Using CARVER to identify risks and vulnerabilities

CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It’s a system used by Special Forces to assess the targets and see which one needs to be addressed first. Let me write down what each component means in terms of information security.

Read More

Open, Edit & Save Encrypted Files with Vim and GPG | Jason Seney

Jason Seney has a simple, yet vey effective, way to encrypt files on the fly using GPG and Vim. The beauty of the method is that plain text never touches the disk or the swap file. It’s a neat trick and a good one to have when you are in the field.

To Open an Encrypted File (from shell):

gpg -d myfile.mkdn.gpg | vim - -n -i "NONE" "+set filetype=markdown"

To Encrypt and Save a File (from vim):

:w !gpg -c -o myfile.mkdn.gpg

Crude steganography with the command line

Here's a neat trick to have: using cat as a steganography tool to hide a RAR archive inside a simple jpg image.
The following will work on any Unix, including Mac OS X (for Windows see at the end of the post):

Step 1

Create a file with the data you want. If possible save it as an encrypted file.

Step 2

Compress it using RAR. Copy the RAR archive into the same directory as the jpg image.

Step 3

Open a terminal and type:

cat image.jpg archive.rar > newimage.jpg

The result is another jpg image. If you open newimage.jpg it will display the image, however if you try to unrar newimage.jpg RAR will extract the contents of the RAR archive you just appended to the image.
It's not super secure and if you look inside the image with a hex editor you can see the RAR archive, but it's a fast and simple way to use steganography.

For Windows use the following:

Open the cmd.exe and type

copy /b image.jpg + archive.rar newimage.jpg

The dangers of a flat network - or how I tracked the mob boss...

Some time ago, while I was helping a law enforcement agency track a wanted mobter boss, I came across one of his trusted people's computer. He and I were connected to the same insecure wireless at a cafe. After some scanning and running several little exploits I managed to get a shell to his Windows XP machine.

Putting aside the fact that his XP wasn't updated and that XP is the easiest Windows to penetrate, he didn't have any firewall, antivirus or any other security program on his laptop. Initially I thought the laptop was one of those *burn* computers: use once and discard, so I was hesitant to leave there any backdoor, however he was the only lead we had to the boss. I installed a little backdoor.

The backdoor program would try to connect to a server I had ready. Just send a "I'm alive" signal via an HTTP GET that was injected into any application connected to the internet as soon as the laptop connected to a new network (different from the one we were connected at that moment). The idea was to piggy back into an app already connected and try to remain hidden like that.

I wasn't sure it would work because the more I searched the laptop, the more I thought this was a burn computer. My hope, though, was that this guy would eventually connect to a network where either the boss was connected or that we could find data belonging to the organization; maybe this last part would help us find the boss.

For several weeks my *listening* program didn't get any signals. Then, when I was to shut down the server, I had one.


Read More

Smash and Grab: Windows Dir Lists

This is a great tip by Room362:

Looking through network shares can be slow, and waiting for individual searches to finish looking through the whole “drive” is redundant. Easier to just use some Windows voodoo to get a good list to look through offline:

start /b cmd /c dir /b /s \\doesnotexist\supersecretshare$ ^> shareinfo.txt

Breaking that down:

start /b – starts a process that won’t hang up our current one, with the “b” flag meaning “background”, yay not visible to the user! (unless your process forces it back)

cmd /c – no reason to explain this one it runs something.. (since dir isn’t an executable but something that resides inside of cmd this is needed)

dir /b /s – the “s” means sub directories and pretty widely known. The one that isn’t as well known is the “b” which means “bare” format. Also known as “puts-path-on-every-line-to-make-it-easy-to-find-and-grep-stuff” mode.

The path is arbitrary, if you didn’t know you could dir list a UNC path, now ya do.

The ^> is the cool trick. If you use “start” to create a process in the background, re-routing its output to a file instead of just getting the fact that start began (the only thing start outputs), is made possible by this lowly ‘carrot’ before the greater-than.

Big, expensive, digital lock defeated by an old credit card and a spring.

A few years back, a customer asked us to test their newly installed (and very expensive) surveillance and security system. The products promised them an automated system that was so secure they wouldn’t have to place a security guard there.

After some recon we discovered that while the entrance was guarded by a very secure keypad + access card combination lock, the inside had an automated “unlock” sensor so if anyone wanted to come out, the door would unlock from the inside.

After some careful review of the pictures we took we found out that the top and bottom of the doors were not sealed tight against the floor, we could see a tiny bit of light from there (we took the pictures with a high resolution night capable camera). A plan was set in motion.

We arrived, we approached the door and we remove the piece of gear that would, hopefully, allow us to bypass the very secure lock: a old credit card.

We slid the old credit card under the door and… nothing.


Read More

DEFCON 20: Cortana: Rise of the Automated Red Team

Speaker: RAPHAEL MUDGE
Do you ever wish that you could clone yourself during a penetration test? Meet Cortana, a new scripting language to automate Metasploit and extend Armitage. Cortana is a penetration tester's scripting language inspired by scriptable IRC clients and bots. Its purpose is two-fold.