Mutillidae Session Hijacking Lab

Overview

This is a list of steps to perform a web application session hijacking attack against a logged-in user of a web app. It uses the wonderful Mutillidae (https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project) vulnerable web application for the victim server, Burp Suite (free or pro, https://portswigger.net/burp/download.html) and a web browser (in this case, I’ve chosen Firefox).

Steps

This post presupposes that you already have Mutillidae, Burp and Firefox installed and running. If not, please refer to those sites for details on how to accomplish those goals.

  1. Set up Firefox to use Burp
    • Here you can edit the Network settings inside the Advanced section of Firefox’s settings area to add the Burp local proxy. Burp defaults to run on TCP port 8080. So you’ll need to use localhost for the host/IP and 8080 for the port.
  2. Launch Burp and confirm that you can get traffic from the browser. If not, troubleshoot that then move on.
  3. In the Mutillidae application, visit the http://YourIPHere/index.php?page=login.php page.
    1. Click the Please register here link at the bottom of the page to create 2 new users.
    2. Create 2 different users in this section.
  4. Go to the login.php page (http://YourIPHere/index.php?page=login.php) in your browser and log in to the application using one of the user accounts.
  5. Go to Burp and look for the response from the server for the successful log in. It should have 2 new cookies that were set in your browser.
  6. Go to the Mutillidae app in the browser and browse to another page.
  7. Send that new request from the Burp Proxy to the Burp Repeater and ensure that both application cookies were sent in the header of the packet.
  8. Press the GO button in the Repeater function to send an unmodified request to the server.
  9. In the response frame, you should see that the user is logged in (in the header of the response as well as in the HTML).
  10. Now, in Burp Repeater, alter each of the cookies that the application set and resubmit the request. See if the username in the response packet changes.
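To show why step 10 works, and what the fix looks like, here is an added Python illustration (not Mutillidae’s code and not from the original post). The first model trusts a `uid` cookie as the user’s identity, which is what the lab observes; the second keeps the identity server-side behind a random opaque token, so editing the cookie yields no user at all rather than a different one. The user table and the names `weak_login`, `SessionStore`, `set_cookie_header` and `tamper` are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed user table for the illustration.
USERS = {1: "alice", 2: "bob"}


# --- Weak model: identity travels in the cookie and is trusted as-is. ---
def weak_login(uid: int) -> dict:
    """Cookies a naive app might set after login; the values ARE the identity."""
    return {"uid": str(uid), "username": USERS[uid]}


def weak_current_user(cookies: dict):
    """Server-side view: whoever the uid cookie says you are, you are."""
    try:
        return USERS.get(int(cookies.get("uid", "")))
    except ValueError:
        return None


# --- Hardened model: opaque random token, identity kept server-side. ---
@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # token -> uid

    def login(self, uid: int, old_token: str = "") -> dict:
        """Issue a fresh 256-bit token; discard any pre-login session (fixation defence)."""
        if old_token:
            self.sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = uid
        return {"session": token}

    def current_user(self, cookies: dict):
        """Unknown or altered tokens map to no user, never to another user."""
        return USERS.get(self.sessions.get(cookies.get("session", "")))

    def logout(self, cookies: dict) -> None:
        self.sessions.pop(cookies.get("session", ""), None)


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line with the attributes that keep the token off the wire and away from script."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


def tamper(cookie_value: str) -> str:
    """Change one character, standing in for the manual edit made in Repeater."""
    last = cookie_value[-1]
    return cookie_value[:-1] + ("A" if last != "A" else "B")


if __name__ == "__main__":
    c = weak_login(1)
    c["uid"] = "2"
    print("weak model after editing uid cookie:", weak_current_user(c))
    store = SessionStore()
    ck = store.login(1)
    print(set_cookie_header("session", ck["session"]))
    print("hardened model after editing token:", store.current_user({"session": tamper(ck["session"])}))
```

The difference to look for in your own applications is whether the cookie value means anything on its own. A random token that the server merely looks up cannot be edited into another user’s session; a value that encodes a user id or name can.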

Next Steps could be…

  1. Extract the cookies from Burp and insert them into the browser to become the other user and browse around the application
  2. Use Burp Intruder to fuzz the cookie value and find other users that you could become. (Keep in mind who the first user of the application could be).

Ghostery: A Browser Extension You Need

What if you were driving down the highway in your car and had to slow down every mile to read an advertisement? And what if those advertisers knew where you had been and who had gone with you? That would annoy and cause concern for many people but we tolerate this on our computers and mobile devices all the time. Our web browsing behaviors (sites we visit, what we search for on those sites, what we do on those sites) are being used against us every day. But this does not have to happen and I’m going to show you how to stop it.

There is a free extension that you can add to your favorite browser of choice to stop advertisers and others from tracking your browsing behaviors: Ghostery (https://www.ghostery.com/).

WARNING

Extensions and add-ons are pieces of software that someone else has written. They, themselves, have the ability to track and alter the information you send and receive from web pages. I tell you this so that you don’t go wild and start installing untrusted add-ons in your browsers. There are malicious extensions out there. These two extensions, right now, as of the moment of this writing, are solid pieces of software that you can trust.


Extensions in Google Chrome

Here is how you get to the “Extensions” area of the Google Chrome web browser. Press the settings button (pancake-like three lines in the upper right) of the Google Chrome browser.

[Screenshot: chrome1]

From there, choose More tools and then Extensions.

[Screenshot: chrome2]

Observant readers will note that the URL chrome://extensions/ will get you to this same place.

Now, you may not have any extensions loaded in your browser. If that is the case, your next screen should appear similar to the one below. You will want to press on the browse the Chrome Web Store link to go to the place where we will find the extensions.

[Screenshot: chrome3]

If you do have one or more extensions loaded, then you will need to scroll to the bottom of your browser window where you should see a link such as the one below to Get more extensions. That link should take you to https://chrome.google.com/webstore/category/extensions?hl=en-US (or the correct one for your area of the world).

[Screenshot: chrom4]

Just hang on while I get the Firefox users to the right place.

Firefox Add-ons

Firefox users should also click on the pancake-like settings menu in the upper right of their browser and then select Add-ons.

[Screenshot: ff1]

Again, you may or may not already have some add-ons installed in your browser. In either case, select the Get Add-ons option on the left side of your new window. Observant Firefox readers will note that the page that you are on is about:addons which is a fast method of getting to this page.

[Screenshot: ff2]

Safari (OSX/Mac)

Safari can load Ghostery too! So, launch the Safari web browser and go to the upper left menu item named Safari. Click it and you will see Safari Extensions… which you should click.

Why, Micah? Why?

Why am I showing you how to navigate to these areas of the applications you probably use every day? Sure I could just say “Click here and install the extensions” (which I will below). Just as it is important for you to understand how your car works, it is also important for you to understand how to modify your web browser settings.

How To Add an Extension/Add-on

If you have followed me to this point, adding the correct extension is simple. Firefox, Chrome and Safari all have search areas within their extension/add-on areas. Type in Ghostery and press the search button (or hit Enter).

For Ghostery, you can also just visit https://www.ghostery.com/try-us/download-browser-extension/ in your browser and press the appropriate button for your web browser. The links will take you to the correct add-on web page.

You are looking for a little, blue PacMan ghost like the one below.

[Screenshot: Capture]

You will want to add this to your browser or install it (each browser has a different name for it). Once installed, it may take you to a tutorial to help you understand the options. Go through it and set it up how you like. You will also notice a little ghost in the browser now (usually up top). This is the way you can quickly get back to Ghostery to change options.

The important piece for Ghostery is on the Blocking page. You will want to ensure you SELECT ALL to shut off all ads and trackers. See below for how it should work.

[Screenshot: chrome6]

I will warn you. This will block things that may cause web sites to not work. That is OK because you can always unblock certain sites or choose specific parts of a site to be unblocked.


Oh No! My Site Doesn’t Work!

Ghostery sometimes will cause web sites to not work properly since it prevents your browser from loading all of the widgets and trackers the web site wants you to. In these cases, you have a couple of options: Pause Blocking and Whitelist Site.

[Screenshot: ghost1]

Pause Blocking

If you just want to stop Ghostery from blocking anything for all the web sites you are visiting, choose the Pause Blocking option and reload the page. You will need to Resume Blocking to take advantage of Ghostery’s features again.

Whitelist Site

There are some web sites that you may trust and it may be fine for them to track you or provide you ads. In those cases choose the Whitelist Site option to essentially turn off Ghostery for just this site. Next time you visit this whitelisted site, Ghostery will not block content.

A Third Choice

There is a third choice in what to do when Ghostery is blocking a feature of a web site. That is to selectively turn on, one by one, the features that Ghostery is blocking. Turn one back on and reload the page. Did that fix the issue? No? Do it with another one and reload the page.

A Final Choice

The way that I browse the internet may be similar to the method you use. I have my favorite browser and, whenever I need to go to the internet, I launch it and go. This browser definitely has Ghostery installed. If all of the above 3 methods for getting a site to work fail, I open a “less secure” browser that does not have Ghostery installed (for example, Internet Explorer) and visit the site there. This can help you. Protect your main browser and have a fall-back one that is less secure to use when sites look weird in your main browser.

Mobile Anyone?

Did you know that you can install Firefox onto many mobile phones and tablets? Google Chrome too. When you install it, make sure that you install the Ghostery extension to protect your mobile web traffic.


Mind over body

This 5 minute clip from the 2006 movie “Facing the Giants” (http://www.imdb.com/title/tt0805526/) recently made me think about my dedication and drive. It is “The Death Crawl Scene” where an unmotivated person shows himself and his team that if you cannot see the “finish line” you can push your body harder and farther than you thought you could.
Many times our minds quit WAY before our bodies. In this time of instant information and feedback (how many steps you took, how far you have walked|biked|run, how fast you went…), we sometimes prevent ourselves from just going and doing.
This past weekend I left my GPS at home when I went backpacking. I was going with 8 highly-skilled people and, on the Appalachian Trail, you really just follow the white paint marks (blazes) until you reach your destination. With this crew and the well-marked trail, I wasn’t afraid of getting lost.
I’ve not really hiked/backpacked for about a year due to work and injury and, because of this, I wanted a short backpack hike. I knew I couldn’t do more than 5-7 miles. We picked a simple 5.5 mile hike to a camp site and then a 1.2 mile day hike (without stuff in our backpacks) to Chimney Rock overlook. I focused on not twisting my ankle, talking to my friends, and enjoying the hike. I knew we were only going 7ish miles and I could do that.
We got to our camp site, set up camp, relaxed, and then went on the extra hike to a gorgeous overlook. Took our time there and then came back. I knew my legs would only take me 7ish miles. Mentally, that was my limit but because I hadn’t brought my GPS or my smart watch with me to monitor the distance and my steps, I didn’t know how far we’d gone. When some of the others in the group checked their GPSs and found we’d gone over 11 miles I was stunned and thrilled that I hadn’t let my mind stop my body from enjoying a beautiful trip and a great trip.
[Photo: 20160903_133701]

Harvesting Whois Data for OSINT

At work I was given the task of figuring out at least one method to find some of the domains that were registered by my company’s employees but that we may not have known that they registered. Anyone can visit GoDaddy or PSI or 1and1 and register a domain. We wanted to find out anyone who registered a domain with an “@MYCOMPANY.com” email in the domain registry. Once I figured out how to do this, I found some really interesting things!

Registering a Domain

In case you don’t know this, when someone registers a domain name like “webbreacher.com” or “osint.ninja” they use a registrar such as Go Daddy or Network Solutions who then does the work of reserving the domain and tagging it as owned by a certain person/organization. There is some personal or business information that you must provide to the registrar for them to make the registration of the domain you want. Most will want your credit card info first🙂 and also personal information such as your name, home/business address, phone, and email(s).

Personal v. Private Registrations

When you register a domain, many times you have the choice to have the registrar “mask” your personal information that you use to purchase the domain. This is helpful to keep your personal information, well, personal. Instead of using your personal data, the registrar uses their data and then keeps track internally of who the actual owner of the domain is. For my purposes of finding out what employees are registering domains using our company email address, this masking of their info presents a problem.

Whois

One of the main tools that people use on unix, linux and Mac systems to look up the registration information about a domain is called whois. From a command line or terminal window, a user can type whois example.com and the registration information for that domain will be returned. This should include names, emails, phone numbers and more…unless the registrant is using the whois masking feature of their registrar.

Some caveats here are that whois data is many times stale, old, or just very wrong. Many registrars never check the information that is self-submitted when registering a domain. If I wanted to register insertmydomainhere.info as Barack Obama at 1600 Penn Ave, Washington, DC, there are some registrars that would be happy to take my money. Take whatever responses from whois as suspect data until verified or corroborated with other information.

Using whois is great if you want to retrieve the information about a single domain. In my case, I wanted to search ALL domains for any registration information with my company’s email address domain. Using whois for my task, I’d need to request every single domain name with whois and then scrape the results for “@example.com” to complete my task. Laborious if not impossible.

ViewDNS.info

The best place I found that had a reverse whois lookup that would allow the searching of whois data using registrant information AND wildcards (such as *) was the viewdns.info site. Let’s show an example using the dhs.gov domain. Using the ViewDNS web page at http://viewdns.info/reversewhois/?q=%40dhs.gov you can retrieve the first 500 hits on domains having the @dhs.gov string in them somewhere. Below are some of the results.

@dhs.gov entries found in Whois records


This was a huge time saver for me. ViewDNS also has a great API to pull these records down in XML and JSON formats which are easily used in scripts and other programs.

So…I was happy and yet confused. I thought that there may be something wrong with the site. Looking at the bottom of the above picture, you can see that fema.net is a domain that has the @dhs.gov string in the registration somewhere. This makes sense since fema.gov is a DHS entity and fema.net is something DHS might register to prevent someone else from registering it and tricking users. But, did you see the farrellswebservice.com and celticwarriorsmc.com domains? Those do not look like DHS domains. Let’s take the farrellswebservice.com domain and do a command line whois on it.

farrellwebservice.com whois data

Well that solves it. There was no problem with the web site. Under the red arrow is the @dhs.gov email account that the viewdns.info site found: keith.farrell@dhs.gov.

Moving into OSINT

I hear some of you saying “So what?” Well, in the world of OSINT we try to tie pieces of data together. Getting email addresses, phone numbers and addresses for people is key to furthering investigations. We can use this data as pivot points (additional search terms to use to find even more information about a target) to augment your OSINT data. In the above pic for the whois output of the farrellswebservice.com domain, we have all of these pieces. Keith Farrell’s name, home address, phone number, personal and business email addresses are out there in the public for anyone to harvest.

So what happened here? It seems like some people use their work emails for personal registrations. While I only use my work email for work purposes, I do know people that use their work email for non-work purposes.

Applying this Information

OK. So we can easily pull up all the domains registered with a certain email domain. Again, so what? Well, what if those domains showed interests of the employees of that company? What if they showed personal information or pictures of a person’s family? In fact, if you visit some of those domains from our results above in a web browser, that is exactly what you get. Check out http://farrellswebservice.com/ and http://bostonjrhuskies.com/.

So now we have:

  • First and last name
  • Home address
  • Phone number(s) which may be work and or personal
  • Email(s) which are work and may also be personal
  • Personal interests
  • Pictures of family
  • In some cases we have much MUCH more (check out http://dancommiato.com/)

Attackers could use this information:

  • For reconnaissance prior to a cyber or physical attack to gather information
  • Phishing or pretexting data to better-craft emails or scripts that victims may fall for
  • Social engineering
  • Espionage….and so on

We can also take this data, export it to a CSV (Comma Separated Value) file and import it into a spreadsheet program or visualization app like Paterva’s Casefile (free – http://paterva.com/web7/buy/maltego-clients/casefile.php). Doing that, we can see connections in the data such as all domains registered on a certain date or by a specific registrar. This data can help you determine if a specific domain was registered by the organization and is most likely a work domain or if someone else may have registered it.
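As an added example that is not from the original post, the Python below does the two pieces of the workflow described above: it parses `whois` output for a list of candidate domains (the kind of list a reverse-whois search returns), pulls out every address on the company’s email domain, flags records that look like a registrar privacy service, and writes the result as CSV for a spreadsheet or Casefile. The three whois records are constructed samples, not real registrations, and `mycompany.example` stands in for the company email domain; `fetch_whois` wraps the `whois` command discussed earlier and is only needed for a live run.

```python
import csv
import io
import re
import subprocess

# Constructed whois output for three hypothetical domains (not real records).
# Layout follows the common "Key: Value" format that `whois` prints.
SAMPLE_WHOIS = {
    "teamproject.example": """\
Domain Name: TEAMPROJECT.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-02T00:00:00Z
Registrant Name: Pat Doe
Registrant Email: pat.doe@mycompany.example
Admin Email: pat.doe@mycompany.example
Tech Email: hostmaster@example-registrar.example
""",
    "masked.example": """\
Domain Name: MASKED.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2016-08-19T00:00:00Z
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Email: masked@domainsbyproxy.example
""",
    "hobbysite.example": """\
Domain Name: HOBBYSITE.EXAMPLE
Registrar: Another Registrar Ltd
Creation Date: 2014-11-05T00:00:00Z
Registrant Name: Sam Roe
Registrant Email: Sam.Roe@MyCompany.example
Admin Email: sam@personalmail.example
""",
}

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Words that registrar masking services tend to put in the registrant fields.
PRIVACY_HINTS = ("private", "proxy", "redacted", "privacy", "whoisguard")
COLUMNS = ["domain", "registrar", "created", "registrant", "company_emails", "masked"]


def fetch_whois(domain: str) -> str:
    """Live lookup through the whois command line tool (not used by the sample run)."""
    return subprocess.run(["whois", domain], capture_output=True, text=True).stdout


def parse_whois(text: str) -> dict:
    """Collect Key: Value lines into {key: [values]}; repeated keys keep every value."""
    record = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            record.setdefault(m.group(1), []).append(m.group(2))
    return record


def company_emails(text: str, company_domain: str) -> list:
    """Every address in the record that belongs to the company's email domain."""
    suffix = "@" + company_domain.lower()
    return sorted({e.lower() for e in EMAIL.findall(text) if e.lower().endswith(suffix)})


def looks_masked(record: dict) -> bool:
    """Heuristic: privacy services announce themselves in the name/org fields."""
    blob = " ".join(v for values in record.values() for v in values).lower()
    return any(hint in blob for hint in PRIVACY_HINTS)


def audit(whois_by_domain: dict, company_domain: str) -> list:
    """One row per candidate domain, ready for a spreadsheet or Casefile import."""
    rows = []
    for domain, text in whois_by_domain.items():
        rec = parse_whois(text)
        rows.append({
            "domain": domain,
            "registrar": rec.get("Registrar", [""])[0],
            "created": rec.get("Creation Date", [""])[0],
            "registrant": rec.get("Registrant Name", [""])[0],
            "company_emails": ";".join(company_emails(text, company_domain)),
            "masked": looks_masked(rec),
        })
    return rows


def to_csv(rows: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(audit(SAMPLE_WHOIS, "mycompany.example")))
```

For a live run, replace `SAMPLE_WHOIS` with `{d: fetch_whois(d) for d in candidates}`; the `masked` column is what tells you which hits you cannot attribute from whois alone, and the `created`/`registrar` columns are the fields to sort on when looking for registrations the organization itself made.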

Conclusions

How do you prevent this? Most domain registrars allow you to make your domain registrations “private” or “masked” so that, instead of your personal (or work) information being displayed when someone looks up the domain registration, it is the information of the registrar that is shown. For example, let’s look at what the whois data for the osint.ninja domain are:

whois osint.ninja

When I registered that domain, I selected to pay a little additional and have GoDaddy replace my personal information with some generic information pointing to their systems. Anyone having an issue with the domain (or network traffic coming from it) could contact GoDaddy and then they would know to contact me.

Additionally, try to limit the places where you use work information for personal purposes especially if that data is or could become public.

For all you OSINT people out there, I bought the $20/month API access to viewdns.info’s data and have scripted this process (and doing subsequent lookups). It does require an API key from the site. If this is something you do regularly, I highly recommend purchasing the API key. Oh, if you are thinking of just scraping the data from the web site…don’t. Viewdns.info actively blocks IP addresses that do this. Trust me. I still cannot get to this site from home.😦

Like this post? Tweet to me @OsintNinja or @Webbreacher.


Career Days

I have had (and continue to have) the pleasure of helping my two children learn and grow into the amazing, wonderful young adults that they are today. Every year their schools have “Career Days” where people in the community take some time away from their work and share with students what it is like to work in their careers. Each presenter usually has about 25-30 minutes to convey important aspects of their profession such as:

  • What is a typical day like for you?
  • How much money can people make in your field?
  • What are things that students in [insert grade here] should do to become a/an [insert profession here]?
  • Are there certain college majors that would be good for people to choose to become a/an [insert profession here]?

I’m sure that you get the idea. Every year I create my presentation and try to…

Connect with the Audience

When creating my talks, I try to think about topics in my profession that the audience, be they elementary, middle or high school students, are affected by and can relate to. Discussing how I reused an Apache Tomcat default username and password to upload and deploy a customized WAR file to an application server to compromise the system, and then how the WAR file sent a reverse TCP/IP shell to my host pentester server in my cloud instance…this would not go over well with any crowd that was not infosec savvy.

I try to think of an example that each person can understand. Some examples I’ve used:

  • Elementary Schoolers – “Find the vulnerable system” – I bought 100 #2 pencils and broke 2 of them in half so their eraser end was still in place. I then picked them up and made it so all the erasers lined up. The 2 shorter pencils were inside the normal ones. I had the students grab a pencil and see if their system was shorter/was the vulnerable one. Then I told about how many times I have hundreds of systems I need to assess and my first job is to find the systems that are more vulnerable to attack…just like finding a broken pencil in our pile.
  • Middle Schoolers – “What is a ‘good’ password?” – By the time my kids were in middle school (grades 6-8), they had a lot of experience with passwords. So when I presented to their classes I showed examples of a variety of passwords in my preso and asked them to rate if they were good (strong) or bad (weak). To make this more interesting I threw in there passwords with keyboard walking such as !QAZ2wsx#EDC4rfv which looks good but which is easily guessed using techniques from https://github.com/Rich5/Keyboard-Walk-Generators. Describing how an attacker can use a weak password, can “crack” passwords using huge password lists and can gain unauthorized access to systems are easy discussion points here. Passwords lead into other things that hackers do and so this was a natural method of “reaching” my audience.
  • High Schoolers – “Peeking Behind the WiFi Curtain” – I’ve written up a longer blog post at https://webbreacher.com/2014/04/16/all-is-not-what-it-appears-to-be-a-high-school-demo/ describing how I used the FakeAP software to make some WiFi access points that the students could see on their phones/devices. This allowed me to address how being an attacker is partially about tricking our victims. They shouldn’t trust everything they see on the internet. This naturally leads into discussions about fake social media profiles, stalkers, and more.
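The keyboard-walk password from the middle school example is easy to check for in code, which is a useful thing to have in a password policy. Below is an added Python check, not code from this post or from the Keyboard-Walk-Generators project: it maps shifted symbols back to their keys, then finds runs of touching keys on a simplified QWERTY grid (neighbours above, below, beside or diagonal count). The `rate` thresholds (12 characters, 50% walk coverage) are assumptions made for the example.

```python
# Unshifted QWERTY rows; row/column positions give a simple adjacency grid.
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
# Shifted symbols map back to the key that produces them, so "!QAZ" == "1qaz".
SHIFTED = dict(zip('!@#$%^&*()_+{}|:"<>?', "1234567890-=[]\\;',./"))
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def normalize(password: str) -> str:
    """Lower-case letters and unshift symbols so casing cannot hide a walk."""
    return "".join(SHIFTED.get(ch, ch.lower()) for ch in password)


def _adjacent(a: str, b: str) -> bool:
    """True when b is a different key touching a on the grid (incl. diagonals)."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return (r1, c1) != (r2, c2) and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_segments(password: str, min_len: int = 4) -> list:
    """Substrings (original casing) made only of touching keys, at least min_len long."""
    norm = normalize(password)
    segments, start = [], 0
    for i in range(1, len(norm) + 1):
        if i == len(norm) or not _adjacent(norm[i - 1], norm[i]):
            if i - start >= min_len:
                segments.append(password[start:i])
            start = i
    return segments


def walk_coverage(password: str, min_len: int = 4) -> float:
    """Fraction of the password that sits inside keyboard walks."""
    if not password:
        return 0.0
    return sum(len(s) for s in walk_segments(password, min_len)) / len(password)


def rate(password: str) -> str:
    """Toy policy; the thresholds are assumptions chosen for this example."""
    if len(password) < 12:
        return "weak: too short"
    if walk_coverage(password) >= 0.5:
        return "weak: keyboard walk"
    return "ok"


if __name__ == "__main__":
    for pw in ["!QAZ2wsx#EDC4rfv", "qwerty123", "correct horse battery staple"]:
        print(f"{pw!r}: {walk_segments(pw)} -> {rate(pw)}")
```

A walk of four keys is the smallest run the check reports; that keeps ordinary words such as “as” or “re” (two touching keys) from being flagged while still catching the column-by-column pattern shown in the talk.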

Break it Down

Some of you know that I’ve had a few other “careers” besides infosec/computers. In my early 20s, I applied to medical schools to become a surgeon. I remember at one of the medical school interviews, an interviewer said to me:

I only have one question for you. Let’s say you are in a truck crossing a desert in a foreign country. I [the interviewer] am a native of that country, am riding on my horse and speak English. I stop you, point at your vehicle and ask how it works. Tell me what you’d say. 

So I described at a high level how my vehicle needs energy (gas) to move much like his animal needs food to get its energy.

Tell me more…

was all he said. You can probably see where this is going. He had one question with 1,000 follow-ups to get me to go deeper into the explanation. At the end, I was explaining the molecular interactions between atoms and many physics topics that I’ve long since forgotten.

At some point, he stopped with the “Tell me more…” responses and explained that in the medical field they have to explain some very technical and complicated issues to people of a variety of educations, experience, and knowledge. I’ve found this to be very true within the infosec world. Talking to an executive versus a developer, I use different language and concepts to describe weaknesses and risk. This extends to my presos at career days as students in the 5th grade have different life experiences and overall impression of the world than an 11th grader. Leverage this.

One other point that I tried to get across to the students was that, when I was in X grade, my position, my job, my career had not been invented yet! Their career too may not have yet been invented/created/conceived so, try things, fail and be flexible.

Make it Exciting (or at least not dull)

Realize that career days can be amazing events that open children’s eyes to future career possibilities or they can be just another boring day at school. It depends on me, the presenter. This is where my Infosec Cheerleader persona really comes into play. I want kids to look at the wide variety of positions in infosec and understand, like sports, that we are a team and each person, whether on the defense, the offense, a referee or an owner, we all work together (or should).

Get Feedback

The best part about presenting to the middle school my kids went to was getting feedback from the students. The school mandated that each child write up a note to the person who had a presentation that they enjoyed most. I love reading these letters (even though I know the school makes them write these as assignments) as they have some insights into what topics made an impact on the kids. Below is some of the feedback I received.

[Photo: 20160604_143152]

Let me know

Do you have techniques that you use when doing these talks? Let me know on Twitter or in the comments below.

Your very first hike

The weather is turning hot|cold|warm|sunny|cloudy…just like you like it.

You know that there are these dirt|gravel|paved paths in some parks but never knew what they were for.

You are intrigued, pulled by some primal urge to go outside and get some sun|pollen|wind on your face|body|brand new clothes.

You my friend, need to…

Go for a hike!

That’s right. Walking outdoors. Listening to trees and animals make all the same sounds as your “nature sounds” alarm clock that you got last year at the Boxing Day Party your friend had. That is mostly what hiking is, just walking outside. For those that may want to stick to the paved, “improved” surface trails let me tell you, walking on dirt|rock|gravel is a great experience and much different from paved surfaces. Let’s talk a little bit about…

Going for your FIRST hike.

Don’t just run out of the house and hit the trail. Let me give you a brief run down on…

What Essentials to Bring

  • Water – Bring more than you think you’ll need especially if it is hot and/or humid out. Rule of thumb is 1 liter per person per hour if it is warm|hot and/or if it is challenging terrain. Bring all the water you think you will need with you. Do not count on sources of water being available at the place you are starting your hike. I’ve been to many parks where the only water fountain is broken|turned off for the season|missing. Oh, and bring some extra water and keep it in the car for when you get back from the hike. You will appreciate that.
  • Clothing – While we are born naked, hiking naked is not common and frowned upon in many parks.
    • Shoes – Wear comfortable shoes for the terrain. Walking on a straight, flat path like the C&O Towpath in Washington DC and Maryland? Sneakers|trainers|exercise shoes should be fine. But if you are doing the Billy Goat Trail, right off of the C&O Canal, you will want something with a sturdy sole like a light hiking boot. Planning on going through/near water? Going to rain? Consider waterproof shoes.
    • Weather Gear – Check the weather before you go and ensure you have raincoats, hats, sunscreen, sunglasses, jackets and whatever is going to make you feel comfortable should the weather turn sour.
  • Backpack – I’m told that some women love purses. Well, I’m the same way about backpacks. I love them. You might think that you can just wrap your jacket around your waist and carry your water bottle on that 5 mile jaunt and you probably can. Just realize that when you go to scramble over that log|rock you will drop your water bottle because a chipmunk surprised you. Then you will watch in horror as the bottle, the ONLY water you brought on your 100 degree, 100% humidity first hike rolls down the cliff|hill|bank and disappears from view, forever. Bring something you can toss a few things into and wear on your back. It is worth it.
  • Food – This advice goes for adults only. Kids have different rules here. Bring something light to eat on the trail. Take something you enjoy. It can be healthy or not. Doesn’t matter. It’ll add to your first hike and make it more enjoyable.
  • Alcohol – Leave the alcohol at home. Alcohol dehydrates and impairs vision and reflexes. Alcohol is illegal in many public parks at State and National levels too. Just don’t.

So you have packed up all your things and you are ready to…

Pick a Place

There are many avenues that can be used to find a good first hike. Talk to friends. Visit an outfitter like REI or a sporting equipment store and ask a person there. Use Google or DuckDuckgo.com to find a good place for your first hike. Not sure how to do that? Let me show you http://lmgtfy.com/?q=good+places+for+first+hike.🙂 With some ideas in your head, now is the time to…

Think About Distance

This is where you need to know yourself. Do you sit behind a desk 50+ hours a week and get out of breath opening the microwave oven door? Yeah, doing that 16 mile out and back hike with 10,000 feet of elevation change may sound like a neat idea but probably should not be in your near future. Many people start out with easier hikes and move to more challenging ones. Hiking trails get “harder” to hike with elevation change (going up AND going down), the type of trail (scrambling over rocks versus a towpath), and a couple other factors. To understand the terrain, my suggestion is to…

Get a Map

If you pick a National, State or even local park, their web sites may have maps that you can print and bring with you. And yes, you have to print it AND bring it. Trust me here. When you are cold and it is starting to get dark, you’ll want to know that about 100 meters east of your current location is a road that will take you to a place that sells coffee. These things matter.

I’ve figured out that I like being on mountains and being able to see/hear water. Those hikes recharge my mental/emotional batteries the quickest. Figure out some elements of the outdoors that you and your companions like. Want to see a lot of birds|reptiles|fish? How about plants|trees|rocks? Lots of options for you to choose from.

You can get maps from REI and other outfitters or online for the park. For instance, I live in Montgomery County, Maryland and they have a web site http://www.montgomeryparks.org/PPSD/ParkTrails/trail_maps.shtm that has links to PDFs of each park’s trail map. Your county|city|local park may have that too. Some places, such as one of my favorite local hikes at Sugarloaf Mountain, not only have trail maps you can bring with you but they print them and place copies at the trail heads so you can take a copy at the start of your hike and then leave it when you go back to your car.

Thinking about using your cell phone for a map? Maybe tracking your hike for some “count your steps program”? Cool! Charge up your phone before you go and consider (depending on your course and hike) bringing an extra battery to charge your phone. Oh, and still print the map and bring it. I’ve been on MANY hikes where I’ve brought a map just because of habit and I’ve run into some novice hikers that had no map and no idea where they were. They were very happy to purchase my home-printed map at a high price. I love capitalism. But seriously, someone else may need your copy of the trail.

OK, let’s say you have found a map, you probably need to…

Plot a Course

Figure out what is a reasonable trail to take and reasonable distance for you and your companions. Places like Sugarloaf Mountain have descriptions of each of their trails on the map (http://www.sugarloafmd.com/sl_trails.html). These descriptions are valuable tools in helping you decide not only what your primary path is but if there are “bail” places. Let’s face it. Sometimes we go somewhere and, for whatever reason, we don’t have a good time. Perhaps you go on this first hike and you find out on the trail that you are allergic to every single tree around you. Knowing that there is a shortcut to go back to your car is a great feeling.

I like doing circuit or loop hikes where you essentially walk in a circle, starting and ending at the same place and not retracing your steps at all. Out-and-back hikes, where you hike for X amount of time|distance and then turn and retrace your steps, are another popular course you might choose. There is no right way to do it, and the trail(s) you decide to take may determine the type of hike.

Walking in the woods on a trail is usually slower going than walking on a road. I normally walk around 3-4 miles per hour on the sidewalk, but there are many hikes where we have to struggle to go 1-2 miles per hour. Plan for more time than you think you need. If you are going on a 5 mile hike on fairly even terrain and are in good shape, you may be able to pull off 2-4 miles per hour hiking. With longer hikes, you will need to take breaks. Plan for that. Plan for slowing down to appreciate the views too!

With your map and course(s) plotted, it is important to…

Tell a Friend

If you are going hiking alone or going into a remote area where there are not a lot of people, text|SnapChat|email|call a friend or family member to let them know where you are going and when to expect you back. I’ve seen things go wrong on the trail. It happens. Don’t be fooled into thinking “Well, I’ll have my cell with me. I can always just call someone from the trail,” because accidents will happen just when you get into that cell phone dead area where you have no signal. Thanks to my buddy Eric for reminding me about this important point.

Since someone knows where you are going, you may want to…

Check the Weather

Going to rain today? Prepare for it. Getting sunny|hot|cold|snowy? Prep for it too. You will appreciate your preparation if inclement weather arises. One thing many people don’t think about is bringing extra towels and plastic trash bags with them in the car so that when you return and you and your gear are wet, you can dry off and protect your car from your gear.

Don’t be put off by poor weather forecasts. My family and I have had entire parks to ourselves on cold, snowy days. You see the trails and nature differently in different weather. One of my most memorable backpack hikes was on the Appalachian Trail in the rain. My son, two family friends and I stood on the Route I70 pedestrian overpass in the rain and waved our arms at cars and trucks until they honked their horns.

This should get you out and about on your first hike pretty well unless you are…

Bringing Kids?

Kids make hiking awesome. I loved walking with my little ones on the trails. They appreciated all the new sights and sounds so much more than my adult senses could. A red leaf on the ground. A big bug crawling across a branch. A bunch of poison ivy leaves that they made into a bouquet for their highly allergic dad. Ah…those were the days.

If you are an experienced parent, you will know that kids slow you down until they get to a certain age. At that point, you slow them down. Weird how that happens. Plan for shorter hikes with younger kids. Even if you are carrying them in a backpack carrier, plan for shorter hikes. And add more time to the trip for kids.

Bring a ton of snacks. Healthy, sugary, whatever. Bring extra food for them. It keeps them busy (and quiet!) and gives them extra calories. Win. Win. Win.

Older kids can help plan the course (and be the course director when on the trails) and carry things. Put them to work!

At this point I should congratulate you because…

You made it! Now Appreciate it.

Oh, you just got to the trail with your backpack and everything. You are prepared and ready to tackle that road|hill|mountain. Awesome! When you are out there on the trail, away from the sounds of cars and trucks. Away from the stresses of work. When you walk onto the trail and are the farthest away from what you consider “civilization”, I want you to stop. Yup. Right there on the trail. Well, step to the side of the trail and stop. Look around at the colors and shadows. How the light plays off the stream|vines|sand|trees|rocks. What sounds do you hear? I’m not trying to get all mushy on ya here, but some of the coolest things I’ve experienced, the times when I’ve felt most centered, were standing on some trail and just looking around, listening and, well, just being. Take pictures to bring back and show friends|use as a desktop background|email to your companions. I love taking pics of nature.

If you are in the DC/Maryland area and looking for some good recommendations for your first hike, see below:

  1. Sugarloaf Mountain – Dickerson, MD – This private mountain is open to the public and is my favorite place to visit. All the trails are very well-marked, the maps are excellent and the views from the top of the mountain are amazing. My suggestion for a good starter hike is:
    • Park in the West View parking lot
    • Take the green trail up the mountain. There are a bajillion stairs going up but there are places to rest.
    • Eat something at the top and take pics.
    • Take the red trail down the back of the mountain and make a left on the blue trail at the mountain base.
    • The blue trail takes you right back to the West View parking lot.
  2. Billy Goat Trail – Great Falls, MD – This is a more challenging trail that has it all, from 50 foot rock climbs to bouldering and walking on dirt trails in the woods. The variety of paths in this 1.5 mile trail next to the Potomac River makes it a fabulous trail. Due to its location on the C&O Canal, this trail is heavily used and lines form in certain places. I suggest hitting this at off-peak times.
  3. Visit the Montgomery County Parks Page – Lots of hikes to choose from here. Pick one, pack a backpack and go!

After you finish your hike, do me a favor and Tweet your favorite part of the hike to me at @WebBreacher.


Fake Name Generator

When performing testing activities, whether it is web application penetration testing or usability testing, it is helpful to have example content to submit in web form fields. The same can be said for people trying to create sock-puppet or alias accounts on the Internet. We need sample/fake information so that we can set up the accounts we need to perform our OSINT (Open Source Intelligence).

You see, some web sites require a login to access their data. And some show additional information to authenticated accounts versus anonymous ones. Other web applications will notify a user account which other user accounts have performed searches for their name or who viewed their profiles. For all of these reasons and more, OSINT analysts need alias accounts, and to create them they need to generate sample/fake user profile information. A web application can help us out here. I’m talking about http://www.fakenamegenerator.com/advanced.php. This feature-rich, free site will create good dossiers for non-existent people. Take, for example, the profile I just created below.

[Screenshot: the generated profile]

To create this profile, I chose the default settings: an American male or female from 19-85 years old. The web app did the rest. Beyond the info shown above, it provides more data to help set up a fake account:

[Screenshot: additional generated profile details]

Some people have commented that this site’s foreign profiles are not perfect and sometimes don’t make sense (wrong names, non-random content…). I think the site provides great value for your money (free!) and gives the analyst a head start on creating an alias profile to perform their OSINT.