Michael Boman

New virtual environment solution

2012-02-13T16:33:00.001+01:00

I’ve been running Proxmox Virtual Environment (Proxmox VE or PVE) for the last week now, moving away from my own deployed Ubuntu/Convirture/GlusterFS solution. Reason for doing this is mainly to spend less time managing the virtual environment, but also because I had some issues with the setup in general.

For the last week Proxmox (version 1.9) has worked without problems for me. I am not fully converted to the new system, and have plenty of machines to migrate from the old installation to the new system, but I am getting there (I have for an example 10+ anti-malware scanners to migrate).

In the move to my new home office under the staircase I also lost two of my server nodes, as in I have no space to put them. They will live out the remaining operational live as desktop computers to the kids while I save up some dough for new, smaller and better cluster nodes. Hopefully the price of hard drives will have dropped by then as well.

So right now I only have “sniper” in the lab, which is plenty enough for now. I have upgraded the network to the Netgear switch I wrote about a few weeks back, and it works great. I am currently designing how the lab network should be configured now when I am not depending on the Linksys WRT54G boxes. I will keep having them in the network, but they will just not have a central part of it. To try out wireless attacks and defenses I need them, and they will continue to be un-encrypted/WEP/WPA2-PSK encrypted. I am thinking about playing around with RADIUS and 801.1x authenticated wireless as well, but at the moment I don’t have that much time to spend so I am currently picking my fights very carefully.

Enough talking, here’s some pictures:

Listing of machines running on my Proxmox server

Available templates (see here how to get Turnkey templates into your Proxmox installation):

System information:

I will continue with documenting my adventures with Proxmox VE as I go along.

Sans och vett på Internet

2012-02-07T07:40:00.001+01:00

I recently did a presentation for some high school students (freshmen) here in Sweden about their digital identity and what they should think about when they are online. I’ve embedded the presentation slides below.

Sans och vett på Internet

View more presentations from Michael Boman

There were 58 students attending and during the presentation I asked some questions and here is how they answered:

20 of the students have used their neighbors WiFi network
25 students have got malware on their system in the past, but only 12 of the students has a antivirus installed.
2 students has multiple Facebook accounts
Almost all has been Faceraped (there were 2 students that didn’t have a Facebook account)
Almost all have performed Facerape (again, 2 students didn’t have a Facebook account)
1 student got their Facebook identity cloned or stolen
20 students has a webcam connected to their computer
Only 5 of them has the webcam disabled when not in use (by unplugging it or covering the lens with a post-it note)
2 of the students has a single password for everything
25 of the students has up to 5 different passwords
5 of the students has more then 5 passwords
13 of the students has a specific password for email

New hardware ordered to the lab

2012-01-26T20:33:00.000+01:00

My mix of 5-port no-brand gigabit-switch and a handful of Linksys WRT54G doesn’t turn out to be a very stable choice for network connectivity, so I just put in a order for a Netgear GS716T-200EUS, a 16-port gigabit switch with VLAN capability. It will arrive in a few days, which should be just in time for my server move.

I figured 16 ports should be enough. The devices that I am planning to connect to the switch now and in the future is:

Equipment	Number of NICs each	How many	Total
Sniper	4	1	4
WRT54G	1	4	4
Slimline (desktop)	1	1	1
Internet	1	1	1
New cluster nodes	1	4 (max)	4 (max)
Network Attach Storage	1-2	1	1-2
		Total:	15-16

I have some other equipment like networked printers and print-servers which I will put on the ISP-supplied router (that also has a 4-port switch).

New home office (work in progress)

2012-01-17T07:46:00.001+01:00

We are expecting an additional family member late May/early June and I have to give up my old home office and move to the space under the stairs instead. No matter how much I love technology, flesh and bones has priority when it comes to living arrangement.

It will however not be all bad. Sure, the amount of space is significantly smaller, but used correctly it won’t effect me too much. Here is some pictures for the interested.

