What To Inspect When You Are Inspecting!

Docker containers have become so ubiquitous that sometimes respected security professionals tweet ridiculous things like:

…but it is 2016 and you should never run code on your machine if you don’t know what it does.  These are mini-virtual machines and not magically secure little shipping containers*.  At a minimum you should do these basic things to get some idea of what you are putting on your machine before you run it.

Pull the container first:
docker pull jgamblin/tiny-tor 


Use Docker Inspect to look at the container’s metadata:
docker inspect jgamblin/tiny-tor 

You will want to carefully read through that output and take time to look at these fields:

  • Image: The image this container is running.
  • NetworkSettings: The network settings for the container.
  • LogPath: The system path to this container’s log file.
  • Name: The user-defined name for the container.
  • Volumes: Defines the volume mapping between the host system and the container.
  • HostConfig: Key configuration for how the container interacts with the host system, such as CPU and memory limits, networking values, or device paths.
  • Config: The runtime configuration options set when the docker run command was executed.
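As an added example (not part of the original post), here is a small Python checker that takes the JSON printed by docker inspect and flags the HostConfig and Config settings a reviewer would want to see before running an image. The inspect record embedded below is constructed, not real output from jgamblin/tiny-tor.

```python
import json

# Constructed sample: a trimmed `docker inspect` record whose host-facing
# settings are deliberately set the way a careless image might set them.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/tiny-tor",
    "Config": {"Image": "jgamblin/tiny-tor", "User": ""},
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "host",
        "Binds": ["/:/host", "/home/me/pcap:/pcap"],
        "CapAdd": ["SYS_ADMIN"],
        "Devices": [{"PathOnHost": "/dev/mem"}],
        "PortBindings": {"9050/tcp": [{"HostIp": "", "HostPort": "9050"}]},
    },
}])

# Host paths that give a container a view of, or control over, the host itself
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/var/run/docker.sock")

def review(inspect_json):
    """Return (field, finding) pairs for the settings worth a second look."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append(("HostConfig.Privileged", "runs with all capabilities and host devices"))
        if hc.get("NetworkMode") == "host":
            findings.append(("HostConfig.NetworkMode", "shares the host network namespace"))
        for cap in hc.get("CapAdd") or []:
            findings.append(("HostConfig.CapAdd", f"extra capability {cap}"))
        for dev in hc.get("Devices") or []:
            findings.append(("HostConfig.Devices", f"host device {dev.get('PathOnHost')}"))
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]  # host side of host:container[:opts]
            if src in SENSITIVE_HOST_PATHS or src.startswith(("/etc/", "/proc/", "/sys/")):
                findings.append(("HostConfig.Binds", f"sensitive host path mounted: {bind}"))
        for port, hosts in (hc.get("PortBindings") or {}).items():
            if any(h.get("HostIp") in ("", "0.0.0.0") for h in hosts):
                findings.append(("HostConfig.PortBindings", f"{port} published on all interfaces"))
        if not (c.get("Config") or {}).get("User"):
            findings.append(("Config.User", "no user set, so processes run as root"))
    return findings

if __name__ == "__main__":
    for field, note in review(SAMPLE_INSPECT):
        print(f"{field}: {note}")
```

Pipe real output in with docker inspect and a small wrapper that reads stdin; every finding names the inspect field it came from so you can go back to the full record.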


Use Docker History to see how the image was built:
docker history jgamblin/tiny-tor

Protip: CenturylinkLabs released a tool to create a Dockerfile from a container.

Run the container without network access and look around a bit:
docker run -t -i --net=none jgamblin/tiny-tor /bin/sh


After you have done the preceding steps and feel comfortable, you can then:
docker run -t -i -p 9050:9050 jgamblin/tiny-tor

If you do these basic things you can feel a little better about what you are running on your system.
* What a magically secure little shipping container might look like: a 10-foot shipping container.

Simple TOR Socks Proxy Container

I built a simple TOR socks proxy container today to be able to easily use TOR from the machines I am working on.
Getting it to run is as simple as:
docker run --name tor -ti -p 9050:9050 jgamblin/tor
This will run it as a daemon:
docker run --name tor -ti -p 9050:9050 jgamblin/tor
From there all you have to do is configure your browser to use port 9150 and you are using TOR.

The dockerfile for this build is fairly simple and is on Github and Docker Hub:
https://gist.github.com/jgamblin/3e1fd9aad19fcd496ed3d35d2cfe383b
As always, if you are *REALLY* worried about security you should be using Tails, but this works perfectly to get an “outside-in” real world look at your environment. If you have any questions please reach out to me on twitter at @jgamblin.

Capanalysis Container

My favorite open source tool for analyzing PCAP files is CapAnalysis. I have always kept a virtual machine around to run it, but I have been on a kick of containerizing all my favorite tools recently, so I decided to put CapAnalysis into a container.
It lets you easily visualize traffic flow, statistics, geolocation and a ton of other amazing information.

To get started you just need to run:
docker run -t -i -d -p 9877:9877 jgamblin/capanalysis
From there all you have to do is create a dataset and upload the pcaps you want to analyze.
Inside the container is:
Ubuntu 15.04
Apache2
PHP5
Postgresql
The Dockerfile for this container is:

FROM ubuntu:15.04

# Install packages
ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update && apt-get -y install \
wget \
curl \
gdebi \
php5 \
sudo \
apache2 \
apt-utils

# Stop dpkg from starting services while packages are being installed
RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \
    && echo 'exit 101' >> /usr/sbin/policy-rc.d \
    && chmod +x /usr/sbin/policy-rc.d

# The .deb is fetched over plain HTTP and its checksum is not verified
RUN wget http://downloads.sourceforge.net/project/capanalysis/version%201.2.0/capanalysis_1.2.0_amd64.deb

# gdebi -n installs the .deb and its dependencies non-interactively
RUN apt-get update && gdebi -n capanalysis_1.2.0_amd64.deb

RUN sed -i -e 's/PRIORITY=1 #(0..20)/PRIORITY=0 #(0..20)Z/g' /etc/init.d/capanalysis

# Start the services, then keep the container in the foreground by tailing the access log
CMD sudo service postgresql restart && \
sudo service apache2 restart && \
sudo service capanalysis restart && \
tail -f /var/log/apache2/access.log

If you have any questions or comments reach out to me on twitter at @jgamblin

BurpBrowser

I always do this… I wrote KaliBrowser over the weekend, and today at lunch I was thinking the same setup would be really handy to use with Burp, so I put together BurpBrowser, which lets you run Burp and Firefox in a browser.
It runs the following packages:
Ubuntu 16.04
Burp Proxy
Firefox
OpenBox
NoVNC 
Getting started is as easy as:
docker run --name burpbrowser -d -t -i -p 80:6080 jgamblin/burpbrowser


and then point your favorite browser to:
http://ip
If you want to build a local copy or laugh at how terrible I am at docker here is what is in the Dockerfile:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && \
apt-get install -y \
git \
xvfb \
x11vnc \
wget \
python \
python-numpy \
unzip \
menu \
geany \
openbox \
net-tools \
openjdk-8-jre \
firefox

# Fetch noVNC and its websockify dependency (unpinned: whatever master is at build time)
RUN cd /root && git clone https://github.com/kanaka/noVNC.git && \
cd noVNC/utils && git clone https://github.com/kanaka/websockify websockify && \
cd /root
ADD burpsuite_pro_v1.7.03.jar /root
ADD burpsuite_free_v1.7.03.jar /root
ADD startup.sh /startup.sh
RUN chmod 0755 /startup.sh && \
apt-get autoclean && \
apt-get autoremove && \
rm -rf /var/lib/apt/lists/*
CMD /startup.sh
Here is what is in the startup.sh
#!/bin/bash
export DISPLAY=:1
# Headless X server for the desktop
Xvfb :1 -screen 0 1600x900x16 &
sleep 5
openbox-session &
# VNC with no password, bound to localhost only; noVNC below is what gets exposed
x11vnc -display :1 -nopw -listen localhost -xkb -ncache 10 -ncache_cr -forever &
# noVNC listens on 6080 and proxies to the VNC server; vnc_auto.html connects with no login prompt
cd /root/noVNC && ln -s vnc_auto.html index.html && ./utils/launch.sh --vnc localhost:5900

If you have any questions or comments reach out to me on twitter at @jgamblin
Happy Burping!  : )

KaliBrowser

I have been spending some time recently getting up to speed on Docker so this weekend I built KaliBrowser:
It runs the following packages:
Kali Docker
OpenBox
NoVNC 
Getting started is as easy as:
docker run -d -t -i -p 6080:6080 jgamblin/kalibrowser
and then point your favorite browser to:
http://ip:6080
To keep this image as small as I could (and it is still 841MB) I only included the base. If you want a “ready to go” version, I built jgamblin/kalibrowser-top10 (2GB), which has the Kali Top 10 metapackage pre-installed; to use it, run:
docker run -d -t -i -p 6080:6080 jgamblin/kalibrowser-top10
If you want to build a local copy or laugh at how terrible I am at docker here is what is in the Dockerfile:
FROM kalilinux/kali-linux-docker
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && \
apt-get install -y \
net-tools \
openbox \
git \
x11vnc \
xvfb \
wget \
python \
python-numpy \
unzip \
geany \
iceweasel \
menu && \
cd /root && git clone https://github.com/kanaka/noVNC.git && \
cd noVNC/utils && git clone https://github.com/kanaka/websockify websockify && \
cd /root
ADD startup.sh /startup.sh
RUN chmod 0755 /startup.sh && \
apt-get autoremove && \
rm -rf /var/lib/apt/lists/*

#The Kali Docker Image Is Out Of Date. : (
RUN apt-get update -y && apt-get dist-upgrade -y

CMD /startup.sh
and the startup.sh
#!/bin/bash
export DISPLAY=:1
# Headless X server for the desktop
Xvfb :1 -screen 0 1600x900x16 &
sleep 5
openbox-session &
# VNC with no password, bound to localhost only; noVNC below is what gets exposed
x11vnc -display :1 -nopw -listen localhost -xkb -ncache 10 -ncache_cr -forever &
# noVNC listens on 6080 and proxies to the VNC server; vnc_auto.html connects with no login prompt
cd /root/noVNC && ln -s vnc_auto.html index.html && ./utils/launch.sh --vnc localhost:5900

If you have any questions or comments reach out to me on twitter at @jgamblin

A Docker Container To Capture All Traffic From Host.

Yesterday I was in a situation where I was helping someone who needed to monitor and record all the traffic from a couple of servers for a day to investigate a strange issue that was happening.

Normally for this I would just tell them to run this command to record a day’s worth of traffic in 15-minute chunks:
tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96


…but this is 2016 and we have containers!


So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and put it on Docker Hub.

So now in the future when anyone wants to record all the traffic from a server all they have to do is run
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump
and the pcaps will save in their home directory.
If you want to build your own copy here is everything I have in the dockerfile:
FROM debian
RUN apt-get update && apt-get install -y \
tcpdump
# /pcap is the capture directory; bind-mount a host directory onto it with -v at run time
RUN mkdir /pcap
WORKDIR /pcap
# Rotate the capture file every 900 s (15 min) and keep at most 96 files, i.e. one day
CMD tcpdump -G 900 -w '%Y-%m-%d_%H:%M:%S.pcap' -W 96
From here if you wanted to display the PCAPs in a browser for easy access all you need to do is run
docker run -h tccdumpweb -p 1337:80 -v ~/pcap:/var/www/html/ -d eboraas/apache
and all files captured will be displayed at http://hostip:1337.
Happy tcpdumping!

Slack Commands For Security Professionals

At work we are moving to Slack as a communication method, and since I am spending so much time in the tool I decided it was time to start building in some of the tools I use on a regular basis. So far I have put together the following tools:

/NMAP

Nmap-For-Slack runs a basic scan (nmap --top-ports 50 --open) against a host and returns the results. I have to do such a basic scan because the timeout is 3000ms, so it limits what I can do.

/DNSRECON

DNSRecon-for-slack allows you to run a basic DNSRecon scan from inside of Slack.

/IPINFO

ipinfo-for-slack looks up and displays information from ipinfo.io.

/HOSTLOOKUP

Hostlookup-for-slack grabs all the A records for a domain and displays them.

Technical Configuration:

This configuration needs the following: 
Slack team.
Publicly Accessible Web Server Running:
Apache
PHP
Valid DNS Record and TLS Cert
I really like a $5 DigitalOcean droplet for this.
A list of APIs you want to query or installed local security tools (nmap, dnsrecon) you want to run. 

To Do List:

Figure out how to display json blobs as flat text in html.
Figure out how to bypass 3000 ms timeout to run more complex commands.
Build a bunch more of these tools (nessus, shodan, censys.io are on the list).
If you want to help me on any of these please reach out to me on twitter at @jgamblin or via email.

Hijacking a Sonifi Hotel TV

The TV in my hotel room this week advertised how easy it is to control it with the stayconnect app.  So I downloaded it and was pretty impressed by how well it worked…. until I remembered my phone was still on 4G and VPNed through a server in Europe.
So I fired up Burp Suite to see exactly what was going on. To my surprise, the app wasn’t POSTing the data like it should; it was passing it as part of the URL string:
https://rci.lodgenet.com/mobile.php?method=tvOff&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a 
Here is a terrible proof of concept video I shot in my room:

Here are some of the commands I found to control the tv:
TV Power Off: 
https://rci.lodgenet.com/mobile.php?method=tvOff&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
TV Power On: 
https://rci.lodgenet.com/mobile.php?method=tvOn&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
Mute Sound:
https://rci.lodgenet.com/mobile.php?method=tvVolume&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&volumeLevel=0
Max Sound:
https://rci.lodgenet.com/mobile.php?method=tvVolume&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&volumeLevel=30
Change Channel:
https://rci.lodgenet.com/mobile.php?method=tuneTV&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&channelID=8
https://rci.lodgenet.com/mobile.php?method=tuneTV&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&channelID=7
While this is not a major vulnerability, and to exploit it you would have to capture traffic from your victim’s phone, it does show really poor programming practices.

Raspberry Pi OsoYoo TFT

Last week I saw this 3.5″ touchscreen LCD and case on Amazon for $20, so I ordered it thinking it would be fairly easy to install and get working. I was wrong and spent the better part of a Saturday looking at a blank screen.
After spending 5 or 6 hours digging through forums, reddit posts and reinstalling my Raspberry Pi 3 times I finally got it to work:
Hoping that no one else has to go through this I put together instructions and posted them on GitHub.
Now I have a cool desk clock (sudo apt-get install tty-clock) that on the backend can be doing all kinds of amazing stuff (like being a persistent reverse SSH tunnel):

OSX System Information Script

This morning I needed someone I was helping to provide some basic information about their MacBook. I knew how to get that information, but it wasn't all in one easy-to-digest place, so I wrote sysinfo.sh to gather it quickly:
Here is the code:
https://gist.github.com/jgamblin/aa9a6eda5bce6797ab8394e0c47d3676
You will need to install iStats (gem install iStats) or comment out the lines 9, 10, 12 and 13 to get the script to run properly.
