[Owasp-leaders] Bring balance: force verification in scanning tools

Kevin W. Wall kevin.w.wall at gmail.com
Mon May 23 00:03:37 UTC 2016


On Sun, May 22, 2016 at 6:55 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Definitely Bev :-)
>
> In fact this is the kind of thing we should discuss.Should we start a
> formal process to bring this to a panel discussion?
>

​Let's let this thought experiment play out a little bit longer
before we do that.
​


> I started developing a tool 'Nmapalyzer':
> https://github.com/ossecsoft/nmapalyzer
> Is a tool to identify the data packages sent by NMAP probes. Reverse
> engineering of nmap TCP sent packages to a target machine
> https://www.gitbook.com/book/marylinh/nmapalyzer/details
>
> So Bev, there are commercial solutions doing this and some OS but not
> extensively. My plan with the Nmapalyzer is to help detect network
> traffic(passive) and set  the information with a nice dashboard. It is in
> research phase right now.
>
> ​A noble example, but one that will not be easy. Fy​odor designed nmap
with options, when appropriately used, that allows nmap
to be evasive and avoid detection. Good luck with that. On
the plus side, most people running nmap scans do not have
the patience or prerequisite knowledge to use nmap in that
manner.

>>But given that it IS open source, a hacker would simply fork it on GitHub
> or BitBucket or wherever and just point fellow black hats at the modified
> source at some other URL.
>
> Simply?😏 He do you have fellow blackhat friends that give you exploit
> kits for free?
>

​Okay; yo​
​u got me on that one--in the general sense. But in the
case of ZAP and Phineas, I think he would release the tweaked
ZAP for free. Phineas is doing this more as hacktivism rather
than profit and hacktivists are generally not motivated by
money.
​
​

> blackhats don't give anything for free.Which blackhats are developing
> 'open source hacking tools' and giving tools for free like we do? No one,
> wether you pay 1 dollar or 300 for anything, they need to make a living.
>

​Well, only hacktivists. I suppose whether you view them as
"black hats" or "gray hats" or "white hats" depends on
your perspective of whether or not they are engaging in
activities which you perceive as fair and just. But I think
that most in that crowd are 1) in violation of some laws,
and 2) freely share their hacktivist tools with their
colleagues for the greater cause.


> Have you check ZAP code? Maybe this part should not be at all documented .
> Believe me he will move to BURP or tamper data faster than just go and take
> the time to change this. and give it for free...
>
> Now a professional blackhat will invest his time/money and distribute a
> version but it will charge some money for it, just as done with malware
> exploitation kits.
>
> I bet you 100USD than the moment ZAP does this, download of this new
> version will decrease by 50% and  a blackhat will make a version for sale
> for a very good price in the dark web (charge USD20 instead of buying BURP
> for USD300/year)
> Want to bet?
>

​So, you are NOT disagreeing that ZAP would be modified and
made available, but rather that whether or not it would be
made available for free???

So don't you see the here? What you are proposing--to
have ZAP be restrained in some manner (e.g., by ​looking
for some specific file name or a file with some specific
contents)--would in fact cause black hats to PROFIT from
modifying and then reselling ZAP? So rather than restricting
ZAP from the hands of malevolent people, you instead--as
a likely unintended consequence--cause these same people to
further profit from ZAP.

Is that really what you want? I think not. We need to be
careful before we jump to conclusions here.  And even if
ZAP was not open source, the fact that it compiles into
Java byte code makes it trivial to decompile. (And obfuscators
can only do so much.)

But let's not do something that will leave the end situation
worse than what we started. You are a hacker, so when you
propose these things, think like one and how you would go
about getting around those obstacles.

-
​kevin​

-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160522/bff8c690/attachment.html>


More information about the OWASP-Leaders mailing list