Thursday, September 30, 2010

Mercurial diff folding in Vim

I use Merurial a TON these days. One of the things I like to do is to view incoming patches before I pull and update them. Typically, I would hg in --patch | gvim - and browse the diff that way. However, when pulling in several of changesets which modify potentially dozens of files, the output can be quite lengthy.

At first I started to tackle this by just folding hunks, files, and changsets as I browsed through the output. This got to be ridiculously time consuming though. So, one afternoon, I decided to figure out how to make a vim plugin which would do this for me. Here is the result.

Pretty soon, I found myself using this for diffing changesets and managing my mq patches as well. Try it out and let me know what you think!

The script is also in my vimstuff bitbucket repo.

P.S. Be gentle as I am definitely still a beginner when it comes to writing vim scripts :)

Saturday, July 10, 2010

I'm Back!!! (I hope)

Man, has it been a long time since I have updated my blog...

First, let me say that this last year has been really crazy for me. I bought my first house, which has been quite an adventure. There went a couple months of moving and just adjusting to having all the responsibilities of home ownership. Then there was getting a puppy to complete the first house and new fenced-in backyard. That lead to another couple months of getting the puppy adjusted to a new home, doing the important puppy training classes, and replacing destroyed toys and furniture.

All of that has been a lot of fun, but that still leaves quite a few months of not updating my blog. Which leads me to the real reason for being too busy to blab here:

After many many months of planning, programming, testing, and bug fixing, NovaShield has finally released the 3.0 version of our behavior-based anti-malware product.

We are all extremely happy with it and are proud to say that the 3.0 version of NovaShield is probably about the most awesome thing we've ever produced.

For those interested, here are some of the highlights for the new version:
  • Totally rewritten in C/C++
  • Significantly improved detection and remediation engines
  • Decreased false positives
  • Huge performance and memory improvements
  • GUI is smaller, faster, has a nicer look and feel
  • Now supports Windows 7 (32-bit only still)

The new NovaShield Console -- TaDa!

With all of that said, I would be remiss if I didn't ask everyone to grab the latest free trial here. This is my day job and it's hard to stay employed without having any customers, so please try it out and let me know what you think!

I'm hoping I'll have more time to update the blog in coming weeks/months. There are still a ton more exciting things coming down the pipe from NovaShield (64-bit support, for example), so I may still be busy coding and testing for a while.

If you have any casual questions/comments, feel free to drop them here. I don't want to use this as a support forum, however, so any serious issues should be reported to


Monday, May 4, 2009

SSL Strip on Mac OS X

After playing around with SSL Strip for a while on BackTrack 4, I decided on trying to get it up and running on my MacBook. It turns out it was actually quite easy!

First thing, is to download the SSL Strip package from Moxie Marlinspike's homepage. You can grab it from the link above.

Next, if you're using MacPorts Python 2.5, like I am, you'll need to:

sudo port install py25-socket-ssl

The MacPorts Python 2.5 port maintainer decided to split the ssl sockets modules up into a different package for some reason, so you'll need to add it as shown.

Now, you'll need to make sure your Mac is configured to do ip forwarding and make sure that the ip firewall is enabled. Use the following commands to do so:

sysctl net.inet.ip.forwarding
sysctl net.inet.ip.fw.enable

If either of those are diabled, set them like so:

sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1

Now, your system should be set for ip forwarding and applying firewall rules.

The firewall rules can now be modified to forward all port 80 traffic to the port which SSL Strip will listen on. If you want to listen on 1234, for example, the following ipfw command will set you up:

ipfw add fwd,1234 tcp from not me to any 80

The add fwd,1234 part tells ipfw to add a new rule for forwarding traffic to on port 1234. The rest of the command is the logic which will be used to match the traffic which needs to be forwarded. The tcp obviously specifies that it will match on only TCP traffic. from not me to any makes it so that it will match any traffic which is being sent from any address other than your IP to any other IP address. If you instead use any to any I found that SSL Strip's traffic will get redirected to itself, which will cause problems. Finally, the 80 specifies that only TCP traffic destined for the HTTP port will be forwarded.

Finally, with that rule set up, all that needs to be done is to run SSL Strip.python -h shows the following options:

sslstrip 0.2 by Moxie Marlinspike
Usage: sslstrip

-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port> Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.

So, the basic python -l 1234 should get you started.

The kill session and favicon options are handy, so those are worth checking out. Also, the -a option is handy if you need to debug things or just want a dump of all traffic which is running through the proxy.

