little Google-fu and some work if needed. Here are the solutions to the Trivia challenges:

Trivia 1 - What is the first step in owning a target?

The answer to this one should be obvious to pentesters, as recon is the first step in owning a target (you need information to work with). One could also notice the 'Recon' challenges listed under the Trivia section and infer the answer from that, which would work as well.

Key: recon

Trivia 2 - What is the name of Google's dynamic malware analysis tool for Android applications?

I knew the answer to this one already since I had previously seen slides of a talk given by Charlie Miller and Jon Oberheide on exploiting the tool named Bouncer.

Key: Bouncer

Trivia 3 - What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF.

Since I don't have the x86 opcodes memorized, it was time to find a resource. This one served my purpose well. We can see that the and instruction taking al and an immediate value (a constant) has the opcode 0x24. Therefore, the key to this is 0x2424, as the constant is listed after the first byte of the opcode.

Key: 0x2424

Trivia 4 - Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()?

A bit of Googling led me to this paper, written by Spencer Pratt, which is the answer.

Key: Spencer Pratt

Trivia 5 - What is the name of Microsoft's distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving?

This one was the most difficult for me to find, partly because I kept getting hung up trying keys related to 'BlueHat'. It made sense to me, a community driven (distributed) system revolving around those topics. However, this wasn't the answer. After some more research, I found this article, which turned out to be the answer.

Key: SAGE

As mentioned, these challenges were all easily obtainable with a little research. I think these were meant to give new CTF-goers (like me!) the chance to quickly gain points and build confidence, which is a great idea.

More write-ups will be added soon!

-Jordan

Sunday, September 30, 2012

CSAW CTF Quals 2012 Recon 1-3 Writeup


This weekend I participated in the CSAW 2012 Capture the Flag (CTF). Although I didn't have nearly the time I wish I had to spend on solving the problems, I wanted to make some writeups for those I did manage to solve in time.

The following problem categories were available to be solved:

  • Trivia
  • Recon
  • Web
  • Reversing
  • Exploitation
  • Forensics
  • Networking

Solutions to the challenges were awarded points based on how difficult the solution was expected to be, ranging from 100 to 600 points per solution.

I wasn't able to solve the final two 400 point Recon challenges (for Yoda, and Dan Guido's favorite foods), so if anyone participated and managed to find those solutions, I would be interested to hear how you went about it!

Recon 100 - Jordan Wiens (psifertex)

For this challenge, we are simply given a Google Search link for 'Jordan Wiens', one of the judges for the CTF, and the only knowledge we have about the key is that it will most likely be in the format 'key{something}'. Not much to go on, but we'll see what we can do.

The obvious sources of information as seen from the Google Search are his Twitter and LinkedIn accounts. From these, we can see the alias 'psifertex' is commonly used. This may come in handy. On a hunch, we can check on which sites the name 'psifertex' is taken using a common tool called namechk.com. Using this tool, we see that psifertex is taken on quite a few websites, but none of these yield great results.

The next step would be to simply perform a Google Search for 'psifertex' and see if we find anything new. Fortunately, we notice the first result is psifertex.com, which only contains the string 'Nothing to see here, move along.' Not buying it, the next step of recon I like to perform on a domain is to try and brute force the subdomains. To do this, I use a tool called subbrute.py. This tool performs multithreaded DNS lookups to a configurable list of DNS resolvers, searching through a list of possible subdomains. It should be noted that I have tweaked and modified my own version of subbrute, and have added subdomains as I've found them, so the standard install may not work in this case.

However, I find the following output from subbrute.py for psifertex.com:

Checking psifertex.com
74.125.45.121 calendar.psifertex.com
74.125.45.121 docs.psifertex.com
69.163.249.183 ftp.psifertex.com
173.236.129.17 key.psifertex.com
69.163.249.183 ssh.psifertex.com
74.125.45.121 start.psifertex.com
69.163.249.183 www.psifertex.com

Obviously, the first subdomain of interest is 'key.psifertex.com', which indeed yields the key: 'secret sonambul1st'


Recon 100 - Jeff Jarmoc (jjarmoc)

