Wednesday, December 10, 2014

Bug Bounties And What Hackers Get Paid

I discovered hackerone recently. It's a platform companies can sign up for that gives researchers an avenue to disclose security vulnerabilities in their site along the lines of "responsible disclosure".

I was curious as to what vulnerabilities were published, and their amounts. Well, when a vulnerability is made public, hackerone puts it on their site with the amount on the same page. Having done network pentests for the last 4 years (professionally), it's hard not to lolwtfbbq at how easy/simple it is to identify some of the bugs listed, and a lot of them are paying out hundreds of dollars for what amounts to about 30 seconds of work... I'm in the wrong business...

In any case, I've parsed through their public listing and compiled a list of links for people to read. At the time of this blog post, 240 vulnerabilities were publicly released:

Wednesday, September 17, 2014

Super Simple Shell Spawner in C

I needed this code for a project I was working on. Keeping it here for posterity:
#include <stdlib.h> /* for system() */
int main(void) {
    return system("/bin/sh"); /* assumed body; the post only preserved the include and main() */
}

Monday, September 15, 2014

"Hacking" Wireless Mics

This isn't really a hack. Wireless Mics are glorified walkie-talkies with a little extra speech smoothing fanciness.

I was playing around with some Sony wireless mics and I noticed a label on the back stating the frequency range they operate in. The label said "638.125-661.875". I grabbed my HackRF One and plugged it in. It should be noted that in that frequency range, an RTL-SDR dongle would work as well.

Once I plugged in my HackRF One, I ran hackrf_info to make sure it was recognized and then started gqrx.

I tuned gqrx to the start of the range, 638.125. I was pleased to find that this was the frequency used by the "Channel 1" setting on the wireless mic. I flipped the switch on the mic, and bam. A very strong signal appeared on my screen. I centered the cursor over that, adjusted the squelch to tune out the background noise and turned up the volume so I could hear. Lo and behold, that's all that was needed.

Turns out that the wireless mics are simply FM transmitters broadcasting the audio so the receiver unit can pick it up. Well, in this setup my HackRF is the receiver.

Now, once I learned this I kind of facepalmed a little.

Someone asked me what the big deal is with this. I told them that a lot of the time the communications held over these wireless mics can be confidential. Broadcasting confidential info is usually what people try to avoid.

A great real world example of this would be a reporter doing an interview with a high profile individual who wants everything kept secret until the airing. Well, if someone knew the building where the recording was happening, they could record the audio of the wireless mic and break the story first.

Or worse, use the story info to determine if they should carry out hits to keep people quiet.

Thursday, July 17, 2014

Physical Pentest Tactic: Be Modest With The Car

This may seem obvious to some people, but I've heard some stupid stories.

I'm going to make this simple. When renting a car for your physical pentest, don't get the Mustang. Don't get any car that is going to attract attention. Get a bland car in a bland color. Something like a gray Toyota Camry or a boring SUV.

Why get an SUV if you are only one person? Dumpster diving. I can't tell you how much more crap an SUV can hold than a midsize car.

I once had to go back to a client site 3 times to haul away what the SUV could hold in one trip at another site. You never want to do that. You want to get in, get what you need, and get out. The longer you stay in a particular location, the higher your chances of getting caught.

Therefore, get a bland, boring looking SUV if you can. Otherwise get a midsize car. Avoid compacts if you are planning on doing any dumpster diving.


Another aspect of choosing a car that is actually very important for night operations: make sure all the lights can be turned off quickly and manually.

Few things are more annoying than pulling up to a spot and turning off the car only to have the lights linger on for a minute or so while you awkwardly stare off waiting for them to switch off.

The best option would be the ability to have all the lights off (interior and exterior) while the car is still on. But in most cases, it's better to leave the car engine off.

Physical Pentest App - Scanner Radio

Police scanners can get expensive, especially since today most police stations are moving over to digital (trunked) communications. I had bought a Yaesu VX-8DR so I wouldn't have to worry about missing a frequency. Well, it turns out it doesn't do trunked comms, so I was fucked... Well, not so much.

A free alternative, although time delayed, is an Android app called "Scanner Radio". Most locations in America have an entry for their county or city dispatch.

I love having it in my ear while I case a place or do car recon. It's pretty simple: if you hear a report of a suspicious vehicle in your area, move to another location.

I use the app whenever there are trunked comms in the area my target is in. There is, however, a delay, and that delay depends on what location you are in. I know in Chicago it's about a 60 second delay between what happens on the radio and what comes through the app. You have to remember that the audio has to be received by the equipment, transmitted to the servers, and relayed over the cell network to your phone. That can take a bit.

The best solution is a realtime radio. The second best is the app. It's better than nothing.

Physical Pentest Tactic: Try Everything

It takes a certain kind of person to do a physical pentest well. They have to have balls. They have to be willing to take risks normal people wouldn't take. And most importantly, that risk taking should be accompanied by a level of curiosity. Thoughts like "I wonder what's behind this door" or "I wonder where these stairs go" are a huge part of discovering potential vulnerabilities.

We all like to think that a "properly done" pentest includes a Hollywood-esque layout of the building with every exit and entry point and real time updates of the guard patrols and all that fancy movie crap. The reality is that this is extremely rare. The recon you do beforehand can only give you a partial picture of what's happening:

1. Do they have guards?
2. Do they have guards all night long?
3. Do the guards patrol? Outside? At regular intervals?
4. Are there guard changes? What time?
5. IS THERE A CLEANING CREW? Do they exit the building often to throw out trash?
6. etc, etc.

On one of the physical tests I was on, we were lucky enough to have multiple people (usually they are all solo). After doing internal recon and figuring out the security system, how it works, where it was placed and all that stuff, we decided to check out the place more up close and personal.

We determined that the security system in place was supposed to work based off of sounds. If it detected the sound of someone walking around or breaking a window or something like that, the audio was supposed to be pumped back to the monitoring station to determine whether it was an intruder or something accidentally hitting the window. The whole system was created to reduce false positives and avoid having the police called out when it was actually nothing.

Well, we wanted to test how sensitive the system was just before we hightailed it out. So once we were done checking out the rest of the building, we were all in the SUV and drove up to the last door to see if the alarm would trip if we rattled the door. My friend got out of the car and firmly pushed on the door. Me with my binoculars was watching the LEDs on the alarm system for a change from green to blinking red, meaning it went off. Well, after the push the lights didn't go off. We told him to really go at it, shake the door hard. He pushed really hard, and then pulled really hard to do the motion over and over again and holy shit. THE DOOR OPENED. That door, the door we saved for last, was the one door in the whole place that was completely unlocked. The hilariousness and elation faded quickly as I saw the LED go from green to blinking red. From reading the alarm system documentation we had about 30 seconds to GTFO before the cops were called.

After a bout of screaming because my friend thought we told him to go inside when in fact we told him to get inside the car (lmfao, that was funny beyond belief), we got in the car and got out of the area. We found a dark parking lot that allowed us to see the target from across the street. We waited, scrunched down in our seats. It's amazing how many cars are out driving around at 3am. After about 6 minutes I heard on the police radio that there was a burglar alarm set off at the location. Less than a minute later a cop shows up checking out the place. Then another cop shows up.

The moral of the story: never assume a door is locked. CHECK EVERYTHING.

Physical Pentest Gear: The Clipboard

I've done several physical pentests in the past (and currently) and one piece of gear whose usefulness never ceases to amaze me is the clipboard. I'm not talking about your grandfather's clipboard. I'm talking about today's modern clipboard. It has wifi for auto note taking and a camera to transmit pictures. OK, I'm just messing with you, it doesn't have all that. But it is still incredibly useful.

I was doing a physical one day and was on the social engineering portion of the test, AKA me walking around the office trying to get sensitive documents. I came across an empty cubicle that was being used to store a bunch of bankers boxes (think stereotypical cardboard boxes with the handle holes and lids). Well, I peeked inside one of the boxes and giggled at what I found. Thousands of documents with handwritten credit card info dating back several years. That was in one box. One box of about 2 dozen.

I took a couple of snapshots with my camera but couldn't get a good photo because of the lighting and not enough time. So I grabbed a couple of documents (old ones, just as a PoC) and took a picture of the pile of boxes. The clipboard I was carrying was perfect for quickly stashing these papers:

Any clipboard with a similar compartment will do. You can stash a surprising amount of documents in those things. Waaaay more than you need to prove your point.

Once I was back at the hotel I took much better shots, included them in the report and, when everything was done and over, I securely mailed the documents back to my point of contact. That "Sensitive Documents Not Stored Securely" finding was a small finding in an otherwise juicy report, and that clipboard made my life way easier during the entire SE portion of the test.

There is also the added benefit that having a clipboard in your hand subconsciously insinuates to other people that you are a person of authority, a decision maker, someone that should probably be treated a little better than any old average joe. That thought tends to arise from two different personalities:
1. The person wants to suck up to you (the teacher's pet syndrome)
2. I don't want to get in trouble (the teacher's ruler syndrome)

There is a third personality type that tends to hate authority figures, but you can usually defuse those people by being very confident and, most importantly, very polite and kind. Kindness in authority figures tends to be fairly disarming to the vehemently authority-opposed.

So there you go: just like an EDC (every day carry), every object in your black bag should have multiple uses. I'd suggest adding a compartment clipboard to yours ASAP.

It may seem like a small and insignificant addition at first, but I guarantee that you will be happy you bought it.

Wednesday, July 16, 2014

Ruby - What quarter a date is in

I have a report I have to generate every week and it requests all items of a particular status since the beginning of the current quarter. Everyone likes to say "Just use ActiveRecord!". Fuck you.

Here is the simple ruby code that will do it:

require 'date'
def whatQuarter(date)
  thisYear = date.year # use the date's own year so the ranges below match it
  if    (Date.parse("#{thisYear}-01-01")..Date.parse("#{thisYear}-03-31")).cover?(date) # date range for quarter 1
    return 'Q1'
  elsif (Date.parse("#{thisYear}-04-01")..Date.parse("#{thisYear}-06-30")).cover?(date)
    return 'Q2'
  elsif (Date.parse("#{thisYear}-07-01")..Date.parse("#{thisYear}-09-30")).cover?(date)
    return 'Q3'
  elsif (Date.parse("#{thisYear}-10-01")..Date.parse("#{thisYear}-12-31")).cover?(date)
    return 'Q4'
  end
end

def sameQuarter?(date1, date2)
  if whatQuarter(date1) == whatQuarter(date2)
    return true
  else
    return false
  end
end

I'm sure there is something retarded about that code but it seems to work for me :/


I shortened everything and made it easier on the eyes:

require 'date'
def whatQuarter(date)
  thisYear = date.year # use the date's own year so the ranges below match it
  case
    when (Date.parse("#{thisYear}-01-01")..Date.parse("#{thisYear}-03-31")).cover?(date) then return 'Q1'
    when (Date.parse("#{thisYear}-04-01")..Date.parse("#{thisYear}-06-30")).cover?(date) then return 'Q2'
    when (Date.parse("#{thisYear}-07-01")..Date.parse("#{thisYear}-09-30")).cover?(date) then return 'Q3'
    when (Date.parse("#{thisYear}-10-01")..Date.parse("#{thisYear}-12-31")).cover?(date) then return 'Q4'
  end
end

def sameQuarter?(date1, date2)
  whatQuarter(date1) == whatQuarter(date2)
end

Tuesday, July 15, 2014

LM Hashing Policy - Changes to the same password

No password set for account:

Password of 'Password1' when LM is allowed

Password of 'Password1' when LM is disabled

Basically, if LM is disabled then the machine substitutes a "blank" value for the LM field (aad3b435b51404eeaad3b435b51404ee) and then continues on normally with the NTLM portion.

If the password is larger than 14 characters, the LM portion will have the blank value (aad3b435b51404eeaad3b435b51404ee). This is regardless of whether or not LM is disabled.

LM hashing is disabled by the existence of a DWORD registry value 'NoLMHash' under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa that is set to '1'.
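As an added example (not from the post), a small Python audit over pwdump-style lines that applies the rules above: it flags accounts whose LM field is the blank constant (NoLMHash set or password longer than 14 characters), accounts that still store a real LM hash, and accounts with no password at all. The sample dump is constructed; its non-blank hex values are made up.

```python
import re

# The "blank" LM value the post discusses: what Windows stores in the LM
# field when LM hashing is disabled (NoLMHash = 1) or the password is
# longer than 14 characters. It is the LM hash of an empty password.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password (well-known constant, not from the post).
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump layout: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) from a pwdump-style line, or None if malformed."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.lower(), nt.lower()

def classify(lm, nt):
    """Describe what the stored LM/NT pair says about the account's credential."""
    if nt == BLANK_NT:
        # Empty password: both fields are the "blank" constants.
        return ["empty password"]
    if lm != BLANK_LM:
        # A real LM hash is stored: LM hashing is enabled on that host and
        # the password is 14 characters or fewer. This is the weak case.
        return ["LM hash stored (NoLMHash not set, password <= 14 chars)"]
    return ["LM blank (NoLMHash set or password > 14 chars)"]

def audit(dump_text):
    """Run classify() over every well-formed line; returns {user: findings}."""
    report = {}
    for line in dump_text.splitlines():
        parsed = parse_pwdump_line(line)
        if parsed is None:
            continue  # skip comments, blank lines, unexpected formats
        user, _rid, lm, nt = parsed
        report[user] = classify(lm, nt)
    return report

# Constructed sample dump. The non-blank hex strings are made-up values,
# not hashes of any real password.
SAMPLE_DUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
not a dump line
"""

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_DUMP).items():
        print(user, "->", "; ".join(findings))
```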

Monday, July 14, 2014

Transferring Files Using Netcat

It's probably one of the most well known and simplest ways of transferring files in an emergency. You simply pipe a file to a listening netcat service and have the client output the connection to a file.

Start/Share the file:

nc -l 5678 < file.blah

That line will start listening for connections on port 5678. Once a connection is made, it will spit out the contents of file.blah to the client. If you have the following netcat line on the "client" side (replace <server-ip> with the listener's address), it will write whatever it receives to a file:

nc <server-ip> 5678 > file.blah

I like to md5 check the file afterward to make sure network gnomes didn't mess up the data somehow.

Pretty simple and straightforward.

Friday, July 11, 2014

Netcat with SSL

Recently I needed to troubleshoot some requests to an HTTPS server. Instead of going through the hassle of setting up mitmproxy to middle the SSL connection, I just decided to point the client at an empty listening port. After all, all I really needed was to see what GET requests it was making.

You can set up a netcat-like server that supports SSL using ncat (the tool that comes with nmap):

ncat --ssl --listen 4443

If you want it to stay open after the first connection, append '--keep-open'. And if you want some verbosity about what's going on, add '-vv' to get more info.

There are supposedly a bunch of different ways to get a netcat-like interface for SSL, but ncat gave me the least trouble.

Wednesday, July 9, 2014

Encodings (personal notes)

This is not supposed to be pretty, just for me (Python 2 one-liners):

From hex to string
print("\x41") # will print "A" since 41 is the hex of capital A

From string to hex
print("A".encode("hex")) # prints 41

From hex to string (again)
print("41".decode("hex")) # prints A

Python 2's str.encode()/str.decode() support hex, base64, utf-8, rot13, and a bunch of others.

URL encode:
import urllib
print(urllib.quote("a b/c")) # prints a%20b/c
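The same notes written for Python 3, where str.encode("hex") and the Python 2 urllib.quote import no longer exist (an added example, not part of the original notes):

```python
import base64
import codecs
from urllib.parse import quote, unquote

def str_to_hex(s):
    """'A' -> '41'. Python 2 was 'A'.encode('hex'); in 3, str must become bytes first."""
    return s.encode("utf-8").hex()

def hex_to_str(h):
    """'41' -> 'A'. Python 2 was '41'.decode('hex'); in 3, bytes.fromhex() does it."""
    return bytes.fromhex(h).decode("utf-8")

def b64_encode(s):
    """Text -> base64 text; the base64 module works on bytes, so encode/decode around it."""
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

def b64_decode(b):
    return base64.b64decode(b).decode("utf-8")

def rot13(s):
    """rot13 survives in Python 3 only through the codecs module (str -> str)."""
    return codecs.encode(s, "rot_13")

def url_encode(s):
    """urllib.quote moved to urllib.parse.quote; safe='' also escapes '/'."""
    return quote(s, safe="")

def url_decode(s):
    return unquote(s)

if __name__ == "__main__":
    print(str_to_hex("A"), hex_to_str("41"), b64_encode("Man"), rot13("Hello"), url_encode("a b/c"))
```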

Wednesday, July 2, 2014

Python script to grab the title of a page

#!/usr/bin/env python
# Python 2 script: uses urllib2 and BeautifulSoup 3 (the `from BeautifulSoup import` form)
import urllib2
import sys
from BeautifulSoup import BeautifulSoup
# expects a URL as its only argument

try:
    page = urllib2.urlopen(sys.argv[1])
except urllib2.HTTPError, e:
    print sys.argv[1], '--- HTTPERROR'
    sys.exit(1)

soup = BeautifulSoup(page)

if soup.title:
    print sys.argv[1], "--- ", soup.title.string
else:
    print sys.argv[1], '--- NULL'

Thursday, June 19, 2014

Getting Internal IP from WebDAV via PROPFIND method using curl

I wanted a curl line that would grab the disclosed internal IP from a webserver.

It turns out that you need to specify an empty Host header and a Content-Length of 0 for it to work.

If you don't specify the empty Host header, it will just spit back the XML with whatever host header you specify. And you need a Content-Length of 0 because the server expects a Content-Length header :/

Below is the curl line to get the IP in the body of the response (the target URL goes at the end):

curl -v -k -H "Host:" -H "Host;" -H "Content-Length: 0" -X PROPFIND "https://<target-host>/"

Friday, February 14, 2014

Cool Bash Trick: Constantly updating a "status" line in bash script

A lot of times I'm dealing with repetitious data and I don't like that it can take up so much of my screen when I'm really only outputting something like "Portion 3 is done" and the only thing that updates is the number.

It's annoying to have a screen full of:
Portion 1 is done
Portion 2 is done
Portion 3 is done
Portion 4 is done

I'd like it if only one line were used to tell me the current done portion. Well, it turns out there is a way to do this in bash scripts.

It turns out there is "\r", which means carriage return. So if you output a carriage return WITHOUT a newline, the next output starts at the beginning of that same line, essentially clearing that line of text.

A simple double for loop to visually see what I'm talking about:
for j in $(seq 1 10); do
  for i in $(seq 1 20); do
    printf "%s is part of %s \r" "$i" "$j" # \r returns to column 0, so the next printf overwrites this line
    sleep .1
  done
done
printf "\n" # move past the status line once the loops finish