Friday, March 07, 2008

Wireless Under Linux : Monitor Mode

As some of you may already know, one of my biggest and oldest hobbies is Linux.

As such, the first thing I try on almost any computer, laptop or device I get my hands on is a Linux distro, to see how well it plays. Most of the time these computers are not mine, so it is also a way of helping people out along the way.

This past week a colleague of mine asked me a question that I get a lot regarding wireless hacking with a Linux box: "how do I set my wifi card to promiscuous mode?" Many newcomers to Linux find this hard to achieve, and it is important knowledge for anyone in the pentesting field, or for anyone doing it as a hobby.

The reason is pretty simple: when you want to use your card for packet injection and sniffing, you need to put it into a passive capture mode. On Linux this is called monitor mode, and it is not the same thing as promiscuous mode: an 802.11 card in promiscuous mode still only sees the data frames of the network it is associated with, while in monitor mode it captures every 802.11 frame on the channel without associating, management and control frames included. Once the card is in monitor mode you can fire up whatever wireless hacking or sniffing program you want.

The problem is that in some cases, trying to set the card to monitor mode with iwconfig ath0 mode Monitor results in an error such as Error for wireless request "Set Mode" (8B06) followed by SET failed on device ath0 ; Invalid argument, and repeating the attempt does not help, even with the MadWifi drivers. With MadWifi the reason is that ath0 is a virtual access point (VAP) created on top of the physical device wifi0, and a VAP's mode is fixed when it is created, so it cannot be switched afterwards with iwconfig.

The solution is actually quite simple: use the wlanconfig tool that ships with MadWifi.

To change the card's mode, first bring the interface down with ifconfig ath0 down (ath0 is the interface name; substitute yours), then use wlanconfig to destroy the VAP and recreate it in the mode you want:

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
ifconfig ath0 up

That's it. Your card is now in monitor mode. Check it with iwconfig ath0, which should now report Mode:Monitor.

To return the card to its original client state, repeat the same sequence but with wlanmode sta instead of wlanmode monitor (sta is the MadWifi name for managed/client mode; wlanconfig does not accept managed as a wlanmode).
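The same destroy-and-recreate sequence driven from a script, with the verification step a practitioner wants afterwards (parsing the Mode: field out of iwconfig's output). This is an added example, not code from the original post or from the MadWifi project; it assumes the MadWifi wlanconfig, iwconfig and ifconfig binaries are on the PATH, that the VAP is ath0 and its parent device is wifi0 (both are parameters), and that it is run as root when actually applied. The run callable is injectable so the sequence can be exercised without a radio.

```python
"""Added example (not from the original post): recreate a MadWifi VAP in a
given wlanmode and confirm the result by parsing iwconfig output.

Assumptions: wlanconfig, iwconfig and ifconfig are on PATH, the VAP is ath0
and its parent device is wifi0 (both configurable), root when applied.
"""
import re
import subprocess

# wlanmode values accepted by MadWifi's wlanconfig; "sta" is client/managed mode.
MADWIFI_MODES = ("sta", "ap", "adhoc", "ahdemo", "monitor", "wds")


def vap_commands(mode, vap="ath0", parent="wifi0"):
    """Return the command sequence that recreates `vap` on `parent` in `mode`."""
    if mode not in MADWIFI_MODES:
        raise ValueError("unknown wlanmode %r (expected one of: %s)"
                         % (mode, ", ".join(MADWIFI_MODES)))
    return [
        ["ifconfig", vap, "down"],
        ["wlanconfig", vap, "destroy"],
        ["wlanconfig", vap, "create", "wlandev", parent, "wlanmode", mode],
        ["ifconfig", vap, "up"],
    ]


def parse_iwconfig_mode(output):
    """Extract the Mode: field (e.g. "Monitor" or "Managed") from iwconfig output.
    Returns None when the text carries no Mode: field (no wireless extensions)."""
    match = re.search(r"\bMode:(\S+)", output)
    return match.group(1) if match else None


def set_vap_mode(mode, vap="ath0", parent="wifi0", run=subprocess.run):
    """Run the recreate sequence, then return the mode iwconfig reports for the VAP.
    `run` defaults to subprocess.run; pass a stand-in to dry-run the sequence."""
    for cmd in vap_commands(mode, vap, parent):
        run(cmd, check=True)
    result = run(["iwconfig", vap], check=True, capture_output=True, text=True)
    return parse_iwconfig_mode(result.stdout)


if __name__ == "__main__":
    import sys
    wanted = sys.argv[1] if len(sys.argv) > 1 else "monitor"
    print("iwconfig now reports Mode:", set_vap_mode(wanted))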

Hope this short guide was helpful.


Saturday, December 08, 2007

The Code, As You Requested - XSS Translator

A few months ago I wrote, for Guy Mizrahi's XSS month, a relatively simple tool whose purpose was basically to convert plain strings into character codes (the code below emits each character as a %XX URL escape, that is, its hexadecimal code), making it easier to build strings for an XSS attack...

Several people contacted me and asked for the (relatively simple) code. Well, I changed a few things following emails and comments in all sorts of places, in order to simplify it. Here it is, plain and simple... As you can surely tell, it is all in all just a conversion from characters to their hex codes and back, now applied to the whole string, a change made following requests by email.

There are many converters available for download on the Internet, some even written by RSnake himself, but those who know me know that if it did not come out of my own hands, I do not move on to the next topic...

Here is the final code... .NET, just the way you like it.

For my English-reading audience: this is my code for converting text into %XX character codes for use in XSS attacks, in .NET for your convenience. Enjoy...

Public Class XSS_Translator

    ' Decode a single "%XX" escape (three characters) back into the character it stands for.
    ' Characters are assumed to be single-byte (ASCII); Asc/Chr work on the current code page.
    Public Function hex2dec(ByVal hextext As String) As String
        hex2dec = Chr(Convert.ToInt32(Mid(hextext, 2, 2), 16))
    End Function

    ' Act = 1: encode every character of INPUT as "%XX", always two hex digits
    '          (zero padded, so a newline becomes "%0A" and not "%A").
    ' Act = 2: decode every "%XX" escape back to its character, leaving other text as is.
    Public Function myConvert(ByVal INPUT As String, ByVal Act As Integer) As String
        Dim myresult As String = ""
        Dim i As Integer = 1

        ' A While loop is used so the decoder can skip the two hex digits of an
        ' escape without modifying a For loop variable.
        While i <= Len(INPUT)
            If Act = 1 Then
                myresult = myresult & "%" & Right("0" & Hex(Asc(Mid(INPUT, i, 1))), 2)
            Else
                If (Mid(INPUT, i, 1) = "%") And (i <= (Len(INPUT) - 2)) Then
                    myresult = myresult & hex2dec(Mid(INPUT, i, 3))
                    i = i + 2
                Else
                    myresult = myresult & Mid(INPUT, i, 1)
                End If
            End If
            i = i + 1
        End While
        myConvert = myresult
    End Function

    ' RadioButton1 selects encoding; any other choice decodes.
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        If RadioButton1.Checked = True Then
            outputBox.Text = myConvert(inputBox.Text, 1)
        Else
            outputBox.Text = myConvert(inputBox.Text, 2)
        End If
    End Sub

End Class


End of Year 2007

The end of 2007 is approaching (even by Cisco's count), and with it the expected summary of the information security events of 2007, and of the trends that were, or turned out not to be...

I would be happy to receive input from you before I summarize and publish such a post.

While 2007 is coming to an end soon (even by Cisco's calendar), a summary of all the security events, trends and things that went wrong is just around the corner...

I would love to get some of your input on this, so my summary will be more complete when it is finally out.


Thursday, September 27, 2007

Cisco.com XSS Vulnerability Found

A few days back I read about a cross-site scripting vulnerability in Cisco's site search engine. This vulnerability lets an attacker use the cisco.com website for phishing purposes and run script of his choosing in the context of cisco.com in the victim's browser.

With the code (posted as a link) below, one could send a user to Cisco's website and bounce him off to one's own bogus machine. I did not check for any further refinements of this exploit, but it seems strange that this kind of thing could show up on a website as security-conscious as cisco.com. I really believe there are web application firewalls defending Cisco's website; if there are, are they misconfigured?

I have reported this vulnerability to a friend of mine in Cisco's security professional services team in EMEA, and I hope it will soon be fixed.

Here is the PoC code:

http://cisco.com/pcgi-bin/search/search.pl?searchPhrase=%27+onmouseover%3D%22location.href%3D%28%27http%3A%2F%2Fwww.cnn.com%27%29%22+value%3D%27&x=20&y=15&accessLevel=Guest&language=en&country=US&Search+All+Cisco.com=cisco.com

Notice that the payload bounces you to the www.cnn.com website, but anything can be put there, which makes you wonder... Decoded, the searchPhrase parameter reads ' onmouseover="location.href=('http://www.cnn.com')" value=' and is shaped for a search box that reflects the phrase into a single-quoted value attribute: the leading single quote closes that attribute, the onmouseover handler is injected as a new attribute, and the trailing value=' swallows the page's own closing quote. Any script can take the place of the location.href assignment.
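The %XX transformation the XSS Translator above performs, applied here to the PoC URL to show what the search script actually receives, together with a constructed stand-in for the reflecting search box that shows why the payload works and what fixes it. This is an added example: it is neither the post's translator nor Cisco's code, and the input markup in reflect_unsafe and reflect_safe is an assumed template, not cisco.com's real page.

```python
"""Added example (not the post's translator and not Cisco's code): %XX encoding
and decoding as the VB.NET tool does it, the PoC URL's searchPhrase decoded,
and a constructed reflecting search box parsed the way a browser would."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# The PoC URL from the post.
POC_URL = ("http://cisco.com/pcgi-bin/search/search.pl?searchPhrase=%27+onmouseover%3D%22"
           "location.href%3D%28%27http%3A%2F%2Fwww.cnn.com%27%29%22+value%3D%27"
           "&x=20&y=15&accessLevel=Guest&language=en&country=US&Search+All+Cisco.com=cisco.com")


def encode_all(text):
    """Encode every byte as %XX, always two hex digits (the translator's Act=1)."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


def decode(text):
    """Reverse of encode_all (the translator's Act=2): %XX escapes back to text."""
    return unquote(text)


def poc_phrase(url=POC_URL):
    """The searchPhrase parameter as the server-side script sees it after decoding."""
    return parse_qs(urlsplit(url).query)["searchPhrase"][0]


def reflect_unsafe(phrase):
    """Assumed stand-in for a search box that echoes the phrase verbatim into a
    single-quoted value attribute (not cisco.com's real markup)."""
    return "<input type='text' name='searchPhrase' value='%s'>" % phrase


def reflect_safe(phrase):
    """The same markup with the phrase HTML-escaped for an attribute context,
    which is the fix: quotes become entities and cannot end the attribute."""
    return "<input type='text' name='searchPhrase' value='%s'>" % html.escape(phrase, quote=True)


class _AttrNames(HTMLParser):
    """Collect attribute names of <input> tags as a browser's parser would see them."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names.extend(name for name, _ in attrs)


def handler_attributes(markup):
    """Event-handler attributes (on*) the browser would attach to the input."""
    parser = _AttrNames()
    parser.feed(markup)
    parser.close()
    return [name for name in parser.names if name.startswith("on")]


if __name__ == "__main__":
    phrase = poc_phrase()
    print("decoded searchPhrase:", phrase)
    print("re-encoded          :", encode_all(phrase))
    print("unsafe reflection   :", handler_attributes(reflect_unsafe(phrase)))
    print("escaped reflection  :", handler_attributes(reflect_safe(phrase)))
```

Run it and the unsafe template yields an onmouseover attribute while the escaped template yields none, which is the whole difference between the vulnerable page and a fixed one; note that the parser, not a regular expression, is what decides, because the text "onmouseover=" is still present in the escaped output but no longer forms an attribute.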

Anyway, I cannot credit this code to any specific hacker or hacking group, because I have seen similar code in more than one of my sources, each from a different country. Strangely enough, they all came out within the same 24 hours. Script kiddies?

As I was promised by my Cisco friend, this is not a lightweight issue for a company of that size, and I believe the fix will come very soon.


Monday, September 17, 2007

MSN Messenger - Ad Block - Revisited


Following some email requests (too many for that specific question) that I have received from various FortiGate (by Fortinet) owners asking for help setting their firewall security policy to block MSN advertisements within the client (as a proof of concept ONLY), and following an old post (that I posted here on March 13th 2007 - Link), I am posting the requested configuration for the machines.

I have decided to re-post this with a better technical explanation, and in English this time, as a gesture to the "Security Bloggers Network" (to which I only post English feeds, and this is one worth mentioning).

The main concept is to block the three URIs (two of them expressed as regular expressions) from which the Messenger client fetches its advertisements. As you may or may not know, this IM client uses HTTP to get things done; well, let's break its path...

[note: the configuration is written for FortiOS MR5 patch 2 and was tested on an FGT60]

As I previously posted, this is a good way of handling Messenger usage within organizations that do not approve of end-user advertising in their computer environment.

There are two ways of doing it: one through the URL filter engine, and the other through the IPS (which I find a much more exotic way of getting things done, through deep packet inspection).

Method 1 - URL Filter:

1. Go to the CLI on the machine and paste the following configuration:

    config webfilter urlfilter
        edit 1
                config entries
                    edit "ad.msn.co.il/js.ng"
                        set action block
                    next
                    edit "rad.msn.com/ADSAdClient31.dll"
                        set action block
                        set type regex
                    next
                    edit "config.messenger.msn.com/Config/MsgrConfig.asmx"
                        set action block
                        set type regex
                    next
                end
            set name "block-msn-ad-engine"
        next
    end

2. Select "block-msn-ad-engine" within the protection profile of your choice. Two of the entries are of type regex, and in a regular expression a bare "." matches any character and the pattern is not anchored, so they match somewhat more broadly than the literal host and path; for a block list that is harmless, but keep it in mind if you adapt the entries.

Method 2 - IPS:

1. Go to the Intrusion Protection >> Signature >> Custom menu and add the following signatures:

    F-SBID( --name "bs_MSN-AD-Stop.A"; --protocol tcp; --flow established ; --regex "ADSAdClient31.dll"; --no_case)
    F-SBID( --name "bs_MSN-AD-Stop.B"; --protocol tcp; --flow established ; --content "ad.msn.co.il"; --no_case)
    F-SBID( --name "bs_MSN-AD-Stop.C"; --protocol tcp; --flow established ; --regex "MsgrConfig.asmx"; --no_case)

2. Choose an appropriate severity and include that severity in the desired protection profile.
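Before pushing either method to a production box it is worth checking the three patterns against sample URLs, including the ones you do not want blocked. The checker below is an added example, not part of the post and not FortiOS code: its matching rules (a "simple" entry as a case-insensitive substring of host and path, a "regex" entry as a regular expression searched over host and path) are a stand-in for reasoning about the patterns, since FortiOS's own matcher may differ in detail. The sample URLs are constructed.

```python
"""Added example (not from the post, not FortiOS): exercise the three URL
filter entries against constructed URLs. Matching semantics are assumed:
simple = case-insensitive substring of host/path, regex = re.search."""
import re

# The entries from the urlfilter configuration above: (pattern, type).
ENTRIES = [
    ("ad.msn.co.il/js.ng", "simple"),
    ("rad.msn.com/ADSAdClient31.dll", "regex"),
    ("config.messenger.msn.com/Config/MsgrConfig.asmx", "regex"),
]

# The same list with the regex entries' dots escaped, so "." means a literal dot.
ESCAPED_ENTRIES = [(re.escape(p) if kind == "regex" else p, kind) for p, kind in ENTRIES]


def host_and_path(url):
    """Strip the scheme and the query string, leaving host/path for matching."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    return url.split("?", 1)[0]


def matching_entries(url, entries=ENTRIES):
    """Return the patterns that match the URL under the assumed semantics."""
    target = host_and_path(url)
    hits = []
    for pattern, kind in entries:
        if kind == "regex":
            if re.search(pattern, target, re.I):
                hits.append(pattern)
        elif pattern.lower() in target.lower():
            hits.append(pattern)
    return hits


def is_blocked(url, entries=ENTRIES):
    return bool(matching_entries(url, entries))


if __name__ == "__main__":
    # Constructed sample URLs: two ad fetches, one config fetch, two that must stay open.
    for sample in ("http://rad.msn.com/ADSAdClient31.dll?GetAd=1",
                   "http://ad.msn.co.il/js.ng/site=msn",
                   "http://config.messenger.msn.com/Config/MsgrConfig.asmx",
                   "http://www.msn.com/",
                   "http://messenger.msn.com/"):
        print("%-60s %s" % (sample, "BLOCK" if is_blocked(sample) else "pass"))
```

The ESCAPED_ENTRIES variant shows the regex caveat concretely: with the bare dots, a host such as radXmsnXcom would also match the second entry; with the dots escaped it would not.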

 

Disclaimer: this is a POC only; this kind of usage may conflict with the MSN Messenger usage agreement, and I do not take any responsibility for any unethical or illegal use of this article and the information it provides. And although I think using this information to violate any EULA or other agreement is wrong, if you use it, you are taking the responsibility for it.


I am not sure there is any violation, since all this solution does is change the availability of web data to an application, so basically treating the application as a user on the network and denying it access to some Internet content. Legitimate, isn't it?


Friday, September 14, 2007

Security Bloggers Network

At the request of Mr. Alan Shimel, VP of strategic development at the American company StillSecure and author of one of the more reliable and higher-quality blogs in the industry (link here), I have joined the worldwide information security bloggers network called SBN. This network is considered relatively reliable in terms of the kind of people linked to it, so I was happy to receive this offer from Mr. Shimel and to join.

The link to the Security Bloggers Network is here.

As a gesture, I see fit to add the banner of this network to the blog menu (bottom right). And I hope my blogging line will also work to broaden horizons abroad. By the way, this means there will occasionally be posts in English here. At least more than usual.


Following Alan Shimel's proposal to join the SBN ("Security Bloggers Network") a few months back, after getting some feedback from Richard Stiennon on my article about UTM and a follow-up by Alan Shimel, and because of some changes of direction I have decided on recently, I am proud to say that I am a shiny new member of the SBN, and I hope to bring the voice of Israeli information security expertise to the broader public of security, networking and systems professionals.

I have added the SBN widget to my sidebar to let the Israeli crowd know about it. This means that although I usually write in Hebrew, I will most definitely write in English more often. Thank you, Alan.


Wednesday, July 18, 2007

I Would Like To Thank Mr Richard Stiennon

Friends, I would like to thank Mr. Richard Stiennon, currently CMO of Fortinet and formerly a senior information security analyst at Gartner.

Richard met me in Israel a few months ago during a Fortinet conference at which I lectured, and he is the author of one of the best information security blogs in the world, ThreatChaos, which I appreciate very much.

Richard is considered today among the 50 most influential people in the global industry when it comes to data communications security, and yesterday he chose to write a post on his site that refers to an article I published here in English in the past (link to the article) and to mention me in a blog read by hundreds of thousands of people a month. I want to thank him personally.


Link to the article on Richard's blog
Another link, to the article he wrote in parallel to mine

A FOLLOWUP was also written on another blog - the link is here


Thank you, Richard, for your comment and for your post about UTM.
Keep on writing great columns.


Tuesday, July 10, 2007

Fedora 7 on HP nc2400



All of my Hebrew readers, please excuse me, but because I want to make this post handy for other nc2400 users I will post it in English.

I have got my hands on a new HP nc2400 laptop that replaced my older Dell D620, and here is how I set up Fedora 7 on it.

First of all, I must admit that almost everything worked out of the box, which is quite amazing for a branded laptop. Maybe the only two things that did not work were the wireless card, an Intel PRO/Wireless 3945ABG (the ipw3945), and the AuthenTec fingerprint reader. Since I do not use the fingerprint reader I did not even set it up, so excuse me, all of you fingerprint users.

My setup is quite simple: GNOME with Beryl, a 2.6 kernel and the rest are networking and pentesting tools that are not worth mentioning.

Wifi -
I was thinking of how to give you the easiest way to bring it up...
Well, it's easy...

First edit the file /etc/modprobe.d/blacklist and add the following lines (they keep the in-kernel iwl3945 driver and the mac80211 stack from claiming the card, so that the out-of-tree ipw3945 driver can):
--
#IPW3945
blacklist iwl3945
blacklist mac80211
--

Then reboot.
Next add the freshrpms.net repository and run yum search ipw3945.
Install the dkms package, the ipw3945d daemon package and the ipw3945 firmware package.
Reboot and you're done.

The native resolution of the 12.1-inch panel was also detected automatically, so there was no need for the 915resolution tool. You may want to install wpa_supplicant in order to connect to WPA2 networks more easily.

I would also recommend running NetworkManager to manage the network connections from within GNOME. I personally disabled the automatic DHCP on eth1 (the wifi interface) via the /etc/sysconfig/network-scripts/ifcfg-eth1 file.

That's about it. Everything is running fine, yum update ran perfectly, and it's a go from here on.

Enjoy Linux.


Tuesday, December 05, 2006

How To Assure Yourself With Common Criteria


There is a great deal of gray area around Common Criteria certifications. Not because there is anything wrong with them; quite the opposite: RFPs go out asking for answers without asking for any legitimate source of information about the capabilities of the product they request.

What happens is as follows:
When a firm needs a technological product, let's say a firewall, it puts out the specifications it requires and asks for a certain throughput, VPN abilities, content inspection abilities and so on. The integrator or product vendor usually answers this RFP with best-effort knowledge and cut-outs from white papers.

In that way the firm that requested the product may get one that is cheap and answers all of the required technical specifications, but is itself poorly implemented and written, while its documentation says that it supports just about everything and that the product is "very secure and hardened".

Common Criteria comes in as a legitimate standard for checking the entire process of product development, deployment and testing, and thereby giving a product a certification on which a customer can rely: he is getting a product that has passed at least a certain level of standardized checks.

The seven levels of assurance in the Common Criteria are known as EALs ("Evaluation Assurance Levels"), EAL1 through EAL7, and a product is marked accordingly: a product that reached EAL4 may carry the certificate "EAL4 Certified". One caveat worth remembering: the EAL measures how rigorously the evaluation was performed against the vendor's own Security Target, not how secure the product is in absolute terms, so the Security Target (which functions were evaluated, and in which configuration) is as important as the number.

Therefore, when issuing an RFI or RFP, one should request a minimum EAL for the product; in that way the company assures itself that it gets a product that satisfies its needs.

There is some great information at the Common Criteria portal
("http://www.commoncriteriaportal.org"). For instance, you can read the user guide and get familiar with the different
EALs and the way each level is checked:
http://www.commoncriteriaportal.org/public/files/ccusersguide.pdf
http://www.commoncriteriaportal.org/public/files/ccintroduction.pdf

As a security engineer, when a customer asks me for consultancy about a product or solution for securing an element of his IT infrastructure, my first question about the product is always: "What is its CC EAL certification level?"

Always remember: when a standard is requested and the product or solution you get is certified to that standard, you usually get what you pay for, nothing less, maybe more.


Monday, December 04, 2006

UTM – Antithesis For The Current Concept Technology


The world of IT security technology has evolved greatly over the last five years.
By understanding the structure of the threats facing corporate IT infrastructure, security vendors have created highly specialized technologies to deal with them. We have had major breakthroughs in IPS technology, which now serves both signature-based and proactive scanning methods; antivirus and anti-spam engines can now inspect content at the deepest levels; and there are more than enough URL filtering mechanisms serving every major company that wants this kind of control over its users' browsing habits.

UTM is something fairly fresh in that respect; we have seen it grow over the last couple of years as a major approach to creating "all-in-one" solutions. The concept takes one machine that handles stateful firewalling, advanced routing and IPsec connectivity, and gives it an extra edge by attaching modules such as IPS, anti-spam, antivirus and URL filtering, creating a full-blown inspection gateway that scans just about everything passing through it and decides, based on the scan results, whether to pass the traffic or to stop and log it at that point of entry.

Now let's look at the problem. By the UTM concept our IT should be "secured" if we use a UTM device at the core of our network. But what about blended threats? What about attack and code mutations?
In the second half of 2005 many analysts and security engineers faced new types of attack, the blended ones and the mutated ones. These attacks were crafted to skip from one method to another and from one technology to another. IT security measures were built on the assumption that if you had a virus the antivirus would take care of it, and if you had a DoS attack the firewall would take care of it; but when an attack begins as an exploit that drops a virus, which later sends out spam and infects other hosts via IM or via SMB, those systems are useless.

The problem with the UTM concept today is that the companies manufacturing these solutions assemble them from OEM components of other vendors. One might OEM the best-of-breed antivirus company's engine for the AV module and the best-of-breed IPS company's engine for the IPS module, and pass the traffic through both. But, and here is the problem, modules from different vendors cannot speak to each other. Each vendor's module is a closed-source application that receives traffic at one end, checks it and passes it on; when the IPS and AV modules co-exist but cannot take joint decisions about the traffic passing through them, blended threats cannot be inspected at all, and mutated traffic passes as if there were nothing there to stop it.

Let me explain further. When the UTM device is used to establish a layer 3 to layer 7 connection between two entities, it inspects the traffic. Now consider a mutating attack (this is just an example): a session is established over a VPN between two entities and carries only HTTP traffic. The IPsec tunnel is terminated by the UTM device, which up to this point cannot tell whether an attack was hidden in the traffic that came through the tunnel. The data then reaches the HTTP server carrying a 0-day exploit, so the IPS does not recognise it, and the exploit fetches a file that the UTM device had previously accepted because of the tunnel's access control rules. That file contains a virus, and the attacker delivers it through an IM service. The newly crafted virus then propagates not via IM but via SMB, and once that happens it turns to attacking the core switch with a simple DDoS. No UTM device would stop this attack; no single entity responsible for one module would stop it. The solution is being offered today by one or two vendors who have realised that if they write their own antivirus they can adapt it, if the IPS code is their proprietary code they can adapt that, and where the URL filter is a service they own, modifications and alterations can be made. The main point is that if you are the sole vendor for all modules inside your UTM device, you can make them speak to each other, you can take access control decisions based on the blended results of the traffic passing through the device and, thanks to stateful technologies, you can understand the deep behaviour of your traffic, and so have access control decisions made by the deepest analysis available.

By building a single-vendor solution one is able to interconnect the different security modules and create a real UTM device; in my terms, "real UTM" applies only if the device and its modules come from the same vendor, so that it can sanitize the traffic using decisions based on a matrix check of each packet.

The following diagram (D01) shows how a current-concept UTM device actually passes the traffic:



In current UTM environments the packet has to go through each and every module as a stage of inspection. What may happen is that one module is not certain the packet contains an attack, so it does not mark it as an attack and passes it on. The attack passes between the different "best of breed" modules and no decision is taken to drop the packet, because no module found a specific attack, and even if one did, it would not be able to tell the next module about it, because of the differing technologies and vendor code confidentiality.

The following diagram (D02) shows exactly what happens to a packet that runs through what I consider a real UTM:



What is clearly visible in this diagram is that a packet running through a real UTM mechanism still passes through each and every module. Note: if a packet is intercepted by the IPS mechanism, the IPS asks the antivirus to check it too, and so on for the anti-spam and every other UTM module. Afterwards the UTM mechanism decides, based on the scan results from all of the modules, whether to pass the packet on or to drop it. It is packet based, not session based.
What happens in that environment is that each module can give the packet some kind of grade, even if it is not sure it is an attack. Next, the UTM consolidation engine grades the packet based on all of the modules and makes a more sophisticated decision to drop or accept it, after a really deep inspection.
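The difference between the two decision models, as an added example written for this page (it is not code from the article or from any UTM vendor) on constructed module scores. Each inspection module is assumed to return a confidence between 0 and 1 that the packet is hostile; the weights, the "certain" cut-off and the drop threshold are illustrative assumptions.

```python
"""Added example (not from the article): the chained decision of diagram D01
versus the consolidated decision of diagram D02, on constructed module scores.
Each module returns a confidence in [0, 1] that the packet is hostile."""

CERTAIN = 0.9          # assumed: a chained module drops only when certain on its own
DROP_THRESHOLD = 1.0   # assumed: consolidated weighted score at which the packet is dropped
WEIGHTS = {"ips": 1.0, "antivirus": 1.0, "antispam": 0.5, "urlfilter": 0.5}  # assumed


def chained_verdict(scores, certain=CERTAIN):
    """Current concept (D01): modules run one after another and cannot share
    findings, so the packet is dropped only if some single module is certain.
    Returns (verdict, module that dropped or None)."""
    for module, confidence in scores.items():
        if confidence >= certain:
            return ("drop", module)
    return ("pass", None)


def consolidated_verdict(scores, weights=WEIGHTS, threshold=DROP_THRESHOLD):
    """Real UTM (D02): every module grades the packet, the consolidation engine
    combines the grades and decides once, so several weak signals add up.
    Returns (verdict, combined score)."""
    total = sum(weights.get(module, 1.0) * confidence for module, confidence in scores.items())
    return ("drop" if total >= threshold else "pass", round(total, 2))


# Constructed sample traffic: a clean packet, an obvious virus, and a blended
# attack that looks only mildly suspicious to each module on its own.
SAMPLES = {
    "clean":   {"ips": 0.05, "antivirus": 0.0,  "antispam": 0.1, "urlfilter": 0.0},
    "virus":   {"ips": 0.2,  "antivirus": 0.95, "antispam": 0.0, "urlfilter": 0.0},
    "blended": {"ips": 0.6,  "antivirus": 0.5,  "antispam": 0.4, "urlfilter": 0.3},
}


def compare(samples=SAMPLES):
    """Map each sample to (chained verdict, consolidated verdict)."""
    return {name: (chained_verdict(s)[0], consolidated_verdict(s)[0])
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (chained, consolidated) in compare().items():
        print("%-8s chained=%-4s consolidated=%s" % (name, chained, consolidated))
```

The blended sample is the point of the article: no single module reaches its own certainty cut-off, so the chained model passes it, while the consolidated score (0.6 + 0.5 + 0.2 + 0.15 = 1.45) crosses the threshold and the packet is dropped; the clean and the plainly viral samples are decided the same way by both models.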

A new UTM RFC/protocol is required.

One cannot expect major vendors to exchange code with each other, but maybe some kind of consolidation protocol is needed here. We had ICAP in the past for handing traffic off to external inspection services; maybe now is the time to write a new protocol by which inspection modules could grade traffic and a consolidated decision could be made.

In conclusion, the UTM world is a wonderful and insightful one; the best vendors are making a great effort to give us best-practice results and the solutions we require. But because of the misleading assumption that "attacks may be more sophisticated but they still spread in the same ways", the UTM world will not be complete. The guiding concept should be: "an attack can come in different and blended ways; check them all and never skip a phase".




About

    My name is Barry Shteiman; this is my blog, dealing with information security and with technology and science in general.

    Email: barry@sectorix.com