list.exploitsearch.net

list.exploitsearch.net is my attempt at creating an online searchable repository of security related lists. What kind of lists? Well, pretty much any list that can be stored in a manner similar to “[type], [value]”. So for example, it is fairly easy to store a list of common passwords… “[passwords], [123456]” or a list of common Unix usernames… “[usernames], [root]”. The site can also store lists of other items such as common browser user agent strings, reverse shells which can be written on one line, one line back doors, known malicious IPs, and so on. There really is no limit to the types of data that list.exploitsearch.net can store and provide out as needed.

The only site imposed limitation is that all the data be actual/live data. That is to say, all the data that is to be stored should have been actually seen “in the wild”. So, what does this limit? The easiest place to see this limitation is in the password list. This site will only store passwords that have been known to have been used by actual people. So, it will not be storing all possible 8 character passwords. If you want that list, you can easily create it yourself via some other mechanism.

Also, all/most of the data contained in the site has a fixed life span. Depending on the nature of the data, the life span can vary. For example, the lifespan of passwords may be 1 year, where as the life span of malicious IPs may just be a few weeks. After the life span of a piece of data has been reached, it will be removed from the standard list generation process, thus helping to enforce that the lists that are generated contain only up to date information. There may be an API parameter that will allow the generated lists to contain old data at some point, but currently this is not possible.
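As an added example (my own code, not the site's), here is a minimal model of the “[type], [value]” store with per-type lifespans as described above; the exact lifespans, the `include_old` parameter, and the sample records are assumptions based on this post.

```python
from datetime import date, timedelta

# Assumed per-type lifespans, modelled on the post (passwords about a year,
# malicious IPs only a few weeks); unknown types fall back to one year.
LIFESPANS = {
    "passwords": timedelta(days=365),
    "usernames": timedelta(days=365),
    "malicious_ips": timedelta(days=21),
}
DEFAULT_LIFESPAN = timedelta(days=365)


def parse_record(line):
    """Parse one '[type], [value]' line into a (type, value) tuple.

    Splitting on the '], [' separator rather than the first comma keeps
    values that themselves contain commas (e.g. a one-line reverse shell).
    """
    left, sep, right = line.strip().partition("], [")
    if not sep or not left.startswith("[") or not right.endswith("]"):
        raise ValueError(f"malformed record: {line!r}")
    return left[1:], right[:-1]


class ListRepository:
    def __init__(self):
        # (type, value) -> date the value was last seen in the wild
        self._entries = {}

    def add(self, line, seen_on):
        """Store a record; re-seeing a value refreshes its timestamp."""
        kind, value = parse_record(line)
        prev = self._entries.get((kind, value))
        if prev is None or seen_on > prev:
            self._entries[(kind, value)] = seen_on

    def generate(self, kind, today, include_old=False):
        """Build the list for one type, dropping entries past their lifespan.

        include_old is the hypothetical API parameter the post mentions;
        when True, expired entries are returned as well.
        """
        cutoff = today - LIFESPANS.get(kind, DEFAULT_LIFESPAN)
        return sorted(
            value
            for (k, value), seen in self._entries.items()
            if k == kind and (include_old or seen >= cutoff)
        )
```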

The goal of this site is to allow security researchers, consultants, pentesters, etc… a place from which they can pull a list tailored to their specifications of common passwords, usernames, database columns, browser user agent strings, one line reverse shells, etc…

If you have data you would like to have added to one of the current types of lists or if you have an entirely new type of list you would like to have stored here, feel free to let me know.

The site is still in Beta, but should be usable.  Over the next few days/weeks, the site will become more full featured and the types and amount of data will increase.

Let me know what you think. What types of data/lists can I add that would make this useful to you?

Internet Footprinting (aka OSINT – Open Source Intelligence)

What is OSINT? Well, according to Wikipedia it is:

“Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.”

In general, OSINT is simply the identifying, collecting, and analysis of publicly available data about a person, place, or thing.

OSINT is NOT merely used for cyber stalking or DOXing. (DOXing is the act of gathering personal information about people on the Internet, often including real name, known aliases, address, phone number, SSN, credit card number, etc. typically for the sole purpose of causing embarrassment, mischief, and/or harm to the targeted person.)

OSINT has many valid/beneficial uses. These include (but are not limited to):

  • identifying information about yourself (or your own company) that may be available on the internet
  • part of a network penetration (or social engineering) exercise
  • performing additional/extended background checks on potential corporate partners or employees
  • identifying possible information leakage from your company

There are a few typical types of OSINT, each with their own PROs/CONs:

  • Purely Passive
    • PRO – no traffic directed toward the target (i.e. no evidence in server logs)
    • CON – only relying on second hand data at best
    • Examples
      • search engine cached pages
      • archive.org saved pages
      • searching across pastebin (and similar sites)
      • searching social media sites
      • browsing Shodan for ports, systems, and service banners
  • Typical Internet Traffic
    • PRO – gaining data directly from target’s websites and systems
    • CON – traffic is being sent directly toward the target thus showing up in server/system logs
    • Examples
      • DNS queries
      • Visiting web pages owned by the target
      • downloading documents from websites
  • Checking Locks and Doors
    • PRO – possibly gaining amazing amounts of data about types of system, websites on odd ports, and other services such as ftp, vnc, etc…
    • CON – lots of traffic sent to target and chance of being detected is considerably higher
    • Examples
      • perform DNS brute forcing
      • perform ip scans across the target’s ip space to identify active systems
      • perform port scanning to identify open ports and gather banners

There are numerous commercial/free tools/websites that can be used to perform or assist in OSINT gathering. In future posts, I will be covering many of these tools and websites and discussing how they can be used to perform OSINT.

A few sources of OSINT data (more will be discussed in future posts):

  • Pastebin (and similar sites)
  • DNS (zone transfers, txt, hinfo, etc… records)
  • Websites (email addresses, org charts, documents, addresses, phone numbers, etc…)
  • Search engines (google, bing, etc…)
  • Social networks (linkedin, twitter, facebook, etc…)

All security tools need a “–demo” option

Over the past few years I have seen movies actually trying to include real computer hacking, granted most of it is just showing some output from Nmap.

That got me thinking.  Would Hollywood be more likely to include more (and different) “hacking” tools in their movies if they all had a “–demo” flag/option?

The concept is that if you run the tool and provide the “–demo” flag, it will start generating either canned output or randomly generated output which looks like real output without actually doing anything.  This way, the actors/writers/etc… do not actually have to know what they are doing or even learn how to use the tools.  All they have to do is run the tool and give the “–demo” flag and they have “real” hacker-stuff showing up on their screen.  🙂

What do you think?  Good idea or crap?

Building a New Pentest Lab

A while back I decided that I was going to start a personal infosec “re-education” process during which I hope to learn new tools/techniques, polish up on the abilities I already have, and enhance any areas where I may be lacking.  In order to facilitate this, I needed a work area.  As with any project (woodworking, automotive, or information security), having the proper work area can make a huge difference in one’s ability to succeed in their endeavors.

For my information security “re-education” project, one key part of my “work area” needed to be a wide variety of operating systems to target/test against.  There are a few different approaches I could have taken to achieve this:

1) Use what is available.

Look around your house/office.  You probably have a few older Windows/Unix systems which you do not use on a regular basis.  Odds are you also have a personal printer and/or other network attached devices.  All of those make excellent targets.

2) Use what you can borrow.

Much like the previous option, but in this one, you should ask around with friends/family/etc… to see if anyone has any old/unused hardware/system which they can loan/give you.  If lucky, you can obtain some good (possibly rare) equipment this way.

3) Use a simple virtualization approach.

Since you probably do not have access to lots of unused desktops/laptops/etc… on which to install your desired target operating systems, you should look into virtualization.  There are several good virtualization solutions available to use (and in most cases, the software itself is free).

Any of these solutions can be easily setup/installed on a personal laptop/desktop.  Depending on the number of “guest” operating systems you wish to install and run at one time, you may encounter resource contention.

4) Build a full virtualization solution.

If the previous option does not provide you with the options/flexibility/resources that you need, you can always build a system solely dedicated to running your “guest” operating systems.  This option may require the expenditure of additional money in order to build your new virtualization host system.

Note: The above options/approaches are NOT mutually exclusive.  You can make use of any/all of them as needed/desired.

The approach I decided to take was a combination of #1 and #4.  I first took inventory of all the systems I had connected to my home network (laptops, desktops, printers, etc…) and then, to house/host all of the other “test/target” systems I thought I would/may need, I decided to build a dedicated virtualization host.  For this I decided to go with VMware’s ESXi server.  The reason I chose ESXi is that I have had some experience with it in the past, I can easily get the parts to quickly build a decent system, and it is free.

Below is my shopping list of parts I bought to build my system:

($189.99) Seagate Desktop HDD 4 TB SATA 6Gb/s NCQ 64MB Cache 3.5-Inch Internal Bare Drive ST4000DM000
($78.99) Silverstone Tek Micro-ATX Mini-DTX, Mini-ITX Mini Tower Plastic with Aluminum Accent Computer Cases PS07B (Black)
($17.99) Lite-On Super AllWrite 24X SATA DVD+/-RW Dual Layer Drive - Bulk - IHAS124-04 (Black)
($168.99) SUPERMICRO MBD-X9SCM-F-O LGA 1155 Intel C204 Micro ATX Intel Xeon E3 Server Motherboard
($279.99) Kingston Technology ValueRAM 32GB Kit (4 x 8GB) 1600MHz DDR3 ECC CL11 DIMM with TS Intel Desktop Memory KVR16E11K4/32I
($233.99) Intel Xeon Qc E3-1230 Processor
($59.99) Corsair Builder Series CX 600 Watt ATX/EPS 80 PLUS (CX600)
-----------------
TOTAL COST = $1029.93

All of the parts were purchased from Amazon.com (mostly because I have an Amazon Prime account and thus did not have to pay for shipping).

As can be seen, the total cost of the system was just over $1000.  I may have been able to shave some $$$ off of the cost by reusing some of my old/surplus hardware, but I opted to go with all new equipment.

Now that I had my ESXi server built, I needed to populate it with various “guest” operating systems.  First, I started by installing a couple old Windows XP and Vista licenses I had, but I needed more operating systems than that.  Luckily for me, there are lots of free VMs and operating systems available: Debian, Ubuntu, Fedora, Mint, etc…  In addition, there are great “target” operating systems available as well:

If I needed additional Windows guests, I could:

  • Download any available “trials” from the Microsoft website.
  • Purchase a MSDN Operating System subscription.

I also needed “Hacker” boxes to perform all of my scans from.  For this I could either build my own system, follow one of the many guides on the internet to build a pentest Windows/Linux machine, or simply download one of the prebuilt systems.  Here again, there are LOTS of options to choose from.  Personally, I like Kali (the new version of BackTrack).

Well, that is a quick overview of my pentest lab.  If you have any comments/questions/suggestions, please feel free to contact me and/or leave a comment below.

Phishing with www.SafeLogin.co

As a security consultant and penetration tester, one of the various activities I would have to perform was a phishing exercise.

“Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites. Up to 5% of users seem to be lured into these attacks, so it can be quite profitable for scammers, many of whom send millions of scam e-mails a day.” — as quoted from OWASP

A few days ago, a colleague pointed me to www.webscript.io and to a simple phishing site he created on it. I took a look and was very impressed by the simplicity of it and how easy it was to set up the phishing site. For a complete writeup on his “Phishing with WebScript.io” experience, check out his site: http://averagesecurityguy.info

This got me thinking: while webscript.io is an amazing site, it is overkill for a simple phishing site. I thought I could create a simple site (just a few back-end scripts, apache, etc…) that could act as a “Proof of Concept” phishing site generator.

…and thus was born: http://www.safelogin.co

http://www.SafeLogin.co is a bare bones web site which allows a visitor to set up a phishing site of their very own (only for sites they are legally allowed to, as per the Terms of Use). All they need to provide is a target URL (the site to be cloned) and a unique phishing site name (.safelogin.co). All sites are kept alive for 7 days, at which time all data is erased. http://www.SafeLogin.co does not (at this time) provide capabilities for sending the phishing emails; that must be handled by the user.

Please take a look and if you experience any issues or have any suggestions, please feel free to let me know.

Beware of strangers with candy.

Just as that has always been a good rule to help guide you safely through life, there are also simple rules to help protect you and your home computer while surfing the internet.

By following a few simple guidelines as well as a few precautions you should be safe from the vast majority of dangerous threats you will encounter on the internet.

Precautions: (Safety measures)
  • Use a host-based firewall.  On Windows, the built-in firewall works fine.
  • Use an anti-virus detection application.  On Windows, the free Microsoft Security Essentials application works fine.
  • Enable automatic download and installation of operating system patches and updates.
  • When possible, try to update all of your other programs (firefox, adobe, etc…) to the latest stable versions.

Internet Guidelines:

  • Do not go to suspicious websites.  (e.g. URLs from China “.cn” and Russia “.ru”.  Nothing against the countries themselves, but a lot of malicious activities originate from those internet domains.)
  • If the website says that you need to install special software in order to view the site, do not do it.  Unless it is Adobe or Java, it is a safe bet that it is a malicious program that they want you to install.  Even if it is Adobe or Java, you should go to the product’s website to download and install the program instead of following a link on the webpage.
  • Practice safe information handling:
    • Do not post anything to the internet (Facebook, chat, IM, Myspace, Linkedin, blog, etc…) that you do not want to be viewed by everyone.  Once something is on the internet, it is there forever and eventually will be viewable by anyone.
    • Do not provide your password(s) to anyone.  No valid customer support will require you to provide them your password.  They already have it.
    • For each internet/website account you have (email, Facebook, banking, etc…) use a different password.  This makes it much more difficult for someone to get your banking information if they happen to get your Facebook password.
  • Practice safe email handling.  It is best if you…
    • Do not open (or preview) emails from people you do not know.
    • Do not click on any link contained within an email.  If you must use the link due to something such as an activation code, retype the link into a new web browser window.
    • Do not open any document (.pdf, .doc, .xls, etc…) attached to an email.  It can be a malicious document that could install dangerous software onto your system.
    • Do not respond to spam or scams.  If you receive an offer in an email, and it sounds too good to be true, it probably is!!!
    • Do not email personal information (SSNs, credit card numbers, etc…).