Mass deleting your e-mails from Gmail

Filed under:Methodology — posted by Consultant on May 29, 2008 @ 7:25 am

I went crazy yesterday looking for a tool that would easily let me remove every single e-mail from my Gmail account. I really find it hard to believe that even though I get the “E-mails deleted” message, they are not being kept somewhere for some agency’s convenience. Nonetheless, I wanted to take a measure of removing everything and quickly (I don’t have anything to hide really, it’s just for learning!)

By quickly I mean that if you have thousands of e-mail conversations, the largest number of e-mails/threads that you can list within Gmail is 100. Therefore an hour clicking select-all and delete would have been incredibly insane.

I started googling. I found a script in Perl that some guy wrote which simply connected to Gmail’s IMAP service and looped through the threads removing everything with IMAP commands.

Then I found a series of threads about people trying to do the same thing, which is automating the e-mail deletion process, and a discussion on how certain Firefox GreaseMonkey (http://www.greasespot.net/) plugins could fake your button clicks, pretty much like a single sign on session.

I also found Python libraries from 2005, nothing really convincing.

That is when I went back to the Gmail interface and selected all 100 threads on screen, and all of a sudden this amazing “Select all 4015 conversations in Inbox” link appeared! It had already been implemented by Gmail, stupid me trying to look somewhere else for the response!

Clicking on that link provided me with a way of selecting everything I had in my Inbox, then again on my Sent e-mails and by clicking on the Delete button I moved everything to the Trash. You then have to go to the Trash and delete everything forever.

Hope that saves you some time!

Gmail security? Well at least start with customizegoogle

Filed under:Hardening, Tools — posted by Consultant on @ 7:15 am

I’ve been looking around certain Gmail topics, including how to wipe out everything from your Inbox (I will talk about that in my next post) and one of the things I was interested in was ‘security’.

If you are a Gmail user and you are a Firefox user, then consider taking a look at customizegoogle.com.

I’m not affiliated with that site by any means, and I dislike the fact that it looks more commercial than good, but the reality is that along with their promises of being spyware-free, it really does a good job when it comes to protecting your communication with Gmail.

Included with that Firefox plugin are lots of other features, such as disabling Google ads while you search @ Google or while you’re inside Gmail. But the one I care about the most is a feature that forces SSL every time you surf your mail @ Gmail.

Why do you need that? Simple. Head your browser to www.gmail.com - you will find that you are automatically redirected to the SECURE version, yes. However, the point of that is to protect your username and password while logging in (otherwise they would be sent in plaintext through the network).

The problem starts right after you have logged in. You will notice that you’re no longer in a secure version under SSL but rather back to the standard http:// protocol. You can switch back to the secure version manually, that is, by modifying the URL and adding that extra ‘s’ after http, making it https://. However, once is OK, twice... fine, but three times, or every single time you log into Gmail, remembering to switch back to the secure version is a freaking pain in the behind. Not to mention that by the time you’ve realized you are in the insecure version, your e-mail headers (that e-mail list with extracts from the e-mails you received) have already been sent to you in plaintext.
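The downgrade described above can be checked from a recorded request chain. This is an added example, not part of the original post; the host name, cookie name and trace format are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed trace (hypothetical host and cookie name): login over HTTPS,
# then a redirect back to plain HTTP, as described above.
TRACE = [
    {"url": "https://mail.example.test/login", "status": 302,
     "location": "http://mail.example.test/inbox",
     "set_cookie": ["SID=constructed-session-id; Path=/; HttpOnly"]},
    {"url": "http://mail.example.test/inbox", "status": 200,
     "location": None, "set_cookie": []},
]

# The same flow with HTTPS kept for the whole session and a Secure cookie.
HARDENED = [
    {"url": "https://mail.example.test/login", "status": 302,
     "location": "/inbox",
     "set_cookie": ["SID=constructed-session-id; Path=/; HttpOnly; Secure"]},
    {"url": "https://mail.example.test/inbox", "status": 200,
     "location": None, "set_cookie": []},
]

def audit_trace(trace):
    """Return (kind, url, detail) findings for one recorded request chain."""
    findings = []
    for hop in trace:
        scheme = urlsplit(hop["url"]).scheme
        if hop["location"]:
            # Resolve relative redirects against the current URL first.
            target = urljoin(hop["url"], hop["location"])
            if scheme == "https" and urlsplit(target).scheme == "http":
                findings.append(("downgrade", hop["url"], target))
        for raw in hop["set_cookie"]:
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                # Without Secure the browser also sends the cookie over HTTP.
                if not morsel["secure"]:
                    findings.append(("cookie-without-secure", hop["url"], name))
        if scheme == "http" and hop["status"] == 200:
            findings.append(("plaintext-content", hop["url"], None))
    return findings

if __name__ == "__main__":
    for finding in audit_trace(TRACE):
        print(finding)
    print("hardened:", audit_trace(HARDENED))
```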

If you add to that my other post where I mention FireGPG and GPG4Win (http://www.penetrationtests.com/blog/2008/05/07/it-looks-like-the-gpgfirefoxwindowsgmail-puzzle-is-solved/) then you have plenty of security added to the default Gmail package.

Check it out, it’s worth it!

Good luck.

 

Quick shellscript for replacing a watermark

Filed under:Tools — posted by Consultant on May 25, 2008 @ 10:13 am

This is meant for replacing your own watermarks, not for the purpose of stealing someone else’s content!

Using ImageMagick (http://www.imagemagick.org) you can easily replace a portion of the image (*.jpg in this case) with the portion that goes on top, your new logo for instance (little.gif in this case):

@echo off
rem Overlay little.gif on every JPEG at x=0, y=178; the output directory must already exist.
for %%X in (*.jpg) do composite -geometry +0+178 little.gif "%%X" "output/%%X"

The -geometry option is for providing a specific horizontal and vertical position within the original image.

What does it have to do with penetration testing, you may ask? Well, it could come in useful during a client-side attack where you need to reuse several images quickly, or simply be related in the fact that during a period of time where you run out of work, you can work as a designer? Oh well.

Hope it helps, it sure helps me remember.

Windows shell for loop example (read file, run cmd, dump output)

Filed under:Methodology, Tools — posted by Consultant on @ 9:44 am

I just retrieved this from Ed Skoudis’s presentation that I just mentioned in my previous post (look it up!)

Windows’ shell scripting is really in the dark, at least for me. I’m constantly looking for new ways of creating smart batch scripts and it really gets to be a pain in the ass to find something useful.

It is therefore a must to store the following one. It reads a file line by line; the delimiter character is arbitrary, the idea being that it never actually appears in the input, which stops Windows from splitting each line on spaces (the default delimiter). It then runs each command and finally dumps the output to a file!

c:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /C %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1

Goodbye!

Interesting Webcast by Ed Skoudis

Filed under:Methodology, Tools — posted by Consultant on @ 9:37 am

I’m watching the following Webcast by Ed Skoudis which was hosted by Core Security Technologies:

Penetration Testing Ninjitsu Part II: Crouching Netcat, Hidden Vulnerabilities with Ed Skoudis at CORE Security

Ed talks about the importance of being aware of your ISP filtering policies at the time of conducting a pentest, which sounds obvious but then again it’s easy to forget.

He also discusses some techniques for replacing the netcat client in Linux and Windows, and provides examples for creating reverse shells using /dev/tcp and creating port scanners in both Linux and Windows, among other things.

In my personal opinion, the Windows port scanning options are not worth it :) He sure works around the limitations imposed by Windows’ telnet and ftp clients, and I believe he mentions them for a specific case in which you may have no other ways of performing an automated portscan.

You can leave it on and hear him speak while you do something else, won’t be a waste of time.

I came across this wiping tool for Windows, CCleaner

Filed under:Tools — posted by Consultant on May 14, 2008 @ 8:22 am

The tool has a free version and takes care of wiping a significant amount of information any time it runs. You can configure it to run every time Windows starts (it would be nice if the action triggered every time Windows shut down as well).

It currently cleans the following:

Internet Explorer
Temporary files, URL history, cookies, Autocomplete form history, index.dat.

Firefox
Temporary files, URL history, cookies, download history.

Opera
Temporary files, URL history, cookies.

Windows
Recycle Bin, Recent Documents, Temporary files and Log files.

Registry cleaner
Advanced features to remove unused and old entries, including File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help Files, Application Paths, Icons, Invalid Shortcuts and more… also comes with a comprehensive backup feature.

Third-party applications
Removes temp files and recent file lists (MRUs) from many apps including Media Player, eMule, Kazaa, Google Toolbar, Netscape, MS Office, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and many more…

You can find it here, it won’t bug you and you can configure the wiping to be better than a simple round of zeros - so far it’s been so good.

http://www.ccleaner.com/

Looking for more useful tools to have handy!

Hope that helps

Mobile phones security and encryption - BlackBerry yuck!

Filed under:Technology — posted by Consultant on @ 8:17 am

Hey there,

I’ve been looking for a mobile device that will let me install gpg/pgp and send/receive encrypted e-mails from a mobile device to anywhere. While looking for such a thing I took a look at BlackBerry and the service they offer - I have someone close who uses such a device to send/receive e-mail including his gmail accounts.

That’s when I learned about the BlackBerry Internet Service account, which is what you need to create online in order to configure (online) your login information for the e-mail accounts that you want to access. This means that you end up giving your password to BlackBerry so they check the e-mail for you and forward it to you.

I then found out that pgp.com does actually offer a PGP package that can be installed on a BlackBerry but it looks like it’s a very expensive solution (each license is about 250 USD and you need to buy a minimum of 10, not to mention you can’t simply install it on a mobile device and go solo, you need to have an enterprise server solution installed somewhere) which means that you end up spending lots of money and integrating more PGP technology in your environment.

Instructions on how to configure your e-mail for your BlackBerry are here:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB04553

And the site for PGP blackberry support is right here:

http://www.pgp.com/products/pgp_support_package_for_bb/

So I would say forget about BlackBerry. I’m going to look at other mobile solutions; some include Windows Mobile, meaning that I should be able to install GPG/FireGPG and work out a way of using encrypted e-mails from there.

A friend of mine mentioned the HTC Dual touch (http://www.htc.com/UK/)

We’ll see what I find..

Cheers

It looks like the gpg+firefox+windows+gmail puzzle is solved

Filed under:Tools — posted by Consultant on May 7, 2008 @ 7:36 am

This is a quick post but I don’t want to forget this! The guys over at voipsec.eu mention these 2 useful links:

http://getfiregpg.org/

“FireGPG is a Firefox extension under MPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.”

http://www.gpg4win.org/

“Gpg4win is a installer package for Windows (2000/XP/2003/Vista) with computer programs and handbooks for EMail and file encryption. Both relevant cryptography standards are supported, OpenPGP and S/MIME (the latter is in progress and currently works with GnuPG2 and Claws Mail).”

I’ll try these out sometime soon.


