
Category: Security

The InfoSec World Has a Python 2.7 Problem

Welcome to 2019, everyone! The future is bright, and I am sure we will all experience a lot of fun and unexpected things in the world of security. So far this year, we haven’t seen anything along the lines of Spectre/Meltdown, which helped usher in 2018.

One thing I did realize is that the turning of the calendar to this new year, remarkably, means that there is less than one year until Python 2.7 is officially “unsupported.”

Just check the Python 2.7 Countdown clock if you don’t believe me. Everything should be well on the way to Python 3 by now. Or so you would hope.

I find it somewhat humorous (mildly) that the infosec community still relies so heavily on Python 2.7, given its impending doom. I still see new tools being actively developed in this version of Python crossing my news feed almost daily. So many things on Kali Linux rely on Python 2.7.

I have observed that longstanding, popular open source stalwarts of the trade have shown little interest in moving to 3.x.

I really have no idea what to do about this, other than encourage contributors to migrate, and to lend a hand if and where possible. But it’s getting really late, and I still have to use python2.7 far too much in my day-to-day pentesting and security research life.
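As an added illustration (editor's example, not code from the original post), here is the single most common breakage when porting 2.7-era exploit scripts to 3.x: Python 2 let you glue "A" * 100 onto struct.pack(...) output because str and bytes were the same type, while Python 3 raises TypeError on that concatenation and indexes bytes as ints rather than one-character strings. The helpers below are written to run unchanged on both interpreters; the offset, return address and shellcode in the usage block are placeholder values, not from any real target.

```python
from __future__ import print_function  # harmless on 3.x, keeps the file importable on 2.7
import struct


def to_bytes(s, encoding="latin-1"):
    """Coerce text to bytes on 2.7 and 3.x alike.

    latin-1 maps code points 0-255 one-to-one onto byte values, so a string
    holding code point 255 becomes the single byte 0xFF instead of the
    two-byte UTF-8 sequence 0xC3 0xBF that the default encoding would give.
    """
    if isinstance(s, bytes):
        return s
    return s.encode(encoding)


def byte_at(buf, i):
    """Return buf[i] as an int on both versions.

    On 2.7 indexing bytes yields a one-character str; on 3.x it yields an int.
    bytearray indexing yields an int on both, so arithmetic on it is portable.
    """
    return bytearray(buf)[i]


def build_overflow_payload(offset, ret_addr, shellcode, nop_count=16):
    """Return padding + little-endian 32-bit return address + NOP sled + shellcode, as bytes.

    Every component is built as bytes, so the same function runs unchanged on
    2.7 and 3.x. The classic 2.7-only form, "A" * offset + struct.pack(...),
    raises TypeError on 3.x because str and bytes no longer concatenate.
    """
    shellcode = to_bytes(shellcode)
    padding = b"A" * offset
    eip = struct.pack("<I", ret_addr)   # 32-bit little-endian return address
    sled = b"\x90" * nop_count
    return padding + eip + sled + shellcode


if __name__ == "__main__":
    # Placeholder offset, address and shellcode, constructed for the demo only.
    payload = build_overflow_payload(4, 0xDEADBEEF, "\xcc", nop_count=2)
    print(repr(payload))                 # 3.x prints b'AAAA\xef\xbe\xad\xde\x90\x90\xcc'
    print(byte_at(payload, 4) == 0xEF)   # True on both interpreters
```

The point of the two small helpers is that they remove the only places where the two interpreters disagree; once a script builds its buffers this way it can be shipped with a `#!/usr/bin/env python3` shebang without a separate 2.7 branch.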

How about a New Year Resolution?

How To Protect Your Professional Reputation Online

Aah, the joys of social media. When you have a professional role, there are lots of things to think about, and your image across various platforms is one of them. No, we’re not talking about your actual image (although sure, you may want to get a haircut once in a while) we’re talking about how you’re perceived online, and as a result, within your community and profession. When it comes to protecting your reputation on the web, you need to follow a few steps, to make sure that you don’t cause yourself any trouble, and we’ve noted down a few easy ways that you can do this here.

Be careful what you tweet

Oh, Twitter. How we all love to have a little rant here and there, and how heated it can sometimes get when a disagreement arises. But as many professionals (and famous people) will tell you, those old tweets can come back around and haunt you. If you want to keep your reputation as clean as a whistle, make sure you’re not tweeting about anything that you wouldn’t say in a professional environment. Sure, you can tweet about how much you love eating cheese over the Christmas period, and nobody will hold it against you, but don’t tweet about how much you want to hit your neighbor with a baseball bat because of his loud music. It doesn’t look good.

Untag yourself

On sites such as Facebook and Instagram, your friends have the ability to tag you in pictures, which isn’t great news for your privacy. The issue here is that they probably find it hilarious that you got your arm stuck in a vending machine whilst you were steaming drunk, but your potential clients probably won’t. In fact, they will be quite worried about giving you their money if they see that you’re an off-the-rails individual where Instagram is concerned. Do yourself a favor, and keep these pictures between you and your buddies. The last thing that you want is for everybody to be asking you what happened on that night, especially when you can’t even remember.

Google yourself, and remove what isn’t too good

Ok, so Googling yourself may sound like a strange concept, especially if you’re not exactly, you know, Britney Spears. But if you’re part of a big business or have a large social media following, you’re going to have to say goodbye to anything that doesn’t bode well for your reputation, and Google is a good place to start. Google does not host most of the images it indexes, so it won’t always remove one. In that case, get in touch with whoever runs the website, and if they won’t budge either, fall back on suppression: publishing enough newer, positive content that the old result sinks out of sight.

Keep things set to private

Sure, you may feel like you should share some of your personal life online, but make a distinction between the personal and professional where you can. If there are some things you’d rather share with close friends and family, then have a Facebook account set to private, and separate it from all of your other public accounts. You don’t have to use your company accounts to share your own private thoughts (keep them business), and you can even use a different name for your personal ones if you only want to keep things between you and your loved ones. Take some time to secure your social media, and your other online profiles, too. You won’t regret it when you’ve saved your reputation.

Store Data Securely

There are various types of data, professional or personal, that you don’t want cybercriminals to access. Either way, you need to make sure you’re operating responsibly online and storing data securely. Be clear about what each tool actually does: a VPN (including the browser-extension kind) protects data in transit across untrusted networks, not data sitting on disk. For stored files, whether on your laptop or in cloud storage, what protects you is encryption at rest, a strong unique password with two-factor authentication on the account, and a backup you have actually tested restoring.

So…

There are many ways to protect your reputation online, and one of them is being careful about what you tweet. Instead of going all out and writing what first comes to mind, take a moment to reflect on whether it is necessary, and whether it will damage your reputation. You can also untag yourself from any unprofessional photos, and remove pictures from Google if you don’t want them to be the first thing that people see. Lastly, set some accounts to private, and keep the information there between friends. This will help you to separate the personal and the professional.

Whatever you decide to do, your reputation is greatly important as a professional, and is something that you should take seriously if you want to be successful. Follow these simple tips if you want to make sure that it’s the best it can be, and that you have a reputation that precedes you (a good one, that is…).

4 Surprising Everyday Tech That Can Misuse Your Data

According to a Clark School study at the University of Maryland, there is, on average, a hacking attack on computers every 39 seconds in the United States. The study doesn’t quantify how many attacks occur on other devices, but it’s fair to say that hackers are an innovative and hard-working bunch, and your smartphone and your favorite everyday gadgets can also become targets. By 2020, the Internet of Things is expected to reach around 200 billion connected devices worldwide. To put that into perspective, there are already 25 connected devices per 100 inhabitants, and the trend is expected to keep growing. When you think about it, you probably already have close to 25 devices for yourself alone. From your fitness tracker to your smart home system, modern households have made themselves more and more vulnerable to data breach attempts by relying on IoT devices for everyday activities. The question is not whether your data is safe, but how your IoT data can be misused against you. The chilling answer you might not have expected is that some of your favorite gadgets can themselves be the source of data leakage or misinterpretation. Your home is not data-safe; quite the contrary!


Don’t let your ISP track your activities

Cybercriminals keep an active eye on new technologies to reach loosely protected data, or data without any protection at all. Businesses are not the only targets; individuals are vulnerable too. From relying on security software that fails to protect you to ignoring common sense when a suspicious email arrives, you need to educate your household in the best way of managing its data privacy. What you may not know is that your Internet Service Provider, or ISP for short, can see your location, the sites you connect to (through your DNS lookups and TLS server names, even when the page itself is HTTPS), and any traffic sent in the clear. Even if you have nothing to hide, legal authorities can demand that data or be alerted in the event of questionable activity. While that may help target terrorists and other criminals online, you could be exposed to legal action for something as innocent as essay research on a controversial topic. Additionally, your geolocation can block access to specific content. Adding a VPN to your household network hides your traffic from the ISP, but understand what it does and does not do: it only moves the vantage point from the ISP to the VPN operator, who now sees everything the ISP used to, and free VPN services frequently fund themselves by logging or selling exactly that data. Choose a provider with a credible, independently audited no-logging policy rather than the first free one you find.

Don’t let Alexa order anything on your behalf

Alexa, the voice assistant Amazon introduced a few years back, has built a reputation for helping you organize your household and your online orders. But this apparently useful gadget has also developed a nasty habit: it can place orders on your behalf without your knowledge. Does that mean Alexa has developed a form of intelligence of its own and can make decisions for you? Of course not. Alexa is and remains a tool that learns from its interactions with you, never enough to become its own master. These unexpected orders are the result of the device misinterpreting what it hears. The most famous story is about a little girl in Dallas whose conversation with Alexa about cookies and a dollhouse ended with the accidental order of the dollhouse. When a TV news anchor repeated the phrase on air while reporting the incident, Alexa devices in viewers’ homes reportedly picked it up and tried to order dollhouses of their own, proving that the device is always listening. The practical check: in the Alexa app, disable voice purchasing or require a spoken confirmation code for every order, so a stray phrase cannot charge your account without the code.

Your fitness tracker reveals the location of secret military bases

Your fitness tracker might be your best ally if you’re trying to get in shape, but it knows far too much about your life to be trusted blindly. Wearables are designed to collect data all the time and upload it to the vendor, who aggregates it to analyze your performance and the device’s. And that’s precisely where the problem lies. Users of the Strava app realized that its public heatmap could reveal not only the location of military bases but also, through the per-route leaderboards, the names of the individuals running each route. In short, a fitness tracker can expose the positions and routines of armed services personnel. Who needs spies anymore? Check the privacy settings of whatever app your wearable syncs to: most offer a private mode or privacy zones around home and work, and they are rarely on by default.

Don’t let burglars know about your habits

Who doesn’t love the ease of use and comfort of a smart home installation? But you might reconsider your choices when you discover that your smart home data can be used against you. Attackers who gain access to that data can learn your home routine and, more importantly, the times when you’re not at home. From ransomware that threatens to lock you out of your own house to targeted burglary, a smart home does not mean a safe home.

Can you trust your everyday tech? While it doesn’t mean you shouldn’t use any device that connects to the IoT, it’s fair to say that exercising caution and common sense should be your default position at all times.

I made some shirts

Over the years, I have kept a running list of t-shirt ideas in the back of my mind, thinking that someday “I should make a t-shirt out of that.”

I finally made the effort, and now I have a shop set up where you can buy some silly things I created. Not only are they available as shirts, but you can order them as hoodies, onesies, notebooks, stickers, coffee mugs, and more.

It’s a Festivus miracle!  

Check out the shop, or browse some of the available things below.

A few new resources for pentesting/OSCP/CTFs

Here are a few new resources I’ve run across in the last month or so. I’ve gone back to add these to some of my older posts, such as the Windows Privesc Resources, so hopefully you’ll find them, one way or another.

Windows-Privilege-Escalation-Guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

JSgen.py – bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
https://pentesterslife.blog/2018/06/28/jsgen/

So you want to be a security engineer?
https://medium.com/@niruragu/so-you-want-to-be-a-security-engineer-d8775976afb7

Local and Remote File Inclusion Cheat Sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

External XML Entity (XXE) Injection Payloads
https://gist.github.com/staaldraad/01415b990939494879b4

Enjoy!

The Unofficial OSCP FAQ

It has been close to a year since I took the Penetration Testing with Kali (PWK) course and subsequently obtained the Offensive Security Certified Professional (OSCP) certification. Since then, I have been hanging out in a lot of Slack, Discord, and MatterMost chat rooms for security professionals and enthusiasts (not to mention various subreddits). When discussing the topic of obtaining the OSCP certification, I have noticed *a lot* of prospective PWK/OSCP students asking the same questions, over and over.

The OffSec website itself covers some of these questions, but whether it’s because people don’t read it or because it wasn’t made very clear, these questions keep coming back. Here, I will attempt to answer them as best I can.

Disclaimer: I am not an OffSec employee, nor do I make the claim that anything that follows is OffSec’s official opinion about the matter. These are my opinions; use them at your own risk.

  1. Do I have enough experience to attempt this?
  2. How much lab time should I buy?
  3. Can I use tool X on the exam?
  4. What note keeping app should I use?
  5. How do I format my reports?
  6. Is the HackTheBox.eu lab similar to the OSCP/PWK lab?
  7. Are VulnHub VMs similar to the OSCP/PWK lab?
  8. What other resources can I use to help me prepare for the PWK course?

Do I have enough experience to attempt this?

According to the official OffSec FAQ, you do need some foundational skills before you attempt this course. You should certainly know your way around the Linux command line before diving in, and having a little bash or python scripting under your belt is recommended. That said, it’s more important that you can read code and understand what it is doing than being able to sit down and write something from scratch.

I see many people asking about work experience, which isn’t really covered by OffSec. For example, people wondering if 3 years of networking and/or 1 year being a SOC analyst is “enough.” These questions are impossible to quantify and just as impossible to answer. What you should focus on is your skills as they relate to what is needed for the course.

To do that, head over to the PWK Syllabus page and go through each section. Take notes about things that you are not sure about, or know that you lack skills and expertise in.

Once you have a list made, start your research and find ways to learn about what you need to get up to speed on. For example, when I was preparing for PWK, I knew very little about buffer overflows. I spent a while watching various YouTube videos, reading up on the methods by which you can use a buffer overflow exploit, and taking notes for future reference. Once I started the course, I was able to dive into the exercises and understand what was going on, at least a little bit beyond the very basics, which helped me save time.

In the same boat? Check out this excellent blog post about buffer overflows for something similar to what you will see in the PWK course. Also, while I haven’t tried it yet, I hear that this is a good buffer overflow challenge you can practice on.

How much lab time should I buy?

Buy the 90 day course in order to get the most out of the experience and not feel crunched for time, especially if you work full time and/or have a family.

With 90 days, you can complete the exercises in the PWK courseware first, and still have plenty of time left for compromising lab machines.

Can I use tool X on the exam?

I see this question a lot, perhaps more than any other. People want to know whether it is safe to use a specific tool on the exam, such as Sn1per. The official exam guide from OffSec enumerates the types of tools that are restricted on the exam. It is pretty clear that you cannot use commercial tools or automated exploit tools. Keep this statement in mind when wondering whether you can use a certain tool:

The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.

If a tool helps you enumerate a system (e.g. nmap, nikto, dirbuster), it is OK to use.

If a tool automates the attacking and exploiting (sqlmap, Sn1per, *autopwn tools), stay away from it.

Don’t forget the restrictions on Metasploit, too.

From what I have heard, even though OffSec states that they will not discuss anything about it further, people have successfully messaged the admins to ask about a certain tool and gotten replies. Try that if you are still unsure.

What note keeping app should I use?

I wrote a lot about this already, so be sure to check out that write-up. In short, these are the main takeaways:

  • Do not use KeepNote (which is actually recommended in the PWK course), because it is no longer updated or maintained. People have lost their work because it has crashed on them.
  • CherryTree is an excellent replacement for KeepNote and is easily installed on the OffSec PWK Kali VM (it is bundled by default on the latest/greatest version of Kali).
  • OneNote covers all the bases you might need, is available via the web on your Kali box, and has clients for Mac and Windows.
  • Other options boil down to personal choice: Evernote, markdown, etc.

How do I format my reports?

Check out the example reports that OffSec provides. From those, you can document your PWK exercises, your 10 lab machines (both of which contribute towards the 5 bonus points on the exam), and your exam notes.

I do not recommend skipping the exercise and 10 lab machine documentation, thus forfeiting your 5 extra exam points. I am a living example of someone who would not have passed the exam had I not provided that documentation. Yes, it is time consuming, but it prepares you for the exam documentation and helps you solidify what you have learned in the course.

Is the HackTheBox.eu lab similar to the OSCP/PWK lab?

There are definitely some worthy machines on Hack The Box (HTB) that can help you prepare for OSCP. The enumeration skills alone will help you work on the OSCP labs as you develop a methodology.

There are definitely some more “puzzle-ish” machines in HTB, similar to what you might find in a Capture The Flag event, but there are also plenty of OSCP-like boxes to be found. It is a good way to practice and prepare.

Are VulnHub VMs similar to the OSCP/PWK lab?

See the above answer about Hack The Box, as much of it applies to the VulnHub machines too. I used VulnHub to help me pre-study for OSCP, and it was a big help. The famous post by Abatchy about OSCP-like VulnHub VMs is a great resource. My favorites were:

  • All the Kioptrix machines
  • SickOS
  • FristiLeaks
  • Stapler

What other resources can I use to help me prepare for the PWK course?

There are a lot of resources that can help you pre-study before you dive into the course. I will post some here.

Books

Online Guides