Oh noes! They be stealin' our garage doors! (Misc)

A few things:

First, Cowtown Computer Congress finally got blueprints of the building our hacker space will be located in. That's good news. The bad news? The awesome garage door we thought we'd have might be on the chopping block according to the blueprint -- as shown below the lolrus (which is actually a huge seal since it doesn't have tusks) Not cool. We're gonna try to have them leave the garage door.

Also, CCCKC will be thowing a "build it for them to throw it" party on Nov. 22, a few days before the Plaza Lighting Ceremony. This event for CCCKC members will get a bunch of geeks together to build LED Throwies.  The plan is to use the throwies for the fund-raiser on the 26th. What better time of year to lob magnetized LEDs at things than the official kick-off of Kansas City's Holiday Season? Become a member of CCCKC, come out and help us build some throwies, and then kick it with all of us at the next fund raiser.

Last but not least, I posted a fun project over at i-Hacked today.  Not many people knew that my RJ45 cuff links at DefCon were actually functional ethernet loopback testers. I walk you through the steps to build your own ethernet loopback tester that you can keep on your keychain or use as cuff links (if you make two). Photos below:

OpenBSD 4.4 is hitting the mirrors now!

OpenBSD 4.4 is scheduled to be officially released November 1, 2008 (that would be tomorrow as of writing). It's already on some of the FTP mirror sites, though.

I am installing this TONIGHT. I may try Ubuntu Intrepid Ibex that was released this week as well, but I'm really more excited about OpenBSD. I'm a little bit of a fanboy, if you can't tell.

The Geek 100 Pt. 4: Development and Cryptography

See the whole series: The Geek 100

This is a list of 100 basic things and skills every geek should have. I've broken this series up into five parts. Let's face it: a list of 100 things would be tedious to wade through. Over the rest of the week, look for twenty more skills to show up daily. The skills assume you have done it in the past and can remember how to do it right now (or, like a good Geek, you've jotted it down in one of your notebooks). Having it in your personal notebook is okay. Scrambling to the Internet means you don't have the skill... yet.

Props to my friend Joshua Kriegshauser for help with the Software Development skills. I'm not a coder. He's the Technical Director of the EverQuest II team at SCEA. That makes him more than qualified to help me out here.

Software Development. Every geek should be able to:

1. Competently program in a compiled language
2. Competently program in a script-interpreted language
3. Create dynamic web pages that are resistant to XSS, CSRF and Injection
4. Display at least casual knowledge of assembly language
5. Describe endianness and which endians are used on popular platforms
6. Have a firm understanding of object oriented programming
7. Integrate a captcha into a web form
8. Reverse-engineer and debug software
9. Use a hex editor
10. Use a revision-control system

Cryptography. Every geek should be able to:

1. Analyze a substitution cipher
2. Encrypt and tunnel arbitrary traffic
3. Explain both strengths and weaknesses of asymmetric encryption
4. Explain the significance of hash functions
5. Explain Enigma (Fun Link)
6. Implement a quick, secure symmetric cipher algorithm
7. Implement steganography
8. Set up full-drive-encryption
9. Set up SSH with public keys
10. Use an effective manual encryption scheme
    

See the whole series: The Geek 100

The Geek 100 Pt. 3: Attack and Defense

See the whole series: The Geek 100

This is a list of 100 basic things and skills every geek should have. I've broken this series up into five parts. Let's face it: a list of 100 things would be tedious to wade through. Over the rest of the week, look for twenty more skills to show up daily. The skills assume you have done it in the past and can remember how to do it right now (or, like a good Geek, you've jotted it down in one of your notebooks). Having it in your personal notebook is okay. Scrambling to the Internet means you don't have the skill. Yet...

Today, I focus more on physical security and infosec. Let's see how well you do!

Attack. Every geek should be able to:

1. ARP-poison a network segment
2. Bypass the Windows XP login screen without rebooting
3. Crack WEP
4. Enumerate all hosts and running services on a network
5. Identify the weakest point in almost any security scheme
   
6. Replay a TCP session
7. Scan for wireless networks
8. Spoof/Change your MAC address
9. Use a password cracking tool
10. Use lockpicking tools to open an inexpensive lock

Defense. Every geek should be able to:

1. Harden an operating system
   
2. Implement an IDS
3. Install burglar alarm sensors (motion, breakage, window, door)
   
4. Install CCTV cameras
5. Know where to find information on Common Vulnerabilities and Exposures
   
6. Lock down a wireless network
7. Re-key a lock cylinder
8. Set up a log analysis tool
9. Set up a packet filter or firewall
10. Set up a VPN (not just an SSH tunnel)
    

See the whole series: The Geek 100

The Geek 100 Pt. 2: Sysadmin and Network Skills

See the whole series: The Geek 100

This is a list of 100 basic things and skills every geek should have. I've broken this series up into five parts. Let's face it: a list of 100 things would be tedious to wade through. Over the rest of the week, look for twenty more skills to show up daily. The skills assume you have done it in the past and can remember how to do it right now (or, like a good Geek, you've jotted it down in one of your notebooks). Having it in your personal notebook is okay. Scrambling to the Internet means you don't have the skill. Yet...

