Protected: Advanced Penetration Testing Day 2 – Building the Lab and other Tools
Protected: Advanced Penetration Testing Day 1 – Preparation and tools
Kernel Apple Vulnerability –
I have been away for some time.
In the first day of my return I have found the following vulnerability related with Apple.
It seems nasty… Although it cannot be remotely exploited it might be used in phishing campaigns that might trick the user to execute some software that takes ownership of the computer.
This local privilege escalation flaw resides in IOHIDFamily, an extension of the macOS kernel which has been designed for human interface devices (HID), like a touchscreen or buttons, allowing an attacker to install a root shell or execute arbitrary code on the system.
More info:
Fuck it, dropping a macOS 0day. Happy New Year, everyone. https://t.co/oG2nOlUOjk
— Siguza (@s1guza) December 31, 2017
Exploit / Proof of concept
https://siguza.github.io/IOHIDeous/
Exploring Mac OS Server – afctl Adaptive Firewall
I have learned a lot in the past months Mac OS X Server and his capabilities and what are services it can give with lower cost than competition.
The several services presented by OS Server are interesting, in the middle of the most eye candy services I have found one that allows us to improve security controls in a situation where for some time I thought there was not much to do in the native OS.
The bellow tool would allow us to mitigate brute force attacks in automated way. Something that was not known to me without extra tools.
Apple has implemented the Adaptive Firewall on Mac OS Server
Enable the service with the following command:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f |
afctl is a tool for temporarily blocking a given ipv4 or ipv6 address using the built-in firewall.
All blocking requests have a time to live; they are unblocked when it expires.
afctl also maintins a whitelist of addresses that it will not block.
All block requests are checked against this list before being added to the blacklist.
All the firewall rules managed by afctl are grouped into a rule set to allow for bulk enabling/disabling via -e & -d.
I did not find much documentation about this tool.
I will try to update this information while I learn.
For now what I have is the following from the man factl page:
afctl [-v debug_level] [-a ip_address -t ttl] [-w ip_address] [-r ip_address] [-x ip_address] [-c -i interval] [-e] [-d] [-f]
-v -debug_level Verbosity, ascenting numbers are more verbose. level 0 is default level 1 is basic progress.
-a -ip_address Add address to the blacklist. ip_address can be ipv4 or ipv6 in CDIR notation. No DNS names allowed. An optional -t parameter allows the specification of the time in minutes that the address will remain blocked.
-r -ip_address Remove address from the blacklist. It will also be removed from the firewall rules.
-w -ip_address Add address to the white list. ip_address can be ipv4 or ipv6 in CDIR notation. No DNS names allowed.
-x -ip_address Remove an address from the white list. ip_address can be ipv4 or ipv6 in CDIR notation. No DNS names allowed.
-c -i interval Self configure. The afctl tool will query the system configuration and determine the addresses that need to be (routers, local interfaces, nameservers). It will also modify its launchd plist to invoke the tool every interval to remove old entries from the blacklist. If -i interval is not specified, then a default value of 15 minutes will be used.
-d Disables all firewall rules managed by afctl using a rule set (see man page for ipfw ). Currently ipfw only ( ip6fw does not support rule sets).
-e Enables the rules disabled by -d (above)
-f Forces afctl into a running state (sets the proper key in af.plist and writes out af_state )
We can also get a summary of the afctl activity running the following command:
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/hb_summary |
Information available from Apple is very restrict and almost resumes to this and user support questions:
https://support.apple.com/en-us/HT200259
I will post more as soon I have news.
OpenWRT and Raspberry PI Access Point
Today I decided to build one personal access point for my travels.
I had one Raspberry PI 2 in my drawers and I decided to use it.
I wanted to prepare something fancy based on web environment and not in bash.
Trying to see what exists compatible with raspberry pi I have found OpenWRT…
I tried to install it and everything work well until I tried to put the wireless cards working. 🙁
The wi-fi did not start-up, I could not make it work…
Until I found I had to install some packages…
I have installed the hostapd package
I have installed the hostapd-common
I have installed the hostapd-utils
This is required to transform the device into an access point.
