Daniel Miessler's Blog, page 54

February 15, 2021

News & Analysis | No. 268

Published on February 15, 2021 00:40

February 14, 2021

A ffuf Primer

ffuf is an acronym for “fuzz faster you fool!”, and it’s a cli-based web attack tool written in Go. Veteran web testers might think of it as Burp Intruder on the command line. The hardest thing about ffuf is figuring out how to pronounce it. It’s just “fluff”, without the “l”. Once you get the main concept, it’s…
Published on February 14, 2021 00:51

February 13, 2021

My Journey to Beginner Audiophile

I’ve somehow entered the shadow realm of audiophiles. It’s been a fun journey. Kind of in line with my tutorials, this post will have two purposes: cataloging what I’ve learned so far, and making that available to others. Stepping in: another reason was that I’m preparing to make EDM music myself. I think the pandemic was the proximate cause.…
Published on February 13, 2021 11:26

February 8, 2021

News & Analysis | No. 267

I spend my time reading 3-6 books a month on security, technology, and society—and thinking about what might be coming next. Every Monday I send out a list of the best content I’ve found in the last week to around 40,000 people. It’ll save you tons of time.
Published on February 08, 2021 11:24

February 6, 2021

Summary: Human Hacking

8/10. My One-Sentence Summary: A hacker’s entertaining summary of all the basics around influencing people. Table of Contents: Your New Superpower; Know Yourself, So You Can Know Others; Become the Person You Need to Be; Nail the Approach; Make Them Want to Help You; Make Them Want to Tell You; Stop Deviousness in Its Tracks; Let Your Body…
Published on February 06, 2021 07:16

January 31, 2021

News & Analysis | No. 266

Published on January 31, 2021 23:46

January 30, 2021

30 Books That I Will Re-Read For The Rest of My Life

I read 3-6 books a month, and I just went through hundreds of my previous reads to find those that I plan on reading periodically. I thought this would end up being like 10, not 30. These are the books that are either so good, so motivating, or so content-rich that I feel I need continuous re-exposure. Here’s…
Published on January 30, 2021 22:29

January 29, 2021

A More Positive Take on America’s Potential Fall


I’ve been quite troubled lately with all the talk of America’s fall.

First, I’m American. Second, I served in the military. Third, well, I’ve just read a lot about social cohesion, social unrest, and the various causes of the disintegration of a government and country. It’s troubling to imagine that happening to us.

So I was happy to hear another angle on America’s fall on Sam Harris’s podcast. The guest was Jack Goldstone, and the comforting idea was actually quite strange.

This is my paraphrasing of what Goldstone said.

- When you have a society that works for honor, and the richest try to make their communities strong, the world does well
- When the elite tries to hoard their money, the country falls
- People try to accumulate more wealth
- They try to prevent public services
- People feel like they’re being left behind, and forgotten, and they turn against the government, the elites
- They end up joining various types of radical and extremist groups
- Trump wasn’t the cause; this was already happening
- He tapped into it and exacerbated it
- The cause is the changes in tech and society
- The post-WWII people grew up when manual labor was key to everything
- They became comfortable, and they were respected
- As they got older, the economy switched to finance and technology
- The digital economy doesn’t need as many people, and doesn’t give as much respect to manual labor
- So they’re not able to
- Reduction in social mobility
- Reduction in quality of life
- The big metro areas have lots of diversity and need to manage that diversity
- So the regular people see everything going to the elites
- And they start looking for a solution
- And then the populist strongman steps in
- Donald Trump steps in as a pro-wrestling reality-tv star, and that’s it
- It’s the people getting left behind who are setting the direction; in this case towards revolution
- We’ve been through this before with Carnegies and such
- But before there were lots of jobs as a result in steel and railroads, etc.
- But with finance and tech, only the top benefits
- It’s not that people are rich that’s the problem; it’s that regular people don’t have the basics of education and healthcare and financial safety for their kids
- People mostly compare themselves to the people around them
- If the rich spend their money on society it’s fine
- The problem is when they spend it on just themselves
- So now we see the Yellow Vests, Chile, people in Brazil, etc.
- The people are fighting back

A lot of this is really fascinating to me.

First, it takes a bit of the sting out of America falling if you map it onto a common trend that hits many civilizations. Doesn’t mean I like it, but it feels less personal. Like being struck with a bad disease rather than being the victim of a hate crime.

Second, a lot of what he says echoes what many have been saying about Trump supporters for years. And in fact many Trump supporters have been trying to tell us the same thing as well.

Basically, they feel discarded. They feel condescended to. They feel disrespected. And they’re angry at the elites as a result of this.

It is a profound failure on the left to not understand this, and time to pay attention. People need to have pride. You take that away from them and they become dangerous. Not just dangerous as individuals, but vulnerable to someone who will come in and lead them to recovering that lost pride.

This is what just happened to our country, and what may have come remarkably close to ending it.

The single most important issue we have right now, regarding the stability of our country, is millions of poor, rural white people who no longer have any pride. They feel completely disenfranchised and replaced by everyone. Immigrants, tech people, people living on the coasts. Elites.

And they are lashing out. We see that.

Now we can feel free to look down on them, and blame them, and point at them as the problem. And you might be right in some ways. They had their time, you might say.

Sure, but don’t just think about them. Think about their effect on the world. It’s not healthy to have millions of angry young men in a country who feel like something has been stolen from them. It’s dangerous. It will lead to more of what we saw at the Capitol, and I fear—in Oklahoma City.

Trump, or someone like him, will rise up and lead these people. He will speak the healing words of “You deserve better,” and those words will enable good people to do horrible things, just as with other religions.

Our risk isn’t the Trump-type. Our issue isn’t the white people. It’s the roles that they’re falling into that cause repeated patterns. The forgotten and angry, combined with the populist strongman. That’s the pattern we must immunize against.

The way to heal this is through empathy and conversation. Stop with the name-calling. You’re playing right into it.

To fix this country we must find a way to:

- Have the hard conversations, with empathy, and
- Lift up those who are hurting without pride, and give them their pride back

If we don’t do it as a country, they’ll find someone who will.


If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

Published on January 29, 2021 00:55

January 27, 2021

Brag About Your Content, Not Your Tools


Something needs to be said about people’s obsession with their tools, e.g., Linux vs. Windows, Vim vs. Nano, Sublime vs. Atom, etc.

Your tools don’t matter to other people. What matters is what you create with them.

Dave has started multiple companies, employed hundreds of people, and created multiple tools.

Dave Kennedy—aka @HackingDave—has done more for the community (and the world) using Windows and Nano than 99.9% of people using Linux, Mac, Vim, Emacs, or an Oscilloscope-Abacus Transcriber.


Hmmm am I the only one that prefers writing emails, blogs, and docs in nano (nano > vi) first then pop it into work for spell checking?

I’ll even add screenshots or what not as a separate file and incorporate them later…

— Dave Kennedy (@HackingDave) June 20, 2019

I even wrote a Vim Primer.

Listen, I’m a Vim Snob myself. I love Vim. As an atheist, it’s kind of a religion for me. But I don’t make the mistake of linking it with my output.

Before you start with your tool snobbery, maybe ask yourself what someone has produced, and compare that to yours.


GRR Martin uses Wordstar as his word processor

Ever noticed that most people using static-site generators only blog about their blogging platform?

George RR Martin uses Wordstar—an old clunker of a DOS word processor. Stephen King and JK Rowling use Microsoft Word. And the most prolific bloggers tend to use WordPress, not a free-range, organic, static-site generator.

I’m a Tool Snob too, but without the snobbery.

Judging content-creators by their toolchains is like judging chefs by their kitchen knives.

So by all means—tell me again about your .vimrc file with that condescending tone. But don’t think for a second that it makes you a better producer of code or content. The metric is output and the value of that output. Period.

If you produce nothing, or garbage, nobody will care what you made it on. And if you produce stuff that people love, feel free to make it on Windows Vista running Notepad++.

Nobody cares.

Pick your tooling based on what gets you excited and motivated to create, give people the freedom to do the same, and judge people based on their output.

Notes

To be clear, it’s enjoyable to go off into your tooling. To optimize it, to give people good-natured shit about what they used and don’t use. That’s part of geek culture, and it’s good fun. But don’t buy into it as having anything to do with reality. Output is what matters.

All that being said, people using Nano should be reported to The Hague. 😊


Published on January 27, 2021 02:53

January 25, 2021

A @TomNomNom Recon Tools Primer


There are recon tools, and there are recon tools.

@tomnomnom—also called Tom Hudson—creates the latter.

I have great respect for large, multi-use suites like Burp, Amass, and Spiderfoot, but I love tools with the Unix philosophy of doing one specific thing really well. I think this granular approach is especially useful in recon.

Related Talk: Mechanizing the Methodology

My talk on granular methodologies at Defcon’s Red Team Village in 2020

Basically:

- Break your methodology into specific questions
- Answer each question discretely
- Create brutal combinations to accomplish your goals

Tom has built a serious following in the recon community by creating tools that enable this approach, and I’ve seen enough people asking him for tutorials that I thought I’d make a quick primer on a few of my favorites: gf, httprobe, unfurl, meg, anew, and waybackurls.

Let’s get after it!

He writes his tools in Go as well, so they’re wicked fast.

A tour of Tom’s tools (nom nom nom 😋)

gf (grep 4, grep for, grehp-four)

gf basically extends the standard Unix grep concept to include common things a bug hunter might look for. (It’s unrelated to actual grep, but has the same functionality.) So if you’re hunting for some HTTP oriented PHP stuff, you can do this:

grep -HnrE '(\$_(POST|GET|COOKIE|REQUEST|SERVER|FILES)|php://(input|stdin))' *

Or you can use gf and do it like this:

gf php-sources

You can even have gf autocomplete your various patterns.

And there are tons of pre-made examples, including those for aws-keys, base64, cors, upload fields, and many more.

httprobe (HTTP probe, or HTTP Robe)

Depends on the day I’m having.

Pretty much all these tools are installed via go get -u github.com/tomnomnom/$repo.

httprobe answers the basic question of…

For the following domains, which ones are listening on web ports?

cat domains.txt | httprobe -p http:81 -p https:8443

web.acme.com
web2.acme.com
private.acme.com

Part of the UNIX Philosophy

What I love most about httprobe and most of Tom’s tools is that they are truly Unixy. No need to run a standalone tool and obey its specific rules. Any place you get a domain from you can just pipe directly in.

unfurl (un-FURL, or unfuck-YOU-ARE-EL)


unfurl breaks URLs into their discrete pieces so they can be referenced and targeted in a granular manner.

echo 'https://sub.example.com/users?id=123&...' | unfurl domains

sub.example.com

Isn’t that freaking fucking brilliant! Let’s do another, this time from a file.

cat big-url-thingies.txt | unfurl paths

/users

You can pass -u to only get unique results.

And you can do this for domains, paths, keys, values, keypairs, and even custom formats!

cat urls.txt | unfurl keypairs

id=123
name=Sam
org=ExCo

You can then grep these for certain sensitive strings in a separate operation.
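To show what the domains/paths/keys/values/keypairs splitting above actually does, here is an unfurl-style splitter I wrote as an added example for this primer (it is not Tom’s code): it uses Go’s net/url to pull one component out of every URL on stdin, and -u de-duplicates the output in first-seen order. The mode and flag names mirror unfurl’s; the implementation is my own assumption of how it behaves.

```go
package main

import (
	"bufio"
	"flag"
	"fmt"
	"io"
	"net/url"
	"os"
	"strings"
)

// Extract returns the pieces of one URL for a mode (domains, paths, keys, values, keypairs); a line that does not parse yields nil so it never stops a pipeline.
func Extract(mode, rawURL string) (out []string) {
	u, err := url.Parse(strings.TrimSpace(rawURL))
	if err != nil || u.Host == "" {
		return nil
	}
	switch mode {
	case "domains":
		return []string{u.Hostname()} // port stripped, like unfurl
	case "paths":
		return []string{u.Path}
	}
	// Query modes walk RawQuery directly: url.Values is a map and would lose the order.
	for _, kv := range strings.Split(u.RawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		switch {
		case kv == "":
		case mode == "keys":
			out = append(out, k)
		case mode == "values":
			out = append(out, v)
		case mode == "keypairs":
			out = append(out, k+"="+v)
		}
	}
	return out
}

// Unfurl runs Extract over every line of r; unique (-u) drops repeats, keeping first-seen order.
func Unfurl(mode string, r io.Reader, unique bool) (out []string) {
	seen := map[string]bool{}
	for sc := bufio.NewScanner(r); sc.Scan(); {
		for _, p := range Extract(mode, sc.Text()) {
			if !unique || !seen[p] {
				seen[p], out = true, append(out, p)
			}
		}
	}
	return out
}

func main() { // usage: go run . [-u] <mode> < urls.txt
	unique := flag.Bool("u", false, "only output unique results")
	flag.Parse()
	for _, p := range Unfurl(flag.Arg(0), os.Stdin, *unique) {
		fmt.Println(p)
	}
}
```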

meg (MÉHg)

meg combines domains and paths and makes requests at high speed in parallel. So if you have a list of domains that you hope are vulnerable, and a list of paths that would prove interesting (if they exist), you can use meg to request all of those paths on all of those sites.

If you just run meg it’ll request all paths in file ./paths on hosts in file ./hosts, and results are stored in ./out/index.

If you are only interested in certain response codes, you can use the --savestatus switch, like so:

meg --savestatus 200 /robots.txt

Because we passed the robots.txt path on the command line, this command will only look for that path in all hosts instead of looking at ./paths.

I love automated workflows that go off and find me interesting things to poke at manually.

Why is this command cool? Well, for lots of reasons, but the first thing that popped into my mind was using it in conjunction with my Robots Disallowed project, which captures the most common disallowed paths on the internet. I have a curated file in there that includes potentially sensitive paths.


Some top results from curated.txt

So for any given set of URLs that are in your scope you could keep a handy copy of head -100 curated.txt for your ./paths file, and combine that with --savestatus 200 to pre-seed some juicy targets during a test.

anew (uh-NEW)


anew adds the contents of an input stream to the output—but only if it’s not already there. Do you know how epically awesome this is? Much.

I hereby nominate this for being included by default in Linux.

So let’s say you’ve collected a massive list of vulnerable paths on a bunch of a target’s websites, and you think you found some more using a different process. Well, instead of doing multiple steps of cat, sort, and uniq, you can instead just send the new stuff to the existing stuff.

cat new-cool-shit.txt | anew old-cool-shit.txt

Now, old-cool-shit.txt has both the new and old stuff you wanted, with no duplicates!
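What anew is doing under the hood, as an added example written here in Go (not Tom’s implementation): every line on stdin that is not already in the file, and not repeated earlier in the same input, is appended to the file and echoed to stdout, so it can sit in the middle of a pipeline. The file name on the command line is whatever you pass; the edge case of an existing file with no trailing newline is handled explicitly.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
)

// Anew appends every line of input to the file at path unless that file already
// contains it, and returns the lines that were actually new, in input order.
// Like the real tool it echoes them to echo (if non-nil) so it can sit mid-pipeline.
func Anew(path string, input io.Reader, echo io.Writer) ([]string, error) {
	// O_APPEND: reads start at offset 0, every write lands at the end of the file.
	f, err := os.OpenFile(path, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0o644)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	seen := map[string]bool{}
	for sc := bufio.NewScanner(f); sc.Scan(); {
		seen[sc.Text()] = true
	}
	w := bufio.NewWriter(f)
	// An existing file without a trailing newline would glue the first new line onto its last one.
	if st, err := f.Stat(); err == nil && st.Size() > 0 {
		last := make([]byte, 1)
		if _, err := f.ReadAt(last, st.Size()-1); err == nil && last[0] != '\n' {
			fmt.Fprintln(w)
		}
	}
	var added []string
	for sc := bufio.NewScanner(input); sc.Scan(); {
		line := sc.Text()
		if seen[line] {
			continue // already in the file (or earlier in this input): no cat|sort|uniq needed
		}
		seen[line] = true
		added = append(added, line)
		fmt.Fprintln(w, line)
		if echo != nil {
			fmt.Fprintln(echo, line)
		}
	}
	return added, w.Flush()
}

func main() { // usage: cat new.txt | go run . old.txt
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: anew-lite <file>")
		os.Exit(1)
	}
	if _, err := Anew(os.Args[1], os.Stdin, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```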

waybackurls (WAY-back-you-are-ehls, WAYback-U-Are-els, wayback-Earl’s)


waybackurls goes and finds all the URLs that have ever been part of a target domain. (Or at least the ones that wayback saw.) This is super useful for finding stuff that might no longer be indexed, or that might not even exist anymore but could show you something about how the creator/admin thinks.

cat domains.txt | waybackurls > wayback-urls.txt

Or if you wanted to be cool, you could use anew from above to add those to your existing URLs.

One example of the power of chaining.

cat domains.txt | waybackurls | anew urls.txt

Summary

Discrete, Unixy tools are powerful because they can be combined in extraordinary ways. This is just a quick look at a few of Tom’s tools, which you can find more of here.

- gf lets you easily grep for security-sensitive stuff.
- httprobe checks for webservers on domains.
- unfurl breaks URLs into their bits and pieces.
- meg makes combined domain/path requests.
- anew adds input to an output, if it’s new.
- waybackurls finds archived URLs for a domain.

Hat tip to @tomnomnom for the great work, and I hope he becomes an example for others to create small, useful utilities that can become part of complex workflows.

Notes

You can mostly ignore the pronunciation bits. I was just being silly.

Half of these tools should seriously be included in major Linux distros. And I mean, like, pre-installed in /usr/bin/. Who do I need to talk to? Somebody find me a manager.


Published on January 25, 2021 16:45
