After a short hiatus I finally got back into the swing of things. Unsurprisingly for me it was a new project that got me out of my slump and back in-front of the computer. Over the last month or so I’ve been working on a framework (modular) for account enumeration.
Scythe was designed with a couple of purposes in mind:
The ability to test a range of email addresses (or account names) across a range of websites (e.g. social media, blogging platforms, etc…) to find where those “targets” have active accounts. This can be useful in social engineering tests where you have email or account names for a company and want to convert that into a list of external services where these users have used their work email for third-party web-based services.
The ability to quickly create custom test-case modules and use them to enumerate a list of active accounts, using either a list of known usernames, email addresses, or a dictionary of common account names. The framework can handle the cookie collection and CSRF token work that would otherwise make a POC enumeration a pain in the ***.
The modules are XML-based and allow for both simple and more complex functionality (depending on what the user needs). Currently modules for the following websites are included as a starting point:
Twitter (Username and Email/Phone number)
GitHub (Email and Username)
BackTrack Forum (care of @digininja)
Tumblr (Email and Username)
Hopefully users will continue to add modules and feed them back to me for inclusion into the framework. This can be done via a PULL request in GitHub, or via email if you prefer. Examples are included in the modules directory (with GitHub being the example of a complex module using cookies and matching CSRF token extraction).
Apologies for the quality, but Vimeo and Flickr dislike the video resolution
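The whole technique above rests on a site answering differently for an account that exists and one that does not. The following added example (my illustration, not Scythe's own code; the user store, handlers and messages are constructed) models that oracle in a password-reset handler, shows the uniform response that closes it, and gives the check a site owner can run against their own handlers.

```python
"""Account-enumeration oracle in a reset handler, and the uniform-response fix.
Constructed example; USERS and the handlers stand in for a real application."""

# Constructed sample user store: email -> password hash (values are placeholders).
USERS = {"alice@example.com": "hash-a", "bob@example.com": "hash-b"}


def send_reset_mail(email: str) -> None:
    """Stand-in for the real mailer; a no-op in this example."""
    pass


def leaky_reset(email: str) -> tuple[int, str]:
    """Reset handler that reveals whether an account exists: different status
    and message for known versus unknown addresses."""
    if email not in USERS:
        return 404, "No account with that email address"
    send_reset_mail(email)
    return 200, "Reset instructions sent"


def uniform_reset(email: str) -> tuple[int, str]:
    """Same handler with one response for every input. The only thing that
    differs is a side effect the caller cannot observe (the mail goes to the
    registered address, not back to the requester). Note that if the work done
    for a known account is slow, response time can still leak existence; keep
    both paths doing comparable work."""
    if email in USERS:
        send_reset_mail(email)
    return 200, "If that address is registered, reset instructions have been sent"


def is_enumerable(handler, known_present: str, known_absent: str) -> bool:
    """Defender-side check: feed the handler one account you know exists and
    one you know does not. Any difference in the visible response is an
    enumeration oracle of exactly the kind a Scythe module would match on."""
    return handler(known_present) != handler(known_absent)


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_reset), ("uniform", uniform_reset)):
        result = is_enumerable(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}_reset enumerable: {result}")
```

The same check applies to login and registration responses; a signup form that must say "address already in use" can only be closed by moving that answer into the verification email.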
I presented a quick lightning talk on Scythe at the BruCON 2012 conference last week… the slides (and thankfully no audio/video) of the presentation are below.
This is my first attempt at a framework so feedback, comments, additions and PULL requests are always welcomed! If you find this useful, let me know. Inspiration to keep going is hard to come-by nowadays it seems!
In one of the many weird and wonderful hallway track conversations at this year's BruCON conference, the topic of licensing came up. Not usually a wonderful topic, but something that seems to be a bit of a hot topic on a few fronts currently. As I’d just done some quick research on licenses for the Scythe framework, I thought back to the decisions I made on how and what my code could be used for. I wanted to make it as free as possible, but still retain some control over things. One thing I couldn’t control though was abusive companies using the software. Making something free for all to use means it’s free for ALL to use… not just the great people you meet at cons, but also the bad apples of the industry that continue to give us all a bad name.
This brought up a thought in my head, and despite the fact that people will poke holes in it, I wanted to share it with you before it drifts from my mind.
The basics are as follows. An addition that can be appended to any supporting license to add a single additional stipulation. That stipulation being that people listed on the Attrition.org charlatan list are not permitted to use the software. I’m no lawyer, but something like the following wording seems like it would make sense:
Redistribution, and use in source and binary forms, with or without modification, are permitted only to people or organizations not currently listed on the Attrition.org Charlatans list. An up-to-date version of this list can be found on the Attrition.org website at the following URL – http://attrition.org/errata/charlatan/
This clause does not affect or alter any other sections of the main license and is used only as an additional clause to a selected licensing scheme.
Feedback from the Twitters was mixed… and I know that licensing (especially amongst the GNU / Free Software community) is a tricky subject!
After the roaring success acceptance of my lightning talk from day one of BruCON I decided to quickly throw together some slides on the on-going work I’m doing on SSL Impersonation in Metasploit. It’s only a quick dance through the reasons for the module and what it can do… with the odd sarcastic comment mixed in for good measure. Still, have fun ;)
As always if you have any constructive feedback please let me know… if you suck this bad, you can only get better right ;)
Hope to see you all at BruCON next year. Like I said at the end of my talk. Bring your lightning talks next year, else I’ll have to talk again… and nobody wants THAT!
It’s that time of year again when all the European hackers flock to Brussels to experience the best beer security Europe has to offer. BruCON is in its 3rd year now, and if the first 2 years have any say in it, I’m sure year 3 will be a blast.
I’ll be helping out a little with the lightning talks on day 2 and hopefully (if I can get time to finish start some slides), doing a quick lightning talk as well. So many topics, so little time ;) The organisers are still however looking for a few helping hands… so if you have an hour to help make BruCON great, head over here and put your name down! Be part of the solution!
If you’re interested in signing up for a lightning talk, head over to the BruCON site and sign up… lots of fun to be had! There’s also a great list by @Security4all of the events going on around the conference (meet-ups, parties, etc…). So make sure to check it out to get the best out of your trip.
I’ll be sticking around after the conference to attend the mobile application security testing class by Joe McCray… so if you’re around come and say hi!