Friday, September 13, 2013

Mapping Tor Relays and Exit Nodes


The Tor network is used by anyone who wants to maintain their online anonymity. There has recently been quite a bit of activity regarding Tor in the media, so I thought it would be helpful to explain a bit about how Tor's peer-to-peer structure is set up, as well as show how we can create a map of Tor relays and exit nodes.

Friday, July 5, 2013

Building an SSH Botnet C&C Using Python and Fabric


Disclaimer: I suppose it would be wise to put a disclaimer on this post. Compromising hosts to create a botnet without authorization is illegal, and not encouraged in any way. This post simply aims to show security professionals how attackers could use standard IT automation tools for a purpose for which they were not originally intended. Therefore, the content is meant for educational purposes only.

System administrators often need to perform the same (or similar) tasks across a multitude of hosts. Doing this manually is unreasonable, so solutions have been created to help automate the process. While these solutions can be a life-saver to many, let's look at them in a different light. In this post, we'll explore how easy it would be for an attacker to use one of these solutions, a popular Python library called Fabric, to quickly create a command and control (C&C) application that can manage a multitude of infected hosts over SSH.

Thursday, June 20, 2013

How Browsers Store Your Passwords (and Why You Shouldn't Let Them)


In a previous post, I introduced a Twitter bot called dumpmon which monitors paste sites for account dumps, configuration files, and other information. Since then, I've been monitoring the information that is detected. While you can expect a follow-up post with more dumpmon-filled data soon, this post is about how browsers store passwords.

I mention dumpmon because I have started to run across quite a few pastes like this that appear to be credential logs from malware on infected computers. It got me thinking - I've always considered it best to not have browsers store passwords directly, but why? How easy can it be for malware to pull these passwords off of infected computers? Since sources are a bit tough to find in one place, I've decided to post the results here, as well as show some simple code to extract passwords from each browser's password manager.

Wednesday, June 5, 2013

Smash the Stack IO Level 4 Writeup


It's been a while. I suppose finals, projects, etc. will do that. Anyway, I figured it was time to get back to posting content on here as much as possible - and I have some neat projects underway that I'm excited to share soon. For now, I'll continue the previous series covering the IO wargame on

Thursday, March 28, 2013

Introducing dumpmon: A Twitter-bot that Monitors Paste-Sites for Account/Database Dumps and Other Interesting Content


I created a Twitter-bot which monitors multiple paste sites for different types of content (account/database dumps, network device configuration files, etc.). You can find it on Twitter and on Github.


Paste-sites such as Pastebin, Pastie, Slexy, and many others offer users (often anonymously) the ability to upload raw text of their choice. This is helpful in many scenarios, such as sending a crash report to someone or pasting temporary code. However, in addition to some people not being careful with what they upload (leaving passwords and other sensitive data in the text), attackers have been starting to use these sites to share post-compromise data, including user account data, database dumps, URLs of compromised sites, and more.

Since there are so many users uploading text to these sites, it's often difficult to find these interesting files manually. While techniques such as Google Alerts can be applied, the results are often a day or two old and are sometimes already deleted. This prompted me to create a tool which monitors these sites in "real-time" (less than a minute of delay for the slowest sites) for specific expressions, and then automatically ranks, aggregates, and posts these results to Twitter for further analysis. I call this tool DumpMon.

Thursday, March 14, 2013

Installing Kali Linux in a VirtualBox Virtual Machine


For years, Backtrack Linux, a penetration testing suite from Offensive Security, has been the standard operating system for security testing professionals. However, Offensive Security has just released a new distribution based on Backtrack called Kali Linux, which seems to offer quite a few improvements. In a previous post, I showed how to create a Backtrack virtual machine using the open-source virtualization software VirtualBox. I felt it would be helpful to create a similar post showing how to create a Kali Linux virtual machine. The process will be nearly identical, but hopefully it will still serve as a useful reference to some. With that being said, let's get started.

Monday, March 4, 2013

Automatically Enumerating Google API Keys from Github Search


Github recently introduced its new and improved search feature. While the improvements make searching for content much easier, they have certainly introduced their share of problems as well. This is just another example.

Saturday, January 26, 2013

Wireless "Deauth" Attack using Aireplay-ng, Python, and Scapy


A couple of days ago I received my order of a nifty Alfa AWUS036H and decided it'd be a perfect time to explore a few common wireless attacks. This post will explore how to perform a common "Deauthentication Attack", both the "easy" way using a fantastic tool called aireplay-ng, and by writing our own tool in Python to perform the attack for us using the extremely powerful Scapy module. In this post I won't be going into detail about basic wireless mechanisms, but if you'd like a very comprehensive guide to understanding the topic, I really recommend the Wireless LAN Security and Penetration Testing Megaprimer on SecurityTube. With that said, let's deauth some clients.

Alfa AWUS036H

Thursday, January 10, 2013

Distributed Port Scanning: Creating an Nmap Cluster Using DNmap


When performing a security engagement, the information gathered from port scanning is crucial. However, these scans can take a substantial amount of time when we set a reasonable timeout in an attempt to be thorough. So what happens when we need to scan a large number of hosts? Say, an entire continent? We need to find a way to distribute the bandwidth load across multiple hosts in parallel. Fortunately, a tool has been developed which allows us to create and manage a cluster of hosts, each of which has its own bandwidth dedicated to port scanning.

Monday, January 7, 2013

SANS Holiday Challenge 2012 Zone 5 Writeup

Zone 5

Heat Miser

The last zone we need to gain access to is Zone 5 for Heat Miser. Connecting to the URL we found in the previous post, we are presented with the following:

SANS Holiday Challenge 2012 Zone 4 Writeup

Zone 4

We can use the URLs obtained in the previous post to access Zone 4 for both Snow and Heat Miser.

SANS Holiday Challenge 2012 Zone 3 Writeup

Zone 3

Using the URLs obtained in the previous post, we can access Zone 3 for both Heat and Snow Miser. Let's see if we can obtain the URLs for Zone 4.

SANS Holiday Challenge 2012 Zone 2 Writeup

Zone 2

Using the URLs obtained in the previous post, we can gain access to Zone 2 for both Snow and Heat Miser.

SANS Holiday Challenge 2012 Zone 1 Writeup

Zone 1

We can use the links found in the previous post to gain access to Zone 1 for both Snow Miser and Heat Miser. Since no more introduction is needed, let's get started.

SANS Holiday Challenge 2012 Zone 0 Writeup


This year, SANS hosted a holiday CTF-like challenge in which participants play the role of Heat Miser and Snow Miser, two characters from the classic movie The Year Without a Santa Claus, as they attempt to gain access to each other's weather control systems to alter the weather systems on Earth as we know them.

Sunday, January 6, 2013

Google as an IDS: Using Google Alerts to Help Detect Compromise


Detecting a compromise can be difficult. When it comes to intrusion detection, the more information and sources a sysadmin has at their disposal, the better. Fortunately for us, Google has created a tool called "Google Alerts" that inadvertently gives us the capability to monitor for intrusions in a few ways.

Friday, January 4, 2013

Cracking Unix Password Hashes with John the Ripper (JTR)


This post will serve as an introduction to password cracking, and show how to use the popular tool John the Ripper (JTR) to crack standard Unix password hashes. I am also working on a follow-up post that will provide a far more comprehensive look at password cracking techniques and the different tools employed (along with their pros and cons).