The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Archive for the ‘Security’ Category

gargoyle, a memory scanning evasion technique

Posted by jpluimers on 2017/03/07

The Blog of Josh Lospinoso: [WayBack] gargoyle, a memory scanning evasion technique


[WayBack] gargoyle, a memory scanning evasion technique – Joe C. Hecht – Google+

Source: gargoyle, a memory scanning evasion technique

–jeroen

Posted in Development, Security, Software Development | Leave a Comment »

Generate Mozilla Security Recommended Web Server Configuration Files

Posted by jpluimers on 2017/03/06

In case you manually want to configure or have a web-server that’s not supported by certbot for letsencrypt (yet): Generate Mozilla Security Recommended Web Server Configuration Files.

At the time of writing, these were supported by the generator (* were not supported by certbot for letsencrypt yet):

–jeroen

via: Feature request: admin web interface over HTTPS · Issue #630 · pi-hole/pi-hole

Posted in *nix, *nix-tools, Apache2, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Trojans communicating through DNS: Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

Posted by jpluimers on 2017/03/06

DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.

Source: [WayBack] Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

–jeroen

Posted in DNS, Internet, Power User, Security | Leave a Comment »

Change your passwords and 2FA on a bucketload of sites because of 1139 – cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory – project-zero – Monorail

Posted by jpluimers on 2017/02/25

There are many sites potentially affected by the recently uncovered Cloudflare memory leak bug below.

Read this list to get an impression: [WayBack] sites-using-cloudflare/README.md at master · pirate/sites-using-cloudflare

Basically you should change your passwords, 2FA authorisations and any other security hooks going through these sites. There are 1000s of them, including many major sites.

The reason for being so cautious is that the leaks have been cached on many systems, including Google Search. Many providers have scrubbed caches, but the information could still be in some caches, or the caches of end-user machines.

Background reading:

–jeroen

Posted in Power User, Security | Leave a Comment »

SHAttered – stop using SHA-1; it’s broken

Posted by jpluimers on 2017/02/24

We have broken SHA-1 in practice.

This industry cryptographic hash function standard is used for digital signatures and file integrity verification, and protects a wide spectrum of digital assets, including credit card transactions, electronic documents, open-source software repositories and software updates.

It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.

For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract.

–jeroen

Posted in Encryption, Hashing, Power User, Security, SHA | Leave a Comment »

How to Build Your Own Penetration Testing Drop Box – Black Hills Information Security

Posted by jpluimers on 2017/02/03

TL;DR

At testing time, the Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space, so buy this:

Hardware Shopping List (links current as of 8/2/2016)

After that, continue with the article and start with the Initial Setup of the Kali Image.

Source: How to Build Your Own Penetration Testing Drop Box – Black Hills Information Security

–jeroen

via: Joe C. Hecht originally shared to Single Board Computers and Virtual Private Servers (Hardware).

Posted in *nix, Kali Linux, Linux, Pen Testing, Power User, Security | Leave a Comment »

Some ChromeCast URLs

Posted by jpluimers on 2017/02/01

I need to check these against a Chromecast v2 as the below URLs are from a v1 device:

More is possible by using cURL: Chromecast Hacking Has Begun | fiquett.com

sleep 8h; while true; do
curl -H "Content-Type: application/json" http://192.168.71.113:8008/apps/YouTube -X POST -d 'v=somevideo';
done

Related:

–jeroen

via:

Posted in Chromecast, Communications Development, Development, Google, Hardware Interfacing, HTTP, https, Internet protocol suite, REST, Security, TCP | 3 Comments »

inversepath/usbarmory: USB armory: open source flash-drive-sized computer

Posted by jpluimers on 2017/01/26

Source: Inverse Path – USB armory

usbarmory – USB armory: open source flash-drive-sized computer

Roughly EUR 100, excluding SD card, host adapter and enclosure.

Source: inversepath/usbarmory: USB armory: open source flash-drive-sized computer

Since I was talking about security anyway…. this is a nice toy for breaking open laptops or desktops when the administrator forbade the installation of software, or you want software on it executed. This is often the case with company devices, e.g. the laptops which are supplied by banks to their 3rd party suppliers. Outsourcing is cool, remember?

This is a computer on a stick which can run a Linux kernel. In combination with some USB gadget kernel modules, it can be configured to authenticate itself as any device. All you need to do is plug it in, and iterate by brute force through the device identifiers until you hit one which is accepted to be used. Store the statically linked software you want to install or run on the stick beforehand, and here you go. So if you ever need an SSH client on a “secure” Windows laptop… putty.exe FTW.

Posted by Ralf Ramge – Google+

–jeroen

via: Since I was talking about security anyway…. this is a nice toy for breaking open laptops or desktops when the administrator forbade the installation of… – Kristian Köhntopp – Google+

Posted in *nix, Hardware, Pen Testing, Power User, Security, USB | Leave a Comment »

Using the github version of certbot (formerly letsencrypt) to get Let’s Encrypt certificates

Posted by jpluimers on 2017/01/24

The Let’s Encrypt certbot (formerly letsencrypt) had some trouble on my machinery.

When trying to test if Apache default default · Issue #3307 · certbot/certbot and opensuse Tumbleweed: Each time I run certbot, a line with Listen 443 gets added to /etc/apache2/httpd.conf · Issue #3364 · certbot/certbot were fixed, I had to run certbot directly using specific github branches.

Normally certbot queries https://pypi.python.org/pypi/certbot/json to install the latest sanctioned version of itself, which means this won’t work to run the version from GitHub:

git clone https://github.com/certbot/certbot.git
cd certbot
./certbot-auto <<command-line-parameters>>

But the below does:

git clone https://github.com/certbot/certbot.git
cd certbot
# create a local branch that starts at the remote branch you want to test
git checkout -b <<branch-name>> origin/<<branch-name>>
./letsencrypt-auto-source/letsencrypt-auto --os-packages-only
./tools/venv.sh
source venv/bin/activate
certbot <<command-line-parameters>>

The last statement will run ./venv/bin/certbot, but you can also hard-code that (or run which certbot to verify the directory is on the path).

I used it to test with this branch:

git checkout -b osrelease_like origin/osrelease_like

The above are basically the steps to set up a virtualenv as mentioned in Developer Guide — Certbot 0.9.0.dev0 documentation.

To undo, just run this from the certbot directory:

deactivate
rm -rf venv

The first statement will adjust your path and the second gets rid of the virtual environment, including all packages that were downloaded in it.

If you forgot to remove the venv directory, there might be old versions hanging around named like venv.1470590779.bak, where the number in the middle is the number of seconds since the Unix epoch (1970-01-01 00:00:00 UTC); you might want to remove these as well.
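One way to find and prune those stale backups, as an added example that is not part of the original post or of certbot itself. The function names list_venv_backups and prune_venv_backups are hypothetical, and the cutoff is an epoch value in seconds.

```shell
#!/bin/sh
# Added example: helpers for venv.<epoch>.bak directories in a certbot checkout.

# Print "<epoch> <UTC timestamp> <path>" for every backup, oldest first.
# Usage: list_venv_backups [certbot-checkout-dir]
list_venv_backups() {
    dir=${1:-.}
    for path in "$dir"/venv.*.bak; do
        [ -d "$path" ] || continue        # glob did not match, or not a directory
        name=${path##*/}
        epoch=${name#venv.}
        epoch=${epoch%.bak}
        case $epoch in
            ''|*[!0-9]*) continue ;;      # middle part must be digits only
        esac
        # GNU date takes -d @N; BSD/macOS date takes -r N
        stamp=$(date -u -d "@$epoch" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null) ||
            stamp=$(date -u -r "$epoch" '+%Y-%m-%dT%H:%M:%SZ')
        printf '%s %s %s\n' "$epoch" "$stamp" "$path"
    done | sort -n
}

# Delete backups created before the cutoff epoch and report each removal.
# Usage: prune_venv_backups <certbot-checkout-dir> <cutoff-epoch>
prune_venv_backups() {
    dir=$1
    cutoff=$2
    list_venv_backups "$dir" | while read -r epoch stamp path; do
        if [ "$epoch" -lt "$cutoff" ]; then
            echo "removing $path ($stamp)"
            rm -rf -- "$path"
        fi
    done
}
```

The active venv directory and anything whose middle part is not purely numeric are never touched.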

Inside the venv environment you can use all kinds of Python tools, for instance:

  • Run pip install ipdb, after which you can add import ipdb;ipdb.set_trace() to any source line to break right into the Python debugger. There, it will drop you into a debug console, which is pretty much a fully fledged Python interpreter.
  • Run pip freeze to show all installed Python packages.

While testing, you can use the --test-cert or --staging command-line options to use the Let’s Encrypt staging environment; this prevents running into the live environment rate limits (the main ones at time of writing are a Duplicate Certificate limit of 5 certificates per week and a Certificates per Registered Domain limit of 20 per week, whichever limit is lower).

–jeroen

Posted in *nix, Encryption, Let's Encrypt (letsencrypt/certbot), Linux, openSuSE, Power User, Security, SuSE Linux | Leave a Comment »

API Web Services, integration with third party applications, Secret Server | Thycotic

Posted by jpluimers on 2017/01/18

How good is this?

Access Secret Server using Web Services: mobile apps, third party applications, and scripts (with the proper authentication).

Source: API Web Services, integration with third party applications, Secret Server | Thycotic

I bumped into this after searching for winauthwebservices/sswinauthwebservice.asmx

https://www.reddit.com/r/sysadmin/comments/2o1gvd/thycotics_secret_server_is_on_sale_again/

http://thycotic.com/products/secret-server/compare-installed-editions/

–jeroen

Posted in Development, Hashing, Security, Software Development | Leave a Comment »