Grey bar Blue bar
Share this:

Tue, 5 Aug 2014

SensePost partners with Paterva to offer improved security intelligence

SENSEPOST PNG on clear
We've been big fans of Maltego and the team at Paterva for a very long time now, and we frequently use this powerful tool for all kinds of fun and interesting stuff, like

We go way back with Andrew and Roelof, who was in fact a founder of SensePost, so today we're super excited to be able to announce a new, strengthened partnership with them under which we have been accredited as an Approved Maltego Solutions Provider. Basically this means the that with Paterva's help we plan to use the powerful Maltego toolset to become better at our job - that is to provide information and information systems to our customer with which they can make sound security decisions. Here's the official news:
SensePost today is proud to announce the completion of a contract that will see the company recognized as the world's first “Approved Maltego Solution Provider” (AMSP) and the exclusive provider of this kind in the UK and Southern Africa.


SensePost was founded in 2000 and has developed into one of the worlds leading Information Security Services companies with offices in London, Cape Town and Pretoria. As trusted advisors it has always been our mission to provide our customers with insight, information and systems to enable them to make strong decisions about Information Security that support their business performance. Whilst this mission has traditionally expressed itself in technical security analysis services like Vulnerability Assessment and Penetration Testing we recognise that the threat landscape is constantly changing and that new and more complex realities necessitate the use of sophisticated new skills, tools and techniques with which to support our clients.


“This strategic alliance perfectly fits the ‘Assess-Detect-Protect-Respond' framework that drives the way we design, sell and deliver our service. It's the perfect evolution of our growing services offering.” says Etienne Greef, CEO of the SensePost group holding company SecureData, who's strategy is at the core of this new initiative.


‘Maltego', built by Paterva, is a powerful suite of software tools used for data mining, link analysis and data visualization, giving the user the ability to extract large volumes of data from diverse sources and then analyze it to understand the patterns and relationships it reveals. In the modern digital age these techniques are used to convert data into information and thereby extract concrete value that can be used for effective decision-making.


Maltego is a highly regarded and popular platform used extensively in Open Source Intelligence Gathering, Infrastructure Analysis for Penetration Testing, Cyber Attack Analysis, Fraud Detection and Investigation, Security Intelligence, Information Security Management, Research and more.


This partnership between SensePost and Paterva (who produce the Maltego software) builds on the companies' shared roots and intellectual heritage and will allow both companies to serve their customers and fulfil their respective missions better.


As an AMSP SensePost will be authorised to provide integration, consulting, support and training for the Maltego tools with full endorsement, support and assistance directly from Paterva. This new capability, combined with an existing wealth of information security skills and experience, uniquely positions SensePost to advise and support clients seeking to exploit the unique strategic advantage the Maltego toolset can offer.


More information on our services and capabilities in this space will follow with our official "launch" in a few weeks time. In the mean, here's a brief summary of our new offering.

Thu, 19 Jun 2014

Release the hounds! Snoopy 2.0

theHounds
Friday the 13th seemed like as good a date as any to release Snoopy 2.0 (aka snoopy-ng). For those in a rush, you can download the source from GitHub, follow the README.md file, and ask for help on this mailing list. For those who want a bit more information, keep reading.

What is Snoopy?


Snoopy is a distributed, sensor, data collection, interception, analysis, and visualization framework. It is written in a modular format, allowing for the collection of arbitrary signals from various devices via Python plugins.


It was originally released as a PoC at 44Con 2012, but this version is a complete re-write, is 99% Python, modular, and just feels better. The 'modularity' is possibly the most important improvement, for reasons which will become apparent shortly.


Tell me more!


We've presented our ongoing work with snoopy at a bunch of conferences under the title 'The Machines that Betrayed Their Masters'. The general synopsis of this research is that we all carry devices with us that emit wireless signals that could be used to:

  • Uniquely identify the device / collection of devices

  • Discover information about the owner (you!)


This new version of snoopy extends this into other areas of RFID such as; Wi-Fi, Bluetooth, GSM, NFC, RFID, ZigBee, etc. The modular design allows each of these to be implemented as a python module. If you can write Python code to interface with a tech, you can slot it into a snoopy-ng plugin.


We've also made it much easier to run Snoopy by itself, rather than requiring a server to sync to as the previous version did. However, Snoopy is still a distributed framework and allows the deployment of numerous Snoopy devices over some large area, having them all sync their data back to one central server (or numerous hops through multiple devices and/or servers). We've been working on other protocols for data synchronisation too - such as XBee. The diagram below illustrates one possible setup:


Architecture Diagram

OK - but how do I use it?


