Wednesday, May 20, 2009

Carnal0wnage will be a BruCon!

I'm happy to announce that I'll be speaking at Brucon in September (18-19) on Open Source Information Gathering.

This is an update to my set of talks last year. After a year of doing OSINT work I've revised the methodology and it should be a pretty good update to the previous talk. I'm planning on focusing a lot on Person/Organization Information Gathering (IG) and should be followed by Chris Nickerson talking about Red and Tiger Team Testing(I call it Full Scope testing) aka putting all the "stuff" we found in my talk to actual use.

should be a good time. plus hoeagaarden on tap!

check the Brucon blog for up to date info

Client-Side Penetration Testing Notacon Edition

Here's the video from the Notacon talk. Audio sucks, sorry...blame the video guy.

Full Scope Security Attacking Layer 8: Client-Side Penetration Testing Notacon '09 Edition from FullScopeSecurity on Vimeo.


Not Dead, just busy

I'm not dead and I haven't quit blogging, just been tired and busy and working on fairly big change to c0 that I think everyone will enjoy. I was hoping it was going to be ready by now but its not...I do this for you'll just have to wait :-) I'm actually waiting on someone else to do something, and they also do what I'm waiting on for free...vicious cycle...

back to your regularly scheduled ranting and pwning

Tuesday, May 19, 2009

2 Year Anniversary!

Happy Two Year Anniversary of carnal0wnage blog!

Monday, May 4, 2009

Wicked Cool Ruby Scripts Book Review

Wicked Cool Ruby Scripts Book Review

By Steve Pugh

4 stars

Thanks to No Starch Press for my review copy!

From the Description

Wicked Cool Ruby Scripts provides 58 scripts that offer quick solutions to problems like system administration, manipulating images, and managing a website. After getting your feet wet creating simple scripts to automate tasks like file compression and decompression, you'll learn how to create powerful web crawlers, security scripts, and full-fledged libraries and applications, as well as how to:

* Rename files, disable processes, change permissions, and modify users
* Manipulate strings, encrypt files, and sort efficiently
* Validate web links, check for orphan files, and generate forms
* Mass edit photos, extract image information, and create thumbnails
* Parse CSV files and scrape links, images, and pages from the Web

Ruby is a highly extendable and sometimes confusing language especially when you throw in all the various rubygems out there. Wicked Cool Ruby Scripts provides many examples on how to use the various gems to script together quick hacks (wicked scripts) to various problems one may encounter.

Steve walks us through the problem we are trying to solve, the the code to solve the problem, how to run the code, what the results look like, a lengthy discussion on how it works and "hacking the script" with ideas on how to extend what we wrote. All the code is well commented (see the sample chapter on No Starch Press) and well explained.

Easy and fun to read, font is readable, doesn't contain pages and pages of uncommented code, source code is available, companion website exists, and the book left me with memorable ways to remember and use the material. I've actually gone back a few times to look at some of the scripts in the book. I also liked the metasploit section (of course). It certainly isn't your typical "Hello World" programming book which is also refreshing.

As one other person posted in their Amazon review, its a bit hard to say what level the book is for. Its certainly NOT for beginners as we're expected to already have ruby up and running and understand the basics and its not advanced material either. That leaves us with intermediate which is ok but certainly makes it hard to recommend for knowledgeable programmers. The book is short, its got 58 or so scripts coming in at 170 pages but it would have been nice to have more. Its certainly not "too short" but more would have been nice. I would have liked to had more information on the specific rubygems used for different scripts. Links to where to the specific gem homepages to get further usage would have been nice as well.

View the detailed Table of Contents (PDF)

View the Index (PDF)

Sample Chapter: Chapter 1: "General Purpose Utilities"

Source Code: Source Code from the Book


Programming Book Review Criteria

I don't read too many programming books and I don't usually finish the programming books I do try to read. I ended up getting sidetracked trying out the code and never finish the books. I know excuses, excuses... I also didn't have a programming book review criteria like I do for regular tech books. Chances are a programming book isn't going to bring anything "brand new" to the community or explain a brand new concept; its about programming in whatever language. So the following is what I came up with. I reserve the right to change it for future programming book reviews. I couldn't think of a way an easy way to grant stars so I guess I'll just wing it for the time being.

