Archive for the ‘insight’ Category
Thursday, July 22nd, 2010
So when I get a new phone, I immediately want to try to get as much access on it as possible (read: root it). Custom ROMs are wonderful, but in the case of the HTC Incredible I don’t think there are custom ROMs (yet).
After I rooted my HTC Incredible I started doing searches in the Market for interesting things. I found some neat wireless utilities, I found a file manager that lets you browse SMB file shares on the LAN (NEAT.), I found a packet sniffer, and some more interesting tools.
The light came on over my head when I realized “Wait, a packet sniffer AND a wireless access point? .. can .. I sniff.. the wifi with this?!”. As it turns out the answer is yes – it takes some finagling, and if you do it in the wrong order one application stomps the other (I’ve already written to the author of the packet capture application about this but have not gotten a response yet).
Here is a quick walkthrough on how to turn an HTC Incredible into a rogue wireless access point:
- Root the phone. This can be done by visiting http://unrevoked.com/recovery/, downloading the app, and running it.
- Once the phone is rooted, go to the Market and install the wifi tether application. Be aware, though, that with the HTC Incredible there are additional steps to get this application to work (see their wiki page: http://code.google.com/p/android-wifi-tether/).
- Install the packet capture application. This also needs additional steps after installation (http://sites.google.com/site/androidarts/packet-sniffer).
- Once the packet sniffer is installed, configure it to log to a file instead of an SQL database. I wasn’t able to find the actual database it logs to, but the text file appears right at the root of the SD card. It looks just like the ‘live’ output, though, which I don’t think is a proper capture format: it doesn’t log raw traffic at all.
- Don’t start the sniffer or wifi tether yet; they must be configured beforehand.
- Go back to wifi tether and configure the SSID. Name it something which will attract people in search of free wifi. Linksys. Dlink. Netgear. 2WIRE858. The SSID of a target network, perhaps. Again, do not turn on tethering yet.
- Open the packet sniffer again, go to the ‘wifi capture’ section, enable the capture, and, if you’d like, enable logging packets to the screen.
- Hit the phone’s ‘home’ button to exit without stopping the packet capture tool, and re-open the wifi tether tool. Once in the tether tool, enable tethering.
- Hit home again and re-open the packet capture tool. If anybody connects, wifi tether will tell you in the status bar at the top of the display, and you will start seeing ARP and DHCP traffic scroll in the live feed window as you would with any other packet sniffer.

There are several caveats to this though:
- This tool does not appear to capture raw packets. You can do that from a terminal using tcpdump if you feel so inclined; the packet capture tool’s installation instructions have you install a new version of tcpdump, which you should be able to use to capture raw traffic rather than just cleartext.
- Packet capture has to be running before wifi tether. If you try it the other way around, wifi tether will hang and you’ll have to kill it.
- This will also capture all the traffic from your phone to the internet, so if you’re trying to do a bunch of stuff on your phone while running a rogue access point, it will muddy your results.
This has been a fairly simple howto – you creative types will easily be able to find more interesting things to do with this.
My wishlist after figuring this out? An app that acts like airodump – I want to see clients probing for networks so that I can “give them what they want”. I also want this packet capture tool to log raw data, not just plaintext stuff. Now that this is possible, I wish for tools like driftnet, dsniff, and others of that sort to become available on the Android platform. The objective here would be to use this during a pen test as a tool to capture data, then bring it back to the lab for analysis.
Tags: 802.11, 802.11a, 802.11b/g, 802.11n, access, audit, auditing, dan, hack, incredible, pen, penetration, point, rogue, root, tentler, test, testing, viss, vissago htc, wifi, wireless
Posted in insight, review, technology, training | No Comments »
Wednesday, June 16th, 2010
How to hack a Facebook account – or, basically, how to hijack PHP sessions. Yes, this is old news; yes, it’s a common vulnerability; but you get a better idea of what it is and how it works when things are explained in detail (with screenshots!).
Before we begin, however, I want to re-emphasize that it is VERY EASY to protect yourself against this sort of attack. Facebook supports HTTPS, so when you browse Facebook (or Twitter, for that matter), or if you have it bookmarked, please make sure you’re using https:// rather than http:// in the URL at the very least, if not a VPN solution for further encryption. Also, if the ‘victim’ logs out of Facebook, the attacker’s session becomes invalid, so it’s good practice to actually log out of Facebook and log back in again rather than using the ‘remember me’ checkbox.
Facebook, like many sites, operates using authentication cookies. Their auth cookies contain a variety of information, but for our purposes most of it is irrelevant. Here is a sanitized cookie for reference:
Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; lsd=Xesut; lxe=greg.evans%40****************; c_user=100001230367821; lo=wl9fcGXMhPfoT4bAhKFP3Q; lxs=1; sct=1276721745; xs=a615cfe596448194d6e2a8d062a90e4e
You can see the ‘lxe’ field is the login. We haven’t done any further research into what the various other fields mean, but when you use Facebook without any kind of transport security you’re leaking both the email address used for your login and the session cookie.
The first thing you’ll want to do is fire up your favorite packet capture application. For this example we’ve used Wireshark:

Next, set the filter in the top left to http.cookie contains "datr". This should show you only captured packets which contain the cookie we’re looking for. You can see that in this screenshot we’ve already captured a cookie.

Once you’ve found a suitable cookie, you can copy it into the clipboard by right-clicking on the cookie line and clicking Copy -> Bytes (Printable Text Only).

Next you’ll want to open up Firefox. You’ll need both Greasemonkey and the cookieinjector script.
Simply browse to Facebook – make sure you are not logged in:

Hit ALT-C to bring up the cookie injector dialog box:

Then paste in the cookie!

Hit refresh and – VOILA! You’re now logged in as your victim! Now, this doesn’t give you access to their credentials; this is roughly the equivalent of walking up to their workstation while they’re away from their desk and using Facebook.

Neat, huh? Pretty easy too. I smiled big when we demo’ed the attack in our lab – it’s old, sure, but being successful is always a good feeling!
P.S: This isn’t REALLY Gregory Evans’ account. We set up this account because .. well.. the name was available! We thought it was in good taste as the No #1 hacker’s Twitter feed got hacked the other day, his site is riddled with XSS exploits, and his book is copypasta from a variety of certification exam prep books. Thanks to Nick and mckt for the work and tutelage, respectively. No noobs were harmed in the making of this film.
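As an added example (not code from the original post, and not Facebook’s own implementation), here is a minimal server-side session store in Python that implements the two defences the post names: refusing to honour a session cookie that arrives over plaintext HTTP, and invalidating the session on logout so a copied cookie becomes worthless. It also adds a coarse hijack-detection heuristic, binding the session to the client’s User-Agent and alerting when the same token shows up from a different client; that heuristic is an assumption of this example, not something the post says Facebook does.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    user_agent: str      # client fingerprint recorded at login (coarse heuristic, assumed)
    active: bool = True  # False once logged out or invalidated


class SessionStore:
    """Server-side session table: the cookie carries only an opaque token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []   # what a defender would forward to monitoring

    def login(self, user: str, user_agent: str) -> str:
        # Unguessable token; unlike the cookie in the post, nothing in the
        # value reveals the login email, so a sniffer learns only the id.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, user_agent)
        return sid

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # Secure: the browser sends the cookie only over HTTPS, so a sniffer
        # on open wifi never sees it. HttpOnly: page scripts cannot read it.
        # SameSite=Lax: not attached to cross-site requests.
        return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def authenticate(self, sid: str, user_agent: str, over_https: bool) -> Optional[str]:
        """Return the user for a presented cookie, or None if it is rejected."""
        if not over_https:
            # Never honour a session cookie that arrived in the clear.
            return None
        session = self._sessions.get(sid)
        if session is None or not session.active:
            return None
        if session.user_agent != user_agent:
            # Same token, different client: the signature of a replayed cookie.
            # Kill the session and raise an alert instead of serving the request.
            session.active = False
            self.alerts.append(
                f"session of {session.user} replayed from a different client")
            return None
        return session.user

    def logout(self, sid: str) -> None:
        # Server-side invalidation is what makes a copied cookie useless once
        # the victim logs out, as the post observes.
        session = self._sessions.get(sid)
        if session is not None:
            session.active = False
```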
Tags: dan, facebook, hack, hijacking, how, information, lennox, mrb0t, nick, penetration, security, session, stealing, tentler, testing, to, viss, vissago
Posted in insight, review, technology | 2 Comments »
Sunday, June 6th, 2010
However good or bad you think you are at security, this may put a few details into perspective for you:
In the last few weeks Ligatt Security has been “making headlines” with their 90s-esque Hackers-style commercials and advertisements – the three most notable of which advertise that large black men, 12 year old boys, and “hackers” with what appear to be ethernet-enabled projector goggles are “out to get you”. Their fear-based marketing campaign slants the average computer user’s security experience using the standard “if you don’t hire us, your life is pretty much over” routine.
It’s a pretty huge bag of fail – I really hope this is a learning experience for them. One of the more important ‘scout badges’ I’ve earned in my time as a contractor so far is “practice what you preach”. A “large”, publicly traded “information security company” probably should have taken the time to do some BASIC SECURITY on their own website – CLICKY!

EDIT: After a couple of Twitter posts about this they’ve firewalled me off of the host. Firewalling one guy isn’t gonna help, guys; I’m certain I’m not the only person to have found a CORNUCOPIA of publicly available vulnerabilities on your site.
Tags: dan, fail, ligatt, poor security, security, tentler, tsk tsk
Posted in insight, rants, review | No Comments »
Wednesday, May 19th, 2010
Tags: brown, dan, derren, examples, hypnosis, hypnotism, language, neuro linguistic programming, nlp, tentler, video, videos
Posted in insight, training | No Comments »
Monday, May 10th, 2010
I just picked up one of these things. In the 3 days I’ve had it I’ve probably convinced 15 people to move to it from their iPhones, or jump to it as their next phone on Verizon. Expect this to be more or less a hacker’s review.

This is the charted battery usage over approximately 3 days. I learned very quickly that when you go to meetups and parties and pass around a brand new phone that very few people have, everybody wants to try the same stuff on it over and over again – so the thing gets quite a workout and gets handed back to you with 20% battery left.
I’m using this app to monitor the battery and produce the data for the graph. So far it works out well – except that when it’s not running it simply doesn’t record data, so the datapoints on the bottom of the chart make the graph look a little interesting. I’ve numbered some interesting behavior on the chart:
- I recorded the Lost Abbey brewery tour for ~25 minutes. It consumed approximately 25% of the battery life.
- It took 3 hours and 45 minutes to charge from roughly 35% battery life to full.
- In 40 minutes of usage I went from 80% battery to roughly 35%.
- Leaving the phone overnight to cycle the battery
- Disregard – you can see at the bottom of the chart the time jumps from ~0900 hours to ~1800 hours in one step.
- I’d argue ‘standard’ daily usage
- a good solid charge via my MacBook
- more standard usage
First impressions: This thing is *FAST*. I mean *FAST*. Clocked at 1 GHz, it’s very impressive. My G1 would chug and choke when opening the gallery as it tried to thumbnail all the pictures. I suspect the built-in 8 GB storage may have something to do with its I/O performance, as I’m guessing the onboard flash is going to behave more quickly than an SD card. One of the first things I love thinking about is ‘can this thing run nmap/metasploit/JtR/aircrack/etc’. As far as its ability to do that, I have every confidence that the thing could take the Pepsi challenge should it arise. However, I’ve almost immediately noticed I have to charge this thing 2x a day if I want to use it for any lengthy amount of time. I haven’t actually had it DIE on me yet, but it’ll get down to 20% or so battery before I start fiddling trying to find the charger.
It’s fast, and very, very capable. The camera beats the pants off the G1 camera hands down, and this is a very appreciated breath of fresh air after having my G1. The only drawback is that it really does consume a lot of juice. I read in the forums that some users have been able to use batteries from other phones in the Incredible successfully and extend their battery lives that way.
Interested in hacking the thing? We still don’t have root on it. What does having root mean? Tethering, overclocking, the possibility of all the wonderful Linux-based tools we’re used to (nmap, metasploit, etc.) and more.
Here are the forums if you want to throw your hat in the ring to get root and help the community expand the functionality of this phone.
Tags: battery, chart, dan tentler, graph, htc, incredible, performance, review, verizon
Posted in insight, review, technology | No Comments »
Friday, February 19th, 2010
It’s been roughly 24 hours since I posted about paranoia and foursquare. I was correct in my foresight expecting people to respond somewhat forcibly, or strongly – but I got my responses from ENTIRELY the wrong crowd I was trying to speak to: my infosec friends.
I wanted to acknowledge valid points that were brought up in conversations carried on after the fact and transmogrify the undertone from my last post into an overtone in this one. My suspicion is that my previous snarkiness may have obfuscated the clarity of the point I was trying to make.
- Yes, absolutely, I agree that over-sharing your location creates a vulnerability and allows an attacker to build an attack profile (excessive meaning, say, more than 3-5 checkins daily). As one friend put it, “updating foursquare 24/7” = bad. Foursquare is not “HELPING” the problem – yes, they are “CONTRIBUTING” to it, but they are not “THE” problem.
- This is not a “new” attack vector. Foursquare is not the first application to allow one to publish one’s whereabouts (if you REALLY wanna crap your pants, have a look at Latitude. If you think Foursquare is bad, your head will fall off).
- No, in this context, knowing if you’re in a building or in a certain room to a building is irrelevant. The point here is you’re “leaving your home vulnerable”. Personal security is a different subject entirely, and I prefer to stay on topic. The site that was mentioned was “Please rob me”, inferring “come to my home and rob it while I’m not there”. If people would like to have a healthy discussion about personal security, I’d be happy to be a part of it – however this is not it. This discussion is about the home.
- It is less likely that an ACTUAL home-invader will use Foursquare over any other social/web2.0 site. Standard usage dictates one has to click an accept button to allow someone to view their checkins (unless they’re published to Facebook/Twitter, then it’s moot anyway). I’ve had friends that have had their homes burglarized, and in every case the attacker was not what any of us would consider an “advanced enough” computer user to utilize Foursquare as a prelude to a burglary. It was always something like “we saw them packing up to leave on a ski trip” – visual, in person. If an attacker is enlightened enough to employ attacks like CSRF and social engineering methodology, they’re going to go after what you have in the bank, in investments, carbon credits (a new one!) and other things that are far more valuable than your television.
- In this context it’s Foursquare that’s being thrown under the bus. Their ‘fault’ in this case was to take an already popular idea (Dodgeball) and make it more popular. It’s the “in” thing to do right now – overshare. Some people do it, other people don’t – people manage their own risk. Telling Twitter you’re going to the bar, versus checking in on Foursquare AT the bar, versus Gowalla, or a Facebook update – it’s all the same thing: you’re telling the internet you’re not home. The problem is the behavior, not the “tool used”.
The last line of the last post I wrote is more or less the overall point I’m trying to make. Somehow, or for some reason the masses have decided to have an epiphany where they throw their hands in the air and declare foursquare unsafe.
Agreed, they have a valid point. I won’t argue that, but it’s synonymous with walking into the burn ward at a hospital, walking past rows and rows of disfigured and suffering individuals, stopping at one random person, then exclaiming to the world how THIS PARTICULAR PERSON is suffering and needs medical attention and oh-woe-is-me-what-a-world.
Generally speaking, the same people who have ‘come to this realization now’ are guilty of using many other applications that “tell people they are not home”.
My point, reconstituted without snark, is: You’ve been doing it for years, and you JUST NOW realized it? THAT’S the problem. Not Foursquare. The very same author of the blog post I linked to is guilty of frequently publishing their location using a variety of applications. At best I can only speculate, but my speculation is that it was done for the readership and to stir the pot – not to actually provide any real warning.
Tags: as, before, calm, down, evil, foursquare, isn't, relax, some, speak, think, would, you
Posted in insight, speculation | 6 Comments »
Tuesday, February 9th, 2010
Having been practicing information security on a freelance basis for roughly 2 years now, I’ve quickly come to learn that the information security industry is very incestuous – teeming with folks that think the standard “how to survive prison” methodology works for information security. Find someone who’s made a name for themselves, beat the ever-living crap out of them, assume their former glory. This is a problem. Primarily because it doesn’t work, and secondly because nobody has ever been able to do it right and get their intended results.
More so, it is a problem when people who have openly admitted their noviceness in Linux, security and other things of a technical nature decide to take up a crusade. They’re loud, boisterous and spend lots of energy on a ‘cause’ that they simply don’t understand. The first thing that comes to mind when thinking about these people is an angry Neanderthal – angry that the wind blew out his fire, who then goes and bludgeons his neighbor with a rock out of rage – or the Salem witch trials, where women were called out as witches and burned alive, their pleas of innocence ignored.
This is exactly what I’m dealing with – novices, newbies and beginners who know little to nothing about information security or the industry surrounding it, picking up a torch and going on a crusade because of something they don’t understand.
I’ve been dealing with a small handful of these people, and it seems the further along I get in growing my business, the more opportunity these trolls think they have to shoot me down. I’m going to draw out, chronologically, the whole series of events from then until now – including how I’ve contacted attorneys, sent cease and desist notices, and how I personally have suffered, and how the friends and loved ones around me have suffered, because two guys in Riverside simply cannot act like adults. It’s a long ride, but for those interested in the whole story, end to end, read on.
I apologize to those whose names I’m about to drop, who I told I’d keep out of this – but at this point it’s unavoidable. I have to name names to tell the story.
(more…)
Tags: absurd, absurdity, david, ed, hober, kaiser, libel, linux, newb, newbies, noobs, o'connor, rog, rogelio, roger, rustad, scubacuda, slander, socal, socallinux.org, troll, trolling, wannabes
Posted in insight, rants | 4 Comments »
Monday, February 1st, 2010
In this case, I’ll be arguing:
The easier it gets to write code (scripting, really), the sloppier it gets and the more insecure it gets.
We can see this in the prevalence of SQL injection, cross-site scripting and sloppy error handling in the ever-expanding catalog of new sites appearing on the internet.
I cite this from personal experience. Of late, people seem to care more and more about ‘how pretty it is’ and less about what actually happens behind the scenes. I’m reminded of the 90s, when video games were stuck in 256-color 320×240 with bleeps and bloops for sound – if you didn’t have a good story, people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music and gameplay are all phoned in.
These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine, noticed something: the Android Foursquare application communicates unencrypted, using Apache’s ‘basic’ authentication.
(more…)
Tags: 4sq, 4square, android, apache, auth, basic, foursquare, g1, iphone, packet, sniffing, zipline
Posted in insight, review, technology, training | 1 Comment »
Thursday, December 10th, 2009
I know two trolls. Roger Rustad, and David Kaiser – they run socallinux.org.
If you read anything these two post on socallinux.org, you can quickly determine they use this mailing list to defame whomever they choose – and because their mailing list gets both spidered by Google and mirrored by list-serv, they get pretty much automatic SEO. Multiple domain names replicating messages. And if the mailing list gets any activity for any reason, the SEO goes up.
This is like a troll sniper rifle. You want someone to go down in flames, or you just want to make them real miserable? Talk smack about them somewhere that gets spidered by Google and replicated to other sites. If anyone googles them, they’ll find listserv messages, mail-archive.com and Google cache results all parroting the original messages.
Google is like the Force. It can be used for good and evil. In this example, we’re looking at it being used for evil.
(more…)
Tags: branding, dan, daniel, dave, david, hacking, kaiser, personal, rog, roger, rustad, tentler
Posted in insight, rants | No Comments »