To install this packages I used the web interface.
Menu System -> Software
Finally I discovered that the network drivers did not exist, I have installed the drivers for the wireless network cards…
1 | opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb |
The suddenly I have a new menu and I can see wi-fi networks… 🙁
But I am not still able to connect or able to advertise my SSID… 🙁
I Hope to be able to complete this post very soon with all the required steps.
List all IP addresses range in a 16 bit network v1.0
Objective:
Pass some IP address as part of a command string to test reverse proxy vulnerability and scan the internal network behind the proxy. Running one already existing python script that receives this Ip as one possible dmz host to scan open tcp ports.
Exploit only accepts one DMZ ip as argument. Does not accept any range or array of IP addresses.
Requirements:
Script that provides me all possible IPs one per one in a network with 16 or more bits so the python exploit script can be called with the ip address as argument.
Missing:
The python script call from shell with the ip and argument for scanning the DMZ network.
Observation:
Script does nothing it only list all the ip address in a 16bit network starting from 192.168.0.0 until it reaches 192.168.255.255
Improvements:
Create multiple parallel requests as they are not dependent and will be faster if executed in parallel.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | #!/bin/bash ############################################################################ # List all IPs in 16 Bit Network ############################################################################ let first_Octet=192 let second_Octet=168 let third_Octet=0 let fourth_Octet=0 while [ $third_Octet -lt 255 ] do while [ $fourth_Octet -lt 255 ] do let fourth_Octet=$[$fourth_Octet+1] host=$first_Octet.$second_Octet.$third_Octet.$fourth_Octet echo $host done let third_Octet=$[$third_Octet+1] let fourth_Octet=0 done |
INTRO TO BASH SHELL on MAC part 3
File Management
Working in bash will force us to understand file management and how to work with them.
Create Files
To create a folder / directory use the mkdir command the argument will be the folder name that you wish to create, you can use more than one argument and in that case it will create more than one folder.
touch command can be used to create files, like in the folders the argument is the file name. If you use more than one argument you will create more than one file.
Cat command outputs the content of a file to screen. It has no paging, if you open the wrong type of files your terminal might get mess up, you will need to use reset to make it return to initial state.
less also allows you to see the content of a command, the difference is that this command will allow us to search contents or move up or down in the file.
Less command also tries to identify the type of file.
Open command can be used to open a file with the program that is associated to it. This command will open the file in the graphic mode so you will leave bash.
open . |
The command “file” will tell you what type of the file is, this will allow you to understand if the file is a picture or a binary file for example.
Remember that the extension is not mandatory in the shell.
Use the “TAB” key for autocomplete
Working with Files
rm is remove command
mv is move command
In Mac OS the file names are not case sensitive. This is a difference between Linux and OSx
File names can contain almost any character except the “/”
Advises for file names:
- Use only letters and numbers if you use multiple words use a “-” or “_” as a separator
- Use only lower case characters
- Avoid using spaces specially if they are in the end of the file.
- Avoid using the following characters
- ‘
- “
- `
- *
- #
- !
- $
- ?
- @
- &
- |
- { }
- ( )
- : ;
- \
- < >
- “TAB”
- “SPACE”
- “DELETE”
- “BACKSPACE”
If we have file names with this previous characters we need to use an escape character.
- Backslash ( \ ) is the escape character and it can escape a single character.
- Single quotes (‘ ‘) can escape all characters between them
Path types
There are 2 types of file paths, relative and absolute paths.
Absolute paths normally start with a “/” or with a “.”
Example: /var/log
Relative paths
They do not start with a “/” or “.” and are resolved to a working directory.
Example: cd ~ will send us to the current user home path.
Handling Files and Folders
To copy files we use the command “cp” that stands for copy.