Programming Book Review Criteria

working ideas:

-how was the book written? easy to understand?

-what level is the book written to? Beginner, intermediate, expert?

-code correct? are there mistakes? do the examples work in real life?

-can you download the source code? does it have a companion site?

-does it have more than 2 pages in a row of code? I hate that!

-if the code is more than a snippet, is it documented?

-if the book uses external libraries (like ruby gems) are links to those libraries included in the book or companion site.

-did it leave me with a memorable way to remember the material?

-how is the font for the text of the book? too small, hard to read, distracting?

Sunday, May 3, 2009

Gray Hat Python: Python Programming for Hackers and Reverse Engineers

Gray Hat Python: Python Programming for Hackers and Reverse Engineers (Paperback)
by Justin Seitz

Publisher Description

Python is fast becoming the programming language of choice for hackers, reverse engineers, and software testers because it's easy to write quickly, and it has the low-level support and libraries that make hackers happy. But until now, there has been no real manual on how to use Python for a variety of hacking tasks. You had to dig through forum posts and man pages, endlessly tweaking your own code to get everything working. Not anymore.

Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators. But author Justin Seitz goes beyond theory, showing you how to harness existing Python-based security tools - and how to build your own when the pre-built ones won't cut it.

My Take

I have to start off by saying that I've been looking forward to this book being published for months now. Since it initially popped up on the No Starch website I've been following it and nagging the publishers about it's release. I was fortunate enough to get a copy last Friday and I dove into it full force, even my final exam suffered because I was a little too focused on this book. I have mixed feelings about the book overall, there was definitely a few things I gained from it. On the other hand, there were many more things that could have been added. If you are new to Reverse Engineering then you will most likely obtain a leap of knowledge from the book. Packed with code examples on various open source tools and concepts to create your own, you'll be waste deep in python for a while. If you've been around for the last few years and have already checked out many of the open source tools discussed in the book you may only get a few things out of it. I don't understand CG's rating system so I'm not going to give you a star formula, or even a numeric rating.

Justin does a great job elaborating through the the code examples used throughout the book. The sheer scope of this book makes it difficult to cover everything but Justin definitely attempts to give you a taste for the more common scenarios you may find yourself in. Below I highlight a few chapters that I found interesting and useful. Overall the entire book is useful but a large portion covers open source tools that have a plethora of documentation and examples in existence.

Chapter 3 is just downright awesome. This chapter walks you through creating your own python based debugger that is similar to pydbg. Between the concepts and actual implementation you obtain a solid understanding of what is going on in a Windows based debugger.

Chapter 6 goes over Hooking in 5 pages. This topic could easily fill a few chapters by itself but Justin sums everything up quite nicely with plenty of examples.

Chapter 7 discusses DLL and Code injection which was a pretty interesting topic. The chapter even gets a little "Evil" by showing you how to hide files on a filesystem using python. It goes one step deeper into evilness by demonstrating how to code a back door into files.

Chapter 8 goes into fuzzing concepts and the demonstration is very practical for anyone doing exploitation. Justin shows us how to create a file format fuzzer which I thought was pretty slick.

The last chapter I found pretty interesting was chapter 10 titled "Fuzzing Windows Drivers." This chapter outlines methods of identifying Device names and IOCTL codes using Immunity Debugger. It continues to show examples of an IOCTL Fuzzer that can be used in conjunction with the rest of the scripts outlined in the chapter. Definately some cool stuff. Personally, I'm not quite up to a Drive level fuzzing level but I still found the knowledge very useful and was able to translate some of the immunity scripts into IDAPython scripts for static analysis to find the device names and IOCTL Codes.

