MemoToSelf – DiabloHorn

Physical home security options

During one of those boring afternoons I noticed that most embassy buildings seem to have more or less the same amount of visible physical protection, this made me wonder what the available options are if you’d want to protect your own house. These are just some quick notes after searching around the internet on another boring afternoon, most of the options have an additional wide variety of configuration possibilities. So if you decide to implement any of the mentioned options, please do some research yourself, since these are just some starting points and you should choose the appropriate configuration yourself.

Keep in mind that (as far as I know) most options discussed here can be bypassed. Like with all security measures you should base the choices you make on a layered approach. The sum of all the protective measures should buy you enough time to detect a break in and react before any valuables are stolen. Feel free to leave additional measures in the comments or how to bypass the measures in this article. Do keep in mind that these measures will be a lot less effective if they decide to break in while you are at home, also these security measure are not aimed at preventing social engineering attacks. As usual I’ve got no clue what the rules in your country are, so read up on them before you implement some of the following options.

Oh and if you want an example of how physical security measures can by bypassed then you’ll probably enjoy this article. It’s about one of the biggest ($100 million) diamond heists in Belgium and how the attackers bypassed ten physical security measures: The Untold Story of the World’s Biggest Diamond Heist

Continue reading “Physical home security options”

[QP] Dumping the TrueCrypt second stage

I was under the impression that TrueCrypt installed a boot loader that was responsible for the pretty menu that you usually see when you boot. So to my surprise when I wanted to play around with it….it wasn’t. TrueCrypt actually uses a second stage to display that pretty menu. The traditional boot loader more or less just takes care of loading the second stage which sits compressed on the hard disk, if loading fails it will display some messages and that’s it. Since I still wanted to play around with it and preferably with the version actually sitting on my test machine’s hard disk I decided to dump it. The easiest way was to use Evil Maid, I modified the source slightly to prevent infection, it will still infect though if you omit a second argument :)

Here are the steps if you want to do it yourself:

Retrieve the first 64 sectors, for example with “FTK Imager” if you are under windows
Download the Evil Maid source
Apply this patch (patch <evilmaid.patch)
Run ./patch_tc <file_with_64_sectors> -f

This should look like this:

./patch_tc ~/Desktop/tc-full.dd -f
TrueCrypt EvilMaid patcher v0.1
---------------------------------
TrueCrypt Boot Loader detected
PatchTrueCrypt(): Compressed loader size: 11877 bytes
PatchTrueCrypt(): Saved checksum 0x267DAC67
PatchTrueCrypt(): Loader memory size: 0x7000 (28672) bytes
PatchTrueCrypt(): Decompressing the boot loader
PatchTrueCrypt(): Decompression successful

The local directory where the executable patch_tc resides should now contain two files “sectors_backup” and “loader” which is the uncompressed second stage as you can see from a simple strings output:

strings -n 15 loader 
No bootable partition found
 TrueCrypt Boot Loader 7.1
    Keyboard Controls:
    [Esc]  
Boot Non-Hidden System (Boot Manager)
Skip Authentication (Boot Manager)
[Esc]  Cancel
Enter password
 for hidden system:
Booting...
BIOS reserved too much memory: 
- Upgrade BIOS
- Use a different motherboard model/brand
Warning: Caps Lock is on.
Incorrect password.
If you are sure the password is correct, the key data may be damaged. Boot your
TrueCrypt Rescue Disk and select 'Repair Options' > 'Restore key data'.
Bootable Partitions:
, Partition: 
Press 1-9 to select partition: 
Your BIOS does not support large drives
 due to a bug
- Enable LBA in BIOS
Copying system to hidden volume. To abort, press Esc.
If aborted, copying will have to start from the beginning (if attempted again).
To fix bad sectors: 1) Terminate 2) Encrypt and decrypt sys partition 3) Retry
Remaining: 
Copying completed.
Memory corrupted

[QP] Stop video recording your command line, I want to grep it!

If this comes of as a rant, then yes it is! I understand that not everyone likes reading and that everyone has their own method to absorb information. That being said there are plenty of cases where videos are not always the best choice. Sometimes people just want to use your video as a reference or quickly look up a command. So just as a reminder I’d like to bring the following well known Linux commands to your attention:

script
- Records all your visible terminal input & output to a file as well as timing information if desired
scriptreplay
- Can replay the recorded input & output if the timing information is available

So you still keep the ‘I prefer watching someone do it experience’ BUT you also provide a way for people to just grep for information. Additionally you can also configure the replay speed to be crazy fast. If I remember correctly mubix linked to these scripts in the past. If you want a clear walk-through do READ the following site:

http://linux.byexamples.com/archives/279/record-the-terminal-session-and-replay-later/

Quick tiny python web proxy

Python just keeps amazing me, the following code is all you need to have a proxy up and running in like 10 seconds

from flask import Flask
from flask import request

import requests

app = Flask(__name__)


hosttorequest = 'www.cnn.com'

@app.route('/')
def root():
    r = requests.get('http://'+hosttorequest+'/')
    return r.content

@app.route('/<path:other>')
def other(other):
    r = requests.get('http://'+hosttorequest+'/'+other)
    return r.content
    
if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

Now this sure makes it easy to start hiding some stuff in there. To get it up and running just do: sudo python filename.py

Firewalking with nmap

uhh firewalking, what’s that?