You can use now the “man cp” to know what you can do with the command. If you notice the command takes 2 arguments where the first argument is the Origin and the second argument is the destination.
It also can take multiple arguments as sources to one destination.
cp command will silently overwrite existing files.
To copy directories and the contents we need to use the option -R that states for recursively.
The command will be similar to the files “cp -R Origin Destination”
Like files we can also use multiple sources to one or multiple destinations.
Another command to deal with Files and Folders is the “mv” command that states for moving.
Like the copy command we need also 2 arguments, one for origin and another to destination.
Use the “man mv” to get more information about the command and his arguments and options.
Files can be deleted with the “rm” command, that stands for remove.
The command can receive one or more arguments that are the list of the files or folders to remove.
Because removing the files is permanent we can use the -i option, that will ask us to confirm for each file to remove.
The “-i” option can also be used for other commands.
INTRO TO BASH SHELL on MAC part 2
In the part 1 of this learning topic you had one introductory approach to BASH in this part we will go deeper in the knowledge of BASH in MAC OS
Now that we know how to open a terminal window in a MAC we will need to confirm that we are really running bash on that window.
For that it is required to execute a simple command.
The command bellow will check if we are running bash.
echo $BASH |
Notice that if you do not use the capitals in “BASH” you will not get the return.
If your output is not “/bin/bash” then install and enable BASH in your machine.
Command Arguments
A command is a word that is written in the shell.
In the previous example the command is “echo”.
Everything that comes after the command is called argument.
In the previous example “$BASH” is the argument for the command echo.
Options
If an argument starts with a ” – ” then it is considered an option.
Examples:
- ls -a
- ls -l
- ls -la
In this example the command is “ls” that corresponds to list and the -a is the option that instructs ls command to list all the files including the ones that are hidden, -l is the option that instructs the command to list the files in long format.
Help
The commands might have several options available. To list those options or to know how to use the commands we can call the manual for that command.
For that we use the command “man” and then as argument the name of the command that we wish to receive help for.
This will open the manual page for the specified command.
Space key will move down a page, “b” will move back a page.
Search will be done with the “/” and exit with “q”
Test this new commands and pay attention to the differences in the output.
CISCO CCNA Wireless 640 – 722 Cheat Sheets part 1/?
I am currently studying to do the cisco exam.
I will use this blog to post my notes and help the others that are currently studying to the exam also.
Hope that this will be useful to you as it is form me.
Here I will post several topics and explanations that I think they are important to know in order to achieve success in the exam.
Wireless Network Topologies
- Wireless personal-area networks (WPAN)
- Short Range
- Use the 802.15 family
- Low power consumption e.g.: bluetooth
- Wireless local-area networks (WLAN)
- Consume more power but extend the connection (100 meters)
- Wireless Metropolitan-area Network (WMAN)
- Connectivity over a wide geographical area e.g.: Mobile phone networks
When a wireless device connect to another it creates what is called Basic Service Set (BSS).
Haddock Networks do not rely on any device other than the stations, they form a Independent Basic Service Set (IBSS)
Ad-hoc networks are limited because no central device is present to decide common rules. (Radio parameters, priority, range etc.)
AP (access point) organises the BSS, acts similar to a HUB and relays the signal to other wireless or wired networks.
Area that is being covered by one AP is called Basic Service Area (BSA)
Wired section that can be reached though the AP is called Distribution System (DS)
When a DS links two AP the group is called Extended Service Set (ESS)
When a station moves from one BSA to another BSA from another AP it is called roam between cells.
Neighbouring Cells are usually on different channels to avoid Interferences.
Service Set Identifier (SSID) – To allow the station to recognise neighbouring AP offers to the same connection we use names to identify the wireless connections.
AP with the same SSID are differentiated from each other because the MAC Address is associated to the SSID string.
