Eclectic Security

The Turnkey Linux is an amazing project of various ready-to-use web applications, 45+ virtual appliances are packaged in multiple build formats, from VMDK disk image with OVF support and an installable Live CD which can be installed on bare metal and virtual machines. The most common appliances provided by Turnkey are LAMP server, Joomla, Drupal, WordPress, MySQL, MediaWiki, Domain controller, File server, Ruby on Rails, phpBB. Non official Turnkey Linux appliances are available on the web, such Sahana-Eden, LimeSurvey, Ampache along with the two intrusion detection solutions Insta-snorby and Smooth-Sec. In this how to, I’m going to show how to install from scratch  the Redmine Turnkey Linux appliance on a Virtualbox headless Server within minutes. If wondering how to install a Headless Virtualbox server, please check my related blog post on “phpvirtualbox, manage your virtual machines from anywhere.“

1) New Virtual Machine (choose a name)

2) Allocate the VM memory (512 MB will be fine)

3) New virtual hard disk (Create a new disk)

4) Type of the virtual disk (select the VDI, virtualbox default)

5) Virtual disk allocation (dynamically will be fine in most of the cases)

6) Virtual disk size . (This is up to you)

7) Last chance to edit the disk settings.

Attach the Turnkey Iso appliance.

9)  Start the VM and begin with the installation.

10) Disk partitioning.

11) Commit the disk changes.

12) Installation complete – Reboot the system.

13) Enter the new root password.

14) Enter the Mysql root password.

15) Enter the redmine admin password.

16) Enter the redmine admin email address.

17) Once arrived at the confconsolle you can manage your appliance.

18) Point the web browser to the appliance ip address and login with the credentials
previously inserted.

If want to experiment and try other appliances, please visit the turnkeylinux.org and get your appliance and don’t forget to give a shout-out to to Alon Swartz and Liraz Siri.

Yesterday I’ve released a new version (1.3) of Smooth-Sec, major improvements are Snorby upgraded to version 2.3.11 and Suricata upgraded to version 1.1 stable, compiled with with NFQ support.

Download here:
https://sourceforge.net/projects/smoothsec/files/SmoothSec-1.3/

For a better communication I’ve set up a Smooth-Sec mailing list, where everyone can share tips/tricks, ideas and issues related to Smooth-Sec.

https://lists.sourceforge.net/lists/listinfo/smoothsec-talk

Your favourite Intrusion Detection/Prevention System (IDS/IPS) is just installed and running, and you are probably wondering if everything is working as it should, logging or dropping evil packets. Here it comes Pytbull, a python based flexible IDS/IPS testing framework shipped with more than 300 tests, grouped in 9 modules, covering a large scope of attacks (clientSideAttacks, testRules, badTraffic, fragmentedPackets, multipleFailedLogins, evasionTechniques, shellCodes, denialOfService, pcapReplay).

Testing your IDS/IPS with Pytbull will save you a big deal of time!

Lets  assume we have an Ubuntu Linux testing box A with ip address 192.168.1.25 and a Smooth-Sec installation B with ip address192.168.1.1.

On the testing box A 192.168.1.25, install all the required packages and dependencies.

#apt-get install python python-scapy nmap hping3 nikto tcpreplay python-iniparse

Download Pytbull

#wget https://downloads.sourceforge.net/project/pytbull/pytbull-1.3.tar.bz2
#bzip2 -cd pytbull-1.3.tar.bz2 | tar xf -
#cd pytbull

Edit the Pytbull configuration file:

vim config.cfg

#Pytbull config file
[CLIENT]
ipaddr                  = 192.168.1.1 #ip address of the IDS to test.
iface                   = eth0

[PATHS]
report                  = report.html
sudo                    = /usr/bin/sudo
nmap                    = /usr/bin/nmap
nikto                   = /usr/bin/nikto
niktoconf               = /root/pytbull/nikto.conf
hping3                  = /usr/sbin/hping3
tcpreplay               = /usr/bin/tcpreplay
urlpdf                  = http://droid-protector.com/borrar_ya/md5
alertsfile              = /var/log/suricata/fast.log

[CREDENTIALS]
ftpuser                 = pytbull
ftppasswd               = pytbull

Create a nikto configuration file and add the following content

#start nikto configuration file
SKIPPORTS=21 111
USERAGENT=Mozilla/4.75 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
RFIURL=http://cirt.net/rfiinc.txt?
NIKTODTD=docs/nikto.dtd
DEFAULTHTTPVER=1.0
UPDATES=yes
MAX_WARN=20
CIRT=174.142.17.165
CHECKMETHODS=HEAD GET
@@MUTATE=dictionary;subdomain
@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)
#end nikto configuration file

Copy the Pytbull server script (reverse shell) used for client side attacks to the Smooth-Sec box 192.168.1.1:

#scp server/pytbull-server.py root@192.168.1.1:

Define the kind of tests that you want to run against Suricata, please refer to the end of the Pytbull configuration file config.cfg.