For this challenge we were simply given a Google Search for 'jjarmoc'. Again, not too much to work with. Many teams had trouble with this challenge, yet I found this to be one of the easiest (most likely because I had performed the same recon with Jordan Wiens). From Jeff's Twitter page, we can see that he links offenseindepth.com as his homepage. Let's perform the same recon as before, and run subbrute. Here is the output:

Checking offenseindepth.com
107.21.146.162 finger.offenseindepth.com
173.201.193.71 imap.offenseindepth.com
74.125.45.121 mail.offenseindepth.com
107.21.146.162 www.offenseindepth.com

The only subdomain that seems out of the ordinary is finger.offenseindepth.com. Using the subdomain name as a clue, we can attempt to enumerate information about users on the host using the Finger service. Sure enough, by using jjarmoc as the username, we receive the following information:

jordan@crux:/pentest/recon/subbrute$ finger jjarmoc@finger.offenseindepth.com
Debian GNU/Linux      Copyright (C) 1993-1999 Software in the Public Interest
-----------------------------------------------------------------------------
Username: jjarmoc                   In real life:                       


Plan:
This is my .plan.  There are many more like it, but this one is mine.

{key:does anyone still use finger?}

-----------------------------------------------------------------------------

We can use the key 'does anyone still use finger' and we are awarded 100 points. Moving right along.

Recon 100 - Julian Cohen (HockeyInJune)

I actually found Julian's recon challenge to be the most difficult, only because of my own oversights. All we are given is a Google Search for 'HockeyInJune'. This, like the other recon challenges, does not provide much information. However, using namechk.com, I can see that HockeyInJune has a Reddit profile, which is consistently posting about the CSAW CTF, so we know it's the right guy. I mentioned my own oversights on this one, and it was simply because I checked every Reddit post except the one that had the key. After finally checking the link posted in the comment (cockcab.com), we can see that it clearly lists the key (although I didn't manage to write it down for this post, and now it looks to have been removed).

So there you have it! Those were the first 3 recon challenges for the CSAW CTF. As mentioned, two more 400 point challenges were posted later in the weekend (Dan Guido's two favorite foods and Yoda), but I didn't have time to really look too much into them. If anyone managed to find the solutions, I'd be interested to hear how much work it took to find them!

A big thank you goes out to the organizers of the CTF. Everything went smoothly, and appeared to be well organized with interesting challenges. Hopefully next year I will have more time to work on the challenges, and won't be so bogged down with school projects.

I will post more writeups for the challenges as I create them.

-Jordan

Edit: Dan Guido gave a comment on Reddit that the solution to his Recon challenge could be found here. Thanks, Dan!


Sunday, July 22, 2012

Social Engineering Social Networks - How I Will Be Your Friend

Introduction

As detailed in a previous post, social engineering is a common, yet effective, tactic used by attackers that involves "manipulating a person to accomplish goals that may or may not be in the “target’s” best interest." This usually results in the attacker gaining unauthorized access to systems, areas, or information that would otherwise be unavailable. However, while it was briefly mentioned, we didn't really discuss the opportunities available for an attacker or pentester by utilizing one of the most common goldmines of information available today: social networks.

Almost everyone has one or more social networking profiles on one of the major social networking sites (Facebook, Twitter, LinkedIn, Google+, or Myspace), including high-value targets for social engineering engagements (e.g. "C-level execs", presidents, VPs, etc.). These profiles include information that can be critical to a social engineer when crafting the most effective spear-phishing email possible, obtaining answers to secret questions to gain access to systems, or harvesting data that can be used in further targeted attacks. In this post, we'll look at how to utilize our social engineering skills to methodically "befriend" employees in order to quickly gain access to specific targets.

Tuesday, May 29, 2012

Are Security Certifications Useful?

Introduction

Security professionals either currently employed or seeking employment are often requested to pass certification exams. In fact, many companies may not even consider an applicant for a position that does not have the "required" certifications.

With this being said, in this post we will discuss the purpose behind certifications, how we should view obtaining them, as well as a list of the different certifications currently offered in the industry.

Thursday, May 10, 2012

RaiderSec Meeting 05/08/2012

Hey everyone!

I would like to apologize again for having to cancel the meeting this past Tuesday. Unfortunately, a class exam overrode our room reservation. However, you can find the slides to the presentation over lockpicking here. If you ever have any questions regarding the subject, please feel free to let me know either through e-mail or in the comments below.

