Archive for the “hacking” Category

So you want to get your aircrack suite running under OS X. Getting airodump etc. to work, I can tell you, will be a nightmare (in fact, just don't use a VM with a USB wifi adapter for that; there is an alternative). After a lot of searching, it turns out there is a native tool under OS X that will let you capture packets, list networks and so on.

Credit goes to d3in0s for his awesome forum post.

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
Usage: airport <interface> <verb> <options>

    <interface>
    If an interface is not specified, airport will use the first AirPort interface on the system.

    <verb is one of the following:
    prefs   If specified with no key value pairs, displays a subset of AirPort preferences for
        the specified interface.

        Preferences may be configured using key=value syntax. Keys and possible values are specified below.
        Boolean settings may be configured using 'YES' and 'NO'.

        DisconnectOnLogout (Boolean)
        JoinMode (String)
            Automatic
            Preferred
            Ranked
            Recent
            Strongest
        JoinModeFallback (String)
            Prompt
            JoinOpen
            KeepLooking
            DoNothing
        RememberRecentNetworks (Boolean)
        RequireAdmin (Boolean)
        RequireAdminIBSS (Boolean)
        RequireAdminNetworkChange (Boolean)
        RequireAdminPowerToggle (Boolean)
        WoWEnabled (Boolean)

    logger  Monitor the driver's logging facility.

    sniff   If a channel number is specified, airportd will attempt to configure the interface
        to use that channel before it begins sniffing 802.11 frames. Captures files are saved to /tmp.
        Requires super user privileges.

    debug   Enable debug logging. A debug log setting may be enabled by prefixing it with a '+', and disabled
        by prefixing it with a '-'.

        AirPort Userland Debug Flags
            DriverDiscovery
            DriverEvent
            Info
            SystemConfiguration
            UserEvent
            PreferredNetworks
            AutoJoin
            IPC
            Scan
            802.1x
            Assoc
            Keychain
            RSNAuth
            WoW
            AllUserland - Enable/Disable all userland debug flags

        AirPort Driver Common Flags
            DriverInfo
            DriverError
            DriverWPA
            DriverScan
            AllDriver - Enable/Disable all driver debug flags

        AirPort Driver Vendor Flags
            VendorAssoc
            VendorConnection
            AllVendor - Enable/Disable all vendor debug flags

        AirPort Global Flags
            LogFile - Save all AirPort logs to /var/log/airport.log

<options> is one of the following:
    No options currently defined.

Examples:

Configuring preferences (requires admin privileges)
    sudo airport en1 prefs JoinMode=Preferred RememberRecentNetworks=NO RequireAdmin=YES

Sniffing on channel 1:
    airport en1 sniff 1


LEGACY COMMANDS:
Supported arguments:
 -c[<arg>] --channel=[<arg>]    Set arbitrary channel on the card
 -z        --disassociate       Disassociate from any network
 -I        --getinfo            Print current wireless status, e.g. signal info, BSSID, port type etc.
 -s[<arg>] --scan=[<arg>]       Perform a wireless broadcast scan.
                   Will perform a directed scan if the optional <arg> is provided
 -x        --xml                Print info as XML
 -P        --psk                Create PSK from specified pass phrase and SSID.
                   The following additional arguments must be specified with this command:
                                  --password=<arg>  Specify a WPA password
                                  --ssid=<arg>      Specify SSID when creating a PSK
 -h        --help               Show this help
Credit goes to d3in0s's post (http://forum.aircrack-ng.org/index.php?PHPSESSID=osr5e11icl40hib1f57qkh0u35&topic=293.msg34031#msg34031) showing true forum awesomeness.

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I
     agrCtlRSSI: -40
     agrExtRSSI: 0
    agrCtlNoise: -92
    agrExtNoise: 0
          state: running
        op mode: station
     lastTxRate: 54
        maxRate: 54
lastAssocStatus: 0
    802.11 auth: open
      link auth: wpa2-psk
          BSSID: <removed>
           SSID: <removed>
            MCS: -1
        channel: 6
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                          <removed> <removed> -41  6       N  -- WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)

Doing a frame cap.

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 sniff 6
Capturing 802.11 frames on en1.

You will see your AirPort icon change; now hit Ctrl+C to stop the capture.

^CSession saved to /tmp/airportSniff813ZrA.cap.


In theory, this: http://www.exploit-db.com/exploits/17423/ could be used to facilitate phishing.

To patch this, update to 1.9.28 and apply this patch: https://raw.github.com/Oneiroi/PenTesting/master/patches/wptouch-edb17423.patch

UPDATE 07/07/2011: 1.9.30 does not suffer from this exploit.


In theory, this: http://www.exploit-db.com/exploits/17423/ could be used to facilitate phishing.

To patch this, update to 1.9.28 and apply this patch: https://raw.github.com/Oneiroi/PenTesting/master/patches/wptouch-edb17423.patch

cd /path/to/blog/wp-content/plugins/wptouch/
wget https://raw.github.com/Oneiroi/PenTesting/master/patches/wptouch-edb17423.patch
patch < wptouch-edb17423.patch

Update: this: http://wordpress.org/news/2011/06/passwords-reset/ caused a 1.9.29 version to be rolled out.

1.9.29 is still vulnerable to this; the patch instructions above still work for 1.9.29.


Go ahead and run

curl -I http://www.saiweb.co.uk

You will get

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:33:29 GMT
Server: Apache
Vary: Accept-Encoding,Cookie
Cache-Control: max-age=3, must-revalidate
WP-Super-Cache: Served supercache file from PHP
Connection: close
Content-Type: text/html; charset=UTF-8

As an attacker looking to hit a web app, one of the first things you're going to want to look into is what version of web server is running. In this case you can see this blog does in fact run Apache, but there is not much else to go on here, is there?

That's intentional, and the result of manual configuration changes I have put in place; this is not the case for a default LAMP install. Take, for instance, this snippet from another website:

Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.2.14

This has already given me a wealth of information to go on and begin prepping an attack: I now know the site is running PHP version 5.2.14 and Apache version 2.2.16, and that the underlying OS is Debian.

See the dilemma? Your default roll-outs are declaring their running versions to anyone willing to listen, so let's make it a little more stealthy.

First and foremost, if you are using PHP, edit your php.ini and set the following:

expose_php = off

Now head into your httpd.conf and set the following:

ServerTokens prod

and

ServerSignature off

With these three simple settings, all the headers will now return is Server: Apache. This is the first step to shielding your app; I'll be covering further steps as time allows.
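
To audit this from the outside, here is an added Python check (not from the post) that parses a response head and flags the headers that disclose versions, OS or stack details; the two heads quoted above are embedded as constructed samples, and fetch_head() is a helper that issues the same HEAD request as curl -I.

```python
import http.client
import re

# Constructed samples, copied from the two header blocks quoted in the post.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:33:29 GMT
Server: Apache
Vary: Accept-Encoding,Cookie
Cache-Control: max-age=3, must-revalidate
WP-Super-Cache: Served supercache file from PHP
Connection: close
Content-Type: text/html; charset=UTF-8
"""

LEAKY_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.2.14
Content-Type: text/html; charset=UTF-8
"""

# Headers that exist mainly to announce software, plus a "major.minor[.patch]" pattern.
BANNER_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_headers(raw):
    """Turn a raw HTTP response head into a list of (lower-cased name, value) pairs."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_leaks(raw):
    """Return {header: value} for headers that disclose versions, OS or stack details."""
    leaks = {}
    for name, value in parse_headers(raw):
        if name == "server" and ("/" in value or "(" in value or VERSION_RE.search(value)):
            leaks[name] = value                # e.g. Apache/2.2.16 (Debian); bare "Apache" passes
        elif name in BANNER_HEADERS:
            leaks[name] = value                # X-Powered-By: PHP/5.2.14 and friends
    return leaks


def fetch_head(host, path="/", timeout=5):
    """Issue a HEAD request (like curl -I) and return the raw response head as text."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    status = "HTTP/1.1 %d %s" % (resp.status, resp.reason)
    head = "\n".join("%s: %s" % (k, v) for k, v in resp.getheaders())
    conn.close()
    return status + "\n" + head + "\n"


if __name__ == "__main__":
    import sys
    raw = fetch_head(sys.argv[1]) if len(sys.argv) > 1 else LEAKY_RESPONSE
    for header, value in sorted(find_leaks(raw).items()):
        print("LEAK  %s: %s" % (header, value))
```

Note that the hardened head still announces WP-Super-Cache, which fingerprints WordPress running on PHP; plugin headers have to be removed in the plugin or with mod_headers, which ServerTokens does not touch.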


With work returning to "normal" levels I began digging through my backlog of seclist updates, errata updates and security-related podcasts.

One particular attack method has me concerned as a typical paranoid systems admin, namely the one covered by Darren @ Hak5.org,

where combining jasager and airdrop-ng lets you easily set yourself up as a transparent man-in-the-middle. So I began thinking about how you would defend against such an attack, given that most if not all wifi clients would switch to jasager transparently without the user ever knowing. Remember, this is all theory at this point and could be completely wrong; please leave feedback in the comments.

Before I begin, let's make a couple of assumptions.

  1. You are the admin for your network
  2. You are in control of all AP’s on your network

If you cannot confirm 1 & 2 then you can land yourself in a whole heap of trouble, so think before you do, please.

That said, on to a possible defense scenario: making airdrop-ng work as a "shield".

The main premise of airdrop-ng is to send DeAuth packets forcing a wifi client to reconnect. Darren's jasager + airdrop podcast ("Airport wifi challenge") used this in conjunction with jasager to force clients to reconnect, but to jasager instead, essentially denying access to the real APs and masquerading as them using jasager.

With me so far?

  1. Client is connected to REAL Access Point
  2. airdrop-ng sends DeAuth for all BSSIDs except jasager’s
  3. Client Attempts to reconnect, jasager masquerades as the REAL AP
  4. Client is now pwned.

To repurpose airdrop-ng as a "shield", we change step 2 above.

  1. Client is connected to REAL Access Point
  2. airdrop-ng sends DeAuth for all BSSIDs except the REAL access point

Now this does cause a problem for any genuine "pop-up" wifi, such as the sharing functionality on Mac OS X and mobile hotspots (wifi over 3G), but it is one possible method of defense.

If you have some theories related to detecting and defeating WiFi m.i.t.m attacks please let me know; I'd love to hear them.

I’ll work on getting a screencast for this up as soon as possible.

  • this will not protect against BSSID / MAC spoofing;
  • this will only prevent a rogue AP BSSID masquerading as your valid AP;
  • this will only work within range of your wifi device generating the DeAuth packets;
  • improper configuration could cause a D.o.S of nearby REAL APs and generally annoy people.

Update 04/10/2011: Seems that this project, wifijammer, can do exactly what I outlined above. Via: Hackaday
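
As an added example serving both the airport scan post above and this one (my code, not the author's and not part of jasager or airdrop-ng): a Python script that parses `airport -s` output and flags any AP advertising one of your SSIDs from a BSSID that is not in your inventory, the simplest detection for a rogue AP masquerading as yours. The scan text and the KNOWN_APS inventory are constructed; live_scan() assumes the airport binary path shown above.

```python
import re
import subprocess

AIRPORT = "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport"

# Constructed scan output in the `airport -s` layout shown above (not a real capture).
SAMPLE_SCAN = """\
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                       OfficeNet 00:11:22:33:44:55 -41  6       N  -- WPA2(PSK/AES/AES)
                       OfficeNet 66:77:88:99:aa:bb -35  6       N  -- NONE
                      Guest WiFi 00:11:22:33:44:66 -60  11      Y  US WPA2(PSK/AES/AES)
                       Neighbour 12:34:56:78:9a:bc -80  1       N  -- WPA(PSK/TKIP/TKIP)
"""

# Assumed inventory of the APs you administer: SSID -> set of legitimate BSSIDs.
KNOWN_APS = {
    "OfficeNet": {"00:11:22:33:44:55"},
    "Guest WiFi": {"00:11:22:33:44:66"},
}

# SSIDs may contain spaces, so the parse is anchored on the BSSID rather than on whitespace.
LINE_RE = re.compile(
    r"^\s*(?P<ssid>.*?)\s+(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<rssi>-?\d+)\s+(?P<channel>\S+)\s+(?P<ht>[YN])\s+(?P<cc>\S+)\s+(?P<security>.*)$",
    re.IGNORECASE,
)


def parse_scan(text):
    """Parse `airport -s` output into a list of dicts, skipping the header line."""
    nets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            nets.append(m.groupdict())
    return nets


def find_rogues(text, known=KNOWN_APS):
    """Flag access points advertising one of our SSIDs from a BSSID we do not own."""
    rogues = []
    for net in parse_scan(text):
        if net["ssid"] not in known:              # someone else's network, not our concern
            continue
        if net["bssid"].lower() in {b.lower() for b in known[net["ssid"]]}:
            continue                              # one of ours
        reasons = ["BSSID not in inventory"]
        if net["security"].strip().upper() == "NONE":
            reasons.append("open network while ours is encrypted")
        rogues.append({"ssid": net["ssid"], "bssid": net["bssid"],
                       "channel": net["channel"], "reasons": reasons})
    return rogues


def live_scan():
    """Run the real scan on OS X (needs the airport binary above); returns the raw text."""
    return subprocess.check_output([AIRPORT, "-s"]).decode("utf-8", "replace")


if __name__ == "__main__":
    for r in find_rogues(SAMPLE_SCAN):
        print("ROGUE %-12s %s ch %s: %s" % (r["ssid"], r["bssid"], r["channel"], "; ".join(r["reasons"])))
```

As the caveats above say, this cannot catch a rogue that spoofs a legitimate BSSID; it only catches the masquerade-by-SSID case, and only from wherever the scanning machine sits.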


For some background you may want to read the Original Story leading to this write up.

The first thing that caught my attention was the fact that Logwatch was reporting login failures in the order of 1000s from unassigned.psychz.net without an accompanying fail2ban email notifying me the offender had been banned.

And this, as it would turn out, was because the attack was clearly intended to defeat such protection methods. The logged host is unassigned.psychz.net: when the authentication failure is logged, vsftpd makes a reverse lookup to resolve the host, the PTR record returns unassigned.psychz.net, and that name is what gets written into the log.

fail2ban now uses a regex to extract the host from the logs and attempts a forward lookup on unassigned.psychz.net (A/CNAME records required) to resolve the IP address and ban the offending IP; this is where things go awry.

psychz.net maintains their own DNS servers,

  1. DNS1.PSYCHZ.NET
  2. DNS2.PSYCHZ.NET

These provide a PTR but no A/CNAME record; as such fail2ban cannot resolve an IP and the attacking IP is left to run their attack unhindered. See this log file: fail2ban name resolution failure log

The only way, therefore, to obtain the attacking IP was to match the FTP connection times to those of the reported login failures, using iptables to log all accesses to FTP. You can quickly get a count of connecting IPs using:

grep kernel /var/log/messages | awk '{print $9}' | sed 's/SRC=//' | sort | uniq -c | sort -n

390 173.224.217.41

A complete log can be found here: iptables.log, and a whois can be found here: whois.txt

Disclosure steps taken:

  1. 26/07/10 psychz support informed, given a deadline of 09/08/10 for resolution
  2. Same day: standard reply of "thanks for contacting support, we are looking into this"
  3. 27/07/10 attacks continue; 173.224.208.0/20 network black-holed as a result:
     iptables -A INPUT -s 173.224.208.0/20 -j DROP
  4. 09/08/10 deadline passes without update
  5. 25/08/10 this blog post published


Time was when a photo was just a captured moment in time, /end nostalgia

Nowadays though, what people do not realise is the sheer amount of "extra" information embedded in "that picture you just uploaded to Flickr/Facebook/Photobucket", especially if you are uploading from a "smart phone", as more and more people now are.

Most photos now contain GPS data embedded in them, and this information will survive a resize/upload process. At the time of writing, images tested from Facebook appear to have the EXIF data stripped out (thumbs up for Facebook, maybe), and it appears PHP GD by default replaces all EXIF data with its own (bug maybe?).

For non-sanitised images, however, you can discern a wealth of information such as:

  1. Make of camera
  2. Model of camera
  3. Software version
  4. Unix timestamp of time taken
  5. DateTime stamp of time taken
  6. Focal length used
  7. Shutter speed
  8. if flash used

And if GPS is embedded:

  1. Longitude
  2. Latitude
  3. Altitude
  4. GPS timestamp
  5. Direction facing when photo taken

There is yet more data, such as the colour profile used and the image resolutions. In my tests, photos taken with my iPhone 4 placed me within 10 metres of where I was actually standing when I took the picture, and recorded which direction I was facing when I took them.

So one more thing to note in your application's "data sanity" is to strip EXIF tags from uploaded images, lest your contributors' private details be leaked from your application.

For example:

  1. User uploads photo for competition
  2. Site uses resized photo on competition page to allow visitor voting
  3. Malicious user saves the image from the site (or just uses the copy from their browser cache) and gets the GPS data from the photo
  4. Malicious user now knows the exact whereabouts the photo was taken, as well as the time.

And it doesn't have to be a malicious user; it could be anyone or anything. If you want to check your images for EXIF data you can use my tool here: http://www.saiweb.co.uk/tools/exif_data.php

No data is stored, and images are deleted immediately after processing. You use this at your own risk, however; if you misuse the tool you accept all liability for the legal action to follow. You have been warned.
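
An added example, not the author's tool: a dependency-free Python JPEG walker that reports whether an Exif block carries the GPS IFD pointer (the tag that tells you location data is present) and strips the Exif and IPTC segments, which is the sanitisation step recommended above. The sample image is constructed in build_sample_jpeg(), a synthetic file with Make, Model and a GPS pointer, not a real photo.

```python
import struct

SOS, DQT, APP1, APP13 = 0xFFDA, 0xFFDB, 0xFFE1, 0xFFED
MAKE_TAG, MODEL_TAG, GPS_IFD_TAG = 0x010F, 0x0110, 0x8825
METADATA_MARKERS = {APP1, APP13}     # Exif/XMP live in APP1, Photoshop/IPTC in APP13

def split_jpeg(data):
    """Return ([(marker, payload), ...] before SOS, bytes from the SOS marker onward)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segs, pos = [], 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:                        # entropy-coded scan follows; stop walking
            return segs, data[pos:]
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS marker found")

def ifd0_tags(data):
    """Set of tag ids in IFD0 of every Exif APP1 segment (empty set if there is none)."""
    tags = set()
    for marker, payload in split_jpeg(data)[0]:
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        e = "<" if tiff[:2] == b"II" else ">"    # TIFF byte order: Intel or Motorola
        ifd = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):                   # 12-byte entries: tag, type, count, value/offset
            off = ifd + 2 + 12 * i
            tags.add(struct.unpack(e + "H", tiff[off:off + 2])[0])
    return tags

def has_gps(data):
    """True if IFD0 carries the GPS IFD pointer, i.e. location data is embedded."""
    return GPS_IFD_TAG in ifd0_tags(data)

def strip_metadata(data):
    """Drop APP1/APP13 segments; image data and the ICC profile (APP2) are untouched."""
    segs, rest = split_jpeg(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segs:
        if marker not in METADATA_MARKERS:
            out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out + rest)

def build_sample_jpeg(with_gps=True):
    """Constructed test image: SOI, Exif APP1 (Make, Model, optional GPS pointer), DQT, SOS, EOI."""
    entries = [(MAKE_TAG, 2, 8, b"TestCam\x00"), (MODEL_TAG, 2, 4, b"XY1\x00")]
    if with_gps:
        entries.append((GPS_IFD_TAG, 4, 1, None))   # LONG pointer; stub value, never followed
    data_off = 8 + 2 + 12 * len(entries) + 4       # long values go after the next-IFD word
    ifd, blob = struct.pack(">H", len(entries)), b""
    for tag, typ, cnt, val in entries:
        if val is None:
            ifd += struct.pack(">HHII", tag, typ, cnt, 0)
        elif len(val) <= 4:                         # short values are stored inline
            ifd += struct.pack(">HHI", tag, typ, cnt) + val.ljust(4, b"\x00")
        else:                                       # long values are stored by offset
            ifd += struct.pack(">HHII", tag, typ, cnt, data_off + len(blob))
            blob += val
    app1 = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd + b"\x00" * 4 + blob
    dqt = b"\x00" + bytes(64)
    return (b"\xff\xd8" + struct.pack(">HH", APP1, len(app1) + 2) + app1
            + struct.pack(">HH", DQT, len(dqt) + 2) + dqt
            + struct.pack(">HH", SOS, 2) + b"\x00\x11\x22" + b"\xff\xd9")
```

The APP2 ICC profile is deliberately kept, since dropping it changes how the image renders; XMP, which also lives in APP1, goes out together with Exif.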


Most of the time when I review our log watches each morning I become enraged at the number of automated attacks.

But ever so occasionally I find one that frankly intrigues me.

Today is just such an occasion, where I have had multiple brute force login attempts. The ingenious part is that this attack has been designed to bypass tools such as fail2ban, blockhosts etc., and this is how:

  1. Attack is launched from
  2. has PTR set for
  3. Failed login attempts record due to reverse lookup
  4. There is no A record, attacker maintains their own nameservers for the
  5. fail2ban notes failed logins, attempts to resolve to an IP but fails, due to missing A record
  6. Attacker can continue brute force attempts unhindered by being banned

I am still reading into how to counter this and will update this post as I figure out how to work around it; it's a very sneaky and frankly quite clever method of working around most automated blacklisting/banning tools.

Update 1:
One method I am trialling is the "log target" feature of iptables, in an attempt to match login failure times to the iptables log; I'll post back with results.

iptables -A INPUT -p tcp --dport ftp -j LOG

Outputs:

Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47423 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=45370 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=46896 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:01 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=63 TOS=0x00 PREC=0x00 TTL=55 ID=38502 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul 23 11:46:02 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=32551 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:02 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=59735 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:04 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=66 TOS=0x00 PREC=0x00 TTL=55 ID=23116 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul 23 11:46:07 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40246 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0

Update 2: Defeating the hack

Now, granted, this would be a lot worse had the attacking IP been dynamic; fortunately in this case it's not.

grep kernel /var/log/messages | awk '{print $9}' | sed 's/SRC=//' | sort | uniq -c | sort -n

      4 195.XXX.XXX.XXX
    390 173.XXX.XXX.XXX

IPs have been masked to prevent anyone complaining or threatening legal action (again) for inferring you should block their IP / network range, and me firing off the obligatory "Well, if you policed your own network I wouldn't have to post this, now would I?" email.

Maybe I am just being cynical in my "old" age.

Anyhow, as you may have guessed, I'm black-holing the IP with the 390 connection entries.

Thanks

Being as I spoke to a load of people during the course of this, I really cannot remember who contributed what to this solution, so I'll just have to thank you all; let me know if you want a crediting link.
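
The time correlation that this post and the disclosure write-up above describe, as an added Python example (my code, not the author's script): every vsftpd FAIL LOGIN is attributed to the sources that opened an FTP connection (a SYN to port 21 in the iptables LOG output) during the preceding ten seconds. The vsftpd lines, the iptables lines, the year and the window are all constructed assumptions; the attacking address is the one named in the write-up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed vsftpd lines: with reverse lookups on, the client is logged by its PTR name,
# which is exactly what leaves fail2ban with nothing it can forward-resolve and ban.
VSFTPD_LOG = """\
Fri Jul 23 11:46:01 2010 [pid 4021] [admin] FAIL LOGIN: Client "unassigned.psychz.net"
Fri Jul 23 11:46:04 2010 [pid 4021] [admin] FAIL LOGIN: Client "unassigned.psychz.net"
Fri Jul 23 11:52:30 2010 [pid 4088] [alice] OK LOGIN: Client "mail.example.net"
"""

# Constructed iptables LOG lines in the format shown in Update 1 (SYN = a new connection).
IPTABLES_LOG = """\
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=173.224.217.41 DST=10.0.0.5 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47423 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=173.224.217.41 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=45370 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:03 132 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=173.224.217.41 DST=10.0.0.5 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47500 DF PROTO=TCP SPT=3866 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:52:29 132 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.10 DST=10.0.0.5 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=50000 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FAIL_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*FAIL LOGIN: Client "(?P<client>[^"]+)"')
SYN_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .* SRC=(?P<src>\S+) .* DPT=21 .* SYN ')


def failed_logins(text):
    """[(timestamp, logged client name)] for every FAIL LOGIN line."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("client")))
    return out


def ftp_syns(text, year=2010):
    """[(timestamp, source ip)] for every new connection to port 21; syslog lines carry no year."""
    out = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            out.append((ts, m.group("src")))
    return out


def attribute_failures(vsftpd_text, iptables_text, window=timedelta(seconds=10)):
    """Count, per source IP, the login failures it could have produced given connection timing."""
    syns = ftp_syns(iptables_text)
    counts = Counter()
    for fail_ts, _client in failed_logins(vsftpd_text):
        for syn_ts, src in syns:
            if fail_ts - window <= syn_ts <= fail_ts:
                counts[src] += 1
    return counts


if __name__ == "__main__":
    for src, n in attribute_failures(VSFTPD_LOG, IPTABLES_LOG).most_common():
        print("%5d failures attributable to %s" % (n, src))
```

The root fix is to make the log carry the address rather than the PTR name (vsftpd's reverse_lookup_enable=NO) so that fail2ban's regex has an IP to ban; adding --syn to the iptables LOG rule also keeps the log to one line per connection instead of one per packet.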


Before you read any further, note: I will not be including the original hack file, simply due to people's stupidity in putting this on a production environment to play with. If you use the code you do so at your own risk, and by reading this blog entry / using the code provided you agree to accept all liability upon yourself for your own actions. Don't be an idiot.

Around 10 days ago I came across this seemingly innocuous little file.

What I am going to cover in this entry is dissecting the "payload", not so much the web app in question or the methods used to compromise it.

Whereas I will not at this time provide the original file, I will provide you with the MD5 and SHA1 hashes of the file so you can check it's not lurking on your systems:

md5: 9ee3e6523d154114460d320477a8665a
sha1: 9c64fecea5620d70a716bbd74f6e89612a4a79c7

The bit we are interested in is the last line of the file:

Were you to run this line you would get

Confused yet? Now, I can appreciate the thinking behind packing a payload to avoid detection, but in this case the payload is packed 12 times, and no, before you ask, I did not manually run each returned statement to find this out.

Enter Python-Fu:

#!/usr/bin/env python
# saiweb.co.uk payload unpack script 26/05/2010
# copy the eval(gzinflate()) line to payload.raw, place in same directory as this file.

"""
Copyright (C) 2010 Buzz saiweb.co.uk.co.uk

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    Additional Terms as Per section 7

    Attribution:

    Redistribution/Reuse of this code is permitted under the GNU v3 license, as an additional term ALL code must carry the original Author(s) credit in comment form.
"""

from __future__ import print_function
import base64, re, sys, zlib

# One packing layer looks like: eval(gzinflate(base64_decode('<base64>')));
# PHP's gzinflate() is a raw DEFLATE stream, so it is inflated with a negative window size
# (the same thing the original 'x\x9c' zlib-header trick achieved).
PACK_RE = re.compile(r"eval\(gzinflate\(base64_decode\('([A-Za-z0-9+/=\s]*)'\)\)\);")

def unpack_once(php):
    """Return the PHP hidden inside one packing layer, or None when no layer is left."""
    m = PACK_RE.search(php)
    if not m:
        return None
    raw = base64.b64decode(m.group(1).strip())
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode('latin-1')

def main():
    print('Running ...', file=sys.stderr)    # progress on stderr so stdout can go straight to a file
    with open('payload.raw', 'rb') as f:
        php = f.read().decode('latin-1')
    iteration = 0
    while True:
        inner = unpack_once(php)
        if inner is None:
            break
        iteration += 1
        print('Iteration: %d' % iteration, file=sys.stderr)
        php = inner
    print(php)                                # the fully unpacked payload

if __name__ == '__main__':
    main()

Copy the first payload lines into a file named payload.raw, then take the above code and copy it into a file named dissect.py.

When dissect.py is run you will get the following output:

python ./dissect.py
Running ...
Iteration: 1
Iteration: 2
Iteration: 3
Iteration: 4
Iteration: 5
Iteration: 6
Iteration: 7
Iteration: 8
Iteration: 9
Iteration: 10
Iteration: 11
Iteration: 12
<?php
...

As such you may want to run it using the following command:

python ./dissect.py > r57.php

And what you will find after unpacking 12 times in total is that the "payload" is the r57shell. This script is an information-gathering tool and pseudo-shell, meaning it will run any command on the host server that PHP can, providing in most cases SSH-esque access to the exploited host and allowing the attacker to do pretty much anything they want at that point. Some of the features also include /etc/passwd and /etc/shadow dumping, as well as searching for a range of common files (*.sql*, admin*, etc.); it's a one-stop script for information gathering on a LAMP/WAMP based host.


Defense: modify php.ini to disable eval(), exec, shell_exec and all non-essential functions.

And of course, ensure your web apps are patched and up to date as well as the host they are running on.
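
The php.ini hardening the defense line refers to, as an added fragment that is not from the post; the directive names are standard PHP, the function list is a starting point to trim to what the app actually needs, and the open_basedir paths are hypothetical. One caveat worth knowing: eval() is a language construct, not a function, so disable_functions cannot remove it; what the list below does is stop an eval()'d payload from spawning commands.

```ini
; Added hardening fragment for php.ini (not from the post). Paths are hypothetical.
expose_php = Off
display_errors = Off
allow_url_fopen = Off
allow_url_include = Off

; eval() is a language construct and cannot be listed here; blocking the
; process-spawning functions is what denies an r57-style shell its commands.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl

; Confine file operations to the web root and its temp directory.
open_basedir = /var/www/blog:/tmp
```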


Or, as one of my colleagues said this morning, firmware programming, which in the literal sense of the word I suppose it is.

I've decided, as some of my Twitter followers may already know, to produce a library/framework for the Teensy Arduino, which is available from Subversion here: http://svn.saiweb.co.uk/branches/teensy/trunk/ under the GPL v3 licence.

At the time of writing I have worked through this tutorial on operating an RGB LED.

I've taken the examples and reworked them into a reusable library incorporating a multitude of functions.

Being as I have all the parts to work through the full set of tutorials at PJRC, the library will first be updated to incorporate these examples; once complete I'll be heading over to the HID programming aspect, and there will be a library for a plethora of "fun" applications ;-)
