Would love to see this continued, and other sites following this lead!

(via Google Blog)

Obligatory blog post graphic, to make this more "interesting" Meanwhile, check out the really nice Tonido Plug at http://www.tonidoplug.com/

My internet connection goes down periodically, and I used to have to power cycle the router in order to fix that.  When it started to become too frequent it posed a problem, since I'm too lazy to keep going to the room (my wife too) to restart it.  There's also the option of restarting the router via the web admin interface, but it required me to login, click to the page for restarting, and click "restart"!  Very complicated indeed for lazy people.

Inspired by this hack (Hack a Day) where the guy automated the physical power cycling process, I decided to automate mine too.  Since I have a Tonido plug which is almost always on, and I've just learnt Python too, I decided to go the scripting method.  As they say: to a man with a hammer, everything looks like a nail

A couple of lessons learnt

I was caught by surprise by when reproducing the login and restart sequence exactly didn't work, and I went so far as to reproduce ALL the requests made by a "normal human".  It turned out (after 2 hours and a shower break) that things worked just fine when I simply converted the minimally needed POST parameters to GET parameters.  Nice classic web application hacking trick learnt from my old job as a web application ethical hacker I'd say.

Also, the restart sequence for my router turned out to not only need the form "POST" to request a restart, but also a subsequent request for the "restarting now" status page, interesting...

Download

Note that before you use this, some reverse engineering of the web application calls is needed, and some Python coding too.  You have been forewarned!  Also, I'm not responsible for this script causing you direct/indirect damage in any way, so don't come crying when your lawnmower starts to act crazy because you installed this script.  The script is released under the GPL, and can be downloaded here.

How to install/use

• Edit 'router_host': '10.0.0.1', in line 8
• Reverse engineer the web admin login and restart sequence, see what you need.  I used tools like a transparent proxy (Burp Suite), notepad and some brain grease.
• Hack the restart_router() (lines 43-73) function in the python script according to your needs (you're on your own here...  Alternatively you could offer me a good amount of Coke/chips for me to help you with the reverse engineering/coding somehow )
• Copy into the Tonido plug's /root directory (assume running as root, for simplicity's sake)
• SSH into the Tonido plug as root
• # chmod 400 /root/internet_connection_monitor.py
• # crontab -e
• Add in this line: (makes the script run in the background, 4 minutes after every tonido plug reboot to give the router time to start up)
  @reboot sleep 4m && /usr/bin/python /root/internet_connection_monitor.py &
• Press Alt-X, then "y" to save the new crontab
• Reboot the Tonido plug
• Profit!

What are the risks to note

The script basically is a hardcoded piece of info revealing the password and sequence to your login/router's workings! Make sure the script is chmod'ed properly, and isn't accessible via Tonido's interfaces.  For me I don't have this problem, since I don't allow connecting to my Tonido from outside anyway, and people will have to brute force ssh public keys to get in...

Have fun!

It's normal for the web server to get scanned by other "inquisitive" people/machines/bots, but this tool looks pretty interesting...  Will dig deeper into this later.

The scanners typically try to detect whether I'm running certain vulnerable versions of web apps for them to exploit.  So when the web app does not exist, guess what happens?

This particular scan was interesting, because of the user agent field.  Check it out:

200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /roundcubemail-0.1//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /wm//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /webmail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:06 +0800] "GET /webmail2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /rms//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /mail2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:05 +0800] "GET /mail//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:04 +0800] "GET /mss2//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"
200.6.121.56 - - [17/Jul/2010:14:51:04 +0800] "GET /rc//bin/msgimport HTTP/1.1" 404 136 "-" "Toata dragostea mea pentru diavola"

If anyone knows more about this particular scanner, feel free to comment and share!

Edit (19 Jul): it seems that I've joined the ranks of those who've been scanned one way or another.  Apparently it is in Romanian, meaning "All my love for the devil".