I thought you'd never ask! It's fairly straight forward.

Hardware Requirements


Snoopy should run on most modern computers capable of running Linux, with the appropriate physical adapters for the protocols you're interested in. We've tested it on:

  • Laptop

  • Nokia N900 (with some effort)

  • Raspberry Pi (SnooPi!)

  • BeagleBone Black (BeagleSnoop!)


In terms of hardware peripherals, we've been experimenting with the following:
TechnologyHardwareRange
Wi-FiAWUS 036H100m
BluetoothUbertooth50m
ZigBeeDigi Xbee1km to 80kms
GSMRTL2832U SDR35kms
RFIDRFidler15cm
NFCACR122U10cm


The distances can be increased with appropriate antennas. More on that in a later blog post.

Software Requirements


Essentially a Linux environment is required, but of more importance are the dependencies. These are mostly Python packages. We've tested Snoopy on Kali 1.x, and Ubuntu 12.04 LTS. We managed to get it working on Maemo (N900) too. We're investigating getting it running on OpenWRT/ddWRT. Please let us know if you have success.

Installation


It should be as simple as:
git clone https://github.com/sensepost/snoopy-ng.git
cd snoopy-ng
bash ./install.sh

Usage


Run Snoopy with the command 'snoopy', and accept the License Agreement. We'd recommend you refer to the README.md file for more information, but here are a few examples to get you going:


1. To save data from the wireless, sysinfo, and heartbeat plugins locally:

snoopy -v -m wifi:iface=wlanX,mon=True -m sysinfo -m heartbeat -d <drone name> -l <location name>

2. To sync data from a client to a server:


Server:

snoopy_auth --create <drone name> # Create account
snoopy -v -m server # Start server plugin

Client:
snoopy -v -m wifi:iface=mon0 -s http://<server hostname>:9001/ -d <drone name> -l <location name> -k

Data Visualization


Maltego is the preferred tool to perform visualisation, and where the beauty of Snoopy is revealed. See the README.md for instructions on how to use it.

I heard Snoopy can fly?


You heard right! Well, almost right. He's more of a passenger on a UAV:



There sure is a lot of stunt hacking in the media these days, with people taking existing hacks and duct-taping them to a cheap drone for media attention. We were concerned to see stories on snoopy airborne take on some of this as the message worked its way though the media. What's the benefit of having Snoopy airborne, then? We can think of a few reasons:


  1. Speed: We can canvas a large area very quickly (many square kilometres)

  2. Stealth: At 80m altitude the UAV is out of visual/audible range

  3. Security: It's possible to bypass physical security barriers (walls, men with guns, dogs)

  4. TTL (Tag, Track, Locate): It's possible to search for a known signature, and follow it


We're exploring the aerial route a whole lot. Look out for our DefCon talk in August for more details.

Commercial Use


The license under which Snoopy is released forbids gaining financially from its use (see LICENSE.txt). We have a separate license available for commercial use, which includes extra functionality such as:

  • Syncing data via XBee

  • Advanced plugins

  • Extra/custom transforms

  • Web interface

  • Prebuilt drones


Get in contact (glenn@sensepost.com / research@sensepost.com) if you'd like to engage with us.

Fri, 13 Jun 2014

Using Maltego to explore threat & vulnerability data

This blog post is about the process we went through trying to better interpret the masses of scan results that automated vulnerability scanners and centralised logging systems produce. A good example of the value in getting actionable items out of this data is the recent Target compromise. Their scanning solutions detected the threat that lead to their compromise, but no humans intervened. It's suspected that too many security alerts were being generated on a regular basis to act upon.


The goal of our experiment was to steer away from the usual data interrogation questions of "What are the top N vulnerabilities my scanner has flagged with a high threat?" towards questions like "For how many of my vulnerabilities do public exploits exist?". Near the end of this exercise we stumbled across this BSides talk "Stop Fixing All The Things". Theses researchers took a similar view-point: "As security practitioners, we care about which vulnerabilities matter". Their blog post and video are definitely worth having a look at.


At SensePost we have a Managed Vulnerability Scanning service (MVS). It incorporates numerous scanning agents (e.g. Nessus, Nmap, Netsparker and a few others), and exposes an API to interact with the results. This was our starting point to explore threat related data. We could then couple this data with remote data sources (e.g. CVE data, exploit-db.com data).


