Chris Maddalena’s programming skills have come a long way in the past year. An information security consultant at eSentire, he relies heavily on other peoples’ open source ethical hacking tools for his practice, but recently decided to start developing his own. In his talk at SecTor this October, he’ll describe how creating your own set of ethical hacking tools can supercharge your productivity by giving you exactly the features you want – and how you can also adapt other tools in the process.
Maddalena’s project started, as all good projects do, through a personal need. He was handling some red team activities at eSentire, in which a group of cybersecurity pros try to find holes in an authorized target. His team used a range of open source tools to help find soft spots.
“These tools are very simple to use, and have been designed that way, but it means that you can get by without having any idea of how they work,” he said. That can cause problems because professionals don’t always take advantage of a tool’s entire feature set.
This desire to know what was happening under the hood drove him to start developing his own. Python was his language of choice. He’d only spent a year studying computer science before transferring out, and he had never been that confident with programming, but he challenged himself to create a tool or two that would help automate some of the more repetitive tasks challenging the red team. He started with a tool called Cooper, designed to complement the team’s phishing work.
One of the challenges for a professional phishing team is creating web sites that look like the target’s site. If you want the employee of a company to try and log into a fake site, it had better be convincing. Copying the site’s HTML isn’t enough – the team would usually have to tweak certain things such as image locations, for example.
“We’d have to spend maybe an hour going through that HTML and making changes, and I realized that a lot of what we did was consistent no matter what we were creating,” he said.
Cooper scrapes the target’s web site and handles those mundane tasks, inserting fully qualified URLs for images so that a fake version can be hosted outside the company’s domain, and processing those images to make them easier to host. It decodes base64-encoded email addresses in web pages, and alters login pages so that submitted information is sent back to eSentire’s team.
Some key dos and don’ts
Maddalena built Cooper mostly from scratch, drawing on external libraries as all Python programmers do. It was this that taught him how to use Python. Along the way, he learned a couple of things about open-source programming.
“Make sure you always understand the code before you run it,” he says. An inquiring mind not only helps you get more out of the tools that you’re using, but it might also save your system.
He relays one prank he heard of last year, in which a programmer released what was supposedly proof-of-concept code for an exploit. Buried in mounds of legitimate-looking code was a single command, rm -rf, which if run in superuser mode would wipe out the user directory and all associated files. Anyone who blindly ran the code without checking it first would have been in danger.
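One practical form of “understand the code before you run it” is a static pass over a downloaded script that lists every shell or file-system call and the literal command it would execute, so the reviewer sees a buried rm -rf before anything runs. The following is an added example written for this article, not code from Maddalena or eSentire; the sample script it audits and the lists of risky calls and dangerous fragments are constructed for illustration.

```python
"""Pre-run audit of a Python script: report shell/OS calls and the literal
arguments they carry, flagging ones that look destructive.
Added example (not Chris Maddalena's code). SAMPLE_SCRIPT is constructed."""
import ast

# Call targets worth reviewing before execution (assumed, illustrative list).
RISKY_CALLS = {
    "os.system", "os.popen", "os.remove", "os.unlink", "os.rmdir",
    "shutil.rmtree", "subprocess.call", "subprocess.run", "subprocess.Popen",
    "subprocess.check_output", "subprocess.check_call", "eval", "exec",
}

# Shell fragments that should trigger manual review (assumed, illustrative list).
DANGEROUS_FRAGMENTS = ("rm -rf", "rm -r ", "mkfs", "dd if=", ":(){")


def _dotted_name(node):
    """Return 'pkg.attr' for a call target, or None if it is not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _literal_strings(node):
    """Collect every string constant nested inside an argument expression."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def audit_source(source):
    """Return findings as (line, call name, joined literal args, dangerous)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in RISKY_CALLS:
            continue
        literals = []
        for arg in node.args + [kw.value for kw in node.keywords]:
            literals.extend(_literal_strings(arg))
        joined = " ".join(literals)
        dangerous = any(frag in joined for frag in DANGEROUS_FRAGMENTS)
        findings.append((node.lineno, name, joined, dangerous))
    return findings


def has_dangerous_calls(source):
    """True if any risky call carries a dangerous literal fragment."""
    return any(f[3] for f in audit_source(source))


# Constructed sample: a "proof of concept" with a destructive call buried
# in a helper far from the code a hurried reader would look at.
SAMPLE_SCRIPT = '''
import os, subprocess, requests

def fetch(url):
    return requests.get(url).text

def cleanup(path):
    subprocess.run(["rm", "-rf", path])

def poc(target):
    os.system("curl -s " + target + "/status")
'''

if __name__ == "__main__":
    for line, name, args, danger in sorted(audit_source(SAMPLE_SCRIPT)):
        print(f"line {line}: {name}({args!r}) [{'REVIEW' if danger else 'ok'}]")
```

The audit is deliberately dumb: it only reads string literals, so a command assembled at runtime from variables shows up as a risky call with empty arguments, which is itself a prompt to read that function by hand rather than trust the script.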
“The second point is that once you’re familiar with looking at code, try to learn more by enhancing existing code,” he said. He enhanced a friend’s OSINT tool with some error handling to stop it from crashing, and in the process learned Git, a popular version control system used by many Python programmers, which enabled him to fork the code and upload his enhanced version.
This ethos led to his second project: enhancing an open source intelligence (OSINT) tool called Harvester, designed for gathering information about email addresses from different search engines.
“I was interested in figuring out whether any of those email addresses were included in a recent security breach. Were they out there on Pastebin or ghostbin?” he said. “Could I find their Twitter accounts or their LinkedIn profiles?”
He developed those functions and added them into Harvester to create a new product of his own. It searches domain names for email addresses and then checks HaveIBeenPwned to see if they’re listed. He also added a module that looks up Twitter handles and finds the account details – including their Twitter followers.
“I can find an email address, match it with a Twitter account that seems to be associated with that company, and maybe have their LinkedIn profile, and have that put into a report for me,” he said. The tool will also search Shodan and other sites to gather intelligence about domain names.
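The core of the domain-to-breach check described above is small: pull the addresses for one domain out of scraped text, then ask Have I Been Pwned about each one while respecting its rate limit. The block below is an added example written for this article, not Maddalena’s tool; the endpoint, the hibp-api-key and user-agent headers, and the 200/404/429 status meanings are taken from the HIBP v3 API documentation as understood at the time of writing and should be checked against the current docs. The sample page text and canned responses are constructed so the example runs offline.

```python
"""Which addresses for a domain appear in known breaches, via Have I Been Pwned.
Added example (not Chris Maddalena's tool). HIBP details assumed from the v3
API docs; network access sits behind an injectable fetch() so the sample
below runs offline."""
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"  # assumed from v3 docs


def extract_emails(text, domain):
    """Sorted, de-duplicated addresses in text that belong to domain."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(e for e in found if e.endswith("@" + domain.lower()))


def hibp_fetch(api_key):
    """Real fetcher: returns (status, body). HIBP v3 requires an API key in the
    hibp-api-key header and a user-agent (assumption from the docs)."""
    def fetch(account):
        req = urllib.request.Request(
            HIBP_URL + urllib.parse.quote(account) + "?truncateResponse=false",
            headers={"hibp-api-key": api_key, "user-agent": "domain-exposure-check"},
        )
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return fetch


def check_exposure(emails, fetch, pause=1.6):
    """Map each address to the breach names it appears in.
    200 -> list of breaches, 404 -> none, 429 -> pause and retry once,
    anything else -> None (lookup unanswered)."""
    report = {}
    for email in emails:
        status, body = fetch(email)
        if status == 429:
            time.sleep(pause)
            status, body = fetch(email)
        if status == 200:
            report[email] = sorted(b["Name"] for b in json.loads(body))
        elif status == 404:
            report[email] = []
        else:
            report[email] = None
        time.sleep(pause)  # stay under the per-key rate limit
    return report


# Constructed sample: a scraped contact page and canned HIBP answers.
SAMPLE_PAGE = """
Contact: Alice Example <alice@example.com>, bob@example.com
Press: media@partner.example.org, BOB@example.com
"""
CANNED = {
    "alice@example.com": (200, json.dumps([{"Name": "ExampleBreach2016"},
                                           {"Name": "DemoLeak"}])),
    "bob@example.com": (404, ""),
}


class FakeFetch:
    """Offline stand-in for hibp_fetch(); throttles alice's first lookup
    so the 429 retry path is exercised."""
    def __init__(self, canned):
        self.canned, self.calls = canned, []

    def __call__(self, account):
        self.calls.append(account)
        if account == "alice@example.com" and self.calls.count(account) == 1:
            return 429, ""
        return self.canned.get(account, (404, ""))


def run_sample():
    emails = extract_emails(SAMPLE_PAGE, "example.com")
    return check_exposure(emails, FakeFetch(CANNED), pause=0)


if __name__ == "__main__":
    for email, breaches in run_sample().items():
        print(email, "->", breaches if breaches else "not in any listed breach")
```

Swapping FakeFetch(CANNED) for hibp_fetch(api_key) and a real pause makes this a live check; the separation between extraction, lookup and reporting is what made it easy for Maddalena to bolt further sources onto the same address list.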
Maddalena’s Cooper and open source intelligence tools join other esteemed tools like Harvester, TrustedSec’s Social Engineer Toolkit, and many others. He has put his tools on his own GitHub account now, and he invites readers to play with them. Perhaps enterprising Python programmers might be willing to fork and enhance what he’s done. After all, that’s the spirit of open source programming – and Maddalena is a convert.
If you want to hear Chris speak about DIY toolkits and how to get started building your own, come hear him talk at the SecTor conference, which runs from October 18-19, with a day’s training on the 17th, at the Metro Convention Centre in Toronto. Register here.