My Defcon20 talk – “Drinking from the caffeine firehose we know as shodan” is now live on youtube!
Defcon 20 Talk!
August 21st, 2012BsidesLA Slides/Code
August 20th, 2012So I whipped a talk recently to give at BSidesLA about how to stack tools voltron-style together and get some pretty gnarly successes. Here are some light talking points to give you an idea of what the subject matter was, but I should let the slides do most of the talking for me (though they may be slightly vague without the video, which isn’t up at the time of this writing.)
- Use shodan to find things online (ec2, one-off sites, etc) not brought to the attention of IT or InfoSec before going live
- Enumerate attack surface without actually performing active scans (many shops forbid infosec guys to scan their own environment. Crazy, right? I know!)
- Use shodan for red teaming (enumerating attack surface quietly, finding “hidden stuff”, all without actually actively scanning)
- Bolt on the python api, pipe out results, do crazy things
- Screenshot 50,000 webpages using a threaded script
- Check for HTTP 200 OK return codes for direct object access vulns
- Pipe output of Shodan directly into metasploit via an RC script
- Leverage metasploits powerful auxiliary scanner tools to do enumeration
- Launch very targeted attacks on huge attack surface with NO PORT SCANS
- whatever else you can think up python can do for you!
Screenshotter script: PYTHON!
RC Script generator: PYTHON MOAR!
Slides: PDF!
LayerOne 2012 | Drinking from the caffeine firehose we know as shodan
May 28th, 2012Video of my presentation:
(edit: the videos audio doesnt start until 18 seconds in. I’ve edited it, and the video is updating on youtube. This is temporary, please bear with me)
Slide Deck: long-tail-of-the-internet.pdf
Script: shodan-turk.py
So, you pillaged a domain controllers hashes…
February 29th, 2012So you’ve managed to find your way to a domain controller, perhaps used metasploits meterpreter, perhaps got system, migrated to lsass.exe and perhaps were able to use incognito to smart_hashdump and nab all the password hashes. Well, you can hand those off to john the ripper and it will happily crack the LM portion of what you’ve got – but you’ll end up with a bunch of uppercase passwords.
Enter lm2ntcrack.pl – a dandy little perl script that will take the uppercase password and use it as a dictionary to crack the NTLM password for you. Only trouble is that since it was written, the awesome guys at openwall who develop john the ripper have changed the output format of cracked password files. The lm2ntcrack input format was written for a ~2009 version of JtR, so to get it properly working someone had to go and make a tiny tweak in the script where it analyzes the syntax/order of the input file.
So I did it! First time, actually, that I’ve done something like this. And it appears to work! – at least it works on the ntlm hashes I have from a demo network.
Anyhow, here’s my updated copy of the script - lm2ntcrack-viss.pl
Save that as a .pl file (it’s a .txt so it doesn’t get run on the site).
Feedback welcome!
Get your creep on
January 24th, 2012About a week ago, I stumbled across this post in google reader:
Console Cowboys -I always feel like somebodies watching me.
I read it, I was impressed, and it immediately reminded me of previous work I’ve done. In collaboration with @achillean we scanned the whole internet looking for ddwrt routers with a directory traversal vuln, and wrote a script to step through the findings.The result was a map you could use to find routers based on their mac addresses. The vulnerability was information disclosure of the wan mac address, which likely would have been found by the google street view cars, and the skyhook cars during their sweeps, so if you know the wan mac address of a router, you can translate that to a physical location on a map. I thought this would be perfect to apply the same formula to – except in this case it would be difficult to pinpoint where the camera actually existed unless there was some kind of information disclosure in the video stream itself.
Now let me make this abundantly clear: Nothing is getting recorded or saved. The output here are IMG SRC html links to cameras on the internet. Your browser renders those image streams directly from the cameras. Nothing gets saved or written unless you explicitly choose to save something – kind of like watching television – unless you dvr something or god forbid still own a vcr, in the same manner, you have to choose to record things. That onus is on the viewer.
The author of the console-cowboys blogpost wrote a script to do all the proper API calls against shodan to search for the cameras, then another loop to manually test each result found for the path that shows video. If an HTTP 200 OK was returned for the path, the url was saved.
I took that script, and simply added IMG SRC tags to the output, also adding threading during the checks and one or two small performance tweaks – my second python script ever, and I’m already using threads! (I was kind of proud of this )
The results looked something like this. Very simple, but effective:
Each image there is actually video. The cameras each output mjpg straight to the browser, so firefox and chrome were both happy to render video. The trouble was that I found more than 550 cameras – so loading that html into a browser caused my ram and cpu to spike.. a lot. It also wanted 2 megs a second (MEGS, not megabits..) of bandwidth just to view the cameras. So I used the split command to tear the huge list into 6 parts, each list containing 100 cameras, and one with ~56 or so. I posted it off the main website before having writing the script – there were several pastebins floating around with the camera list already, so adding html tags to that was dead easy. I had 200-300 cams in one giant html posted maybe 5 days ago. Everyone had a laugh, and one friend even interacted with one of shops. It was all in good fun for about a week.
