Making new friends with kippo

Less than two weeks ago I've sent a tweet asking for honeypot recommendations. I wanted to play a bit with something new, something I never did before, mostly because I never had time for it (right, like I have it now). Anyway, thanks to all the great people that replied to my tweet I've learned a lot and found some great software. Now it's time to give something back to the community.

Kippo - simply amazing

First honeypot I've reached for was kippo. It is a medium interaction SSH honeypot designed to log brute force attacks and log the whole session as it goes - including timings, typos, etc. The magic sauce is that you can play the session back (with typos!) and see what the attackers are made of. Believe me - playing back those session is totally amazing! Some samples are available on project's page.
There are also other features to like, like trapping sessions and not disconnecting them even if bad guys do logout, logging ssh client used (very easy to tell scanning bots apart from real people), quite nice interaction and most of all easy way to extend your honeypot it with your own commands.


Installing kippo



For the base platform I used one of my Debian hosts and started with
kippo 0.4. It was good to see how to run it, but options are limited,
so go full steam ahead and get SVN version - it is well worth it!


By default kippo runs on port 2222 but I wanted it on port 22 as normal
SSH would be (running as unprivileged user), so I've set it up on one
of my unused IP addresses - the setup was very easy.



Before you grab the latest version from SVN repo, you should install
required python packages (dependencies will be pulled in
automagically):

apt-get install python-twisted

svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-read-only

Main benefit of SVN version is that it can use MySQL to log events
(alongside the regular log file) and that it can actually bind to given
IP address - version 0.4 binds to all available addresses which is a
bummer for me when I want to spawn totally fake host and have normal
ssh working as well.



Honeypots - rule #1



DO NOT run honeypot as root!



Remember that honeypots are software components, they may (and most
likely do) have their own bugs. Of course you have to be root
to bind to port <1024, or do you?



Configuration



Couldn't be easier... create unprivileged, regular user  account to run
your honeypot (I called it honeytrap), create your own kippo.cfg using
kippo.cfg.dist as template, set MySQL parameters, honeypot hostname
(attackers will see it after they log in), IP address to bind to and
port. If you don't want to use MySQL - your call... it may come very
handy for reporting. That's it - you are ready to go.



Now the trick is to get it running on port 22. There is obviously more
than one way to do it. If you have only one IP address available, you
should most likely go to kippo's Wiki page that describes how to make
kippo reachable through port 22 but if you
have spare IP address... =B-]



Now, how do I bind to port 22 as regular user? Somebody must have solved that problem before, right?
Sure, and they even created a package that solves this issue! It's called authbind and it's amazingly easy to use.

apt-get  install authbind

touch /etc/authbind/byport/22

chown honeytrap:honeytrap /etc/authbind/byport/22

chmod +x /etc/authbind/byport/22

Authbind works almost like sudo, except for the ports - not the
commands. In kippo's directory you will find start.sh script - add
authbind in front of the startup command and you are good to go.



Ready, set, go!



Ok - don't do my mistake... test your install - ssh into the honeypit and
see if you can log in. The root password is in kippo.cfg. Testing setup
is important - if sql database is gone, then you won't log in and in
kippo.log it will say that the root password was incorrect, when in
fact the problem is disconnected sql log backend.



Observations



Kippo is really great tool to learn what the bad guys are up to. If
they add user, they can log in as that user later. If they change root
password, it will be there for them when they return. The best part is
that of course you can see those passwords and suddenly you will have
new 'accounts' added and new, correct and active at the same time root
passwords (yes, more than one correct password!).

I've spent some time
watching the sessions recorded so far - there's so much to see, laugh
and cry, but I'll leave that for another post...

BTW, I blame Andrew (@Infosanity) for all of that - he got me back to honeypots topic, then other great tweeps came back with advice (much appreciated), so make sure to visit his blog ;-)

Coder vs Security - friend or foe?

Certainly 140 characters is not enough to express all the thoughts around recent CSRF flaw in OpenCart and how it was handled (in my humble opinion it even deserves nomination for Pwnie Awards), although some people had a good go at Daniel Kerr.

