
OWASP AppSec Research EU 2012

May 21, 2012

Two years ago, around February, I found myself sending a mail regarding AppSec Research EU 2010. It was a mail to John Wilander, chair of the organizing committee, asking to be a volunteer for the conference. Back then I was still an M.Sc. student living abroad and this was more or less my only chance at attending. I had “met” John when he came to give us a lecture on Web Application security in DSV for a course I was taking at that time. In another course, the course literature included Software Security: Building Security In by Gary McGraw. To cut a long story short, I ended up attending the conference as a volunteer, helped around with all kinds of stuff before and during the conference days and had the opportunity to attend quite a few interesting presentations.

Fast forward to 2012, I found myself sending another mail regarding OWASP AppSec Research. This time it was a submission to the CFP for a presentation/demo on locational privacy and cree.py, titled “The cree.py side of geolocation. Weaponizing your check-ins.” Yesterday I got a reply that it was accepted. It was accepted in a conference where Gary McGraw is giving a keynote, and John Wilander is presenting his “Advanced CSRF and Stateless Anti-CSRF” talk. These two are just an example of the cool people and presentations that will be around; I mention only these as they play a part in my story.

I feel extremely happy, humbled and privileged to be given such an opportunity. It’s not that “I’m there” or “I’m getting there”, wherever and whatever this “there” is. It’s just a small personal “victory”, a very own #WIN moment to realize that what some time ago was just an abstract idea in my mind became a project I will talk to people about in a conference like AppSec Research. I hope I can deliver an interesting, fun and educational talk and, more importantly, get to hear what other people will be presenting, mingle and get a feeling of the community. The trip to Athens will be an extra bonus 🙂

Well, see you in Greece in July!


creepy 0.2 or “Your SET was cool, but now it’s creepy too”

March 29, 2012

It’s been more than a year since the last major (and initial) release of creepy. A year that had everything, from nasty comments and ill-based criticism to appreciation, shout-outs and positive feedback. Everything from random pull requests (only 1, sadly enough) to “is this project dead or what, dammit?” Everything from 400+ downloads per day (for a short period) to the infamous twitter key revocation issue that rendered the application useless for a couple of weeks (this deserves a post on its own, but I fear that this will remain one of the posts that “I should have written”).

When I wrapped my mind around the idea of an application like creepy, I had 2 explicit goals:

1) Raise awareness. Publicity came, both good and bad, I got a little more involved personally than I would imagine/want to, but looking over the past 13 months I feel that I succeeded in that. References in mainstream media (TV, newspapers, radio) and of course blogs/twitter gave the project enough exposure to send the message across. I have no metrics, but I think it was a good scare for social network fanatics and a wake-up call for people to take their locational privacy a little more seriously. Or at least just a good step towards it. Or at least that’s what I want to believe.

2) Useful tool for information gathering. I have had some good feedback and use cases from OSINT people and police agencies across the globe, but not so much from penetration testers. So, if you do use the tool, drop me a line, tell me if it has been useful, submit a feature request.

Bah, anyway, enough with the retrospection. Without further delay, I give you creepy 0.2.

Release notes:

Availability:

The source code is already in github, feel free to try it from there. The Windows binaries and deb packages should follow shortly!

Improvements:

  • More responsive user interface. Previous versions handled the information retrieval (tweets, photos..) and the geolocation information extraction as a single event. This made people uncomfortable since it could take a while, and there was no way to know if the application was still gathering data or had just hung. This is why I separated the retrieval from the extraction. Now users will get feedback that creepy has finished retrieving tweets before it starts analyzing them.
  • FASTER. I used the multiprocessing module to make the geolocation extraction process “threaded”. This made the whole application a lot, lot faster.

New Features:

  • Support for t.co links. A while ago, twitter started replacing all links with t.co links. There was no support for parsing these links, so links to image hosting sites were being ignored.
  • Connected to the above, configurable exclusion of t.co link parsing. Since all links in twitter are t.co links, with no further information about them, creepy has to go and fetch them, follow the redirects and end up at the target website before it can determine if it is a website (twitpic, yfrog etc.) from which it can gather geolocation information. As @thomzee mentioned on twitter, they actually return the expanded URL. Oh well, someone didn’t go through the API well enough.. I will update the code, but I think the need for the option is still valid, as extracting geolocation information from external links is by far the most time consuming part. So, there is an option to ignore all links in the tweets and get geolocation information only from twitter.
  • Control over the pagination of the results from twitter: Many people had big problems with twitter 502 responses (service unavailable). Although this should not be happening (at least not that often), I did some testing and realized it can be improved using tweepy’s Cursor object controls over result pagination. The earlier versions were hardcoded to get pages of 200 results, which is still the default value (and the maximum that twitter allows), but if you get 502s often, you might want to play with lower numbers using the configuration file.
  • Last but not least, my favorite!: Creepy is good at aggregating information, but what can you do with it afterwards? I was thinking about that a lot and realized that I should somehow allow for the data that creepy gathers to be used in an easy way with other security tools. The first step in this direction is integration with the Social Engineer Toolkit. I am pretty sure there is no need for introductions, but if you haven’t heard about it, go to secmaniac and give a try to the beast that Dave has put together. Creepy 0.2 allows you to create templates for SET’s spear-phishing attack vector. What if instead of generic emails, you could create personalized ones that would put you in the target’s comfort zone and highly raise the chances of him/her opening the attachment? Creepy uses a meta-template file format very similar to the one that SET is using itself for storing mail templates. The addition is that creepy allows you to input specific geolocation and date/time information into the generic templates. Creepy comes with 3 templates you can use and you are of course encouraged to create your own since this attack vector is rather specialized. Let’s take a look at one of them to see how it works:
# Author: Ioannis Kakavas
#
# Email about photos
#
SUBJECT="Is that really you ?"

BODY="Hey man, \n I got this pictures of you in an email from a stranger last night. This guy claimed that you were in @area@ , sometime around @hour@ on @date@. It looks like he is stalking you or something.. Take a look at them and tell me if its really you, I got kind of spooked...\n Best, \n"

The @area@ and @hour@ in this case are placeholders and they are just two of the available ones, which include the following: @formatted_address@, @area@, @username@, @realname@, @date@, @time@, @ampm@, @datetime@, @month@, @day@, @year@, @hour@, @minutes@.

So when you right-click in the location list in creepy, select “Export template for Social Engineer Toolkit” and select the specific template from the drop-down list, creepy will parse the template, replace the placeholders with the actual information about the specific time and place and save it in SET’s template directory. The included templates are here to get you going and give an example of what you can do, but the possibilities are endless!! If people find it useful, I will create a new repository where we can share templates. So, go, play with the new feature and please do come back with bugs and feature requests of how this could be made better.
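As an added example (not creepy's own code), here is a small parser for the template format above: it reads the KEY="value" lines, lists the @placeholder@ tokens a template uses, flags names outside the documented placeholder list, and refuses to render when a value is missing rather than writing out a mail with a literal @hour@ in it. The sample template and the values fed to it are constructed; the format it assumes is the one shown in the post (comment lines starting with #, blank lines, and one double-quoted SUBJECT and BODY line).

```python
"""Parse a creepy/SET-style mail meta-template and fill in its placeholders.

Added example, not creepy's own code. It assumes the format shown in the post:
'#' comment lines, blank lines, and KEY="value" lines (SUBJECT and BODY),
with @name@ placeholder tokens inside the values.
"""
import re

# Placeholder names listed in the post as available to templates.
KNOWN_PLACEHOLDERS = {
    "formatted_address", "area", "username", "realname", "date", "time",
    "ampm", "datetime", "month", "day", "year", "hour", "minutes",
}

PLACEHOLDER_RE = re.compile(r"@([a-z_]+)@")
ASSIGNMENT_RE = re.compile(r'^([A-Z]+)="(.*)"\s*$')

# Constructed sample template (same layout as the post's example, benign text).
SAMPLE_TEMPLATE = r'''# Author: constructed example
#
# Meeting reminder
#
SUBJECT="Still meeting in @area@?"

BODY="Hi @realname@, \n are we still on for @area@ around @hour@ on @date@? \n Best, \n"
'''


def parse_template(text):
    """Return {KEY: value} for every KEY="value" line; reject anything else."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        match = ASSIGNMENT_RE.match(line)
        if not match:
            # A line with text after its closing quote (or no quotes) ends up here.
            raise ValueError("line %d is not KEY=\"value\": %r" % (lineno, line))
        fields[match.group(1)] = match.group(2)
    return fields


def placeholders_in(text):
    """Set of placeholder names used in a template value."""
    return set(PLACEHOLDER_RE.findall(text))


def unknown_placeholders(fields):
    """Placeholders creepy would not know how to fill (usually typos)."""
    used = set()
    for value in fields.values():
        used |= placeholders_in(value)
    return used - KNOWN_PLACEHOLDERS


def render(fields, values):
    """Substitute every placeholder; fail loudly instead of emitting '@hour@'."""
    rendered = {}
    for key, value in fields.items():
        missing = placeholders_in(value) - set(values)
        if missing:
            raise KeyError("no value for placeholder(s): %s" % ", ".join(sorted(missing)))
        rendered[key] = PLACEHOLDER_RE.sub(lambda m: values[m.group(1)], value)
    return rendered


if __name__ == "__main__":
    fields = parse_template(SAMPLE_TEMPLATE)
    # Constructed values standing in for what creepy fills from a selected location.
    sample_values = {"realname": "Alex", "area": "Kifissia", "hour": "10", "date": "2012-03-29"}
    for key, text in render(fields, sample_values).items():
        print("%s: %s" % (key, text))
```

The parser is strict on purpose: a line whose value is not one double-quoted string fails at parse time with its line number, and an unresolved or misspelled placeholder is reported before anything is written to SET's template directory, instead of being noticed by the recipient.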

Roadmap:

  • Working on creepy now made me realize that the code is slowly getting close to being unmaintainable. I need to fix that now, before it grows to be a spaghetti code monster that I will have trouble debugging or adding new functionality to. That’s why the next major release will be only about redesigning and refactoring the application without any added functionality.
  • Secondly, I will try to drop gtk and move to Qt. This will allow for a truly cross-platform application (Mac OS X included). I have started working on it already and I dare to say that I like Qt better visually 😉
  • An android version is in the plans, but not the immediate ones. I don’t know how useful it will be, but I think it will be cool.

Need for help:

This one-man team thing is not progressing very well. 13 months for a major release is a bit too much, plus the fact that I hardly have time for bug fixing in the meanwhile. I work full time, free time is not plenty and there are oh so many more nice things in life apart from code that I need to enjoy 🙂 So if you feel like joining the team, drop me a mail or a tweet and let’s have a talk about it.

That’s that for now, go play and let me know how it went 😉

Harvesting google profiles

May 19, 2011

Some minutes ago, I saw an interesting tweet from Mikko H. Hypponen saying that he found out that all (yes, as in ALL – 35,513,445) google profile addresses can be retrieved from a single XML file. Looked through it and, yeap, he was quite right.

Well, all this information is going to be useful somehow, right? Right. In case it’s going to be removed, here is a simple way to harvest them before that happens:

#!/usr/bin/env python
# Python 2 script; needs BeautifulSoup 3 (BeautifulStoneSoup is its XML parser).

import urllib
from BeautifulSoup import BeautifulStoneSoup as bs

# Fetch the sitemap index and parse it as XML.
xml = bs(urllib.urlopen('http://www.gstatic.com/s2/sitemaps/profiles-sitemap.xml').read())
for i in xml.findAll('loc'):
    try:
        # Save each listed sitemap under its own name: the 35-character
        # prefix 'http://www.gstatic.com/s2/sitemaps/' is stripped from the URL.
        urllib.urlretrieve(i.text, i.text[35:])
        print 'Downloaded %s' % i.text[35:]
    except Exception, err:
        print '%s could not be retrieved: %s' % (i.text, err)
print 'All done'

That’s it, save it, run it and wait 🙂 Not that I used it, but I calculate that you get around 1.7 GB worth of profile links.
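Two details of the script above deserve a closer look, in an added Python 3 example that is not the post's code: the sitemap XML namespace (which BeautifulStoneSoup ignores but xml.etree does not), and the i.text[35:] file name, which only works for that exact URL prefix and would happily keep any `../` segments a sitemap happened to contain when handing the name to urlretrieve. The sitemap index below is constructed; only the host and directory come from the URL quoted above, the child file names are made up, and nothing is downloaded.

```python
"""List the URLs in a sitemap and turn each into a safe local file name.

Added example, not the script from the post: it uses xml.etree (Python 3)
with the sitemap namespace instead of BeautifulStoneSoup, and takes the
file name from the URL path instead of slicing off a fixed 35 characters.
The sitemap index below is constructed; only the host and directory follow
the gstatic URL quoted in the post, the child file names are made up.
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"

# Constructed sample: a sitemap index pointing at three child sitemaps.
SAMPLE_INDEX = """<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>http://www.gstatic.com/s2/sitemaps/profiles-sitemap-0.xml</loc></sitemap>
  <sitemap><loc>http://www.gstatic.com/s2/sitemaps/profiles-sitemap-1.xml</loc></sitemap>
  <sitemap><loc> http://www.gstatic.com/s2/sitemaps/profiles-sitemap-2.xml </loc></sitemap>
</sitemapindex>
"""


def sitemap_locations(xml_text):
    """Every <loc> text in a sitemap or sitemap index, namespaced or not."""
    root = ET.fromstring(xml_text)
    loc_tags = ("{%s}loc" % SITEMAP_NS, "loc")
    return [el.text.strip() for el in root.iter() if el.tag in loc_tags and el.text]


def local_name(url):
    """Last path segment of the URL, or ValueError if there is none.

    The post's script used url[35:] as the file name, which works only for
    that exact prefix and keeps any '../' a sitemap might contain; basename()
    never yields a name with directory components in it.
    """
    name = posixpath.basename(urlparse(url).path)
    if name in ("", ".", ".."):
        raise ValueError("no usable file name in %r" % url)
    return name


def download_plan(xml_text):
    """(url, local file) pairs a fetcher would work through; nothing is fetched."""
    return [(url, local_name(url)) for url in sitemap_locations(xml_text)]


if __name__ == "__main__":
    for url, name in download_plan(SAMPLE_INDEX):
        print("%s -> %s" % (url, name))
```

Feeding the plan to an actual fetcher is the only step left out; the point of the split is that the file names are decided by a function you can test against hostile input before any byte from the network is written to disk.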

Well, the juicy part is obviously the harvesting of the information from the profiles themselves. People are mentioning on twitter that Google has been aware for a long time, or at least should be. Thoughts about the potential implications of that harvesting in a blog post to come.

“Hello World” or “Oh mum, what a complex World”

March 1, 2010

Hello World is a typical example of a small program used as an introductory tutorial for all programming languages. It has also evolved to act as an introductory act for blogs as well. WordPress creates a “Hello World” post automatically when creating a blog. Anyway, you get the point. Given that, one would imagine that a Hello World in any given language is a fairly simple piece of code. And it usually is. But simple to write doesn’t necessarily mean not complex.

McGraw[1] defines software complexity as one of the three factors in the trinity of trouble for software security. The other two are connectivity and extensibility.

So we have a simple HelloWorld code snippet in Java:

public class Hello {
    /**
     * @param args
     */
    public static void main(String[] args) {
        // TODO Auto-generated method stub
        System.out.println("Hello World!");
    }
}

Fairly simple, right? Can you imagine how many system and library calls this program makes while executing?

System Calls:

ilektrojohn@securebook:~$ strace -c -f -q java Hello
Hello World!
upeek: ptrace(PTRACE_PEEKUSER,19107,120,0): No such process
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
100.00    0.044222         533        83         3 futex
  0.00    0.000000           0       632           read
  0.00    0.000000           0         2           write
  0.00    0.000000           0       109        61 open
  0.00    0.000000           0        49           close
  0.00    0.000000           0        58        28 stat
  0.00    0.000000           0        44           fstat
  0.00    0.000000           0        50         1 lstat
  0.00    0.000000           0       598           lseek
  0.00    0.000000           0       125           mmap
  0.00    0.000000           0        51           mprotect
  0.00    0.000000           0        20           munmap
  0.00    0.000000           0        10           brk
  0.00    0.000000           0        27           rt_sigaction
  0.00    0.000000           0        42           rt_sigprocmask
  0.00    0.000000           0        18        16 access
  0.00    0.000000           0         2           sched_yield
  0.00    0.000000           0         2           socket
  0.00    0.000000           0         2         2 connect
  0.00    0.000000           0        11           clone
  0.00    0.000000           0         2           execve
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         4           fcntl
  0.00    0.000000           0         1           ftruncate
  0.00    0.000000           0         6           getdents
  0.00    0.000000           0         1           getcwd
  0.00    0.000000           0         1         1 mkdir
  0.00    0.000000           0         1           unlink
  0.00    0.000000           0         4           readlink
  0.00    0.000000           0         4           getrlimit
  0.00    0.000000           0         3           getuid
  0.00    0.000000           0         2           getgid
  0.00    0.000000           0         3           geteuid
  0.00    0.000000           0         2           getegid
  0.00    0.000000           0         2           arch_prctl
  0.00    0.000000           0         1           setrlimit
  0.00    0.000000           0        12           gettid
  0.00    0.000000           0        24           sched_getaffinity
  0.00    0.000000           0         2           set_tid_address
  0.00    0.000000           0         1           clock_getres
  0.00    0.000000           0        13           set_robust_list
------ ----------- ----------- --------- --------- ----------------
100.00    0.044222                  2025       112 total
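To make a summary like the one above something you can check rather than just read, here is an added Python example (not from the original post) that parses the strace -c table, verifies that the per-syscall call and error counts add up to the total line, and ranks the syscalls by failed calls. The embedded sample is the strace output shown above; the function names are mine.

```python
"""Parse the summary table that `strace -c` prints and sanity-check it.

Added example, not code from the original post. It reads the strace summary
from the post (embedded as sample input), checks that the per-syscall counts
add up to the 'total' line, and ranks syscalls by failed calls.
"""
from collections import namedtuple

Row = namedtuple("Row", "name pct seconds usecs calls errors")

# Sample input: the `strace -c -f -q java Hello` output shown in the post.
STRACE_SUMMARY = """\
Hello World!
upeek: ptrace(PTRACE_PEEKUSER,19107,120,0): No such process
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
100.00    0.044222         533        83         3 futex
  0.00    0.000000           0       632           read
  0.00    0.000000           0         2           write
  0.00    0.000000           0       109        61 open
  0.00    0.000000           0        49           close
  0.00    0.000000           0        58        28 stat
  0.00    0.000000           0        44           fstat
  0.00    0.000000           0        50         1 lstat
  0.00    0.000000           0       598           lseek
  0.00    0.000000           0       125           mmap
  0.00    0.000000           0        51           mprotect
  0.00    0.000000           0        20           munmap
  0.00    0.000000           0        10           brk
  0.00    0.000000           0        27           rt_sigaction
  0.00    0.000000           0        42           rt_sigprocmask
  0.00    0.000000           0        18        16 access
  0.00    0.000000           0         2           sched_yield
  0.00    0.000000           0         2           socket
  0.00    0.000000           0         2         2 connect
  0.00    0.000000           0        11           clone
  0.00    0.000000           0         2           execve
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         4           fcntl
  0.00    0.000000           0         1           ftruncate
  0.00    0.000000           0         6           getdents
  0.00    0.000000           0         1           getcwd
  0.00    0.000000           0         1         1 mkdir
  0.00    0.000000           0         1           unlink
  0.00    0.000000           0         4           readlink
  0.00    0.000000           0         4           getrlimit
  0.00    0.000000           0         3           getuid
  0.00    0.000000           0         2           getgid
  0.00    0.000000           0         3           geteuid
  0.00    0.000000           0         2           getegid
  0.00    0.000000           0         2           arch_prctl
  0.00    0.000000           0         1           setrlimit
  0.00    0.000000           0        12           gettid
  0.00    0.000000           0        24           sched_getaffinity
  0.00    0.000000           0         2           set_tid_address
  0.00    0.000000           0         1           clock_getres
  0.00    0.000000           0        13           set_robust_list
------ ----------- ----------- --------- --------- ----------------
100.00    0.044222                  2025       112 total
"""

def parse_strace_summary(text):
    """Return (rows, total): one Row per syscall plus the 'total' Row (or None)."""
    rows, total = [], None
    for line in text.splitlines():
        fields = line.split()
        # Skip program output, ptrace noise, the header and the dashed rules.
        if len(fields) < 4 or not fields[0].replace(".", "", 1).isdigit():
            continue
        if fields[-1] == "total":
            # The total line has no usecs/call column: pct seconds calls [errors]
            errors = int(fields[3]) if len(fields) == 5 else 0
            total = Row("total", float(fields[0]), float(fields[1]),
                        None, int(fields[2]), errors)
            continue
        # Regular row: pct seconds usecs/call calls [errors] name; the errors
        # column is blank when no call of that syscall failed.
        errors = int(fields[4]) if len(fields) == 6 else 0
        rows.append(Row(fields[-1], float(fields[0]), float(fields[1]),
                        int(fields[2]), int(fields[3]), errors))
    return rows, total

def totals_match(rows, total):
    """True when per-syscall calls and errors both add up to the total line."""
    return (sum(r.calls for r in rows) == total.calls
            and sum(r.errors for r in rows) == total.errors)

def most_failed(rows, n=3):
    """(name, errors, calls) for the n syscalls with the most failed calls."""
    failing = sorted((r for r in rows if r.errors), key=lambda r: -r.errors)
    return [(r.name, r.errors, r.calls) for r in failing[:n]]

if __name__ == "__main__":
    rows, total = parse_strace_summary(STRACE_SUMMARY)
    print("%d syscalls, %d calls, %d failed, totals %s" % (len(rows), total.calls,
          total.errors, "consistent" if totals_match(rows, total) else "INCONSISTENT"))
    for name, errors, calls in most_failed(rows):
        print("  %-10s %3d of %3d calls failed" % (name, errors, calls))
```

The failed calls are the part worth reading: 61 of the 109 open calls, 28 of the 58 stat calls and 16 of the 18 access calls failed, which is typically the JVM launcher probing its search paths for jars and shared libraries that are not where it looked first. That is exactly the search-path behaviour you want to know about before deciding which files a process like this should be allowed to open at all.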

Library Calls

ilektrojohn@securebook:~$ ltrace -c -f java Hello
Hello World!
% time     seconds  usecs/call     calls      function
------ ----------- ----------- --------- --------------------
 91.11    0.126965      126965         1 pthread_join
  1.68    0.002335          53        44 fgets
  1.50    0.002085        2085         1 dlopen
  0.73    0.001015          59        17 JLI_MemAlloc
  0.52    0.000727          45        16 JLI_StringDup
  0.37    0.000522          43        12 strcspn
  0.37    0.000515          42        12 strspn
  0.37    0.000511          28        18 strlen
  0.36    0.000498          33        15 JLI_MemFree
  0.30    0.000422          38        11 getenv
  0.27    0.000372          46         8 sprintf
  0.25    0.000343          42         8 strrchr
  0.21    0.000295          36         8 strcat
  0.19    0.000260         130         2 fclose
  0.17    0.000233         116         2 fopen
  0.16    0.000224         112         2 readlink
  0.14    0.000196          98         2 getuid
  0.14    0.000191          95         2 access
  0.13    0.000182          91         2 __xstat
  0.12    0.000161          80         2 getgid
  0.11    0.000154          77         2 geteuid
  0.11    0.000152          76         2 getegid
  0.10    0.000136          27         5 strchr
  0.08    0.000116         116         1 pthread_create
  0.08    0.000115          57         2 memset
  0.07    0.000103          51         2 strcpy
  0.07    0.000102          51         2 strncpy
  0.07    0.000095          47         2 JLI_FreeManifest
  0.06    0.000086          43         2 fflush
  0.04    0.000059          59         1 putenv
  0.04    0.000057          57         1 pthread_attr_destroy
  0.02    0.000034          17         2 dlsym
  0.01    0.000018          18         1 pthread_attr_init
  0.01    0.000016          16         1 JLI_WildcardExpandClasspath
  0.01    0.000016          16         1 strncmp
  0.01    0.000014          14         1 pthread_attr_setstacksize
  0.01    0.000014          14         1 getpid
  0.01    0.000013          13         1 pthread_attr_setdetachstate
------ ----------- ----------- --------- --------------------
100.00    0.139352                   215 total

You get the drill, complexity is a beast. Ah, and I almost forgot: Hello world 😉

[1] Gary McGraw (2006). Software Security: Building Security In. Crawfordsville, Indiana: Addison-Wesley Professional. pp. 7-10.
