Son Of Sun Tzu

To content | To menu | To search

Wednesday 4 April 2018

Grabbing all the right cookies from the Burp Pro cookie jar

This solution works for me, on Kali Linux, using my keyboard; as always, YMMV.

In Burp Suite Pro:

  • Select Project Options
  • Scroll down to Cookie Jar
  • Click "Open cookie jar"
  • Ctrl+A to select the entire contents
  • Ctrl+C to copy all of those content

Now go to a file open in your favourite text editor. For me this is a file open in vim within a the gnome terminals Kali uses.

Ctrl+Shift+Insert to paste the contents of the clipboard into that file.

Now run this command, and you should have a list of cookie names you can work through:

grep <target domain> <name of file> | tr -d "/" | cut -f 3 | sort | uniq

Saturday 24 March 2018

Trying to watch the NFL Network on a KODI system, running in virtualbox, using a USB screen as the output

Yet another niche blog post that only one person will read, but maybe I will save them an evening.

I have an HP Workstation as my new desktop PC, so I'm now only a couple of generations behind in hardware, rather than ten years old. So with the increased memory and processing power, I thought I'd plug my iMo USB screen into it, pass that through to a VM running in virtualbox, and run kodi on that. It's much easier than trying to make the USB screen run under my main Arch Linux and not interfere with the other four screens I've already set up.

( also easier than making it work on a Raspberry Pi, which I tried here: http://blog.sonofsuntzu.org.uk/post/2017/04/01/How-to-run-Xbian-off-a-USB-display

Considering the time of year in the NFL season, there's a lot happening in free agency and the draft is coming up, so really the reason I wanted to run this was to have the NFL Network playing in the background so I can keep an eye out for headlines.

So....

Attempt 1

Set up: Debian buster, because I know the USB screen just works with Debian.

Reason it failed: NFL Network live streaming ( but not the games apparently ), needs the InputAdaptive and RTMP functionality of KODI to work. It turns out the relevant kodi packages for this haven't been in Debian since Sid.

Attempt 2

Set up: Alpine system, because I like Alpine because it's so small and fast.

Reason it failed: I just couldn't get the keyboard and mouse to work on Alpine once I started X. I tried hard, but not that hard as Alpine has no drivers ( "udlfb" ) for the USB screen anyway, I just wanted to get something working.

Attempt 3

Set up: Linux Mint 18.3. Mint tends to "just work" in general, and is one of the easier Linux distributions to get started with.

Reason it failed: Mint was weird... it would boot in the virtualbox monitor, then the Linux Mint graphical boot screen would appear on the USB monitor, but then the Mint interface would only show on the virtual monitor in virtualbox. This system was then unable to "see" the USB monitor at all, even after removing the specific entry to blacklist the udlfb driver in /etc/modprobe.d/blacklist.conf

Attempt 4

Set up: OpenELEC, installed by converting the OpenELEC img file to a vdi file and booting from it.

Reason it failed: As I suspected already from online forum postings, but I wanted to check with the latest version, OpenELEC doesn't appear to support the virtualbox virtual graphics card, so this didn't get anywhere at all.

Attempt 5

Set up: Windows 10 VM with Kodi installed, it worked well, although it took a while for the system to get the iMo screen drivers installed. For Kodi on Windows the relevant InputAdaptive and RTMP functionality just comes as part of the install package.

Reason it failed: Well... it kind of failed. I could actually watch the NFL Network streaming live using this, but from a quick look at the output of the htop command it was taking a lot to make this happen.

Other Notes

The mouse and keyboard use on this is weird, in general the virtual machine would boot, "transfer" the screen to the USB monitor, but then I'd operate the mouse on the USB screen by moving it around the, now blank, monitor being shown by virtualbox on my PC. On the Linux Mint solution the mouse and keyboard didn't get picked up, but after a reboot or two... it did. As you'll have seen above, it just wouldn't work under Alpine.

On Windows I only got as far as running that will two screens, and sometimes the mouse with be on the monitor being displayed in virtualbox, and the USB monitor, at the same time. I would have been tempted to play with that more except htop was showing how hard my PC was having to work.

Any constructive comments welcome...

Tuesday 6 March 2018

How not to fix the Lenovo Computer Stick 300

A friend was using a Lenovo Compute Stick 300, but a Windows update rendered it inert, as it wouldn't boot they passed it on to me to take a look.

( TL;DR - I couldn't fix it, I'd be tempted to avoid this form factor in future. )

So I had a go at fixing this, using https://www.tweaktown.com/reviews/7099/intel-compute-stick-stck1a32wfc-2gb-windows-8-1-review/index3.html as a sort of guide to the hardware.

I removed the BIOS battery, as advised in a URL I didn't note, which meant I could get it booting into the BIOS or the Windows recovery options.

However plugging the battery in, and trying all the Windows recovery options, and this fix https://support.lenovo.com/gb/en/solutions/ht118103 , didn't fix the device. The device still shows the Lenovo logo for a bit, then just powers itself down, or hitting the hotkey gets me to BIOS / Windows recovery options, which all fail in the same way as they did when I removed the BIOS key.