The new office is the result from a trip to Ikea. Following items was bought:

Desk

1 x Trofast frame, pine (000.636.72)
1 x Trofast frame, pine (800.636.72)
2 x Trofast shelf, pine (700.635.84)
1 x Vika Furuskog table top, pine (401.365.58)
1 x Trofast large storage box, white (200.892.42)
3 x Trofast medium storage box, white (956.851.00)
3 x Trofast small storage box, white (800.892.39)

Chair

1 x Franklin bar stool (201.992.07)
1 x Ritva cushion (200.696.92)

Bookshelf (no picture yet)

1 x Billy bookshelf, white (400.857.14)

Still have some way to go before it is completed. Will let you know the progress . Many thanks to IKEA Hackers for a inspiring website!

Vulnerability scanning with Nessus from within Metasploit

2011-12-08T12:56:00.001+01:00

Metasploit is a very cool tool to use in your penetration testing, if you didn’t already knew that. There is a few things you should add to it for a really good time: Armitage and XSS Framework.

Armitage makes Metasploit a multi-player exploitation tool with a graphical user interface, and XSS Framework makes XSS-attacks with Metasploit easier to perform. You can also use BeEF to exploit XSS-vulnerabilities.

But before I go and talk about all those tools I thought I should start off with how you can perform and import vulnerability scans from within Metasploit itself. It has been known for a while that you can use “db_import” to import data from various security tools:

msf> db_import
Usage: db_import <filename> [file2...]

Filenames can be globs like *.xml, or **/*.xml which will search recursively
Currently supported file types include:
    Acunetix XML
    Amap Log
    Amap Log -m
    Appscan XML
    Burp Session XML
    Foundstone XML
    IP360 ASPL
    IP360 XML v3
    Microsoft Baseline Security Analyzer
    Nessus NBE
    Nessus XML (v1 and v2)
    NetSparker XML
    NeXpose Simple XML
    NeXpose XML Report
    Nmap XML
    OpenVAS Report
    Qualys Asset XML
    Qualys Scan XML
    Retina XML

But that means that you need to first run the scan and then import it to Metasploit. A much cooler feature is to run the vulnerability scan directly from your Metasploit console.

Nessus from msfconsole / Armitage

To run a Nessus vulnerability scan from the Metasploit console you first need to have a Nessus installation somewhere. I’ll wait while you install it, and don’t forget to register your installation so you can download the latest plugins for it.

In Metasploit you start with loading the nessus plugin:

msf> load nessus

and then connect to the Nessus installation

msf> nessus_connect -h
[*] You must do this before any other commands.
[*] Usage:
[*]        nessus_connect username:password@hostname:port <ssl ok>
[*] Example:> nessus_connect msf:msf@192.168.1.10:8834 ok
[*]         OR
[*]        nessus_connect username@hostname:port <ssl ok>
[*] Example:> nessus_connect msf@192.168.1.10:8834 ok
[*]         OR
[*]        nessus_connect hostname:port <ssl ok>
[*] Example:> nessus_connect 192.168.1.10:8834 ok
[*]           OR
[*]        nessus_connect
[*] Example:> nessus_connect
[*] This only works after you have saved creds with nessus_save
[*]
[*] username and password are the ones you use to login to the nessus web front end
[*] hostname can be an ip address or a dns name of the web front end.
[*] port is the standard that the nessus web front end runs on : 8834. This is NOT 1241.
[*] The "ok" on the end is important. It is a way of letting you
[*] know that nessus used a self signed cert and the risk that presents.

msf> nessus_connect user:password@localhost:8834 ok

If you save the credentials using

msf> nessus_save

You only need to issue

msf> nessus_connect

to automatically connect to your Nessus instance. Be warned, your Nessus credentials are stored in the clear in ~/.msf4/nessus.yaml - but it saves on typing…

After you have connected to the Nessus scan it is time to scan the target. First we need to select a policy:

msf> nessus_policy_list
[+] Nessus Policy List
[+]

