the Pleb

I have been thinking about, and working on, some really great technical posts. However, as I write them, I have been noticing that it is really straining the design of this blog. I did not feel as if the code and security tricks that I like to write about were being presented clearly enough. So I have been working on a complete redesign of the blog, no templates, just designed by me from the ground up. The advantage of this is that I can get exactly the look and feel that I envision for my content. Spoiler: site chrome is kept to a minimum. I will have nobody to blame but myself if I do not like something about it. The disadvantage is that I will most likely be leaving tumblr, which, while it has its faults, has been a great platform that really delivers on the premise of frictionless blogging. The other disadvantage is there has been something of a halt in posting (nothing new to longtime followers, I am sure you just assumed I was going into hibernation again). Besides, who wants to read my take on flame, the malware that has been all the buzz lately, or the backdoor that probably was not put in a chip that may or may not have been used by the military maliciously by China.

And the crowd goes wild!

Skipfish is a round one web application scanning tool. There has been some buzz around it lately, so I thought to provide some details for people wanting to check it out, see what is new. It is provided by Google. Say what you like about their privacy policy, as long as they keep paying Michal Zelewski to develop skipfish, they are alright in my book. We run it on OSX, well, because. Other considerations for this sort of tier one web application analysis: nikto, arachni, w3af. Personally, I have used nikto a lot in the past.

I wanted to run through a quick install process and first scan just to familiarize people with it. First off we want to use brew to install, otherwise we will have to do all those boring dependency checks ourselves1. First off I checked that brew had the latest version (skipfish updates once or twice a month minimum). It didn't. So let's edit it to get the latest version.

brew edit skipfish

If you have brew configured correctly, it should popup the install instructions in your text editor of choice. We are concerned with two lines. First up is the URL. At the time of writing skipfish latest was at 2.06b. Edit the file to reflect this as shown.

url 'http://skipfish.googlecode.com/files/skipfish-2.06b.tgz'

Now of course we will have to change the checksum as well. You can calculate2 it if you like, I did not see it available on the Google Code page. If you trust me, here it is, copy and paste it into the the appropriate field.

301f3f209ddf57dd7103a61256f62afa

Ready to go, install Skipfish with Brew as normal:

brew install skipfish

Skipfish has lots of features centered around dictionaries, which are very snazzy. Dictionary brute-force, listing potential sub-directories, etc. However, you don't really need to mess with them just to try it out. Here is a scan that will tell skipfish to just run without all that nonsense. If you don't give it either the skip option or a wordlist file to use, it will just error out.

skipfish -o test-dir -L -W- http://example.com/

Away you go! -L: Tells it not to auto-learn new words from the site. -W-: redirects learned words to /dev/null. -o test-dir: tells it to output the results into a specific directory. No need to create the directory beforehand. You should specify a directory for the output results, they are kinda messy with lots of little files in the root. It will display a nice little message for you when it starts off.

And then kicks into a nice little status screen while it runs. Pressing enter will change it to a list of URLs as it scans them, if you want to watch that. Finally it tells you it is done. It has been a great day for science indeed!

You can then cd into your results directory and run this to open the results:

open index.html

Wonderful. Now you can install, scan, and view the results of the skipfish scanner.

Why Skipfish

There are a few great things about skipfish that really recommend it as a starting point tool. If we dig into the results a little we can see exactly what makes them so useful. We first have the generic high, medium, low type of thing. That is all well and good, and seems to compare pretty well out of the box. About middle of the road3. Two things really stand out when using skipfish though, and they both have to do with what you do after you have run the scan. First, you may have noticed in the terminal notifications when skipfish has finished that it generates a file called 'pivots.txt'. This is a great file to feed into other scanners/sniffers/tools. It has all the URLs that skipfish found, ready to go. Check it out. The second thing is the 'Interesting Files' portion of the scan report. This points to swfs, pdfs, scripts, source code disclosures, that any decent pen tester would certainly want to check out.

All neatly arranged in one dropdown. Thanks, Skipfish!

Extra Fun

Just for fun we can do a little toe-dipping into some more advanced options that you may want to tweak. Here is an example of running against something fairly local, with the options set to be fairly aggressive so it runs faster. You should create a blank word list file for every scan, skipfish leverages this to do some of its brute-forcing, etc. Disclaimer: settings might fail spectacularly if you try to run against something in China. Try the defaults first.

touch bts.wl skipfish -g 100 -f 25 -t 5 -o example-results -W bts.wl -S minimal.wl -b ie http://www.example.com/

-g: maximum TCP connections, normally 40, tweaked to 100. Don't go above 5 probably if you are scanning production systems, because of DDoS concerns.

-f: allowed failures, normally 100, cranked down to 25. If I get more than 25 failures running locally, something else is wrong and I want to know it fast.

-t: total request timeout, normally 20, I want it to be 5. See above.

-W: Specify the blank word list file

-S: Specify a pre-populated file to use when brute-forcing passwords, etc. Larger files here mean longer scan times.

-b ie: pretend to be Internet Explorer. Because its funny.

That should pretty much get you started, all the options available are explained with skipfish -h. Some of the things you can look forward to in there: specifying cookies, html authentication parameters, and hard finish times (for those overnight jobs).

Not actually as hard as you might think. I was only missing one dependency when I tested it (for the sake of science), and it was relatively painless. If you don't brew. Which you should. ↩︎

md5 -r skipfish-2.06b.tgz > tmpsum.txt  ↩︎

Ed Skoudis

I love reading about stuff like this.

Some time ago a friend asked in a private mailing list about possible ways to embed a shellcode in one executable file (PE) and ways to bypass AV detection. I recommended him to use any Windows supplied PE file (or any other 'goodware' PE file) and patching some "always called function" with the shellcode. It turned out to be one of the many possible AV evasion techniques that seems to work in many cases.

> A simple question.  "Can you build a trusted cloud environment?" If you're following the binary school of thinking, and trust is absolute one way or the other, and you're forced to admit that everything is fallible, then the answer is no.

What I have learned or attempted to learn in school this week.

The conjugate gradient method of matrix multiplication in a parallel setting

The first and second factorial moments of exponential distributions

How to make DB2 calls in COBOL on a mainframe running z/OS

Bruce Schneier