Category Archives: Security

The Cuckoo’s Egg

When rooting (pardon the pun) around YouTube a few days ago looking for some cyber security videos to watch, I discovered this little gem, the 1990 made for TV movie; The KGB, the Computer and Me. It is an adaptation of the astronomer, author and accidental security specialist Clifford Stoll’s 1989 book, The Cuckoo’s Egg.

What makes this the show so great is not only the fact that many of the real people play themselves, resulting in what is often unintentional comedic acting, but it tells a very real story of how one man almost by accident found himself at the heart of the investigation that would bring the notorious hacker and KGB agent Markus Hess to justice!

The full video is available here:

Diffie-Hellman: The Basics

The Diffie-Hellman Key Exchange is a method of securely exchanging cryptographic keys across insecure and untrusted networks. To do this a shared secret between two entities must be created, it does this with a mathematical one way function. A one way function is a problem that is difficult to solve in one direction, but easy in the other. Most major websites use one way function to store password hash digests rather than the users actual password.

A simple to under stand one way function can be explained with mixing paint. If you have three different colours of paint, and mix them together, it would be almost impossible to reverse engineer the mixed paint to discover the original colours.

Below is a simple to understand break down of the mechanism that Diffe-Hellman employs. It is explained both with mathematics and colours for simplicity. Bob and Alice want to create a shared secret and mutually authenticate each other, Eve wants to know what the secret is…how do Alice and Bob Stop her?

Step 1: Alice and Bob agree on of a Prime Modulus ie. 17 and a primitive root ie. 3. This is a number that when raised to any exponent (X) with modulus produces a equiprobable result. 3 is a prime root of 17.

step_1

Step 2: Alice and Bob both select random Private Keys. This number will be used as the exponent and is used as the exponent X in the agreed modulus equation. Without the Private Key this is very difficult to reverse. (A large prime modulus must be used, 17 is just for demonstration purposes)

step_2

Step 3: The results of this produce Alice and Bob’s Public Keys 6 | PURPLE and 12 | ORANGE These are then shared

step_3

Step 4: The Public keys is then shared, allowing Eve to intercept them. The private keys are kept secret so Eve does not know the private key/exponent to allow her reverse the maths to find them.
Now Alice and Bob can use each others Public Keys for the start of their Modulus equation. With their Private Key as the exponent once again.

step_4

10 | BLACK is the shared secret. Both sides will always find the same result as their Private Key is obfuscated in the Public Key. So the equations are basically the same. But Alice and Bob can workout each others Private Key. Eve can not work out the Private Keys or the Shared Secret.

This is a very basic explanation of the broad concept. Understanding each step involved here is vital, before endeavouring to learn Diffie-Hell in detail.

If you are struggling to understand this, have a look at Khan Academy’s excellent video on this subject that is presented by Birt Cruise.

The Imitation Game

Yesterday I went to see the new film about Alan Turing, The Imitation Game. Turing was a mathematician and computer science pioneer. During World War II he was instrumental in breaking the German Enigma machines cypher, allowing the allies to decode intercepted German communications. This was invaluable to the allied war effort, and is credited with ending the war years early and saving millions of lives.

Turing was a homosexual, which at the time was illegal in the UK, he was involved in an incident that subsequently lead to his conviction for gross indecency. Upon conviction he was given the option of going to prison or being chemically castrated with hormone therapy. He chose castration. Turing died in 1954, his death was more than likely suicide by cyanide poisoning, this was the finding of the official inquest. Although others debate this, including his own mother who thought his death was accidental.

Due to the secretive nature of his work, Turing’s achievements were never acknowledged, and were buried deep in the archives. The full extent of the part he played in Hitler’s downfall was not known until documents pertaining to it were declassified under the Official Secrets Act 50 year rule.

Although it appears as if the film has many historical inaccuracies in it, I personally thought it was excellent. What the film does do is assist in correcting a 65 year wrong, by bringing to the public’s attention the role Turing played in the war and his treatment after it.

I’ve included a few links with more information about Turing, including his 1936 paper “On Computable Numbers, With an Application to the Entsheidungsproblem” and his 1950 paper “Computing Machinery and Intelligence”. Chapter one of the former is titled; The Imitation Game.

The Turing Digital Archives

On Computable Numbers, With an Application to the Entsheidungsproblem

Computing Machinery and Intelligence

Shellshocked: 2014 The Year of the Superbugs

Broken Windows

It was announced this week that a 19 year old bug has been present in most of Microsoft’s Operating Systems (OS) dating back to Windows 95. The bug (in fact it appears to be a series of connected bugs) was present in server and clients OS’s and was still present in Microsoft’s most recent efforts Windows Server 2012 R2 and Windows 8.1. Not even the minimal, naturally hardened Server Core escaped its potentially fatal grasp. The flaw was in Microsoft implementation of Secure Sockets Layer (SSL) and Transport Layer Security (TLS), Schannel. It was uncovered by a team of IBM researchers, known by the excellent superhero esque handle of X-Force. X-Force’s Robert Freeman described what they had uncovered in a blog post on IBM’s Security Intelligence website.

