Request Tracker IRC Bot in Perl

Posted on May 26th, 2009 in Security by LogicX

At work we use Request Tracker for our ticket management, and IRC for our internal communication.  I decided to take on a project of combining them in a more usable form.  This wasn’t too difficult with the available perl modules, but I could not find a single implementation example, so I’m attaching my script below.


#!/usr/bin/perl
# Example IRC bot for Request Tracker (RT)
# Errors about a DBI already existing are expected (after the first time you save variables)
# Built off: http://search.cpan.org/~mdom/Bot-BasicBot-Pluggable-0.70/lib/Bot/BasicBot/Pluggable.pm
# http://wiki.bestpractical.com/view/Contributions
# http://search.cpan.org/~dams/Bot-BasicBot-Pluggable-Module-RT/lib/Bot/BasicBot/Pluggable/Module/RT.pm

use warnings;
use strict;
use Bot::BasicBot::Pluggable;

# Connection settings, with all known options
my $bot = Bot::BasicBot::Pluggable->new(
    channels    => [ "#chan1", "#chan2", "#chan3" ],
    server      => "irc.example.com",
    port        => "6667",
    password    => "your_server_password",
    nick        => "rtbot",
    alt_nicks   => ["rtbot_"],    # Bot::BasicBot takes an array reference here
    username    => "rtbot",
    ssl         => 1,
    name        => "Request Tracker IRC Bot",
    ignore_list => [qw( dadadodo laotse dipsy )],
);

# Load the Request Tracker module
my $rt_module = $bot->load("RT");

# The Vars module is required by RT to set its variables (server, user, password),
# but while it is loaded anyone who can reach the bot can /msg botnick !vars RT
# and read them back. Load it only when explicitly asked for at startup, so the
# bot never runs with it enabled by accident:
#   RTBOT_SET_VARS=1 ./rtbot.pl   (set the variables, then restart without it)
if ( $ENV{RTBOT_SET_VARS} ) {
    $bot->load("Vars");
}

$bot->run();

Update: Always make sure to DISABLE the Vars module after setting your variables, otherwise someone can read your password over IRC!
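An alternative to unloading Vars after setup, added here as an example and not part of the original script: Bot::BasicBot::Pluggable ships an Auth module, and according to the Pluggable documentation the privileged modules (Vars among them) only act on commands from nicks that Auth has logged in. With Auth loaded and its default account password changed, a `/msg rtbot !vars RT` from an unauthenticated nick is ignored rather than answered with the RT password. The connection settings are the placeholders from the script above; the Auth/Vars interaction is taken from the module documentation and should be checked against the version actually installed.

```perl
#!/usr/bin/perl
# Added example: keep Vars loaded but gate it behind Bot::BasicBot::Pluggable's
# Auth module, instead of commenting Vars out after initial configuration.
use strict;
use warnings;
use Bot::BasicBot::Pluggable;

# Connection settings are the same placeholders as the script above.
my $bot = Bot::BasicBot::Pluggable->new(
    channels => ["#chan1"],
    server   => "irc.example.com",
    port     => "6667",
    nick     => "rtbot",
    name     => "Request Tracker IRC Bot",
);

# Per the Pluggable documentation, privileged modules such as Vars call
# Auth->authed($nick) and drop commands from nicks that have not logged in.
# (Assumption: confirm this against the installed Bot::BasicBot::Pluggable.)
$bot->load("Auth");

# Vars is still needed by RT to store server/user/password; with Auth loaded,
# "/msg rtbot !vars RT" from an unauthenticated nick is silently ignored.
$bot->load("Vars");
$bot->load("RT");

# Auth ships with a default account, admin / julia. Anyone who knows the
# default can log in, so change it before exposing the bot. These commands
# are typed into IRC by the operator, not into this script:
#   /msg rtbot !auth admin julia
#   /msg rtbot !password julia <new-strong-password>

$bot->run();
```

The residual risk with this arrangement is the Auth password itself: it is sent in IRC private messages, so it is only as private as the connection to the server (the `ssl => 1` option in the original script matters here), and the default credentials must be changed before the bot joins a shared channel.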

New Colo Box

Posted on April 25th, 2007 in Security by LogicX

I’ve had a colo box with ColoPronto for over a year now. It’s been a great, inexpensive box to play on. Since I’ve been in Boston I’ve been trying to locate a reasonably priced local colo option, so I can be more ‘hands on’ with the server and upgrades. Unfortunately, for the last year my search results have been pathetic. The best I’ve been able to find is around $100/mo for 1U with 1/4Mbit/sec (80GB/mo). That is just totally unacceptable, considering I get 500GB/mo with ColoPronto for $20/mo.

I recently received a reply to a post on WebHostingTalk where I asked for Boston colo options. Through this I learned of Prospeed.net. They offer 1U in their Cambridge, MA facility, with Level3 Communications connectivity and generous bandwidth allowances. I’ve contacted Prospeed and begun the process of getting some space there. I ordered a Core2Duo 1U from AntOnline which arrived today, and I hope to get it live in the next few days.

What will I do with this box you ask? Well — for starters, it will run gentoo, and run vmware-server. I will then be able to run a number of VMs inside it. One of them will likely be a DekiWiki 5-User VM. I will also continue to expand my knowledge by being able to run servers and experiment with new OS choices, etc.

A broader goal — which I’ll write about in more detail later — is to offer VMs on the box to interested High School and College students who do not have the resources available to them — but would like to experiment with running a server, hosting sites, and the learning that comes with offering such services.

Update 4/24/08: I’ve been very pleased with ProSpeed.net for the time I’ve been with them now. I’ve had very little downtime, service has been good, and they didn’t even have an issue when my CC expired and they weren’t paid for 5 months – they called me up and we cleared it all up. I had a friend who was looking into colo services contact them, however, and I don’t believe they’re offering this deal at this price point anymore.

DekiWiki and MindTouch Deki Review

Posted on April 6th, 2007 in Wiki by LogicX

I work for an Information Security Consulting firm near Boston, MA — I’ve grown up using FreeBSD, Linux, and open source software, and personally run Linux and FreeBSD on my desktops, servers, and laptop. It should even be noted that I have a co-located FreeBSD server in Miami, Florida that I host some of my websites on, and I run and maintain the server myself. I also have a Dreamhost webhosting account, and I have access to a number of other dedicated servers which I help maintain.

I’ve been frustrated for some time by the fact that I need easy ways to manage and update information, and I really like the idea of wikis; however, I feel that I’m traveling back in time by using the ‘let me try this syntax, now let me click a button to render the page and see if it’s what I wanted’ type of system that wiki syntax currently is. It feels to me very much like the early days of HTML — and along with it the myriad of poor WYSIWYMG (What You Might Get) type solutions. I’ve previously tried, and am not a fan of, generic WYSIWYG overlays for MediaWiki such as fckeditor (specifically because it does horrid javascript popups for things such as URL inputs).

At my current company I realized that we really need a system for managing our information, and so I’ve recently been evaluating Microsoft Sharepoint. Sharepoint has wiki functionality — once again, with a horrid WYSIWYG overlay — and I wanted to see what else is out there. I used WikiMatrix.org to narrow down my choices, and DekiWiki was one of the first ones I checked out. I was very thrown off by the OpenGarden website, particularly the front page: I had no idea what to make of it and could barely read the text under the DekiWiki and Dream options. I somehow came across a link to the Mindtouch site and sighed in relief at the pleasant, easy-to-read site. I viewed the flash demo and was instantly impressed by the attaching of files — this was an excellent marketing tool.

Seeing as I use VMWare on a daily basis, I downloaded the VMWare image and gave it a whirl. After a few initial problems getting it to properly start (I ended up having to delete it, re-extract and try again), I got it up and working. Seeing as I work in the security field, I was surprised by the fact that the interface emailed me my password when I added an account, and so I immediately began tracing back the email to understand how it had been sent out, and what sorts of communications the VM was making out from our corporate environment. As I intended to use the wiki to store sensitive corporate data, I would have to prove the security of the system to a supervisor. I ended up inspecting the host that the mail came from, discovered an IRC server, connected, and ended up talking to a number of the developers about the security of the email system. They informed me that they’re looking into the option of specifying your own email servers in the configuration, so that mail stays local to your LAN. I can understand the need to make it work ‘out of the box’, and so relaying mail out to ensure delivery is a good method; however, I think there should be an option to reassure administrators that passwords are not flying around the Internet unencrypted.

Talking to the developers I finally gained a better understanding of OpenGarden, and its role with DekiWiki, and Mindtouch’s commercialization of the product.
I shared this information with a co-worker and we decided to see how much was involved in getting DekiWiki installed on a Gentoo server at our office. While we did struggle somewhat, and still don’t have all features working, we were able to get it up and begin using it; and decided to stick with it for now over the VM, and see how it goes over in the office.

I then decided I wanted a wiki for this site, and once again tried to turn to DekiWiki. I was unable to install the open source version on my FreeBSD server, as it’s running a 64-bit version of FreeBSD, and there is no mono support for AMD64 FreeBSD.

I figured that Dreamhost would not have all the required components installed to get it working there (I’ve since submitted a suggestion that they offer DekiWiki as a one-click install). I did some more searching and came across viawiki.com. The account creation functionality does not work; I emailed them and, although I received a nice reply, they had no ETA on when it would be working again. That was many weeks ago, and it still does not work.

I then came across Wik.is. I signed up for an account — there is very little technical information on wik.is as to what exactly it is. Exploring my account I saw many of the standard features; however, I wanted to store some personal information in the wiki that I could lock down to only my account. I then read the Why Upgrade page, saw ‘Privacy: Make your wiki accessible only to selected users.’ and decided that, as this was what I wanted, and I was already familiar with DekiWiki and impressed by MindTouch backing all of this, I would sign up. I also wanted to know more about the integration, as once again — I run my own server, host my websites, etc. — and wanted to see what exactly was in store for integration options.

Even after signing up, there’s almost no further information about what had just occurred. There was very little hand-holding, few explanations, and no links to additional documentation to help me figure out how to take advantage of the ‘pro’ features I’d just purchased. The customizable URL seems to be done well — I just took a stab, and set my DNS to the IP address I was being hosted at with a domain name. It still would’ve been nice to have some documentation that assured me ‘this is the IP address to resolve your hostname to — set it to the same value in this field in the configuration’. I consider myself a very technically advanced user, and so I shudder at the thought of others figuring these things out.

In the end it turns out that Wik.is provides only fully public or fully private content, with no granular distinctions, as their target audience is not-so-technical consumers. They were nice enough to refund my money, based on my misunderstanding of their offering.

I really do think the MindTouch VM is an excellent idea, and the whole model of the VM and physical DekiBox, with the automatic upgrades, etc. — is a very good way to implement the product. The unique way in which all the open source dependencies have been tied together into a fluid product makes for a great final product that is, however, difficult to set up; MindTouch is doing a great job of releasing it in an easy-to-manage form.

I also look forward to DekiWiki integration of OpenID, as detailed through their Open Web Initiative.

Jikto Source Code Situation

Posted on April 2nd, 2007 in Security by LogicX

I read Billy’s Post concerning the release of Jikto code, and want to share my thoughts.

Just to make sure facts stay straight –

I was at Shmoocon, and watched Billy Hoffman’s presentation about Jikto. At one point during the presentation he was trying to show how the code worked, and switched to a window displaying the URL it was including. As this part of the demonstration showed how it can be incorporated into sites such as Google Translate, jikto needed to be accessible to Google Translate. I was sitting near the front, caught the URL, and downloaded it.

I had put the code up on a site of mine for only a short while before Billy called me and kindly asked me to take it down, and explained the media frenzy surrounding the code, its purpose, and SPI Dynamic’s release of it. I meant no harm to Billy or SPI, and immediately took it down. My interest in the code was purely from the perspective of how it worked. I’m an Information Security Consultant with Security Management Partners in Boston, MA and imagined being able to use his proof of concept for Phishing exercises we create for clients.

We create fake websites, and email employees to test their compliance with policies regarding clicking links or attachments in emails. Obviously being able to include code which could perform reconnaissance of their Internal network before we even step on site would be an excellent demonstration to clients as to the severity of employees accessing unknown sites. Even more extreme is the fact that this can be included via XSS attacks, making it come from a real site such as cnn.com.

My understanding of Jikto is that it will not take down the Internet or justify the other alarmist reactions; it’s just an interesting proof of concept demonstrating an interesting way to enumerate information about systems while dealing with the constraints of the security model.

Regarding RSnake’s comment, I believe Billy did actually go to great lengths to protect the code and still perform his demonstration. A testament to this is the fact that all I actually got was client-side code — I did not get the GUI control component, viewer, etc. So the piece released was incomplete, and not actually usable in its current form. I’ve not executed the code, and unless others have coded their own control/viewer component, it’s not that big of a deal that a small piece of it got out.

Update: IDG articles have been released, such as InfoWorld; ZDNet blogged about it, as did the CNet Security Blog; I posted on VulnerableMinds.

Shmoocon Hack or Halo – Winner!

Posted on April 1st, 2007 in Security by LogicX

I competed in the Hack or Halo competition this past week at Shmoocon 2007.

There were about 40 people competing, in two sessions of 20. I completed 9 of the 22 goals, and was declared the winner during the closing ceremony Sunday afternoon. I received an Xbox 360!

I’d have to say that the Friday night practice session was very helpful. I had my work pentesting laptop along with me for the weekend, preloaded with all my tools; the only thing I discovered to be lacking was tools to decode steganography, so I quickly got steghide prior to Saturday night’s competition.

Peaceful Warrior – Great Movie – Great Marketing

Posted on April 1st, 2007 in Misc by LogicX

Last night I went to see Peaceful Warrior downtown with my girlfriend Julie. Saw it for free. In the last few weeks, every deal website on the net has been giving out free tickets through a Best Buy promo.

After I saw the movie, which was very good, I realized what had just happened. They had this great movie and said, “Now how do we get people to come see it? We don’t have any names, and we don’t have any special effects.” Will Smith’s The Pursuit of Happyness was recently released; I felt it was a great motivational, ‘feel good’ movie, and it did great — but it had Will Smith, who drew the crowds.

Someone on the marketing team for Peaceful Warrior said: “We’ll give away free tickets opening weekend to those who are into technology — through Best Buy — they’ll see it, and blog about what a great movie it is, and millions more will come see it in theaters, making up for those few free tickets opening weekend.” And now it has happened.

Justin has enhanced my theory with a note that the movie was released in 2006 and re-released this year, according to IMDB, so potentially they released it, no one saw it — and then the events above transpired.

Supporting evidence:
the Contrary Goddess:  “Well, they gave me free tickets, so it seems the least I could do would be to blog about it.”

WPAD

Posted on April 1st, 2007 in Security by LogicX

Insecurity at its best — at Shmoocon I saw a presentation on WPAD, which is essentially a means of dispensing new proxy settings to browsers. Of course this was implemented by Microsoft with no form of security in mind. Over the next few months I intend to use WPAD at clients to dispense rogue proxy servers, and see what sensitive information can be gathered.