
w00t and pillage – Captain’s bLog: day 12

Lately my studies have gone over email spoofing and hooking browsers using BeEF. Email spoofing in itself is easy enough, with editable “from” fields in many email apps, but I learned a few new cool approaches to make the spoofing far more accurate, enough to fool Gmail. Browser hooking is very cool, it’s frankly shocking to see just how much can be done to a victim’s device just through a browser. Then I consider that Chromebooks are basically a PC running through a browser. The trend is definitely to make browsers even more central to electronic device usage, and I’m not convinced that the work taking place for improved browser security is commensurate with the needs for it.

Most of this Social Engineering section has been based around one simple trojan, easily created and capable of bypassing antivirus programs. Whether it’s through spoofed emails, browser redirection, fake updates, or other BeEF tricks, the delivery of the trojan has been simple. The approaches are also fairly convincing on the face of it – getting someone to open a zipped .pdf or .png which is secretly a trojan is not hard when they are convinced it comes from someone they know and trust. At first approach, the browser hooking techniques I have seen appear a little more crude and unsophisticated – why would Firefox need to redirect you for an update, for example? – but could definitely work on more casual users. Phishing login data through a fake login window is still effective, especially when it’s from a frame in the user’s current page and doesn’t involve a redirect or an obviously fake URL in the header. Capturing screenshots, and even commandeering the webcam and microphone, is of course far more insidious and unlikely to be detected once the browser is hooked.

My main takeaway from this so far is that I’m gaining a lot more respect for proper preparation work in information gathering before making the first attack. Proper research with Maltego, or just careful use of Google and social media, clearly make an attack far more likely to succeed. As I’ve noted before, this suggests we should all be far more protective of our data and privacy – but how realistic is that really in the modern age, when simply applying for jobs or keeping in touch with your friends all but requires social media accounts?

I’m also surprised at the suggested measures for detecting trojans like the ones I have made – far too manual, like checking file properties. Fortunately the OSes I use will not run malicious code without my active consent, but the way I had my Windows rig set up (back when I had one) would be far more vulnerable despite the firewall, antivirus, and VPN.

Next up is some more work on networks, e.g. for using BeEF outside the user’s network, and then going into post-exploitation attacks in more depth. Fun!

Mycenae, the original centre for combating Trojans

New Kid On The Block

The blog title gives it away but I’m the new guy over at Security Roots working on Dradis. My name is Matt and I love to explore the world. I was born in Poland, grew up in Canada and I am currently hanging out in one of the most tech savvy capitals, Shenzhen, China. Since I am the new guy I wanted to introduce myself, give you some inside scoop, my experience working with the team and a little bit about my first assignment. 👋

Over many years I have worked on a number of web design and development projects. I pride myself in being a designer with a creative edge and although I have extensive knowledge and experience with design concepts, HTML/CSS/JS, Photoshop, Illustrator, Xd and more, I strive to continuously expand my knowledge with all the ever changing technologies. Currently, as a result of joining Security Roots, I am learning Ruby and Ruby on Rails which, I have quickly realized, is quite different from Python and Django. I also enjoy video production/editing using Final Cut Pro X and I have my eyes on a DJI Mavic 2 Pro. 👀

Now let me tell you a little bit about my first month at Security Roots. Initially I was drawn to the job posting because it really resonated with me and I was thrilled when I got an email from Daniel (he’s the big cheese over here if you aren’t sure who I’m talking about) and we discussed the opportunity and by the end of it, all of my needs and wants had been checked off for my dream job. I did a small test assignment, which apparently went well since I’m here, and I got to meet the team. I was a bit nervous about this since I knew everyone had been working together for a few years now and are already in the groove of things. I had all kinds of thoughts going through my mind but I was very excited to join the team. All the nervous feelings were put to rest moments after I joined the workspace as I was welcomed with (virtual) open arms by everyone. With the warm welcome I could feel there was excitement and enthusiasm from everyone that a designer has joined the team. I quickly learned that everyone is friendly, very helpful and extremely knowledgeable and skilled in their roles. The work environment at Security Roots is very different from anything I have experienced before but is also the most interesting and effective one in comparison! Everyone works independently on their assignments but at the same time is always collaborating and communicating with each other. Every week there is a new topic that everyone answers in a video and posts it to share with the team. This is a great way to get to know the people on the team and promotes more of a social vibe in a work environment. Curious about what the office looks like? Where is it located? Who has the best parking spot or the prime corner view? Well this is actually one of the MANY perks of being part of the Security Roots team. We all work 100% remotely all over the world, so the office can be anything from a home office to a co-working space, or even a boat!

Another great feature of being on the team is consistent personal development. Daniel is constantly encouraging us to grow and develop! Whether you want to learn something new within the industry, take a course or read a book, we have it covered. I love to learn so being part of a company that promotes personal development was very important to me. Security Roots really knows how to treat their employees! ✅

I could go on and on about the perks and first impressions but let’s move on to something you will get to see and experience first hand. The first thing I tackled during my first month on the team was a redesign and update of the user profile page. When I am presented with a new feature that needs to be designed, or a current view that needs to be redesigned, I like to make a list of objectives and goals for the design. I want to understand how it will be integrated into the overall project. I do background research on the feature, and use a variety of tools to come up with a few variations of a design, then decide on the best one to continue to develop and finalize. In the case of the profile page redesign, I looked at the current design and identified what the issues were with the flow. We also decided to update to the most current version of the HTML/CSS/JS framework incorporated into the project. There was quite a bit of work to be done to make the view work in the current layout regarding HTML structure and CSS class names. I got the view into something that could be navigated and jumped over to Adobe Xd and made mock-ups to see how I could make the page flow better and be more visually appealing. I decided to incorporate a 2-column view which focused on arranging the fields in a way that made more sense. I opted to make the left column show the avatar and API token reset and moved all the text fields into the right column and arranged them in a natural order of flow. Once the front end components were arranged, I added some validation styling and magic to make it all work and BOOM! My first project was completed with better flow and a more user friendly experience. 💣

As a team we truly hope that the new designs are beneficial to you and look forward to any feedback from users on the new designs that will be coming soon to Dradis CE & Pro!

Matt,
Designer.

w00t and pillage – Captain’s bLog: day 11

This week my studies took a bit of a left turn into Social Engineering.  Whereas everything else so far was technical in nature, using and abusing hardware and software issues and their vulnerabilities, the most recent classes covered the most defective element of any security system – the meatbag in front of the monitor.  PEBKAC indeed!

In terms of systems, I got started with Maltego CE.  The interface is very user-unfriendly, but with the right walkthrough and plugins, it’s the tool I never knew I wanted!  By doing plugin-based searches on all sorts of media on nodes such as persons, websites, servers, and so on, it becomes possible to draw intricate networks of connections between nodes – like a conspiracy theorist’s corkboard, only for cyber-stalking.  Fun stuff!

Next up on the technical side was spoofing to bundle malicious code with a legitimate file and obscure the executable extension, as well as spoofing emails and accessing email servers to send spoof emails without getting immediately flagged as spam.

The downside of this part of the course is that it feels like it’s stretching the concept of “ethical hacking” to the limits of what can be considered “ethical”.  If I spoof a VM, or a real device with the owner’s permission, for the sake of attempting a man-in-the-middle attack, I’m not hurting the device’s feelings.  To even test out a social engineering attack I have to try to fool someone.  I have no problems with pushing the limits of what I can find out about an entity online through publicly accessible information, as the entity in question can use that data for good (e.g. improving their personal privacy by restricting apps’ access to their data), but getting someone to “click here” feels too close to Nigerian royalty.

Even so, the shock value of a successful engineering attack can have positive effects in the sense of raising awareness.  A BBC journalist agreed to let a cyber-security firm try to phish him, and they succeeded.

Did you click that link?  Considering the subject of this post, did you even check if it was legit?  This time it was – but what if it hadn’t been?

w00t and pillage – Captain’s bLog: day 10

This week I got started with Veil.  By using this software together with other techniques from the course, I could open backdoors to target devices in short order.  There are two clever aspects to the approaches used.  First, I was forcing the client device to connect to my Kali VM to execute the attack, rather than me connecting to the target directly.  This approach sidesteps the typical defences in regular firewalls and routers.  Second, the payload delivery was made to spoof the download of genuine updates, with redirects to the appropriate “Update successful!” pages once the download was complete.  Alternatively, the payload could be set to be delivered together with any other download of an executable file.  It could also be combined with the use of your own web server, which comes conveniently included with Kali.

I haven’t yet played around with all the things that can actually be done once this backdoor is open, but ultimately, it looks like all that is required for me to get complete access to another device are fairly innocuous things – using a WiFi hotspot I set up, or clicking a link, or attempting to update their own software.  Even more striking was the demonstration that the Veil software payloads were considered “clean” by all antivirus software.

Much like “Defense against the dark arts” classes, the sequence of lectures on attack methods and vectors ended with a lecture on how to defend oneself against these sorts of attacks.  Worryingly, these again boiled down to:

  1. Always make sure you’re using HTTPS
  2. Don’t use networks you don’t control and/or trust completely
  3. Verify checksums of all your downloads
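Item 3 above is the one of these measures that can be scripted rather than remembered. The following is an added example, not code from the course or the blog: it parses a `sha256sum`-style manifest (the `SHA256SUMS` files published beside many ISO and tool downloads), hashes the downloaded file in chunks, and compares the digests in constant time. The sample file contents and manifest are constructed inline for the example.

```python
import hashlib
import hmac
import io

# Constructed sample data (assumptions for this example, not real downloads):
# a small "downloaded" file and a manifest in the format sha256sum emits,
# i.e. "<hex digest><two spaces><filename>" per line.
SAMPLE_NAME = "example-installer.bin"
SAMPLE_FILE = b"example installer contents\n"
SAMPLE_MANIFEST = (
    hashlib.sha256(SAMPLE_FILE).hexdigest() + "  " + SAMPLE_NAME + "\n"
    + "0" * 64 + "  other-file.bin\n"
)

HEX_DIGITS = set("0123456789abcdef")


def parse_manifest(text: str) -> dict:
    """Map filename -> lowercase hex digest from sha256sum-style lines.

    Lines that are not a 64-hex-character digest followed by a name are
    ignored, and the '*' binary-mode marker some tools prefix to the
    filename is stripped.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            continue
        entries[name.lstrip("*")] = digest
    return entries


def sha256_stream(fobj, chunk_size: int = 1 << 16) -> str:
    """Hash a file object in chunks so multi-GB downloads are not read into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, name: str, manifest_text: str) -> str:
    """Return 'ok', 'mismatch', or 'missing' (no manifest entry) for the named file."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return "missing"
    actual = sha256_stream(io.BytesIO(data))
    # compare_digest does not short-circuit on the first differing character
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    print(verify_download(SAMPLE_FILE, SAMPLE_NAME, SAMPLE_MANIFEST))          # ok
    print(verify_download(SAMPLE_FILE + b"x", SAMPLE_NAME, SAMPLE_MANIFEST))   # mismatch
    print(verify_download(SAMPLE_FILE, "not-listed.bin", SAMPLE_MANIFEST))    # missing
```

The caveat that ties this back to the man-in-the-middle material above: a checksum fetched from the same server over the same connection as the download only protects against corruption, since whoever can replace the file can replace the manifest too. The manifest needs to come from a second channel or carry a signature you can verify independently.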

These measures are all more active than convenient.  “I think the base consideration of one’s security is insufficiently paranoid unless one is optimistic enough about their fellow humans to not believe that anyone will go to the effort of trying to steal their data.”

There might be a point there, though.  Why bother stealing data when most people give it to Google, Apple, and Facebook for free?

w00t and pillage – Captain’s bLog: day 9

Now I have got into vulnerability testing tools from the users’ perspective!  This week I set up a Metasploitable machine, to use Metasploit from my Kali VM to scan for vulnerabilities and generate tool output.  It’s very cool to see how Metasploit had writeups on the individual vulnerabilities and procedures to exploit them right from the command line.

Even cooler was Nexpose.  Again I got a solid overview of the sort of vulnerabilities found and how they could be exploited.  By referring to material outside the Metasploit Community, it feels very connected to the wider InfoSec world out on the internet.  The automatic report generation and automated scans were also handy features.

I have been working on some improvements to the base Dradis CE application this week as well, so this tied in neatly with the studies.  I have only just started with tool output generation, and already I’m manipulating data from Metasploit, Nexpose, and Nmap, all of which are supported in Dradis.  Now that I’m getting the actual user’s view of tool usage I can better put myself in the shoes of hackers starting out with Dradis for the first time to generate customised reports using data from multiple sources.

Having spent so much time with Dradis Pro, it’s fun to get back to basics with Dradis CE.  I’m not bothered by not having access to Word templates.  I gave up using Windows years ago, even my Steam library wasn’t worth the hassle of dealing with it – and I think there’s a lot of potential in well-made HTML templates.  For my purposes, learning and experimenting at home, and showing off to the people at the sailing club bar, it’s a good tool to play with; scan with all the tools and plug all the results into a simple collated report.

Next up in the course is client-side attacks; technical exploits as well as the social engineering exploits of the PEBKAC vulnerabilities!

The view from the bar

w00t and pillage – Captain’s bLog: day 8

This week I finished up the section of the course regarding basic network hacking.  I learned some more about man-in-the-middle attacks, and got started with Wireshark to start actually analysing the data packets flowing through the network. Combined with attacks to make users use HTTP instead of HTTPS, that made target data (including usernames and passwords) totally readable and even searchable.

The obvious next step was “honeypot” attacks, creating a fake wi-fi access point using mana-toolkit. Combined with methods I learned earlier, this would make every user’s data transmitting through my fake network openly visible.  Once again I am struck by how easy all of this is, with freely available easy-to-use software and a cheap USB wi-fi device.  I am right next to a luxury marina and I have excellent mobile internet; it would be trivial to set up a fake hotspot to appear to be set up by the town for foreign visitors, and then ultimately read the visiting yacht owners’ data.

Having covered attacks and basic fake access point creation, I learned about preventing these sorts of attacks, for example by using Wireshark to look for unusual network activity and using XArp to detect ARP poisoning.  It was interesting to get a better look at more good reasons why the sysadmins of an organisation with a medium-sized or larger pool of devices face challenges protecting all their devices – hardly convenient to make the ARP tables static for hundreds of devices at once without good scripting and a good deployment system.

I have noted before that people and organisations in general seem to have a more lax view of data security than I would be comfortable with, but here at the system level, it feels a little more disturbing.  Perhaps I’m missing something, but I would think standard mass-market OSes like Windows, Ubuntu, Android, and such ought to have built-in tools for monitoring network safety and at least natively allow pop-up messages to show that your router appears to have changed its MAC address or that there are duplicates in the ARP table?  Microsoft regularly gets a lot of criticism for its update services, but how can their multi-GB updates not include simple utilities for guarding against MITM attacks?
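The two symptoms named above, the gateway's MAC address changing and one MAC turning up against several IP addresses, are exactly what a tool like XArp alerts on, and they are cheap to check from the host itself. The following is an added example, not code from the course, the blog, or XArp: it parses two snapshots in the format `ip neigh show` prints (the format is assumed from memory; the addresses are constructed), then reports a changed gateway MAC, any other changed entry, and any MAC claimed by more than one IP.

```python
from collections import defaultdict

# Constructed `ip neigh show` output (assumed format; all addresses invented).
# Baseline taken when the network was known to be healthy.
BASELINE = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.21 dev wlan0 lladdr aa:bb:cc:00:00:21 REACHABLE
"""

# Later snapshot: the gateway now resolves to the MAC that 192.168.1.21 also
# claims, which is the footprint ARP poisoning leaves in the victim's table.
LATER = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:21 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.21 dev wlan0 lladdr aa:bb:cc:00:00:21 REACHABLE
192.168.1.22 dev wlan0 FAILED
"""


def parse_neigh(text: str) -> dict:
    """Map IP -> lowercase MAC; entries with no lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table


def find_duplicate_macs(table: dict) -> dict:
    """Return MAC -> sorted IPs for every MAC that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_arp(baseline: dict, current: dict, gateway_ip: str) -> list:
    """Compare two ARP snapshots and return a list of alert strings (empty if clean)."""
    alerts = []
    old_gw, new_gw = baseline.get(gateway_ip), current.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        alerts.append(f"gateway {gateway_ip} MAC changed {old_gw} -> {new_gw}")
    # Any other host whose MAC differs from the baseline (gateway already reported)
    for ip, mac in current.items():
        if ip != gateway_ip and ip in baseline and baseline[ip] != mac:
            alerts.append(f"{ip} MAC changed {baseline[ip]} -> {mac}")
    for mac, ips in find_duplicate_macs(current).items():
        alerts.append(f"MAC {mac} claimed by multiple IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in check_arp(parse_neigh(BASELINE), parse_neigh(LATER), "192.168.1.1"):
        print("ALERT:", alert)
```

Run against a fresh `ip neigh show` capture every few seconds and a stored baseline, this gives the pop-up the paragraph above asks for. A legitimately replaced router trips the same check, so treat an alert as a prompt to verify the gateway's MAC out of band (a sticker on the device, the router's admin page over a wired link) rather than as proof of an attack; a static entry for the gateway, as mentioned above, stops the table changing in the first place.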

By coincidence I’m looking into appropriate hardware for better internet connections on my boat, like a powerful active wi-fi range extender combined with mobile internet connections bridged into a router with failover.  If I’m going to be setting up a powered wi-fi antenna on the masthead, perhaps I should look at getting one with AP and Monitor mode capability…

Anyone for free wi-fi?

w00t and pillage – Captain’s bLog: day 7

This week I have been learning about man-in-the-middle attacks.  This section of my course started out with learning more about network discovery, including my first hands-on experience with Nmap as an actual user.  First impressions of Nmap: it’s amazing how much data you can gather so simply.  Just discovering which devices are visible and which ports are open is very powerful information.  And then we get into the possibilities for exploiting that information!

Noodling around with MITMF is a lot of fun.  With just a few short commands and plugins, I could do cool tricks in no time:

  • ARP spoofing for my Kali VM to become the MITM
  • DNS spoofing – I get to decide which pages the victim’s browser gets sent to
  • Screenshotting – I see what the victim sees
  • Keylogging – obfuscated password field? Not to me!
  • JavaScript and HTML injection – here, have some popups

Two things really strike me here.  First, once again I’m astounded by how little is done for security or at least security-consciousness.  The above tricks were tested out using the MITM to turn HTTPS pages into HTTP.  Of course that’s a huge security issue, but the user-facing warnings in the browsers – particularly to people not in IT and not interested in computers, like my parents for example – are easy to ignore.  How likely are they to spot the missing padlock icon, how likely are they to even understand Firefox’s warning that the password field they are seeing is not secure?

Second, I’m always amazed by how powerful and excellent free open-source software can be.  MITMF, and indeed Linux (and Kali as a subset) are all free and anyone can modify them, yet a simple video guide showing a few simple canned commands allows anyone to potentially access very sensitive data.

I think there will always be a game of cat-and-mouse, with major developers trying to construct more secure software and communication, and the open-source world finding the vulnerabilities and exploits.  State actors will continue to try to exploit infosec vulnerabilities for snooping, and the open-source world will find ways to protect their data, for those with the will and know-how to do so.  I used to play with VPN setups, and I found that one that I made based on SoftEther circumvented state censorship easily – very cool stuff with a day’s configuration of a spare server.  Will the Great Firewall of China ultimately harm information security, or in the long term, will it lead to improving it?

China built and maintained the Great Wall to keep out foreign invaders. Even so, the Mongols invaded and built a Chinese dynasty

w00t and pillage – Captain’s bLog: day 6

Earlier I looked at the security and privacy issues surrounding AIS (the Automatic Identification System) and other navigational aids aboard ships.  Today there was an interesting article about this on the BBC.  Essentially, while commercial vessels are generally required to carry AIS transponders on board, it is also possible to switch them off.  Vessels have therefore been able to bust sanctions by switching off their transponders, e.g. to make deliveries or enter ports that they are not supposed to.  However, satellite imagery combined with big data analysis is being used to combat this.

Surface ships do not really have anywhere to hide on the sea, so they can be tracked by satellite imagery.  Their shadows will change depending on the size of the load they are carrying.  Data is available regarding which ports in which locations typically load or unload which types of cargo.  The result is that it is now proving possible to track shipping and even types of cargo on the high seas, using data and satellites.  Not only does this make it possible to detect when ships are carrying out illegal activity, such as ship-to-ship transfers circumventing sanctions, but also shows changes in the flow of trade, such as oil tankers diverting en-route to new destinations based on fluctuations in oil prices.

I’m concerned about privacy implications.  Once again it shows how actors with access to significant resources – hardware manufacturers, state intelligence agencies, software companies – can extract more data from users (and even non-users!) of seemingly straightforward products and services than we may be aware of or be prepared to accept.  As the resources required for big data decrease, with cloud computing and accessible user platforms, the barrier to entry will also decrease.  If a country’s coast guard is capable of identifying vessels and their cargo on the high seas, that’s one thing – if a RIBload of pirates are able to do so as well, that’s another.

One of the techniques I enjoy for hiding data is steganography, hiding a message in plain sight disguised as something else.  After all, even the best cryptography is susceptible to “ball peen hammer decryption” if someone knows you have something to hide.  Incredibly, the principle of steganography has even been used at sea.

During the Second World War, the Japanese invasion of the Dutch East Indies left the Dutch navy in the area in grave danger.  Their ships tried to escape to Australia, but were all soon sunk – except for one.  The captain of HNLMS Abraham Crijnssen realised that their ship was all too visible at sea from the air – so in a stroke of mad genius, he had the warship disguised as an island!  Moving only at night, and slowly, they evaded detection and arrived safely in Australia 8 days later.  HNLMS Abraham Crijnssen served out the rest of the war operating out of Australia, and well done to the ship and her crew. Read more here!

HNLMS Abraham Crijnssen at sea

w00t and pillage – Captain’s bLog: day 5

The studies continue!  This has been a busy week, so I only got to cover the theory and practice behind cracking WiFi passwords – WEP, WPA, and WPA2.

WEP cracking is fairly straightforward.  Since each transmission contains the key that ultimately has to be cracked, it’s just a matter of gathering enough packets to analyse. Both gathering the packets and cracking the key is done with packages pre-installed in Kali.  The cool thing was speeding up the gathering of packets with ARP replay – forcing more authentication packets without the device owners necessarily noticing.

WPA cracking of course is far more complex. The course covers the exploitation of the WPS feature, a far simpler backdoor into a WPA network, but even around here WPS seems to be disabled by default or push-button-only.

For actual WPA cracking, I suppose it’s a testament to its level of security that the recommended attack is still a brute force dictionary attack. It was interesting to see what sort of ready libraries are available for download for testing – compilations of the top 10,000 passwords, actual dictionaries for different languages, and so on.

From my previous life in the corporate world, I have heard most of the horror stories of password policies. This class is the reason why we keep hearing the same ones – “why is the password to the server with our expensive custom software ‘password1’?” A justification for borderline paranoia regarding information security in the modern world is the “password on a post-it note on the monitor” and social engineering.  You might have strong passwords and encryption, but those you communicate with may not. So you want to collect data? Carry a clipboard and go anywhere.

I enjoyed the discussions of cryptography and password policies in Neal Stephenson’s Cryptonomicon. And still, at times I feel like D. M. Shaftoe’s character, too paranoid to use cryptography at all, since if something is worth keeping secret, it shouldn’t be shared digitally at all.

My secrets are safe, though. Notebooks, illegible handwriting, and fluency in obscure languages.

Midnight sun in a land of obscure languages

Tales from the Other Side: we survived our first security review

In a dimly lit room with Doritos and Mountain Dew on my side, I was ready to begin the assessment and be like Hackerman. – Aaron

Recently, the Dradis team was presented with the opportunity to conduct a security review for a funded startup. Our original team comes from a background in security consulting. But, we also have team members who come from the software or support worlds. Basically, some of us (Aaron, Rachael, and Xavi) were n00bs and had never pwned anything before.

As someone who unintentionally adds holes in an application for a living (aka web developer), finding vulnerabilities in an app sounds like a fun activity that could give me a new perspective on my profession. – Aaron

Why did we decide to take on this project? We wanted to experience what you experience every day. The Dradis team doesn’t (usually) deliver security reports, we release software. We exhaustively test new releases and fix the bugs that you report to us. But, we rarely (if ever) get the chance to use Dradis in a real-world scenario. This time, we had a client, the team needed to collaborate despite time zone differences, and there was a deadline looming. Yes, we crossed over to the other side. And, we survived.

What we did:

  • Performed a security review on 3 components of a single web application
  • Drank a lot of coffee and/or Mountain Dew
  • Followed the WAHH methodology (with some custom checks added in)
  • Found, verified, and reported on roughly 3 dozen Issues
  • Generated a Word report that was organized by Risk Rating (based on the CVSSv3 score) and by affected component
  • Delivered the report to the client, answered their questions, then wished we could celebrate in person as a team

We learned a lot. We delivered a report to our client that we’re proud of and we covered a lot of ground in a short period of time. The technical team did a great job transitioning from their day jobs as Ruby developers and becoming pentesters for a week. Aaron summed up the learning curve perfectly: it was “like a scientist trying to do ballet for the first time.” Everyone ran into at least a few walls. But, with some teamwork, fantastic resources, coffee, and a little Google, we got it all done. During the process of the security review, we learned about you, we learned about us, and we’re excited to apply these lessons as we continue building Dradis.


We learned a lot about you

No, not about you as a person, but we did learn a lot about our customers in the whole “walk a mile in their shoes” sense. By using Dradis to perform a real-world security review, we got insight into how we can make Dradis so much better for you in the future.

Here’s an example:

We’re a remote team. On this project, team members were collaborating between 3 different continents. Team members jumped in and worked during their own daylight hours. After about day 2 of the project, we realized that we were pasting links from the Dradis project into Slack with messages like “Hey, I don’t understand this part, can you clarify?”. Then, the author of the Issue would have to log back into Dradis, edit the content over there, and then update the Slack thread saying “I fixed it! How does that look now?”.

You know what we needed instead? The ability for all of those conversations to take place within Dradis. This wasn’t our only lightbulb moment, but it was one of the biggest. We can’t wait to roll out new features and improvements to give you the features that we were looking for!


We learned a lot about reporting (and deadlines)

Dradis is a collaboration and reporting tool. So, learning about reporting and deadlines is really the same as learning about ourselves. Some of us also learned more about our caffeine tolerance during the security review, but you want to hear about Dradis, right?

I (Rachael) spend a whole lot of time with your report templates. I’ve made friends with Microsoft Word (ok, it’s still a rocky relationship sometimes) and can break and fix just about anything you throw at me. But, I’d never experienced generating a report with Dradis while under an external deadline before. This time, I knew that there was a client waiting for me to review the findings and export the report.

We’ve always had a “we will go above and beyond for our customers” approach to support. But, the next time we get an email like “MY REPORT WAS DUE YESTERDAY AND IT’S BROKEN OH GOD PLEASE HELP ME” (not a direct quote), we can understand you even better. That extra understanding of what you’re going through was worth every hour we spent on this security review.

And it’s not just on the support side. We want to take our newfound understanding and help take away even more of the work (and stress) of the reporting process. How? By improving Dradis.

Improvements: Big and Small

We found plenty of small (and big!) improvements that we can’t wait to implement. We quickly identified a few UI tweaks. In some cases, they’re as simple as moving a button or adding different scrolling options. But, if we were internally screaming for them, we think you’ll like them too.

Some of the takeaways were bigger. For example, after going through the QA process ourselves, we feel very strongly that we need a more seamless QA process within Dradis.

Back to the other side

In the end, we all ended the security review with a deeper respect for what you all do every day. Walking the digital equivalent of a mile in your shoes left us with a list of improvements that we think will make the road a little less rocky for you next time. But, we’re ready to head back to the other side (the software development side) and leave the security reviewing to all of you again. You find the vulns, we’ll keep making Dradis better for you. Stay tuned for more Dradis improvements in the coming months!