Thursday, December 27, 2018

The only 3 reasons to have a meeting

I, as well as most of you, feel as though we have meetings at work far too often so I'm putting down on "paper" my views on the subject. I recently read this article on the 3 reasons to have a meeting, my views are close to this but I'll extend and change that a wee bit. Drumroll please...


  1. To provide information. This is one where I'll be even more specific than the other article, this isn't just a status update meeting, do those over email for god's sake. Don't make me sit there and watch PowerPoint slides of your stats and KPIs, email those out. The rule in my framework is this: if it's to a large group of people, say a department, and you're sharing strategy, this is a good meeting, but please make it interactive. The other attribute is your proximity in the communication continuum, the closer you are to bad news the closer to being in person you should be. Meetings to develop projects, tactics or strategy often fall in this category.
  2. To make decisions. This really should be #1, we can actually debate about whether or not #1 is even needed but this one actually is. Debates and quagmires happen over email because it is an async, fire-and-forget process that always loses inflection and tone. When you need to make a decision, especially a shared one, do it together. This is one of those that doesn't always need to be in person, it can be done via a conference call.
  3. To gather group feedback. This is one of the most important meetings you can have, things like lessons learned, brainstorming, working groups and such are far more effective using in-person meeting formats.

Wednesday, December 26, 2018

Blog theme

I really hate this blog theme, one day I must change it. But for just one day.

Installing new firmware on a Hak5 Packet Squirrel




A while back I acquired a Hak5 Packet Squirrel to experiment with but at the time the firmware (1.0) was still sort of weak and had issues. I recently decided to give it a go again since there's newer firmware (2.0) out. The problem I had comes from their instructions, which read:

Firmware Upgrades

From time to time the Packet Squirrel may be updated with new firmware to add features and
security improvements. It is highly recommended that you keep your Packet Squirrel up to date with the
latest firmware. To install the latest firmware:
  1. Download the upgrade file. Make sure that the filename is upgrade-version.bin (where version is the firmware version, e.g. 1.2) and check that the SHA-256 sum matches.
  2. Copy the upgrade file to the root of an NTFS or EXT4 formatted USB flash drive. Do not rename, unpack or otherwise alter this file.
  3. Plug the USB drive into the powered-off Packet Squirrel
  4. Flip the Packet Squirrel payload select switch to Arming mode (far right, closest to the USB flash drive)
  5. Power on the Packet Squirrel from a reliable USB power source. This process takes 5-10 minutes and will be indicated by a series of LED lights. Do not power-off or otherwise interrupt the device until the flashing process completes.
During the firmware flashing process, the LED will indicate the following states:
  1. Green flashing – booting up
  2. Red/Blue alternating – beginning firmware flash
  3. Solid Red or Blue – firmware flash in progress
  4. Green flashing – rebooting
  5. Blue flashing – upgrade complete, arming mode ready

Note the part that says it needs to be NTFS or EXT4; as I discovered, it really does have to be that. I tried ExFAT, FAT and even EXT2, none of them worked, oh well. Why did I try those and not NTFS? Simple: I'm a Mac user.

After digging around I tried to install Paragon, which failed to install, then tried the Brew port of e2fsprogs as well as the NTFS-3G FUSE driver via Brew. None of them would do NTFS (write) or EXT4, so I just stuck the USB key in one of my Linux servers, here's the process.

(Note that your USB flash disk will likely NOT be sdf, use fdisk -l to see what it actually is. It's usually sdc).
  1. fdisk /dev/sdf
  2. Delete the partition and create a new Linux one, use the defaults for the size
  3. Write that out and exit fdisk
  4. mkfs.ext4 /dev/sdf1
  5. mount /dev/sdf1 /mnt
  6. cp upgrade-2.0.bin /mnt
  7. umount /mnt
Plug that into the Squirrel and wait for the blinky blinky to stop, at that point it's done and RTG. No idea why I didn't do that to start with, it took a total of 5 minutes. Oh well, I now know 5 ways to NOT format NTFS or EXT4 on a Mac.

FYI, it took mine close to 20 minutes to flash up my squirrel, it's not the 5-10 they say. It's S L O W.
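The Hak5 steps above ask for a SHA-256 check that the fdisk/mkfs walkthrough skips, and a slip in the device name hands mkfs.ext4 the wrong disk. The script below is an added example, not code from the original post or from Hak5: it verifies the upgrade file (the upgrade-<version>.bin name pattern and the SHA-256 against the sum you copy from the Hak5 download page) and, only when also given a device path, repeats the same fdisk / mkfs.ext4 / mount / cp / umount steps as above, refusing to touch a device that has anything mounted from it. The device path, the checksum and the filename are all supplied by the caller; nothing in it knows the real sums.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or from Hak5): verify a Packet Squirrel
upgrade file the way Hak5's step 1 asks (name upgrade-<version>.bin, SHA-256 matches
the published sum), then optionally prepare an ext4 USB stick with the same
fdisk/mkfs/mount/cp/umount steps the post uses. The device path and the expected
checksum come from the caller; the real sums live on the Hak5 download page."""
import hashlib
import os
import re
import subprocess
import sys
import tempfile

UPGRADE_NAME = re.compile(r"^upgrade-\d+(\.\d+)*\.bin$")


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large image is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_upgrade_file(path, expected_sha256):
    """Return (True, '') when the name and the SHA-256 are right, else (False, why)."""
    name = os.path.basename(path)
    if not UPGRADE_NAME.match(name):
        return False, "filename %r is not upgrade-<version>.bin" % name
    actual = sha256_of(path)
    expected = expected_sha256.strip().lower()
    if actual != expected:
        return False, "SHA-256 mismatch: expected %s, got %s" % (expected, actual)
    return True, ""


def prepare_usb(device, path):
    """Destructive: wipe DEVICE (e.g. /dev/sdc), make one ext4 partition and copy PATH
    to its root. Refuses to continue if anything from DEVICE is currently mounted."""
    if not os.path.exists(device):
        raise SystemExit("%s does not exist" % device)
    with open("/proc/mounts") as mounts:
        if any(line.startswith(device) for line in mounts):
            raise SystemExit("%s has mounted partitions, refusing to continue" % device)
    part = device + "1"  # /dev/sdc -> /dev/sdc1 (mmcblk/nvme style names not handled)
    # fdisk answers: o (new DOS label), n p 1 <default start> <default end>, w (write)
    subprocess.run(["fdisk", device], input="o\nn\np\n1\n\n\nw\n", text=True, check=True)
    subprocess.run(["mkfs.ext4", "-F", part], check=True)
    mnt = tempfile.mkdtemp(prefix="squirrel-")
    try:
        subprocess.run(["mount", part, mnt], check=True)
        subprocess.run(["cp", path, mnt], check=True)
        subprocess.run(["sync"], check=True)
    finally:
        subprocess.run(["umount", mnt], check=False)
        os.rmdir(mnt)


if __name__ == "__main__":
    if len(sys.argv) not in (3, 4):
        raise SystemExit("usage: %s upgrade-<version>.bin <sha256> [/dev/sdX]" % sys.argv[0])
    ok, why = verify_upgrade_file(sys.argv[1], sys.argv[2])
    if not ok:
        raise SystemExit("refusing to flash: " + why)
    print("upgrade file verified")
    if len(sys.argv) == 4:
        prepare_usb(sys.argv[3], sys.argv[1])
        print("written to %s; flip the switch to Arming and power the Squirrel on" % sys.argv[3])
```

Run it as root on the Linux box with the upgrade file, the published sum and the device fdisk -l showed you; leave the device off to only check the file. The mount check is the one thing most worth keeping even if you do the rest by hand: it is the difference between wiping the stick and wiping the server's data disk.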

Saturday, December 22, 2018

Ethernet Tap Board - Components

After ordering the boards I went off to research the various components and source them in. Step one was to use the BOM from Github to see what all is still currently available, it's 2-3 years old now. After researching and contacting DigiKey I have come up with this as my orderable BOM:

Qty,Part Number,Ref Des
1,CL10F474ZB8NNNC,C1
5,CC0603KRX7R9BB104,C2 C6 C7 C8 C9
1,UVR1A682MHD,C3
2,CL10B105KP8NNNC,C4 C5
1,690-005-299-043,CON1
1,CDBA140-G,D1
1,XZCBD53W-6,D2
1,MZ1608-102Y,L1
16,009176002032006,IDC-CONN
1,RC0603JR-0722RL,R1
2,RC0603JR-0710KL,R2 R3
1,RC0603FR-07100RL,R4
2,RC0603JR-074K7L,R5 R6
8,G6KU-2F-RF DC5,U1-U8
1,AP2120N-3.0TRG1,U9
1,PIC16F1454-I/SL,U10
2,MC74HC595ADG,U11 U12
1,MMA8653FCR1,U13

I then fed that into the BOM tool at Octopart who went around and found where they're available and what they cost. I chose to just order all the parts from DigiKey to make it easy but, in theory, you could save $80 if you order from all over the place. I'm guessing shipping would more than consume that. Here is the Octopart BOM to use, feed that to whatever supplier you'd like.

The relays, G6KU-2F-RF, are the most expensive part at $22 each so the total BOM today is $197 (plus shipping). Somewhere down the road I'll look into alternates for those relays using something lower cost (if possible). For now, it is what it is.

As I said, I ended up ordering from DigiKey and have a shared cart you can order from here. You'll be presented with some options because some of the parts are cheaper per unit if you order a higher quantity. If you want spare parts go for it, otherwise just keep the BOM specified amounts.

At the end of all of this, if the project works, I'll contribute all of this back to the Github project so it's current to 2018. Remember, don't commit non-working stuff.

With that part done it's time to start on the firmware development environment for the PIC16 controller using the MPLAB-X IDE development environment.

Ethernet Tap Board - The Board

I am using the rev3 of the board from Github here.

I went with OSH Park based on someone's recommendation and I cannot state how wonderful that place is. I put together a board order that anyone can use (based on rev3) here. I ordered 3 of them to start with which made each board cost around $16 (including shipping). Not cheap but not bad considering it's a rather large size board, about the max you can do.

It took 6 days for these to arrive at my door and DURING the xmas season! Love OSH Park, total purple crush.


You could order these boards from many other places, including from overseas, but OSH makes it super easy, they're made in the US, they communicate the entire process and what showed up is great quality. Now, if it actually works or not is another thing... On to components.

Thursday, December 20, 2018

Ethernet TAP board

A while ago I watched this DEF CON 23 video on "looping" surveillance cameras and given how successful they appeared to be I just HAD to try it. They published all of their info and code on Github (of course) here so away I went to research. The first step was to figure out how to get some of the PCB's made so that'll be the first post in the series (when I get some time). Follow the TapBoard label/tag to see all of those posts. We're talking about making this a Burbsec south project so if others here come along for the ride I'll post links to their work along with our group progress.

And before you ask, it's a bit more than this:

Janitha Karunaratne | The Passive Splice Network Tap

So away we go!

Friday, December 14, 2018

Installing and using Tor on Mac OS X

I often have need to use Tor for various testing purposes, mainly to determine how an adversary uses it, and I often just want to run it from my Macbook Pro (cause I'm lazy). This doc will help you install, configure and use it. Not only that, I'll be able to do it again when I forget.

First things first, if you don't have Homebrew installed, do so. It's super easy to do, go here and run the command they say. If you don't want to read it, here it is:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Now you magically have Homebrew installed into your /usr/local tree. After that run the command 'brew install tor' and you'll get these files installed:

/usr/local/Cellar/tor/0.3.2.10/.bottle/etc/tor/torrc.sample
/usr/local/Cellar/tor/0.3.2.10/bin/tor
/usr/local/Cellar/tor/0.3.2.10/bin/tor-gencert
/usr/local/Cellar/tor/0.3.2.10/bin/tor-resolve
/usr/local/Cellar/tor/0.3.2.10/bin/torify
/usr/local/Cellar/tor/0.3.2.10/homebrew.mxcl.tor.plist
/usr/local/Cellar/tor/0.3.2.10/share/doc/ (4 files)
/usr/local/Cellar/tor/0.3.2.10/share/man/ (4 files)
/usr/local/Cellar/tor/0.3.2.10/share/tor/ (2 files)


  • cd to /usr/local/etc/tor and copy the file torrc.sample to torrc
  • Uncomment the line 'SOCKSPort 9050'
  • Uncomment the line 'Log notice file /usr/local/var/log/tor/notices.log'
  • Uncomment the line 'DataDirectory /usr/local/var/lib/tor'
  • At the end add the following lines (AutomapHostsOnResolve takes a 0/1 value, so give it the 1):
    • AutomapHostsOnResolve 1
    • DNSPort                53530
  • Save it and quit

So at this point we can start up Tor on the local machine and proxy traffic through it. So, start it up:

dy-mac:~ dyoung2$ tor
Dec 15 00:48:26.770 [notice] Tor 0.3.2.10 (git-31cc63deb69db819) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2q, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Dec 15 00:48:26.770 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 15 00:48:26.770 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Dec 15 00:48:26.774 [notice] Scheduler type KISTLite has been enabled.
Dec 15 00:48:26.774 [notice] Opening Socks listener on 127.0.0.1:9050
Dec 15 00:48:26.774 [notice] Opening DNS listener on 127.0.0.1:53530

And if you tail the log file:

Dec 15 00:49:04.000 [notice] Tor 0.3.2.10 (git-31cc63deb69db819) opening log file.
Dec 15 00:49:04.885 [warn] OpenSSL version from headers does not match the version we're running with. If you get weird crashes, that might be why. (Compiled with 100020ef: OpenSSL 1.0.2n  7 Dec 2017; running with 1000211f: OpenSSL 1.0.2q  20 Nov 2018).
Dec 15 00:49:04.904 [notice] Tor 0.3.2.10 (git-31cc63deb69db819) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2q, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Dec 15 00:49:04.904 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 15 00:49:04.904 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Dec 15 00:49:04.909 [notice] Scheduler type KISTLite has been enabled.
Dec 15 00:49:04.909 [notice] Opening Socks listener on 127.0.0.1:9050
Dec 15 00:49:04.909 [notice] Opening DNS listener on 127.0.0.1:53530
Dec 15 00:49:04.000 [notice] Parsing GEOIP IPv4 file /usr/local/Cellar/tor/0.3.2.10/share/tor/geoip.
Dec 15 00:49:05.000 [notice] Parsing GEOIP IPv6 file /usr/local/Cellar/tor/0.3.2.10/share/tor/geoip6.
Dec 15 00:49:05.000 [notice] Bootstrapped 0%: Starting
Dec 15 00:49:05.000 [notice] Starting with guard context "default"
Dec 15 00:49:05.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Dec 15 00:49:06.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Dec 15 00:49:07.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Dec 15 00:49:07.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 15 00:49:07.000 [notice] Bootstrapped 100%: Done

As you can see we now have a Tor circuit established, so anything sent through the SOCKS listener on local port 9050 goes over the Tor network. The first step there is to install torsocks from brew (as in brew install torsocks).

Now, to get things out over Tor you have several options, the first of which is this script called torify. I really don't remember where I picked it up but it goes as follows (it's a wrapper around torsocks):

#!/bin/sh
# This script used to call (the now deprecated) tsocks as a fallback in case
# torsocks wasn't installed.
# Now, it's just a backwards compatible shim around torsocks with reasonable
# behavior if -v/--verbose or -h/--help arguments are passed.
#
# Copyright (c) 2004, 2006, 2009 Peter Palfrader
# Modified by Jacob Appelbaum <jacob@appelbaum.net> April 16th 2006
# Stripped of all the tsocks cruft by ugh on February 22nd 2012
# May be distributed under the same terms as Tor itself


compat() {
echo "torify is now just a wrapper around torsocks(1) for backwards compatibility."
}

usage() {
compat
echo "Usage: $0 [-hv] <command> [<options>...]"
}

case $# in 0)
usage >&2
exit 1
esac

case $# in 1)
case $1 in -h|--help)
usage
exit 0
esac
esac

case $1 in -v|--verbose)
compat >&2
shift
esac

# taken from Debian's Developer's Reference, 6.4
pathfind() {
       OLDIFS="$IFS"
       IFS=:
       for p in $PATH; do
               if [ -x "$p/$*" ]; then
                       IFS="$OLDIFS"
                       return 0
               fi
       done
       IFS="$OLDIFS"
       return 1
}

if pathfind torsocks; then
    exec torsocks "$@"
    echo "$0: Failed to exec torsocks $@" >&2
    exit 1
else
    echo "$0: torsocks not found in your PATH.  Perhaps it isn't installed?  (tsocks is no longer supported, for security reasons.)" >&2
    exit 1
fi

I save that either in $HOME/bin or in /usr/local/bin, it's entirely up to you.

So now how about we just torify a bash session?

dy-mac:bin dyoung2$ torify /bin/bash
ERROR: /bin/bash is located in a directory protected by Apple's System Integrity Protection.

Ugh. I've looked around and there's no way around that one with torify, so how about we just torify an ssh session?

dy-mac:bin dyoung2$ torify ssh dyvpn01
ERROR: /usr/bin/ssh is located in a directory protected by Apple's System Integrity Protection.

The answer is here: just copy /usr/bin/ssh over to /usr/local/bin/ssh. Keep in mind the copy sits outside the OS update path, so it won't pick up the security fixes Apple ships for /usr/bin/ssh; re-copy it after system updates. Done:

Before Tor:

dy-mac:bin dyoung2$ ssh dyvpn01
[centos@dyvpn01 ~]$ set | grep SSH
SSH_CLIENT='SOME.COMCAST.IP 59649 22'

With Torify:

dy-mac:bin dyoung2$ torify /usr/local/bin/ssh dyvpn01
[centos@dyvpn01 ~]$ set | grep SSH
SSH_CLIENT='185.220.101.13 34123 22'

So now I'm in over Tor for an ssh session.

I've tried to install the Bash Brew and torify that, it works but things inside still use the OS IP path, not the Tor proxy. I'd love to know how to have an entire shell session "protected" by a torify'd proxy.

Now, you have to be careful because ALL of the other traffic on the Mac is going in the clear, NOT over Tor. To take care of that add this script (torme.sh) somewhere. You'll have to adjust for the network adapter you're using, I'm on WiFi here.

#!/usr/bin/env bash
# 'Wi-Fi' or 'Ethernet' or 'Display Ethernet'
INTERFACE=Wi-Fi

# Ask for the administrator password upfront
sudo -v

# Keep-alive: update existing `sudo` time stamp until finished
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

# trap ctrl-c and call disable_proxy()
function disable_proxy() {
    # quoted so a service name with a space ('Display Ethernet') works
    sudo networksetup -setsocksfirewallproxystate "$INTERFACE" off
    echo "$(tput setaf 64)" #green
    echo "SOCKS proxy disabled."
    echo "$(tput sgr0)" # color reset
}

trap disable_proxy INT

# Let's roll
sudo networksetup -setsocksfirewallproxy "$INTERFACE" 127.0.0.1 9050 off
sudo networksetup -setsocksfirewallproxystate "$INTERFACE" on

echo "$(tput setaf 64)" # green
echo "SOCKS proxy 127.0.0.1:9050 enabled."
echo "$(tput setaf 136)" # orange
echo "Starting Tor..."
echo "$(tput sgr0)" # color reset

tor

Note that at the very end it starts up the Tor daemon, so what we did previously to start it up isn't needed; use this script when you want MOST traffic routed over Tor on the machine. It's MOST rather than ALL because the system SOCKS proxy only covers applications that honour it, and an application that resolves names with the local resolver still leaks the DNS lookup even when the connection itself goes through 9050.

It handles all the startup and teardown on ctrl-c so when you stop it the script "undoes" the network settings.

dy-mac:bin dyoung2$ ./torme.sh
Password:
SOCKS proxy 127.0.0.1:9050 enabled.
Starting Tor...
Dec 15 01:04:25.734 [notice] Tor 0.3.2.10 (git-31cc63deb69db819) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2q, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Dec 15 01:04:25.734 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 15 01:04:25.734 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Dec 15 01:04:25.739 [notice] Scheduler type KISTLite has been enabled.
Dec 15 01:04:25.739 [notice] Opening Socks listener on 127.0.0.1:9050
Dec 15 01:04:25.739 [notice] Opening DNS listener on 127.0.0.1:53530
^C
SOCKS proxy disabled.

And in the log file:

Dec 15 01:04:25.739 [notice] Opening DNS listener on 127.0.0.1:53530
Dec 15 01:04:25.000 [notice] Parsing GEOIP IPv4 file /usr/local/Cellar/tor/0.3.2.10/share/tor/geoip.
Dec 15 01:04:25.000 [notice] Parsing GEOIP IPv6 file /usr/local/Cellar/tor/0.3.2.10/share/tor/geoip6.
Dec 15 01:04:25.000 [notice] Bootstrapped 0%: Starting
Dec 15 01:04:26.000 [notice] Starting with guard context "default"
Dec 15 01:04:26.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Dec 15 01:04:26.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Dec 15 01:04:27.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Dec 15 01:04:27.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 15 01:04:27.000 [notice] Bootstrapped 100%: Done
Dec 15 01:04:29.000 [notice] Interrupt: exiting cleanly.

At this point the browser is going over Tor, which we can verify by going to Tor Check (https://check.torproject.org/):


I haven't come up with a way to ensure ALL the traffic on the machine goes over Tor, I use a combination of torify, torsocks and torme.sh to handle things. For example, if you want to use Weechat over Tor just use this: torify weechat and away you go.
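The gap between "the connection goes through 9050" and "the DNS lookup goes through Tor" is the part that bites: a client that resolves the name itself and then hands Tor an IP leaks the name on the local network even though the exit IP looks right. The block below is an added example, not code from the original post or from the Tor project. It talks SOCKS5 to the listener the torrc above opens on 127.0.0.1:9050, always puts the hostname inside the request (address type 0x03) so Tor's exit does the lookup, and also uses Tor's RESOLVE command (0xF0, documented in Tor's socks-extensions spec, and what DNSPort and torsocks lean on) to resolve a name through the network. The hostnames and ports are illustrative and the server replies used to test the parser are constructed.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post or from the Tor project: a small
SOCKS5 client for the Tor listener the torrc above opens on 127.0.0.1:9050. The
hostname travels inside the SOCKS request (address type 0x03) so Tor does the DNS
lookup, not the Mac's resolver; resolving locally first is the classic DNS leak.
Tor's RESOLVE command (0xF0, from its socks-extensions spec) is shown as well.
Hostnames, ports and the server replies used to test this are constructed."""
import socket
import ssl
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT, CMD_RESOLVE = 0x01, 0xF0
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}

def greeting():
    """Version 5, one auth method on offer: 0x00, no authentication."""
    return bytes([SOCKS_VERSION, 1, 0x00])

def request(cmd, host, port):
    """SOCKS5 request carrying HOST as a domain name, so no local DNS lookup happens."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    return bytes([SOCKS_VERSION, cmd, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def parse_reply(data):
    """Return (reply_code, bound_address, bound_port) from a complete SOCKS5 reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated SOCKS5 reply")
    return code, addr, struct.unpack("!H", rest[:2])[0]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("Tor closed the connection")
        buf += chunk
    return buf

def _read_reply(sock):
    """Read exactly one reply: 4-byte header, then an address whose size depends on ATYP."""
    head = _recv_exact(sock, 4)
    if head[3] == ATYP_DOMAIN:
        n = _recv_exact(sock, 1)
        return parse_reply(head + n + _recv_exact(sock, n[0] + 2))
    return parse_reply(head + _recv_exact(sock, {ATYP_IPV4: 6, ATYP_IPV6: 18}.get(head[3], 0)))

def _socks_session(cmd, host, port, proxy, timeout):
    """Greet Tor, send one request and return (socket, bound_addr, bound_port)."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(greeting())
        if _recv_exact(sock, 2) != bytes([SOCKS_VERSION, 0x00]):
            raise OSError("Tor did not accept no-auth SOCKS5")
        sock.sendall(request(cmd, host, port))
        code, addr, bport = _read_reply(sock)
        if code != 0:
            raise OSError("Tor: " + REPLY_TEXT.get(code, "reply 0x%02x" % code))
        return sock, addr, bport
    except Exception:
        sock.close()
        raise

def tor_connect(host, port, proxy=("127.0.0.1", 9050), timeout=60):
    """TCP connection to HOST:PORT through Tor; the exit resolves HOST, the Mac never does."""
    return _socks_session(CMD_CONNECT, host, port, proxy, timeout)[0]

def tor_resolve(host, proxy=("127.0.0.1", 9050), timeout=60):
    """Resolve HOST through Tor instead of the local resolver (what DNSPort and torsocks do)."""
    sock, addr, _ = _socks_session(CMD_RESOLVE, host, 0, proxy, timeout)
    sock.close()
    return addr

if __name__ == "__main__":
    # Needs the tor started above; check.torproject.org reports whether we arrived via Tor.
    raw = tor_connect("check.torproject.org", 443)
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname="check.torproject.org")
    tls.sendall(b"GET /api/ip HTTP/1.0\r\nHost: check.torproject.org\r\n\r\n")
    print(tls.recv(4096).decode(errors="replace"))
    tls.close()
    print("example.org resolved through Tor:", tor_resolve("example.org"))
```

The thing to take from it is the shape of the request: four header bytes, then 0x03 and the literal hostname. Any client library or proxy setting that instead puts a 0x01 and four address bytes there has already done a DNS lookup on your side, torme.sh or not; curl's --socks5-hostname versus --socks5 is the same distinction.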

Go Tor it up.


Thursday, May 31, 2018

Secure the "Internet of Things" (IoT)

I'm going to digress from my usual posts about security and the rambling of notes for my personal projects into an actual article about something of substance: the Internet of Things. Those of us in the Information Security field know how insecure these systems can be, and they are often the bane of our existence. I, along with many others, keep saying how bad IoT vendors are about securing their devices, to the point of wanting legislation, so I'm going to briefly play devil's advocate and put myself in their shoes. I find this process is helpful for my own understanding of how something works and hopefully, if you're an IoT developer, it gives you an idea of our perspective.

So, the background first... I'm in the midst of developing a product & service that relies heavily on the Raspberry Pi platform and specifically the ODROID-C2 incarnation of the RPi. My requirements lean heavily on open source security tools and rather than making all of them work on Raspbian I chose to go with a security based Linux, namely Kali. Kali runs on the ARM platform, both the one that comes with the RPi-3B+ as well as the chip that comes on the ODROID-C2. Add to that the scripts to build the ARM version are open source. So, I decided to take the base Kali ARM system, modify it to suit my needs, and build my own version of it from scratch. This is very much an IoT project and is similar to what many other people need to do in order to get their software to run on the hardware out there. So, now I'm going into 'why' I have found the IoT world is so insecure and maybe a little on what we can do about it.

This brings us to the first thing I thought about: nearly all of it is homegrown software. If you are going down the Linux path you will be building things on your own. I'm also guessing many of the IoT developers don't have what I do, namely 20+ years using and managing Linux systems. As a result of needing to build from open source software, usually on your own, there's a ton of room to make mistakes. I get that, really, I do. But at the same time if you're one of these developers you should also realize this. Admit you're probably out of your depth and get help. Yes, it might cost real money and yes it might add time to your project but by all means do it. I myself was quite rusty on the internals of Debian (which Kali is based on) so I took a month to tear apart the basic process of building a Debian install (debootstrap, etc).

The next thing I noticed was a distinct lack of updated software, this is even more apparent in the IoT hardware world. I chose the ODROID-C2 because it comes with 2GB of RAM whereas the RPi-3B+ comes with 1GB and I need the additional RAM. This choice means I have to settle for whatever Linux distributions I can find that will work on this hardware, in my case Kali was one of the options. I will use a specific example of outdated software. When I started digging in to Kali ARM and the installer scripts I found that it uses an older kernel, 3.14, which puts it at 3-4 years old. A quick look at the Linux kernel site shows there were something like 79 revisions in the 3.14 tree, I'm guessing at least one of those was a security update/patch. So, why not just use a newer kernel you say? Glad you asked. I experimented with going to the latest 3.x release, 3.16.56, and it failed to compile. And that's just a small incremental update, I'm sure going to the 4.x kernel could be major surgery. Looking around the Kali ARM Github area I can see that issues go for months without responses, that there are only a handful of people working on it and of those only a couple appear to be active. I'm guessing support will be, ah, spotty at best.

So, what do you do? Continue to use a version of software that likely has vulnerabilities? Switch to a different distribution that might be more supported? Commit the time to make the latest release work (and donate it back)? I'm not sure which option I'll take at this point but it will likely be patching the more recent version and making it work. But what happens to other people using this, or comparable systems, that don't know how to do that? My guess is they just go with what works, possibly oblivious to the fact that what they're going to release is likely insecure. About that refrigerator running a 7 year old kernel...

As I have been developing this product I keep coming into situations where I am staring at what I consider to be "best practices" for security and catch myself thinking (and saying) "I'll work it out when I harden the device" which leads me to... You DO have a plan and time set aside for system hardening and security testing right? That's the phase in which you pretend like you're a bad guy and try to cause harm to your baby, seeing how much you can break in the process. Which leads me to... You DO have the ability to do this right? If not, again, GET HELP if you don't. There are people and companies out there that can do this. Yes, it will cost money and yes, it will take time but really, just do it. I have a suspicion many of the insecure devices we see never went through this phase. I'm also willing to bet many of the people that developed them didn't even know this was even a thing.

Now, the problem with the "I'll deal with it during hardening" is that things get missed, it happens, we're human and make mistakes. To counteract this you MUST fight the urge to "punt" until later and adopt secure practices throughout the entire development lifecycle. When gathering requirements, which I'm hoping you actually do, bake security in there. When you're actively developing use secure practices in your code, tools and processes. You DO know how to do this right? By now I hope you're getting the point here: get help when you need it. Again, yes, it might cost money and yes it might add time but you know it's the right thing to do.

Note how all the above represents a process of continuously asking the question "is what I am doing secure" and addressing those issues when they come up. I'm not punting to the next version to fix something, it gets done now.

/rant

Monday, May 21, 2018

ImportError: No module named MySQLdb

pip install mysql-python

error installing libmysqlclient-dev on kali linux

When trying to install the libmysqlclient-dev package on Kali you get the following error:

Package libmysqlclient-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'libmysqlclient-dev' has no installation candidate

Install default-libmysqlclient-dev instead:

apt-get install default-libmysqlclient-dev

Sunday, May 20, 2018

Python Celery MySQL results error

While trying to store Celery results in a MySQL database I received the following error:

Native table 'performance_schema'.'session_variables' has the wrong structure")

After some searching I found something that said to run 'mysql_upgrade -u root -p' then restart MySQL, this fixed the issue for me. The order in which things were done:

  • MySQL was installed using brew on OS/X 10.13.4 (mysqld  Ver 5.7.22 for osx10.13 on x86_64 (Homebrew))
  • mysql.server start
  • mysql_upgrade -u root -p
  • mysql.server stop
  • mysql.server start
The Celery code:

#!/usr/bin/env python
from celery import Celery

app = Celery('tasks',
             broker='pyamqp://guest@localhost//',
             backend='db+mysql://root:password@localhost/pigpen')

@app.task
def add(x, y):
    return x + y

Celery output worker side:

celery@dy-mac.local v4.2.0rc3 (windowlicker)

Darwin-17.5.0-x86_64-i386-64bit 2018-05-20 15:20:01

[config]
.> app:         tasks:0x10e073590
.> transport:   amqp://guest:**@localhost:5672//
.> results:     mysql://root:**@localhost/pigpen
.> concurrency: 8 (prefork)
.> task events: OFF (enable -E to monitor tasks in this worker)

[queues]
.> celery           exchange=celery(direct) key=celery


[tasks]
  . tasks.add

[2018-05-20 15:20:02,927: INFO/MainProcess] Connected to amqp://guest:**@127.0.0.1:5672//
[2018-05-20 15:20:02,941: INFO/MainProcess] mingle: searching for neighbors
[2018-05-20 15:20:04,071: INFO/MainProcess] mingle: all alone
[2018-05-20 15:20:04,117: INFO/MainProcess] celery@dy-mac.local ready.
[2018-05-20 15:20:32,312: INFO/MainProcess] Received task: tasks.add[9a6c0983-64cf-4053-a64f-04894704badf]
[2018-05-20 15:20:33,263: WARNING/ForkPoolWorker-5] /Users/dyoung2/anaconda/lib/python2.7/site-packages/sqlalchemy/engine/default.py:507: Warning: Invalid utf8 character string: '80024B'
  cursor.execute(statement, parameters)
[2018-05-20 15:20:33,266: INFO/ForkPoolWorker-5] Task tasks.add[9a6c0983-64cf-4053-a64f-04894704badf] succeeded in 0.950585585s: 6

Python client side results:

Python 2.7.13 |Anaconda 4.3.1 (x86_64)| (default, Dec 20 2016, 23:05:08)
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
Anaconda is brought to you by Continuum Analytics.
Please check out: http://continuum.io/thanks and https://anaconda.org
>>> from tasks import *
>>> result = add.delay(3,3)
>>> result.status
'SUCCESS'
>>> result.ready()
True
>>> result.get()
6



Tuesday, May 15, 2018

Python notes

A few interesting Python things that I always forget how to do. The problem is I don't write Python code on a daily basis, nor have I done so for many years like I did Perl, so I tend to forget things in between the times I do write it. I'll add more here as I come across them.

Formatting a value (an int here) into a string with a named %(var)s placeholder and a dict, note the %(var)s part.

print("\nServices running on localhost:%(port)s\n" % {'port': port})

Catching CTRL-C:

import signal
import sys

def signal_handler(signum, frame):
    # signum is the signal number, frame the interrupted stack frame
    print('You pressed Ctrl+C!')
    print("Exiting...")
    sys.exit(0)

signal.signal(signal.SIGINT, signal_handler)

Full absolute path for a log file

from os.path import abspath, dirname, join, normpath

# file.log next to this script, regardless of the current working directory
logfile = join(dirname(normpath(abspath(__file__))), 'file.log')





OpenVAS Performance Tuning

As part of a project I'm working on right now I wanted to know what the "optimal" settings were for running OpenVAS on an ODROID-C2 Raspberry Pi type system. This single board computer (SBC) has 4 CPU cores and 2GB of RAM along with a gigabit Ethernet adapter. My test system is running Kali Linux, 2018.2, with all current updates before being tested.

For the tests I picked one scan target to run the jobs against, a single IP address on my network that I know had a few minor vulnerabilities. I wanted to test the various settings such as max_hosts, max_checks, be_nice and whether or not the host was already in the database. I made one change at a time and submitted the job to the default scanner using the "Full and fast" scan type each time. My submission XML looks like this:

<create_task>
  <name>New 10.0.0.9</name>
  <comment>cmdline scan</comment>
  <config id="daba56c8-73ec-11df-a475-002264764cea"/>
  <target id="5b9c2dde-77ab-4511-b439-c96984843f5b"/>
  <preferences>
    <preference>
        <scanner_name>max_checks</scanner_name>
        <value>12</value>
    </preference>
  </preferences>
</create_task>

My script to submit that to the scanner is:

#!/bin/bash
#
set -euo pipefail

# Submit the task definition and pull the new task's id out of the
# <create_task_response ... id="..."/> by attribute rather than by word position.
RETVAL=$(omp --xml - < create_task.xml)
TASK=$(printf '%s\n' "$RETVAL" | sed -n 's/.*[[:space:]]id="\([^"]*\)".*/\1/p')

if [ -z "$TASK" ]; then
    echo "create_task failed: $RETVAL" >&2
    exit 1
fi

omp --start-task "$TASK"
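The wrapper above feeds hand-written XML to omp and scrapes the task id back out of the response. As an added example (not from the original post or from the OpenVAS project), here is the same submission in Python: the <create_task> document is built with ElementTree so a task name or comment containing < or & is escaped instead of breaking the document, the preferences (max_checks, max_hosts) are passed as keyword arguments, and the id is read from the create_task_response attribute with the status checked first. The config and target ids are the ones from the XML above; that the omp binary is on PATH and reads its credentials from its own config file is an assumption, and it is only invoked from the main block.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or from the OpenVAS project): build the
<create_task> XML from the post with ElementTree instead of hand-written strings, and
read the task id out of <create_task_response> by attribute. The config and target ids
are the ones in the post; omp on PATH (with its own config file for credentials) is an
assumption and is only touched from main()."""
import re
import subprocess
import xml.etree.ElementTree as ET

FULL_AND_FAST = "daba56c8-73ec-11df-a475-002264764cea"   # "Full and fast" config id from the post
TARGET_FROM_POST = "5b9c2dde-77ab-4511-b439-c96984843f5b"
UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def create_task_xml(name, target_id, config_id=FULL_AND_FAST, comment="cmdline scan", **prefs):
    """Return the <create_task> document; prefs become scanner preferences (max_checks=8, ...)."""
    for ident in (target_id, config_id):
        if not UUID.match(ident):
            raise ValueError("not a UUID: %r" % ident)
    task = ET.Element("create_task")
    ET.SubElement(task, "name").text = name          # ElementTree escapes <, > and &
    ET.SubElement(task, "comment").text = comment
    ET.SubElement(task, "config", id=config_id)
    ET.SubElement(task, "target", id=target_id)
    if prefs:
        block = ET.SubElement(task, "preferences")
        for key in sorted(prefs):
            pref = ET.SubElement(block, "preference")
            ET.SubElement(pref, "scanner_name").text = key
            ET.SubElement(pref, "value").text = str(prefs[key])
    return ET.tostring(task, encoding="unicode")


def task_id_from_response(xml_text):
    """Parse <create_task_response status="201" ... id="..."/>; raise on a non-2xx status."""
    root = ET.fromstring(xml_text)
    if root.tag != "create_task_response":
        raise ValueError("unexpected response element <%s>" % root.tag)
    status = root.get("status", "")
    if not status.startswith("2"):
        raise RuntimeError("create_task failed: %s %s" % (status, root.get("status_text", "")))
    task_id = root.get("id", "")
    if not UUID.match(task_id):
        raise ValueError("no task id in response")
    return task_id


def omp(xml_text):
    """Send one OMP command through the omp CLI and return its XML reply (assumes omp on PATH)."""
    return subprocess.run(["omp", "--xml", "-"], input=xml_text, text=True,
                          capture_output=True, check=True).stdout


if __name__ == "__main__":
    doc = create_task_xml("New 10.0.0.9", TARGET_FROM_POST, max_hosts=1, max_checks=8)
    task = task_id_from_response(omp(doc))
    print("created task", task)
    print(omp('<start_task task_id="%s"/>' % task))
```

Checking the status attribute before trusting the id matters with omp because a rejected task still produces a well-formed response, just without the id, and the original awk pipeline would happily hand an empty string to --start-task.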

I tracked the results of each scan, here's the raw data:



max_hosts  max_checks  be_nice  num hosts  host in db?  alterable  run time (min)
4          2           yes      1          yes          yes        31
4          4           yes      1          no           yes        26
4          4           yes      1          yes          yes        26
4          4           yes      1          yes          yes        25
4          4           no       1          yes          yes        25
4          6           no       1          no           yes        24
4          6           no       1          yes          yes        25
4          8           no       1          yes          yes        24
4          10          no       1          yes          yes        30
4          12          no       1          yes          yes        50

And a couple charts based on that data:



What did I find?

  • Whether or not the host is in the database doesn't appear to impact performance. There appears to be no appreciable benefit on a single host scan if there is existing data.
  • The be_nice setting in openvassd.conf doesn't appear to have an appreciable impact on performance.
  • After 6-8 checks per host there is no noticeable positive effect on performance, it plateaus around there then starts to drop, by 12 performance is BAD. But remember, this system only has 4 cores in it.
  • Load average on the system went pretty high during the scans, as much as 5 at some points but the system was still useable while at that level. I'm amazed at these little boxes. vi would hesitate a bit on load but nothing terrible.
So, what happens if you want to scan a dozen hosts? If you're using only one ODROID I'm recommending you don't exceed 8 active plugins running at any point in time, so you'd set max_hosts to 2 and max_checks to 4 or just allow 1 host at a time and 8 checks, up to you. I plan on testing multiple hosts next, we shall see if there's any benefit in running more than one host at a time. The other option? Split that scan up across multiple ODROIDS using something like Celery and RabbitMQ, that's what my service is built on.

Caveats, notes and todos

  • The target I tested had very few minor vulnerabilities though OpenVAS runs whatever was specified in the scan config regardless.
  • Remember, this system only has 4 cores.
  • Need to run the same tests against a VM that has vulnerabilities, Metasploitable or DVWA.
  • Test multiple hosts at the same time to see where things get crappy.
  • No idea if the decreases in performance around 10 are due to I/O, I wasn't monitoring it but my gut says no, it's not.


Monday, May 14, 2018

Metasploitable exploitability guide

A good intro to Metasploitable: https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide

Metasploitable root access

To gain root access to Metasploitable you first need to log in to the console as the user msfadmin, with the same text as the password (msfadmin). From there do a sudo su, enter that same msfadmin password and away you go.

OpenVAS Commands

This is about the best reference I've found for the XML you need to create when submitting commands via the omp command.

http://www.openvas.org/omp-2-0.html

Change OpenVAS password

For some reason my last automated install of OpenVAS didn't catch the creation of the random password at the beginning; here's how to change it manually:

openvasmd --user=admin --new-password=<new_password>


OpenVAS on all interfaces

By default OpenVAS only listens for connections on 127.0.0.1; if you want to access it from another machine you'll need to do this:

cd /lib/systemd/system && sed -e 's/127.0.0.1/0.0.0.0/g' greenbone-security-assistant.service openvas-manager.service openvas-scanner.service -i.BAK

After that run systemctl daemon-reload and either reboot or restart those services with systemctl. The -i.BAK option makes sed keep a copy of each original file, with a .BAK extension, in that directory should something go wrong.

OpenVAS port 80

By default the OpenVAS security assistant (gsad) listens on port 80 and redirects connections to port 9392, which causes issues if you want to run a web server on the same machine. It shows up in lsof like this:

root@pi-5785:/var/log/openvas# lsof -iTCP -sTCP:LISTEN
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd        349     root    3u  IPv4  12027      0t0  TCP *:ssh (LISTEN)
sshd        349     root    4u  IPv6  12029      0t0  TCP *:ssh (LISTEN)
gsad      12465     root    5u  IPv4 471034      0t0  TCP *:9392 (LISTEN)
gsad      12468     root    5u  IPv4 471736      0t0  TCP *:http (LISTEN)
openvasmd 14004     root    4u  IPv4 479681      0t0  TCP *:9390 (LISTEN)
postgres  16285 postgres    3u  IPv6  36152      0t0  TCP localhost:postgresql (LISTEN)
postgres  16285 postgres    6u  IPv4  36153      0t0  TCP pi-5785:postgresql (LISTEN)

Note gsad listening on port 80 there as well as 9392.

To completely disable port 80 on Kali Linux, and only use 9392, edit the file /lib/systemd/system/greenbone-security-assistant.service and add the --no-redirect option to the ExecStart part:

ExecStart=/usr/sbin/gsad --foreground --no-redirect --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390

After that run systemctl daemon-reload then systemctl restart greenbone-security-assistant and port 80 won't be listening.
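The two unit-file edits above (rebinding the listen addresses and adding --no-redirect) as one script, added here as an example and not part of the original post or of the OpenVAS project. It takes the unit directory and the bind address as parameters, so it can be tried on copies first and can bind to one LAN address instead of 0.0.0.0, which listens on every interface the box has. The unit file names and the gsad ExecStart form are the ones quoted above; the function names and the parameters are my own.

```shell
#!/bin/sh
# Added example (not from the original post): rebind the OpenVAS/GSA unit files
# to a chosen address and disable gsad's port-80 redirect, keeping a .BAK copy
# of each original file, as the post's sed -i.BAK does.
set -eu

# rebind_units DIR ADDR: replace 127.0.0.1 with ADDR in the three unit files.
# ADDR can be one interface's address (e.g. the ODROID's LAN IP), which exposes
# less than 0.0.0.0. DIR/<unit>.BAK keeps the untouched original.
rebind_units() {
    dir="$1"; addr="$2"
    for unit in greenbone-security-assistant.service openvas-manager.service openvas-scanner.service; do
        [ -f "$dir/$unit" ] || continue
        cp -p "$dir/$unit" "$dir/$unit.BAK"
        sed "s/127\.0\.0\.1/$addr/g" "$dir/$unit.BAK" > "$dir/$unit"
    done
}

# disable_redirect DIR: add --no-redirect to gsad's ExecStart line unless it is
# already there, so gsad stops binding port 80 (the *:http line in the lsof
# output above). Idempotent, so re-running it is safe.
disable_redirect() {
    unit="$1/greenbone-security-assistant.service"
    grep -q -- '--no-redirect' "$unit" && return 0
    [ -f "$unit.BAK" ] || cp -p "$unit" "$unit.BAK"
    sed 's|^\(ExecStart=/usr/sbin/gsad\)|\1 --no-redirect|' "$unit" > "$unit.tmp" && mv "$unit.tmp" "$unit"
}

# listen_addr DIR UNIT: print the --listen= value from UNIT's ExecStart line,
# for checking the result before systemctl daemon-reload.
listen_addr() {
    sed -n 's/.*--listen=\([^ ]*\).*/\1/p' "$1/$2"
}

# On the real box (as root), then: systemctl daemon-reload && systemctl restart greenbone-security-assistant
# rebind_units /lib/systemd/system 192.0.2.10   # 192.0.2.10 is a placeholder for your LAN address
# disable_redirect /lib/systemd/system
```

After running it, lsof -iTCP -sTCP:LISTEN should show gsad only on 9392 and openvasmd on 9390, bound to the address you chose rather than *.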

Sunday, April 29, 2018

systemd and rc.local

Once again while in systemd land I discovered something, how to re-re-enable rc.local. Granted, from what I’ve read rc.local should really go the way of the dodo but I don’t feel like writing the new systemd stuff.

Link here.

To summarize it up:

The solution 

As you can see from above, the unit file has no [Install] section. As such systemd cannot enable it. First we need to create a file:

sudo vi /etc/systemd/system/rc-local.service

Then add the following content to it.

[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target

Save and close the file. Make sure /etc/rc.local file is executable.

sudo chmod +x /etc/rc.local

After that, enable the service on system boot:

sudo systemctl enable rc-local

Output:

Created symlink from /etc/systemd/system/multi-user.target.wants/rc-local.service to /etc/systemd/system/rc-local.service.

Now start the service and check its status:

sudo systemctl start rc-local.service
sudo systemctl status rc-local.service

Kali default runlevel

As I’m customizing the Kali image for my pen bot I once again came across the hell that is systemd, what would have been rc.local is now of course a steaming pile of systemd stuff. The same goes for the default run level since init is now a thing of the past, this Stack Exchange answer was helpful. You can no longer just set the initdefault level in /etc/inittab.

Debian as-shipped boots towards the graphical target. You can see this yourself:
$ ls -l /etc/systemd/system/default.target...No such file or directory
$ ls -l /lib/systemd/system/default.target... /lib/systemd/system/default.target -> graphical.target

So to boot towards the multi-user target all you need do is to put in your own target:
$ cd /etc/systemd/system/
$ sudo ln -s /lib/systemd/system/multi-user.target default.target


It is highly recommended not to mess with manual symlinking, but rather to use the appropriate options of the systemctl command. In this case, to set the default target you should run:
# systemctl set-default multi-user.target

Saturday, April 28, 2018

OpenVPN server on a Raspberry Pi

I am in the middle of configuring a Raspberry Pi 3 to act as an OpenVPN server for my remote pen test bots to use as Command and Control (C2). Ultimately C2 will run in AWS but for now I'm prototyping at home using my crappy Comcast connection. The first issue to get around is the lack of a static IP for the clients to connect to so I'm setting up NoIP as the dynamic DNS for this, here's what I've done.

Step one, go to www.no-ip.com and create a free account. Once that’s done create a hostname for your dynamic connection.

Step two, obtain and install the No-IP Linux client on the Pi like this:

cd /usr/local/src/
wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
tar xvf noip-duc-linux.tar.gz
cd noip-2.1.9.1/
make install

This leaves /usr/local/bin/noip2 in place. Run it and you will be prompted for the username/password of the No-IP account created in step 1; this creates /usr/local/etc/no-ip2.conf.

Step three, create an init script. Edit a file /etc/init.d/noip2 and add the following contents to it:

#!/bin/sh
# /etc/init.d/noip2

# Supplied by no-ip.com
# Modified for Debian GNU/Linux by Eivind L. Rygge <eivind@rygge.org>
# Updated by David Courtney to not use pidfile 130130 for Debian 6.
# Updated again by David Courtney to "LSBize" the script for Debian 7.

### BEGIN INIT INFO
# Provides: noip2
# Required-Start: networking
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start noip2 at boot time
# Description: Start noip2 at boot time
### END INIT INFO

# . /etc/rc.d/init.d/functions # uncomment/modify for your killproc

DAEMON=/usr/local/bin/noip2
NAME=noip2

test -x $DAEMON || exit 0

case "$1" in
    start)
        echo -n "Starting dynamic address update: "
        start-stop-daemon --start --exec $DAEMON
        echo "noip2."
        ;;
    stop)
        echo -n "Shutting down dynamic address update:"
        start-stop-daemon --stop --oknodo --retry 30 --exec $DAEMON
        echo "noip2."
        ;;
    restart)
        echo -n "Restarting dynamic address update: "
        start-stop-daemon --stop --oknodo --retry 30 --exec $DAEMON
        start-stop-daemon --start --exec $DAEMON
        echo "noip2."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0

Install it to run at startup with the command update-rc.d noip2 defaults, then run it via service noip2 start. You can check it via service noip2 status; you should be good to go.

Friday, January 12, 2018

Kali Pi Linux plus Mana

One to try:

https://dantheiotman.com/2017/11/21/using-re4sons-kali-pi-the-mana-toolkit-on-a-raspberry-pi-3/

malDuino

Another interesting bad USB key:

https://shop.malduino.com/

Thursday, January 4, 2018

Raspberry Pi Pentest

I've been in the process of building out a Raspberry Pi 3 with Kali ARM Linux that can run some of the Kali included security tools, namely OpenVAS and Metasploit. After getting it installed, which I'll document more when it's ready, I got OpenVAS working but when I ran Metasploit I received the following:

       =[ metasploit v4.16.28-dev                         ]
+ -- --=[ 1715 exploits - 984 auxiliary - 300 post        ]
+ -- --=[ 507 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.10/lib/active_support/core_ext/kernel/agnostics.rb:7:in ``': Cannot allocate memory - infocmp (Errno::ENOMEM)
from /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.10/lib/active_support/core_ext/kernel/agnostics.rb:7:in ``'
from /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/rb-readline-0.5.5/lib/rbreadline.rb:1815:in `get_term_capabilities'
from /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/rb-readline-0.5.5/lib/rbreadline.rb:2027:in `_rl_init_terminal_io'
from /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/rb-readline-0.5.5/lib/rbreadline.rb:2564:in `readline_initialize_everything'
from /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/rb-readline-0.5.5/lib/rbreadline.rb:3849:in `rl_initialize'
from /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/rb-readline-0.5.5/lib/rbreadline.rb:4868:in `readline'
from /usr/share/metasploit-framework/lib/rex/ui/text/input/readline.rb:162:in `readline_with_output'
from /usr/share/metasploit-framework/lib/rex/ui/text/input/readline.rb:100:in `pgets'
from /usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:189:in `run'
from /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
from /usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
from /usr/bin/msfconsole:48:in `<main>'

The Raspberry Pi 3 only has 1GB of RAM and around 750MB of it was being used by the OS and OpenVAS, so Metasploit couldn't get enough. I'm considering moving to an ODROID-C2 that has 2GB of RAM, but that would require a new Kali image. While watching htop as msfconsole fired up I noticed that the Kali ARM dist doesn't have a swap partition or file, so there's no swap space.

You can see this by running the 'free' command:

root@pi2222:/home/support# free
              total        used        free      shared  buff/cache   available
Mem:         949568      470544       68604       42588      410420      420912
Swap:             0           0           0

Run the following to create a 1GB swap file in /var and add it to the OS. Increase the dd count to 2000 to make it a 2GB file.

root@pi2222:~# cd /var
root@pi2222:/var# ls
backups  cache lib  local  lock  log  mail  opt  run  spool  tmp  www
root@pi2222:/var# touch swap.img
root@pi2222:/var# chmod 600 swap.img
root@pi2222:/var# dd if=/dev/zero of=/var/swap.img bs=1024k count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB, 1000 MiB) copied, 94.6194 s, 11.1 MB/s
root@pi2222:/var# mkswap /var/swap.img
Setting up swapspace version 1, size = 1000 MiB (1048571904 bytes)
no label, UUID=91f5050f-ca7e-4fe8-9fc5-21ac5aecb478
root@pi2222:/var# swapon /var/swap.img

Now we have swap space:

root@pi2222:/var# free
              total        used        free      shared  buff/cache   available
Mem:         949568      468852       11584       42588      469132      422628
Swap:       1023996           0     1023996

Now msfconsole works, albeit a little slowly, so we'll see how it goes. I might just try an ODROID-C2 to see how it works, it has more cores and is 64-bit as well but is also double the cost of a Raspberry Pi 3.
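The swap-file steps above as one script, added here as an example and not part of the original post. It performs the same sequence (touch, chmod 600 before the file is written, dd, mkswap, swapon) with the path and size as parameters, defaults matching the post's 1000 x 1024k at /var/swap.img, and adds one thing the steps above leave out: an /etc/fstab entry, so the swap file is still active after the Pi reboots. The function names and the fstab parameter are my own; dd, mkswap and swapon are the standard coreutils/util-linux tools the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): create, activate and persist a
# swap file on a Kali ARM box that ships without swap.
set -eu

# fstab_swap_line FILE: the /etc/fstab entry for a swap file at FILE.
fstab_swap_line() {
    printf '%s none swap sw 0 0\n' "$1"
}

# ensure_fstab_swap FSTAB FILE: append the entry to FSTAB unless an entry for
# FILE is already there, so running the script twice does not duplicate it.
ensure_fstab_swap() {
    fstab="$1"; file="$2"
    if ! grep -q "^$file[[:space:]]" "$fstab" 2>/dev/null; then
        fstab_swap_line "$file" >> "$fstab"
    fi
}

# make_swap_file FILE SIZE_MB [FSTAB]: build and activate the swap file and
# register it in FSTAB (default /etc/fstab). Needs root. The mode is set to
# 0600 before dd writes any data, so the file is never readable by other
# users: swap holds whatever the kernel pages out of process memory.
make_swap_file() {
    file="$1"; size_mb="$2"; fstab="${3:-/etc/fstab}"
    touch "$file"
    chmod 600 "$file"
    dd if=/dev/zero of="$file" bs=1024k count="$size_mb"
    mkswap "$file"
    swapon "$file"
    ensure_fstab_swap "$fstab" "$file"
}

# swap_active FILE: succeeds if FILE is currently in use as swap
# (the same information 'free' and /proc/swaps show).
swap_active() {
    grep -q "^$1 " /proc/swaps
}

# As root, with the post's defaults (1 GB at /var/swap.img):
# make_swap_file /var/swap.img 1000 && swap_active /var/swap.img && echo "swap on"
```

Use 2000 for the second argument to get the 2GB file mentioned above; the fstab entry means a later 'free' after reboot still shows the Swap line populated.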

Special thanks to this page for guidance on how to do this: https://www.optiv.com/blog/create-a-budget-friendly-virtual-private-server-with-a-metasploit-instance

Wednesday, January 3, 2018

Nikto on OS/X

How about that, a Homebrew formula for Nikto on OS X: brew install nikto.

Kali Linux 2017 VirtualBox Guest Additions

I normally run Kali in a VirtualBox VM locally and never really dug into the guest additions; not having host-to-guest copy/paste finally annoyed me enough to find out how to install them. Turns out it's easy.

https://www.blackmoreops.com/2017/01/24/install-virtualbox-guest-additions-in-kali-linux/

Run apt-get update && apt-get upgrade && apt-get dist-upgrade then reboot. After that run apt-get install virtualbox-guest-x11 and reboot. Done.

Current Audible Reading List

Title You Never Forget Your First: A Biography of George Washington A Self-Made Man: The Politica...