Security Consultant

/Security Consultant

Sniffing the Network

This article is intended to provide a simple demonstration of how easy it is to sniff/intercept traffic on various types of networks, and serve as a warning to utilize secure methods of communication on a) untrusted networks and b) known networks with the potential for untrusted clients or administrators. The first consideration is the topology of the network we’re connected to. To consider 5 common scenarios: Wired ethernet hub network: Hubs are becoming more and more obsolete as they are changed to switches. Multiple devices can be connected to a hub, and any data received by the hub from one device is broadcast out to all other devices. This means that all devices receive all network traffic. Not only is this an inefficient use of bandwidth, but each device is trusted to accept traffic destined for itself and to ignore traffic destined for another node. To sniff such a network, a node simply needs to switch it’s network interface card to “promiscuous mode”, meaning that it accepts all traffic received. Wired ethernet switched network: Multiple devices can be connected to a switch, however a switch has greater intelligence than a hub. The switch will inspect the traffic sent on each port, and learn the hardware (MAC) address of the client connected to a particular port. Once learned, the switch will inspect any frames it receives on a port, and forward that frame to the known recipient’s port alone. Other devices connected to the switch will not receive traffic that is not destined for them. This offers enhanced bandwidth usage over a hub. Switches rely on ARP packets which are easily forged in order to learn which devices are on which ports. Wireless open networks: Multiple devices can connect to an open wireless network. All data is broadcast across the network in plain text, and any attacker can sniff/intercept traffic being broadcast across the network. An open wireless network may present the user with a form of hotspot login page before granting internet access, however this does not detract from the network itself being open. WEP encrypted wireless network: A WEP encrypted network requires a WEP key to encrypt and decrypt network traffic. WEP has long been an outdated and insecure method of wireless network protection, and cracking a wireless network’s WEP key is fast and requires low skill. WEP is not secure. In addition, all clients connected to the network use the same WEP key to connect. That results in any user on the network with the WEP key being table to view any traffic transmitted to and from other nodes on the network. WPA/WPA2 encrypted network: A WPA/WPA2 encrypted network is significantly more secure than a WEP network. Whilst attacks exist on parts of the protocol, and extensions such as WPS, no known attack is able to recover a complex WPA/WPA2 password within an acceptable period of time. Whilst all clients connect to the network with the same password, the protocol is engineered to create different keystreams between each connected client and the access point. This means that simple sniffing in the traditional sense is not possible on the network. […]

By | December 14th, 2014|Linux, Security Consultant, Wireless|0 Comments

Linux: You may have been Compromised when..

There are a number of warning signs that a system has been compromised. The cases below warrant further investigation. Of course, they aren’t all guarantees that your system has been compromised, however they can be strong indicators. 1. Your welcome banner shows the last log in from an unknown/foreign IP address: Last login: Tue Dec 2 16:08:41 2014 from 190.234.106.143 root@mt:~# 2. The load on a usually idle system is suspiciously high: root@mt:~# w 17:06:39 up 62 days, 22:37, 1 user, load average: 8.12, 8.14, 8.11 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 pwn 17:03 7.00s 0.00s 0.00s w This could indicate that unknown processes are running. […]

By | December 9th, 2014|Linux, Security Consultant|0 Comments

Burp Suite: Intercepting & Modifying HTTP Requests & Responses

Burp Suite is a powerful web application auditor with a huge range of features, from simple to advanced. One of its core features is an intercepting proxy server. This allows us to pass our web traffic through burp suite, allowing us to view and modify both our browsers request before it goes to the remote web server, and the web server’s response before it returns to our browser. A couple common request modifications: Add data to form submissions, modify hidden fields. View and modify browser AJAX data View and edit headers including cookies And a couple of common response modifications: Remove client side JavaScript (usually validations or other limitations) Add or remove cookies sent to the browser First, fire up Burp Suite, and browse to Proxy –> Options: […]

By | December 3rd, 2014|Linux, Security Consultant|0 Comments

Linux Namespaces

Starting from kernel 2.6.24, there are 6 different types of Linux namespaces. Namespaces are useful in isolating processes from the rest of the system, without needing to use full low level virtualization technology. CLONE_NEWIPC: IPC Namespaces: SystemV IPC and POSIX Message Queues can be isolated. CLONE_NEWPID: PID Namespaces: PIDs are isolated, meaning that a PID inside of the namespace can conflict with a PID outside of the namespace. PIDs inside the namespace will be mapped to other PIDs outside of the namespace. The first PID inside the namespace will be ‘1’ which outside of the namespace is assigned to init CLONE_NEWNET: Network Namespaces: Networking (/proc/net, IPs, interfaces and routes) are isolated. Services can be run on the same ports within namespaces, and “duplicate” virtual interfaces can be created. CLONE_NEWNS: Mount Namespaces. We have the ability to isolate mount points as they appear to processes. Using mount namespaces, we can achieve similar functionality to chroot() however with improved security. CLONE_NEWUTS: UTS Namespaces. This namespaces primary purpose is to isolate the hostname and NIS name. CLONE_NEWUSER: User Namespaces. Here, user and group IDs are different inside and outside of namespaces and can be duplicated. Let’s look first at the structure of a C program, required to demonstrate process namespaces. The following has been tested on Debian 6 and 7. First, we need to allocate a page of memory on the stack, and set a pointer to the end of that memory page. We use alloca to allocate stack memory rather than malloc which would allocate memory on the heap. void *mem = alloca(sysconf(_SC_PAGESIZE)) + sysconf(_SC_PAGESIZE); Next, we use clone to create a child process, passing the location of our child stack ‘mem’, as well as the required flags to specify a new namespace. We specify ‘callee’ as the function to execute within the child space: mypid = clone(callee, mem, SIGCHLD | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | CLONE_FILES, NULL); After calling clone we then wait for the child process to finish, before terminating the parent. If not, the parent execution flow will continue and terminate immediately after, clearing up the child with it: while (waitpid(mypid, &r, 0) < 0 && errno == EINTR) { continue; } Lastly, we’ll return to the shell with the exit code of the child: if (WIFEXITED(r)) { return WEXITSTATUS(r); } return EXIT_FAILURE; Now, let’s look at the callee function: static int callee() { int ret; mount("proc", "/proc", "proc", 0, ""); setgid(u); setgroups(0, NULL); setuid(u); ret = execl("/bin/bash", "/bin/bash", NULL); return ret; } Here, we mount a /proc filesystem, and then set the uid (User ID) and gid (Group ID) to the value of ‘u’ before spawning the /bin/bash shell. […]

