4 External USB Wifi Adapters for Kali Linux Pentesting

If you are like me, you have been working with Kali Linux, the Linux distribution for penetration testing and ethical hacking, and have been running it as a virtual machine on your 2015 Macbook Pro. And, you have been having issues with sniffing packets because your 2015 Macbook’s built-in wifi adapter is not going into true promiscuous mode — only a limited version that doesn’t give you everything you need. Sadly, other versions of the Macbook don’t seem to have this problem at all, so you may be finding yourself in need of an additional interface.

Or, perhaps you are not like me, and the chipset driving your PC’s Wifi adapter doesn’t let you do much at all, and you just want an external USB Wifi adapter that will make it easy to use tools such as Aircrack-ng for ethical hacking jobs.

Whatever the case, I’ve done some research and will present a few options that don’t break the bank and should provide you with a quick and easy way to do all the proper packet sniffing you deserve.

TP-Link N150

The first option on this list is the $13.45 TP-Link N150 dongle. A small USB device that sports a detachable antenna, it should get the job done if you prefer portability over power. This device uses the Atheros AR9271 chipset, which is known to work smoothly in Kali Linux (and probably most other distros).

USB Rt3070

The cheapest USB adapter, at a paltry $11.99, is the generic USB Rt3070, another dongle style device that is also the smallest you will find here. With similar specs as the TP-Link device, this one is even easier to conceal, and probably won’t raise any suspicions if you have it plugged into your laptop in a crowded place. While not the most powerful device by any means, if you are near the router you want to connect to, it shouldn’t be a problem.

Alfa AWUS051NH

Taking a big step up in everything, including features, power, and profile, we have the Alfa AWUS051NH. This one has been sitting on my Amazon wishlist for quite a while, and I think it’s about time I pick it up. It even has a holster with suction cups to stick to a window, and it will pick signals up from long range.

If you are needing to physically stay away from the target you are testing, while still being able to test it, try this sucker.

Alfa AWUS036NHA

Lastly, we have another Alfa device; both Alfa devices get really good reviews for Kali Linux in particular. At only $6 more than the AWUS051NH, the Alfa AWUS036NHA looks cooler and has a boost in power to let it pick up signals from even farther away. It also comes with the holster and suction cups for the windows of your vehicle, office, or home. According to its description, what sets it apart is the “High Transmitter Power of 28dBm – for Long-Rang and High Gain Wi-Fi.”
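Before buying any of these, it is worth confirming what the adapter you already have can do. For 802.11 capture with tools like Aircrack-ng, the capability that matters is monitor mode, which the driver advertises under "Supported interface modes" in the output of `iw list`. The following added example (my code, not from the original post) parses that output and reports which radios support monitor mode; the `iw list` sample is constructed and abridged, and the `live_check` helper assumes a Linux host with `iw` installed.

```python
import re
import subprocess
from typing import Dict, List

# Constructed, abridged sample of `iw list` output: two radios, only the
# first of which advertises monitor mode.
SAMPLE_IW_LIST = """\
Wiphy phy0
\tmax # scan SSIDs: 4
\tSupported interface modes:
\t\t * IBSS
\t\t * managed
\t\t * AP
\t\t * AP/VLAN
\t\t * monitor
\t\t * mesh point
\tBand 1:
\t\tCapabilities: 0x1ff
Wiphy phy1
\tmax # scan SSIDs: 1
\tSupported interface modes:
\t\t * managed
\tBand 1:
\t\tCapabilities: 0x00
"""


def parse_interface_modes(iw_output: str) -> Dict[str, List[str]]:
    """Map each wiphy name to the interface modes its driver advertises."""
    modes: Dict[str, List[str]] = {}
    current = None
    in_modes = False
    for line in iw_output.splitlines():
        m = re.match(r"Wiphy (\S+)", line)
        if m:
            current = m.group(1)
            modes[current] = []
            in_modes = False
            continue
        stripped = line.strip()
        if stripped == "Supported interface modes:":
            in_modes = True
            continue
        if in_modes:
            if stripped.startswith("* ") and current is not None:
                modes[current].append(stripped[2:])
            else:
                # The first non-bullet line ends the mode list for this wiphy.
                in_modes = False
    return modes


def monitor_capable(iw_output: str) -> Dict[str, bool]:
    """True for each wiphy whose driver lists monitor mode."""
    return {phy: "monitor" in m for phy, m in parse_interface_modes(iw_output).items()}


def live_check() -> Dict[str, bool]:
    """Run `iw list` on this host (assumes Linux with iw installed)."""
    out = subprocess.run(["iw", "list"], capture_output=True, text=True, check=True).stdout
    return monitor_capable(out)


if __name__ == "__main__":
    for phy, ok in monitor_capable(SAMPLE_IW_LIST).items():
        print(f"{phy}: monitor mode {'supported' if ok else 'NOT supported'}")
```

Run it inside the Kali VM with the USB adapter passed through; if the adapter's wiphy does not list monitor mode, no amount of configuration will get you a full capture from it.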


Are there others?

Have you tried any of these? What did you think? Know of any others that do a good job?

Tool Sharpening

As honest Abe Lincoln said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

For the last six months, I have been playing the part of Hey Blinkin, getting the tools in my toolbox sharpened, honed, configured, and ready as I am inches away from starting the PWK/OSCP course. As soon as some paperwork clears, I’ll be signing up, hopefully to start in mid-July. You may have seen me posting things I’ve learned so far here on my blog. I intend to keep it up, as finding other OSCP adventurer blogs, tips, and tools along my journey has been invaluable. I hope to pay it forward here.

That said, here are a few very sharp tools I’ve come to love (as recently as this evening):

iTerm 2 – http://iterm2.com/ – a better Terminal app for Mac. Highly configurable, integrative, and versatile. Not exactly a pentesting tool, but something anyone doing command line work on a Mac should check out.

Sn1per – https://github.com/1N3/Sn1per – a super-thorough and invasive reconnaissance tool. It is very noisy and not recommended for actual pentesting, but it is great for working on CTF and Vulnhub VMs.

OSINT Framework – http://osintframework.com/ – a hefty, well-organized set of free tools for gathering all kinds of information. Originally geared towards security, it includes a lot of other fields as well. Follow it on GitHub here.


Microsoft Windows has Free Virtual Machines

Wish I had known about these earlier. Microsoft offers free Windows virtual machines for VirtualBox, VMware, and others. You can choose from Windows 7, Windows 8, or Windows 10 (a few different flavors of each). They expire after 90 days, but if you snapshot them right after installing, you can reset the 90 days by rolling back to the snapshot.

Officially, these are for testing out the Edge browser, but you can also use them for whatever else 😉

Check them out here:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/


Metasploit Tidbits

I’ve been working through Metasploit Unleashed in preparation for the PWK course and the ensuing OSCP exam. Looks like I’ll be signing up for that in early July. While you can’t use Metasploit on the OSCP exam, they do teach it in the PWK course itself, and it’s a very powerful tool anyway, so learning it now seemed like a good idea.

I’ve been taking a lot of notes in OneNote as I progress on all things OSCP, but I thought I’d share some of the handier Metasploit tricks that I might find myself using from day to day. Additionally, writing all this out and thinking about it as I do so helps me commit it to memory, so this blog post isn’t an entirely selfless effort.


Find Hosts on Your Network

The arp_sweep auxiliary module comes in handy for finding hosts on your network. In the example below, you select the arp_sweep module, show its options, then set the RHOSTS variable to your network range.

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf auxiliary(arp_sweep) > run

Running the above will return some output that looks something like this:

[*] 192.168.0.163 appears to be up (UNKNOWN).
[*] 192.168.0.171 appears to be up (UNKNOWN).
[*] 192.168.0.163 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
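Notice that the output above lists 192.168.0.163 twice, so if you save these runs you will want to dedupe them. The following added example (my code, not from the original post or from Metasploit) parses arp_sweep console output into a sorted list of live hosts and compares it with an inventory of devices you know about, which is a quick way to spot something unexpected on your home network. The sample output is the run shown above, re-split into lines, and the inventory is constructed.

```python
import ipaddress
import re
from typing import List, Set

# Sample arp_sweep output (the run shown above, one line per message).
SAMPLE_ARP_SWEEP = """\
[*] 192.168.0.163 appears to be up (UNKNOWN).
[*] 192.168.0.171 appears to be up (UNKNOWN).
[*] 192.168.0.163 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# Only "appears to be up" lines carry a host; status lines are ignored.
UP_LINE = re.compile(r"^\[\*\] (\d{1,3}(?:\.\d{1,3}){3}) appears to be up")


def live_hosts(output: str) -> List[str]:
    """Unique live IPs from arp_sweep output, sorted numerically (not as strings)."""
    found: Set[str] = set()
    for line in output.splitlines():
        m = UP_LINE.match(line)
        if m:
            found.add(m.group(1))
    return sorted(found, key=ipaddress.ip_address)


def unknown_hosts(output: str, inventory: Set[str]) -> List[str]:
    """Live hosts that are not in your known-device inventory; worth a look."""
    return [ip for ip in live_hosts(output) if ip not in inventory]


if __name__ == "__main__":
    # Constructed inventory: the router and one known laptop.
    known = {"192.168.0.1", "192.168.0.163"}
    print("live:", live_hosts(SAMPLE_ARP_SWEEP))
    print("unknown:", unknown_hosts(SAMPLE_ARP_SWEEP, known))
```

Feed it a saved console log (`spool` in msfconsole writes one) and keep the inventory in a file; anything that shows up as unknown is either a new device of yours or something to investigate.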

If you want to be sneaky when you do this (and why would you need to be sneaky on your home network? 😉 ) you can spoof the source host (you) and the source MAC address so that it doesn’t look like you have been scanning anything. Typically, you might set this to appear to be coming from your router.

msf> set SHOST 192.168.0.1
msf> set SMAC (some random MAC addy, or that of your router)

Scan a Host

Metasploit lets you scan hosts that you discover.

msf> use auxiliary/scanner/portscan/tcp
msf> show options
msf> set RHOSTS 192.168.0.178
msf> run

You can also set THREADS (for example, 10) and CONCURRENCY (for example, 20) to speed things up without getting too crazy.

You can even use nmap from within Metasploit, and store the results in the database, or import normal nmap results (saved as xml) into the Metasploit database. The advantage of doing this is that you can save your work and results in workspaces in Metasploit. Workspaces let you create projects and keep things organized, which is useful when working on many targets, or with a team.

I will provide some examples of this soon. Stay tuned. For now, here’s what looks like a great reference for this.
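The nmap XML that `db_import` reads is easy to work with on its own, which is useful when you want to compare two scans of the same host over time, the same thing workspaces let you do inside Metasploit. The following added example (my code, not from the original post, nmap, or Metasploit) pulls the open ports of each live host out of an nmap XML file and reports ports that were not open in an earlier scan, which is how you notice a newly exposed service on a box you administer. Both XML documents are constructed, and the MAC address in them is made up.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PortInfo = Tuple[int, str, str]  # (port, protocol, service name)

# Constructed nmap XML: one live host with two open ports, one host down.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.0.178" version="7.40">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.178" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.179" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed "later" scan: same host, but 443 has since been opened.
SAMPLE_NMAP_XML_LATER = SAMPLE_NMAP_XML.replace('state="closed"', 'state="open"')


def parse_nmap_xml(xml_text: str) -> Dict[str, List[PortInfo]]:
    """Return {ip: sorted open ports} for every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    results: Dict[str, List[PortInfo]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports: List[PortInfo] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            open_ports.append((int(port.get("portid")), port.get("protocol", ""), name))
        results[addr.get("addr")] = sorted(open_ports)
    return results


def new_open_ports(old: Dict[str, List[PortInfo]],
                   new: Dict[str, List[PortInfo]]) -> Dict[str, List[PortInfo]]:
    """Ports open in the new scan that were not open in the old one, per host."""
    delta: Dict[str, List[PortInfo]] = {}
    for ip, ports in new.items():
        added = [p for p in ports if p not in old.get(ip, [])]
        if added:
            delta[ip] = added
    return delta


if __name__ == "__main__":
    before = parse_nmap_xml(SAMPLE_NMAP_XML)
    after = parse_nmap_xml(SAMPLE_NMAP_XML_LATER)
    print("open now:", after)
    print("newly open:", new_open_ports(before, after))
```

Pass real files with `ET.parse(path).getroot()` in place of `ET.fromstring`; the rest is unchanged.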

Speaking at Drupal Camp Asheville

I will be doing a talk on Drupal and Security at this year’s Drupal Camp Asheville. I will cover some security best practices for Drupal developers, how to avoid certain Drupal-specific security gotchas, some lessons learned in keeping Drupal sites secure, and some handy tidbits you can use to prevent the bad people from ruining things.

The times for the various speaker sessions haven’t been announced yet, but stay tuned. I hope to see you all there!

#dcavl

NordVPN’s Bait and Switch

The old bait and switch: promise you one thing and sell you another. That’s what happened when I signed up for a year of VPN service through NordVPN. Their website said:

“Easiest VPN Ever. To get on NordVPN, just click and go. NordVPN’s secure VPN software takes care of all the hard stuff so you can focus on fun stuff. And work stuff, if you have to.”

Their imagery showed multiple devices running their software, including phones and laptops.

I had read about their service and took the plunge. After I had paid, I found out they do not have an app for Mac OS X or Android. Those apps are supposedly coming soon, but not yet. For now, you have to download a third-party app for each device, download a bunch of configuration files, install said configuration files, configure a bunch of things, remember your username and password for each configuration file, and then figure out what is going on and whether or not you are actually connected.

To be fair, they do have instructions on how to do all of this, but it is far from “Easiest VPN Ever.” Every other VPN app I have used is a simple app you download and click a button to get going with.

I chatted with NordVPN’s technical support guy, “Dave,” who informed me of their refund policy, which states that unless their product did not work through a fault of their own, I could not get a refund. All he could do was extend my subscription by 3 months.

(01:30:40) David: if the service does not work we will issue a refund.
(01:31:17) Visitor 34392357: that is my point – it doesn’t work as you advertise it. it only works through a lengthy process of installing other software.

I would argue that their product does not work as advertised and I am entitled to a refund. In fact, it’s not even their product I am using — I am using something called “Tunnelblick” on my Mac, and an app called OpenVPN on my Android phone to connect to the NordVPN servers.

In summary, the bait was the promise of an easy-to-use VPN app. The switch was not even having an app for me to use. And whichever VPN you choose, be sure to run a speed test so you can see whether your VPN is slowing down your internet connection.

Are You Putting Your WordPress Site at Risk?

WordPress as a platform has been a solid, secure application over the years. The few times a vulnerability has been found, the WP team has been super-fast to patch it, publicize it, and take care of business.

That said, there are two major areas where WordPress lacks in security:

1. Plugins

2. Administrators

There are so many plugins for WordPress, which is part of what makes it so great. However, those plugins can also present attack vectors, and we see evidence of this almost every day.

It was just revealed that most WP users have very little understanding of the risk they are exposing their own websites to. Not updating plugins, not updating WP itself, and not doing backups are the most easily fixed things that people tend not to do.

This puts WP websites at risk, lets them get hacked, and gives WordPress as a whole a bad rap.

The survey of 503 WordPress users, which took place online during February this year, revealed that WordPress users are more exposed to security problems than expected. In total, 54 percent of respondents said they updated WordPress between once a week and every few weeks, and yet only 24 percent back their websites up — and only 23 percent have received training in the use of tools such as backup plugins.

(ZDNet)

On that note, I thought I’d mention that the most popular SEO plugin for WordPress, Yoast’s WP SEO, has a new, major vulnerability in it. GO UPDATE!
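Checking whether core and plugins are behind is something you can script rather than rely on remembering. The following added example (my code, not from the original post or from WordPress) reads the standard plugin header block and `wp-includes/version.php`, compares each version numerically against a table of latest versions, and lists what is out of date. The plugin sources, version numbers, and the "latest" table are all constructed; in practice the latest versions come from the WordPress.org plugin API, and the slugs are assumed to match the plugin directory names as they normally do.

```python
import re
from typing import Dict, List, Tuple

# Constructed plugin main files, in the standard WordPress header format.
SAMPLE_PLUGINS: Dict[str, str] = {
    "wordpress-seo/wp-seo.php": """<?php
/*
Plugin Name: Yoast SEO
Version: 1.7.3
*/
""",
    "akismet/akismet.php": """<?php
/*
Plugin Name: Akismet
Version: 3.1.1
*/
""",
}

# Constructed wp-includes/version.php contents.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.1.1';\n"

# Constructed "latest known" table keyed by slug; 'wordpress' is core.
LATEST: Dict[str, str] = {"wordpress-seo": "1.7.4", "akismet": "3.1.1", "wordpress": "4.1.2"}


def version_key(v: str) -> Tuple[int, ...]:
    """'4.1.10' -> (4, 1, 10), so 4.1.10 sorts after 4.1.9 (string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def plugin_version(source: str) -> str:
    """Version from the 'Version:' line of a plugin header; '' if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", source, re.MULTILINE)
    return m.group(1) if m else ""


def core_version(version_php: str) -> str:
    """Core version from the $wp_version assignment in version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return m.group(1) if m else ""


def outdated(plugins: Dict[str, str], version_php: str,
             latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(slug, installed, latest) for every component that is behind.

    A plugin with no parseable version yields () from version_key and is
    therefore reported as behind, which is the safe default.
    """
    behind: List[Tuple[str, str, str]] = []
    for path, src in plugins.items():
        slug = path.split("/")[0]
        installed = plugin_version(src)
        if slug in latest and version_key(installed) < version_key(latest[slug]):
            behind.append((slug, installed, latest[slug]))
    core = core_version(version_php)
    if version_key(core) < version_key(latest["wordpress"]):
        behind.append(("wordpress", core, latest["wordpress"]))
    return sorted(behind)


if __name__ == "__main__":
    for slug, installed, newest in outdated(SAMPLE_PLUGINS, SAMPLE_VERSION_PHP, LATEST):
        print(f"{slug}: installed {installed}, latest {newest}")
```

On a real site, build the `plugins` dict by reading the main `.php` file of each directory under `wp-content/plugins`, and run this from cron alongside your backup job so the two things people skip get done together.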

Charter Communications Nightmare

Big fat meanie heads.

I’m not sure anyone will want to read this entire post, but I wanted to share it and document it in case anyone else finds themselves in the same boat.

Charter Communications is a bad, bad company. Charter Communications has terrible customer service. Here is my story.

We bought and moved into a new house in July. We called to have Charter set up a couple of days before we moved in, and their Residential department said they did not service our address because the line was over 1000 feet away. However, there was a Charter box at the end of our driveway, roughly 35 feet from the house, and the people who sold us the house guaranteed that Charter was available. Our new neighbors have Charter Business being served from that box, so Charter was clearly available.

I called Charter Business, and they said they could definitely service us from that box. It’d be a little more money each month, but we knew we needed it, so we jumped in. We were assigned a friendly Business representative who was very helpful in getting us all set up. At this time, we were told we could cancel and get a refund within 30 days.

A couple of weeks into the Business service, I called Residential back, just to see if they could switch us over since we were unhappy with our Business account, and since we clearly had Charter access at our house now. With Business, we were paying more for fewer features, such as a poorer channel lineup, no music channels, and no On Demand. They said they could definitely help us, however, we’d need to have Business cancelled separately since they were “two separate things” in Charter. They said that there was nothing they could do to make a seamless switch, and that they’d have to treat this as a new service being set up.

They sent a Charter Residential technician to come out and set up our new Residential service. He said he had to replace all of our HD boxes and our modem with new ones since this was considered a new setup. I thought that was silly, but he swapped out all the hardware, got us set up, took the old hardware with him, and went on his way.

The next day, I called Business, as instructed by Residential, and asked them to cancel our service. They obliged. Unfortunately, they also sent a guy out who promptly disconnected our service altogether. Apparently, he didn’t know we had switched over to Residential service.

We had to call and schedule an appointment for reconnection. You know how appointments go: they give you a 4 hour window for which you must come home from work early, only for them to arrive late. It turned out we didn’t even need to be there for the reconnection to occur, but they didn’t tell us that ahead of time. A pain, but they got us reconnected. We went about our lives, thinking this was all over.

Then we got the bill from Charter Business in the mail. They wanted us to pay for the first month of service and three missing HD boxes: the boxes that the Residential technician took with him when he switched over. The bill was about $650.

Here we were with none of the hardware they said we had, thinking we’d actually be getting a refund since we cancelled within 30 days. Instead we got a $650 bill!

I promptly called the Business billing folks to clear up the situation. They filed a lost equipment report of some kind regarding the HD boxes and said they’d let me know the results the next day. Then, they told me that because this was not a “change of service” or a “switch,” we didn’t qualify for the 30 day refund. I told them that when I called to switch from Business to Residential, I was told I couldn’t do a switch, that it had to be two separate transactions. The customer service rep said it didn’t matter. I got off the phone, exasperated.

The next day, they didn’t call me about the missing equipment report as promised. I called them back to find out the status, but there was no record of it on my account, apparently. So they filed another one.

I also asked about the refund again. This time, I got a whole different story. Wait until you hear this. The Billing customer service lady told me that because I didn’t mention the 30 day refund when I cancelled service, I didn’t qualify for it. I asked her how I was supposed to know I had to mention it, and she said I should have known based on commercials or advertisements. That seemed absolutely insane to me. After asking to talk to a manager, which she wouldn’t let me do, she told me I’d need to talk to my original Business sales rep about it since he was the only one who could reverse the charges or do anything about it.

So, I emailed him back and explained the situation. He said that he couldn’t do a thing, and that I’d have to call Billing. I told him that they sent me to him, but he never emailed me back.

At this point, I filed a complaint with the FCC.

Then, I started getting calls from a strange number at all hours of the day. I finally answered and it was an “equipment recovery” company (aka collections agency) attempting to find the missing HD boxes. They were persistent, even though I told them what happened. Finally, they made a note of it on my account and let me go. I still got a letter from them saying the same thing: that my HD boxes needed to be turned in or I’d owe $125 each.

Charter CEO Thomas Rutledge makes over $2 million a year. I don’t.

I haven’t heard from Charter since the FCC complaint, but I did hear from the collections company again. This time it was about the cable modem from the business account. I told them that the Charter technician took it with him. The guy said he’d make a note of it.

So that is where I am after almost 2 months of this rigmarole. I have yet to see a credit to my account from Charter Business. It would be about $239, which I really don’t think I need to pay since I cancelled within the 30 day trial period. They have since sent me another bill asking me to pay up.

I’ll update this post as I learn more. Maybe Thomas Rutledge, the Charter CEO, will see this and realize how screwed up his company is. One can hope, anyway.

Update 9/28/14: Here are the terms of the Charter Business 30 Day Guarantee. I certainly don’t see anything in there that suggests I don’t qualify for it.

Update January, 2015: I received a phone call from a Charter Business representative not long after this blog post came out. He assured me that he would have an account specialist look into the situation and that I’d soon hear back from him on the status. I never heard anything. I also never got another bill from Charter Business!

Snagit Charges for “Upgrade”

[Photo: lipstick on a pig] Look! This pig has lipstick.

I am completely fine with paying for software that I really like and that serves a purpose for me. However, if you are a software company that is going to use the ‘paid upgrade’ model of charging customers to upgrade to the next major version of your product, make sure the next major version contains new features worth paying for.

In the case of TechSmith’s Snagit, they have failed to provide anything of real value in their latest release (version 3.0 for Mac, or 12.0 for Windows), yet they are asking for $24.95 to upgrade to the latest version.

I paid for version 2 of Snagit for my Mac (that’s version 11 for you Windows users), and I really enjoyed using it. It became a tool in my arsenal that I relied heavily upon for doing quick screen shots and adding text, notes, arrows, and more.

Then one day a couple of weeks ago the updater ran and I was suddenly looking at a trial version of Snagit 3.0. And it said it was going to expire unless I paid the discounted upgrade fee of $24.95.

Aggravated, I hoped to have my mood changed and be wowed by version 3.0. So I tested it out for a few days. I quickly found that it had a nicer look and feel about it, but other than that, there were no noticeable enhancements or actual upgrades to the product. It was the same product with about one new feature related to the video clipping tool, something I couldn’t care less about. And that new feature was only a new arrow selector of some sort. Not impressed.

Jason Eagleston, the “Snagit Product Owner” at TechSmith even admits in their self-congratulatory release video that “with this release we had a focus on updating the way Snagit looks and feels, partially to bring that consistency across all the Techsmith things that you are going to interact with, but ultimately it’s only focused on getting your content to be the most prominent thing on the screen.”

Hmm…I only interact with one Techsmith product, so why should this be a feature worth paying for? And how is it not the most prominent thing on my screen if I’m currently using it in the first place?

A couple more employees in the video go on to talk about how much nicer the product will be to use, and that they really wanted people to feel like they were using something current and not outdated. So it really isn’t about an upgrade, it’s about a change of clothes.

The whole video is about them admitting that their product didn’t look that great, so they spent a lot of effort making it look better (or “flatter,” as they say in the video, which is supposed to be something we should like), and now they want their customers to pay for that. No real tool enhancements or additions, just a subjective improvement to the design. For $24.95? No thanks.

For those of you looking for a free alternative to Snagit, check out Skitch. With or without Evernote, it’s a nice tool that does just about everything Snagit does for screen capturing.

Photo by Darin Barry
