Thursday, January 15, 2015

thats it, folks

New hamfisted legislation making its way through Congress seems to have the infosec community concerned about its fundamental flagpole tenet of  'independent research' in the  name of security uber alles.
So from here on out, until this goes one way or the other i will refrain from posting about my research, and will stick to rants or other things, just to avoid trouble, and cuz who really gives a crap anyway.

Wednesday, July 02, 2014

mini-review, The Aquabats "Charge!"

The Aquabats Charge! represents a major sea change in the cartoony goofball horn driven So Cal ska bands sound.
Ditching the horns completely for this record had to be a challenge but the bats were up to it, as the record is a completely solid spin from beginning to end including references from several decades of hard rock, 50's 60's and 70's sci-fi and horror movie soundtracks.  Jabbing at Axl Rose post song outros, simultaneously competing with Devo with unforgettably catchy synth-pop guitar anthems on their own turf,
this disc will definitely be a mainstay in my tray for a long time. Vocals are inflected with Van Halen harmonies that Michael Anthony would be proud of himself. The record includes a beautiful rock ballad, 'Waterslides', on par with DefTones 'Cherry Waves', and as affecting as 'Every Rose Has Its Thorn' without the schmaltzy cheese sentiment. It leaves these ears with that feeling.  The song calls out awesome dub reggae vocal type breaks that make me want to fish out my old Black Uhuru stuff.  There are plenty of So Cal nuances as well from burritos to mexican candy, to the imagery described in the ultimately poignant 'Hot Summer Nights'.  Dont fret, the satire remains prolific, the humor intact, the weirdness still there, but does not overshadow the performance of the tightly written and loudly produced material.
Hats off to Ricky Falomir on drums, he had monster shoes to fill with replacing superfreak Travis Barker, Falomir does not fail here. Shoes filled.
The bass playing of "Crash" McLarsen locks in well with Falomir as well, no simple feat either. The criminally underrated guitarist Chainsaw, Prince of Karate, lines up a simply great palette of sounds, nodding to surf rock, sci-fi movies, Andy Summers of The Police and dozens of other throwbacks. The angular jabs in 'Mechanical Ape!' poke through my ears to the center of my brain, mocking me with a tone that I could never achieve.  Jimmy The Robot on keyboards does a great job of taking up the space left by the absence of horn arrangements.
Rarely do I personally invest so much time and personal due on a band or a particular single record, but if I had to, this would be in my top 10. Its one of the best straight-up rock records I have ever heard.

Tuesday, November 26, 2013

Auditing thousands of remote desktops

 

Recently inspired by the rash of  'internet surveys'(scanning entire portions of the 'net), I decided to do sort of the same but on a smaller scale. I hate being left out.
One of the Nova Hacker guys (Mubix maybe?) did an internet scan of port 3389 with zmap and reported the results. I have used zmap, and while it is a very intimidating utility, it typically hoses my network at home, even when throttling it way down. I decided to use something less lethal, so my kid could still use his xbox, while I sampled away.
Using 'masscan' instead of zmap, I decided to scan a rather random /8 for open remote desktops.
Throttling the packet rate down to something manageable, I then ran up against how to actually audit the desktops once found.
After discovering the first thousand out of the eventually discovered 5000 or so open desktop ports, I realized that some elegance was needed to manage all this data.
The most common way to view a remote desktop within linux or BSD variants is to use rdesktop.
Stacking the IP adresses into a flatfile, it was a simple matter to iterate through the desktops with a shell loop:
for IP in `cat port3389.list`
do
rdesktop $IP
done

But, this was still unseemly, for I would still have to view a thousand desktops manually.
Luckily, I remembered that X11 had the answer for me. Every time a new window spawns within X11, it is mapped with a title and a position within the root window. If I could easily extrapolate the newly spawned window name, I could simply query X for the window and capture a screenshot of it with the 'xwd' utility, and redisplay it with the 'xwud' utility. This required installation of X11-apps within the Kali Linux distro:
'apt-get install x11-apps'
 Now I could spawn a remote desktop, capture the image and view it later at my leisure:


for IP in `cat port3389.list`
do
rdesktop $IP; sleep 1;

xwd -out /tmp/dumps/$IP.desktop-display -name " rdesktop - $IP " && pkill rdesktop
done
The sleep 1 is to ensure the window has a chance to render completely before the cap takes place.

