Running RatProxy in a Windows and cygwin environment

September 12, 2012

RatProxy can be considered a specialized protocol analyzer for interpreting HTTP transactions. Suppose there is a web transaction that you are curious about. For example, a response echoes user-supplied text back to you, and you suspect this may indicate that cross-site scripting (XSS) is possible.

Preparation:

  1. I found How to Setup RatProxy on Windows to be a useful resource for installing Cygwin and RatProxy on Windows.
  2. The Firefox addon Elite Proxy Switcher is more than sufficient to make changing proxy settings simple.
  3. The 7-zip archive utility is used by the batch file which follows. Neither the batch file nor the utility are required, but you may find them convenient.
  4. Add a batch file (preserve.bat) to the c:\cygwin\bin folder:

    @echo off
    rem Usage: preserve <project>
    rem Run from C:\cygwin\ratproxy (the working directory in the steps below); paths are relative to that folder.
    if (%1)==() goto ERRPARM
    rem Keep the report under the project name (report.html becomes <project>.html).
    ren ..\ratproxy\report.html %1.*
    rem Archive the trace files and the log beside it, then remove the traces for the next capture.
    "C:\Program Files\7-Zip\7z.exe" a ..\ratproxy\%1.zip ..\ratproxy\*.trace ..\ratproxy\ratproxy.log
    del ..\ratproxy\*.trace
    goto EXIT
    :ERRPARM
    echo Name for report and zip file is required.
    :EXIT

With that preparation complete, and with Firefox ready to submit your interaction:

  1. Open a command shell (cmd.exe).
  2. Paste these two lines into the command window:

    cd C:\cygwin\ratproxy
    ratproxy.exe -v c:\cygwin\ratproxy -w ratproxy.log -p 8080 -lextifscijmXC

    This creates a web proxy on port 8080. The “-lextifscijmXC” options may not be appropriate for your testing; see the RatProxy documentation.

  3. Change your browser to use this proxy (localhost:8080). Traffic that passes through the browser will now go through RatProxy.
  4. Your test traffic occurs here.
  5. In the command window (from step 2) press Ctrl+C to quit RatProxy.
  6. Undo the browser proxy changes (from step 3).
  7. Create the RatProxy report by pasting these four lines into the command window (from steps 2 and 5). This runs the report in a bash shell.

    C:\cygwin\Cygwin.bat
    cd /ratproxy
    ./ratproxy-report.sh ratproxy.log > report.html
    logout

    This will require another Enter.

    C:\cygwin\ratproxy\report.html, C:\cygwin\ratproxy\ratproxy.log and one or more .trace files in the C:\cygwin\ratproxy\ folder will contain the results of your testing. These .trace files are not Wireshark-compatible packet captures; they are RatProxy's own interpreted protocol analyzer results.

  8. Clean up. To associate the report.html file with the .trace files and to prepare for the next traffic capture, I added a batch file (preserve.bat, shown under Preparation above) to c:\cygwin\bin. In the command window (from steps 2, 5 and 7), enter

    preserve <project>

    where <project> is a term you choose to remember what you were testing.

    You will now have a <project>.html file and a <project>.zip file in C:\cygwin\ratproxy\. You can close the command window.

In the html file you will see each POST transaction followed by a [view trace] hyperlink (such as c:\cygwin\ratproxy/506875b7-2ac4.trace). The hyperlink itself does not work, but it does indicate which of the .trace files to associate with this POST transaction.


Microsoft Attack Surface Analyzer Error Message

August 5, 2012

Q: I have “Microsoft .NET Framework 4 Client Profile” installed, but when installing Microsoft Attack Surface Analyzer I get the message:

You are attempting to install Attack Surface Analyzer on a system without .Net 4 or above.  If you continue with the installation, only the command-line executable asa.exe and the data collection components of Attack Surface Analyzer will be installed.  To continue with installation, click Next.  If you do not want to continue with installation, click Cancel.

A: Do you also show “Microsoft .NET Framework 4 Extended” installed? If not, then install it before installing Microsoft Attack Surface Analyzer. Alternatively, the command-line executable asa.exe is not such a bad idea.


HBGary Compromise Debriefing

August 2, 2012

A web application SQL injection vulnerability disclosed accounts and passwords.

Mitigation: Test, sanitize input, and use library routines instead of creating your own sanitization routines.
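As an added example (not from the post), the same account lookup written first with string concatenation and then with the library's parameterized query, run against a constructed in-memory SQLite table with placeholder hash values:

```python
"""Vulnerable vs. parameterized account lookup (constructed example)."""
import sqlite3

# Constructed sample data: two accounts with placeholder hash values.
ACCOUNTS = [
    ("alice", "HASH_PLACEHOLDER_A"),
    ("bob", "HASH_PLACEHOLDER_B"),
]


def make_db():
    """Build a throwaway in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: the input becomes part of the SQL text, so a quote
    # character in the input changes the structure of the query.
    sql = "SELECT username, pw_hash FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Mitigation from the post: let the database library bind the value.
    # The input is always treated as data, never as SQL syntax.
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return row counts for a normal and a tainted username under both lookups."""
    conn = make_db()
    normal = "alice"
    tainted = "nobody' OR '1'='1"  # turns the WHERE clause into a tautology
    return {
        "unsafe_normal": len(lookup_unsafe(conn, normal)),
        "unsafe_tainted": len(lookup_unsafe(conn, tainted)),  # every row leaks
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_tainted": len(lookup_safe(conn, tainted)),      # no such user: 0 rows
    }


if __name__ == "__main__":
    print(demo())
```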

Passwords were stored as MD5 hashes with no salt. This enables the plaintext passwords to be recovered offline, using rainbow tables.

Mitigation: MD5 is broken. Salt the hashes to make the use of precomputed password hashes (rainbow tables) impractical.
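As an added example (not from the post), the unsalted MD5 store beside a salted one, with a small constructed guess table standing in for a rainbow table; PBKDF2 is my choice of salted, iterated hash for the illustration, the post itself only calls for a salt:

```python
"""Unsalted MD5 vs. salted, iterated hashing (constructed example)."""
import hashlib
import hmac
import os

# Constructed "precomputed table": a rainbow table stands in the same
# relation to MD5 as this dictionary does, only far larger.
GUESSES = ["password", "letmein", "123456", "qwerty"]
PRECOMPUTED_MD5 = {hashlib.md5(g.encode()).hexdigest(): g for g in GUESSES}


def store_md5(password):
    """How the compromised system stored passwords: MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_md5(digest):
    """One lookup recovers every account that used the password;
    the work was done once, in advance."""
    return PRECOMPUTED_MD5.get(digest)


def store_salted(password, salt=None, iterations=100_000):
    """Mitigation: random per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt_hex, iters, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def demo():
    """Two users who chose the same password, stored both ways."""
    users = {"alice": "password", "bob": "password"}
    md5_store = {u: store_md5(p) for u, p in users.items()}
    salted_store = {u: store_salted(p) for u, p in users.items()}
    return {
        # Identical digests: one table hit cracks both accounts.
        "md5_identical": md5_store["alice"] == md5_store["bob"],
        "md5_recovered": [recover_md5(d) for d in md5_store.values()],
        # Distinct salts: same password, different stored values, and
        # no table computed in advance applies to either of them.
        "salted_identical": salted_store["alice"] == salted_store["bob"],
        "salted_verify_ok": verify_salted("password", salted_store["alice"]),
        "salted_verify_bad": verify_salted("letmein", salted_store["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```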

The accounts and passwords were used for initial access to a server.

Two-factor authentication would mitigate this.

A local vulnerability on the server enabled root access to the server.

Patch deployment would mitigate this.

The content management system password was the same as the email management service.

Do not reuse passwords.

Control of the email system enabled social engineering access to other vendors, since the attacker appears to be their trusted partner.


Metawebsites

July 19, 2012

Metawebsites would be web sites about web sites.

Note: In what follows, the example.com domain is used as an illustrative example (see RFC 2606).

General utility

Hurricane Electric’s BGP Toolkit offers insight into the structure of the internet. Find all of the network ranges assigned to Amazon using:

http://bgp.he.net/search?search%5Bsearch%5D=amazon

Robtex Swiss Army Knife Internet Tool

http://www.robtex.com/dns/example.com.html#result

CentralOps.net features the Domain Dossier to investigate domains and IP addresses. Get one report with registrant information, DNS records, and more. It can also scan for FTP (21), SMTP (25), HTTP (80), POP3 (110) and IMAP (143) services.

T1Shopper (a telecom services comparison resource) has traceroute, ping, NSLookup, Whois, Port Scan, a subnet calculator, a file size conversion calculator, a file transfer time and data transfer speed calculator, a catalog of speedtest sites, an HTTP header viewer and a dictionary of telecom and internet service terms.

Cisco’s SenderBase.org provides a view into real-time threat intelligence across web and email. SenderBase is powered by Cisco Security Intelligence Operations (SIO), a cloud-based capability which analyzes over 100TB of daily security intelligence across over 1.6 million deployed Web, Email, Firewall and IPS appliances. SIO continuously evolves its defenses by looking across multiple security platforms with a global sensor network, brought together and analyzed in the cloud, then delivered back to Cisco customers every 3-5 minutes for protection that goes beyond blacklists and reputation. SIO’s intelligence is augmented by a network of traps, crawlers, third-party partnerships and threat research.

showsiteinfo.org Check links (out and in), speedtest, keywords, description

http://www.showsiteinfo.org/search?name=example.com

MxToolbox focuses on email-oriented DNS and network configuration information.

DNSqueries.com is a large collection of utilities (Domain Health Check, Ip Neighbors, Check IP on RBLs, Reverse lookup DNS, Perform DNS query, Dns Traversal, Get ip geo location, Server banner check, RegExp Tester, Encrypter, IPv4 converter, Http Headers, Ping tool, Traceroute utility, Googlebot Simulator, Check your SMTP server, Http Gzip Test, Keyword Density Analyzer, Whois Lookup, Live port scanner, and Mx Lookup). The Live port scanner is a noisy scanner (which crashed with a “512” when I used it), but at least it’s not your IP address that will be blocked if someone notices the scan.

DigWebInterface puts unix dig (domain information groper) in a web interface, for DNS troubleshooting.

myip.ms Whois

dazzlepod.com Whois, Host Services (nmap query), Visual Traceroute

centralops.net/co Reverse DNS

VirusTotal Passive DNS https://www.virustotal.com/en/ip-address/xx.xx.xx.xx/information/

Farsight pDNS passive DNS

Site Dossier passive DNS http://www.sitedossier.com/ip/x.x.x.x

tcpiputils.com is another collection of utilities (DNS Lookup (root servers), Email Test, DNS Blackhole List, Ping, Domain Neighbors, MAC Address Lookup (vendor identification), W3C Validator, Geo Targeting SEO, Reverse TinyURL).

ipvoid.com DNS Blacklist (DNSBL) Lookup

nsZones.com offers a DYN Database IP Check http://www.nszones.com/dyn.ip?xx.xx.xx.xx as well as Domain Name System Block List (DNSBL) services for the following zones:

  • bl.nszones.com combination of sbl.nszones.com and dyn.nszones.com in a single zone.
  • sbl.nszones.com (Open Relay, Hijacked PCs, Spam Source)
  • dyn.nszones.com (Dynamic, ADSL, Cable, no PTR Networks)
  • ubl.nszones.com (Domain Names, PTR of Dynamic Networks)

The Composite Blocking List (CBL) lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, dictionary mail harvesters etc.

gwebtools.com Whois, DNS Tools, Port Scanner, IP Subnet Calculator, Name Server Spy (what domains are hosted on a name server?), Domain Checker, SEO Tools, Bit Calculator (how many bits in a petabyte?), My IP

TechnicalInfo.net is a collection of passive information gathering tools, many of which fail by redirecting to swisscom. Includes some of the Sam Spade tools, which can tell you what others can easily learn about you. The Sam Spade tools look up DNS and domain information. The Sam Spade tools are frequently under revision, but one stable source is petri.co.il.

XSSposed is the new home of examples of cross-site scripting (XSS) exploits that people have discovered and reported. Keep RSnake’s XSS Cheat Sheet handy. XSSed is not being updated.

Project Un1c0rn is a search engine exposing open, vulnerable and weak services (leaking mysql, mongo and heartbleed).

Cookiepedia aims to build a comprehensive knowledge base about website cookies and similar technologies.

BFK DNS Logger As a service to CERTs and incident response teams, BFK uses passive DNS replication to collect public DNS data. Compared to the ordinary domain name system, this database adds further search capabilities.

Search Engine Optimization (SEO)

Expectations. It’s all about expectations. Getting a search engine to refer to your web site appropriately requires an understanding of what the search engine crawler does, what it expects to find, and how to address those expectations.

Alexa is the leading provider of free, global web metrics. SEO focused.

http://www.alexa.com/siteinfo/example.com

Google Analytics

siteshakedown.com aggregates from various sources to provide the site’s general company information, internet traffic rank, social popularity, twitter feeds, and more. SEO focused.

http://www.siteshakedown.com/q/www.example.com

SpyOnWeb.com Enter website url, ip address, google adsense or google analytics code and find out what resources belong to the same owner. SEO focused.

http://spyonweb.com/example.com

push2check.com aggregates various services. Many are SEO focused.

http://push2check.com/example.com

HubSpot’s Marketing Grader SEO focused.

Of particular interest are the HTML testing sites. Humans don’t notice a lot of HTML errors; search bots have been trained to correct and understand mistakes. Nonetheless, a valid HTML document has more chance of being correctly displayed in current browsers and updated browsers.

StatsCrop.com is a web service that lets you explore any website’s information and its history. Understand your website traffic or a competitor’s. SEO focused.

http://www.statscrop.com/www/example.com

Markosweb web site monitoring, SEO focused.

http://www.markosweb.com/www/example.com/

pandastats web site monitoring, SEO focused.

http://example.com.pandastats.net/

hostlogr web site monitoring, SEO focused.

http://example.com.hostlogr.com/

craftkeys web site monitoring, SEO focused.

http://craftkeys.com/site-info/example.com

pageglance web site monitoring, SEO focused.

http://www.pageglance.com/example.com

Reputation

webutation.net aggregates from various reputation rating sites.

http://www.webutation.net/go/review/example.com#

scamvoid.com also aggregates reputation information

http://scamvoid.com/check/example.com

urlvoid.com aggregates reputation information as well.

http://urlvoid.com/scan/example.com

ProjectHoneyPot Project Honey Pot is an open source initiative to track abuse, fraud, and other malicious behavior that occurs online. The Project tracks more than a million IP addresses engaged in suspicious behavior each day and reports on them through its website.

Honeynet Project map

PhishTank.com is a collaborative clearing house for data and information about phishing on the Internet.

Web of Trust Unfortunately, no one checks to see what the community has reported in order to interpret the WoT score. They look no further than the raw score. The WoT raw score is largely useless; if it is low, then why? What is the complaint? Two “very poor” ratings can result in a poor reputation score. If it is high, then why? Perhaps only one person bothered to rate it.

Malware reported

These are historical (not on-demand, “check now”) malware detection services.

Google’s Safe Browsing Diagnostic Tool reports if malware was detected while crawling and reports networks (ASNs).

http://www.google.com/safebrowsing/diagnostic?site=example.com

StopBadware.org reports if malware was reported. Does not do detection itself.

scumware.org Was any malware detected? Search by MD5, IP address, hostname or the beginnings of a URL (such as example.com). Add a URL to the list of URLs to crawl.

Sucuri Sitecheck https://sitecheck.sucuri.net/results/example.com

Malware URL checks sites using VirusTotal, Wepawet, Anubis and Threat Expert. Was any malware detected?

VirusTotal Was any malware detected? https://www.virustotal.com/en/ip-address/xxx.xxx.xxx.xxx/information/

Clean-MX Was any malware detected?

http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&domain=example.com

AVG Online Web Page Scanner Was any malware detected?

http://www.avgthreatlabs.com/sitereports/domain/example.com/domain-search-widget/www.avg.com.au

F-Secure Was any malware detected?

Norton Safe Web Was any malware detected?

http://safeweb.norton.com/report/show?url=example.com

Malware Domain List All domains on this website should be considered dangerous. If you do not know what you are doing here, it is recommended you leave right away. This website is a resource for security professionals and enthusiasts.

http://www.malwaredomainlist.com/mdl.php?search=example.com&colsearch=All&quantity=50

McAfee Site Advisor Any malware detected? Do any of the sites this site links to have malware?

http://www.siteadvisor.com/sites/example.com

McAfee TrustedSource Any malware detected? Do any of the sites it links to have malware? I do not see how the roles of Site Advisor and TrustedSource differ.

Trend Micro Web Reputation Any malware detected?

URL Blacklist Check blacklists.

URIBL Check blacklist.

Malware detection

Unmask Parasites Tests in real time for evidence that the web site has been hacked.

http://www.unmaskparasites.com/security-report/?page=http%3A//example.com

urlQuery.net is a (beta) service for detecting and analyzing web-based malware. It provides detailed information about the actions a browser takes while visiting a site and presents the information for further analysis. It uses Intrusion Detection Systems (IDSs) (Suricata with Emerging Threats and Snort with VRT), reports about the ASN, reviews the JavaScript, and reports requests and responses.

hosts-file.net maintains net block lists and links to many web site information sources.

http://hosts-file.net/default.asp?s=example.com

Of particular interest is vURL Online. Quickly and safely dissect malicious or suspect websites.

http://vurldissect.co.uk/default.asp?url=http%3A%2F%2Fexample.com&btnvURL=Dissect&selUAStr=1&selServer=1&ref=&cbxLinks=on&cbxSource=on&cbxBlacklist=on

The following message from hpHOSTS (about the IP address not matching the PTR record) should not influence your decision to trust the website or ISP. Consult the IP reverse DNS feature of robtex.com or the Domain Dossier feature of CentralOps.net as a convenient mechanism to review DNS records. I find that the IP address often matches the PTR record, contrary to the message.

WARNING: The IP PTR associated with this record, does not resolve. This is considered very bad practice and contravines (sic) the RFC Standards. Most legit ISP’s will have their PTR’s resolve to an IP.


Cannot connect to iTunes Store

June 15, 2012

On your iPhone, the AppStore indicates that you have updates waiting. You choose to “Update All” (or choose a specific App and “Update”). You get the response “Cannot connect to iTunes Store”. You notice that other updates can be installed; only a specific update failed.

You are not going to be able to update the app. Uninstall and reinstall the app to get the update. Deleting the app will also delete all of its data.

If this fails:

  • Hard reset
  • (Settings, General, Reset) “Reset All Settings”

iPhone Wireless Network Management

June 15, 2012

The current situation enables anyone to create a hotspot with the same name and password as a popular known wireless network, and some iPhones will use it. This occurs when the iPhone has connected to a network (you have made it a “known network”) and “known networks will be joined automatically.” This assumes that you will trust any network with that name. iPhone users who have used those known wireless networks will seamlessly connect to the impostor. This exposes them to theft of personal information.

Currently, there are two approaches to removing a known WiFi network from an iPhone (4s, iOS 6):

1. Be in range of a hotspot of the network you want to remove. Go to settings, WiFi. Click on the blue arrow to the right of the network and use the “forget this network” button.

  • This assumes that you know which networks you have connected to. This is frequently not the case.
  • This assumes that you can visit each network. This is not always practical.

2. Use “Reset Network Settings” to delete all known WiFi networks. Rebuild only the ones you want, by visiting the networks.

  • The rebuild could be laborious, prone to error and frustrating.
  • This assumes that you know which networks you want to connect to. This is sometimes unlikely.
  • This assumes that you can visit each network you want to connect to. This may not be practical.

The current best practice would be to delete a known network while you are still within range. This is not an easy habit to create.

The fix would be a utility to display known networks and the ability to delete some of the networks.


Firefox Configuration

May 28, 2012

Search

When I type a search term into the address bar it uses Bing to find the term. How do I change that?

In the address bar, type:

about:config

Acknowledge the warning, accept the risk.

Among the many configuration settings, you should see one in bold (indicating that it is “user set,” not the default):

keyword.URL

Right-click and choose “Reset”.

For additional “about” commands, try “about:about”.

Paste

To protect users’ private information, unprivileged scripts cannot invoke the Cut, Copy, and Paste commands in the Mozilla rich text editor, …

A site and protocol (HTTP or HTTPS) control is available through a user.js script.

Extensions

What I’m running:

  • Edit Cookies Update, add, or delete cookies live. No more page refreshes or editing text files. Edit Cookies allows you to change cookies from a convenient screen. Great for web site testing, particularly security tests!
  • Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
  • Flashblock currently blocks Macromedia Flash, Shockwave and Authorware content. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content.
  • FlashFirebug Debug ANY AS3 SWF files on the web. Edit properties and inspect elements. Redirect SWF output to the extension. Run AS3 code and transform objects on the fly. Access SWF assets with the decompiler. View AMF calls and Shared Objects and much more! Requires Firebug.
  • User Agent Switcher You can use this extension to change the user agent of your browser. Useful for web application penetration tests in which you want to check the mobile versions of the websites.
  • Web Developer
  • wmlbrowser Simulate WAP browsing by viewing WML (Wireless Markup Language) pages.
  • XHTML Mobile Profile Firefox does not natively support the mime-type application/vnd.wap.xhtml+xml. This is one of the possible mime-types for XHTML Mobile Profile. This addon adds support for this mime-type.

What I should be running:

  • FireCAT (Firefox Catalog of Auditing exTensions) is a mindmap collection of the most efficient and useful Firefox extensions oriented toward application security auditing and assessment. FireCAT is not a replacement for other security utilities and software such as fuzzers, proxies and application vulnerability scanners.

Other addons:

  • Hackbar Useful for SQL injection and XSS testing. It also includes tools for URL and HEX encoding/decoding and many more.
  • HttpFox Monitor and analyze all the incoming and outgoing HTTP traffic between your browser and the web server.
  • Live HTTP Headers View the HTTP headers of a website instantly.
  • Tamper Data View and modify HTTP/HTTPS headers and post parameters.
  • ShowIP Shows the IP of the current page in the status bar. It also includes information like the hostname, the ISP, the country and the city.
  • OSVDB Open Source Vulnerability Database Search.
  • Packet Storm search plugin Search the Packet Storm database for exploits, tools and advisories.
  • Offsec Exploit-db Search Search the Exploit-db archive.
  • Security Focus Vulnerabilities Search Plugin Search for vulnerabilities in the Security Focus database.
  • Cookie Watcher Watch the selected cookie in the status bar.
  • Header Spy Shows HTTP headers on the status bar.
  • Groundspeed Manipulate the application user interface.
  • CipherFox Displays the current SSL/TLS cipher and certificate on the status bar.
  • XSS Me Tool for testing reflected XSS vulnerabilities.
  • SQL Inject Me Extension to test SQL Injection vulnerabilities.
  • Wappalyzer Discover technologies and applications that are used on websites.
  • Poster Make HTTP requests, interact with web services and watch the output.
  • Javascript Deobfuscator Shows the JavaScript code that is running on web pages.
  • Modify Headers Modify HTTP request headers.
  • FoxyProxy Advanced proxy management tool.
  • FlagFox Displays a country flag for the location of the web server. It also includes tools such as Whois, Geotool, Ping, and Alexa.
  • Greasemonkey Customize the way a webpage behaves by using small bits of JavaScript.
  • Domain Details Displays Server Type, Headers, IP Address, Location Flag, and links to Whois Reports.
  • WorldIP Location of the web server, IP, Datacenter, Ping, Traceroute, RDNS, AS etc.
  • Websecurify Useful for security assessments in web applications.
  • XSSed Search Search the cross-site scripting database at XSSed.com.
  • ViewStatePeeker ASP.NET viewstate viewer.
  • CryptoFox CryptoFox is an encryption/decryption tool for cracking MD5 passwords.
  • Server Spy Unveils the technology of the web server (Apache, IIS etc.).
  • Default Passwords Search CIRT.net default password database.
  • Snort IDS Rule Search Search for Snort IDS Rules.