This one is for all your Information Technology geeks, although it's a bit UNIX biased.

Systems Administration. All geeks should be able to:

1. Compile a kernel
2. Set up a file/print server that works across most operating systems
3. Set up RAID on a server
   
4. Set up an AMP server
5. Set up an Internet mail server that won't get RBL'd
   
6. Set up an RDBMS
7. Use a Logical Volume Manager
8. Use find with xargs
9. Use sed and awk effectively
10. Use sysctl
    

Networking. No, not Social Networking. All geeks should be able to:

1. Explain the difference between PAT, NAT and a DMZ
2. Flash new firmware to routers and switches
3. Make an ethernet crossover cable
4. Run cable through walls without tearing them up
5. Set up port security on a network switch
6. Terminate a fiber optic cable by hand
7. Terminate a punch-down patch panel
8. Terminate category 5 cable with RJ-45 plugs
9. Trace cables
10. Use a network sniffer or protocol analyzer

See the whole series: The Geek 100

The Geek 100 Pt. 1: Possessions and Lifestyle Skills

See the whole series: The Geek 100

This is a list of 100 basic things and skills every geek should have. I've broken this series up into five parts. Let's face it: a list of 100 things would be tedious to wade through. Over the rest of the week, look for twenty more skills to show up daily. I've listed possessions first. The rest of the series focuses on skills and knowledge. The skills assume you have done it in the past and can remember how to do it right now (or, like a good Geek, you've jotted it down in one of your notebooks). Having it in your personal notebook is okay. Scrambling to the Internet means you don't have the skill. Yet...

This is just a fun, arbitrary list I came up with mostly on my own but with some help just in case I was missing any skills I didn't even know I was missing. I'll give credit where due. Don't think I just took 100 things about myself and built up a geek paradigm from it. Most likely, you won't have all of these. I know I don't. The lucky ones will have a good chunk of these covered, though.

Possessions. Every geek should have:

1. A citizen-band radio
2. A computer that's incapable of running MS-DOS 6.0 natively
3. A graphing calculator
4. A notebook of tricks, tips, and things you don't want to forget how to do
5. A weapon that fires (relatively) harmless foam projectiles
6. An HTTP proxy
7. Action figures
8. An acoustic coupler, TDD, or acoustic modem
9. An obsolete video game console
10. Off-site backup storage

Lifestyle Skills. Every geek should be able to:

1. Convincingly perform a magic trick or card trick
2. Brew French-pressed coffee
3. Play a musical instrument
4. Point out discrepancies in movies that feature "hacking"
5. Recite a significant number of lines from at least one Anime movie
6. Scam free drinks from noobs at the bar (or at the lemonade stand if you're <21)>
7. Social engineer your way out of trouble
8. Speak a foreign language
9. Start a large, powerful bonfire
10. Use wordplay

See the whole series: The Geek 100

Twitter Terrorism?

Oh REALLY?

Could Twitter become terrorists' newest killer app? A draft Army intelligence report, making its way through spy circles, thinks the miniature messaging software could be used as an effective tool for coordinating militant attacks.

For years, American analysts have been concerned that militants would take advantage of commercial hardware and software to help plan and carry out their strikes. Everything from online games to remote-controlled toys to social network sites to garage door openers has been fingered as possible tools for mayhem.

I've written about Twitter As A Threat before, but this is completely different. The US is still looking for tools the terrorists are using (you know, like the ONE time that someone tried to slip explosives by the security checkpoints in a pair of shoes?) and not finding anything but the dumbest, sloppiest and most ham-fisted terrorists. Check this out, and try to refrain from falling out of your chair in laughter:

Scenario 1: Terrorist operative “A” uses Twitter with… a cell phone camera/video function to send back messages, and to receive messages, from the rest of his [group]... Other members of his [group] receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.

Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow ”B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”

Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario… has already been discussed for other social networking sites, such as My Space and/or Face Book.

Wait! Terrorists are on MySpace and Facebook now, too?!

Look, guys. We get it: Terrorists communicate. Terrorists can communicate the same way other people communicate. What's next? "Terrorists might drive cars?" Looks like we'd better beware of anyone found driving a Toyota. Seriously, how much money do we have to waste on reports like this, which state the obvious while putting a sensational movie-plot spin on things?

Where Are They Now: Quentin Stafford-Fraser

I've looked up to a lot of people in my day, and sometime in the middle of 1998, I was really looking up to the guys at the Olivetti & Oracle Research Laboratory (ORL for short) because they made something that at the time I considered truly groundbreaking and now, more than a decade later, I can't see living without it. If you've been around a while (or you're paying attention to my coffee mug in the photo) you may have guessed I'm talking about VNC, which now has quite a few forks, most of which surprisingly play very nicely with one another.

