A change

Let’s face it. This blog is not very useful, and I am also quite fed up with writing things only for myself. Plus, I kind of dislike the way WordPress handles images and other similar types of content. I believe I will switch shortly to another CMS. Especially when it comes to writing technical things, WP hits its constraints…

I am also busy with other problems nowadays, such as finding a stable job and taking some steps forward in my life, so, at the end of the day, this website doesn’t represent me any longer.

I surely won’t trash all the contents: I am planning to move ‘em to my next website; here I will only speak about the ULTIMATE hacking technique… But let’s give time to time!!!

As I said, lately I’ve had issues with my job: in April 2009 I made a terrible mistake - leaving DHL for a small Dutch company working in the IT security field. I have regretted this choice for a long time, as I was literally fired after a few months because of exogenous factors; I would say tons of things regarding this issue, but I signed a contract that prevents me from doing so. Anyway, I managed to find another small Dutch company that offered me a temporary contract, and with them I had the chance to do very interesting things.

Anyway, I realized how hard the Dutch labour market is. With a euphemism, we can describe it as “very competitive and self-protectionist”. My words for it would be way harsher, indeed, but they wouldn’t help much in solving the situation. I see my current situation as follows: either I decide it’s time to be depressed once more, and leave things to their flow, or I look for some strategy to get out of this cul-de-sac. I’d rather go for the second one…

Experiences with BURP, 1

The BURP suite is probably one of the most efficient tools for web application penetration testing. In this small article, I just want to introduce the tool. Future articles will put more emphasis on how the suite can be used to analyze the responses of a web application.

The overall idea

The idea behind the BURP suite is very simple: it works as a proxy server, intercepting the requests sent by your browser to the remote server. This simple idea is very powerful. BURP intercepts every request that your interaction with the browser tries to send to the remote server, and its interface allows you to edit each request before forwarding it to the remote host. With this technique, it’s possible to perform, amongst other attacks, SQL injection, ASCII injection and Cross Site Scripting (XSS). The idea behind BURP is the Man in the Middle attack, with the only difference that two parties of the attack (the client and the MitM) are the same person.

Some bureaucracy

BURP can be downloaded from http://www.portswigger.net/suite/download.html.

BURP is a Java package. To date, it runs on Linux and Windows. Very likely it can run on any Java-capable system, so I think that, for instance, a MacOS machine can run it. I’ll test that soon.

BURP is distributed as a zipped file. To date, the most recent version is 1.3. I am running it on a Linux box, so I’ll just uncompress it into my /home/$USER/downloads folder, obtaining the following:

gbiondo@Gaia:~/downloads/burpsuite_v1.3$ ls -al
total 2764
drwxr-xr-x  2 gbiondo gbiondo    4096 2010-01-07 14:32 .
drwxr-xr-x 11 gbiondo gbiondo    4096 2010-02-25 07:08 ..
-rw-r--r--  1 gbiondo gbiondo 2801791 2010-01-07 14:31 burpsuite_v1.3.jar
-rw-r--r--  1 gbiondo gbiondo    1673 2010-01-07 14:36 readme - running burp.txt
-rw-r--r--  1 gbiondo gbiondo      37 2010-01-07 14:37 suite.bat
-rw-r--r--  1 gbiondo gbiondo    1301 2010-01-07 14:36 terms and conditions.txt

The structure of the directory is also pretty straightforward. There’s the .jar package, which is actually the application; a couple of readme files; a batch file to run it under Windows (how come people think that Windows users cannot use a shell???) and that’s pretty much it.

To run BURP, you launch the following command, from a shell:

gbiondo@Gaia:~/downloads/burpsuite_v1.3$ java -jar burpsuite_v1.3.jar

Clearly, you will want to set up your browser to use port 8080 as its proxy (BURP listens on 8080/TCP). We are using BURP in combination with Google Chrome for Linux, but any browser will do. You can find out how to configure your browser in its documentation.

Here you are. You are ready to work with BURP. In the next article, we’ll show the very first steps with the suite.

Linked down

I was thinking lately about the functionality of the so-called ’social networks’ - it’s obviously true that the impressive amount of information you leave on a profile could allow for identity theft. I kind of shielded myself within Facebook: lots of the pieces of information I post over there are fake - from the name onwards.

With LinkedIn things are completely different, as you are about to post your own CV there, so lots of relevant, TRUE pieces of information are disclosed. Plus, LinkedIn also stores another type of information: your network. Lots of people knowing you, lots of people with whom you are potentially connected, and who could be a source of business. Now, despite the fact that LinkedIn only brought me troubles (well - I was introduced to a company that caused me 8 months of trouble, and they haven’t stopped yet - and that happened via LinkedIn…), in theory this tool should allow you to have a business network.

Now, in these last months, I have been involved in an intensive security audit, which also encompassed some scans for former employees and contractors. LinkedIn has been a precious resource for me - and for my customers as well.

Anyway, the real threat is not being scanned like that. Lately I was presented with this scenario: a friend of mine was having trouble with a crazy cyberstalker - or call it whatever. This person threatened to ruin my friend’s reputation with his contacts and networks. The first question my friend asked me was to what extent this could be possible.

The size of the problem is a function of how you manage your contacts. In theory, you should have only people who know you well as first-degree contacts, so this shouldn’t be a real problem. This is obviously not true. I am linked with tons of people I barely know: recruiters I met once, or just people I’ve met at an expo or randomly, to name a few examples. So this scenario is not very unlikely. The scenario becomes apocalyptic when you start thinking of Nth-degree contacts (i.e. contacts of your contacts, and so on). You can safely assume they don’t really know you, otherwise they’d be your contacts as well.

How do you protect yourself from attacks through these people? In general, one hopes that (business) people are not influenced by rumors - and no hope can be more wrong: at the end of the day, isn’t the labour market nowadays mainly based on networking? Don’t even think people are not influenced - it’s not true. In theory, the law should protect you…. maybe in a civilized country! And I haven’t been in any, to date. Plus, proving this kind of offence is a nightmare, at best.

Countermeasures may be:

  • not using LinkedIn - but why should you limit your freedom?
  • having LinkedIn changed - like not showing anyone else your 1st-degree connections, or how many degrees stand between two generic users. This could be the real solution, but it’s not practicable, as it doesn’t depend on the user and the site would hardly change such a feature - plus they are not really interested in customers’ privacy.
  • creating fake identities - but this would just vanquish LinkedIn’s usefulness
  • trusting people …ehm… no. It brings very bad luck.
  • creating a greater threat. Like, if someone tries to ruin your reputation, you do even worse to him/her. Unfortunately, this solution is based on two strong assumptions (besides being unethical):
    • he/she has a reputation
    • you spot who’s bothering you.

While thinking of a proper strategy, I’ll just start cutting off my dead contacts…

i love rpms…

[image: notiprego.png]

network testing with nmap

I have been involved in a penetration test lately. I find this kind of activity very creative and fun, although it’s everything but easy.

Whenever I do such a thing, I have the following impressions:

  • I am practicing an exorcism - I don’t know what the next thing I’ll find really is. I don’t know how the assets (which are - by all means - my ‘enemies’ in this context) will answer
  • I always feel like I am learning new tools, technologies and tricks
  • I always find a terrible problem: presenting the results. I mean - it means going to someone and telling him “hey, these are your dork-ities”. Unfortunately, you have to say that to whoever is paying you!

This time I learned how to use a powerful mix of tools:

  • nmap
  • amap
  • xsltproc

Together they help in doing all the basic pentest things, i.e. port scanning and banner grabbing, in a very elegant way.

First thing: nmap-ping the host. In this example, we’ll work with a host in my internal network, whose IP is 192.168.2.100. First, we would like to understand which ports are open on this host. As anticipated, nmap is the solution, running a command such as:

nmap -T Insane  -vvv  -p0-65335 -PB -sS -oA TCP-nmap-full \
-PN -n 192.168.2.100  --packet-trace

Just to translate:

  • -T Insane: I am not trying to evade an Intrusion Detection/Prevention System, nor do I care about the load on my network, so I can run this probe at a fast pace without worries.
  • -vvv: verbosity level. Very, very verbose :)
  • -p0-65335: the range of ports to scan (note that TCP port numbers go up to 65535, so this range stops a couple of hundred ports short).
  • -sS: TCP SYN scan. The most basic kind; we don’t need much more.
  • -PN: skips host discovery, i.e. no ping before scanning, as I know the host is up and running.
  • --packet-trace: not functional for the probe - it just lets you see what happens by displaying the packet flow.
  • -oA: lets us define the base filename for the output in all formats. We are going to use the .xml for our purposes.
  • -n: prevents nmap from doing DNS resolution.

After a few seconds, nmap gives us back this output:

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 93.994 seconds
Raw packets sent: 65336 (2.875MB) | Rcvd: 130675 (5.488MB)

This is not what we are aiming for yet; nonetheless, it shows that one packet was sent per port.

The interesting part of the output, on the other hand, was:

PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Now we know which TCP ports are open on this machine. It’s not over yet: we want the same report for the UDP protocol. We already gave the idea above of how to build nmap commands, so we’ll leave the exercise to the reader.

Another aspect worth exploring is system/service discovery. We’ll do it with nmap once again:

nmap -T Insane  -sV -vvv  -p80-445 -O --packet-trace -oA \
OSServs -PN 192.168.2.100

(here, with -O I just specified that I wanted to know about the operating system, and with -sV, to probe the services’ versions).

The output of these commands is not only on my terminal, as I dumped everything to files:

gbiondo@Gaia:~/gbiondo.org$ ls
OSServs.gnmap  report-nmap-full.gnmap  UDP-nmap-full.gnmap
OSServs.nmap   report-nmap-full.nmap   UDP-nmap-full.nmap
OSServs.xml    report-nmap-full.xml    UDP-nmap-full.xml

We are going to use the .xml files and convert them into nifty HTML pages. I found some useful hints here; in short, the XML output needs a proper stylesheet in order to be rendered as an HTML file. The link given above explains how to change the files; here we’ll just report the changes:

substitute

<?xml-stylesheet href="/usr/share/nmap/nmap.xsl" type="text/xsl"?>

with

<?xml-stylesheet href="http://nmap.org/data/nmap.xsl" type="text/xsl"?>

in all XML files.

A simple

xsltproc report-nmap-full.xml > report-nmap-full.html
xsltproc OSServs.xml > OSServs.html

will translate the original files into HTML, according to the stylesheet defined above. Keep in mind that stylesheets can be customized; thus, if you need to run this kind of network mapping often, or if you work in the IT security industry, you may want to customize the stylesheets with your company’s look and feel.
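As an added example (not part of the original article), here is a small Python script that makes the stylesheet substitution above programmatically and pulls the open ports out of the same XML, so they can be cross-checked against the rendered HTML report. The nmap XML inside it is a constructed sample modelled on the scan above.

```python
"""Post-process nmap -oA XML output: point the xml-stylesheet PI at the
public nmap.xsl (the edit the article makes by hand) and list the open
ports so they can be checked against the rendered report.
Added example, not part of the original article."""
import re
import xml.etree.ElementTree as ET

PUBLIC_XSL = "http://nmap.org/data/nmap.xsl"

# Constructed sample of what `nmap -oA` writes, trimmed to the relevant parts.
SAMPLE_XML = """<?xml version="1.0"?>
<?xml-stylesheet href="/usr/share/nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -sS -p0-65335 192.168.2.100">
<host><status state="up"/><address addr="192.168.2.100" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
</ports></host>
<runstats><finished elapsed="93.99"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Matches the processing instruction up to and including its href value.
STYLESHEET_PI = re.compile(r'<\?xml-stylesheet\s+href="[^"]*"')

def relink_stylesheet(xml_text, href=PUBLIC_XSL):
    """Replace the href of the xml-stylesheet processing instruction."""
    return STYLESHEET_PI.sub('<?xml-stylesheet href="%s"' % href, xml_text, count=1)

def open_ports(xml_text):
    """Return [(addr, proto, port, service)] for every open port in the scan."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not evidence of a service
            svc = port.find("service")
            found.append((addr, port.get("protocol"), int(port.get("portid")),
                          svc.get("name") if svc is not None else ""))
    return found

if __name__ == "__main__":
    fixed = relink_stylesheet(SAMPLE_XML)
    print(fixed.splitlines()[1])  # the rewritten stylesheet line
    for addr, proto, port, svc in open_ports(fixed):
        print("%s %d/%s %s" % (addr, port, proto, svc))
```

To apply it to real output, read each .xml file written by -oA, pass its text through relink_stylesheet and write it back before running xsltproc.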

Here’s a sample of the output:

[screenshot: nmap-screenshot.png]

I also promised some banner grabbing detail. I am going to use amap, a wonderful banner grabber from THC (The Hacker’s Choice). You can get more information here; this is a site I strongly suggest visiting.

We want to grab banners on 192.168.2.100, on TCP ports 80, 139 and 445. First, let’s update amap’s engine:

amap -W

Basically, this command connects to the THC body of knowledge and downloads the banner signatures, just like an antivirus does with virus signatures.

The most basic usage of amap is amap <target> <ports>. Let’s try it.

root@Gaia:/home/gbiondo/gbiondo.org# amap 192.168.2.100 80
amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:28:50 - MAPPING mode

Protocol on 192.168.2.100:80/tcp matches http
Protocol on 192.168.2.100:80/tcp matches http-apache-2
Protocol on 192.168.2.100:80/tcp matches webmin

Unidentified ports: none.
root@Gaia:/home/gbiondo/gbiondo.org# amap 192.168.2.100 139
amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:29:48 - MAPPING mode

Protocol on 192.168.2.100:139/tcp matches netbios-session

Unidentified ports: none.
root@Gaia:/home/gbiondo/gbiondo.org# amap 192.168.2.100 445
amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:30:01 - MAPPING mode

Protocol on 192.168.2.100:445/tcp matches netbios-session

Unidentified ports: none.

Now, amap works by sending triggers and analyzing the responses; this is the default mode (-A switch).

This is good for a pentester, but it doesn’t supply any evidence. A better result, in terms of evidence, can be achieved by issuing a pure banner grab (-B) or a hex dump (-d), with a command like:

amap -A -d -o output.amap 192.168.2.100 80

The output is very descriptive. Unfortunately, WordPress doesn’t allow me to upload a text file, so I’ll paste a sample of the output below:

amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:35:32 - MAPPING mode
Protocol on 192.168.2.100:80/tcp matches http
Identified response from 192.168.2.100:80/tcp (by trigger http):
0000:  4854 5450 2f31 2e31 2032 3030 204f 4b0d    [ HTTP/1.1 200 OK. ]
0010:  0a44 6174 653a 2053 756e 2c20 3331 204d    [ .Date: Sun, 31 M ]
0020:  6179 2032 3030 3920 3038 3a33 353a 3332    [ ay 2009 08:35:32 ]
0030:  2047 4d54 0d0a 5365 7276 6572 3a20 4170    [  GMT..Server: Ap ]
0040:  6163 6865 2f32 2e32 2e38 2028 5562 756e    [ ache/2.2.8 (Ubun ]
0050:  7475 2920 5048 502f 352e 322e 342d 3275    [ tu) PHP/5.2.4-2u ]
0060:  6275 6e74 7535 2e36 2077 6974 6820 5375    [ buntu5.6 with Su ]
0070:  686f 7369 6e2d 5061 7463 680d 0a4c 6173    [ hosin-Patch..Las ]
0080:  742d 4d6f 6469 6669 6564 3a20 5375 6e2c    [ t-Modified: Sun, ]
0090:  2032 3120 5365 7020 3230 3038 2030 393a    [  21 Sep 2008 09: ]
00a0:  3034 3a34 3920 474d 540d 0a45 5461 673a    [ 04:49 GMT..ETag: ]
00b0:  2022 3938 3964 632d 3264 2d34 3537 3634    [  "989dc-2d-45764 ]
00c0:  3361 3062 3265 3430 220d 0a41 6363 6570    [ 3a0b2e40"..Accep ]
00d0:  742d 5261 6e67 6573 3a20 6279 7465 730d    [ t-Ranges: bytes. ]
00e0:  0a43 6f6e 7465 6e74 2d4c 656e 6774 683a    [ .Content-Length: ]
00f0:  2034 350d 0a43 6f6e 6e65 6374 696f 6e3a    [  45..Connection: ]
0100:  2063 6c6f 7365 0d0a 436f 6e74 656e 742d    [  close..Content- ]
0110:  5479 7065 3a20 7465 7874 2f68 746d 6c0d    [ Type: text/html. ]
0120:  0a0d 0a3c 6874 6d6c 3e3c 626f 6479 3e3c    [ ...<html><body>< ]
0130:  6831 3e49 7420 776f 726b 7321 3c2f 6831    [ h1>It works!</h1 ]
0140:  3e3c 2f62 6f64 793e 3c2f 6874 6d6c 3e0a    [ ></body></html>. ]
Protocol on 192.168.2.100:80/tcp matches http-apache-2

Good job, isn’t it? It’s the Apache default page (which tells me my machine was very poorly configured, but let that pass).
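As an added example that is not part of the original post, the following Python script reassembles the hex columns of an amap -d dump back into bytes and extracts the status line and headers (the Server header being the evidence a report wants) from the identified response, ignoring the bracketed ASCII column and discarding the trailing line that the dump cuts off. The dump embedded in it is the beginning of the output shown above.

```python
"""Reassemble an amap -d hex dump into bytes and extract the status line and
headers of the identified HTTP response for the report.
Added example, not part of the original article."""
import re

# "Identified response from 192.168.2.100:80/tcp (by trigger http):"
RESPONSE = re.compile(r"^Identified response from (\S+) \(by trigger (\w+)\):")
# "0000:  4854 5450 ... 4b0d    [ HTTP/1.1 200 OK. ]" -> offset, hex columns
HEXLINE = re.compile(r"^([0-9a-f]{4}):\s+([0-9a-f ]+?)\s+\[")

# Constructed sample: the first lines of the amap -d output shown above.
SAMPLE_DUMP = """\
amap v5.2 (www.thc.org/thc-amap) started at 2009-05-31 10:35:32 - MAPPING mode
Protocol on 192.168.2.100:80/tcp matches http
Identified response from 192.168.2.100:80/tcp (by trigger http):
0000:  4854 5450 2f31 2e31 2032 3030 204f 4b0d    [ HTTP/1.1 200 OK. ]
0010:  0a44 6174 653a 2053 756e 2c20 3331 204d    [ .Date: Sun, 31 M ]
0020:  6179 2032 3030 3920 3038 3a33 353a 3332    [ ay 2009 08:35:32 ]
0030:  2047 4d54 0d0a 5365 7276 6572 3a20 4170    [  GMT..Server: Ap ]
0040:  6163 6865 2f32 2e32 2e38 2028 5562 756e    [ ache/2.2.8 (Ubun ]
0050:  7475 2920 5048 502f 352e 322e 342d 3275    [ tu) PHP/5.2.4-2u ]
0060:  6275 6e74 7535 2e36 2077 6974 6820 5375    [ buntu5.6 with Su ]
0070:  686f 7369 6e2d 5061 7463 680d 0a4c 6173    [ hosin-Patch..Las ]
Protocol on 192.168.2.100:80/tcp matches http-apache-2
"""

def parse_dump(text):
    """Return {"host:port/proto": bytes}, decoded from the hex columns only;
    the bracketed ASCII column shows dots for non-printables, so it is not
    authoritative."""
    responses, current = {}, None
    for line in text.splitlines():
        m = RESPONSE.match(line)
        if m:
            current = m.group(1)
            responses.setdefault(current, bytearray())
            continue
        m = HEXLINE.match(line)
        if m and current is not None:
            responses[current] += bytes.fromhex(m.group(2).replace(" ", ""))
    return {target: bytes(buf) for target, buf in responses.items()}

def http_evidence(raw):
    """Split a (possibly truncated) HTTP response into its status line and a
    header dict. A trailing partial line, cut off by the dump, is dropped."""
    lines = raw.split(b"\r\n")
    if not raw.endswith(b"\r\n"):
        lines = lines[:-1]
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if line == b"":
            break  # blank line ends the header block
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip()] = value.strip()
    return status, headers

if __name__ == "__main__":
    for target, raw in parse_dump(SAMPLE_DUMP).items():
        status, headers = http_evidence(raw)
        print(target, status, headers.get("Server"))
```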

Finally: these tools are very flexible and lend themselves to scripting. Here I gave only the basics; should you want to discuss some aspect, feel free to drop a comment below.

How to survive FB

From a friend’s note:

If you’re a person who likes to control what’s on their network, get Adblock Plus (FOSS) for your browser and use the following filters as a minimum precaution:

http*://static.ak.fbcdn.net/rsrc.php/*/*/*/*/*/css/feed/socialads.css
http*://static.ak.fbcdn.net/images/icons/ads*
http*://www.facebook.com/ac.php?i=*
http*://www.facebook.com/swf/SoundPlayer.swf
http*://creative.ak.facebook.com/ads*/*
http*://static.ak.fbcdn.net/images/ads_feedback/*
http*://*.channel26.facebook.com/*
http*://www.facebook.com/ads/*
http*://ads.*.facebook.com/*

Facebook loves to generate network traffic as well. If you have Firefox, type about:config in the address bar and change/add the following:

accessibility.blockautorefresh true
noscript.forbidMetaRefresh true

eat your own dog food

I never thought I needed to apply all the skills I have built these years in IT forensics for a real case in which I was involved, but…

… but so it seems. To keep things very short, I am the victim of a stalker, a former girlfriend who has been ruining my life since 2006. Let me say fuckin’ hell, and excuse my French.

I never wanted to report anyone, but this thing somehow went too far - this person is constantly calling and threatening, invading my privacy, calling me over three hundred times in a night, eavesdropping on my communications, invading my spaces - even my cyberspaces. Even stalking this website.

Now, fortunately this person left tons of proof and evidence, such as SMS, emails and so on. This evidence has to be gathered and classified (hmmpfff - what nasty stuff). I will report on these pages how I did the whole thing.

Till then… I’d say “take care” - but unfortunately, the only one who needs to take care is, without any doubt, myself.

Announcement

Next Sunday (2009-02-22), I am going to hold an open bootcamp course on:

  • wifi and wardriving
  • port scanning with nmap

If you’re interested, please, feel free to drop a comment and/or send me an email.

update

I am currently about to close a project within DHL/DGF that has involved me from the very beginning. Nothing too complex, but it’s a lot of fun and I am happy :) I have been working with one of the best project managers I have ever been in touch with.

I finished a review of the contents of a book on Capacity Planning for some ITIL committee. It was good fun. I will receive another version (for acceptance) somewhere between March and April. It’s an interesting thing - though I may not totally agree with the author, I should admit it is quite aligned with my style.

Travelling - all this travelling has really fulfilled me. I have met wonderful people from all over old Europe, and - you know what? - it feels nice to feel European. Hard to explain, but moving from a Latin culture to a Teutonic one, then meeting several people from everywhere, enriches you in the long run. I am happy I left Milan, and I am happy I met all the people I met. Even the jerks :)

Fate…

Now that I have resigned from DHL, I have been involved in a DHL Global project, as a security policy developer.

Instead of regretting leaving, I want to see it like this: I have had enough satisfaction in that role. Probably I have used all my skills, and I need to build more to reach new goals.

I should look back more often…