David van der Sluis

Ethical Hacking & Web Development 2.0

Anatomy of an IRC Trojan / Bot / Backdoor

As the security freak of the company, I often find gems in access or errorlogs. Sometimes a plain old scanner, sometimes very sophisticated spiders. What most of the payloads have in common is: they are oftentimes obfuscated, ‘optimised’, encoded and what not.

We recently began using modsecurity more aggressively and immediately the logs began filling themselves up. My colleague then pointed me to a very interesting attack, in which a practically non-obfuscated piece of PHP-code was being injected and asked me what happened here.
Fun, because it gave me an easy insight on the code, without having to deal with obfuscation and get to see the internal workings!
[Read the rest of this entry…]

PWB / PWK OSCP course

I took the PWB and that was a wild ride!

Lots of stuff covered in the screencasts; the same and some more in the course pdf.

This is not for the feint-hearted, though, and you need to have some developingskills in order to keep with the speed (aka $End_of_lab_time – NOW()) as the labs really are the key.

Important skills:

  • Developers mindset: there is not enough time in the labs to teach you basic programming pragmatics, but you certainly can learn this upfront and you should. Don’t think you can learn do this within 60 days if your biggest experience with a PC is Word and browsing Reddit.
  • Linux skills. You really need to learn the CLI, (file)permissions, Environment, compiling of c and c++ thus also gcc
  • shellscripting (Bash, but you can use any language you want with a shebang line)
  • Python, a lot of exploits are written in the same style:
    //socket stuff
    //shellcode in a var (with possibly an egghunter-tag)
    //optionally some egghunter code
    //a certain amount of chars as the buffer to overflow on target
    //the ret address in the OS, JMP ESP into a var
    // socket.send(buffer + returnaddress + shellcode)

    or if there’s a need for an egghunter:
    // socket.send(shellcode + (buffer-len(shellcode)) + returnaddress + egghunter)
    You need to be comfortable with Python, it’s indenting and tweaking exploit for other platforms and you’ll be creating tools of your own. I sometimes jumped the gun though, rapidly created some shellscript, when the course explained the working for Nmap, to create logging/reports for each host while be able to scan whole subnets, only to find out about PBNJ in the next chapter.
  • Perl, almost the same as above.
  • Reporting. You need to document everything, not only for the customer, but also to find attack vectors and connections wchih you would have not seen otherwise.
  • Patience. Seriously. You have to be able to enumerate, enumerate, catalog data and enumerate some more. And if you have found a time-based mysqlinjection which is only reliable with a sleep of 5 seconds, you will want a reverse shell a.s.a.p, trust me.
    But this is why the course’s credo is “Try Harder”.

The course taught me a lot and they did this in a fun way:

  • Explain concept
  • Practical approach to lab on target X
  • “Now you try on Target Y. Hint: blabla”
  • spend hours and hours to spot the difference and look for that tiny subtle thing
  • r00t! And never forget

This really worked for me and I certainly won’t forget the stuff I learned the hard way.

Now for those doing the OSCP course:

OSCP Prayer
root@kali:/root# ./sayprayer.sh
Our Nmap who is in /usr/bin/,
Hallowed be thy enumeration,
Your scans will come,
your PBNJ reporting will be done,
on kali, as it is in backtrack 5.
Give us this day our holy apt-get upgrade,
and forgive us our network tresspasses,
as we punish those who trespass against us,
and lead us not into temptation of the power of Nessus,
but deliver us our Wireshark logs.
For thine is the reporting,
and the scanning, and root for ever and ever.

PWB has started!

So it has begun…

Received my course material past sunday and I am happy to start!

I succesfully connected to labs, but not after a ceremonial:

root@kali:/#apt-get remove nessus
root@kali:/#apt-get update
root@kali:/#apt-get upgrade

[Read the rest of this entry…]

Offensive Security Certified Professional

As an avid fan of hackerchallenges and wargames (rootthisbox kind of games) in general, I have been using BackTrack/Kali for quite a while now.

Packed with all kinds of 3rd party tools focussed on Digital Forensics & PenTesting it was a true playground for me and I must say I know my way around in BT a bit and the possibilities it offers in the PenTesting world.

