Monday, March 18, 2013

Download ShmooCon 2013 Videos

ShmooCon released their videos on their website for everyone to download.

wget -i <(cat <<EOF 2013 - Opening Remarks & Rants.mp4 2013 - How to Own a Building BacNET Attack Framework.mp4 2013 - Mainframed The Secrets Inside that Black Box.mp4 2013 - WIPE THE DRIVE - Techniques for Malware Persistence.mp4 2013 - Apple iOS Certificate Tomfoolery.mp4 2013 - Hide and Seek, Post-Exploitation Style.mp4 2013 - Hackers get Schooled Learning Lessons from Academia.mp4 2013 - Friday Fire Talks.mp4 2013 - Running a CTF - Panel on the Art of Hacker Gaming.mp4 2013 - C10M Defending The Internet At Scale.mp4 2013 - Paparazzi Over IP.mp4 2013 - DIY Using Trust to Secure Embedded Projects.mp4 2013 - Moloch A New And Free Way To Index Your Packet Capture Repository-1.mp4 2013 - OpenStack Security Brief.mp4 2013 - Generalized Single Packet Auth for Cloud Envions.mp4 2013 - From Shotgun Parsers to Better Software Stacks.mp4 2013 - The Computer Fraud and Abuse Act Swartz, Auernheimer, and Beyond.mp4 2013 - Malware Analysis Collaboration Automation & Training.mp4 2013 - Bright Shiny Things Intelligent DA Control.mp4 2013 - Strategies of a World Class Security Inciden.mp4 2013 - Armoring Your Android Apps.mp4 2013 - Protecting Sensitive Information on iOS Devices.mp4 2013 - Beyond Nymwars - Online Identity Battle.mp4 2013 - How Smart Is BlueTooth Smart.mp4 2013 - Chopshop Busting the Gh0st.mp4 2013 - The Cloud - Storms on the Horizon.mp4 2013 - 0wn The Con.mp4 2013 - PunkSPIDER Open Source Fuzzing Proj Tgting the Internet.mp4 2013 - Crypto - Youre Doing It Wrong.mp4 2013 - Identity Based Internet Protocol.mp4 2013 - NSM and more with Bro Network Monitor.mp4 2013 - These Go To Eleven - When the Law Goes Too Far.mp4 2013 - Forensics - ExFat Bastardized for Cameras.mp4 2013 - Page Fault Liberation Army or Better Security Through Trapping.mp4 2013 - Hacking as an Act of War.mp4 2013 - MASTIFF - Automated Static Analysis Framewor.mp4 2013 - Attacking SCADA Wireless Systems.mp4 2013 - Ka-Ching - How to Make Real Money.mp4 2013 - Is Practical Info Sharing Possible.mp4

You can copy and paste that into your terminal and it will download the videos to that directory.

Friday, March 8, 2013

Tmux screen logging workaround

I really like tmux, its sexy, sleek, actively developed, and has amazing mouse support. I only had one problem (so far) with the transition from GNU screen: output logging.

GNU screen has an amazing config option that I used almost all the time:

logfile screenlogs/%S%Y%m%d-%n.log
deflog on

The problem is that tmux doesnt have the same option :( the closest thing I have seen is the "pipe-pane" option, but I couldnt find any way to automate that upon startup of tmux. I figured, well since tmux doesnt let me do it, maybe I can hack something together myself. And thats exactly what i did. I give to you...tmux output logging via the script command:
if [[ $TERM = "screen" ]] && [[ $(ps $PPID -o comm=) = "tmux" ]] ; then
logname="$(date '+%d.%m.%Y_%H:%M:%S').tmux.log"
mkdir $HOME/logs 2> /dev/null
script -t 1 $HOME/logs/${logname} bash -login
The above code basically checks if the $TERM variable is set to "screen" (tmux does this by default) and then check if the parent PID's name is "tmux". then it sets up a logging environment and output everything to the logfile it specifies.

That code works for OSX, for your basic GNU linux setup try this instead:

if [[ $TERM = "screen" ]] && [[ $(ps -p $PPID -o comm=) = "tmux" ]]; then
logname="$(date '+%d.%m.%Y_%H:%M:%S').tmux.log"
mkdir $HOME/logs 2> /dev/null
script -f $HOME/logs/${logname}

All you have to do is put that code into your .profile or .bashrc/.bash_profile and you are good to go.


Sunday, March 3, 2013

Bash script to sniff, parse, and decrypt cpassword's from GPOs

echo -n "$1" | grep -o -P 'runAs=".*?"'| cut -d'"' -f 2
echo -n "$1" | grep -o -P 'cpassword=".*?"'| cut -d'"' -f 2
pad_length=$(expr 4 - length "${cpassword}" % 4) # figure out the padding length
padding=$(for i in {1..${pad_length}}; do printf =; done) #output correct padding string
#pad, b64 decode, then decrypt the password
echo $(echo -n ${cpassword}${padding} | base64 -d | openssl aes-256-cbc -d -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv '')

tshark -R 'smb.cmd==0x2e and tcp contains 'cpassword'' -Tfields -e smb.file_data \
| xxd -r -p | grep cpassword \
| while read line; do \
echo $(parse_username "$line"):$(decrypt_cpassword $(parse_cpassword "$line"));

Figlet Fonts

These seems to be the least retarded....


figlet -f stop KITTENS