alx.hrck a.web.log

8 Feb 2012

Automated DNS Zone Transfer

DNS zone transfers are nothing new, and they are generally considered bad when a server is misconfigured to allow transfers from anywhere. A zone transfer discloses every DNS entry and its corresponding IP address for a given DNS zone. This is great for keeping all your other DNS servers in sync, but not so good if you're trying to limit an attacker's visibility into your network. There has been a lot of talk about this information gathering technique, and a quick Google search will likely find better and more detailed explanations.

I'd like to share a quick script I threw together today to test zone transfers on a list of DNS servers. It is a simple BASH script that calls dig. You supply it with a domain and a file containing the IP addresses of DNS servers.

Usage: dns_zone_xfr.sh DOMAIN FILE

You'll need to remove the .txt extension and chmod +x dns_zone_xfr.sh to run it.

Download: dns_zone_xfr.sh
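Added here as an example (not the blog's dns_zone_xfr.sh): a Python audit in the same spirit that drives dig over a list of your own authoritative servers and classifies each result instead of dumping raw output. The example.test names, 192.0.2.x addresses and dig outputs are constructed; dig is assumed to be installed.

```python
"""Audit a list of DNS servers for open zone transfers (AXFR).

Added example, not the blog's dns_zone_xfr.sh: it drives dig the same way
but classifies each result so a report can be reviewed or diffed over time.
Meant for the authoritative servers you are responsible for.
"""
import re
import subprocess
import sys

# dig prints this when the server answered but refused or aborted the AXFR
TRANSFER_FAILED = "; Transfer failed."
# A returned resource record: "name.  TTL  IN  TYPE ..." at the start of a line
RECORD_RE = re.compile(r"^\S+\.\s+\d+\s+IN\s+\S+", re.MULTILINE)

# Constructed dig outputs (not real captures) so the module can run offline
SAMPLE_OPEN = """\
; <<>> DiG 9.7.3 <<>> @ns1.example.test example.test AXFR
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2012020801 3600 900 604800 86400
example.test.      3600  IN  NS   ns1.example.test.
www.example.test.  3600  IN  A    192.0.2.10
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2012020801 3600 900 604800 86400
;; XFR size: 4 records (messages 1, bytes 160)
"""
SAMPLE_REFUSED = """\
; <<>> DiG 9.7.3 <<>> @ns2.example.test example.test AXFR
; Transfer failed.
"""
SAMPLE_UNREACHABLE = """\
; <<>> DiG 9.7.3 <<>> @192.0.2.99 example.test AXFR
;; connection timed out; no servers could be reached
"""


def classify_axfr(dig_output):
    """Summarise one dig AXFR run.

    OPEN: records came back, so the zone is exposed to this client.
    REFUSED: the server answered but would not transfer (the hardened state).
    UNREACHABLE: no usable answer (timeout, connection refused, bad address).
    """
    if TRANSFER_FAILED in dig_output:
        return {"status": "REFUSED", "records": 0}
    records = RECORD_RE.findall(dig_output)
    if records:
        return {"status": "OPEN", "records": len(records)}
    return {"status": "UNREACHABLE", "records": 0}


def check_server(server, domain, timeout=5):
    """Run dig against one server and classify its output (dig must be installed)."""
    cmd = ["dig", f"@{server}", domain, "AXFR", f"+time={timeout}", "+tries=1"]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout * 3)
    result = classify_axfr(proc.stdout)
    result.update(server=server, domain=domain)
    return result


def audit(domain, server_lines):
    """Check every server listed one per line; blanks and # comments are skipped."""
    servers = [s.strip() for s in server_lines]
    return [check_server(s, domain) for s in servers if s and not s.startswith("#")]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: dns_zone_audit.py DOMAIN FILE")
    with open(sys.argv[2]) as fh:
        for r in audit(sys.argv[1], fh):
            print(f"{r['server']:<20} {r['status']:<12} {r['records']} records")
```

Any server reported OPEN should have its allow-transfer list restricted to the secondaries that actually need it.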

15 Jan 2012

Installing tcpdump and libpcap on Debian 6

I ran into an issue when trying to install the latest version of tcpdump (4.2.0) with libpcap (1.2.0) on Debian recently. The error during the build process of tcpdump looked like:

./print-ppi.c:16:17: error: ppi.h: No such file or directory
./print-ppi.c: In function ‘ppi_header_print’:
./print-ppi.c:23: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
./print-ppi.c:23: error: ‘hdr’ undeclared (first use in this function)
...snip...
make: *** [print-ppi.o] Error 1

To fix this issue I grabbed the ppi.h file from the tcpdump GitHub project and recompiled.

cd ./tcpdump-4.2.0
# fetch the raw header; without ?raw=true wget saves the GitHub HTML page instead
wget -O ppi.h "https://github.com/mcr/tcpdump/blob/master/ppi.h?raw=true"
./configure
make && make install
mv /usr/local/sbin/tcpdump /usr/sbin/tcpdump # I prefer tcpdump be installed somewhere already in my path.

Run tcpdump --version to verify the program was installed correctly.

A side note: remove the version of libpcap (0.8) that ships with Debian, otherwise tcpdump will complain during the build process. Simply apt-get remove libpcap0.8, then compile version 1.2.0 as normal.


15 Jun 2011

An Experiment in Python Scripting and Log Analysis

I've created this simple Python script in an attempt to dive in and learn a little about the language while creating a useful tool to help with log analysis. This script performs WHOIS queries on IP addresses found in a log file, then extracts the registered country from the returned information. Lip2cc.py (Logged IP to Country Code), as I call it, is an extremely simple start to what I have envisioned.

Currently all IP addresses must be pulled out of a log file (say the access or secure log) with some bash fu and stored in a separate text file. Eventually I will work this function into the script so all that is required is the system's log file. Below is a simple bash one-liner to find all IP addresses attempting to log into the system.

# cat secure* | cut -d" " -f11 \
    | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
    | egrep -v "\<Bye\>" | egrep -v '[a-z2\!]$' | sort -u > ips.txt

Bonus: list all usernames attempting logins:
# cat /var/log/secure* | cut -d" " -f8,9 \
    | egrep '\<^user\>' | sed s/user/user:/ | sort -u

I'm sure this is not the first IP-to-country-code look-up tool, and it is definitely not the first Python script that queries WHOIS data, but it was an excellent Python learning experience.

Lip2cc.py takes one command line argument, -f (--file). This is required and should be a newline-delimited file of IP addresses. I open the file and read every line into a Python list, which allows me to easily loop through and look up every IP given. I start by querying whois.iana.org to find which regional registry the selected IP resides in. From there I am able to extract the correct URL needed to perform a WHOIS lookup. A second WHOIS query is done against the regional registry. I locate and extract the country field, then print it to the screen.
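As an added example (not lip2cc.py itself or the blog's bash one-liners), the log-extraction step and the two-hop WHOIS lookup described above, written so the parsers can be exercised offline. The log lines, the whois.example-rir.test registry name and the WHOIS responses are constructed; whois.iana.org and the RFC 3912 query protocol are real.

```python
"""Pull login-attempt source IPs out of a secure log and resolve each to a
registered country via the two-hop WHOIS lookup lip2cc.py describes.

Added example, not the blog's lip2cc.py. whois_query is a real RFC 3912
client; the demo data below is constructed so the module runs offline.
"""
import re
import socket

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# sshd messages that represent a login attempt; "Received disconnect ... Bye Bye"
# lines carry the same IP but are skipped, like the post's egrep -v '\<Bye\>'
ATTEMPT_RE = re.compile(r"sshd\[\d+\]: (?:Failed|Accepted|Invalid user)")
USER_RE = re.compile(r"(?:Failed password for (?:invalid user )?|Accepted password for |Invalid user )(\S+)")


def extract_attempt_ips(log_lines):
    """Sorted, de-duplicated source IPs of login attempts (the post's ips.txt)."""
    ips = set()
    for line in log_lines:
        if ATTEMPT_RE.search(line):
            ips.update(IPV4_RE.findall(line))
    return sorted(ips)


def extract_usernames(log_lines):
    """Usernames that were tried (the post's bonus one-liner)."""
    matches = (USER_RE.search(line) for line in log_lines)
    return sorted({m.group(1) for m in matches if m})


def whois_query(server, query, timeout=10):
    """Raw WHOIS: connect to TCP/43, send the query plus CRLF, read until EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode() + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_field(response, field):
    """Value of the first 'field: value' line (case-insensitive), or None."""
    m = re.search(rf"^{field}:\s*(\S.*?)\s*$", response, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def lookup_country(ip, query=whois_query):
    """Hop 1: IANA's 'refer:' names the regional registry. Hop 2: its 'country:'."""
    rir = parse_field(query("whois.iana.org", ip), "refer")
    return parse_field(query(rir, ip), "country") if rir else None


# Constructed sample data (not real log lines or WHOIS output)
SAMPLE_LOG = [
    "Feb  8 10:01:02 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2",
    "Feb  8 10:01:03 host sshd[2231]: Received disconnect from 203.0.113.7: 11: Bye Bye",
    "Feb  8 10:02:10 host sshd[2240]: Accepted password for alice from 198.51.100.20 port 5022 ssh2",
    "Feb  8 10:03:44 host sshd[2251]: Invalid user oracle from 203.0.113.7",
]
SAMPLE_WHOIS = {
    ("whois.iana.org", "203.0.113.7"): "refer:        whois.example-rir.test\n",
    ("whois.example-rir.test", "203.0.113.7"): "inetnum:   203.0.113.0 - 203.0.113.255\ncountry:   AU\n",
}


def fake_query(server, query):
    """Offline stand-in for whois_query backed by SAMPLE_WHOIS."""
    return SAMPLE_WHOIS.get((server, query), "")


if __name__ == "__main__":
    for ip in extract_attempt_ips(SAMPLE_LOG):
        print(ip, lookup_country(ip, query=fake_query))  # pass whois_query for live lookups
```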

The online Python documentation, Beginning Python by Magnus Lie Hetland and inspiration from some previously created whois.py scripts were valuable resources. This was a great way to explore many interesting aspects of Python: functions, network sockets, text parsing, argument passing and regular expression searching. All in all, not too bad for my first jump into Python.

Download lip2cc.py (remove _.txt to run)

11 May 2011

PHPVirtualBox on Headless VirtualBox Server


Update: This is an older post that was recreated after a server rebuild. Not all steps have been fully tested in the latest environment, but you should find the information you need to get going in the right direction.

I prefer to run VirtualBox on a headless (no GUI) Linux server, which allows more hardware resources to be dedicated to virtual machines instead of a pretty window manager. Setting up phpVirtualBox to manage a headless VirtualBox 4.2 server is a simple process that lets you easily manage and administer virtual machines from a web browser.

My environment: CentOS 5.5 x64, VirtualBox 4.2, php 5.2.10 and httpd 2.2.8 (apache2)

1) Download and install VirtualBox for Linux Hosts

http://www.virtualbox.org/wiki/Linux_Downloads

note: you could also install/configure the VBox repositories for Debian or RHEL based systems

2) Download and install the VirtualBox 4.0.4 Oracle VM VirtualBox Extension Pack, which is needed for USB support and console access.

# VBoxManage extpack install FILE

3) Configure VirtualBox environment

4) Install Apache and PHP using your distro's package manager
# yum install httpd php

5) Download phpVirtualBox
wget http://code.google.com/p/phpvirtualbox/downloads/detail?name=phpvirtualbox-4.0-4b.zip&can=2&q=

6) Extract the zip file and copy it to the webserver's root directory
# unzip phpvirtualbox-4-2.zip
# cp -r phpvirtualbox-4-2 /var/www/html/phpvirtualbox

7) Set the correct permissions on the phpvirtualbox directory so Apache can read from the web directory
# chown apache:apache -R /var/www/html/phpvirtualbox

8) Edit phpvirtualbox/config.php
Add your vbox user, password and location, and disable authentication (for now)

var $username = 'vbox';
var $password = 'vboxpass';
var $location = 'http://127.0.0.1:18083/phpvirtualbox';
var $noAuth = true;

9) Run the following command with the IP of your server
# su vbox -c "/usr/bin/vboxwebsrv -b -H 127.0.0.1 --logfile /dev/null" >/dev/null

Be sure Apache has been started (service httpd start).

10) Add the command above with your server IP to /etc/rc.local
This will allow VirtualBox and its web interface to run at startup.

11) Navigate to http://SERVER-IP/phpvirtualbox

22 Mar 2011

Windows 2008 Advanced Firewall with Honeyports

Windows 2008 has a fantastically good firewall, as long as you configure it properly. A honeyport is a listening port with no operational service that logs specific information about any connection made to it. The idea is that only a port scanner will find this port, and an attacker will investigate further. As defenders, we can use firewalls and honeyports in combination, as demonstrated by John Strand's (@strandjs) tech segment on Pauldotcom.com Security Weekly episode 203, to block potential attacks.

I've made very slight modifications to Strand's original script, including a "log" output to better track when port scans happen. I've also included a minimal Windows 2008 server firewall policy with web, file sharing and Active Directory ports open. It has been packaged up with nc for Windows and a few scripts to make things easy to run. A couple of caveats: you will need to modify some of the IP addresses within the rules to match your system. This can be done by navigating to the rule properties and selecting the Scope tab. Next you will need to change the default rule to block all incoming and outgoing traffic. Navigate to the properties of Windows Firewall with Advanced Security. In the State section you will see Inbound connections and Outbound connections. Both should be set to Block. Lastly, this could be used to create a denial of service condition where the attacker spoofs a legitimate IP; this is for learning purposes only and should not be used on production systems.

Now you may extract the contents of Win2k8-Honeyport.zip to C:\ and run import_fw.cmd to configure the new firewall rules. Launch run_honeyport.cmd to start monitoring for port scans and blocking potentially malicious connections. Scan your system with nmap (nmap -sS -sV -v -PN -A <IP_ADDR>).
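A minimal honeyport in Python, added as an example rather than Strand's script or the contents of Win2k8-Honeyport.zip: it logs each connection and builds the matching netsh advfirewall block rule, with an allowlist as a mitigation for the spoofed-IP caveat above. The allowlist ranges and port 2222 are constructed assumptions.

```python
"""Honeyport listener: log every connection to an unused port and build a
firewall block rule for the source address.

Added example, not John Strand's script or the blog's Win2k8-Honeyport.zip.
The netsh command is only executed when apply=True; the allowlist keeps a
spoofed source address from locking out a legitimate host.
"""
import ipaddress
import socket
import subprocess
from datetime import datetime, timezone

# Constructed allowlist: management networks that must never be blocked
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("127.0.0.0/8")]


def is_allowlisted(ip):
    """True if ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def block_rule_command(ip):
    """netsh advfirewall equivalent of the inbound block rule the script adds."""
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name=Honeyport block {ip}", "dir=in", "action=block",
            f"remoteip={ip}"]


def handle_hit(ip, port, when=None):
    """Turn one connection into (log_line, block_command_or_None)."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%d %H:%M:%S")
    if is_allowlisted(ip):
        return f"{stamp} honeyport {port} hit from {ip} ALLOWLISTED", None
    return f"{stamp} honeyport {port} hit from {ip} BLOCKED", block_rule_command(ip)


def serve(port, max_hits=None, apply=False, log_path="honeyport.log"):
    """Accept connections on port; log each source and optionally add the rule."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        hits = 0
        while max_hits is None or hits < max_hits:
            conn, (ip, _) = srv.accept()
            conn.close()  # no banner and no service: the scanner learns nothing
            line, cmd = handle_hit(ip, port)
            with open(log_path, "a") as fh:
                fh.write(line + "\n")
            if cmd and apply:
                subprocess.run(cmd, check=False)
            hits += 1


if __name__ == "__main__":
    serve(2222)  # a port with no real service that a scan would still find
```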

A Windows 2003 version using wipfw is in the works. Download the Win2k8-Honeyport.zip.

Ref: (http://pauldotcom.com/wiki/index.php/Episode203#Tech_Segment:__Windows_HoneyPorts)
Ref: (http://www.securityfocus.com/tools/139)

13 Aug 2010

Jasager Hardware Update

I thought I would take a few minutes and comment on the Jasager project. Unfortunately I haven't had time to follow what @digininja and the @hak5 community are doing with it, but I have heard some questions about the Fon hardware. It appears Fon has made it extremely hard to get hold of a Fon 2201 or a Fon 2200, i.e. they have stopped selling them in the online store in favor of the Fon2.0n (which, from what I've heard, is a fantastic router, but doesn't support Jasager/Karma or have the nice form factor of the old Fons). Enter OpenMesh (www.open-mesh.com). They are selling wireless APs with hardware identical to the Fon 2100 (AP only, one LAN port). Ubiquiti is another company making APs with compatible hardware. Theirs is called the Bullet (www.ubnt.com/bullet), a very slick piece of kit designed for outdoor use. I haven't had a chance to try out either of these, but have heard from many sources that these two APs are becoming more popular to run Jasager on. Really the only requirements to run Jasager are an Atheros wifi chipset and a MIPS processor. Check out http://www.hak5.org/forums/index.php?showforum=49 for more discussion on Jasager, Karma on the Fon.

23 Mar 2010

WIPFW – Windows IP Firewall

For those looking for a full-featured, scriptable and lightweight firewall for Windows XP and Server 2003 (or earlier), check out WinIPFW (http://wipfw.sourceforge.net). While versions of Windows prior to Vista have a built-in firewall, it is limited: the Windows firewall will not filter egress traffic and has poor logging capabilities. Fine-grained filtering of IP address, protocol and port for both ingress and egress traffic are all features of WinIPFW. Advanced logging of any desired traffic is possible, as is the ability to create Windows batch script files for automatic configuration.

If you install WinIPFW to block all inbound and outbound traffic, you must specifically open ports for web browsing, etc. Also, always install and configure firewalls from a local console to avoid blocking remote administration services (SSH, VNC, RDP).

22 Dec 2009

OpenWRT basic command line configuration

OpenWRT is an open source third party firmware, originally built for the Linksys WRT54G. Support has been expanded to include networking devices ranging from consumer to enterprise-grade routers and wireless access points.

OpenWRT has a variety of web based user interfaces, as you would expect with any networked device, but because the operating system is based on the Linux kernel, the command line is where its flexibility really shows.

If you are familiar with any *nix operating system, you will find working and navigating in Dropbear, OpenWRT's terminal, simple. The binary I will be focusing on is uci, or Unified Configuration Interface. As its name implies, uci is the program responsible for making all configuration changes to the system files located in /etc/config/.

The syntax is broken into three parts. The first two are mandatory, with the [arguments] field being optional depending on the command.

uci options commands arguments

[commands] is also broken down into three parts: file.section.option. Sections can be referred to by name, such as lan or wan in /etc/config/network or wifi0 in /etc/config/wireless. Sections that do not have names can be referred to by their position in the array of sections, for example wireless.@wifi-iface[0].ssid.

To view a configuration file such as /etc/config/network:
uci export network

Setting or adding a value in a section, in this case the default gateway, is as easy as typing:

uci set network.lan.gateway=10.168.1.1
OR
uci set network.@interface[1].gateway=10.168.1.1

To add and delete options use uci add or uci delete:
uci delete wireless.@wifi-iface[0].encryption

It is also possible to set DHCP options, such as the gateway or DNS servers to push to clients. Refer to this website to find the DHCP option codes.
uci add_list network.lan.dhcp_option="3,10.168.1.1"

When done making changes you must run:
uci commit [configuration]
example: uci commit network

It is possible to change the behavior of startup services.
root@OpenWRT:~# /etc/init.d/network
Syntax /etc/init.d/network [command]
Available commands:
start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if that fails)
enable Enable service autostart
disable Disable service autostart

Script
OpenWRT does not try to set the correct time and date at startup. It is possible to install an NTP (Network Time Protocol) client that will run as a daemon, but I chose to write a script utilizing the already built-in rdate to configure the date and time.

1. Set your timezone. Refer to this document from sun.com for a list of timezone codes
uci set system.@system[0].timezone=CST6CDT
uci commit system

2. {Download} (or copy and paste) the set_date.sh script to /etc/init.d/setdate on the device running OpenWRT.

#!/bin/sh /etc/rc.common
START=10
start() {
    DATE="1969"
    # keep asking the time server until the clock has left the epoch year
    while [ "$DATE" = "1969" ]; do
        /usr/sbin/rdate 128.138.140.44
        if [ $? -ne 0 ]; then
            sleep 60
        fi
        DATE=`date +%Y`
    done
    exit 0
}

3. Change the mode and enable the script to run at boot

chmod +x /etc/init.d/setdate
/etc/init.d/setdate enable

4. Reboot the device and check the date.
date
Mon Dec 28 11:36:28 CST 2009

6 Dec 2009

Jasager, Karma on the Fon.

Karma is a set of tools for sniffing wireless network probe requests coming from wireless clients. Karma will automatically respond to any SSID probe and pretend to be the requested AP, giving the wireless client a good reason to connect.

Robin Wood (@digininja) took Karma to the next level by rebuilding it with the La Fonera routers, specifically the original Fon 2100 and the Fon+ 2201, in mind because of their low cost and small footprint. He also created a web interface for easy visualization of connected clients and to control functionality. He released this package as “Jasager, Karma on the Fon” in November 2008.

Fon+ 2201

Jasager comes in three different packages. First, Jasager comes as a binary package, installable on a device that has an Atheros Wi-Fi card and is already running OpenWRT. Then there is the official Jasager firmware, built, tested and hosted by Robin Wood on the project's homepage. Finally, Jasager has also been integrated into the Piranha 2.0 alpha4 firmware created by Orange (http://piranha.klashed.net/). Piranha 3.0 DOES NOT have Jasager integrated. I will be flashing my Fon+ with Piranha 2.0 alpha4 because of the extra functionality Orange has built in, including a web interface for configuring the router.

As with most things in life, there are several ways to go about flashing a Fon with third party firmware. For simplicity, I will be using a GUI app called Fon Flash (http://www.gargoyle-router.com/download.php), but if you are interested in getting into the nitty-gritty of flashing, check out the installation instructions on the Jasager project page.

First you must flash the Fon with the firmware of your choice. I used Fon Flash and pointed it to the .squashfs rootfs file and the .lzma kernel file.


Fon Flash GUI

  1. Connect the Fon/+ through the LAN port to the NIC on your computer.
  2. Set the NIC's IP address to 192.168.1.2, netmask 255.255.255.0 and gateway 192.168.1.1
  3. Press the “Flash router Now!” button on Fon Flash
  4. Reboot the Fon and you should see Fon Flash discover and connect to the router
  5. The .squashfs and .lzma files will be uploaded and installed. This process will take about 20 minutes. Be patient.
  6. The router will reboot and you will need to set your computer’s NIC to DHCP
  7. TELNET to 192.168.1.1:23
  8. To start the OpenSSH server you must set the root password with the command: passwd

OpenWRT login message

For this setup, I will be using Jasager to bait wireless clients into using the Internet provided by my evil gateway:

  1. Remove wireless security, change the SSID, and change the Fon's IP
    1. vim /etc/config/wireless
    2. *note* Jasager firmware users: change option disabled 1 to option disabled 0
    3. change option ssid default to option ssid 'SOMETHING INTERESTING'
    4. *note* Piranha firmware users: remove option encryption psk2 and option key k4m1k4z3
    5. uci set network.lan.ipaddr=10.168.1.254 #set Fon's IP
    6. uci set network.lan.gateway=10.168.1.1 #set Fon's GW
    7. uci commit network
  2. Start Jasager on boot
    1. vim /etc/init.d/jasager
    2. make iwpriv ath0 karma 1 the last line of the start() function.
  3. Configure DHCP to provide a DNS server and an Evil gateway (our laptop)
    1. uci add_list dhcp.lan.dhcp_option="3,10.168.1.1" #config GW
    2. uci add_list dhcp.lan.dhcp_option="6,10.168.1.254,4.2.2.2" #config DNS
    3. uci commit dhcp
    4. reboot the Fon.
    5. SSH to 10.168.1.254. Login as root with the password you set.

The laptop will be acting as the default gateway. This way, all traffic can be easily captured going out to the Internet. For this set up to work correctly, the laptop must be configured to accept traffic from the Fon and forward it out an interface connected to the Internet.

  1. On Linux and other *nix based OS, iptables can be configured in masquerade mode to allow traffic forwarding. I've created a bash script to easily allow users to configure their computers to do this. {DOWNLOAD}
  2. On Windows, Internet Connection Sharing (ICS) needs to be enabled on the interface connected to the Internet. The interface connected to the Fon should have an IP address of 10.168.1.1 netmask 255.255.255.0
  3. Everything should be set up and all packets should be flowing through your evil gateway.

The final setup

12 Nov 2009

Sidejacking with Hamster

Websites need to somehow protect users' passwords when they are sent from the browser to the server. To do this, sites will encrypt the password into a session cookie and pass that securely to the server. An issue arises because the website server does not or cannot perform a check on the authenticity of where this session cookie is coming from. Sidejacking, or session hijacking, is when an attacker captures network traffic, specifically web traffic containing the user's authentication token (session cookie) for a website, and then replays the token to gain access to the user's account.

A set of tools released by Errata Security (http://erratasec.blogspot.com) called Ferret/Hamster automates this process and provides a web interface to replay the cookies. Ferret is a specially built packet sniffer that collects only packets containing session cookies. The session ID and associated website are written to a file. Hamster is a web proxy that runs locally and reads the file Ferret created, for easy replay of the captured cookies.

Ferret/Hamster 2.0 can be downloaded from http://hamster.erratasec.com/. The tool comes as either a Windows binary or *nix source that can easily be compiled. I have had some issues with Hamster crashing on Windows 7, but Ferret was able to run just fine.

After obtaining the executables, either by downloading or compiling them, run ferret -W from the command line to list the available network adapters.

ferret -W

The output on my test machine of ferret -W. I'm interested in interface 1 (eth0), 3 (wlan0) and 4 (bnep0 - my 3G cellphone modem).

To start sniffing for session cookies traveling from your machine to the Internet, run ferret -i <interface>. On Windows you will be using the number associated with the interface. On Linux you are able to specify eth0, wlan0, etc. Session cookies will be collected and stored in a file called hamster.txt in the directory with the executables.

In a command prompt, navigate to where ferret/hamster is saved and start hamster. You will notice that the proxy will be running on http://127.0.0.1:1234. To access this web page, you must set your browser to use a web proxy running on port 1234. I like to use a Firefox plug-in called FoxyProxy to easily change the browser's proxy settings.

Hamster's HTTP Proxy Setting in Firefox


Now that ferret is collecting sessions and hamster is ready to replay those sessions, use a browser to navigate to http://hamster. You should see a list of IP addresses that sessions have been collected from. When you click on one of the targets, a list of websites will appear in the left hand panel. Click on one and, with any luck, hamster should automatically pass the session cookie and redirect you to the post-authentication webpage.

Hamster's web interface.  Notice no traffic has been collected or sessions found.

Defense

You can see how easy it is for an attacker to obtain access to your websites. There are several preventative measures users can take to protect themselves. Do not connect to unsecured wireless access points. Connecting to unsecured wireless access points will make you the most vulnerable, because you do not know and cannot trust the other computers connected in the area. That being said, much of the time it is impractical to totally avoid using a wireless connection, so use a VPN connection or SSH tunnel to encrypt the network traffic sent from your machine. I have found that sites using SSL, such as Gmail (not by default), are less prone to this attack. Be aware of what high-impact sites you are visiting. Most of the time attackers are not interested in low-impact sites such as Facebook or Twitter profiles; rather, they are looking to gain access to high-impact sites like corporate web email and financial websites. The simplest action any web user can take to mitigate the risk of sidejacking is to log out of the website, because once you log out, the authentication session cookie is no longer valid. Moral of the story: always be wary when you are connected to untrusted wired or wireless networks.

“Just because you are paranoid, it doesn’t mean they are not out to get you”