In the post he highlights some of the take home points of this threat: It has been around since Internet Explorer (IE) 3, it allowed reliable execution of arbitrary code from a remote location, It sidestepped IE’s Enhanced Protected Mode, and even secure protocols such as HTTPS can be easily exploited with the proper knowhow. When you step back and look at some of these points the severity of the flaw is plain to see and explains why the bug, now being dubbed by some as WinShock has been given the maximum CVE severity rating of 10. CVE-2014-6321 states that WinShock has a low level of complexity to exploit the bug and that a massive amount of damage that can be done with it. Being able to execute arbitrary code without authentication and often with elevated privileges is a massive problem, it effectively compromises every part of an affected system, the effects of this bug could have been devastating, if an unprotected system is exploited by the wrong person (or organisation) then it is effectively game over, data is compromised, systems are hijacked nothing is safe. To Microsoft’s credit they had released a fix to the issue in this weeks patch Tuesday update, the same day that the vulnerability was made known to the public.

Heart Breaking

Amazingly WinShock isn’t the first major security flaw discovered in protocols designed to securely transport data across the network in 2014. In April, SSL and TLS were at fault again (its not clear if the WinShock bug is related) when the Heartbleed vulnerability was made public. Heartbleed compromised some of the most widely used security transport protocols in the world including OpenSSL, GnuTLS, and Apples Secure Transport. Untold numbers of systems were left wide open by WinShock and Heartbleed, if you have used a computer in the last few years you were almost certainly exposed to the undetected hidden threat posed by these security flaws. All of this goes to not only undermine the integrity of our data, but the integrity of our privacy, safety and trust in the systems designed to keep us safe.

Bashful

The computing industries annus horribilis doesn’t stop with WinShock and Heartbleed. In September yet another vulnerability with a CVE severity rating of 10, effecting millions of computers, and allowing for arbitrary code to be run from remote locations, was made public. This time it was a 25 year old vulnerability in the BASH shell (and its derivatives) that had a gaping hole in its security. In fact it wasn’t just one flaw, by the end there were six published vulnerabilities relating to BASH.

Dubbed Shellshock it exploited a feature that allowed unauthenticated environment variables to be exported to function definitions, trailing variables could have arbitrary code placed inside them, when BASH forks, the environment variables were written into memory and the code from the trailing variable executed. Shellshock was startling for a number of reasons, not only did it undermine the perceived security benefits of Linux systems, it was also very easy to exploit. The amount of devices left vulnerable was staggering, from servers, to clients, to phones and even smart washing machine, fridges, TVs and other smart devices. Shellshock had the potential to cause massive amounts of catastrophic damage to an incredibly diverse and large array of systems.

Within hours of Shellshock being publicly released there were detailed tutorials online on how to exploit the vulnerability, it wasn’t long until reports on how the bug had been exploited began to appear in the media. There were tales of Romanian Gangs and massive Botnets running riot all over the the internet. By late September security researchers at Incapsula reported that it had seen a rate of 725 attacks per hour relating directly to Shellshock.

What 2014 has taught us is that major security vulnerabilities have existed undetected for years, these vulnerabilities have affected the entire gamut of computing. The free software community, the open source software community and proprietary software vendors have all seen major flaws in their software exposed. It begs a few questions; what else is out there that we don’t know about? What other bugs are lurking deep in the code of the software that is present on our computers, our internet, our corporate infrastructures, our national infrastructures and just about every connected device we have come to take for granted? What dangers are lurking just around the corner? With Heartbleed, WinShock and Shellshock we may have gotten off lightly, each of these flaws were recognised and fixed in an extremely timely manner, the consequences could have been far worse if they had gotten into the wild before the good guys discovered them. That’s not to say that the consequences still may not be felt, they could just be in hibernation, backdoors waiting to be opened, time bombs ready to explode, and stolen or compromised data waiting to be exploited. Of course the doomsday scenario is an extreme one, but one that cannot be ignored.

Richard Stallman describes Shellshock as just a “blip”, hopefully he is right, hopefully all these bugs and others like them are just a series blips, the inevitable consequence of the growing pains associated with the incredible pace of technological advancement and the complacency of not checking old code thoroughly when implementing it in new systems. We can only hope that these “blips” do not turn into a constant tone, a tone that could signify the flat lining of people’s trust in modern computer networks.

100 Greatest Hacking Tools! (Link)

100 Greatest Hacking Tools!

I thought I would share this handy guide from the EFYTimes for some of the best, most popular and widely used hacking security tools. They have gathered together a list of 100 security tools and broken them down into different categories, so you can easily find the correct tool for the job. Conveniently they have also linked to each tool, so downloading them should be a breeze.

One of the tools they have on their list is the Metasploit Framework, which you can read about here a very user-friendly security tool for exploiting security holes in software without too much effort. They also have a range of password crackers, wireless crackers plus many more categories to keep even the most committed of you busy for a while. Whatever tool you decide to play about with, have fun with it, but most importantly don’t go getting yourself in trouble by carelessly breaking the law.

