Security Practical – Exploit task 2

Now that we have the first flag we can move on to level01, where we are given some code with a vulnerability that allows arbitrary programs to be executed.

Getting right into it, we can try running flag01 and see what it returns.

This level assumes you know a little about coding, because then you would realise that /usr/bin/env is not a safe way to locate echo. /usr/bin/env is commonly seen in the first line of Python scripts (#!/usr/bin/env python); it searches each directory listed in PATH for the named program, which is how arbitrary programs end up being executed here.

So if we want the flag, we should be looking to add the flag program to PATH so that it is what runs when the search for echo is invoked.

Once that is done we need to create a symbolic link in /home/level01 that points to /bin/getflag (this is what the PATH lookup for echo will find).

Once that is done, it’s important to remember not to run getflag from the level01 account.

Then simply execute the flag01 program.

And there we have it. We were tasked with finding out why this program executes arbitrary programs, and we discovered the vulnerability in the PATH lookup. We then proved it by making a link in our home directory to the flag program and executing flag01, thus exploiting the vulnerability.
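To see exactly why /usr/bin/env is the weak point and what the fix looks like, here is an added example (not the Nebula level01 source and not the author’s code) that reimplements env’s PATH lookup and, beside it, the hardened way to call echo: an absolute path and a fixed environment. The function names are my own; the only assumption taken from the exercise is that the program runs echo through /usr/bin/env.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Resolve `cmd` the way /usr/bin/env (execvp) does: walk PATH left to
 * right and return the first executable regular file, or NULL. The caller
 * frees the result. Empty PATH entries (which execvp treats as the current
 * directory) are not special-cased here. */
char *resolve_in_path(const char *cmd, const char *path) {
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char candidate[4096];
        snprintf(candidate, sizeof candidate, "%.*s/%s", (int)len, p, cmd);
        struct stat st;
        if (stat(candidate, &st) == 0 && S_ISREG(st.st_mode) &&
            access(candidate, X_OK) == 0) {
            char *out = malloc(strlen(candidate) + 1);
            if (out) strcpy(out, candidate);
            return out;               /* first hit wins, whoever owns it */
        }
        if (!end) break;
        p = end + 1;
    }
    return NULL;
}

/* The hardened form of what level01's program does: an absolute path to
 * the binary and a fixed environment, so nothing the caller puts in PATH
 * changes which program runs. Returns the child's exit status, -1 on error. */
int run_echo_safely(const char *msg) {
    char *const argv[] = {"/bin/echo", (char *)msg, NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127);                   /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The lookup function shows the whole problem in one line: the first directory in PATH that contains an executable named echo wins, and a setuid program inherits PATH from whoever runs it.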

Security Practical – Exploit task 1

Whilst theory is important, there is only so much information you can absorb before you need to start practising it. Theory is the underpinning and practice the execution.

One of the first things you will need to install for the vast majority of exercises on the net is a virtual machine player; you can grab a copy of VMware here.

You’ll also want to install Kali Linux, which comes with security tools set up from the start and is used in the vast majority of text-based examples.

In the future we will be working from Georgia Weidman’s penetration testing book, but for today we will work through a simple exploit which you can find here at Exploit Exercises.

Download the first nebula task and load the ISO into your VM player.

You will then see something like this.

Our task is to find a set-user-ID program that will allow us to run as the user “flag00”.

From here it would really help if you have experience with Ubuntu, especially simple commands like finding man pages or changing directory. It would be worth spending an hour or so just familiarising yourself with the basics, as it will be invaluable experience.

Essentially you are looking to run an application as the user flag00. As with most things there are plenty of ways to go about this; the easiest is to search for files owned by that user, find the binary and run it.

Security Fundamentals; What is hacking?

As anyone with a passing interest in security (or even just common sense) will know, hacking is not like in the movies, where our action hero types at 100 WPM, hacks into the ‘mainframe’ of the network and takes it over.

Movies represent hacking in this way because security experts staring at screens of code or typing commands in terminals is nowhere near as exciting.

But alas, the reality is that ‘hacking’ as a broad term tends to involve quite a bit of genuine hard work and knowledge, which is why it commands such a high price. Unless, of course, you are just running ready-made exploits, which requires much less skill.

Hacking in its purest form is not restricted to computing: any type of technical tinkering and tweaking of hardware, software or engineering is hacking. But most only know hacking of the nefarious kind.

However, for the purpose of this post we will be focusing specifically on hacking of the technology kind, and especially on infiltration and the foundations of an attack.

We will take a common example of an attacker infiltrating a company’s network.

First the attacker will want to set up a strategy for the attack. The most efficient attackers will have the entire play planned out; some, however, will adjust as they go.

A good way for the attacker to do this is to test for vulnerabilities on the network.

One of the main ways to assess this is to sniff the traffic between the company’s internal network and the outside network. By inspecting the packets a knowledgeable attacker can gain more knowledge of the target.

It is important to do this so as to build up an idea of the network and then choose the right tool for the job. It is also important to remain hidden during this stage; it is definitely recommended that you use a tool like Tor to route your traffic somewhere else, and ideally not use a connection linked to your home name and address.

You can read more about that here at Leak Source.

Once the network has been assessed it is then time to choose which attack method to deploy, based on the attack vectors available to you from the information gathered during reconnaissance.

One common method is to continue the reconnaissance from behind the firewall, which reveals a much broader set of services; alternatively an attacker may simply use a distributed denial of service. It is here that scripts come in, and where you often hear the term ‘script kiddies’. The more experienced attackers will develop their own scripts, whereas novices are best off using tried and tested exploits.

Whilst this guide has shown the general gist of how an attack is deployed, there’s no use rehashing the valuable and bountiful information available on the net.

For example –

Hack Back! A DIY Guide for Those Without the Patience to Wait for Whistleblowers

So now we have seen what hacking is, and we have a general idea of what an attacker might do to attack a local company, for example.

But we also have an idea of what attackers do, and can begin to think about how we might go about securing a network or organization.

For example, we know that attackers really desire poorly configured services or old, unpatched software and hardware. Even the best firewall will struggle to stop an attacker once they are on the client side of it. So we know that one step is to remove discoverable services, and to make sure those that can be discovered by whois lookups are secured and not left open with no authentication.

You can also set up fake services or servers that alert you if any suspicious activity is discovered on them. As well as this you obviously want to ensure all the staff in the client’s organization are following secure practices and that privilege escalation inside the network is limited, as attacks are often carried out from the inside.

As we go forward in this fascinating journey we can begin to map out the process of both attacking and defending. Next we will focus on something more practical.

Security Fundamentals; SS7

Even though SS7 has been covered in the media, many people still haven’t heard of it, let alone realised how it can affect their lives.

The problem with these stories is that the news gets hold of them and for a short time people become embroiled in the paranoia. Images of nefarious attackers waiting at their laptops like dogs at the post enter the imagination, ready to strike anyone at any time.

But once the show is over, the message is lost, leaving many wondering what all the fuss was about.

SS7 is interesting from a security practitioner’s point of view because, as you will see, it highlights that any piece of infrastructure can be vulnerable, and knowing how it is exploited helps you build up your knowledge base.

To provide the information on SS7 I have copied in a piece I wrote for a university module.

Security holes in the mobile networking technology Signaling System Seven (SS7) have been found after research carried out by German researchers.
SS7 was developed in 1975 and is the backbone of services such as call forwarding and ending, SMS (Short Message Service) messaging and prepaid billing, as well as other mass marketing services.
It consists of dedicated channels known as signaling links which interact with the three kinds of signaling points: Service Switching Points (SSPs), Signal Transfer Points (STPs) and Service Control Points (SCPs). The traffic is routed by packet switches, whilst SCPs and STPs tend to be deployed in mated pairs so service can resume if one suffers downtime.
Essentially the entire mobile network is vulnerable to the exploit, which is similar to a man-in-the-middle attack between network signaling nodes and exploits the top-level authentication and communication vulnerabilities.
The exploit allows attackers a multitude of attacks, including eavesdropping on calls, location tracking, and fraud and exploits in the billing systems; it was even suggested that the right request could force the operator to hand over the crypto keys for the session.
The vulnerability, whilst a pressing issue, is not a new find and has been widely known about since 2012, when German researchers demonstrated the attacks at a security conference.

In February 2015 AdaptiveMobile launched a project to survey and secure the traffic travelling via SS7 over operator networks. By combining a firewall with advanced reporting and intelligence gathering they protect an estimated one fifth of the world’s subscribers.
However the flaw in SS7 remains a threat to personal security, and with the infrastructure being so pervasive in nature there is little one can do to ensure personal security against the inherent vulnerabilities in SS7.
For organizational security AdaptiveMobile offers a dedicated firewall: ‘AdaptiveMobile SS7 Protection secures the network against privacy & fraud attacks by combining SS7 Firewall capability to block suspicious traffic with our Advanced Analytics algorithms that automatically identify and report on threats to the network in real time, and our unparalleled Threat Intelligence services to discover new and emerging vulnerabilities’.

So as we can see, SS7 was known to be vulnerable around four years ago (probably longer) and it took three years for anyone to proactively come up with a solution.

The problem with SS7 is that there is no broken handle just swinging around in the wind: the entire protocol is old and was designed on the assumption of hard-wired trust between operators. Whilst it could have potential fixes (such as layer 2 authentication over the top of the protocol), you would then need all of the carriers and the people involved to be on board with this.

So as it stands the mobile networks are completely open to this, and whilst a personal attack on you isn’t likely, you can be sure there are powerful people or groups who will be both victims and attackers.

It’s interesting from a security practitioner’s standpoint because you get to see how long it actually takes to fix something as high risk as this: an attack vector with the capability to track your movements and steal all of your SMS messages. It has been widely known about for four (if not more) years now and the protocol is still vulnerable.

Oftentimes it is bureaucracy that stands in the way, for many reasons. Often it can just be an unwillingness to implement secure procedures, especially collaboratively. As with IPv6 or HTTPS, it appears to be a lot of work to bring change, and it’s not like any handles are physically broken off and swinging in the wind, so why bother?

As a security practitioner it also offers a great chance to ponder how you would defend against this. What could you implement or do that would let you keep using your phone?

Security Fundamentals; Cryptography

What is Cryptography and why is it important?

Cryptography in its basic form is a method for obscuring things so they cannot be read in transit.

The Caesar cipher, one of the most famous early forms of cryptography, was used to prevent the army’s messages from being intercepted and read. By shifting the alphabet by three, the message would hopefully make no sense to anyone who intercepted it en route.

Of course, with the curtain pulled back it seems trivial. But at the time many of the enemies were illiterate, and the message would have seemed very obscure, as if written in a foreign language.

This bears much resemblance to today’s security. You can never make a device completely secure, but if you can make your security stronger than the attacker’s will to break it, and obscure the vulnerable points enough to create a seemingly insurmountable task, then you have a chance to maintain the long-term integrity of your network and devices.

Cryptography has come a long way since the Caesar cipher and is widely used in today’s technology, especially in mobile phones and debit/credit card transactions.

Today’s cryptography is ever more rooted in mathematics.

For public key encryption we begin by creating a cryptographic hash function that turns a string of text into a fixed-size bit string ‘summary’ of the input, effectively creating a one-way function that is infeasible to invert with today’s computing power without knowing the basis for the hash.

There are a number of hash functions we can use; however, over time many have proved to be vulnerable or suspect. For example, SHA-1 has no known collisions yet, but the way technology has evolved gives us reasonable evidence to suggest that it will become vulnerable at some point in the not too distant future, so migration to other hash functions (in the SHA family, for example) is suggested.

Whilst there is far more to cryptography, especially the fascinating mathematics that goes into creating hashing algorithms, you now have a general idea of what cryptography is and how it works.

Security Fundamentals; Firewalls

Firewalls can be an active form of protection for your home and organizational network, but how do they work?

A firewall will inspect packets coming into your network and drop any that don’t meet the filter requirements for the firewall.

These inspections can be carried out via static packet filtering or dynamic (stateful) inspection.

Static packet filtering assesses parts of the data within a packet and, according to the firewall rules, decides whether to accept or drop it by inspecting the protocol ID, source IP address and port number, destination IP address and port number, and the router interface it arrived on.

Dynamic packet filtering inspects the outgoing packets and only allows the corresponding reply packets back in. As soon as the first packet is sent out to the public network, a reverse filter is created to let the response packet through.

You can read more about that here: https://www.novell.com/documentation/nbm38/?page=/documentation/nbm38/overview/data/ae70q0b.html

The reason such importance is placed on packet filtering is because attackers can send malformed packets to open, unguarded and vulnerable ports and exploit holes within the operating system. Another attack vector is flooding using packets, in which an attacker can use a botnet and send a continuous stream of packets to overwhelm defenses.

A firewall can counter this to an extent by dropping the excess packets as they enter your network; however, a determined attacker can still render your network useless through denial of service.

The effectiveness of a firewall depends on both its configuration and the attack in question. The most secure firewall possible would block all ports, which of course would render the network inoperable. For those experienced in networking it can be a good idea to block all ports and then allow only the necessary ones.
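As an added illustration (not code from this page or from any firewall product), here is a constructed model of the two inspection styles described above: a static rule set that has to admit web replies by their source port, next to a stateful table that only admits a reply matching a flow it recorded on the way out. The addresses are from the documentation ranges and the rule set is assumed for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed packet model: addresses as strings, one flag for direction.
 * The internal network is assumed to be 10.0.0.0/24. */
typedef struct {
    const char *src_ip; int src_port;
    const char *dst_ip; int dst_port;
    bool inbound;               /* true = arriving from the public side */
} packet_t;

/* Static filter. To let web replies back in, the rule has to permit any
 * inbound packet whose source port is 80: it cannot tell whether the packet
 * answers a request somebody inside actually sent. */
bool static_filter(const packet_t *p) {
    if (!p->inbound) return true;           /* outbound always allowed */
    return p->src_port == 80;               /* "replies from web servers" */
}

/* Stateful filter. Each outbound packet records the reverse 4-tuple; an
 * inbound packet passes only if it matches a recorded flow. */
#define MAX_FLOWS 32
typedef struct { char ip[16]; int port; char peer_ip[16]; int peer_port; } flow_t;
static flow_t flows[MAX_FLOWS];
static int nflows;

static void copy_ip(char *dst, const char *src) {
    strncpy(dst, src, 15);
    dst[15] = '\0';
}

bool stateful_filter(const packet_t *p) {
    if (!p->inbound) {
        if (nflows < MAX_FLOWS) {           /* create the reverse filter */
            flow_t *f = &flows[nflows++];
            copy_ip(f->ip, p->src_ip);      f->port = p->src_port;
            copy_ip(f->peer_ip, p->dst_ip); f->peer_port = p->dst_port;
        }
        return true;
    }
    for (int i = 0; i < nflows; i++)        /* is this a reply we expect? */
        if (strcmp(flows[i].ip, p->dst_ip) == 0 && flows[i].port == p->dst_port &&
            strcmp(flows[i].peer_ip, p->src_ip) == 0 && flows[i].peer_port == p->src_port)
            return true;
    return false;                           /* unsolicited: drop */
}
```

Run an outbound request, its reply and an unsolicited packet with source port 80 through both filters and the difference shows: the static rule lets the unsolicited packet reach an internal port, the stateful table drops it.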

Fundamentals; Routing

Routing is the process of finding the best path for data transmission, based on a variety of algorithms that weigh a range of criteria in deciding which path is best.

It is possible for admins of small networks to build the routing topology by hand, which is called static routing. In an expansive network, however, dynamic routing is used to build the network’s topology, and it has various fallback methods to keep the network working should any individual component suffer an outage.

Link-state – link-state routing protocols such as IS-IS and OSPF build a map of the topology and then place themselves at the root of the shortest-path tree. Link-state protocols use Dijkstra’s algorithm (shortest path first, hence ‘Open Shortest Path First’) over link cost to determine the route, as opposed to a hop count.

Distance-vector – protocols such as RIP use hop counts to determine the path. Essentially the hop count is the number of routers a packet must pass through to reach its destination. The maximum for RIP is 15; any more hops and the network is considered unreachable.

We will cover routing in more depth in ‘Advanced knowledge; Routing’
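An added example (not from this page) that runs both views over one constructed topology: Dijkstra on link cost for the link-state case, and a breadth-first hop count with RIP’s limit of 15 for the distance-vector case. The topology, its cost values and the function names are made up for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <string.h>
#define N 21               /* routers 0..20 in the constructed topology */
#define RIP_INFINITY 16    /* RIP reports 16 hops as "unreachable" */
typedef int graph_t[N][N]; /* g[a][b] = link cost, 0 = no link */

/* Link-state view (OSPF, IS-IS): Dijkstra over link cost. Returns the
 * total cost of the cheapest path, or -1 if dst cannot be reached. */
int dijkstra_cost(graph_t g, int src, int dst) {
    int dist[N]; bool done[N] = {false};
    for (int i = 0; i < N; i++) dist[i] = INT_MAX;
    dist[src] = 0;
    for (int round = 0; round < N; round++) {
        int u = -1;                        /* closest unfinished router */
        for (int i = 0; i < N; i++)
            if (!done[i] && dist[i] != INT_MAX && (u < 0 || dist[i] < dist[u]))
                u = i;
        if (u < 0) break;
        done[u] = true;
        for (int v = 0; v < N; v++)        /* relax each neighbour of u */
            if (g[u][v] > 0 && dist[u] + g[u][v] < dist[v])
                dist[v] = dist[u] + g[u][v];
    }
    return dist[dst] == INT_MAX ? -1 : dist[dst];
}

/* Distance-vector view (RIP): fewest hops, link cost ignored. A path of
 * more than 15 hops, or no path at all, is reported as RIP_INFINITY. */
int rip_hops(graph_t g, int src, int dst) {
    int hops[N], queue[N], head = 0, tail = 0;
    for (int i = 0; i < N; i++) hops[i] = -1;
    hops[src] = 0; queue[tail++] = src;
    while (head < tail) {                  /* breadth-first search */
        int u = queue[head++];
        for (int v = 0; v < N; v++)
            if (g[u][v] > 0 && hops[v] < 0) {
                hops[v] = hops[u] + 1;
                queue[tail++] = v;
            }
    }
    return (hops[dst] < 0 || hops[dst] > 15) ? RIP_INFINITY : hops[dst];
}

/* Constructed topology: a chain 0-1-...-19 of cost-1 links, one slow
 * direct link 0-4 of cost 50, and router 20 with no links at all. */
void build_demo_topology(graph_t g) {
    memset(g, 0, sizeof(graph_t));
    for (int i = 0; i < 19; i++) g[i][i + 1] = g[i + 1][i] = 1;
    g[0][4] = g[4][0] = 50;
}
```

On this topology the two views disagree: from router 0 to router 4, Dijkstra takes the four cheap links (cost 4) while RIP takes the single slow link because it is one hop, and router 19 is reachable by cost but sits beyond RIP’s 15-hop limit.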