0 = disabled
1 = enabled

[TESTS]
clientSideAttacks = 1
testRules = 1
badTraffic = 1
fragmentedPackets = 1
multipleFailedLogins = 1
evasionTechniques = 1
shellCodes = 1
denialOfService = 1
pcapReplay = 1

On the Smooth-Sec box 192.168.1.1 B

#apt-get install vsftpd apache2
#adduser –home /var/log/suricata –shell /bin/bash pytbull
#usermod -G suricata pytbull

Start the reverse shell on the Smooth-Sec box 192.168.1.1

#python pytbull-server.py  --port 34567

                                 _   _           _ _
                     _ __  _   _| |_| |__  _   _| | |
                    | '_ \| | | | __| '_ \| | | | | |
                    | |_) | |_| | |_| |_) | |_| | | |
                    | .__/ \__, |\__|_.__/ \__,_|_|_|
                    |_|    |___/
                       Sebastien Damaye, aldeid.com

Checking root privileges......................................... [   OK   ]
Checking port to use............................................. [   OK   ]

Server started on port: 34567
Listening...

 Run the test from 192.168.1.25 to 192.168.1.1

#python pytbull.py -t 192.168.1.1

                     _ __  _   _| |_| |__  _   _| | |
                    | '_ \| | | | __| '_ \| | | | | |
                    | |_) | |_| | |_| |_) | |_| | | |
                    | .__/ \__, |\__|_.__/ \__,_|_|_|
                    |_|    |___/
                       Sebastien Damaye, aldeid.com

BASIC CHECKS
------------
Checking root privileges......................................... [   OK   ]
Checking remote port 21/tcp (FTP)................................ [   OK   ]
Checking remote port 22/tcp (SSH)................................ [   OK   ]
Checking remote port 80/tcp (HTTP)............................... [   OK   ]
Checking path for sudo........................................... [   OK   ]
Checking path for nmap........................................... [   OK   ]
Checking path for nikto.......................................... [   OK   ]
Checking path for niktoconf...................................... [   OK   ]
Checking path for hping3......................................... [   OK   ]
Checking path for tcpreplay...................................... [   OK   ]
Removing temporary file.......................................... [   OK   ]

TESTS
------------
Client Side Attacks.............................................. [   yes  ]
Test Rules....................................................... [   yes  ]
Bad Traffic...................................................... [   yes  ]
Fragmented Packets............................................... [   yes  ]
Multiple Failed Logins........................................... [   yes  ]
Evasion Techniques............................................... [   yes  ]
ShellCodes....................................................... [   yes  ]
Denial of Service................................................ [   yes  ]
Pcap Replay...................................................... [   yes  ]

-----------------------
DONE. Check the report.
-----------------------

Report view.

On the testing machine 192.168.1.25

cp report.html /var/www/

open http://192.168.1.25 with your web browser

Restore Suricata as it was. (192.168.1.1)

apt-get remove vsftpd apache2
deluser pytbull
rm pytbull-server.py

Early today Orweb v2 (0.2.1) was released, this new version now supports Android 2.x and 3.x, so i’ve decided to give it a try. Orweb is a privacy enhanced android web browser that run in conjunction with Orbot,the Tor on Android app. This privacy aware web browser doesn’t require any further configuration, it just run out of the box. Orweb in combination with Orbot will prevent others from eavesdrop your web browsing and circumventing web filters and firewalls, while also improving  users ability to remain anonymous online, hiding your physical location using the onion routing network. Orweb have some additional security features, blocking the cookies, not storing a local history and the possibility to change the browser user agent. Thanks to the guardianproject team for this amazing software.

1) Software installation.
Go to the Orbot market page and install it, do the same with Orweb.