[+] ID Name                        Comments
-- ----                        --------
-1 Web App Tests
-2 Internal Network Scan
-3 Prepare for PCI DSS audits
-4 External Network Scan

Then we need to start the scan:

msf> nessus_scan_new -h
[*] Usage:
[*] nessus_scan_new <policy id> <scan name> <targets>
[*] Example:> nessus_scan_new 1 "My Scan" 192.168.1.250
[*]
[*] Creates a scan based on a policy id and targets.
[*] use nessus_policy_list to list all available policies

msf> nessus_scan_new -4 “Metasploit Scan” 192.168.1.0/24

Once the scan is completed it is time to import the result into Metasploit

msf> nessus_report_list

msf> nessus_report_get -h
[*] Usage:
[*] nessus_report_get <report id>
[*] Example:> nessus_report_get f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca
[*]
[*] This command pulls the provided report from the nessus server in the nessusv2 format
[*] and parses it the same way db_import_nessus does. After it is parsed it will be
[*] available to commands such as db_hosts, db_vulns, db_services and db_autopwn.
[*] Use: nessus_report_list to obtain a list of report id's

msf> nessus_report_get f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca

After which it is time to check what we now know about our target network using the “hosts”, “services” and “vulns” commands.

References

Metasploit Unleashed: Working With Nessus

Metasploit Unleashed: Nessus Via Msfconsole

Merging multiple Nessus reports

2011-10-17T09:41:00.001+02:00

I have recently had the need to merge multiple Nessus reports into single reports and here is the code I used to do it. Take care and if it breaks for you you get to keep both pieces . Please note that you need to change the report name to the same value, like this:

sed -i -e s/\<Report\ name=\".*\"\>/\<Report\ name=\"Combined\ report\ name\"\>/g reports/*.xml

mergeReports.pl

#!/usr/bin/env perl

use strict;
use warnings;

use XML::Merge;

if ( $#ARGV < 0 ) {
    print "Merging into " . $ARGV[0] . "\n";
    my $merge_obj = XML::Merge->new( 'filename' => $ARGV[0] );
    foreach my $filename (@ARGV) {
        if ( $filename ne $ARGV[0] ) {
            print "Merging " . $filename . "...";
            $merge_obj->merge( 'filename' => $filename );
            print " Done!\n";
        }
    }

    print "Tiding up.... " . $ARGV[0];
    $merge_obj->tidy();
    print "Done!\n";
} else {
    print "Usage: mergeReports.pl Output.xml inputfiles.xml\n";
}

Cloning Facebook accounts with FBPwn

2011-10-06T23:19:00.001+02:00

When you do penetration testing it is useful to become “friends” with the employees of the target organization to gather information and perhaps slip a spiked link or two to the employee in hopes that the user clicks and executes its content. However, it is quite tedious to manually clone a Facebook profile (a lot of copy and paste, downloading and re-uploading of images etc.) and become one of the target organization employees. Luckily there is now a tool available to automate the task.

FBPwn (Facebook Pwn (slang for owning [taking control over] a resource)) is a application written in Java that downloads a target profile and, if one so chooses, clones the acquired information into a new Facebook profile.

First you need to create a Facebook profile which will be used to access the data and, if chosen, updates the profile information with the targets including pictures. You can also make FBPwn to send friend requests to the cloned profile’s Facebook friends, and more often then not the friends will accept the friend requests because it is from someone they “know” (has the same name and picture of someone they know). The tool has, even at this early stage of development, quite a few tricks up its sleeve and I will go through each of them here.

Getting FBPwn

You can download FBPwn from the Google code project site. As it is written in Java is will run practically everywhere Java can run. Here I will go through version beta-0.1.6, which is the latest release at this moment.