By | November 23rd, 2014|BASH, C/C++, Linux, Networking, Security Consultant|1 Comment

MySQL Master-Master Replication, Heartbeat, DRBD, Apache, PHP, Varnish MegaHOWTO

I created this HOWTO while building a new development environment today. The intention is to take a single Apache2/Varnish/MySQL environment and scale it to two servers, with one effectively a “hot-standby” – increase redundancy and continuity whilst maintaining current performance. This HOWTO is based on Linux Debian-76-wheezy-64-minimal 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 Our current server has IP 192.168.201.1/24 and our new server has IP 192.168.201.7. Section #1: Set up MySQL Master/Master Replication First, we’ll set up MySQL master to master replication. In this configuration, data can be written and read from either host. Bear in mind that issues may exist with autoincrement fields when written to at the same time. There are other caveats with replication so ensure to research them along with how to deal with corruption and repair before considering this setup for a live application. Also be sure to be using the same version of MySQL on both servers – this may not always be necessary, however unless you are very familiar with any changes between versions, not doing so could spell disaster. […]

Staying safe on unknown networks

Staying safe on unknown networks isn’t too difficult, as long as you keep security in mind. I often hear hoteliers advising “secure WiFi”. I even took some IT training with a Company (who shall remain nameless) some years back advising using their “secure WPA2 network” for sensitive transmission. The statement is ambiguous in any case, but there is little security to the user in being connected to an encrypted wireless network, where the network operator and the other network users are untrusted. Let’s look at some risks: Regular Ethernet Cabled Network Risks: Interception of your data in transmission through a tap/RF emissions Interception of your data through network manipulation by malicious user on the network (DHCP spoofing, ARP spoofing, etc) Interception of your data at the router controlled by the local system admin, or any other router along the way between any number of admins along the route to your destination. The risks of open WiFi and WEP secured WiFi are the same as above, save that no tap is needed. The medium is the air, and anyone with access to the medium can intercept and manipulate traffic. WPA/WPA2 is a slightly more interesting case. Passive sniffing is out – the access point negotiates different keys per connected client. Therefore one client sniffing the network will observe encrypted data only. That said, network attacks such as DHCP spoofing and ARP spoofing work just fine. […]

By | July 16th, 2014|Security Consultant|0 Comments

My 5 step offshore interviewing process

Often being called on to assemble and manage teams of designers or coders in particular through projects, I’ve developed a few tips and tricks in 12+ years of off-shoring which I wanted to share. They may be obvious to some. With experience, I’ve found that most off shore contractors are hard working and keen to grow but can sometimes be challenging or even impossible to work with. Can a job applicant read? Usually, the job description will contain the old test, “please include the word ‘blah’ at the top of your reply to prove you’ve read this description”. This makes sure that the applicant has read the description rather than just posted a cut and paste canned application to multiple jobs. Sometimes, applicants respond to questions that they prepare rather than actually reading and understanding your questions. I was hiring someone to work on some Google AdWords campaigns. I asked, “can you let me have some stats/supporting evidence/case study on any recent previous job – click through rates, impressions, conversions and metrics.” What I’m asking is, what did you do, and what were the results? The applicant on the other hand, seemed to answer the question, “can you tell me anything y0u can think of about some of your past work?” As an applicant, if you can’t read my requirements and queries accurately, how can I work with you? If you want to save yourself the hassle, have a look at our php programmer services. […]

By | July 15th, 2014|Development, Security Consultant|0 Comments

Open relay mail server fail

After my near fail with a potential phone malware infection, the only thing that could top my week was an actual fail! I managed it in style by managing to publicly expose an open mail relay – talk about basics 101! I’ve been traveling pretty extensively over the last 6 months and frequently find myself on connections where port 25 outbound (SMTP) is blocked. So I’m sitting in an internet cafe in south Peru, on a connection sporting something like 64kbit down and 5kbit up. I’ve just beaten my worst latency record with a ping time of about 5 seconds to 8.8.8.8. I have 4 items sitting in my outbox and I’m wondering if they’re not going because the port is blocked, there’s an issue with my mail server, or whether they’re about to go at any minute but just can’t make it past the huge connection latency. (In case you were wondering, I’m just setting up my excuses!) Eventually some debugging with netcat and tcpdump lead me to confirm that port 25 is blocked. No problem, it’s my personal mail server after all, I’ll just set up a proxy listener on port 2525. With a one liner to execute simpleproxy, my mails start leaving and all is good. I daemonize simpleproxy for later and go and do something else. […]

By | July 14th, 2014|Security Consultant|0 Comments