Mark Grimes

3 years ago

in Wardial With Irony on Matasano Chargen
Actually, we used a wardialer on nearly every internal pentesting effort... some of our juiciest findings have been from what is attached to the end of modems. I'm not talking about PCAnywhere, I'm talking door card systems and electricity controls. Seldom is notable authentication coupling associated with the proliferation of legacy software with dialup support alone.

3 years ago

in I feel like I am on crazy pills! on Matasano Chargen
Yeah, that's advertising for you... maybe they get kickbacks from Microsoft for lumping Linux's 4839021 kernel DoS and local privilege escalation attacks side by side with OpenBSD's track record.

SANS clearly is smoking the same stuff by listing Mac OS X (the entire OS) as one of the Top 20 vulnerabilities.

I can't say I'm ashamed for leaving pentesting for s/w engineering. It's easier for me to laugh at now I suppose.

3 years ago

in I really am the Matasano janitor… on Matasano Chargen
Thanks Jeremy, I redirected all the penguins here.

3 years ago

in A blackbag that actually compiles! on Matasano Chargen
I could be wrong but IIRC Linux doesn't offer strl* functions in its libc. You'll either want to include the functions in their entirety or live in ifdef hell and replace strl* with strn* for the Linux architecture. Yay Linux... I'm sure something similar holds true for arc4random and srandomdev. The glory of C portability -- ifdef fsckage or the autoconf nightmare. Thomas is just making an argument for why people use Python and friends despite the almost negligible slowdown of bytecode.
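A concrete version of the portability shim the comment above is talking about, added here as an illustration and not blackbag's own code: OpenBSD-semantics strlcpy/strlcat fallbacks behind feature macros the way an autoconf AC_CHECK_FUNCS test would wire them in. HAVE_STRLCPY, HAVE_STRLCAT and the bb_ prefix are assumed names; the prefix is deliberate so the fallback never collides with a libc that does ship these functions (glibc has since 2.38, in 2023). The block also shows why the suggested strl* to strn* swap is not a drop-in replacement: on truncation strncpy leaves the buffer without a terminator, and the strl* return value is what lets you detect the truncation at all.

```c
/* Added example, not blackbag's code: OpenBSD-semantics strlcpy/strlcat
 * fallbacks selected by feature macros as an autoconf check would define
 * them. HAVE_STRLCPY / HAVE_STRLCAT and the bb_ prefix are assumed names. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_STRLCPY
#define bb_strlcpy strlcpy
#else
/* Copy src into dst of dsize bytes. NUL-terminates whenever dsize > 0.
 * Returns strlen(src); a result >= dsize means the copy was truncated. */
size_t bb_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}
#endif

#ifdef HAVE_STRLCAT
#define bb_strlcat strlcat
#else
/* Append src to the string in dst, dsize bytes total. Returns the length
 * of the string it tried to build; >= dsize means truncation. */
size_t bb_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dsize)          /* dst is not terminated: append nothing */
        return dsize + strlen(src);
    return dlen + bb_strlcpy(dst + dlen, src, dsize - dlen);
}
#endif

/* Why "replace strl* with strn*" is not a mechanical substitution: on
 * truncation strncpy leaves dst without a terminator, strlcpy never does.
 * Copies src into a dsize-byte window with the chosen routine and returns
 * 1 if a NUL landed inside that window, 0 if the string runs off the end. */
int copy_leaves_terminator(int use_strlcpy, const char *src, size_t dsize)
{
    char buf[64];
    if (dsize == 0 || dsize > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);     /* poison so no NUL is there by luck */
    if (use_strlcpy)
        bb_strlcpy(buf, src, dsize);
    else
        strncpy(buf, src, dsize);
    return memchr(buf, '\0', dsize) != NULL;
}

/* Typical use of the return value: refuse to act on a clipped path rather
 * than silently operating on the wrong file. Returns 1 if everything fit. */
int join_path_checked(char *out, size_t outsz, const char *dir, const char *file)
{
    if (bb_strlcpy(out, dir, outsz) >= outsz) return 0;
    if (bb_strlcat(out, "/", outsz) >= outsz) return 0;
    if (bb_strlcat(out, file, outsz) >= outsz) return 0;
    return 1;
}

int main(void)
{
    char path[32];
    printf("strlcpy terminated: %d, strncpy terminated: %d\n",
           copy_leaves_terminator(1, "hello world", 8),
           copy_leaves_terminator(0, "hello world", 8));
    printf("fits: %d (%s)\n",
           join_path_checked(path, sizeof path, "/usr/local", "bin"), path);
    printf("fits: %d\n",
           join_path_checked(path, sizeof path, "/usr/local/share/doc",
                             "blackbag-0.4.tar.gz"));
    return 0;
}
```

On a BSD or macOS box (or a recent glibc) build with -DHAVE_STRLCPY -DHAVE_STRLCAT and the bb_ names route straight to libc; without the macros the fallbacks above are compiled in, which is the half of the ifdef the comment is complaining about.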

3 years ago

in A blackbag that actually compiles! on Matasano Chargen
For you Mac OS X users that are having problems...
I have made an installer of blackbag-0.4+libevent here. No fink/dports required. Installs libevent under /usr/local and blackbag defaults to /usr/local/bin (but is relocatable of course). Thomas, say so if this is not cool and I'll pull it -- just trying to make it easier for some.

3 years ago

in More silly little tools on Matasano Chargen
Never underestimate the power of the pasteboard and base64 encoding for file xfer, eh? I've had many a [pentest] customer's boxen fall after they had removed what they believed were all the file transfer protocols, along with the compiler and linker. One would think shuttling static binaries uuencoded, when many people have the happy legacy uucp tools on every install, would be entirely obvious. Glad to hear you mention 'the power of cat and pasteboard' -- I tend to believe it's as much of a lost art as wardialing.

I agree about the short-fuse toolkit stand-up when conducting security testing. All the cruft on packetstorm/securityforest/etc. (albeit stamp collecting is fun) is not as useful as just a handful of useful tools (metasploit, scapy, maybe a couple of others) and command of Python, Ruby, Perl, whatever (preferably something you can find on your boxen as well as your targets).

As soon as I roll a pkg of libevent I'll test and pkg up your new toolkit, Thomas. I took a short glance last night before I had to put my kids to bed and I think you've hit up some areas that would make my short list of useful code to carry with me. Thanks!
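The base64-over-pasteboard transfer the comment above refers to, written out as an added example (not the commenter's or Matasano's code): encoding wrapped at 76 columns so it pastes cleanly into a heredoc on the target, a decoder that tolerates the whitespace a terminal or pasteboard inserts but rejects anything else, and a checksum compare before the result is trusted. The 300-byte sample_blob is constructed to look like a static binary (ELF magic, embedded NULs, high bytes); FNV-1a stands in for the md5/sha1 you would actually compare on both ends.

```c
/* Added example, not from the original thread: the "cat and pasteboard"
 * transfer done in code. Encode arbitrary bytes as base64 wrapped at 76
 * columns (what gets pasted into `cat > x.b64 <<'EOF'` on the target),
 * decode while ignoring whitespace a terminal or pasteboard adds, and
 * verify a checksum before anything is marked executable. sample_blob is
 * constructed; FNV-1a stands in for the md5/sha1 you would really use. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode n bytes with a newline every 76 characters and one at the end,
 * mirroring `base64 | fold -w 76`. Returns a malloc'd C string. */
char *b64_encode_wrapped(const unsigned char *in, size_t n)
{
    size_t cap = ((n + 2) / 3) * 4;
    cap += cap / 76 + 2;                 /* newlines plus the NUL */
    char *out = malloc(cap);
    if (!out) return NULL;
    size_t o = 0, col = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = i + 1 < n ? B64[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? B64[v & 63] : '=';
        col += 4;
        if (col == 76 && i + 3 < n) { out[o++] = '\n'; col = 0; }
    }
    out[o++] = '\n';
    out[o] = '\0';
    return out;
}

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode pasted text. Whitespace anywhere is skipped (wraps, CR/LF, stray
 * spaces); any other non-base64 byte, or data after '=' padding, rejects
 * the whole input so a mangled paste is never chmod'ed and run.
 * Returns a malloc'd buffer and its length in *out_n, or NULL. */
unsigned char *b64_decode_lenient(const char *in, size_t *out_n)
{
    size_t len = strlen(in);
    unsigned char *out = malloc(len / 4 * 3 + 3);
    if (!out) return NULL;
    uint32_t acc = 0; int bits = 0, pad = 0; size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        int c = (unsigned char)in[i];
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t') continue;
        if (c == '=') { pad++; continue; }
        int v = b64_val(c);
        if (v < 0 || pad > 0) { free(out); return NULL; }
        acc = (acc << 6) | (uint32_t)v;      /* low bits stay exact */
        bits += 6;
        if (bits >= 8) { bits -= 8; out[o++] = (unsigned char)(acc >> bits); }
    }
    if (pad > 2) { free(out); return NULL; }
    *out_n = o;
    return out;
}

/* 32-bit FNV-1a: the "compare a hash on both ends" step in miniature. */
uint32_t fnv1a32(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Whole trip: encode on your side, decode on the target, accept only if
 * length and checksum agree. Returns 1 on a faithful copy, else 0. */
int transfer_roundtrip_ok(const unsigned char *blob, size_t n)
{
    char *text = b64_encode_wrapped(blob, n);
    if (!text) return 0;
    size_t m = 0;
    unsigned char *back = b64_decode_lenient(text, &m);
    int ok = back != NULL && m == n && fnv1a32(back, m) == fnv1a32(blob, n)
             && memcmp(back, blob, n) == 0;
    free(text); free(back);
    return ok;
}

/* Constructed stand-in for a static binary: ELF magic, embedded NULs and
 * high bytes, everything a text channel would otherwise mangle. */
const unsigned char sample_blob[300] = { 0x7f, 'E', 'L', 'F', 0, 0, 1, 2, 0xff, 0xfe, 0x80 };
```

The decoder's strictness is the practitioner's point: a paste that picked up a stray character from the terminal, or a binary-to-text conversion that was cut short, should fail loudly at decode time rather than produce a file that segfaults, or worse, runs as something other than what you sent. Compare the hash on both ends before chmod +x, exactly as you would for an scp'd tarball.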

3 years ago

in More silly little tools on Matasano Chargen
I've reached the point where port systems disturb me. Not so much from the end-user perspective, but simply trying to get anything into them (with more than one dependency) short of devoting your life to patches to obtain commit access and having any sort of command and control of the development process. For a while I svk-mirrored dports, then I gave up entirely.

There are a few protocol dissectors I find interesting despite the security nightmare of letting anyone know you are actually running ethereal at the time without your friends chuckling and breaking out their fuzzers.

I have an ancillary laptop I make a pkg of ethereal on via dports and then use the package to install on the primary laptop so I'm not forced to run/pollute a ports containment system on my more useful laptop. For the most part I get by nicely with tcpdump, old filters like Danny Dulai's fil, and there are a couple elegant Cocoa apps, one of them comes to mind, Eavesdrop.

Maybe I'm crazy but most code is easy to compile, so I just roll my own pkg/mpkgs. Like Thomas, I've managed to remove X11 from my life a long time ago... I don't miss anything after the years of migrating the xlib/gtk/qt hell to a less disturbing cocoa environment, substituting xfig/dia/tgif with omnigraffle and emacs with textmate.

3 years ago

in lwz %r9 0x2A(%r3) on Matasano Chargen
I forgot to mention that although I have no idea who originally generated the 70 column version, I got this from Jeff Nathan several years ago when I was working on Nemesis. I believe it was conceived during Snort development. Anyhow, if you need an active reference on the same screen as your development, it's probably handy.

3 years ago

in lwz %r9 0x2A(%r3) on Matasano Chargen
Thomas,

Here's an alternate layout for you that for me is a bit easier on screen real estate when developing from my powerbook. [packet.txt]

3 years ago

in Service Scrubber on toxicsoftware.com
Excellent points made -- prior to checking out ServiceScrubber I was using Blacktree's Services PrefPane.

3 years ago

in Mark my words on Matasano Chargen
Regarding item 1:

An overwhelming majority of Cocoa applications provide easy access to reverse engineering... e.g. classdump (see CocoaReverseEngineering). 'Tis why you see many shareware apps not containing registration routines written in Objective-C.

Also, there is already multi-architecture spanning shellcode (written by nemo) for both PPC and Intel flavor binaries.

mach_inject/APE (malicious bundles) was probably the biggest stickler so far that shows how open the OS layers are for play.

While I wholeheartedly agree that vulnerability research will increase due to the increase of user population and exposure to familiar tools, I think the cat has already been out of the bag as to what category of attacks are plausible... finding a few dozen more stack/heap local root overflows is really a big non-event.

Apple's software updates will hurt them the most here. Patch turnaround is far too long. I have some bugs in Radar that are still Open after 1-1.5 years in the system.

Still impressive that the OS that has no shortage of hackers and sysadmin switchers with an OS so open has largely been consumed by local root stack smashes and plagued by the same loosely written C code that affects the rest of the FOSS market.

I'm not quite as convinced that Joe Hacker that wants to run OSX on his Dell is going to provide much more contribution to the blackhat community. The ship has landed, people that want to investigate the OS internals already are and there are significant resources for showing where holes lie above the Darwin BSD subsystem.

3 years ago

in SCADA Security on Matasano Chargen
Hah, if only HMI software was their biggest concern, eh? Yes Matt, your weblog has continued to kick ass, and is an inspiration to expand the suite of packet injection tools to a new level. What's the fun in Snort signatures unless furthering the arms race through evasion?