A few notes if you've stumbled across this blog post and want to see if you have more success:

  • The "hotkey" needed to get into the BIOS or Windows Recovery Partition is F2.
  • The "top" is the bit with the Lenovo logo sticker on, the bottom is everything else, including the "vents" on the sides, you'll see the join.
  • It's the only way to do it, but separating the top from the bottom using a screwdriver will mash the plastic.
  • You will need to use considerable force to pull the top off the bottom once you've got the top mostly off the bottom.
  • To disconnect the motherboard from the end of the casing opposite the HDMI port you'll need to lift off the large sticker that covers the bottom.
  • With the USB key plugged in with the new UEFI files it seemed a bit random as to what pressing the hotkey actually took me to.
  • On that second URL, note that you'll need to type "fs1:", with a colon at the end, not "fs1", as per the instructions on the page.

But as I say, after all of the above I'm only slightly farther along than I was when I started - I can boot into different recovery options, but they don't help.

I'll have a crack at putting Linux on it at some point, but right now this is going to the bottom of the "to do" pile.

Wednesday 17 January 2018

Fans specifications in an HP Z600

Making a mockery of RSS I'm just posting this because it's bound to be of use, to someone, on the Internet, once.

  • Double pair rear fans - 12V 0.6A 92mm wide, 25mm deep - both have 4 pins but are amalgamated in the shroud into 6 pins coming out - max rpm 4042 from Thermal option in BIOS, marked as "chassis"
  • Front bottom fan - 12V 0.24A 4 pins, 80mm wide, 25mm deep - uses plastic clips not screws, so will need replacements for those if you replace the fan - fan with my Z600 with can't be oiled, max rpm 3158 from Thermal option in bios, marked as "PCI"
  • Two separate processor fans - 12v 0.40A, 80mm wide, 15mm deep - can't be deeper due to mounting
  • Top / Memory fan - 12V 0.50A 80mm wide 25mm deep - fan says 495659-001 on it, shroud is 468628-001 - marked as "memory" in Thermal section in the BIOS
  • Small fan - 12V 0.15A 4 pins - 40mm wide, 19mm deep - I think max rpm 8438 from Thermal option in bios, marked "chipset"
  • Power supply fans are 2 x 60mm x 25mm according to HP website

If you can advise on OEM replacements, especially quieter versions, comments are welcome. Note that all of the fans appear to do a speed test as the machine starts.

Saturday 2 September 2017

Bluetooth keyboard reviews

I've had a bunch of Bluetooth keyboards kicking around for ages ( I suspect at least two years ). I've only used a couple of them a couple of times, so I've finally decided to give them a quick try-out - so I thought I'd put those reviews up here in case they turn up in an online search and someone finds them useful. But they have been sat in the To Do pile for quite some time, so make and model are best guesses.

Note that I just typed on each one for three lines or, while sat properly at a desk, within two feet of the Android phone I was using for testing.

If anyone's intrigued by any of these but wants to confirm whether:

  • they remain connected for more than a few minutes
  • can they hold a charge for a day
  • they have any specific functionality you're after for Unix / terminal usage
  • the specific placement of specific keys

do say so in the comments and I'll figure that out.

Some crappy Bluetooth thing off eBay

Bah, I can't find this in my order histories online, it looks like this:

I don't know this specific make and model so all I can say is to avoid the really cheap stuff. While this did appear to replicate what I typed on the screen it has a weird double space bar, the keys feel genuinely awful, and the USB power connector is Micro A.

Anker TC320

So that'll be this one: https://www.amazon.co.uk/Bluetooth-Ultra-Slim-Aluminum-Keyboard-Windows/dp/B00BKW2410 - do note that searcher for this model will actually bring up a newer version.

Works nicely on my Android phone, pretty big size, and I had this one relatively loose in a large bag, so the middle is something like 2mm higher than the edges, but it still works. OK if you want a decent size keyboard, but you'll want it in a firm bag.

EC Technology Foldable Keyboard

I think it's this, or close enough: https://www.amazon.co.uk/EC-Technology-Foldable-Ultra-Slim-Aluminium-3-Folding-Keyboard/dp/B00QRQZQR8/

This is reasonable enough to type on - it's essentially a "meh" keyboard, which is the best you can expect from something portable. Also it folds up nicely and appears to be suitably rugged, so something that will slip into a pocket or smaller bag.

Note it doesn't have a right CTRL key, which just might be important to you. Also the layout is, er, American, I think.

Zoom Bluetooth Keyboard - Series 1087 - Model 9010

Pretty sure this is this one: http://www.zoomtel.com/products/9010.html ... hmmm, this was left on a low power charger ( 500mA or so ) overnight, then left switched off for a few days, and had no charge left. It has a row of media keys along the top, with what I think are a "home button" key and a "lock screen" key.

Seems rugged enough too, not sure about that charge going away. Also bear in mind the power socket is USB Mini-B, not Micro-B.

Periboard-805

A bluetooth foldable keyboard - which will look like this:

.

