Wednesday, March 29, 2017

InsomniaHack Trip Report



Insomni'Hack Info:
https://insomnihack.ch/



Favorite talks
Bridging the gap between ICS(IoT?) and corporate IT security
Stefan Lüders

I really enjoyed this talk, hearing how an organization defends in a BYOD & academic environment. Defense is difficult when you control the hosts, even more so when you can't instrument the host and have to rely on network controls only.

My favorite slide was their alerting stack:


Not sure when the slides will be released but here is an older version of the talk I found:
https://www.blackhat.com/docs/us-14/materials/us-14-Luders-Why-Control-System-Cyber-Security-Sucks.pdf

How we hacked Distributed Configuration Management Systems
Francis Alexander & Bharadwaj Machiraj

Awesome talk on breaking into 

  • HashiCorp Consul
  • Apache Zookeeper
  • CoreOS etcd
Tool they created:
https://github.com/torque59/Garfield


Modern reconnaissance phase on APT – protection layer
Paul Rascagnères

Fun talk on how APTs have been implementing some checks to make sure the targets are valid prior to sending down the final stage of the attack.

CERN
@cktricky and I also were able to give the talk at CERN. Background info on CERN: https://en.wikipedia.org/wiki/CERN

Archive of the talk:

Cool Pix:
Dropping Knowledge


Synchrocyclotron


Outside the Antimatter Factory

Thanks Twitter :-)
CG

Saturday, January 21, 2017

Kano review


Below is a quick review of the Kano computer.

WTF is it?

The Kano computer is a Raspberry Pi-based computer that is meant for kids to put together and build themselves. Looks a bit like this:


propaganda video:


It ships with a nice guide that most kids will be able to follow to get the pieces of the Kano computer up and running. Optionally you can also buy a screen kit where everything fits together in a tidy package. The screen kit that houses the Raspberry Pi and keyboard is the reason I went with the Kano over just piecing one together for the kids.




Once you get the hardware set up, KanoOS walks you through setting up a user account and starts off in story mode, where you start on SD beach and get to explore your computer in an RPG-type environment.




You also have a menu for the kids where they can pick what they want to work on, but it also has a classic button if you want to get to a more normal Linux experience.



Not shown in the screenshot but definitely present in the menu now is a link to Scratch, which the kids love. And of course no computer for kids can ship without Minecraft:




The OS is designed to get the kids to go through various quests to learn about the computer and as you complete quests more open up to you. More info around this is available on the Kano developer blog: http://developers.kano.me/2016/08/03/kano-os-beta-v340-released/

The Kano OS is available here: http://developers.kano.me/downloads/ if you want to throw it in a VM or a Raspberry Pi you have around the house. It is also open source so you can contribute: https://github.com/KanoComputing

The Kano world portal also has fun stuff https://world.kano.me/projects 

As an added bonus Kano has been sending emails for the kids to experiment with stuff. 



This week's "Secrets of the Computer Kit" included an introduction to the Linux terminal and cowsay!

cowsay, with some Scratch on the other Kano

The kids also got their first real Linux experience when the screen flipped and stayed flipped after a reboot. We eventually found an option in the menu to flip it back, but it was a nice introduction to the hell that is running Linux...good times. Enjoy Linux hell boys, I'll be here to help you <3

Overall extremely pleased.  

Two negative experiences though:

One was the first upgrade process. It took over 30 minutes to download all the updates. I ended up losing the kids for the night during that process due to it taking so long.

Second was the fact the computers showed up one day and the monitors the next!? WTF. I realize Kano doesn't have control of all things shipping but it was a real PITA to have computers and no monitors.  Suggestion: bundle kits should ship together.

Aside from the above, the kids have been enjoying their new computers.


I know it's coming so I'll just address it here: 250 bucks for a Raspberry Pi?! Yeah, kinda steep...but I did price something comparable out before I bought. Here is what I came up with:

https://www.adafruit.com/products/2718   Pi Foundation Display - 7" Touchscreen Display for Raspberry Pi  $79.95 

https://www.adafruit.com/products/2033  Pimoroni Raspberry Pi 7" Touchscreen Display Case - Noir  $14.95

https://www.adafruit.com/products/2253  Pi Model B+ / Pi 2 / Pi 3 Case Base - Clear  $5.00  Lid $3.00

SD CARD 32 GB various $10-$20

https://www.adafruit.com/products/2876  Full Size Wireless Keyboard with Trackpad  $39.95


OR


Speaker:  ?? 10?

Misc cables to hook it all up ?? 20?

Total ~ $180

or 

https://www.adafruit.com/products/3116  Pi-Top - GREY - A Laptop Kit for Raspberry Pi B+ / Pi 2 / Pi 3  $274.95

None of the above, with the exception of the Pi-Top, fit nicely together; I'd end up having to build it for the kids and I wanted them to build it themselves. Plus the Kano comes in fun colors with stickers so they can make it their own. I'm satisfied with the purchase, but you could technically do it for the price of a Raspberry Pi and SD card if you have the other gear lying around.

In a similar vein is the Piper computer if you are considering things for kids:





CG

Wednesday, January 18, 2017

DevOoops: In-Memory Databases (Redis) Part 2


Doing part 2 first as the altcoin mining stuff is interesting given the MongoDB/Elasticsearch ransomware stuff currently going on.

A Redis developer dropped an interesting piece of info here

http://antirez.com/news/96

Namely:
“However, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”

He goes on to show how someone could echo over SSH keys and use the CONFIG command to write them to the appropriate place if you have permissions. He used a key name of "crackit" so I thought I'd see how prevalent it was....I checked a few and saw it in a good chunk of them.

go go shodan




I did find something interesting while looking through some open Redis boxes. I found:



A cron job? running a shell script. Can you do that from Redis???

What's in the shell script?!



alt coin mining! sweeeeeet.

I had no idea what an XMR was but I wanted to see how this person was doing with the money making. Thankfully you can just query the payouts for any XMR address. So I did:






They've made around $20,000 USD in BTC. I guess crime does pay :-)




To satisfy my curiosity I started a miner up on a Linode and was getting around 60 H/s. This person is cranking out 70 KH/s, so they have a few boxes working for them.


Extending the idea that a good hack yields plenty more, I stumbled across this gem: https://phpinfo.me/2016/07/07/1275.html with several different ways to get code exec on Redis.
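Every one of those code-exec paths starts from the CONFIG command quoted above being reachable by an unauthenticated client. The following is an added example (not from the post or the Redis project): a small audit of a redis.conf for the directives that close that off. The directive names are standard redis.conf; both config texts are constructed, and the check assumes Redis 3.2 or later, where protected-mode exists.

```python
"""Audit a redis.conf for the settings that leave the CONFIG-driven file write
described above open to unauthenticated clients. Added example, not from the
post; directive names are standard redis.conf, the two config texts are constructed."""

WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass PLACEHOLDER-long-random-password
rename-command CONFIG ""
rename-command DEBUG ""
"""


def parse_conf(text):
    """Map directive -> list of values, in file order (repeatable directives keep all)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit(text):
    """Return findings; an empty list means the file passes these checks."""
    conf = parse_conf(text)
    findings = []
    # With no bind directive Redis listens on every interface.
    binds = conf.get("bind", ["0.0.0.0"])[-1].split()
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listens on all interfaces")
    # protected-mode defaults to yes on Redis >= 3.2 (assumed here).
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass", [""])[-1].strip('"'):
        findings.append("requirepass: unset, any client can issue CONFIG SET")
    # rename-command CONFIG "" disables it; renaming to a long random name also helps.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG: reachable, dir/dbfilename can be pointed at any path")
    return findings
```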

I created some gists from the previous link in case the post disappears.



-CG-


CG

Monday, January 16, 2017

DevOoops: Client Provisioning (Vagrant)


Notes from the 2015 Devoops Talk

Vagrant used to ship with a default keypair and was difficult to rotate.

**Fixed in newer versions of Vagrant, but finding hosts still using the default key is pretty likely.


Did you change your SSH keys?


Default Credentials

root/vagrant  vagrant/vagrant

No password needed for sudo :-)


Scanning for the default key using metasploit (ssh_login_pubkey module)



Tell real hosts from fake ones with an SSH version scan



Log in with private key

CG

Friday, January 13, 2017

DevOoops: Client Provisioning (Kickstart Files)


Notes from the 2015 Devoops talk. Posting it so I can remove it from the slide deck but still refer to it. Also relevant to the common-problems-with-DevOps theme.

Kickstart Files

Three ways to set the root password

1. Enter during installation

2. Crypted hash in the kickstart file
“rootpw --iscrypted”

3. Clear text in the kickstart file
“rootpw --plaintext”

Examples



Kickstart Files Takeaways

Don't leave these files in open shares

Use the crypted password option for files

Have a process to change the password after initialization

Rotate the initial root password regularly
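The three rootpw forms are easy to tell apart mechanically, so the "use the crypted option" takeaway can be enforced with a scan of the kickstart files you find in shares and repos. The following is an added example (not from the talk); the kickstart snippets and the hash in them are constructed placeholders, and the check accepts only the SHA-256 ($5$) and SHA-512 ($6$) glibc crypt formats as strong.

```python
"""Scan kickstart text for the rootpw forms discussed above and flag the weak
ones. Added example, not from the post; the kickstart snippets are constructed."""
import re

# Constructed examples of the three forms (the hash is a dummy placeholder).
CLEAR_TEXT_KS = "rootpw --plaintext Summer2015!\nauth --useshadow --passalgo=sha512\n"
CRYPTED_KS = "rootpw --iscrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH\n"
INTERACTIVE_KS = "# rootpw omitted: prompt during installation\nnetwork --bootproto=dhcp\n"

ROOTPW_RE = re.compile(r"^\s*rootpw\b(?P<opts>.*)$", re.MULTILINE)


def classify_rootpw(ks_text):
    """Return one of 'interactive', 'crypted', 'plaintext', 'weak-hash'."""
    m = ROOTPW_RE.search(ks_text)
    if not m:
        return "interactive"          # no rootpw line: the installer prompts
    tokens = m.group("opts").split()
    if "--iscrypted" not in tokens:
        return "plaintext"            # --plaintext, or no flag at all, is clear text
    value = [t for t in tokens if not t.startswith("--")]
    # glibc crypt ids: $5$ = SHA-256, $6$ = SHA-512; $1$ (MD5) or bare DES are weak
    if not value or not value[0].startswith(("$5$", "$6$")):
        return "weak-hash"
    return "crypted"


def audit_kickstart(ks_text):
    """Findings for a kickstart text; empty list means rootpw handling is acceptable."""
    kind = classify_rootpw(ks_text)
    findings = []
    if kind == "plaintext":
        findings.append("rootpw stored in clear text; use --iscrypted with a SHA-512 hash")
    elif kind == "weak-hash":
        findings.append("rootpw hash uses a weak algorithm; regenerate as $6$ (sha512)")
    return findings
```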





CG

Thursday, January 12, 2017

DevOoops: Client Provisioning (Chef)


Notes on Chef from the 2015 Devoops talk. Posting it so I can remove it from the slide deck but still refer to it. Also relevant to the common-problems-with-DevOps theme.

Chef allows you to define the state your servers (local or cloud) should be in and enforces it.

Web Interface





Environment Leakage


databags


knife is a Chef command line utility. The credentials are stored in data bags. Credentials can be encrypted.

Example:

$ knife data bag list



Chef/knife (encrypted data bag)


Chef/knife with path to secret file




Chef Takeaways

Be aware of what you put into Chef recipes


Protect secrets/passwords

Info on securing chef: https://learn.chef.io/skills/be-a-secure-chef/
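An encrypted data bag item is recognisable by its shape: each field is replaced by a small object carrying encrypted_data, iv, version and cipher, whereas a plaintext item holds the secret as a bare string. Below is an added example (not Chef's or knife's code) that takes a data bag item as JSON, the way knife returns it, and reports secret-looking fields stored in the clear; both items are constructed and the ciphertext values are placeholders.

```python
"""Check Chef data bag items (as knife/JSON returns them) for plaintext secrets;
an encrypted item wraps each field in the encrypted_data/iv/cipher structure.
Added example, not the project's code; the items are constructed."""
import json
import re

SECRET_FIELD_RE = re.compile(r"(pass(word)?|secret|token|api_?key|private_?key)", re.I)

# Constructed items: one encrypted (placeholder ciphertext), one plaintext.
ENCRYPTED_ITEM = json.dumps({
    "id": "db_creds",
    "password": {"encrypted_data": "PLACEHOLDER_B64==", "iv": "PLACEHOLDER_IV==",
                 "version": 1, "cipher": "aes-256-cbc"},
})
PLAINTEXT_ITEM = json.dumps({"id": "db_creds", "username": "app", "password": "hunter2"})


def is_encrypted_field(value):
    """True if a value has the shape an encrypted data bag field has (v1, v2 and v3)."""
    return isinstance(value, dict) and "encrypted_data" in value and "iv" in value


def audit_data_bag_item(item_json):
    """Return dotted paths of secret-looking fields stored in the clear."""
    exposed = []

    def walk(obj, path):
        if is_encrypted_field(obj):
            return                      # whole subtree is ciphertext
        if isinstance(obj, dict):
            for name, value in obj.items():
                child = f"{path}.{name}" if path else name
                if SECRET_FIELD_RE.search(name) and not is_encrypted_field(value):
                    exposed.append(child)
                elif name != "id":
                    walk(value, child)

    walk(json.loads(item_json), "")
    return exposed
```

Paired with `knife data bag list` and `knife data bag show <bag> <item> -F json`, this gives a quick inventory of which bags still need the secret-file treatment.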
CG

Wednesday, January 11, 2017

DevOoops: Elasticsearch


Notes from the Devoops talk on Elastic Search

Elasticsearch Provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents.

A GET request to port 9200 will show the version:
"version" : {
"number" : "1.2.4"


No Authentication (initially)

Can search stored data via HTTP API

Update data with PUT request

Join an open cluster and receive all data

RCE prior to 1.2.0 (CVE-2014-3120)
RCE prior to 1.5.0* (CVE-2015-1427)

exploit/multi/elasticsearch/script_mvel_rce
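The version banner above is enough to triage a node against the two RCEs listed here. The following is an added example (not from the talk): it parses the root-endpoint JSON, compares the version number with the fixed-in versions exactly as these notes give them (1.2.0 and 1.5.0), and records whether the request needed credentials. The response bodies are constructed.

```python
"""Triage an Elasticsearch node from the JSON a GET to port 9200 returns: which of
the two RCEs in these notes still apply, and whether the API needed credentials.
Added example, not from the talk; the responses are constructed."""
import json

# Fixed-in versions as the notes give them.
RCE_FIXES = (("CVE-2014-3120", (1, 2, 0)), ("CVE-2015-1427", (1, 5, 0)))

# Constructed responses modelled on the banner shown above.
OLD_NODE = json.dumps({"status": 200, "name": "node-1", "version": {"number": "1.2.4"}})
NEWER_NODE = json.dumps({"status": 200, "name": "node-2", "version": {"number": "1.5.2"}})


def parse_version(number):
    """'1.2.4' -> (1, 2, 4); a pre-release suffix such as '1.5.0-beta1' is dropped."""
    core = number.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def assess(banner_json, required_auth=False):
    """Return {'version', 'rce', 'findings'} for a root-endpoint response body.

    required_auth is what the caller observed: True if the GET was rejected
    until credentials were supplied, False if the banner came back anonymously."""
    version = parse_version(json.loads(banner_json)["version"]["number"])
    rce = [cve for cve, fixed in RCE_FIXES if version < fixed]
    findings = list(rce)
    if not required_auth:
        findings.append("no authentication: data readable and writable over the HTTP API")
    return {"version": version, "rce": rce, "findings": findings}
```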


Kibana

Searching via curl/browser is cumbersome...Kibana FTW

Edit config.js to point to open Elasticsearch

Open index.html in local browser or host on a server




Viewing the content of the document


Import your own data and visualize



Elasticsearch solutions:

Apply authentication if possible

Segment elasticsearch from Corp (and the public in general)

Be aware of the data you put in elasticsearch
-->anyone can search it

Logs Logs Logs

osquery
CG