Above is just a selection of comments that you can find on Twitter and in all of this negative karma there is some good thing going on. This incident got quite a lot of people to write some really good posts about the incident. Some of my favorite posts are Humble Helps and Psychology of "Secure Code" - definitely worth reading.

Although I'm not an expert in either coding or security (but I did quite a lot of both) I think there is also a bit more to it.


I used to work with many coders (people that write code) - some
extremely good and some extremely bad. When I look back I would happily
say that I was at some point doing a bit of both - at least in my own
opinion.

Developers vs code-slingers

There
is a significant distinction between those two groups at least as far
as I can tell. Developers do their job and write apps the best way they
can, they are proud of their job because they know they did the best
they could. Code-slingers, well... get it done, whatever... Usability is
something they may or may not understand (if it works, it's usable,
right?), quality and elegance rings the bell somewhere but that's not
in their church so nothing to worry about... and security is often
totally unheard of. Sad, isn't it?

I think we've all been there
and done more or less of that - it takes time to learn and even more
time to understand. That requires patience and a lot of energy, and
more than anything it requires a person to say "I want to do it right, I want to understand".

Recently in one of the emails I've found an anonymous quote by a person that was training newly hired staff - he said "I can teach them just about anything, but I can't give them a basic
sense of curiosity". I couldn't describe it better!

Developers vs Infosec

In
my opinion the real virtue of a good developer is aiming for perfection
and taking criticism as a chance to improve. It is sometime painful (I
know from my own experience) but we all make mistakes and no matter how
good we are, there will be someone better that will prove we are wrong.
Real developers know how to deal with it because they want their code
to be beautiful in all possible aspects and they are curious people.
Some of those can be real inspiration and you enjoy every second you
spend with them.

Code-slingers vs Infosec

Mostly
not as skilled as developers, often with bad habits, etc - you can say
'developers in training' and that is ok. The first shock of getting
something that actually does the job is hopefully passing by and they
want more - or they don't...  they are so happy that their code works
that nothing else matters - that's where the problems come from.

It's
not a problem of skill, it's a problem of attitude. You can spend a lot
of time with them trying to explain, demonstrate or even send to some
training that deals with secure coding... still they couldn't care less -
oblivious, ignorant, often arrogant and portraying you (the infosec
person) as their biggest enemy because you prevent them from doing
their job. Yes, I've been there and worked with such people.

Free vs 'for money'

Your
options vary depending on environment. In 'for money' space you have
tools to deal with that - you can and should mentor such people to help
them understand. Sometimes a cup of coffee, friendly chat at the
whiteboard going through the requirements and proposed solutions or
ideas can really make huge difference. If you are not so friendly then
get your company to pay for some good training that will give those
people some good base to do their work (get rid of bad habits, don't
post code snippets on forum with URL to the product, etc) so they get
the carrot.
If that doesn't help, go for the stick - at the end of
the day, that code-slinger or his/her supervisor or their supervisor
will have to face a dilemma of signing off a code for production - it's
a business decision. If you can't block it and don't communicate your
security concerns it will be your fault if things go wrong and your
head on the chopping block. Brutal but simple - isn't it?

In the
free software world, where coder does something for little money (let's
say donations) or no money at all, what is the carrot and what is the
stick? If people care, they get good ratings, maybe more donations,
good publicity and are praised for their work, but if they don't give a
s**t... Oh, hi Daniel!

Free software users will complain, do a lot
of bad PR and a lot of them will go away migrating to other products,
but hold on... in this particular case THERE IS a commercial support
for OpenCart. What will the paid customers do with such response like
we've seen? How do they feel? They pay for support that they clearly
don't get :-(

Lessons to take away

If you are so called code-slinger
try to understand that writing code that works is not all you have to
do. You should create solutions - not problems. Don't behave like a
little kid, put your pride aside for a few minutes and listen to what
people have to say about your work - it really helps, even if it will
ruin your day.

If you are developer, please, be a mentor to the
code-slingers so they understand the beauty of the code and what it is
all about. Be a role model - calm, patient, their best friend and
inspiration - that's how miracles happen.

If you are the infosec
person please remember that saying 'no, you do it wrong' doesn't get
you anywhere. You have to be patient more than ever, explain why you
said 'no' and help find a solution - otherwise you have just created
another problem.

