Jan 10, 2016

Reading list

Just a list for me to catch up on blog posts I need to read:

https://technet.microsoft.com/en-us/library/cc759073%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
https://adsecurity.org/
https://github.com/angr/angr-doc
http://subt0x10.blogspot.com/?m=0
http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/
https://www.trustwave.com/Resources/SpiderLabs-Blog/Responder-2-0---Owning-Windows-Networks-part-3/
https://github.com/byt3bl33d3r/CrackMapExec
http://www.harmj0y.net/blog/
https://www.nowsecure.com/blog/2015/08/10/world-writable-code-is-bad-mmmmkay/
https://wiki.debian.org/Subkeys?action=show&redirect=subkeys
https://github.com/SpiderLabs

Oct 09, 2015

Use a web proxy for apt-get

To configure apt-get to use an HTTP proxy, add the following line to your /etc/apt/apt.conf file (create the file if it does not exist):

Acquire::http::Proxy "http://PROXY_HOST:PROXY_PORT";

This will configure apt-get to use a web proxy without configuring it for the entire system. Just comment out or remove the line to reverse the change.

More information here:
https://help.ubuntu.com/community/AptGet/Howto#Setting_up_apt-get_to_use_a_http-proxy

Oct 04, 2015

Disabling Browser Cache in Apache

Since I plan on blogging fairly often, it might be a good idea to configure Apache to tell browsers not to cache the site. That fixes the problem of readers not always seeing new blog posts right away. I am running Apache Web Server, so here is what I did to disable caching:

First, enable the headers Apache module:

sudo a2enmod headers

Next, add the following lines to your .htaccess file, or create one if it does not exist:

<FilesMatch "\.(html|htm|xml)$">
    FileETag None
    Header unset ETag
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "Tue, 1 Jan 1980 01:00:00 GMT"
</FilesMatch>
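A quick way to confirm the change took effect is to save the response headers (for example from `curl -sI` against the site) and check them for the directives set above. The script below is an added example, not part of the original post; the header dump it checks is a constructed sample of what a correctly configured server would return.

```shell
# Added example: verify that a response-header dump carries the anti-caching
# headers from the .htaccess above. POSIX sh plus grep only.

# Constructed sample of the headers a correctly configured server would send
# for an .html file (not real captured output).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Sun, 04 Oct 2015 18:00:00 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Tue, 1 Jan 1980 01:00:00 GMT
Content-Type: text/html'

# has_header HEADERS NAME PATTERN -> 0 if header NAME exists and its value
# contains PATTERN (both matched case-insensitively)
has_header() {
    printf '%s\n' "$1" | grep -i "^$2:" | grep -iq -- "$3"
}

# check_nocache HEADERS -> prints "ok" (exit 0) or "missing: ..." (exit 1)
check_nocache() {
    missing=""
    for directive in no-cache no-store must-revalidate; do
        has_header "$1" Cache-Control "$directive" \
            || missing="$missing cache-control:$directive"
    done
    has_header "$1" Pragma no-cache || missing="$missing pragma"
    # An ETag lets the browser revalidate a cached copy; the config strips it,
    # so its presence means the FileETag/Header unset lines did not apply.
    printf '%s\n' "$1" | grep -iq '^ETag:' && missing="$missing etag-present"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

check_nocache "$SAMPLE_HEADERS"
```

If the check reports everything missing on a live server, the usual cause is that .htaccess files are not being read for that directory (AllowOverride in the main Apache config).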

Oct 02, 2015

Getting Started in Information Security (Presentation)

I recently gave a presentation to the University of Houston's Cyber Security Club about getting started in the information security industry. Below is the link to my presentation:

Getting Started in Information Security

Sep 24, 2015

VITB Podcast - Guest Appearance

I was recently featured on a new podcast from Vince called Vince In The Bay. This episode features a few different people from DEFCON including myself where I talk about the presentation I gave as well as some other things. You can check it out here:

VITB PODCAST: DEF CON 23 RECAP

My part starts at 18 minutes and 57 seconds into the podcast.

Sep 13, 2015

Hijacking an Elevator Phone

If you have ever been on an elevator, you have probably seen (or even used) the elevator phone inside the elevator. By law, elevators are required to have some form of two-way communication, which usually entails a device connected to a POTS (Plain Old Telephone Service) or PBX telephone line. Turns out, these devices are easy to take over and use for malicious purposes.

Many elevator phones are programmable in order to allow for different use-cases at different locations. A lot of these can be programmed simply by calling the phone number attached to the elevator phone.

How do we find the telephone number to the elevator phone?

Each phone may have a standard phone line attached to it (RJ-11). Find it and you can "borrow" that connection to find the number to the elevator phone.

You can use a small corded telephone like the one above to connect to the phone line. Once connected, dial 1-800-444-4444. This number is a toll-free Automatic Number Announcement Circuit that will tell you the phone number you are calling from. Note this phone number down. Also note down the manufacturer or model number of the elevator phone if you can find it.

Look up the documentation for the specific model number of the elevator phone and you will find that you will most likely be able to program it simply by calling the number it is attached to. You will also find that it may have a default password to access programming mode, such as 123456 or 35842#. From there, you can perform actions such as change the message it announces or even change the number it calls when the emergency button is activated. Documentation example here.

How can this be used maliciously?

  1. Most elevator phones will auto answer when called. You can find the phone number to the device, call it, and now you are listening to private conversations happening in the elevator. This has the potential for corporate espionage.
  2. You can cause a Denial-of-Service by changing who the elevator phone calls in case of an emergency.
  3. You can pull a prank by changing the message it announces to people in the elevator car, or the party the phone is calling.
  4. Think of some other things you can do with this. Maybe some social engineering attacks.

PS: Sometimes you can find the elevator phone's phone number written somewhere in the elevator by maintenance personnel.

Sep 09, 2015

DEFCON23 Presentation

So my DEFCON23 talk was given an early-release onto the internet! I am excited since many of you were eager to see it and I'd hate for you all to have to wait for the normal release schedule.

DEF CON 23 - Dennis Maldonado - Are We Really Safe? - Bypassing Access Control Systems

Sep 08, 2015

Check a file permission number on Linux

Here is how to check a specific file/folder permission number on Linux:

stat -c %a /home

This will return something like:

755
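The same stat call can be wrapped into a small check that flags a path whose mode number is not what you expect, or that is writable by everyone. This is an added example, not from the original post; it assumes GNU (or BusyBox) stat, which understands -c %a.

```shell
# Added example: wrap `stat -c %a` into reusable permission checks.
# Assumes a stat that supports -c %a (GNU coreutils or BusyBox).

# perm_number PATH -> octal mode number, e.g. 755, or 4755 when setuid is set
perm_number() {
    stat -c %a "$1"
}

# other_digit MODE -> the last digit of MODE, i.e. the bits for "other" users
other_digit() {
    mode=$1
    printf '%s\n' "${mode#${mode%?}}"
}

# world_writable PATH -> exit 0 if anyone on the system may write to PATH
# (the "other" digit has the write bit, value 2, set: 2, 3, 6 or 7)
world_writable() {
    case "$(other_digit "$(perm_number "$1")")" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_mode PATH EXPECTED -> "ok" when the mode number matches EXPECTED,
# otherwise "MISMATCH: got X, want EXPECTED"
check_mode() {
    got=$(perm_number "$1")
    if [ "$got" = "$2" ]; then
        echo ok
    else
        echo "MISMATCH: got $got, want $2"
    fi
}

# Example run on a directory that is normally 755:
check_mode /home 755
world_writable /home && echo "/home is world-writable"
```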

Untracking and removing already pushed files in Git

I had the problem of wanting to remove and ignore files that I had already committed to git. Turns out, it's pretty simple:

  1. Add the files you want to ignore to your .gitignore file
  2. To unstage and remove paths only from the index, not the file system, run:
    git rm -r --cached .
  3. Run:
    git add .
  4. Run:
    git commit -m "Removed sensitive files"

The files/paths listed in .gitignore should now be gone from the repository but should still exist in your file system.

Note: This will not remove files already pushed to your git repository. To remove sensitive data already pushed, see this article.
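To see the four steps working end to end, the script below runs them in a throwaway repository and confirms that the ignored file has left the index but is still on disk, and that it is still reachable in history. This is an added example, not part of the original post; it assumes git is installed, and the repository, file names and "sensitive" content are all constructed.

```shell
# Added example: the untrack-and-ignore procedure run in a temporary repo.
# Assumes git is on PATH. Everything below is constructed for the demo.

# untrack_demo -> prints "untracked-but-present history-commits=N" on success,
# "unexpected" otherwise. Runs in a subshell so the caller's cwd is untouched.
untrack_demo() (
    repo=$(mktemp -d) || return 1
    cd "$repo" || return 1
    git init -q .
    git config user.email demo@example.invalid   # constructed identity
    git config user.name demo
    printf 'password=hunter2\n' > secrets.conf   # constructed "sensitive" file
    printf 'hello\n' > README
    git add . && git commit -q -m "initial"

    # Step 1: list the file in .gitignore
    echo secrets.conf >> .gitignore
    # Step 2: remove every path from the index only; the working tree is untouched
    git rm -r -q --cached .
    # Step 3: re-add everything; .gitignore now excludes secrets.conf
    git add .
    # Step 4: commit the removal
    git commit -q -m "Removed sensitive files"

    # The file must still exist on disk but no longer be tracked.
    if [ -f secrets.conf ] && ! git ls-files | grep -qx secrets.conf; then
        # Caveat from the post: the content is still in history. Both the commit
        # that added the file and the one that removed it still reference it.
        n=$(git rev-list --count --all -- secrets.conf)
        echo "untracked-but-present history-commits=$n"
    else
        echo unexpected
    fi
    rm -rf "$repo"
)

untrack_demo
```

The trailing count is the reminder that steps 1-4 only stop tracking the file; anything already pushed needs the history rewrite the note above points to.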

Sep 07, 2015

NFSpy - Attacking NFS Servers

I recently learned of NFSpy, a tool that can be used for attacking an NFS server.

nfspysh -o server=<ip/host>:<dir>

nfspysh -o server=192.168.12.41:/home/jimmy