We chose to use Maltego to explore the data as it's an incredibly powerful data exploration and visualisation tool, and writing transforms is straight forward. If you'd like to know more about Maltego here are some useful references:


What we ended up building were:

  • Transforms to explore our MVS data

  • A CVE / exploit-db.com API engine

  • Transforms to correlate between scanner data and the created APIs

  • Maltego Machines to combine our transforms


So far our API is able to query a database populated from CVE XML files and data from www.exploit-db.com (they were kind enough to give us access to their CVE inclusive data set). It's a standalone Python program that pulls down the XML files, populates a local database, and then exposes a REST API. We're working on incorporating other sources - threat feeds, other logging/scanning systems. Let us know if you have any ideas. Here's the API in action:


Parsing CVE XML data and exposing REST API
Parsing CVE XML data and exposing REST API


Querying a CVE. We see 4 public exploits are available.
Querying a CVE. We see 4 public exploits are available.


It's also worth noting that for the demonstrations that follow we've obscured our clients' names by applying a salted 'human readable hash' to their names. A side effect is that you'll notice some rather humorous entries in the images and videos that follow.


Jumping into the interesting results, these are some of the tasks that we can perform:


  • Show me all hosts that have a critical vulnerability within the last 30 days

  • Show me vulnerable hosts for which public exploit code exists

  • Show me all hosts for which a vulnerability exists that has the word 'jmx-console' in the description

  • Show me all hosts on in my DMZ that have port 443 open

  • Given a discovered vulnerability on a host, show me all other hosts with the same vulnerability

  • Show me a single diagram depicting every MVS client, weighted by the threat of all scans within the last week

  • Show me a single diagram depicting every MVS client, weighted by the availability of public exploit code

  • Given a CPE, show me all hosts that match it


Clicking the links in the above scenarios will display a screenshot of a solution. Additionally, two video demonstrations with dialog are below.


Retrieving all recent vulnerabilities for a client 'Bravo Tango', and checking one of them to see if there's public exploit code available.
Retrieving all recent vulnerabilities for a client 'Bravo Tango', and checking one of them to see if there's public exploit code available.


Exploring which clients/hosts have which ports open
Exploring which clients/hosts have which ports open


In summary, building 'clever tools' that allow you to combine human insight can be powerful. An experiences analyst with the ability to ask the right questions, and building tools that allows answers to be easily extracted, yields actionable tasks in less time. We're going to start using this approach internally to find new ways to explore the vulnerability data sets of our scanning clients and see how it goes.


In the future, we're working on incorporating other data sources (e.g. LogRhythm, Skybox). We're also upgrading our MVS API - you'll notice a lot of the Maltego queries are cumbersome and slow due to its current linear exploration approach.


The source code for the API, the somewhat PoC Maltego transforms, and the MVS (BroadView) API can be downloaded from our GitHub page, and the MVS API from here. You'll need a paid subscription to incorporate the exploit-db.com data, but it's an initiative definitely worth supporting with a very fair pricing model. They do put significant effort in correlating CVEs. See this page for more information.


Do get in touch with us (or comment below) if you'd like to know more about the technical details, chat about the API (or expand on it), if this is a solution you'd like to deploy, or if you'd just like to say "Hi".

Mon, 7 Apr 2014

SenseCon 2014

L1000617
What originally started as one of those "hey, wouldn't this be cool?" ideas, has blossomed into a yearly event for us at SensePost. SenseCon is a time for all of us to descend on South Africa and spend a week, learning/hacking/tinkering/breaking/building, together and in person.


A few years ago we made the difficult, and sometimes painful, shift to enable remote working in preparation for the opening of our UK and Cape Town offices. Some of you probably think this is a no-brainer, but the benefit of being in the same room as your fellow hackers can't be overlooked. Being able to call everyone over to view an epic hack, or to ask for a hand when stuck is something tools like Skype fail to provide. We've put a lot of time into getting the tech and processes in place to give us the "hackers in the same room" feel, but this needs to be backed with some IRL interaction too.


People outside of our industry seem to think of "technical" people as the opposite of "creative" people. However, anyone who's slung even a small amount of code, or even dabbled in hacking will know this isn't true. We give our analysts "20% time" each month to give that creativity an outlet (or to let on-project creativity get developed further). This is part of the intention of SenseCon: a week of space and time for intense learning, building, and just plain tinkering without the stresses of report deadlines or anything else.


But, ideas need input, so we try to organise someone to teach us new tricks. This year that was done by Schalk from House 4 Hack (these guys rocks) who gave us some electronic and Arduino skills and some other internal trainings. Also, there's something about an all-nighter that drives creativity, so much so that some Plakkers used to make sure they did one at least once a month. We use our hackathon for that.


Our hackathon's setup is similar to others - you get to pitch an idea, see if you can get two other team mates on board, and have 24 hours to complete it. We had some coolness come out of this last year and I was looking forward to seeing what everyone would come up with this time round.


L1000662


Copious amounts of energy drinks, snacks, biltong and chocolates were on supply and it started after dinner together. The agreed projects were are listed below, with some vagueness, since this was internal after all :)


  • pORTAL anonymous comms device - Sam & Dr Frans


Getting a modified version of Grug's pORTAL device working on a Beagle Bone and Rasperry Pi for us to use while traveling.

  • Video Conferencing - Craig and Marc


For video conferencing we normally use a combination of Skype, Go-To-Meeting, Google hangouts, or a page long gstreamer command piped over a netcat tunnel (I'm not kidding). Craig and Marc built an internal video conferencing solution with some other internal comms tools on the side.

  • SensePost Radar - Keiran and Dane


SensePost Radar
SensePost Radar


Keiran and Dane put our office discone antenna to good use and implemented some SDR-fu to pick up aeroplane transponder signals and decode them. They didn't find MH370, but we now have a cool plane tracker for SP.


  • WiFi Death Flag - Charl


Charl, so incredibly happy!!
Charl, so incredibly happy!!


Using wifi-deauth packets can be useful if you want to knock a station (or several) off a wifi network. Say you wanted to prevent some cheap wifi cams from picking you up ... Doing this right can get complicated when you're sitting a few km's away with a yagi and some binoculars. Charl got an arduino to raise a flag when it was successfully deauthed, and lower it when connectivity is restored for use in a wifi-shootout game.


  • Burp Collaboration tool - Jurgens, Johan & Willem


Inspired by Maltego Teeth, Jurgens set about building a way to have multiple analysts collaborate on one Burp session using a secure Jabber transport. He and Johan got this working well, and we will be releasing it and several other Burp apps during the ITWeb Security Summit in Johannesburg in May.

  • How to Pwn a Country - Panda and Sara


YMCA pwnage
YMCA pwnage


Panda (Jeremy) and Sara ended up building local Maltego transforms that would allow mass/rapid scanning of large netblocks so you can quickly zoom in on the most vulnerable boxes. No countries were harmed in the making of this.


  • Bender - Vladislav


While doing client-side engagements, we realised we needed our own payload to help us to better move from spear-phish to persistent internal network access. Earlier in the year, Vlad put our hacks into a professional SensePost beaconing payload he called Bender. During the hackathon he extended its capability in some key areas.

  • Oh-day stuffs - Georg and Etienne


He likes his ice-cream
He likes his ice-cream


gcp and et decided on some good ol'fashioned fuzz-n-find bug hunting on a commercial mail platform, and websense. Along the way they learned some interesting lessons in how not to fuzz, but in the end found some coolness.


  • 3d Printer - Rogan


Rogan finally got around to putting his 3D printer together! He hasn't printed an SP logo yet, but we're assuming this is the most logical first print.

  • Rogue AP - Dominic & Ian


In preparation for our BlackHat submission, singe and ian spent some time researching our new wifi attacks. This resulted in a key new finding and implementation of their new KARMA rogue-ap attack.

  • The challenge - Daniel


I too had to show that I still had tech skills (not all spreadsheeting you know) and created a challenge to send our peeps down the rabbit hole while pushing their skills but also awaken some old school hacking approaches.


L1000686


The hackathon went gangbusters; most of the team went through the night and into the morning (I didn't, getting old and crashed at 2am). Returning that morning to see everyone still hacking away on their projects (and a few hacking away on their snoring) was amazing.


Once the 24-hours was up, many left the office to grab a shower and refresh before having to present to the entire company later on that afternoon.


Overall this years SenseCon was a great success. Some cool projects/ideas were born, a good time was had AND we even made Charl feel young again. As the kids would say, #winning


 


 


 


 

Wed, 12 Feb 2014

RAT-a-tat-tat

Hey all,


So following on from my talk (slides, video) I am releasing the NMAP service probes and the Poison Ivy NSE script as well as the DarkComet config extractor.



An example of finding and extracting Camellia key from live Poison Ivy C2's:
nmap -sV -Pn --versiondb=nmap-service-probes.pi --script=poison-ivy.nse <ip_address/range)
Finding Poison Ivy, DarkComet and/or Xtreme RAT C2's:
nmap -sV -Pn --versiondb=nmap-service-probes.pi <ip_range>


If you have any questions, please contact research@sensepost.com
Cheers