2) Running the software.

once installed both applications, you need to start first Orbot until you see the message “successfully connected to the Tor network”

Then you can start Orweb

 Useful links:

https://guardianproject.info/apps/orbot/

https://guardianproject.info/apps/orweb/

WPScan is a security scanner which checks  WordPress weaknesses using a black box method. The main features are, username enumeration, multithreaded password bruteforcing, WordPress Version enumeration and Plugin vulnerability enumeration. In this how to I’m going to show how to perform a security auditing on a WordPress installation in wich the  user ‘mike’ has a weak password and the blog uses a vulnerable plugin.

WPScan installation.

wget http://wpscan.googlecode.com/files/wpscan-1.0.zip

unzip wpscan-1.0.zip

sudo apt-get install libcurl4-gnutls-dev rubygems1.8  ruby
sudo gem install typhoeus
sudo gem install xml-simple

Non-intrusive method

Non-intrusive method will simply query the WP installation to obtain basic information about the WP theme in use, if the readme.html file exists and the WP version grabbed from the from meta generator.

#ruby wpscan.rb --url mysite.org/blog

| URL: http://mysite.org/blog/
| Started on Wed Jul 20 21:17:37 2011

[+] The WordPress theme in use is called News
[+] The WordPress http://mysite.org/blog/readme.html file exists.
[+] WordPress version 3.2.1 identified from meta generator.

[+] Finished at Wed Jul 20 21:17:41 2011

User enumeration

This test will enumerate the users that have access on the blog, this information is obtained from author querystring and location header.

#ruby wpscan.rb --url  mysite.org/blog --enumerate u

[+] Enumerating usernames...

We found the following 1 username/s:

mike

Wordlist password brute force on ‘mike’ username only

This test will try a brute force attack for the user ‘mike’ using a word list of common password. Below you can find some useful word lists.

http://packetstormsecurity.org/Crackers/wordlists/
http://www.isdpodcast.com/resources/62k-common-passwords/

#ruby ./wpscan.rb --url mysite.org/blog --wordlist mylist.lst --username mike

[+] Starting the password brute forcer

Brute forcing mike with 500 passwods...
SUCCESS! Username:mike Password:trustno1

[+] Finished at Wed Jul 20 21:27:19 2011

Generate a new ‘most popular’ plugin list

This will fetch the latest WP plugins and store them in /data folder.

#ruby ./wpscan.rb --generate_plugin_list

Number of pages not supplied, defaulting to 150 pages...

[+] Generating new most popular plugin list

New data/plugin.txt file created with 2220 entries.

Enumerate installed plugins

This test will enumerate all the WP installed plugins. Outdated or vulnerable plugins can be easily used as a way to compromise and exploit the WP installation.

#ruby ./wpscan.rb --url mysite.org/blog --enumerate p

[+] Enumerating installed plugins...

Checking for 2139 plugins...

We found 1 plugins:

wp-syntax

[+] There were 1 vulnerabilities identified from the plugin names:

* Title: WordPress Plugin WP-Syntax * Reference: http://www.exploit-db.com/exploits/9431/

Directory listing enabled: http://mysite.org/blog/wp-content/plugins/wp-syntax/

[+] Finished at Wed Jul 20 22:08:11 2011

Risk mitigation and countermeasure.

Remove the readme.html file from the WP root, this file contain the WP version.

Remove the meta name generator wordpress.

Keep WP plugins updated.

Keep WP updated.

Use non dictionary passwords.

Disclaimer: changing the “Transmit Power” can overheat the  router with a significantly shortly lifespan. I recommend not going over 100mW even with a fan installed. I don’t take responsibility on any damage which you make on your WIFI router .

In most of the cases the average Wi-Fi signal it’s enough to cover our daily needs. But Sometimes our Wi-Fi router may not be reaching our operational range, for example a terrace or a basement. A weak Wi-Fi signal can cause poor Wi-Fi performance and frequent signal lost. If you have a Linksys WRT54 Wi-Fi router with Tomato firmware installed, you can try to increase the wireless signal strength. Nothing special is required, except one small pc fan to prevent the router from overheating and a high gain Wi-Fi antenna to boost the signal.

What you need.

- A Linksys WRT54G/GL/GS  router
- 80mm PC Fan
- 2.4GHz 15DBi omni-directional antenna for Linksys WRT
- Tomato firmware
- Wifi analyzer android

Before the Hack:

“Transmit Power” set at 42 (Default value)
Without high gain Wi-Fi antenna
-95dBm wifi strength checked with Wifi analyzer

Signal strength before the hack, -62dBm

Hack it!

