We have a civil duty to teach people in our society how to interact with technology safely.
The next stage is to hide not just the communication but also the metadata.
Metadata is the same information that a private detective collects: who met whom, at what time and where.
This aligns precisely with the EU’s goal of “Privacy Enhancing Technology”.
Basic questions to ask:
1. Do you log my IP?
2. Do you keep server logs and for how long?
3. What type of encryption is used? Look for Perfect Forward Secrecy.
1. Learn to use Encryption
2. Learn to use Privacy tools
3. Learn to use OpenVPN
Use VPN providers such as http://www.ivpn.net, which delete their logs every 10 minutes.
4. Avoid search engines like Google.
Use EU proxies such as http://www.startpage.com, which hide your IP from Google, keep no server logs of your queries and use Perfect Forward Secrecy to secure your communications. Startpage does not store your IP or your queries.
They are audited by the EU and have won 2 EU privacy awards (the EU Europrise Award). They’re covering your back. Go for it!
Pixie, or PXE, booting is booting a system that has no hard drive, using only RAM and a network card. So how do we do this? Home routers won’t work, as you need a second DHCP function that does not conflict with the existing DHCP server.
Step 1 – A PXE-capable router and client are needed
A home router won’t be able to PXE boot, as it needs to operate 2 DHCP servers: a standard one and an extended one that carries the extra PXE options.
Step 2 – Client sends the DHCP DISCOVER to Port 67
The client sends a DHCP DISCOVER packet, extended with PXE options, to UDP port 67 or UDP port 4011.
Step 3 – Contact the “next server” by IP address
The client connects to the server that gave it the DHCP lease, OR
if the “next-server” parameter is set, it downloads from the IP set as the “next-server”. Ensure an IP address, not a hostname, is used.
Step 4 – DHCP OFFER from server
The extended DHCP OFFER is returned to the client on UDP port 68.
DHCP is set up in /etc/dhcp.conf.
/etc/dhcp.conf can be configured to hand out PXE boot IPs for a single IP, a single MAC or an entire subnet.
We need to look closely at 2 PXE-specific sections: the SUBNET block and the HOST block.
The HOST block has 2 PXE-specific parameters, “filename” and “next-server” (192.168.0.1 in the example).
The “next-server” must be an IP address. If “next-server” is omitted it should default to the IP of the DHCP server; however, there is a hiccup: some motherboards will send packets to 0.0.0.0 if the “next-server” IP is missing.
This HOST block is for a single hardware MAC, 00:0c:6E:64:D8:B4.
We can instead set the boot options for an entire subnet.
The “filename” sets the file to be downloaded, i.e. “pxelinux.0” in the above example.
Step 5 – Network Bootstrap attempts to Download file using TFTP
The PXE client attempts to download the specified file in Step 2 using TFTP.
It then executes this file.
PXE Stack before booting and after booting
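As an added example (not the post’s own configuration), here are the SUBNET and HOST blocks described above written in ISC dhcpd syntax, together with a small check for the next-server hiccup. The post’s values are reused (next-server 192.168.0.1, MAC 00:0c:6E:64:D8:B4, pxelinux.0); the subnet, the address range, the fixed address and the output path are assumptions.

```shell
# Added example: ISC dhcpd-style SUBNET and HOST blocks for PXE, plus a check
# that every next-server is a literal IP (a hostname, or a missing value that
# some firmware turns into 0.0.0.0, breaks the TFTP download).
# 192.168.0.1, the MAC and pxelinux.0 come from the post; the subnet, the
# range and the fixed address are assumptions.
write_pxe_dhcpd_conf() {   # $1 = output file
    cat > "$1" <<'EOF'
# Whole subnet: every lease handed out here carries the PXE options.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    next-server 192.168.0.1;        # TFTP server, must be an IP address
    filename "pxelinux.0";          # file the client fetches over TFTP
}

# Single machine, matched on its MAC address.
host pxe-client {
    hardware ethernet 00:0c:6E:64:D8:B4;
    fixed-address 192.168.0.50;
    next-server 192.168.0.1;
    filename "pxelinux.0";
}
EOF
}

# Exit 0 only if the file has at least one next-server and every value is a
# dotted quad other than 0.0.0.0; exit 1 otherwise.
check_next_server() {   # $1 = config file to inspect
    awk '
    /^[ \t]*next-server[ \t]/ {
        v = $2; sub(/;.*/, "", v); n++
        if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || v == "0.0.0.0") bad++
    }
    END { if (n == 0 || bad > 0) exit 1 }' "$1"
}
```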
The default hashing algorithm for /etc/shadow files in Kali Linux is SHA512. Here’s the code that relates “SHA512” to $6$.
Step 1 – View your /etc/shadow file
Step 2 – Codes for other Hashing Algorithms
Passwords can be hashed with several algorithms. Which one was used is revealed in the /etc/shadow file; for instance, here we consider a $1, which indicates MD5 hashing has been used.
$0 = DES
$1 = MD5 Hashing
$2 = Blowfish
$2A = eksblowfish
$5 = SHA256
$6 = SHA512
Field 2 format = 3 components:
$hashing-algorithm-id$SALT$encoded-password (the encoding includes the SALT).
- The encoded password uses the MD5 hashing algorithm (because of the $1$).
- The salt value is Etg2ExUZ (the content between the second and third $ signs).
- Then comes the hash value of “PASSWORD + SALT”.
What is the SALT?
If there is no salt, a plain dictionary attack could identify the password from the hash. If a salt is in use, then 2 users with the same password will have different hashes. A random salt is generated when the password is set; therefore 2 users with the same password will have totally different salts and totally different encrypted passwords.
Order of the /etc/shadow file – Useful to know
/etc/shadow contains the following.
...
user1:$1$Xop0FYH9$IfxyQwBe9b8tiyIkt2P4F/:13262:0:99999:7:::
user2:$1$vXGZLVbS$ElyErNf/agUDsm1DehJMS/:13261:0:99999:7:::
...
As explained in shadow(5), each “:”-separated entry of this file means the following.
- Login name
- Encrypted password (The initial “$1$” indicates use of the MD5 encryption. The “*” indicates no login.)
- Date of the last password change, expressed as the number of days since Jan 1, 1970
- Number of days the user will have to wait before she will be allowed to change her password again
- Number of days after which the user will have to change her password
- Number of days before a password is going to expire during which the user should be warned
- Number of days after a password has expired during which the password should still be accepted
- Date of expiration of the account, expressed as the number of days since Jan 1, 1970
Code for SHA512
Debian Linux – Authentication
How are passwords stored in Linux?
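As an added example (not from the post), the same breakdown done with plain shell tools on the user1 line quoted above: the algorithm id, the salt, the hash and the ageing fields. SAMPLE is that line; the function names are this example’s own.

```shell
# Added example (not from the post): split one /etc/shadow entry into its
# parts with cut and a case statement. SAMPLE is the user1 line quoted above.
SAMPLE='user1:$1$Xop0FYH9$IfxyQwBe9b8tiyIkt2P4F/:13262:0:99999:7:::'

# Field N of a ':'-separated shadow line (1 = login name, 2 = password, ...).
shadow_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Name the hashing algorithm from the $id$ prefix of field 2 (see the table
# above). A traditional DES hash carries no $ prefix at all.
shadow_algo() {
    case "$(shadow_field "$1" 2)" in
        '')         echo "empty (no password set)" ;;
        '*'|'!'*)   echo "locked (no login)" ;;
        '$1$'*)     echo "MD5" ;;
        '$2'*)      echo "Blowfish" ;;
        '$5$'*)     echo "SHA256" ;;
        '$6$'*)     echo "SHA512" ;;
        '$'*)       echo "unknown id" ;;
        *)          echo "DES" ;;
    esac
}

# The salt sits between the second and third '$'; the hash follows the third.
shadow_salt() { shadow_field "$1" 2 | cut -d'$' -f3; }
shadow_hash() { shadow_field "$1" 2 | cut -d'$' -f4; }

# Fields 3 to 8 are the ageing values listed above, in the same order
# (days since 1 Jan 1970 for the dates, counts of days for the rest).
shadow_ageing() {
    printf 'changed=%s min=%s max=%s warn=%s inactive=%s expire=%s\n' \
        "$(shadow_field "$1" 3)" "$(shadow_field "$1" 4)" "$(shadow_field "$1" 5)" \
        "$(shadow_field "$1" 6)" "$(shadow_field "$1" 7)" "$(shadow_field "$1" 8)"
}
```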
We all love Notepad++; luckily we can install it on Kali.
Step 1 – Install Wine
sudo apt-get install wine
Step 2 – Download Notepad++
Step 3 – Use wine to open npp.6.6.7.Installer.exe
Open a terminal
Step 4 – Make 64 bit machines “Multi Architecture”
In a root terminal type
dpkg --add-architecture i386
apt-get install wine-bin:i386
Now, let’s try step 3 again.
Okay > Next > I Agree
Accept defaults in Setup
Next > Next >
Tick the box to create a shortcut on the desktop
Install > Finish > Run Notepad++
Voilà! Easy peasy.
Step 1 – Install Synaptic Package Manager
apt-get install synaptic
Step 2 – Install the AMAZING Lazy Kali Script
Use Lazy Kali to install hackpack.
Step 3 – Make 64-bit Kali a multi-architecture system.
dpkg --add-architecture i386
apt-get install wine-bin:i386
This is really useful where your printer drivers are 32 bit and your Kali is 64 bit.
Step 4 – Set Vista in Wine
Applications > System Tools > Configure Wine
Select “XP” or “Vista”.
Step 5 – Run Office 2007
Places > Office 2007 CD > look for setup.exe
Right click Setup.exe > Open with Wine Windows Program Loader
Step 6 – Run Office 2007
Applications > Wine > Programs > Microsoft Office
All apps apart from PowerPoint will work.
Step 7 – Fix PowerPoint
Applications > System Tools > Configure wine
“New override for library”
Select “riched20.dll”, then click ADD
Step 8 – Launch Office 2007
Applications > Programs > Microsoft Office > Word
Step 9 – Install Nessus
(32- or 64-bit version – check the package name.)
dpkg -i Nessus-5.2.1-debian6_amd64.deb
Step 10 – Install Notepad++
The for loop starts with a list of items and works its way through them until it reaches the end. A for loop does not test conditions.
Step 1 – Root Terminal and Nano editor
Start a root terminal, then enter the word nano – the nano editor will appear.
We save a file using Ctrl+O.
Step 2 – Write a for loop for 3 items
Step 3 – Make the script executable
chmod +x fruit.sh
Step 4 – Analysis of For Loop
The for loop is reading in a fixed list (apples, orange, pear).
It assigns each item of the list in turn to a variable called fruit.
The first time fruit=apple, the second time fruit=orange, the third time fruit=pear. The variable fruit changes as the loop runs through our fixed list.
do marks the start of the loop.
done marks the end of the loop.
After the loop is complete, it prints out “lets make a fruit salad”!
Different ways of “feeding” the FOR LOOP with data
fruit="apple orange pear"
User Input to “FEED DATA” into our FOR LOOP
echo -en "Please tell me your favourite fruit: "
for fruit in $fruit
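As an added example (not the post’s own fruit.sh), the same loop fed all three ways described above, plus one step beyond the post: the list read from a file. Each variant is a function so its output can be checked; the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not the post's own fruit.sh): the same loop fed three ways,
# plus a fourth (from a file) that the post does not cover.

# 1. Fixed list written straight into the loop.
salad_fixed() {
    for fruit in apple orange pear
    do
        echo "Adding $fruit"
    done
    echo "lets make a fruit salad!"
}

# 2. List held in a variable: no spaces around '=', and $fruits stays
#    unquoted so the shell splits it into separate words.
salad_variable() {
    fruits="apple orange pear"
    for fruit in $fruits
    do
        echo "Adding $fruit"
    done
    echo "lets make a fruit salad!"
}

# 3. List typed by the user. The prompt goes to stderr so that only the
#    loop's output lands on stdout.
salad_input() {
    printf 'Please tell me your favourite fruit: ' >&2
    read -r fruit
    for fruit in $fruit
    do
        echo "Adding $fruit"
    done
    echo "lets make a fruit salad!"
}

# 4. Beyond the post: the list read from a file, one fruit per line.
salad_file() {   # $1 = file
    for fruit in $(cat "$1")
    do
        echo "Adding $fruit"
    done
    echo "lets make a fruit salad!"
}
```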
University of South Wales Reading list
PARKER, S. 2011. Shell Scripting – Expert recipes for Linux, Bash, and More. Indianapolis: John Wiley & Sons.
Who knew InfoSec was so popular? Half a million views – thank you so much guys.
I also graduate tomorrow – so it’s a significant milestone and a celebration for all the right reasons.
OMG, I have a Masters… that is unreal!
If any of you are considering studying Cyber Security or Information Security at the University of South Wales, then definitely go for it.
The teamwork on the course is spectacular. The teams have been second to none for co-operation, hard work, cross training and motivation. The people on the course, make it what it is. We all have strengths, and we all play to them.
And to everyone on my course… see you guys tomorrow :)
Batman capes at the ready :)
How do you spot USW graduates… by the red Gryffindor stripes and Harry Potter capes.
Yeah, this was me today. Okay.. I can hear you laughing you know….
The NSA whistleblower questions the need for emergency legislation in an exclusive Guardian interview, saying the move mirrors a hastily introduced US law in 2007, and asks whether it would ‘really be so costly’ to take time to debate the issue
Watch the full interview on Thursday 17 July 2014
Here we automate NMAP scans to scan only the production servers’ IPs rather than an entire network.
Step 1 – Use Notepad to create a list of IP’s to scan
Notepad++ was used; enter the IPs to scan. Avoid hostnames – use IPs.
Create a directory called nmap: c:\nmap.
Create a file called scan_me.txt (use Notepad or Notepad++): c:\nmap\scan_me.txt
Step 2 – Use Zenmap, the GUI for NMAP
Enter the path to the scan_me.txt.
nmap -sP -iL c:\nmap\scan_me.txt
Remember the -sP is the Ping Scan to generate an inventory of active stations on the network. On the local subnet it uses ARP. On remote subnet it uses ICMP echo and TCP ACK to port 80 (to double the chances of success).
Just remember that -sP is an inventory that uses 2 formats – ARP on the local subnet, and ICMP echo + TCP ACK to port 80 on remote subnets.
Step 3 – Scan Results
Note that only the IPs within the scan_me.txt file were scanned. This is how you automate scanning.
You can now carry out targeted or focused NMAP scans.
In the results above, we hit a printer. Printers often react badly to scans, so we may choose to exclude that IP.
nmap -sP -iL c:\nmap\scan_me.txt --exclude 192.168.1.64
Notice how, even though scan_me.txt includes the IP 192.168.1.64, the --exclude option takes precedence and the scan never touches the excluded IP.
To Create an EXCLUDE FILE
Create a no_scan file.
nmap -sP -iL c:\nmap\scan_me.txt --excludefile c:\nmap\no_scan.txt
--exclude = IPs given on the command line
--excludefile = IPs listed in a text file, which is easier to automate.
nmap -sU -iL c:\nmap\scan_me.txt
Professor Messer Guide to NMAP
Download NMAP with Windows Installer (Zenmap)
Nmap Commands – Cyberciti
NMAP SCANNING Book – Written by the developer of NMAP **AMAZING STUFF
ITIL rules in the UK, whereas the German Federal Bureau of Information Security is, IMHO, the greatest and easiest system to put into action. The Germans live and breathe data protection – these guys are the ones to follow.
Penetration Methodology – The Visual Guide
The Bureau has adopted some BSI guides…
Just draw circles around each box, so that the outline of the penetration test is scoped within 2 minutes. Easy, right? That is what working in visual mode gives you.
Just get a pen and put a circle around the level of aggressiveness and the scope, and you’re halfway there. It’s literally that simple. The devil may be in the detail, but with diagrams and visual guides it’s easy to get agreement.
Tools such as NMAP can be customised to be less aggressive than the default. Whereas T4 is the default scan, perhaps a T1 or T2 scan might be more appropriate.
T0 = Paranoid. A port scan every 5 minutes – this would be too slow, but a hacker may need this.
T1 = Sneaky and a port scan every 15 seconds.
T2 = Polite. If you’re on production servers you may not want to add pressure to the network.
Focused – how to target specific production servers
NMAP offers 2 files – a file of IP’s to include and a file of those IP’s to exclude.
EXCLUSION ALWAYS HAS PRIORITY
We can create a file that lists only one or two IPs of, say, web servers, or a list of subnets.
Next we have an exclude file. If an IP is in this exclude file, then NMAP won’t scan it. There may be production servers that must not be scanned, and we would add their IPs to this file.
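As an added example serving both the scan_me.txt/no_scan.txt walkthrough earlier and the include/exclude rule here (not code from either post), this works out which targets an -iL/--excludefile run will actually touch before NMAP is launched. The file names are the posts’; their contents are constructed samples, with 192.168.1.64 standing in for the post’s printer.

```shell
# Added example (not from the posts): compute the effective target set of
# "nmap -iL scan_me.txt --excludefile no_scan.txt" without running nmap.
# File names are the posts'; the contents below are constructed samples.

write_sample_lists() {   # $1 = directory to write into
    printf '%s\n' 192.168.1.10 192.168.1.20 192.168.1.64 '# printer above' 192.168.1.20 \
        > "$1/scan_me.txt"
    printf '%s\n' 192.168.1.64 > "$1/no_scan.txt"
}

# Strip comments, whitespace and blank lines, then dedupe (a repeated IP in
# the include file is scanned only once anyway).
clean_list() {   # $1 = file
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | sort -u
}

# Print the include list minus everything excluded. Extra arguments behave
# like --exclude on the command line. Exclusion always has priority.
effective_targets() {   # $1 = include file, $2 = exclude file, $3.. = extra IPs
    inc=$1; exc=$2; shift 2
    excl=$(mktemp)
    { clean_list "$exc"; printf '%s\n' "$@"; } | grep -v '^$' > "$excl"
    clean_list "$inc" | grep -vxF -f "$excl"
    rm -f "$excl"
}

# The quiet, focused command from the methodology above: no reverse DNS (-n),
# polite timing (-T2) and both files in play.
nmap_command() {   # $1 = include file, $2 = exclude file
    printf 'nmap -n -T2 -iL %s --excludefile %s\n' "$1" "$2"
}
```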
AVOID NOISY SCANS – PORT Mnemonic.
-sP = ICMP Echoes – lots of network traffic generated
-sO = Protocol decode – looks odd and gives away the attacker in a heartbeat
-sR = RPC grind – lots of packets, listed in application logs. Avoid this.
-sT = Opens a full session, so the attacker’s IP is logged and lots of RSTs are generated. SCAN OF LAST RESORT!!
The Mnemonic of noisy scans to avoid is PORT. -sP, -sO, -sR and -sT (the scan of last resort).
-P0 = Disable ping – for heaven’s sake, use -P0, -PD or -PN. PLEASE!!!
-n = Turn off reverse DNS. Use the IP, not the hostname. If you must use hostnames, enter them in the local LMHOSTS file.
So you can see how easily the visual penetration testing methodology converts into NMAP scans, and how it may switch off many default settings to protect the network.
Even more important, if you’re the attacker, you now know why you should NOT be using the NMAP default settings. Think of the logs more as the sonar in a submarine: you can tell so much from the bounced signals. In an -O scan we see sets of 6 pings, so if anyone mentions seeing 6 pings in the logs, we know it’s an attack profile.
OS Recon -O
Step 1 – IPID = 6 probes = sequence generation. The IPID monitors the sequence ID of the packet. This is often used with the Zombie Scan or Idle Scan (-sI). If you see 6 pings, look out for a Zombie Scan. Of course, also look for a UDP and an ECN probe, in case it’s a -O scan that is underway.
Step 2 – ICMP = 2 probes
Step 3 – UDP = 1 probe = must be sent to a closed port to generate a RST. Remember to think of this as SONAR, the reflected signal, from a closed port is more important, so the port MUST be closed to assist in the attack, in order to get a bounced signal and hence a footprint.
Step 4 – ECN (Congestion Notice) = 1 probe
Step 5 – TCP = 6 probes = malformed TCP packets.
NMAP will issue malformed TCP packets, including:
- No flags set
- F, S, P, U flags set
- F, P, U flags set
So suddenly the methodology has come to life. The visual guides assist us in getting the settings right for the production environment.
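As an added example (not from the post), here is the defender’s side of the probe mix just described: a check over firewall-style log lines that flags a source sending the 6 TCP probes, 2 ICMP probes, 1 UDP probe and an odd-flag TCP packet. The log format and every line are constructed for this example, loosely modelled on iptables LOG output.

```shell
# Added example (not from the post): a defender-side check for the probe mix
# described above, run over firewall-style log lines. The format and the lines
# are constructed for this example, loosely modelled on iptables LOG output.
write_sample_log() {   # $1 = output file
    cat > "$1" <<'EOF'
Jul 17 10:00:01 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=80 SYN
Jul 17 10:00:01 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=80 SYN
Jul 17 10:00:01 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=80 SYN
Jul 17 10:00:01 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=80 SYN
Jul 17 10:00:01 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=80 SYN
Jul 17 10:00:01 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=80 SYN
Jul 17 10:00:02 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=ICMP TYPE=8 CODE=0
Jul 17 10:00:02 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=ICMP TYPE=13 CODE=0
Jul 17 10:00:02 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=UDP DPT=40125
Jul 17 10:00:02 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=80 CWR ECE SYN
Jul 17 10:00:03 fw kernel: SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=80 FIN PSH URG
Jul 17 10:00:05 fw kernel: SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=443 SYN
Jul 17 10:00:06 fw kernel: SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=443 ACK
EOF
}
# Print each source that sent >= 6 TCP probes, >= 2 ICMP probes, >= 1 UDP
# probe and >= 1 TCP packet with an odd flag set (none, FIN+PSH+URG, or
# the ECN pair CWR+ECE). Counts are per source over the whole file.
flag_os_fingerprint() {   # $1 = log file
    awk '
    {
        src = ""; proto = ""; flags = " "
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG|ECE|CWR)$/) flags = flags $i " "
        }
        if (src == "") next
        if (proto == "ICMP") icmp[src]++
        else if (proto == "UDP") udp[src]++
        else if (proto == "TCP") {
            tcp[src]++
            if (flags == " " || (flags ~ / FIN / && flags ~ / PSH / && flags ~ / URG /) ||
                (flags ~ / CWR / && flags ~ / ECE /)) odd[src]++
        }
    }
    END {
        for (s in tcp)
            if (tcp[s] >= 6 && icmp[s] >= 2 && udp[s] >= 1 && odd[s] >= 1)
                print "possible nmap -O fingerprint from " s
    }' "$1"
}
```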