First off we download it:

Then we unpack and execute the “run.sh” script (OSX, Linux) or “run.bat” (Windows). You will be greeted with the following screen:

Using FBPwn

First you need to configure one or more Facebook profiles to be used to access the profile you want to attack. The Facebook profile needs to be created separately from this tool and the profile language needs to be set to English for FBPwn to work at this stage.

Select one of the accounts you want to use for the next step and click on the “Attack !” button.

Friend URL: The URL of the Facebook profile you want to target. For an example: http://www.facebook.com/profile.php?id=100001638343979

At the moment FBPwn has following attack methods (plugins):

Add Victims Friends
Add the target profile’s friends to the configured profile.
Check Friend Request Task
Ask to become friend with the targeted profile.
Dump Friends Task
Download the target profile’s list of Facebook friends.
Dump Images Task
Download the images from the target profile.
Dump Info Task
Download the target profile’s information.
Dump Thumbnail Images Task
Download the target profile’s thumbnail images.
Dump Wall Task
Download the target profile’s wall postings.
Profile Cloner Task
Clone the target profile into the configured account.

Once you have selected the modules you want to use click on the “Lunch Attack” button.

The “Monitor Submitted Tasks” tab will show the progress of the selected tasks.

Do note that Facebook’s Terms of Use actually forbids many of the things FBPwn is performing. For an example, under section 4 (Registration and Account Security) section 1 and section 2. You have been warned.

Implementing VT Uploader in OSX

2011-09-08T07:57:00.000+02:00

VirusTotal.com, possible the best malware analysis service on the web, has a application for Windows called “VT Uploader” which sends selected file to VirusTotal.com for analysis. Unfortunately they don’t have a similar program for OSX… Well, here is how I implemented the same functionality using Automator in OSX .

First off you need an API key for VirusTotal.com, which you get by register yourself on the website (found in your Inbox -> Public API).

Second you need the Python script from Bryce Boe that uploads a file to VirusTotal.com. Make sure that you put your API key into the code (API_KEY variable) and run it from the command line to make sure that you have all the Python dependencies:

$ /usr/bin/python virustotal_report.py eicar.com

You can download the simplejson dependency by using the easy_install utility like this:

$ sudo easy_install simplejson

When you have the prerequisites you start a new “Service” project in Automator. Create a new “Run Shell Script” action and choose the shell “/usr/bin/python”. Paste the code from Bryce Boe’s site in the “Run Shell Script” editor.

Select “Pass input: as arguments” on the top right of the action window.

Finally you select “Service receives selected files or folders in Finder”.

Save the project at “Send to Virustotal”, and you have a nice menu item for it in Finder:

Until next time .

OSX Automator script for pasting to Pastebin.com

2011-09-07T12:40:00.000+02:00

I found this cool Automator script for OSX that allows you to paste text from your selection to Pastebin.com.

The steps provided in the original article was a bit difficult to follow at first so here is a visual walkthrough how to do it:

Start the Automator application

Create a new “Service” application

Drag a “Run AppleScript” action to the workflow workspace

Paste in the code from https://gist.github.com/761482 into the “Run AppleScript” code window

Then I created a “Copy to Clipboard” action

Then I made sure that the actions are “Service receives selected text in any application” and “Input is entire selection” with “Output replaces selected text” unchecked.

Finally I saved the file as “Pastebin.bin.workflow”.

when you select some text and right-click you get a nice option of sending the selected text to Pastebin.com:

Many thanks to Marc Abramowitz for his very nice blog entry. I haven’t been looking at Automator before but now I think I will automate a lot of tasks in OSX .

Introduction to the ConVirt console

2011-09-03T11:46:00.000+02:00

When you go to the ConVirt console you are greeted by a login screen:

The default username and password is admin/admin.

As you can see I have several machines already running. Let’s try out this system migration I talked about in an earlier blog post.

First you select the machine you want to move:

and then you right-click on it

and select “Migrate Virtual Machine”. Select where you want it migrated to:

In this example I will migrate it to “hunter”. Confirm that you want to migrate the virtual machine:

After confirming that you want to move the virtual machine to the other server you just need to sit back and in a few seconds the machine will pop up on “hunter” with almost no down-time at all.

