Posted on Tuesday, 5th December 2017 by Michael

Recently I took my first attempt at my OSCP certification. After 90 days in the lab and rooting a majority of the machines, I fell short by just a few points on my first attempt. I decided to take some time off before my next attempt. During my break, a friend told me about a class called the Pentester Candidate Program. The class was developed by Joe McCray of infosecaddicts.com. I have known Joe for years, ever since the days of rootwars.org and IRC, almost 14+ years. I have heard a lot about his training offerings but never took any up to now. While my background and experience in pen testing are probably more advanced than the majority of the students who take the class, I signed up for the opportunity for additional job interviews with companies they have partnerships with and to see how others do their testing.

Posted in Blog | Comments (1)

Posted on Sunday, 8th November 2015 by Michael

48 hours with the Quick Lock by Safe Tech

I never did a Kickstarter before, but I was looking for a low-cost solution for a smart lock for the door to my armory in the house. Up to this point, my only experience has been with Schlage, but at 179.00 dollars per lock it adds up. So I decided that at a cost of 79.00 I would take a chance on the Quick Lock: https://www.thequicklock.com/.

The early investor deal gave you two RFID cards and two RFID keychains. You are also able to download the smartphone app for free. The company held true to their ship dates and by the end of October I had my lock. Though they said they would send tracking, I never received any tracking info; it just showed up on my door one day.

The lock itself did not feel as secure as the Schlage lock, and the front button felt loose / flimsy. I personally would not use this lock on my front door, as I do not think it will hold up against an attack; due to not fully reading the directions on installation I had to defeat the security of this lock and was able to in a few minutes. With that being said, it is great for an interior door to keep kids and guests out.

The directions to install are confusing, as the pictures on the site show the orientation of the lock in the opposite direction of what the directions have it. Following the images on the site, I found the lock would not fit my door nor would the wire reach. Following the directions and installing it in a direction that seems to be upside down made the installation simple.

Posted in Blog | Comments (0)

Posted on Wednesday, 1st July 2015 by Michael

Google Android Device Manager to the Rescue

Let’s start off with me explaining how I found out how great the Android Device Manager is. My wonderful wife came home from a trip to the local farmers market the other day all upset about losing her new Samsung Galaxy S6 while running through a nasty rain storm with our newborn son. This is the same device she stores all the pictures she takes of our newborn son on. When she realized it was missing she was super distraught.

When she told me about what happened, I explained the likelihood of getting the device or the data back would be very slim, especially since we did not have any software on the phone to track the device or recover data. At that point I started to formulate a plan of attack to stop any further loss of data, such as changing passwords on all accounts associated with the phone, freezing service and checking her backup cloud account to see what data we could recover.

That’s when I took my own advice that I always tell her: Stop, Think, Act! I decided to give the situation a quick Google in the event I could find a way to locate the phone or do a remote wipe. I found many articles on how to use third party tools that had already been installed on your device to locate the device, recover data and/or wipe the device. Though deep down in my searching I found a link on how to use the ADM to track and secure a lost phone.

ADM can be installed on your Android from the Google Play Store. Installing the ADM on your phone allows you to search for other people’s devices by using guest mode. You can also use the web UI on a PC or Mac: https://www.google.com/android/devicemanager. The only piece of information you will need is the user’s Google account (Gmail).

Once you log into the ADM you can select the device you want to Track, Secure or Wipe from the list, if you have multiple devices connected.

Below you can see an example from the web UI:

Tracking:

I have redacted my location for privacy. Below you can see the current location of my phone on the map, Google states it is accurate within 20 meters:

Below you can see what happens when you choose Ring. This feature is great if your phone is on vibrate or silent. It will enable your ringer at the highest volume for 5 minutes of continuous ringing.

Securing:

Below you can see the features of using the lock option. This is great if you do not have a pin on your device and you want to make sure no one can access the data on the device while you try to recover it.

Wiping:

Below you can see the options of the wipe feature. Note this will remove all data, though it is a great option if the phone is stolen, to make sure no data can be accessed on it. However, per the feature description, it may not wipe the contents of your SD card, which can be pulled from the phone and accessed on a PC if not encrypted.

After exploring the options inside of the ADM, I am happy to report that the once upset wife was made happy when I told her the phone was somewhere on our property, and even more delighted when I made it start ringing (she had it on silent), which led to its finding wedged between the seats of her mother’s car.

Moral of the story: always STOP, THINK, ACT.

  • Make backups of your devices often.
  • Have a PIN on your device.
  • Be prepared to wipe the device if need be.
  • Change all passwords for applications that are not needed in a recovery attempt.

Posted in Uncategorized | Comments (0)

Posted on Wednesday, 18th March 2015 by Michael

Chevy Volt: A Year+ Later

Well, it has been over a year now owning my Volt and I have got to say I am very impressed. First I will start with some of the cons / annoyances.

  1. Engine light: This seems to come on for the oddest reasons and, despite popular belief, does not always turn itself off after it checks to see if what tripped it is still happening. For example, over this past winter I did not drive the Volt much due to the subzero temps and snow. Each week I would let it run for a bit and then turn it off. One week it was 2 degrees and when I started it all drive modes were greyed out except normal; however, the battery did not show, the gas tank did, and the engine light turned on. Since then I have driven it a bunch and I am still getting between 55 to 62 miles without an issue. The code it is sending, according to OnStar, is issues with charging and it should go away after the next charge; well, each time I have had this issue I had to have the dealer reset it.
  2. It’s a video game: This issue is more with me due to OCD and trying to constantly push the 35 mile rated range to over 50+ miles. I find myself constantly distracted and driving extremely conservatively because 50 is not enough for me; I want the 60+.
  3. No 5th seat: When I first bought this car I did not really think about what if I were to have another kid; however, with only a few days left before the new addition to our family is due to arrive, I am starting to worry about this. We have two other vehicles that have 5 seats but neither is as fuel efficient as the Volt.

Now for the pros:

  1. The Battery: It is amazing how far you can push a battery that is rated for only 35 miles and only allows a fraction of the full battery to be used. I am constantly pushing over 50 miles with many trips hitting closer to the 60 mark and some over it. My max miles so far has been 65 miles of all electric driving.
  2. Cost savings: My office is 156 miles away round trip for a total of approx. 780 miles a week. My FJ Cruiser gets between 250 and 265 miles per fill up at a cost of between 55 to 65 dollars per fill. This means I was filling my tank a little over 3 times a week for a cost of 171 dollars per week and 686.40 a month. My Volt is averaging 600 to 700 miles per fill up (when I commute to work) and costs 1.30 per full recharge and 30 dollars per tank fill. My cost per week in electric is about 6.50 cents and at 600 miles per refill I am averaging 1 fill up a week. Total cost each week will be 39.50 and per month would be 158 dollars.
  3. The community: The Volt community is huge and if you have any issue or need info they are more than welcoming.
  4. Design: The car looks and feels like a luxury car if you got the top end package fully loaded like I do. You get all the luxury and features at a fraction of the price of a gas luxury car.

Is the Volt for me long term? Well, unless I hit the lotto and I can buy a Tesla, I would say yes! Though now with the Volt 2.0 on the horizon and the Bolt, I may be looking to trade it in for one of its new family members.

Posted in Blog | Comments (0)

Posted on Thursday, 16th October 2014 by Michael

I know I am a bit behind on this one; however, I have been too busy to update my site. This code was written for an organization I work for to rule out false positives while scanning our organization for Heartbleed.

For those that do not know what Heartbleed is, check out this site: Troy Hunt: Everything you need to know about Heartbleed

Code: a5.sh (no reason why it is named a5.sh, I just got tired of long names through the hundreds of iterations trying to get to 99% error proof).

#!/bin/bash
###################################################
## Automate the HeartBleed Vuln Testing ##
## BY: Michael ##
###################################################
### VARIABLES: result folders kept for manual verification later
nV=not-vulnerable/
iV=vulnerable/
mkdir -p "$nV" "$iV"
# Learn how to use my app already 🙂
if [ $# -lt 2 ]
then
    echo "No arguments supplied"
    echo "Proper usage is: ./a5.sh host_list Output_file"
    exit 1
fi
# Remove empty lines from the host list
sed '/^$/d' "$1" > "$1.bk"
mv "$1.bk" "$1"
# READ THE LIST OF HOSTS AND NMAP FOR KNOWN SSL PORTS
while read -r p
do
    # Check to see if the host resolves: the grepable trailer reads
    # "-- N IP address(es) (M hosts up)", and N is 0 when the name does not resolve
    nmap "$p" -p 80 -oG "$p-v.txt" > /dev/null
    uHOST=$(grep "Nmap done" "$p-v.txt" | awk -F'#' '{print $2}' | cut -d'-' -f3 | awk -F'I' '{print $1}' | tr -d ' \n')
    if [ "${uHOST:-0}" -eq 0 ]
    then
        echo "$p : NOT RESOLVABLE"
        echo "$p,NOT RESOLVABLE" >> "$2.csv"
    else
        # Scan the known SSL ports (taken from the Heartbleed IPS signatures) and keep only the open port numbers
        nmap "$p" -p 25,143,443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8081,8082,8089,8443,8883,9091,2381 | grep "open" | awk -F'/' '{print $1}' | grep -v "Nmap" > "$p.txt"
        if [ ! -s "$p.txt" ]
        then
            echo "$p : NO VULNERABLE PORTS FOUND"
            echo "$p,NO VULNERABLE PORTS FOUND" >> "$2.csv"
        else
            # Test every open SSL port with ssltest.py and keep the raw output
            while read -r i
            do
                echo "Results for server: $p" >> "$nV$p-results.txt"
                python ssltest.py "$p" -p "$i" >> "$nV$p-results.txt"
            done < "$p.txt"
            # ssltest.py prints a WARNING line when the heartbeat reply leaked server memory
            if grep -q WARNING "$nV$p-results.txt"; then
                mv "$nV$p-results.txt" "${iV}VULNERABLE_$p-results.txt"
                echo "$p is VULNERABLE. LOGGING ISSUE"
                echo "$p,VULNERABLE" >> "$2.csv"
            else
                echo "$p is NOT VULNERABLE MOVE ALONG"
                echo "$p,NOT VULNERABLE" >> "$2.csv"
            fi
        fi
    fi
    rm -f "$p.txt" "$p-v.txt"
done < "$1"

The code will create some directory structure for saving the results, a vulnerable and a not vulnerable folder. This is to save the results of each site that is tested, for manual verification if there is any question whether the code is working correctly. We next verify the host is up and running. No need to scan a site that is dead! However, we will record the site’s status for auditing later. If the site is up and running, we then check the site for a slew of ports that have been taken from the Heartbleed IPS signatures as known SSL ports. If the script detects a known vulnerable port it will then try to exploit the site. The exploit script is called ssltest.py and was not developed by me. It can be downloaded here: https://gist.github.com/sh1n0b1/10100394. Depending on the results of the exploit, the script will mark it as vulnerable or not vulnerable.
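The two nmap parsing steps the script depends on (is the host up, which SSL ports are open) and the three CSV verdicts, as an added example that is not part of the original a5.sh. All nmap output below is constructed sample text in the formats nmap emits, so it runs without scanning anything; the helper names are my own.

```shell
#!/bin/bash
# Added example, not part of the original a5.sh: the two nmap parsing steps the
# script relies on, written against the formats nmap actually emits, plus the
# same three CSV verdicts. Every input below is a constructed sample.

# Constructed `nmap -p 80 -oG` (grepable) output for a name that resolved and
# answered; the script writes this file as "$p-v.txt".
GNMAP_UP='# Nmap 6.40 scan initiated Thu Oct 16 10:00:00 2014 as: nmap example.test -p 80 -oG example.test-v.txt
Host: 203.0.113.10 (example.test)   Status: Up
Host: 203.0.113.10 (example.test)   Ports: 80/open/tcp//http///
# Nmap done at Thu Oct 16 10:00:01 2014 -- 1 IP address (1 host up) scanned in 0.20 seconds'

# Constructed grepable output for a name that did not resolve: only the header
# and trailer are written, and the trailer reports 0 addresses.
GNMAP_UNRESOLVED='# Nmap 6.40 scan initiated Thu Oct 16 10:00:02 2014 as: nmap nosuch.test -p 80 -oG nosuch.test-v.txt
# Nmap done at Thu Oct 16 10:00:02 2014 -- 0 IP addresses (0 hosts up) scanned in 0.01 seconds'

# Constructed normal-format output of the SSL port scan: two open ports.
NMAP_PORTS='Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-16 10:00 EDT
Nmap scan report for example.test (203.0.113.10)
Host is up (0.0010s latency).
PORT     STATE    SERVICE
25/tcp   filtered smtp
443/tcp  open     https
8443/tcp open     https-alt

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds'

# Constructed output where every listed port is filtered: nothing to test.
NMAP_NONE='Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-16 10:00 EDT
Nmap scan report for example.test (203.0.113.10)
Host is up (0.0010s latency).
PORT     STATE    SERVICE
443/tcp  filtered https

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds'

# host_is_up GNMAP_TEXT: succeeds when a "Host: ... Status: Up" record exists.
# Unlike splitting the trailer on "#" and "-", this does not depend on the
# date format or on how nmap words the summary line.
host_is_up() {
    printf '%s\n' "$1" | grep -q 'Status: Up'
}

# open_ports NMAP_TEXT: prints each open port number on its own line, keyed on
# the STATE column rather than grepping for the word "open" anywhere in a line.
open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" { split($1, f, "/"); print f[1] }'
}

# triage_host GNMAP_TEXT NMAP_TEXT: the verdict a5.sh writes to the CSV before
# any Heartbleed probe runs; open ports come back as "OPEN:443,8443".
triage_host() {
    local open
    if ! host_is_up "$1"; then
        echo "NOT RESOLVABLE"
        return
    fi
    open=$(open_ports "$2" | paste -sd, -)
    if [ -z "$open" ]; then
        echo "NO VULNERABLE PORTS FOUND"
    else
        echo "OPEN:$open"
    fi
}

triage_host "$GNMAP_UP" "$NMAP_PORTS"          # OPEN:443,8443
triage_host "$GNMAP_UNRESOLVED" "$NMAP_PORTS"  # NOT RESOLVABLE
triage_host "$GNMAP_UP" "$NMAP_NONE"           # NO VULNERABLE PORTS FOUND
```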

How to use the code?

Step 1: Create the Shell Script

  1. vi a5.sh
  2. Copy and paste the above code into the file.
  3. Save the file
  4. chmod 777 a5.sh

Step 2: Run the code

  1. ./a5.sh list_of_hosts output_file (ie. ./a5.sh heartbleed_hosts heartbleed_results.csv)

Step 3: Next steps

  1. Review the results.csv file you created
  2. Review the Vulnerable directory for any sites that were detected vulnerable to review the results.

Posted in Code | Comments (0)

Posted on Thursday, 16th October 2014 by Michael

What is POODLE?

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. To learn more about this vulnerability check the following links, as it has been covered so much already:

http://www.toyhunt.com

How to Scan for this vulnerability?

Please note this script was developed on Mac OS X. The reason I point this out is that the Mac does not have timeout or gtimeout by default. Either of these tools would have made this script much cleaner. However, to keep the OS X install as pristine as possible and not install additional tools, I created a workaround called sleeper.sh.

poodle.sh

#!/bin/bash
while read -r rHOST
do
    # Start the watchdog, then force an SSLv3 handshake. stdin comes from /dev/null so
    # s_client does not swallow the rest of the host list; the watchdog's output goes to
    # /dev/null and it is stopped once openssl returns, so it cannot kill the next host's
    # connection or hold the command substitution open for the full 10 seconds.
    exploit=$(./sleeper.sh >/dev/null 2>&1 & sleeperPID=$!
              openssl s_client -connect "$rHOST:443" -ssl3 </dev/null 2>/dev/null
              kill "$sleeperPID" 2>/dev/null)

    if echo "${exploit}" | grep -q 'Protocol.*SSLv3'; then
        if echo "${exploit}" | grep -q 'Cipher.*0000'; then
            echo "$rHOST,SSL 3 disabled"
            echo "$rHOST,SSL 3 disabled" >> Poodle_Results.csv
        else
            echo "$rHOST,SSL 3 enabled"
            echo "$rHOST,SSL 3 enabled" >> Poodle_Results.csv
        fi
    else
        echo "$rHOST,SSL disabled or other error"
        echo "$rHOST,SSL disabled or other error" >> Poodle_Results.csv
    fi
done < "$1"

In the poodle.sh script we use a while loop to read a list of hosts to check. Using openssl we force the connection to use SSLv3. If the connection works we mark it as having SSL3 enabled. If the connection fails we mark it as not being enabled, and if something else fails we mark it as other (i.e. bad hostname).

sleeper.sh

#!/bin/bash
# Watchdog: give the SSLv3 handshake 10 seconds, then kill any hanging openssl client
sleep 10
killall openssl
exit 0

In sleeper.sh we launch a watcher to kill the connection after 10 seconds. This script can be replaced with the timeout command if you are using Linux or if your OS X has timeout installed.
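The poodle.sh verdict logic and the timeout replacement for sleeper.sh described above, as an added example that is not the original scripts: the classifier is separated out so it can be checked against constructed s_client transcripts without a network, and the probe uses `timeout` in place of the watchdog. Function names are my own.

```shell
#!/bin/bash
# Added example, not the original poodle.sh or sleeper.sh: the same three-way
# verdict split into a classifier that can be checked offline, and a probe that
# replaces the sleeper.sh watchdog with `timeout` as the post suggests.

# classify_sslv3 S_CLIENT_OUTPUT: prints the label poodle.sh writes to the CSV.
# openssl s_client -ssl3 prints an SSL-Session summary whenever it got far
# enough to talk to the server; a Cipher of 0000 means no SSLv3 cipher was agreed.
classify_sslv3() {
    if printf '%s\n' "$1" | grep -q 'Protocol.*SSLv3'; then
        if printf '%s\n' "$1" | grep -q 'Cipher.*0000'; then
            echo "SSL 3 disabled"              # server answered but refused SSLv3
        else
            echo "SSL 3 enabled"               # SSLv3 cipher negotiated: POODLE exposure
        fi
    else
        echo "SSL disabled or other error"     # no summary: DNS failure, closed port, timeout
    fi
}

# probe_sslv3 HOST [PORT]: verdict for a live host with the same 10 second cap
# sleeper.sh provided. `timeout` is GNU coreutils (gtimeout from Homebrew
# coreutils on OS X). stdin is /dev/null so s_client closes after the handshake
# and never reads from a host list the caller is looping over. An OpenSSL build
# compiled without SSLv3 rejects -ssl3 outright, which puts every host in the
# "other error" bucket instead of reporting SSLv3 as disabled.
probe_sslv3() {
    local host="$1" port="${2:-443}" out
    out=$(timeout 10 openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>/dev/null)
    classify_sslv3 "$out"
}

# Constructed excerpts of s_client output, trimmed to the lines the classifier
# inspects (a real transcript also carries the certificate chain and byte counts).
S_CLIENT_ENABLED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA'
S_CLIENT_DISABLED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
S_CLIENT_REFUSED='connect: Connection refused
connect:errno=61'

classify_sslv3 "$S_CLIENT_ENABLED"    # SSL 3 enabled
classify_sslv3 "$S_CLIENT_DISABLED"   # SSL 3 disabled
classify_sslv3 "$S_CLIENT_REFUSED"    # SSL disabled or other error
```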

How to use this code?

Step 1: create the scripts.

  1. vi poodle.sh
    1. copy and paste the code into it.
    2. Save the file
    3. chmod 777 poodle.sh
  2. vi sleeper.sh
    1. copy and paste the code into it.
    2. save the file
    3. chmod 777 sleeper.sh

Step 2: Create the list of hosts to scan

  1. vi poodle.txt
  2. add all of the sites you want to scan there (legally you should only add sites that you own)
  3. Save the file

Step 3: Run the code

  1. ./poodle.sh poodle.txt
  2. Results are shown on the screen and saved in Poodle_Results.csv

Step 4: Decide what you will do with the results.

Posted in Code | Comments (0)

Posted on Tuesday, 19th November 2013 by Michael

It has been some time since I have written a blog post for my security forum. I have got to first apologize, but sometimes time is scarce and lately I find I have less and less of it. I have recently taken a position with a new company located much further from my house. To get to this new job I decided to rely on myself and not Amtrak, as after several years of their lack of customer service and reliability while working at a past job I decided I did not want to do that again. The other thing is that the cost to do this was about the same as purchasing a fuel efficient vehicle.

There are many forms of fuel efficient vehicles out there. There are pure electric cars such as the Nissan Leaf, Tesla Model S and the new Ford C-Max. The issue is that the Nissan and Ford both have a limited range of below 100 miles (Nissan 75 miles and Ford around 90). The Tesla pushes over 250 miles solely on electric with their mid model. Though with a price tag of 87,000 +/- with the features I want, it was out of the price range I could afford right now.

Then there are hybrid cars that give you ranges between 30 to 50 miles on gas. These cars are sufficient, but while researching them I came across the best of both worlds. The Chevy Volt gives you an electric range of 30 to 50 miles depending on a multitude of factors such as temperature, driving habits, terrain, and heating / AC. In all likelihood expect around 37 to 38. Though the electric range is lower than the Leaf or C-Max, it has something neither has: it is able to use an internal combustion engine to create power and continue driving as if it was a standard car, with a 40 +/- miles per gallon rating, so basically I will not be stranded once the juice runs out. The one problem you will notice in these numbers is that it is almost impossible to figure out, as I stated earlier. The one thing I can tell you is I have driven over 500 miles so far and used less than 1 gallon of gas.

Let me start off with some negatives and wants!

First, not having the 5th seat is a blessing and a curse. It is nice that my kids have a place to store their stuff while in the car, but it makes any addition to the family or bringing the mother-in-law along a problem. It would have been nice to have that center console fold up revealing an extra seat. Next, I find having the charge door on the driver’s side a pain in the butt, but I understand why it was done. I have on-street parking at my house and running a cord to charge the car becomes tricky. Next, if all these manufacturers out there have the technology to increase the battery and EV range of their cars, why can’t Chevy tap that technology to add a longer EV range along with the ICE fallback? Can you imagine 75 to 125 miles on EV before needing the ICE to run? The last gripe I have about the car itself is the lack of being able to do text messages on the system. My wife’s Ford Escape can do it but my Volt cannot.

I will end the negative section with a huge issue for all EV owners that are not Leaf or Tesla owners. This issue is the lack of EV charge points and dealerships not supporting the EVs they sell, such as many of the local GM dealerships. Most Nissan dealerships have EV stations for Leaf owners and some are nice enough to allow us Volt owners to charge as well. Those that can afford Teslas have a large network of support thanks to the great leadership behind that car.

So here are the positives!

The car is loaded like a luxury car at a fraction of the price. There are many people who have owned high end cars and find themselves loving the Volt more. The ride is super smooth and very comfortable. When traveling I do not need to worry about running out of electric; I just switch over to gas automatically and continue the trip. The display in the car along with the safety features teaches you to become a safer, more efficient driver. I find myself competing with myself to drive more efficiently and get more range on the EV. The OnStar remote app is a great tool, allowing me to see the charge of my car and control some of the car’s functions from anywhere with my smart phone; that combined with the free 3 years from OnStar is sweet. The electronics in the car are mind blowing and the setup is very high tech. I drive long distances in the car and I am 5’10” and about 250 and I have plenty of room in the car. The seats are very comfortable and the car handles like a dream. I find it to be very responsive and the sport mode on the highway allows me to reach high speeds with ease.

The financial positives were that even though this car lists for 45k new, with all the discounts and tax credits it is almost attainable by anyone. GM will offer 7k off right away on 2013 and older models. Then USAA will give 750 towards the car if you had family in the military and you sign up. Thanks Grandpa! If you belong to a credit union you get about another 1900 off as well. With all those right off the bat you are getting 9,650 off the car, and then add any haggling or other incentives from the dealership. Though the savings don’t stop there: since the Volt’s battery is 16 kWh and it uses a max of 10.2 kWh, it qualifies for the full federal tax credit of 7,500 (at the time of writing this). Then my state offers a refund check of $3,000 for this vehicle as well. When I buy a level 2 charger I will also receive a credit for 30% back from the state on the purchase and installation of it. So all together you are looking at close to 20k+ in savings and incentives to purchase the vehicle.

There is still a lot of learning to do with this car and as I drive it more I will post some updates. For those that are new to this vehicle I suggest checking out YouTube for videos on it and www.gm-volt.com. There are so many tips and tricks on these sites.

Posted in Blog | Comments (0)

Posted on Friday, 7th June 2013 by Michael

Quick little shell script to back up a full website recursively with FTP

Recently I had a client that was trying to use several methods for doing remote recursive backups of their website content. I responded that this is a very trivial task using the ncftpget command. Even after showing them the syntax they asked if it could be simpler, hence my shell script to simplify the process.

#!/bin/bash
###################################
## Created by Michael LaSalvia
## of Digital Offensive
##################################

echo -n "Enter a host to connect to:  "
read -r rHost
echo -n "Enter username:  "
read -r rUse
echo -n "Enter local directory and Path: "
read -r rPath
echo -n "Enter folder to download or * for all:  "
read -r rRpath
echo "### Note you will be prompted for the password ##"
# -R recurse into the remote folder, -T skip TAR mode for the recursive fetch, -v show progress.
# The remote path is quoted so a "*" is passed to ncftpget instead of being expanded locally.
ncftpget -R -T -v -u "$rUse" "$rHost" "$rPath" "$rRpath"

Enjoy and let me know if you have any questions.

Posted in Code | Comments (0)

Posted on Thursday, 23rd May 2013 by Michael

Not too long ago I had my first Raspberry Pi experience, setting up a media server to stream movies. Now that I have started playing with them more I have run into a few issues. Though each time I have encountered a problem the fix was found within the “raspi-config” command. This launches the Raspberry Pi configuration menu.

The first issue I had was the Pi did not detect my keyboard correctly. It had set it as a UK keyboard and this made using some characters such as @ impossible. To fix this, choose the keyboard option in the raspi-config screen and follow the prompts.

The second issue I had was with it not using my whole 16 gig SD card. To fix this, choose expand_rootfs. This will make use of the rest of your SD card on reboot.

There are numerous other options under that menu that can make your life using the Raspberry Pi simpler. So if you have never used that command before, on your next boot up check it out.

Posted in Blog | Comments (0)

Posted on Tuesday, 14th May 2013 by Michael

Four of the most helpful Outlook Web Access Rules you will want for your Web Application Firewall

Over the last few years a new client of mine has been fighting a never ending battle against human stupidity and system compromise. It seems that no matter how much training the client provides to their users, at least a few times a year they have several employees fall victim to phishing attacks. These attacks could lead to compromise of additional systems depending on the access the user has and the remote solutions the client has, denial of service through spamming and blacklisting, loss of revenue due to the loss of the ability to email, possible loss of sensitive data depending on what was in the compromised user’s mailbox, countless hours of IT staff time to remediate and resolve the chaos the attack caused, and so on.

To help combat the non-human element, in this article we are going to address ways to combat the steps an attacker takes to leverage the credentials once they have gained them in order to send more phishing attacks and stay hidden. The rules below assume that you are serious about security and have your WAF in bridge mode, where it has the ability to reset a TCP handshake and then block the attacker’s IP. If you are in other modes you are basically in a race condition against the attacker to try to reset his or her packets. In my opinion the best solution for deployment of the WAF is in bridge mode between the firewall’s DMZ interface (because, being security pros, you don’t let your developers put internet facing servers inside your network) and the DMZ switch. The reason I do not say outside the firewall is that you will have a lot more traffic hitting the WAF that has nothing to do with the WAF, increasing the load on it and the tuning required. Trust that your firewall administrator has done their job and limited access to the web servers to 80 and 443, and trust the WAF admin to protect them against web based attacks.

Posted in Blog | Comments (0)