K so I lied (JUL 19, 2011)

I thought I'd have time to work on setting up a new site, but I just don't. And it's only the summer. This next semester/year is going to be god damn ridiculous for me :(

Someday I suppose ;)


Blog down for the next few days (Jun 29, 2011)

So I'm getting really sick of editing HTML by hand. It's sloppy and there are much better ways to do it, so I'm going to be bringing this site back to a wordpress install, and hopefully I can find something decent to set up a tools section with. Sorry for the inconvenience, and I'll try to restore any files that were here before (all my funny little JS snippets and pictures for XSSing fools :-P).

I'm also not a web-dev, so this site looks crappy at best :-/, time to change that!


So much to do, so little time. [sorry for the long post!] (Mar 31, 2011)

Life has been busy. Like really busy. Grinding my teeth busy, but that's what happens when a college student focuses more on seeking the knowledge he wants (and enjoys) and mostly ignores the knowledge of no use to him. Our world is getting smaller, and culture is working towards the way of the niche, which is in almost complete contradiction to the current education system. Ever since the beginning of my schooling, I've been forced into a distributed spread of knowledge, which was alright until I was in my final year of high school, when my security interest really peaked.

Now that I am in college, and the more years I've been here, the more I realize how much of a waste of time, money, and effort it is. I feel like I need to make it clear that no matter what, I AM getting my degree, as one simply can't survive in this market without it. This doesn't change the fact that in the past 2 years I haven't learned a single thing that I hadn't already taught myself. Literally.

I'm passionate about the things I do, admittedly almost to the point of mania, but that's the mark of a true passion. When I'm working on something (especially in the security realm) nothing else in the world exists, and the rush of discovering an exploitable bug after spending hours digging through stuff as you're trying to learn about it...well, it's better than any other experience I've had. I can't explain it, but the feeling I get while blasting punk/ska into my skull while breaking stuffs is a feeling I will never get tired of. It's this feeling, along with the pride of knowing I have a unique set of skills that no-one can ever take away from me, that is why I do what I do. Why I stay up until 6:00AM when something holds my attention. Why I'm a 'terrible student'. I made my decision, admittedly perhaps not the best one, but by ignoring my classes and focusing on specialization, I am giving myself knowledge relevant to my future that my classes /never/ would have taught me. I'm doing actual vulnerability research now, which my classes in no way, shape, or form prepared me for (sans my Cisco networking classes).

Colleges claim that the classes that are irrelevant to what specialization you're seeking are simply 'teaching you how to learn'. I call BS on that. A lot. As with any free market, if not properly regulated it can become a monopoly within itself where people can manipulate it for the interest of the money. It's very unfortunate, but it does happen. There are so many fluff classes (such as Microsoft Administration 1 AND 2) where a few hours' worth of googling could have covered the whole semester; it's disgusting. Why is it mandatory for me to progress through calculus? I am absolutely terrible at it, but I'm good at other things. My future employers aren't going to care whether I can solve an integral; they care about the knowledge I have that's relevant to what I'm going to be doing. That is just my perspective on it though, and I guess I'm just jaded after working for Michigan Tech and having them teach me more than 10 years of schooling could, working on real systems and designing real solutions. That sort of thing is 100% invaluable, and you can't replicate that in a classroom.

I've been crazy busy at work, constantly expanding my knowledge base in any way I can. I dove into Javascript, and immediately dove head-first into writing a self-propagating worm coupling XSS and CSRF into a deadly, deadly combo. Twice. For two different platforms. The more I used it, the more I realized that I already /knew/ it. There were a huge amount of things (loop structures, minimization of the problem) that transferred over from writing thousands of lines of bash, and hundreds of lines of python. These two things allowed me to join everything and translate it to an object-oriented language like Javascript, and it happened FAST. It took me a month for each worm, but after I was done, I had a fully autonomous system which not only stole a user's cookie, but all their personal information, checked for already-infected people, propagated to /everyone/ by the 2nd infected person, social engineered a phishing page, and opened a malicious java applet from SET that opens a multi-platform reverse shell. They said make it dangerous, and I wanted to see just how dangerous I could get it. Needless to say, we're having second thoughts on paying massive licensing fees for something that I can drive a Mack truck through.

Another thing I've been working on lately is my battery-operated Jasager, which is an OpenWRT-based fonera router. It opens a whole new world of penetration testing, allowing me to become the man in the middle when I please. It does a number of things, including responding to wireless probes from laptops or smartphones, and throwing up an AP so they associate. I modified it further by soldering a 'party button' onto the reset button on the bottom, and re-writing the configuration to run a script I wrote to systematically scan for and deauth every base station and client above a specific threshold (if the station/client is too far away it times out) within the area. This forces the clients to think the station has gone away and send out probe requests, to which, of course, my router responds. The idea of a rogue AP is nothing new, but I haven't seen anyone ever use this specific 'smash and grab' technique before.



As soon as the client authenticates they're immediately passed through the wired port into my laptop's ethernet port, which is bridged into a VMWare network with a routing VM which also acts as a MITM platform (yay ubuntu!), passing internet back in from my wireless card. This allows me to run /anything/ that I want, from modifying their DNS traffic, injecting a BeEF hook into any page they request, snarfing session cookies, or anything else you can do as a man in the middle.

An idea I have for future development is to have an independent 'steal mode', which carries out this 'smash and grab' technique, then as soon as the user requests a web page, feeds them a page with hundreds of iframes pointing to facebook, twitter, etc. Since I'm the man in the middle, the user will send their session cookie through me, allowing me to snarf & store it. It won't actually point to anything, as there will be no internet connected to the jasager, but the cookie request will be sent nonetheless. Immediately after the frames are done gathering cookies, I'll simply kick the user off & blacklist their MAC, forcing them to re-authenticate to their regular station, leaving the user none the wiser (besides a static error page with the iframes). I have a feeling that this attack would be amazingly successful in a crowded area like an airport or office building, and be near-impossible to detect by searching, as the entire package is quite small. Scary stuff, but the best way to get people working on remediating issues like this is by creating something dangerous and FORCING them to do it. Sad, but true :-/.

Finally I've finished my ICMP-based knocking daemon. I have had problems with the implementation of all the other knocking daemons, because for each of them you need to have a 'knocking client'. Some clients even have cryptographic support, which in my eyes is approaching the problem in a very backwards way, and demonstrates a bit of a misunderstanding about layered security. The only thing I have my knocking daemon unblocking is port 22, which has another form of authentication to access my computer. A knocking daemon that needs all these libraries just to connect implies that the knock would then be the only strong form of authentication, which is NOT the way it should be. My computer operates in an environment that should be considered hostile, a public campus network. We /constantly/ have millions of SSH brute-forcing connections coming in on any given day, so if they need to do something extra before my computer will talk to them, the worst case scenario is they hit my bigger, stronger layer of security.

Yes, it can be sniffed/replayed, but the only thing that will accomplish is bringing my security level down to a still very acceptable level. I've also built in counter-measures in case this DOES happen, using the google-voice python module. Whenever someone knocks my firewall open, it immediately alerts me via text message, and I've built in limited command functionality to do a couple of things if I text back. If I send it a #block hashtag, it kills all connections to the IP that knocked it open, and black-lists them from talking to me at all. If I send #configuration, it dumps my iptables configuration and emails it to me, so I can read it on my phone, no matter where I am. All in all I'm very satisfied with how well this works, as it adds 2-factor authentication to my SSHd which can be unlocked from *any* networking stack, *won't* be triggered by any scans of any form, and allows me to quickly detect any abuse; if abuse does happen, I just change the packet length it operates on. Too many of our security systems ::cough cough:: SSH ::cough cough:: are perfectly alright with failures (even into the millions), which to me is too much leniency with a potentially hostile client, especially on a hostile network! I'm not happy with the state of the code-base though, as I'm still trying to figure out weird bugs (after it's been running for a month or so, it freaks out and seizes), so for version 2 I'm just going to re-implement it in python, then it'll be more stable, and more easily daemonized :).
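The knock-matching and text-reply logic of such a daemon, as an added Python sketch that is not the author's code or the version 2 he mentions: KNOCK_LENGTH, the iptables/conntrack commands and the packet builder are assumptions for this example, and the raw-socket receive loop and Google Voice alert are left out so it runs offline.

```python
import socket
import struct
# Constructed values for this example: the knock is an ICMP echo request whose IPv4
# total length equals KNOCK_LENGTH; the post notes the real length is changed on abuse.
KNOCK_LENGTH = 1337
SSH_PORT = 22

def parse_icmp_echo(packet):
    """Return (src_ip, ip_total_length) for an IPv4 ICMP echo request, else None."""
    if len(packet) < 28:                          # 20-byte IP header + 8-byte ICMP header
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or len(packet) < ihl + 8:   # IP protocol 1 = ICMP
        return None
    if packet[ihl] != 8:                          # ICMP type 8 = echo request
        return None
    return socket.inet_ntoa(packet[12:16]), total_len

def is_knock(packet):
    """Return the knocker's IP if the packet is a valid knock, else None."""
    parsed = parse_icmp_echo(packet)
    if parsed and parsed[1] == KNOCK_LENGTH:
        return parsed[0]
    return None

def open_rules(src_ip):
    """iptables command opening SSH for the knocker only; sshd still does the real auth."""
    return [["iptables", "-I", "INPUT", "-s", src_ip, "-p", "tcp",
             "--dport", str(SSH_PORT), "-j", "ACCEPT"]]

def handle_sms(reply, src_ip):
    """Map the text-message replies from the post onto firewall actions (assumed commands)."""
    cmd = reply.strip().lower()
    if cmd == "#block":       # drop the knocker and flush its tracked connections
        return [["iptables", "-I", "INPUT", "-s", src_ip, "-j", "DROP"],
                ["conntrack", "-D", "-s", src_ip]]
    if cmd == "#configuration":
        return [["iptables-save"]]
    return []

def build_echo(src_ip, total_len):
    """Construct a minimal IPv4+ICMP echo request for offline testing (not captured traffic)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         socket.inet_aton(src_ip), socket.inet_aton("192.0.2.1"))
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + b"\x00" * (total_len - 28)
# The real daemon would feed packets from a raw ICMP socket into is_knock() and act on hits.
```

Because the knock is a fixed, unauthenticated packet length, anyone who can sniff it can replay it, which is exactly why the post keeps sshd's own authentication behind it and alerts on every knock.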

Here it is running in debug mode, it usually runs as a daemon.




And the lulz were had by many (Dec 10, 2010)

So a while ago I gave a demonstration about XSS for PSG (The Progressive Security Group) - a student org that focuses on security in most (if not all) its forms. I was looking for a simple demo to show how XSS worked, and how it could be used to modify pages with your own content, as well as steal cookies with a cookie catcher.

I found an XSS bug posted to xssed.com on the topgear site. I modified it into a rick-roll for the presentation, but even with all the traffic hitting their site probably dripping with malicious script tags, they /still/ aren't checking their logs. Just goes to show you that logging is USELESS unless you actually check the logs.
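What "actually checking the logs" could look like for the script-tag traffic described above, as an added example that is not part of the original post: the access log lines are constructed for this example, and the indicator patterns are a deliberately small assumed set, with repeated URL-decoding so double-encoded payloads are not missed.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2010:14:02:11 +0000] "GET /search?q=stig HTTP/1.1" 200 5120
203.0.113.9 - - [10/Dec/2010:14:02:15 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5130
203.0.113.9 - - [10/Dec/2010:14:02:20 +0000] "GET /search?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 5130
198.51.100.7 - - [10/Dec/2010:14:03:01 +0000] "GET /episodes/5 HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumed indicators of script injection; a real deployment would tune and extend these.
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_attempts(log_text):
    """Return (ip, decoded_path) for every request whose decoded URL matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip lines that are not well-formed requests
        path = decode_fully(m.group("path"))
        if XSS_RE.search(path):
            hits.append((m.group("ip"), path))
    return hits

if __name__ == "__main__":
    for ip, path in find_xss_attempts(SAMPLE_LOG):
        print(f"possible XSS probe from {ip}: {path}")
```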

I've also got a few projects that I've finished since my hosting got all kinds of borked (thanks fatcow), so I'll hopefully be putting them up this weekend at some point, but I'm not making any promises :-P. Stupid finals week :(.

:-D

Been passing this out for about a month now


New Site (Oct 30, 2010)

Ohai.



If you've been here before you'll notice that things are a bit different. I tried and tried to get a blog going, but it just didn't work. I'm not a writer, I tried, and I didn't like it. I love teaching people, but I just don't have the time nor the motivation to do the wordpress thing anymore.

This is now my tool/resume/hacking space for demos of tools I've created - no pressure to update, and it does everything that I had in mind when I started this site. I think this'll work out better :)



A good place to start would be My Tools