Archive for July, 2009

June SuperMondays Review

This review of June’s event is more than a little late, but it was still a great event. The format was different this time around, with an open podium. This produced some interesting and unexpected topics, the first being an introduction to the world of geocaching from Alastair McDonald.

Alastair’s talk caught me unawares, as I was expecting a technical overview of maintaining geographically dispersed content and services for load-balancing and DR. Instead I was introduced to a world of following GPS co-ordinates to find hidden caches of goodies in the real world. Whilst the concept of geocaching was new to me, once aware of its presence it appears to be a very popular hobby; Twitter seems to be full of people all over the globe discussing the success or failure of searching for various caches. I’m failing to fully do justice to Alastair’s presentation and geocaching as a whole, so I’d advise watching the footage yourself (along with the rest of the talks).

Second up was the Ecommerce Experiment. The team are setting up an ecommerce site in an unfamiliar market over the next three years, and are blogging and tweeting all their experiences, positive and negative, throughout the entire process. Their presentation was interesting enough, but I’ve been following their posts since and the material is always interesting, showing a side of online commerce normally kept behind closed doors.

Third was Mike Parker with a demo of Drupal, with the goal of ‘work less, surf more’. Web site creation isn’t exactly my forte (check www.infosanity.co.uk if you don’t believe me), but Drupal seems to be a very powerful framework, with plenty of real-world application.

Finally Ryan (@ethicalhack3r) discussed the latest release of DVWA. I won’t go into too much detail, as I’ve already reviewed DVWA previously. If you’re interested in this area of research, check the archive footage of Ryan’s talk.

Whilst the presentations were all good, as usual the real value of SuperMondays is the networking opportunity and the discussions before and after. Which begs the question: if you’ve not been to the event, why not? The next meeting is July 27th, and the topic is still up for debate, so get involved.

Andrew Waite

Categories: SuperMondays

Starting out with physical security

Several months ago I was involved in a discussion focusing on the steps taken to secure information systems, and came to the realisation that all the countermeasures and protections were network and system based. As a joke I asked what the point was if someone could pick the building’s locks and walk out with the hard drives. Surprisingly to me, everyone stopped talking and looked slightly concerned. Since then I’ve been toying with the same question: “What is the point of firewalls, IDS, patches etc. if the data isn’t physically protected?”

After doing some research I decided to put the theory to the test and find out how effective common physical security actually is. My first set of tools and training material arrived today: a set of 20 lockpicks and tension tools, a beginner’s instruction guide and a see-through practice lock from Southord. The delivery impressed me for speed: at point of purchase Southord stated a three to five week delivery time to Europe, whereas in practice delivery took less than a week; thank you Southord (and Dale Pearson for recommending the set).

Whilst waiting I have been researching the topic quite heavily and have found the forums at lockpicking 101 to be invaluable, and I need to say thank you to those who have freely contributed information. Hopefully I’ll be able to contribute back to the community once I gain some ability and knowledge.

It’s going to take a lot of practice and persistence before I’m anywhere close to proficient, but ask yourself the same question: Why spend thousands on information security if the physical protection isn’t up to the job?

Andrew Waite

Damn Vulnerable Web App, version 1.0.4

2009/07/10

Ryan Dewhurst of ethicalhack3r.co.uk has created and been maintaining Damn Vulnerable Web App (DVWA). The goal of the project is to aid learning and teaching of the art of web application security.

Ryan provided an overview and demo of the suite at a recent SuperMondays open podium event, you can find an archive of the presentation here.

I’ve been looking at DVWA (the current version is 1.0.4) and it is showing promise, especially as web application security is one of my weaker skill sets, having limited experience in this field. DVWA currently focuses on six different attack vectors:

  • Brute-force
  • Command Execution
  • File Inclusion
  • SQL Injection
  • File Upload
  • Cross Site Scripting (XSS)

Each section provides help with exploiting the target vulnerability, as well as access to the source code for white-box review, to aid full understanding of how the vulnerability exists and how it can be protected against. Each example attack vector also has the option of setting different levels of implemented security, providing increasingly advanced attack vectors.
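As an added illustration of the “levels of implemented security” idea (example code written for this review, not DVWA’s own PHP/MySQL code; it uses Python’s sqlite3 against a constructed users table, and the three level names are my own), here is the same user lookup written three ways: string concatenation that any quoted payload breaks out of, quote-escaping that is useless when the value is used as an unquoted number, and a parameterised query that treats the input purely as data:

```python
import sqlite3


def build_db():
    """In-memory database with constructed sample rows (not DVWA's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def lookup_low(conn, user_id):
    """'Low': untrusted input is concatenated straight into the SQL string."""
    sql = "SELECT first_name, last_name FROM users WHERE id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_medium(conn, user_id):
    """'Medium': single quotes are escaped, but the value is used as an unquoted
    number, so a payload that needs no quotes (e.g. 2 OR 1=1) is untouched."""
    escaped = str(user_id).replace("'", "''")
    sql = "SELECT first_name, last_name FROM users WHERE id = %s" % escaped
    return conn.execute(sql).fetchall()


def lookup_high(conn, user_id):
    """'High': parameterised query; the driver never splices the value into SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def compare_levels(payload):
    """Rows returned by each level for one payload; anything above 1 is a leak."""
    conn = build_db()
    results = {}
    for name, lookup in (("low", lookup_low), ("medium", lookup_medium), ("high", lookup_high)):
        try:
            results[name] = len(lookup(conn, payload))
        except sqlite3.Error:
            results[name] = "error"  # query rejected by the parser rather than exploited
    return results


if __name__ == "__main__":
    for payload in ("1", "' OR '1'='1", "2 OR 1=1"):
        print(repr(payload), compare_levels(payload))
```

The classic quoted payload dumps every row at the low level and is merely turned into a syntax error at medium, while the unquoted numeric payload sails through medium because escaping quotes does nothing for it; only the parameterised version returns at most one row for every input.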

DVWA provides a solid basis for investigating and studying web application security issues, as well as a multitude of great links for further reading. For those of you with skill, or those that learn quickly, there are currently vulnerabilities even in the high-security versions of the code, but I’ll leave finding these as an exercise for the reader.

Nice work Ryan, keep it up.

Andrew Waite

Categories: Exploit, Lab, Web App Security

Good night Milw0rm

Final Update: Crisis averted, Milw0rm is still up and functioning.

Looks like Milw0rm is calling it a night. I haven’t been able to get any official word as the site is unavailable, which also makes it hard to tell what happened, but an ISC diary has this message from the site:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t :( . For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

Always a shame when a big player in the infosec community closes its doors. My thanks to all those who contributed and ran the site when it was a going concern; and if anyone has a recent mirror, I’d appreciate a copy, mine’s a little dated :’(

Andrew Waite

Update:
Looks like the fat lady may not be singing for Milw0rm just yet; Str0ke posted this on Twitter:

I have talked with a few friends and I’ll be handing the site over so a group of people can add exploits / other things to the site. Hopefully it will be a new good start

Plus Dale Pearson of Security Active pointed me in the direction of splo.it, which is currently posting nothing but a farewell to Milw0rm. Given the (rather cool) URL it may become Milw0rm’s spiritual successor.

Update 2:
This keeps on going: Milw0rm came back and then died under the load of people trying to grab an up-to-date archive (ISC Diary). Until/if Milw0rm comes back for good you can get a copy of the July archive via Security Database Tools Watch.

Categories: Exploit, InfoSec, Reading, Tool-Kit

kismet2gmapstatic: Updated versions

I’ve spent the day adding some additional functionality to my GPS mapping proof of concept (original here).

The second release, kismet2gmapstatic-0_2.py, changes the script’s output to wrap the Google Maps API call in a self-contained HTML page, and uses multiple map images to mitigate the URL length limit.

The third release, kismet2gmapstatic-0_3.py, builds on the HTML framework and includes additional information on each mapped access point: SSID, channel and available encryption options. This will likely be the final release of kismet2gmapstatic in this form; the code has grown organically without any real planning and as a result is a hideous mess, but as a PoC I feel it has served its purpose. I still have several ideas and additional functionality that I would like to implement, so watch this space for similar tools in the future.

Andrew Waite

Categories: GPS, Python, Tool-Kit, Wireless

BU-353 GPS Receiver

Recently added to my wireless toolkit is a USB GPS receiver. After a fair amount of research and some advice from more experienced guys I ended up with the Globalsat BU-353 device below:

(If you can’t make it out, that is a British 10p for size comparison)

Unsurprisingly given some of my previous posts, the initial use of the GPS device is to increase the power and data-gathering ability of my war-driving rig for wireless security assessments. Therefore I was a little disappointed when I struggled to get the device working out of the box with gpsd, which is pretty much the de facto standard in GPS software.

After much hair-pulling, command-typing and Google-searching I found a series of articles and forum posts stating that the BU-353 works fine with gpsd-2.37 (sorry, can’t find the links, but thanks to all those who put the information out there). A quick download and compile later and everything was good.

I don’t have prior experience with GPS devices for comparison, but I’ve got no regrets with the purchase. The accuracy seems very impressive, and the data logging ability when coupled with wireless sensors is equally so.

I’m still looking into the best ways to capitalise on the functionality and data from the GPS unit. My first attempt at harnessing the data set was released yesterday, a PoC release of kismet2gmapstatic. Potential ideas in the pipeline include improving on kismet2gmapstatic to produce interactive JavaScript maps, again with the Google Maps API, or going the whole hog and outputting *.kml files for importing into Google Earth. Alternatively I’m considering reading the GPS data directly on a walking site survey, focusing on a single ESSID to map the strength and coverage of a particular wireless network. Either way, hopefully there’ll be more to come in the future.

Andrew Waite

Categories: GPS, Tool-Kit, Wireless

kismet2gmapstatic (PoC)

I’m still following my recent interest in wireless networks and devices. In the past month I gained a USB GPS receiver (which I forgot to write about; there may be a short review shortly). After adding GPS capability to my wardrive setup I proceeded to scan the local area, then hit a brick wall. There appears (could be my google-fu failing me) to be a lack of available tools to meaningfully use the captured data.

After a lot of digging I stumbled upon this script, designed to parse the output from Kismet and generate a .kml file to import into Google Earth. Unfortunately I’ve been unable to get this to work, as Google Earth complains when opening the file. Could be a version issue so your mileage may vary; if anyone does get it working please let me know.

The PerryGeo code did however provide an excellent foundation for utilising the Kismet log file and generating different output. To this end I have released a basic proof-of-concept script that generates a static map via the Google Maps API. If you want to do anything similar, or want to extend or modify my image code, I found the Google documentation to be invaluable.

To the tool itself, starting with a disclaimer:

This tool should not be used for illegal or malicious purposes. It was created to visualise network locations and implemented encryption technologies, in an effort to enhance previous analysis of wireless network statistics.

For each discovered access point, the script places a marker on the map, colour-coded to the level of encryption: open access points are green, WEP-encrypted access points are yellow, whilst WPA-encrypted APs are red.

The Google Maps API appears to have a limit on the length of URL that it is able to support; as a result the script limits the plotted APs to the first 50 in a given Kismet XML log file. This should be sufficient for site surveys, but is less useful for mapping the results of a wardrive trip. I haven’t managed to locate any firm documentation on this limit, so if anyone is able to shed any light or knows a workaround I’d appreciate a heads up.
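The two mechanisms described in this post and in the kismet2gmapstatic 0.2 update earlier on the page, colour-coding each AP marker by encryption and splitting the markers across several map images rather than truncating at the first 50, as an added example written for this page rather than the kismet2gmapstatic code itself. The simplified XML layout and element names, the static-map URL format (modelled on the Static Maps API markers parameter) and the 2048-character default limit are all assumptions for the demo; real Kismet netxml and the 2009-era API differ, so adjust the parser and the limit to what you actually have:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample data in a simplified Kismet-like layout (an assumption for
# the demo, not Kismet's real netxml schema). Co-ordinates are made up.
SAMPLE_XML = """<detection-run>
  <wireless-network>
    <SSID><essid>CoffeeShop</essid><encryption>None</encryption></SSID>
    <gps-info><avg-lat>54.9141</avg-lat><avg-lon>-1.5896</avg-lon></gps-info>
  </wireless-network>
  <wireless-network>
    <SSID><essid>HomeNet</essid><encryption>WEP</encryption></SSID>
    <gps-info><avg-lat>54.9150</avg-lat><avg-lon>-1.5880</avg-lon></gps-info>
  </wireless-network>
  <wireless-network>
    <SSID><essid>Office</essid><encryption>WPA+TKIP</encryption></SSID>
    <gps-info><avg-lat>54.9160</avg-lat><avg-lon>-1.5870</avg-lon></gps-info>
  </wireless-network>
</detection-run>"""

# Assumed endpoint and parameter layout; check the current Static Maps docs.
STATIC_MAP = "https://maps.googleapis.com/maps/api/staticmap"


def parse_networks(xml_text):
    """Return (essid, encryption, lat, lon) for every network that has a GPS fix."""
    nets = []
    for wn in ET.fromstring(xml_text).iter("wireless-network"):
        ssid, gps = wn.find("SSID"), wn.find("gps-info")
        if ssid is None or gps is None:
            continue  # no fix recorded for this AP, nothing to plot
        nets.append((
            ssid.findtext("essid", default="<hidden>"),
            ssid.findtext("encryption", default="None"),
            float(gps.findtext("avg-lat")),
            float(gps.findtext("avg-lon")),
        ))
    return nets


def marker_colour(encryption):
    """Same scheme as the post: open is green, WEP yellow, WPA red."""
    enc = encryption.upper()
    if enc.startswith("WPA"):
        return "red"
    if "WEP" in enc:
        return "yellow"
    return "green"


def render_url(markers, size="512x512"):
    """One static-map URL; markers is a list of (colour, lat, lon), grouped by colour."""
    params = [("size", size)]
    for colour in ("green", "yellow", "red"):
        pts = [f"{lat:.5f},{lon:.5f}" for c, lat, lon in markers if c == colour]
        if pts:
            params.append(("markers", "color:%s|%s" % (colour, "|".join(pts))))
    return STATIC_MAP + "?" + urlencode(params)


def build_urls(nets, max_len=2048):
    """Emit as many map URLs as needed so that every URL stays under max_len.

    Instead of dropping everything after the first 50 APs, start a new image
    whenever adding the next marker would push the URL over the limit.
    """
    urls, batch = [], []
    for _essid, enc, lat, lon in nets:
        marker = (marker_colour(enc), lat, lon)
        if batch and len(render_url(batch + [marker])) > max_len:
            urls.append(render_url(batch))
            batch = []
        batch.append(marker)
    if batch:
        urls.append(render_url(batch))
    return urls


if __name__ == "__main__":
    for url in build_urls(parse_networks(SAMPLE_XML)):
        print(url)
```

Wrapping the list of URLs in `<img>` tags gives the self-contained HTML page of the 0.2 release; a single marker whose URL alone exceeds the limit is still emitted on its own, since it cannot be split further.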

Below is an example of the tool’s output (actually, it just outputs the URL, which in turn requests that Google create the image). The image is created from a subset of data collected during a drive around the Angel of the North.


This is still very early days for the tool (I started coding 24 hours ago), so any feedback, issues or feature requests would be appreciated. Download available here: kismet2gmapstatic-0_1b.py

Andrew Waite

Categories: GPS, Python, Tool-Kit, Wireless