AverageSecurityGuy

Security, Programming, Pentesting


Why Evolution is True

I know this is off topic for this blog, but it's my blog, so here goes. I was raised as a Christian, and still hold to the Christian faith. As a part of my upbringing I was always taught that evolution was not true. Not wanting to blindly believe this, I decided to learn more about it and see if the arguments for evolution stand to reason. With this end in mind I bought the book "Why Evolution is True" by Jerry A. Coyne and started reading it tonight. I have read the Preface, Introduction, and first chapter. Evolution, like many other scientific theories, has been studied for over a hundred years by people much smarter than I, so I don't expect to read this book and be able to prove or disprove the arguments. My primary goal, for now, is to ask questions and, once those questions have been satisfactorily answered, draw my conclusions. With that in mind, these are some of my observations and questions from what I've read so far.

Chapter 1:
On pages 9 and 10, Dr. Coyne says,

"Matchbooks resemble the kinds of creatures expected under a creationist explanation of life. In such a case, organisms would not have common ancestry, but would simply result from an instantaneous creation of forms designed de novo to fit their environments. Under this scenario, we wouldn't expect to see species falling into a nested hierarchy of forms that is recognized by all biologists."

My question here is: why does creation imply disorder? Is it not feasible for an entity that is powerful enough to create everything we know to also do it in an orderly manner? If creation was done in an orderly manner, why would we not expect to see a nested hierarchy of forms and similarities in DNA structure?

On page 11, Dr. Coyne says,

"Over time, the population will gradually become more and more suited to its environment as helpful mutations arise and spread through the population, while deleterious ones are weeded out."

This would seem to imply that over the course of tens of thousands of years there were no drastic changes to the environment; otherwise natural selection would not be able to keep up. Do other areas of science show these long periods of time with no drastic changes to the earth's environment?

On page 18, Dr. Coyne says,

"Imperfection is the mark of evolution, not of conscious design. We should then be able to find cases of imperfect adaptation, in which evolution has not been able to achieve the same degree of optimality as would a creator."

This statement doesn't seem to be provable and it also assumes that optimality is the ultimate goal of a creator. There is no reason that what we see as imperfection could not be purposely designed.

The next chapters get into the science behind evolution and I look forward to reading them. I hope to do additional blog posts as I move through the book.

PTArticlegen.com: Behind the Scenes

The other day I put up a site called ptarticlegen.com that creates a random penetration testing article using Markov chains. If you've never heard of a Markov chain, check out the Wikipedia article. Put simply, a Markov chain is generated by making a random choice based on the current state of a system and using that choice to determine the next state of the system. The next state depends only on the current state, not on the whole sequence of choices that led up to it.

Markov chains can be used to generate sentences by taking a word pair and choosing the next word from a list of words that typically follow that word pair. But first, a set of source data has to be analyzed to find word pairs and create a list of words that typically follow those word pairs.

As an example consider these two sentences:
The fox jumped over the spoon.
The cow jumped over the moon.

The word pairs and the list of following words would look like this:

(The, fox) - [jumped]
(fox, jumped) - [over]
(jumped, over) - [the, the]
(over, the) - [spoon, moon]
(The, cow) - [jumped]
(cow, jumped) - [over]

If we use (The, fox) as our starting word pair we can generate the sentence, "The fox jumped over the moon" by making the following choices:

(The, fox) -> jumped
(fox, jumped) -> over
(jumped, over) -> the
(over, the) -> moon

To create the articles I wrote a Python script to analyze 600 sentences taken from my blog and then generate new sentences based on the analysis. I also used Python and web.py to create the web site. The Markov chain code I wrote is a modification of code from these two excellent resources. You can get the source code for ptarticlegen.com from my Github account.
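As an added illustration (my own code, not the ptarticlegen.com source), here is a small order-2 Markov generator trained on the two sentences above. `build_chain` produces exactly the word-pair table shown earlier, and `generate` walks the chain from a starting pair, choosing each next word only from the followers of the last two words. The corpus is the constructed two-sentence sample from the post; swap in your own sentences to get the article generator.

```python
import random
from collections import defaultdict

# Constructed sample corpus: the two sentences from the post.
SENTENCES = [
    "The fox jumped over the spoon.",
    "The cow jumped over the moon.",
]


def build_chain(sentences, order=2):
    """Map each word pair (tuple of `order` words) to the list of words that followed it.
    Duplicates are kept on purpose: a follower seen twice is twice as likely to be chosen."""
    chain = defaultdict(list)
    for sentence in sentences:
        words = sentence.split()
        for i in range(len(words) - order):
            chain[tuple(words[i:i + order])].append(words[i + order])
    return dict(chain)


def start_pairs(sentences, order=2):
    """Word pairs that begin a sentence, so generated text starts the way the corpus does."""
    return [tuple(s.split()[:order]) for s in sentences if len(s.split()) >= order]


def generate(chain, start, rng, max_words=40):
    """Walk the chain from `start`: the next word depends only on the last `order` words."""
    words = list(start)
    order = len(start)
    while len(words) < max_words:
        followers = chain.get(tuple(words[-order:]))
        if not followers:            # dead end: no sentence in the corpus continued this pair
            break
        words.append(rng.choice(followers))
        if words[-1].endswith("."):  # sentence boundary reached
            break
    return " ".join(words)


def generate_article(sentences, count, seed=0):
    """Generate `count` sentences from a corpus; a fixed seed makes the output reproducible."""
    rng = random.Random(seed)
    chain = build_chain(sentences)
    starts = start_pairs(sentences)
    return [generate(chain, rng.choice(starts), rng) for _ in range(count)]


if __name__ == "__main__":
    for line in generate_article(SENTENCES, 3):
        print(line)
```

With only two source sentences the generator can produce four distinct sentences (the fox or the cow, over the spoon or the moon); the 600 blog sentences behind ptarticlegen.com give it far more branching points. Keeping duplicate followers in the lists is what makes common continuations more likely than rare ones.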

ADSelfService Plus Account Enumeration

On a recent pentest I came across an externally accessible ADSelfService Plus server. ADSelfService Plus is sold by ManageEngine and is designed to allow users to reset and unlock their own Active Directory (AD) accounts. To use the service, the user is required to register and configure multiple security questions. After playing with the server for a while, I determined that attempting to reset the password of an unregistered user resulted in an error while attempting to reset the password of a registered user displayed the user's security questions. This meant I could enumerate user accounts and the associated security questions.

Using Python and a list of common first and last names I developed a script, ad_self_service_miner.py, that would enumerate user accounts and capture the security questions. The script is available on my Github account. To use the script you will need to set the server and domain. The domain information is available on the account reset page.

server = 'https://server'
domain = 'DOMAIN'

You will also need to modify the username format. In my case the username was First.Last. Keep in mind that in most Windows environments the AD username typically matches the username portion of the email address, so a quick Google search should yield the correct username format.

user = "{0}.{1}".format(f.capitalize(), l.capitalize())

After you modify the script, get a list of first names and last names and save them to firstnames.txt and lastnames.txt, respectively, in the same directory as the script. Finally, let the script run. All user accounts and security questions will be stored in ad_self_service_miner.log also in the same directory as the script.

I tested approximately 20,000 username combinations and was able to enumerate 132 user accounts along with the associated security questions. The hard part is going through the process of finding the answers to the questions, which I didn't do on this engagement.

You can find ADSelfService Plus devices using this Google search.

I spoke with ManageEngine about this vulnerability and was informed that there is a configuration setting to place a CAPTCHA on the account reset page, which will help prevent automated brute-forcing.
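To make the defensive point concrete, here is an added example (my own code, not ManageEngine's and not the ad_self_service_miner.py script) that simulates the two behaviours side by side: a reset lookup that answers differently for enrolled and unknown usernames, which is the oracle the post describes, and an assumed hardened design that answers identically for every username and defers the security questions until a second channel confirms the caller. It also runs a simple enumeration detector over constructed reset-endpoint log lines, flagging a source that tries many distinct usernames with mostly "not enrolled" results. The enrollment data, log format and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed enrollment data for the simulation (not real accounts).
ENROLLED = {
    "jane.doe": ["What was the name of your first pet?", "What city were you born in?"],
}


def reset_lookup_leaky(username):
    """Behaviour the post describes: enrolled users get their questions back, everyone else
    gets an error, so the response alone confirms whether the account exists."""
    if username in ENROLLED:
        return {"status": 200, "questions": ENROLLED[username]}
    return {"status": 404, "error": "user not enrolled"}


def reset_lookup_uniform(username):
    """Assumed hardened design: the same response for every username. The questions are only
    shown after a second factor (e.g. a link sent to the enrolled address) proves the caller
    controls the account; a CAPTCHA or rate limit sits in front of this step as well."""
    _ = username in ENROLLED  # the lookup still happens, but its result never reaches the caller
    return {"status": 200, "message": "If this account is enrolled, further instructions have been sent."}


def responses_distinguishable(handler, usernames):
    """True if at least two usernames produce different responses, i.e. the endpoint is an oracle."""
    seen = {str(sorted(handler(u).items())) for u in usernames}
    return len(seen) > 1


# Constructed log lines in a hypothetical "timestamp ip POST /reset user=... status=..." format.
LOG_LINES = """\
2024-03-01T09:00:01 203.0.113.9 POST /reset user=john.smith status=404
2024-03-01T09:00:02 203.0.113.9 POST /reset user=jane.doe status=200
2024-03-01T09:00:02 203.0.113.9 POST /reset user=mary.jones status=404
2024-03-01T09:00:03 203.0.113.9 POST /reset user=james.brown status=404
2024-03-01T09:00:03 203.0.113.9 POST /reset user=linda.davis status=404
2024-03-01T09:00:04 203.0.113.9 POST /reset user=robert.miller status=404
2024-03-01T09:00:04 203.0.113.9 POST /reset user=patricia.wilson status=404
2024-03-01T09:05:10 198.51.100.7 POST /reset user=jane.doe status=200
2024-03-01T09:05:40 198.51.100.7 POST /reset user=jane.doe status=200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) POST /reset user=(\S+) status=(\d+)$")


def flag_enumeration(lines, max_distinct_users=5):
    """Per source address, count distinct usernames tried and the share of 'not enrolled' errors.
    Many distinct names with mostly errors is the footprint of name-list enumeration."""
    users, errors, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _, ip, user, status = m.groups()
        users[ip].add(user)
        total[ip] += 1
        if status == "404":
            errors[ip] += 1
    return {
        ip: {"distinct_users": len(u), "error_ratio": round(errors[ip] / total[ip], 2)}
        for ip, u in users.items()
        if len(u) > max_distinct_users
    }


if __name__ == "__main__":
    probes = ["jane.doe", "no.such.user"]
    print("leaky oracle:", responses_distinguishable(reset_lookup_leaky, probes))
    print("uniform response:", responses_distinguishable(reset_lookup_uniform, probes))
    print("flagged sources:", flag_enumeration(LOG_LINES))
```

The uniform handler still performs the lookup so that timing stays similar for both cases; a response-time gap is another oracle worth checking for. The detector's threshold is deliberately low for the sample; in production it would be tuned to the site's normal volume of reset requests per source.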

Introducing KnownPlainText.co

As a pentester, I often gain access to a Windows domain controller and dump the hashes. I can use pass-the-hash to log in to other Windows machines with those credentials, but if I want to log in to web services or databases as those users, I need to crack the passwords. Typically, I would break out JtR, Ophcrack, rcracki_mt, or Hashcat. With Ophcrack or rcracki_mt, it can take anywhere from 30 minutes to many hours to crack all of the passwords, depending on the number of hashes in the file. In addition, you have to store gigabytes of rainbow-table data files. With JtR or Hashcat, you have a similar wait time and you have to maintain extensive word lists and mangling rules. In addition, most of the passwords you test will not meet the Windows complexity requirements, which are common in large organizations.

KnownPlainText.co is different. It uses a database to store pre-computed hashes based on the most common base words and password mangling rules, and all of the passwords meet the Windows complexity requirements. The initial database was built from public password breaches such as RockYou and Facebook. As users upload new password hashes, the database will be updated with new base words and password mangling rules, becoming more efficient over time.

The value of KnownPlainText.co comes from the time/effectiveness trade-off. You can spend hours cracking 100% of passwords, or you can crack 10-20% of the passwords immediately. Over the course of the year, the time and money you save will completely pay for the service.

Please check out the site for more details and feel free to provide constructive feedback.

Twitter Single User Oauth

I was helping a friend with a Python script he was using to query the Twitter search API and I decided I wanted to write a simple Twitter client in Python. Twitter allows users to use two OAuth authorization methods, three-legged and single user. Most OAuth examples and libraries are centered around three-legged authorization, which requires an application to call a Twitter authentication page so the user can input his or her username and password, and then call back to another URL with the necessary access tokens. This sounded overly complex for what I wanted, so I started looking at single user authorization. I am sure the standard OAuth libraries can handle single user authorization just as well as three-legged authorization, but I also wanted to understand the OAuth protocol better, so I wrote my own single user OAuth module using the information here and here. This module integrates with the Python Requests library, so accessing Twitter is as easy as:

import requests
import twitter_auth

# consumer_key, consumer_secret, access_token and access_token_secret come
# from the application you create at dev.twitter.com (see below).
ssn = requests.Session()
ssn.auth = twitter_auth.TwitterSingleOAuth(consumer_key,
                                           consumer_secret,
                                           access_token,
                                           access_token_secret)

resp = ssn.get('https://api.twitter.com/1.1/statuses/mentions_timeline.json')
print(resp.json())

To use the library you will need to sign in to dev.twitter.com and create a new application and get your consumer key, consumer secret, access token, and access token secret. Don't share the consumer secret or the access tokens with anyone, including Github. You can find the Twitter single user OAuth library here.
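For readers who want to see what the module has to do under the hood, here is an added example of single-user OAuth 1.0a signing written for this post; it is my own code and not the twitter_auth module, so class and function names differ. It builds the signature base string (method, base URL and the sorted, percent-encoded parameters), signs it with HMAC-SHA1 under the key `consumer_secret&token_secret`, and emits the `Authorization: OAuth ...` header. The object is a plain callable that accepts a prepared request, which is all Requests asks of an `auth` object, so `ssn.auth = TwitterSingleUserOAuth(...)` works without importing Requests here. `twitter_docs_example` pins the nonce and timestamp to the demo values from Twitter's public "Creating a signature" walkthrough (demo credentials, not live ones) so the resulting base string can be compared with that walkthrough; real requests generate a fresh nonce and timestamp every time.

```python
import base64
import hashlib
import hmac
import secrets
import time
from collections import namedtuple
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

Signed = namedtuple("Signed", "header signature base_string")


def pct(value):
    """OAuth 1.0a percent-encoding (RFC 3986): only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(scheme://host/path) & enc(k=v&k=v..., sorted by encoded key, then value)."""
    parts = urlsplit(url)
    base_url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Signing key is enc(consumer secret)&enc(token secret); signature is base64 of the HMAC-SHA1."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


class TwitterSingleUserOAuth:
    """Single-user OAuth: the app's consumer key/secret plus one pre-issued access token/secret.
    Instances are callables taking a prepared request, which is all Requests needs from `auth`."""

    def __init__(self, consumer_key, consumer_secret, access_token, access_token_secret):
        self.consumer_key = consumer_key
        self.consumer_secret = consumer_secret
        self.access_token = access_token
        self.access_token_secret = access_token_secret

    def sign(self, method, url, body_params=(), nonce=None, timestamp=None):
        """Build the Authorization header for one request; nonce/timestamp can be pinned for tests."""
        oauth = {
            "oauth_consumer_key": self.consumer_key,
            "oauth_nonce": nonce or secrets.token_hex(16),
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
            "oauth_token": self.access_token,
            "oauth_version": "1.0",
        }
        # Every parameter the server will see is signed: oauth_*, the URL query, and the form body.
        query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        base = signature_base_string(method, url, list(oauth.items()) + query_params + list(body_params))
        oauth["oauth_signature"] = hmac_sha1_signature(base, self.consumer_secret, self.access_token_secret)
        header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
        return Signed(header, oauth["oauth_signature"], base)

    def __call__(self, r):
        """Requests hook: r is a PreparedRequest with method, url, headers and body."""
        body_params = []
        if r.body and r.headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            body = r.body.decode() if isinstance(r.body, bytes) else r.body
            body_params = parse_qsl(body, keep_blank_values=True)
        r.headers["Authorization"] = self.sign(r.method, r.url, body_params).header
        return r


def twitter_docs_example():
    """Sign the request from Twitter's public 'Creating a signature' walkthrough.
    The key, token, secrets, nonce and timestamp are that walkthrough's demo values."""
    auth = TwitterSingleUserOAuth(
        "xvz1evFS4wEEPTGEFPHBog",
        "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw",
        "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
        "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE",
    )
    return auth.sign(
        "POST",
        "https://api.twitter.com/1.1/statuses/update.json?include_entities=true",
        [("status", "Hello Ladies + Gentlemen, a signed OAuth request!")],
        nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
        timestamp=1318622958,
    )


if __name__ == "__main__":
    signed = twitter_docs_example()
    print(signed.base_string)
    print(signed.header)
```

Two details trip up most hand-rolled implementations: the parameter string is percent-encoded a second time when it is joined into the base string, and body parameters of form-encoded POSTs must be signed along with the query string, or the server's recomputed signature will not match. Since the signature covers the timestamp and a nonce, a captured header cannot be replayed later, which is why fresh values are generated per request.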

Have fun, and as always, let me know if there are any problems.