CLOC - Count Lines of Code

Filed under:Code, Tools — posted by Consultant on July 14, 2008 @ 2:28 pm

I have mentioned the tool in my previous post but the tool deserves an entire dedicated post! If you were looking for a tool to count source code lines, here’s a nice one.

Take a look at CLOC (http://cloc.sourceforge.net/). Here is an excerpt from its website:

“cloc counts blank lines, comment lines, and physical lines of source code in many programming languages. It is written entirely in Perl with no dependencies outside the standard distribution of Perl v5.6 and higher (code from some external modules is embedded within cloc) and so is quite portable. cloc is known to run on many flavors of Linux, AIX, Solaris, IRIX, z/OS, and Windows. (To run the Perl source version of cloc on Windows one needs ActiveState Perl 5.6.1 or higher, or Cygwin installed. Alternatively one can use the Windows binary of cloc generated with perl2exe to run on Windows computers that have neither Perl nor Cygwin.)

cloc contains code from David Wheeler’s SLOCCount, Damian Conway and Abigail’s Perl module Regexp::Common, and Sean M. Burke’s Perl module Win32::Autoglob, … ”

Hope you find it useful

Counting lines of source code

Filed under:Methodology — posted by Consultant on @ 2:21 pm

If you were ever involved in the process of scoping out a source code audit project, you have probably run into the situation where you have to figure out how to count the code. There are several things involved:

  • What tool are you going to use to count it?
  • Should the tool be able to understand the language?
  • Or will you simply use a line counting tool such as wc -l?
  • What will you consider in your count? Code lines, blank lines, what about comments?

I’m going to go ahead and cover each of the points I mention above, based on my own experience. I therefore invite you to submit and share your comments based on your own experiences as well.

I believe in providing [potential] customers with accurate information, and I understand that sometimes that may not even be possible. But when it comes to counting lines of source code, I would rather use a tool that can parse the code than simply run “wc -l”. However, any functional bugs within the tool you use may end up impacting your estimate considerably, and for that reason you need to test the tool first (or make sure it has already had some testing). The main benefit you get from parsing the source code, rather than simply counting raw lines within a file, is the ability to identify source code comments (the way of specifying comments varies from language to language).

Now, why would you be interested in identifying source code comments? Good question! It depends on how you perform your scoping. The reasons I can think of are:

  • You have a certain metric for source code lines and a different one for comments (on average, comments should be easier/faster to read.)
  • You want to exclude comments from the estimate. You are ok with working an extra bit to cover for any comments.
  • You want to exclude comments from the estimate. You will simply blink, look away, close your eyes whenever you go through a commented line while performing the review.
  • You simply want to provide your client with a break down containing lines of source code and comments.

I have been on both sides of the court, considering comments within the estimate and excluding them. But either way, I have always looked at comments while reviewing code! You could argue that comments don’t get compiled/run, and that there could be plenty of dead code lying around. But comments are not only fun, they are a window into the programmer’s mind, and what’s more valuable than that?! Yes, you can find dead code, but why is that code even there? From one version to the next, dead becomes alive and boom! And flexibility is the key! If you do know of a directory just filled with dead code, why not look carefully, or talk to your client about excluding that piece from your estimation?

So it is up to whether you decide to include comments in your time estimate or not - but it shouldn’t be your choice to decide whether to review them or not.

So this all ends up being:

source_code_lines = lines_in_file - blank_lines - comment_lines
comment_lines = lines_in_file - source_code_lines - blank_lines
total = source_code_lines + comment_lines
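The arithmetic above, worked through as an added example (this is not cloc's code and not code from the original post): a small counter for C-like source that separates blank, comment and code lines, which a raw “wc -l” cannot do. It assumes whitespace-only lines count as blank even inside a block comment and that a line mixing code with a trailing comment counts as code; SAMPLE is constructed input.

```python
def count_lines(source):
    """Classify each physical line of C-like source as blank, comment or code."""
    counts = {"blank": 0, "comment": 0, "code": 0}
    in_block = False                      # inside /* ... */ from an earlier line
    for line in source.splitlines():
        if not line.strip():              # assumption: blank wins, even in a block
            counts["blank"] += 1
            continue
        has_code = has_comment = False
        i, quote = 0, None                # quote: active string/char delimiter
        while i < len(line):
            ch, two = line[i], line[i:i + 2]
            if in_block:
                has_comment = True
                if two == "*/":
                    in_block = False
                    i += 1
            elif quote:
                if ch == "\\":
                    i += 1                # skip the escaped character
                elif ch == quote:
                    quote = None
            elif two == "//":
                has_comment = True
                break
            elif two == "/*":
                in_block = has_comment = True
                i += 1
            elif not ch.isspace():
                has_code = True
                if ch in "\"'":
                    quote = ch            # comment markers in strings are code
            i += 1
        counts["code" if has_code else "comment"] += 1
    counts["total"] = counts["code"] + counts["comment"]   # the post's 'total'
    return counts

# Constructed sample input (not from any real project).
SAMPLE = '''/* auth.c - constructed sample
 * TODO: re-enable lockout check
 */

int check(const char *pw) {
    // old = strcmp(pw, "secret");
    const char *url = "http://example.test/*not a comment*/";
    return pw[0] != 0; /* trailing note */
}
'''
print(count_lines(SAMPLE))
```

The string literal on the `url` line is the kind of case worth feeding to any counting tool before trusting its numbers for an estimate.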

I have recently found a very nice tool called CLOC (http://cloc.sourceforge.net/) - which deals with a wide set of programming languages. Test it out!

Later.

CISCO IOS Rootkits are da bomb

Filed under:Blogs — posted by Consultant on June 6, 2008 @ 9:20 am

Sebastian Muñiz, also known as “topo”, who worked hard on creating the first public IOS rootkit (which, among several things, is platform independent), has now created a blog named “Ret2Libc - REVERSE ENGINEERING AND RELATED”.

He mentions a document disclosed by CISCO in response to his presentation on IOS rootkits (the one he also gave at EuSecWest 2008) which includes several security measures administrators can take to protect their routers.

Take a look at the blog right here: http://ret2libc.blogspot.com/

Later,

Testing a personal firewall solution, a couple of resources

Filed under:Methodology — posted by Consultant on June 4, 2008 @ 10:09 am

I was looking for resources on how to test personal firewall solutions which are so frequent these days. Here are some of the things I found which may come in handy to someone looking 4 the same thing.

History and Advances in Windows Shellcode (The part for: Uploading file with debug.exe and VBS)
http://www.phrack.org/issues.html?id=7&issue=62

Bypassing Windows Personal FW’s
http://www.phrack.org/issues.html?issue=62&id=13 

Firewall leak tester (a collection of scripts for testing personal firewalls)
http://www.firewallleaktester.com/

Defeating Windows Personal Firewalls
http://www.thehackademy.net/madchat/windoz/win32inc/defeating_windows_personal_firewalls.pdf

Hope those help! I need to add those to the directory.

-AV

Mass deleting your e-mails from Gmail

Filed under:Methodology — posted by Consultant on May 29, 2008 @ 7:25 am

I went crazy yesterday looking for a tool that would easily let me remove every single e-mail from my Gmail account. I really find it hard to believe that even though I get the “E-mails deleted” message, they are not being kept somewhere for some agency’s convenience. Nonetheless, I wanted to take a measure of removing everything and quickly (I don’t have anything to hide really, it’s just for learning!)

By quickly I mean that if you have thousands of e-mail conversations, the largest number of e-mails/threads that you can list within Gmail is 100. Therefore an hour clicking select-all and delete would have been incredibly insane.

I started googling. I found a script in Perl that some guy wrote which simply connected to Gmail’s IMAP service and looped through the threads removing everything with IMAP commands.

Then I found a series of threads about people trying to do the same thing, which is automating the e-mail deletion process, and a discussion on how certain Firefox GreaseMonkey (http://www.greasespot.net/) plugins could fake your button clicks, pretty much like a single sign on session.

I also found Python libraries from 2005, nothing really convincing.

That is when I went back to the Gmail interface and selected all 100 threads on screen, and all of a sudden this amazing “Select all 4015 conversations in Inbox” link appeared! It had already been implemented by Gmail, stupid me trying to look somewhere else for the response!

Clicking on that link provided me with a way of selecting everything I had in my Inbox, then again on my Sent e-mails and by clicking on the Delete button I moved everything to the Trash. You then have to go to the Trash and delete everything forever.

Hope that saves you some time!

Gmail security? Well at least start with customizegoogle

Filed under:Hardening, Tools — posted by Consultant on @ 7:15 am

I’ve been looking around certain Gmail topics, including how to wipe out everything from your Inbox (I will talk about that in my next post) and one of the things I was interested in was ’security’.

If you are a Gmail user and you are a Firefox user, then consider taking a look at customizegoogle.com

I’m not affiliated with that site by any means, and I dislike the fact that it looks more commercial than good, but the reality is that along with their promises of being spyware-free, it really does a good job when it comes to protecting your communication with gmail.

Included with that Firefox plugin are lots of other features, such as disabling Google ads while you search @ Google or while you’re inside Gmail. But the one I care about the most is a feature that forces SSL every time you surf your mail @ Gmail.

Why do you need that? Simple. Head your browser to www.gmail.com - you will find that you are automatically redirected to the SECURE version, yes. However, the point of that is to protect your username and password while logging in (otherwise they would be sent in plaintext through the network).

The problem starts right after you have logged in. You will notice that you’re no longer in a secure version under SSL but rather back on the standard http:// protocol. You can switch back to the secure version manually, that is, by modifying the URL and adding that extra ’s’ after http, making it https://. However, once is ok, twice.. fine, but three times, or every single time you log into Gmail, remembering to switch back to the secure version is a freaking pain in the behind. Not to mention that once you’ve realized you are in the insecure version, your e-mail headers (that e-mail list with extracts from the e-mails you received) have already been sent to you in plaintext.

If you add to that my other post where I mention FireGPG and GPG4Win (http://www.penetrationtests.com/blog/2008/05/07/it-looks-like-the-gpgfirefoxwindowsgmail-puzzle-is-solved/) then you have plenty of security added to the default gmail package.

Check it out, it’s worth it!

Good luck.


Quick shellscript for replacing a watermark

Filed under:Tools — posted by Consultant on May 25, 2008 @ 10:13 am

This is meant for replacing your own watermarks, not for the purpose of stealing someone else’s content!

But using ImageMagick (http://www.imagemagick.org) you can easily replace a portion of the image (*.jpg in this case) with the portion that goes on top, your new logo for instance (little.gif in this case):

@echo off
rem Overlay little.gif on every *.jpg and write the result into the output directory
for %%X in (*.jpg) do composite -geometry +0+178 little.gif "%%X" "output/%%X"

The -geometry option is for providing a specific horizontal and vertical position within the original image.

What does it have to do with penetration testing, you may ask? Well, it could come in useful during a client-side attack where you need to reuse several images quickly, or it is simply related in the fact that during a period of time where you run out of work, you can work as a designer? Oh well.

Hope it helps, it sure helps me remember.

Windows shell for loop example (read file, run cmd, dump output)

Filed under:Methodology, Tools — posted by Consultant on @ 9:44 am

I just retrieved this from Ed Skoudis’s presentation that I just mentioned in my previous post (look it up!)

Windows’ shell scripting is really in the dark, at least for me. I’m constantly looking for new ways of creating smart batch scripts and it really gets to be a pain in the ass to find something useful.

It is therefore a must to store the following one. It will open a file; the delimiter character is fictional, the idea being that you won’t really use it, which forces Windows not to parse the command using spaces as the default delimiter. It will then run the command and finally dump the output to a file!

c:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /C %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1

Goodbye!

Interesting Webcast by Ed Skoudis

Filed under:Methodology, Tools — posted by Consultant on @ 9:37 am

I’m watching the following Webcast by Ed Skoudis which was hosted by Core Security Technologies:

Penetration Testing Ninjitsu Part II: Crouching Netcat, Hidden Vulnerabilities with Ed Skoudis at CORE Security

Ed talks about the importance of being aware of your ISP filtering policies at the time of conducting a pentest, which sounds obvious but then again it’s easy to forget.

He also discusses some techniques for replacing the netcat client in Linux and Windows, and provides examples for creating reverse shells using /dev/tcp and creating port scanners in both Linux and Windows, among other things.

In my personal opinion, the windows port scanning options are not worth it :) he sure works around the limitations imposed by Windows’ telnet and ftp clients, and I believe he mentions them for a specific case in which you may have no other ways of performing an automated portscan.

You can leave it on and hear him speak while you do something else, won’t be a waste of time.

I came across this wiping tool for Windows, CCleaner

Filed under:Tools — posted by Consultant on May 14, 2008 @ 8:22 am

The tool has a free version and takes care of wiping a significant amount of information any time it runs. You can configure it to run every time Windows starts (it would be nice if the action triggered every time Windows shut down as well).

It currently cleans the following:

  • Internet Explorer: Temporary files, URL history, cookies, Autocomplete form history, index.dat.
  • Firefox: Temporary files, URL history, cookies, download history.
  • Opera: Temporary files, URL history, cookies.
  • Windows: Recycle Bin, Recent Documents, Temporary files and Log files.
  • Registry cleaner: Advanced features to remove unused and old entries, including File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help Files, Application Paths, Icons, Invalid Shortcuts and more… also comes with a comprehensive backup feature.
  • Third-party applications: Removes temp files and recent file lists (MRUs) from many apps including Media Player, eMule, Kazaa, Google Toolbar, Netscape, MS Office, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and many more…

You can find it here, it won’t bug you and you can configure the wiping to be better than a simple round of zeros - so far it’s been so good.

http://www.ccleaner.com/

Looking for more useful tools to have handy!

Hope that helps

