DEF CON 26 Notes


This is my 6th DEF CON and I plan on coming back for more! There is a lot of life and energy at the con that I haven't been able to find at other conferences. A big appeal to me is that DEF CON itself is kind of a wrapper event where you find a number of mini-conferences (called Villages), so even if the main tracks don't interest you, odds are you'll find something at the 27-ish villages that run at the same time.


Black Hat 2018 Session Notes


This year's Black Hat USA conference was pretty solid. Every timeslot had something available that I found interesting and often times I had to pick between competing sessions that captured my interest. Conference organization and crowd control was excellent again as usual. The mobile app this year had more features than in previous years, which I appreciate, though it does lose a few points for complicated and missing capabilities.

For a quick reference on the sessions and tool demos, see the Briefings and Arsenal pages


Review of Black Hat Advanced Infrastructure Hacking Training (2 day edition)


I had the chance to attend Black Hat this year and attend a 2 day of my choice. This year I took the Advanced Infrastructure Hacking - 2018 Edition: 2 Day session sponsored by NOTSOSECURE. It can be hard to find reviews of these trainings so I think it's worthwhile to post my thoughts here.


Rough Notes From RSA 2018 Conference Sessions


My notes from RSA 2018 sessions and labs. I've sanded off the rough-edges from my raw notes. Might still be a bit 'bumpy'


RSA 2018 - Highlights & Thoughts


When the opportunity to attend RSA came up, I decided to take a chance to see how it compares to other security conferences I've attended in the past (like DEF CON, BlackHat and BSides). After attending the 5 days of the conference I can say that RSA definitely has a different 'feel' to it than the other conferences and depending on what you are trying to accomplish, it may or may not be a good value for the $$$ spent.


Preparing an offline installation of Python 3.4 (+packages) for CentOS 6


We ran into an interesting situation on a legacy system where we were unable to allow outbound traffic on a CentOS 6 server to the internet, yet we needed to install Python 3.4 and the 'requests' library on the server.


Guide to Troubleshooting the Dreaded OpenVAS 8.0 503 Status Code (service temporarily down)


OpenVAS is an open source vulnerability scanner that I have used (and seen used) over the last few years. It's history goes back to 2005 as a fork of a previously open source (now commercialized) vulnerability scanner. This tool tends to be used when the dollar-cost of a commercial solution appears to outweigh the time and effort needed to maintain an effective OpenVAS installation.

The most common problem that I encounter using OpenVAS is the 503: service temporarily down error. When I see this message it almost invariably ties back to an expired self-signed certificate. I've seen this error enough times that I want to document the process in case I end up using this tool again in the future.


Reverse engineering a 'secure' system data collection tool


Awhile ago at a previous employer I worked with a VAR to do a system and software inventory of our workstations. They had written a custom application in C#.NET (for windows systems) and a bash script (for Mac OS) that captured the inventory data and encrypted it for us to email back to them. Sounds pretty straight forward, right?

I asked them about how the data would be protected on collection and being transmitted to them and surprisingly heard back from the VAR that their encryption mechanism 'cannot be disclosed publicly'. Hmm.... Before agreeing to run the programs and send back results, I performed a secure code review and found some interesting things about their collection tools.


yum killed during upgrade


This morning I tried to run security updates on one of my Centos VPS systems. Had to get creative since just running yum upgrade did not work. The yum process was killed unexpectedly:

Transaction Summary
==========================
Upgrade      19 Package(s)

Total size: 24 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Killed

Results: SSH Statistics Gathering Project


A month or so ago I started an SSH Statistics gatherer with the hope of identifying high-level configuration details of SSH-2/SSH-1.99 servers in the USA. In running the tool for a couple of weeks I identified 46,250 SSH Servers that meet the basic criteria (I'd like to do a survey of SSH Servers running older versions in the 1.x range at a later date). This post explains the results of the survey.


Chrome Extension Development: Options Page Does Not Load Javascript


Today I spent way too much time trying to debug an issue encountered while developing a Chrome extension. While attempting to create an Options page, I setup a separate 'options.js' file (to comply with security requirements that don't permit inline-JS) and found that the .js file would not load and that there were no error messages listed in the chrome developer tools view.


Macs can RDP to Windows Server, but my PC can't?


An interesting problem surfaced earlier this year that prevented our systems administrators from using RDP to connect to a windows server if they use a windows laptop. Paradoxically, SysAdmins who run Macs were not affected. It took a little time to track this down and now that I've been through the troubleshooting process I know how to fix it and can see how we wound up in this situation in the first place


LastPass to 1Password: Dealing with a Messy Conversion


We switched from LastPass to 1Password and encountered an unexpected hindrance: HTML encoded strings somehow replaced certain characters in critical passwords. The first time through the process it seemed like 1Password was was causing the problem. Upon further investigation we found that the problem originated during the LastPass 'export' process.


SSH Statistics Gathering Project


I will be starting an SSH Statistics gatherer that will be targeting US based IP addresses today. The gatherer tool will run for 1 week through Sunday, January 22, 2017. During this time you may notice SSH-2.0-ssh-stats-gather-2017_1.0.0 appear in your SSH server logs. This tool performs a banner grab of SSH servers and does not attempt to login (performs a partial connect)

I will update this post once the run completes with more details.

Update 2017-01-29: Things picked up pretty fast and I was able to pick up quite a bit of data. The stats gathering tool has been turned off and I am parsing the results. Expect a post about the details at some point in the next few weeks.

