Monday, 23 April 2012

OWTF 0.14 "London" released! cc @BSidesLondon

OWTF 0.14 "London" is dedicated with special love to BSides London, its organisers and attendants!

Usual background + Disclaimer:
The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page: http://owtf.org
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Demo interactive reports (Firefox >= 8): https://github.com/7a/owtf/tree/master/demos

Change log since OWTF 0.13b "HackPra" (Full change log is here):
23/04/2012 - 0.14 "London" pre-alpha release: Dedicated to BSides London (http://www.securitybsides.org.uk/), its organisers and attendants
 + Fixed URL regexp on the link_clicker.py payload for the OWTF imap client Agent
   It was missing IP-only URLs like: http://192..., regexp changed to: 'http[:0-9a-zA-Z\.\/]+'
 + Upgraded SET spear phising scripts from SET version 2.5.3 to SET version 3.2.2
 + Bug fix: Added GetFileAsList and AppendToFile convenience functions (required by some existing code)
 + Added Version information at the bottom of the OWTF banner and arranged some loading messages to suit
 + Added GetCurrentDateTimeAsStr convenience method to the Timer class
 + Added SET script for new payload (19)
 + Replaced /etc/motd by new parameter WORD_TEMPLATE in SET payload script 3, and added parameter to Spear_Phising plugin
 + Added better error handling to the Spear Phishing handler so that it aborts when a payload script is not found (instead of crashing in SET, after)
 + Fixed SET payload 15 to take advantage of the custom PDF template
 + Added a bit of SET's documentation to the readme directory
 + Commented out the Attachment name modification in the Spear Phising plugin (sometimes you may want to control this from outside the plugin)
 + Added better exception handling to OWTF's SMTP class so that failure to perform the SMTP Login assumes open relay and moves on (also sent as a patch to SET)
 + Added slightly better message to OWTF's SMTP START TLS exception handling error message
 + Added warning to SET handler when sending blank values
 + Added check to Spear Phishing module to verify the word template exists
 + Improved exception handling on the SMTP class for Targeted Phising, thanks Sam!

Tuesday, 17 April 2012

Defeating Airline restrictions

I have had to travel a lot lately and there are some annoying issues I see as I take planes, this blog post combines some tips and tricks I have used successfully with the hope that they may be useful for you too :).


Motivation
- I do not like to see "first time fliers" get "busted" because of not following the rules
- I regularly see 99% of people with "incorrect" cabin baggage that does not take advantage of the rules
- Even when you follow the rules some tricks may make you less likely to be stopped and avoid hassle

General common sense rule
Take what is most important for you as cabin baggage: Cabin baggage is always with you, checked in suitcases are sometimes lost and even sometimes lost forever. Think about it.

Following the rules with some thinking - Cabin baggage
Ryanair is super-clear in this email they send you after booking a flight:
"Strictly one item of cabin baggage is permitted per passenger (excluding infants) weighing up to 10kg with maximum dimensions of 55cm x 40cm x 20cm (your handbag, briefcase, laptop, shop purchases, camera etc. must be carried in your 1 permitted piece of cabin baggage)."
It is important to know that other airlines, require a maximum of only 6kg of cabin baggage with up to the same dimensions as Ryanair.

To take advantage of the rules we need to purchase a hand bag that:
1) Measures as close to 55cm x 40cm x 20cm as possible: Use your full volume allowance
2) Weights as little as possible: Use your full weight allowance
3) Does not look suspicious or bigger than it really is: Avoid hassle at the airport
4) Does not have too many compartments inside: Cabin baggage with many divisions look interesting but are useless: You will eventually need to put something bigger than the biggest division and it will not fit.

Most cabin baggage I see at airports fails Rule 1) due to using cabin baggage with dimensions that do not take advantage of the volume allowance and may not even "fit in the cage" despite providing less volume to the person using it!

Rule 1) Makes hand bags with wheels inferior: Even if the hang bag with wheels is of exactly the allowed dimensions it will not allow you to use all the space because the wheels and surrounding structures will take some of the space away from you. This can be very annoying when you are trying to take big things that are light with you.

Rule 2) above makes backpacks superior to hand bags with wheels: Wheeled hand bags often weight 2-3 kg, the backpack alone is just fabric and it will weight less than 1 kg.

Rule 3) Gives backpacks an advantage again: If you take a backpack the lady at the airport will only have 1-3 seconds to decide if it is too big or not: She cannot see it until you go through and if you walk fast it is often too violent to stop you. Things with wheels or simply not hidden behind your back can be observed for more time and will be more likely to be questioned.

Rule 3) Makes black things superior: Black things look smaller than white things.

I recently bought a backpack like this and I am very happy with it:

I could take that backpack as cabin baggage even in smaller planes recently: Smaller airplanes have even tougher restrictions because normal cabin baggage does not fit: Most people, even playing by the rules (correct dimensions, etc), are often obliged to leave cabin baggage right before entering the plane in the cabin storage.

The backpack also has protection for a big laptop (my 18.4 inches one fits perfectly and its 4kg are no longer a problem for me while traveling, even with 6kg allowances).

Last but not least:  
- Wear clothes with plenty of pockets. I cannot stress this enough: No airline has rules to prevent you from putting heavy things in your pockets but your clothes must be able to handle this. If you know you cannot take all the weight you need with you consider this:
I systematically have my laptop's charger in a pocket in case they make me weight my cabin baggage. (Things that use little space but weight relatively more)
- Travel light: Take only what is strictly necessary and consider using plastic bags (which weight nothing) to wrap things instead of heavier bags/containers.
- Use automated check in systems if possible: Obviously a machine is not going to complain about your cabin baggage :). If you go to the check in desk and the lady sees your cabin baggage things could be different.
- I have seen 10.9kg be allowed by Ryanair (yes, sometimes they weight your cabin baggage), your mileage may vary but if you do not exceed a full kg you might be fine.

Being prepared for funny "security" measures
Other annoying things and how to get around them playing by the rules:
- Liquids are not allowed so purchase water after the security check in: It will be more expensive than a shop but less expensive than buying it at the airplane (unless the airline provides you drinks free of charge as some still do). You should always be well hydrated when flying, this is important for health reasons.
- Have those "super-important" plastic bags in a pocket of your hand bag so that you avoid to pay that 1€ (or pound) fee to buy them at the airport (or buy them the first time, then keep them at the bag for future travels):
- When in doubt check in "potentially dangerous items": You might have nobody to hand the stuff to at the "security" control if there is a problem
- Always be nice: If you get upset when you are stopped / questioned / etc and are uncooperative you are guaranteed to have a lot more hassle that you would ever have otherwise.

Bottom line:
Be cooperative, be nice, follow the rules but use your allowances and be prepared.