To quote the original paper (1998):

A Traceroute-Like Analysis of IP Packet Responses to Determine Gateway Access Control Lists

Now that sounds pretty neat right or not if you usually only focus on open ports and ignore all other relevant information that a network scan can give you. The paper does a pretty good job of explaining the technique, so I’m not going to repeat that. Let’s just see if we understood it correctly by doing a manual test and then let’s see how we can use nmap to automate this. In case you are wondering why I don’t use the original Firewalking tool, it’s cause I prefer to not have a lot of fragmented tools unless I really need them. I mean nmap is a great tool and it just saves you a lot of time if you can just perform all (or as much as possible) of the network mapping with nmap.

Let’s setup a little lab which roughly looks like this:

So basically the attacker wants to enumerate the firewall rules that are in place on vyatta. As said, let’s start with grasping the concept of firewalking, by testing if we can proof the following configuration:

Continue reading “Firewalking with nmap”

console/terminal logs ftw

Occasionally I find myself wishing I had logged the output of some command for later reference and often during those occasions I find myself wishing it had a time stamp. So here is a nice reminder to myself, next time make sure my pentesting machine has these modifications.

Make sure my prompt includes the time
Log everything

bash prompt with time stamp (.bashrc)

#example of what we want:
#PS1="\n[\t] \u@\h:\w\$ "
#embedded in the default ubuntu options "\n[\t] "

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\n[\t] \u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\n[\t] \u@\h:\w\$ '
fi

bash with continuous logging (.bashrc)
make sure we always log our stuff. Note when doing interactive stuff the logs get a little but ugly…but we can live with that
Courtesy of: http://ubuntuforums.org/showthread.php?t=1796500 & https://answers.launchpad.net/ubuntu/+source/gnome-terminal/+question/7131

if [ -z "$UNDER_SCRIPT" ]; then
        logdir=$HOME/conlogs
        if [ ! -d $logdir ]; then
                mkdir $logdir
        fi
        #gzip -q $logdir/*.log
        logfile=$logdir/$(date +%F_%T).$$.log
        export UNDER_SCRIPT=$logfile
        script -f -q $logfile
        exit
fi

References

native linux psexec

Sometimes you just don’t feel like starting up metasploit. All you want is an easy way to execute commands on that remote windows computer from your linux shell. Now if you google around you’ll find the following helpful links:

Which are nice but don’t really get you up and running quickly, so for my own future reference here are the direct links to a nicely packaged version of winexe for ubuntu:

Just download, install and then you can go like this from any random terminal session you open:

winexe -U administrator –password=password //10.0.0.2 cmd.exe

Vmware workstation and “dragging” vms to a new window

If you run vmware workstation under linux you can just grab the VM tab and drag it to a new window. Comes in real handy when working with multiple monitors or when you just want to alt tab. Now for some unknown reason this is NOT possible under windows. Yeah you read that right, a simple feature like this seems to be OS dependent. There are some threads out there with people asking exactly this question:

But the answers are not entirely clear, seem a little bit cumbersome or cause “in use” errors.

So here is the answer that imho actually works doesn’t cause errors and doesn’t require you to restart your VM:

Click Edit->Preferences
Select workspace in the left menu
Check the option that says “Keep VMs running after Workstation closes”
Close the tab of the VM you want to move
Click File->New Window
In the new window just use the library to open the VM

That’s it you can now open every single VM in a new window if you wanted to without errors. I admit it’s still a work-around until vmware decides to actually implement the much wanted feature of just dragging your VM out to a new window.

Portable (secure) (pen)test virtual lab

I’ve always wanted like online ‘memo-to-self’ stuff to stop forgetting how to set things up, so I’ve decided to create a category for it. These posts will contain rambling, snippets and links on how to do stuff. Mostly intended for my own use so they won’t contain extensive instructions on every configuration detail.

I’ve always wanted a virtual lab which is easy to bring along and somewhat secure. Just to be clear here are some definitions of the words portable & secure as I see them:

Portable
- easy to transfer
- minimum amount of files
Secure
- easy to encrypt
- easy to delete
- network segmentation
- central firewall

Secure is a relative term, since it all depends on how much you harden the setup. To achieve the above mentioned points I’ve chosen to use vmware workstation and vmware esxi as the virtualization software. If you ever decide to spend money on software, vmware workstation surely deserves it!

Since this post is partially a little idea on creating a portable lab and partially a reminder for myself, I’ll take a shortcut in explaining how to set it up. Like you all know the internet is full of really nice guides on how to set stuff up, so why duplicate?

Continue reading “Portable (secure) (pen)test virtual lab”