In 1998, I actually wrote an article about VNC in HiR's old text-zine format. Shortly after that, AT&T Swooped in and bought ORL. I contacted the team to ask if they had any of the cool VNC Mugs I saw on their Windows CE page (Archived here) and I actually was told by the team that "they shouldn't, because they had the old contact information on them" but they shipped me a pair of them anyways. Now, some 9 years later they're still some of my favorite mugs from which to quaff my morning coffee: I've got one at work and one at home.

QSF wasn't the sole inventor of VNC, but he put quite a bit of work into it and was one of the authors of the initial VNC whitepaper, first published in IEEE Internet Computing. When poring through mailing lists in my early days of using FreeBSD and OpenBSD on the desktop, I'd often run into QSF's helpful tips when dealing with compiling or troubleshooting issues.

QSF's also one of the creators behind first Internet meme I ever experienced (in early '94): the coffee-pot web-cam.

A few months ago, Frogman pointed me to Status-Q, QSF's blog (via shared articles in Google Reader) and I must say I've been hooked ever since. His blog content offers little in the way of what he's up to for a living these days (hint: the About Quentin link has those details), but it's full of sage advice, useful quotes, and fascinating observations. I'm happy to have run into him again!

The entire team of VNC people were and are, in my opinion, "real hackers" and visionaries. They might not be penetration testers or security researchers. They're certainly anything but cyber-terrorists. The team saw a need, filled it elegantly, and built something extensible and open-source that to this day is relied on by more people than I could count.

Sysadmin Sunday: Apache Name Based Hosting mini-howto

Apache Name Based Hosting configuration
by Asmodian X

Contents
1. Description
2. Getting started
3. Base Filesystem Layout
4. Base Configuration
5. Name based hosting configuration (WWW only)
6. Name based hosting configuration (SSL single site)
7. Implementing the configuration

1. Description

Apache name based hosting configuration using Debian Linux or Ubuntu Linux Server edition. This is intended for intermediate Linux/UN*X administrators. You will require the Apache mod_vhost module, along with apache2, openssl and whatever other apache services you want.

2. Getting started

If you have not already installed apache ...

At the Ubuntu/Debian Linux prompt:

 $sudo apt-get install apache2
 $sudo a2enmod vhost_alias
 $sudo a2enmod ssl

3. Base Filesystem Layout
htdocs layout:

/data/sites
 •    ssl
     ⁃    symlink to site folder in www
 •    www
     ⁃    site_url
     ⁃    htdocs
     ⁃    cgi-bin

This could easily be turned into Suse's standard of /srv/www/sites/www ...etc . the site_url needs to be exactly what the end user will type in as their dns url. so there needs to be a folder

called host.example.com as well as www.host.example.com. This is easily accomplished with symlinks in Linux.

Config layout: (based off of ubuntu/debian standard)

/etc/apache
 •    sites_available
 •    sites_enabled
 •    modules_available
 •    modules_enabled
 •    ssl
     ⁃    sitename
     ⁃    certificate file

The ssl directory could easily be in /etc/ssl but this is up to you.

4. Base Configuration
This is the default Debian/ubuntu apache.conf file. No changes were made here.

  ServerRoot "/etc/apache2"
  LockFile /var/lock/apache2/accept.lock
  PidFile ${APACHE_PID_FILE}
  Timeout 300
  KeepAlive On
  MaxKeepAliveRequests 100
  KeepAliveTimeout 15
  <IfModule mpm_prefork_module>
  StartServers          5
  MinSpareServers       5
  MaxSpareServers      10
  MaxClients          150
  MaxRequestsPerChild   0
  </IfModule>
  <IfModule mpm_worker_module>
  StartServers          2
  MaxClients          150
  MinSpareThreads      25
  MaxSpareThreads      75
  ThreadsPerChild      25
  MaxRequestsPerChild   0
  </IfModule>
  User ${APACHE_RUN_USER}
  Group ${APACHE_RUN_GROUP}
  AccessFileName .htaccess
 <Files ~ "^\.ht">
  Order allow,deny
  Deny from all
 </Files>
  DefaultType text/plain
  HostnameLookups Off
  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  Include /etc/apache2/mods-enabled/*.load
  Include /etc/apache2/mods-enabled/*.conf
  Include /etc/apache2/httpd.conf
  Include /etc/apache2/ports.conf
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  LogFormat "%h %l %u %t \"%r\" %>s %b" common
  LogFormat "%{Referer}i -> %U" referer
  LogFormat "%{User-agent}i" agent
  ServerTokens Full
  ServerSignature On
  Include /etc/apache2/conf.d/
  Include /etc/apache2/sites-enabled/
  Listen 80
  Listen 443

5. Name based hosting configuration (WWW only)

UseCanonicalName Off
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
DirectoryIndex index.html index.shtml index.php index.htm
<Directory /data/sites/www>
    Options FollowSymLinks
    AllowOverride All
</Directory>
<VirtualHost *:80>
    Servername host.example.com
    CustomLog /var/log/apache2/access_log.host.vhost vcommon
    VirtualDocumentRoot /data/sites/www/%0/htdocs/
    VirtualScriptAlias /data/sites/www/%0/cgi-bin/
 </VirtualHost>

WWW name based hosting requires the use of the mod_vhost apache2 module. Any interface that apache is listening to will check to see what hostname was being called and match it to a directory name in /data/sites/www/.

