My friends at DigitalOcean were nice enough to give me a generous amount of credit on their cloud platform to do some security research with, so I decided to do the most reckless thing I could think of and run a full SSH honeypot on the internet.
The build-out is pretty simple: it is the SSHoneypot Docker container I wrote, running on a Debian droplet with all outbound traffic blocked so that, in theory, not much damage can be done.
Surprisingly, it has taken a few days for people to start exploiting the boxes, but when I got up this morning 2 of the boxes had been “hacked”:
In order to share these findings with the community I will copy all files written to these honeypots to honeyfiles.jgamblin.com.
I have a long way to go with this project, as way too much of it is manual right now. I need to invest the time to automate notification, moving the files to the web server and starting a new container.
If you are interested in full pcaps or any of the actual exploited SSHoneypot containers, reach out to me on Twitter at @jgamblin and I will be glad to share.
I took some time tonight and read through the Security Summer Camp (BSidesLV, Blackhat and Defcon) schedules and picked the talks from this year that I think will be the best and that I do not want to miss.
I ended up with these 16 talks I am going to make a special point to see next week:
BSidesLV
Managing Security with the OWASP Assimilation Project.
I want to see how Alan is using this OWASP project and how it compares to commercial CMDBs.
Automation of Penetration Testing and the future.
I am really interested in this subject as security is seriously lagging behind in the automation arms race and I think it will be the hottest trend in security over the next year.
How to Get and Maintain your Compliance without ticking everyone off.
The outline for this talk is a little sparse but I am interested in seeing what these guys come up with since I know them and am interested in this subject.
How to travel to high-risk destinations as safely as possible.
Ryan will do an amazing job on this talk but I am going to go to this talk to see how many of these things I can steal for my own OpSec.
A Peek Behind Vegas Surveillance.
Um… because why not? I love Oceans 11.
Automation Plumbing.
Another automation talk…. I sense a trend.
BlackHat
An insider’s guide to cyber-insurance and security guarantees.
I am interested in this subject in general and how it will shape security in the next few years.
Cyber war in perspective: analysis from the crisis in Ukraine
I have read a couple of books and watched Winter on Fire about this conflict, so it will be interesting to hear about it from a cyber-war perspective.
Defcon
Universal Serial aBUSe: Remote physical access attacks.
This is going to be the best and most talked about talk at Defcon. If Dominic brings the tool outlined in the talk (and he will) you will be reading about this for the next month.
Realtime bluetooth device detection with Blue Hydra
I love hacking bluetooth devices and Blue Hydra is an amazing new tool.
BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses
These guys know so much about hacking hardware and this talk and tool is going to be amazing. I hope Joe has a kit together by Defcon so I can buy it.
101 Ways to Brick your Hardware
Joe FitzPatrick is one of the smartest guys I know, and this talk on his failures will be entertaining, educational and inspiring. Amazing and truly talented people can always laugh at themselves.
Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Um… are you telling me you wouldn’t want to see this?
Hacking Hotel Keys and Point of Sale systems
I am glad I will be checked out of my room by the time this talk is given.
Other
Sun, Sin, Security: IOActive
IOActive does an amazing job with their event every year and they will have some amazing talks.
Securing the Internet of Things (SIOT)
I love IoT security and I will be speaking at this event.
I will just leave this here for discussion at another time but I am probably skipping the Blackhat badge next year:
| Conference | Badge Cost | Talks | Cost Per Talk |
|---|---|---|---|
| BSidesLV | $0.00 | 6 | $0.00 |
| BlackHat | $2,295.00 | 2 | $1,147.50 |
| Defcon | $240.00 | 6 | $40.00 |
We are two weeks away from Security Summer Camp (which is BSidesLV, Blackhat and Defcon)!
So it is time for everyone to write their annual blog posts about what you must do before you head out. I want to be one of the cool kids so here is my list of 6 things to do before you pack:
Delete All The Saved SSID’s On Your Devices
A common attack is to spoof popular SSIDs so that your device auto-joins the attacker's access point, letting them capture all of your traffic. I actually wrote a script called mana-common that spoofs the most common ones to demo this problem.
You should delete all the saved SSIDs on your devices to avoid falling victim to this attack.
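As an added example (not from the original post), here is how to audit and forget saved Wi-Fi profiles on a Linux laptop that uses NetworkManager. It assumes `nmcli` is installed; the parsing is written against the terse `NAME:TYPE` format of `nmcli -t -f NAME,TYPE connection show`, and the sample lines in the comments are constructed. On macOS the equivalents are `networksetup -listpreferredwirelessnetworks en0` and `networksetup -removepreferredwirelessnetwork en0 <SSID>`.

```shell
#!/bin/sh
# Added example, not from the original post: list every saved Wi-Fi profile
# NetworkManager knows about and, on request, delete them all, so the laptop
# cannot be lured onto a spoofed "attwifi" or "xfinitywifi" by auto-join.
# Assumes nmcli. Parsing targets the terse output of
#   nmcli -t -f NAME,TYPE connection show
# which prints one "NAME:TYPE" line per profile and escapes ':' in names as '\:',
# e.g. (constructed):  attwifi:802-11-wireless
#                      Wired connection 1:802-3-ethernet

# Read nmcli terse output on stdin and print the names of Wi-Fi profiles only.
# The type is everything after the last colon and the name everything before it,
# so a name containing an escaped colon survives intact.
wifi_profiles() {
  while IFS= read -r line; do
    ctype=${line##*:}
    name=${line%:*}
    [ "$ctype" = "802-11-wireless" ] || continue
    printf '%s\n' "$name" | sed 's/\\:/:/g'
  done
}

# Show what would be forgotten.
list_saved_wifi() {
  nmcli -t -f NAME,TYPE connection show | wifi_profiles
}

# Forget every saved Wi-Fi profile; NetworkManager drops the stored PSK with it.
forget_saved_wifi() {
  list_saved_wifi | while IFS= read -r name; do
    nmcli connection delete "$name"
  done
}

# Usage: sh forget-wifi.sh --list      # show saved Wi-Fi profiles
#        sh forget-wifi.sh --forget    # delete them all
if [ "${1:-}" = "--forget" ]; then
  forget_saved_wifi
elif [ "${1:-}" = "--list" ]; then
  list_saved_wifi
fi
```

Run it with `--list` first; anything you still want to auto-join you can re-add by hand after the trip.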
Get A Hot Spot
Connecting to a hotel network at a Hilton in Little Rock is dangerous. Connecting to a hotel network in Las Vegas is reckless. Connecting to a hotel network in Las Vegas during Security Summer Camp is stupid. You can pick up a mobile hotspot for about $25 a month.
Get A VPN
You could easily get a commercial VPN, but if you want to go to the next step, build your own Streisand server or an OpenVPN server and delete it when you are done with it. It will help protect your data from anyone who may be snooping on you.
Change All Your Passwords (Before and After)
You should run your password manager's auto-change feature before you leave for Vegas and again when you get back, just in case someone gets hold of an account. You do use a password manager, right?
Turn on 2FA On All Your Accounts.
You should at a minimum enable 2FA on all your social media and financial accounts before you head out. Twofactorauth.org has great information on how to configure your accounts to use 2FA.
PCAP All Your Traffic
This is the most paranoid of my tips, but when I am at a conference I always PCAP all my traffic so that if I do get breached I can hopefully figure out how, or at least write a good blog post about it.
I wrote a blog post on doing this with docker earlier this summer so I now can run this to save the pcaps to my dropbox:
docker run -v ~/Dropbox/pcap:/pcap --net=host -d jgamblin/tcpdump
The truth is these 6 rules should be followed all the time if you want to have a decent operational security posture. OK, you might not need to PCAP everything, I am just paranoid… follow the first five and you will be OK.
Also, while at Security Summer Camp drink plenty of water, don’t sleep much and have fun!
While doing security research it is not uncommon for me to build and destroy between 20 and 25 cloud servers a week on DigitalOcean.
While there are great guides like:
My First 10 Minutes On a Server – Primer for Securing Ubuntu
My First 5 Minutes On A Server; Or, Essential Security for Linux Servers
I do not have the time to manually follow these guides on a server I may shut down in an hour, so I have slowly been building a shell script to do a lot of this for me.
Now the first thing I do when I log into a box is:
curl -sSL https://raw.githubusercontent.com/jgamblin/quickinstall/master/quickinstall.sh | sh
The script does the following:
Enables UFW and denies all inbound traffic except SSH.
Sets the timezone to Coordinated Universal Time (UTC).
Installs Python, Ruby, Node.js, docker.io, Fail2Ban and unattended-upgrades (plus nmap, nikto and the usual build dependencies).
Launches a PCAP Docker container that captures all server traffic into PCAP files.
While it is not pretty it does what I need:
```bash
#!/bin/bash
# quickinstall.sh: one-shot hardening and tooling for a throwaway droplet.
# Runs as root (the default DigitalOcean login), so no sudo is needed.
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

#
# Refresh package lists first so the installs below do not hit stale indexes,
# then upgrade everything already installed
#
apt-get update && apt-get dist-upgrade -y

#
# Install and configure firewall: deny everything inbound except SSH
#
echo -e "\nInstalling and configuring firewall\n"
apt-get install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
# --force skips the "may disrupt existing ssh connections" prompt. Unlike only
# flipping ENABLED=yes in /etc/ufw/ufw.conf, this loads the rules now as well
# as at boot.
ufw --force enable

#
# Set timezone to Coordinated Universal Time
#
timedatectl set-timezone UTC

#
# Install stuff I use all the time
#
apt-get install -y build-essential checkinstall docker.io fail2ban git git-core \
  libbz2-dev libc6-dev libgdbm-dev libncursesw5-dev libreadline-gplv2-dev \
  libsqlite3-dev libssl-dev nikto nmap nodejs python-dev python-numpy \
  python-scipy python-setuptools tk-dev unattended-upgrades

#
# Install Ruby via RVM
#
curl -L https://get.rvm.io | bash -s stable --ruby

#
# PCAP everything: capture all host traffic into ~/pcap
#
mkdir -p ~/pcap
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump
```
I will continue to build this out in this GitHub repo.
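The `curl … | sh` one-liner above runs whatever the server hands back at that moment, so a compromised repo, a redirect or a man-in-the-middle on a conference network gets root on the new box. As an added example that is not part of the original post or the quickinstall repo, here is the habit I would substitute: download to a file, compare it against the SHA-256 of the copy you reviewed, and only then execute it. The URL and digest are placeholders you supply; the digest checked in the test is the well-known SHA-256 of the empty file.

```shell
#!/bin/sh
# Added example, not from the original post or the quickinstall repo: fetch a
# bootstrap script, verify it against a hash recorded from a copy you already
# read, and refuse to run it on mismatch. Works with GNU coreutils (sha256sum)
# or the BSD/macOS shasum.

# Print the lowercase hex SHA-256 of a file with whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file's digest equals the expected one (case-insensitive).
sha256_matches() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Download $1 to a temp file, verify it against $2, then run it with any
# remaining arguments. Exit status 2 means "hash mismatch, nothing was run".
run_verified() {
  url=$1; expected=$2; shift 2
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if sha256_matches "$tmp" "$expected"; then
    sh "$tmp" "$@"; rc=$?
  else
    echo "hash mismatch for $url, not running" >&2
    echo "got: $(sha256_of "$tmp")" >&2
    rc=2
  fi
  rm -f "$tmp"
  return $rc
}

# Usage (placeholder URL and digest, replace with your own):
#   run_verified https://example.invalid/quickinstall.sh \
#     e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
```

Pin the digest from a copy you read once, and update the pin deliberately when you change the script; that turns "trust the CDN at 3 a.m." into "trust the commit I reviewed".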
There has been a lot of talk about why you should use a VPN on public networks and why it shouldn’t be a commercial one.
I am a huge fan of the Streisand privacy stack because it includes an L2TP/IPsec VPN, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel and a Tor bridge, all in one amazing package.
The problem with Streisand, though, is that the install is amazingly complicated: it drives Ansible from your local system against a cloud provider's API, and if you are not in a shop that uses this technology it can be difficult to get working correctly. So I have hacked the install down to run directly on a DigitalOcean server (but this should work everywhere).
The steps are as follows:
Create a new DigitalOcean Ubuntu 14.04 droplet named streisand with your SSH key.
The $5 droplet “works”, but if you are not going to keep it running all the time (I wouldn’t) I would spin this up on a $20 a month droplet when needed (say for a trip out of the country or to Blackhat).
Run the following commands to install the prerequisites:
sudo apt-get update && sudo apt-get install -y git python-paramiko python-pip python-pycurl python-dev build-essential
sudo pip install ansible markupsafe dopy==0.3.5
Download and configure Streisand with the following commands:
git clone https://github.com/jlund/streisand.git && cd streisand/playbooks
sed -i 's/streisand-host/127.0.0.1/g' streisand.yml
sudo ansible-playbook -i "localhost," -c local streisand.yml
sed -i "s/localhost/$(curl -s ipecho.net/plain)/g" ../generated-docs/streisand.html
(This takes between 10 and 15 minutes to complete.)
Use Streisand for safer internet:
Copy generated-docs/streisand.html to your local machine using scp, or just cat it and paste (cat ../generated-docs/streisand.html). It has all the information you need to use your new privacy server on almost every device you own. You can also share this information with your family or team, as one server should support 4 or 5 users.
If you trust me (and you shouldn’t), here is a bash script to automate the install:
https://gist.github.com/jgamblin/3100b682510119722c56f5667fa2e18b
One of the tips that security professionals love to give is to use a VPN on public wifi networks. This is great advice (I personally like PrivateInternetAccess and NordVPN). Recently I noticed nike.com blocks traffic from Tor and VPN providers:
That got me wondering what other websites were blocking traffic from these sources so I decided to test the Alexa Top 1000 websites.
First I needed to get a list of the top 1000 websites. To do this I used this line of command-line kung fu, which grabs a CSV of the top 1 million websites and puts the top 1000 hostnames in a urls.txt file:
curl -s -O s3.amazonaws.com/alexa-static/top-1m.csv.zip ; unzip -q -o top-1m.csv.zip top-1m.csv ; head -n 1000 top-1m.csv | cut -d, -f2 | cut -d/ -f1 > urls.txt
Here is the output from this command.
I now needed to automatically take a screenshot of 1000 websites. I had started to write my own terrible python script using selenium until Chris Truncer pointed me to his amazing project called EyeWitness.
The command I used was:
./EyeWitness.py --web -f urls.txt
During my first test using PrivateInternetAccess I found 11 of 1000* blocked access with a 401/404:
hilton.com
nike.com
craigslist.org
ticketmaster.com
tradeadexchange.com
blog-newstime.com
brightonclick.com
adnetworkperformance.com
kissanime.to
neobux.com
loading-delivery2.com
With craigslist.org, nike.com, ticketmaster.com and hilton.com being the most impactful websites on that list:
I then ran the test again through Tor (using the Tor container I built) and found 40 of 1000* blocked access with a 401/404:
adnetworkperformance.com
nordstrom.com
overstock.com
asos.com
prjcq.com
avito.ru
quikr.com
bestbuy.com
retailmenot.com
blog-newstime.com
secureserver.net
brightonclick.com
shopclues.com
craigslist.org
ticketmaster.com
expedia.com
tradeadexchange.com
foxnews.com
trulia.com
garmin.com
tube8.com
groupon.com
usbank.com
irs.gov
usps.com
justdial.com
walmart.com
kohls.com
wayfair.com
lowes.com
hilton.com
whitepages.com
macys.com
xbox.com
newegg.com
zara.com
nike.com
zhihu.com
With many more asking for a captcha before gaining access:
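As an added example (not from the original post), the same "does this site let me in from this egress?" question can be answered with HTTP status codes rather than screenshots, which makes the direct, VPN and Tor runs diffable. It assumes `curl` and, for the Tor run, a SOCKS proxy on 127.0.0.1:9050 (the tor daemon's default); the `socks5h://` scheme makes Tor resolve the hostname so the lookup does not leak to the local resolver. The result lines in the test are constructed, not measured.

```shell
#!/bin/sh
# Added example, not from the original post: probe a host list from two
# egress points and report the sites that are fine directly but blocked or
# throttled through the proxy. Assumes curl; urls.txt holds one bare hostname
# per line, as produced earlier in the post.

# Map an HTTP status code to a coarse verdict. curl reports 000 when no HTTP
# response came back at all (refused connection, TLS failure, timeout).
classify_status() {
  case "$1" in
    2*|3*)       echo ok ;;
    401|403|404) echo blocked ;;    # 401/404 are what the post observed; 403 is the usual "access denied"
    429|503)     echo throttled ;;  # rate limits and "checking your browser" interstitials land here
    000)         echo unreachable ;;
    *)           echo other ;;
  esac
}

# Probe one host and print "host code verdict". $2 is an optional curl proxy
# URL, e.g. socks5h://127.0.0.1:9050 for Tor.
probe_host() {
  host=$1
  proxy=${2:-}
  if [ -n "$proxy" ]; then set -- --proxy "$proxy"; else set --; fi
  code=$(curl -s -o /dev/null -L -m 20 -A 'Mozilla/5.0' -w '%{http_code}' "$@" "https://$host/" || true)
  code=${code:-000}
  printf '%s %s %s\n' "$host" "$code" "$(classify_status "$code")"
}

# Probe every host in a list file, directly or through the given proxy.
probe_list() {
  list=$1; proxy=${2:-}
  while IFS= read -r host; do
    if [ -n "$host" ]; then probe_host "$host" "$proxy"; fi
  done < "$list"
}

# Given two result files in the format above (direct first, proxied second),
# print the hosts that answered ok directly but were blocked or throttled via
# the proxy: exactly the sites this post is about.
blocked_only_via_proxy() {
  awk 'NR == FNR { direct[$1] = $3; next }
       ($1 in direct) && direct[$1] == "ok" && ($3 == "blocked" || $3 == "throttled") { print $1 }' "$1" "$2"
}

# Usage:
#   probe_list urls.txt > direct.txt
#   probe_list urls.txt socks5h://127.0.0.1:9050 > tor.txt
#   blocked_only_via_proxy direct.txt tor.txt
```

Status codes miss the captcha case the screenshots caught (a 200 with a challenge page), so treat this as the first pass and keep EyeWitness for the hosts that come back `ok` but look suspicious.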
Epilogue: I play defense in my day job. I understand the need to stop malicious traffic from reaching your website. This isn’t an indictment, just an academic exercise, although if more and more websites take this approach, tools like Tor and commercial VPNs will become less useful.
Final Notes:
I was surprised at how many porn websites are in the top 1000 overall websites.
It takes 1.8 gigs of storage to screenshot the top 1000 websites.
*Your results will vary based on exit node, VPN, the time you test and what color shirt you have on.
I had a 2014 Dell Chromebook 11 I was not doing anything with, so I decided to turn it into a stand-alone Kali box using the Chromium OS Universal Chroot Environment (crouton).
The installation steps are pretty simple:
Add a l33t hacker sticker:
Enable Developer Mode (this will wipe the device).
Login and download the latest crouton.
Access the terminal by pressing Ctrl+Alt+T.
Run the following commands:
shell
sudo sh -e ~/Downloads/crouton -r sana -t xfce
Go eat lunch (it takes about 30 minutes to pull down the image).
Hack (legally) all the things:
You have a couple of options for how to use Kali on the Chromebook. The option I will use the most is just the terminal. You can access it by typing: sudo enter-chroot -n sana
You can also access the full GUI by typing: sudo startxfce4 -n sana
A couple of notes:
Kali-Rolling is not working on crouton right now due to an abandoned-package issue. They are working on it.
The install of Kali is super lightweight. The meta-packages will be your friend when building your image.
A picture started floating around the internet of Mark Zuckerberg holding an Instagram cutout:
People almost instantly started to notice that his webcam and mic were taped over. While Mark Zuckerberg isn’t exactly known for having great security practices (all his social media passwords were Dadada), this started a discussion in the office about whether someone could really spy on you via your webcam. So, being a huge fan of the POC||GTFO model of security, I put together a quick POC using a 10-line bash script and imagesnap and put it on GitHub.
Simply running ./capture.sh & takes a photo every 60 seconds.
While I don’t shower with my Mac (that much), I will be Zuckerberging my webcam from now on so hackers cannot see the strange faces I make at my computer when trying to figure out how to get a bash script to work correctly.
While rebuilding my iPad this weekend I noticed that I could name it an emoji. So I named my iPad 📱(U+1F4F1):
While I don’t have any problem using the iPad, it basically makes it unreachable on the network via hostname.
From there I renamed all of my lab machines emojis. Mostly variations of 💩 (U+1F4A9) because I am sophomoric:
In case you were wondering, this is all totally illegal according to RFC 952 (which was written in 1985) and shouldn’t be allowed, but I have not found an OS that enforces it.
While doing some research on hostnames and emojis I read that .ws (Samoa) and .tk (Tokelau) allow emoji domains with the help of Punycode, so I registered http://☠💻💩.ws, which is either going to be a waste of $6 or the start of a $10B security startup. I have not decided yet.
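As an added example (not from the original post), here is the check the operating systems are skipping: a POSIX shell validator for the RFC 952 / RFC 1123 hostname rules (labels of ASCII letters, digits and hyphens, not starting or ending with a hyphen, at most 63 bytes each, 253 bytes overall). An emoji name fails because its UTF-8 bytes are outside `[A-Za-z0-9-]`. The emoji domain works at the registry because it is stored in its Punycode A-label form, which is plain ASCII and passes the same check; the test uses `xn--ls8h`, the A-label for 💩.

```shell
#!/bin/sh
# Added example, not from the original post: validate a hostname against the
# RFC 952 / RFC 1123 rules that, as the post notes, no OS seems to enforce.
# LC_ALL=C makes the shell and grep work byte-wise, so multibyte characters
# such as emoji can never match the ASCII character classes below.
export LC_ALL=C

# Return 0 if a single label is valid: alphanumeric at both ends, alphanumerics
# or hyphens in between, 1 to 63 bytes long.
valid_label() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Return 0 if the full, possibly dotted, hostname is valid. A single trailing
# dot (FQDN notation) is allowed; empty labels such as in "a..b" are not.
valid_hostname() {
  name=${1%.}
  [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
  old_ifs=$IFS
  IFS=.
  set -- $name
  IFS=$old_ifs
  for label in "$@"; do
    valid_label "$label" || return 1
  done
  return 0
}

# Usage: sh hostcheck.sh NAME...   prints "ok NAME" or "bad NAME" per argument.
for candidate in "$@"; do
  if valid_hostname "$candidate"; then echo "ok  $candidate"; else echo "bad $candidate"; fi
done
```

Dropping this into a provisioning script before `hostnamectl set-hostname` is the cheap way to keep sophomoric lab names from quietly breaking DNS, Kerberos and TLS name matching later.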
If all of this isn’t ridiculous enough for you, you can even name your wireless network with emojis:
…emojis: they just aren’t for 12 year olds anymore. 😎
Earlier today I ran across this blog post on hijacking Windows .lnk files, so I decided to build out and test a full POC for it on Windows 8.1.
To reproduce this, just copy these 7 lines into PowerShell; Ctrl+C now runs calc.exe instead of copying your text:
https://gist.github.com/jgamblin/4aa897a2cca6912eeea96a12d73d8cd6
For extra jerkiness, this one shuts down a Windows machine when Ctrl+C is pressed:
https://gist.github.com/jgamblin/9ca3be57c24d4b422e385d296763d903
Using this technique you could natively remap common shortcuts like Ctrl+C and Ctrl+V to do anything the logged-in user can do (Ctrl+Alt+Delete is the exception: it is the secure attention sequence handled by Winlogon and cannot be reassigned through a shortcut hotkey). You could also copy these links into the common desktop (C:\Users\Public\Desktop\) so that anyone who logs into the machine gets these mappings.
Here is a full video of the POC: