';--have i been pwned?, you've heard of it, right? Let's pretend you haven't. It collects breach data and lets people know if their email has been found in a data breach or if their credentials have turned up in a paste.
I want to check to see if my email is there. Cool. I can go to the website and type in my email address and see where it’s been collected. Trust me. It’s been collected.
Now, let’s say I want to check on everyone in my family after I hear about a breach in the news? Or I run IT for a small org that has me do everything. Or I am in charge of making sure those in the C Suite are kept safe.
What can I do? I can pay a vendor a lot of money to “protect” me. I can pay for identity monitoring.
I can also find a free script to run that will check this for me and give me the info I need with the freedom to change it for my needs.
There are many scripts out there that will do this. Here is one of them. Written in python.
By me. Using the API mentioned above.
Written a while ago – but updated recently to deal with the new API (which does cost $3.50/month to use – more on that here). I think it's a good little ditty that will check one email or a set of emails from a file.
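The script itself is not reproduced in this post, so here is an added example of the same idea (my code, not the author's script): one email or a file of emails checked against the HIBP v3 breached-account endpoint. It assumes you hold an HIBP API key, that the key is sent in the `hibp-api-key` header with a `user-agent`, and that the API answers 404 when an address is in no known breach. The `fetch` argument exists so the parsing can be exercised offline with a constructed response.

```python
"""Check one email, or a file of emails, against the Have I Been Pwned v3 API.

Added example for this post; not the author's script. Assumes an HIBP API key
(the paid plan mentioned above) and the v3 breachedaccount endpoint.
"""
import csv
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_BREACH_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def build_request(email, api_key, user_agent="family-breach-check"):
    """Build the v3 request: the key goes in hibp-api-key, and a user-agent is required."""
    url = HIBP_BREACH_URL + urllib.parse.quote(email) + "?truncateResponse=false"
    return urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": user_agent}
    )


def http_fetch(request):
    """Send a request and return (status, body). HIBP uses 404 for 'no breach found'."""
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def parse_breaches(status, body):
    """Turn an API response into a list of breach summaries; raise on unexpected statuses."""
    if status == 404:
        return []
    if status == 200:
        return [
            {
                "name": b.get("Name", ""),
                "date": b.get("BreachDate", ""),
                "data": ", ".join(b.get("DataClasses", [])),
            }
            for b in json.loads(body)
        ]
    if status == 429:
        raise RuntimeError("rate limited by HIBP; slow down and retry")
    raise RuntimeError("unexpected HTTP status %d" % status)


def check_emails(emails, api_key, fetch=http_fetch, delay=6.0):
    """Check each address in turn, pausing between calls because the API is rate limited."""
    results = {}
    for i, email in enumerate(emails):
        if i:
            time.sleep(delay)
        status, body = fetch(build_request(email, api_key))
        results[email] = parse_breaches(status, body)
    return results


def load_emails(path):
    """One address per line; blank lines and lines starting with '#' are ignored."""
    with open(path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def write_log(results, out=sys.stdout):
    """CSV log: email, breach name, breach date, and the kinds of data exposed."""
    writer = csv.writer(out)
    writer.writerow(["email", "breach", "date", "data_classes"])
    for email, breaches in results.items():
        if not breaches:
            writer.writerow([email, "(none found)", "", ""])
        for b in breaches:
            writer.writerow([email, b["name"], b["date"], b["data"]])


if __name__ == "__main__":
    # usage: python hibp_check.py <api-key> <email-or-file-of-emails>
    key, target = sys.argv[1], sys.argv[2]
    targets = [target] if "@" in target else load_emails(target)
    write_log(check_emails(targets, key))
```

The CSV output is deliberate: when you are checking a family or a whole office, the useful artifact is a list you can sort by breach date and data class, so you know whose passwords to rotate first.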
Who is this for?
First it was just for me; then my thoughts moved to who else the audience for this would be: the family techie who is always watching out for the others, or the IT team of one for that small but very important organization without the huge budget.
My family, like many, has been staying at home for a while now. To the point where we are hearing about opening things up again – for the economy!™ Trust me. We want to get back out there. We want to mingle. We want to go to a restaurant. We want to go to a park and see our friends.
We have a 3 year old who for the first time is understanding a birthday party. And we want to give it to him. But it's in June.
We have camps contacting us about how we feel about whether we feel comfortable sending our child. We have the Y asking how we feel about starting up classes soon.
And my gut answer today is no. It is, I am sorry, no. I don't feel comfortable going back to these things yet, no matter how much I want to. Not even for the economy!™
Here is why. See. I know I am not the only person here. I know I am not the only person with kids and with parents. I want my kids to see my parents. They dearly miss their grandma who is close and those who are far. I want them to safely see each other. And we can’t. We can’t do that in May. We can’t do that in June if the kids are in the camps that they really want to reopen – because nothing has changed.
Yes. Those who are dying may get to a hospital, but the rules and ways for that to happen are too slim to risk my mother for that.
Listen, I trust my governor. He speaks with honesty and more honesty and I believe when he says he’s working for the best and if what’s happening isn’t for the best, they will work to change it.
I trust my mayor. He and the town are doing all they can to help everyone out.
I trust my doctor. She is who I will go to when I need to ask questions.
But this is where the trust stops – and I need more trust than that. I need trust that if my doctor says – hey, you or your family need a test – that my family will get it. No questions asked.
And you know what? I don’t trust my health insurer or the federal government to provide that unless we are damn sure to become a statistic. The government meant to protect us all wants nothing to do with us. They don’t want to help. Nothing new has come out to help people when we do open up. No guaranteed help for those who need it. No help to detect and prevent in all the time we have been asked to stay inside. Only blame.
The only reason my health care provider is providing testing is because it was mandated. Until the day it was noted they would be paid back, it was considered part of our deductible, and to this day, we need to get our sick body to a CDC approved testing site. And, while I am in the Midwest, I am in a major metro area where there isn't one.
So, my doc can try to help our family. My local government is trying to keep us safe, but until the insurers want to help and the feds are more worried about keeping people healthy and alive than how they are looking, I can’t open up and go back to trotting around.
I don’t want my kids to make my mom sick. I don’t want to make my mom sick.
I know there will be tests. There will be things we can do to keep everyone safe. Until that comes about… Until it’s available to all… I don’t know how to properly move forward.
Scrolling through Twitter this evening and I came across this.
It reminded me of when the NSA released Ghidra, but from the people who brought us Mulder and Scully. I love Mulder and Scully.
Having been playing around to see who apps are talking to, this seemed like a good one.
I downloaded the app. It did not ask for permission to use anything on my phone. Before I could use it, I needed to agree to their rather simple privacy statement (there was also a health statement that was a bit longer above).
So, according to this, info is only stored on my phone and not transmitted to, or saved by, the F B I (say it like Mulder).
They also wanted me to tell them my sex. I could change that at any time.
Then I tried to do the sit up challenge. Okay, I moved it like a shake weight in my arm, but did the challenge to see what happened.
This was a very limited test, but the app is rather limited, so I stopped there.
It didn’t send my chosen sex at any time. It didn’t even send how awesome I was when I finished my “situps”. It just moved onto the next screen I looked at and did this for each screen.
I didn’t leave it running in the background and keep seeing what was happening. I didn’t do any big isolation tests and didn’t install on an android device to see what happens, so this really isn’t very complete.
What I do know though is my daily yoga app that I love and pay for talks to more places just when I start it up than this app did when I gave it a quick run through.
Would I use the app? No. Out of privacy concerns? No.
I’m always interested in where my data is going. Who is using it? What data is being collected?
I use my phone a lot more than I use my (shiny new) computer, so it made sense for me to see what data that is spilling. I also use an iPhone, so this can surely be ported to Android. I just don't have the resources to do that.
What’s my goal?
I want to see what data my apps are sending and to where.
I want to be able to do this with tools I have on hand.
What do I need to achieve this goal?
First off. I do not need to buy an ASA on craigslist so I can monitor all the traffic. Yes, it’s fun. Yes it’s cool to see. But for my house, it’s overload and we have adequate heating. So, let’s not do that again. Okay, now that’s out of the way.
an iDevice with an app whose traffic we want to see
We will use Zap. Zap comes on Kali, or download it to your favorite platform.
the iDevice configured to use the proxy and accept the certificate
We need to set up Zap to proxy our data as well as capture SSL traffic since most apps use https to make their calls.
Under the Tools –> Options –> Local Proxy let's make sure the additional proxy is set to all (0.0.0.0) and a different port than the localhost port. I have it set to 8082.
While in the options, let’s choose the Dynamic SSL Certificates and save that to the computer. We will need this in a few.
With this, we will be able to use apps and see the data being passed.
To get an iDevice to trust a cert we need to load it on the device and make some changes. The good thing is they don't make this so simple that it can happen by accident.
I will fire up Apple Configurator 2 then select File –> New Profile.
I will give it a name and an identifier.
Next I will give it the cert we made with Zap. This cert won’t be trusted, and that’s okay. We will take care of that in a bit.
Leave everything else as is and save it. It will save as a Configuration Profile file.
We are getting close to the fun part.
Transfer the file to the iDevice. I used AirDrop after emailing it to myself.
If you can’t AirDrop it, go for email or put it in Dropbox. When you get the file it should prompt you to install the profile.
Choose the Profile Downloaded
Install the Profile. It will warn you a few times. Read through the more details to see what’s happening. Always a good idea when following directions from the Internet.
You will get to the profile being installed. Click Done.
Now we need to trust the certificate. Just because it’s there, doesn’t mean we trust it. Navigate to the About Section, then scroll to the bottom to get the Certificate Trust Settings.
Enable the certificate that was presented and choose to continue.
Setting the Proxy
For all of this to work, we need to set the proxy for the network we are on.
Open the settings for the Wifi network. This is specific to the network you are on. It will not proxy when on cellular or at your friend's house or Starbucks.
It’s here that we set the proxy to the Zap server and port.
Click Save and we are ready to look at the data.
Viewing the data
Head on back to Zap and open up an app to see where the data is flowing.
One of the things I really like about Zap is that it groups the data by sites, so I can look to see what data is going where.
We can see we are getting https traffic and can decrypt the traffic just from woot here. We can see domains, requests, and responses.
Zap will let you manipulate this data to see what happens. That is for someone else’s blog post today.
Added bonus is seeing all the places that the app is sharing your data with and setting up a Pi-hole server to get rid of all that sharing your favorite weather app does.
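To go from "look at the Sites tree" to a list you can act on, here is an added example (my code, not ZAP's and not from this post) that reads a HAR export of a proxy session, groups requests by host the way the Sites tree does, flags anything still going over plain http, and turns the hosts that are not the app vendor's into hosts-file lines a Pi-hole can consume. It assumes the session was exported in HAR 1.2 shape; the embedded capture is a constructed sample, not a real app's traffic, and the host names in it are placeholders.

```python
"""Summarise where an app's traffic goes, from a HAR export of a proxy session.

Added example; not part of the original post or of ZAP. The HAR below is a
constructed sample in HAR 1.2 shape, standing in for a real export.
"""
import json
import sys
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "POST", "url": "https://api.example-fitness.test/v1/session"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://api.example-fitness.test/v1/workouts"},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://events.tracker-one.test/collect?app=fit"},
     "response": {"status": 204}},
    {"request": {"method": "POST", "url": "https://events.tracker-one.test/collect?app=fit"},
     "response": {"status": 204}},
    {"request": {"method": "GET", "url": "https://cdn.tracker-two.test/sdk.js"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "http://plain.legacy-ads.test/pixel.gif"},
     "response": {"status": 200}},
]}})


def load_entries(har_text):
    """HAR keeps every proxied exchange under log.entries."""
    return json.loads(har_text)["log"]["entries"]


def summarize_hosts(entries):
    """Group requests by host (what ZAP's Sites tree shows) and note any cleartext use."""
    summary = defaultdict(lambda: {"requests": 0, "methods": set(),
                                   "paths": set(), "cleartext": False})
    for entry in entries:
        parts = urlsplit(entry["request"]["url"])
        host = summary[parts.hostname]
        host["requests"] += 1
        host["methods"].add(entry["request"]["method"])
        host["paths"].add(parts.path)
        if parts.scheme == "http":
            # still worth knowing even when the proxy also decrypts TLS: this
            # traffic is readable by anyone on the Wifi, not just by us
            host["cleartext"] = True
    return dict(summary)


def third_parties(summary, first_party_suffixes):
    """Hosts that are not the app vendor's own: the sharing the post talks about."""
    return sorted(
        host for host in summary
        if not any(host == sfx or host.endswith("." + sfx) for sfx in first_party_suffixes)
    )


def pihole_blocklist(hosts):
    """Hosts-file style lines, which Pi-hole accepts as a blocklist source."""
    return "".join("0.0.0.0 " + host + "\n" for host in hosts)


def report(summary):
    """Human-readable per-host view, sorted by request count."""
    lines = []
    for host, info in sorted(summary.items(), key=lambda kv: -kv[1]["requests"]):
        flag = "  [CLEARTEXT]" if info["cleartext"] else ""
        lines.append(f"{info['requests']:4d}  {host}  {sorted(info['methods'])}{flag}")
        for path in sorted(info["paths"]):
            lines.append(f"        {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python har_hosts.py session.har vendor-domain.example [more vendor domains]
    # with no arguments the constructed sample above is used
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            har_text = fh.read()
        vendor = sys.argv[2:]
    else:
        har_text, vendor = SAMPLE_HAR, ["example-fitness.test"]
    hosts = summarize_hosts(load_entries(har_text))
    print(report(hosts))
    print("\nthird-party hosts (candidate Pi-hole list):")
    print(pihole_blocklist(third_parties(hosts, vendor)))
```

Treat the third-party list as candidates, not a verdict: a CDN that serves the app's own images will show up here too, and blocking it on the Pi-hole will break the app rather than stop any sharing.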
We don’t always want our data going through the proxy. Some places are more finicky than others and will give weird results, so when done, always take the time to cleanup and undo the proxy settings and disable the trust in your certificate.
These can be turned back later when doing some more app reviews.
For a bit I was writing down the tools I had been working with and making. And then my blog blew up. Or more literally locked up and I lost the data because it was all on a dev machine that I didn’t care that much about.
I didn’t really stop working on things, but didn’t write much about it.
Then yesterday I had an idea. It wasn’t an original idea. It was really a how can I make that so I can use it and not need to install more software.
I came across this tool in a tweet. https://github.com/hakluke/hakcheckurl Written in Go, it checks on URLs, looks like it spiders and gets status codes for the URLs. Cool I thought. Go I thought.
Can I do it in python (I thought)? I played around. I looked around. I really didn’t want to rewrite a crawler. Lazy I know, but it’s my project and time.
Sites have places they don’t want crawled. They put these places in a file in hopes that crawlers will respect this and not look there.
Most of these files/folders will be benign, style folders, images taken out of context, but some can help people looking for vulnerabilities out.
So, why not work out a way to take a look at them solo or in batches of sites?
Right now it’s pretty simple. Choose from one site or provide a list of sites and we will go check if they have a robots.txt file and log that data for review.
I’m hoping to add the ability to switch between http and https if one doesn’t show results soon for a site. The thought of piping the disallows to be followed and see what’s there has also crept into my mind.
Download it. Give it a spin. Give it a whirl. Please help me improve it.
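Since the tool is linked rather than shown, here is an added example in the same spirit (my code, not the author's project): it checks robots.txt for one site or a file of sites, tries https first and falls back to http (the switch the post hopes to add), parses the rule groups, and logs a CSV row per site. It also lists disallowed paths containing words like "admin" or "backup" so the site owner can confirm those locations are actually access-controlled rather than merely hidden from polite crawlers. The `REVIEW_HINTS` list, the `fetch` hook and the sample robots.txt are my assumptions, not anything from the post.

```python
"""Check robots.txt for one site or a batch of sites and log what they disallow.

Added example, not the author's tool. Meant for reviewing sites you administer:
a path listed in robots.txt is hidden from well-behaved crawlers only, so each
flagged entry is a reminder to verify real access control exists there.
"""
import csv
import sys
import urllib.error
import urllib.request

# Path fragments worth a second look in your own robots.txt (assumed list).
REVIEW_HINTS = ("admin", "backup", "config", "private", ".git", "dump")

SAMPLE_ROBOTS = """# constructed sample file, not from a real site
User-agent: *
Disallow: /admin/
Disallow: /tmp/backup/
Allow: /static/

User-agent: badbot
Disallow: /

Sitemap: https://www.example.test/sitemap.xml
"""


def http_get(url):
    """GET a URL; return (status, body). Connection failures surface as OSError."""
    req = urllib.request.Request(url, headers={"User-Agent": "robots-review/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def fetch_robots(host, fetch=http_get):
    """Try https, then http. Return (url, text), or (None, None) if neither served a file."""
    for scheme in ("https", "http"):
        url = f"{scheme}://{host}/robots.txt"
        try:
            status, text = fetch(url)
        except OSError:  # refused, DNS or TLS failure: try the next scheme
            continue
        if status == 200:
            return url, text
    return None, None


def parse_robots(text):
    """Group rules by user-agent (consecutive User-agent lines share a group); collect sitemaps."""
    groups, sitemaps, agents, in_agent_run = {}, [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not in_agent_run:
                agents = []
            in_agent_run = True
            agents.append(value.lower())
            groups.setdefault(value.lower(), {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            in_agent_run = False
            if value:  # an empty Disallow means "nothing disallowed"; nothing to review
                for agent in agents:
                    groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def flagged_paths(groups):
    """Disallowed paths containing a hint word, de-duplicated across user-agent groups."""
    seen = set()
    for rules in groups.values():
        for path in rules["disallow"]:
            if any(hint in path.lower() for hint in REVIEW_HINTS):
                seen.add(path)
    return sorted(seen)


def review_site(host, fetch=http_get):
    """One log record per host: where the file was found, rule counts, flagged paths."""
    url, text = fetch_robots(host, fetch)
    if url is None:
        return {"host": host, "url": "", "disallow": 0, "flagged": [], "sitemaps": 0}
    groups, sitemaps = parse_robots(text)
    total = sum(len(rules["disallow"]) for rules in groups.values())
    return {"host": host, "url": url, "disallow": total,
            "flagged": flagged_paths(groups), "sitemaps": len(sitemaps)}


def write_log(rows, out=sys.stdout):
    writer = csv.writer(out)
    writer.writerow(["host", "robots_url", "disallow_rules", "flagged_paths", "sitemaps"])
    for row in rows:
        writer.writerow([row["host"], row["url"], row["disallow"],
                         " ".join(row["flagged"]), row["sitemaps"]])


if __name__ == "__main__":
    # usage: python robots_review.py example.test   (one host)
    #        python robots_review.py sites.txt      (file with one host per line)
    arg = sys.argv[1]
    try:
        with open(arg) as fh:
            hosts = [line.strip() for line in fh if line.strip()]
    except OSError:
        hosts = [arg]
    write_log([review_site(host) for host in hosts])
```

The fallback order matters for the log: a site that only answers on http tells you something on its own, which is why the URL that actually served the file is recorded rather than just the host.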
This year I have been able to go to a bunch of conferences. There was BRRCon, and DefCon and even Tenable Edge (vendor con where I can't find the link to anymore). This week – BSidesMSP.
I wrote about all of the other cons, pro and con in my previous, non backed up, lost to too much futzing around dev blog. Because that’s what dev blogs are for.
The big difference between the other three and this one is, this time I didn’t just attend. I was a first time con speaker and a volunteer at the DC612 lock pick table. I got to do it all!
I was given a cool Bowling/Gas Station Attendant shirt for speaking. Also, I was an attendee.
The organizer and the event volunteers were amazing. Being there the night before to help setup was great. I got to meet people who were working and learn the layout of the land.
Day one was keynotes, then I was manning the lock pick table. Before I got to the table I was stopped by a gentleman while I was walking. He called my name. I didn’t know him. Then I realized my name was on my shirt. Damn, OSINT!
Turns out he works for the vendor I was going to talk smack speak about the next day. We communicated on the community forums and he was able to help out with some script writing I had been working on a while back. It was great! I got to meet someone from the internet and it wasn’t creepy like it was in the early 00s.
We hung out. We picked some locks. He said he’d be at the talk the next day and not heckle Gabe or me. I appreciated that, and was happy we’d have at least one person in the audience.
I was able to get to Harvesting Botnets for Unusual Data where I got a great high level overview of what researchers are doing to follow the information and how these botnets work as a network.
Day 1 Ends – say good bye to new friends and hit Minneapolis traffic. Ah, so glad I work from home.
Day 2 I was able to attend more presentations and the CTF started too. The lock pick table was a part of the CTF and I lent my magic box from DefCon as a challenge.
At BrrCon I saw an excellent talk by Yolonda Smith on working with developers. To totally break the talk down to one sentence, it was about communication.
I’m noticing a theme here. In our world where people talk over twitter and there is so much information, simple communication can go a long way. There was a great talk about Top Gun from Jason Blanchard at Black Hills Info Security. Or was it about persuading people? I think that’s what it was about.
I was happily surprised at the number of people in the room who were using Nessus. It made me hopeful that the work we had done can help or give some people ideas on how to work around all the issues we ran into. Hopefully people will find the tools helpful.
The crowd was smaller than the other talks I went to. The crowd was also much more homogeneous. Most of the crowd looked like me. Maybe with some more hair, but looked like me. I mention this because this isn't what I saw when I was walking the con. Here and at BrrCon there was an array of people and viewpoints, just not at my talk.
I had to skip out early right after my talk when my kid got sick, so I didn't get to the after party, but like BrrCon and unlike DefCon I walked away from this with a really good feeling about the people and the industry I chose to enter.
People want to learn. People want to make things good. People want to include people. People want people to succeed.
So, I went to Defcon27 – and made a blog post about it. Then I did something to the web site that blew away the backend database so I couldn't see it anymore. Then I made it worse, and decided to start over here where I don't need to back things up.
That’s the short story of it.
All old posts from themonkeyplayground.dev – gone…