Last night I had a member of the information security community raise a concern with me. There was a discussion, and in the end I was berated and called names. As such, I’ve taken down the cam streams from my site. However, I’m absolutely happy to post my script that generated all the cam streams, since its just a updated version of the console-cowboys posting. I encourage you to buy a shodan account like I did, get an API key and have a look at the sort of things people find valuable enough to put on camera. You’d be surprised. Most of it is HORRIFICALLY BORING, but some of the cameras are streaming labs and industrial areas with what appear to be scada devices and other interesting stuff. I’m glad that the girl in the pizza shop had a sense of humor about it, so good on her for that.
I also encourage you to do some research before you buy something like an internet-enabled camera so that you better understand what it is you’re getting yourself into – there’s a chance your camera has not only a ‘known vulnerability’, but a flat out hardcoded backdoor, like these cameras. This is BY DESIGN. Trendnet wrote in a back door.
Anyhow, I was going to use this as material for my LayerOne presentation if my CFP submission got approved but if there are more infosec patrons out there like our generous benefactor here I can expect more headaches the more I talk about this stuff, so I’ll have to think of something else (sorry Noid/Datagram/M).
Now for the meat!
Here’s the script: camcreep.py
You’ll need to install gevent and shodan modules for python. Google can help you with that.
You’ll need a shodan API key: Shodan API key (insert it where it says ‘key =’ .. you’ll see)
I ran this on my mac with 150 threads. It returned about 10,000 results from shodan, and took Just a hair shy of 7 minutes to run.
The script outputs “camlog_new.html”. Thats one giant monolithic file with ALL the cameras. You’ll want to use the linux ‘split’ command to slice it up into various files. I manually added the page links to the bottom of those files since there were only 6 of them.
Also, since I did this all using chrome, I was using “Ultimate Chrome Flag” which is a really neat extension that lets you see some IP GeoData about the site you’re on. If you right click, then open a cam stream in a new tab, you should see the little flag on the right hand side of the URL bar – that will at least tell you what city or major geographic region the camera you’re viewing is in.
Happy Hunting!
Quickly spotting social engineering attempts with TinEye.
October 27th, 2011TinEye is a great service that you can use to search for similar photos on the web. You provide a photo and it compares it to its database looking for similar and modified images.
You can use TinEye to quickly spot fake accounts on social networking sites.
For example. I received this LinkedIn network request the other day.
Not only have I never worked with a “Jennifer Gray”, her profile photo looks like it may be a stock photo. TinEye returned 4 results for stock photography.
Looks like this account may be a recruiting bot or something.
TinEye can also be used to verify the authenticity of a photo and to see if it is a repost or duplicate of another photo. It even has Firefox and Chrome plugins!
Toorcon 13 talk: Why DLP won’t save you
October 20th, 2011Post Toorcon Talk Sushi!
October 3rd, 2011If you know me at all, then you know I love sushi, and you know that I go on and on about this place in town called ‘Love Boat’. Well, there’s a convergence of people who love sushi, elements of Love Boat and hackers all happening at the same time.
- They moved my favorite chef and waitress to a different location (closer to the Toorcon venue)
- My Toorcon talk is right before lunch on Sunday
- I get special treatment at Love Boat because I have a reputation for bringing in a ton of people – this translates to “my party gets special treatment”.
TL;DR – Come to sushi with me after my talk for Sundays lunch instead of some place in dirty old gaslamp.
http://g.co/maps/4m82p – Google map for Love Boat
Directions!
View Larger Map
(almost) 90 days with the Motorola Xoom
May 16th, 2011Just about three months ago I wrote a quick post about having the Motorola Xoom for approximately 12 hours.
First I’d like to address some of the points I made in my last post:
- I can now control my AR.Parrot drone with my Xoom (ad-hoc wifi access points work now, with a small tweak) though now I think that my drone has some physical damage to it, it doesn’t take off correctly. Must fix.
- I’m able to get interesting widgets and buttons using minimalistic text and widgetsoid
- the cifs client works like a champ, and I can stream everything I’d like, though the best player i’ve found (rockplayer) doesnt support mkv or certain types of divx.
- There are ad-block apps, but I cant tell if they’re working or not.
- Skype lags, still no video. Them being bought by MS is also likely not going to help things.
Now the TODO list:
- I have both ubuntu and backtrack5 running on this thing in chroots. While I now have access to tools like nmap, skipfish and other command line tools, some of the interesting ones (ettercap, aircrack) do not yet function due to lack of the proper kernel modules. I’ve contributed to the Tiamat kernel thread on the XDA forums asking if adding that kind of functionality was feasible.
Verdict:
Everywhere I go, I get asked “is that the new ipad?” and I answer “no, its better”. People look confused. I used to get into debates about it, but now I just dont care. I’ve accepted the fact that the vast majority of people prefer a snappy UI and pretty pictures over functionality and an open attitude. I’ve recently figured out how to get my eye-fi to work with the thing, and I’ve been out a few times while taking pictures and having them zip from my leica directly over the xoom (this is a REALLY cool party trick – I intend on utilizing this somehow combined with a projector at this years ninjapenguin party.).
This platform does everything I need that doesn’t require massive horsepower including simple security tasks – like portscanning and browsing open fileshares, nmapping, and running metasploit. I can watch movies on it, get directions (chrome to phone is awesome on this thing), watch full-screened high-res episodes of southpark from southparkstudios.com and other flash sites (since it supports flash) browse full HTML5 and flash websites, and even set it up like a mini entertainment set – with the jawbone jambox speakers setup as bluetooth speakers.
It’s overclocked from 1ghz to 1.6 ghz with little to no impact on the battery. The modified kernel allows me to have external SD storage enabled and PTP and USB OTG modes so that I can plug in external devices and storage (though I have not yet tried a mouse or keyboard, usb sticks and my leica d-lux 4 work like a champ – for some reason the d3s isn’t properly recognized, so I’ve opened a ticket with google). I hope to use it in a photography sense as well (in Vegas this year, if I’m lucky) with the square reader and squareup app – which lets me accept credit cards as an individual. I can torrent from the thing, as well as use it as a backup phone by way of a skype-in number and a bluetooth headset. The list just goes on and on!
I’ve been tapped to use it as a support tool – once at drinkup a friend had a need to use a variety of basic linux tools such as traceroute, ping and telnet – I was able to hand him my xoom in an ubuntu chroot and tell him ‘go to town’. I can use it to remote control any of my computers as well, even remotely ‘hamachi style’ using a tool called neorouter.
I intend for this to be my “computer” while I’m at Defcon/Blackhat this year. I can easily offload all my photos to it, and it does everything I need while I’m on the go. Someday I hope to actually give a talk from this thing, completely without a laptop.
tl;dr: If you just want a toy, buy an ipad. If you want a tool? Buy the xoom.
Wishlist:
- I still want a site survey tool. Especially overclocked past %50. this thing screams.
- Having the jambox speakers helps when I want other people to hear stuff, otherwise I want a case that has little ‘ears’ to funnel the speakers forward.
- Having backtrack5 on this thing is badass, but some of the more impressive stuff is unavailable – I cant send arp traffic and I cant put the wifi interface into monitor mode or inject traffic. I’ve asked about it on the xda thread.
- I really wish someone would port VLC over to android. This hardware has so much still untapped potential – I want to be able to watch a 720p mkv. Standard dvd rips work fine, highres stuff chokes – because the players don’t leverage the GPU
- I want to find out why the hell it doesn’t work with my Nikon D3s. It sees the camera, but never sees any photos. wtf?
How I met your router
May 2nd, 2011I suppose you can call it “arriving late to the game” – I’ve only been on the full disclosure mailing list for something on the order of 6-8 months. In that timeframe I saw some interesting (but not ‘interesting enough to make the real news/blogs/etc) vulns and posts come through.
During that time I’d also spent a lot of time playing with shodan. In my downtime I’d spent hours upon hours, up until 4am some days doing searches on shodan for unprotected or easily accessible security cameras (korea has a TON of them all monitoring construction sites, for some reason). Finding traffic cameras in LA, then making a game out of trying to identify the intersection using google streetview.
That horrible movie ‘eagle eye’ starts coming to mind about now, as I’m honing my skills of being able to find all sorts of stuff and tie datapoints together.
One day on the full disclosure list I see this. The first thing I did was go STRAIGHT to shodan and start searching for dd-wrt routers accessible to the internet. I think I did this in something like Dec ’10 or Jan ’11 – I found 8000 or 9000 devices.
I wrote a quick perl script to step through the output of the search and try to see if it was worth it to do something interesting with the data, and out of the resultset I had, I got about %30. Not bad, something like 2000 dd-wrt routers, publicly available, vulnerable to a very simple information disclosure bug.
I immediately thought of Samy Kamkar. His ‘how I met your girlfriend’ talk at blackhat ’10 was hilarious and spectacular (and in getting the link to write this post I found this – cool! didn’t know that android phones were sending that data home. Thats cool and creepy at the same time) - I wondered how that would apply to my findings – so I tried a few of them. I got limited results – something like 700 or 800. Thats not too bad! The workflow kind of looked like this:
Vuln -> full disclosure -> shodan -> vuln assessment script -> google location script -> results.txt
Once I had a bunch of results in a textfile, I wasn’t really sure what to do. I knew I could try and make a google maps hack, but having never done that before I started asking around for help, so I turned to John. I told him that I’d used shodan for the datamining portion of this little quest, and he offered to help! I had no idea he’d build a little search utility around it – that was awesome. You should check it out, he did a really awesome job!
http://www.shodanhq.com/research/geomac
And heres some more background beyond what I’ve already written that details the more technical aspects of these findings:
http://www.shodanhq.com/research/geomac/report