That’s all for this time, join me next time when I discuss more part of my home lab.

Automatically add clan-members on Zynga’s Vampires iPhone game

2011-09-02T13:19:00.000+02:00

This is a quick hack I’ve done on Zynga’s “Vampires” game on the iPhone. One of the parameters of becoming powerful in the game is to have a large clan (friends) in the game. As there is no downside with being clan-member with people outside your normal social sphere (like the loss of privacy) people have published their player IDs on the net in the hope that people will add them.

The thing is that adding members to your clan is a tedious effort, where you can add a member perhaps every 30 seconds if you are really fast. Still, adding hundreds of members is something that I rather not do manually. Luckily for me I didn’t need to.

First off I sniffed the traffic between the iPhone and Zynga’s servers while playing the game and especially took note how the “add player to clan” message looked like. It looked something like this:

{"purchase_level":0,"accept_codes":["PLAYER_TO_ADD"],"zid":"8:14103891","client_version":"1.72","gids":[46],"data":{},"ipid":"IPHONE_ID","gid":46}

The nice thing is that it is not protected against replay attacks, so I can post the same message over and over again with a list of clan members to add.

So lets get the second piece of the puzzle and grab some player IDs. I grabbed almost 1200 player IDs from http://mycodelive.com/vampires#ids and put them in a text-file called “vampires.txt”. I then wrote a little bash-script around curl that looks like this:

#!/bin/bash
for VAMP_ID in `cat vampires.txt`
do
        POST_DATA1='{"purchase_level":0,"accept_codes":["'
        POST_DATA2='"],"zid":"8:14103891","client_version":"1.72","gids":[46],"data":{},"ipid":"IPHONE_ID","gid":46}'
        POST_DATA=${POST_DATA1}${VAMP_ID}${POST_DATA2}


 
        curl \
            --user-agent "Vampires/1.72 CFNetwork/485.13.9 Darwin/11.0.0" \
            --data-binary ${POST_DATA} \
            http://net.iphone.zynga.com/net/group/accept.php?zsig=A79D802A730CE31B1AC5853615AD87A0
done

You need to replace IPHONE_ID with your iPhone ID (you can grab it by sniffing the traffic just like how I did it).

I hope that you will use this successfully and get as large clan as I have now .

PS:

Just to be clear: The player IDs from http://mycodelive.com/vampires#ids are from people who wants to be added to your clan so in their turn get a larger clan for the game (if I add you to my clan I automatically becomes added to your clan as well). The “hack” in this is that I automated the process of adding people to my clan. I am lazy, but in a good way.

“Cheating” on Zynga’s Vampires game

2011-09-02T12:15:00.000+02:00

I recently blogged on how I “cheated” (a.k.a. automated) on adding members to my clan in Zynga’s Vampire game on the iPhone over at Omegapoint Security Lab blog. Check it out!

Changing VirtualBox to KVM/ConVirt

2011-08-31T22:45:00.000+02:00

As I have mentioned earlier VirtualBox and PHPVirtualBox didn’t work out for me and I have since moved on to KVM (QEMU) and ConVirt - which so far works out pretty well.

Uninstalling VirtualBox

First one needs to uninstall VirtualBox as it is no longer needed

$ sudo apt-get remove virtualbox-4.1
$ sudo apt-get autoremove

Installing KVM

KVM is very easy to install, even if you didn’t select the virtualization profile when you installed Ubuntu Server. The “magic” command to install KVM is:

$ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils

Installing ConVirt

First you need to enable the partner repositories on your Ubuntu installation. Edit /etc/apt/sources.list and uncomment the following lines:

deb http://archive.canonical.com/ubuntu lucid partner
deb-src http://archive.canonical.com/ubuntu lucid partner

Then run the following commands to install ConVirt version 2

$ sudo apt-get update
$ sudo apt-get install convirt2 convirture-tools
$ sudo apt-get install ssh kvm socat dnsmasq uml-utilities lvm2 expect

Install required dependencies for convirt-tool:

$ sudo convirt-tool install_dependencies

To have a virtual machine connect to a network, bridge setup is required. With virtualization platform installation, depending on the version, you would have either virbr0 or eth0 or br0 setup. You can verify this using the brctl show command. If you do not have any bridge, convirt-tool can set up bridges for each network interface.

