Quick Tip on E-mail Gathering

Here’s a quick tip for when you don’t have search engine API keys, theHarvester doesn’t work, and Burp Suite fails to grab all the e-mail addresses from the search engine results.

  1. Search for @example.com on Google
  2. Go to last page of results and click “repeat search with the omitted results included”
  3. Go through each page of results, select all, save as a plain text document (results1.txt, results2.txt, etc)
  4. Run grep -E -o "\b[A-Za-z0-9._%+-]+@example.com\b" results*.txt

This method, although manual and time consuming, avoids having to deal with HTML and obfuscation tricks and instead allows you to work with plain text.

This should work for other search engines as well.

Another pro tip: disable instant results and infinite scrolling deal, and set number of results per page to maximum allowed.
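
Added example, not part of the original post: a Python equivalent of the grep in step 4 that can be run over the saved results*.txt files. The sample text and the function names are mine. It goes a little beyond the one-liner: the dot in the domain is escaped (so `example.com` does not also match `examplexcom`), look-alike domains such as `example.com.au` are refused (a plain word boundary after "com" accepts them), and addresses are lower-cased before de-duplication.

```python
import glob
import re

# Constructed sample of what a saved, plain-text search-results page might hold.
SAMPLE_RESULTS = """\
Contact: Alice.Smith@example.com - Example Corp
Mirror: bob@example.com.au (a different domain, must not match)
bob@example.com, BOB@EXAMPLE.COM
support@examplexcom (an unescaped '.' would match this)
jdoe@sub.example.com (subdomain; excluded, as with the grep)
"""


def extract_addresses(text, domain):
    """Return the sorted, de-duplicated addresses at exactly `domain`.

    The local-part class is the one from the post's grep. re.escape makes the
    dot in the domain literal, and the negative lookahead rejects a following
    label character or another dotted label (example.com.au), while still
    allowing a sentence-ending period after the address.
    """
    pattern = re.compile(
        r"[A-Za-z0-9._%+-]+@" + re.escape(domain) + r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])"
    )
    found = {m.group(0).lower() for m in pattern.finditer(text)}
    return sorted(found)


def extract_from_files(pattern="results*.txt", domain="example.com"):
    """Step 4 of the post: run the extraction over every saved page at once."""
    pages = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            pages.append(fh.read())
    return extract_addresses("\n".join(pages), domain)


if __name__ == "__main__":
    for addr in extract_addresses(SAMPLE_RESULTS, "example.com"):
        print(addr)
```

Subdomains are excluded on purpose to match the grep; drop the `@` anchoring to a literal domain if you want `sub.example.com` as well.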

OpenVPN Performance through PrivateInternetAccess

I’ve been wanting to get a VPN service due to privacy concerns for a while now. I have not done it until now mostly because of my assumptions about VPN service speeds and reliability. A [blog post](http://blog.level3.com/global-connectivity/verizons-accidental-mea-culpa/ "Verizon’s Accidental Mea Culpa") by Level 3’s Mark Taylor prompted me to finally take action. As it turned out, I was about half-right in my guesses and below I’ll tell you why.

First, though, let me talk about my choice of VPN service. To clarify, my primary concern was privacy, speed, and reliability. Conducting illegal activities was not part of my search criteria, however I did keep in mind the attitude towards using popular file sharing protocols since there are plenty of legitimate uses for those. I looked at about 10 different options and ended up going with [PrivateInternetAccess](https://www.privateinternetaccess.com "PrivateInternetAccess"). Don’t take this as a “best of 10,” though, because I have not properly reviewed any of them.

Before choosing PrivateInternetAccess, I was leaning towards AirVPN because of their origins. But, what turned me off is their slow support for prospective customers (I requested a trial and am still waiting on a reply) and their social features oriented website. For instance, their customer and forum accounts are one and the same, and when logging in one has to explicitly check the option to not be added to the active users list. The control panel has all the usual social profile features of a forum member (user information, post tracker, status feed, etc) in addition to billing information and other service related information such as current plan, support tickets, and invoices. I understand the need for a community, but when you are a privacy oriented service I feel there are better ways of going about setting that up.

All this in contrast to [PrivateInternetAccess](https://www.privateinternetaccess.com "PrivateInternetAccess"), or PIA for short, that only has options for setting your e-mail, password, and subscription. That’s more up my alley. And they are cheap.

I did briefly consider running my own VPS setup on a VPN, but the cost/benefit didn’t work out.

Let’s talk benchmarks. I should warn that these numbers are not very scientific in the sense that, although I performed multiple tests while setting things up and messing around, the results below are from one-time runs that were done specifically for this post but still looked representative of my overall experience.

There were three main scenarios that I looked at, with the only difference being where the VPN client was set up.

  • For all of the speed tests I chose one closest geographical location (VPN server was set to the same state).
  • There was no other significant traffic on the LAN
  • DOCSIS 3.0 cable modem with a 100BASE-T cable plugged in to WAN (because it helped with cable management and wasn’t going to come close to capping my bandwidth)
  • 50/5 Mbps ISP plan
  • OpenVPN setup
  • All the snapshots were done within a 30 minute window

Scenario 1 — no VPN.

Speedtest without VPN

This is the baseline — low ping, speeds as advertised. No surprise there.

Scenario 2 — VPN on a Windows PC running PIA’s software

Speedtest with VPN on a PC

Triple the latency and triple the speed. Pretty impressive, huh? The conclusion is obvious — to increase the speed we must increase the latency! Call your ISP now and demand higher ping times! All kidding aside, the increase in latency is due to additional VPN hops and the increase in speed is most likely due to LZO compression. Still, rather impressive considering I am going through a VPN. Certainly, not what I was expecting and in a good way.

Scenario 3 — VPN on TL-WDR4300 router running OpenWRT Attitude Adjustment

Speedtest with VPN on a TL-WDR4300 router

This is really the use case I was going for. I wanted to set up VPN service on my router for use for the entire house. The latency did not change from the previous scenario, however the download speed took a huge hit — about 1/4th of my regular speed and 1/10th of the VPN link with compression enabled. That’s not where I want to be for the entire house. The drop is mainly due to the Atheros chipset’s lack of processing power and of a cryptographic instruction set.

Here are some router details and benchmarks:

r36088 | Atheros AR9344 rev 2 | TP-LINK TL-WDR4300 (rev. 1.6) | MIPS 74Kc V4.12

OpenSSL 1.0.1h 5 Jun 2014
built on: Tue Jul 8 12:26:54 CEST 2014
options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,long) aes(partial) blowfish(ptr)
compiler: ccache_cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/bb/build/ar71xx/generic/staging_dir/target-mips_r2_uClibc-0.9.33.2/usr/include -I/home/bb/build/ar71xx/generic/staging_dir/target-mips_r2_uClibc-0.9.33.2/include -I/home/bb/build/ar71xx/generic/staging_dir/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/usr/include -I/home/bb/build/ar71xx/generic/staging_dir/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/include -DOPENSSL_SMALL_FOOTPRINT -DHAVE_CRYPTODEV -DOPENSSL_NO_ERR -DTERMIO -Os -pipe -mips32r2 -mtune=mips32r2 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -fpic -fomit-frame-pointer -Wall -DSHA1_ASM -DSHA256_ASM -DAES_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5               2262.45k     7884.17k    20603.42k    36201.19k    46113.77k
sha1              2093.89k     6299.78k    14280.39k    20922.61k    24506.03k
des cbc           4773.74k     5072.14k     5074.42k     5106.69k     4915.20k
des ede3          1722.16k     1746.40k     1748.50k     1751.77k     1756.32k
aes-128 cbc       7946.99k     9082.26k     9267.77k     9436.00k     9639.67k
aes-192 cbc       7108.66k     8013.22k     8061.08k     8232.59k     8185.86k
aes-256 cbc       6321.97k     7008.89k     7149.37k     7204.08k     7282.47k
sha256            1778.04k     4265.98k     7643.96k     9560.77k    10464.99k
sha512             553.24k     2236.05k     3239.23k     4406.14k     5018.68k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.108095s 0.003021s      9.3    331.0
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.030133s 0.036694s     33.2     27.3
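
Added example, not from the post: a small Python script that reads the bulk-throughput part of the `openssl speed` table above (pasted in as sample input) and turns it into a crypto ceiling in Mbit/s for an OpenVPN cipher/HMAC pair. The model is mine and deliberately simple: every byte passes through the cipher and then the hash on one core, so their per-byte costs add (harmonic combination of the two rates); tun/tap copies, per-packet framing and the kernel are ignored, so real throughput is lower still. Function names are mine.

```python
import re

# `openssl speed` figures from the post's AR9344 router, used here as sample input.
# OpenSSL prints bytes per second in thousands (the trailing 'k').
OPENSSL_SPEED_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1              2093.89k     6299.78k    14280.39k    20922.61k    24506.03k
aes-128 cbc       7946.99k     9082.26k     9267.77k     9436.00k     9639.67k
aes-256 cbc       6321.97k     7008.89k     7149.37k     7204.08k     7282.47k
sha256            1778.04k     4265.98k     7643.96k     9560.77k    10464.99k
"""


def parse_speed_table(text):
    """Return {algorithm: {block_size_bytes: bytes_per_second}}."""
    sizes, table = None, {}
    for line in text.splitlines():
        if line.startswith("type"):
            sizes = [int(s) for s in re.findall(r"(\d+) bytes", line)]
            continue
        tokens = line.split()
        values = [t for t in tokens if re.fullmatch(r"\d+(\.\d+)?k", t)]
        if not sizes or not values or len(values) != len(sizes):
            continue  # header line, or a row from a different table section
        name = " ".join(tokens[: len(tokens) - len(values)])
        table[name] = {sz: float(v[:-1]) * 1000 for sz, v in zip(sizes, values)}
    return table


def serial_throughput_mbps(table, cipher, mac, block_size=1024):
    """Upper bound in Mbit/s when each byte is encrypted and then HMAC'd on one
    core. Time per byte adds, so rate = 1 / (1/cipher_rate + 1/hash_rate).
    1024-byte blocks are the closest column to typical ~1500-byte packets."""
    c = table[cipher][block_size]
    h = table[mac][block_size]
    bytes_per_s = 1.0 / (1.0 / c + 1.0 / h)
    return bytes_per_s * 8 / 1e6


def cpu_bound(table, cipher, mac, link_mbps, block_size=1024):
    """True when the crypto ceiling alone is already below the ISP link rate."""
    return serial_throughput_mbps(table, cipher, mac, block_size) < link_mbps


if __name__ == "__main__":
    t = parse_speed_table(OPENSSL_SPEED_OUTPUT)
    for cipher, mac in (("aes-128 cbc", "sha1"), ("aes-256 cbc", "sha256")):
        for size in (256, 1024):
            print("%-12s + %-6s @ %4d-byte blocks: %5.1f Mbit/s ceiling%s" % (
                cipher, mac, size, serial_throughput_mbps(t, cipher, mac, size),
                "  (below a 50 Mbit/s link)" if cpu_bound(t, cipher, mac, 50, size) else ""))
```

On these numbers AES-128-CBC plus SHA1 tops out around 52 Mbit/s at 1024-byte blocks and under 45 Mbit/s at 256-byte blocks, so the raw crypto alone is close to the 50 Mbit/s link; the rest of the gap down to the observed quarter-speed comes from everything the benchmark leaves out, all of which also lands on the same small CPU.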

The moral of the story here is VPN service can be fast and reliable, but if you want it to be on par with your home ISP, you will need the hardware to support it. So, I am now looking for a more powerful router. At first glance it looks like [MikroTik](http://www.mikrotik.com "MikroTik") or [Ubiquiti](http://www.ubnt.com "Ubiquiti") might have what I’m looking for.

HTTP/1.1 — STOP; HTTP/1.0 — GO!

Here’s something I came across not too long ago that I thought was a bit odd. An externally accessible web server was being protected by what appeared to be Cisco’s web filtering technology. This was strange because it is the kind of thing one would expect to see on an internal network, restricting access to the outside world. Protecting servers that still require access from the Internet by authorized users is generally done by things like firewalls, IP address whitelists, and VPNs. I believe this was a case of misuse of technology. An attempt to make something work in a way that was not intended. However, that is my job and it is the opposite of what network/systems administrators should be doing when implementing solutions.

Access was denied and a scary sounding message “Access to this destination is not allowed due to a possible malware threat” was presented when trying to access the website:

Access Denied

malware detected! maybe…

I had not seen that before and my first thought was that maybe an IPS detected the vulnerability scan that ran the night before. That scenario would have been annoying but not surprising as the scans are quite noisy. Maybe my source IP got flagged as potentially dangerous? But, after a few checks, it turned out to not be the case. Must be some kind of content filtering setup with a generic message and possibly IP-based, I figured. Or, even worse, malware got planted during an earlier compromise and internal Cisco solution was flagging it but the administrators haven’t noticed.

Anyway…

I noticed that the test results I was getting back were inconsistent. Some were coming back with the “Access Denied” page, while others with something else entirely. A few manual checks later it became apparent that the Cisco solution was only filtering HTTP/1.1 requests that are normally used by browsers, and letting everything HTTP/1.0 through.

After ensuring all my applications and tools were set to use HTTP/1.0 for communications with this web server, it turned into just a regular day at work. This is what was behind the content filtering wall:

ShoreTel's login interface

Beyond the wall.

The moral of the story here is two-fold. One, if you are setting up security controls, don’t rely on web content filtering solutions as a means of controlling access to your external websites. Two, if you are testing security, always poke with several different sticks and from several different angles even when you think “there’s no way that would work.”
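
Added example, not part of the post, written from the administrator's side of the story above: if a front-end control treats HTTP/1.0 and HTTP/1.1 differently, the web server's own access log shows it. The Python below parses lines in the common "combined" log format (the sample lines are constructed, and the function names are mine), counts HTTP/1.0 requests per source (modern browsers send HTTP/1.1, so a run of 1.0 requests from one address is worth a look), and flags any client that was blocked on HTTP/1.1 but served a 2xx on HTTP/1.0 for the same path, which is the signature of a version-dependent filter.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format; not from a real server.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [08/Jul/2014:12:26:54 -0600] "GET /login HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jul/2014:12:27:10 -0600] "GET /login HTTP/1.0" 200 4821 "-" "curl/7.35.0"
203.0.113.5 - - [08/Jul/2014:12:27:15 -0600] "GET /admin HTTP/1.0" 200 2210 "-" "curl/7.35.0"
198.51.100.7 - - [08/Jul/2014:12:30:00 -0600] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jul/2014:12:30:02 -0600] "GET /login HTTP/1.1" 403 512 "-" "Mozilla/5.0"
"""

# Fields of the combined format that we need: source, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_log(text):
    """Parse each well-formed line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def legacy_version_requests(records):
    """Number of HTTP/1.0 requests per source address."""
    counts = defaultdict(int)
    for r in records:
        if r["proto"] == "HTTP/1.0":
            counts[r["src"]] += 1
    return dict(counts)


def version_dependent_outcomes(records):
    """(src, path, status_on_1.1, status_on_1.0) for every client/path pair that
    was refused (>= 400) over HTTP/1.1 yet served a 2xx over HTTP/1.0. The first
    status seen per protocol is kept."""
    seen = defaultdict(dict)  # (src, path) -> {proto: status}
    for r in records:
        seen[(r["src"], r["path"])].setdefault(r["proto"], r["status"])
    findings = []
    for (src, path), by_proto in sorted(seen.items()):
        s11, s10 = by_proto.get("HTTP/1.1"), by_proto.get("HTTP/1.0")
        if s11 is not None and s10 is not None and s11 >= 400 and 200 <= s10 < 300:
            findings.append((src, path, s11, s10))
    return findings


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("HTTP/1.0 requests by source:", legacy_version_requests(recs))
    for src, path, s11, s10 in version_dependent_outcomes(recs):
        print("%s got %d on HTTP/1.1 but %d on HTTP/1.0 for %s" % (src, s11, s10, path))
```

If the filter sits in front of the server and drops blocked requests before they are logged, the second check will only ever see the HTTP/1.0 side; the per-source count still stands, and the filter's own logs are the place to compare against.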

How I Chose My Blogging Platform

Over the past few days I scoured the Internet in search for a blogging platform that fits my needs. The usual suspects that immediately came to mind were WordPress, Blogger, LiveJournal and TypePad. As it turned out, there are a lot more other options out there. Before I go into my impressions of these platforms, I should explain what it is that I was looking for.

  • First and foremost, it had to be easy to write in. Fewer distractions, but enough tools to get the job done easily.
  • Second, it needed to handle attachments and media library well. I want to (attempt to) keep things organized.
  • Third, the look and feel had to be easily customizable. I wanted something a little more personal.
  • Fourth, it had to have support for custom domain names.
  • Fifth, it had to be a managed service.

To expand on the last point, although running your own setup can be a lot of fun and educational, it is also a fair amount of work. I don’t trust the security of regular shared hosting solutions, plus that route would require acquiring an SSL certificate. So, setting up a VPS would have been the way to go for a DIY approach. That, however, means:

  • set up, secure configuration, maintenance, and monitoring of the server host
  • set up, secure configuration, maintenance, and monitoring of the web server
  • set up, secure configuration, maintenance, and monitoring of the web application
  • set up, secure configuration, maintenance, and monitoring of the database server (most likely)
  • set up, secure configuration, maintenance, and monitoring of the monitoring software (IDS/IPS, etc)

Been there, done that, ain’t got time for it. I had to find a managed service that I felt was reasonably secure and gave me the freedom I needed.

roon.io
I think they have a poor infrastructure because the site frequently failed to load properly. Also, they are having some UI issue because I wasn’t able to modify some account settings and was given some silly errors as to the reason why. Plus, they are new and none of that builds confidence. On the other hand, because they are new and because I think their blogging interface is right up my alley, I will be checking up on roon.io to see how it develops.

Ghost
Another fairly new platform. It’s open source and their service definitely felt more stable, however I didn’t feel very comfortable with it. What threw me off was the fact that they require registration of one account with ghost.org and then, after you create a blog, you will need to create another account to administer that blog. Not only that, but after the setup the administrative user registration for your new blog is left wide open to anyone who happens to visit the website before you register. Granted, this timeframe should generally be rather small (as long as it takes you to click a link and type in a user name and password) and the URL of your blog should be unknown, I still don’t like it. Nevertheless, another platform I will be keeping my eye on.

Scriptogr.am
Requires Dropbox. Although I can see why it can be appealing, I do not like sharing access because the restrictions are not granular enough.

Postagon
Has a good set of attractive features, but is “blogging for minimalists” and thus doesn’t have quite all the features I required.

Svbtle
Registration partially closed. I did not bother trying to get an account because it seemed like it lacked the customization/CMS functionalities that I required.

Pen.io
Too simple for my needs. It also claims to be anonymous because they “don’t store email addresses or any personal information.” Unless they also don’t store IP addresses and browser fingerprinting information I don’t see how they are any more anonymous than any other free blogging service out there (since you can use a dedicated e-mail address and fake personal information).

Medium
Seems pretty neat and social, but too simple for my needs.

Postach.io
Similar to above. Too simple for my needs.

Squarespace
Loved the simplicity of setting up and managing the website, however from the blogging perspective I found it to be lacking. The writing interface is suited more for creating webpage content rather than regular publishing. That is, it tailors to website development rather than distraction-free writing. Their theme choice is fairly small and the themes, I feel, are suited better for e-commerce, portfolio, photography, etc. and less for blogging. Additionally, making CSS adjustments requires a “developer” account which you need to apply for. I didn’t go through the process since completely rewriting or creating my own theme wasn’t my intention. Their support was thorough and helpful. I submitted a ticket for an issue the night I was testing out the service and the following morning I got the answer. I have to say, when I require a business/professional website Squarespace will be at the top of my candidates list.

WordPress
This is the one I eventually settled on (the managed service). It’s a bit bulky, has a set of its own quirks, requires payment to remove ads and at the same time has a policy of not allowing placing your own. Custom domains and other features also require payment. The current deal is $99/year for a set of all the features you’ll need to get started. Unless the domain name is registered with them you will not be able to simply point it at their servers. At the same time their DNS management options are fairly basic. In addition, their system supports TXT records only up to 192 characters long, so if you have, say, a long DKIM public key it won’t work. Admittedly, I have not contacted their support to see if they can manually make an exception. I had to resort to some CNAME and redirect trickery at my DNS provider to get mostlyhacking.com and http://www.mostlyhacking.com to end up pointing here. Additional restrictions are placed on the usable themes and plugins. But, with all that, it is still possible to make managed WordPress work well. The huge community and large theme choice and customization options mean you’ll find the look you want and get the support you need. The writing portion has a good distraction-free option; the posts support HTML and extended Markdown; there is built-in HTTPS support; ability for the website to be more than just a blog; easy media management, and a slew of other options.

The following blog platforms currently do not provide a managed service and therefore got only a peripheral look from me:

So the takeaway here is what you’d expect. There are a lot of options out there when it comes to publishing content and there is no universal right and wrong answer. It all depends on what you are trying to accomplish and how much of a tradeoff between time, effort, and money you are prepared to make. The more features you need and the less time you’re willing to spend on making things work, the more money it’s going to cost.

Set one (or several) of these up yourself, it’s great fun.

Synapse 1.0 not Recognizing BlackWidow Ultimate Fix

I had an issue where Synapse 1.0 software was not recognizing my BlackWidow Ultimate. My guess is that firmware got updated at some point (probably when I installed Synapse 2.0 without realizing it wasn’t what I wanted) which made the keyboard incompatible with the old software. Razer’s support website told me that I should try updating the firmware:

My BlackWidow or BlackWidow Ultimate is not being detected is there anything I can do? The latest FW v1.04 should correct most of these problems.

Unfortunately, just like the Synapse 1.0 software, the firmware installer could not detect the keyboard either and therefore could not flash the firmware.

Fast-forward me messing around with Synapse 2.0. The keyboard’s firmware was now at the latest version and magically the Razer_BlackWidowUltimate_FirmwareUpdater_v1.04.exe could now detect the keyboard. However, the updater said that “Device is already has the target firmware” and asked me whether I wanted to continue. At first, I did not want to proceed, but later decided to do it anyway for science. To my surprise the updater showed that my current firmware version was 1.08 and the new one will be 1.04. Considering how I’ve come across multiple devices where downgrading firmware was not possible, my first thought was “Uh-oh, I just bricked my keyboard.” Fortunately the downgrade went fine and nothing was bricked. In hindsight, given how buggy I found Synapse 2.0 to be after my messing with it (maybe I’ll make a post about that too), all of the above wasn’t really all that surprising. After the flash I decided to give Synapse 1.0 another try and it worked! The keyboard was detected and I was able to create macros. Best of all, I didn’t need Synapse 2.0. Yay!

In short, if Synapse 1.0 and Firmware Updater 1.04 do not recognize BlackWidow Ultimate:

  • Try updating firmware to 1.08 and then downgrading to 1.04.

If that doesn’t work:

  • Install Synapse 2.0
  • Use the offline hack to get firmware up to date
  • Downgrade to 1.04
  • Install Synapse 1.0

Hope this helps.

Razer Synapse 2.0 Offline Mode Hack

Skip to bottom half for the instructions.

I have one of Razer’s keyboards and have been happily using it for probably roughly two years with Synapse 1.0 drivers. A recent system upgrade required me to install keyboard drivers again to get all the functionality. I went ahead and got the latest drivers (Synapse 2.0 by this point) and discovered that they required online registration as well as always-on Internet connection. That didn’t sit well with me so I found and installed the old Synapse 1.0 drivers. It appeared to work right away and I didn’t bother checking the actual configuration software. However, a few days ago I needed to create a macro and found out that the old Synapse software didn’t recognize the keyboard (although the OS saw it just fine). After a bit of searching I found this little gem from Razer:

Can I use the Razer BlackWidow or Razer BlackWidow Ultimate with the legacy drivers? Legacy drivers for the Razer BlackWidow and Razer BlackWidow Ultimate are available. However, if you have already used your Razer BlackWidow keyboard with Razer Synapse 2.0, you will not be able to roll back to the legacy drivers. Razer Synapse 2.0 configures your keyboard in such a way that makes it only compatible with Razer Synapse 2.0 and not with the legacy drivers.

“For gamers. By gamers.”, you say? Looking further I found out that Razer recently improved their offline mode in Synapse 2.0. So I installed the latest version of those to see what would happen if I tried to launch them and register for the first time without a connection to the Internet. As I suspected, the registration/logon process failed due to network issues and there was no way to enter offline mode right away. A bit more looking around and I figured out a way to force the software into Offline mode and trick it into thinking it is logged in. Here’s how:

  • Install Synapse 2.0 drivers
  • Open up “C:\Users\USERNAME\AppData\Local\Razer\Synapse\Accounts\RazerLoginData.xml” (On Windows 7. Have not tested on other OS’s)
  • Change the contents to:

<?xml version="1.0" encoding="utf-8"?>
<RazerLogins xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<StayLoggedIn>true</StayLoggedIn>
<LastLoginAccount>hax@hax.com</LastLoginAccount>
<AllLogins>
<SavedCredentials>
<Username>hax@hax.com</Username>
<Password>hax@hax.com</Password>
<Mode>Offline</Mode>
</SavedCredentials>
</AllLogins>
<LastLoginDate>2013-06-02T16:01:00.7743658-06:00</LastLoginDate>
<Version>1</Version>
</RazerLogins>

  • Relaunch the software and you should be logged in and ready to go!

Hope this helps. Thanks to pentestgeek.com for posting their source of RazerLoginData.xml file which saved me from actually having to register an account.

And Razer… you disappoint me. Needless to say, I will not be buying your products again unless you start doing the right thing.

Sincerely.