Whoever you are - remember that people
sometimes get frustrated, they have a bad day, they say things they
later regret - it's a design flaw we all have.  Daniel had just
demonstrated it and it got public. Simple 'sorry' can clear the
atmosphere and create a place to work together and solve the problem.


At the end of the day, we should all be friends, not foes... so I'll better shut up before I say something I will regret :-)

AirView2 Spectrum Analyzer

Recently I had some serious problems with wi-fi at home - especially one of the laptops was dropping off and couldn't come back. Quick survey using Kismet and other tools to scan what's flying around has proven that my network is in less populated part of the spectrum (at least here) but still, problems are getting worse and worse.

I was fully aware of Wi-Spy by Metageek, seen it in action previously but never had a chance to buy one. Part of the decision was the price back then, maybe now it would be another game, but anyway - I got myself another device, made by well known wi-fi vendor Ubiquiti and it's called AirView2.

What's so special about this one? Why it's better than Wi-Spy?

First of all I didn't say it's better. It's different, woks with Linux, Mac OS X and Windows, has a nice price tag and does pretty much the same as Wi-Spy. Let's have a closer look then, shall we?


It's different

Well, obviously it is... it comes from different vendor... and this post is not a sales pitch - it's just what I've experienced myself. On a bit more serious note, it's smaller than all the Wi-Spy models I've seen so far. Smaller is good, right? Yes - takes up less space, No - easier to loose (looks almost like USB stick).

Works with Linux, Mac and Windows

Yes, it does... better or worse but it does and it's not a matter of hardware or bundled software, but clearly it depends on the host OS and Java. You got it right - Java!
Software is written in Java to be really cross platform, but those that are not Java developers but use it a bit know quite well what a pain in the rear Java can be. Same is here - Ubiquiti warns about compatibility issues, there are long posts on the forums why this particular version of AirView software doesn't work (mostly on Mac OS X) and how to fix it, etc.

Windows - OK, even inside VM with USB passed through to the guest VM (tested VirtualBox, VMWare Workstation and Fusion - all with Windows 7 and latest Java). It was all very slow, loosing connection with the device and re-initializing it all the time, but worked. In native mode with Windows 7 on bare metal box worked like a charm (tested on a netbook PC).

Linux - didn't try, not enough time - sorry.

Mac OS X - yeah... that sucked! If you have the latest patches installed most likely the software will hang on detecting the device. Of course the reason is Java + OS X (I'm on 10.6.2 as of now with Java 1.6.0_17 in 64-bit mode).

java.lang.UnsatisfiedLinkError: /Library/Java/Extensions/librxtxSerial.jnilib:  no suitable image found.  Did find:  /Library/Java/Extensions/librxtxSerial.jnilib: no matching architecture in universal wrapper thrown while loading gnu.io.RXTXCommDriver

Exception in thread "AirViewer-Initializer" java.lang.UnsatisfiedLinkError: /Library/Java/Extensions/librxtxSerial.jnilib:  no suitable image found.  Did find:  /Library/Java/Extensions/librxtxSerial.jnilib: no matching architecture in universal wrapper

WTF?! File not found... but found? Never mind - luckily the solution is very simple - AirView comes with it's own version of librxtxSerial.jnilib so the one that came with OS X needs to be disabled temporarily and problem will go away. That can be done very easily with one command in the terminal:

mv /Library/Java/Extensions/librxtxSerial.jnilib{,-disabled}

That's it, now it works :-)

Price tag

This argument is obviously quite important. Is it that much cheaper? I'm not so sure... of course you can get the basic Wi-Spy for about £65+VAT so even if AirView2 would be equal to it in hardware terms, it would cost a bit more - £69+VAT... There is one catch to it though - AirView2 comes in several versions. I bought the AirView2-EXT for £64+VAT and this one has MMCX connector for external antenna (because it doesn't have a built-in one) and with clip-on omnidirectional antenna (~3-5dBi I guess) in the package. To buy Wi-Spy with RP-SMA connector you would have to spend at least £120+VAT which is almost double the price of AirView2-EXT.

