Mobile phones security and encryption - BlackBerry yuck!

Filed under:Technology — posted by Consultant on May 14, 2008 @ 8:17 am

Hey there,

I’ve been looking for a mobile device that will let me install gpg/pgp and send/receive encrypted e-mails from a mobile device to anywhere. While looking for such a thing I took a look at BlackBerry and the service they offer - I have someone close who uses such a device to send/receive e-mail including his gmail accounts.

That’s when I learned about the BlackBerry Internet Service account, which is what you need to create online in order to configure (online) your login information for the e-mail accounts that you want to access. Which means that you end up giving your password to BlackBerry so they can check the e-mail for you and forward it to you.

I then found out that pgp.com does actually offer a PGP package that can be installed on a BlackBerry, but it looks like a very expensive solution (each license is about 250 USD and you need to buy a minimum of 10, not to mention you can’t simply install it on a mobile device and go solo; you need to have an enterprise server solution installed somewhere), which means that you end up spending lots of money and integrating more PGP technology into your environment.

Instructions on how to configure your e-mail for your BlackBerry are here:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB04553

And the site for PGP blackberry support is right here:

http://www.pgp.com/products/pgp_support_package_for_bb/

So I would say forget about BlackBerry. I’m going to look at other mobile solutions; some include Windows Mobile, meaning that I should be able to install GPG/FireGPG and work out a way of using encrypted e-mail from there.

A friend of mine mentioned the HTC Touch Dual (http://www.htc.com/UK/)

We’ll see what I find...

Cheers

It looks like the gpg+firefox+windows+gmail puzzle is solved

Filed under:Tools — posted by Consultant on May 7, 2008 @ 7:36 am

This is a quick post but I don’t want to forget this! The guys over at voipsec.eu mention these 2 useful links:

http://getfiregpg.org/

“FireGPG is a Firefox extension under MPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.”

http://www.gpg4win.org/

“Gpg4win is an installer package for Windows (2000/XP/2003/Vista) with computer programs and handbooks for EMail and file encryption. Both relevant cryptography standards are supported, OpenPGP and S/MIME (the latter is in progress and currently works with GnuPG2 and Claws Mail).”

I’ll try these out sometime soon.

A look at our security related traffic

Filed under:Uncategorized — posted by Consultant on April 27, 2008 @ 4:36 pm

Hey, so today I wanted to take a look at the traffic both the blog and the pentest directory project are receiving and, since I’m using Google Analytics to keep track of traffic stats (as you may have already noticed), I found some interesting data that I wanted to share with you.

I’m analyzing 7,167 unique surfers, ranging from January 1st 2008 to yesterday, April 26th 2008.

Most of them, 2,687, connected using IPs from the US. 623 came from the UK, and in third place is India, with 417. Then come several other countries.

Of the ~7,100 surfers, 63.61% (4,559) used Firefox as a browser, and in second place, with 29.15%, comes Internet Explorer. 245 used Opera, 114 Safari, 109 Mozilla, 18 Konqueror, 9 Camino, 7 a Mozilla-compatible agent, 9 AvantGo.

So most of them use Firefox, that’s nice. And take a look at the following:

82.41% used Microsoft Windows, that’s 5,906 users! Then comes Linux with 831 and Macintosh with 370. We have 18 iPhone users! 3 used the iPod, and a couple more.

And moving on to the Adobe/Macromedia Flash plugin version installed:

28.92% (2,073) had 9.0.r115, 26.58% had 9.0, and so on with decreasing versions... until we get to a point where 76 users had version 6.0 installed! Plus several different old revisions of 9.0, including r28, r45, r47, etc.

I would say - interesting. Nothing new yeah but interesting. Let’s update the Flash plugin.

And then you wonder why Google Analytics takes so much time to load...

Cheers

Wireless keyboard security

Filed under:Hardware — posted by Consultant on April 1, 2008 @ 1:07 pm

Recently a new thread related to wireless keyboard security was started on the pentest mailing list (pen-test@securityfocus.com). Quite interesting, given that the different responses included a wide range of resources. So I thought I would grab them all and store them somewhere (here) for the future, in case I ever need them.

The thread can be found online here:

http://www.securityfocus.com/archive/101/490080/30/0/threaded

The links include:

http://www.wartyping.com/ and http://www.wartyping.com/?page=links

“WarTyping is the act of location, and interception of radio signals transmitted by wireless keyboards onto the public airwaves by driving / walking around with the appropriate equipment.”

http://www.symantec.com/enterprise/security_response/weblog/2007/12/why_did_my_nextdoor_neighbor_e.html

Why Did My Next Door Neighbor Erect a 50-Foot Radio Antenna?

Wireless keyboards have been around for several years. After developing the first series of infrared devices, vendors have developed radio-based keyboards that run at 27 MHz.

http://seclists.org/basics/2005/Mar/0420.html

Security Basics: Wireless Keyboard Security

http://seclists.org/fulldisclosure/2008/Mar/0162.html

Full Disclosure thread: Wireless keyboard insecurity - any secure one available?

http://www.zdnet.com.au/news/security/soa/Microsoft-wireless-keyboard-hacked-from-50-metres/0,130061744,339284328,00.htm

Microsoft wireless keyboard hacked from 50 metres

http://www.dreamlab.net/download/articles/27_Mhz_keyboard_insecurities.pdf

27 MHz Keyboard Insecurities

http://www.remote-exploit.org/advisories/27Mhz_Analyzing.pdf

Analyzing 27 MHz keyboards

Later,

Enumerating web directories - PoC script

Filed under:Code — posted by Consultant on March 2, 2008 @ 7:07 am

I’ve been looking for a script that would simply brute-force/enumerate [hidden] directories, nothing more, and all I could find was the following Nessus plugin:

http://www.nessus.org/plugins/index.php?view=single&id=11032

Directory Scanner, by Digital Defense @ 2002

I know Nikto supposedly also takes care of enumerating directories, but I haven’t yet looked at the code. I also looked for directory-name wordlists, but it looks like none are public. So I took all those directory names from the Nessus plugin, created a straight list (I’ll paste it below), and then a quick Python script which is in a very raw form but will save you the first 2 minutes of programming a script that does the same thing.

Here’s everything, use it for good and educational purposes.

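The flip side of the script above, for whoever runs the web server: a directory-enumeration run leaves a very recognisable trail, a burst of 404s for many different paths from one client. The detector below is an added example (not the post’s script); it parses Apache/nginx-style access log lines and flags a client once it racks up `min_404` distinct missing paths inside a sliding `window_s`-second window, so a browser retrying one broken link does not trip it. The log lines and client addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx combined-style access log line: we need client, time, path and status.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+')

def parse_line(line):
    """Return (ip, timestamp, path, status), or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_enumerators(lines, window_s=60, min_404=10):
    """Flag clients with min_404 or more 404s for *distinct* paths inside any window_s
    seconds (a wordlist scan). Returns {ip: most distinct 404 paths in one window}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 404:
            by_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window, left = Counter(), 0
        for ts, path in events:
            in_window[path] += 1
            # slide the left edge forward until the window is at most window_s wide
            while (ts - events[left][0]).total_seconds() > window_s:
                old_path = events[left][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                left += 1
            if len(in_window) >= min_404:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged

# Constructed sample: one client walking a directory wordlist (twelve 404s within one
# minute) and one ordinary visitor with a single missing favicon.
DIR_WORDS = ["admin", "backup", "cgi-bin", "test", "old", "private", "logs",
             "tmp", "conf", "include", "secret", "stats"]
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Mar/2008:07:00:{5 * i:02d} +0000] "GET /{d}/ HTTP/1.0" 404 209'
    for i, d in enumerate(DIR_WORDS)
] + ['198.51.100.4 - - [02/Mar/2008:07:01:05 +0000] "GET /favicon.ico HTTP/1.1" 404 209']
```

Feed it `open("/var/log/apache2/access.log")` instead of `SAMPLE_LOG`; the thresholds are deliberately conservative, tune them against your own traffic before alerting on the result.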

Protecting/Encrypting sensitive data with Winzip

Filed under:Hardening, Tools — posted by Consultant on January 24, 2008 @ 5:15 am

I just found this somewhat excellent article on Winzip encryption by Dave Whitelegg who took the job of analyzing the different types of encryption provided by Winzip and proceeded to test them out to see how efficient they really are in real-world usage.

The url of the article is the following:

http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html

I fully recommend going through the entire article. The question of whether using Winzip encryption is good enough tends to come up when talking about deliverables. If you have to send a series of deliverables that carry sensitive information (a draft or final report, slides, anything) to a client who doesn’t really use pgp/gpg or any kind of secure communication channel, then you’re looking at either crafting a self-decrypting archive through PGP Desktop, some other option, or using Winzip encryption.

The article discusses what you need to be aware of, if you are planning on going for Winzip encryption.

Basically the main points are:

  • Don’t use Winzip encryption prior to Winzip version 9. Earlier versions carried a home-grown implementation that was broken several times.
  • Use AES, and go for whatever key size you want (the bigger the better, you could say).
  • Your password NEEDS TO (and don’t break any of these rules, because that’s what makes the protection strong):
    • Be at least 12 characters in length
    • Be random and not contain any dictionary words, common words or names
    • Have at least one upper-case character
    • Have at least one lower-case character
    • Have at least one numeric character
    • Have at least one special character, e.g. $, £, *, %, &, !
  • Even if a file is protected/encrypted, Winzip lets you browse the directory structure, giving access to the names of the encrypted files. Therefore it wouldn’t make sense to protect your super-secret client in bananas.zip if inside you’re going to find “Report - Super Secret Client Name here - 2008.pdf”.
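The password rules above are easy to eyeball and easy to get wrong, so here is an added example (not from the article or from Winzip) that checks a candidate passphrase against every rule in that list. The word list is a constructed stand-in; in practice you would load a real dictionary or cracking wordlist.

```python
import string

# Constructed stand-in for a real dictionary (assumption: load /usr/share/dict/words
# or a cracking wordlist in practice; any entry of 4+ letters counts as a "word").
COMMON_WORDS = {"password", "report", "client", "secret", "winzip", "banana"}

SPECIALS = set(string.punctuation) | {"£"}   # covers the post's examples: $ £ * % & !

def check_zip_password(pw, wordlist=COMMON_WORDS, min_len=12):
    """Return the list of rules from the post that pw violates (empty list == OK)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case character")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # "Be random": a password can satisfy every character class and still be built
    # around a dictionary word, so reject embedded words case-insensitively.
    lowered = pw.lower()
    hits = sorted(w for w in wordlist if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems
```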

And that’s it. I guess one final comment would be that Winzip is not free. Keep that in mind, we’re talking about a commercial application here.

Enjoy your day!

Magnetic card technology - going back to 1992

Filed under:Hardware — posted by Consultant on January 9, 2008 @ 7:28 am

And then again! I suddenly got interested in old technology. I found this excellent article, published back in Phrack magazine issue #37 in 1992, called “Card-O-Rama: Magnetic Stripe Technology and Beyond”, which really gets you into magnetic card technology.

If you never cared about how the 1 to 3 magnetic stripes on the back of your credit card, supermarket card, etc. work, then you’d better start reading this somewhat old but still somewhat up-to-date paper :)

You should use this article along with some other sources of information; I’ll give you some Wikipedia links too. Unlike with barcodes, if you want to get hold of the technology you need to start _researching_ this, you’re going to get a headache. There are somewhat cheap magnetic card readers out there… but I hope you weren’t thinking of using your laser printer to print the 3 stripes on the back of a blank card. In case you want to create your own cards, you need to get a card writer, and that’s where the headache starts.

A dozen years ago, if you wanted to get a writer you would get lots of questions in return. Why? Who are you? For what purpose? Now, in 2007, it has changed… a little. You can go ahead and find reader/writers on eBay, but look at the damn prices! You may not get questions in return, but you get high prices to keep you from buying one. But then again, if you REALLY want to start learning, you need to put up some cash.

I found a model on eBay called MSR 206 which is around ~400 bucks in the US and probably turns out a lot more expensive anywhere other than Taiwan :) Here’s the link.

http://search.ebay.com/search/search.dll?sofocus=bs&satitle=MSR206

So getting back to the documents, here’s the Phrack article:

“A Day in the Life of a Flux Reversal”
http://www.phrack.org/issues.html?issue=37&id=6#article

And a wikipedia entry:

“Magnetic stripe card”
http://en.wikipedia.org/wiki/Magnetic_stripe_card

Keep on learning!

Hacking Barcode technology

Filed under:Hardware — posted by Consultant on @ 7:10 am

A few days ago I found the following presentation by FX of Phenoelit at the Chaos Communication Congress, related to barcode technology in 1D and 2D format. The one-dimensional format is the typical format you’re most familiar with, mostly used to tag books and originally created to tag cars. The 2D format is the latest one, also called matrix code (rings a bell?), and for both 1-D and 2-D there are several interesting variations. For instance, “Data Matrix” is a type of 2-D code where, using white and black squares, data is encoded in a form that looks like ASCII art.

Anyhow, once you read the following PDF it gets you thinking: how old and usually vulnerable this technology is, and yet how much we use it. And, *for experimental, research and educational purposes only*, what kind of projects you could start working on.

Along with the PDF I include a couple of links. Getting a barcode reader is very cheap, and your local laser printer can most likely print any barcode you want.

So once in a while it’s nice to leave the web aside and focus your mind on other technology.

The PDF I just mentioned can be found at the following page:

http://events.ccc.de/congress/2007/Fahrplan/events/2273.en.html

Take a look at the following definitions:

http://en.wikipedia.org/wiki/Barcode

http://en.wikipedia.org/wiki/Data_Matrix

http://en.wikipedia.org/wiki/Aztec_Code

Wikipedia has a whole list of links to the different variations of 1-D and 2-D barcode symbols.

Boeing’s 787 may be vulnerable to hackers

Filed under:Articles — posted by Consultant on January 6, 2008 @ 6:36 am

Yes, just as you read in this article’s title. It’s insane and far from being true... but the question is... how far? Take a look at this article from wired.com: http://www.wired.com/politics/security/news/2008/01/dreamliner_security

They are stating that “The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.” which is hard to believe, but if it were the case, then I would simply stop flying those damn planes :)

I know, and believe me _I know_, how distorted a story arrives at the media. Any non-critical security vulnerability that reaches the press ends up being the end of the world, as in a Tom Cruise movie.

Either way, my experience is that *thank god the passenger interfaces are isolated*. I once took a plane that had multiplayer gaming software in each seat; I believe it was ALITALIA. You were able to invite other seats to play with you, through standard games, or you could also play old MAME games (which rocked), but that was a single plane, and then there are the standard small-screen-with-digital-phone planes. They are equipped by default with a joystick behind the phone, but unluckily it is never used by the company. I have seen live how, by messing around with the digital phone control, not only your screen can core-dump but a whole column of seats behind you as well. I’m not saying *how*, so this is partial information; I’m not feeding any terrorists out there with new information :)

If they isolate one network from the other with firewalls, anyone flying that plane is screwed. If they isolate one network from the other with anything other than real physical isolation (something that isn’t the output of a programmer), then anyone flying that plane is screwed.

Good luck on your next trip!

Disabling binaries in shared hosting scenarios

Filed under:Hardening — posted by Consultant on January 3, 2008 @ 4:00 pm

This is a quick note and probably off-topic, probably not. But if you ever have a server dedicated to hosting multiple clients, you’ll want to remember this. It is very common for clients to install buggy software that ends up posing a threat to your hosting server, either because a new vulnerability was disclosed and is unpatched, or simply because the installed software lacks any security at all.

As a result, one or more of your clients get hacked by worms. Worms tend to use the following commands while exploiting vulnerable software in order to download large payloads that later get executed to mess things up even more. So we could say there’s stage 1, when the script gets hacked and, let’s say, a ‘command injection’ vulnerability is exploited, and stage 2, when the first small exploit downloads and executes the real thing, the malicious payload.

If you get to stage 2, then you’re either lucky or in big trouble (start identifying the damage), but the idea is to prevent one or more stage 2 situations. You don’t end up fixing a vulnerable script, no, but at least you lower the impact of the first automatic exploit.

The binaries that I tend to chmod to null (000), and which by experience (ouch!) are used by worms, are:

  • wget
  • curl
  • lpdownload
  • GET
  • links
  • lynx

It *really* helps prevent large disasters. By NO MEANS is this the solution, no, but it is a tip for webmasters.
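To make the tip above repeatable (and to see what the box actually has before touching anything), here is an added example, not the post’s own procedure: it looks each listed helper up on the PATH, records the current mode, sets it to 000 when asked, and reports which ones are still runnable, which is what you want to re-check after a package upgrade reinstalls the binary with its normal mode. The `demo_in_sandbox` helper exercises it against a throwaway directory with stub `wget`/`curl` files (constructed), so it runs without root and without touching the real system.

```python
import os
import shutil
import stat
import tempfile

# The download helpers the post lists; worms fetch their stage-2 payload with these.
WORM_HELPERS = ["wget", "curl", "lpdownload", "GET", "links", "lynx"]

def restrict_binaries(names, search_path=None, apply=False):
    """Locate each helper on search_path (default: $PATH) and, when apply is True,
    chmod it to 000 as the post suggests. Returns {name: (path, old_mode, new_mode)}
    for the helpers actually present; run with apply=False first as a dry run."""
    results = {}
    for name in names:
        path = shutil.which(name, path=search_path)
        if path is None:          # not installed on this box, nothing to do
            continue
        old = stat.S_IMODE(os.stat(path).st_mode)
        if apply:
            os.chmod(path, 0o000)
        new = stat.S_IMODE(os.stat(path).st_mode)
        results[name] = (path, old, new)
    return results

def still_executable(results):
    """Names from a restrict_binaries() result that this process can still execute.
    Re-run after package upgrades, which reinstall binaries with their normal modes."""
    return sorted(n for n, (path, _, _) in results.items() if os.access(path, os.X_OK))

def demo_in_sandbox():
    """Exercise the above against a temporary PATH directory holding stub 'wget' and
    'curl' scripts (constructed). Returns (executable before, results, executable after)."""
    sandbox = tempfile.mkdtemp()
    for stub in ("wget", "curl"):
        p = os.path.join(sandbox, stub)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o755)
    before = still_executable(restrict_binaries(WORM_HELPERS, search_path=sandbox))
    results = restrict_binaries(WORM_HELPERS, search_path=sandbox, apply=True)
    after = still_executable(results)
    shutil.rmtree(sandbox)
    return before, results, after
```

On a real server drop `search_path` so `$PATH` is used, and run it as root; keep the dry-run output, since it is the only record of the original modes if you ever need to undo this.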

Enjoy!
