Rogue One: My first field pentesting

Earlier that year, very - earlier - I had one technician of an international company calling me for some advice. She/He had a problem with the local networking staff and their "modus operandi" regarding network security. The company had a big assembly line and very powerful, automated machinery - which made the leaky security all the more troublesome. My job was to exploit one of those security holes and show - as clearly and easily as possible - said problems - so that they were getting finally fixed.

The first stage of the whole testing was the usual: Reconnaissance. Though, in this case, this was very easily achived, as my contact handed me over parts of the firewall ruleset as well as an access to their office lan. First thing that lit up like a christmas tree: They actually had the production and office networks seperated by a firewall - which is good. For the bad part: They did drop everything. Everything except everykind of ICMP packets. Well. Damn.

Second stage was to create an exploit to that happy little mishap: My contact wanted to be able to bridge office and production networks and access them via the - according to the networking department - water tight secure firewall. The exploit needed to be able to run on a Windows 7 machine as well. With that in mind, I went through different ICMP tunnels: HANS and Dhaval Kapils icmptunnel were the first one to be dropped from that list, as they did not satisfy all constrains. In the end, I choose icmptunnel or short ptunnel. With a bit of manual patching, I could get it to compile and work again on Windows, thanks to the efforts of Mike Miller.

For testing I recreated the network and firewall using a Cisco 1841 and a Cisco 3560 switch. As I needed to integrate ptunnel into the production network, I wanted it to look as innocent and  inconspicuous as possible: So I used a Raspberry Pi 3 and dumped it into a DIN Rail case - then I outfited it with a Power over Ethernet adapter and could serve it network as well as power over said network connection.

The tests worked flawlessly and I even cramped enough speed over ICMP to get some remote desktop working.

 

On to stage three: Attack.

This stage turned out to be way cooler than thought: Due to certain circumstances, we meet at night, 0 dark thirty - you could say - and sneaked through the production line, past workers which did not take much notice in my presence. I inserted the "Rogue Pi" into one closet next to an Siemens Human-Machine Interface and plugged it into the network switch.

Then we left again. Back in the office, I tried to connect to my little helper and was immediately rewarded with a working ICMP tunnel - now transfering an SSH connection as payload. From that moment on, I could connect to a dozend different systems from different vendors in that production network. Last but not least, as "visual" demo, we created a little batch script to start the connection and connect to the Remote Desktop Interface / Human Machine Interface of a very heavy and very unsecured press - now leaving it to our control.

At this point, said connection was only opened in a "read/view only" mode so that - even by accident, we could not harm anyone. We had to bear in mind that this multi-hundred ton press was now at the mercy of our fingertips and we did not wanted to wreck hevoc at all costs - so - if you're conducting field exercises with real "heavy hardware" - find a way to interact safetly with that - before you engage any connection to it.

With this preparation, the technician was able to run the demo in front of the higher ups and finally got the attention, permission and support needed to bring security to a higher standard.

So that effort paid of in the end for the production security of that company - and rewarded me with my first - and hopefully not last - field pentest :).

 

[Ubuntu] Secure your Apache 2 Reverse Proxy

We got an Apache 2, working as Reverse Proxy to some Docker instances (we won't talk about the nginx vs Apache stuff here for the same reasons we won't talk about vi vs emacs vs xyz ;)) - and somehow we realized that our apps are a little bit too sensitive to allow them from any ip.

First, we want to activate the needed modules. Normally that should not be necessary, but for sake of completeness:

sudo a2enmod mod_authz_core
sudo a2enmod mod_authz_host

Secondly, we want to allow them only from trusted ips. We do redirect them to the docker instances via ProxyPass - but need to create an Location / "catcher" - otherwise we could not use the mod_authz to deny other ips :).

<VirtualHost *:80>
ServerAdmin johndoe@example.com
ServerName hex.example.com
ServerAlias hex

RedirectMatch ^/$ https://example.com

<Location / >
<RequireAll>
Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
</RequireAll>
</Location>

ProxyPass "/" "http://127.0.0.1:8020/"
ProxyPassReverse "/" "http://127.0.0.1:8020/"

</VirtualHost>

<VirtualHost *:443>
ServerAdmin johndoe@example.com
ServerName hex.example.com
ServerAlias hex

<Location / >
<RequireAll>
Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
</RequireAll>
</Location>

ProxyPass "/" "http://127.0.0.1:8020/"
ProxyPassReverse "/" "http://127.0.0.1:8020/"

# Alias /static /srv/example_sw/sw/public_html/

SSLEngine on
SSLCertificateFile /etc/ssl/certs/hex.example.com.pem
SSLCertificateKeyFile /etc/ssl/private/hex.example.com.key
SSLCertificateChainFile /etc/ssl/chains/example-ca-chain.pem

</VirtualHost>

That way, hosts from other subnets than 192.168.1.0, 2.0 and 3.0 won't be able to access the proxy and therefore our app :)!