I think that's about it for all the configuring. Running and parsing the results of SSL Strip is something I'm sure you all can figure out.

Let me know if any of the above steps don't work for you. Otherwise, happy hacking, don't do anything mean and as usual, have fun!

Update 05/18/2009 -
After seeing Ivan's question, I realized I didn't provide anything on how to convince people to connect through you instead of the default gateway. Oops! Well, here's the rest:

I used arpspoof when setting up sslstrip for the first time because I'm more used to it and I also find it easier to target individual clients. Also, I think it reduces my chances of breaking connectivity on the entire LAN if my ipfw config was off.

So, what I did in my initial testing was:

arpspoof -i en1 -t

Where en1 is my Mac's AirPort adapter, is the client I'm attempting to MITM and is the address I'm spoofing which is the default gateway for my LAN.

I didn't use ettercap with sslstrip, but if I remember my ettercap correctly, you can use it to attack an entire LAN like so:

ettercap -i en1 -Tq -M arp / // -P autoadd

In this example, -Tq enables just the console interface in quiet mode, -M arp instructs ettercap to use ARP poisoning for doing the MITM, / // instructs it to poison all connections between the gateway and any other hosts on the LAN. Finally, the -P autoadd enables the autoadd plugin so that new hosts are poisoned upon connecting to the LAN. You may need to use -M arp:remote which enables ettercap to sniff remote connections, but I think you'll be fine without.

Hope this helps!

Friday, April 17, 2009

Hack a social network - Get a job

There's been lots of hoopla going around today about this Mikeyy Mooney character, and I have to say I find the whole situation incredibly irritating.

For those people who don't know, of which I doubt there are many, this 17 year-old recently hit Twitter with a series of XSS worms which move from one account to another. Just today, another one was supposedly release by him which is targeting popular users in an effort to spread faster.

The worm would post messages under your account along the lines of "Twitter, hire Mikeyy!" or "Dude, Mikeyy is the shit!". This has caused many people to wonder whether or not their account was compromised and their password stolen. Fortunately, the attack did not require stealing your credentials, so members' profiles remain safe. Or at least they will, once this worm has been eradicated.

Aside from the obvious damage of causing Twitter to spend many man-hours remediating this and correcting the vulnerability, I fear it has also damaged the InfoSec community and Web 2.0 community as a whole.

I could re-hash all of this, but I think Innismir put it very eloquently in a post on his blog:
Word came out today that Mike (I refuse to call him by that insane double “Y” name) was hired by Travis Rowland, owner of a small company out in Oregon call exqSoft. Allegedly he’s going to be doing web development for them, but this move sends EXACTLY the wrong message: Do a sufficiently splashy compromise, and get yourself a job.

I have no beef with Mr. Rowland as a person, nor do I disagree with his assertion that Mike could have done something a lot worse. However rewarding this behavior is going to encourage copycat attacks and that helps no one. Already there is a prevalent attitude among youths involved in computing that in order to get a job in Computer Security later on in life, you need to be a l33t h@x0r and pwn people

I completely agree with him here. I also fear a rash of copycat attacks from people hoping to prove themselves as l33t and get enough cred to land jobs. I just don't understand why someone could be so foolish as to say "Hey, you know how you hijacked thousands of people accounts, without their knowledge, without their consent, and never even thought to assist the site in fixing the problem once you exploited it? That was awesome! Here... have a job!"

To me, this is nothing short of ridiculous. I've known plenty of younger kids who have asked me about hacking, said they wanted to be hackers before, and always asked, "How many people's computers have you hacked? Could you hack my friends computer for me?" I fear for kids like this. An example such as Mikeyy just what we need to push them into doing the same things in an attempt to become 'cool' and 'popular'.

I have to say, though, as someone who is in his mid-20's and has aspirations for a nice career in InfoSec, I can kind of identify with this. It can be fun to poke at sites and maybe pull some XSS or CSRF tricks on your friends. It can be good practice, and sure you can brag about how you made one of friends post 'I <3 Hannah Montana' on your favorite message board.

But, the one difference is if I ever play around like this and actually exploit something or someone before reporting it, I have existing relations with all the parties involved: web admin, tricked friends, etc. and they know me well enough to understand it was not malicious. Furthermore, when I'm done, I say "Yea, that was neat, and oh, by the way, here's how you can fix this."