I'm really looking forward to continuing RaiderSec next semester, and hope to use this summer to publish substantial new and interesting content to the blog. Sometime next week, I will post a list of the different things I'd like to cover next semester, but tentatively my goal is to give more hands-on examples, as well as take time to look at unique areas of security. Above all, I want everyone to enjoy learning about the areas of security that interest them. So, if there is a particular subject you would like to see covered next semester, or even a subject that you would like to cover yourself, let me know and we'll make it happen!

I've really enjoyed our meetings, and I hope everyone else has as well. If you're here over the summer and would like to get together to discuss things pertaining to RaiderSec, be sure to let me know! Otherwise, I look forward to seeing everyone next semester!

Have a great summer!

-Jordan

Thursday, April 19, 2012

RaiderSec Meeting 04/17/2012

Hey everyone!

I just wanted to thank everyone who made it out to the meeting, and I hope you all enjoyed learning about Cross-Site Scripting (XSS) vulnerabilities and their exploitation. You can find the slides from the last meeting here.

As mentioned in the meeting, next Tuesday (April 24, 2012) Lance will be continuing the topic of input validation vulnerabilities in web applications by going in depth about SQL Injection vulnerabilities. The widespread prevalence and impact SQL Injection vulnerabilities can have will make this a very important and interesting topic.

I look forward to seeing everyone at the meeting!

Wednesday, April 11, 2012

RaiderSec Meeting 04/10/2012

Hey everyone!

I just want to thank everyone who made it out to the meeting yesterday! I hope everyone enjoyed learning about how social engineering attacks work, as well as why the human element of security is (and very likely always will be) the weakest link in a company's defenses.

As I mentioned in the meeting, next week we will begin covering web application vulnerabilities. Until then, feel free to read up on some of the vulnerabilities listed in OWASP's Top 10 Project Report to get an idea of the vulnerabilities we will be discussing in detail.

Also, you can find the slides for the social engineering presentation here. I look forward to seeing everyone at the next meeting!

-Jordan

Sunday, April 8, 2012

Social Engineering - Exploiting the Human Element of Security

Introduction

"Hi, this is Rick from [Internet Service Provider]. We're seeing some unusual traffic from your location. It's most likely nothing to worry about, but we have a field tech on his way to diagnose the problem. Can you make sure he has access to the network to run some quick tests?"

At most, this phone call may take 3-5 minutes, and already the risk for the target being compromised is very high, especially if the individual on the other end of the line agrees to help the "field tech" (very likely the same person who called). This technique is one very specific example of "Social Engineering," and throughout this post, we will see how these techniques are often leveraged by attackers to exploit the human element of security for malicious gain.

Sunday, March 25, 2012

RaiderSec Meeting 03/20/2012

Hey everyone!

I want to thank everyone who came to the meeting on Tuesday. I hope everyone enjoyed the introduction to memory corruption (specifically buffer overflow vulnerabilities), and next meeting we will cover how a buffer overflow vulnerability can be leveraged by an attacker to execute code of his/her choice (our example being to create a shell on the system). As a reminder, our next meeting will be on Tuesday April 3rd, 2012.

Until then, you can find the slides from the last meeting here. I look forward to seeing everyone at the next meeting!

-Jordan

Thursday, March 22, 2012

How to set up and configure snort for a Linux (Ubuntu spec.) System

Introduction

Note: This guide is not very stable; use it at your own risk, and do not go into this without some understanding of *nix and the ability to solve problems, Google things, and so on. Also, Snort was not designed for wireless; this configuration will not work with wireless at all. There are hacky patches you could maybe apply to get Snort to work with Kismet or something (I didn't look too far into it), but honestly at that point it would be much easier to choose a more lightweight IDS.

This is a post Jordan and I had been talking about writing since the last meeting. Snort is a wonderful open source Intrusion Detection System (IDS) which is very effective as a first-response system when your machine is being attacked, or as a line of defense in computer security related games like Capture the Flag (CTF).

I decided to set it up on my local machine for fun (it's not really necessary on a machine not running services, but fun to have), and to give myself the chance to step through the process. I'm setting up the Snort IDS using the PostgreSQL database (because I already have it set up for Metasploit interaction).

