Category Archives: #coding

Updates, Malware Analysis Links, Meltdown, & Spectre

Readers,

My apologies for not posting more often. I’ve been busy with my studies (and occasionally reading and writing off-site). There have been so many new forensics blogs, mailing lists, and infosec communities recently that I’ve been content with reading instead of writing my own posts. Bad habit, I know! I’ve also taken part in a number of security CTF and infosec challenges. I said in my DC3 post that I’d be covering past challenges and their solutions in greater depth, and that’s still the plan for the future (if time permits).

I’ve also been toying with the idea of setting up an up-to-date CTF challenge section on site since I have enough content from past CTFs and challenge organizers. We’ll see. I did make a challenge to de-anonymize target onion sites, the solution to which would be in discoverable data about the target web server. But I’ve been told that this might come across as hostile and not helpful for learning purposes, so I’ll probably just end up with standard jeopardy-style questions. Other options include the obligatory stegano in images, sound files, whole forensic images of disks with flags for various forensic artifacts, etc. Since security challenges are time consuming to create, it’ll have to wait a little longer. As always, feel free to subscribe to the blog for future updates.

I’ve also been looking for quality reverse engineering malware resources. I’m still new to that arena but what follows is a list of some really helpful sites, webinars, and books for learning to disassemble programs and study malware both from a static and dynamic perspective. I realize many readers here already do malware analysis, but this is intended for others looking to get into it. Some of the sources are older but all of them are worth checking out. Regretfully I can’t go through every examiner’s quality blog here, but check the site for more links! I’m also happy to read, study, and add any sites or research if submitted.

Malware Resources

Blogs, Articles, Webcasts, & General Papers

Introduction to Malware Analysis by Lenny Zeltser (Webcast), 12/6/2016.
Note – I’ve seen a lot of Lenny Zeltser’s work (webcasts, webinars, white papers, blog entries, conferences) and I’m a big follower, so I often link to it.

Malware Analysis: An Introduction (GIAC Gold Paper) by Distler. 12/14/2007.

5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser. 3/14/2015.

Malware Analysis Essentials Using REMnux w/ Lenny Zeltser (Webcast), SANS Institute, 4/17/2014.

4 Cheat Sheets for Malware Analysis by Lenny Zeltser, SANS Blog, 9/13/2017.

Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser. 9/7/2017.

Thoughts on Malware, Digital Forensics, and Data Breaches by Hal Pomeranz, SANS Blog, 1/18/2012.

CyberBit’s 5 Open Source Malware Tools You Should Have in Your Arsenal

Projects To Watch/Tools to Know:

FLARE VM – The Windows malware analysis platform by FireEye, a company known for its malware analysis and incident response know-how. 1/16/2018 Update: This tool is really outstanding. The packages can be installed into any VM, preferably a freshly built Windows 10 evaluation VM, since you can keep reverting to a snapshot if you exhaust the 90-day eval. FLARE includes many file-analysis tools out of the box, such as hex editors, debuggers, disassemblers, text editors, PE tools, process hacks, packet analyzers, alternate data stream manipulation tools, and more (official list on GitHub). Package installation is made simple with Chocolatey. My own custom box includes essentials I downloaded such as OWASP ZSC for Python shellcode generation, YARA, stegano detection tools, audio editors, and more. It is definitely not an exaggeration to say that you can make this into the best security platform available on Windows.

REMnux – A Linux Toolkit for Reverse-Engineering and Analyzing Malware

Kali Linux – I use Kali a lot so I highly recommend it. It’s an extremely well maintained distro, adding your own packages as needed is simple and usually everything just works (thanks to all the modules and dependencies pre-rolled into Kali). There are some great tutorials for pentesting and forensics on Udemy and through Offensive Security. Adding malware tools is easy.

SIFT Workstation – I’ve used multiple versions of SIFT from Linux to Windows 7 and 10. I highly recommend it for forensics work. It does have more timeline tools than Kali (although you can add packages to Kali as you see fit). SIFT VM + Kali VM = ideal. I have heard great things about BlackArch for penetration testing but have yet to try it (I do have fond memories of Archlinux and Archbang, so it’s on my to-do list).

Yara Analysis Tool – industry-leading tool in signature and behavioral rule-set matching for malware.

Cuckoo Sandbox – Sandboxing tool for malware. If you’re just using VMware, be careful of VM escape vulnerabilities, bogging down resources, etc.

IDA & IDA Pro – Ideal for static analysis. Disassembler for every major operating system. I’ll be honest, my assembly skills are weak, but this is one tool worth sticking with. There’s even a great No Starch book on IDA to help you out! (IDA Pro Book, 2nd Edition by Chris Eagle — fair warning, the assembly sections are pretty light and assume you know what you’re doing, so I’d suggest supplementing it with another resource to familiarize yourself with the subject prior to diving into IDA. One good (and free) course is the x86 class by Open Security.)

OllyDbg – The Gray Hat Hacking books use OllyDbg a lot.

Immunity Debugger

Automatic Malware Analysis and Sandbox Services by Lenny Zeltser

Classes:

Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration w/ Xeno Kovah (Open Security Training)

Introduction To Reverse Engineering Software by Matt Briggs & Frank Poz (Open Security Training)

Reverse Engineering Malware by Matt Briggs & Frank Poz (Open Security Training)

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques with Jake Williams (SANS Institute)
Note – I haven’t had a chance to take this class, but it’s pretty much the de facto malware analysis class in digital forensics.

Again, there are many courses and tutorials available through Lynda, Udemy, and YouTube. Here… hold up. There we go (had to do it!).

Technical References:

Tech refs can be expensive but these are totally worth it if you’re committed to learning the subject matter (or, like me, you’re equally committed to making a visually impressive security bookshelf /modestyfail). Most well-maintained, high traffic libraries should have some of them. Sure, there are plenty of online sources with similar information but these texts are definitely helpful.

Malware Analyst’s Cookbook: Tools and Techniques for Fighting Malicious Code by Hartstein, Richard, Ligh, and Adair. 2010.
Note: It’s the bible of malware analysis. It was one of the first larger works to tackle malware head-on. While it isn’t as technically in-depth for complicated tasks (I found that GHH was more technical for some things), it’s a must have. As someone new to malware analysis, I can honestly say it’s readable and worth checking out.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz. 2015.
Note: One of my all time favorites. Black Hat-style techniques are explored using Python code and popular modules. There’s something for everyone here. (I often use BHP or GHH – mentioned below – as a springboard for Python projects, so I can also recommend getting physical copies as opposed to eBook versions.)

Gray Hat Hacking, 2nd Edition & 3rd Edition by Harper, Harris, Ness, Eagle, Lenkey, Williams. 2008 & 2011 respectively.
Note: When I first picked up the 2nd edition from the library I had no idea what IDA Pro was and wanted more on pentesting. I immediately dismissed GHH as something I wouldn’t use. In retrospect, GHH is an awesome guide to DLLs, handles, processes, reverse engineering, and malware analysis.

Data Hiding Techniques in Windows OS: A Practical Approach to Investigation and Defense by Hassan & Hijazi. 2017.
Note: This book should just be called “How to Win at CTF Every Time.” While it doesn’t explore malware in-depth, it does talk about various forms of data hiding and data manipulation (ADSs, stegano, etc). Since malware utilizes different methods of remaining hidden, DHTIWO is a great guide for developing critical thinking skills. This and File System Forensic Analysis by Brian Carrier are so easy to use as regular resources in forensics.

Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers & Security Engineers. TJ. O’Connor. 2013.
Note: I used to really love this book prior to finding BHP and the Gray Hat books. It has drone hacking and Twitter OSINT hacks, what’s not to love? The code is hit or miss but it has some good ideas for Python coders. It also contains a section on virus detection. I prefer Justin Seitz’s work, but a respectful nod to TJO’s great resource.

Miscellaneous Resources:

Mitre’s CVE Page (Security Bug/Exploit Lookup)
Yara Official Documentation
Yara Definitions & Rulesets
Offensive Security’s Exploit-DB (Exploit Lookup & Sample Code)

Also check the links to other blogs around the site as there are a fair amount that cover malware research.

Meltdown & Spectre Links

Meltdown Paper | Spectre Paper | FAQs: https://meltdownattack.com/#faq-fix

You know that feeling when you’re lurking darknet forums or Inj3ct0r for information on new malware and you’re like, “what a liar, that’s not a revolutionary 0day exploit, that’s yet another buffer overflow exploit!” This is a fair bit more serious.

Thanks to Jann Horn and the analysts at Google Project Zero, two dangerous new vulnerabilities were disclosed: Spectre, which leverages a processor’s speculative execution to leak data from memory to an attacker via side channels*, and Meltdown, which uses out-of-order execution to leak sensitive information across any form of virtualized environment or out of any protected memory space. Unfortunately, the fear is that they’re so deeply embedded in modern processor architecture that they’re nearly impossible to patch without crippling current infrastructure; they aren’t purely software issues that can be patched easily. Speculative (dynamic) execution is a major part of modern processor performance, and Spectre potentially affects many different processor families. I’ve tried to include some useful links here for understanding the severity of Meltdown and Spectre.

* Yes, Spectre sounds like the coolest thing since poptarts. So much for professionalism.

FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (FireEye), 1/5/2018.

Researchers Discover Two Major Flaws in the World’s Computers by Cade Metz and Nicole Perlroth (New York Times), 1/3/2018.

The Complete List Of CPUs Affected By Meltdown / Spectre by Dr. Adrian Wong, 1/8/2018.

In response to worries of Spectre being able to extract passwords from application password managers and vaults, Dashlane’s Eitan Katz wrote an article on the state of Dashlane and what Meltdown and Spectre do. Check it out here: Meltdown and Spectre: What you Need to Know to Stay Safe by Eitan Katz (Dashlane), 1/5/2018.

It’s not every day you see patches that cause entire Linux communities to freak out. If you’re an Ubuntu user, be sure to check out this article regarding Ubuntu 16.04’s patch: Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers by Catalin Cimpanu, 1/10/2018. The patch in question only applied to Meltdown. The problem was fixed with subsequent updates after the article was released.

Be sure to check out the CVEs below for more technical information about each of the vulnerabilities. The links contain a lot of critical information, including sample source code that you can attempt to run in a virtual environment. Note that your mileage may vary in VMs; some people have reported BSoDs and unhelpful crashes when attempting to execute the proof-of-concept code.

Spectre CVEs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
Meltdown CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Sample Code – Dictionary Zip Password Tool

After reading Violent Python, I decided to try making a basic dictionary zip password recovery tool for fun. Some of the other free open source tools out there are great but this tool is fully functional if not ideal. I’m primarily posting it to serve as an example of how Python can be used to perform such an attack. I do not condone the use of password crackers for illicit purposes.

The tool can generate a biographical dictionary from a specified file’s ASCII strings as well as populate the dictionary with a recursive directory listing from the location of your choice. Got the idea while studying for my AccessData cert. Their Password Recovery Toolkit does this in hopes of increasing the likelihood that the dictionary will contain a relevant password. The idea is that a user either used the word in the past or that it can be found elsewhere on his or her computer. A very cool idea that’s helped me on forensics challenges in the past.

I’ve designed the code below for Python 2.7.5 on Windows 7. It uses the Strings binary from Picnix Utils. You can also click here to download a copy. Obviously the best defense against it is to use a strong password outside the scope of the dictionary (which most people do when protecting zip files anyway).

import argparse
import os
import subprocess
import sys
import zipfile

print ''' SYNTAX:
    Dictionary: zipdict.py -f (zip) -d (dict)
    Bio Dictionary Generator: zipdict.py -f (zip) -s (file with desired strings)
'''

parser = argparse.ArgumentParser(description='Zip file dictionary attack tool.')
parser.add_argument('-f', help='Specifies input file (ZIP)', required=True)
parser.add_argument('-d', help='Specifies the dictionary.', required=False)
parser.add_argument('-s', help='Build ASCII strings dictionary from this file.', required=False)
args = parser.parse_args()
# Named 'archive' so the zipfile module itself is not shadowed.
archive = zipfile.ZipFile(args.f)

print '{*} Cracking: %s' % args.f
print '{*} Dictionary: %s' % args.d


def biodictattack():
  """Write 'stringsdict': the printable strings in the -s file plus every
  file and directory name under a path of the user's choosing."""
  print '{*} Generating biographical dictionary...'
  with open('stringsdict', 'w') as stringsdict:
    # Picnix 'strings' prints one printable ASCII run per line; the -s
    # file is the source of those strings.
    stringsout = subprocess.Popen(['strings', args.s],
                                  stdout=subprocess.PIPE,
                                  stderr=subprocess.STDOUT)
    for string in stringsout.stdout:
      stringsdict.write(string)
    stringsout.wait()  # wait once, after the pipe has been drained
    walkpath = raw_input("Directory listing starting where? [ex. C:\\] ")
    # A single walk yields both the files and the subdirectories of each
    # directory it visits, so no second pass is needed.
    for root, dirs, files in os.walk(walkpath):
      for name in files + dirs:
        stringsdict.write(name + '\n')
  print '{*} Done. Re-run tool with zipdict.py -f (zip) -d stringsdict'


def dictattack():
  """Try each line of the -d dictionary as the archive password."""
  with open(args.d, 'r') as wordlist:
    for line in wordlist:
      dictword = line.rstrip('\r\n')
      try:
        archive.extractall(pwd=dictword)
      except Exception:
        # RuntimeError on a wrong password, or a decompression error on
        # one of the rare false positives: try the next word.
        continue
      print '{*} Password found = ' + dictword + '\n'
      print '{*} File contents extracted to zipdict path.'
      sys.exit(0)
  print '{*} Password not found in dictionary.'


if args.s:
  biodictattack()
elif args.d:
  dictattack()
else:
  parser.error('specify -d (dictionary) or -s (file to build one from)')
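An added example, not part of the tool above: Python’s zipfile module only attempts the legacy ZipCrypto scheme and raises NotImplementedError on WinZip-style AES entries (compression method 99 with a 0x9901 extra field), so whether a dictionary tool like this one is even applicable depends on how the archive was encrypted. This parser reads an archive’s central directory and reports the scheme per entry; the sample archives are constructed inside the block.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"
AES_METHOD = 99          # WinZip AE-x entries carry 99 in the method field
AES_EXTRA_ID = 0x9901    # extra field holding the real AES parameters
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def _aes_strength(extra):
    """Walk the extra-field chain; return the AES strength name or None."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_ID and len(body) >= 7:
            # vendor version (2), vendor id "AE" (2), strength (1), method (2)
            return AES_STRENGTH.get(body[4], "AES-unknown")
        pos += 4 + size
    return None


def zip_encryption_report(data):
    """Map entry name -> 'none', 'ZipCrypto' or 'AES-128/192/256'.

    The central directory is read because its sizes are always filled in
    (local headers may defer them to a data descriptor).
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    hdr = struct.unpack_from("<4s4H2LH", data, eocd)
    n_entries, cd_offset = hdr[4], hdr[6]
    report = {}
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        f = struct.unpack_from("<4s6H3L5H2L", data, pos)
        flags, method = f[3], f[4]
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        if method == AES_METHOD:
            scheme = _aes_strength(extra) or "AES-unknown"
        elif flags & 0x1:            # general-purpose bit 0: entry is encrypted
            scheme = "ZipCrypto"     # legacy scheme; the only one zipfile tries
        else:
            scheme = "none"
        report[name] = scheme
        pos += 46 + name_len + extra_len + comment_len
    return report


def build_plain_zip():
    """Constructed sample: an unencrypted archive written by the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample content")
    return buf.getvalue()


def aes_extra(strength, real_method=8):
    """Constructed 0x9901 extra field: version 2, vendor 'AE', strength, method."""
    body = struct.pack("<H2sBH", 2, b"AE", strength, real_method)
    return struct.pack("<HH", AES_EXTRA_ID, len(body)) + body


def build_synthetic_zip(entries):
    """Constructed sample from (name, flags, method, extra) tuples."""
    # The payload is a placeholder, not a real encrypted stream; only the
    # headers matter for the report.
    out, central = bytearray(), bytearray()
    for name, flags, method, extra in entries:
        name_b, payload = name.encode(), b"\x00" * 8
        offset = len(out)
        out += struct.pack("<4s5H3L2H", LOCAL_SIG, 20, flags, method, 0, 0,
                           0, len(payload), len(payload), len(name_b), len(extra))
        out += name_b + extra + payload
        central += struct.pack("<4s6H3L5H2L", CDIR_SIG, 20, 20, flags, method,
                               0, 0, 0, len(payload), len(payload), len(name_b),
                               len(extra), 0, 0, 0, 0, offset)
        central += name_b + extra
    cd_offset = len(out)
    out += central
    out += struct.pack("<4s4H2LH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(out)


if __name__ == "__main__":
    print(zip_encryption_report(build_plain_zip()))
    print(zip_encryption_report(build_synthetic_zip([
        ("legacy.txt", 0x1, 8, b""),
        ("strong.txt", 0x1, AES_METHOD, aes_extra(3)),
    ])))
```

ZipCrypto entries stay weak even with a password outside any dictionary, since a known-plaintext attack on the scheme exists, so an AES-encrypted archive (or a separate encryption layer) is the defensive choice.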

My next post will be on analyzing Volume Shadow Copies on Linux and some cool methods that I used on the 2013 DC3 Forensic Challenge.

Updates to GPS Utility (Timestamp Features)

I decided to make some pretty solid changes to TrackerCat since my last post. I wasn’t satisfied with it only converting GPX-to-KML. The new changes include the following:

  • Ability to recursively export all GPXs from a specified path (can be a mounted device image).
  • Extract and write all trackpoint timestamps to CSV, including archived files. Optionally, you can choose to export Active Log names and times to their own CSV. While the latter isn’t as important to export as trackpoint times, it may still be useful to some.
  • Display a file’s metadata time tag during the timestamp dump. This is critical if the GPX file is the Current.gpx (akin to a last access, or rather, last power-on for some devices). These are not written to CSV as their importance differs depending on file and scenario.
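As an added example (not TrackerCat’s own code, which is an XSLT transform), the two extractions listed above done in Python on a constructed GPX document: the metadata time tag and every trackpoint’s timestamp and coordinates as CSV rows, plus a minimal GPX-to-KML Placemark conversion.

```python
import csv
import io
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample shaped like a device's Current.gpx with one Active Log.
SAMPLE_GPX = """<gpx version="1.1" creator="constructed-sample" xmlns="http://www.topografix.com/GPX/1/1">
  <metadata><time>2013-05-01T12:00:00Z</time></metadata>
  <trk><name>ACTIVE LOG</name><trkseg>
    <trkpt lat="37.0000" lon="-122.0000"><ele>10.0</ele><time>2013-05-01T12:01:00Z</time></trkpt>
    <trkpt lat="37.0010" lon="-122.0010"><ele>11.5</ele><time>2013-05-01T12:01:30Z</time></trkpt>
    <trkpt lat="37.0020" lon="-122.0020"><time>2013-05-01T12:02:00Z</time></trkpt>
  </trkseg></trk>
</gpx>
"""


def _q(tag):
    """Namespace-qualify a GPX tag name for ElementTree lookups."""
    return "{%s}%s" % (GPX_NS, tag)


def metadata_time(gpx_xml):
    """Return the <metadata><time> value (the file's own time tag), or None."""
    root = ET.fromstring(gpx_xml)
    node = root.find("%s/%s" % (_q("metadata"), _q("time")))
    return node.text if node is not None else None


def trackpoints(gpx_xml):
    """Yield (track_name, lat, lon, ele, time) for every trkpt, in file order."""
    root = ET.fromstring(gpx_xml)
    for trk in root.iter(_q("trk")):
        name = trk.findtext(_q("name"), default="")
        for pt in trk.iter(_q("trkpt")):
            yield (name, pt.get("lat"), pt.get("lon"),
                   pt.findtext(_q("ele"), default=""),
                   pt.findtext(_q("time"), default=""))


def trackpoints_csv(gpx_xml):
    """CSV text with a header row and one row per trackpoint."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["track", "lat", "lon", "ele", "time"])
    writer.writerows(trackpoints(gpx_xml))
    return buf.getvalue()


def gpx_to_kml(gpx_xml):
    """Minimal KML: one Placemark per track with a LineString of its points.

    KML coordinate order is lon,lat[,ele], the reverse of the GPX
    attributes; swapping them is the classic conversion bug.
    """
    ET.register_namespace("", KML_NS)
    kml = ET.Element("{%s}kml" % KML_NS)
    doc = ET.SubElement(kml, "{%s}Document" % KML_NS)
    root = ET.fromstring(gpx_xml)
    for trk in root.iter(_q("trk")):
        pm = ET.SubElement(doc, "{%s}Placemark" % KML_NS)
        ET.SubElement(pm, "{%s}name" % KML_NS).text = trk.findtext(_q("name"), default="track")
        coords = ["%s,%s,%s" % (pt.get("lon"), pt.get("lat"), pt.findtext(_q("ele"), default="0"))
                  for pt in trk.iter(_q("trkpt"))]
        line = ET.SubElement(pm, "{%s}LineString" % KML_NS)
        ET.SubElement(line, "{%s}coordinates" % KML_NS).text = " ".join(coords)
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    print("metadata time:", metadata_time(SAMPLE_GPX))
    print(trackpoints_csv(SAMPLE_GPX))
    print(gpx_to_kml(SAMPLE_GPX))
```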

To reduce spam, I’ll try to keep minor official updates to Twitter instead of posting here in the future. Hope the updates are useful!


TrackerCat: GPX-to-KML Active Log Mapping Tool

To supplement my GPS research, I created a simple tool for the extraction of Active Log data from GPX files. This tool will transform GPS device data files into keyhole markup language files for easy mapping (GPX to KML). The output can easily be opened in programs like Google Earth. This tool will provide analysts with a better understanding of data contained within GPXs and their Active Logs. The KMLs are complete with timestamps and trackpoint coordinates.

Prior to TrackerCat – and without the use of expensive utilities – analysts had to manually re-save exported GPX files as KMLs in mapping programs. TrackerCat automates the transformation process while striving to preserve as much forensic data as possible.

While the tool is really just a simple XML-to-XML XSLT transform script (that parses the appropriate formats), you can join the project to improve its functionality! You can use the project’s GitHub to show off your own GPS device forensics scripts. Also be sure to check out the PowerPoint here.


TrackerCat has a reader-friendly GitHub landing page, or you can go right to the project’s GitHub repository.

LOIC DDoS & The Nature of Anonymous Attacks

One of the most impressive and dangerous denial of service tools is named, jokingly, the Low Orbit Ion Cannon (LOIC). The tool gained public notice after being repeatedly used in successful attacks against high-value web servers, such as those belonging to the Church of Scientology during Project Chanology, the Recording Industry Association of America (RIAA), and groups opposing MegaUpload and WikiLeaks, whom the collective considered its enemies.

While I won’t get into the ideological arguments expressed by either Anonymous or their opposition, I’d like to take a moment to explain LOIC and provide some interesting links to sites containing more information.

As I always state: I’m merely an individual interested in security for the sake of learning. If you have a vested interest in any of the ideologies, for or against the attacks, check the links below for protections or for ways to get more involved in the LOIC project.

Background

LOIC, originally written in C# by Praetox Technologies, has since been ported to an independent JavaScript program known as JS LOIC (hosted by HiveMind, linked below). As such, there’s even a web version of the DoS tool!

When the project was first released I ran a DDoS (Distributed Denial of Service) attack against my own test box using a five-PC networked LOIC attack triggered through UltraVNC (akin to a botnet), and it worked extremely well. The method could even be triggered remotely from an iPad or any device running the appropriate RAS software. If a given server or network is susceptible to LOIC attacks, a DDoS against that server or network can be extremely potent.

Details and Protection

LOIC works by flooding a specified target server with TCP or UDP packets. The attack relies on the principles inherent to most forms of DoS attack, so it’s surprisingly easy to protect against. Many servers should have been well protected against DoS attacks to begin with but, as we know from real-world IT, what’s best isn’t always what’s done.

Firewall rule-sets can be enacted that filter out the overabundance of packets coming from any one IP address long before something like this becomes a problem. To my knowledge, ISPs can protect against DoS traffic on a larger scale by filtering out the appropriate UDP and ICMP packets before they reach their intended targets.

Server administrators should make a point of contacting their ISPs to ensure measures are in place to protect them at that level, and then draft appropriate network firewall rules of their own.
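As an added example (not from the original post, and not part of LOIC or any tool linked here), the detection logic such a per-source firewall rule needs: a sliding-window packet counter run over constructed firewall-style log lines that reports any source exceeding the threshold, so a blocking rule can be written for it. The window length, threshold and log line format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=1)   # assumed measurement window
THRESHOLD = 20                  # assumed max packets per window from one source


def parse_line(line):
    """Parse an assumed 'ISO-time PROTO SRC DST:PORT' log line."""
    ts, proto, src, _dst = line.split()
    return datetime.fromisoformat(ts), proto, src


def flood_sources(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: (peak_packets_in_window, time_first_exceeded)}.

    A per-source deque holds only the timestamps inside the trailing
    window; lines must be in chronological order, as a log normally is.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        if not line.strip():
            continue
        ts, _proto, src = parse_line(line)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop packets older than the window
            q.popleft()
        if len(q) > threshold:
            peak, first = offenders.get(src, (0, ts))
            offenders[src] = (max(peak, len(q)), first)
    return offenders


def build_sample_log():
    """Constructed sample: two ordinary clients plus one LOIC-style flooder."""
    t0 = datetime(2012, 2, 6, 10, 0, 0)
    lines = []
    for i in range(25):                           # one request every 200 ms
        t = (t0 + timedelta(milliseconds=200 * i)).isoformat()
        lines.append("%s TCP 198.51.100.7 203.0.113.10:80" % t)
        lines.append("%s TCP 198.51.100.8 203.0.113.10:80" % t)
    for i in range(200):                          # 100 packets/s for 2 s
        t = (t0 + timedelta(seconds=1, milliseconds=10 * i)).isoformat()
        lines.append("%s UDP 192.0.2.66 203.0.113.10:80" % t)
    lines.sort(key=lambda l: parse_line(l)[0])    # interleave chronologically
    return lines


if __name__ == "__main__":
    for src, (peak, first) in flood_sources(build_sample_log()).items():
        print("%s: %d packets in one window, first exceeded at %s" % (src, peak, first))
```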

But many of the attacks are difficult to trace…

The Nature of Anonymous Attacks

ARP poisoning, as previously mentioned on fork(), can be used to make attacks appear to be launched from within your own network (or attacks against your network can be mounted by attackers who gain access by spoofing their way onto it). Such attacks can be used to set up various man-in-the-middle (MITM) attacks and/or DoS/DDoS attacks. For more examples see this blog’s article on session hijacking.

A good intrusion detection system that monitors ARP tables can alert the network administrator to changes or additions, and thus possibly thwart spoofed MITM attacks before they occur. The article by Busschers cited below discusses spoofed/reflected attacks and how they are conducted.
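An added example (not from the original post) of the ARP-table monitoring described above, in the spirit of the ARP Watch tool linked under Sources: it diffs a baseline snapshot against a later one (constructed `ip neigh show`-style lines) and raises alerts for new stations, changed MACs, and one MAC answering for several IPs.

```python
def parse_snapshot(text):
    """Parse 'ip neigh show'-style lines into {ip: mac}.

    Entries without an lladdr (FAILED/INCOMPLETE) are unresolved and skipped.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:
            table[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return table


def arp_alerts(baseline, current):
    """Return sorted (kind, subject, detail) tuples for changes since baseline.

    'changed-mac' is the arpwatch-style 'changed ethernet address' event;
    'shared-mac' flags one MAC bound to several IPs in the same snapshot.
    """
    alerts = []
    for ip, mac in current.items():
        if ip not in baseline:
            alerts.append(("new-station", ip, mac))
        elif baseline[ip] != mac:
            alerts.append(("changed-mac", ip, "%s -> %s" % (baseline[ip], mac)))
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("shared-mac", mac, ", ".join(sorted(ips))))
    return sorted(alerts)


# Constructed snapshots: .1 is the gateway; in the later one it resolves to
# the MAC of host .21, and a new host .30 has appeared.
BASELINE = """\
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.0.2.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.0.2.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
"""

LATER = """\
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
192.0.2.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
192.0.2.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
192.0.2.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.0.2.40 dev eth0 FAILED
"""


if __name__ == "__main__":
    for kind, subject, detail in arp_alerts(parse_snapshot(BASELINE), parse_snapshot(LATER)):
        print("%-12s %-18s %s" % (kind, subject, detail))
```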

Sources

My blog isn’t funded by any corporations or governments and as such I’m fully willing to give all sides to an argument. So, I’ve constructed a list of sources I used when writing this post as well as some sites that may interest those wanting to learn more:

If you’d like to contribute to the C# original LOIC project please check out the LOIC project page here: https://github.com/NewEraCracker/LOIC/

Additionally you can check the more frequently updated SourceForge page for JS LOIC designed by HiveMind: http://sourceforge.net/projects/loic/

The HiveMind web version is located here: https://code.google.com/p/lowc/

Server Fault (Stack Exchange) Topic in regards to preventing LOIC DDoS posed by a user in 2010: http://serverfault.com/questions/211135/how-to-prevent-a-loic-ddos-attack

“4 Best Practices for Mitigating DDoS Effects,” by ES Enterprise Systems, February 6, 2012. Article discusses DDoS damage mitigation here: http://esj.com/articles/2012/02/06/best-practices-mitigating-ddos.aspx

“Effectiveness of Defense Methods Against DDoS Attacks by Anonymous,” Busschers, Rik. University of Twente, NL. This is a great article detailing the Anonymous Chanology & Operation Payback attacks, those recent attacks against PayPal, MasterCard and more. Check it out here: http://referaat.cs.utwente.nl/TSConIT/download.php?id=1085 (It’s also an excellent article for learning more about the type of attacks used and how such things as SYN packet flooding work. If the article ever goes off-line I’ll re-upload it.)

Another great source detailing spoofed DDoS attacks: http://www.skullbox.net/spoofeddos.php

ARP Poisoning/Spoofing in detail can be further explored here: http://www.irongeek.com/i.php?page=security/arpspoof

Network Research Group (NRG)’s ARP Watch can be found here: http://www-nrg.ee.lbl.gov/

Google Searching & Subversion

Google can be an extremely powerful tool to have at your disposal. You can use advanced operators appended to Google search strings to enhance your searching. Using this method you can find (almost) anything.

The fun thing about playing with Google operators is that there’s no limit to what you can do. The potential grows greater with time as different sites introduce different technologies which react differently to Google’s search spiders. Consider the ability to use Google to find images taken from security cameras! This is an extremely powerful exploit using a very legitimate method. Security professionals should take note. But right now we’re going to go over some basics for all the folks that don’t care about exploitation…

Operators and Symbol/Special Word Usage

If you’re not quite aware of Google’s power try using mathematical operators in your search string. Operators are:

^ + - * / are basic operators
% of - as in, "percent of."
in - as in, "340 lbs in kg."

As such these can be seen in the string:

(36+3) * 2

In which case the answer will calculate to 78, showing a neat on-screen calculator and adhering to the rules of PEMDAS (quite like your Python interpreter). By the way, if words are mixed into the search, you’ll get a search for the words and numbers rather than the result of the math (such as asking Google, “What is the sum of (36+3) * 2?”).

Symbols and special words, with examples, include:

- meaning not the next word; exhaust -cars
+ must include the next word; "cats" "dogs" "ducks"
~ find word references of all sorts; dishonest ~dictionary (or wherever you want to search)
" " search exact phrase on page together; example "cats" + "dogs"
... range search; Dan Brown 1990...2012
AND such as "ducks" and "goats"
OR you probably get the point

Advanced Search Techniques/Operators

Okay cool, so we know how to say that we want to search for ducks and chickens but only if they occur on the same page so long as hens aren’t mentioned! But what else can you do?

Some advanced operators for use in the search bar can include:

book searches the content of an entire book on Google Books
define, what is, what are these are all types of definition queries
cache:* will give you the last recorded cached page for a specified URL; note there are cache archives out there as well.
id: or info: gives you information about a specified URL
related: will attempt to give you related web pages to the specified URL.
movie: 007; common sense.
site: can be used to search only on a specific domain
filetype: or ext: searches documents of a specific types such as PDFs.
link: searches pages that are linked to a specified URL (very cool feature)
stocks: looks up stock quotes
weather: (state, zip, etc) can result in giving you weather reports
allinanchor: specifies a word which, when found in the alt or anchor will trigger. Useful to find sites that refer to other sites by a certain name or word.
inanchor: specifies a word that must appear in an anchor otherwise it isn't listed in the search results.
allintext: or intext: does the same as the two above except the word can or must be within the text of the page.
allinurl: or inurl: term must be listed within the URL.
allintitle: or intitle: refers to the title line, usually shown above the file menu bar in the browser.

For more cache sites please see a list of repositories.

Okay, that’s enough for now… each of Google’s services also has its own set of advanced searches, but that goes beyond the scope of this blog entry.

So by now you realize you can mix and match results. But what else can we learn? First a word of warning…

Google’s Data Retention

Before you try and pull the wool over anybody’s eyes make sure you’re not logged into Google. Data typed into Google and with an account associated with such information will be kept indefinitely. Anonymous data collection – if you’re not logged in – will include your IP address, search string and time and date the search was made (as well as the results so that Google can monitor their search algorithms and generate statistics).

Within a certain amount of time the IP addresses are stripped from the search so that only the search words, date, time and results remain (I forgot how long, it was actually on an MSNBC documentary… what?? I don’t work for Google!).

If you’re worried about privacy use a proxy and/or VPN solution. Plain and simple.

Analyzing the Browser URL/Parameters and Google Hacking

On your browser you can get a lot of information by looking at your URL bar. You can tell where on the internet you’re going (duh)! So at its base Google may say: http://www.google.com/

Found a neat cheat sheet for reading the various parameters here: http://cdn.yoast.com/wp-content/uploads/2007/07/google-url-parameters.pdf — but what this means is essentially there’s a lot of code in there when you actually search that you probably don’t need to know.

But altering the URL line, or at least understanding it is a key to any successful “Google hack.” When we say “google hacking” we essentially mean directing or using Google search to perform tasks that we wish the search engine to accomplish. People call these “Google dorks.”

There are also exploits which can be triggered against a remote machine by using Google’s search engine. One such example is SQL Injection via Google which can be used by exploiting database code on a remote server in hopes of gaining useful information.

A great guide to Google SQL Injection can be found here @ breakthesecurity.com.

What Google hacking isn’t: Google hacks do not access restricted data on Google’s own servers. You aren’t “hacking into Google,” so if that’s what you’re looking for you should go seek psychiatric help. There’s nothing wrong with using Google dorks to accomplish tasks which would otherwise be difficult to do. However, exploiting any remote system to gain access which would otherwise be restricted to you is subject to federal and state laws. If in doubt, don’t do it.

Lastly, you can also use Google searches to pull up completely benign but useful information. Such information can include a person’s entire background or even default router gateway UI login information (dlink + model # + default username and other such combinations can be extremely useful for this form of recon).

Consider the fact that many popular cross-platform password managers save their username/password database files with the same .db extension. Some people actually upload their db files right to their web server for safe keeping. Proper awareness of these security concerns is needed.

Happy hunting. The sky’s the limit!

Google Dorks

There are Google dorks for everything from searching for specific types of photos to accessing content which would otherwise be restricted to you on a remote system. Google is a public search engine and as such provides access to everything that its spiders have access to. This can be used for positive and negative gain.

Offensive Security’s Exploit DB covers Google hacks extensively here: http://www.exploit-db.com/google-dorks/

One popular dork is:

"index of /etc/passwd"

This will attempt to show you password files on systems that are also running active web servers. In this case you’d enter that text directly into the Google search field; it’ll find pages where that content is displayed prominently.

Another is the ability to look up and remotely control TrackerCam security cameras using Google, by manipulating the search URL directly:

https://encrypted.google.com/search?num=100&hl=en&lr=&safe=off&q=intitle%3A%28%22TrackerCam+Live+Video%22%29|%28%22TrackerCam+Application+Login%22%29|%28%22Trackercam+Remote%22%29+-trackercam.com&btnG=Search

Similarly you can search using keywords if you know which words a specific system uses. Consider the TrackerCam example. We know that such sites use “TrackerCam Live Video,” “TrackerCam Application Login,” or “TrackerCam Remote” in the page’s title, so use the intitle operator to search for such pages.

The operation can be best illustrated by asking Google to search for:

intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com

As you can see, the pipe can be used to separate multiple intitle search options, following similar rules as any computer command line or program interpreter. Using common sense you can master these techniques to give you a desired outcome.

For sake of exhausting this example you can also make up something along the lines of…

inurl:log.txt intext:"password" -com

This searches log files on web servers for the phrase “password” within those text files, excluding any result that matches “com” (the - operator from above). Using that, and/or replacing “password” with “username,” you can typically find information stating when a specific user did things that are log-worthy (such as a web server software upgrade).

Google dorking is about using your imagination and testing it. Keep in mind, though, that all of your queries will be retained by Google together with your external IP address!

But the purpose of this post isn’t to show you how to “exploit” Google or any other web server. My goal is to help reinforce the need for companies worldwide to study their technologies and ensure that the loopholes such technologies present are within reason. A wise man once said, “knowing is half the battle.” For that reason I’ll let you, the reader, explore new Google dorks of your own.

cDc’s Goolag Dorks Scanner

One of the coolest tools I’ve ever had the chance to play with has got to be Cult of the Dead Cow‘s Goolag Scanner, or gS for short. Although the tool is rather dated, it runs batches of Google dork queries against a domain of your choice, from data-retention and cache checks to GHDB-style dorks like the ones above, so you can see what a search engine exposes about that domain without typing each dork by hand.

To find the scanner you should search around the ‘net, again, it’s really old!

In Closing

Google is an amazing tool which puts all the services of the internet at your fingertips. But service providers and technology producers alike must routinely check what search engines have indexed about their own systems. Part of this is to regularly test search engine accessibility: not merely for optimization, but to catch the directory listings, log files and device login pages shown above before someone else does. Scoping the dorks above with site:yourdomain.com is the simplest way to run that check.

I hope that you’ve also learned a thing or two about advanced Google searching. Whether you’re an investigator or an every-day user, you can use the techniques discussed here to improve your search experience online.

Python Common Exponent Mistake

I was just learning some Python when I ran across a problem. So I thought I’d share the solution to that problem here in case any amateur programmers are running across it during their studies:

print 8^3

Was giving me the answer 11 when in actuality I wanted 8 raised to the 3rd power (8*8*8), which should yield 512.

Exponentiation in Python uses the ** operator, not the ^ that is conventional in mathematics:

print 8**3

Stack Overflow forum members helped me realize that ^ in Python is the bitwise XOR operator while ** is the power operator. So don’t confuse the two:

print(8**3 == 8*8*8)  # True - both are 512 (== tests equality; <= would also print True for unequal values)

Bitwise XOR instead compares the two integers bit by bit and sets each bit of the result where exactly one of the inputs has that bit set. 8 is 1000 in binary and 3 is 0011, so 8 ^ 3 is 1011, which is 11. The result is an ordinary integer, not a string of binary digits; it only makes sense when you think of the operands as bit patterns.
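To make the difference concrete, here is an added example for this page (not code from the original post) that puts the two operators side by side and goes a step beyond the 8 ** 3 case: it shows the bit pattern behind 8 ^ 3 == 11, XOR’s self-inverse property, which is what stream ciphers and simple malware obfuscation rely on, and modular exponentiation with the three-argument pow(), which is the ** family of operations behind RSA and Diffie-Hellman. The function names are this example’s own.

```python
def power(base, exp):
    """Exponentiation: 8 ** 3 -> 512 (repeated multiplication)."""
    return base ** exp


def xor_bits(a, b, width=4):
    """Show why 8 ^ 3 == 11: XOR sets a result bit wherever exactly one
    operand has that bit set. Returns the binary strings of a, b and a ^ b
    (zero-padded to `width` bits) plus the integer result."""
    fmt = "{:0%db}" % width
    return fmt.format(a), fmt.format(b), fmt.format(a ^ b), a ^ b


def xor_bytes(data, key):
    """Apply a repeating XOR key to a byte string. Because x ^ k ^ k == x,
    calling this twice with the same key returns the original. This is the
    operation ^ actually performs on integers, and the reason it shows up in
    stream ciphers and obfuscated payloads, not in exponent arithmetic."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mod_power(base, exp, mod):
    """Modular exponentiation via pow(b, e, m), equal to (b ** e) % m but
    without building the huge intermediate. Writing b ^ e here would
    silently compute an XOR instead of a power."""
    return pow(base, exp, mod)


if __name__ == "__main__":
    print(power(8, 3))                      # 512
    print(xor_bits(8, 3))                   # ('1000', '0011', '1011', 11)
    masked = xor_bytes(b"attack at dawn", b"key")   # constructed sample input
    print(masked, xor_bytes(masked, b"key"))
    print(mod_power(8, 3, 100))             # 12
```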

Python’s reference page on expressions, and in particular the section on the power operator, is linked under Sources below, as is the Python wiki page on bitwise operators (including XOR).

Sources:

Python reference, the power operator:

http://docs.python.org/reference/expressions.html#the-power-operator

Python doc on Bitwise XOR:

http://wiki.python.org/moin/BitwiseOperators

Metasploit 3.5.2 Windows VB-XCACLS Error

I was installing the Windows Metasploit on a Windows XP desktop host today and I encountered an error message. After resolving the error I thought I’d post about it here to inform people of why it occurs and how to fix it.

Problem running post-install step. Installation may not complete correctly
Error running cscript "C:\metasploit\tools\XCACLS.vbs" "C:\metasploit" /G "(Username):f" /G SID#S-1-5-18:f /I REMOVE /T: Program ended with an error exit code

If you get that message and you’re using XP, you’re dating yourself. In Windows versions prior to Windows Vista you’ll need Microsoft’s Xcacls.vbs script, available from the “Extended Change Access Control List Tool (Xcacls)” download page.

The r00tsec blog describes this as being caused by Metasploit’s post-install step, which sets permissions on the framework directory so that the framework can run without requiring special permissions from the user; on XP that step depends on the right tool (the Xcacls script from Microsoft), which is not present by default. The error message shows what the step is trying to do: the two /G switches grant full control (:f) to the installing user and to SID S-1-5-18, which is the Local System account.

It is my understanding that the tool above allows Metasploit to run with the right privileges without requiring any additional access/permission(s) on the part of the user.

The “Authenticated Users” group itself exists on XP; what XP lacks is a bundled ACL editor that the installer can drive with raw SIDs (the SID# syntax in the error message), which is why the separately downloaded Xcacls.vbs is needed to facilitate this operation on the earlier operating systems.

To fix the error(s)

All I did was uninstall Metasploit (may or may not be required), install the VB tool, and reinstall.

When asked where Xcacls.vbs should install, you can install it to your framework directory. Then, from a Command Prompt opened in the same directory as xcacls.vbs:

cscript //H:CScript
cscript xcacls.vbs
xcacls.vbs (framework directory) /E /R SID#S-1-5-32-545 /T

The first line makes cscript the default script host (host options take a double slash; a single /h would be passed to the script as an argument). The second runs xcacls.vbs with no arguments, which just prints its usage and confirms the script executes. The third edits (/E) the directory’s existing ACL rather than replacing it, revokes (/R) the entries for SID S-1-5-32-545, the BUILTIN\Users group, and walks (/T) the subdirectories.
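The same three steps, wrapped as a batch file with the checks you would want before and after touching an ACL. This is an added example for this page, not the Metasploit installer’s own post-install script; it assumes xcacls.vbs has already been copied into the framework directory passed as the first argument and is run from an administrator account.

```batch
@echo off
rem Added example: re-run the post-install ACL fix by hand on XP with checks.
rem Assumes xcacls.vbs (from Microsoft's Xcacls download) sits in the
rem framework directory given as %1.
setlocal
if "%~1"=="" (
    echo usage: %~nx0 framework-directory
    exit /b 1
)
set "FW=%~1"
if not exist "%FW%\xcacls.vbs" (
    echo xcacls.vbs not found in "%FW%"; install the Xcacls tool there first.
    exit /b 1
)

rem Make cscript the default host so .vbs files run in the console.
cscript //nologo //H:CScript

rem Show the current ACL on the framework directory before changing it.
cacls "%FW%"

rem Edit (/E) the existing ACL, revoke (/R) BUILTIN\Users (S-1-5-32-545),
rem walking (/T) subdirectories; SID# lets xcacls.vbs take a raw SID.
cscript //nologo "%FW%\xcacls.vbs" "%FW%" /E /R SID#S-1-5-32-545 /T
if errorlevel 1 (
    echo xcacls.vbs failed; re-check the .vbs file association and the path.
    exit /b 1
)

rem Confirm the Users group no longer appears in the ACL.
cacls "%FW%" | find /i "BUILTIN\Users" >nul && echo WARNING: Users still has access || echo Users entry removed.
endlocal
```

Calling xcacls.vbs through cscript explicitly, rather than relying on the .vbs association, sidesteps the Notepad problem described in the note that follows.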

Note – If your .vbs scripts are opening in Notepad, the Visual Basic Script file association has been broken (yes, you just wanted to open every script in your cool new text editor, right?). You can check it from a Command Prompt: assoc .vbs should print .vbs=VBSFile, and ftype VBSFile should point at "%SystemRoot%\System32\WScript.exe" "%1" %*. You can correct it by restoring those values (the HKEY_CLASSES_ROOT\.vbs and VBSFile\shell\open\command registry keys) or simply by downloading a .reg fix which will reset it for you.*

A similar problem can also occur in Vista but to read more about it please follow the r00tsec link below.

Keep in mind that Metasploit works best in Linux as there are many bugs that need ironing out in the Windows release.

Source: Computer Security Blog | Learning The Offensive Security: Metasploit Framework 3.5.2 Released!

Source2: http://blog.metasploit.com/2011/02/metasploit-framework-352-released.html

* VBS Association Fix (XP):
http://www.dougknox.com/xp/fileassoc/xp_vbs_file_association.zip