6. Name based hosting configuration (SSL single site)

UseCanonicalName Off
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
DirectoryIndex index.html index.shtml index.php index.htm
<Directory /data/sites/ssl>
    Options FollowSymLinks
    AllowOverride All
</Directory>
<VirtualHost 1.2.3.4:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/generic/generic.crt
    Servername host.example.com
    CustomLog /var/log/apache2/access_log.host.vhost vcommon
    VirtualDocumentRoot /data/sites/ssl/host.example.com/htdocs/
    VirtualScriptAlias /data/sites/ssl/host.example.com/cgi-bin/
 </VirtualHost>

Alternatively you can add another virtual host for port 80 in-case you want to exclude this site from the name based section above.

SSL wants a static port, IP or both. Its easier to have a static IP but either will do. Also, you will need a dedicated ssl certificate for each site (lest you get an SSL error message on the client side) or you need to get a Wildcard SSL certificate for your domain. This is assuming you are assigning sites under the example.com domain such as site1.example.com, site2.example.com ...etc.

If you are dealing with different DNS names for each site then individual certificates are needed.

7. Implementing the configuration
When installing the configuration take these steps:

1. Remove the /etc/apache2/sites_enabled/default configuration symlink
2. Create the generic name based hosting files (listed above) into files in the /etc/apache2/sites_available folder.
3. Create symlinks from the sites_available configuration files into the sites_enabled folder.
4. restart apache.

Embedded Webapp Fun: NetScreen

I like to tunnel SSH, whether it's for getting around a captive portal at an airport or for encrypting your traffic at DefCon.

At home, I use an old NetScreen¹ 5XP-Elite firewall. The "Elite" has absolutely nothing to do with its mad $k1llz. It just means it's got an unlimited network license, which is good because I have a lot of freaking computers in the Lab-O-Ratory.  

I wanted to run SSH over port 53 (DNS) as well as 22 to aid in tunneling SSH where external DNS is allowed (more often than you'd think) but I got this error via the GUI:


On the CLI, I was met with this:

ns5-> set vip untrust-ip 53 SSH 192.168.0.56
###Invalid reserved vip port number 53 for SSH service!

Well... CRAP!
I don't usually take "no" for an answer too easily. Some javascript told me I couldn't do it. Some little parameter within the CLI told me the same thing. I have a pretty hard time believing that the kernel of my firewall is incapable of spawning an SSH forward on port 53 when port 22 or 31337 would work just fine.  Skepticism of limitations is one of the fundamental elements of having the security mindset.

I poked through the web-page source code that renders the page, but it's all on-the-fly javascript. I decided that if I wanted to see what the form post was passing, it would be easier to sniff the session. I went ahead and fired up my old friend, Wireshark.² 

Notice that the web admin interface is only running on the internal interface, so I'm tunneling port 80 direct to it through one of my systems on the inside, hence the localhost:80 http session. I opted to redirect port 2201 to the internal SSH box, since it's well within the range of acceptable ports. I did a "Follow TCP Stream" and VOILA!



This gives me everything I need to make a quick HTML file that posts whatever port number I want as the "port" variable. I decided to take the easy way out and see if NetScreen's web interface would accept the variables as a GET, by pasting it into the location bar instead, just to see. I broke it up into three lines here, but you can see the only thing I changed was "2201" to "53".

http://localhost/n_vip_l.html?
port=53&srv_vip_l=37&to_ip=192.168.0.56&
confirm=++++OK++++&idx=-1&p_port=-1

Success!

What's the point? This was a practical example for how to putz around with stuff you may already have and dabble in the fascinating world of web application security.  As mentioned before, it's also an exercise in thinking beyond limitations.

Footnote 1:

NetScreen was founded by a bunch of ex-Cisco guys and the IOS-esque "ScreenOS" as it's called really shows it. In 2004, NetScreen was snarfed up by Juniper Networks. Juniper's low-end SSG-5 is about the closest living relative to my beloved yet crufty home firewall. 

Footnote 2:

On an odd side-note, Frogman and I got to see Gerald Combs (creator of the project now called Wireshark) give one of his very, very rare talks on TCP/IP, which included a lot of Ethereal's backstory.

Response: "Is Twitter the newest data security threat?"

Lori MacVittie posted a compelling piece asking "Is Twitter the newest data security threat?"

In my opinion, the answer is "No." It's merely one of tens of thousands of potential avenues of exploitation that can be used intentionally or unintentionally by the real security threat: Those whom you trust to access your data in the first place.

Data Loss Prevention suites, Network Access Control, filtering web proxies and other technological solutions are only masking the problem while making it harder for your employees to work efficiently. Michael J. Santarcangelo, II's book, Into The Breach concisely discusses the real problem behind breaches and a sound Strategy to make it better. It takes everything we already acknowledge as security professionals and re-arranges it in a way that makes a lot of sense.