The key positioning is too weird on this one - the EC Technology foldable keyboard is OK because it folds a quarter of the way in from either end, this keyboard folds in the middle - which means the centre of the space bar I tend to hit is the join, the right shift is in a weird place, and the placement of the keys in the middle detracts from ease of use. Only the foldable keyboards will fit in the smallest of my bags, along with a phablet and a spare battery... so I like the idea of them, but they don't seem to work in practice, at least without spending more money.

Palm Universal Wireless Keyboard

This https://www.cnet.com/products/palm-3169ww-universal-wireless-keyboard/review/ . Not a Bluetooth keyboard, just an illustration of what I had lying around in the "must figure out what this is" pile ;)

Saturday 1 April 2017

How to run Xbian off a USB display on a Raspberry PI

The short version

Don't.

The long version

( I've not gone into too much detail, I figure the only people who'll stumble across this are either considering the same solution, or troubleshooting their own attempt )

I had a Raspberry Pi 2, it's a "2+" I think, running Xbian. Xbian is a pre-built version of Kodi, the popular media player that used to be called XBMC. No X server is used, Xbian turns your Raspberry Pi into a media player with relatively little effort.

Having acquired a couple of USB screens over the years I thought it would be useful to connect one of these screens to the Pi, just so something like BBC News 24 or the NFL Network could run in the background to the side of my main monitors, or a Twitch channel.

So I connected a Mimo USB UM710 monitor and rebooted the Pi. This came up as a green screen, which means that the udlfb driver has loaded; and from the command line I can see that I have "/dev/fb0" and "/dev/fb1" - meaning that two framebuffers are available.

However I couldn't find any way within the Xbian interface to direct Xbian to use /dev/fb1, nor any kind of option to specify this in any of its configuration files.

I tried using the con2fb tool to redirect a different console to each framebuffer, directing tty1 to the USB monitor, in the hope that Xbian was starting on tty1 ... but still running "kodi start" from the command line brings up Xbian on HDMI.

I looked at somehow disabling the first framebuffer, but to no avail; the relevant bcm2708_fb driver is part of the kernel, and there's no way to stop it being used. Also I don't know if that functionality is required to generate that graphics that are then sent to the USB monitor using the udlfb driver. I expect that a Raspbian kernel can be compiled that doesn't include this functionality, but I decided that for a relatively simple system, which I'm trying to use in an "plug and play" way as possible, compiling my own kernels was a step too far, especially as I had no idea if the solution would work or not.

Also, ideally, I would be able to switch this device from using the USB screen to an HDMI screen with a few commands.

( As a side note, if you're looking at this in general it's worth researching the "chvt" and "xbmc_send.py" commands online )

On further research it turns out this is a common issue for people trying to extend their use of a Raspberry Pi.

That research did lead to a couple of possible solutions, these are framebuffer copiers, or mirrors, that copy of the output from framebuffer to another. While not ideal, this could work.

Firstly I tried fbcp but that just didn't work.

I set the Xbian resolution down to 480p to match what the USB screen was capable of, but this didn't make a difference.

So I moved on to raspi2fb instead.

This worked up to a point, showing the output of the first framebuffer at the right resolution, and at something like 25 frames a second. While slightly jerky this was more than enough to satisfy my requirement to keep an eye on the channel. Kodi's BBC News 24 plugin worked fine, the NFL Network worked fine at a low enough resolution ... but both the Twitch and YouTube plugins would crash the entire system. As far as I can tell it seemed that if I attempted to display anything above the resolution supported by the USB screen the Pi would just crash and need to be manually restarted. Also the system was now a little flaky in general.

I tried both 1.0 amp and 2.0 amp power supplies with the same result.

In the end I gave up, and decided I'd try something else to get Xbian on the USB monitor.

However having disconnected the USB screen, and tried using the Raspberry Pi on an HDMI monitor again, it's crashed after a few minutes. I'll be seeing if there's some kind of software diagnostics I can run to spot any obvious problems - it feels like something the community will have written already.

So in the end I have a Pi that appears to be broken in some way, possibly a result of how many USB devices I plugged into it at once - suggestions for easy ways of running hardware diagnostics are welcome in the comments below.

Sunday 26 March 2017

Notes on Incident Response from the SC Congress

I had the pleasure of attending the "Do Data Breaches Matter? Mitigating Impact" session at the SC Congress last month ( details here http://www.sccongress.com/london/programme/section/4505/ ).

The panel consisted of:

  • Beverley Allen CISA, Information Security Professional, Independent|
  • Bob Tarzey, Analyst and Director, Quocirca
  • Sarb Sembhi CISM, CTO CISO DPO, Virtually Informed

There were some great points made on incident response, which I've summarised below:

The stages of incident response

The actions that result from an incident being detected and becoming a breach fall into the stages below:

Stage 1 - The company wonders why it's been attacked, is in shock to discover it has been successfully compromised.

Nothing happens during this stage.

Stage 2 - Staff ask "What do we do? What's the plan? Where's the plan?"

A lack of leadership will be shown up here.

Also people will think they know better than the plan and will act independently.

It will be illustrated that the plan has never been tested and does not work in practice.

Stage 3 - Dealing with the breach

I.T. teams are likely to take control of the situation because the compromise will be I.T. based, and they will fall back on, or create, informal processes if no formal processes are available.

Internal teams may make land grabs during incident response, or actively avoid responsibility in order to avoid blame, both responses are counter-productive.

Stakeholders will want updates during the incident and afterwards, this capability should be planned for.

Everyone has a role, even if that role is staying out of the way.

Stage 4 - After the breach has been resolved.

It is important here to review the actions that took place in the previous stage, so that the breach can be learnt from in future. If an ad-hoc response method was used it's extremely unlikely that sufficient information will be available.

While the impact on share price and customer trust can be insignificant over the longer term, don't underestimated the impact on staff morale on the long term viability of their employer, also that scrutiny by regulators and auditors will be intense and ongoing.

Stage 0

Not a term that was used on the day, but looking at the stages above much of the conversation covered what was required before an incident response plan had to be initiated:

Part of thinking ahead is determining who is in charge of the breach response, and who should be contacted, and how.

This is the most important stage to get right, and is the foundation for best practice for all the other stages.

Companies don't have time to be breached, so make time now for your preparation - Sarb Sembhi.

"You have to do all of your thinking up front, test it, and test it again" - Beverley Allen.

 

Hacking For A Career - Drinking From The Firehose

( NOTE - this should have been published six weeks ago, apologies )

A short list of which podcasts to listen to, and which blogs to follow. These are just a few entries to get you started, there's a lot of information out there, learning how to filter it to what is relevant to you is a very useful skill.

Podcasts

Risky Business - particularly the first twenty or so minutes covering the main stories of the last week, but also the interviews tend to be worth your time. Find it here.

SANS Internet Storm Center - released daily, and just a few minutes long, a quick way to be bang up to date with security news. Find it here.

Down The Security Rabbit Hole - good coverage of recent news, or an in-depth look at particular issues. Find it here.

The Silver Bullet Podcast - particularly useful just to get an insight into the "names" from cyber security you'll have seen online or presenting at conferences. Find it here.

Blogs

I went through my RSS reader and pulled out those few blogs that would be the most useful to anyone entering the industry:

For thoughts on penetration testing by working penetration testers try Holly Graceful, Carlos Perez's Dark Operator, and Digi Ninja's blog,

For a wider perspective of information security go to Black Swan Security, Michael Santarcangelo at CSO Online, Naked Security from Sophos, or Brian Krebs.

For regular updates on security news and testing tools, try Darknet. While I've found the quality of entries to vary quite considerably, this seems to be the best resource for quickly reviewing the latest news and a useful way of seeing what's out there.

RSA Roundtable on AI and Automation

I recently had the pleasure of attending a roundtable discussion at the RSA on the future of "AI and Automation" in business, particularly among the so-called "low-skilled" workers. Many ideas were discussed under Chatham House rules, and there were a few of my own which didn't fit into the discussion.

A great deal was discussed, but a couple of highlights that I noted down:

  • The definition of Artificial Intelligence itself is tricky, and mischaracterising Machine Learning as Artificial Intelligence can raise expectations beyond what is possible or necessary.
  • "Switching costs" can be huge, with technology developing so quickly organisations can overlook the cost in resource of moving from one technology requirement to the next when the next move is already on the horizon.

The overall discussion prompted a few thoughts of my own, some points I made, some weren't appropriate to the conversation or didn't fit the timescale, deciding which are which is left as an exercise for the reader:

  • A largely artificial workforce, combined with the ever-present threat of ransomware, leads to some very interesting criminal possibilities.
  • With many employees being replaced by automated processes, or actual robots, there is a correspondingly massive increase in the attack surface that any organisation presents to an attacker? It will be much easier to affect or disrupt an organisation when so many more of its resources are on a network, and interact directly with many of the existing security systems.
  • With regard to Fraud Detection an intriguing difference might be that the increasing use of Machine Learning means success or failure of fraudulent activity is far more predictable than human analysts, therefore will it be possible for particularly smart organised crime groups to test their efforts in a safe environment before trying them out?
  • Alternatively will it be possible to steal and/or download fraud detection methodologies and test them offline for weaknesses, so that organised crime can then guarantee the success of efforts in the real world against known procedures?
  • It feels like too much of a "cyberpunk" idea, but if artificial intelligence is used by more and more organisations to detect fraudulent activity, or for other assessments that benefit the profitability of a business - i.e. determining insurance premiums - can criminal organisations use their own AI technology to determine how to bypass the AI of those organisations that they're attempted to defraud?

In the event that you're reading this, and thinking that these ideas have been covered before, and I should read a particular book or article or author, then please do list them in the comments section below.

Monday 27 February 2017

Everything Wrong With CloudPets

I've just read Troy Hunt's excellent summary of the CloudPets breach, and it got me thinking. I'm a big fan of those "movie snark" YouTube channels, something like CinemaSins where they take a film to pieces and list "Everything Wrong With" it. The same kind of idea struck me about this issue, it is the Suicide Squad of security practice; CloudPets didn't make one error, but made several errors which exacerbated the effects of the others.

Cinema Sins

Referencing CinemaSins mean you should be watching a video with high production values but instead you've just got a text only blog that really needs a livelier theme.... but putting that to one side, I think CloudPets committed twelve "security sins". Did I get them all? And bear in mind I've just read Troy's blog, I've carried out no extra investigation myself.

Firstly - what they did get right - the use of bcrypt. Bcrypt is recommended for password hashes as it includes a salt, and so greatly reduces the feasibility of being attacked using rainbow tables.

However, for what they did wrong, in no particular order:

CloudPets

  • Unnecessary Internet connectivity - I assume the MongoDB just needs to interface with the API, which is what interfaces with the phone apps, therefore the database doesn't need to be Internet facing at all.
  • No firewalling in place - just the fact that the MongoDB was exposed to the Internet, rather than any kind of any host or network based firewall being in place.
  • No database authentication - by default MongoDB does not used a password.
  • Using live data in development - as Troy explains, there's no apparent separation between live and development environments or data.
  • Not protecting your interfaces from known bad actors - while Shodan.io isn't necessarily a "bad actor", it does help your security if you block traffic from a service known to index vulnerable systems.
  • No security based email addresses in place - standard email addresses that should be run for each domain are specified in RFC 2142. While some of these are undoubtedly out of date ( usenet@ anyone? ), others, such as security@, should be implemented and monitored appropriately.
  • No network or security monitoring - the database was compromised multiple times and yet CloudPets obviously didn't spot this as they didn't react by securing their systems, or at least protecting the database server from the Internet.
  • Unencrypted data within the database - it strikes me that there could/should have been a clever way to encrypt the data in the database, maybe tied into a particular toy's hardware, or some key derived from the App associated with the toy. As the toy appears to talk using Bluetooth to an App within the same household, as that App acts as a gatekeeper for inbound and outbound messages; a key based on the toy might work. By cryptography standards it would be horrible, a shared key in multiple locations, and that would require little effort for the App to encrypt or decrypt voice data, but certainly better than nothing.
  • No authentication protecting online assets - the profile pictures, voice recordings, and so on are all accessible with knowledge of the complex URL they're hosted at. While not trivial to index this makes them vulnerable. The authentication credentials required are already available to the service, this is omitted simply because the service is so poorly secured.
  • No network separation - from Troy's article it looks like the webserver, the production database server, and the development database server, were either all sitting on the same IP address, the same physical or virtual system, or all were the same physical or virtual system. I assume it's difficult to elevate privileges from MongoDB access otherwise far more damage would have been caused by all the recent compromises, but this is a less than ideal configuration all the same.
  • No password policy in place - any password was permitted, including a single letter; as Troy points out the demo video uses "qwe", and judging by his article, the obvious choice of "cloudpets" was common.
  • No notification of compromise - as Troy illustrates through interrogating Shodan, CloudPets knew that there database had been compromised, but made no effort to contact their users. I can't comment on the legal situation here, but it's due to vendors like this that the inbound GDPR disclosure rules look so useful, or so concerning, depending on whether you're consuming or providing a service.

So that's the twelve. There was a couple more that sprang to mind around Threat Intelligence, and more fine grained database security, but they're too wobbly for this piece.

So what did I miss? Did I catch everything? Suggestions for what else they did wrong are welcome in the comments below.

And do sign up for Troy's haveIbeenpwned.com website too.

Monday 13 February 2017

The "Targus Wireless Bluetooth Presenter Remote Control & Mouse Cursor", model BEU0564C

In an earlier blog here I stated I was going to use a Targus device that combined the functionality of being a wireless mouse, and a wireless remote control for presenting; rare functionality that is exactly what I was after.

As stated... it does work with Linux, but only for short periods of time. Sometimes it can only last for a couple of minutes before it just kind of forgets that it was talking to something else. This makes it completely unusable for presentations, and essentially completely worthless. Reading through the Amazon reviews more thoroughly, it looks like I'm not the only one with this problem.

I realise the device was on the "cheap and cheerful" side but I expected basic functionality, rather than no functionality.

Avoid.

Suggestions for equivalent but reliable devices would be appreciated in the comments.

Monday 6 February 2017

Hacking For A Career - Which Events To Attend

A short blog this time, which events should you attend as a budding penetration tester?

There's a great list here on cyber.uk of all the relevant UK conferences - the only thing I'd add is that the dates for BSidesLondon have been announced.

So once you're at a cyber security conference, how to make the most of it? Talks are always important, they can be great chance to learn a lot about a subject in a short amount of time. But do make a point of making contact with new people in-between or outside of the presentations, what people tend to call "CorridorCon".

As with any experts cyber security people will tend to dislike uninformed questions, so "how do I learn to hack?" or "who will pay me the most?" or "you use Windows, you must suck" won't go down well. However if you're obviously put in some effort, and ask "I really enjoyed your presentation, I'm interested as to why you advocate X not Y" or "I'm looking for a company to work for over my holidays, and I'm wondering whether to contact Weyland Industries or The Umbrella Corporation, who should I consider?", you're much more likely to get a response.

Be interested, be interesting, and have your contact details ready to pass on, and a day spent at security conference can make all the difference to starting your career in the right way.

Hacking For A Career - Tools You Should Know

This is the next entry in the series, aimed at providing depth to parts of my "Hacking For A Living" presentation.

Further to the packed slide I gave during my presentation, here are the tools you should have a passing familiarity with. Note that these aren't the offensive tools, but the other programs you should be familiar with. Do bear in mind my background is as an infrastructure tester, in my experience of web application testing a lot of the information on the target was within a single application - Burp Suite.

Also, do look at the functionality and integration between up to date versions of Nmap, Nessus, and Metasploit - being able to easily transfer data between all three will enable you to do more testing in less time, making you more valuable as an employee, and more efficient as a tester.

The emphasis below is very much on Unix tooling, if you prefer to test from a Windows system I'd still recommend installing Cygwin to give you access to these, unless you're particularly adept at the Windows command prompt or PowerShell.

System and network monitoring tools

These will help you understand what your own system is doing, any bottlenecks or other issues that mean your system is slower than it should be, or any local connectivity issues causing you problems:

htop, iotop, ip, lsof, netstat, ps

Interrogating remote services or networks

All of these programs are useful for determining that you're on the right network, that you've got the right connection to your target systems, and so on. Also some of them are useful in an elementary way for obtaining information on whatever system or service it is you're attacking:

arp, arping, dig, host, hping2, netcat ( in all its forms ), nslookup, ping, openssl, socat, tcptraceroute, telnet, tftp, tracepath, traceroute, wget,

Terminal multiplexers

These programs allow you to easily manage multiple programs simultaneously, or to keep a session up on a remote system that will survive a break in connectivity:

screen, tmux

Recording your output

These programs are useful for recording your tool output, or network traffic - so you can grab entries from their logs for your report, or demonstrate to a customer what was or was not happening on your testing system at a particular time:

script, snoop, tcpdump, tshark

Sorting, searching, and manipulating output

There's a lot here, and I should stress that you don't need to know them extensively, you just need to know *of* them, and have an idea of how to start using them when necessary:

awk, sed, head, tail, strings, grep, egrep, findstr, cut, sort, uniq, sponge, tee, pee

Recording your knowledge

You will learn a great deal as a penetration tester, and won't have access to old machines or reports or notes when you change employer. For recording wehat I learnt on a test, so I could easily reference it on a future test, I always liked TiddlyWiki. Find something that suits you, but I'd strongly recommend using something digital, rather than a paper notebook - that way you can back up your notes, or easily search through them for a specific entry.

Programming Languages

You can arguably get by as a penetration tester with just a little bash shell scripting, but to really get on with automating your penetration testing workflow do look at advanced bash shell scripting, or Python. If you're going to be attacking Windows systems a working knowledge of PowerShell is increasingly required.

Others

A couple of commands it's worth familiarising yourself with, just so you can ensure the output from your tools, or your notes, isn't accidentally overwritten:

chmod, chattr

And also the text editor "vi", as you'll find it on any Unix system you have access to.

One last thing, familiarise yourself with "man" pages. I always find man pages useful reminders for how a tool or program works, but far less useful in determining why or when I should use it.

Hacking For A Career - What To Learn

So, you want to become a penetration tester, where do you start?

Introductions

Really the place to start is Robin Wood's two "Breaking in to Security" blog posts, which are here and here.

After that watch this great twenty minute interview with John Carroll on what it's like to be a penetration tester.

Now you have some context, work through "Start In InfoSec", put up by Rob Fuller, also known as Mubix. His Twitter feed is here: https://twitter.com/mubix. There's a considerable number of resources there, don't be afraid to pick and choose, move on to the next entry if the subject matter or the tone isn't relevant.

There's also a lot of information listed in "Getting Started in Information Security" on the netsec sub-reddit wiki here: https://www.reddit.com/r/netsec/wiki/start. While not directly useful this is handy to see the breadth of the subject matter, and what resources are available. Overall "/r/netsec" is worth your time as long as you aggressively filter. The regular hiring threads, while mainly focused on North America, are also worth following.

Attack Platforms

Kali is definitely the attack platform that many penetration testers use, and the most common. However it's also worth looking at BlackArch .

I would recommend running these as a virtual machine, however if you're looking at attacks at Layer 2, such as VLAN Hopping, you may have issues and ideally you'll run your attack platform directly from your laptop.

There are other platforms available, and also you may prefer to "roll your own" rather than having the platform maintainer decide how you work and what interface you use.

Offensive Tools

Depending on where you'll focus as a penetration tester you'll either need to become very familiar with very few tools, or at least have an understanding of a wide range of tools. These are good ones to start off with:

  • Nmap - the industry default for port scanning.
  • Nessus - this tends to be the vulnerability scanner that companies will use, and expect you to know.
  • Metasploit - a well maintained collection of attacks and an industry default.
  • Nikto - useful to see just how simple some tools can be, and the strengths and weaknesses of that approach.
  • SqlMap - SQL injection is still a major weakness on websites, this program automates exploiting it.
  • Burp Suite - the free version is enough for you to get the hang of this software, which is an industry default for web application testing.
  • Kismet - for analysis wireless networks.
  • Aircrack-NG - for testing wireless networks.

Targets To Attack

Of course you should only be attacking systems that you control, and have authorisation to do so. I always think it's much better to attack something locally that you're running as a virtual machine rather than to attack a Virtual Private System ( VPS ) you've paid for on the Internet. The best resource I've found is Awesome Cyber Skills as a list of systems to download, or access online.

