Thursday, December 27, 2018
The only 3 reasons to have a meeting
I, as well as most of you, feel as though we have meetings at work far too often, so I'm putting down on "paper" my views on the subject. I recently read this article on the 3 reasons to have a meeting; my views are close to this but I'll extend and change that a wee bit. Drumroll please...
- To provide information. This is one where I'll be even more specific than the other article: this isn't just a status update meeting, do those over email for god's sake. Don't make me sit there and watch PowerPoint slides of your stats and KPIs, email those out. The rule in my framework is this: if it's to a large group of people, say a department, and you're sharing strategy, this is a good meeting, but please make it interactive. The other attribute is your proximity in the communication continuum: the closer you are to bad news, the closer to being in person you should be. Meetings to develop projects, tactics or strategy often fall in this category.
- To make decisions. This really should be #1; we can actually debate whether or not #1 is even needed, but this one actually is. Debates and quagmires happen over email because it's an async, fire-and-forget process that always loses inflection and tone. When you need to make a decision, especially a shared one, do it together. This is one of those that doesn't always need to be in person; it can be done via a conference call.
- To gather group feedback. This is one of the most important meetings you can have; things like lessons learned, brainstorming, working groups and such are far more effective using in-person meeting formats.
Wednesday, December 26, 2018
Installing new firmware on a Hak5 Packet Squirrel
A while back I acquired a Hak5 Packet Squirrel to experiment with, but at the time the firmware (1.0) was still sort of weak and had issues. I recently decided to give it a go again since there's newer firmware (2.0) out. The problem I had is with their instructions, which read:
Firmware Upgrades
From time to time the Packet Squirrel may be updated with new firmware to add features and
security improvements. It is highly recommended that you keep your Packet Squirrel up to date with the
latest firmware. To install the latest firmware:
- Download the upgrade file. Make sure that the filename is upgrade-version.bin (where version is the firmware version, e.g. 1.2) and check that the SHA-256 sum matches.
- Copy the upgrade file to the root of an NTFS or EXT4 formatted USB flash drive. Do not rename, unpack or otherwise alter this file.
- Plug the USB drive into the powered-off Packet Squirrel
- Flip the Packet Squirrel payload select switch to Arming mode (far right, closest to the USB flash drive)
- Power on the Packet Squirrel from a reliable USB power source. This process takes 5-10 minutes and will be indicated by a series of LED lights. Do not power-off or otherwise interrupt the device until the flashing process completes.
During the firmware flashing process, the LED will indicate the following states:
- Green flashing – booting up
- Red/Blue alternating – beginning firmware flash
- Solid Red or Blue – firmware flash in progress
- Green flashing – rebooting
- Blue flashing – upgrade complete, arming mode ready
Note the part that says it needs to be NTFS or EXT4; as I discovered, it really does have to be that. I tried ExFAT, FAT and even EXT2, and none of them worked, oh well. Why did I try those and not NTFS? Simple: I'm a Mac user.
After digging around I tried to install Paragon, which failed to install, then tried the Brew port of e2fsprogs as well as the NTFS-3G FUSE driver via Brew. None of them would do NTFS (write) or EXT4, so I just stuck the USB key in one of my Linux servers. Here's the process.
(Note that your USB flash disk will likely NOT be sdf; use fdisk -l to see what it actually is. It's usually sdc.)
- fdisk /dev/sdf
- Delete the partition and create a new Linux one, use the defaults for the size
- Write that out and exit fdisk
- mkfs.ext4 /dev/sdf1
- mount /dev/sdf1 /mnt
- cp upgrade-2.0.bin /mnt
- umount /mnt
Plug that into the Squirrel and wait for the blinky blinky to stop; at that point it's done and RTG. No idea why I didn't do that to start with, it took a total of 5 minutes. Oh well, I now know 5 ways to NOT format NTFS or EXT4 on a Mac.
FYI, it took mine close to 20 minutes to flash up my squirrel, not the 5-10 they say. It's S L O W.
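The Hak5 steps above ask you to check the filename and the SHA-256 sum before copying, and the stick has to be EXT4 or NTFS; the following prep_squirrel_usb.sh is an added example (not from Hak5 or this post) that does those checks on the Linux box before the copy, so a corrupt download or a wrongly formatted drive is caught before a 20-minute flash cycle. It assumes the partition (e.g. /dev/sdf1) was already created with fdisk as above, that the expected hash is the one published with the download, and that sha256sum or shasum plus blkid are on the PATH.

```shell
#!/bin/sh
# prep_squirrel_usb.sh (added example): check the upgrade file the way the
# Hak5 instructions ask (name upgrade-<version>.bin, SHA-256 matches) and
# confirm the stick is EXT4 or NTFS before copying.
# Assumed: the partition (e.g. /dev/sdf1) was created with fdisk as above,
# and the expected hash is the one published alongside the download.

# 0 when the basename looks like upgrade-<version>.bin (e.g. upgrade-2.0.bin).
check_upgrade_name() {
    case "$(basename "$1")" in
        upgrade-[0-9]*.bin) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the SHA-256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# 0 when the file's digest equals the expected hex digest (case-insensitive).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# 0 when the filesystem type (as blkid reports it) is one the Squirrel reads.
fs_type_ok() {
    case "$1" in
        ext4|ntfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Destructive: format the partition as EXT4, re-check its type, copy the file
# under its original name (the docs say not to rename it). Run as root on Linux;
# it only executes when the script is called with three arguments.
prepare_usb() {
    part=$1; upgrade=$2; expected=$3
    check_upgrade_name "$upgrade" || { echo "bad filename: $upgrade" >&2; return 1; }
    verify_sha256 "$upgrade" "$expected" || { echo "SHA-256 mismatch: refusing to copy" >&2; return 1; }
    mkfs.ext4 -F "$part" || return 1
    fs_type_ok "$(blkid -o value -s TYPE "$part")" || { echo "$part is not ext4/ntfs" >&2; return 1; }
    mount "$part" /mnt && cp "$upgrade" /mnt/ && sync && umount /mnt
}

# Usage: sudo ./prep_squirrel_usb.sh /dev/sdf1 upgrade-2.0.bin <sha256 from the download page>
if [ "$#" -eq 3 ]; then
    prepare_usb "$1" "$2" "$3"
fi
```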
Saturday, December 22, 2018
Ethernet Tap Board - Components
After ordering the boards I went off to research the various components and source them. Step one was to use the BOM from Github to see what is still currently available; it's 2-3 years old now. After researching and contacting DigiKey I have come up with this as my orderable BOM (quantity, part number, reference designators):
Qty,Part Number,Ref Des
1,CL10F474ZB8NNNC,C1
5,CC0603KRX7R9BB104,C2 C6 C7 C8 C9
1,UVR1A682MHD,C3
2,CL10B105KP8NNNC,C4 C5
1,690-005-299-043,CON1
1,CDBA140-G,D1
1,XZCBD53W-6,D2
1,MZ1608-102Y,L1
16,009176002032006,IDC-CONN
1,RC0603JR-0722RL,R1
2,RC0603JR-0710KL,R2 R3
1,RC0603FR-07100RL,R4
2,RC0603JR-074K7L,R5 R6
8,G6KU-2F-RF DC5,U1-U8
1,AP2120N-3.0TRG1,U9
1,PIC16F1454-I/SL,U10
2,MC74HC595ADG,U11 U12
1,MMA8653FCR1,U13
I then fed that into the BOM tool at Octopart, which went around and found where they're available and what they cost. I chose to just order all the parts from DigiKey to make it easy but, in theory, you could save $80 if you order from all over the place. I'm guessing shipping would more than consume that. Here is the Octopart BOM to use; feed that to whatever supplier you'd like.
The relays, G6KU-2F-RF, are the most expensive part at $22 each so the total BOM today is $197 (plus shipping). Somewhere down the road I'll look into alternates for those relays using something lower cost (if possible). For now, it is what it is.
As I said, I ended up ordering from DigiKey and have a shared cart you can order from here. You'll be presented with some options because some of the parts are cheaper per unit if you order a higher quantity. If you want spare parts go for it, otherwise just keep the BOM specified amounts.
At the end of all of this, if the project works, I'll contribute all of this back to the Github project so it's current to 2018. Remember, don't commit non-working stuff.
With that part done it's time to start on the firmware development environment for the PIC16 controller using the MPLAB-X IDE development environment.
Ethernet Tap Board - The Board
I am using the rev3 of the board from Github here.
I went with OSH Park based on someone's recommendation and I cannot overstate how wonderful that place is. I put together a board order that anyone can use (based on rev3) here. I ordered 3 of them to start with, which made each board cost around $16 (including shipping). Not cheap but not bad considering it's a rather large board, about the max you can do.
It took 6 days for these to arrive at my door and DURING the xmas season! Love OSH Park, total purple crush.
You could order these boards from many other places, including from overseas, but OSH makes it super easy, they're made in the US, they communicate the entire process and what showed up is great quality. Now, if it actually works or not is another thing... On to components.
Thursday, December 20, 2018
Ethernet TAP board
A while ago I watched this DEF CON 23 video on "looping" surveillance cameras and, given how successful they appeared to be, I just HAD to try it. They published all of their info and code on Github (of course) here, so away I went to research. The first step was to figure out how to get some of the PCBs made, so that'll be the first post in the series (when I get some time). Follow the TapBoard label/tag to see all of those posts. We're talking about making this a Burbsec south project, so if others here come along for the ride I'll post links to their work along with our group progress.
And before you ask, it's a bit more than this:

So away we go!
Friday, December 14, 2018
Installing and using Tor on Mac OS X
I often have need to use Tor for various testing purposes, mainly to determine how an adversary uses it, and I often just want to run it from my Macbook Pro (cause I'm lazy). This doc will help you install, configure and use it. Not only that, I'll be able to do it again when I forget.
First things first: if you don't have Homebrew installed, do so. It's super easy to do, go here and run the command they say. If you don't want to read it, here it is:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Now you magically have Homebrew installed into your /usr/local tree. After that run the command 'brew install tor' and you'll get these files installed:
/usr/local/Cellar/tor/0.3.2.10/.bottle/etc/tor/torrc.sample
/usr/local/Cellar/tor/0.3.2.10/bin/tor
/usr/local/Cellar/tor/0.3.2.10/bin/tor-gencert
/usr/local/Cellar/tor/0.3.2.10/bin/tor-resolve
/usr/local/Cellar/tor/0.3.2.10/bin/torify
/usr/local/Cellar/tor/0.3.2.10/homebrew.mxcl.tor.plist
/usr/local/Cellar/tor/0.3.2.10/share/doc/ (4 files)
/usr/local/Cellar/tor/0.3.2.10/share/man/ (4 files)
/usr/local/Cellar/tor/0.3.2.10/share/tor/ (2 files)
- cd to /usr/local/etc/tor and copy the file torrc.sample to torrc
- Uncomment the line 'SOCKSPort 9050'
- Uncomment the line 'Log notice file /usr/local/var/log/tor/notices.log'
- Uncomment the line 'DataDirectory /usr/local/var/lib/tor'
- At the end add the following lines:
  - AutomapHostsOnResolve
  - DNSPort 53530
- Save it and quit
So at this point we can start up Tor on the local machine and proxy traffic through it. So, start it up:
dy-mac:~ dyoung2$ tor
Dec 15 00:48:26.770 [notice] Tor 0.3.2.10 (git-31cc63deb69db819) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2q, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Dec 15 00:48:26.770 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 15 00:48:26.770 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Dec 15 00:48:26.774 [notice] Scheduler type KISTLite has been enabled.
Dec 15 00:48:26.774 [notice] Opening Socks listener on 127.0.0.1:9050
Dec 15 00:48:26.774 [notice] Opening DNS listener on 127.0.0.1:53530
And if you tail the log file:
Dec 15 00:49:04.000 [notice] Tor 0.3.2.10 (git-31cc63deb69db819) opening log file.
Dec 15 00:49:04.885 [warn] OpenSSL version from headers does not match the version we're running with. If you get weird crashes, that might be why. (Compiled with 100020ef: OpenSSL 1.0.2n 7 Dec 2017; running with 1000211f: OpenSSL 1.0.2q 20 Nov 2018).
Dec 15 00:49:04.904 [notice] Tor 0.3.2.10 (git-31cc63deb69db819) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2q, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Dec 15 00:49:04.904 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 15 00:49:04.904 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Dec 15 00:49:04.909 [notice] Scheduler type KISTLite has been enabled.
Dec 15 00:49:04.909 [notice] Opening Socks listener on 127.0.0.1:9050
Dec 15 00:49:04.909 [notice] Opening DNS listener on 127.0.0.1:53530
Dec 15 00:49:04.000 [notice] Parsing GEOIP IPv4 file /usr/local/Cellar/tor/0.3.2.10/share/tor/geoip.
Dec 15 00:49:05.000 [notice] Parsing GEOIP IPv6 file /usr/local/Cellar/tor/0.3.2.10/share/tor/geoip6.
Dec 15 00:49:05.000 [notice] Bootstrapped 0%: Starting
Dec 15 00:49:05.000 [notice] Starting with guard context "default"
Dec 15 00:49:05.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Dec 15 00:49:06.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Dec 15 00:49:07.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Dec 15 00:49:07.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 15 00:49:07.000 [notice] Bootstrapped 100%: Done
As you can see we now have a Tor circuit established so if we connect to local port 9050 we're going over the Tor network. The first step there is to install the torsocks brew (as in brew install torsocks).
Now, to get things out over Tor you have several options, the first of which is this script called torify. I really don't remember where I picked it up at but it goes as follows (it's a wrapper around torsocks):
#!/bin/sh
# This script used to call (the now deprecated) tsocks as a fallback in case
# torsocks wasn't installed.
# Now, it's just a backwards compatible shim around torsocks with reasonable
# behavior if -v/--verbose or -h/--help arguments are passed.
#
# Copyright (c) 2004, 2006, 2009 Peter Palfrader
# Modified by Jacob Appelbaum <jacob@appelbaum.net> April 16th 2006
# Stripped of all the tsocks cruft by ugh on February 22nd 2012
# May be distributed under the same terms as Tor itself

compat() {
    echo "torify is now just a wrapper around torsocks(1) for backwards compatibility."
}

usage() {
    compat
    echo "Usage: $0 [-hv] <command> [<options>...]"
}

# No command given: print usage and fail.
case $# in 0)
    usage >&2
    exit 1
esac

# Lone -h/--help: print usage and succeed.
case $# in 1)
    case $1 in -h|--help)
        usage
        exit 0
    esac
esac

# -v/--verbose: mention the compatibility shim, then drop the flag.
case $1 in -v|--verbose)
    compat >&2
    shift
esac

# taken from Debian's Developer's Reference, 6.4
# Returns 0 if an executable with the given name exists somewhere in $PATH.
pathfind() {
    OLDIFS="$IFS"
    IFS=:
    for p in $PATH; do
        if [ -x "$p/$*" ]; then
            IFS="$OLDIFS"
            return 0
        fi
    done
    IFS="$OLDIFS"
    return 1
}

if pathfind torsocks; then
    # exec replaces this shell; the lines after it only run if exec itself fails.
    exec torsocks "$@"
    echo "$0: Failed to exec torsocks $@" >&2
    exit 1
else
    echo "$0: torsocks not found in your PATH. Perhaps it isn't installed? (tsocks is no longer supported, for security reasons.)" >&2
    exit 1
fi
I save that either in $HOME/bin or in /usr/local/bin, it's entirely up to you.
So now how about we just torify a bash session?
dy-mac:bin dyoung2$ torify /bin/bash
ERROR: /bin/bash is located in a directory protected by Apple's System Integrity Protection.
Ugh. I've looked around and there's no way around that one with torify, so how about we just torify an ssh session?
dy-mac:bin dyoung2$ torify ssh dyvpn01
ERROR: /usr/bin/ssh is located in a directory protected by Apple's System Integrity Protection.
The answer is here, just copy /usr/bin/ssh over to /usr/local/bin/ssh. Done:
Before Tor:
dy-mac:bin dyoung2$ ssh dyvpn01
[centos@dyvpn01 ~]$ set | grep SSH
SSH_CLIENT='SOME.COMCAST.IP 59649 22'
With Torify:
dy-mac:bin dyoung2$ torify /usr/local/bin/ssh dyvpn01
[centos@dyvpn01 ~]$ set | grep SSH
SSH_CLIENT='185.220.101.13 34123 22'
So now I'm in over Tor for an ssh session.
I've tried to install the Bash Brew and torify that, it works but things inside still use the OS IP path, not the Tor proxy. I'd love to know how to have an entire shell session "protected" by a torify'd proxy.
Now, you have to be careful because ALL of the other traffic on the Mac is going in the clear, NOT over Tor. To take care of that, add this script (torme.sh) somewhere. You'll have to adjust it for the network adapter you're using; I'm on WiFi here.
#!/usr/bin/env bash
# 'Wi-Fi' or 'Ethernet' or 'Display Ethernet'
# (quoted below so that a service name containing a space still works)
INTERFACE=Wi-Fi

# Ask for the administrator password upfront
sudo -v

# Keep-alive: update existing `sudo` time stamp until finished
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

# trap ctrl-c and call disable_proxy()
function disable_proxy() {
    sudo networksetup -setsocksfirewallproxystate "$INTERFACE" off
    echo "$(tput setaf 64)"  # green
    echo "SOCKS proxy disabled."
    echo "$(tput sgr0)"      # color reset
}
trap disable_proxy INT

# Let's roll: point the system SOCKS proxy at Tor's listener, then enable it
sudo networksetup -setsocksfirewallproxy "$INTERFACE" 127.0.0.1 9050 off
sudo networksetup -setsocksfirewallproxystate "$INTERFACE" on
echo "$(tput setaf 64)"   # green
echo "SOCKS proxy 127.0.0.1:9050 enabled."
echo "$(tput setaf 136)"  # orange
echo "Starting Tor..."
echo "$(tput sgr0)"       # color reset
tor
Note that at the very end it starts up the Tor daemon, so what we did previously to start it up isn't needed; use this script when you want MOST traffic routed over Tor on the machine.
It handles all the startup and the teardown on ctrl-c, so when you stop it the script "undoes" the network settings.
dy-mac:bin dyoung2$ ./torme.sh
Password:
SOCKS proxy 127.0.0.1:9050 enabled.
Starting Tor...
Dec 15 01:04:25.734 [notice] Tor 0.3.2.10 (git-31cc63deb69db819) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2q, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Dec 15 01:04:25.734 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 15 01:04:25.734 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Dec 15 01:04:25.739 [notice] Scheduler type KISTLite has been enabled.
Dec 15 01:04:25.739 [notice] Opening Socks listener on 127.0.0.1:9050
Dec 15 01:04:25.739 [notice] Opening DNS listener on 127.0.0.1:53530
^C
SOCKS proxy disabled.
And in the log file:
Dec 15 01:04:25.739 [notice] Opening DNS listener on 127.0.0.1:53530
Dec 15 01:04:25.000 [notice] Parsing GEOIP IPv4 file /usr/local/Cellar/tor/0.3.2.10/share/tor/geoip.
Dec 15 01:04:25.000 [notice] Parsing GEOIP IPv6 file /usr/local/Cellar/tor/0.3.2.10/share/tor/geoip6.
Dec 15 01:04:25.000 [notice] Bootstrapped 0%: Starting
Dec 15 01:04:26.000 [notice] Starting with guard context "default"
Dec 15 01:04:26.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Dec 15 01:04:26.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Dec 15 01:04:27.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Dec 15 01:04:27.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 15 01:04:27.000 [notice] Bootstrapped 100%: Done
Dec 15 01:04:29.000 [notice] Interrupt: exiting cleanly.
At this point the browser is going over Tor, which we can verify by going to Tor Check:
I haven't come up with a way to ensure ALL the traffic on the machine goes over Tor, I use a combination of torify, torsocks and torme.sh to handle things. For example, if you want to use Weechat over Tor just use this: torify weechat and away you go.
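Tor Check in a browser only tells you about the browser. The following tor_check.sh is an added example (not part of the original post or of Tor itself) that does the same test from the command line: it fetches Tor Check's JSON endpoint directly and through the SOCKS port from the torrc steps above, confirms the proxied request is seen as Tor and exits from a different IP, and probes the DNSPort so name lookups are not quietly leaking to the LAN resolver. It assumes curl, dig and nc are on the PATH and that the endpoint answers {"IsTor":true,"IP":"..."}; the hosts and ports are the ones configured above.

```shell
#!/bin/sh
# tor_check.sh (added example): verify that traffic sent through the local
# Tor SOCKS port really exits via Tor, and that Tor's DNSPort answers.
# Assumed: curl, dig and nc are installed; torrc has SOCKSPort 9050 and
# DNSPort 53530 as in the steps above.

TOR_SOCKS=${TOR_SOCKS:-127.0.0.1:9050}
TOR_DNS_PORT=${TOR_DNS_PORT:-53530}
CHECK_URL=https://check.torproject.org/api/ip

# Extract the "IP" value from a Tor Check JSON reply; prints nothing if absent.
tor_check_ip() {
    printf '%s' "$1" | tr -d ' ' | sed -n 's/.*"IP":"\([^"]*\)".*/\1/p'
}

# Return 0 only when the reply says "IsTor":true.
tor_check_is_tor() {
    case "$(printf '%s' "$1" | tr -d ' ')" in
        *'"IsTor":true'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Is Tor's SOCKS listener accepting connections at all?
socks_listener_up() {
    nc -z "${TOR_SOCKS%:*}" "${TOR_SOCKS#*:}" >/dev/null 2>&1
}

# Fetch Tor Check directly (what the ISP sees) and via SOCKS.
# --socks5-hostname hands the hostname to Tor, so even the lookup for
# check.torproject.org never touches the system resolver.
fetch_direct()  { curl -sS --max-time 30 "$CHECK_URL"; }
fetch_via_tor() { curl -sS --max-time 60 --socks5-hostname "$TOR_SOCKS" "$CHECK_URL"; }

# Resolve a name through Tor's DNSPort; empty output means it is not answering.
dns_via_tor() {
    dig +short +time=5 +tries=1 -p "$TOR_DNS_PORT" @127.0.0.1 "$1" 2>/dev/null
}

# Full check: 0 only when the proxied reply is marked IsTor, the exit IP differs
# from the direct egress IP, and the DNSPort resolves a name.
verify_tor_path() {
    socks_listener_up || { echo "SOCKS listener $TOR_SOCKS is down; is tor running?" >&2; return 1; }
    direct=$(fetch_direct)
    proxied=$(fetch_via_tor) || return 1
    d_ip=$(tor_check_ip "$direct"); p_ip=$(tor_check_ip "$proxied")
    echo "direct egress: ${d_ip:-unknown}   via Tor: ${p_ip:-unknown}"
    tor_check_is_tor "$proxied" || { echo "proxied request was NOT seen as Tor" >&2; return 1; }
    if [ -n "$d_ip" ] && [ "$d_ip" = "$p_ip" ]; then
        echo "same IP both ways: the proxy is not in effect" >&2; return 1
    fi
    [ -n "$(dns_via_tor check.torproject.org)" ] || { echo "DNSPort $TOR_DNS_PORT not answering" >&2; return 1; }
    echo "OK: traffic through $TOR_SOCKS is exiting via Tor"
}

# Run the live check only when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    verify_tor_path
fi
```

Run it as ./tor_check.sh --check while torme.sh (or plain tor) is up; the same functions can be pointed at another SOCKS port by setting TOR_SOCKS.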
Go Tor it up.