The Cover of Night: Projects and Research

Note to self, interesting stuff

August 24th, 2010 by apridgen

Just some links I accumulated for class to share with the students. Not complete, but it's good enough.

[Web Sites]
https://blog.mandiant.com/ — Mandiant
http://www.cyberwart.com/blog/ — Matt Wollenweber
http://www.gnucitizen.org/categories/blog/ — Don't know this guy, but interesting stuff no less
http://www.openrce.org/articles/ — OpenRCE (Reversing)
http://blog.rapid7.com/ — Rapid7
http://dontstuffbeansupyournose.com/ — S7ephen and Lawler
http://carnal0wnage.attackresearch.com/ — attackresearch.com
http://www.offensivecomputing.net/ — Malware, Malware, Malware, and very good posts supporting analysis
http://ha.ckers.org/ — RSnake, CEO of SecTheory (Web Security)
http://jeremiahgrossman.blogspot.com/ — Jeremiah Grossman, CEO of White Hat (Web Security)
http://blog.zynamics.com/ — Zynamics, Reverse Engineering and Malware Profiling
http://intrepidusgroup.com/insight/ — Intrepidus, Mobile Security
http://threatpost.com/en_us/blog-list — Collection of Security News and Posts
http://phed.org/ — Mike Eddington, Creator of Peach Fuzz
http://dvlabs.tippingpoint.com/blog/ — Tipping Point DVL and ZDI, good reversing posts
http://codypierce.com/ — Previously at TP
http://www.avertlabs.com/research/blog/ — McAfee
https://mattoh.wordpress.com/ — Matt Oh Creator of Darun Grim
http://trailofbits.com/ — Dino Dai Zovi, Mac Hacker
http://www.phreedom.org/ — Alex Sotirov, One of the Guys who helped break SSL
http://strydehax.blogspot.com/ — Stryde Hax, Good demonstration of security skills to benefit society
http://www.honeynet.org/ — Honeynet Research Alliance
http://www.praetorian.com/blog/ — Praetorian
http://sunbeltblog.blogspot.com/ — SunBelt Software
http://fishbowl.pastiche.org/ — Charlie Miller, the guy who hacked the iPhone, a few times
http://schmoil.blogspot.com/ — Another Guy who has helped beat down SSL CA’s
http://contagiodump.blogspot.com/ — Mila, Cool place to get custom, under the radar malware
http://research.pandasecurity.com/ — Another cool place to see malware torn apart
http://www.inreverse.net/ — Yet a better place to see the malware torn apart

[Mailinglist]
DailyDave Mailing List — Dave Aitel’s Daily Dave (Sometimes interesting things get debated here, sometimes interesting ppl get insulted…fun to watch.)

[Twitter]
Twitter is also a good place to see what's going on.

Posted in Uncategorized having no comments »



Note to myself, setting up Ether

August 24th, 2010 by apridgen

Sorry, I have not posted in a while; I've been busy. For those of you who don't know, I went back to school. In the past few months, I have been actively entertained by work, writing code, writing a presentation, and publishing said results. Then I rolled off work into school, and now I am a TA. Funny how life works. I have decided to start looking at hypervisors, because that's what everyone does when they are bored, right?!?

Yeah, well, I do. I decided to install Ether so here are some quick notes to myself.

Getting ramped up with Ether.

Step 1) Install Debian Lenny.
Step 2) Update /etc/apt/sources
Step 3) Add self to sudoers, then: sudo apt-get install gcc g++ make vim emacs linux-headers-2.6-amd64-all screen openssh-server linux-image-2.6.26-2-xen-amd64 wget gcc-4.1
Step 4) wget http://www.offensivecomputing.net/ether/ether-0.1.deb # thank you Offensive Computing guys, huge life saver
Step 5) dpkg -i ether-0.1.deb
Step 6) Enter the BIOS, turn on VT # blast you joanna and your pills
Step 7) Reboot, make sure GRUB's menu.lst set itself up right
Step 8) Installing Nvidia drivers for Xen: export IGNORE_XEN_PRESENCE=1 # now run the install package, http://www.nvnews.net/vbulletin/showthread.php?p=1710997
Step 9) Be proud; thou could be nursing an ulcer due to 2 weeks of work stacked with a lightning-strike-induced service failure.
Step 10) Start working on the real work.

Posted in Research having no comments »



HAHA Meeting Preso: My Rapid Toolsmithing Process

April 15th, 2010 by apridgen

Last night was the third meeting of HAHA!, and it went very well. There were several presentations and good times were had by all. I spoke about my prototyping process when it comes to writing tools and developing software. I basically discussed the start-to-finish process I go through when I want to write a tool, and then how I integrate previous work and code into my development so that I can save time and focus on my tasks. I used a case study of some multi-threaded software that I had been working on for the past 2.5 weeks.

Additionally, I found a bug in the business logic of the “free wireless” registration process. Basically, a user can register with spoofed email and info, and the application will give the user 10 minutes to complete registration by going to their email and confirming the account. Well, there is an option that resends the email, and consequently resets the timer, giving the user 10 more minutes to check their email. This means the application does not track the number of resends, nor does it prevent an infinite number of resends. Thus, with ten lines of Python, the user won’t ever have to register while they are using the “free wireless” (-:
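The resend flaw described above, modelled as an added example (this is not the captive portal's code and not from the post): a minimal vulnerable registration object beside a hardened one that keeps the original 10-minute deadline and counts resends. The 10-minute window comes from the post; the MAX_RESENDS value, the class shapes and the simulation harness are assumptions made for the illustration.

```python
# Added example modelling the "free wireless" resend flaw described above.
# Not the captive portal's code: the 10-minute window is from the post; the
# resend cap and the class shapes are assumptions made for this illustration.

WINDOW_SECONDS = 10 * 60  # grace period the post describes
MAX_RESENDS = 3           # assumed policy; the real application had no cap at all


class VulnerableRegistration:
    """Mirrors the flaw: every resend moves the deadline and nothing counts resends."""

    def __init__(self, now):
        self.deadline = now + WINDOW_SECONDS

    def resend(self, now):
        # The bug: the clock restarts on each resend, so access never has to end.
        self.deadline = now + WINDOW_SECONDS

    def has_access(self, now):
        return now < self.deadline


class HardenedRegistration:
    """Deadline is fixed at first registration; resends are counted and bounded."""

    def __init__(self, now):
        self.deadline = now + WINDOW_SECONDS
        self.resends = 0

    def resend(self, now):
        if not self.has_access(now):
            raise PermissionError("grace period over; confirm or register again")
        if self.resends >= MAX_RESENDS:
            raise PermissionError("resend limit reached")
        self.resends += 1
        # deadline deliberately left unchanged

    def has_access(self, now):
        return now < self.deadline


def access_expires_at(factory, resend_every, horizon):
    """Simulate a client that presses "resend" every `resend_every` seconds.

    Returns the first tick at which unconfirmed access is gone, or None if
    the client still has access when `horizon` seconds have elapsed.
    """
    reg = factory(0)
    t = 0
    while t < horizon:
        if not reg.has_access(t):
            return t
        try:
            reg.resend(t)
        except PermissionError:
            pass  # the hardened server refuses; the client keeps polling
        t += resend_every
    return None


if __name__ == "__main__":
    # A client resending every 5 minutes for an hour: the vulnerable server
    # never cuts it off (None); the hardened one ends access at 600 seconds.
    print("vulnerable:", access_expires_at(VulnerableRegistration, 300, 3600))  # None
    print("hardened:  ", access_expires_at(HardenedRegistration, 300, 3600))    # 600
```

The two fixes are independent: pinning the deadline at first registration closes the timer reset, and the counter is there so that "resend" cannot be used as a free request generator even if some later change touches the deadline again.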

Anyway, for those interested, here are the slides.

Rapid Prototyping Tools

Posted in Development, Hacking, Research, Tools having no comments »



The First Step of Rapid Tool Smithing

April 2nd, 2010 by apridgen

So I have not been too productive in a traditional sense over the last few months. I have been exercising my C++ development skills and spending a few weeks prototyping tools, based on interest and needs. Only knowledge has been the real product of my work. I have been focusing on and learning about how to perform rapid prototyping, along with learning to augment functionality from other open sources of code.

Research is a slippery slope and it is hard to quantify a rate of return. This goes for any type of research in any industry. The idea is that to be novel, you must invest time and effort, so identifying as many shortcuts as possible is a valuable skill. For instance, if I want to implement a DNS scanner, I don't want to rewrite the entire DNS protocol, nor do I want to write the network code, threading, etc. I want to leverage existing sources and frameworks for those elements. Additionally, programming languages should be seriously considered. In this case, I am looking at C++; however, higher level programming languages such as Python or Ruby could be most beneficial in a very rapid PoC environment. This post will detail some of the preliminary decisions that a researcher may encounter and then give an overview of how to work through various vague compilation and linker errors, showing the time savings from shortcuts.

Posted in Development, Hacking, Research having 1 comment »



Keeping Old School Tactics Current: Google, Telnet, and Echo FTW

February 2nd, 2010 by apridgen

This is the second part in a two-part blog. In the initial installment, I illustrated how vague configuration settings and default and hardcoded credentials could lead to tragedy. In this installment, I will show you that tragedy. Armed with a dash of Google, a hearty helping of telnet, and a smidgen of echo along with some Lua trickery, I was able to roll through a misconfigured installation of FreeSWITCH.


Posted in Development, Hacking, Python, Research, Security, Tools having 7 comments »



Hardcoded, Insecure Defaults can Lead to Problems

February 2nd, 2010 by apridgen

A few weeks ago I was playing with a blackbox, and I found several problems that cascaded, giving me command execution as root. Since the issue impacts open source software and my research was free, I decided to provide a two-part analysis illustrating my research. In this post, I want to illustrate how hardcoded default configuration settings can inhibit security. The second part of this post will look at how I identified the issue on the blackbox and successfully exploited it.

Posted in Development, Hacking, Research, Security having no comments »



12 Years ago today….

February 2nd, 2010 by apridgen

So this is just one of those brief moments of emotion.

12 years ago today, I signed up for the Army as an infantry soldier. While my time in service was very brief, the moments and experience will last a lifetime. It is probably one of the single most important decisions in my life.

A special thanks goes out to all those who have served, are serving, are committed to serve, and those who have given their lives. Most importantly, I would like to say THANK YOU to all those who support service members and have had to endure the loss of a friend, family member, and loved one.

gr33tz.

~dsoftware

Posted in Uncategorized having no comments »



Playing with ARM Binaries: Mapping Relocations to Function Names

February 1st, 2010 by apridgen

Playing with ARM binaries in IDA Pro

I have been expanding my view of the world, and I decided to play with some ARM ELF binaries, but I ran into a problem with relocations, symbols, and the corresponding function strings being properly matched in IDA Pro. Below is a method I used on 2 binaries (yes, testing is a hardcore part of my diet) in order to get the function names relocated and named correctly on the PLT entries and the corresponding functions.


Posted in Development, Hacking, Python, Research, Reverse Engineering, Security having no comments »



Reversing the Plague Bot, will the Real Snipa Please Stand-up

January 20th, 2010 by apridgen

Since Friday, I have been having fun reverse engineering this piece of malware called Plague bot. Overall the bot has the typical suite of functionality including the MSN spreader, USB infector, DDoSer, SSyn along with download and updating capabilities. The initial binary was encrypted/obfuscated using a VB 6.0 compiled program. This wraps the binary in a VB virtual machine, effectively hiding the true binary. This fact was apparent because very few strings were visible and the binary itself imported MSVBVM60.dll. Because of the P-Code wrapping, initial static analysis was of little use. Therefore, we used dynamic reversing to extract the binary.


Posted in Development, Hacking, Python, Research, Reverse Engineering, Security having 2 comments »



A Remote Cmd Server for Android

November 23rd, 2009 by apridgen

I had the opportunity to get a new phone a few weeks ago, and like everything I get, I sat down with some docs, how-tos, and examples. The end result is a basic command server that listens on a selected port and IP address assigned to the device, either the wireless address or the ppp0. There is also a basic GUI that allows the user to input and execute unprivileged OS commands on the device.

The server itself will receive commands such as put, get, exec, and a few undocumented ones. Below are some of the commands:

  1. “put /path/filename b64_data_string” will put a file on the remote Android phone (untested)
  2. “get /path/filename” will get a file from the remote Android phone
  3. “exec ” will execute a command on the remote Android phone

The results of the commands all come in the form of:

  1. <SUCCESS,size_result:int,b64_result:string>
  2. <FAIL,size_result:int,b64_result:string>

Here is a link to the project for those interested: http://code.google.com/p/aremoteserver/
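The command and response formats listed above, as an added example that is not part of the aremoteserver project: an encoder/decoder for the `<STATUS,size,b64>` response that rejects a size field disagreeing with the decoded payload, a parser for the put/get/exec request lines, and a path check that confines file operations to one directory. The meaning of size_result (the byte length of the decoded result), the MAX_RESULT cap and the ALLOWED_ROOT directory are assumptions; the post does not specify them.

```python
import base64
import binascii
import posixpath
import re

# Added example around the wire formats quoted in the post; not aremoteserver code.
# Assumptions: size_result is the byte length of the decoded result, results are
# capped at MAX_RESULT, and file operations are confined to ALLOWED_ROOT.
RESPONSE_RE = re.compile(r"^<(SUCCESS|FAIL),(\d+),([A-Za-z0-9+/=]*)>$")
MAX_RESULT = 1 << 20      # assumed cap on what a client will decode
ALLOWED_ROOT = "/sdcard"  # assumed; the post does not say which paths the server permits


def encode_response(ok, result):
    """Build <SUCCESS|FAIL,size,b64> from a bytes result."""
    status = "SUCCESS" if ok else "FAIL"
    b64 = base64.b64encode(result).decode("ascii")
    return "<%s,%d,%s>" % (status, len(result), b64)


def decode_response(msg):
    """Parse a response; raise ValueError on any shape, base64 or size inconsistency."""
    m = RESPONSE_RE.match(msg)
    if m is None:
        raise ValueError("malformed response")
    status, size, b64 = m.group(1), int(m.group(2)), m.group(3)
    if size > MAX_RESULT:
        raise ValueError("declared size %d exceeds cap" % size)
    try:
        result = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 payload") from exc
    if len(result) != size:
        # A peer that lies about the size is treated as a protocol error, not trusted.
        raise ValueError("size field %d != payload length %d" % (size, len(result)))
    return status == "SUCCESS", result


def parse_command(line):
    """Split a request into (verb, args), validating each verb's argument shape."""
    parts = line.strip().split(" ", 2)
    verb = parts[0].lower()
    if verb == "put":
        if len(parts) != 3:
            raise ValueError("put needs a path and base64 data")
        data = base64.b64decode(parts[2], validate=True)  # binascii.Error on junk
        return verb, (parts[1], data)
    if verb == "get":
        if len(parts) != 2:
            raise ValueError("get needs a path")
        return verb, (parts[1],)
    if verb == "exec":
        if len(parts) < 2:
            raise ValueError("exec needs a command")
        return verb, (" ".join(parts[1:]),)
    raise ValueError("unknown command %r" % verb)


def confine(path):
    """Resolve a client path under ALLOWED_ROOT and refuse anything that escapes it."""
    full = posixpath.normpath(posixpath.join(ALLOWED_ROOT, path.lstrip("/")))
    if full != ALLOWED_ROOT and not full.startswith(ALLOWED_ROOT + "/"):
        raise ValueError("path escapes %s" % ALLOWED_ROOT)
    return full


if __name__ == "__main__":
    # Constructed sample exchange: a get request, then the server's reply for it.
    print(parse_command("get /notes.txt"))                  # ('get', ('/notes.txt',))
    print(confine("/notes.txt"))                            # /sdcard/notes.txt
    reply = encode_response(True, b"hello")
    print(reply, decode_response(reply))                    # <SUCCESS,5,aGVsbG8=> (True, b'hello')
```

Both sides benefit from the strictness: the client never allocates for a size it has not verified against the real payload, and the server never touches a path outside the directory it was told to serve.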

Posted in Uncategorized having 1 comment »