In short, security researchers, employers, and journalists need to wake up. Use technology to assist properly-trained employees who are held accountable for their mistakes instead of using technology to restrict clueless employees, and allowing the blame to fall on some software package when things go wrong. When do you start ACTUALLY trusting the people you trust with your data?

The issue of customer service via Twitter is a different bag of worms. The decision to use twitter as an enterprise avenue of support is a strategic decision that's better left to marketing, PR and CxO-types. I'd hope they'd analyze the potential impact of making a subset of their customer list public.

Friday Geek-Out: WiFi Disruption Edition!

If anyone still wants to go to Daily Dose tonight, that's fine. Some of us will be at Casa De Ax0n hacking on wireless stuff.

Given the fact that all things Karma have the potential to disrupt nearby WiFi service, we've opted to take the geek-out away from the normal venue this week. I really don't feel like getting banned from my favorite bar and coffee shop.

Like many others before me, I've freed my Fon from the wall outlet with a clip holding 4 AA batteries wired in series for 4.8 Volts. I'm currently using a 6-cell clip with the last two slots bypassed. It will hold five cells just fine for the full 6VDC that it was designed to use. I may do that this evening.

Asmodian X and I have been tinkering with these Fon routers for a few days now. We've both bricked (and subsequently un-bricked) them, and they're both running the latest version of OpenWrt.

Now it's time to see what we can do with them. The HiR WiFi Lab is going to be in full swing this evening. RSVP if you think you want to show up. I will need to clear it with w1fe 1.0, who probably doesn't want TOO many geeks coming over.

Catalyst On Tour: Michael Santarcangelo in Kansas City

Michael Santarcangelo is Catalyst On Tour! Next week, his travels will bring this nomadic security expert right here to Kansas City. For those who don't know, he wrote the recently-released book Into The Breach. I've invited him to talk to the Cowtown Computer Congress , so he'll be at the meeting on October 23rd (7pm, Javanaut at 39th and Wyoming). We'll likely partake in food and drink afterwards, and continue the conversation. Trust me, this is someone you want to meet.

BT3 / Karmetasploit / Alfa update

People have been asking me about how my adventures with Karmetasploit have been going. Well, I have some good news on getting Karmetasploit working on BackTrack 3 with the Alfa AWUS036H USB WiFi Adapter, but it's still not working 100%. This is an update to the quandary I posted a little more than a month ago. It's after 1:00 am and I need to be up bright and early so I have to call it a night. I hope to have more info in the coming week as I get some lab time to put into this project.

What I've got is pretty raw, but this is just as much for our readers as it is for me to document for myself what's worked so far. Out of literally dozens of tries, this is the closest I've come to getting this to work the way I want it.

First and foremost, the version of aircrack-ng that ships with BT3 is old and lacking some functionality that's needed for what I'm trying to do. Among other things, airbase-ng doesn't have the -P option that lets it reply to all probes. This is stuff that's normally handled by the MadWifi drivers when you've got an Atheros adapter. Since the Alfa's using the RTL8187 chipset, we need to rely on airbase-ng. Updating airbase-ng is easy, but if you're running BT3 from CD and without saving changes, you'll have to do it every time. Just snag the latest aircrack-ng source via Subversion and compile it right there in the BT3 environment with the following commands.

svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
cd aircrack-ng
make
make install

Then, airbase-ng will be updated with the functionality needed for karma. Keep in mind that Karma's just the "greedy access point" part that uses probe requests to rope in wireless clients.

Use airmon-ng to enable monitor mode on your Alfa:

airmon-ng start wlan0

I run airbase-ng in its own terminal window and in verbose mode so I can watch as crap scrolls by. If it gives you an error about not being able to create a tap interface, run "modprobe tun" to load the module it's complaining about.

airbase-ng -P -C 30 -e "HiR WiFi Lab" -v wlan0

You should see all probe requests and get messages whenever anyone associates.

In another window, I bring up the at0 interface. I know using a /24 netmask on 10.x.x.x is a sin, but that's how the dhcp configuration comes on BackTrack:

ifconfig at0 up 10.0.0.1 netmask 255.255.255.0

Then we clear the dhcp leases and start the dhcp server:
echo > /var/state/dhcp/dhcpd.leases
dhcpd -cf /etc/dhcpd.conf at0

At this point, I have a computer that's running BackTrack 3, broadcasting as an access point named "HiR WiFi Lab" but will snag any wireless client in range trying to associate to a network, regardless of their SSID. It will issue a DHCP lease and the DNS specified by dhcp will point to the BackTrack 3 box.

Now, to start the "metasploit" part, which should start a fake DNS Server (which makes all services point to the BackTrack 3 box as well) and a bunch of fake services for password grabbing, etc:

/msf3/msfconsole -r /msf3/karma.rc

All the services appear to come up just fine in Metasploit Console, but the fake DNS isn't working. In fact, lots of the fake services aren't working as they should. The fake FTP server, for example, just opens a session and sits idle without prompting for a login. If I point my browser to 10.0.0.1, however, it loads the "evil" cookie-grabbing web page (which consists of a bunch of invisible iframes to grab cookies from several popular domains), but since DNS doesn't work, the pages within the iframes never resolve.

