Tuesday, December 11, 2018

Converting Keep to Pet Snippets

I've been wanting to move from OrkoHunter's Keep to the more feature-rich knqyf263's Pet but kept procrastinating because I already had hundreds of snippets in Keep and dreaded the copy-and-paste nightmare of moving them one by one.

Here's a quick bash script I wrote to parse Keep's commands.json and convert it to Pet's TOML snippet format. Hopefully this helps someone else facing the same issue.

#!/bin/bash

###Leif Gregory <leif@devtek.org>
###Copy Keep's commands.json file to the same folder as this script and run it.
###It will output a file in the same folder called snippet.toml. Make a backup
###copy of your old snippet.toml and move the new one into its place. Run
###"pet list" and hopefully you'll get a clean output. If not, pet will tell
###you which line of snippet.toml the error is on. Compare it with the original
###commands.json file.

#Usage [scriptname]
#e.g. ./keep2pet

set -eu

inputfile=./commands.json  #Typically found in $HOME/.keep/
outputfile=./snippet.toml  #Move this file to, typically, $HOME/.config/pet/

#Keep's commands.json is a single line of the form {"command": "description", ...}.
#The first sed strips the leading { and trailing } together with the quotes next
#to them. The 2nd sed breaks the remaining line up into one command and
#description per line. The delimiter is unfortunately a comma and I had lots of
#commas in my descriptions, so it breaks on '", "', which also removes the
#quotes on either side of the split. The 3rd sed puts those back. Lastly, it
#writes all these lines to a temp file which gets removed at the end.
#(The \n in the replacement needs GNU sed.)

sed -e 's/^{"//' -e 's/"}$//' "$inputfile" \
    | sed 's/", "/\n/g' \
    | sed -e 's/^/"/' -e 's/$/"/' > ./keep2pet-temp

: > "$outputfile"   #Start from an empty snippet.toml so reruns don't append duplicates

while IFS= read -r line; do
    #Now we're down to "command": "description". Split on the FIRST '": "' so a
    #colon in the description doesn't truncate it (awk's $2 would have). JSON's
    #backslash escapes (\" \\ \n \t \uXXXX) are also valid in a TOML basic
    #string, so the values can be passed through untouched.
    command="${line%%\": \"*}\""
    description="\"${line#*\": \"}"

    #Write each commands.json snippet to TOML format file. pet expects every
    #snippet to start with a [[snippets]] table header.
    printf '[[snippets]]\n  description = %s\n  command = %s\n  output = ""\n\n' \
        "$description" "$command" >> "$outputfile"
done < ./keep2pet-temp

rm ./keep2pet-temp
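As an added example (not part of the original post, nor code from Keep or pet), here is the same conversion done with jq. Because jq parses the JSON properly, commas, colons and escaped quotes inside a command or description survive without any of the special-casing the sed pipeline needs. It assumes jq is installed and that commands.json has Keep's {"command": "description", ...} shape; the sample file it writes is constructed for illustration.

```shell
#!/bin/sh
# keep2pet-jq: convert Keep's commands.json into pet's snippet.toml with jq.
# Added example; assumes jq is on the PATH.
set -eu

# $1 = path to commands.json; the TOML goes to stdout, so redirect it into
# snippet.toml yourself. tojson re-emits each string with JSON escapes
# (\" \\ \n \t \uXXXX), every one of which is also legal inside a TOML basic
# string, so no hand-rolled quoting is needed and a ", " or ": " inside a
# value can never be mistaken for a separator.
keep2pet_jq() {
    jq -r 'to_entries[]
           | "[[snippets]]\n  description = \(.value | tojson)\n  command = \(.key | tojson)\n  output = \"\"\n"' "$1"
}

# Constructed sample input with the cases the sed version trips over: a comma
# and a ": " inside a description, and an escaped quote inside a command.
make_sample() {
    cat > "$1" <<'EOF'
{"ls -la": "list all files, including hidden ones", "grep -r \"TODO\" .": "find TODOs: recursive"}
EOF
}

# Usage: ./keep2pet-jq ~/.keep/commands.json > snippet.toml
if [ $# -eq 1 ]; then
    keep2pet_jq "$1"
fi
```

jq's to_entries keeps the keys in the order they appear in the file, so the snippets come out in the same order Keep stored them. As with the bash version, run pet list afterwards; pet reports the offending line number if anything in the generated file fails to parse.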

Thursday, November 29, 2018

Summing numbers at the end of lines in a text file

I wrote this one liner to sum the counts of various attacks that were being blocked and logged by the firewall during an automated scan.

Let's say your log looks something like this.

Contents of log.txt

Microsoft Windows win.ini Access Attempt Detected 30851 vulnerability 782
HTTP Cross Site Scripting Attempt 32658 vulnerability 288
Generic HTTP Cross Site Scripting Attempt 31475 vulnerability 94
HTTP /etc/passwd Access Attempt 35107 vulnerability 82
HTTP SQL Injection Attempt 30514 vulnerability 52
PHP CGI Query String Parameter Handling Information Disclosure Vulnerability 34804 vulnerability 28
Generic HTTP Cross Site Scripting Attempt 31476 vulnerability 24
Apache Tomcat URIencoding Directory Traversal Vulnerability 35298 vulnerability 13
Export RSA cipher suite detected 37493 vulnerability 11
HTTP SQL Injection Attempt 33338 vulnerability 10
Squid HTTP Header Parsing Assertion Failure Denial of Service Vulnerability 39682 vulnerability 10
Oracle 9i Application Server Dynamic Monitoring Services Anonymous Access 33756 vulnerability 8
HTTP SQL Injection Attempt 35823 vulnerability 6
PHP-Charts PHP Code Execution Vulnerability 37008 vulnerability 6
Microsoft Internet Explorer Cached Objects Zone Bypass Vulnerability 33813 vulnerability 4
Advantech Studio NTWebServer Arbitrary File Access Vulnerability 35784 vulnerability 2
Generic HTTP Cross Site Scripting Attempt 30847 vulnerability 2
Microsoft IIS ServerVariables_JScript.asp Information Disclosure 33073 vulnerability 2
Microsoft IIS 5.0 Form_JScript.asp XSS Vulnerability 32775 vulnerability 2
Joomla HTTP User Agent Object Injection Vulnerability 38519 vulnerability 1
OpenSSL Status Extension Memory Leak Denial of Service Vulnerability 39926 vulnerability 1

The five digit number before the word "vulnerability" is the signature ID and the number at the end of each line is the count of how many times it was blocked. We could sit here with a calculator and add all the counts together, but the one-liner below will do it for you.

grep -oP '\d{1,4}$' log.txt | xargs | tr ' ' + | bc

When run, it will output: 1428

Let's break down the one liner to understand what each part is doing.

grep -oP

  • -o tells grep to only output the matched text, not the whole line.
  • -P tells grep we want to use PCRE regexp vs the default POSIX regexp.

'\d{1,4}$'

  • \d tells grep we're looking for a digit.
  • {1,4} tells grep we're looking for a number that will be between one and four digits.
  • $ tells grep we're looking for these one to four digit numbers to be at the end of the line.

Technical note: Just in case someone has an issue with how I phrased the above, what we're really telling grep is to match a run of between one and four consecutive digits that is immediately followed by the end of the line.

log.txt is the name of the log file

| means we're piping the output of the previous command, grep in this case, into another command

xargs is going to take all the one to four digit numbers found, one per line, and join them into a single space-separated line like this:
782 288 94 82 52 28 24 13 11 10 10 8 6 6 4 2 2 2 2 1 1

tr ' ' + will replace all the spaces between the numbers with the plus sign like this:
782+288+94+82+52+28+24+13+11+10+10+8+6+6+4+2+2+2+2+1+1

bc is a command line calculator that will evaluate the expression produced by tr above and print the sum, 1428 in this case.

If you needed to subtract instead of add, you'd just change the '+' in the tr command to '-'. Or if your counts could be a five digit number, just change '{1,4}' to '{1,5}'. Or let's say your counts will always be at least three digits but no more than five; you'd change it to '{3,5}'. One thing to watch: because grep -o prints only the matched text, a count longer than the upper bound isn't skipped, it's truncated to its last four digits (a 12345 would contribute 2345), and a count shorter than the lower bound is silently dropped, so the total comes out wrong without any error. If you don't actually need to constrain the width, '\d+$' avoids the guess entirely.
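As an added example (not the post's own one-liner), the same total computed with awk, which reads the last field as a number instead of guessing its width and doesn't need bc, plus a roll-up of the counts by attack name, since several of the lines above are the same attack under different signature IDs. The log lines are the ones shown in the post, written to a temp file so the script runs offline.

```shell
#!/bin/sh
# Added example: sum the trailing count field of firewall log lines with awk,
# then total them per attack name. Not part of the original post.
set -eu

# Total of the trailing count field, ignoring any line whose last field is
# not a plain integer (a header, a blank line, a truncated record).
sum_counts() {
    awk '$NF ~ /^[0-9]+$/ { total += $NF } END { print total + 0 }' "$1"
}

# Per-signature totals. The five-digit threat ID and the word "vulnerability"
# are the two fields before the count, so the attack name is fields 1..NF-3.
# Several IDs share one name (e.g. HTTP SQL Injection Attempt appears with
# three IDs above); this rolls them up and sorts biggest first.
sum_by_name() {
    awk '$NF ~ /^[0-9]+$/ && $(NF-1) == "vulnerability" {
             name = $1
             for (i = 2; i <= NF - 3; i++) name = name " " $i
             total[name] += $NF
         }
         END { for (n in total) print total[n], n }' "$1" | sort -rn
}

# The log lines from the post, written to the file named in $1.
make_log() {
    cat > "$1" <<'EOF'
Microsoft Windows win.ini Access Attempt Detected 30851 vulnerability 782
HTTP Cross Site Scripting Attempt 32658 vulnerability 288
Generic HTTP Cross Site Scripting Attempt 31475 vulnerability 94
HTTP /etc/passwd Access Attempt 35107 vulnerability 82
HTTP SQL Injection Attempt 30514 vulnerability 52
PHP CGI Query String Parameter Handling Information Disclosure Vulnerability 34804 vulnerability 28
Generic HTTP Cross Site Scripting Attempt 31476 vulnerability 24
Apache Tomcat URIencoding Directory Traversal Vulnerability 35298 vulnerability 13
Export RSA cipher suite detected 37493 vulnerability 11
HTTP SQL Injection Attempt 33338 vulnerability 10
Squid HTTP Header Parsing Assertion Failure Denial of Service Vulnerability 39682 vulnerability 10
Oracle 9i Application Server Dynamic Monitoring Services Anonymous Access 33756 vulnerability 8
HTTP SQL Injection Attempt 35823 vulnerability 6
PHP-Charts PHP Code Execution Vulnerability 37008 vulnerability 6
Microsoft Internet Explorer Cached Objects Zone Bypass Vulnerability 33813 vulnerability 4
Advantech Studio NTWebServer Arbitrary File Access Vulnerability 35784 vulnerability 2
Generic HTTP Cross Site Scripting Attempt 30847 vulnerability 2
Microsoft IIS ServerVariables_JScript.asp Information Disclosure 33073 vulnerability 2
Microsoft IIS 5.0 Form_JScript.asp XSS Vulnerability 32775 vulnerability 2
Joomla HTTP User Agent Object Injection Vulnerability 38519 vulnerability 1
OpenSSL Status Extension Memory Leak Denial of Service Vulnerability 39926 vulnerability 1
EOF
}

# Usage: ./sumcounts log.txt   (prints the grand total, then per-name totals)
if [ $# -eq 1 ]; then
    sum_counts "$1"
    sum_by_name "$1"
fi
```

On the log above sum_counts prints 1428, the same figure the grep/bc pipeline gives, and sum_by_name shows that HTTP SQL Injection Attempt accounts for 68 blocks and Generic HTTP Cross Site Scripting Attempt for 120 once their separate IDs are combined.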

Tuesday, August 11, 2015

iOS Security Tools - OpenVPN Connect

OpenVPN Connect - Normally $2.99 but free at time of this article

Developer: OpenVPN Technologies

When you're connecting to the internet over WiFi at a hotel, airport, coffee shop etc., unless your app provides native encryption or you're browsing websites over HTTPS (HyperText Transfer Protocol Secure), your data is wide open for someone on that same network to see. If you're googling for fuzzy kitten pictures, then it probably doesn't matter, but if you're transferring work files or logging into a website without encryption then you run the risk of a bad guy intercepting that data. You might even think that only highly skilled hackers can do this, but nothing is further from the truth. It could be the soccer mom sitting four tables away from you running Wireshark on her laptop, just passively collecting packets until her filter for the text "password" flags, and then she's got you.

But for a moment, let's get away from the hacker scenario. Who else could be monitoring your traffic? The provider of the wireless access point you're connected to? The ISP (Internet Service Provider) connecting you to the internet? The coffee shop? If you answered yes to all of these, then you are correct. It might be relatively benign, most likely they're monitoring which websites you go to and injecting ads they believe are relevant. Or they're just building on your profile of browsing habits because they can monetize that.

That's where a VPN (Virtual Private Network) comes in. Basically a VPN creates an encrypted tunnel between your device and a server out on the internet. This tunnel encrypts all your data making it unreadable to anyone except the server on the other end who decrypts the tunnel and passes your requests on to wherever you were trying to go. Let's say you are connected to your local cafe's free wireless on your iPad using a VPN and you launch the Chrome web browser to go to this blog at http://blog.saltedbrain.org. Your iPad is connected to a VPN server on the internet over an encrypted tunnel. The hacker soccer mom can see your packet data, but it's all securely encrypted and unreadable to her. Same for the cafe owner's wireless access point, the ISP and the interconnecting hops all the way to your VPN server. The VPN server decrypts the traffic and passes your web browser request for this blog to my server on your behalf. My blog server responds and sends everything back to the VPN server who then encrypts everything again over the VPN tunnel and sends it back to your iPad.

Now, the more tech savvy among you might have realized that if everything is decrypted at the VPN server, then they could potentially capture all that data right there. You are correct. That's why it's very important to do your research in finding a reputable VPN provider. Or, you can place your trust in me and my research and follow along below to get set up. But bear with me for another minute here so I can explain what you're looking for in a good reputable VPN provider.

  • They should support current strong encryption such as AES-256
  • They should state in very plain text and loudly that they do not store or read your internet traffic. You still have to take that on a leap of faith I suppose.
  • They should make mention of their speeds. In a world where you usually get what you pay for, free or cheap VPN providers typically have slow connections. The one I will be telling you about is an exception.
  • Look for bandwidth limits. Will they give you fast connectivity until you hit 1GB and then rate limit your connection (slow you down)? Will they cut you off after you hit 1GB of traffic?
  • Do they limit what sort of sites you can visit? Most will block P2P (torrents), but will they block gaming sites?

I've found a VPN provider who gives you unlimited bandwidth, doesn't block anything but P2P, doesn't store your internet traffic aside from your IP address and what time you connected (which they only keep for a week), supports strong cryptography, and they're FREE. You can find them at http://www.vpnbook.com.

Let's get into how to get set up.

  • Download the OpenVPN Connect app from the Apple App Store.
  • Download the Zip Viewer app from the Apple App Store. We need this to download and extract the OpenVPN profile from VPNBook. If you have another app that will let you download ZIP files, such as iDownloader already, then use that.
  • Go to http://www.vpnbook.com/freevpn in Safari and tap the link for US1 OpenVPN Certificate Bundle as shown in the screenshot. Take note of the username and password just below the various bundles. You'll need this later.
  • Choose Open In and scroll over till you find Open In Zip Viewer
  • When Zip Viewer opens, tap on VPNBook.com-OpenVPN-US1 on the left to open the ZIP file and then tap on vpnbook-us1-tcp80.ovpn on the right.
  • Next tap on the Send To icon at top right and choose Open in OpenVPN

  • When OpenVPN launches you'll see the profile listed under the New Profiles Are Available section. Tap on the green plus sign and it will open that profile below like the screenshot (I had already added this when I took the screenshot.)
  • The username and password are listed on the VPNBook page where you downloaded the OpenVPN Certificate Bundle. At the time of writing this article, it was vpnbook:y6gaTRuv. Tap the save switch so you don't have to enter them again later. Now tap the Connection switch.

And that's it. You can switch to another app and start browsing. You should see a VPN box next to your carrier and WiFi info at the very top. This lets you know you are using a VPN connection. When you're all done, just launch OpenVPN again and tap the Connection switch to turn it off. You can even run OpenVPN over your cell data connection. It's not limited to just WiFi.

Sunday, March 1, 2015

iOS Security Tools - Fing

Fing - FREE

Developer: Overlook Soft

Fing is a highly configurable network scanner which can be leveraged for private networks, but can also be used to scan external hosts. One of Fing's best features is that it will remember networks you've already scanned and retain the names and additional information you've put in for discovered hosts. Fing has a built-in MAC vendor database to help identify targets of interest among the discovered hosts. When you first launch Fing, it will detect the network you're on and show a scan button in the upper right corner. Depending upon the size of the network, the scan can be fairly quick for a /24 subnet, or fairly long for, say, an airport running a /16.

In the above, I cancelled the scan after a minute or two because it was a /16 network and I really didn't need a full scan. One limitation of Fing is that you have to wait till a scan is completed or cancel it to be able to do more detailed scans on discovered hosts. Once you have your list of discovered hosts, you can perform additional scans to determine which services are running on them. For this article, I'm going to choose the HP printer listed at the top as my target for a deeper dive.

After tapping on the host, you have a few options such as Scan Services, Ping Device, Delete from the List, Show Log and Wake on LAN. I'm going to Scan Services and show you that next.

You can see from the results above that there are a number of interesting services running on the host. Fing allows you to tap on the service and attempt to connect with an appropriate app. For http and https, that's your default browser for instance. If the host is a computer, you might see things like FTP or NETBIOS which will leverage your FTP app or file browser app. Let's check out port 8080 to see if we can get a live webpage.

Ouch, it looks like our printer is an HP LaserJet M1536dnf MFP and it doesn't have an admin password set. If I was a mean co-worker, I could change a few settings here and have a nice MFP all to myself. If you remember in the beginning of this article, I said Fing remembers networks you've scanned and additional information you put in about a discovered host. Let's go ahead and put in some info about this host.

Now we've got a more descriptive name than NPI23xxxx and I've annotated that the web interface on port 8080 is wide open and physically where the printer is located. One benny is that the information you type in is searchable from the main screen when you tap the search button on the bottom left. Below you can see the search result from the comment I put in about port 8080 being wide open.

If you'd like to scan an external host, you can do that from the main screen by tapping the pen and paper icon on the bottom row.

The ubiquitous send-to icon in iOS allows you to send the information to other apps or via email, which includes any additional info you put in about the host.

In the settings, you can modify things like what services to scan for and even add your own. You can also spoof your MAC address if need be.

Fing is a nicely put together network scanner to help locate potentially insecure devices on your network, and the ability to remember previously scanned networks and any additional information you put in really sets this app apart from others. One last note: you can sign up for a free FingBox account which will sync and back up your customizations.


Friday, February 20, 2015

iOS Security Tools - RBL Status

RBL Status - $1.99

Developer: Pavel Ahafonau

One of the other hats I wear is as a web application developer, predominantly in the PHP / MySQL realm, and I generally build, harden and deploy the web servers to run those applications on. Sometimes those servers also include a Mail Transfer Agent (MTA) / mail server depending upon the business need.

Whether you're troubleshooting an email issue or you're wanting to verify your mailform code is secure or that your mail server is properly hardened and not configured as an open-relay, Real-time Blackhole Lists (RBLs) can help you determine whether your server is listed as being a source of spam.

The efficacy of RBLs, also referred to as DNS blacklists or DNSBLs, is debatable for a couple of reasons. One of the biggest problems they present is the collateral damage that ensues when a single domain on a shared host is exploited to send spam. Because RBLs are IP based, an insecure mailform on a website sharing the same IP as you could cause the IP to be blacklisted. This is an extremely frustrating situation to be in because until they fix the problem you'll be punished right alongside them.

A similar situation can occur if you're running a server on a dynamic IP and you happen to one day pick up an IP that has been blacklisted.

To further complicate the matter, there are a number of RBL services and to effectively troubleshoot, you have to track down which one is being used by the mailserver denying your emails. Getting your IP delisted can sometimes be difficult and each RBL service has varying policies for automated or manual delisting.

If you'd like to learn more, take a look at Wikipedia's Comparison of DNS blacklists
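To make the "RBLs are IP based" point concrete, here is an added example (not from the original post or the RBL Status app) of what a DNSBL lookup actually is: the client reverses the four octets of the address, appends the list's DNS zone, and asks for an A record. A 127.0.0.x answer means listed, NXDOMAIN means clean. Every site behind that one IP gets the same answer, which is exactly the collateral damage described above. dnsbl.sorbs.net is the zone of the SORBS list named on this page and zen.spamhaus.org is another widely used one; both are assumed to still be live, and the addresses used below are documentation addresses, not real senders.

```shell
#!/bin/sh
# Added example: build and issue a DNSBL (RBL) query with plain POSIX shell.
# Not part of the original post.
set -eu

# Build the query name: 192.0.2.1 checked against zen.spamhaus.org becomes
# 1.2.0.192.zen.spamhaus.org. Returns 1 for anything that isn't four octets.
dnsbl_name() {
    ip=$1; zone=$2
    oldifs=$IFS; IFS=.
    set -- $ip          # split the address on dots into $1..$4
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "dnsbl_name: not an IPv4 address: $ip" >&2; return 1; }
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Query one list. getent uses the libc resolver, so no dig/host is needed
# (Linux; on other systems substitute host or dig). Prints "listed <answer>"
# or "clean". Needs network access.
dnsbl_check() {
    name=$(dnsbl_name "$1" "$2") || return 1
    if answer=$(getent hosts "$name"); then
        printf 'listed %s\n' "${answer%% *}"
    else
        printf 'clean\n'
    fi
}

# Zones to check; assumed still live at the time you run this.
dnsbl_zones="zen.spamhaus.org dnsbl.sorbs.net"

# Usage: ./rblcheck 203.0.113.25
if [ $# -eq 1 ]; then
    for zone in $dnsbl_zones; do
        printf '%-20s %s\n' "$zone" "$(dnsbl_check "$1" "$zone")"
    done
fi
```

Two caveats before trusting a hit: each list encodes the reason for a listing in the last octet of the answer, so read the list's return-code documentation rather than treating every 127.0.0.x the same, and some lists (Spamhaus among them) answer queries that arrive via large public resolvers with an error code in 127.255.255.x rather than a real listing, so run the check from a resolver the list will answer.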

The RBL Status app is an easy and quick tool to determine whether your IP address has been blacklisted. Currently it supports thirteen of the most popular RBLs, with seven selected by default for checking when you install the app. Based on your needs, you can select or deselect the RBLs that are most appropriate for you.

As an example, I took the IP for one of the top spam senders according to McAfee's Threat Intelligence site. In the below screenshot you can see that the IP is listed in two RBLs.

There are two downsides to the RBL Status app that I see. The first is that, aside from the information it displays, you can not drill down to get more information. Related to that, the second is that the links it provides for further information where an IP is listed are not clickable, so you'll have to resort to typing the URLs in manually, or choosing the arrow button to the left of the Check button to send the info via email, where you can then copy and paste the URL into a browser.

Visiting the URL listed for SORBS in the above screenshot will bring you to the below page where you can determine how fresh the listing is etc.

One nice benny RBL Status has is that you can perform a whois lookup on the domain, the IP, and the reverse hostname.

So, that's it in a nutshell. Hopefully you won't be on the wrong side of an RBL listing and have to deal with the headache of delisting.

Tuesday, February 10, 2015

iOS Security Tools - Netstat

Netstat - FREE with IAPs
Developer: James Devenish

Netstat, as you may be familiar with already on Linux and Windows, gives you live information such as protocol (http, https, imaps), remote address, connection duration, idle time, round-trip time (RTT) and bytes received, grouped by interface such as WiFi, VPN or cellular.

Netstat on an iOS device is a useful tool for being able to see where an app is connecting to and over what protocols without having to packet sniff your device traffic. It's also handy for finding apps that might be sending your information across the internet using insecure protocols or to watch how other security tools on your device are communicating.

The paid version, which is available as an IAP, comes in two flavors. The first is a $0.99 Connection Details purchase which allows you to tap on a connection to see additional information. The second is a $3.99 IAP which includes Connection Details but also adds audio alerts, delta mode for new activity, sorting connections by various criteria, host connectivity testing, whois lookup and port info.

The free version allows export to CSV, which will give you basically the same thing as the $0.99 Connection Details IAP with just a couple of extra steps.

One potentially fatal limitation is the lack of IPv6 support. If IPv4 is all you need though, then this will do the trick.

- Leif Gregory, Security Professional

Friday, April 22, 2011

MacXDVD Free Giveaway

MacXDVD is free until May 3rd. Grab it now and register with the registration key provided.

Rip DVDs to iPhone, iPad and iPod formats.