un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

First off the bat are a couple of posts that I’ve had direct (some would say intimate) involvement in.

BeEF QR Fun – Summarising some of the salient points from my OWASP AppSecAPAC 2012 presentation (Shake Hooves with BeEF), I finally pulled my finger out and posted for the BeEF blog. Mainly focusing on custom mount points in BeEF with iFrame target-site impersonation, plus a dabbling of QR-codedness, the post hopes to demonstrate a few different methods to fit BeEF into your social engineering methodology.

Anonymous Post-Compromise Control via Tor Hidden Services – My colleague Dave somehow managed to wrangle up an opus on utilising Tor to anonymise backdoor connectivity to compromised hosts over the Christmas period. Knowing Dave’s relationship with beer I’m surprised that he still had the brain power to push this out (:P). If you have any interest in Metasploit and Tor then you should check out his post.

And now onto other security stuff..

Minion – Automating Security for Developers – There are a few different open source security automation projects going on at the moment (I mentioned Codesake recently), but this one looks pretty interesting. It seems to be fairly modular (currently it appears to interface with ZAP, Skipfish and Garmr). The demo video seems really interesting, very point and click. For developers, this may be an ideal ‘step’ in their SDLC to catch bugs sooner.

Red October – There’s been quite a bit of noise about this attack recently. This was one of the first blog posts I read that seemed to provide a clear summary, with further links into the Kaspersky reports. This long-term campaign has apparently been targeting embassies and other governmental agencies (including defence) for the past 5 years.

Non-Negotiable Elements of a Secure Software Development Process: Part 2 – Nick Coblentz has been posting these great articles on elements of a secure systems or software development lifecycle which are non-negotiable. Part 1 started with security requirements, while this post is focused on security architecture, configuration and other patterns. If you’re working on embedding security into your development lifecycle definitely keep in the loop on Nick’s posts.

Man-in-the-Middle Attacks Against Browser Encryption – Schneier recently posted a summary of how Nokia are intercepting HTTPS channels to offer better data transmission speeds over slower networks through compression and other means. This is really similar to a 2009 post of mine talking about how Opera Mini was doing the same thing.

Defeating AES Without a PhD – Dan Crowley writes up an excellent post on leveraging some of Burp’s more tricky intruder settings to understand (and attack) encrypted parameters within web apps. (Dan’s a great guy, was happy to have a few beers with him while he was down in Sydney last year).

Bouncer’s Laser Precision Phishing – RSA have posted an article on a particular phishing kit (i.e. a pre-canned tool used to create or implement phishing sites) which utilises unique URL links for each recipient (so this kit includes the email/spam component too) to ensure that the site is only accessible (at least initially) by the victim. I’m sure there are ways to bypass this, but, it certainly may fool some simple phishing detection tools (such as those used by finance or other sectors when they analyse abuse mailboxes or email bounce backs etc).

Okay, enough with the security stuff .. (Fine! .. here’s one article..)

Monkey Island Insult Swordfighter in your Browser – for those fans of the original Monkey Island point and click adventure games you should check this out! This guy has dumped in browser form a collection of the sword-fighting challenges..


Pretty hectic week, what, with Rails getting an absolute slam, Java oh-days and CES going on. If you’ve been bored on the Internet you’ve been doing it wrong.

AWS Improvements – so my IaaS-of-choice is primarily Amazon, and it’s no surprise that they’ve had some updates since the start of the year. In fact, they seem to be posting about updates on an almost weekly basis. This update, whilst primarily aesthetic, brought with it a new Android app. I’ve only had a brief play with it, but, it certainly gives basic portable access into managing your virtual machines. In addition to this, AWS also updated CloudWatch to allow for automatic stopping of idle machines. I’ve been hacking together some stuff to perform this same task, so, it’s useful to see that they’re providing it natively. Another reason to shift from Heroku to Amazon.

The Value of Concentration in the Digital Age – I originally saw this article on Lifehacker, and found that a lot of the issues discussed felt very familiar. Whilst the post primarily focuses on the impacts of lack of concentration, and how traditional books can help with this (you can’t click buttons on a book), the commentary around associated anxiety is something I certainly agree with. I’ve struggled on and off with anxiety for a while now and certainly put a high value on ‘relaxing’ and ‘unwinding’ to help manage this. Books are a great source of relaxation for me, and this article certainly confirmed for me the benefits of using a fairly dumb ereader (the basic basic Kindle) as opposed to something like an iPad. The Kindle does one thing and one thing well.

Colour Affects Perceptions of Taste – from the design/hive-mind of Core77, a quick summary of some research performed by the Society of Sensory Professionals on how the colours of containers affects the taste. For all the clever shit we, as humans, think we’re capable of, there’s certainly a whole bunch of unknowns within our minds.

The Dronenet – but, instead of being used for evil, we’re actually going to use these little critters for good. Who would’ve thought? Apart from really enjoying the vids of the quadrocopters bouncing balls, and being horrified by all the invasion-of-privacy stories coming out, there’s not too much *positive* stuff that comes out around drones. I found this idea somewhat refreshing. .. As an aside, I’m obviously in the wrong circles, as mostly when I read about drones it’s negative, when of course there are in fact a lot of benefits to this sort of tech too.

The Pixel Trade – Really interesting photography project whereby the author is travelling the globe trading his photography skills for accommodation, food, travel etc. I’m quite glad that this sort of exercise is being done by people, and, I sort of wish that I could convert what I do into a similar process… Anyone want to fly me around and hook me up with a couch for security services? People keep on saying I have Penetration Testing skills on LinkedIn .. surely someone finds those skills useful?

Onto the security stuff:

Patch your Rails stuff – The R7 guys have been posting a lot about this issue, which is pretty darn wide. Just read their posts, and, if you’re not following them on twitter/RSS, get onto it.

Patch your Java – This is being actively exploited in the wild, and, if it’s not in MSF now, it will be shortly.

Realtime iOS Filesystem Monitoring – @Jhaddix has been posting some really good iOS stuff over the past few days. If you don’t follow his blog or twitter get onto it. (He just posted Defeating iOS Jailbreak Detection too!)

Q1 Security Projects – Daniel Kennedy over at 451 Research posted some pretty graphs showing the various states of security projects from a sub-set of organisations. I haven’t really looked too closely at the data sources or rigour within, but, it might be a quick and easy way for you to gauge where you are at with your projects compared to ‘some’ sectors.

ENISA BYOD Guide – I won’t really add much to what @rmogull wrote – but, if you’re at all working on BYOD in your companies, this is a pretty good set of information for you.


This isn’t the first time I’ve had to do this, but I recently had to quickly spin up an Amazon EC2 instance to run the Metasploit Framework online, and thought I should capture the high level process flow somewhere. And so this gist was created on github.

I found that if you need it quickly, aren’t expecting to require it for very long and don’t mind spending a little bit more (I’m still talking about that Metasploit instance .. sickos), then running up one of Amazon’s “Basic 64-bit Amazon Linux AMI” on a “High-CPU Extra Large (c1.xlarge, 7GB)” instance is perfect, especially if you need to install ruby 1.9.2 instead of using the AMI’s default ruby 1.8.

The gist does the following:

sudo yum install make gcc openssl-devel svn git

Install the necessary packages to build software, including the OpenSSL requirements. Also install git (for getting RVM, more below) and svn (for getting MSF .. although they have moved to github, so this will likely change soon).

bash < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
exit

Install RVM, the Ruby Version Manager, which is a simplified method to install multiple ruby versions. The bash script above is ripped directly from the RVM page here. This helps us run up ruby 1.9.2, which seems to work brilliantly with the Metasploit Framework, at least as of the current version. We exit, and then ssh back into the instance, so that RVM gets set up in your bash profile.

rvm pkg install openssl

Use RVM to install the OpenSSL package. This is used by the RVM build process when we install Ruby 1.9.2.

rvm install 1.9.2 --with-openssl-dir=$rvm_path/usr

Use RVM to install Ruby version 1.9.2, and set it to use the RVM-installed OpenSSL, per the above command. This is the longest part of the process, and this is where we really benefit from using that High CPU instance ;)

svn co https://www.metasploit.com/svn/framework3/trunk/
cd trunk

Check out the latest version of the Metasploit Framework into the “trunk” folder and change into there.

rvm use 1.9.2

Tell RVM that we want to use that installed version of Ruby 1.9.2.

rvmsudo ruby -v

Check that we’re running Ruby 1.9.2. rvmsudo is used to emulate running the commands through sudo, but in the context of rvm. We want to check that Ruby 1.9.2 runs under rvmsudo because we may want Metasploit to listen on low ports, such as TCP/80.

rvmsudo ruby ./msfconsole

Let’s start up Metasploit, as root, using Ruby 1.9.2. Obviously, if you’re concerned about running Metasploit as root feel free to start Metasploit as a regular user with “ruby ./msfconsole”.

And there you go. A quick, blow-away, Amazon Linux-powered Metasploit Framework instance.
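As an added example (not part of the gist or of this post): a small Ruby preflight script to run just before the msfconsole step. It checks the three things the procedure depends on: that the active interpreter really is 1.9.2, that OpenSSL loads under it, and that root (rvmsudo) is used only when the listener port actually needs it. The function names, the sample “ruby -v” strings and the default port are my own constructions, and the script sticks to Ruby 1.9-compatible syntax so it runs under the interpreter you just built.

```ruby
# Added example, not the gist's code: preflight checks before
# "rvmsudo ruby ./msfconsole".  Function names and sample banners are
# constructed for illustration.

WANTED_RUBY = "1.9.2"

# Pull the version out of a `ruby -v` banner, e.g.
#   "ruby 1.9.2p320 (2012-04-20 revision 35421) [x86_64-linux]" -> "1.9.2"
#   "ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]"     -> "1.8.7"
# Returns nil when the string is not a ruby banner at all.
def version_from_banner(banner)
  m = banner.match(/\Aruby (\d+\.\d+\.\d+)/)
  m && m[1]
end

def ruby_version_ok?(banner, wanted = WANTED_RUBY)
  version_from_banner(banner) == wanted
end

# The post builds Ruby against RVM's OpenSSL; confirm the extension loads.
def openssl_available?
  require 'openssl'
  true
rescue LoadError
  false
end

# Ports 1-1023 need root on Linux (hence rvmsudo in the post); anything
# above that does not, so msfconsole should then run as an ordinary user.
def privileged_port?(port)
  port.to_i.between?(1, 1023)
end

# Returns the list of problems found; an empty list means go ahead.
# banner: `ruby -v` output, euid: effective uid, listen_port: intended port.
def preflight(banner, euid, listen_port)
  problems = []
  unless ruby_version_ok?(banner)
    problems << "want ruby #{WANTED_RUBY}, have #{version_from_banner(banner).inspect}"
  end
  problems << "openssl extension does not load" unless openssl_available?
  if privileged_port?(listen_port) && euid != 0
    problems << "port #{listen_port} needs root; start with rvmsudo"
  elsif !privileged_port?(listen_port) && euid == 0
    problems << "port #{listen_port} does not need root; drop rvmsudo"
  end
  problems
end

# Usage: ruby preflight.rb check [port]   (port defaults to 4444, constructed)
if __FILE__ == $0 && ARGV.first == "check"
  port   = (ARGV[1] || 4444).to_i
  banner = "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL} (#{RUBY_RELEASE_DATE}) [#{RUBY_PLATFORM}]"
  problems = preflight(banner, Process.euid, port)
  if problems.empty?
    puts "preflight ok: #{banner}, euid #{Process.euid}, port #{port}"
  else
    problems.each { |p| warn "preflight: #{p}" }
    exit 1
  end
end
```

Run it the same way you intend to run msfconsole (“rvmsudo ruby preflight.rb check 80” for a low port, plain “ruby preflight.rb check” otherwise) and it will tell you if the interpreter, OpenSSL or the root/port combination is off before you get as far as the console.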


One of the biggest issues I had with BeEF when I started contributing to the project was the administrative interface. Primarily this was due to being absolutely spoilt by Metasploit’s “msfconsole” interface: it just felt so natural to run everything from the command line, and it made it trivial to work with MSF whether ssh’d into EC2 instances or just locally, with the “show” command making it so easy to iterate through a fairly complex hierarchy of information.

So I took some time out to try and figure out how we could implement another UI for BeEF, and naturally I started to look into how MSF did it, and then I came across their fantastic Rex Library, now packaged as a gem for easy distribution and installation over here: https://github.com/hammackj/rex. (Cheers @hammackj). Now, at this point the console interface for BeEF is still non-trunk material, and it’s more of a remote-control interface, i.e. talking via the admin JSON interface that exists within the “Admin” BeEF extension.

It was through this process that I really came to appreciate the awesome work the Metasploit team had done in the construction of Rex. I mean, immediately, just by performing a quick “# gem install librex” and then including a “require ‘rex’” in your code, you have access to an incredibly powerful console based interface with tab completion, multiple level stacks (think beef > zombie > command), a job management system, and this is just the stuff the BeEF console’s using. Let’s not forget logging, encoding, sockets and much much more.

If you’re building any security tools in ruby, nay, any tool in ruby that requires this sort of interface (and let’s not forget how extensive msf is, so sure you can use Rex to drive a web-ui, console, cli, whatever) I think you’d have a hard time trying to find anything as effective and full-featured as Rex. In addition you’ll find that new features come out quite consistently too, like their JS obfuscator.

By separating the remote control library from the Rex console driver UI, I was then also able to drop the exact same remote control library into the recently announced MSF BeEF Plugin (early version available here).
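To make the “multiple level stacks” idea concrete, here is an added example that is not code from BeEF, Metasploit or the Rex gem: a from-scratch sketch in plain Ruby of a shell that keeps a stack of command dispatchers (beef > zombie > command). The prompt, the command table and the tab-completion candidates all come from whatever dispatcher is on top of the stack, which is the property that makes this style of console pleasant to drive over ssh. The Dispatcher and ConsoleShell classes, the hooked-browser list and the module names are all constructed for illustration; the real Rex classes are richer and differently named.

```ruby
# Added example (not Rex, BeEF or MSF code): a minimal stacked-dispatcher
# console.  Sample zombies and module names below are constructed.

class Dispatcher
  attr_reader :name, :table

  # name:  label shown in the prompt for this level
  # table: { "command" => proc { |shell, args| ... } }
  def initialize(name, table)
    @name  = name
    @table = table
  end

  def commands
    @table.keys.sort
  end
end

class ConsoleShell
  GLOBAL = %w[back exit help].freeze   # understood at every level
  attr_reader :log

  def initialize(root)
    @stack  = [root]   # bottom = root dispatcher, top = current context
    @log    = []       # lines the console would print, kept for inspection
  end

  # Prompt is rebuilt from the whole stack: "beef > zombie(1) > "
  def prompt
    @stack.map(&:name).join(" > ") + " > "
  end

  def enstack(dispatcher)
    @stack.push(dispatcher)
  end

  def destack
    @stack.pop if @stack.size > 1   # never pop the root
  end

  # Tab completion only offers what the current level (plus globals) accepts
  def complete(prefix)
    (@stack.last.commands + GLOBAL).select { |c| c.start_with?(prefix) }.sort
  end

  # Dispatch one input line; returns :ok, :unknown or :exit
  def run_line(line)
    cmd, *args = line.strip.split
    return :ok if cmd.nil?
    case cmd
    when "exit" then return :exit
    when "back" then destack; return :ok
    when "help" then @log << "Commands: #{complete('').join(', ')}"; return :ok
    end
    handler = @stack.last.table[cmd]
    if handler
      handler.call(self, args)
      :ok
    else
      @log << "Unknown command: #{cmd}"
      :unknown
    end
  end
end

# Constructed stand-in for BeEF's hooked-browser ("zombie") list
ZOMBIES = {
  "1" => { :ip => "10.0.0.5",  :browser => "Firefox" },
  "2" => { :ip => "10.0.0.12", :browser => "Chrome" },
}
MODULES = %w[get_cookie fingerprint_browser]

# Second level of the stack: commands that only make sense for one zombie
def zombie_dispatcher(id)
  Dispatcher.new("zombie(#{id})", {
    "commands" => proc { |sh, _| sh.log << "Modules: #{MODULES.join(', ')}" },
    "run"      => proc { |sh, args|
      mod = args.first
      if MODULES.include?(mod)
        sh.log << "Queued #{mod} for zombie #{id}"
      else
        sh.log << "No such module: #{mod.inspect}"
      end
    },
  })
end

# Root level: list zombies, or "use <id>" to push a zombie context
ROOT = Dispatcher.new("beef", {
  "zombies" => proc { |sh, _|
    ZOMBIES.each { |id, z| sh.log << "#{id}: #{z[:ip]} (#{z[:browser]})" }
  },
  "use"     => proc { |sh, args|
    id = args.first
    ZOMBIES.key?(id) ? sh.enstack(zombie_dispatcher(id)) : sh.log << "No such zombie: #{id.inspect}"
  },
})

# Drive the shell with a scripted session instead of a tty; returns the shell
def demo_session(lines)
  sh = ConsoleShell.new(ROOT)
  lines.each { |l| break if sh.run_line(l) == :exit }
  sh
end

if __FILE__ == $0
  puts demo_session(["zombies", "use 1", "run get_cookie", "back", "exit"]).log
end
```

The point to take from it is that nothing in the zombie level knows about the root level: pushing and popping dispatchers is what changes the prompt, the accepted commands and the completions, so adding a third level (per-command options, say) is just another Dispatcher.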

You can see the console in action here (the current version in the trunk has been updated though, so it’s a lot neater than this):

And the MSF BeEF Plugin here:

