Friday, August 24, 2018

Were You Attacked Today With Yesterday's Hacking Technique?

We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time -- today’s hack, yesterday’s technique.

Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.

Read the full article at Forbes here

Wednesday, June 6, 2018

Fixating On Vulnerabilities Is A Vulnerability

You almost have to admire the hackers. Almost. Technology research firm Gartner (via Forbes) estimates that companies will spend $93 billion on cybersecurity technologies in 2018. Yet, according to a recent study by security firm Norton (via MIT Technology Review), the relentless efforts of the global hacking community still netted $172 billion in ill-gotten gains. There’s no indication that things will be any different this year. Why do the hackers continue to succeed? What must industry do to make hacking a less profitable venture for the adversary?

To better understand and answer these questions, it’s useful to examine the hackers’ successes and look for consistencies. But first, let’s define a word that is often misused or misunderstood in cybersecurity discussions: vulnerability.

Read the full article at Forbes here

Thursday, February 16, 2017

The Key To Cybersecurity: Shared Intelligence And Industry Cooperation

Chicago in the 1930s was a hive of organized crime where the bad guys always had the upper hand. As dramatized by the film "The Untouchables," lawman Eliot Ness confides to Officer Jim Malone that he is prepared to do “everything within the law” to take down Al Capone. But streetwise Malone tells Ness that, to win, he must be prepared to do more. “He pulls a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. That’s the Chicago way.”

Like ‘30s Chicago, the dark web is crawling with global crime syndicates, and everyone I've talked to says fighting the Chicago way sounds appealing. The problem is that the same laws that make hacking a crime also make it a crime to retaliate.

Read the full article at Forbes here

Wednesday, July 13, 2016

Fuzzing The Kill Chain

Fuzzing is a technique in software testing where you generate a number of random inputs and see how a program handles them. So what does a testing technique have to do with a process such as the Cyber Kill Chain, as developed by Lockheed Martin? Easy! Just as fuzzing software produces resilient software, fuzzing a process will produce a validated process. The Kill Chain lays out about seven steps that adversaries must complete in order to achieve their goals, but will that always be the case? Can an attacker pull off a successful attack with just one step? Or three? That's what we're going to fuzz out ...

(Again, in order to avoid cross-posting between the different blogs, that was just a brief paragraph and a link to the original post is below).

Continue reading: https://www.safebreach.com/blog/fuzzing-the-kill-chain

Wednesday, December 2, 2015

I See Your True ECHO_REQUEST Patterns (Pinging Data Away)

I've started blogging again! In order to avoid cross-posting between the different blogs, I'll just give a brief paragraph and a link back to the original post. Here we go:

Getting into a network and getting data out of a network are two different challenges. Just because an employee clicked on a malicious link and got hacked, it doesn't mean the attacker gets to walk off with PII, financials, source code, etc. In this blog post, we'll explore the known breach method of using the ICMP protocol for data exfiltration, but with a twist. Instead of showing how to use this breach method with some custom-made tools, we're going to do it using the default and common ping utility, red team style!

Continue reading: http://blog.safebreach.com/2015/12/02/i-see-your-true-echo_request-patterns-pinging-data-away/
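From the defender's side of the post above, the question is how an echo request carrying data differs from one a stock ping utility emits. The following is an added example, not code from the original post: it parses constructed raw IPv4/ICMP packets, compares the payload against the well-known default fillers (iputils ping: timestamp followed by bytes 0x10, 0x11, ...; Windows ping: a repeating "abcdefghijklmnopqrstuvw" string), and flags anything else, with the entropy threshold and size limit chosen here as assumptions.

```python
import math
import struct

# Default fillers used by common ping implementations (iputils after its 8- or
# 16-byte timestamp; Windows ping's fixed 32-byte string).
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"

def parse_icmp_echo(pkt):
    """Return (id, seq, payload) for an IPv4 ICMP echo request, else None."""
    if len(pkt) < 20 or pkt[9] != 1:            # IP protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] != 8:           # ICMP type 8 = echo request
        return None
    ident, seq = struct.unpack("!HH", icmp[4:8])
    return ident, seq, icmp[8:]

def shannon_entropy(data):
    """Bits of entropy per byte; ping fillers score low, compressed or encrypted data high."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_default_ping(payload):
    """True if the payload matches the iputils or Windows default filler."""
    if len(payload) == 32 and payload == WINDOWS_PATTERN:
        return True
    for ts_len in (8, 16):                      # iputils timestamp length varies by version
        tail = payload[ts_len:]
        if tail and tail == bytes((0x10 + i) & 0xFF for i in range(len(tail))):
            return True
    return False

def classify_echo(pkt, entropy_threshold=4.0, max_len=64):
    """Label one packet; thresholds are assumptions to tune per environment."""
    parsed = parse_icmp_echo(pkt)
    if parsed is None:
        return "not-echo-request"
    payload = parsed[2]
    if looks_like_default_ping(payload):
        return "benign-default-payload"
    if shannon_entropy(payload) > entropy_threshold or len(payload) > max_len:
        return "suspicious-payload"
    return "nonstandard-payload"

def build_packet(payload, proto=1, ident=0x1234, seq=1):
    """Constructed sample: 20-byte IPv4 header + ICMP echo request, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                     proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

# Constructed test packets, not captured traffic.
SAMPLES = {
    "linux_default": build_packet(b"\x00" * 8 + bytes(range(0x10, 0x40))),
    "windows_default": build_packet(WINDOWS_PATTERN),
    "high_entropy": build_packet(bytes(range(255, 199, -1))),
    "constant_fill": build_packet(b"A" * 56),
    "tcp_segment": build_packet(b"\x00" * 56, proto=6),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_echo(pkt))
```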

Wednesday, August 7, 2013

Pythonect Has New Graphs, Documentation, Tutorial, and More!

About two weeks ago I released a new version of Pythonect (0.6) with new features, documentation, a tutorial, and a (small, but growing) example directory.
I'd like to take this opportunity to discuss the past, present and future of the Pythonect project.

Nearly 2 years ago I started working on Pythonect with the intention of helping software developers connect the dots and make mashups, rapid prototyping, and the development of scalable distributed applications easy. Pythonect is a new, experimental, general-purpose dataflow programming language based on Python. It aims to combine the intuitive feel of shell scripting (and all of its perks, like implicit parallelism) with the flexibility and agility of Python. The Pythonect interpreter (and reference implementation) is free and open source software written completely in Python, and is available under the BSD 3-Clause license.

Why Pythonect? Pythonect, being a dataflow programming language, treats data as something that originates from a source, flows through a number of processing components, and arrives at some final destination. As such, it is most suitable for creating applications that are themselves focused on the "flow" of data. Perhaps the most readily available example of a dataflow-oriented application comes from the realm of real-time signal processing, e.g. a video signal processor which starts with a video input, modifies it through a number of processing components (video filters), and finally outputs it to a video display.

As with video, many applications can be expressed as a network of different components that are connected by a number of communication channels. The benefits, and perhaps the greatest incentives, of expressing an application this way are scalability and parallelism. The different components in the network can be rearranged to create entirely new dataflows without requiring the relationships between them to be hardcoded. Also, the design and concept of components make it easier to run on distributed systems and parallel processors.

Here is the canonical "Hello, world" example program in Pythonect:
"Hello, world" -> print
And here is the canonical "Hello, world" multi-threaded example program in Pythonect:
"Hello, world" -> [print, print]
Not to mention that you can go from multi-threaded to multi-processed as easily as:
"Hello, world" -> [print &, print &]
Or remotely call a procedure using XML-RPC:
"Hello, world" -> print@xmlrpc://localhost:8081
The language couldn't possibly be simpler...
Okay, so what's new you're asking? *I was wrong*, it can be simpler, and it is in Pythonect version 0.6 :-)

In Pythonect 0.6.0 I have re-written the engine and some large parts of the backend. Pythonect now uses a graph (a NetworkX DiGraph) as its data structure, and it also supports multiple file formats as input. Currently, Pythonect (since version 0.6) supports 3 file formats:
  • *.P2Y (a text-based scripting language that aims to combine the quick and intuitive feel of shell scripting with the power of Python)
  • *.DIA (a visual programming language enabled by Dia)
  • *.VDX (a visual programming language enabled by Microsoft Visio XML)
In other words, the "Hello, world" graph (shown as an image in the original post) is equal to:
"Hello, world" -> print
And vice versa. You can launch (almost) any graph/diagram editor and save a graph/diagram in *.VDX or *.DIA format, and Pythonect will be able to parse and run it (even if it's gzipped!). Curious to see what a multi-threading/processing graph looks like? See the image in the original post.

Yup, it's that simple: one node with two edges. That graph is equal to:
"Hello, world" -> [print, print]
Which is the canonical "Hello, world" multi-threaded example program. Now, another issue that I have addressed in this release is the reduce functionality.
The famous reduce from big data. Let's say that we want to write a program that adds one to every integer input and eventually sums all the results:
[1,2,3] -> _ + 1 -> sum -> print
The above example won't work because Pythonect maps (think MapReduce) each iterable value to its own thread, so the sum function will actually receive 2, 3 and 4 separately and not as a list. A workaround for this is:
sum(`[1,2,3] -> _+1`) -> print
But with the new reduce functionality in Pythonect 0.6, it is as easy as:
[1,2,3] -> _ + 1 -> sum(_!) -> print
By using the _! identifier, the Pythonect interpreter will automatically join all the values (and threads/processes) into a single list and pass it to the Python function without any prerequisites. The same applies when using a graph: the corresponding graph (shown as an image in the original post) is equal to:
[1,2,3] -> _ + 1 -> sum(_!) -> print
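To make the fan-out and join semantics above concrete, here is an added example that is not Pythonect's own engine: a stripped-down Python model in which a list source maps each item to its own thread, `[f, g]` sends every value to both branches, and a Reduce stage stands in for `sum(_!)`. It reproduces the failing `sum`, the backtick workaround and the `_!` join from the post; the Reduce name and the list-only fan-out rule are simplifying assumptions.

```python
import threading

class Reduce:
    """Stage that receives every in-flight value as one list (models `sum(_!)`)."""
    def __init__(self, fn):
        self.fn = fn

def run_stage(fn, values):
    """Run fn on each value in its own thread; a list result fans out into separate values."""
    results, errors = [None] * len(values), []

    def worker(i, v):
        try:
            results[i] = fn(v)
        except Exception as exc:          # collect here, re-raise on the caller's thread
            errors.append(exc)

    threads = [threading.Thread(target=worker, args=(i, v)) for i, v in enumerate(values)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    if errors:
        raise errors[0]
    out = []
    for r in results:
        if isinstance(r, list):
            out.extend(r)
        else:
            out.append(r)
    return out

def flow(source, stages):
    """Evaluate `source -> stage1 -> stage2 ...`; a list source maps each item to a thread."""
    values = list(source) if isinstance(source, list) else [source]
    for stage in stages:
        if isinstance(stage, Reduce):
            values = [stage.fn(values)]   # join all threads' outputs into a single list
        elif isinstance(stage, list):     # [f, g]: every value goes to every branch
            values = [v for branch in stage for v in run_stage(branch, values)]
        else:
            values = run_stage(stage, values)
    return values

def add_one(x):
    return x + 1

def naive_sum_fails():
    """[1,2,3] -> _ + 1 -> sum : each thread hands sum() a bare int, which raises."""
    try:
        flow([1, 2, 3], [add_one, sum])
    except TypeError:
        return True
    return False

def workaround():
    """sum(`[1,2,3] -> _ + 1`) : collect the inner flow in plain Python, then sum."""
    return sum(flow([1, 2, 3], [add_one]))

def reduce_after_map():
    """[1,2,3] -> _ + 1 -> sum(_!) : the join hands sum() the whole list."""
    return flow([1, 2, 3], [add_one, Reduce(sum)])

def fan_out_branches():
    """"Hello, world" -> [upper, lower] : both branches run on the same value."""
    return flow("Hello, world", [[str.upper, str.lower]])

if __name__ == "__main__":
    print(naive_sum_fails(), workaround(), reduce_after_map(), fan_out_branches())
```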
Now let's talk about the future of Pythonect. Here's a link to the TODO list, where you can find future directions. In a nutshell, more graphs, more Python implementation support, and more Service-oriented architecture (SOA).

Right now, the biggest application of Pythonect (to the best of my knowledge) is my second project, Hackersh. Hacker Shell (hackersh) is a free and open source command-line shell and scripting language designed especially for security testing. It is written in Python and uses Pythonect as its scripting engine. The upcoming release of Hackersh (work in progress!) will also enjoy the Pythonect 0.6 features, such as graphs (*.VDX and *.DIA) as scripts and a better reduce functionality.

To learn more about Pythonect, please visit its homepage: http://www.pythonect.org and be sure to check out the new documentation at: http://docs.pythonect.org/en/latest/ where you can find an up-to-date tutorial and installation instructions.

That's all for now!

Wednesday, April 3, 2013

Hackersh 0.1 Release Announcement

I am pleased to announce the official 0.1 launch of Hackersh ("Hacker Shell"), a shell (command interpreter) written in Python with built-in security commands and out-of-the-box wrappers for various security tools. It uses Pythonect as its scripting engine. Since it's the first release of Hackersh, I'd like to take this opportunity to explain how it works and why you should be using it.

Hackersh is an interactive console for security research and testing. It uses Pythonect as its scripting language. Pythonect is a new, experimental, general-purpose high-level dataflow programming language based on Python. It aims to combine the intuitive feel of shell scripting (and all of its perks, like implicit parallelism) with the flexibility and agility of Python. The combination of the two makes:
"http://localhost" -> url -> nmap -> w3af -> print
return something like this:
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| VULNERABILITY DESCRIPTION                                                    | URL                                                             |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| Cross Site Scripting was found at:                                           | http://localhost:8080/black/vulnerabilities/xss_r/              |
| "http://localhost:8080/black/vulnerabilities/xss_r/", using HTTP method GET. |                                                                 |
| The sent data was:                                                           |                                                                 |
| "name=%3CSCrIPT%3Efake_alert%28%22v3bd%22%29%3C%2FSCrIPT%3E". This           |                                                                 |
| vulnerability affects ALL browsers                                           |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The whole target has no protection (X-Frame-Options header) against          | Undefined                                                       |
| ClickJacking attack                                                          |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| "X-Powered-By" header for this HTTP server is: "PHP/5.3.3-7+squeeze3"        | Undefined                                                       |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The server header for the remote web server is: "Apache/2.2.16 (Debian)"     | Undefined                                                       |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| An error page sent this Apache version: "addressApache/2.2.16 (Debian)       | http://localhost:8080/black/vulnerabilities/xss_r/_vti_inf.html |
| Server at localhost Port 8080/address"                                       |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The remote Web server sent a strange HTTP response code: "405" with the      | http://localhost:8080/black/vulnerabilities/xss_r/GeBrG         |
| message: "Method Not Allowed", manual inspection is advised                  |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The remote Web server sent a strange HTTP reason message: "The HTTP server   | http://localhost:8080/black/login.php                           |
| returned a redirect error that would lead to an infinite loop. The last 30x  |                                                                 |
| error message was: Found" manual inspection is advised                       |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The remote Web server has a custom configuration, in which any non existent  | http://localhost:8080/black/vulnerabilities/xss_r/              |
| methods that are invoked are defaulted to GET instead of returning a "Not    |                                                                 |
| Implemented" response                                                        |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The URL: "http://localhost:8080/black/vulnerabilities/xss_r/" sent the       | http://localhost:8080/black/vulnerabilities/xss_r/              |
| cookie: "security=low"                                                       |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| The URL: "http://localhost:8080/black/index.php" sent the cookie:            | http://localhost:8080/black/index.php                           |
| "PHPSESSID=lut893qvd4gdngp1rud5ei8pc2; path=/"                               |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
| A cookie matching the cookie fingerprint DB has been found when requesting   | http://localhost:8080/black/index.php                           |
| "http://localhost:8080/black/index.php" . The remote platform is: "PHP"      |                                                                 |
+------------------------------------------------------------------------------+-----------------------------------------------------------------+
So, how does it work? As a dataflow programming language, Pythonect treats data as something that originates from a source - it flows through a number of processing components and arrives at a final destination. As such, it is most suitable for creating applications that are themselves focused on the "flow" of data. Perhaps the most readily available example of a dataflow-oriented application comes from the realm of real-time signal processing, e.g. a video signal processor which starts with a video input, modifies it through a number of processing components (i.e. video filters), and finally outputs it to a video display.

As with video, penetration testing (and other security domains) can be expressed as a network of different components such as targets, network scanners, web security scanners, etc., connected by a number of communication channels. These components (and more) are provided by Hackersh, and can be either internal (e.g. url is an internal component that converts a String to a URL) or external (e.g. nmap is a wrapper around the Nmap security scanner). Every Hackersh component (except the Hackersh Root Component) is standardized to accept and return a context. A context is a dict (i.e. associative array) that can be piped through different components, just like text can be piped through different Unix tools (e.g. cat, grep, wc, etc.).

Back to real life examples, here is how you can pass command line arguments to an external Hackersh component (e.g. nmap):
"http://localhost" -> url -> nmap("-sS -P0 -T3") -> w3af -> print
Here is how you can debug a Hackersh component:
"http://localhost" -> url -> nmap("-sS -P0 -T3", debug=True) -> w3af -> print
Please note that this is not a component-specific option, as almost every Hackersh component can be debugged this way.

Moving on to more advanced options:
"http://localhost" -> url -> nmap("-sS -P0 -T3") -> [_['PORT'] == '8080' and _['SERVICE'] == 'HTTP'] -> w3af -> print
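To show what the context-dict convention and the filter stage above mean in plain Python, here is an added example that is not Hackersh's own code: a `url`-style component builds the initial context, an `nmap`-style component parses a constructed nmap grepable-output (-oG) line into one context per open port instead of running a scan, and the page's filter expression is applied as a predicate. The context key names and the service-name normalisation are assumptions.

```python
import re
from urllib.parse import urlparse

def url(value):
    """Internal-style component: convert a string into a URL context."""
    p = urlparse(value)
    default = {"http": 80, "https": 443}.get(p.scheme, "")
    return {"URL": value, "HOSTNAME": p.hostname, "PORT": str(p.port or default)}

# Constructed sample of nmap -oG output for the page's http://localhost target;
# each entry is port/state/protocol/owner/service/rpcinfo/version/.
NMAP_GREPABLE = (
    "Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh//OpenSSH 5.5p1/, "
    "80/open/tcp//http//Apache httpd 2.2.16/, "
    "8080/open/tcp//http-proxy//Apache httpd 2.2.16/, "
    "3306/open/tcp//mysql//MySQL 5.1/\tIgnored State: closed (996)"
)

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

def nmap(ctx, grepable=NMAP_GREPABLE):
    """External-style component: one enriched context per open port found in the output."""
    out = []
    for port, state, proto, service, version in PORT_RE.findall(grepable):
        if state != "open":
            continue
        port_ctx = dict(ctx)                  # the incoming context is copied and enriched
        port_ctx.update({
            "PORT": port,
            "PROTO": proto,
            "SERVICE": service.split("-")[0].upper(),   # assumption: "http-proxy" -> "HTTP"
            "VERSION": version,
        })
        out.append(port_ctx)
    return out

def run(target, predicate):
    """target -> url -> nmap -> [predicate] : the filter keeps contexts where predicate is true."""
    contexts = [url(target)]
    contexts = [c for ctx in contexts for c in nmap(ctx)]   # a list result fans out
    return [c for c in contexts if predicate(c)]

def http_on_8080(target="http://localhost"):
    """The page's filter: [_['PORT'] == '8080' and _['SERVICE'] == 'HTTP']."""
    return run(target, lambda _: _["PORT"] == "8080" and _["SERVICE"] == "HTTP")

if __name__ == "__main__":
    for ctx in http_on_8080():
        print(ctx)
```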
Support for Metadata is a major strength of Hackersh as it enables potential AI applications to fine-tune their service selection strategy based on service-specific characteristics.
"http://localhost" -> url -> [nmap, pass] -> amap
The script above is an example of a multithreaded application. It scans http://localhost in parallel, once via nmap + amap and once via amap alone. The output is:
http://localhost
  +-3306/tcp (MYSQL)
  +-25/tcp (SMTP)
  +-25/tcp (NNTP)
  +-902/tcp (VMWARE-AUTHD)
  +-21/tcp (FTP)
  +-21/tcp (SMTP)
  +-22/tcp (SSH)
  +-22/tcp (SSH-OPENSSH)
  +-80/tcp (HTTP)
  +-80/tcp (HTTP-APACHE-2)
  +-80/tcp (HTTP)
  +-80/tcp (HTTP-APACHE-2)
  +-631/tcp (HTTP)
  +-631/tcp (HTTP-APACHE-2)
  +-631/tcp (HTTP-CUPS)
  +-8080/tcp (HTTP)
  +-631/tcp (SSL)
  +-8080/tcp (HTTP)
  +-8080/tcp (HTTP-APACHE-2)
  +-53/tcp (DNS)
  +-8080/tcp (HTTP-APACHE-2)
  +-2222/tcp (SSH)
  +-2222/tcp (SSH-OPENSSH)
  +-3000/tcp (HTTP)
  +-111/tcp (RPC)
  `-111/tcp (RPC-RPCBIND-V4)
To read more about Pythonect's multi-thread and multi-process capabilities, please visit Pythonect Tutorial: Learn By Example.

The external Hackersh components supported in this version are listed in alphabetical order in the original post. The internal Hackersh components (in alphabetical order) supported in this version include:
  • Hostname
  • IPv4_Address
  • IPv4_Range (supports CIDR, Netmask Source-IP Notation, IP Range and etc.)
  • Nslookup
  • Stateful programmatic Web Browser (i.e. Browse, Submit, and Iterate_Links)
  • URL
To familiarize yourself with Pythonect, you should also read the other blog posts and resources linked from the original post. Good luck, and may the Force be with you!