Other Notes

As per my presentation, if you're interested in physical Social Engineering look at films such as Sneakers or the TV series Leverage just for flavour, look at the YouTube videos of Jayson Street and Johnny Long to see how professionals do it. Also check out the "career" of Karl Power and the book "The Complete Guide To Gatecrashing" to obtain interesting and entertaining insights into what's possible, and the mental challenges involved.

I expect similar examples of real world security failures to be present in Channel Four's "Britain's Greatest Hoaxer" documentary, which is on this week.

For real world examples of where this is important, look at the "KVM Hack" of Santander, and much more recently, the taping of members of the Republican Party...

Friday 3 February 2017

Hacking For A Career - Introduction

I was a penetration tester for ten years, working for a few companies in the UK, and participating or leading hundreds of tests. I also find the overall philosophy behind penetration testing, and pentesters themselves, particularly interesting, so I'm reasonably familiar with how the industry "works" in the UK.

Since moving on from penetration testing I've presented a few times on "Hacking As A Career", a rough guide to being a penetration tester, covering what the career involves, how to get into it, and what to get out of it. The presentation is usually given to Computer Science students in the UK, so that's where my focus lies. It's mainly based on my own experience, but I've made a point of asking a few friends for suggestions for each category.

In the following blog posts expand on this presentation, with references taken from my research and notes, and partly filling in the detail from my slidedeck:

What To Learn

A few references on where to start:

  • which resources to read on breaking into the industry
  • which attack platforms or tools to learn
  • what to attack using those tools

Tools You Should Know

A list of the tools which any aspiring tester should familiarise themselves with in order to make their life easier.

Which Events To Attend

A list of which events anyone looking to enter the industry should attend.

A guide on what to ask, and how to introduce yourself.

Drinking From The FireHose

Which blogs to follow, and which podcasts to listen to - focusing on those that will provide the greatest value in the shortest amount of time.

In particular for this one I'll list relatively few resources as I'm naturally averse to listing everything, pre-curated lists of resources are woefully rare on the present day Internet.

Tuesday 13 December 2016

xmonad issue with drop down menus - workaround

If you have a problem with drop down menus for certain programs ( in my case kdenlive and virtualbox ) not displaying their drop down menus in xmonad it might be this issue:

https://github.com/xmonad/xmonad-contrib/issues/73

The workaround proposed by geekosaur in that bug report appears to work for me, after about ten minutes of testing.

However if you've followed the usual introductions to xmonad you'll need to change "workspacen" for "myWorkspaces", as looking at this online paste that appears to be what geekosaur calls their workspaces variable. ( It might be a "variable", I don't know Haskell ).

So copy and paste this text into the appropriate place in your xmonad.hs file, and restart xmonad:

-- @@@@@@@@ HAAAAAAAAAACK
setWorkArea :: X ()
setWorkArea = withDisplay $ \dpy -> do
    a <- getAtom "_NET_WORKAREA"
    c <- getAtom "CARDINAL"
    r <- asks theRoot
    io $ changeProperty32 dpy r a c propModeReplace (concat $ replicate (length myWorkspaces) [0, 26, 3840, 1028])

Friday 9 December 2016

How to remove all notifications of FaceBook user status changes in Weechat when it's talking to Bitlbee

If you're using Weechat to talk to Bitlbee to talk to FaceBook ( or other instant messaging services ), your private message window for each user will be full of notifications that the user has joined or quit.

You can get rid of most of the notifications using this filter line:

/filter add joinquitbitlbee irc.bitlbee.* irc_join,irc_part,irc_quit *

Which is specified here,

However if you do this you'll see get the "is back on server" messages; to remove those as well you want to use this line:

/filter add joinquitbitlbee irc.bitlbee.* irc_join,irc_part,irc_quit,irc_nick_back *

If you want to see those messages temporarily, for example to see if someone is online or not, enable them in Weechat with ALT and "=". Use the same key combination to remove them.

Tuesday 6 December 2016

Running videos directly from LibreOffice Impress

For a recent presentation I gave at DC4420 I needed to show some videos, so I originally tried embedding them into the presentation's LibreOffice Impress file. LibreOffice did not handle the resulting large file size well, and particularly didn't like embedded videos. So what I did was flick from my presenting window to a terminal window, and run a quick script from there that called mplayer with the appropriate options.

This worked pretty well, and I was able to do it pretty quickly when I practised the presentation at home.

Unfortunately in practice I under-estimated how difficult it would be to type the name of a file with a microphone in one hand and a presenter's remote control in the other, if you were a member of the audience your patience was appreciated. This bugged me so I now have a solution, ready for the next time. I haven't tested this "live" yet, but I figure if someone else is stuck in a similar position it will get you 95% of the way there.

How to do this:

Firstly - running videos from LibreOffice Impress

You'll need to change the security settings around macros first. Go to Tools, then Options, then in the window that opens go to Security under "LibreOffice". Go to Macro Security and set it to Low. Yes, not ideal, do change it back to an appropriate level whenever possible.

