Terence Eden’s Blog 2024-09-04 Some thoughts on the YubiKey EUCLEAK Vulnerability https://shkspr.mobi/blog/2024/09/some-thoughts-on-the-yubikey-eucleak-vulnerability/ It looks like everyone's favourite FIDO token provider might have an unpatchable vulnerability! Much Sturm und Drang from the usual sources. But how bad is it really? Not so bad - but it does expose some weaknesses in the very idea of having physical tokens. First up, as the research paper's abstract says: The attack requires physical access to the secure element So, straight off the bat, this reduces the likelihood of attack. Someone would need to actively target you. Of course, if you're the sort of person who secures all their secrets and cryptowallets with a FIDO token, you may be a juicy target! Secondly, the attack relies on: the adversary steal[ing] the login and password of a victim’s application account protected with FIDO So, you need to lose your username, password, and token for this attack to be successful. Again, this is unlikely to happen as a "drive-by" attack. Once the attacker gets your FIDO token, they need to analyse it using "expensive equipment". A cost of approximately $11,000 according to Ars. That moves the attack away from the hands of casual criminals. It isn't an insurmountable barrier for organised crime or nation states. Finally, Appendix A discusses how difficult it is to actually get the equipment close enough to the circuitry: […] capturing the EM signal with a small EM probe would not work if this probe is too far from the chip. We hence have to open the YubiKey plastic case to access its logic board. […] In both cases however, the device needs to be re-packaged if the adversary wants to give it back to legitimate user without him noticing. We did not study further this issue. Here's what it looks like when that probe is placed next to the circuitry: [Image: Photo of electrical equipment placed very close to a circuit board.] If you suddenly find your Yubikey smashed or cracked, then you may have been a victim of this attack! A reasonable way to defend against this is to get some glittery nail polish. No, seriously! Put a blob of glitter polish on the seam of your device. Something like this: [Image: Nails painted with polish. An intricate pattern has formed.] Take a photo. If the baddies grab your YubiKey and crack it open, they won't easily be able to get the pattern correct when they re-seal it. Regularly compare your photo to your device. The Real Issue With FIDO Tokens Physical tokens require physical security. I've moved to a an Encrypter Ring. I literally wear my FIDO token. I am extremely likely to notice someone removing my ring (or my finger). [Image: Photo of my fingers stretched out so you can see the width of the ring.] Is your token on your keyring? Where is your keyring right now? In your pocket or hanging up somewhere? Most people either leave their FIDO token laying around out of sight or have it permanently plugged in to their machine. I'm not sure which is worse. The other major issue is that it is impossible to revoke a FIDO token from all your accounts at once! You've used your token to register with a few dozen sites, you either lose your key or discover it has been tampered with. What do you do? There is no way to tell which sites you have used a FIDO token with. You have to remember (or keep a list somewhere). You will need to manually go to each site and revoke the stolen token. If you've forgotten one, you can't revoke it from your key, which means attackers could have unfettered access to that account. What should I do? The discoverers of this vulnerability take great pains to say: it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one. I think they are correct. But there are still a few things you should do to secure yourself against this class of attack. Ensure the physical security of your token. Either wear it as jewellery, implant it in your skin, or reduce the likelihood of it being taken. Ensure the physical integrity of your token. Use nail-varnish or something similar to help you detect if it has been physically compromised. Ensure that you know which sites have been secured with a Yubikey. Make a note of it in your password manager or other secure vault. Ensure that you are less of a target. Don't brag about your security. Certainly don't post on the Internet about which security products you use and the countermeasures you take. Oh shit. ------------------------------ 2023-10-11 Book Review: The Cuckoo's Egg - Clifford Stoll https://shkspr.mobi/blog/2023/10/book-review-the-cuckoos-egg-clifford-stoll/ [Image: Book cover - illustration of a person sat in front of a computer.] This book is outstanding. It's the mid 1980s, you're administrating a nascent fleet of UNIX boxen, and you are tasked with accounting for a 75¢ billing discrepancy. Naturally that eventually leads into an international conspiracy involving the FBI, NSA, and an excellent recipe for chocolate chip cookies. It is a fast paced, high-tension, page turner. There's also a sweet moral core to the story - as well as the somewhat saddening death of naïvety. It's hard to overstate just how fun this book is. Yes, with the benefit of hindsight running unpatched machines and letting any old hippy connect to them was always going to be a security nightmare. But some of the problems faced by those early pioneers are still present today. Default passwords, unmonitored systems, uninterested law enforcement, dictionary attacks, buggy permissions, the moral quandary of responsible disclosure - it's all in here. Of course, there are a few bits which look pretty dated now. Especially some of the attitudes to online privacy: “You’re not the government, so you don’t need a search warrant. The worst it would be is invasion of privacy. And people dialing up a computer probably have no right to insist that the system’s owner not look over their shoulder. So I don’t see why you can’t.” It's also nice seeing how internecine warfare between hackers has barely evolved: From long tradition, astronomers have programmed in Fortran, so I wasn’t surprised when Dave gave me the hairy eyeball for using such an antiquated language. He challenged me to use the C language ... VI was predecessor to hundreds of word processing systems. By now, Unix folks see it as a bit stodgy—it hasn’t the versatility of Gnu-Emacs, nor the friendliness of more modern editors. Despite that, VI shows up on every Unix system. There's some deep wisdom in there for any programmer to reflect on: If people built houses the way we write programs, the first woodpecker would wipe out civilization. I urge anyone with an interest in computer security to read it. There's a huge amount of entertaining history in there - and plenty of lessons that we still need to learn. ------------------------------ 2022-08-30 What's the most malicious thing you can do with an injected HTML heading element? https://shkspr.mobi/blog/2022/08/whats-the-most-malicious-thing-you-can-do-with-an-injected-html-heading-element/ A bit of a thought experiment - similar to my Minimum Viable XSS and SVG injection investigations. I recently found a popular website which echoed back user input. It correctly sanitised ------------------------------ 2021-11-05 Certified in The Art of Hacking - Day 5 https://shkspr.mobi/blog/2021/11/certified-in-the-art-of-hacking-day-5/ This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! Verdicts Some of the lab tasks were impossible without looking at the cheat sheet. I got stuck on one because the question told me to go to one URl, but I had to guess the one which was vulnerable. Felt like a bit of a "gotcha" moment. Perhaps in a proper lab environment it might have made more sense - but because we're mostly just learning how to use tools, I wasn't really prepared to use my critical thinking skills! Only a half day, again. Good discussion of XSS and CSRF - but only a surface discussion of what they can do and how to prevent them. That's the problem with these sorts of courses - they can only say "sanitise user input", they can't explain how to do it for every environment. SQL Injection. Good length of session. The standard Little Bobby Tables joke. And quite focused on Burp Suite and SQLMAP. A small bit on preventing them with parametrised queries. CIA triad was briefly mentioned - but not really discussed. I would have expected more on that as it is fairly fundamental. XXE. Malicious XML files. Billion Laughs Attack was (very) briefly covered. Web shells from insecure file upload. A few tricks on how to fool UGC checkers. But not too much on defending. The object serialisation stuff seemed a bit obscure. Not sure how relevant that is to the real world - but interesting none the less. In the end, my overall verdict is that this is a good practical course. But because it covers so much, and spends so long setting up environments, it only gives a brief overview. It's rather geared towards specific tools - and that means lots of syntax memorisation for the exam. The Exam I fucking hate exams. There are very few times in life where you have a hard deadline, no one to help, and no ability to consult external sources. Because of the intrusive spyware used on their proctoring system (more on that tomorrow), I'm going to have to go to a test centre to take the exam. The exam gives 70 minutes to complete 50 multiple choice questions. 50% needed for a pass mark. That seems achievable. But it really depends on how many Windows questions there are, and how many ask me to precisely remember command line options. [Image: XKCD comic. [Megan and White Hat stand next to a nuclear bomb. The bomb has a hatch open on top, and a small blinking screen. The two people are shouting off-screen.] Megan: Rob! You use Unix! White Hat: Come quick! [Megan, White Hat, and Rob look at the screen on the bomb. Rob peers closely. The screen is on the bomb, but is shown at the top of the panel in black with white letters, except ] Practice questions The first time I scored 10/10. I know this stuff ☺ John has run dirbuster against a target website looking for possible pages to investigate and receives the following results. What does the 401 response mean? HTTP 401 response means that the page is not available HTTP 401 response means that the server has returned an internal error HTTP 401 response means that the client should use the version in its cache HTTP 401 response means that the resource is available, but requires authentication credentials to be able to be accessed What port does BurpSuite use by default? 80 4444 8888 8080 What file is commonly used to inform search engines about the folders/files they are forbidden to index? robots.txt index.html search.csv spider.txt Sally wishes to retrieve all the pdf documents from targetsite.com. Which of the following Google Dorks would satisfy that demand? intitle:index_of *.pdf location:targetsite.com site:targetsite.com filetype:pdf pdf domain:targetsite.com targetsite.com filetype:pdf Connor is experimenting with a XSS vulnerability on a website. He uploads the following script but gets no response. What is the issue here? alert(XSS); The syntax should be alert("XSS"); The syntax should be ------------------------------ 2021-11-04 Certified in The Art of Hacking - Day 4 https://shkspr.mobi/blog/2021/11/certified-in-the-art-of-hacking-day-4/ This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! The penultimate day. Try not to worry about the upcoming exam! Today was lots of HTTP, TLS, and other low-ish level stuff like that. But mostly focussed on common website attacks. Verdict Bit of a repeat of yesterday's Windows session to make up for the broken labs. The exam requires 50% right answers to pass - so I feel quite relaxed if I fail the Windows portion. I reckon I should be about to get a few correct questions either by guesswork or memorising metasploit commands. With a bit of luck, I'll never have to interact with Windows in my professional life! Painful start trying to get half-a-dozen students to correctly configure Burp suite. Sort of thing which either needs to be built into the labs, or have fool-proof instructions. Discussion of OWASP - but only up to 2017. Lots of the stuff is a bit outdated. Tutor seemed to think the 2021 Top 10 was only in draft... There was a good demo website to attack NotSoSecureApp.com - lots of playing around with Burp and DirBuster. Again, only a short bit on mitigation. I think that would have been more useful for the target audience. And, again, lots of trivia. There was one slide on Certificate Authorities. What could have been an interesting discussion on how they work and their weaknesses, was reduced to "they exist". Similarly - there's an attack called POODLE. What is it? How does it work? Can it be defended against? Nothing. But, overall, good. It was really focussed on Burp and SSLscan - just learning the tools rather than the underlying problems. Practice Questions From the Windows session. Through guesswork, I got 7/10. What Windows service typically uses UDP port 5353? (This question was wrong. Should be 5355.) Kerberos LLMNBR NBTNS NetBIOS Responder is often used with the -f switch, but what does that switch do? Perform DNS lookups Enables fast mode Responds with false answers to DNS lookups Enables fingerprinting of hosts that issue LLMNR queries James has run the nbtstat command against a device and receives a code 1C. what does this code denote? The machine is a File Server Service The machine is a Domain Master Browser machine is a Workgroup member machine is a Domain Controller What does the RID value 502 denote? The account is an administrator account The account is a guest account The account is a bespoke user account The account is a Kerberos Key Distribution service A common command when using PowerShell is the IEX command. What does IEX stand for? IEX is an alias for Invoke-Expression IEX stands for Import Executable IEX stands for Interactive Executable IEX is an alias for Import-External module Simon has PowerShell capabilities on a Windows 10 device and wants to record details about the default program installation paths, etc. What command should Simon use? Get-ChildItem env: ComputerInfo System AppvStatus Carl has attempted to run enum4linux against a Windows host device and has received the following error message: Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. What is the most likely cause of this error message? The host isn't a Windows host Carl needs to run enum4linux with the -NT switch RestrictAnonymous registry key on the host is most likely set to 1 RestrictAnonymous registry key on the host is most likely set to 0 Sandra has access via PowerShell to a Windows 10 host and wants to enumerate the machine to try to identify those users who are members of the Domain Admins group. What does she need to do to do in order to get this information? Import the Microsoft.ActiveDirectory,Management.dll and then run Get-ADGroupMember -identity "Domain Admins" Import the Microsoft.ActiveDirectory,Management.dll and then run Get-ADGroup -identity "Domain Admins" Use the Get-SmbShare command to access the $IPC share on the domain controller and then run Get-GroupMember -Identity "Domain Admins" Run the Get-DomainAdmins command Vernon has downloaded a ps1 file he wrote from his server to a Windows Server device, and now wishes to execute the file. What should he check before attempting to run the script? The ExecutionPolicy should be checked to allow Vernon to run the unsigned script which has been downloaded from the Internet That the PowerShell service has been started That windows bitlocker is disabled That he is an administrator James has gained access to a Windows network and has enumerated a device for SIDs. He has received the following 4 SIDs: S-1-5-21-2000478354-1708537768-1957994488-500 S-1-5-21-2000478354-1708537768-1957994488-502 S-1-5-21-2000478354-1708537768-1957994488-1000 S-1-5-21-2000478354-1708537768-1957994488-1001 Which of the SIDs is identified as the default admin account? Notes HOSTS file manipulation Basics of HTTP. Statelessness. Requests. Headers. User Agents. curl -v -X TRACE http://www.example.com Intro to Burp. Would have been better off watching https://www.youtube.com/embed/nECt-0zW0O4 DirBuster. Automated finding of common directories Passive Scanning with Google. Bug Bounties (!) Useful info - defaults, directories, plugins, cms, server version, error messages. Extra methods like WebDAV being enabled. Google "Dorks" - search for filetypes and common patterns. 2FA, authentication, OAuth. GitHub info leakage. OWASP cheat sheet. Base64 basic auth. Digest MD5. NTLM. Username enumeration. Login error messages can leak info. Burp intruder - generates lots of server side logs. Intruder to iterate through usernames and passwords. Password strength, HaveIBeenPwned. Password recovery. Stored hashed and salted. Poor account recovery questions like Mother's Maiden Name, Increase security means reduced usability. Use of sslscan to look for SSL/TLS errors. Hash collisions. Store above SHA1. Token expiration times and reuse. Don't store sensitive info in logs etc. TLS to encrypt in transit. How to share keys? Diffie-Helman! AES for symmetrical. TLS stages - asym to start, then sym. Certificate authorities issue certs and validate them. SSL is obsolete. TLS1.1 also obsolete. Disable old ones. Cupers > 128 bit. Vertical attack - standard user elevating themselve. Horizontal - accessing someone else's info. Business logic attacks. Parameter tampering. WebScarab to check entropy of cookies. Session fixation - copy cookies to get access. Session ID in URl. Can be resused to get access. Use POST for those requests. Basics of XSS. Reflected (sent by user). Stored (on server). Header manipulation. ------------------------------ 2021-11-03 Certified in The Art of Hacking - Day 3 https://shkspr.mobi/blog/2021/11/certified-in-the-art-of-hacking-day-3-2/ This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! Day 3 - the day I was dreading most of all… Windows! I've been avoiding M$ WinDoze (LOL!!!) since long before it was fashionable. Even at my earliest jobs, I'd find a way to convince the IT department to let me run Linux on their kit. I'm penguin-powered, baby! So, what can an Ubuntu toting geek learn about the gentle art of cracking Windows wide open? Not much. It was mostly a whistle-stop tour of various Linux tools and a brief explanation of Windows security models. Verdict The demo Windows network wasn't working, so all a bit theoretical to start. Once it was up, we had another "script kiddie" day. Run nmap, run enum4linux, run metasploit. Vaguely interesting, but not sure what parts we need to remember for the exam. Some of the tasks weren't possible unless you had a Windows machine. Most people had a "GoToMyPC" instance they could use - but those of us on Linux machines were basically stuck watching the tutor run some demos. Lots of memorising of Windows Powershell commands. But, again, no idea if they'll be on the exam. Some team exercises which was a nice change. I hosted an exploit, another student executed it. But, in the end, the code didn't work. The labs are a bit broken. Afternoon descended into farce because GoToMyPC went down and lots of students couldn't get back in. Combined with yesterday's inexplicable half-day, meant a lot of confused and frustrated students. The course description was: Unlike [Certified Ethical Hacker], where the focus is to run a tool to achieve an objective which helps attendees pass the exam, we focus on the underlying principles on which tools work and provide attendees an understanding on what is the root cause of the vulnerability and how does the tool work to exploit it. We also talk about how the vulnerability should be mitigated. But, at the moment, it is just running metasploit and a few other tools. Nothing much about the principles. And only a passing comment on how to defend against things. Similarly, it says: we do not talk about hacking windows XP and 2003 servers (unlike CEH) but talk about circumventing controls in Modern OS such as Windows 2012 / 16 servers. High impact vulnerabilities such and or mass compromise vulnerabilities are taught in the class. Yet there was lots of discussion of Windows 7 and outdated versions of Chrome. Not quite what was advertised. Turns out the exam isn't on Friday. We have a voucher and we can book the exam in the next 12 months. Think I'll take it sooner rather than later - but will give myself enough time to cram and memorise every command line option in existence. Practice Questions - Linux Hacking Here are the test questions from yesterday. Once again, it's mostly "can you remember the exact command line without running --help - which I'm not sure is useful. I got 6/10. This really needs a practical exam. A CTF or similar. Sure, with a bunch of hackers, it could turn into the "Kobayashi Maru" exercise. But that's better than trying to rote learn the command line. Which of the following is NOT an attack against SSL? Heartbleed POODLE FREAK RowHammer What is the maximum amount of data retrievable by each Heartbleed heartbeat? 64kb 1Mb 512kb 256kb True of false, Shellshock affects BASH v 4.4 True False Which command allows you to display the full kernel version on a Linux system? cat /etc/kernel uname -a echo version cat /env/kernel Jenkins is a popular continuous integration service, often run on Linux servers. What port does Jenkins listen on by default? 80 443 666 8080 True or false - The Jenkins web console is vulnerable to a deserialization attack? True False Simon has managed to obtain a meterpreter shell on a remote Linux machine by exploiting a weak implementation of WordPress. What command should he run to see what user-instance he is using? sysinfo ps whoami getuid Rebecca has managed to get a meterpreter payload on a victim machine which is configured with a reverse TCP setting which will attempt to connect to ker Kali machine on 80.17.222.34:4444. She needs to set up a netcat listener on her Kali machine to receive any TCP sessions from the victim machine when the payload is executed. Which of the following commands would do this? nc --listen 4444 nc -nlp 4444 nc -tup 4444 nc -nl 4444 James has obtained a meterpreter shell on a remote machine but only has restricted user access. He decides to try using a post-exploitation command to try to elevate his privilege level, but he needs to return to his msfconsole prompt to load an auxiliary tool. What command should James use to keep the meterpreter session alive, but allow him to return the msfconsole prompt back exit suspend background James has identified a suitable auxiliary command to use in conjunction with an existing meterpreter instance. How can James identify which meterpreter instance to use? session -i session -l sessions -l meterpreter -l Notes netbios - old and unused, should probably be disabled. LLMNR useful is DNS resolution has failed. Generates a lot of sniffable traffic. Can force Windows machines to give up data. Set up a fake server to received the LLMR broadcasts. Some services are blocked on IPv4 but open on IPv6. If DNS fails to resolve a host, LLMNR and NBT-NS will ask other hosts in the network if they know the IP address. Net NTLMv2 Challenge response hash is sent by the victim, the fake machine intercepts the hash and can start to crack it. Tell john the --format=netntlmv2 to crack it. If SMB signing is disabled on the target, you can relay the original hash to a new target. NetBT is netbios over TCP/IP. It does IP to name resolution. A legacy protocol, should probably be disabled. EPM is End Point Mapping (?). RPC is Remote Procedure Call (an API?). Bunch of other random acronyms and port numbers. nbtstat on Window, nmblookup on Linux. 1c for domain controllers. Windows enumeration usually on 135, 137 (UDP), 139, 445. Harder to detect attacks on 135 as it gets lots of traffic. 139 is obsolete from Vista. Used to be able to connect to InterProcess Communication shares using anon / null session. rpcclient -U "" -N 192.168... Relative Identified - RID. Unique but sequentially assigned. Can cycle through them, RID also identifies role of the user. SID is the security ID. Primary key for objects in active directory. Unique. Has relative level, top level authority, the domain, the RID. RID 500 is Admin, 501 Guest, 502 Kerberos. Everything else 1000+. RPC can do user to SID and SID to user. ridenum and enum4linux both good tools for this. Registry key has restrict anonymous usernames. Can be set to default, don't allow enumeration, no access. RID cycling over NULL doesn't work on Win 2008+. If you can do RID cycling with a valid domain user it might leak interesting information. Use of hash-identifier to see what sort of hash it is. Online services to check weak MD5 hashes. Once into a Windows machine, use PowerShell as it runs in memory and isn't detected by antivirus. Use GetExecution Policy to change policies. Powershell is case insensitive. Variables start with $. There are per-user preferences. Can declare arrays $a = 1,2,3 etc. To execute Import-Module .\scriptname.ext IEX (iwr 'url') to execute a URL?? Get-ComputerInfo and Get-ChildIntem env to find out about the target. Get-ADDomainControler to find other stuff. Open Shares an issue - can allow us to read and write. Default installations of web apps are often insecure. Printers are highly trusted, they receive all the hashes, so if you can get in with default credentials you can sniff everything. Printers have LDAP - can start malicious LDAP services. Use of client side attacks. Use metasploit (again) to host the exploit - get the target to access the metasploit server. Can host malicious web pages, documents with macros. Use Metasploit handler to listen to what's going on. Chrome 72-73 are vulnerable to Array.map, buffer overflow, read arbitrary memory. Chrome must be in --no-sandbox Electron - a shell around Chromium rendering and Node.js runtime - basically a web browser specifically for cross platform apps. Multiple processes. Joplin, also built on Electron. Can POST to the /notes API to deploy a payload. Can use JS to exec() a local .exe Looks for Kernel exploits, weak permissions, DLL hijacking etc with post/multi/recon/local_exploit_suggester. Look for PATH environment variable, and place DLLs earlier in the enumeration. Look for credentials using things like findstr or reg query. Or User Access Controls. Windows 7 issues. Cleartext creds in memory. No default antivirus. All apps are trusted. Win10 security features. Device guard - hard and software, locks down device, code integrity, prevents malicious code. Cred guard. Virtualised, isolates LSASS secrets. Enabled via the registry. Returns encrypted strings rather than NTLM hash. Local Security Authority (LSA). Prevents memory access to creds. AMSI - anti malware scan interface. In memory scans for malicious powershell script execution. whoami /priv to see privileges. winpeas to automate searching. CVE against things like IE, AppX, allow you to elevate privs. CVE against cryptoAPI - crypt32.dll allows you to self sign a malicious executable. RDP vulns. EternalBlue (ancient!) and Fuzzbunch. Microsoft COM RCE with device deserialisation flaws. AMSI can be bypassed via signatures? And ScanBuffer? and C# version? WHAT? Mimikatz can register a malicious DLL for a Security Support Provider and get creds. Can also bypass LSA. ColdFusion - lots of exploits. Directory traversal, misconfiguration, default password, FCK Editor - doesn't sanitise input so can upload and execute. Metasploit web server can bypass AV. Post exploitation is vital. Once you're in, what can be done? Dump users, password hashes, escalate, pivot (use as a staging post to get further into the network), replay credentials to masquerade as someone else, persistent access, permanent backdoor. Windows credential vault can store web passwords in plaintext. LSA has logged in user's passwords. Security Accounts Manager (SAM) - can't be accessed while system is running. Might be able to grab a backup snapshot. Can be accessed on the Domain Controller. Meterpreter can run hashdump in memory - so AV isn't triggered. Previous 10 unique logins are cached if DC not available. This is to allow the user to login to the system. Salted hashs. Salt is the username. Encrypted with LSA NL$KM account (??) cachedump can do this. LSA protected storage for passwords for users and tasks. System privs needed to extract. LSASS process memory - cleartext passwords for RDP login. Mimikatz is the main tool for this. Adding new accounts to Domain Admin group is very noisy - great way to get noticed. NTLM challenge response. 16 bit challenge, hashed with the user?? Pass the hash ------------------------------ 2021-11-02 Certified in The Art of Hacking - Day 2 https://shkspr.mobi/blog/2021/11/certified-in-the-art-of-hacking-day-2/ This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! Day 1 was all about password cracking and metasploit. Today? Linux Hacking! Sadly, we aren't learning anything to do with distributing 1337 cracks for warez (so 1998!). One point to note is that the questions we're set are extremely vague. Here's a sample: Exploit the HeartBleed vulnerability on 192.168.123.123 to get administrative access to the login interface on the server That doesn't tell me anything about what HeartBleed is, what tools I should be using, or - importantly - what exactly I'll be tested on. Do I need to know the exact sequence of bit to fire at a server? The name of a tool? How it could be defended against? The teaching slides we have are OK - but make large logical leaps. For example, telling us to run a curl command against a specific path without telling us how we would know about that specific URl. Practice Questions Got a bit more info about the sort of questions. Mostly trivia really. Some of the topics weren't really discussed yesterday. Here are the Port Scanning questions. I was a bit narked to get 50% (a barely passing grade). How well would you do? Sam has scanned a device in his network with nmap, and has identified a service running on port 22. What service should Sam assume this is? FTP SSH HTTP SNMP Jackie wants to scan all TCP ports with her nmap scan. What switch will enable Jackie to scan all ports? -P -p -p- -A Simon wants to scan a number of devices in his network with a half-connect scan. What switch should Simon use to accomplish this? -sU -sT -oA -sS If an nmap scan is executed with the -F (fast) switch set, how many ports does nmap scan? The 1st 1000 ports The first 100 ports The top 1000 most common ports The top 100 most common ports Which timing switch is more commonly known as the insane mode? -T1 -T5 -T0 -T9 James wants to scan the SSH service on his device. Which of the following will allow James to do this? -p 22 -p ssh -p T:22 Sandra has run the following scan; what does it do? nmap -Pn -O -sV -oA scan_results 192.168.0.1 Performs a ping scan, OS enumeration, Service enumeration, and outputs data to a file called scan_results Performs a scan of all ports, performs OS enumeration, performs a half-connect scan and outputs results to a file called scan_results Does not perform any nmap discovery scans, performs an overt scan, a verbose scan and outputs results to a file called scan_results Does not perform any nmap discovery scans, performs an OS scan, a service enumeration scan, and outputs results to a file called scan_results Which of the following outputs is NOT a nmap file output type Normal Grepable XML HTML True or False, performing a TCP Half-Connect (-sS) scan required privleges on the scanning computer? True False How many TCP ports does nmap scan by default unless told otherwise? 100 1,024 1,000 10,000 Mostly convinced me that most UNIX tools need a better CLI UI! A DB quiz. Again, mostly trivia. And some stuff not covered. I got 7/9. Art of Hacking - Database hacking Sarah has scanned a server and has identified a service running on port 3306. What is this service likely to be? MySQL Postgresql Microsoft SQL Mongo DB When attacking a MySQL server, which common account should you try to attack that is normally not configured to lockout? Admin User1 MySQL Root Gary has identified a weakness in a MySQL database installation and has managed to use the database to extract the contents of the /etc/passwd file from the underlying server. what command would Gary have used to do this? select LOAD_FILE('/etc/passwd'); select READ_FILE('etc/passwd'); select * from /etc/passwd select all from FILE('/etc/passwd'); What is the default port for a postgres SQL database? 1234 5544 2345 5432 What is the default user for a postgres SQL database? root admin postgres user0 James has recovered a set of credentials for a MySQL database running on IP address 192.168.0.43. The credentials he has discovered are: user = root password = P@55w0rd. What syntax should James use to gain access to the database? mysql -u root -p P@55w0rd -h 192.168.0.43 mysql -u root -p -h 192.168.0.43 mysql -a root -p -u 192.168.0.43 mysql -u root --password -h 192.168.0.43 David has managed to locate a vulnerable Microsoft SQL database application and wants to find out the version of database in use. What syntax should David use to obtain the version data? UNION SELECT @@version -- SELECT * FROM DB_VERSION # VERSION FROM TB_DATABASE WHERE V >1 -- SELECT * FROM @@version # What is the name of the file that all databases have that describes the database structure, including database names, table names, column names, and data types, amongst others? DB_STRUCTURE db_schema data_definitions information_schema What sqlmap switch would you use to retrieve all the contents from a targeted database table? --ALL --download --dump --loot Password questions - again, trivia. I got 7/10 with a few guesses. Kali Linux comes with some pre-installed word lists for use when conducting password attacks. What is the location of these files? /usr/share/wordlists /var/temp/wordlists /usr/wordlists /etc/wordlists What switch should Carl use to provide hydra with a single username to try in an online password attack? -L -D -p -l Denise is trying to use hydra to attack an ftp server which is running on the non-standard port (2121) - what syntax should Denise use when configuring hydra to target this service? :2121 -p 2121 -s 2121 p:2121 Joanne has extracted the following data from a Linux server; What hashing algorithm is the system using to generate the password hash? root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7::: SHA-512 Blowfish SHA-256 MD5 What encryption standard did Windows LanMan use to secure its hashes? DES AES 3DES RSA In order for John-the-Ripper to process Linux passwd & shadow files, they have to be unshadowed first and the results placed into a new file. What is the correct syntax to achieve this? unshadow /etc/passwd /etc/shadow > hashfile unshadow /etc/shadow /etc/passwd > hashfile /etc/passwd /etc/shadow unshadow | hashfile unshadow /etc/passwd /etc/shadow | hashfile What does the "-a0" switch denote when using hashcat? To use only 1 core of the CPU for processing To output all results to the screen To use a brute-force attack To use a dictionary attack Which password hashes does Windows salt The SAM file NTLM hashes Cached domain hashes The NTDS.dit file Which of the following is not a hash function MD5 Blowfish SHA-1 RIPEMD-160 What is the maximum length of a LanMan password 14 charters 20 characters 7 characters 32 characters Verdict Lots of students hadn't been exposed to Linux or these tools before. Concern expressed about lots of rote memorisation. All the above questions could be answered with -h - but not able to do that one a proctored exam. Quite a "script kiddie" day. Lots of loading up metasploit and just guessing until things work. A few infrastructure problems - broken test servers made things quite frustrating. Lots of technical jargon without any explanation. Jenkins, Groovy, Sandbox, Metaprogramming. What are they? What definitions are needed for the exam? Nothing so far about law and ethics… Which is a bit worrying. We're only working on a restricted demo lab, and all the exploits are ancient. There's still no checking if students have done the tasks. It would be helpful if each student had to, say, retrieve a specific file or string from the target and present it back to the tutor. I know a couple of students who are a bit bewildered but a bit nervous to ask for help. A short day - so off to Cloud Academy to brush up on my skills. Notes Heartbleed - get up to 64KB data from memory. Ask for specific length, bounds aren't checked. Only on old versions of TLS. Can also check key length - under 128bit may be vulnerable. Heartbleed to find username / password. Log in via the web. View source to find .cgi path. Metasploit - use the right module and configure. Exploit and then cat the /etc/passwd file. Shellshock - as above. Copy and paste commands. LD_PRELOAD need to ensure you keep privileges. Use of nc to get remote machine to connect to your machine in order to get a shell on it. Use of history to check for entered passwords and other interesting bits. Weak Linux permissions. Can you overwrite a command run by root? cron jobs a good source of this. Use of local Python server to transfer files across. linpeas.sh Always compile exploits on target machine to ensure architecture compatibility. Basic use of wget and chmod Exploiting other Linux things like JBoss, Tomcat, Jenkins. What is our attack surface? Weak defaults. Outdated versions with CVE. Data Serialisation. Can be weaponised into a payload which will be parsed and executed. Tools like CommonsCollections1. CMS targets like Joomla, Drupal, WordPress. Lots of complexity leads to misconfiguration. Vulnerable plugins and add-ons. Version leakage. joomscan and wpscan both useful automated tools. As are DroopeScan and DruPwn for Drupal Injection of serialised objects into HTTP_HEADER. Chain with x-forward-for to trigger the payload. Basics of scanning for unknown ports then running droopescan and wpscan. EXIF metadata can also be used to hide information - old WP plugins particularly vulnerable. Use of dirb to find directories on remote webservers. ------------------------------ 2021-11-01 Certified in The Art of Hacking - Day 1 https://shkspr.mobi/blog/2021/11/certified-in-the-art-of-hacking-day-1/ As part of my MSc, I have to take three "Professional Practice" courses. The course provider, QA.com, let me choose anything from their online catalogue. The first I'm doing is Certified in The Art of Hacking. As regular readers will know, I'm pretty reasonable at hacking. I have received bug bounties from Google, Twitter, Samsung, and a bunch of others. I don't claim to be an expert - and I doubt I'll be on any top-10 lists - but I have a reasonable, albeit informal, background. It's that "informal" which is annoying me. I want a bit of paper which says that, yes, actually, I do know what I'm talking about. Computer Science - and hackers especially - eschew formal qualifications. The earliest hackers and phreakers learned their craft on the mean streets of the early Infobahn. Geeks don't need qualifications! We're not nerds! But, hey, a free qualification is not to be sniffed at. I know it probably won't be as rigorous as some other certifications - but it was all that was available to me. Looking through the course agenda there were a few things I knew well - XSS, Port Scanning, Password Hashing - but it's always good to pick up a reminder. Some things I've heard of but not used - Burp, Heartbleed, Metasploit - so will be good to get a solid understanding. And some things way outside my experience - Windows stuff, Tomcat, XXE - yay new learning! The thing that I'm looking forward to the least is the exam at the end. It's multiple choice and requires 50% correct - but I always find myself second-guessing those sorts of questions. Especially if there's lots of "well, technically" type questions. Also - concentrating for 70 minutes!!? And proctored? Does that mean I can't run to Wikipedia for help?!? Anyway, I'm going to try and keep a diary of what I've learned. Hopefully that will let other learners know what the course is like, and if it is worthwhile. Verdict A bit more theory than I was expecting. Diving straight in to TCP flags was a bit alienating for some students - although I already knew about them. Similarly, lots of discussion of ports - but didn't actually explain the fundamentals of what they are. Lots of terminology thrown at people - so probably not great for complete beginners. Similarly, the nmap discussion was a bit whistle-stop. It was mostly a case of following the PDF instructions without much explanation. Lots of people (me included!) got tripped up by the command line flags. Some of the practical exercises were a bit copy-and-paste without much understanding of what was going on. Not much feedback from students. No one was asked to prove