HINT: Wi-Spy with RP-SMA is 2nd generation - faster with better scan resolution than the first generation of the device. So far I didn't have enough time to grab the full spec for AirView2 and compare them side by side - that would be very interesting (it's already on my TODO list).

Does it do the same stuff?

I would say YES based on what I can see, but as most of those devices are SDRs (Software Defined Radio), they can do all the software allows them to do and I didn't have a chance to compare recent version of Wi-Spy software to the AirView one, so please take my words here with a grain of salt and look for other sources to confirm that.

Conclusions

The device worked for me like a charm - it turned out that the signal from my AP was attenuated by temporary objects that came in the way (books - whole piles of them) and as the amount of networks around at least doubled in the last 12 months, somebody put up some very messy device that is transmitting all the time with a very wide signal, exactly in the area of channel I was on - so here come the interference!
Quick look at the graphs and it was clear, that simple channel change should cut down on the interference and moving books a bit will improve signal strength in a place where this unlucky laptop is used most of the time - it worked very well, no more problems!

Looking at the bottom line, for me that's a money very well spent! I was asking myself a question 'how often I will use this thing' and now I really appreciate the power of seeing something that Kismet and similar tools won't see.

Using spectrum analyzer like AirView or Wi-Spy (doesn't really matter which one - pick one that suits your needs) is like reading between the lines - there is a lot of valuable information out there... if only you can see it!

The Hex Factor at SANS London 2009

The competition is now officially over and I have to say it was AWESOME!

Those that made it to BruCON had a chance to play it, those that came to SANS London 2009 also had their fun, all the rest of you - bad luck :-/ maybe next time.

The Hex Factor was run for four evenings/nights at The Fox Bar and Restaurant located literally next to the Excel center where SANS courses were hosted. What can be better than beer, hacking and a spirit of competition?!

Tasks set by the authors were varied in difficulty and topics they covered. One category was about history and culture of hacking with a bit of general teaser tasks and was called Once Upon A Time, like finding a name of candy shop at <street name>, so that was a soft introduction.

My favorite category was Out Of The Box category (also known as Pure Leetness), where questions were really 'out of the box' and solving them was the best fun I had for a long time! First 100 points for finding a number 'hidden' in the message was really simple and here's how I did it:



I didn't have time to do the one for 200 points, but finally after some time I managed to solve the 300 points one - finding a secret number hidden in the PDF file - hats off to Didier Stevens for this task - it was amazing! Didier's blog was a great guide and help in the process.


Third category was Pwned and consisted of physical box with
sensors you had to trigger in the right order to get the code and two
systems to be penetrated. As I said, the difficulty was varied and so
were the nominal point values for each task, from 100 to 300, but you
could also get the partial points if you did only part of the task
properly. Of course during competition like this one you are never alone... Hello brotha!

Anyway, it was all very very friendly competition - beer infused with brains hurting after the classes (typical for 'SANS Fire Hose Syndrome').

Third category of tasks was Binary fu where you had to work your way through programs delivered as .exe files and get the secret codes out of them. First one was easy, but again I had no time to go through the remaining two. That is the reason why our team (I was working with Chris Riley, better known as @ChrisJohnRiley) was called Drunk and going home.

At the end we were #4 at the leader board but as it turned out, two teams of the first three were the same people, so kind of we are #3, so here we are - two of three winning teams, already in The Hex Factor t-shirts!

I'd like to say THANK YOU to all the people behind The Hex Factor - it was really awesome experience and great fun, so I hope it's not the last time we see The Hex Factor. See you next time!

CONFidence09.02 - post mortem

Well... my plan to blog live from the CONFidence was good but still remained to be more of a plan than a reality. Twitting went much better (possibly because you can twitt between chats with people, drinks, etc) so I'll wrap up what happened and how it went.

The conference was great - I really liked the lectures (those I actually made to), loved the chat with speakers and it was awesome to meet some old friends and make some new contacts. Overall, if you didn't come to Warsaw for CONFidence09.02 you missed quite a lot.