Update 2017-01-22: Technical issues have come up which require that I extend the duration of this project for another couple of weeks. The new target completion date is Sunday, February 5th, 2017

Update 2017-02-21: Results were published here


How to Compile and Build PuTTY on Ubuntu 16.04


This week I needed to compile PuTTY to work on an Ubuntu system running 16.04 (LTS). The instructions are pretty straight-forward and will take you most of the way through compiling something you can use. A problem I ran into is that I kept on running into errors during compilation referencing dlsym, dlopen and dlclose.

Fate was on my side as I was able to work my way through the problem (with a generous dose of google) and comple that actually works.


Telerik JustDecompile and MSSQL Profiler Save the Day


For the last few months we have been experiencing intermittent issues with one of our production processes. The issue is one that has confounded us in its lack of consistency and ability to frustrate anyone assigned to troubleshoot the problem. I was asked to look into the situation and in the end was able to discover the root cause in just a few hours using Telerik JustDecompile coupled with Microsoft's SQL Profiler tool. The journey was exciting and I'll share what I can here.


Compare MSIs using C#


While cleaning up some old files I found a project that compares file manifests between MSIs. At the time we needed the ability to quickly determine if the files contained in a set of new MSIs contained at least the same set of files that was generated using a previous build process. While there are other tools that can compare MSIs, this code is lightweight and command-line scriptable.


Dashing.io Does Not Load Data on Centos


I needed to setup a quick dashboard a couple months back so I turned to Dashing.io. Everything worked great, then one day none of the dashboard widgets displayed any data. Given the nature of the dashboard and its users this was incredibly annoying.

The symptoms of this problem (which I can only replicate on Centos) are:

  • Dashboard widgets appear in the right order/layout when you load the page
  • Widgets do not contain any data until you Ctrl-C or kill the dashing process


Migration from Concrete5 to Jekyll


When I first setup boredwookie.net Concrete5 was used to power the site. In the years since then I've grown tired of using a heavyweight CMS to post a few pages. Last month I made the switch over to Jekyll and the transition was anything but painless. It was incredibly difficult and required a lot of manual effort and fine-tuning to get right. Along the way I created a ruby script to take some of the busy work out of doing a bulk migration.

The script takes xml files generated by the Concrete5 Legacy Migration Tool and creates jekyll-style posts with YAML front matter that can be massaged into a working site. While there are gaps in what I could script-out it was a useful tool in the migration effort.


Qt Works for Me


I've been looking for a development platform that can let me create programs which work across all major operating systems. While there is nothing wrong with scripts and scripting languages, sometimes a GUI just makes sense. In the past I've used WinForms in C# to create utilities with functional user interfaces, but now that I'm looking to switch to Linux full-time I'd like something which is about as easy to use that can target at least Linux and Windows.

Qt appears to check all the boxes I need, so barring development of a WinForms-like option for .NET Core or other changes in the landscape I'll press on.


Trying out Electron


Within the next year or so I would like to be using Linux as my full-time desktop. To get there I need to find a development platform that lets me create small, stand-alone, cross-platform GUI tools. While scripts are great, sometimes things can be a lot easier with a GUI.

One contender for this development framework role comes in the form of electron: a cross-platform development framework that lets you build desktop applications using HTML, CSS and JavaScript. I decided to take it for a spin and used it to create a small tool to examine a note taking database I exported from an old BlackBerry app.


BlackBerry Noted app - Database Viewer


As part of my continued migration to Android from BlackBerry OS 10 (and to try and pick a framework for cross-platform application development), I created a tool in both Electron as well as Qt variants to read and extract notes from the old Notepad application I used to use on BB 10 devices (Noted - Written by a friend of mine). While the user interface for this tool is not very sophisticated (especially the Electron version), it gets the job done.


Electron: Cannot find module 'app'


While attempting to use electron to write a cross-platform utility, I ran into an unexpected problem: The application would error out with a few weird messages like these:

  • App threw an error during load
    Error: Cannot find module 'app'
    at Module._resolveFilename (module.js:455:15)


  • App threw an error when running [TypeError: Cannot read property 'on' of undefined]
    A JavaScript error occurred in the main process
    Uncaught Exception:
    TypeError: Cannot read property 'on' of undefined


NextCloud / OwnCloud freezes or hangs on importing a large ICS file


This week marks a bittersweet end to my use of BlackBerry smartphones: I retired my BB Priv. BlackBerry no longer makes a device that I can advocate for or recommend. Part of my migration to a new device involves exporting an old device-local calendar that I have been carrying around since BB OS 7. The export went well (plenty of utilities on the app store will let you export a calendar) and I was left with a 16,000 line ICS file that I wanted to migrate.

The problem I ran into is that NextCloud hangs when it tries to process such a large calendar file and does not give any indication about the trouble it has (The web UI would hang with the words Import Scheduled).


OpenVAS gsad service: disable weak ciphers


I've been experimenting with OpenVAS for a few months now in my home lab. While the tool can be a bit fiddly at times it has found legitimate issues that would have been difficult for me to identify manually.

One interesting thing to note is that when OpenVAS scans itself (at least for installs that I've performed) is that it defaults to allowing certain weak ciphers. There is general guidance on how to lock-down the ciphers to a more secure configuration - it just requires some massaging if you run OpenVAS as a service which starts on boot.