Results tagged “tools” from Just Another Hacker

Password length matters

|
In fact, it matters so much that the term password is just plain wrong. Passphrase is better, and I did mean to start using that term instead. When it comes to user education things are often hard to quantify, but looking at the recent password breaches the message doesn't seem to register.
The issue is compounded by a users habit of having a single password and using it everywhere. As their password is used and re-used all over work, home and the internet it needs to meet the password criteria of several "password policies". Luckily for us that means that most users have a password of 6-8 characters, usually containing one or more numbers.

I won't go too much into detail about password length, but suffice to say that you should ditch your password and go for a passphrase instead. I would also recommend that you don't make it a simple sentence, but rather something obscure like your grandfathers address combined with the name of your cousins pet rabbit. That should ensure it's not too easy to crack using a dictionary attack.

This months password tool is lensort.pl. It will split a dictionary file into several smaller files based on number of characters in the file;
root@bt:~/Jason# ./lensort.pl /mnt/hgfs/Tools/wordlists/Trek
Sorting 530 passwords by length
Finished 6.txt
Finished 11.txt
Finished 3.txt
Finished 7.txt
Finished 9.txt
Finished 12.txt
Finished 15.txt
Finished 14.txt
Finished 8.txt
Finished 4.txt
Finished 13.txt
Finished 10.txt
Finished 5.txt


You can download the script from https://github.com/wireghoul/Jason

Buffer overflow pattern tool

|
I can't help fee like an arrogant bastard writing this post. It is not my intention to discredit the work of others. I have tremendous respect for the skill of people who do reverse engineering and exploit development.

I have been working on (learning) exploit writing lately and although I had heard about it before I hadn't actually used the pattern generator approach. Being a perl man I decided I wanted to grab a perl based generator so I could modify it to suit my own needs. A quick google later I found Wasim Halani's perl implementation at http://securitythoughts.wordpress.com/2010/03/18/tool-unique-pattern-generator-for-exploit-development/. After a quick play with that I decided that I should just write my own.
My first run produced a similar looking string, but my 1024th character was off by one. I decided to compare the two strings and founbd the difference at byte 781. Washal's implementation appends the uppercase character before incrementing the uppercase character, ie: "7Az8Az9ABa0" instead of "7Az8Az9Ba0". Comparing it to metasploit's tools/pattern_create.rb mine was spot on. I decided to take it all the way to the end for comparison so I generated a 20280 character string from both tools and compared them. This time there was a difference at byte 20278, metasploit produced "Zz8Aa0" as the last six characters compared to my "Zz8Zz9". I consider my behaviour to be correct and reported the bug.

Furthermore, once you go past 20280 characters the pattern starts repeating. My tool relies on the perl string incrementer and that changes the pattern from three to four characters in my tool. I tend to lean to my behaviour as correct, especially when dealing with 8 byte addresses, but I am completely biased. So without any further ado, here is my implementation of the buffer overflow pattern generator.
[bop]

#!/usr/bin/perl
#!/usr/bin/perl
# Buffer Overflow Pattern generator v 1.0
# Written by Wireghoul - http://www.justanotherhacker.com
use strict;
use warnings;

sub generate {
    my $len=shift;
    my $pattern='Aa0';
    my $out = '';
    while (length($out) < $len) {
        $out.=$pattern;
        $pattern++;
    }
    return substr($out,0,$len);
}

sub search {
    my $string = shift;
    # If we get a hex string, decode and reverse it
    if ($string =~ /0x/) {
        $string =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
        $string =~ s/0x//;
        $string = reverse $string;
    }
    my $pat = 'Aa0';
    my $out = '';
    while ($out !~ m/$string/) {
        $out.=$pat;
        $pat++;
    }
    return index($out, $string);
}

if (!$ARGV[0]) {
   print "Buffer overflow pattern generator by Wireghoul\n$0 <size> creates pattern of size characters\n$0 string finds offset of string in pattern\n";
   exit 0 ;
}
if ($ARGV[0] =~ m/^\d+$/) {
    print generate($ARGV[0])."\n";
} else {
    print search($ARGV[0])."\n";
}
I'll finish with some examples of usage:
~/challenge$ ./vuln `bop 1025`
Segmentation fault
~/challenge$  bop 0x42306942
1020
~/challenge$ bop Bi0B
1020
1020+length("Bi0B) = 1024 in case that wasn't clear. I hope you'll enjoy the tool.

Tool review: Halberd

|
halberd-ss.png
Like most of my favourite tools halberd does one thing, and does it well. It tries to detect individual servers behind a load balancer. The idea behind it is not new, but this is the best put together tool that I have used. It even handles multiple A records right off the bat. It is a little short on documentation and the error messages could be better, but it's still a great reconnaissance/testing tools for pen testers and system administrators alike.

Grab your copy today from http://halberd.superadditive.com/

Tool review: Bugle

|
Bugle is a neat tool which uses google and regular expressions to detect security defects in code. It makes it super quick to find vulnerable code.

The downside is that the code is often old and the vulnerability has been found, disclosed and fixed. And checking all those hits take time. Still it is well worth a spin.

Disclaimer:
Bugle's use of regular expressions to locate code defects was what initially prompted me to organize my messy scripts into the open source script graudit

Tool review: Fuzzman

|
Fuzzman is a simple perl script from cipher.org.uk (the guys that brought you bugle). It is a simple perl script that inspects the man page for a command and enumerates through the combinations of command line options. It then creates a shell script that will run the commands with fuzzing data, such as buffer overflow or format strings. You then run the shell script and look for a crash. It's a simple automated script, with some simple changes you could even make it part of your automated testing suite.

For more information on fuzzman, examples and download go to:
http://www.cipher.org.uk/read/2007/04/18/fuzzman-man-pages-based-fuzzer/

Pros:
By generating the fuzzing script from man pages it can fuzz any binary that has a man page.

Cons:
Many binaries are missing or have inconsistent man pages.


What is graudit?
Graudit is a semantic static analys tool that highlights potential vulnerabilities in source code.


Who should use graudit?
System administrators, developers, auditors, vulnerability researchers and anyone else that cares to know if the application they develop, deploy or otherwise use is secure.

What languages are supported?
Version 1.5 Shipped with support for the following languages:
  • ASP
  • JSP
  • Perl
  • PHP
  • Python
  • Other (looks for suspicious comments, etc)
Can you add support for language x,y,z?
I can add support for almost any language, but if I don't program in the language myself it is likely to have a high false-positive or even false-negative rate. If you can point me to an existing set of rules for a language I can convert these to graudit.

Can I help?
Sure you can! I could use help with anything and everything, improved rulesets, documentation, packaging, testing, etc. And if you're unable to help with any of these you can tell someone else about graudit.
No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.