Offensive Thinking
Internet Thoughtcrime
November 2009
Ok, I finally gave in. After resisting the hype for quite a long time, I created microblogging accounts in the end. You can follow me on
My Identi.ca account automatically pushes everything to Twitter.
Why did I give in to the “giant public asynchronous chat system”, as Lutz put it so nicely? Well, besides the things I already wrote in this blog post, microblogging can be quite fun, I have to admit. There are many things that are not worth a whole blog post but that I would still like to share sometimes.
I’m using Twidge on the command line for posting notes, which is a decent program written in Haskell for using Identi.ca and Twitter.
That said, feel free to follow me if you think my ramblings may be interesting to you ;).
2009-11-18 Firefox Extensions for Pentesters: Grab Them All
If you have ever pentested a large company network, you know about all the tedious stuff which has to be done. Like, scanning for all running services, checking for interesting and maybe exploitable stuff.
Well, our trusty Nmap already does a pretty good job at scanning systems and giving us a hint on what to expect there. Even in versions before 5, you could go and do banner grabbing and all that stuff, so you at least knew what the service pretended to be. With version 5, all those nifty NSE scripts give you an amazing amount of useful information, especially in large networks. Try -A sometime, but please, be careful as it’s considered rather intrusive (see the Nmap manpage).
There still remains one thing that always bothered me. Even though Nmap will get me for example the page title of every web server’s index page (if available), I still find myself opening all the pages manually in my browser to check what’s going on. I just want to have the full, graphical representation of what’s running there. This can be rather time consuming, considering the number of web servers often includes e.g. default installations of IIS on Windows systems, which many users do not even know about.
So I searched for a solution and found this wonderful Firefox extension called Grab Them All. It’s very simple: you give it a *.txt file with newline-separated URLs and an output directory and it will dump conveniently named screenshots of all the index pages in there. You can additionally specify useful things like how long to wait until the page is deemed fully loaded (this is useful if there’s some JavaScript magic going on even after the browser got the full response) or how long to wait for a response before trying the next URL.
All I needed now was a way to generate the text file from my nmap scan. If you have told Nmap to save its output in grepable format (-oG or use -oA, as I do) you can use the following shell-fu:
# Keep the lines where TCP port 80 is open (the lookbehind avoids also matching e.g. 8080/open),
# pull the IPv4 address out of each of them and turn it into one URL per line.
ack '(?<![0-9])80/open' network-scan.gnmap | \
ack -o '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | \
while read line; do echo "http://$line"; done > hosts.txt
I’m using ack here, feel free to translate this to grep or pcregrep or whatever. I dig ack ;). I’m pretty sure that the above can also be optimised, but it works and that’s good enough for me, thank you very much.
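The one-liner only knows about port 80. As an added example (my own code, not from the original post), here is a small parser for the .gnmap Host lines that goes a bit further: it skips ports that are closed or filtered, picks http or https from the port number and Nmap’s service name, and appends non-default ports to the URL so web servers on 8080 or 8443 end up in hosts.txt too. The scan text and the port lists are constructed assumptions.

```python
import re
import sys

# Constructed sample of Nmap grepable output (-oG); not a real scan.
SAMPLE_GNMAP = """\
# Nmap 5.00 scan initiated Wed Nov 18 10:00:00 2009 as: nmap -oA network-scan 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|http///\tIgnored State: closed (997)
Host: 192.168.1.11 (intranet.example.lan)\tPorts: 8080/open/tcp//http-proxy///, 8180/closed/tcp//unknown///
Host: 192.168.1.12 ()\tPorts: 80/filtered/tcp//http///
# Nmap done at Wed Nov 18 10:05:00 2009 -- 256 IP addresses (3 hosts up) scanned
"""

# A Host line with port information: "Host: <ip> (<name>)\tPorts: <entries>[\tIgnored State: ...]"
HOST_LINE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>[^\t]*)")
# Assumed port lists; extend them to whatever your target network uses.
TLS_PORTS = {443, 8443}
PLAIN_HTTP_PORTS = {80, 8000, 8080, 8888}


def gnmap_web_urls(gnmap_text):
    """Return one URL per open web port found in grepable Nmap output."""
    urls = []
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment line or status-only line
        # Each entry is port/state/protocol/owner/service/rpc/version/
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state != "open" or proto != "tcp":
                continue
            if port in TLS_PORTS or "ssl" in service or service == "https":
                scheme = "https"
            elif port in PLAIN_HTTP_PORTS or service.startswith("http"):
                scheme = "http"
            else:
                continue  # open, but not something a browser screenshot helps with
            default_port = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
            urls.append(f"{scheme}://{m.group('ip')}" + ("" if default_port else f":{port}"))
    return urls


if __name__ == "__main__":
    # Usage: python gnmap2urls.py network-scan.gnmap > hosts.txt (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    print("\n".join(gnmap_web_urls(text)))
```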
2009-11-04 Auditing PHP code and phpsh
PHP. Yes, I have to work with it. Many of the web applications I pentest are written in PHP, so there’s no way around it. Sometimes I even have to read the source code of the web application to verify something I found while testing or while searching through the code for common vulnerability patterns.
The problem with PHP is… wait, let me rephrase that. One problem with PHP is that it doesn’t come with a REPL. Which sucks because if for example I want to check something quickly in Python or Ruby, I fire up Python or IRB and hack away, including things like tab completion for functions and all that fancy stuff. PHP doesn’t have that.
So I searched for a decent PHP REPL and found phpsh which was developed and released by – drum roll – Facebook. Yeah, I didn’t think it could get worse than PHP either ;). But seriously, it’s surprisingly good. I played a little bit with phpsh and it supports tab completion for functions, classes, global variable names etc., shows you the PHP documentation for a function or identifier, lets you dynamically include new files… All in all, many things you’d expect from a good REPL.
There’s already a PKGBUILD in AUR for phpsh, if you’re using Arch Linux. The only thing you have to do is to add /etc/phpsh/ to open_basedir in your /etc/php.ini, otherwise it will complain.