Career, Hacking

A picture started floating around the internet of  Mark Zuckerberg holding an Instagram cutout:

920x1240

People almost instantly started to notice that his webcam and mic were taped over.   While Mark Zuckerberg isnt exactly known for having great security practices,  all his social media passwords were Dadada. This started a discussion in the office if someone could really spy on you via your webcam.  So being a huge fan of the POC||GTFO model of security I put together a quick POC using a 10 line bash script and imagesnap and put it on github.

Simply Running ./capture.sh & takes a photo every 60 seconds.

160623073527- 160623074642-

While I dont shower with my mac (that much) I will be  Zuckerberging my webcam from now so hackers can not see the strange faces I make at my computer when trying to figure out how to get a bash script to work correctly.

Career, Hacking

While rebuilding my iPad this weekend I noticed that I could name it an emoji.  So I named my iPad 📱(U+1F4F1):

Screen Shot 2016-06-19 at 7.41.30 PM

 

While  I don’t have any problem using the iPad it basically makes it unreachable on the network via hostname.

Screen Shot 2016-06-19 at 7.54.13 PM

From there I renamed all of my lab machines emojis.  Mostly  variations of 💩 (U+1F4A9) because I am sophomoric:

In case you were wondering this is all totally illegally according to RFC 952 (that was written in 1985)  and shouldn’t be allowed but I have not found an OS the enforces it.

While doing some research on hostnames and emojis  I read that .ws (Samoa) and .tk (Tokelau) allow emoji domains with the help on punycoder so I registered  http://☠💻💩.ws which is either going to be the waste of $6 or the start of a $10B security startup.  I have not decided yet.

Screen Shot 2016-06-19 at 4.37.50 PM

If all of this isn’t ridiculous enough for you can even name your wireless network with emojis:

Screen Shot 2016-06-19 at 7.59.19 PM

…emojis: they just aren’t for 12 year olds anymore.  😎

 

Hacking

Earlier today I ran across this blog post on hijacking windows .lnk file so  I decided to build out and test a full POC for it using Windows 8.1. 

 

To reproduce this just copy these 7 lines into powershell and  ctrl+c now runs calc.exe instead of copying your text:

For extra jerkiness this will shutdown a windows machine when ctrl+c is pressed:

Using this technique you could easily natively remap common commands like ctrl+c , ctrl+v, ctrl-alt-delete to do anything the logged in user can do.  You could also copy these links into the common desktop (C:\Users\Public\Desktop\) to make anyone who logs into the machine have these mappings.

Here is a full video of the POC:

Career, Security

While getting ready to teach an “introduction to penetration testing with docker ” class I stumbled across the Shipyard-Project which brings an amazing web based interface to docker.

Installing on Debian on DigitalOcean is as simple as starting a droplet and running these two commands:
curl -sSL https://get.docker.com/ | sh
curl -sSL https://shipyard-project.com/deploy | bash -s

Update:  Running scripts you have not read through is a really bad idea (almost as bad as suggesting you do so). Make sure you take a look at the docker and shipyard  scripts before you run them.

From there you have an amazing docker interface at http://yourip:8080

 

Screen Shot 2016-06-09 at 8.32.08 PM

You Can Pull And Manage Images:

Screen Shot 2016-06-10 at 6.09.54 AM
Configure Containers:

Screen Shot 2016-06-10 at 6.11.36 AM
Easily Control Containers:

Screen Shot 2016-06-10 at 6.11.56 AMCheck Stats and Logs:

Screen Shot 2016-06-10 at 6.13.49 AM Screen Shot 2016-06-10 at 6.13.59 AMAccess Containers Console:

Screen Shot 2016-06-10 at 6.14.30 AM

While the CLI for docker isn’t hard to learn this does seem like the “Killer App” that could help people adopt containers.  I know I will be using it to manage my containers from here on out and recommending it to as many people as I can.

