Thursday, 25 April 2013

GSoC + Pentesting like a Grandmaster: Slides, Demos, Video

Pentesting like a Grandmaster materials - BSides London 2013
UPDATE: 2013-07-28 - Added link to BSides London talk interview 
NOTE: Will update the post as soon as the video is available; only slides and demos for now :)

BSides London 2013 was a blast, as in previous years. I received a lot of good feedback on my talk during the conference (thanks to everyone!) and some people showed interest in the slides, so here they are :)

BSides London Interview about the talk:

OWTF links:

Google Summer of Code note:
If you are a uni student and are interested in getting paid by Google to work on OWTF for 3 months in the summer, have a look at the OWASP Google Summer of Code page and get in touch soon!:

Friday, 19 April 2013

Kali Linux: Dude, where's my sshd-generate?

UPDATE: This probably only affects the VMware image; you will know whether it also affects a regular Kali install if your hashes match my sample hashes below.

So the fine folks at offensive security released this new distro called "Kali Linux" recently, which is essentially:
  1. Replacing Backtrack
  2. Based on Debian (instead of Ubuntu)
One of the things that has changed from Backtrack is that it is no longer necessary to generate the ssh host keys, since the image already contains a key pair. This is a bit scary for us paranoid security folks, as can be seen in this great blog post. In short, having ssh key pairs that are known to the whole planet means anybody could MiTM your ssh connections to Kali by default. Not cool.

The question is: How do we fix this?

In Backtrack we used to call "sshd-generate" to generate OR overwrite the host ssh keys. However, in Kali if you call sshd-generate you get this:

# sshd-generate
bash: sshd-generate: command not found

The way to "sshd-generate" in Kali is as follows:

Step 1) Move the default Kali ssh keys somewhere else
This way you can use the keys for pranks to your buddies via SSH MiTM and TCP hijacking :).

# cd /etc/ssh/
# mkdir default_kali_keys
# mv ssh_host_* default_kali_keys/

Step 2) Regenerate the keys

# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).

Step 3) Verify that the ssh key hashes are different now:

# md5sum ssh_host_*
(these are your new keys; compare their hashes to the default ones below)
# cd default_kali_keys/
# md5sum *
b9419ea3a8fff086c258740e89ca86b8  ssh_host_dsa_key
58e49e0d7b24249c38db0c9cf595751b  ssh_host_ecdsa_key
cc0d92036bb86797bed354338faa7223  ssh_host_rsa_key

After regenerating the SSH key pairs you can start the SSH service via /usr/sbin/sshd from the CLI or just indulge in laziness and use the menus :)

NOTE: Despite the similar name, ssh-keygen is for the client ssh keys not the sshd service.
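As an added example that is not part of the original post, the following POSIX shell functions (hypothetical names count_default_host_keys and check_default_host_keys) turn the Step 3 comparison into a repeatable check against the three default hashes quoted above. A zero count only shows the keys are not those three defaults, not that they are unique.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the SSH host keys
# in a directory still have the default Kali VMware-image hashes quoted above.
# Typical use after Step 2:  check_default_host_keys /etc/ssh

# The three md5sums of the default private host keys listed in the post.
KNOWN_DEFAULT_MD5="b9419ea3a8fff086c258740e89ca86b8
58e49e0d7b24249c38db0c9cf595751b
cc0d92036bb86797bed354338faa7223"

# count_default_host_keys DIR [HASHLIST]
#   Prints the number of ssh_host_*_key files in DIR whose md5sum appears in
#   HASHLIST (default: the known Kali defaults). Each hit is reported on stderr.
count_default_host_keys() {
    dir=$1
    known=${2:-$KNOWN_DEFAULT_MD5}
    matches=0
    for f in "$dir"/ssh_host_*_key; do
        [ -f "$f" ] || continue               # glob matched nothing
        sum=$(md5sum "$f" | cut -d' ' -f1)
        if printf '%s\n' "$known" | grep -qx "$sum"; then
            echo "DEFAULT KEY STILL IN USE: $f ($sum)" >&2
            matches=$((matches + 1))
        fi
    done
    echo "$matches"
}

# check_default_host_keys DIR
#   Exit status 0 when none of the private host keys in DIR is a known default,
#   1 otherwise; suitable as a post-install sanity check.
check_default_host_keys() {
    n=$(count_default_host_keys "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no default Kali host keys found in $1"
        return 0
    fi
    echo "FAIL: $n default Kali host key(s) found in $1; regenerate them" >&2
    return 1
}
```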

Tuesday, 9 April 2013

Illusionism, SE and busting 3 Dynamo tricks

Illusionism is just another form of Social Engineering (SE): The magician attempts to draw attention away from the trick to create an illusion of making the impossible possible.

During the weekend I saw three fun tricks by Steven Frayne (aka Dynamo); the first one (walking on water) additionally shows the power of the media as a social engineering tool, which I believe is quite interesting on its own.

The tricks I will "bust" here (SPOILER ALERT!) are:
1) Walking on water
2) Matrix lean
3) Benching 155kg while being out of shape from a weightlifting perspective :)

1) Walking on water 
What makes this very interesting from my point of view is that the media turned a FAIL into a WIN. Have a look at the "official" video first (one of the highest ranked ones on youtube):
Here you may notice: 
  1. Paid actors
  2. The canoes going over the area where he walked: trying to prove there is nothing there
  3. The police picking him off the water as if there were nothing where the boat was
  4. (After watching the unofficial video) The video is actually manipulated (!): it cuts out the bit where the police boat bumped against the plexiglass platform. Pay attention to where the boat drives off and compare that with the unofficial video below (the boat did not go in that direction first) :)
Now let's have a look at the unofficial video where the police boat was damaged and people watching laughed:

Here you notice:
  1. River waves looking funny for a couple of seconds where Dynamo walks in the first few minutes, especially around minutes 0:00-1:30: this alone is enough to detect that he is walking on something, probably plexiglass.
  2. Dynamo is wearing a red jacket and holding his arms in a cross-like position, drawing attention away from his feet and the river waves; this reinforces the illusion.
  3. Dynamo is clearly dragging his feet to check where the plexiglass platform ends and where there are gaps; he is using touch to guide his feet along the platform. He is clearly not walking like a normal guy on the street :).
  4. Dynamo stops walking at the end of the plexiglas platform to be picked up by the police: He could not have continued to walk from that point, it was all organised :).
  5. At minute 2:30 the police try to make an odd turn over the area where Dynamo walked, to prove a point beyond what the canoes tried to do (i.e. there is nothing under the water); however, the depth and/or the plexiglass gap to drive through was not calculated well enough and they hit the platform, probably damaging the boat :)
  6. People start to laugh, the FAIL is hilarious :)
What is amazing to me is that a lot of London people witnessed this hilarious FAIL, yet the Discovery Channel and news outlets show it as a WIN, and the WIN is ranked higher than the FAIL on youtube, etc.! :)

Creating an illusion of walking on water is actually quite hard, as can be seen in the following mythbusters' "buckets of fail", where they just cannot find a reliable way to walk on water:

Here the mythbusters just give up and create a goo-thing to walk over instead of water, hence busting absolutely nothing :)
Here the mythbusters try "running on water" instead of "walking on water", failing miserably too :)
The plexiglass trick (probably) used by Dynamo is explained quite well here:

From the videos above, it looks like the most reliable tricks to create an illusion of walking on water depend on having the ability to manipulate the environment: the platforms must be set up in advance and the magician must know where to walk.

The Jesus Christ Lizard is, however, able to run over water without setting up the environment in advance, hence beating all human magicians hands down :)

But if magicians really want to challenge the feat of walking on water by Jesus Christ 2000 years ago (awesome Bible verse comparison by wikipedia here), they should create an illusion of:
  1. Walking from the shore into a boat controlled by others without any coordination with the magician (no environment control!)
  2. Being able to do this in bad weather conditions (the Bible talks about wind, etc.)
  3. Having a random volunteer (without any idea about the trick) walk to you over water (Peter in the Bible)
  4. When the other guy (Peter) starts to sink because of "lack of faith", the magician must be able to lift him off the water and have him walk with them into the boat
If a magician can make 1-4 believable that'd be really awesome; that is some homework for you, youtube links welcome :)

2) Matrix lean
For this one I do not have a counter video to prove the trick, but there are a couple of hints on how he (possibly) made this work. High-ranked video first for background:
If you stop the video at minute 1:05 you may notice that the back of his right foot appears to be hooked to the ground: how can he lean all the way back on one leg without the tips of his right foot touching the floor? :)

A nice explanation of the hook technique is given in the following video. The illusionist is also required to set up the environment in advance to disguise the hook on the floor (disguising the hook on the red carpet at the beginning of the video above would have been harder; could a light guy like Dynamo get away without a hook?):

3) Benching 155kg

The trick here is how a small guy like Dynamo could bench 155kg; the original video is here:
Again, having full environment control, there are so many tricks that the following is not an exhaustive list:
  1. The plates could be fake, hence weighing near 0: the plates on the bar are different from those in the gym, so they are probably fake (you could also have fake plates that look like the ones in the gym, obviously :))
  2. Dynamo could be wearing a bench shirt underneath, hence getting approx. 100kg+ of help
  3. The spotter is just laughing at minute 3:00 :)
  4. There is no slight bend in the bar, as there should be at 155kg
  5. The lift is just not clean, with the spotter getting the bar off Dynamo's chest using a mixed grip (yes, not using all the fingers, but that guy can easily deadlift 100kg+ that way)
  6. If you stop the video at minutes 3:45-3:50 you can see Dynamo's right wrist bent at an angle while his left wrist is mostly straight: it is unlikely for such a small wrist to hold that kind of weight and not bend further (i.e. to parallel). Also, if you are performing a maximal lift, you are unlikely to perform at your best with one wrist straight while the other is bent; this is another minor indication of a lack of weight on the bar.

Did I miss something? I'm sure I did! Thoughts welcome :). I'll update the post with your suggestions if you have them :).