Pc fan and high gain Wi-Fi antenna.

1) Connect the fan on the linksys-wrt54 Wi-Fi router:

Please follow this how to:

http://yltan.com/blog/guide-linksys-wrt54glgsg-fan-mod/
or
http://www.youtube.com/watch?v=8ZfPYlkvT94

2) Add the High Gain 2.4GHz 15DBi omni-directional antenna for Linksys WRT

3) Start the Wi-Fi router and go to the Tomato router, in the left sidebar click on Advanced  and then Wireless, , on “Transmit Power” change the default value to 100, Tomato supports till 251mW, but I recommend to stay around 100mW if you don’t want to overheat and damage the Wi-Fi router.
Click the “Save” button.

4) Start again your favorite Wifi analyzer and measure the wifi strength.

Signal strength after the hack.

In my previous post, “Secure IPsec/L2TP VPN for on the road android devices” I have written on how to set up an IPsec/L2TP VPN server and connect to it from any android device. I was really impressed how simple it was to configure a secure VPN tunnel with IPSEC, so I decided to go a bit further and try to use the same tunnel with Ubuntu Desktop. Unfortunately the IPsec/L2TP client side isn’t well supported under Linux, this is maybe beacuse everyone is using OpenVpn. At the end I stumbled into Werner Jaeger launchpad page, where I found a GUI to manage IPsec/L2TP connection from Ubuntu Desktop, the connection set up is very straightforward and without glitches. Along with a simple PSK configuration, the GUI allow to use certificate for authentication and more advanced L2TP options as redial- timeout and attempts and of course all important PPP options.

A more extended guide can be found at http://wiki.l2tpipsecvpn.tuxfamily.org

l2tp-ipsec-vpn installation

apt-add-repository ppa:werner-jaeger/ppa-werner-vpn
apt-get update
apt-get install l2tp-ipsec-vpn
reboot

1) Right click on the icon in the notification area,
and go to ‘Edit connections’.

2) Authenticate as root.

3) Choose a name for the VPN

4) IPsec configuration:

Remote server: The ip address of the VPN server
Use pre-shared key for authentication: use the passphrase
from the server /etc/ipsec.secrets

L2TP Configuration:

Select Length bit

PPP configuration:

Select only CHAP authentication and enter the User name and

the password from the server /etc/ppp/chap-secrets copy

Click on OK

Connecting to the VPN: Go to the icon in the notification area and
click on vpnhome, wait for a couple of seconds and you must be
connected to the VPN.

I recently bought a  Sure Electronics 8×32 LEd Matrix display and I wanted to connect it to my Arduino Duemilanove board. After a quick search on the net I found a great library written by Adam Thomas, this library comes along with clear instructions and examples how to wire and to use the display within few minutes.

Connect the display according to this schema.

| Display Label | Arduino DIO | Sure's Connector |
|      CS1      |      4      |        3         |
|       WR      |      8      |        5         |
|     DATA      |      9      |        7         |
|       RD      |     10      |        6         |
|      GND      |    gnd      |       11         |
|      +5V      |    +5V      |       12         |

Download the HT1632-AVR library and copy it in the Arduino environment.

git clone git://github.com/devdsp/HT1632-AVR.git
cp -a HT1632-AVR/libraries/* ~/arduino/libraries/
cp -a HT1632-AVR/simple8x32/ HT1632-AVR/marquee8x32/ ~/arduino/examples/7.Display/

Open the arduino sketch editor and open File > Examples > 7.Display > marquee8x32

Go into the code and change:

char *string = "Welcome to Make, Hack, Void. Have a safe and productive day.";

to

char *string = "something you like ";

Add ” delay(60); ” at the beginning of the loop in order to control the speed of the text.

Compile and upload this sketch to Arduino and enjoy.

Here you can find a video example of my first sketch.

From HAR2009 to CCC2011

Two years have passed already from the Hacking at Random 2009, and it seems ages. This year the CCC2011 will take place, and again we are preparing our stuff to join and be part of the biggest hacker gathering in Europe, for five days we will exchange technical, social, political ideas, last but not least a lot of fun and Club Mate. I’ll be there from August 9th to August 14th 2011, give me a shout.

What ?

Chaos Communication Camp 2011

When ?

From August 10th to August 14th 2011

Where ?

Finowfurt near Berlin, Germany, Europe, Earth, Milky Way

More on https://events.ccc.de/camp/2011/wiki/Main_Page

If you don’t have any idea of what a hacker camp looks like, below you can find some pictures taken during the Hacking at Random camp.