$ sudo convirt-tool setup

Once this is done you can start the ConVirt console:

$ sudo /etc/init.d/convirt2 start

The web interface can be reached at http://localhost:8081/ or the IP / hostname of your choice.

Setting up distributed file system for the virtual system images

ConVirt stores the virtual system images in /var/cache/convirt and the images needs to exists on all servers for system migration to work. See a separate blog post why this is a very cool thing.

Anyway, I already have GlusterFS installed and created a new share very much like the /home share I already have but this time share /export/convirt and mount it on /var/cache/convirt. Once that is done all my 3 systems share the same data and can perform system migration, both live and offline.

Converting VirtualBox and VMWare virtual machines to KVM/QEMU

If you haven’t noticed VMWare has become the de-facto standard when it comes to virtual machines (of all the virtual systems I have imported only ZeroWine seems to be shipping as a QEMU image). It can be useful to convert the .vmdk file to a .raw (or any other format that KVM/ConVirt supports). This I do using the qemu-img utility:

$ qemu-img convert virtualmachine.vmdk -O raw virtualmachine.raw

Then I create a new virtual machine using ConVirt and replace the created virtual hard disk with the converted one, something in the style of:

$ sudo cp $HOME/virtualmachine.raw /var/cache/convirt/vm_disks/virtualmachine.disk.xm

There is a conversion utility that supposed to solve this, but I didn’t get it to work. Maybe another time…

Welcome to the Hacklab

2011-08-29T19:23:00.000+02:00

I promised a while ago that I would show you guys how my lab environment at home looks like, and here it is:

Sniper:

model name : Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz
cpu MHz        : 2000.000
cpu cores    : 4
MemTotal:       16467156 kB

Hunter:

model name : Dual-Core AMD Opteron(tm) Processor 1214
cpu MHz        : 1000.000
cpu cores    : 2
MemTotal:        4057096 kB

Scout:

model name : Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz
cpu MHz        : 1596.000
cpu cores    : 2
MemTotal:        2056892 kB

Sniper has 4 NICs (Network Interface Cards), 3 of them currently in use: one to the LAN and 2 to some wireless access points I had laying around. One of the access points uses WPA2 encryption while the other is unencrypted. Connecting to the unencrypted is ill-advised as you are then targeted with SSLStrip, Metasploit, BeEF and other goodies. Don’t steal peoples internet without permission (the access point identifies itself as “Virus distribution network”). I plan to add a splash-screen when people tries to surf for the first time. The other AP (Access Point) is to provide network connectivity to my wireless devices.

I have removed VirtualBox as the virtualization environment as it didn’t work out for me, and phpvirtualbox kept loosing connectivity with the VirtualBox instances. I tried to run VMWare Server 2.0.2 but it didn’t want to build on my Ubuntu servers - which is actually a good thing as I discovered KVM and ConVirt (see separate blog post on how to get them installed).

I will blog about each aspect of the Hacklab the next few weeks, including creating (or converting) virtual machines for

target practice (on-purpose vulnerable systems for penetration testing testing)
malware collection
malware analysis
TOR network participant

among other things. Stay tuned!

What I learned from participating in “Crack me if you can” @ Defcon 19

2011-08-22T07:15:00.000+02:00

I (tried) to participate in Defcon 19’s “Crack me if you can” contest with the “John Users” group, but I did not manage to contribute much to the team (more then CPU-cycles on my quad-core server). I have analyzed why I couldn’t contribute more and it came down to “time” and “internet access”.