In my daily job, I work as a webdeveloper with a slight tin-foil hat on, because of my root in the security world, which my employer is very grateful of. I also am very interested in how I can secure myself and be as private as possible on the stuff that matters to me (SSL, TOR, TrueCrypt, etc, etc).

So lately I’ve been researching the courses the guys behind BT (Offensive Security) have to offer and came to the conclusion that the OSCP-certification, with the precursor course “Penetration Testing with Backtrack” would be a fun way to dive into the wonderful world of PenTesting.

Reviews are all around (almost all of them very positive) and I must say I’m intrigued by the way the course gets you direct hands-on experience and the 24-hours exam is basically a black box labelled with “Figure it out” unlike the other security certifications floating around.

I hope I’ll learn a lot, but I’m already reprogrammed with a new motto I “heard somewhere”: “Try Harder”

Hacker Challenges

Wow. It has been quite some time since my last update here.
I might aswell start using this place a little bit more often…

Today’s topic will be about: Hacker challenges(the puzzle-kind).

Back in 2001, there was a website which intrigued me, made me look up all kinds of information on the internet and had a strong community:
http://www.cyberarmy.com (just back online after years)

This is where it all began, what made me go into IT, what made me such a security-freak.
It had a whole ranking system, a board/forum for each rank, increasingly getting more permissions with each rank increase, which initially could be done by beating the challenge for that rank in Zebulun.

With each increase in rank it would give you permission to view boards below you, even moderate posts at lower levels and it would gain you respect. You’d start out with a simple JavaScript challenge, talking to a bot (Eliza! I still hate you!) with responses piped to an IRC-channel for the giggles of those who already had beaten it, steganography, exploits, to even getting root in a box.

I’ll never forget the excitement I felt when I finally progressed to “LtKer” and the accompanying bragging rights.

Hackerchallenge-sites shot out of the ground with Cyberarmy being the rolemodel (The Pyramid, SERS, Net-force, slyfx, Electrica, HackThisSite, theblacksheep, I could go on for a while) and even got bundled and rated on hackerchallenges.net by Angela Byron (aka Snarkles) snarkles (http://www.snarkles.net). Angela was well-known throughout whole the (whitehat)hackercommunity and you should know her: she’s one of the co-maintainers of Drupal!

What made all these sites so succesful?
* Different kinds of areas on which to puzzle on (Programming, Cryptography, decompiling/reverse engineering, security holes, system-administration, Steganography, Mathematics, Cracking, Riddles).
* A stimulus to keep on going (ranking, levels, getting more permission, scores, bragging rights amongst peers, etc).
* Incrementing the complexity smoothly: Often a way in which the challenge stimulated into doing a lot of research before you could understand the problem, but also building on the blocks of stuff you learned before.
* A community in which us nerds could communicate through.
* Optionally: A storyline, allthough a lot of the good sites were basically a collection of challenges, some had a catchy stoyline.

All these sites made me curious, made me think out of the box, gave me hands-on experience on different programming-languages or -problems, taught me how to search for relevant information. I think it’s safe to say that these sites made me the developer as I am now.

Because most of us obviously registered on a lot of sites, there is a ‘The One Challenge Site To Rule Them All’, which is:

Here you can link all the challenge-sites to your user and see the progress you made. And of course bragging rights on a desolate idle IRC-channel.

For us old CA-ers: Please post your opinion on Eliza… I think even after 7 years it’s still starts to boil your blood ;).

Finally Certified!

Zend Certified Engineer PHP5

Today I got to do the Zend PHP5 Certification exam.
In preperation for it, I took the courses described in my previous post and I did the Vulcan mock exam 6 times (and passed it 6 times).

When I arrived at the test-centre, I got to know I was the only candidate, and I could take the exam anytime I wanted (read: earlier). My bag was taken in and then I was seated in a room with a computer, a plastic notepad and a sharpie.
No camera’s and totally alone, I could have looked up anything on my phone with internet, but I did not: I can’t tell customers with a straight face I’m a ZCE if I would’ve looked up some questions.

