Friday, July 28, 2017

Switch upgrade

Recently I upgraded the switch on which my Tor relay sits from an FS108 (unmanaged switch) to a Ubiquiti US-8 (managed), and the traffic throughput of the relay approximately doubled, recently hitting an all-time high of 3.15 MBit/s average speed, with 32 GB transferred total in a single 24-hour period. I'm still trying to figure out how having a managed switch worked this magic. Granted, I also increased the max bandwidth rates permitted, but the change in traffic was noticeable before that increase.
Replaced switch on July 09, 2017
Update: A colleague suggested QoS as the most likely improvement in a managed switch.

Wednesday, July 26, 2017

Check out my Guest Post on the Internet of Things

Check out a guest post I wrote last week on IoT. After being sent an inaccurate image of "IoT Attacks: Top 10 Things you need to know" I got riled up and wrote a more accurate summary.

http://elephantscale.com/2017/07/iot-top-10-things-need-know-non-fluff-version/

Note: To make it snappy I avoided being pedantic. While routers with smartphone apps for remote access could fall into the IoT or "smart" category, there is a difference between the former and routers that have issues with their firmware or the web management interfaces (for internal use). The original graphic gets mixed up between the two.

Update due to link rot: https://web.archive.org/web/20171028125822/http://elephantscale.com/2017/07/iot-top-10-things-need-know-non-fluff-version/

Friday, July 21, 2017

Groceries of Interest - Wilmington, DE

While enjoying the flow of oxygen during exercise, a delusional thought arose, that perhaps it is worth writing about the supermarkets and groceries I seek out when traveling. Each is a reflection of the area, and each has something to distinguish them. For me it's something fun to do in new destinations, and I am always on the search for kosher products and interesting foods. It is something else to write about, even if it is spoken from the perspective of a white, Jewish, privileged male ("dazed choir boy" comes to mind, thanks to Terry Pratchett).

The last several weeks have seen me visiting Wilmington, Delaware, a town with a business center in downtown filled with people who all commute from the suburbs, some even from Philadelphia. The downtown core is also surrounded by some of the most dangerous neighborhoods in the United States. In this way it is reminiscent of Detroit, although not in the same bereft, rundown manner. Half the downtown area is still very much urban core, while the other half is financial and covered in sleek glass buildings. It was here that I encountered a grocery that redefined my expectations of such markets, forcing me to read the definition of a grocery on Wikipedia. Turns out, "supermarket" and "grocery" are not the same. One is like a dry-goods store, the other usually has fresh produce. In need of something to eat for a weekend stay, caused by a visit to a local refinery for work that stretched too late for a flight back in time, I went to a market somewhere on 2nd street in Downtown. While the couple behind the counter did sell sandwiches and other foods, there was no produce at all, just canned foods, chips, diapers, and cleaning equipment, and milk in the refrigerators. No yogurts either.

Now perhaps this is what supermarkets look like in food deserts, but privileged me hadn't ever seen this sort of thing. Fortunately, canned spinach and asparagus are just fine.

There was an actual grocery store at the outskirts of downtown, dingy and dark. In the evening, bins of potatoes and wilted cabbage are covered with burlap, while a row of artificially flavored sodas sits nearby. Apples are not to be found. Aside from some sparkling cider, the grape juice to be had is full of corn syrup and lots of artificial purple coloring. A bit depressing.


Monday, July 17, 2017

Dump1090 and Munin

I first encountered munin on a pentest. Then I found this glorious page, which looked like it used munin to generate graphs from ADS-B data via dump1090. That got me to install munin server on a VM running Lubuntu, following this great guide from DigitalOcean (which has a bunch of other useful tutorials on their site). Munin-node is on all the accessible Pis in the house with the exception of my Tor relay.

Today, while waiting for the laundry to finish, I finally got a dump1090 plugin to work, namely this one: https://github.com/strix-technica/ADSB-tools. The only changes I made were:

1. Change the JSON_DATA path to /run/dump1090-fa/.
2. Install python-geopy.
3. Change the softlinks to link to /usr/share/munin/plugins instead of /usr/local/share/munin/plugins.

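The three changes above are all plumbing: get the plugin files into the directory munin-node actually searches, make sure the symlinks in /etc/munin/plugins point at that directory and not at the /usr/local prefix, and drop the links for plugins that only throw errors. The script below is an added example written for this post, not code from the post or from the ADSB-tools project. The directories are parameters rather than hard-coded so it can be exercised against a scratch directory first; the plugin names it is tested with (adsb_a, adsb_b) are constructed placeholders, not the real plugin names in ADSB-tools.

```shell
#!/bin/sh
# Added example, not from the post or the ADSB-tools project.
# Assumed layout: SRC_DIR holds plugin scripts checked out from the repo,
# PLUGIN_DIR is where munin-node looks for plugins (/usr/share/munin/plugins),
# ENABLED_DIR is the directory of symlinks that enables them (/etc/munin/plugins).

# install_munin_plugins SRC_DIR PLUGIN_DIR ENABLED_DIR
# Copies every regular file in SRC_DIR into PLUGIN_DIR, makes it executable,
# and (re)creates the enabling symlink so it points at PLUGIN_DIR, which is the
# post's fix for links that pointed at /usr/local/share/munin/plugins.
install_munin_plugins() {
    src="$1"; plugin_dir="$2"; enabled_dir="$3"
    mkdir -p "$plugin_dir" "$enabled_dir"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cp "$f" "$plugin_dir/$name"
        chmod 0755 "$plugin_dir/$name"
        # -f replaces a stale link, -n stops ln descending into an existing link
        ln -sfn "$plugin_dir/$name" "$enabled_dir/$name"
    done
}

# count_links_into ENABLED_DIR PREFIX
# Prints how many symlinks in ENABLED_DIR resolve under PREFIX; a quick check
# that every enabled plugin really lives in the expected plugin directory.
count_links_into() {
    enabled_dir="$1"; prefix="$2"; n=0
    for link in "$enabled_dir"/*; do
        [ -L "$link" ] || continue
        case "$(readlink "$link")" in
            "$prefix"/*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# prune_munin_plugins ENABLED_DIR NAME...
# Removes the enabling symlinks for the named plugins (the post's cleanup of
# kernel-error and irqstats links). Only symlinks are removed, never regular
# files, so a plugin dropped straight into ENABLED_DIR is left alone.
# Prints the number of links removed.
prune_munin_plugins() {
    enabled_dir="$1"; shift
    removed=0
    for name in "$@"; do
        if [ -L "$enabled_dir/$name" ]; then
            rm "$enabled_dir/$name"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Real run on a Pi (as root) would look like:
#   install_munin_plugins ~/ADSB-tools/munin /usr/share/munin/plugins /etc/munin/plugins
#   prune_munin_plugins /etc/munin/plugins irqstats
#   count_links_into /etc/munin/plugins /usr/share/munin/plugins
#   service munin-node restart
```

Running it against a temporary directory first shows whether the links land where munin-node will find them before touching /etc; after a real run, `count_links_into` should equal the number of plugins you expect to be enabled, and `munin-run <plugin>` on the node will confirm each one actually produces values.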
At last (this will be updated later with more pretty data):

[screenshot of the munin graph overview] Look at all the useful categories :)

On a side note I also cleared out /etc/munin/plugins of all the symlinks to unnecessary plugins such as kernel errors and irqstats (which was throwing constant errors).

Munin is the first step to visualizing network data. A long-term step will be to build a rudimentary network dashboard with traffic from all connected devices. P.S. Ntop is useful but confusing.

Update:


Sunday, July 16, 2017

Fond memories of an old Rockstar game

While going through my files, clearing out space and trying to understand where the cruft really was (hidden files), in advance of possibly purchasing a Synology device to start regularly backing up all my important documents, I found some interesting tidbits from days past. One of them is Wild Metal Country, a PC game created by Rockstar of GTA fame. For several years, this game, along with GTA 1 and 2, were available online from the Rockstar website, but not anymore. This is supposed to be the first game without a set storyline, just like GTA, except this one comes with you as a mech on an alien planet, killing other robots of a variety of shapes and sizes in search of cores. You have a choice of six-odd different vehicles to control, including low profile, three-wheeled, and one-big-wheeled. You have 9 different armaments, including guided missiles, mini-nukes, and bouncing bombs. There are three main areas with a boss level. The config file can be hacked to change your armaments to be infinite, and that's how I got through areas 2 & 3. The zip file can be downloaded here. You might need to use a wired mouse and keyboard to play it.

Tips: Your speed can also be hacked. My top speed in game is ~400 km/h before my vehicle exploded due to friction.

Monday, July 03, 2017

Today's endeavours

It wasn't until I'd posted the earlier item that I discovered that today is a work holiday too.

A few days ago I received a LiFePO4wered device for a Raspberry Pi 3. It seemed like a good idea, though the price tag is a bit high. To play with it, and also to follow up on something else I'd wanted to try, I installed the ARM image of Kali Linux on the Pi. This worked fine and was snappy, but the kali-linux-full package I would like to have had was too big for the 8 GB microSD card on the Pi. Additionally, the LiFePO4wered battery software is tested only for Raspbian Jessie, and didn't quite work for Kali ARM. So Kali was replaced with Raspbian Jessie with Pixel. In what can be considered slight overkill, I downloaded and installed this package of pentesting tools, leaving me with about 500 MB of spare space. A better idea might have been to add the Kali repository and install a kali metapackage such as kali-linux-wireless, which was the target goal.

The LiFePO4wered battery on the left, with an Alfa card attached.

The primary benefit of the LiFePO4wered battery so far is that it includes a touchpad on/off button, which is great for keeping the Pi running while you switch from external battery pack to plug power. It also means that the Pi won't accidentally turn off if you're performing a wireless audit and the cable to the external battery pack comes unplugged. In fact, with the setup above the Pi could probably run over 2 hours with a small adapter like this, albeit with reduced range. The time could be extended with a solar panel, which the LiFePO4wered battery is designed to work with.

Next, I plugged in an Alfa 052NH and walked around the apartment complex, got stopped by a neighbor, installed a spare cloud camera for him to monitor his car outside the window, all for about 1.5 hours, during which time kismet was running. It produced a 127 MB pcapdump file, plus some extra for the nettxt and netxml files. With that benchmark, it's probably safe to stick with the current tools list rather than start over with a Kali metapackage. (Interesting ESSIDs include a Thermostat with an open network, nepeta, and 2cups_1girl and 2cups_1girl_the_sequel for 2.4 and 5 GHz respectively).

Today, I spent too much time trying to connect the Pi to my PirateBox so it could communicate with my laptop on a local wireless LAN. Turns out the PirateBox is designed to be private, which means that cross-router communication is not possible. (Missing routes in the routing table? Maybe client isolation is enabled in OpenWRT?) Either way, it's a feature, so instead I did some research and decided to purchase a different model of TP-Link travel router, one which hopefully doesn't have an app that needs to be connected to be used. This one I can eventually use to follow this great guide to make myself a private VPN for work travel.

Next I reflected on the lack of backup solutions in my network. It would be great to have a copy of the music on the Plex device USB to transfer around in case I'm travelling and want to have my latest downloaded music with me. It would be good for backups too. Or how about if I could use youtube-dl to download very large playlists of youtube videos? With enough storage that becomes feasible.

So here are my requirements (thinking out loud):

1. Ideally it should be accessible via SSH. Alternatively, as long as it's network attached and there's a web interface of some sorts, just make sure attaching it works fine.

It would be great to have a script on the backup device that uses SFTP or SCP to ssh into all my devices and backup data or generate traffic stat data to visualize on an internal monitoring page, separate from the munin installation. Alternatively, I could split the job, putting the scripts on a VM to pull the visualization data, and also have scripts to perform backups to the storage device.

2. I need to be convinced to bother with RAID 6. The easier the setup the better, as my primary homelab focus is learning basic network infrastructure in support, or pursuit, of primarily application security and also penetration testing. That is, the majority of my projects so far have involved setting up web servers or products that include web servers. Plug and play with minimum amount of fuss is my goal, not spending days getting a backup solution to work.

3. The faster the better. Network cabling is entirely Cat6, and most of the PCs have gigabit NICs. The Raspberry Pis do not, and would be the primary bottlenecks.

4. The quieter the better. I sleep in the same room as the nascent home lab, meaning silence is golden.

5. Smaller form factor is preferable, but not mandatory.

6. Low power requirements would be nice.

I'm looking at Synology devices, but am open to other solutions, such as NUCs with FreeNAS.

Tomorrow I hope to practice two items:

1. Practising with iptables on the pentesting Pi.
2. Setting up a simple captive portal on the Ubiquiti AP AC Lite to try to get the EvilAuth modules for the Pineapple Wifi to work.

BlackHat and Defcon Talks to look forward to (and why)

Some talks are being presented at both.

BlackHat

Must See:

Breaking the Laws of Robotics: Attacking Industrial Robots
Practical attacks against industrial robots with real hard data? Sign me on.

Don't Trust the DOM: Bypassing XSS Mitigations via Script Gadgets
For making me think deeply.

Escalating Insider Threats Using VMware's API
Could be useful when encountering VMware products on the network, once potential for other low-hanging fruit has been exhausted.

Exploiting Network Printers
Following in the vein of previous publications.

Fighting the Previous War (aka: Attacking and Defending in the Era of the Cloud)
I had an engagement where Google products were used almost exclusively, e.g. GMail, Docs, Drive. This meant: most communication was via HTTPS; there was limited chatter visible just by plugging in; and no AD environment, no Outlook, etc. Short of ARP spoofing on a limited segment, I ran out of ideas.

Ichthyology: Phishing as a Science
I want to learn more about phishing.

Practical Tips for Defending Web Applications in the Age of DevOps
Yup, dynamic analysis just doesn't cut it when the focus is on integrating security earlier into the SDLC. See also SecDevOps.

The Industrial Revolution of Lateral Movement
I'd like to know how this is presented (industrial revolution?).

They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention
You can never stay in one spot, relying on a few tools. Even in the glacial world of enterprise security, NBNS/LLMNR will stop working eventually.

Why Most Cyber Security Training Fails and What We Can Do About it
Introduces a framework for comparing cyber security training. Useful for anyone in a corporate environment where testing against frameworks and standards is a trusted baseline.

For Fun:

Tracking Ransomware End to End
Ties into phishing. The big picture of ransomware should be great as a high- and low-level overview.

What's on the Wireless? Automating RF Signal Identification
Anything from Michael Ossmann is a must-see.

Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization
I'd like to see how the presenters deal with large quantities of data, having encountered increasing amounts of files and logs with each engagement, and not just as a CYA measure.

The Active Directory Botnet
AD and botnets are unfamiliar territory.

Defcon: https://www.defcon.org/html/defcon-25/dc-25-speakers.html

(P.S. Check out the bios of the EFF panel speakers, intensely qualified each and every one.)

Must See:

Game of Drones: Putting the Emerging "Drone Defense" Market to the Test
Last year's presentation is fantastic, this year should be great (a new DangerDrone???).

Introducing HUNT: Data Driven Web Hacking & Manual Testing
Another burp plugin, to make my life easier? Yes please.

I Know What You Are by the Smell of Your Wifi
Can I find more vulnerabilities with it?

D0 No H4RM: A Healthcare Security Conversation (Panel)
Medical industry security is a hot topic. I've had one engagement in the industry and the mindset of health-care professionals is one to come to grips with before you start working.

Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods
101 indeed.

Dark Data

Wiping out CSRF
CSRF has always been a weak point for me.

Game of Chromes: Owning the Web with Zombie Chrome Extensions
Owning stuff with new attack vectors? Yes please.

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
I click blindly on anything that has SSRF in it.

There's no place like 127.0.0.1 - Achieving reliable DNS rebinding in modern browsers
Could be dry, or not.

For Fun:

Popping a Smart Gun

Hacking travel routers like it's 1999
Given my habit of using a PirateBox on the plane, this could be fun.

Breaking Wind: Adventures in Hacking Wind Farm Control Networks
One of several presentations at either Defcon or Blackhat about hacking esoteric ICS stuff (there's another one about vulnerabilities in radiation monitoring devices).