So, I'm a lot closer to having Karmetasploit working with the Alfa on BackTrack, but it seems like there's still a lot of troubleshooting to do. Also, with having to download and re-compile aircrack-ng every time I boot BackTrack on my lab box, I'm thinking I might install BT3 to an old hard drive to make things a little easier.

La Fonera lab: Fon un-bricking howto

I've bricked my Fon twice now. That's pretty much the name of the game when you tinker. Fortunately, the Fon has redboot, and if you enabled telnet access to it (you know, BEFORE you brick it!?) you can un-brick it over the network.

Here's a log of my un-bricking session. The bold, bright green is stuff I typed in the console. Dark-green is terminal output and normal text is my commentary as I go along.

As I mentioned, I'm running a tftp server on my MacBook, with the kernel and rootfs files (you can get them here) in /private/tftpboot (the default shared folder for tftpd). For reference, I'm relying on the MacBook's MDI/MDIX auto-crossover functionality (a staple in several ethernet adapters) and using the Fon's ethernet cable connected directly to my MacBook. You may need to use a crossover cable. My MacBook's IP is 192.168.1.2 for this lab.

Power on the FON, and as soon as the "Internet" light comes on, telnet to port 9000 of 192.168.1.254. This is RedBoot's IP address.

$ telnet 192.168.1.254 9000
Trying 192.168.1.254...

I held the return key down for quite a while (5, 10 seconds or so?) until the RedBoot prompt came up. Control C does NOT WORK! Okay, it didn't work for me. Your mileage may vary. I had a whole screen of blank lines for a while and a matching whole screen of "Executing boot script" messages to match them. I spared you from that and only showed three below..

Connected to 192.168.1.254.
Escape character is '^]'.
== Executing boot script in 9.990 seconds - enter ^C to abort
== Executing boot script in 9.990 seconds - enter ^C to abort
== Executing boot script in 9.990 seconds - enter ^C to abort
RedBoot>

UPDATE: A reader showed us the awesome redboot.pl script. See the comments of this post for a little more info.

Once in redboot, we set the ip address of the Fon's local ethernet port (192.168.1.254 is just fine, so we'll enter that) and the tftp host for the firmware images. Again, I'm using 192.168.1.2.

RedBoot> ip_address -l 192.168.1.254 -h 192.168.1.2
IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.2

These steps download the kernel, initialize the flash and write the kernel to the Fon.

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-2.6-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040800-0x801007ff, assumed entry at 0x80040800
RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? yes
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040800-0x80100800 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

This shows the block of free space left, we'll need these numbers to properly create the root filesystem

RedBoot> fis free
0xA80F0000 .. 0xA87E0000

Now we need some bc-foo or at least some hex math skills. We'll need the hex difference between the first and last free block. You need to do this in another window. obase=16 and ibase=16 set bc in hexadecimal mode.

$ bc
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
obase=16
ibase=16
A87E0000 - A80F0000
6F0000

(Control-D exits bc)

For me, the length of the free space is 0x006F0000. Jot yours down and make sure it's prefixed with 0x and it's 8 hex digits long (padded with zeros if need be). You'll need it in a bit to determine where to write the OpenWrt root filesystem. Now, back to the RedBoot session on the Fon:

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-2.6-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040800-0x801607ff, assumed entry at 0x80040800

(use the length of the free-space IN PLACE OF
0x006F0000 below if yours differs.)

RedBoot> fis create -l 0x006F0000 rootfs
... Erase from 0xa80f0000-0xa87e0000: ...............................................................................................................
... Program from 0x80040800-0x80160800 at 0xa80f0000: ..................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
^] (control close-bracket escapes the telnet session)
telnet> close
Connection closed.

Wait a few minutes for the fon to boot, then you can access the actual OS with telnet. I used -lroot so that the telnet client hands the username "root" to the telnet server. By default, BSD's telnet client hands off your current username to the remote server. You may or may not need to use -lroot.

$ telnet -lroot 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------


BusyBox v1.4.2 (2007-09-29 07:21:40 CEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
         |__| W I R E L E S S   F R E E D O M
KAMIKAZE (7.09) -----------------------------------
* 10 oz Vodka       Shake well with ice and strain
* 10 oz Triple sec  mixture into 10 shot glasses.
* 10 oz lime juice  Salute!
---------------------------------------------------
root@OpenWrt:/#

Of course, you should set a root password (using the passwd command) ASAP, and probably enable wireless as below:

root@OpenWrt:/# uci set wireless.wifi0.disabled=0
root@OpenWrt:/# uci commit wireless && wifi

So now all the fun stuff I've done to my Fon (I'm calling it The Patriot for its ability to wreak Surface-To-Air Carnage) are un-done. Fortunately I have most of it backed up.

Jasager Lives! Muahahaha!

