Rogue One: My first field pentesting

Earlier that year - very much earlier - I had a technician from an international company calling me for some advice. They had a problem with the local networking staff and their "modus operandi" regarding network security. The company ran a big assembly line with very powerful, automated machinery - which made the leaky security all the more troublesome. My job was to exploit one of those security holes and demonstrate the problems as clearly and simply as possible - so that they would finally get fixed.

The first stage of the whole test was the usual: reconnaissance. In this case, though, it was very easily achieved, as my contact handed me parts of the firewall ruleset as well as access to their office LAN. The first thing that lit up like a Christmas tree: they actually had the production and office networks separated by a firewall - which is good. The bad part: the firewall dropped everything. Everything except every kind of ICMP packet. Well. Damn.

The second stage was to build an exploit for that happy little mishap: my contact wanted to be able to bridge the office and production networks and access them through the - according to the networking department - watertight firewall. The exploit also needed to run on a Windows 7 machine. With that in mind, I went through different ICMP tunnels: HANS and Dhaval Kapil's icmptunnel were the first to be dropped from the list, as they did not satisfy all constraints. In the end, I chose icmptunnel, or ptunnel for short. With a bit of manual patching, I got it to compile and work again on Windows, thanks to the efforts of Mike Miller.

For testing, I recreated the network and firewall using a Cisco 1841 router and a Cisco 3560 switch. As I needed to integrate ptunnel into the production network, I wanted it to look as innocent and inconspicuous as possible: so I used a Raspberry Pi 3 and dropped it into a DIN rail case - then I outfitted it with a Power over Ethernet adapter, so that a single network connection could provide both network and power.

The tests worked flawlessly, and I even squeezed enough speed out of ICMP to get a remote desktop session working.

 

On to stage three: Attack.

This stage turned out to be way cooler than expected: due to certain circumstances, we met at night - zero dark thirty, you could say - and sneaked through the production line, past workers who did not take much notice of my presence. I inserted the "Rogue Pi" into a closet next to a Siemens Human-Machine Interface and plugged it into the network switch.

Then we left again. Back in the office, I tried to connect to my little helper and was immediately rewarded with a working ICMP tunnel - now carrying an SSH connection as its payload. From that moment on, I could connect to a dozen different systems from different vendors in that production network. Last but not least, as a "visual" demo, we created a little batch script to start the connection and connect to the Remote Desktop Interface / Human-Machine Interface of a very heavy and very unsecured press - now leaving it under our control.

At this point, said connection was only opened in a "read/view only" mode so that - even by accident - we could not harm anyone. We had to bear in mind that this multi-hundred-ton press was now at the mercy of our fingertips, and we did not want to wreak havoc under any circumstances - so, if you're conducting field exercises with real "heavy hardware", find a way to interact safely with it before you open any connection to it.

With this preparation, the technician was able to run the demo in front of the higher-ups and finally got the attention, permission and support needed to bring security up to a higher standard.

So that effort paid off in the end for the production security of that company - and rewarded me with my first - and hopefully not last - field pentest :).
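The firewall in this story let every kind of ICMP through, which is exactly what a ping tunnel needs. As an added example from the defender's side (not part of the original post, and not the tooling used in it), here is a small heuristic over a constructed, simplified ICMP flow log that flags source/destination pairs whose echo traffic is both far larger and far more frequent than a normal ping. The log format, the thresholds and all addresses are my assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): a heuristic check for
# ICMP-tunnel-like traffic, the kind of thing an "allow all ICMP" rule
# lets through. Input is a constructed, simplified flow log with one packet
# per line: "<epoch> <src> <dst> <icmp_type> <bytes>". Real exports
# (tcpdump, NetFlow, Zeek) need their own parser in front of this.

# Constructed sample: one host pinging normally, one host pushing large,
# frequent echo payloads across the office/production boundary.
SAMPLE_ICMP_LOG='1510000000 10.10.1.20 10.20.1.5 8 64
1510000001 10.10.1.20 10.20.1.5 8 64
1510000000 10.10.1.77 10.20.1.9 8 1400
1510000000 10.10.1.77 10.20.1.9 8 1400
1510000000 10.10.1.77 10.20.1.9 8 1400
1510000001 10.10.1.77 10.20.1.9 8 1400
1510000001 10.10.1.77 10.20.1.9 8 1400
1510000001 10.10.1.77 10.20.1.9 8 1400'

# flag_icmp_tunnels [max_avg_bytes] [max_pkts_per_sec]
# Reads the log on stdin and prints "src dst avg_bytes pkts_per_sec" for
# every pair whose echo traffic is both unusually large and unusually
# frequent. The default thresholds are assumptions; tune them to your own
# baseline (a plain ping is 64-98 bytes, once per second).
flag_icmp_tunnels() {
    max_avg=${1:-200}
    max_rate=${2:-2}
    awk -v max_avg="$max_avg" -v max_rate="$max_rate" '
        $4 == 8 || $4 == 0 {                 # echo request / echo reply only
            key = $2 " " $3
            bytes[key] += $5
            pkts[key]  += 1
            if (!(key in first) || $1 < first[key]) first[key] = $1
            if (!(key in last)  || $1 > last[key])  last[key]  = $1
        }
        END {
            for (key in pkts) {
                avg  = bytes[key] / pkts[key]
                span = last[key] - first[key] + 1     # at least one second
                rate = pkts[key] / span
                if (avg > max_avg && rate > max_rate)
                    printf "%s %.0f %.1f\n", key, avg, rate
            }
        }'
}

# Wrapper over the constructed sample so the script runs stand-alone.
flag_sample_log() {
    printf '%s\n' "$SAMPLE_ICMP_LOG" | flag_icmp_tunnels "$@"
}

flag_sample_log
```

ICMP tunnels carry their payload in the echo data field, so packet size and rate are the first things to look at; the cleaner fix is still the rule itself: permit only echo request/reply between zones, rate-limit it, and log what gets dropped.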

 

[Dell] Using the Update CDs to get Dell Servers to latest firmware

Dell has a very convenient way of getting new firmware onto nearly all of its server components: the bootable media / ISO or Update CDs. You can find them on this website, and they are very useful. On a basic level, you pick your server, download the ISO, compare the MD5 checksum and burn the ISO onto a DVD. After that, you should look up the Service Tag of your server and check for BIOS and iDRAC updates - these should be installed manually first. Then boot from the DVD and let it install all the needed firmware. Basically, the DVD cycles through the firmware of every component ever installed in your particular server series and installs updates where needed. After another reboot, you're done :).

Thanks Dell for being so helpful to your users! 🙂

[Dell] T30 Intel AMT Blank Screen on Ubuntu Fix

The Dell T30 is an awesome little home server, packing a punch with the Xeon E3-1225 V5 - and being affordable at about 399 €. It also comes with Intel's Active Management Technology / AMT, which is an extension of the horrible Intel Management Engine (which was all over the place months ago when some genius figured out how to stop that man-in-the-middle-always-on chip with some simple commands) - but quite useful nonetheless. The good thing about it is that it acts like a DRAC (Dell) / ILOM (Sun) / IPMI (Supermicro) card - so it is a KVM (Keyboard Video Mouse, not the virtualization thingy this time, sorry ;)) extension which allows you to control the server via the network as if you were plugged in directly.

There is an awesome guide from Christian on goNeuland, written in German, on how to set that up without needing to buy VNC Viewer Plus.

However, my Ubuntu instance came up as a blank screen after successfully connecting to the system. In the end, the cause turned out to be that Ubuntu had deactivated the graphics unit - because no monitor was attached.

Different solutions were discussed here, here and here.

In my case, following helped:

1.) Open your GRUB defaults file, e.g. sudo vi /etc/default/grub

2.) Add nomodeset to your GRUB_CMDLINE_LINUX_DEFAULT line, so that it reads e.g. GRUB_CMDLINE_LINUX_DEFAULT="reboot=force bootdegraded=true nomodeset" (your existing options will vary!)

3.) Save and close the file

4.) Update grub via sudo update-grub

And after a quick reboot, everything worked out :)!
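The four steps above, as an added example that is not part of the original post: a small POSIX sh routine that appends a kernel parameter to GRUB_CMDLINE_LINUX_DEFAULT without clobbering the options already there and without adding it twice on a re-run. The function names and the demo file contents are my own; it edits a constructed copy so it can be tried safely before pointing it at the real /etc/default/grub (as root) and running sudo update-grub.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add a kernel
# parameter such as "nomodeset" to GRUB_CMDLINE_LINUX_DEFAULT.
# Uses GNU sed -i (assumption: a Linux box, as in the post).

# cmdline_default <grub-default-file>
# Prints the current value of GRUB_CMDLINE_LINUX_DEFAULT without its quotes.
cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# add_kernel_param <grub-default-file> <param>
# Returns 0 if the file was changed, 1 if <param> was already present,
# 2 if the file has no GRUB_CMDLINE_LINUX_DEFAULT line at all.
add_kernel_param() {
    file=$1
    param=$2
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file" || return 2
    current=$(cmdline_default "$file")
    # Whole-word check: "nomodeset" must not match e.g. "nomodesetx".
    case " $current " in
        *" $param "*) return 1 ;;
    esac
    if [ -z "$current" ]; then
        new=$param
    else
        new="$current $param"
    fi
    sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file"
}

# Demonstration on a constructed copy, mirroring the line from the post.
demo_grub=$(mktemp)
cat > "$demo_grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="reboot=force bootdegraded=true"
GRUB_CMDLINE_LINUX=""
EOF
add_kernel_param "$demo_grub" nomodeset
echo "after first run: $(cmdline_default "$demo_grub")"
add_kernel_param "$demo_grub" nomodeset || echo "second run: already present, file untouched"
rm -f "$demo_grub"
```

The return codes let you use it in a provisioning script: treat 0 and 1 as "done" (only 0 needs a following update-grub and reboot) and 2 as "this is not the file you think it is".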

[Dell] PowerConnect 2824 Switch

The Dell PowerConnect 2824 is an oldie-but-goldie 24-port Gigabit managed switch (with ports 23/24 being shared ports like on the Cisco 3560 PoE 8 - which has Gigabit copper ports as well as SFP ports - but you can only use one at a time :)).

You can get them for about 80 € delivered on eBay as used products, and quality-wise they are very good, with a reasonable (although ugly) web interface as well as SNMP and the usual stuff. They can work as a managed or unmanaged switch, which is toggled via the "Mode" button on the front (holding it for less than 7 seconds during operation switches the mode; longer than that -> reset).

To clean a newly acquired switch:

  • Connect to the serial port via a null modem cable, 9600, 8, None - the usual
  • Power-cycle the switch
  • An "Autoboot in 2 seconds" prompt will show up. Press ESC during that time to enter a special menu
  • Enter 2 for "Erase flash file" and enter config to delete the config file. Press ESC to exit and boot
  • You will see that the switch boots in unmanaged mode, and the "Managed" LED turns off. Now press the Mode button for about 5 seconds, and it will switch to managed mode
  • You can now set up the switch via the serial console, or just wait 60 seconds for it to start up with the default values: 192.168.2.1 as the HTTP interface and admin as username - no password

The latest firmware for this switch, 1.0.0.45, A07 (more exactly Software Version 1.0.0.45 / Boot Version 1.0.0.13), can be downloaded here: http://www.dell.com/support/home/us/en/04/product-support/product/powerconnect-2824/drivers - you can update this firmware via TFTP or the web interface. You will find the option under System -> File Management -> File Download; switch to "Download via HTTP" to upload the firmware files (Boot Code = rfb, Software Image = ros) via the web interface and then reboot / reset the switch (System -> General -> Reset).

One word of advice if you want to use this switch with VLANs - which works a treat: Switch -> VLAN -> VLAN Membership. Choose your VLAN ID, give it a name and then click the ports in the switch picture to cycle them to the correct mode. A plain grey field means no membership, T means the VLAN is carried on this port tagged, U means untagged.

To put this into perspective: grey - no membership; U - this port can be connected directly to a PC or other equipment and carries the VLAN as the native / untagged LAN on that port; T - the VLAN is tagged, which is what you want for transporting multiple VLANs, i.e. trunks.

A trunk config would look like this, e.g. for port 3 of the switch. With 3 VLANs, I would go to my native VLAN 1 and set it to U, VLAN 2 to T and VLAN 3 to T. From then on, I have VLAN 1 as the native VLAN on the port and 2 and 3 tagged - and with that a nice little trunk to, e.g., my server.

Configuration-wise, the switch has some sensible defaults like Rapid Spanning Tree on all ports and Green Ethernet enabled. You should probably remove all community strings from SNMP and disable it if you're not going to use it, and set a secure password. Other than that, good to go :)!

Docker Con Europe 2017 - A recap

Welcome 🙂

Being a Docker Campus Ambassador, I got the opportunity to visit Docker Con Europe 2017 - which was an awesome experience that I want to share here. As it has been quite some time since I've been to a bigger conference - and this trip did not only include visiting Docker Con - I am going to separate this blog post into two sections.

First, I am going to go for the main take-aways, which should have been posted everywhere in the net already. Secondly, I'm going to go through the whole story and add some pictures of the beautiful city of Copenhagen.

So lets get started 🙂

 

1.) Take aways

Modernize Traditional Apps (MTA)

Docker has found itself a new use case: use Docker to deploy legacy apps in your DevOps-enabled workflow. Docker did present tools for that during its keynote, like the Docker Application Converter. However, these tools are not handed out to users and only work in the specific field of Tomcat Java web apps or IIS web apps with .NET. The only way to get your apps converted in a professional way is to buy Docker Enterprise Edition and get a Docker partner like Avanade or Amazic over to your premises to do the work for you. So it is not magic, but hard work to convert your old apps. More info here.

Docker with Swarm and Kubernetes

Docker is going to include Swarm and Kubernetes in the future - side by side - which is awesome. However, the reason behind that might not be that Docker wants to do something for its users, but more for Google: in the past it was looking like Google was going to separate from Docker and do its own thing. So embracing Google and Kubernetes might be the thing that keeps Google from running away - and leading the pack away from Docker. I personally think that after some iterations, Swarm and Kubernetes might disappear and give way to another tool, which consists of parts of Swarm and Kubernetes. You might want to buy KubeSwarm.com today? 😉 Oh, and if you want to join the adventure early: beta.docker.com will get you started.

Docker Certified Associate

There is an official Docker certification available now, which can be found here. Being a beta tester, I was already in that program - however, the first experience was kind of rough, which should have been corrected by now to a more pleasant one. To get you started, we prepared a little DCA Prep Guide on GitHub. PRs are very welcome!

ARM (IoT) - Resin

Finally I got to meet up with the nice guys and girl of resin.io - if you're a regular on my blog, you might have seen a load of different articles and videos about their infrastructure platform for IoT, as well as their OS resinOS for IoT applications. Basically: they get Docker running on Raspberry Pi and similar platforms. And they also created balena, which I already talked about in this post.

ARM (Server) - Qualcomm

DockerCon is a software convention by design, so vendors like Cisco had a hard job reaching people. But the hardest job of all fell to Chandni Chandran and Elsie Wahlig from Qualcomm. They actually showcased the coolest piece of hardware of the whole convention (only rivalled by the bleeding-edge new specialized prototype Raspberry Pi from resin ;)) - the Qualcomm Centriq 2400 - a 48-core ARMv8 CPU - ready for datacenter usage - and yes, it does run LinuxKit! Meeting Chandni, the Product Manager for this server series, and Elsie, the Director of Product Management for Datacenter Technologies, was a huge honor, as well as a blast for an ARM fanboy like me ^^'. The cool thing about their technology is that it might come soon to packet.net (which I reviewed some time ago) - so, let's keep our fingers crossed that this beautiful and awesome machine finds its way into the racks of every major hoster - and maybe onto my table 😉 [Hey, it is as cool as you could *really use it* without building a server closet around it - and.. for the other insane path - dreaming is allowed, ain't it? :3]

Monitoring

Felt like the "hot-*hit" of this Docker Con: nearly everyone was holding up a product in that area, be it DataDog, sysdig or Instana. However, as some booth visitors pointed out, some of these products, like DataDog, only exist as a SaaS solution and cannot be used on-prem. Quite the security breach you got there... I would go with Instana.

Security Solutions

CyberArk, BlackDuck, Aqua Security, Twistlock and cilium - among others. I would vote for cilium, as they do Open Source.

Storage

StorageOS, Virtuozzo Storage, Elastifile, NetApp and Zenko CloudServer were the main players; however, next to the raw storage, storage adapters were also available, like the Zenko Multi Cloud Connector or the ever-famous RexRay - it seems like quite a trend to move more and more to Amazon S3-compatible interfaces. For reference, I linked only vendors which had Community Editions or open source software available ;).

Virtualization

VMware, Cisco, IBM, Nutanix. Well, that was a surprise. While VMware stays on track with its vSphere Integrated Containers 1.2, Cisco tries to wrap up Docker in its UCS and FlexPod series via Red Hat. IBM is starting up with its IBM Cloud Private - which even comes in a Community Edition - and seems interesting. Same goes for the Nutanix Community Edition, which can be checked out here.

Misc

Somehow everyone seems to go for an Enterprise Edition now: Create.io, Redis Enterprise and nginx+ (load balancer). But some of these corporations deserve special treatment: nginx+ is all about trust, as you get your binaries delivered without "call-home" - which is a nice thing and I would love to see this becoming the "norm" again. Other than that, JFrog was there with awesome coffee and lovely designed shirts, as well as Atlassian and other DevOps tool makers like Puppet, Chef and Rancher. Also - Microsoft, Amazon and Google had their booths as well but... well, that was kind of a must, so ;).

 

2.) The whole story

Well, now that we got through this, we might add some images to complete the overall picture ;)!

Flight from Luxemburg to Zurich

Just short before Zurich

Zurich Airport - here I got information that resins new Moby Clone balena had been released. So I just grabbed the next Wifi Connection, downloaded all files - and went back into the air - next stop: Copenhagen!

Zurich from above

balena Experiments in Flight

... and working!

Arrived in the heart of Copenhagen

My sleeping and dev place for the next days to come 😉

Skt Alban Church

Kastellet

Kastellet

Kastellet

Kastellet

Kastellet

Harbour

The little Mermaid

Amalienborg Palace

Nyhavn

Nyhavn

Nyhavn

North Atlantic House

Folketheatret

Bicycles

Soylent Green - anyone?

Food - some assembly required

Chili from Berlin, Wine from Trier and Water from Copenhagen - does taste awesome

Working on the JCTixx v2 Portable Scanner Type M / Munin

Crew on board!

Bella Center on Monday, first Docker Day!

Already a cool start

On Monday, we got to attend the Community Leaders Summit. We finally got to meet a big part of the Community Leaders family, meetup organizers from all over the world - and other Campus Ambassadors, which was awesome. I finally got to meet Karen Bajza, Bret Fisher, Jean-Marc Meessen and Jens Doose, which was really cool :).

The obligatory picture with the floating Moby on Day 2 was even an event on which one was awarded a special pin.

Breakfast was awesome, I loved those pancakes...

... and did I mention we got a load of coffee everywhere around the Bella Center? During all that time, I could meet up with Xinity, Gildas Cuisinier, Oliver Robert and Xiaowen - waiting eagerly for the keynote.

The first Keynote was one of the biggest events

... and Modernize Traditional Apps (MTA) was the big buzzword for the days to come...

... I could not help but start hacking around with image2docker during the keynote... The results were mixed.

#dinoselfie - with Michael Irwin!

resin.io's beautiful new custom Raspberry PI Board...

..with some awesome features!

Cisco is also committed to containers

... and jFrog had some awesome designs

OpenFAAS with Alex Ellis

Qualcomm Centriq 2400

Qualcomm Centriq 2400 - that's what I call hands-on!

Docker Party at the second evening...

...in an old train hall...

...with lots of space...

... and games!

Tivoli park 🙂

Bella Center in the morning of Day 3

The famous jFrog Universal Coffee Registry

... and the even more famous resin.io demo - with a Raspberry Pi - running resin.io - in resin 😉

Working on balena demos at the resin booth

Working on balena demos at the resin booth

Lunch was awesome, too 😉

I finally met Chanwit Kaewkasi during a Hallway Track and, as he is a fellow ARM fan, I could not help but bring him to the Qualcomm booth to get him some demo time - I think I liked it ;).

Elsie and Chandni are demo-ing LinuxKit on their new Qualcomm System

A last selfie with Karen 🙂

And I needed to pay the container bath a visit - on the Hallway Track

Leaving Copenhagen on Day 4 - and the last thing I see...

... is a container ship. Well. Ain't going to get more Dockerized than that ;)!

I was very lucky and attended the MTA Pin Challenge - during which I bumped into Mano Marks - finished the Challenge first, and got a custom WASD keyboard with a nice finish. Nick Harvey found out about that - and my new job - and completely went bananas - as he figured out that this keyboard might soon receive code which could go to space... Well... Let's hope so ;).

And with that, I conclude my little Docker Con recap. I hope you enjoyed the ride as much as I did - there are certainly interesting times ahead ;)!

PS: I heard the recorded videos are online now :3

State of Decay: M.Sc. / Docker Campus Ambassador / Work

Hi there,

the last year was quite a ride, so I wanted to share some more or less private stuff about what is going on in my life currently:

a) As not mentioned here on the blog, I did my Bachelor's degree in Applied Computer Science at the University of Applied Sciences (htw saar) in Saarbrücken. After that, I started my Master's studies in Computer Science at the University of Trier. I concluded my studies with the degree Master of Science in July of this year :).

b) As of July, I also started working as a Docker Campus Ambassador. The main idea of said program is to give students access to a fellow peer who is involved in Docker and could be a kind of mentor to them in all Docker-related questions - which was something I was already involved with back in early 2016, e.g. at the Saarcamp 2016 - so I decided to do said work in a more official way 😉

Sadly, I am going to need to resign from said position soon, as I am going to leave the University Trier at the end of the year. Which brings me to c):

c) I am going to move to another city at the end of the year and start working for a yet-to-be-disclosed corporation in the aerospace sector as an IT Engineer with some additional workloads - which I am very excited about.

d) I am still working on my ticketing / convention management system called JCTixx, and that system just got a big upgrade in terms of new ticket scanners, which come in two different types: the big appliance version and a smaller, portable version:

Also, I had the opportunity to visit Docker Con Europe 2017 - which I am going to write about in an upcoming post.

So to sum it all up: this year was quite a ride and I am very happy with how it turned out so far - and I am hoping for some vacation as soon as possible - and more time to produce content for this blog :)! Thanks a lot for sticking with me. I just recalled that this blog is going to be 10 years old next year - which is quite awesome, and I hope to continue this work with interesting articles and insights, maybe from a higher - earth-viewing - perspective, quite soon ;).

All the best,

Nico

Running resin balena on Raspberry Pi 3

Just two days ago, resin.io announced balena, their new, Moby-based container engine. Basically, it is a drop-in replacement for Docker on IoT devices: it is compatible with Docker and Docker Hub, gains a lot of stability with atomic pulls and more conservative flash memory use - as well as smaller updates due to true container delta pulls. Also, it comes bundled as a single file, is smaller in size and as easy to use as Docker. So - a very good bundle.

However, this comes with the disadvantage of losing plugin support, Swarm, cloud logging, overlay networking and non-BoltDB-backed stores - which is a small price to pay, as none of these features are really needed in an IoT scenario.

balena is going to replace Docker in resin.io and resinOS in the near future - but I wanted to test-drive it right now, which ended up with me plugging in my Raspberry Pi 3 in flight from Zurich to Copenhagen and getting it "flying" ;).

To get it working, little is needed :):

1.) Download and install the latest Raspbian image (Stretch Lite should do the trick)

2.) Log in to the RPi and run the installer: curl -sfL https://balena.io/install.sh | sh

(Always check the file before running it to shell, to be sure nothing bad happens!)

3.) Start the daemon in the background: sudo balenad &

4.) Now you can use balena like docker with the command sudo balena

The whole thing works pretty well - this short scribble is just to get it running in a hackish way - a real tutorial will come as soon as I get the time to make it really persistent and auto-starting... But.. Well ;). Living on the edge comes with sacrifices :).
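Step 2 says to check the installer before piping it into a shell, and the Dell Update CD post above says to compare the ISO's MD5 checksum before burning it. Both boil down to the same habit, shown here as an added example that is neither part of this post nor resin.io's or Dell's own tooling: download to a file, verify it against a digest obtained out of band, read it, and only then run it. The function names are mine, the digest in the usage line is a placeholder (not a real balena or Dell checksum), and md5sum/sha256sum from GNU coreutils are assumed:

```shell
#!/bin/sh
# Added example (not from the original post or any vendor): verify a
# downloaded installer or image against a known digest before using it.
# Assumes GNU coreutils (md5sum, sha256sum) and curl.

# digest_of <file> <md5|sha256>: prints the hex digest of the file.
digest_of() {
    case "$2" in
        md5)    md5sum "$1"    | awk '{print $1}' ;;
        sha256) sha256sum "$1" | awk '{print $1}' ;;
        *)      echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
}

# verify_digest <file> <md5|sha256> <expected-hex>: 0 only on an exact match.
verify_digest() {
    actual=$(digest_of "$1" "$2") || return 2
    [ "$actual" = "$3" ]
}

# fetch_verify_run <url> <md5|sha256> <expected-hex>
# Downloads the script to a temp file, refuses to run it unless the digest
# matches, opens it in a pager so you actually read it, then runs it with sh.
fetch_verify_run() {
    url=$1 algo=$2 expected=$3
    tmp=$(mktemp) || return 1
    if ! curl -sfL "$url" -o "$tmp"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    if ! verify_digest "$tmp" "$algo" "$expected"; then
        echo "$algo mismatch for $url, refusing to run" >&2
        echo "got:      $(digest_of "$tmp" "$algo")" >&2
        echo "expected: $expected" >&2
        rm -f "$tmp"; return 1
    fi
    "${PAGER:-less}" "$tmp"      # read what you are about to execute
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder digest; take the real one from a source you trust, and
# not from the same page you are downloading the script from):
#   fetch_verify_run https://balena.io/install.sh sha256 <expected-sha256>

# Self-check on a constructed file, no network needed:
demo=$(mktemp)
printf 'echo "hello from a constructed installer"\n' > "$demo"
known=$(digest_of "$demo" sha256)
verify_digest "$demo" sha256 "$known" && echo "digest matches, would run"
verify_digest "$demo" sha256 deadbeef || echo "digest mismatch, would refuse"
rm -f "$demo"
```

For the Dell ISO the same verify_digest call with md5 and the value from the download page does the job; the point in both cases is that the check happens before anything is executed or burned, not after.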

If you're on Docker Con and want to meet up, just send me a message via Twitter, E-Mail or the Hallway Track - see you soon ;)!

Upgrade WSL (Windows Subsystem for Linux) on Windows 10

I had installed WSL (Windows Subsystem for Linux) a long time ago to gain access to Ubuntu 14.04 LTS directly from my Windows 10 desktop. However, as time passes, software grows old. Upgrading the Ubuntu subsystem via apt-get update / do-release-upgrade should work, but that could have some nasty side effects, considering that the 14.04 LTS WSL release had been a beta test - so a reinstall should be better.

Luckily, TechRepublic got this covered. Just open a CMD and run:

lxrun /uninstall /full /y

to uninstall the current WSL version.

Afterwards, try

lxrun /install

to reinstall it. With this "reinstall", Ubuntu 16.04 LTS will be installed.

Nonetheless, I recommend a nice

sudo apt-get update
sudo apt-get dist-upgrade

afterwards in your BASH session to get the WSL to the latest version ;).