The Cons

The entire book was based off Dynamic analysis. This is great for those out there doing RE through execution, but it really sucks for people like me who only does dynamic analysis 10% of the time.

The entire book is windows specific. Yes, most RE work is done on windows, for windows binaries. However, there are closed source applications and even embedded stuff that is Linux based. Would have definitely been useful to have some examples for these types of cases.

At times I found the book drifting into the direction of exploitation. Granted, RE and exploitation go hand in hand but I feel those of us who perform RE for the purpose of compatibility, protocol analysis, and other crap were left out a bit.

The chapter on debugger design did not have all that much to say about designing a debugger. In fact, it was probably more inline with a quick introduction to x86 architecture, specifically registers and stacks. It was not until chapter 3 that you really understand the elements involved.

Overall, I equate this book to Hacking the art of exploitation first edition but for Reverse Engineering. The book is packed with useful information for both the novice to the professional but I hope a second edition comes out with more information, that covers both static and dynamic analysis.

E. Hulse

Geek Mafia Pseudo Book Review

So not a real book review because its not a tech book, but certainly a recommendation to grab a copy of Geek Mafia (PM Fiction) and read it if you read (and I may be kicked out of the "club" for this) non-technical books at all.

Geek Mafia has a good mix of tech, sex, geek, and adventure to make it a good read. I've ordered the second one (Geek Mafia: Mile Zero (PM Fiction) and I'm ordering the third one (Geek Mafia: Black Hat Blues (PM Fiction) as soon its available.


Chained Exploits: Advanced Hacking Attacks from Start to Finish Book Review

Witty (Hopefully) Amazon Title: Nothing New to People in the Security Community

Chained Exploits: Advanced Hacking Attacks from Start to Finish

by Andrew Whitaker, Keatron Evans, Jack B. Voth

3 stars

From the Description:

"Nowadays, it’s rare for malicious hackers to rely on just one exploit or tool; instead, they use “chained” exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don’t cover them at all. Now there’s a book that brings together start-to-finish information about today’s most widespread chained exploits–both how to perform them and how to prevent them.

Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today’s most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering."

It took me awhile to decide on a star rating for this book. It had lots of very good pro's and to me several significant cons. So the pro's: I couldn't think of another book that approaches the problem from the "chained exploit" perspective meaning one exploit doesn't give you the keys to the kingdom or your final end state. Now, for the last 10 years we've had the Hacking Exposed Methodology which essentially tells us "how to chain exploits together" but doesn't actually walk you through the process during a chapter of a book or share the process in the "story" format that Chained Exploits does. The Hacker's Challenge series of books is similar but the Chained Exploits book gives you a bit more technical detail (code snippits, metasploit output, etc) than the Hacker's Challenge books. The countermeasures in Chained Exploits are also valuable and usable which is refreshing because they usually seem like an afterthought and less of a major piece of other books.

OK so the cons:

So the "chained exploit" approach is valuable from a teaching point of view but anybody that pentests for a living has been doing this for awhile now, its just part of "the process." Its certainly not new to the security community but maybe new to print. You could also argue that chaining reconnaissance with the sending of our phishing email really isn't "chaining" anything, again its our process of attack or methodology. Our attacker phoenix, for being such an evil black hat, makes some gross errors that go unmentioned in the book. One of the biggest errors was testing code on his home system that actually sends traffic to the later victim. A halfway decent admin with some Law Enforcement help will trace that activity right back to the source...his apartment. That leads me into my final con about the book. The book, while technically correct and well written, was not overly technical or employing many new techniques. I felt like most of the attacks mentioned in the book were pretty old and had been discussed in a lot of other places. I would have liked to have seen much more technical attacks carried out. There was no mention of semi-advanced techniques like IDS evasion, AV evasion and detection, or stealthiness. We don't live in a day and age anymore where i can push netcat to most Windows systems and not expect AV to catch it or IDS to signal on the traffic. The authors were certainly capable of more advanced technical content but did not deliver.

Detailed info here: