We're growing into something new. Read More
jas

Jason Gerfen


Code

Speeding up nmap with node.js

The tool; nmap When it comes to network host discovery, enumerating details on remote hosts such operating system, device type and open ports nmap is the tool the majority of sys admins, hackers, pen testers & script kiddies turn to first. I consider it a great piece of software, however I also find it painfully slow. Performance While nmap has many options for tuning the performance of a scan I thought it might be a worthy challenge to increase this. The current documentation has this to say about performance of nmap scans... While Nmap utilizes parallelism and many advanced algorithms to accelerate these scans, the user has ultimate control over how Nmap runs. Fair enough, lets see what we can do shall we? node-libnmap While far from a complete solution, the current version (v0.0.3) of node-libnmap dramatically speeds up scans. It does this by creating equally distributed scan blocks based on the number of hosts per subnet range and the number of CPU cores on the machine. For example; the application generates a total set of blocks equal to 32 (8 core processor) for a machine residing on a network cidr of 10.0.2.0/24. Example: nmap -sn -oG - 10.0.2.1-31 nmap -sn -oG - 10.0.2.33-63 nmap -sn -oG - 10.0.2.65-95 nmap -sn -oG - 10.0.2.97-127 nmap -sn -oG - 10.0.2.129-159 nmap -sn -oG - 10.0.2.161-191 nmap -sn -oG - 10.0.2.193-223 nmap -sn -oG - 10.0.2.225-255 The next step uses nodes thread model to create a new child process executing asynchronously (with the help of the async module) for every block generated. benchmarks Here are some preliminary benchmarks and samples The results here are all coming from a virtual environment with limited system resources but should give an overall picture of performance of the scans. My VM environment is using 8 cores with 4 threads per core given a total returned from require('os').cpus.length = 32. Nmap host discovery $ time nmap -sn -oG - 10.0.2.0/24 # Nmap 5.51 scan initiated Wed Jan 8 18:54:07 2014 as: nmap -sn -oG - 10.0.2.0/24 Host: 10.0.2.2 () Status: Up Host: 10.0.2.3 () Status: Up Host: 10.0.2.15 () Status: Up # Nmap done at Wed Jan 8 18:54:26 2014 -- 256 IP addresses (3 hosts up) scanned in 19.33 seconds real 0m19.339s user 0m0.052s sys 0m0.080s Nmap host discovery using node-libnmap $ time node test/run.js { adapter: 'eth0', properties: { address: '10.0.2.15', netmask: '255.255.255.0', family: 'IPv4', mac: '52:54:00:12:34:56', internal: false, cidr: '10.0.2.0/24', hosts: 256, range: { start: '10.0.2.1', end: '10.0.2.254' } }, neighbors: [ '10.0.2.2', '10.0.2.3', '10.0.2.15' ] } real 0m3.323s user 0m0.326s sys 0m0.412s And an example with multiple adapters on multiple 802.11q segments $ time node test/run.js [ { adapter: 'eth0', properties: { address: '10.0.2.15', netmask: '255.255.255.0', family: 'IPv4', mac: '52:54:00:12:34:56', internal: false, cidr: '10.0.2.0/24', hosts: 256, range: { start: '10.0.2.1', end: '10.0.2.254' } }, neighbors: [ '10.0.2.2', '10.0.2.3', '10.0.2.15' ] }, { adapter: 'eth1', properties: { address: '192.168.2.15', netmask: '255.255.255.128', family: 'IPv4', mac: '52:54:00:12:34:57', internal: false, cidr: '192.168.2.0/25', hosts: 128, range: { start: '192.168.2.1', end: '192.168.2.254' } }, neighbors: [ '192.168.2.2', '192.168.2.3', '192.168.2.15' ] } ] real 0m3.447s user 0m0.493s sys 0m0.796s Mileage may vary

