Recent Readings on Criminals, Android Botnets, Pen Tester Bootcamps, Stealth Films and SPAAAACE TRAVEL

Written to the sweet relaxing sounds of the new Villagers album, Awayland (for those indie fans). I know I’m a bit late on my ‘attempt to post every Friday’ post thing, but, Friday turned into a bit of a clusterfudge, so excuse the delay (plus, Australia day over the weekend <insert dranks>).

Security articles that caught my attention:

Actually, I really was a criminal.. – I found Rich’s post really insightful and refreshing. I also think it’s a fairly common occurrence for those involved in the info sec space to have done similar things themselves, just, not as common for those people to publicly post about it. Kudos.

Android Botnet Infects 1 Million Plus Phones – I didn’t read too much into the ‘extremist’ title of this post, but, I don’t think that this sort of thing should be too surprising to security peeps. Phones are just computers, right? And as they continue to grow in popularity and drop in price, well, of course malicious actors are going to focus their attention on them. I know a personal interest of mine is in using BeEF to target mobile devices; in this way, you could effectively coerce untold numbers of devices to perform actions on your behalf just through their browser.

Pen tester launches infosec bootcamp – I’m glad to have worked with, and hung out with, Snyff on a few occasions, and I’ve really gotten a lot out of his PentesterLab for quite some time, and now that he’s making more of a move to make this material available this is only a good thing. Another one of Snyff’s ‘free’ services is the PNTSTR Bot. His bot sends me a ‘pen tester’ question once a week via a DM. It’s a great little ‘test yourself’ activity that takes less than 30 seconds, and, I look forward to the challenge every week.

Movie filmed entirely in Disney Theme park – Not strictly a digital security post, but, I certainly found the concept really interesting. The crew and actors pretty much had to ‘stealth’ film the movie, referring to mobile phones for notes and scripts, and using camera setups that were as discreet as possible. I hope this inspires more of these sorts of things.

Application Framework Security – Jerry Hoff over at OWASP has started a new Project to document the security controls available in common development frameworks. It’s a good reference (if just at the beginning), and hopefully it can be extended to integrate and interlink with other OWASP projects like the T10, ASVS, etc.

Some tech/dev stuff:

Visual Event – for when you need to dig into JS events. Hat tips to Vitaly for the link.

LICEcap – for when you need to capture a portion of your screen and immediately convert it into an animated GIF. .. obviously for .. you know .. legitimate reasons.

MS Going its own way on Audio/Video spec – .. god damnit WHY does this shit happen? Just when you think browsers are starting to all meet at an apex of compatibility *bam* – we’re going to do our own thing. I really dislike IE, mainly because of the experience and bloat of it, but, there’s all this underlying gumpf that, when I think about it, also grinds my gears. (Goes back to rocking backwards and forwards on his angry man chair).

Firefox Phone – I’ve seen a few presentations on the Boot to Gecko (BTG) / Firefox OS over the past 12 months. Primarily at OWASP events. And I’ve been interested in the ‘everything is a web app’ phone (a little bit like Chrome OS), except, in this case, everything is HTML and JS. Obviously from a BeEF point of view I was salivating, but, from a new player in the space, I’m also keen to see how it goes. Plus, obviously, being completely customisable.

Motivational / inspirational (?):

Putting Things Into Perspective: Space – I was enthralled by the entire 19 minute vimeo, and it was one of those moments (that you may not experience that often) when you realise just how small we all are, and how profound it must be to a) see the entire earth under you and b) see the sun surrounded by the darkness of space, as opposed to the blue sky we normally associate with the sun.

Recent Readings on BeEF, MetasploiTor, Automation, SDLCs, Phishingggggggg

First off the bat are a couple of posts that I’ve had direct (some would say intimate) involvement in.

BeEF QR Fun – Summarising some of the salient points from my OWASP AppSecAPAC 2012 presentation (Shake Hooves with BeEF), I finally pulled my finger out and posted for the BeEF blog. Mainly focusing on custom mount points in BeEF with iFrame target-site impersonation, plus a dabbling of QR-codedness, the post hopes to demonstrate a few different methods to fit BeEF into your social engineering methodology.

Anonymous Post-Compromise Control via Tor Hidden Services – My colleague Dave somehow managed to wrangle up an opus on utilising Tor to anonymise backdoor connectivity to compromised hosts over the Christmas period. Knowing Dave’s relationship with beer I’m surprised that he still had the brain power to push this out (:P). If you have any interest in Metasploit and Tor then you should check out his post.

And now onto other security stuff..

Minion – Automating Security for Developers – There are a few different open source security automation projects going on at the moment (I mentioned Codesake recently), but this one looks pretty interesting. It seems to be fairly modular (currently it appears to interface with ZAP, Skipfish and Garmr). The demo video seems really interesting, very point and click. For developers, this may be an ideal ‘step’ in their SDLC to catch bugs sooner.

Red October – There’s been quite a bit of noise about this attack recently. This was one of the first blog posts I read that seemed to provide a clear summary, with further links into the Kaspersky reports. This long-term campaign has apparently been targeting embassies and other governmental agencies (including defence) for the past 5 years.

Non-Negotiable Elements of a Secure Software Development Process: Part 2 – Nick Coblentz has been posting these great articles on elements of a secure systems or software development lifecycle which are non-negotiable. Part 1 started with security requirements, while this post is focused on security architecture, configuration and other patterns. If you’re working on embedding security into your development lifecycle definitely keep in the loop on Nick’s posts.

Man-in-the-Middle Attacks Against Browser Encryption – Schneier recently posted a summary of how Nokia are intercepting HTTPS channels to offer better data transmission speeds over slower networks through compression and other means. This is really similar to a 2009 post of mine talking about how Opera Mini was doing the same thing.

Defeating AES Without a PhD – Dan Crowley writes up an excellent post on leveraging some of Burp’s more tricky intruder settings to understand (and attack) encrypted parameters within web apps. (Dan’s a great guy, was happy to have a few beers with him while he was down in Sydney last year).

Bouncer’s Laser Precision Phishing – RSA have posted an article on a particular phishing kit (i.e. a pre-canned tool used to create or implement phishing sites) which utilises unique URL links for each recipient (so this kit includes the email/spam component too) to ensure that the site is only accessible (at least initially) by the victim. I’m sure there are ways to bypass this, but, it certainly may fool some simple phishing detection tools (such as those used by finance or other sectors when they analyse abuse mailboxes or email bounce-backs, etc.).

Okay, enough with the security stuff .. (Fine! .. here’s one article..)

Monkey Island Insult Swordfighter in your Browser – for those fans of the original Monkey Island point and click adventure games you should check this out! This guy has dumped in browser form a collection of the sword-fighting challenges..

Security Tools – Don’t re-invent the wheel when there’s a whole car available

One of the biggest issues I had with BeEF when I started contributing to the project was the administrative interface. Primarily this was due to being absolutely spoilt by Metasploit’s “msfconsole” interface. It just felt so natural to run everything from the command line; it made it trivial to ssh into EC2 instances running MSF, or even just run it locally, it didn’t matter, with the “show” command making it so easy to iterate through a fairly complex hierarchy of information.

So I took some time out to try and figure out how we could implement another UI for BeEF, and naturally I started to look into how MSF did it, and then I came across their fantastic Rex Library, now packaged as a gem for easy distribution and installation over here: (Cheers @hammackj). Now, at this point the console interface for BeEF is still non-trunk material, and it’s more of a remote-control interface, i.e. talking via the admin JSON interface that exists within the “Admin” BeEF extension.

It was through this process that I really came to appreciate the awesome work the Metasploit team had done in the construction of Rex. I mean, immediately, just by performing a quick “# gem install librex” and then including a “require 'rex'” in your code, you have access to an incredibly powerful console-based interface with tab completion, multiple level stacks (think beef > zombie > command), a job management system, and this is just the stuff the BeEF console’s using. Let’s not forget logging, encoding, sockets and much much more.

If you’re building any security tools in ruby, nay, any tool in ruby that requires this sort of interface (and let’s not forget how extensive msf is, so sure, you can use Rex to drive a web-ui, console, cli, whatever), I think you’d have a hard time trying to find anything as effective and full-featured as Rex. In addition you’ll find that new features come out quite consistently too, like their JS obfuscator.

By separating the remote control library from the Rex console driver UI, I was then also able to drop the exact same remote control library into the recently announced MSF BeEF Plugin (early version available here).

You can see the console in action here (the current version in the trunk has been updated though, so it’s a lot neater than this):

And the MSF BeEF Plugin here:

Burpdot: Now with Web UI

*Phew*, burpdot is now up to version 0.5. I can’t really explain the relief I feel at getting this version out. Ever since David planted the idea of visualising Burp log files showing how URLs refer to one another he was always going on about “Hey, jQuery is easy right? Sure! You can build up a web interface right? That’ll only take you a couple of days?”. Well according to the network graph I’ve been making tiny commits to the work in progress branch for the past 2 months, only now have I merged it back in and voila.

The existing command line functionality should be exactly the same, but, if you set up your environment according to the documented dependencies then you should be able to simply run “./burpweb.rb” and open up http://localhost:8015.

Less words, more shows:

Burpdot: Playing with Depth and Optimising Graphviz

Burpdot is now up to version 0.4, it’s starting to shape up into something a little bigger than first imagined, which I guess is the way with these things. But first let’s cover the simple stuff: as of 0.4, burpdot has a new mode to output into a SQLite database file. At the moment, there’s not much point in this functionality, but new versions will use it – but let’s leave that for another post. Example:

# ./burpdot.rb -i burp.log -m sqlite -o burp.db


Okay, not really. Anyway, before getting onto the depth option I’ll have to admit, I don’t really know much about using Graphviz. So, after a little reading I figured out a couple of over-rides that really help with burpdot (via Afterglow) generated graphs: the normalize option, the splines option, and using vpsc for overlap prevention instead of ortho. You can see these generated below.

The concept of depth is really simple, set to 1 and burpdot only extracts the domain portion of the URI, set to 2, and you get the domain and the path, set to 3 you get the domain, path and query string. By default depth is set to 2, so you get graphs as generated in previous versions. Examples:

# ./burpdot.rb -i burp.log -m csv -d 1 | ./ -t -c | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-1.png

# ./burpdot.rb -i burp.log -m csv -d 2 | ./ -t -c | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-2.png

# ./burpdot.rb -i burp.log -m csv -d 3 | ./ -t -c | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-3.png
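To make the depth option concrete, here is an added Ruby example (my own illustration, not burpdot’s source) that collapses URLs to the node label each depth produces and emits the source,target CSV that gets piped on to Afterglow. The (referer, requested URL) pairs are constructed sample data, and dropping edges whose two ends collapse to the same node is an assumption of this example, not documented burpdot behaviour.

```ruby
require 'uri'

# Collapse a URL to the node label for a given depth, following the
# description of burpdot's -d option: 1 = host only, 2 = host + path,
# 3 = host + path + query string.
def node_for(url, depth)
  u = URI.parse(url)
  host = u.host.to_s
  return host if depth <= 1
  path = u.path.empty? ? '/' : u.path
  return host + path if depth == 2
  u.query ? "#{host}#{path}?#{u.query}" : host + path
end

# Constructed sample of (referer, requested URL) pairs, standing in for
# the pairs that would be pulled out of a Burp log.
SAMPLE_REQUESTS = [
  ['http://www.example.com/', 'http://www.example.com/login?next=/account'],
  ['http://www.example.com/login?next=/account', 'http://www.example.com/account'],
  ['http://www.example.com/account', 'http://cdn.example.net/app.js?v=3'],
  ['http://www.example.com/account', 'http://cdn.example.net/app.js?v=4'],
].freeze

# Unique directed edges at a given depth. Self-loops (source and target
# collapsing to the same node, e.g. same host at depth 1) are dropped here
# so the graph only shows movement between distinct nodes (my assumption).
def edges_for(requests, depth)
  requests.map { |ref, url| [node_for(ref, depth), node_for(url, depth)] }
          .reject { |src, dst| src == dst }
          .uniq
end

# Two-column CSV in the shape Afterglow consumes: source,target per line.
def to_csv(edges)
  edges.map { |src, dst| "#{src},#{dst}" }.join("\n")
end

if __FILE__ == $0
  [1, 2, 3].each do |d|
    puts "# depth #{d}: #{edges_for(SAMPLE_REQUESTS, d).length} edge(s)"
    puts to_csv(edges_for(SAMPLE_REQUESTS, d))
  end
end
```

Running it shows why depth matters for the graph size: the same four requests give one edge at depth 1, three at depth 2 and four at depth 3, because the two cache-busting query strings only become distinct nodes at depth 3.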