Thursday, October 28, 2010

Finding sensitive information from a drive or folder

A quick script for finding email addresses on a massive scale (for instance, on a drive).


#!/usr/bin/env sh

# Usage: ./findmail.sh /path/to/search
SEARCHPATH="$1"

# Walk every regular file under SEARCHPATH. IFS= and read -r keep file names
# containing spaces or backslashes intact.
find "$SEARCHPATH" -type f -print | while IFS= read -r file
do
    printf '\nSearching through %s...\n' "$file"

    # Pull the printable runs out of each file (so binaries work too) and keep
    # anything shaped like user@domain.tld.
    MATCHES=`strings "$file" | egrep '[[:alnum:]_.-]{1,64}@[[:alnum:]_.-]{2,255}\.[[:alpha:].]{2,4}'`

    if [ "$MATCHES" != "" ]
    then
        printf '%s\n' '---------------------------'
        echo "Found matches, beware false positives:"
        echo "$MATCHES"
    fi
done


False positives are pretty much guaranteed as long as there are binary files on the file system. Most sensitive data follows patterns, so the regex is interchangeable with one for SSNs or anything else you need to find.

Some example output from running the script on /usr/src/...


Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/sched.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2005, Keir Fraser <keir@xensource.com>

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/version.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2005, Nguyen Anh Quynh <aquynh@gmail.com>
* Copyright (c) 2005, Keir Fraser <keir@xensource.com>

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/physdev.h...

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/event_channel.h...

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/vcpu.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2005, Keir Fraser <keir@xensource.com>

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/memory.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2005, Keir Fraser <keir@xensource.com>

Searching through /usr/src/linux-headers-2.6.35-22/include/xen/interface/elfnote.h...

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/skcipher.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/ctr.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/compress.h...

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/algapi.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2006 Herbert <herbert@gondor.apana.org.au>

Searching through /usr/src/linux-headers-2.6.35-22/include/crypto/hash.h...
---------------------------
Found matches, beware false positives:
* Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au>
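As an added example (not the post's script), here is a Python version of the same sweep that carries the pattern-swapping idea above a step further: it pulls printable runs out of each file the way strings(1) does, applies a table of patterns (email addresses and US SSN-shaped numbers) to every run, and discards SSN hits that the issuing rules make impossible, which trims some of the false positives the post warns about. The sample bytes, the file-size cap and the validator rules are my own assumptions, not anything from the post.

```python
#!/usr/bin/env python3
"""Sweep a directory tree for sensitive strings (emails, SSN-shaped numbers) in any file type."""
import os
import re
import sys

# Emulate strings(1): runs of at least 4 printable ASCII bytes, so binaries work too.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,24}")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def valid_ssn(m):
    """Drop SSN-shaped numbers the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    area, group, serial = m.group(1), m.group(2), m.group(3)
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


# label -> (regex, validator). Add a row here to hunt for another kind of data.
PATTERNS = {
    "email": (EMAIL_RE, lambda m: True),
    "ssn": (SSN_RE, valid_ssn),
}


def scan_bytes(data, patterns=PATTERNS):
    """Return [(label, matched_text), ...] for every validated hit in the printable runs of data."""
    hits = []
    for run in PRINTABLE_RUN.findall(data):
        text = run.decode("ascii")
        for label, (regex, validator) in patterns.items():
            hits.extend((label, m.group(0)) for m in regex.finditer(text) if validator(m))
    return hits


def scan_tree(root, patterns=PATTERNS, max_bytes=64 * 1024 * 1024):
    """Walk root like `find -type f`, yielding (path, label, match); unreadable or oversized files are skipped."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for label, match in scan_bytes(data, patterns):
                yield path, label, match


# Constructed sample: a fake binary holding one email, one plausible SSN and two
# SSN-shaped strings (area 000, group 00) that the validator should reject.
SAMPLE = (b"\x7fELF\x01\x02ab\x00Contact: alice@example.com\x00\xff\xfeSSN: 123-45-6789"
          b"\x00bad: 000-12-3456 and 123-00-6789\x00ver 1.2.3\x00")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, label, match in scan_tree(sys.argv[1]):
            print(f"{path}: {label}: {match}")
    else:
        print(scan_bytes(SAMPLE))
```

Run it with a directory argument to sweep a tree, or with none to see the hits on the constructed sample. The validator hook is where most of the noise reduction happens: a bare regex for nine digits with dashes flags version strings and phone fragments, while the issuing-rule check above (and, for emails, requiring a dotted domain) keeps only values that could actually be real.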

Sunday, October 24, 2010

Sloped Steganography

I have been preparing for my MAT exams so that I can skip all the basic math classes and just start off my college math at Calculus, playing with graphs and such. I started thinking of ways that I could use this for a project I am working on, a small steganography kit.

Say you have a binary file that is 20 bytes long and you want to embed the message "Helloworld" (10 bytes, one byte per character) into it, in a way that is not obvious to anyone but the person the message is intended for. We will divide both sizes by 5 in this example to set the width of our grid. The grid can be any size you can write an equation around.


[M][Z][0][0][0]
[0][0][0][0][0]
[0][0][0][0][0] + [H][e][l][l][o]
[0][0][0][0][0] + [w][o][r][l][d]


We don't care about the binary file; it is the message that is important. If it just seems 'corrupted' to anyone else, all the better.

Most of us will probably remember rise over run from elementary school. Treating each row in the message separately, we can insert the message using a slope evenly and easily into the binary file (using 1/1 and -1/1 for "world" and "Hello", respectively). With some trig thrown in, you can get some nice graph-like steganography:


[H][Z][0][0][o]
  \         /
[0][e][r][l][0]
     /\ /\
[0][o][l][l][0]
  /         \
[w][0][0][0][d]


Pardon the rough mockup. Hopefully it is easy to follow.

For the technicals, we assume that [w] is located at (0,0). Both y and x = 0. That gives us a y-max of 4 and an x-max of 5. Our 'Hello' row has its trough at (3,1) and its peak at both (0,4) and (5,4). Our 'world' row has its peak at (3,3) and its troughs at (0,0) and (0,5). From this, we can derive an equation for each line and can piece together the message.

Of course, as the message/data to be hidden grows, the math can become more and more complicated, but the stealthiness is limited only by your imagination.
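As an added example (not the post's steganography kit), the following Python carries the mockup through in code: each row of the message is a piecewise-linear path y = m*x + b over a 5-wide grid, with [w] at (0,0) in the bottom-left corner as the post assumes and y growing upward, and the receiver walks the same line equations to read the message back. The 20-byte cover starting with 'MZ', the two paths (read off the mockup, so 0-indexed) and the helper names are my own choices.

```python
"""Embed a message along straight-line paths (y = m*x + b) of a byte grid and read it back."""


def line_points(segments):
    """Integer (x, y) cells visited by a piecewise-linear path.

    segments: list of (slope, intercept, x_start, x_end). Consecutive segments share
    their joining cell, which is emitted once; a line that leaves the integer lattice is an error.
    """
    pts = []
    for m, b, x0, x1 in segments:
        for x in range(x0, x1 + 1):
            y = m * x + b
            if y != int(y):
                raise ValueError(f"segment y={m}x+{b} is off the grid at x={x}")
            cell = (x, int(y))
            if not pts or pts[-1] != cell:
                pts.append(cell)
    return pts


def _index(x, y, width, height):
    """Map grid coordinates to a buffer offset; y=0 is the bottom row, as in the post."""
    if not (0 <= x < width and 0 <= y < height):
        raise ValueError(f"cell {(x, y)} outside {width}x{height} grid")
    return (height - 1 - y) * width + x


def embed(cover, width, paths, message):
    """Overwrite the cover's bytes along the paths with the message, one byte per cell."""
    height = len(cover) // width
    cells = [p for path in paths for p in line_points(path)]
    if len(cells) != len(message):
        raise ValueError(f"paths cover {len(cells)} cells but message has {len(message)} bytes")
    buf = bytearray(cover)
    for (x, y), byte in zip(cells, message):
        buf[_index(x, y, width, height)] = byte
    return bytes(buf)


def extract(stego, width, paths):
    """Walk the same paths over a stego buffer and return the hidden bytes."""
    height = len(stego) // width
    return bytes(stego[_index(x, y, width, height)] for path in paths for x, y in line_points(path))


def render(buf, width):
    """ASCII grid like the post's mockup: printable bytes shown, anything else as 0."""
    rows = [buf[r * width:(r + 1) * width] for r in range(len(buf) // width)]
    return "\n".join("".join(f"[{chr(b) if 32 <= b < 127 else '0'}]" for b in row) for row in rows)


# Paths derived from the post's mockup on a 5x4 grid (x to the right, y upward).
HELLO_PATH = [(-1, 3, 0, 2), (1, -1, 2, 4)]   # "Hello": V shape, trough at (2, 1)
WORLD_PATH = [(1, 0, 0, 2), (-1, 4, 2, 4)]    # "world": inverted V, peak at (2, 2)


def demo():
    """Constructed 20-byte cover ('MZ' then zeros) carrying 'Helloworld'; returns (stego, recovered)."""
    cover = b"MZ" + bytes(18)
    stego = embed(cover, 5, [HELLO_PATH, WORLD_PATH], b"Helloworld")
    return stego, extract(stego, 5, [HELLO_PATH, WORLD_PATH])


if __name__ == "__main__":
    stego, recovered = demo()
    print(render(stego, 5))
    print(recovered.decode())
```

Running the demo prints the same 5x4 grid as the mockup and recovers "Helloworld". The only thing the receiver needs beyond the grid width is the list of line equations, which makes that list the effective key; any paths work as long as every segment lands on integer cells and the segments together cover exactly as many cells as the message has bytes.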

Tuesday, October 19, 2010

Updated OpenDiagnostics Live CD

Took the beta release and added sslscan, arp-scan, and onesixtyone. Also updated metasploit to the latest development build (3.4.2 iirc), updated clamav, and did an upgrade through apt (no dist-upgrade). Moved it up to stable.

You can get it here.

Gentoo, useradd, and SSH

I had to create a user on a Gentoo box today for SSH, but after creating the user, he could not log in over SSH, which was very frustrating. It turns out the answer was simple, but not straightforward.

Not sure if this affects other versions of *nix, though I am sure it does.


useradd -m -p "password" user


That will not allow a user to log in over SSH; you must use


passwd user


if you want your user logging in remotely. I am not sure what the distinction is between the -p argument in useradd and using passwd to assign a password to a user. Anyone know more about this?

Tuesday, October 5, 2010

Say hello

Say hello to the Global Dianetics Institute And Fellowship.

Sunday, October 3, 2010

Re-elect Jesus Christ, Vote For Rick Perry



For all you Texans out there, feel free to steal this from me and pass them out at a place of interest near you.

For more context of the quote of Rick Perry, click here.

Also, if you feel like making a ridiculous spectacle, join the Yes Men Challenge group and post your videos/results.