CLOC - Count Lines of Code

Filed under: Code, Tools — posted by Consultant on July 14, 2008 @ 2:28 pm

I mentioned this tool in my previous post, but it deserves a dedicated post of its own. If you are looking for a tool to count lines of source code, here is a nice one.

Take a look at CLOC (http://cloc.sourceforge.net/). An excerpt from its website:

“cloc counts blank lines, comment lines, and physical lines of source code in many programming languages. It is written entirely in Perl with no dependencies outside the standard distribution of Perl v5.6 and higher (code from some external modules is embedded within cloc) and so is quite portable. cloc is known to run on many flavors of Linux, AIX, Solaris, IRIX, z/OS, and Windows. (To run the Perl source version of cloc on Windows one needs ActiveState Perl 5.6.1 or higher, or Cygwin installed. Alternatively one can use the Windows binary of cloc generated with perl2exe to run on Windows computers that have neither Perl nor Cygwin.)

cloc contains code from David Wheeler’s SLOCCount, Damian Conway and Abigail’s Perl module Regexp::Common, and Sean M. Burke’s Perl module Win32::Autoglob, … ”

Hope you find it useful.

Gmail security? Well at least start with customizegoogle

Filed under: Hardening, Tools — posted by Consultant on May 29, 2008 @ 7:15 am

I’ve been looking into a few Gmail topics, including how to wipe everything from your Inbox (I will cover that in my next post), and one of the things I was interested in was 'security'.

If you are a Gmail user and a Firefox user, consider taking a look at customizegoogle.com.

I’m not affiliated with that site in any way, and I dislike that it looks more commercial than useful, but the reality is that, along with its promise of being spyware-free, it really does a good job of protecting your communication with Gmail.

The Firefox extension includes lots of other features, such as disabling Google ads while you search or while you are inside Gmail. But the one I care about most is the feature that forces SSL every time you read your mail at Gmail.

Why do you need that? Simple. Point your browser at www.gmail.com and you will find that you are automatically redirected to the secure (https) version. The point of that, however, is to protect your username and password while you log in; otherwise they would travel across the network in plaintext.

The problem starts right after you have logged in: you are no longer on the SSL version but back on plain http://. You can switch back manually by adding the extra 's' after http in the URL, making it https://. Once is fine, twice is fine, but having to remember to switch back every single time you log in is a real pain. Worse, by the time you notice you are on the insecure version, your inbox listing (the message list with excerpts from the e-mails you received) has already been sent to you in plaintext, and the session cookie that authenticates every later request has been exposed on the wire the same way.
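What the force-SSL option has to do on every request, as an added example (this is not customizegoogle's code; the set of Gmail host names is an assumption for the example):

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts that served Gmail at the time; an assumption for this example,
# extend the set if your mail host differs.
GMAIL_HOSTS = {"mail.google.com", "www.gmail.com", "gmail.com"}


def force_https(url: str) -> str:
    """Return the https:// form of a Gmail URL. Other hosts, URLs that are
    already https and non-http schemes come back untouched, and path, query
    and fragment are preserved so the redirect lands on the same mailbox
    view the user asked for."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in GMAIL_HOSTS:
        return url
    # Rebuild netloc from the bare hostname: an explicit ":80" must not be
    # carried over onto the https URL.
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))


def needs_redirect(url: str) -> bool:
    """True when the plugin would have to intercept this request."""
    return force_https(url) != url
```

The check runs before the request leaves the browser, which is the whole point: once the http:// request has been sent, the inbox listing and the cookie are already on the wire.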

Add to that my other post on FireGPG and GPG4Win (http://www.penetrationtests.com/blog/2008/05/07/it-looks-like-the-gpgfirefoxwindowsgmail-puzzle-is-solved/) and you have plenty of security added to the default Gmail package.

Check it out, it’s worth it!

Good luck.


Quick shellscript for replacing a watermark

Filed under: Tools — posted by Consultant on May 25, 2008 @ 10:13 am

This is meant for replacing your own watermarks, not for stealing someone else’s content!

Using ImageMagick (http://www.imagemagick.org) you can easily overlay a portion of each image (*.jpg in this case) with a new image placed on top, your new logo for instance (little.gif in this case):

@echo off
for %%X in (*.jpg) do composite -geometry +0+178 little.gif "%%X" "output\%%X"

The -geometry option gives the horizontal and vertical offset (+x+y) at which the overlay is placed within the original image.

What does this have to do with penetration testing, you may ask? Well, it could come in handy during a client-side attack where you need to rework several images quickly, or simply because, during a period when you run out of work, you can work as a designer. Oh well.

Hope it helps; it sure helps me remember.

Windows shell for loop example (read file, run cmd, dump output)

Filed under: Methodology, Tools — posted by Consultant on @ 9:44 am

I just picked this up from Ed Skoudis’s presentation that I mentioned in my previous post (look it up!).

Windows shell scripting is really a dark art, at least for me. I’m constantly looking for new ways of writing smart batch scripts, and it is a pain to find something useful.

So the following one is a must to keep. It reads a file and runs each line as a command, dumping the output to a file. The delimiter character is deliberately one that will never appear in the file: that stops cmd from splitting each line on spaces (its default delimiter), so the whole line, spaces included, lands in %j and is handed to cmd.exe /C. The outer for /L loop with a step of 0 never terminates, the del removes the command file so the same commands are not run again, and the ping to 127.0.0.1 is just a one-second sleep between passes.

c:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /C %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
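The same loop in Python, as an added example (it is not from Skoudis's talk and not a batch file). It keeps the two properties the batch one-liner relies on: each command line is read whole rather than split on spaces, and commands.txt is deleted after a pass so nothing runs twice. demo() and its sample commands are constructed for this post.

```python
import os
import subprocess
import tempfile
import time


def run_commands_once(commands_path: str, output_path: str) -> int:
    """One pass of the inner 'for /f' loop: read each line of commands_path
    whole (the batch version uses delims=^ so cmd does not split on spaces),
    run it through the platform shell, append the output to output_path and
    delete the command file so the same commands are not run twice.
    Returns the number of commands executed."""
    if not os.path.exists(commands_path):
        return 0
    with open(commands_path, encoding="utf-8") as f:
        # Strip only the line terminator; interior spaces must survive.
        lines = [line.rstrip("\r\n") for line in f if line.strip()]
    with open(output_path, "a", encoding="utf-8") as out:
        for line in lines:
            # shell=True uses cmd.exe on Windows and /bin/sh elsewhere.
            proc = subprocess.run(line, shell=True, capture_output=True, text=True)
            out.write(f"$ {line}\n{proc.stdout}{proc.stderr}")
    os.remove(commands_path)
    return len(lines)


def poll_forever(commands_path: str, output_path: str, interval: float = 1.0) -> None:
    """The outer 'for /L %i in (1,0,2)' loop: step 0 never terminates, and
    'ping -n 2 127.0.0.1' is a one-second sleep between passes."""
    while True:
        run_commands_once(commands_path, output_path)
        time.sleep(interval)


def demo() -> dict:
    """Self-contained run on a constructed commands file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        commands = os.path.join(tmp, "commands.txt")
        output = os.path.join(tmp, "output.txt")
        with open(commands, "w", encoding="utf-8") as f:
            # Constructed sample input; the second line only works if the
            # whole line, spaces included, reaches the shell.
            f.write("echo hello world\necho second command with spaces\n")
        ran = run_commands_once(commands, output)
        with open(output, encoding="utf-8") as f:
            text = f.read()
        return {"ran": ran, "output": text, "commands_file_left": os.path.exists(commands)}
```

poll_forever("commands.txt", "output.txt") is the equivalent of the one-liner; drop a file of commands next to it and read output.txt a second later.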

Goodbye!

Interesting Webcast by Ed Skoudis

Filed under: Methodology, Tools — posted by Consultant on @ 9:37 am

I’m watching the following webcast by Ed Skoudis, hosted by Core Security Technologies:

Penetration Testing Ninjitsu Part II: Crouching Netcat, Hidden Vulnerabilities with Ed Skoudis at CORE Security

Ed talks about the importance of being aware of your ISP’s filtering policies when conducting a pentest, which sounds obvious but is easy to forget.

He also discusses techniques for replacing the netcat client on Linux and Windows, and gives examples of creating reverse shells using /dev/tcp and of building port scanners on both Linux and Windows, among other things.

In my personal opinion, the Windows port-scanning options are not worth it :) He sure works around the limitations of the Windows telnet and FTP clients, and I believe he mentions them for the specific case where you have no other way of performing an automated port scan.

You can leave it on and listen while you do something else; it won’t be a waste of time.

I came across this wiping tool for Windows, CCleaner

Filed under: Tools — posted by Consultant on May 14, 2008 @ 8:22 am

The tool has a free version and wipes a significant amount of information every time it runs. You can configure it to run every time Windows starts (it would be nice if it could also be triggered at shutdown).

It currently cleans the following:

  Internet Explorer: temporary files, URL history, cookies, autocomplete form history, index.dat.
  Firefox: temporary files, URL history, cookies, download history.
  Opera: temporary files, URL history, cookies.
  Windows: Recycle Bin, recent documents, temporary files and log files.
  Registry cleaner: advanced features to remove unused and old entries, including file extensions, ActiveX controls, ClassIDs, ProgIDs, uninstallers, shared DLLs, fonts, help files, application paths, icons, invalid shortcuts and more; it also comes with a comprehensive backup feature.
  Third-party applications: removes temp files and recent file lists (MRUs) from many apps including Media Player, eMule, Kazaa, Google Toolbar, Netscape, MS Office, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and many more.

You can find it here; it won’t bug you, and you can configure the wiping to be stronger than a simple pass of zeros. So far, so good.

http://www.ccleaner.com/

I’m always looking for more useful tools to have handy!

Hope that helps.

It looks like the gpg+firefox+windows+gmail puzzle is solved

Filed under: Tools — posted by Consultant on May 7, 2008 @ 7:36 am

This is a quick post, but I don’t want to forget this! The guys over at voipsec.eu mention these two useful links:

http://getfiregpg.org/

“FireGPG is a Firefox extension under MPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.”

http://www.gpg4win.org/

“Gpg4win is an installer package for Windows (2000/XP/2003/Vista) with computer programs and handbooks for EMail and file encryption. Both relevant cryptography standards are supported, OpenPGP and S/MIME (the latter is in progress and currently works with GnuPG2 and Claws Mail).”

I’ll try these out sometime soon.

Protecting/Encrypting sensitive data with Winzip

Filed under: Hardening, Tools — posted by Consultant on January 24, 2008 @ 5:15 am

I just found this excellent article on WinZip encryption by Dave Whitelegg, who analyzed the different types of encryption WinZip provides and tested them to see how effective they really are in real-world use.

The url of the article is the following:

http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html

I fully recommend reading the entire article. The question of whether WinZip encryption is adequate tends to come up when talking about deliverables. If you have to send a series of deliverables carrying sensitive information (a draft or final report, slides, anything) to a client who does not use PGP/GPG or any other secure channel, then you are looking at crafting a self-decrypting archive with PGP Desktop, some other option, or WinZip encryption.

The article discusses what you need to be aware of, if you are planning on going for Winzip encryption.

Basically the main points are:

  • Don’t use WinZip encryption prior to WinZip version 9. Earlier versions only offered the old PKWARE "ZipCrypto" scheme, which has been broken several times.
  • Use AES, and choose the key size you like (the bigger the better, you could say).
  • Your password needs to meet all of the following (don’t break any of these rules; this is what makes the protection strong):
    • At least 12 characters in length
    • Random, not containing any dictionary words, common words or names
    • At least one upper-case character
    • At least one lower-case character
    • At least one numeric character
    • At least one special character, e.g. $, £, *, %, &, !
  • Even if the contents are encrypted, WinZip (like any zip tool) still lets you browse the directory structure and see the names and sizes of the encrypted files, because those live in the archive’s central directory, which is never encrypted. So it makes no sense to hide your super-secret client in bananas.zip if inside you find "Report - Super Secret Client Name here - 2008.pdf".
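The two checks the list implies, as an added example (not from Whitelegg's article and not WinZip code): a password checker for the rules above, with a tiny constructed word list standing in for a real dictionary, and a demonstration of why the file-name point matters. Python's zipfile cannot write password-protected archives, so the example builds a normal archive and sets the "encrypted" flag bit in the headers by hand; the names are then read from the central directory exactly as they would be from a real ZipCrypto or AES archive.

```python
import io
import struct
import zipfile

# Tiny stand-in for a real dictionary (constructed for this example).
COMMON_WORDS = {"password", "secret", "report", "client", "winzip", "welcome", "summer"}


def password_problems(pw: str) -> list:
    """Return the rules from the list above that pw violates (empty list = OK)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case character")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return problems


LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set general-purpose flag bit 0 ('entry is encrypted') in every local
    and central-directory header. The stdlib cannot write password-protected
    archives, so this simulates one: the names stay exactly where a real
    WinZip archive keeps them, in the clear."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + flag_offset)
            struct.pack_into("<H", buf, pos + flag_offset, flags | 0x0001)
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def build_protected_archive(files: dict) -> bytes:
    """Constructed sample archive; names and sizes end up in the central directory."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return mark_encrypted(out.getvalue())


def list_without_password(zip_bytes: bytes) -> list:
    """What anyone can see without the password: name, size and the
    'encrypted' flag of every entry. No key material is needed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 1)) for i in zf.infolist()]


def content_readable_without_password(zip_bytes: bytes, name: str) -> bool:
    """The payload, by contrast, is refused without a password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # "File ... is encrypted, password required"
            return False
```

To run the name-leak part against a real WinZip archive, pass the bytes of the .zip straight to list_without_password; infolist() needs no password either way. The practical fix is to give the archive and the files inside it neutral names and keep the real titles inside the encrypted content.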

And that’s it. One final comment: WinZip is not free. Bear that in mind; we are talking about a commercial application here.

Enjoy your day!

Deliverables in PDF format

Filed under: Tools — posted by Consultant on November 16, 2007 @ 1:21 pm

I don’t really know in what format you deliver your reports to your clients, and it would be great if you could comment on that, but here is a tool I have used before to turn a Word document into an “uneditable” (not saying it can’t be reversed) PDF.

Reasons why you may want to do that:

1- You’re not handing out your report template, which makes it harder for someone to edit or redistribute it.

2- Making sure your Word document isn’t disclosing anything (author names, revision history, tracked changes) is not easy. I’d recommend looking at all the strings inside the binary, including the 16-bit (UCS-2/UTF-16) ones in both byte orders, before sending it out.

http://www.pdfforge.org/products/pdfcreator/
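The strings check from point 2, as an added example (not part of the original post or of PDFCreator). It scans a document for printable ASCII runs and for 16-bit text in both byte orders, opens .docx-style zip containers member by member, and flags anything that mentions a watch term such as a client name. sample_doc() and sample_docx() are constructed inputs for the example, not real documents.

```python
import io
import re
import zipfile


def _runs(data: bytes, minlen: int):
    """Yield (encoding, text) for printable runs of at least minlen characters:
    plain ASCII, then 16-bit text in both byte orders. Old binary .doc files
    keep most text and metadata as UTF-16LE; the big-endian scan covers the
    'ucs2be' case the post warns about."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data):
        yield "ascii", m.group().decode("ascii")
    for codec, pat in (("utf-16-le", rb"(?:[\x20-\x7e]\x00){%d,}"),
                       ("utf-16-be", rb"(?:\x00[\x20-\x7e]){%d,}")):
        for m in re.finditer(pat % minlen, data):
            yield "utf-16", m.group().decode(codec)


def _scan(data: bytes, where: str, minlen: int) -> list:
    hits = {}
    for enc, text in _runs(data, minlen):
        hits.setdefault(text, enc)
    # A UTF-16 run read at the wrong byte alignment shows up as a strict
    # substring of the correctly aligned one; drop those partial copies.
    return [(where, hits[t], t) for t in hits if not any(t != u and t in u for u in hits)]


def find_strings(blob: bytes, minlen: int = 4) -> list:
    """(where, encoding, text) for every string in a document. .docx/.xlsx/
    .pptx are zip containers of XML, so their raw bytes are compressed noise;
    each member is scanned on its own. Anything else (.doc, .pdf) is scanned as-is."""
    if blob.startswith(b"PK\x03\x04"):
        found = []
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                found += _scan(zf.read(name), name, minlen)
        return found
    return _scan(blob, "<raw>", minlen)


def suspicious(blob: bytes, watch: list, minlen: int = 4) -> list:
    """Hits containing any watch term (client names, internal hostnames,
    usernames), compared case-insensitively."""
    terms = [w.lower() for w in watch]
    return [hit for hit in find_strings(blob, minlen)
            if any(t in hit[2].lower() for t in terms)]


def sample_doc() -> bytes:
    """Constructed stand-in for a binary .doc: the first compound-file magic
    bytes, ASCII body text, a UTF-16LE author field and a UTF-16BE one,
    separated by junk bytes."""
    return (b"\xd0\xcf\x11\xe0" + b"\x00" * 8
            + b"Draft report v3" + b"\x00\x01\x02"
            + "Author: consultant@pentestfirm.example".encode("utf-16-le") + b"\xff\xfe"
            + "Client: Super Secret Client".encode("utf-16-be") + b"\x00" * 4)


def sample_docx() -> bytes:
    """Constructed minimal .docx-like container with one metadata part."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("docProps/core.xml",
                    "<dc:creator>consultant</dc:creator><cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>")
    return out.getvalue()
```

Run suspicious() over the finished report with the client name, your internal hostnames and staff usernames as watch terms; a clean result does not prove there is nothing else in the file, but a hit is a definite stop before sending.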

Thanks

Introducing encrypted e-mail software

Filed under: Tools — posted by Consultant on October 17, 2007 @ 1:44 pm

I already talked a bit about encryption software you can use to store files safely on your computer, but what about transferring sensitive information? What about sending it by e-mail?

For encrypted e-mail to work properly, we need software and/or practices on both ends. That means if you want your communication with your clients encrypted, you need to get your clients to do something, which is not easy. You just convinced your clients to pay attention to you and even sold them a product or service; now you need your m4d jedI skills to get them to encrypt their communication. Good luck with that.

The truth is that most of them will listen: they are already putting money on the table for you, and they trust that you will perform as expected or even far beyond their expectations. So why on earth wouldn’t they say ‘yes’ to encrypted communications?

And so it begins. What are your options? What’s out there for you?

I personally use PGP (http://en.wikipedia.org/wiki/Pretty_Good_Privacy) in its GNU implementation, GnuPG (http://www.gnupg.org/). I represent myself with my public key, which I share with anyone I want; clients use that public key to encrypt sensitive information and send it over. I also hold something very private, my private key, which is the only thing that can decrypt information encrypted with my public key. It works the same way in the other direction: I need the public key of everyone on the other side and use it to encrypt anything sensitive before I send it over.

So what do you encrypt? If you only need to send a few particularly sensitive items, you can simply use the gpg command-line tool, encrypt the files, and attach the encrypted files to your e-mail.

But what happens when you need to send several e-mails a day where the contents themselves are sensitive: dial-in details for a conference call, pricing information in the form of ballpark estimates, and so on? Launching a command-line tool to encrypt the body, storing the result in a file, attaching that file or pasting the ciphertext into the e-mail, and then sending it quickly becomes a headache.

But thanks to many clever programmers, project managers, QA people and others, there is a range of programs that integrate PGP into your e-mail client.

The process then turns into:

- You request public keys and import them into your keyring (most of the time just one click away).

- You write an e-mail as usual (making sure the Encrypt feature is enabled).

- You hit the send button.

- Some variations may require one additional step.

- You’re done.

So, back to the alternatives around PGP/GPG: how do you integrate it with your e-mail client?

  1. Enigmail (http://enigmail.mozdev.org/) - Works with Thunderbird, SeaMonkey, Mozilla and Netscape. This is the one I currently use and it kicks ass.
  2. PGP Desktop (http://www.pgp.com/) - Works at least with Outlook. This is the one your valuable clients may already be using. It isn’t free, so good luck convincing someone to buy a license.
  3. What could the third one be? I encourage anyone to submit more options!

Tired of writing; hope you found this useful.

Thanks for reading.