Day 1 summary
There was very nice presentation by Felix "FX" Lindner on how 'awesome' Cisco IOS is, Claudio Criscone (@paradoxengine) talked about security in virtualization environments, Frank Breedijk renamed hist AutoNessus to Seccubus (new twitter feed at @seccubus), Leonardo NVE Egea showed us how you can use the satellites to work as your downlink (and it seemed much easier than actually you would think), Pavol Luptak pretty much owned the RFID there (yes, the basic cloning kit is just €30), Elisa dropped the pressure a bit with Power Point Karaoke where Felix "FX" Lindner was presenting about detecting unknown alcohols, Raoul Chiesa gave great presentation about knitting (yes, knitting) and I was rolled into a presentation about IT slang/acronyms and there was something about insulting someone :-) and that was just the first day.

Day 2 summary
For those that survived the 'afterparty' on the evening/night/morning you had a chance to see nice explanation of the cold boot attack given by Nadia Heninger, Nick DePetrillo discussed 'what could go wrong' with intelligent power grids and believe me... there's a lot! Jacob Applebaum (@ioerror) gave us some TOR love and a lot of TOR laptop stickers. Alessio "mayhem" Penasilico (@mayhemspp) and Raoul Chiesa gave nice presentation on history of hacking telcos - there was some good info there... just before Raoul killed it all with final presentation dissecting the underground economy (with some slides show just after the cameras and other recording equipment was turned off). That was a really good one...

Finishing off, Frank has posted a bunch of posts about presentations we saw in Warsaw. They are:

• Fusing 3rd party threat feeds to obtain better threat intelligence - Eddie Schwartz
• Router Exploitation - Felix "FX" Lindner
• My Seccubus slide deck (slides from Frank's presentation)
• My TLS renegotiation vulnerability slides (Frank's lightning talk during one of the breaks)
• Mifare Classic anaysis - Pavol Luptak
• Power Hungy People - Nick DePetrillo
• The Tor Project - Jacob Appelbaum
• Underground economy - Raoul Chiesa
  

That's it for now - just make sure you get there next time :P

Claudio Criscione - Virtualization security

Claudio gave today brilliant presentation about virtualization security... Just a few bullet points from the presentation.

• It turned out that VMWare hypervisor is running Tomcat to give you the admin interface - oldie (shall I read it 'unpatched') but goldie, right?
• You can do MiTM against VMWare VI Client... and as presented at the demo, that works like a charm, plus...
• ... if you can MiTM you can pwn the box - clients.xml that is served by the server contains a URL of the client .exe to be executed - boom, you can change that!

Just to give you the idea - during live demo Claudio forced the admin PC (the one running VI Client) to format drive C: and there was no option to stop it, it pretty much kicked off right away.

There was much more than that - also Xen and Ubuntu got their share here but the practical demo was based on VMWare.

Lessons learned?
Treat VM hosts and their apps just as another computer, another system and make sure you secure them the same way as any other system. Think of patch management and what happens when you revert to a snapshot (it may be old and unpatched so you bring back unpatched or already compromised system), think of separation of duties and access (physical and logical).

CONFidence09.02 - day 1 kicked off

Almost half of the day at CONFidence09.02 has already passed. Some interesting stuff of course...

Starting with Dragorn's and RenderMan's "Wireless threats; They're not dead yet!" we've heard once again how bad and how dead WEP really is. Good refresher for some people I guess. Best part was discussing client side attacks via wifi - airpwn style but without goats this time, using malicious JS with such a nice feature like browser side caching, defeating SSL, hiding all of that in plain sight with call-home feature that will be very hard to notice in most of environments.

Then I skipped several presentations - I really needed a reboot :-)

Next one I made to was Felix "FX"Lindner talking about how sweet hacking Cisco IOS can be. Frank (@autonessus) has already blogged about this one so I'll just put a few notes here.

• Cisco's HTTP admin interface runs off their understanding of HTTP and not Apache.
• IOS doesn't have recovery procedure for software crashes due to it's monolithic structure - the only remedy is to reboot the whole box (quite easy to spot even by untrained admin - the networkz are down!) which takes time (even several minutes).
• Cisco has added TCL scripting in some versions of IOS :-)

More to follow... and yes, we use #confidence0902 as hashtag.