Tuesday, January 24, 2017

Tracking lost assets.

My team has been tasked with tracking certain items, i.e. Dell X1000 series servers, across the whole (global) network.

The methodology:

1. Check with Asset inventory list
2. Check with procurement list
3. Scan the entire network.

Just skip items 1 and 2, because both are business processes, and proceed with item 3. How are we supposed to scan an entire network of class Gorgilla (purposely misspelt) amounting to 1 gazillion IP addresses? Let me introduce you to ZMap: yeah, the powerful scanner that works so fast you can't even read a, b, c... through to z, because by the time you finish reciting the alphabet, ZMap has already completed scanning the entire class A (non internet routable).

The way we did it:

1. Come up with common criteria for the Dell X1000

  • running https on port 6070
$zmap -p 80 -o results.csv 1.0.0.0/8 <- class Gorgilla

Thats it folks.
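One way to turn the scan output into an asset-tracking answer, as an added example that is not from the post: it reconciles the IPs ZMap wrote to results.csv against the (here constructed) inventory list from step 1, so hosts that answered but are not on the list, and listed hosts that did not answer, both fall out. The file layouts and the Dell asset tags are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of results.csv from `zmap -p 80 -o results.csv`: ZMap's default csv
# output module writes one responding IP per line (assumed; a 'saddr' header is tolerated).
ZMAP_RESULTS = """saddr
10.1.1.10
10.1.1.11
10.1.2.20
10.1.9.99
"""

# Constructed sample asset inventory (hypothetical 'asset_tag,ip' layout).
INVENTORY_CSV = """asset_tag,ip
DELL-X1000-0001,10.1.1.10
DELL-X1000-0002,10.1.1.11
DELL-X1000-0003,10.1.3.30
"""

def parse_zmap(text):
    """Return the set of responding IPs, skipping the header and any non-address lines."""
    hits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "saddr":
            continue
        try:
            hits.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # not an address, ignore it
    return hits

def parse_inventory(text):
    """Return {ip: asset_tag} from the inventory CSV."""
    return {row["ip"]: row["asset_tag"] for row in csv.DictReader(io.StringIO(text))}

def reconcile(zmap_text, inventory_text):
    """Split scan hits into known assets, unknown responders and silent inventory entries."""
    hits = parse_zmap(zmap_text)
    inv = parse_inventory(inventory_text)
    known = {ip: inv[ip] for ip in hits if ip in inv}   # answered and on the list
    unknown = sorted(hits - set(inv))                    # answered but not on the list
    silent = sorted(set(inv) - hits)                     # on the list but did not answer: lost?
    return known, unknown, silent

if __name__ == "__main__":
    known, unknown, silent = reconcile(ZMAP_RESULTS, INVENTORY_CSV)
    print("known:", known, "\nunknown:", unknown, "\nnot answering:", silent)
```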


Tuesday, December 20, 2016

Welcome 2017

2017 is just around the corner, and there are gonna be more exciting things in infosec: IoT, visualization, machine learning, threat intel, etc.

In 2016 the majority of people were talking about IoT and threat intel, and by December there was nothing much to say about these two issues, except that the biggest DDoS in internet history was actually powered by IoT.

People keep investing in big data/threat intel when the data they already have, or that is available in the public domain, is more than enough for their daily operation. People are investing in big data like they are running GCHQ or Fox Media. But that's people...

People keep investing in technologies that are not actually needed. People keep harping on issues they barely understand. (For me) the biggest issue is still PEOPLE and their IGNORANCE.

But above all, SAP security is really interesting, especially in the business function area, things related to Segregation of Duties (SoD). Wonder how InfoSec is gonna be in 2017?


Skiddies in action

Nothing much to do during this festive holiday, so I decided to set up a lab to test SQL injection via the POST method. I know, this is a NO BRAINER, SKIDDIES LVL 6 and a B1G J0k3 to all of you, but mind me, I'm just learning.

1. Set up an application whose authentication is controlled by MSSQL through form submission.
2. Boot up Kali Linux.
3. Use ZAP/Burp to monitor the parameters passed by the browser during crawling.
4. Pass those parameters to sqlmap for further testing.
5. Grab the SQL banner using sqlmap. Succeeded.
6. Next, try to gain a shell using --os-shell -> failed because xp_cmdshell was kind of fuct up.
7. Next, try to gain a shell using MSF's sql_payload connecting to the MSSQL port -> failed since the IPS was running like a rottweiler.

Conclusion: same ol, same ol.... 
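What step 1 boils down to, as an added example (not the lab app from the post): the same login check written the way sqlmap finds it and the way it should be written, with sqlite3 standing in for MSSQL since the string-building bug and the parameterised fix look identical on both.

```python
import sqlite3

# sqlite3 stands in for the MSSQL backend of the post (assumption: the injection
# behaviour of string-built queries, and the parameterised fix, are the same on both).
def make_db():
    """Constructed sample user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """The form handler as sqlmap likes to find it: POST fields pasted into SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0

def login_hardened(db, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def demo():
    """Return outcomes for a valid login and the textbook tautology on both handlers."""
    db = make_db()
    tautology = "' OR '1'='1"   # the classic probe sqlmap confirms on the vulnerable handler
    return {
        "valid_vuln": login_vulnerable(db, "alice", "correct horse"),
        "valid_hard": login_hardened(db, "alice", "correct horse"),
        "inj_vuln": login_vulnerable(db, "alice", tautology),   # True: auth bypassed
        "inj_hard": login_hardened(db, "alice", tautology),     # False: treated as a password
    }

if __name__ == "__main__":
    print(demo())
```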

Thursday, October 08, 2009

Mod_chroot and Apache

Had a rough time running Apache + vhosts in a jail with mod_chroot. After troubleshooting, I figured out that:

1) Apache will run first
2) Then it will read vhost
3) Then it will load jail

That is how you can waste 5 hours of your time..

Wednesday, January 07, 2009

Test

Test -- test

Wednesday, November 05, 2008

Perl: Connecting to MSSQL with DBI

I needed to provide statistics of the top 10 network statuses for the past 24 hours. All the data is stored in a database. Using the Perl module DBI, I came up with this script. How to communicate with a database using Perl can be summarized by the picture below:



Using this script, I managed to query the top 10 statistics and dump the data into XML format to generate a graph with a Flash graphing tool.

#!/usr/bin/perl

use strict;
use warnings;
use DBI;
use POSIX 'strftime';

# Define yesterday's date (one day back from now)
my $yesterday = strftime "%Y-%m-%d", localtime(time - (24*60*60));
my $filename  = strftime "%Y%m%d",   localtime(time - (24*60*60));

# Creating XML file for Top 10 Ports
my $file = "attack$filename.xml";

open(my $FILE, ">>", $file) or die "Cannot open file $file: $!";

# Colors array for graph
my @colors = ("AFD8F8", "F6BD0F", "8BBA00", "FF8E46", "008E8E", "D64646", "8E468E", "588526", "B3AA00", "008ED6");

# Credentials must be quoted strings, not barewords
my $dbh = DBI->connect('dbi:Sybase:192.168.200.6', 'myadmin', 'mypasswordisharewithu');
die "Unable to connect: $DBI::errstr\n"
    unless (defined $dbh);

# Querying the Top 10 Ports from the database
my $sql = qq{ SELECT whatever yadayada };

my $sth = $dbh->prepare($sql) or
    die "Unable to prepare database query: " . $dbh->errstr . "\n";

$sth->execute or
    die "Unable to execute database query: " . $dbh->errstr . "\n";

# Print into file
my $value = 0;

print $FILE " \n";

while (my $aref = $sth->fetchrow_arrayref) {
    # The loop body that wrote each row as XML did not survive in the original post.
}

$sth->finish;

$dbh->disconnect or
    warn "Unable to disconnect: " . $dbh->errstr . "\n";

close($FILE) or warn "Unable to close $file: $!";

Wednesday, October 08, 2008

Banner verification: nmap vs grabbb

A lot of verification has to be done before the escalation process can be carried out (this is not a good procedure according to CISSP) in network analysis. Let's say you received an "HTTPD v3.0 BOF shit" alert; you need to verify whether the victims of this alert are running HTTPD v3.0 or not. The best method is to contact the owner of the victim's server, because:

1) The owner is the best person with a deep knowledge of the server.

But the con is:

1) Time consuming

So the alternative is an intrusive method: banner grabbing. I have no interest in any banner grabber other than Fyodor's Nmap and Teso's grabbb*. Grabbb is a robust banner grabber compared to Nmap. What I did was:

Grabbb
C:\MyOS\$ time ./grab -i ../ip-TIME-smtp-overflowid.txt 25
Nmap
C:\MyOS\$ time nmap -sV -iL ../ip-TIME-smtp-overflowid.txt -p25

and the result is:

Grabbb -> real 0m30.570s
Nmap -> real 0m22.289s

To my surprise, nmap performed better than grabbb. But bear in mind, this timing method is not a credible process, since a lot of factors need to be considered:

1) Grabbb was compiled on MyOS, which runs glibc version gazillion, but grabbb is a dinosaur program coming out of Jurassic World.
2) Network load during the process
3) Host load during the process
4) Nmap did not scan hosts that gave no ICMP echo reply, since -P0 was not used. ;)

* Disclaimer: I have not gone through the code for verification, and if you get backdoored because of your inability to read the code, which is equal to mine, please do not hesitate to bang your head against the door.
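Turning the nmap -sV run into an alert-verification step, as an added example that is not part of the post: it reads nmap's XML output (-oX, here a constructed sample) and marks each alerted host as confirmed, mismatch or unverified, the last covering hosts nmap skipped because of the missing -P0. The ExampleMTA product name and the alert tuples are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output for three alerted hosts (not a real scan).
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="25"><state state="open"/>
      <service name="smtp" product="ExampleMTA" version="3.0"/></port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="25"><state state="open"/>
      <service name="smtp" product="ExampleMTA" version="4.2"/></port></ports></host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

def banners(xml_text):
    """Return {(ip, port): (product, version)} for every open port nmap fingerprinted."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            found[(addr.get("addr"), int(port.get("portid")))] = (
                svc.get("product", ""), svc.get("version", ""))
    return found

def triage(alerts, xml_text):
    """Classify each (ip, port, product, version) alert as confirmed, mismatch or unverified."""
    seen = banners(xml_text)
    verdicts = {}
    for ip, port, product, version in alerts:
        got = seen.get((ip, port))
        if got is None:
            verdicts[(ip, port)] = "unverified"      # host down, filtered or not fingerprinted
        elif got == (product, version):
            verdicts[(ip, port)] = "confirmed"       # banner matches what the alert claims
        else:
            verdicts[(ip, port)] = "mismatch"        # e.g. a newer version: likely false positive
    return verdicts

# Constructed alerts: hosts the IDS claims run the vulnerable ExampleMTA 3.0 on 25/tcp.
ALERTS = [("192.0.2.10", 25, "ExampleMTA", "3.0"), ("192.0.2.11", 25, "ExampleMTA", "3.0"),
          ("192.0.2.12", 25, "ExampleMTA", "3.0")]
if __name__ == "__main__":
    print(triage(ALERTS, NMAP_XML))
```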

Saturday, October 04, 2008

Quest for a handphone

For me, be it iPhone, Nokia or whatever it is, the requirements are quite simple.

Must:

1) Rock hard solid operating system
2) No or few Java-based applications
3) The ability to text and call.
4) A camera, but not a fancy one.
5) A universal battery charger.
6) Wifi / Bluetooth enabled, meeting the I3E standard.
7) An email client that supports OWA/POP3S/SMTPS.


Extra:

1) A mobile accounting package that can be synced back to a normal accounting application such as GnuCash.
2) Can export/import the phone book in CSV format.
3) Can be synced easily to a PC / MacBook.
4) Can run Karmetasploit. (Am I asking too much?)