they'd got the right answer. Crucially - I have no idea what sort of questions are going to be on the exam! Is it the port numbers? The name of tools? The specific syntax? Had to ask. Turns out will need to remember port numbers, nmap options, etc. Day 1 Notes Started on a poor note - had to use GoToMyPC which doesn't have a Linux client. The Linux option was use OpenVPN to connect to the provider's infrastructure, and then SSH into a Kali Linux image. Installing your own Kali would also be possible, but you still need to connect to the VPN to "attack" the provided vulnerabilities. Would have been useful if they gave those instructions beforehand. Wasted half an hour while people worked out what to do. Brief discussion of password cracking. Looking at HaveIBeenPwned and various top 10 lists. Basics of the Cyber Kill Chain. Enumerate, identify vulnerabilities, exploit, post-exploit, use privileges, repeat. No real discussion of it, or its shortcomings. Module 1 - port scanning ARP - layer 2 of OSI. Below IPv4. ARP maps hardware MAC to IP. Note - only for IPv4. ARP broadcast can ask machines on a local network for the IP addresses. arp-scan to find the live hosts. Basics of TCP. 3 way handshake. Flags. Segment Header format. SYN. SYN/ACK. ACK. Use of Wireshark to examine TCP packets. UDP - what it is, why it is unreliable, header formats. Ports - what they are, reserved ports, port state. Basics of netstat. Basics of nmap. 3 way handshake then RST. Don't need special privileges - handy if you have compromised a machine. Plays by the rules, so less likely to trip firewalls. Slower than a half-open scan, so use -sS for SYN, SYN/ACK, RST. Requires privileges, and might get picked up by Intrusion Detection Systems (IDS). UDP scan -sU. Requires privileges, sends empty UDP packet to every targeted port. Can send specific data --data. Might be blocked by firewalls. Ports can be filtered. UDP is often used on VPN, NTP, DNS, SNMP. Dump to file(s) for later ingestion into metasploit: nmap -sS -sV -nvv -O 192.168.3.0/24 -oA portscan_tcp Module 2 - password attacks Online and offline attacks. Sending repeated requests vs looking though a dumped file. Enumerate users. What are lockout policies? Admins are often exempt from lockout. Throttle brute-force attempts. Often generates lots of log entries and / or alarms. Intro to SNMP. UDP 161. 1 & 2c have no auth or encryption. Need to know the "community string" or use manufacturer's default. Public string vs Private string. onesixtyone can bruteforce common strings. OID values. No real explanation of what they were. snmpwalk -v 1 -c ???? 192.168.?.? Need to learn that syntax. Attacking MySQL Old RCE. SQL Injection. Abusing phpMyAdmin. Brute force. Root user is almost always there and has no lockout. hydra to guess passwords Once logged in, can use Select LOAD_FILE('/etc/passwd'); Or Select * from mysql.user; to get all users. Quite a good exercise, find a MySQL server via nmap, use hydra to try common passwords, log in, get credit card data and other password info. Chaining Using the above, use nmap to find the ssh port. Use one of the users found and brute force their password. use ssh -t to exfiltrate data. ssh -t user@192.168.3.123 -p 1234 "cat /etc/passwd" Then brute the postgres user password and get shell using sqlmap -f -d postgres://postgres:password@192.168.3.123:5432/postgres --os-shell Metasploit basics Loading output of nmap into it. msfconsole. Most exploits can be detected by common anti-virus. Use show axillary and show exploits and show payloads to get list. bind - waits for a response. reverse shell - the machine connects directly to you. Useful for bypassing firewalls. meterpreter is the most advanced payload. Grepping through metasploit. Getting reverse shell on an IRC (!) server. Cracking Passwords MD5, SHA1, LM/NTLM, Blowfish, SHA256, SHA512 hashing etc. Rainbow tables to use offline attacks. Salting etc. Encoding, encrypting, hashing. Transforming clear text via a reversible algorithm eg Base64. Asymmetric encryption relying on public and private keys. Hashing is a one-way function - usually produces a fixed length string. Salting - a way to obfuscate the hash. openssl passwd -1 -salt 123 password use MD5 password with salt. Salt can be cached domain credentials like the username. Unix uses random salt. LM (LanMan) is an insecure Windows hashing for XP and earlier. John The Ripper - can brute force per character (slow) or a word list (faster). unshadow /etc/passwd /etc/shadow > hashes john --single hashes john -w=wordlist Hashcat can use a GPU for password cracking. ------------------------------ 2021-04-24 What playing football taught me about hacking - Part 1 https://shkspr.mobi/blog/2021/04/sports-hacks-part-1/ This is a two-part blog post about rewriting the rules. I hated playing sports as a teenager quelle surprise. In a vain attempt to get me to love the beautiful game, a PE teacher once made me team captain for a kickabout. My rival? Sporty Dave. Head boy, house captain, and conqueror of puberty. The PE teacher made us pick our teams. I went first and, naturally, chose the weakest of my classmates - Fat Derek. He was overjoyed not to be picked last for once. "You idiot!" whispered Dave. He picked his mate Phil - who was similarly blessed in the sporting department. I chose Asthmatic Gary next, while Dave signed up another sporting hero. And so it went. I assembled a team of wheezers, misfits, and the terminally unfit. Dave had the cream of the crop - all of whom snickered at us. We went off to give our teams a pep-talk before kick-off. "Right lads," I said, "Do any of you actually enjoy playing football?" They looked around sheepishly and agreed, collectively, that they found the whole experience pretty miserable. "OK, so here's how we have fun while making the other team feel as crappy as we usually do..." at which point, in the TV adaptation of my life, the camera pulls out and the sound trails off. In reality, my plan was simple. Our aim was to help the opposing team score as many goals as possible. If the ball looked like it was coming towards us, we had to sidestep it. If we were ever unlucky enough to be in possession of the ball, we had to pass it to an opposing player. Whenever they scored a goal, we had to applaud them. The whistle blew, and we were off. The opposing team couldn't believe their luck! Goal after goal flowed. By the time we were 5-nil down, the novelty of it had worn off. Once the score was 15-love, Sporty Dave jogged over to me. "Ummm... Do you think you could play, please?" "What do you mean?" "Errr... It just isn't fun doing it like this?" "I dunno mate," I looked over at my team who were grinning away, "We seem to be having a lot of fun. We're not tired and sweaty, we're not getting pushed, shoved, or humiliated, and we're enjoying helping you win." "But it doesn't count!" He whined. "It's just too easy." "You're scoring lots of goals. Isn't that what you wanted?" "Yes... but..." "Well then? My team get to be fresh and alert for the double-maths we've got after this. And you get to run around chasing the ball. Let's carry on!" And so we did. We rewrote the rules of the game so that we could have fun. Our idea of fun was radically different from the sporty-boys - but we didn't care. You don't have to play the same game as other people on the pitch. Even if you're bound by the same rules of play, you can alter your success criteria to be something that you want to achieve. We ended the game triumphant. For the first time in living memory, we were happy after PE. Our rivals, despite their 37 goals, looked miserable and dejected. They didn't want to win. They didn't even want to play. They wanted to humiliate their rivals. Once we were no longer able to be humiliated, they found the entire experience as demoralising as we usually did. After that incident, I was only ever picked to be team captain once more. But that's tomorrow's post. ------------------------------ 2021-02-04 Creating a public, read-only calendar https://shkspr.mobi/blog/2021/02/creating-an-public-read-only-calendar/ Last year, I blogged about why I make my work calendar public. It is useful to have a public website where people can see if I'm free or busy. But the version I created relied on Google Calendar which, sadly, isn't that great. It doesn't look wonderful, especially on small screens, and is limited to only one calendar feed. So I used the mighty power of Open Source to build my own! https://edent.tel/calendar [Image: A bright and easy to use weekly view of my diary.] It uses two cool components. First, the DHTMLX Scheduler tool - a GPL-licensed project to make beautiful web calendars. Secondly, Open Web Calendar by Nicco Kunzmann. It takes multiple ICS feeds and transforms them into a format suitable for the scheduler. With a little bit of prodding and poking, I was able to create a responsive web calendar which shows my personal, work, social, and group calendars all at once. There are a few snags. The project uses Python Flask - which meant learning a new programming paradigm. I might try to rewrite parts of it to use PHP. Because I'm using someone else's code, I've hacked away parts which aren't of use to me - let's hope nothing was load bearing! Similarly, as it's a small personal project, there are no tests. There are a few aesthetic touches I'd like to make - but it is quite serviceable. I also need to set up a better way to deploy it rather than FTP'ing files and restarting Flask. But, for a weekend of sporadic hacking, I'm quite pleased with the result! The code is available on my GitLab. Privacy and Risks All the entries on my various calendars are set to private. That means if you send me a meeting invite, your details shouldn't appear on the page. This co-mingles my personal and work calendars. Because I don't want someone booking a meeting when I've got an evening Zumba class. Is there a risk that you knowing that I'm busy from 19:30 to 21:56 reveals the train journey I'm taking? If something is in both my personal and work calendar - it shows up as a double booking. Should I merge these? Could advertisers mine my data to better target me? It's not very granular, and I block adverts. If someone annoying wants to meet with me, it's harder to fob them off with "my diary's chockablock." When I jet off to an exotic foreign country (*sobs in pandemic*) will it be obvious what timezone I'm in based on my appointments? By opening up this data, am I participating in a destructive form of "quantified self"? Will people judge me / themselves on how busy I am? ------------------------------ 2019-10-20 Book Review: Permanent Record https://shkspr.mobi/blog/2019/10/book-review-permanent-record/ [Image: Edward Snowden, a geek in glasses, looks away from the camera.] Edward Snowden, the man who risked everything to expose the US government’s system of mass surveillance, reveals for the first time the story of his life, including how he helped to build that system and what motivated him to try to bring it down. I'm a civil servant in the UK. Luckily, I suppose, I don't often have access to TOP SECRET information. I suppose I could leak the canteen's lunch menu, but that won't make headlines. What drives a person to jeopardise their career, their family, their life, and - depending on who you believe - their country and its allies? This is a good book, badly written. The opening few chapters are a bore. I suspect it's to "prove" he's a genuine, mom-and-apple-pie, red-blooded American. But that's not really why we're here - you can happily skip the first third of the book. I'd recommend skimming from there to about the halfway point. Even then, it's flabby. Meandering descriptions which go nowhere. He conflates wasteful public spending with mass surveillance. There's a page randomly dedicated to what the word "whistle-blower" means in different languages. And some pedantic nitpicks of what sort of software career he had. It becomes a mish-mash of political ideas and workplace gripes. The end is spectacular. A gripping description of the emotional and practical side of exfiltrating data and going on the run. I've seen Snowden speak (via telescreen) at a conference. He's articulate and passionate. His knowledge and persuasive manner make him a fascinating character. But the book feels like half autobiography and half political manifesto - without doing either particularly well. ------------------------------ 2019-10-19 Book Review: Helpful Hackers https://shkspr.mobi/blog/2019/10/book-review-helpful-hackers/ [Image: A locked gate.] The Netherlands is a world leader in responsible disclosure. The Dutch like to resolve conflicts through a process of general consultation: the famous ‘polder model’. In this book, we hear from the hackers, system owners, IT specialists, managers, journalists, politicians and lawyers who have been key players in a number of prominent disclosures. Their stories offer a glimpse into the mysterious world of cyber security, revealing how hackers can help us all. A short but essential volume. A pleasing ramble through Dutch infosec and how they built up a culture of responsible disclosure. Lots of great examples of where things have gone well - and some shocking examples of where disclosure has failed. It's a well written look at what happens when a responsible security researcher finds a vulnerability. There are court cases, intrigue, international diplomacy, and some spectacularly inept decisions on display. It is, by its nature, a little parochial - but provides an excellent template for how industry can work with "freelance infosec professionals". ------------------------------ ␃␄