Meet Jasager, a mash-up of OpenWrt and Karma running on a La Fonera router. After seeing the Jasager walk-through on Darren Kitchen's website and then seeing Hak5 Season 4 Episode 5 (about 11 minutes into the episode), I had to give it a shot. If you can't tell, I've been lusting after Karmetasploit for quite a while.

Jasager doesn't provide the "evil" that metasploit offers (that is, the password-grabbing fake services, cookie-snarfing and browser exploiting parts), but Jasager DOES gleefully do the "Karma" part. No matter what SSID you try to connect to, Jasager will take your probe request and play the SSID back as a beacon. If the real access point is out of range or has a weaker signal than Jasager, it WILL rope you in. Mubix put together a post today with a lot of background to Jasager and where it's going. His ideas as well as Robin Wood's skills and Darren Kitchen's passion were a driving force in my interest in Karmetasploit from the get-go. This has been in the works for quite some time, as Darren couldn't stop gushing about it when I hung with him in Springfield. (Note to self: Fix the damn photos on that old post.)

The latest version of Metasploit Framework contains dozens of megabytes of code (mostly written in Ruby) and the La Fonera only has a few megabytes of flash for storing files, so setting up a full Karmetasploit ownage rig using a Fon isn't going to happen. That's not to say there isn't plenty of fun to be had. If you set this up on a public network, you can man-in-the-middle stuff with the Fon. Darren suggested using upside-down-ternet. You can do some hacking to make Jasager work with another full-fledged computer that can run Metasploit. The options are as limitless as your imagination even with a standalone Fon running Jasager. Be creative!

Now, on for some errata to Darren's howto:

I used OS X and command-line scp and ssh to do all the stuff Darren did with the windows equivalents. This is pretty straight-forward for command-line users.

In Step 8, you transfer 2 files into /tmp, but out.hex gets erased after the reboot in step 9 and before you're told to use it in step 10. So just SCP it over after the reboot in step 9.

I actually bricked my Fon at step 11 (where you use some goofy Windows GUI to flash the Fon). Fortunately, the walk-through enables RedBoot over Telnet early on. If you're not running Windows, then set up a tftp server on a workstation on an internet-separated network. I just used an ethernet cable to my MacBook. You can flash the firmware to the Fon via RedBoot with these instructions I got from the Fonera section of the OpenWrt Wiki.

Preparation for flashing:
La Fonera will use 192.168.1.1 and 192.168.1.254, so set your Ethernet interface to something in the 192.168.1.2-253 range on the system that you will use to tweak the Fon. Make sure it's got a tftp server on that system as well. Make sure you have the openwrt-atheros-2.6-vmlinux.lzma and openwrt-atheros-2.6-root.squashfs files. Make sure the network is segregated from the Internet, and make sure no DHCP servers are on the network.

I was using Mac OS X, and used this TFTP configuration front-end to control OS X's built-in tftpd. Note: TFTP is NOT FTP and an FTP server won't work in place of tftpd.

Once I got the Fon un-bricked and OpenWRT installed via TFTP and RedBoot. all the steps from 12 on worked fine. Hopefully using the above help, you won't need Windows nor will you brick your Fon.

Asmodian X has at least one Fon to play with as well. We'll cover our various experiments with them and label the posts with fon.

Do you think this guy's a gamer?

I saw this in my parking garage at work a few days ago. These stickers were adorning some cargo boxes bolted to a nice-looking BMW Motorcycle. Taking a guess, I'd say this guy takes his games pretty seriously. 


My wife tells me "For the Horde!" is a World Of Warcraft reference. She plays it, I do not. Yet.


I particularly got a kick out of this one.

Open Source... Bicycle Parts?!

Okay, I'll admit that my inner cyclist is a little giddy about this. While it certainly isn't programming or security related, it squarely falls into "other interesting topics" and the Xtracycle guys undoubtedly operate with a "hacker" and "maker" kind of attitude, all the while embracing sustainability and empowering others to use human powered machines for tasks that would previously require a car. The initial premise, realized almost a decade ago, was to build an extension frame that would bolt up to a plain old bicycle and move the rear wheel back quite a ways while adding structure and attachment points to support weight-bearing bags and platforms.

(Creative Commons photo by arifm)

Now, many manufacturers are running with the idea, and the guys at Xtracycle have decided to open-source their design in order to engage the community in collaboration and to allow anyone with the equipment and skill to make their own and build onto an already tried-and-true design. (Click for higher res)


They're using a Wiki to collaborate right now (and I should note that it's not working all the way yet). I'm not sure I'm ready to sell my car and break out the torch to weld one of these up myself yet, but it's a fascinating project, and it's the first time I've seen this kind of detail in their design.

A Peek Inside A Simple ATM Machine

This article is a derivative of an article I wrote a while back ago, which was published in 2600: The Hacker Quarterly 22:3 (Autumn 2005). If it looks familiar, that's why.

In [2600 Magazine] issue21:4, I discussed the workings and "unofficial" reset method for
LaGard ComboGard vault locks. [Also archived on HiR] This time, I've got a whole ATM to work with.

