Python Terminal Colors
cmdjunkie
def print_format_table():
    """
    Prints a table of ANSI SGR text format options: for each style (0-7),
    every foreground colour (30-37) is shown against every background
    colour (40-47), with the escape parameters printed as the cell text.
    """
    for style in range(8):
        for fg in range(30, 38):
            s1 = ''
            for bg in range(40, 48):
                # SGR parameters are joined with ';' inside ESC[ ... m
                code = ';'.join([str(style), str(fg), str(bg)])
                # \x1b[0m resets all attributes after each cell
                s1 += '\x1b[%sm %s \x1b[0m' % (code, code)
            print(s1)
        print('\n')


print_format_table()

Nmap Script Consolidation (Ops Project) Post 1
cmdjunkie
Nmap scripts provide a fantastic pentesting arsenal of tools.  The official nmap script collection currently sits at around 536 scripts and continues to grow.  The scripts address a large portion of what should be considered enumeration tactics during a procedural engagement.  And even outside of a procedural engagement, in a more operational/ad-hoc manner, the ability to execute one script, a couple of scripts, or a batch of scripts instantaneously, without any need to edit or modify the syntax of the command, is a critical tactic for success in any adversarial interaction.

In essence, Nmap's strength is its enumeration capabilities.  While it may be useful to learn nmap on the command line, its flags, arguments, and syntax, it's even more important to take a successfully executed syntax string, label it appropriately with a title (technique/attack) and place it in an accessible data structure that can be used to access the technique/attack in an efficient manner.

Naturally, I use Python for this and utilize the standard class structure for defining attacks and techniques.  My current framework contains five scripts that define objects that are used to perform an operational (and often offensive) technique; or rather "adversarial objects" (... which I think expands and somewhat defines the scope of what I'm looking to accomplish.)

While it's no secret that consolidation is key, the real work is grouping and defining the functions that you will execute with a specific set of arguments.  The objective is to provide a function with one or two values that can be used in a series of weaponized commands in order to accomplish a specific task.  By weaponized, I mean full, fail-proof utilization of the task at hand.  For example, an excellent way to quickly scan a network range for common ports with potentially vulnerable services is to issue the following command:

"nmap -Pn -n -sS -p 21-23,25,53,111,137,139,445,80,443,8443,8080 --min-rtt-timeout 0ms --max-rtt-timeout 100ms --max-retries 1 --max-scan-delay 0 --min-rate 6000 -vvv --open -oA quick_scan <targets>"

While it may be beneficial to have this in a script somewhere, its output and the ability to execute the scan in a dynamic manner make it a prime candidate for adversarial objectification: my process of converting a simple command like the one above into something easily executable and endlessly scriptable.  Python is my language of choice.

The first thing to do is to ensure the command works, and works well.  The second is to ensure the output is in a format that can be parsed based on a known standard.  The third is to place it in a function of an adversarial object class and ensure all commands issue the argument called within the function successfully and in a manner that's consistent with the purpose of the function definition.
As an example, the quick nmap scan command used above will become a string in a function called quick_scan().


With that defined as the quick_scan function in the adversarial object class Discovery.discovery(), the function is called using the Python shell by initially instantiating a Discovery.discovery() object and calling the now native function quick_scan(targets):



The beauty of this approach is the ability to quickly automate more advanced pentesting logic using consolidated commands as functions and uniform parse formats for output files.  Using the -oA flag, nmap will produce three files: a normal nmap format (*.nmap), a grepable format (*.gnmap), and an xml file.
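The workflow above, written out as an added Python 3 example for this page.  It is not the blog's own Discovery.discovery() code (which the page does not show): the class and method names come from the post and the command line is copied verbatim from it, while the target validation, the .gnmap parser and the sample output lines are assumed or constructed here.  Targets are passed as an argv list rather than a shell string, so a malformed target cannot alter the command, and the parser turns the grepable output into a plain dict that later functions can consume.

```python
"""Adversarial-object wrapper for the post's quick_scan command (added example).

Not the blog's own Discovery.discovery() code: the class and method names are
taken from the post, the command line is copied verbatim from it, and everything
else (validation, the .gnmap parser, the sample output) is assumed or constructed.
"""
import ipaddress
import re
import subprocess

# Port list copied verbatim from the quick_scan command in the post.
QUICK_SCAN_PORTS = "21-23,25,53,111,137,139,445,80,443,8443,8080"

_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# One entry in a .gnmap "Ports:" field has the form
#   port/state/protocol/owner/service/rpc_info/version/
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def validate_target(target):
    """Accept an IP address, CIDR block or hostname; reject anything else."""
    try:
        ipaddress.ip_network(target, strict=False)
        return target
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError("unsupported target: %r" % (target,))


class Discovery:
    """Holds consolidated discovery commands, one function per technique."""

    def __init__(self, out_prefix="quick_scan"):
        self.out_prefix = out_prefix  # -oA writes <prefix>.nmap/.gnmap/.xml

    def quick_scan_argv(self, targets):
        """Build the post's command as an argv list: no shell, no quoting bugs."""
        argv = ["nmap", "-Pn", "-n", "-sS", "-p", QUICK_SCAN_PORTS,
                "--min-rtt-timeout", "0ms", "--max-rtt-timeout", "100ms",
                "--max-retries", "1", "--max-scan-delay", "0",
                "--min-rate", "6000", "-vvv", "--open", "-oA", self.out_prefix]
        argv.extend(validate_target(t) for t in targets)
        return argv

    def quick_scan(self, targets):
        """Run the scan and return the parsed grepable output."""
        subprocess.run(self.quick_scan_argv(targets), check=True)
        with open(self.out_prefix + ".gnmap") as fp:
            return parse_gnmap(fp.read())


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        results[host] = [
            (int(port), proto, service, version)
            for port, state, proto, service, version in _PORT_RE.findall(ports_field)
            if state == "open"
        ]
    return results


# Constructed sample of what nmap writes to quick_scan.gnmap (not real scan data).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (8)\n"
    "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (10)\n"
    "# Nmap done (constructed sample)\n"
)

if __name__ == "__main__":
    print(Discovery().quick_scan_argv(["10.0.0.0/24"]))
    print(parse_gnmap(SAMPLE_GNMAP))
```

Discovery().quick_scan(targets) is the call the post describes; the argv builder and parser are split out so each can be tested against canned output without a scanner on the box.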

Going forward, learning new techniques becomes more about integrating them into the adversarial framework than learning or remembering the increasingly longer command line strings and syntax -- especially for the more advanced tactics and techniques.

Github Management (Pushing Py to a new Repo)
cmdjunkie
I'm pushing most of my code to my github account for centralized management and better version control.  I used the following commands to push the Mimi.py python source directory to a new Mimi repository:

Having accessed the local directory where all the Python source files were located, the following commands were entered:

>> git add *.py
>> git status
>> git commit -m "First initial commit of Mimi"
>> git remote add origin <url>
>> git remote -v
>> git push -u origin master

Following the last command you will be prompted for a user and password for the repository you're pushing to.

That's all there is to it.  

ShadowBrokers
cmdjunkie

Proven Skill-sets and the Security Software Divide
cmdjunkie
I just got into a debate on a forum about the definition of hacking.  Personally, I've always believed that real hacking, at its core, is creative programming, clever engineering, and innovative problem-solving.  Once the term was dragged through the mud, sensationalized, and beat to death by the media and the marketing engine that drives the security industry, hacking became a term for malicious computer use and unauthorized access.  Grah.

I'm at the point now where I recognize what's valuable and what isn't with regard to working in this ever-changing field.  I'm relatively seasoned, so I have some level of expertise when it comes to the outlook and nature of the field and where it's going.  What I've found is that there is no benchmark for operational security work; only certifications.  Your skillset in the professional hacking/pentesting/security arena is only really measured by the industry-respected credentials you've acquired, not your self-taught understanding, or even your college degree -- actually, especially your college degree.

All that's asked of one to be qualified to be considered for a security role is a security certification.  Whether it's the CISSP, the CEH, the OSCP, the CISM, or what have you, those certifications are supposed to demonstrate to hiring managers and HR that you're competent and qualified to perform security and security-related duties for a company.  Which makes perfect sense because "security skills" are hard to quantifiably measure.  What makes one security professional better than another?  Their business acumen?  Their ability to communicate, organize data, and generate reports?  Their aptitude for low level security concepts?  It's really hard to say.  But these are the people responsible for protecting a company's assets from being stolen.

Nowadays, programmers are a dime a dozen.  But what programming, development, and engineering have that security doesn't is a proven method to not only demonstrate aptitude, but to also display it.  Engineering, Programming, and Development (EPD) is focused around creation, building, innovation, and clever solutions (real hacking), whereas the nature of security (especially in the enterprise) generally revolves around risk management and business integration.  What exactly are the skills required of security professionals to do their jobs effectively?

This is why I find it hard to fit into roles at the moment.  There's still a divide when it comes to what companies want versus what companies need.  The rise of the Security Software Engineer is upon us, but companies and entities don't yet know that's what they need.  The future will require individuals with proven EPD skillsets that not only understand security and security related concepts, but also know how to implement them -- because security itself is not a skill but a general understanding of a common body of knowledge.  This is why security certifications are important, and why EPD doesn't require them.

For example, a young software engineering graduate can come right out of school and get a job immediately.  Companies looking to hire EPD's aren't looking for certifications, they're looking for degrees.  Why?  Because an EPD degree is proof that this candidate can actually do the job they're being hired to do: EPD work.  This newly minted graduate has a collection of skills that are endlessly valuable, and they have the ability to learn new concepts quickly and competently.  Their career is now based on what they know and what they can build, so any added credentials and skills are piled on and only act to make this person more well-rounded and hirable.  Security professionals on the other hand, come from a far more diverse background.  A large percentage of security professionals don't have EPD degrees, just a certification that says they crammed for a couple of months and took a 6 hour test.  And even if they have multiple certifications, how can you really judge what this person knows how to do in the security realm?  I guess that's what interviews are for.

But this concept and current state of both industries should be taken advantage of.  Real hacking, and real technical skill absolutely and without a doubt stems from learning how to build systems, solutions, and applications on a variety of platforms.  Just the act of EPD on a variety of systems, equips you with OS, Networking, Interoperability, Compatibility, Availability, etc., knowledge and understanding.  These are core, necessary skills, and programmers have the power in that realm.  EPD skills continue to grow upon themselves and they only improve, they don't degrade with time.  Security-certification based work is nothing to build a career upon, by itself.  Security certifications should supplement an existing EPD skillset and provide additional opportunities, not define one's career as the sole source of competency.  Hell, that's what EPD's need anyway; security training to help them improve their projects.

It amazes me that there's still such a divide when it comes to both fields.  Security guys want the opportunities of the industry, and to consider themselves hackers, but don't want to learn how to code.  They also find themselves "chasing paper" to validate their skillsets and careers, but walk away with no real practical skills that can actually improve security going forward.  Anyone can pass a security certification exam -- especially the ones that are in high demand.  A lot of security guys (and gals) I know just don't have the patience to learn programming, and that's fine, but it's unfortunate.

On the opposite side, a significant portion of EPD's are not security focused, trained, or involved, and would rather keep it that way.  In my line of work, I'm constantly at odds with EPD's that need security work done on their projects and I wonder to myself why they aren't equipped to assess their own work.  Why isn't it a requirement of EPD's to obtain security certs that would only improve their knowledge and flexibility when it comes to secure solutions?  Any EPD with a security certification is a hot commodity, and going forward, there's a problem when individuals are only focused on one or the other.

Disassembling Binaries with GDB
cmdjunkie
I've been experimenting and playing around with disassembling and reversing binaries in linux.  I wanted to get a fundamental understanding so I've been using gdb as opposed to a GUI based debugger, but the plan is to move up to WinDebugger and  IDA Pro as my skillset and understanding improves.

Here are a couple of common commands when debugging an exe:

display/x $eax       Displays the contents of the supplied register in hex
x/s                  Examines the contents at the supplied addr as a string
x/x                  Examines the contents at the supplied addr as hex
x/u                  Examines the contents at the supplied addr as unsigned
x/d                  Examines the contents at the supplied addr as signed
x/8x $sp             Examines 8 bytes in the stack
x/i $eip             Examines the current instruction
x/4xw $sp            Examines four 'words' of memory above the stack pointer
break _start         Sets a breakpoint at the start function
info registers       Displays the current state of CPU registers
info frame           Displays stack start, end, args, and locals pointers
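To try the examine commands from the table without typing them one at a time, here is an added Python 3 example (not from the post) that compiles a constructed C program with debug info and drives gdb in batch mode.  It only reads the binary (break, x/s, x/x, x/u and x/8i resolve against the ELF file) and never starts the program, so it also works where ptrace is restricted, as in many containers; the $sp, $eip and info registers commands need a live process and are left for an interactive session.  gcc and gdb are assumed to be installed, and the function returns None when they are not.

```python
"""Drive gdb non-interactively over a tiny C program (added example, not from the post).

Compiles a constructed demo.c with debug info and runs examine commands from the
post's table against the binary without starting a process, so it works even
where ptrace is restricted.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample program; the globals give gdb stable symbols to examine.
DEMO_C = r'''
#include <stdio.h>
const char greeting[] = "hello, gdb";
unsigned int counter = 42;
int main(void) {
    printf("%s %u\n", greeting, counter);
    return 0;
}
'''

# Static inspection only: these read the ELF file, no 'run' is needed.
GDB_COMMANDS = [
    "break main",      # confirms symbols resolved; prints file and line
    "x/s &greeting",   # examine memory at an address as a C string
    "x/x &counter",    # the same address as hex (default unit: 4-byte word)
    "x/u &counter",    # ... and as an unsigned decimal
    "x/8i main",       # disassemble the first 8 instructions of main
]


def disassemble_demo():
    """Return gdb's stdout as a string, or None if gcc or gdb is not installed."""
    if shutil.which("gcc") is None or shutil.which("gdb") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "demo.c")
        binary = Path(tmp, "demo")
        src.write_text(DEMO_C)
        # -g keeps symbols and line tables; -O0 keeps the code readable.
        subprocess.run(["gcc", "-g", "-O0", "-o", str(binary), str(src)], check=True)
        # -nx ignores any ~/.gdbinit, -batch exits after the -ex commands.
        argv = ["gdb", "-q", "-nx", "-batch"]
        for cmd in GDB_COMMANDS:
            argv += ["-ex", cmd]
        argv.append(str(binary))
        proc = subprocess.run(argv, capture_output=True, text=True)
        return proc.stdout


if __name__ == "__main__":
    output = disassemble_demo()
    print(output if output is not None else "gcc or gdb not installed")
```

Swap the command list for the ones you want to practise; x/s on the greeting shows the same bytes that x/x shows as hex words, which is the fastest way to get a feel for how the format letters change the view of one address.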

Programming and Piano
cmdjunkie
I bought my piano in the fall of 2008, when I lived by myself for the first time, and I was going through absolute turbulence with my girlfriend at the time.  It was something I was always interested in, and something I felt like I had natural talent with.  I was right, and I started playing, not by following a book, or taking lessons, but by playing what I heard, watching youtube videos, and smoking weed and fucking around.  Eventually, I got pretty good because I practiced all the time.  It was something I enjoyed.  I wasn't a dynamo, but I knew how to play a few things and I was a good song writer.  Fast forward to 2017, and I definitely don't play anywhere near as much as I used to.  This has a lot to do with the fact that I don't smoke weed anymore and I don't play in a band anymore.  No big deal.

Well, a couple of weeks ago, I took it upon myself to make a declaration that I wanted to get back into playing, writing, composing, and most specifically, learning Jazz Piano.  So for the last couple of weeks, I've gone back to basics.  I dusted off one of the old Jazz Blues piano books I bought years ago, and started practicing scales, like I didn't know anything -- because I really don't.  I don't know my scales like I should, I don't know the flat majors, or the minor scales, and it's limiting.  These are the absolutely basic building blocks for improvisation and advanced chord building.  This is where I need to focus.  The difference is, I have a level of familiarity and dexterity that will assist me in constant improvement because I've been playing for fun, for so long.  This is why I'm not afraid to start all over again.

With that being said, I can understand why some people are natural programmers and some just don't have the patience to sit down and learn it.  Honestly, if I hadn't been playing piano for the last 10 years, I doubt I would have the patience to sit down and learn the basic scales to eventually get to the point where I can improvise jazz scales and progressions.  The only reason I think I can get to that point is because I have a self-taught skillset (and confidence) that leads me to believe I can actually get to that point.

In a lot of ways, learning programming is the exact same thing.  You start out with the most simple examples: learning syntax, input and output, simple OOP concepts, file R/W, etc., and unless you can see the full picture of how everything will eventually fit together, it becomes monotonous, tedious, and frankly, boring.  How could these seemingly pointless concepts ever come together to allow you to create that game you've been thinking about for the last 4 years?  How is the ability to write text to a screen going to help you build that app you know will make you some extra money if you ever could just whip it together?  It takes A LOT of time, dedication, and future-thinking to stick to it enough to get to the point where you can turn an idea into a program.  The similarities with jazz improvisation are uncanny.

I started programming at such a young age, it was always borderline second nature to me.  I developed that skill of abstract conception and application very early.  I don't often think about how a concept or learned skill is developed in the brain, but I understand that when something new is learned and developed, the brain builds new neural pathways, which become a part of how you generally think and operate.  This is why programming has always come easy to me.  This is why it has always been easy for me to pick up new programming concepts.  The neural pathways and building blocks have been there since I was 12.

A lot of people want to learn how to program like I want to learn how to play jazz music, only I have experience in playing piano -- not jazz -- just self-taught piano.  I understand the big picture of things and most of all I understand that practice is the only way to improve.  Where does the satisfaction come from with regard to practicing programming every day?  What about practicing piano every day?  The motivation has to be deep-seated.  It has to stem from some deep psychological impulse that gives you and your mind something you crave.  For me, it's the ability to create.

My primary motivation is the desire to turn my thoughts, and what I hear, into reality -- something I can share with the world.  Almost everything I do is rooted in that fundamental aspect.  This is probably why I'm constantly at odds with programming versus pentesting.  Pentesting is a lucrative skill, but it doesn't give me what I need because I'm not a criminal.  Programming, at its core is an ability to create anything, without real world limitations and that's true power.  Pentesting is the ability to manipulate the world that has been created by programmers.  Cool, but not all-powerful.  Piano, and ultimately jazz-piano is creation by pure expression; or rather the ability to communicate through an entirely universal medium.  That's not power, that's just plain cool.

Finding Non-Ascii Characters in Python Code
cmdjunkie
Ran across this error developing my python based pentest wrapper:

"SyntaxError: Non-ASCII character '\xe2' in file Discovery.py on line 74, but no encoding declared; see http://www.python.org/peps/pep-0263.html for details"


To locate the error, I cycled through the code to locate the byte and single it out.

>>> with open("ops.py") as fp:
...     for i, line in enumerate(fp):
...         if "\xe2" in line:
...             print i, repr(line)
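A Python 3 version of the same search, added here as an example (it is not the author's code): it scans the raw bytes of a file, reports the 1-based line number the SyntaxError uses plus the byte offset within the line, and names the character that the offending byte begins.  The 0xE2 in the message above is the first byte of every UTF-8 sequence for U+2000 to U+2FFF, the block holding the curly quotes and dashes that arrive when code is pasted from a web page or a word processor.  The sample bytes below are constructed.

```python
"""Find non-ASCII bytes in source files (added example, Python 3, not from the post).

Works on raw bytes so it reports exactly what the Python 2 parser tripped over,
then decodes the surrounding UTF-8 sequence to name the character.
"""
import sys
import unicodedata


def find_non_ascii(data):
    """Return a list of (line_no, col, byte_value, description) tuples.

    line_no is 1-based like the SyntaxError message; col is the 0-based byte
    offset within the line.  A multi-byte UTF-8 character is reported once, at
    its lead byte, which is the byte Python 2 names in its error message.
    """
    hits = []
    for line_no, raw in enumerate(data.splitlines(), start=1):
        col = 0
        while col < len(raw):
            b = raw[col]
            if b < 0x80:
                col += 1
                continue
            # Sequence length follows from the lead byte's bit pattern.
            if 0xC2 <= b <= 0xDF:
                width = 2
            elif 0xE0 <= b <= 0xEF:
                width = 3
            elif 0xF0 <= b <= 0xF4:
                width = 4
            else:
                width = 1  # stray continuation byte or invalid lead byte
            chunk = raw[col:col + width]
            try:
                ch = chunk.decode("utf-8")
                desc = "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNKNOWN"))
            except UnicodeDecodeError:
                desc = "invalid UTF-8"
            hits.append((line_no, col, b, desc))
            col += width
    return hits


def scan_file(path):
    """Read a file as bytes (no decoding) and return find_non_ascii() on it."""
    with open(path, "rb") as fp:
        return find_non_ascii(fp.read())


# Constructed sample: a curly apostrophe on line 2 and an e-acute on line 3.
SAMPLE = b'x = 1\n# don\xe2\x80\x99t break\ny = "caf\xc3\xa9"\n'

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for line_no, col, b, desc in scan_file(path):
            print("%s:%d:%d: byte 0x%02x (%s)" % (path, line_no, col, b, desc))
```

Run it as `python3 find_non_ascii.py Discovery.py` (script name assumed) and each hit prints as file:line:col with the byte and the character name, so a pasted U+2019 RIGHT SINGLE QUOTATION MARK is obvious at a glance rather than an anonymous '\xe2'.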




Mastery and the Ultimate Cost
cmdjunkie
I literally just strapped on my old rollerblades and went for a skate around my complex -- at 11:00 at night.  Yes, I'm a little crazy, but I have to admit, it felt good.  It was obvious I spend entirely too much time sitting, as my core, hips, quads, and glutes were stressing halfway through the first lap.  I powered through however and did two laps total, and was rather pleased with myself for not bailing once.

Maybe I've explored this idea before, maybe I haven't, but I have to touch upon the fact that mastering the craft of pentesting as well as software development, takes a toll on the body because of the sedentary lifestyle.  I've read numerous studies about what sitting all day does to someone and I'll be the first to admit I'm one of those hapless victims.

I'm coming up on my mid thirties and fuuuuuck, I'm a lazy bastard.  I genuinely do not like going to the gym.  I hate lifting weights, and I don't like to sweat.  Nerdcore son.  Sure, I played sports when I was a teenager, but that was a long time ago.  Besides, by the time I was old enough to cash in on being athletic in my youth, I rebelled, started hacking, smoking weed, and hitting up the skatepark on the daily.  Anyway, fast forward a couple of years and I've honed my techno hobby into a full blown career and I don't have an inkling of discipline to keep my body in good shape.  hahaha.

I recognize that continuing down this road in the pursuit of software and security mastery can only result in the complete degradation of my core and body overall.  There's no end to it.  If I'm going to spend as much time as I do in front of a couple of computers, I have to find time to exercise.

As I was barely making it up the three flights of stairs to my front door, I realized that I've only ever done things that I deem fun or stimulating.  Everything else is boring to me -- and it always has been.  I look at my career and I recognize that I became a pentester because pentesting is fun and challenging.  Software development is also fun and challenging.  I play music because it's fun and stimulating.  And truth be told, working out in a gym is not fun.  Running a marathon (and training for a marathon) is not fun.  Lifting weights? Nope.  Rowing.  Fuck that.  I'm convinced getting back on the blades may be the best idea I've had in a while with regard to my overall health and well-being.

With that being said, I ordered some new books -- one of which was supposed to come out Monday, but it got delayed for some reason:
Good shit.  I should get them by Friday... for that sweet, geek, weekend literature.  Ohhh yeah.  

PMPNNN -- Pimpin' Essentials (Tools of the Trade)
cmdjunkie
Pentesting, like security, is such a broad discipline that it's hard to know what to focus on with regard to constant improvement.  There are so many tools, tips and tricks out there that it's hard not only to keep abreast of it all, but even harder to organize and maintain a level of mastery with everything that's available to us.

Personally, I'm a big fan of sports, and I feel as though pentesting could (and should) be thought of as a modern day sport.  The reason why it's so hard to pin down competitively, is because the "game" itself doesn't really have any rules; and without rules it's hard to practice.   Pentesters should move fast, period.  There should be a mastery of tool use that's essentially an extension of thought.  With this in mind, pentesters should rely on a small selection of highly adaptable and capable tools and learn every single aspect of what they can do, and how they can use them.

It rings true that mastery of a handful of tools is better than familiarity with a wide range of tools.  I'm not saying don't learn other tools, that's expected; I'm saying that mastery of the tools below, in combination with other tools, is all you need.

Behold, the essentials.  The essentials are what I like to think are the absolute necessities when it comes to the craft.  These are the tools of the trade, and one need only know these essentials to be considered a player in the game.

  • Metasploit

  • Nmap/NSE

  • PSexec (and its multiple variants)

  • Netcat

  • Python

  • Native Tools and Commands

PMPNNN (Pimpin) Python, Metasploit, Psexec, Nmap, Netcat, Native

Metasploit mastery is an absolute necessity.  The tool has so many useful capabilities, it really only takes a couple of minutes playing with it to realize how powerful it is.  It has features to perform every step of the pentesting phase: recon, enumeration, exploitation, post-exploitation, and more.  It can help in producing exploits, droppers, malicious files, DLL's, all that crap.  It's important to remember that metasploit is a pentester's tool, not a cyber criminal's tool.  It's not that useful for committing cyber crime because security vendors are well aware of what it can do, and its signatures.  Cyber criminals discover their own vulnerabilities and write their own exploits -- most are 0days.  That is not the key here.  Pentesting is about moving quickly and the better one knows metasploit, its capabilities, and how to use them, the better.

Nmap/NSE is all you really need for discovery, recon, and enumeration (and even some exploitation).  As a player, running a one-line nmap scan is just not enough.  Sure it helps when learning, or trying something new, but during an engagement, NMAP scans should be already predetermined, included in a script, and ripe and ready for parsing and analysis.  NSE is even more robust as the key to mastery here is not only knowing how to use the available scripts (and searching for new scripts on the web), but how to write your own scripts.  Again, pentesting is about speed, and NSE supports this with the ability to perform a plethora of nmap capability quickly and efficiently.

PSExec is a SysInternals tool that's been around for a while.  It allows you to execute code on a remote machine.  Again, it allows you to execute code on a remote machine.  One more time, it allows you to execute code on a remote machine.  Yes.  Talk about useful in a pentest.  The best part about PSExec is it's got many variants that all have their own strengths and weaknesses.  The only downside to PSExec is you need to have valid credentials to make things happen.  This is a good thing however, as credentials should be the first thing you're after once you pop a system.  Once you have a set of credentials, using service-based exploits is pointless.  In fact, Skoudis' Pentesters Pledge addresses this directly:

    "I, cmdjunkie, do hereby pledge to use PSEXEC to exploit Windows target machines, after I
    have gained admin credentials and SMB access of the target environment.  I shall forsake other
    service-side exploits thereafter.  Otherwise, I unnecessarily risk crashing target systems"

Netcat is the bomb.  It's the first "hacker" tool I learned how to use, way back in 1999.  Netcat is known as the swiss army knife of networking and that's actually not even close to an accurate description.  Netcat can do so many things; unfortunately most AV systems detect it as malicious or as a hacker tool.  This doesn't mean you shouldn't learn the ins and outs of it, it means don't use it as a janky backdoor.  By all means, ensure you know how to redirect traffic, exchange files, set up a proxy, port scan, access an open port, and all the other awesome stuff that netcat can do.

Python.  Ah, python.  My favorite computer language by far.  Python is now known as a hacker's language and it's for good reason.  Python is versatile, dynamic, object-oriented, platform independent, and just plain badass.  Don't let anyone tell you otherwise.  Python can be used for absolutely everything.  All of the tools listed above can be enhanced when combined with Python, and that's an understatement.  As a programming language, the possibilities are only limited by your imagination, but as a hacker's tool, the language can't be beat.  Don't fuck around and learn Perl.  Fuck Perl.  Don't fuck around with those bloated M$ languages (except Powershell, which deserves an honorable mention).  Just learn C and Python and you're good.

And finally, Native Tools and Commands.  What I mean by Native Tools and Commands is knowing and learning how to navigate/perform administration on a system using just the command line.  That's right bitches.  CLI4Ever.  Forget the GUI.  The GUI's for chumps.  So are GUI based tools.  Remember back in college when you took your C++ course and all you created were Command-based tools, yup, that's all the fuck you need up this bitch.  Learn how to configure a system's settings, get, set, etc.  Learn how to create and delete user accounts.  How to activate networking features, and download files from the web.  Learn how to access other systems from the CLI.  Use only Native commands -- the more clever you are the better.  Most if not all systems have a console interface, so learn it.  Learn how to navigate the filesystem and search for files by name and content.  Learn how to read and review system logs.  Stay away from GUI's.  They're always changing and you'll always find yourself poking around looking for some dumbshit.  But the console doesn't change.  It hasn't changed in like 30 years.

---

Using these tools, every phase of the pentesting process can not only be performed, but automated and operationalized.  Combining these tools can produce amazing results.  Sure there are plenty of tools out there that can do some cool shit, but do you have time to learn a new tool?  Fuck that noise.  Think about it this way.  A cowboy carries three guns on him at the most.  One on each side, and one in/around his boot or ankle.  How effective is a cowboy with 12 guns hanging off of his belt?  He'd have trouble deciding which one to use at any given time.  That equates to death.  Draw! Bang Bang!!

When I took CEH training I coined an acronym to remind me of the pentesting process; REAMC.

Recon
Enumeration
Access/Exploitation
Maintaining Access
Cover Tracks

All items mentioned in this post can be used at every phase of the pentest process.  The act of improvement is using these tools in a creative manner to not only perform these phases but to maximize results.  The combination of these tools can do that, and produce the information needed to not only improve the efficiency and efficacy of a pentest but to also aid in producing the report.  This is what it's all about.  My new pentest blog will focus strictly on maximizing the use of these tools to play the game.