Something of this magnitude, however, is utterly unacceptable no matter what your intentions. What's even sillier is that after hiring Mikeyy, Travis Rowland had the audacity to say one of the Twitter co-founders: "@biz hope u guys don't file lawsuit against him, hope u understand Mikeyy did u favor and could have compromised personal information."

I hope Twitter reads this and says to themselves, "Yea he really did us a favor! Not only did he point out a security flaw to us, but he also gave us thousands of accounts which we need to go clean up! Isn't he wonderful?" and then proceeds to take him to court in order to get reimbursed for all their time which they've wasted on cleaning up something which should have never happened in the first place.

Anyhow, I hope we see the end of this soon, and I hope the kid gets what is coming to him. I mean, this is a good start, at least if it's true that it actually happened to him, but I, for one, would like to see something a little more legal brought down upon his dumb self.

Thursday, March 26, 2009

Mozilla symbols + source in your WinDBG

After seeing the new Firefox 0-day which was announced today, I thought it would be fun to play with the PoC code.

Also, WinDBG has been becoming my debugger of choice lately, so I decided it would be nice to use that for debugging Firefox while I take a look at the exploit code.

In order to make debugging a little easier, I decided to poke around and see how I could go about getting debug symbols and source for Firefox and make it all work snazzily with WinDBG. Turns out Mozilla has these awesome pages for doing just this: symbols howto and source howto

It was actually astonishingly easy. Just typing these into your command window should be sufficient:

.sympath+ srv*c:\users\ryan\documents\symbols\firefox*
.srcpath+ srv*c:\users\ryan\documents\sources\firefox

and that's it!

Now all your sumbols and sources for this WinDBG session will be downloaded to your symbols\firefox and sources\firefox folders respectively. Of course, you'll want to replace the c:\users\ryan\documents with whatever your location is, but that's about it.

Go to it and hack you some Firefox!

Tuesday, March 24, 2009

Diffing the output of two commands

Today, while doing some server maintenance, I needed to diff the output of two different commands. To be more specified, it was actually the same command, but with different sets arguments. As an example, let's say I wanted to diff the contents of two folders, /tmp/folder1 and /tmp/folder2.

What I had done in the past was:

ls -l /tmp/folder1 > tmp.txt
ls -l /tmp/folder2 | diff tmp.txt
rm tmp.txt

Today I decided there had to be a better way to do that and set out to discover how. What I found was something that I had long forgotten about: named pipes. If you're not familiar with named pipes, check Wikipedia. For a refresher of how they work in Unix, here's an example:

mkfifo mypipe

then in two separate shells type:

ls -l > mypipe


cat < mypipe

Now, with a pipe already created, I can accomplish my task a little more quickly and efficiently:

ls -l /tmp/folder1 > mypipe&
cat ls -l /tmp/folder2 | diff < mypipe

Howevery after reading all the way through this great Linux Journal article I learned that what would work even better is the great <(...) syntax:

diff <(ls /tmp/folder1) <(ls /tmp/folder2)

This does exactly what I wanted to do without needing to create any temporary files or named pipes myself. What's happening here is that BASH creates a temporary named pipe and fills it using the output of the command between the parens.

As you can see, temporary pipes make these quick one-offs much, much easier.

Take a look at that awesome article for a peek at more awesome stuff you can do with named pipes.

I'll have to admit that I've not used named pipes much (maybe only once or twice that I can remember), but after this, I'll definitely keep my eyes peeled for more excellent piping opportunities.


Saturday, March 21, 2009

Visor is my new best friend

Okay, so maybe it isn't my new best friend, but this is the first time I've mentioned it.  I've been using Visor for quite some time now, and every time I use it I fall even more in love with the tool.

From the Visor page: "Visor provides a a systemwide terminal window accessible via a hotkey, much like the consoles found in games such as Quake."

If you love the tool QuickSilver, and feel a little nervous when you don't have quick access to a command line (I get extremely nervous, personally), then this tool might just be for you.  It's easy to install, and once running, a quick press of CTRL+` brings down your console window:

Combine this with Screen and you'll practically never need a standard Terminal window again.  I used to have two or three Terminals open at all times, now I only ever open one if I really need a full screen console.  Being able to SSH into another machine and quickly change some settings was never easier now that my console is just a keystroke away! No more CMD-Tabbing, Exposè, or excessive mouse clicking.  It's quick and easy, and a must have for Mac users who are Terminal nuts.

Check it!