Time: I went to Defcon to watch the presentations, not to crack hashes (although it is fun to crack hashes). I over-estimated how much time I could spend on cracking hashes while attending the talks.

Internet access: Free internet access was available at the conference area, if it wasn’t attacked by someone. Internet access at the hotel room was about $25/day, a bit more then I was willing to spend. Next year I’ll buy a MiFi from Best Buy and a month pre-paid subscription (@ USD$ 50) for my internet needs.

If I solve the internet access problem I can make more use of the time between the presentations, social activities and sleep at Defcon, which should add up to at lease a few hours every day. As most of the time the computer chugs along cracking hashes anyway it should be enough to take a 30-60 minute look at it a few times a day.

I hope that Defcon 20 will also have a “Crack me if you can” contest.

Defcon 19 Conference Material

2011-08-21T22:18:00.001+02:00

You can download the slide pack from http://dl.dropbox.com/u/10217290/Defcon19.zip. The DVDs with the material had ran out of stock when I got my badge (did get a real titanium badge though).

Note to Defcon staff: please make sure that all pre-registered, pre-paid (via Black Hat USA conference) attendees gets a complete conference stack. You don’t need to know who we are to get the number of sign-ups from Black hat crew.

Thanks!

Trojan t-shirts

2011-08-10T22:01:00.001+02:00

According to BBC right-wing extremists that attended “Rock für Deutschland” was given free t-shirts with the following print (“Hardcore Rebels”):

However, when they was washed the hidden message was reviled:

The new message reads: "What happened to your shirt can happen to you. We can help you break with right-wing extremism".

The prank (I’d call it a cool hack) was done by the group Exit, who is trying to help people who has not been totally brain-washed to change their ways and turn their back on neo-Nazism for a more balanced world view.

Really cool hack, I wonder if it could be used for some sort of prank at next years Defcon?

XKCD on Password Strength

2011-08-10T16:24:00.001+02:00

The final statement says it all: Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

I am going to print this and put it at the geek corner in the office. XKCD should make a t-shirt of this one…

Swag from Black Hat USA 2011 and Defcon 19

2011-08-10T00:02:00.001+02:00

This post is triggered by @fyrtiosju’s tweet: @mboman maximizes his baggage allowance with all #DefCon swagger on our way back home to Sweden. See you at DC20! twitpic.com/633b27

Here are the t-shirts I managed to get my hands on:

PaulDotCom (Thanks for the t-shirt Paul!). The back says “Hack Naked”, which my colleges found very cool and somewhat disturbing.

HBGary is taking a piss at APT. I like the attitude.

Splunk

Metasploit / Rapid7. Doesn’t look as cool as a Metasploit-inspired t-shirt should. Corporate marketing must have been involved a bit too much.

DefCon 19 has some pretty nice graffiti-inspired print on the back.

…

This one must be my favorite one; not because of the vendor (eEye), but because it has quite a kick-ass lolzsec-inspired message on the back:

Core Security Technologies has a cool cobra on the back. Really cool, just like last years t-shirt was.

…

Just thought I would share what swag I brought home with me.

DefCon 19: Notes from Saturday

2011-08-07T21:25:00.001+02:00

On day two of DefCon 19 I attended “Battery Firmware Hacking” by Charlie Miller, which was a very good presentation and hack. Charlie discovered how to update the Apple MacBook battery to make it lie about when the battery was manufactured, charge status and how many charge cycles it has done etc. This can be used to make the battery to be within the warranty even if it isn’t. It can also be used to cause a catastrophic failure on the battery and potentially destroy the computer the battery is connected to. Dangerous stuff. I am predicting that easy-to-use tools that change values related to warranty period will soon be made available.

I then attended the “Hacking Google Chrome OS” talk on how Chrome extensions can be used as an attack vector, possible with persistence. Scary stuff.