Don’t forget to bring the toilet paper!!!

Today people are using more frequently public hotspots, many Cafe, Restaurants and Pubs offer wifi connection for free.  Who doesn’t check their Facebook or send a tweet while having an espresso macchiato or enjoying a fresh beer? I guess everyone. The downside of using a public hotspot is that you put your personal data and information at serious risk. Connecting to a public hotspot can expose your data and the system to various attacks, like man in the middle, password sniffing and  credential stealing. If we really want protect our data wen we are on the road, we need to use a VPN connection, a VPN is a particular service that encapsulates our network traffic keeping it private. Fortunately android has a standout built-in  VPN connection tool that allows to use various VPN technologies, such 2TP/IPSec PSK, PPTP VPNS and many other. In this post i’m going to show how to  set up a VPN gateway and connect with your android device safely while  using a public hotspot.

First of all you need to have a linux server, in this case I’m using Ubuntu Linux 10.04. A public ip address is required.

You need to install the xl2tpd openswan ppp from the apt repository and then download the newest version from the Ubuntu 11.04 repository, otherwise the VPN won’t work.

apt-get install xl2tpd openswan ppp
wget http://se.archive.ubuntu.com/ubuntu/pool/universe/o/openswan/openswan_2.6.28+dfsg-5_i386.deb
wget http://ubuntu.linux-bg.org/ubuntu//pool/universe/x/xl2tpd/xl2tpd_1.2.7+dfsg-1_i386.deb
dpkg -i openswan_2.6.28+dfsg-5_i386.deb
dpkg -i xl2tpd_1.2.7+dfsg-1_i386.deb

In the /etc/ipsec.conf file copy:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=x.x.x.x
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

In the /etc/ipsec.secrets file copy:

x.x.x.x   %any:  PSK "somegoodpassword"

Start the IPSEC service with /etc/init.d/ipsec start

Please verify the IPSEC service with :  ipsec verify
you must get no errors.

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.28/K2.6.32-32-generic-pae (netkey)
Checking for IPsec support in kernel                        	[OK]
NETKEY detected, testing for disabled ICMP send_redirects   	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Checking that pluto is running                              	[OK]
Pluto listening for IKE on udp 500                          	[OK]
Pluto listening for NAT-T on udp 4500                       	[OK]
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]

Create a file  called ipsec.vpn in /etc/init.d/

case "$1" in
  start)
echo "Starting my Ipsec VPN"
iptables  -t nat   -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec start
/etc/init.d/xl2tpd start
;;
stop)
echo "Stopping my Ipsec VPN"
iptables --table nat --flush
echo 0 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/ipsec stop
/etc/init.d/xl2tpd stop
;;
restart)
echo "Restarting my Ipsec VPN"
iptables  -t nat   -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

;;
  *)
 echo "Usage: /etc/init.d/ipsec.vpn  {start|stop|restart}"
 exit 1
  ;;
esac

Disalble the ipsec default init script with
#update-rc.d -f ipsec remove

And enbable the custom one.
#update-rc.d ipsec.vpn defaults

In the file /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

In the file /etc/xl2tpd/l2tp-secrets copy:

Choose a good challenge-response authentication string,The secret should, ideally, be 16 characters long, and  should probably  be longer to ensure sufficient security. There is no minimum length requirement, however.

* * exampleforchallengestring

In the file  /etc/ppp/options.xl2tpd copy:

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

In the file /etc/ppp/chap-secrets copy:

Note: you can add as many user you like.

user1 * chooseagoodpassword *
user2 * chooseagoodpassword *

Starting the VPN.

/etc/init.d/ipsec.vpn restart

Connecting to the VPN

On the Android mobile:

Go to Settings  > Wireless & networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN >

VPN name > the name you like
Set VPN server > ip address of the VPN server (x.x.x.x)
Set IPSec pre-shared key > somegoodpassword
Enable L2TP secret > enable
Set L2TP secret > was exampleforchallengestring

Press back, then connect using the PPP username/password (user1 chooseagoodpassword)

Wait for the message VPN connected on the mobile.

Debug.

In case of problems this are a few commands that can help out the debugging.

tcpdump -i ppp0
tail -f /var/log/auth.log
tail -f /var/log/daemon.log

Devices:

So far I’ve tested this configuration on only two devices, the ideos u8150  and the HTC Desire HD.