[Security] BetterCrypto.org - Applied Crypto Hardening

So, now something a little bit more personal: We all know about the problems in our modern world: NSA, espionage, data stealing / selling, and such. We all use computer systems on an daily base and we know about the importance of cryptography. BUT: We don't really all have an masters degree in computer crypto or such. We all do things in a "well, should be quite right"-way. Because, well - we have a life and a lot of stuff to do. We can't really tell apart which ciffer to use and such. But now - we don't need to - anymore. Please visit https://bettercrypto.org/ and read their paper. It got excellent "Copy 'n Paste" configuration commands for your Apache, Postfix, Mail, etc, etc!

Let's make the world an better and more secure place. For us and all our users!

Thanks :)!

Ubuntu 10.04 - Install Madwifi and Aircrack-ng

PreWork:
1. apt-get update
2. apt-get install build-essential
3. apt-get install libssl-dev

Install Madwifi for AR5007EG / AR5001
1. Download latest from http://snapshots.madwifi-project.org/madwifi-hal-0.10.5.6/
2. tar -xvzf madwifi-hal-0.10.5.6-r4126-20100324.tar.gz
3. cd madwifi-hal-0.10.5.6-r4126-20100324
4. make
5. make install
6. System, Hardware Driver, mark "Activate Alternate Drivers"
7. Reboot

Install latest Aircrack-ng
1. Download latest from http://www.aircrack-ng.org/
i.e. wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
2. tar -xvzf aircrack-ng-1.1.tar.gz
3. cd aircrack-ng-1.1
4. make
5. make install

Lets go! ^^

Iptables Basic Introduction

Iptables are the Firewall of many Unix based Systems. Its quite easy to install and more easy to manage than most ppl would think of. Lately I became the SysAdmin of an Linux based Root Server and wanted to secure it as much as possible. So I went for my first exercise with Iptables and found that they are quite to manage as long as you know some important things.

1.) The Chains
The Iptables are in fact tables. There are three possible "Chains": Input, Forward and Output.

2.) Position Counts
The Position of an Rule in these tables is VITAL!
I.e. normally you start with the Input Table and write in which Services are allowed to access your server. I.e. Apache (Webserver), SSH, etc. Then you set an big DROP. Everything after this Drop, even if it says Accept - does not count: The Packet gets dropped. Watch out for your chain and the position of the rules!

3.) Established Sessions
If you server asks for an service or website, it maybe would call over Port 80. But the answer from the other server could come on an different port. The Iptables would then drop this answer as it does not know what to do with that. If you set in an Global Allow on Input for all Established or Related Connection (i.e. already running connections, things we sent out ourselves and such..) this will not happen and your stuff will run without problems. You NEED to do that.

Show current Iptables and rules:
iptables -L

Show current Iptables and rules with more details:
iptables -L -v

Allow incoming traffic on Webport for Webserver:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This does say the iptables to Append this rule to the Input Table
The pRotocol is tcp. The dEstinationport is 80.
jUmp to Accept and let the Packet pass

Allow incoming traffic for SSH:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow everything on the Loopback Interface:
iptables -A INPUT  -i lo -j ACCEPT
-i means the interface

Allow Established Sessions (see 3.!)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
if error:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Drop everything else:
iptables -A INPUT -j DROP

After the last line, everything except the Apache and SSH Server will not be accessible anymore.
To insert an new Accept Rule before the drop, use
iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
INsert on place 1 the new Rule with TCP on Telnet Port and Accept everything connection.

To save iptables enter:
iptables-save > /etc/iptables.rules
You write the iptables to the named file

To load the iptables enter:
iptables-restore < /etc/iptables.rules

Delete all rules and therefor disable the firewall temporarily:
iptables -F

Everything taken from: https://help.ubuntu.com/community/IptablesHowTo

Appendix for Ubuntu:
Autoloading and Saving Iptables?

Autoloading: Create in /etc/network/if-pre-up.d an chmod+x file i.e. iptablesload:
#!/bin/sh
iptables-restore < /etc/iptables.rules ip6tables-restore < /etc/ip6tables.rules exit 0 Autosaving: Create in /etc/network/if-post-down.d an chmod+x file i.e. iptablessave: #!/bin/sh iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules fi ip6tables-save -c > /etc/ip6tables.rules
if [ -f /etc/ip6tables.downrules ]; then
ip6tables-restore < /etc/ip6tables.downrules fi exit 0 [shariff]

Astaro Security Gateway v7 Factory Reset

Access to SSH or console with root passwords:

/etc/init.d/factoryreset reset
No Access to SSH or root passwords are lost:

Connect a keyboard and monitor to the system.
Wait for boot prompt
Enter:
boot: default factoryreset

After that you can go to your during the installation definied IP like: https://192.168.0.1

Alternativ:

1. Boot on the ASG from a Knoppix CD
2. Login as root
3. Mount the root partition of the ASG with: mount –t ext3 /dev/sda7 /mnt
4. Go to the config on the ASG: cd /mnt/etc/wfe/conf/; vim setting
5. Change reset_pwd = 0 to reset_pwd = 1
6. Save
7. Run cd /; umount /mnt; reboot
8. Access the install IP