Career, Hacking

Docker containers have become so ubiquitous sometimes respected security professionals tweet ridiculous  things like:

…but it is 2016 and you should never run code on your machine if you don’t know what it does.  These are mini-virtual machines and not magically secure little shipping containers*.  At a minimum you should do these basic things to get some idea of what you are putting on your machine before you run it.

Pull the container first:
docker pull jgamblin/tiny-tor 

Screen Shot 2016-06-08 at 5.23.35 PM

Use  Docker Inspect to look at the container’s metadata:
docker inspect jgamblin/tiny-tor 

Screen Shot 2016-06-08 at 5.24.15 PMYou will want to carefully read through that output and take time to look at these fields:

  • Image The image this container is running.
  • NetworkSettings The network settings for the container,
  • LogPath The system path to this container’s log file.
  • Name The user defined name for the container.
  • Volumes Defines the volume mapping between the host system and the container.
  • HostConfig Key configurations for how the container will interact with the host system. These could take CPU and memory limits, networking values, or device driver paths.
  • Config The runtime configuration options set when the docker run command was executed.

 

Use Docker History to see how the image was built:
docker history jgamblin/tiny-tor

Screen Shot 2016-06-08 at 7.45.48 PM

Protip:  CenturylinkLabs released a tool to create a Dockerfile from a container.

Run the container without network access and look around a bit:
docker run -t -i --net=none jgamblin/tiny-tor /bin/sh

Screen Shot 2016-06-09 at 6.07.31 AM

After you have done the following steps and feel comfortable you can then:
docker run -t -i -p 9050:9050 jgamblin/tiny-tor

Screen Shot 2016-06-08 at 7.55.42 PM

If you do these basic things you can feel a little better about what you are running on your system.

* What a magically secure little shipping container might look like:
10-foot-side-view

Career, Hacking

I built a simple TOR  socks proxy container today to be able to easily use TOR to machines I am working on.

Getting it to run is as simple as:
docker run --name tor -ti -p 9050:9050 jgamblin/tor

This will run it as a daemon:
docker run --name tor -ti -p 9050:9050 jgamblin/tor

From there all you have to do is configure your  browser to use port 9150 and you are using TOR.

The dockerfile for this build is fairly simple and is on Github and Docker Hub:

As always if you are *REALLY* worried about security you should be using Tails but this works perfectly to get an “outside-in” real world look of your environment.   If you have any questions please reach out to me on twitter at @jgamblin.

Career, Hacking

My favorite open source tool for analyzing PCAP files is CapAnalysis  and I have always kept a virtual machine around to run this software but I have been on a kick of containerizing all my favorite tools recently so I decided to put CapAnalysis into a container.

It allows you to easily visualize the traffic flow, statistics, geolocation and a ton of other amazing information:

To get started you just need to run:
docker run -t -i -d -p 9877:9877 jgamblin/capanalysis

From there all you have to do is create a dataset and upload the pcaps you want to analyze.

Inside the container is:
Ubuntu 15.04
Apache2
PHP5
Postgresql

The Dockerfile for this container is:

FROM ubuntu:15.04

# Install packages
ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update && apt-get -y install \
wget \
curl \
gdebi \
php5 \
sudo \
apache2\
apt-utils

RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \
    && echo 'exit 101' >> /usr/sbin/policy-rc.d \
    && chmod +x /usr/sbin/policy-rc.d

RUN wget http://downloads.sourceforge.net/project/capanalysis/version%201.2.0/capanalysis_1.2.0_amd64.deb

RUN apt-get update && gdebi --n capanalysis_1.2.0_amd64.deb

RUN sed -i -e 's/PRIORITY=1 #(0..20)/PRIORITY=0 #(0..20)Z/g' /etc/init.d/capanalysis

CMD sudo service postgresql restart && \
sudo service apache2 restart && \
sudo service capanalysis restart && \
tail -f /var/log/apache2/access.log

If you have any questions or comments reach out to me on twitter at @jgamblin