$ npm install -g express
$ express --sessions --css stylus --ejs myapp

create : myapp
create : myapp/package.json
create : myapp/app.js
create : myapp/public
create : myapp/public/javascripts
create : myapp/public/images
create : myapp/public/stylesheets
create : myapp/public/stylesheets/style.styl
create : myapp/routes
create : myapp/routes/index.js
create : myapp/views
create : myapp/views/index.ejs

install dependencies:
  $ cd myapp && npm install
  
run the app:
  $ node app  

node.js, express.js & the redis sessions store with encryption

### node.js For those of you that are already familiar with the wonderful language that is [node.js](http://nodejs.org) please read ahead. For those that are not, lets close the gap. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. ### express.js Much like any other web or [interpreted language](http://en.wikipedia.org/wiki/Interpreted_language) ([Ruby](https://www.ruby-lang.org/en/), [PHP](http://php.net/), [Python](http://www.python.org/) etc), node.js also has existing framworks to cut down development time. [express.js](http://expressjs.com/) is one of those frameworks. One of the very nice things about [express.js](http://expressjs.com/) is performing operations such as the following:

var crypto = require('crypto'),
    dh = crypto.getDiffieHellman('modp5')

crypto.DEFAULT_ENCODING = 'hex'

exports.init = function() {
  dh.generateKeys()
  return {
    pubKey: dh.getPublicKey(),
    privKey: dh.getPrivateKey()
  }
}

exports.createDigest = function(key, obj) {
  var hmac = crypto.createHmac('sha512', key)
  hmac.setEncoding('hex')
  hmac.write(obj)
  hmac.end()
  return hmac.read()
}

exports.createSharedSecret = function(data) {
  return dh.computeSecret(data, 'hex', 'hex')
}

exports.createPayload = function(key, digest, count) {
  var a = [],
      b = digest.split(''),
      iteration = count || 3,
      ret = []

  do {
    a.push(key.substring(0, iteration))
  } while((key = key.substring(iteration, key.length)) != "")

  for (var n = 0; n < a.length; n++) {
    if (b[n] && a[n]) {
        ret.push(a[n]+b[n]);
    } else if(b[n] && !a[n]) {
        ret.push(b[n]);
    } else if(!b[n] && a[n]) {
        ret.push(a[n])
    }
  }
  return ret.join('')
}

exports.extractPayload = function(payload, size, count) {
  var num = count + 1 || 4,
      regex1 = new RegExp('.{1,'+num+'}', 'g'),
      data1 = payload.match(regex1),
      regex2 = new RegExp('.{1,'+num+'}', 'g'),
      data2 = payload.match(regex2),
      digest = [],
      pubKey = [],
      i = 0

  for (var n = 0; n < size; n++) {
    digest.push(data1[n].substr(count, data1[n].length))
  }

  data2.forEach(function(item) {
    if (i < size) {
      pubKey.push(item.substr(0, item.length - 1))
    } else {
      pubKey.push(item)
    }
    i++
  })

  return {
    digest: digest.join(''),
    pubKey: pubKey.join('')
  }
}

node.js DH key exchanges and using an HMAC message digest

Security is difficult to understand, cryptology doubly so. I recently read a wonderful blog post regarding '[cryptographic "right answers"](http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html)'. Seeing as this particular blog came from an expert in the field of cryptology implementation (et al; the [developer of 'scrypt' hashing algorithm](http://www.daemonology.net/blog/2009-05-09-scrypt-key-derivation.html)) and security (former BSD security officer), I thought it would be worth sharing. In his blog he mentions the use of an HMAC for message digest & verification. The problem I can see is in terms of HTTP protocols, or more specifically the header information sent from client -> server & server -> client. Most people utilize headers to embed the HMAC for message verification, for those that are familiar with [network traffic analysis](http://blog.monitorscout.com/2012/04/17/importance-of-monitoring-the-network-traffic-flow/) or signals analysis are familiar with the plain text values available to anyone in the route of the traffic. With hackers sitting on the same network segment implementing a proxy by essentially performing a common attack known as [ARP spoofing](http://www.watchguard.com/infocenter/editorial/135324.asp) this HTTP header value can easily be recalculated based on any inected or modified streams to fool the server/client's into thinking valid traffic has been recieved once a [re-calculation of the HMAC](http://www.wolfe.id.au/2012/10/20/what-is-hmac-and-why-is-it-useful/) has been performed. I know what your going to say.. "why not use TLS/SSL?" My retort is not about using or not using TLS/SSL, as if communication must be secure this is the standard. However TLS/SSL attacks are not uncommon, quite the contrary, please review the following attack vectors regarding encrypted streams; [session renegotiation](http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html), [cipher downgrades](http://f0rki.at/static/slides/f0rki-downgrade-attacks-by-example-bsidesvienna2012.pdf), etc The following code example of a [diffie-hellman key exchange](http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) is specific for [node.js](http://nodejs.org/) and really isn't about the key exchange itself. As I mentioned I am more concerned with the message digest & how I can "hide" the [digest](http://en.wikipedia.org/wiki/Cryptographic_hash_function) within the [public key](http://en.wikipedia.org/wiki/Public-key_cryptography) payload to make it more difficult for attackers to forget requests in the event of a [MITM attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack). Here is a simple module that exposes a simple interface to the [node.js crypto module](http://nodejs.org/api/crypto.html) that can help with a Diffie-Hellman key exchange including the ability to include an HMAC hidden within the payload.

node.js & certificate authentication

I have become a [node.js](http://nodejs.org/) fanboy. So much so I spent some of my spare time implementing a [lesser known feature](http://en.wikipedia.org/wiki/Spkac) of web development. The [patch I submitted](https://github.com/joyent/node/commit/7bf46ba4cedefe8d3b6548a314ad64fc0cfd89f1#diff-25d902c24283ab8cfbac54dfa101ad31) to the core development team for node.js has recently accepted my contribution which has prompted me to put together a quick [demo](https://github.com/jas-/node-spkac) application to showcase its use. The project provides detailed history, use cases & additional information however to sum it up here is an example form you can embed in your web application detailing the usage of the ** element.

Discussion

secStore.js

If your one that reads [news articles](http://www.paritynews.com/2013/09/03/2581/software-developer-releases-tool-that-claims-to-reveal-mega-users-master-key/) like this and shudders, or see tools like [megaPWN](http://nzkoz.github.io/MegaPWN/) and asks questions like; am I doing it right? am I protecting my users? will one of my projects be laughed at due to an oversight such as this? I know I do, and have developed a project to assist in protecting sensitive client data. A prime example would be the use of a [cryptographically signed](http://en.wikipedia.org/wiki/Digital_signature) authentication [token](http://security.stackexchange.com/questions/19676/token-based-authentication-securing-the-token). Two examples arise. A [XSS](https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29) flaw in the browser allowing a malicious user the ability to bypass the [same-origin restrictions](http://es.slideshare.net/shreeraj/xss-and-csrf-with-html5), or the even easier attack of targeted emails containing an XSS laden link as part of a [phishing](http://www.webopedia.com/TERM/P/phishing.html) or [whaling](http://www.scamwatch.gov.au/content/index.phtml/itemId/829460) party. Implementation is simple and provides greater protection of '[at rest](http://en.wikipedia.org/wiki/Data_at_Rest)' data stored within the browser. For more information please refer to the documentation. **In this example the token is hard coded but a real-world production env, this value should be either retrieved from the server using websockets, xmlhttprequests or aquired through the cookie param.** Example use to save the token : $(window).secStore({ appID: 'myWickedApp', data: {token: 'abcdefg12345'} }); Example use to retrieve the token : $(window).secStore({ appID: 'myWickedApp', callback: function(result){ console.log(result); } }); View project '[secStore](https://github.com/jas-/secStore.js)' Please keep in mind that using javascript within the browser for encryption is not without its faults, however that being said making every attempt to secure and protect authenticated user accounts etc. is not without its merit.