Anyways, I was faced with an application which looked like an old Windows 95 app, but at least with a decent mouse. Zend could improve a lot in upgrading the interface, but I guess that’s not in their hand: Pearson handles and administrates the exams. Vulcan looks neater, and works way faster, but to give credit to the Zend app: they indent their code-snippets better. The questions I got tasked with were not really different in complexity or obscurity than the mock exam, so I was done in about 35 minutes. I looked over the answers, and could fill in some blanks after I saw the same keyword later in another question. The Zend app gives you the opportunity to go to the previous questions and change answers, so the review-checkmark doesn’t always have to be checked to review a previous questions.

The most eye-twitching moment was when I hit the “End exam” – button: the computer started to rattle heavily and I got to see a dialog in which it calculated the score (just a progressbar) while I had covered my eyes in frustration. Aarrrgghh!! Finally it stated I had passed the exam: Hooray! while I was alone in my genuine enjoyment. Strolling to the desk I got to pick up my score report.

Now I’m facing a different challenge: to determine what the ZCE is worth. I could not find any good posts about it on the interwebs, but I guess I’ll have to find out by mere experience.

If there are any questions in relation to the exam, ask them!

Zend Certified Engineer


Self development
As you might know, I have been happily using PHP for like almost 6 years now. From PHP3 to PHP4 to PHP5, all with it’s own problems and perks. I never thought about looking into certification-course like Microsoft’s or Sun’s. Uptil almost a year ago.

ZCE’s speed course
I’ll skip the boring part: So I’m currently following Zend’s 90-day from noob to PHP-expert course.
It basically consists of 4 main stages:

  • PHP I foundations (basic syntax, operating, some functions, array handling…) 9 lessons, 2 hours
  • PHP II Higher structures (classes (thus OOP), design patterns, RegEx, Database handling)9 lessons, 2 hours
  • PHP5 Certification Training ( ehh well examtraining)9 lessons, 2 hours
  • The Exam itself.

At first I was a little bit sceptic: would they be able to keep me awake during the class? Right after the first e-mail conversation with a Course Manager (about if I could use my own IDE), they offered me to skip PHP I, as my question indicated a higher level of experience then “beginner”, and let me pick an other class instead. For free. For your curiosity: I chose PHP Security .

All Zend’s classes are online through a WebEx environment, and realtime. I don’t like the bugs and glitches (boo you, Cisco!), but ah well: it worked.

PHP II: Higher structures
And so I started with PHP II.
The presenter, the lovely Robyn Overstreet, used a microphone and a kind of Remote desktop view at her console, in which she presented the course-sheets, showed and run examples in her IDE, etc. The participants could use a microphone, but a common practice was a chat window, to ask questions or discuss matter. I was amazed about the flexibility(and patience) of the presenter. Allthough the lessons were not really new to me, it still learned me some little pittfalls and at the least it refreshed some stuff. The discussion I had were of good quality (and that’s worth something aswell), but I guess the discovery that Michael Kimsal was not a participant himself but merely auditing Robyn explained some stuff aswell I guess.

PHP5 certication training
The PHP5 certication training was a different story.
At first the presenter, again Robyn, refreshed PHP5 basics. But then there were the Pop-quizes, which occurred predictably after each covered topic. Every question seemed either too easy to be true(which was the case 98% of the time) or impossible to solve. It was here aswell I learned to examine a problem from every angle. Allthough the problems weren’t always reallife-examples,
Whats will be printed?
$a = 'b';
$b = 'c';
$c = 'a';
echo $$$$$$$$$b;

they gave a good enough indication where to look at when developing an application.
Because we covered almost all PHP5 topics, and a popquiz appeared right after it, I got to know a common trap for each and every section, and most of the time we spiralled down into problems popping up in the discussion(which was positive, really!). At the end we made a test-examn and reviewed it.


Not much to say yet, because I didn’t take the exam yet. Only thing I can tell is that I took 2 vulcan mock-exams and passed nicely. The PHP|architect’s claim the mock-exam is actually harder then the real exam, got burned down by a course-mate(Rodrigo)……

Maybe you readers could tell me your experiences of ZCE?

Personal Blog Online

Heya all,

I finally took it up and pushed myself to make a blog about myself. I will be using this place to share links, projects, resume and some non-organised stuff I feel I have to share with the netizens. If you want to share something, dump a link or hire me: feel free to contact me at: david [\A\T] davidvandersluis [D.O.T.] nl.