Monday, March 5, 2012

Introduction to Metasploit

The Need for Metasploit

As we saw in our first meeting, successful exploitation of a service requires three "parts":
  • Vulnerability - A flaw in a system which can be utilized as an avenue of attack.
  • Exploit - A program specifically designed to leverage a vulnerability.
  • Payload - Code to be run on the system after the vulnerability has been exploited.

Usually, when a vulnerability is found in a service, an exploit is developed that directly contains a payload. For example, it is common that a shell may be produced from the exploited service. This means that when an exploit is used, the penetration tester would have no choice but to use the provided payload, unless he/she wanted to take the time necessary to create their own. This not only takes a substantial amount of time, but also quite a bit of skill. Also, one must consider that both exploits and payloads can be (and usually are) architecture specific, so a payload that works on a Windows machine will most likely not work on a Linux machine.

So, what security testers needed was a centralized framework to mix and match exploits with available payloads. Also, there was a strong need for a central repository of exploits and payloads that can be pre-loaded for quick use. This results in a flexible security testing environment, in which the desired results can be easily achieved.

Metasploit offers this functionality, and much, much more.

Tuesday, February 28, 2012

RaiderSec First Meeting

Hello Everyone!

I just wanted to thank everyone who came out to the first meeting of RaiderSec! It was great to see everyone there, and I hope the content was interesting and insightful!

If you missed the meeting, or would like the slides, you can find them here. I will also be posting a supplementary blog post describing the basics of Metasploit in more detail for anyone who would want to see it, or get a recap of what we went over in the meeting. Hopefully it will be up in the next week or so.

I know we covered quite a bit of content really quickly at our meeting, but if you ever, ever have any questions please don't hesitate to e-mail me, and I would be more than happy to answer any questions you may have! The goal of the meetings is to learn as much as possible about the field of security, so if there's something on which you may be stuck, or didn't quite understand during the meeting, let me know!

Also, since I was unable to have the disclaimers there today for everyone to sign, you can find them here. If at all possible, please sign and return them to me by the next meeting (scanning and e-mailing is perfectly fine).

I hope everyone has a great Spring Break, and I look forward to seeing everyone at the next meeting!

Brute Force Without a Dictionary Using John The Ripper

If you're like me (Lance) and are playing with, using professionally, or writing brute-forcing software that requires word lists, you don't want to waste hard drive space on massive all-encompassing password lists which have a limited chance of success. Luckily, you don't have to, if you leverage some John the Ripper and (l/u)nix functionality.

Monday, February 20, 2012

Searching for Devices Using the SHODAN Search Engine

In this post, I'm going to discuss a very useful search engine called SHODAN, as well as introduce the API it offers for development. I will also include a link to a PHP API Wrapper that I wrote that can assist in easily accessing SHODAN from a web application.

Friday, February 10, 2012

ACM Presentation Slides

It was great to see everyone at the ACM meeting yesterday (Feb. 9), and thanks to all who signed up for the group! It's exciting to see such interest in the field of security!

I am working with the ACM officers to get the information of those who registered and will be sending out an e-mail to each of you shortly with information concerning the date and time of the first meeting, and I will also post it to the Meetings page.

After each meeting, I will be sure to upload any slides, notes, or code that I use in the presentation for anyone who would like them. As an example, the PowerPoint slides from last night's meeting can be found here.

Again, thanks to everyone who signed up! I'm excited to get things rolling, and to start exploring the vast field of security with each of you!

Jordan

Wednesday, February 8, 2012

Setting Up a Virtual Security Lab with VirtualBox

Why Virtualization?

As security enthusiasts, we are constantly pursuing more knowledge of our field. Anytime a new class of vulnerabilities (or even simply a new exploit) surfaces, we are eager to dissect it to figure out how it works, as well as what measures we can take to protect against it. We know that the best way to learn is by doing, for example, by setting up two machines and using one to emulate an attacker and one to emulate the victim. This approach works well, and provides useful, practical information. However, it is not cost or space effective, since one must have two machines to create this scenario, and this approach is also very time consuming since one must re-build the victim OS every time it is breached by the "attacker" in order to have a fresh-start. What we as security hobbyists need is a solution to these problems that allows us to cheaply and easily build isolated machines on the fly with which we are free to experiment without fear of breaking something.