• Adblock Plus: you know what this is for...  Remember to disable when performing penetration testing.
• CacheViewer: Allows for viewing and sorting of cache files.  Seldom used, but a great tool nonetheless when the need comes for it.
• Domain Details: Displays plenty of information about the server (type, headers, IP, location) that you're accessing.  Good for basic information awareness during normal surfing.
• Download Statusbar: View and manage downloads from a tidy statusbar.
• DownThemAll: For fast grabbing of files from a directory.
• Firebug: Powerful tool for web developers that allows you to freely manipulate/view the loaded objects for a page.  I haven't really figured out how to use this for penetration testing yet though.
• Greasemonkey: Could come in very handy if you want to do some mods to a site's page automatically, remember to enable/disable the scripts that aren't needed when on a penetration testing job.
• IE Tab: Don't really use this, unless I get a site that's coded to work only with "browsers like IE".
• iMacros for Firefox: Another powerful macro editing/playback tool, I don't use this though
• JavaScript Debugger: JS debugger and profiler, more useful for web developers I think.
• Live HTTP headers: Great for showing basic information about the HTTP headers being exchanged.
• NoScript: A MUST-HAVE for Forefox.  Whitelists the scripts and objects that are allowed to load for a domain, amongst other protection features against other nasties out there.  Remember to disable for penetration testing engagements.
• People Search and Public Record Toolbar: Great tool for information gathering, pity I never had the chance to really use it
• ScrapBook: Aids in archiving and organizing pages.  I use it to profile a site's workflow.
• SwitchProxy / FoxyProxy: A must-have for changing between the many proxy tools that I use.
• Tamper Data: I use this to grab extra timeline information about the loading of pages.  Also allows you to do request/response editing.
• User Agent Switcher: Self explanatory.  Useful for certain situations only.
• View Dependencies: A must-have for organizing image/JavaScript/CSS resources for a page in a tidy manner.
• View formatted source: Formats HTML source neatly for viewing.
• View Source Chart: Formats final document DOM (after all the loading/JavaScript events have finished firing) for easy viewing.  Also for when View formatted source isn't available for the version of Firefox that you're using.
• Web Developer: Great for manipulating the forms/cookies/JavaScript/whatnot on a page.  A definite must-have for penetration testing.

Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use non-conflicting ports and a Firefox proxy switcher is set up to match.

Web Security Dojo is an open source project built on Ubuntu and hosted at SourceForge. It is available in three flavors: a Virtualbox VM, VMWare VM, and a build script which can be used on a standard Ubuntu 9.10 install to produce the Dojo. Collaboration and contributions are welcomed.

Looks pretty promising, I will be checking this out and writing more (as usual, when my "relaxed" schedule allows me to) later.  But this looks like one of those training tools that I wished existed far earlier: a full environment with the targets and tools to let you learn and train your web application security kung-fu.

So what're you waiting for ?!  Go grab a copy and try it out!  Unless you really really want to see a review from me first.  Heeeyyaaaahhhh!!

The 2^nd All ‘Bout Security& Connectivity Seminar is here again in Temasek Polytechnic! This seminar provides a knowledge-sharing platform for IT Security, Network Professionals and students.

The seminar includes talks on IT security and connectivity and a Web Challenge (supported by HITB), which is open to public. The aim of the challenge is to test the contestants on various web penetration techniques.

Interested?  It's being held on Friday, March 05, 2010 from 10:00 AM - 6:00 PM (GMT+0800).  Find out more from their site, or get the agenda for the day here, and you can signup at this link.

It's hard for people to care about anticipated dangers, till it becomes true on a large scale or when it happens to them, sad but true.

Nonetheless, it's high time industries/companies/individuals start to look seriously into attacks at the web application level, because it has been the path of least resistance for the attackers for a long time already.

And time for the whitehats to really prepare the answers needed by the masses in time to come.

It involves the use of a plugin (currently maintained at OSSEC) to get WordPress to send syslog events for OSSEC to parse.  It is a good idea since it is good to monitor any web applications running for anomalies, but WordPress doesn't seem to provide any kind of audit logging.

Looking at its capabilities, the first use for this that comes to mind is to monitor sites that run WordPress with multiple user logons.  As for those with insufficient access to your web server (you're on a shared webhost), you're probably better off using the tips given at wpbeginner.

I won't know yet, but perhaps I'll have a better idea on what it is good for after I try it out.

Do YOU use OSSEC to monitor your WordPress installations?  Any comments on it?

1. Just because you moved something from being a GET parameter to a POST parameter so I couldn’t see it in the URL bar doesn’t mean that I don’t know it is there. And it also doesn’t mean I can’t change it. (Download WebScarab if you disagree)

2. Just because you put something in a hidden FORM parameter doesn’t mean I can’t find it. Or change it. See #1.

3. Ditto for cookies. See #1.

4. Validating things on the client side with JavaScript doesn’t prevent me from submitting whatever the heck I want.

5. I love it when you say “That would never happen in production.”

6. I really love it when you say “An attacker would never do that.”

7. I really hate strong server side input validation.

8. That page with the detailed error message – my job would be way harder without it.

9. Most of those “Guaranteed Secure!” banners you put on your site only serve to tell me you don’t understand the first thing about security.

10. That web application scanner you ran – it didn’t find everything. Not even close.

11. That network scanner you ran – it didn’t even start testing the security of your application.

12. I understand AJAX (or fancy, new technology “XYZ”) better than you do.

13. The more clever you think you are – the better I feel.