Hackajar went through the economics of password cracking in the GPU area. What you can take away from the talk is that if you don’t value your password (and what it’s protecting) to more then USD$2000 you can continue to use 8 character passwords; for everyone else make sure your password is longer then 8 characters.

Jason Ostrom talked about how to hack VOIP networks and released a tool for that. I’ll put that on my “to investigate” list.

Finally Nicole Ozer talked about how far from reality Hollywood is in their movies. Unfortunately it is not that far off, and governments in the western world (both US and EU) is making laws to make the technology legal.

There was a rumor that LulzSec had a party in the middle of no-where. Acrylic badges was handed out to some people with instructions to dial a certain number after 11pm for the location that was later mapped to an address quite a bit from the Rio hotel. Although we managed to get some badges we decided it was not worth going, and we were discouraged to go by some anonymous feds (anonymous in the way that they don’t want me to disclosed their names).

Conference CD from Black Hat USA uploaded

2011-08-07T00:54:00.001+02:00

I have uploaded the contents from the Black Hat USA 2011 CD to http://dl.dropbox.com/u/10217290/BH-US-2011.zip. If you missed the conference then at least you can get (some) of the presentation material now.

DefCon 19: Notes from the day

2011-08-05T17:24:00.000+02:00

Today we (some of my colleges and myself) changed hotel from Caesars Palace to Rio and DefCon 19. Started the day by listening to Mikko Hypponen (of F-Secure fame) about the history of malware (very educational and entertaining), followed by Moxie Marlinspikes talk about trust in SSL and his new tool Convergence (which was released today). Moxie had some cool ideas on how to fix the CA authority problem with SSL, and I will install his tool when I get back home.

I also attended panel discussions on hacker spaces and vulnerability databases, both of them pretty good.

I am also participating in this years “Crack me if you can” competition on the “John Users” team. I will (hopefully have time to) do a write-up on it at a later date.

Black Hat USA 2011: Zero Day Malware Cleaning with the Sysinternals Tools

2011-08-04T21:45:00.001+02:00

Mark Russinovich starts of by mentioning how popular Sysinternals tools are with the anti-malware crowd and that some malware detects if the Sysinternals tools are running on the system and try to terminate them.

The workshop begins with walking through the features of Process Explorer followed by Process Monitor. I have been using the tools before, but there was a lot of things I haven’t tried out before that turns out to be pretty useful.

Mark also had plenty of war stories on how Sysinternal tools has been used to locate and remove malware, including one on Stuxnet. Very entertaining and I learned a few new techniques I will apply from now on.

The PowerPoint slides was not included on the conference CD so I have not been able to upload them. I hope that they will be available soon.

Black Hat USA 2011: Final thoughts

2011-08-04T15:38:00.000+02:00

Black Hat USA 2011 is over for this year. I went to many good presentations but didn’t have time to blog about each of them, however the “Chip and Pin is Dead” was a particular interesting one that I want to look closer in to at a later date.

Black Hat has (again) inspired me to take a closer look at many different things, so I need to put them in some sort of list and get started.

Last night we went out to party: first we went to the Netwitness party at the Jet night club and then we moved to Qualys’ party at The Bank. Qualys party was the better one of them, but it didn’t match up to their party last year. Qualys: please bring back the live band for next year.

I will continue to blog from DefCon 19. Ta ta for now…

Black Hat USA 2011 - The Art of Exploiting Lesser Known Injection Flaws

2011-08-04T00:04:00.001+02:00

This workshop was an interactive experience where we, the participants, got to hack some servers. The target machine for the first challenge was running LAMP (Linux, Apache, MySQL and PHP), which is not my everyday target environment and I didn’t realize why I couldn’t crack the first challenge in time.

The workshop was haunted by technical problems, the software used was Windows only without any mentions in the material that a Windows machine is required for participate on some of the labs. I also got the feeling that the presenters was poorly prepared, and combined with the technical problems I lost interest and left after the first break.