The ATM I scored is a Diebold CashSource+ 100. This is one of those smaller
indoor ATMs that you would find inside a convenience store. It features a
monochrome LCD, eight option keys beside the screen, a number pad with four
function keys (Shift, Cancel, Clear, and Enter) receipt printer, slots for
one cash box and one "reject" box. The card slot is a horizontal swipe-through
under the screen. There's a single five-tumbler lock on the front door. Once
opened, you're given access to 3 things: The combination dial, the vault door
bolt control, and a pair of buttons that let you swing the top compartment
upwards.

Once you squeeze the buttons together and swing the top compartment open,
you're given access to the printer, the main power switch, the modem, and some
Macintosh-style serial cables plugged into the backside of the LCD/Keypad.
The printer uses standard thermal receipt paper, and there's only one printer,
so there's no "live" paper audit trail. I'd imagine it's stored in memory, but
it may not keep an audit trail at all. The modem in my ATM is a generic 33.6k
serial modem. When I power the unit on, it attempts to dial the mother ship,
but I am not curious enough to hook it up to a phone line to see what happens.



Of course, all the interesting stuff is held within the vault. On my CSP-100,
the vault lock was a LaGard 3332-3, which is a 3-number (0-100) mechanical
combination lock with wires that can be used for sensing bolt position and
a "duress" combination. These wires on my ATM were simply wire tied and un-
used. A duress combination is the combination you dial in when you're being
forced against your will to open the vault. To activate duress mode, you dial
in the combination normally, except the last digit, you dial to the "change"
index, which is another mark about 20 degrees to the left of the "open" index.
This causes a plastic arm inside the lock to trigger the duress switch.



The duress wiring (white and blue wires) can be used in combination with a
silent alarm or telephone dialer to notify the police or an alarm monitoring
company. The bolt position switch that I mentioned (red and black wires)
operates in the same way, but is triggered whenever the lock is opened
regardless of duress mode. This can also be used with an alarm system or
with a buzzer so that an audible alert is heard when the vault is opened.



This lock can be easily replaced with one of many combination locks on the
market, including electronic combination locks such as the LaGard ComboGard
I wrote about in 21:4, Kaba Mas (or Mas Hamilton) Cencon S2000 or Auditcon.
The combination on the existing mechanical lock can also be changed, provided
you have a change key, which my ATM came with, taped to the vault door.
Detailed combination changing instructions are available from LaGard, I found
them by Googling for: change combination instructions group 2m

Once the correct combination (or the duress combination) has been entered,
the other knob will turn, which retracts the locking bolts that hold the door
shut. Once that knob is turned, the door opens, and you've got full access to
the cash boxes, reject box, the main power supply, control board, combination
lock housing (for changing the combination using a change key) and the
conveyor belt that moves the money around. The reject bin is where money goes
that comes out of the cash box "out of spec", that is, multiple bills stuck
together, comes out at an angle, folded, or damaged. There are several kinds
of cash boxes. The one that came with my CSP-100 was a locking cash box that
had a red/green tamper indicator on it. The locks on my reject box and cash
box were both operated by the same 7-pin cylinder key. The tamper indicators
will trigger at almost any sign of forced entry including simply removing them
from the ATM. The boxes can not be re-inserted when the indicator is red, and
the key is needed in order to clear the indicator.

The ATM knows what kind of cash boxes are inserted by means of an array of
buttons inside the ATM that are operated by plastic nubs on the back of the
cash box. I do not know what the coding is, but the reject box had its
plastic nubs in a different pattern than the $20 cash box that my ATM came
with. Most cash boxes can hold upwards of 2,000 bills (2,500 if they're
fresh, crisp, new bills), so a fully loaded cassette of $20 bills could store
up to $50,000. It's doubtful that you would see an ATM of this puny stature
loaded with more than a few thousand dollars at any given time, though.

Pressing the small blue button on the lower front of the inside frame of
the ATM allows allow you to firmly yank the innards out on a rolling rail
system. This gives you better access to the money conveyor belt system,
the main system board, the sides of the cash box area, and the main power
supply.



The vault is made of heavy guage steel, which probably is the main reason that
this thing is so heavy. I certainly see why not very many ATM's get stolen.
They might look small and easy to manage, but you would need 2 or 3 men and
a pickup truck to make a successful and timely getaway with this small ATM,
and good luck getting the vault opened up. It would certainly be more
trouble than it's worth.

I have not even tried to get into the ATM's diagnostics or settings yet. There
are no power outlets in the storage unit I'm keeping the ATM in, so I'll have
to move it somewhere else to continue tinkering beyond the mechanical realm.
Given the severe lack of external controls (and a user or installer manual),
I am thinking that the setup/maintenace process needs to happen either over
the on-board modem, or with an external device such as the ATM programmers
I've found in the dumpster before. I can't see where I'd hook such a device
up, though.

That's the mechanical breakdown of a simple ATM. As I experiment some more,
look for another article on programming, setup, auditing, and diagnostics.