Go to Tools, Macros, Organise Macros, and then LibreOffice Basic. From there select "Edit", and then put in a macro that reads as follows:

shell ("bash -c '/<path to shell script>/script.sh'")

From here it's up to you, either have one shell script that runs all videos by calling them as an option, or use a different shell script for each video. That should work, I believe in the LibreOffice macro you can call a script with options.

For the script, it will say something like:

mplayer -xineramascreen 1 -fs file.mp4

This means you can also use the "-input conf=/<path to file>" option to call a specific mplayer configuration file, which I'll cover later.

I'm expecting that you're using "Presenter View" in LibreOffice, so you might need the -xineramascreen option to ensure the video plays on the correct screen for your audience to see. In my limited experience the options for mplayer were weird, "--xineramascreen=1" might also be accepted, or it might not - experiment if necessary.

If you need to play multiple files then look at the "playlist" option for mplayer.

Then in the presentation itself, where you want to play a video, insert a graphic. Bear in mind you'll be clicking on this graphic during the presentation to run the video, so make it nice and big.

Right click the graphic and select Interaction. Select the appropriate Macro from those you've set up to call the right shell script.

Secondly - how to do this one handed

Ideally during the presentation you'll be standing away from your laptop or whatever you're using to present from, so you want to advance presentation slides, and click on that graphic, using just the one presenting Remote Control. In my experience most presenting remote controls don't include mouse functionality. So for this buy an all-in-one presentation remote control and mouse. I've chosen a "Targus Wireless Bluetooth Presenter Remote Control & Mouse Cursor", model BEU0564C, this should work with your Linux box too. For example you can get it from Amazon.

Sync the Remote Control with your Linux system, which works for me. When you've set your Linux system to scan for new Bluetooth devices you might need to press buttons on your Remote Control to get it to "wake up" and connect.

This now means you can use "presentation mode" to advance slides, then flick the Remote Control to "mouse mode" and click on the presentation graphic to run the required clip, and then flick it back to "presentation mode" to keep controlling LibreOffice Impress.

Thirdly - some mplayer modifications

As I said above, you can call mplayer with a specific configuration file to determine how it manages input. If you put this into the configuration file:

b pause
F5 quit
PGUP seek -8
PGDWN pt_step 1 1

This should mean that on your remote control:

Press the "blank screen" button to pause or unpause a video. Press the "start / stop presentation" button on your remote control to stop a video playing. Press the "next slide" button to rewind the video eight seconds. Press the "previous slide" button to skip to the next video in a playlist.

You can use the program "xev" to see what specific keypresses your presenter's remote control is sending; and of course do experiment and practice before you give the presentation.

And there you have it.

Wednesday 30 November 2016

Notes from "What Happens When A Game About Hacking Meets The Hacker Mindset?"

Thank you to everyone who braved the cold and made it to my presentation at DC4420.

A description of the presentation can be found here; and details about DC4420 can be found here.

A few notes from slides that I probably flew right past during the live talk:

The PDF of Chris Sumner's presentation from HackFest Canada is... around somewhere, I'll check with Chris and update this blog post.

Jayson Street's presentation on global hacker culture and hacker history can be watched here.

J4vv4d's blog post that I grabbed a couple of quotes from is here.

Tanya Snook's article is here.

The presentation by Fraser and I from DevSecCon is here, and I may or may not have generated enough intestinal fortitude to watch that by the time you're reading this.

If you want to ruin your enjoyment of media, go to http://tvtropes.org/.

You really should be watching Scorpion.

The concept of Neo Tactics comes from Mike Bond's "Boom! Headshot!" research paper, the paper is here, and a PDF of the presentation is here.

The manual for the First Earth Battalion is here.

And, er, that's it - which probably wasn't the information you were after. It's been suggested I give the presentation elsewhere, so if I put more work into it I'll put in some links to the YouTube players who provide good examples of hacks, and other references in the talk.

And if anyone can help me understand XBox360 game save file formats, or help me track down a copy of Raven's Cry, please respond in the comments...

Saturday 26 November 2016

Tuesday's forthcoming DC4420 presentation - What Happens When A Video Game About Hacking Meets The “Hacker Mindset”?

With the very recent release of WATCH_DOGS 2 it’s timely to look back at the original WATCH_DOGS video game. Set in a fictionalised Chicago, in WATCH_DOGS you play as a “brilliant hacker” who uses his hacking skills to manipulate ctOS, the “Central Operating System” that runs the city. The game was similarly forward looking in its design, combining an open world single player mode with an “always on” feature, meaning the player’s game could be surreptitiously invaded at any time by an online rival.

But for a game that should be saturated with an understanding of hacking, what happens when it meets players with the “hacker mindset”? This talk will take you, Inception like, through the different levels of a player’s understanding of the game, and how they can use that understanding to gain a disproportionate advantage during gameplay.

( Please note, originally this talk was entitled “What Can WatchDogs Teach Us About Cyber Security?” but the presenter realised that there wasn’t that much to learn; also after fighting and losing against Linux display drivers at the October meeting the presenter will be bringing at least two different presenting platforms to the meeting and is currently watching several Overhead Projectors on eBay. )

More talk description is here , venue details are here.

- page 1 of 2