That script will drop thousands of caps in your dump directory, if you are lucky. So run it overnight unattended, if so inclined.
Now to view the caps, run another loop like so:
for cap in `ls /tmp/dumps`
do
xwud $cap
done


This will require intervention, namely your mouse. because xwud closes the displayed window after a detected mouseclick.

The next post will discuss my findings. Please note, I have not found a single truly open and unlocked desktop yet, which flies in the face of all the guys flapping their arms around and laughing at the open things they find, but some very interesting things have still been found though.
an additional note: don't do it.

 





Tuesday, November 19, 2013

new hobby:Scambaiting

Lately I have just gotten frustrated at the scammy emails I receive from various scammers. So I have taken to something very, very gray. Loading up a fake site backdoored with the Social Engineering Toolkit and baiting the scammers into visiting, but its a hard sell, with one scammer even telling me "i dont go to websites i dont know".
Each passing day sees a rework in my approach. still havent gotten any traction yet, but I had a random visit from a .gov.br site that had a rdp port open on an old 2003 box.

Friday, September 20, 2013

EC_DRBG backdoor simply proves audit feature

Recent revelations in the national security arena, namely Snowden drops and research into NIST recommended, NSA crafted random number generators finding potential backdoors, have caused the privacy folks to say “see? This is what we have been telling you!” But, I say let’s back up a second and consider the claims by government authorities who insist there is a process in place to prevent widespread abuse. I will attempt to present some information that helps prove this out, that there is an auditable process in place, regardless of how it may be sidestepped, which is another topic for another day.
First, some crypto background on the backdoor in question. Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator is an algorithm designed and published by the NSA, standardized by NIST in Special Publication 800-90.   After the publication, research was performed on the generator by Dan Shumow and Niels Ferguson, apparently crypto guys who are with Microsoft, who discovered that this dual_EC output could be influenced under certain circumstances, rendering such output suspect with regards to key generation, as once the key is determined, it follows that plaintext can be derived more easily than if output of the algorithm was truly and uniformly random.
Backdooring munitions and things is not new, recall stories of CIA intentionally skewing ingredients in The Anarchist Cookbook so that mixing up a kinetic cocktail could be problematic for the budding mixologist, and also recall stories of mass producing a hyper-flammable US flag that burns with an incredible intensity so as to maybe injure the igniting party, or start an unintentional collateral conflagration.
The pre-determined output distortion of dual_EC_DRBG can potentially be plotted and then with a master key, subsequently used to derive contents of the encrypted text and it is this salient point which serves as the basis for this write-up.
Possession of this master key when applied to the distorted output of this algorithm can be used to argue that it serves as part of an audit mechanism, where Snowden claims that the algorithm indeed contains a backdoor.  If the NSA can break all web encryption by emplacement of this particular backdoor, one can also potentially conclude that if NIST says they would not deliberately weaken a cryptographic standard, it is altogether possible that there could be a breakthrough that doesn’t weaken the algorithm, but allows usage of a master key that when applied to this distortion, can decrypt the text.
The audit point comes in when suspicious encrypted text makes its way from analyst to supervisor, and then weighted, and probably forwarded again up the chain, where eventually the master key guy plugs in the master key to reveal the text inside the comms.  So not everyone has the master key.
How then did Snowden abscond with all this data if there is an audit trail? That information is not relevant to this particular write-up, and likely not a part of this audit trail to begin with. These are separate instances of technical control.
So, by tying certain pieces together and looking at some technical details, and understanding the audit and accountability process, I feel it is highly likely that there is a break of this algorithm and that there is a mildly provable case that decryption is meant to be done responsibly.