I haven’t forgotten about my series on Mobile IPv6, part 2 will be up in the next few weeks. If you haven’t read part 1 yet, then you can here.

100 Greatest Hacking Tools! – EFYTimes

100 Greatest Hacking Tools!
efytimes.com

The Metasploit Framework

When it comes to penetration testing there are many applications available. Some can be used for footprinting and enumeration, others for gaining access to the network, and others for exploiting weaknesses in the network setup, or less than secure code. The Metasploit Framework falls into the latter category. Developed by the Metasploit Project (now acquired by Rapid7), The Metaspolit Framework is a tool that it used to run and develop exploits for penetration testing remote devices. The Metaspoit Framework is open source, and modular, allowing for the development of individual exploits, these exploits target a range of software and a range of operating systems, from The Windows family, Linux/UNIX distros and the iterations of Apples Mac OS X. There are various other free and commercial versions of Metaspolit, these include versions with GUI’s and more advanced features. This Guide however, will be based on the standard Metasploit Framework Edition, which is one of Kali Linux’s built in tools.

Various exploits with various payloads can be crafted to attack various patch versions of various software, as you see, that is a lot of variables so there is no guarantee a given exploit will be successful on a given target.

This guide however should be successful; it is a known exploit on a known target. The first thing you should do is setup a small virtual network running two VM’s. I used VirtualBox, but if you would rather use different software it shouldn’t make any difference. On the first VM install Kali Linux, this is the de facto Linux distro for penetration testing, it comes with a huge variety of tools including The Metasploit Framework. On the second VM install Metasploitable (Download here), this is a custom made Linux VM, that is designed to be used for penetration testers to hone their craft. Once you have this setup with both machines pinging each other, you are ready to go.

Step 1

The first step is to find a vulnerability that you can exploit. One of the best methods is by using nmap to scan for open ports and services that may present an open door. Namp can be run in many modes with many options, some are stealthy and will avoid Intrusion Detection Systems, some are not so stealthy, for the purpose of this guide however, we are going to run nmap in a not so stealthy fashion, purely for the purposes of demonstration. We know our target machine (as it is the only other device on our network) so we will target it directly and perform a scan that gives us a list of open ports, services running and what patch level the software is at, it will also fingerprint the target OS and give an estimation on what OS is running (it does this based on the individual nuances built in to the OS’s TCP/IP stack).

As you can see in the screenshot below, we have discovered a range of services and the versions of each service.

## -v = verbose; -A = All; this will perform a detailed scan with detailed output ##

#nmap –v –A 10.0.1.20

metasploit_step_1

Step 2

The next port of call is Google. Searching for exploits via the web will give an idea of potential security vulnerabilities in the target machines software. Search for weaknesses in each individual service that you have discovered, you may find that you can get the same end result in a number of different ways, some a lot simpler than others. In our machine you will see that it is running UnrealIRC version 3.2.8.1. This is popular and widely used Internet Relay Chat software. After searching the web you will discover that this version has a flaw in it that when exploited, can give an attacker root access to the Linux server running it.

Step 3

It is now time to move on to The Metasploit Framework. First, launch the tool. You will notice that the command prompt changes to the Metaspolit Framework prompt. Once the console has been launched you can use the search feature to find built in exploits, it does this by searching its database of exploit modules for the string of text you input. In this example; ‘unreal’.

This will return a list of modules that have ‘unreal’ in the title, you will find that it returns three exploits, two of which are for Unreal Tournament 2004, looking at the path you can tell there is one for Linux and one for Windows. You will also see how they are ranked, with both being ranked as good. These are not relevant to the UnrealIRC software, but the third one is. Examining the path shows that it is an exploit for UNIX systems, the correct software and the correct version of software, additionally you can see that this module is rated as excellent.

Using the info command followed by the path of the exploit will display a host of information about the module, including a description, licensing details, setting and links to references about the exploit.

[email protected]:~# msfconsole
msf > search unreal
msf > info exploit/unix/irc/unreal_ircd_3281_backdoor

step_3

Step 4

Now that we are satisfied that we have discovered an exploit module for our target software and OS, it is time to launch the module, this is done with the use command followed by the path of the exploit. Once launched the command prompt will change to the module path, you can now use context commands for that module, the show options command with display remote host IP settings and port settings.

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit (unreal_ircd_3281_backdoor) > show options

step_4

Step 5

To set the target IP address using the set RHOST command followed by the target machines IP address. The target port will be set to the UnrealIRC default port 6667, confirm from in the information discovered with nmap that this is indeed the port being used by the service, if not use the set RPORT command to configure the target port.

msf exploit (unreal_ircd_3281_backdoor) > set RHOST 10.0.1.20
msf exploit (unreal_ircd_3281_backdoor) > set RPORT 6667

Step 6

The final step is to execute the exploit. This is done simply by using the exploit command, the screen will output information on the working of the exploit, once it is complete you should now have access as root to the target machine, confirm this by running a root level command or by using the whoami command.

msf exploit (unreal_ircd_3281_backdoor) > exploit

step_6