Category: Software

OWASP Attack Surface Detector Project

When I did a short work stint at Secure Decisions in 2018, one of the projects I got to work on was helping to create the Attack Surface Detector plugin for ZAP and Burp Suite. I left that position before the project got published, but I am happy to see that it was a success.

Here it is in all its glory.

From the OWASP description:

The Attack Surface Detector tool uncovers the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won’t find in client-side code, or optional parameters totally unused in client-side code. It also has the capability to calculate the changes in attack surface between two versions of an application.

There is a video that demonstrates the plugin, and yes, that is me doing the voice-over.

Kali Linux Dockerfile

Since recently discovering there is now an official Kali Linux docker image, I’ve been fiddling with it and tweaking my own setup to get it to how I like it for the things I use it for. I have a work version and a personal version. What follows is my personal version, used mostly for R&D, CTF challenges, and bug hunting in my free time.

My Kali Dockerfile (for Mac)

# The Kali linux base image
FROM kalilinux/kali-linux-docker

# Update all the things, then install my personal faves
RUN apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get install -y \
 cadaver \
 dirb \
 exploitdb \
 exploitdb-bin-sploits \
 git \
 gdb \
 gobuster \
 hashcat \
 hydra \
 man-db \
 medusa \
 minicom \
 nasm \
 nikto \
 nmap \
 sqlmap \
 sslscan \
 webshells \
 wpscan \
 wordlists

# Create known_hosts for git cloning things I want
RUN mkdir /root/.ssh
RUN touch /root/.ssh/known_hosts
# Add host keys
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts

# Clone git repos
RUN git clone https://github.com/danielmiessler/SecLists.git /opt/seclists
RUN git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit
RUN git clone https://github.com/hashcat/hashcat /opt/hashcat
RUN git clone https://github.com/rebootuser/LinEnum /opt/linenum
RUN git clone https://github.com/maurosoria/dirsearch /opt/dirsearch
RUN git clone https://github.com/sdushantha/sherlock.git /opt/sherlock

# Other installs of things I need
RUN apt-get install -y \
    python-pip

RUN pip install pwntools

# Update ENV
ENV PATH=$PATH:/opt/powersploit
ENV PATH=$PATH:/opt/hashcat
ENV PATH=$PATH:/opt/dirsearch
ENV PATH=$PATH:/opt/sherlock

# Set working directory (Mac specific; no ENTRYPOINT is defined, the base image's default is kept)
WORKDIR /Users/wchatham/kali/

# Expose ports 80 and 443
EXPOSE 80/tcp 443/tcp

Build it

docker build -t yourname/imagename path/to/theDockerfile

(the path is the directory that contains the Dockerfile; don’t put ‘Dockerfile’ itself in the path). Do change ‘imagename’ to something apropos, such as ‘kali’.

Run it

docker run -ti -p 80:80 -p 443:443 -v /Users/yourname/Desktop:/root yourname/imagename

The above examples require you to replace ‘yourname’ with your Mac username.

-ti
Indicates that we want a tty and to keep STDIN open for interactive processes

-p
Publish the listed container ports on the host

-v
Bind-mount the given host folder into the container so files are shared between host and docker.
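One caveat worth checking before running the command above, shown as an added example that is not part of the original post: a bind mount such as `-v /Users/yourname/Desktop:/root` hides whatever the image already placed under `/root`, including the `known_hosts` file the Dockerfile builds, so the script below scans a Dockerfile for image paths that a given mount target would shadow. The sample Dockerfile it writes is a constructed excerpt of the one above.

```shell
#!/bin/sh
# Added example, not from the original post: find image paths that a
# `docker run -v host:container` bind mount would hide from the container.

# Constructed excerpt of the Dockerfile above, written to the file named in $1.
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
FROM kalilinux/kali-linux-docker
RUN mkdir /root/.ssh
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
RUN git clone https://github.com/danielmiessler/SecLists.git /opt/seclists
ENV PATH=$PATH:/opt/powersploit
WORKDIR /Users/wchatham/kali/
EOF
}

# Heuristic list of absolute paths a Dockerfile touches inside the image:
# every /-rooted token on RUN, WORKDIR and ENV lines (URLs such as https://...
# split on ':' into '//...' and are dropped), one per line, deduplicated.
dockerfile_paths() {
  grep -E '^(RUN|WORKDIR|ENV)[[:space:]]' "$1" \
    | tr ' \t=:' '\n\n\n\n' \
    | grep -E '^/[^/]' \
    | sort -u
}

# Print the image paths that a bind mount onto container path $2 would
# shadow, given Dockerfile $1.  Returns 1 if anything is shadowed, 0 if not.
shadowed_by_mount() {
  target=${2%/}
  hits=$(dockerfile_paths "$1" \
    | awk -v t="$target" '$0 == t || index($0, t "/") == 1')
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Stand-alone run: mirrors the post's `-v /Users/yourname/Desktop:/root`.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_dockerfile "$tmp"
  shadowed_by_mount "$tmp" /root || echo "a mount on /root hides the paths above"
  rm -f "$tmp"
fi
```

Run it with `--demo` to see the two `/root/.ssh` entries flagged; mounting the host folder somewhere else (for example `/root/share`) keeps the image's own files visible.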

Hope that’s useful to someone!

Hat tip: https://www.pentestpartners.com/security-blog/docker-for-hackers-a-pen-testers-guide/

The InfoSec World Has a Python 2.7 Problem

Welcome to 2019, everyone! The future is bright, and I am sure we will all experience a lot of fun and unexpected things in the world of security. So far this year, we haven’t seen anything along the lines of Spectre/Meltdown, which helped usher in 2018.

One thing I did realize is that the turning of the calendar to this new year, remarkably, means that there is less than one year until Python 2.7 is officially “unsupported.”

Just check the Python 2.7 Countdown clock if you don’t believe me. Everything should be well on the way to Python 3 by now. Or so you would hope.

I find it somewhat humorous (mildly) that the infosec community still relies so heavily on Python 2.7, given its impending doom. I still see new tools being actively developed in this version of Python crossing my news feed almost daily. So many things on Kali Linux rely on Python 2.7.

I have observed that longstanding, popular open source stalwarts of the trade have shown little interest in moving to 3.x.

I really have no idea what to do about this, other than encourage contributors to migrate, and to lend a hand if and where possible. But it’s getting really late, and I still have to use python2.7 far too much in my day-to-day pentesting and security research life.

How about a New Year Resolution?

Bespoke Software Development Tips

If you are planning to outsource your software development, then you need to make sure that you do choose the company carefully. Custom software development requires a high level of skill and expertise. If you don’t invest in the right service, you won’t get the quality you need.

Software lies at the core of business efficiency. It may be a lot cheaper to go for a software solution that is bought off of the shelf. However nothing meets the efficiency and effectiveness that can be reaped through implementing a bespoke software solution. This type of software will be completely tailor-made in order to suit your business; the size of your company, the activities you need to carry out, the data you need to store and your goals for expansion in the future. Read on to discover the top seven tips for having your own bespoke software developed.

Feasibility check

A lot of people overlook this point; however a feasibility check is essential. What is the purpose of developing your software? How is it going to provide you with improved efficiency? How will ROI be affected?

Technology infrastructure plan

Draw up a plan comprising all the technologies and servers utilised in your business at present. This is essential because the software you develop needs to be compatible with the technology you use if you are to benefit from a cost efficient and time effective software development process.

Outsourcing

Outsourcing can ensure your software runs effectively for a lifetime. You can of course take advantage of the fantastic professionals out there who are trained and qualified in software development. But what a lot of people do not realise is that not only will you have the peace of mind that your software development is in the hands of the best, but you will also know you are covered in the future should any glitches occur. This is because these businesses provide substantial care and after support.

A long testing period is essential

Whether you are getting a company to develop your software or you are doing it yourself, testing is imperative. This does not merely mean a quick hour of playing around with the software. You need a testing period of approximately a month in order to ensure everything runs properly.

Find a robust software programming language

Believe it or not, all software does not speak the same language! From Visual Basic to Java to C++, the choices are vast. Don’t try to go for something unusual; this will make bespoke software development and integration with other systems extremely difficult. Make sure you opt for a robust option. Aside from the three just mentioned, other good options include VB.NET and C#.

Web-based software application

Web-based software solutions are on the rise, with so many options, from SD-WAN to productivity apps. These are seen as highly beneficial as the only thing that is required is an internet connection for it to run. This type of software is seen as the future.

Lots of features are not always a good thing

It can be very easy to get distracted and build a software solution with a monumental number of different features. However, if these are not necessary, then don’t include them. The whole point of bespoke software is so that you can manage segments of your business efficiently. Pointless features simply complicate it.

If you follow the seven tips given in this article then you should have no issue when it comes to developing the perfect bespoke software solution for your business.

Useful Tools For Keeping Your Business’ Finances On Track

Of all the things that need doing to keep your business running smoothly, finance isn’t everyone’s forte. In fact, managing your finances can be far down on your list of priorities – but it’s one of the most important processes. Even if you’re not the most mathematically savvy, there are tools available to you that make running your business’ finance easier than ever.

Save time and keep your money in check with these useful tools for keeping your business’ finances on track.

Accounting software

For small businesses, hiring an accountant can be a no-go, as hiring more personnel could be at the bottom of your priorities. However, thanks to technology, there is accounting software and applications designed to help make keeping your accounts up to date easier. The best accounting software will help you keep everything stored in one place so that you can manage your accounts on the go.

Reconciliation tools

Errors in reporting can be detrimental to your business, and even if things are better than what you expect – there should be no errors when it comes to your financial reports. Bank reconciliation software can help you manage your cash flow, match up your transactions and make sure that the balance you see for your business is accurate. This way, when it comes to your business’ finance, you’ve got all of the correct and up to date information at your fingertips.

Payroll management system

A payroll management system can be vital for managing your employees – especially if you deal with shift workers or contractors who might not get paid the same amount each month. Through a payroll management system, you can add rosters, apply payments and monitor things like vacation days to keep everything up to date. A cloud-based system will provide greater access to staff out of hours in case they need any information about their pay and other details.

Expenses tracking

If you usually gather all of your receipts in a box or some other form of unofficial ‘filing’ system, there’s a strong possibility that something is going to end up missing! Keeping track of your business expenses helps to keep things up to date, lets you see what you’re spending and keeps the tax man happy. Tracking your expenses in real-time can be a good way to reduce your small business spending and make sure that you are on track with your receipts. Seeing all of your spending in front of you could identify simple areas for cuts that will help your business run more efficiently.

Choosing the right financial tools for your business can take the stress out of business accounting and help free up your time to deal with more important matters. With more and more tools becoming available all the time, it’s worth keeping an eye on finance and business news to help you stay up to date. Managing your business’ finances might have been a pain in the past, but the future is certainly looking brighter.


What Different Types of Business Software Are Available?

These days, many business owners are focusing on investing in software rather than physical equipment. This certainly appears to be the way that the future is heading. But if you are not hugely clued-up in this area, you may be asking what type of business software is going to work best for your company. First of all, you need to have a better understanding of your options, and that is what we will be aiming to provide right here in this article.

Business Invoicing and Billing Software

In days gone by, you would have to go through the huge effort of creating every single invoice from scratch to send out to your clients and get paid. Invoicing software often uses templates which can be customised to match the needs of your company. Ultimately, this is designed to save you a lot of the admin work which would cost you a great deal of time. Not only this, it takes away the risk of human error which is always possible when something is being done by hand.

Payroll Software

Another type of software in the financial sector is payroll software, which is designed to help you to manage your payroll taxes and payments in a more efficient manner. These often allow you to print out the paychecks and forms which are needed for all sorts of different tax purposes. Whether you only have a single employee or several thousand, there is no doubt that this type of software can prove to be useful.

Database Software

Database software comes in a number of different forms and can be designed and shaped depending on what sort of company you are running. For example, Versum salon software has been specifically designed to help people who are running this kind of business. The data held in database software tends to be business names and contact addresses, to-do lists and other important documents directly relating to the successful running of the business. Larger companies will often require server databases, while smaller and medium-sized ones often rely on web or desktop based systems.

Asset Management Software

If your business is directly involved in sales and distribution, asset management software can help you to keep track of what physical assets you have available. These types of programs can often offer suggestions based on the information you input regarding things like depreciation rates and dates for replacement.

One of the central selling points of business software is that it is there to automate processes which would have previously taken up a great deal of time and would have been subject to human error. Ultimately, it is worth checking out what sort of software is available before taking the decision to invest in it. You should also check out the different brands and programs, as well as the reviews which are available to see if they are right for you.