Matt's Life Bytes
Matthew Sullivan's Thoughts on Security & Tech

The Heartbleed issue is actually worse than it might immediately seem (and it seems pretty bad already).

In case you’ve been out of the loop, Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL that allows any remote user to dump some of the contents of the server’s memory. And yes, that’s really bad. The major concern is that a skilled user could craft an exploit that could dump the RSA private key that the server is using to communicate with its clients. The level of knowledge and skill required to craft this attack isn’t particularly high, but it is likely out of reach for the average script kiddie.

So why is Heartbleed worse than you think? It’s simple: the currently-available proof-of-concept scripts allow any client, anywhere in the world, to perform a session hijacking attack against a logged-in user.

As of this morning, the most widely-shared proof-of-concept is this simple Python script: https://gist.github.com/takeshixx/10107280. With this script, anyone in the world can dump a bit of RAM from a vulnerable server.

Let’s have a look at the output of this utility against a vulnerable server running the JIRA ticket tracking system. The hex output has been removed to improve readability.

 [matt@laptop ~]# python heartbleed.py jira.XXXXXXXXXXX.com
 Connecting...
 Sending Client Hello...
 Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 3239
 ... received message: type = 22, ver = 0302, length = 331
 ... received message: type = 22, ver = 0302, length = 4
 Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
 Received heartbeat response:
 .@..GET /browse/
 en_US-cubysj-198
 8229788/6160/11/
 (lots of garbage)
 ..............Ac
 cept-Encoding: g
 zip,deflate,sdch
 ..Accept-Languag
 e: en-US,en;q=0.
 8..Cookie: atlas
 sian.xsrf.token=
 BWEK-0C0G-BSN7-V
 OZ1|3d6d84686dc0
 f214d0df1779cbe9
 4db6047b0ae5|lou
 t; JSESSIONID=33
 F4094F68826284D1
 8AA6D7ED1D554E..
 ..E.$3Z.l8.M..e5
 ..6D7ED1D554E...
 ......*..?.e.b..
 WARNING: server returned more data than it should - server is vulnerable!

This is definitely a dump of memory from a GET request that came in very recently. Did you notice the JSESSIONID cookie up there? That’s JIRA’s way of tracking your HTTP session to see if you are logged in. If this system requires authentication (and this JIRA install does), then I can insert that cookie into my browser and become that user on this JIRA installation.

Insertion of the session ID cookie into the browser.


After saving the modified cookie, we simply refresh the browser.

Reload of the JIRA installation. Note that we are now logged into this installation.

As you can see above, once we’ve taken a valid session ID cookie, we can access this JIRA installation as an internal employee. The only way to detect this type of attack is to check the source IPs of traffic for each and every request. It’s also worth noting that JIRA happens to be the software I chose for this demonstration, but the issue affects any web service that uses cookies to track session state (almost every site on the Internet).
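
As an added example (not part of the original post), that check in code: a scan over constructed, hypothetical access-log lines that include the Cookie header, flagging any JSESSIONID presented from more than one client IP. Mobile clients and NAT do change addresses legitimately, so hits are leads for review rather than proof of hijacking.

```python
"""Flag web sessions whose cookie is presented from more than one client IP.

Added example (not from the original post). The post notes that a hijacked
JSESSIONID can only be spotted by comparing the source IP of every request that
carries it; this does that over access-log lines that include the Cookie header.
"""
import re
from collections import defaultdict

# Constructed, hypothetical log lines: Apache common-log fields followed by the
# request's Cookie header in quotes (what a LogFormat ending in "%{Cookie}i" logs).
# Session IDs and addresses are made up; 198.51.100.24 plays the hijacker.
SAMPLE_LOG = """\
10.1.2.3 - - [08/Apr/2014:09:15:01 -0500] "GET /browse/ HTTP/1.1" 200 5120 "JSESSIONID=7D3A9F0C4B2E8A1D6F5C3B9E2A4D8C1F; atlassian.xsrf.token=XXXX-constructed"
10.1.2.3 - - [08/Apr/2014:09:15:09 -0500] "GET /secure/Dashboard.jspa HTTP/1.1" 200 8801 "JSESSIONID=7D3A9F0C4B2E8A1D6F5C3B9E2A4D8C1F"
10.1.2.77 - - [08/Apr/2014:09:15:30 -0500] "GET /browse/ HTTP/1.1" 200 5120 "JSESSIONID=0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E"
203.0.113.9 - - [08/Apr/2014:09:16:00 -0500] "GET /login.jsp HTTP/1.1" 200 2210 "-"
198.51.100.24 - - [08/Apr/2014:09:17:42 -0500] "GET /secure/Dashboard.jspa HTTP/1.1" 200 8801 "JSESSIONID=7D3A9F0C4B2E8A1D6F5C3B9E2A4D8C1F"
198.51.100.24 - - [08/Apr/2014:09:17:43 -0500] "GET /secure/ViewProfile.jspa HTTP/1.1" 200 3022 "JSESSIONID=7D3A9F0C4B2E8A1D6F5C3B9E2A4D8C1F"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ "(?P<cookie>[^"]*)"$'
)
SESSION_RE = re.compile(r"JSESSIONID=([0-9A-Fa-f]+)")


def parse_line(line):
    """Return (client_ip, session_id) for a log line, or None if it carries no session."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    s = SESSION_RE.search(m.group("cookie"))
    if s is None:
        return None
    return m.group("ip"), s.group(1)


def ips_per_session(log_text):
    """Map each session ID to the distinct client IPs that presented it, in order seen."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, sid = parsed
        if ip not in seen[sid]:
            seen[sid].append(ip)
    return dict(seen)


def suspicious_sessions(log_text):
    """Sessions presented from more than one client IP: the hijacking signature the post describes."""
    return {sid: ips for sid, ips in ips_per_session(log_text).items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in suspicious_sessions(SAMPLE_LOG).items():
        print("session %s used from %s" % (sid, ", ".join(ips)))
```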

The Heartbleed vulnerability is bad, and with almost no effort allows a remote attacker to potentially perform a session hijacking attack allowing authentication bypass. Please patch your systems immediately.

· · ·

Oct/11

25

Clone ESXi Server Instances Easily

The Problem

Cloning ESXi servers sucks.  Trust me, I do it 4-5 times a year.

You see, multiple times a year I find myself setting up a “master” ESXi server, then needing to clone it over and over to give it out to students for classes, or to teams for our Cyber Defense Competitions.  This process is tedious and ridiculously time consuming.  Here’s why:

  1. ESXi instances don’t follow the hardware MAC addresses by default.  Once installed, the MAC addresses are dictated to the NICs by the ESXi OS settings, meaning that when you clone a box, those MAC addresses are going to collide.  There’s a setting to disable this, but in my experience it often automatically resets after a cloning, meaning I have to re-enter the setting by hand.
  2. ESXi Virtual Machines don’t like moving around.  If you clone an ESXi server you can be guaranteed that everything will explode, because the VMs won’t re-generate new MAC addresses automatically.  Every VM on each cloned box needs to have a new one set manually… EVERY… SINGLE… TIME.  And it sucks.
  3. Each instance has to have its management IP and DNS entries changed by hand after cloning, otherwise conflicts will abound.

Well, I’ve finally had enough.  After wading through pages and pages of busybox/ash shell documentation, I’ve produced two scripts which do all of the above for you.

The Solution

These scripts are only tested on ESXi 5.0; you are using them at your own risk with no warranty!

Also I’m assuming you roughly know what you are doing.  If this is your first spin with ESXi you’ll probably feel overwhelmed by what’s coming.  You’ve been warned.

  • Create your “master” ESXi image. Install everything, get your settings right, and get your VMs all good to go.
  • Set all VMs to use manual MAC addresses and enter something.  It doesn’t matter what you choose, as long as it starts with “00:50:56:”.  This address will auto-regenerate upon cloning anyway.
  • Use wget to grab my scripts.  Alternatively, you can SCP/SFTP them up to your ESXi server, but SSH access will need to be enabled.
    cd /vmfs/volumes/datastore1 (or whatever your datastore path is)
    wget http://www.mattslifebytes.com/files/ESXi/Provisioning/provision.sh
    wget http://www.mattslifebytes.com/files/ESXi/Provisioning/macgenerate.sh
    chmod +x provision.sh macgenerate.sh
  • Use vi to modify provision.sh to your needs.  Some options are located in the top of the file.
  • Shut down your ESXi host and use Clonezilla (or whatever your favorite imaging suite might be) to clone the “master” to new slave hosts
  • This is important: when the clone is done, unplug networking before rebooting.  Why?  Every instance of ESXi will be attempting to use the master’s MAC address, and your network will explode.
  • Unplugged networking yet?  No?  GO DO IT!
  • Now boot the new clones up. On each, you’ll need to log in via the support console (Alt+F1), then cd /vmfs/volumes/datastore1 (or whatever your datastore path is).
  • Now execute the script with no arguments, and you’ll be presented with a very rudimentary help menu.
  • When you are ready to fly, just execute the script by doing:
    ./provision.sh <desired IP suffix> <desired DNS uniqueness>
    (For more understanding about these options, have a look at the help menu and inside the settings area of provision.sh)
  • Once the script is finished your ESXi slave host will reboot.  Once it has reloaded, you can safely plug networking back in.
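
For the VM MAC address step above, here is an added Python example (not the post’s macgenerate.sh) that gives every present NIC in a .vmx file a fresh static MAC; run it wherever you have Python and the datastore mounted. It assumes VMware’s documented rule that manually assigned addresses lie in 00:50:56:00:00:00 to 00:50:56:3F:FF:FF, which is narrower than the 00:50:56 prefix mentioned above, and the .vmx content is constructed.

```python
"""Give every virtual NIC in a .vmx file a fresh, unique static MAC address.

Added example, not the post's macgenerate.sh. It applies the rule from the post
that manually assigned addresses start with 00:50:56, plus VMware's documented
constraint (my addition, not from the post) that statically assigned addresses
fall within 00:50:56:00:00:00 - 00:50:56:3F:FF:FF.
"""
import os
import re

STATIC_PREFIX = "00:50:56"
STATIC_FOURTH_OCTET_MAX = 0x3F

PRESENT_RE = re.compile(r'^ethernet(\d+)\.present\s*=\s*"TRUE"', re.M | re.I)
ADDRESS_RE = re.compile(r'^ethernet(\d+)\.address\s*=\s*"([^"]*)"', re.M)
# Any per-NIC MAC setting; all of these are dropped and replaced by a static assignment.
MAC_KEY_RE = re.compile(
    r'^ethernet\d+\.(address|addressType|generatedAddress|generatedAddressOffset)\s*='
)


def random_static_mac(used, rand=os.urandom):
    """Return a MAC in VMware's static range that is not already in `used`, and record it."""
    while True:
        b = rand(3)
        mac = "%s:%02X:%02X:%02X" % (STATIC_PREFIX, b[0] & STATIC_FOURTH_OCTET_MAX, b[1], b[2])
        if mac not in used:
            used.add(mac)
            return mac


def is_valid_static_mac(mac):
    """True if `mac` lies in the manually-assignable range ESXi accepts without overrides."""
    m = re.fullmatch(r"00:50:56:([0-9A-Fa-f]{2}):[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}", mac)
    return m is not None and int(m.group(1), 16) <= STATIC_FOURTH_OCTET_MAX


def extract_macs(vmx_text):
    """Map NIC index ("0", "1", ...) to the ethernetN.address value in the text."""
    return dict(ADDRESS_RE.findall(vmx_text))


def regenerate_vmx_macs(vmx_text, used=None):
    """Rewrite a .vmx so every present NIC gets addressType static and a new address.

    Pass one shared `used` set across all VMs on a cloned host so no two collide.
    Every line other than the MAC-related keys is preserved verbatim.
    """
    used = set() if used is None else used
    nics = sorted(set(PRESENT_RE.findall(vmx_text)), key=int)
    lines = [line for line in vmx_text.splitlines() if not MAC_KEY_RE.match(line)]
    for n in nics:
        lines.append('ethernet%s.addressType = "static"' % n)
        lines.append('ethernet%s.address = "%s"' % (n, random_static_mac(used)))
    return "\n".join(lines) + "\n"


# Constructed sample .vmx: one NIC already static, one still auto-generated.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.addressType = "static"
ethernet0.address = "00:50:56:00:00:01"
ethernet1.present = "TRUE"
ethernet1.addressType = "generated"
ethernet1.generatedAddress = "00:0c:29:aa:bb:cc"
ethernet1.generatedAddressOffset = "0"
"""

if __name__ == "__main__":
    print(regenerate_vmx_macs(SAMPLE_VMX))
```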

That’s it!  If you simply grab the scripts and follow this little tutorial you’ll be cloning ESXi servers like a champ in no time at all.  If you find this useful or have questions, feel free to hit me up via e-mail or the comment section (though the comment section is largely ignored by me).

· · · · · ·

So… last night I was taking out my trash.

Part 1: The Find

As I hurled the bag towards the dumpster, my 6’2″ stature allowed me to catch a glimpse of some electronic devices.  Never one to pass up a good offering, I climbed up the side and leaned in to view my catch.

Discarded technology and some soft-core porn. There’s bound to be an old broken sofa in here to go with that…

Sure enough, along the piles of trash bags was an old HP desktop, some accessories, and (as you can see from the picture) someone’s collection of Playboy magazines.  Underneath the Playboys was a rather nice collection of college textbooks, still in pretty good shape.  Worth trying to re-sell at the ISU bookstore?  You bet.

It was very apparent that whoever had dumped the computer was also responsible for the simultaneous dumping of the other items; they were pretty much the only things not in trash bags in the entire dumpster, with the exception of a mattress that smelled like it was once a surgical experimentation table.

I read them for the articles.

I grabbed the books and desktop, and assessed my new collection.

Side thought to the person who threw this stuff out: nothing attracts women like a man who studies public policy, is sensitive to economic conditions, and keeps a fairly impressive stash of Playboy magazines in his dorm.

Not that I care if you believe me, but I tossed the Playboys back in and promptly washed my hands.  Because really… who is going to keep someone’s used Playboy magazines?  Exactly.  Besides, I don’t think the girlfriend would have approved.

Drive extraction in progress.

I pulled the hard drive and a PCI graphics card, the latter of which I often need yet never seem to have.

The hard drive was quite chilly (it was about 40°F outside), so I let it warm up a little and worked on slightly more pressing matters (like studying for final exams).

I’m told this is how Gateway support used to do it as well.

Because of my unequivocal laziness I simply stuck the drive in my coffee mug rather than actually installing it properly.  You might attribute this carelessness to the fact that the drive wasn’t mine, so I had nothing to lose if it should fall.  I hate to admit to you that I do this with my expensive drives on occasion too, though.

Once powered on, the hard drive began spilling its secrets.  Within minutes I had gleaned enough information to steal two identities and ruin the owner’s reputation.  I’m not interested in doing either here though, so I’ve censored my findings, shown below.

Part 2: The Results

Driver’s License

Cory, this PC’s previous owner, had scanned his Iowa Driver’s License and saved it to his My Documents folder.  Big, big no-no.  Keep information like this off your electronic devices.  Even though the License itself isn’t the jackpot for an identity thief, the information gleaned would be invaluable for a social engineering attack.

Loan Application

Jackpot; this is what an identity thief is looking for.  Loan application, scanned in with social security numbers, addresses, and full names of two individuals, the owner of the computer and a family member.  It’s always best to never store electronic documents with sensitive information on them in the first place, but if you have to, be sure you properly remove them before discarding the computer.  How does one properly remove them?  We’ll cover that in just a bit.

The “Remember password” features in Chrome, Internet Explorer, and Firefox are a hacker’s best friend.  With freely available utilities, these passwords can be stolen almost instantly.  Our target, Cory, only has Internet Explorer installed, so I ran Nirsoft’s IE Pass View utility to recover the passwords stored with his account.

Nirsoft’s IE Pass View in action.

One result came back.  It seems that Cory has a membership to an “Ultimate BBW” site.  I, being completely naive, figured that BBW stood for something sports-related (I have no understanding of anything in the sports world), so I browsed to the website.  Well… I assure you that “BBW” has nothing to do with sports.

It was sort of like this… only not nearly as cute.

Apparently “BBW” stands for “Big Beautiful Women”, and this website caters to individuals who have a sexual fetish for very, very large women.  Of course I didn’t happen to know this beforehand, so now “what has been seen cannot be unseen”, as they say.

But anyway, do yourself a favor and don’t type that into your address bar.  I cannot be held liable for if you are emotionally damaged by the material contained within.

Now back on topic: Cory (or someone using his computer) has a thing for the larger ladies, it seems.  And to him I say, “To each, their own”, but oftentimes people aren’t so lucky.

The bear says so.

Time and time again, we’ve seen hackers or dumpster divers recover potentially embarrassing information, only to turn around and use it as blackmail against the individual.  This is especially true of “sexted” pictures, when the sender or receiver isn’t careful about how those items are stored.  So remember kids, wipe your sensitive data from your drives before disposing of them (or even lending them to others).

Part 3: The Wrap-Up

Gangster’s Paradise.

Remember how I found those books along with the computer?  The next day I took them to the university’s book store, hoping that I’d get a few dollars out of them.  To my delight, the pile had a total value of $57.  On top of that, I won a candy bar!
Day == Made.

The money went to a nice dinner at our local pizza place, and it was delightful.

Additionally, if I were a real identity thief, I would have done pretty well with minimal effort.  I had obtained:

  • The social security numbers, full names, addresses, and phone numbers of two individuals
  • The driver’s license number of the owner, Cory
  • Potentially embarrassing personal data for blackmailing purposes
  • $57 from re-sold books

I’m not going to count the Playboy magazines or the membership information for the porn website, but perhaps for a small subset of thieves this accomplishment would be noteworthy.  Personally, I don’t wish to have either.

Alright, from here on we’re getting helpful and preachy.  Don’t mind my tangents.

Part 4: Destroying Your Data

To ensure your data is destroyed, I encourage you to seek help from someone who is tech-savvy if you don’t feel comfortable doing these things yourself.

Here’s the deal: when you tell your computer to delete something, it doesn’t actually remove that file.  Instead, it just tells the drive that if needed, that space can be utilized later by a new file.  This is a simplification of a complex process, but we’re just on the basics right now.  So, even if you delete “super_secret_nude_picture_of_myself.jpg” from your computer, it takes all of two seconds for someone with the right know-how to get it back.

So how do we solve that issue?  Well, instead of just deleting the file, you can use special programs that actually write random data over where the file used to be located on the disk, effectively rendering the file’s recovery impossible.  Had Cory done this to his desktop, I would never have known about his social security number or sexual fetishes.  Sounds like a good idea now, doesn’t it?

Eraser

One great utility for destroying your data is Kill Disk, a free CD-bootable software package that can completely erase your drive’s contents.  Just download the software, burn to CD, and reboot.  But remember, once you’ve started the process, there’s no turning back.

But perhaps you want to destroy personal data without erasing the entire drive?  Give the free utility Eraser a try.  Eraser adds an option to your right-click menu, so all you have to do is right-click on a file or folder, and Eraser will take care of the rest.  It fills the disk space back up with random data and prevents prying eyes from ever recovering the information.
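
As an added example (not a tool the post mentions), here is the overwrite-then-delete idea from above in Python, with the pass count and fsync handling as my own choices. Overwriting in place only does what is described on a traditional spinning disk whose filesystem rewrites blocks in place; on SSDs and on journaled or copy-on-write filesystems the old blocks may survive, which is why whole-drive erasure (as with Kill Disk above) or full-disk encryption is the safer bet for a machine about to be discarded.

```python
"""Overwrite a file's blocks with random data before unlinking it.

Added example, not a tool mentioned in the post: a bare-bones version of what
the post's "write random data to where the file used to be" advice means in
practice. The pass count and fsync handling are my choices, not the post's.
"""
import os
import tempfile


def overwrite_file(path, passes=3, chunk_size=1 << 16):
    """Overwrite every byte of `path` in place with random data, `passes` times.

    Each pass is pushed to the disk with fsync so the next pass does not merely
    replace it in the page cache. Returns the file size in bytes.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                written = f.write(os.urandom(min(remaining, chunk_size)))
                remaining -= written
            os.fsync(f.fileno())
    return size


def secure_delete(path, passes=3):
    """Overwrite, rename to a random name (the old name lives in the directory too), unlink."""
    size = overwrite_file(path, passes)
    scrambled = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.rename(path, scrambled)
    os.remove(scrambled)
    return size


def demo_secure_delete(passes=3):
    """Run the routine on a throwaway temp file and report what happened to it."""
    secret = b"contents of super_secret_nude_picture_of_myself.jpg (constructed sample)"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_file(path, passes=1)
    with open(path, "rb") as f:
        after_one_pass = f.read()          # same length, but no longer the secret
    size = secure_delete(path, passes=passes)
    return {
        "size": size,
        "size_preserved": len(after_one_pass) == len(secret),
        "content_replaced": after_one_pass != secret,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo_secure_delete())
```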

Part 5: Sexting

Sexting wasn’t such a big deal 10 years ago when photo clarity wasn’t a part of the camera phone’s feature set.

If you have pictures of yourself or a loved one that you’d rather not have other people see, take a moment to just delete them (securely!) right now.  The longer you hold on to them, the more likely it becomes that eyes other than yours will be viewing them as well.  It’s not worth risking your reputation, so just don’t do it.

I’m always amazed when I hear about people sending nude photos via MMS (cell phone “picture messaging”).  Have any of these people stopped to think about the sheer number of server administrators who have access to those files at the cell phone companies?  That’s right, 47 year old Ned (who isn’t really a “people person”) has probably already lifted that picture of you without underwear on and copied it to his flash drive.  Have fun sleeping with that thought tonight.

Additionally, most young-adult relationships have a shelf-life shorter than skim milk.  So once you break up in a week, what’s he/she going to do with those pictures?  I’ll put down a few hundred that the answer is not a secure deletion using proper data destruction methods.  Unless you count posting the picture on a porn website as secure deletion… but I don’t.

Part 6: If You Are A Victim

If you have reason to believe your identity or credit card information has been stolen, be sure you notify the appropriate agencies and continue to watch your credit.  The FTC has a great website for anyone who has questions about any part of the process as well.

If you are being blackmailed, just contact the police.  If you give in once, the attacker will just keep pressing harder; it’s a vicious circle.

Alright, that’s all I’ve got. Have fun, kids.

Post-Publishing Updates

I did not, at any point, log into this person’s online accounts.  All of my actions were legal, as anything you throw in a dumpster forgoes an expectation of privacy (see California v. Greenwood).  The line of illegality would only have been crossed had I used the information I gleaned.  I am a strong advocate for responsible disclosure, hence my censoring of the subject’s full name and personally identifiable details.

Additionally, I zeroed the drive with a three-pass erasure before disposing of it to ensure that this individual’s personal information would be protected in case anyone else were to come across the drive.

· · ·

Wi-Fi Analyzer

A Wi-Fi Analyzer for Android Phones

Deauthentication Attacks

A successful WEP attack often involves using a deauthentication attack. What does this mean? Well, the 802.11 specification has commands, called frames, for managing the wireless infrastructure. One of these commands is the deauthentication frame. This frame is usually sent out by the access point, and it tells the clients that communications are about to terminate, so they should look elsewhere for a valid connection.

When someone wants to be a party killer, they can send out deauthentication frames non-stop while pretending to be any nearby access point. If you send deauthenticate frames on all Wi-Fi channels, whilst impersonating all Wi-Fi access points, you can effectively kill the entire wireless infrastructure. Wireless (802.11, that is) simply stops working, with no indication to the end-user as to why.

This evening as I completed my upcoming lecture for the Iowa State computer security group, I pondered what would happen if you were to create a device that flew around and killed off Wi-Fi networks en masse. I know that sounds completely nuts, but think about it for a second. Let’s say I go out and buy a $1,000 RC helicopter, then attach a small device running some flavor of Linux or Android. Now I run a custom-made program that searches for all the broadcasting APs, and my device sends a deauthentication frame while pretending to be the real AP.

Things to think about:

  1. The helicopter wouldn’t need to stay flying the whole time. You could land on top of a really high point. At Iowa State, maybe I’d choose the campanile; it’s a central location and it’s high up. Or perhaps the old water tower, as many buildings with considerable Wi-Fi usage are very close in proximity.
  2. The small device (PDA or smart phone would probably be preferable) could be attached to an external battery pack and would be able to run for many, many hours.
  3. We are used to Wi-Fi dropping out once we’re just a few hundred feet away: we experience a high degree of packet loss, so requests start failing, and so on. A deauthentication frame is one packet, meaning that the probability of at least one of those deauthentication packets reaching really far (past where Wi-Fi normally would be accessible) is very, very high. So yeah, we might be really far from a client PC we’re trying to kick off of the Wi-Fi, but at least some of these packets will make the distance.

I know some people will read all of this and ask “who cares?” Well, I admit, this idea isn’t some revolutionary invention by any means. However there are applications for this type of denial-of-service attack. Perhaps an attacker wants to be sure everyone in a physical area wanders to his wide-open access point. For example, Iowa State University’s wireless network is called “IASTATE”. One could create a small wireless network (also called IASTATE) that performed man-in-the-middle attacks by tampering with data as it hits the custom-programmed APs. Then you can tailor your deauthentication attack to only affect those APs which aren’t yours.
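
The deauthentication frame described above is also what a wireless IDS watches for. This added Python example (not from the post) decodes the fixed 802.11 header of captured management frames and alerts on any BSSID credited with more deauths per second than an access point plausibly sends; the sample frames and the threshold are constructed and assumed values.

```python
"""Detect deauthentication floods in captured 802.11 management frames.

Added example, not from the original post. A deauthentication frame is a
management frame (type 0, subtype 12) whose body is a 2-byte reason code; a
wireless IDS spots abuse by counting how many are attributed to each BSSID per
unit time. Frames are assumed to be raw 802.11 with any radiotap/PCAP header
already stripped; the sample capture below is constructed.
"""
import struct
from collections import defaultdict

TYPE_MANAGEMENT = 0
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
HEADER_LEN = 24  # frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctrl(2)


def fmt_mac(raw6):
    return ":".join("%02x" % b for b in raw6)


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_deauth(raw):
    """Decode the fixed header; return a dict for deauth frames, None for anything else."""
    if len(raw) < HEADER_LEN + 2:
        return None
    fc, = struct.unpack_from("<H", raw, 0)          # frame control is little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != TYPE_MANAGEMENT or subtype != SUBTYPE_DEAUTH:
        return None
    reason, = struct.unpack_from("<H", raw, HEADER_LEN)
    return {"dst": fmt_mac(raw[4:10]), "src": fmt_mac(raw[10:16]),
            "bssid": fmt_mac(raw[16:22]), "reason": reason}


def deauth_flood_alerts(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame); returns one alert per flooding BSSID.

    `threshold` deauths within `window` seconds is an assumed tuning value: a real AP
    sends the odd deauth, a flood sends dozens, and a broadcast destination (everyone
    at once) is the hallmark of the attack described in the post.
    """
    recent = defaultdict(list)
    alerted, alerts = set(), []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        info = parse_deauth(raw)
        if info is None:
            continue
        bucket = recent[info["bssid"]]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # slide the window forward
            bucket.pop(0)
        if len(bucket) >= threshold and info["bssid"] not in alerted:
            alerted.add(info["bssid"])
            alerts.append({"bssid": info["bssid"], "count": len(bucket), "at": ts,
                           "broadcast": info["dst"] == BROADCAST, "reason": info["reason"]})
    return alerts


def sample_deauth(dst, src, bssid, reason, seq):
    """Constructed test frame (never transmitted): 24-byte header plus reason code."""
    fc = (SUBTYPE_DEAUTH << 4) | (TYPE_MANAGEMENT << 2)
    return (struct.pack("<HH", fc, 0) + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))


# Constructed capture: a beacon (ignored), one legitimate deauth from AP_A to a
# client, then twelve broadcast deauths inside 0.6 s all claiming to be AP_B.
AP_A, AP_B, CLIENT = "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:99", "d4:6e:0e:11:22:33"
BEACON = bytes([0x80, 0x00]) + bytes(34)
SAMPLE_CAPTURE = [(0.00, BEACON), (0.50, sample_deauth(CLIENT, AP_A, AP_A, 2, 1))] + [
    (1.0 + i * 0.05, sample_deauth(BROADCAST, AP_B, AP_B, 7, i)) for i in range(12)]
```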

Wi-Fi Traffic Sniffing

Perhaps this situation is a little more practical: a custom-programmed Android phone, running as the RC helicopter payload. This unit listens in on unencrypted Wi-Fi traffic over a broad area, capturing useful-looking packets for later analysis, while tracking its own GPS coordinates in flight.

Or perhaps you know a business or other point of interest has Wi-Fi secured with a crackable encryption type, but physical access near the signal is very limited. You need to get in, capture WEP IVs (for WEP cracking) or WPA handshakes (for WPA-TKIP cracking). This remote, mobile intruder could fly in to the area outside, park somewhere unseen, and then an attacker could watch for useful data and information.

Warflying isn’t anything new, but it’s still cool.  One could warfly over a small area to tag and better understand nearby APs, without the area restrictions that normal wardriving entails, or the costs that full-size aircraft-based warflying involves.

A Third Way To Use An RC Helicopter

And this one has nothing at all to do with Wi-Fi.  To gain access to a system inside a gated or guard protected facility, you could craft malware-ridden flash drives, and then drop them over internal building entrances, etc.  Even someone who has been repeatedly trained to not insert foreign flash drives might still be tempted to do so if they feel that the drive must be safe, considering it was found at a “secured” area.

I suddenly want an RC helicopter :)

Sep/10

1

IASG Lecture: Social Engineering 101

My lecture on Social Engineering for the Information Assurance Student Group at Iowa State University (IASG @ ISU). I demonstrate a real Social Engineering attack, then follow up by explaining how Social Engineering simply blends technology and social psychology.

This event and my comments regarding Social Engineering also received coverage from the Iowa State Daily, the Iowa State University campus newspaper:
http://www.iowastatedaily.com/news/article_388022f8-b559-11df-8095-001cc4c03286.html

Ethics Statement:

Please take this knowledge and use it to better understand the mindset of an attacker and the anatomy of a network attack. I do not support unethical behavior in any way. I will not answer any questions regarding malicious use. This video does not show you how to cover your tracks, meaning that any malicious activities you perform can easily be traced, so don’t do anything stupid!


Download Lecture Slides:

Microsoft PowerPoint 2007 (pptx @ 1,574kb)
Adobe PDF (pdf @ 1,142kb)


· ·

Introducing GNOME Security

GNOME Security is based on the Fedora Security Spin. The spin includes many tools for security auditing, but comes with the LXDE Desktop Environment, of which I’m not a big fan. So I removed LXDE and added GNOME. The result is a fast and easy to use security auditing tool set based on Fedora that fits on one bootable CD or 1GB USB flash drive.

Interested? Read more over at the GNOME Security page!

Apr/10

15

IASG Lecture: The Magic of Ettercap

A month or two ago I gave a lecture about the rather magical software suite Ettercap for the Information Assurance Student Group at Iowa State University (IASG @ ISU).  Ettercap can do crazy things with Ethernet traffic, including packet tampering, injection, and dropping.  Anyone with an interest in security should watch this; I post it hoping it gives you a better understanding of an Ettercap attack.

Ethics Statement:

Please take this knowledge and use it to better understand the mindset of an attacker and the anatomy of a network attack.  I do not support unethical behavior in any way.  I will not answer any questions regarding malicious use.  This video does not show you how to cover your tracks, meaning that any malicious activities you perform using Ettercap can easily be traced, so don’t do anything stupid!


Download Lecture Slides:

Microsoft PowerPoint 2007 with Hi-res Graphics & Backgrounds (pptx @ 562kb)
Adobe PDF With Backgrounds & Graphics Removed, Basic Text (pdf @ 1,792kb)


·