Discussion

Secure offline storage for your HTML5 app needs

[jQuery.handleStorage](https://github.com/jas-/jQuery.handleStorage/tree/sjcl) is a project I wrote to handle offline storage for CMS WYSIWYG editors. This allows your mobile HTML5 application to store form content, div, or user supplied content locally until the device has a connection with which to push changes. The project has quite a few features such as support for localStorage, sessionStorage, cookies, pre, post & error handling callback functionality, AES encryption & a few others. Although I have posted this project in the past the last two days have been spent reformulating from the ground up to create an easier to read, manage code base while also moving to the [SJCL (Stanford javascript crypto libraries)](https://github.com/bitwiseshiftleft/sjcl) for the (optional) advanced encryption option available. This latest revision is not considered a stable branch at the moment but if interested in the project and the feature set you can clone it and the required sub-modules like so... git clone -b sjcl --recursive https://github.com/jas-/jQuery.handleStorage.git Once done you can simply bind it to your form of choice like so (this example will enable the AES encryption support, auto-save interval set to every 3 minutes, debugging out to the console and use the sessionStorage option). $('#form-id').handleStorage({ storage: 'session', interval: 1800, aes: true, debug: true }); Cheers! Any feature and/or bug reports can be filed at [the project support](https://github.com/jas-/jQuery.handleStorage/issues?direction=desc&sort=created&state=open) page.

Discussion

sqlSec - Database robot

Just kidding. Its not a robot per se'. [sqlSec](https://github.com/jas-/sqlSec) is a series of stored procedures for new & existing MySQL databases. History A few months ago @KhalidOkiely created a [post](http://forrst.com/posts/Encrypting_Database_content_PHP-HIo) asking about encryption of database content. My [suggestion](http://forrst.com/posts/Encrypting_Database_content_PHP-HIo#comment-635877) was to offload the heavy lifting from the application layer to the database layer of the application. This is a working example of my suggestion. I have done some preliminary benchmarks and it is suitable for large record sets on a scheduled task. Or a robot, tee hee. Benchmarks Linux x86_64 Dual-Core AMD Opteron(tm) Processor 2218 AuthenticAMD GNU/Linux with 4GB of RAM = 2.5 million individual records (5 tables with 1 encrypted field per table containing 5k records) in one hour and eleven minutes. Details During installation the following is performed: 1. A new user is created as well as its default permissions 2. A new encryption key is generated 3. Two new tables are created on the existing database to handle mapping information for stored procedures 4. User is asked if any existing fields are encrypted 5. A backup (optional) is performed of current database contents 6. User is prompted for all table/field combinations which require encryption Install? Here is a example of the installation process ./install.php servername dbname Enter MySQL root password: Successfully created new user account Successfully created tables on 'dbname' Successfully created stored procedures from 'sqlSec-procs.sql' sqlSec installation details: Username: 59279858ea0fdefs Password: 48862f22fccaadb3a5xefe Backup path: /var/lib/mysql/dbname/ Lets define the table & fields you wish to store encrypted data in... Already using encrypted fields? n Create backup first? n Enter table: myTest Enter field: myField Another record? n Use? Simple, here is an example of rotating the data (using the random user/password combination listed above). In this example we force a backup & debugging output. mysql -u 59279858ea0fdefs -p48862f22fccaadb3a5xefe dbname -e 'CALL KR_Main(1, 1)' Documentation? Yeah, that... it is coming. Issues? Questions? Suggestions?

Discussion

GitHub Private Repository (A poor mans guide)

Recently @th posted a [question](http://forrst.com/posts/Two_Computers_One_Piece_of_Code-HPK) regarding syncing multiple machines for a project that requires some security. I [suggested](http://forrst.com/posts/Two_Computers_One_Piece_of_Code-HPK#comment-636629) using [GitHub](https://github.com) along with a combination of a shared symmetric encryption key. Instead of simply suggesting it I went ahead and created a sample *.bashrc* file along with a [project](https://github.com/jas-/top-secret) to help illustrate. Enjoy