Basic Service Set Identifier (BSSID) – Mac Address of an SSID
Ad-Hoc networks are limited to 2.4Ghz, 802/11 data rates (1,2,5.5 and 11Mbps) No authentication and encryption is used, only WEP security (Shared Key)
Some AP can only have one SSID others can have multiple SSID, those access points are called Multiple BSSID.
They should be used for traffic differentiation and not for increasing capacity of the AP. Stations connecting to this AP will use the same RF space but are isolated from each other by different authentication / encryption mechanisms.
Cisco AP receive the encrypted wifi frame and decrypts it and encapsulates the 802.11 frame into a Control and Provisioning of Wireless Access Points ( CAPWAP ) packet and forwards to the controller.
To achieve isolation the controller can map each SSID to a different VLAN before release the forward traffic to the wired side of the network.
Specialised Devices
AP can be configured to repeat the signal of another access point. (repeater)
AP can be configured as a Workgroup Bridges (WGB) – can connect one or several non wireless devices to the wireless network.
Bridge Mode is used when we want to use 2 AP to connect 2 different networks e.g.: connect two different buildings.
Mesh Network – When we have several AP configured in different ways, where some of the AP are not even connected to a wired network. In this configuration the AP uses a specific protocol to determine its possible paths to the wired network. Paths can change according with several variables such as: traffic loads, response times, radio conditions, traffic prioritisation.
RF Principles
Radio wave is an electric and magnetic field used to transport information.
Different waves have different sizes that are expressed in meters.
Other unit of measure is Hertz (Hz), express how often a wave occurs or repeats per second.
A wave that repeats each second is said to have a frequency of 1Hz
A wave that repeats one billion of times has a frequency of 1GHz.
Lower-frequency signals are less affected by air and travel farther. Wireless networks use the 2.4GHz and 5GHz band, the 5GHz band has slightly less range.
Wave Length – Physical distance from one point of the cycle to the same point of the next cycle.
Wave length is represented with a Lambda symbol.
Waves also have Wave Strength and amplitude, this is usually represented by the greek symbol gamma. – It represents the distance between the highest and lowest crest of the cycle.
Reflection – When a wave hits an obstacle and it bounce the obstacle. The angle is the same as the original angle. Obstacles might have different behaviours based on signal frequencies.
Reflection causes a phenomenon called multi-path, same signal arriving to a station at different time, original and copies reflected by obstacles.
If two of the same waves are receive at same time it causes a power to increase (crest, double positive crest and double negative crest) this condition is called upfade.
If a negative wave is received at the exact same time as a positive wave is received this waves will attenuate each other resulting in no signal at all. (noise cancelation principal).
To fight multi path effects many wireless systems have two antennas linked to the same radio circuit. This is called diversity.
Scattering – Reflections on the air caused by dust or air humidity.
Refraction – Occurs when a wave changes direction.
Signal attenuation form source is called free path loss. – Free path loss is taken into account to determine how much energy must be sent from an emitter to reach a receiver in good conditions.
For long-range radio links, the earth curvature prevents RF line of sight as soon as the range exceeds 7 to 10 miles. You then need to raise the antennas to maintain the line of sight.
Because the RF wave might have been affected by obstacles in its path, it is important to determine how much signal is received by the other endpoint. The value that indicates the amount of power received is called Received Signal Strength Indicator (RSSI). It is a negative value measured in dBm. A higher value (closer to 0) is better and shows a louder signal.
The capability for a wireless card to convert the received signal into data is also affected by the other radio waves hitting the receiver along with the main signal. This unuseful signal received at the same frequency as the main signal is called noise, and it is a negative value measured in decibels (dB).
The difference in strength between the main signal and the background noise is called Signal to Noise Ratio (SNR)
The dB scale is widely used in wireless networks because it enables you to compare relative powers instead of absolute powers.
The decibel scale is logarithmic, which is a little difficult to calculate mentally. To simplify your task, remember three simple values:
- 0 dB: A measurement of 0 dB is the reference value A=B
- 0 dB: When the power is 10 dB, the source being examined is ten times more powerful than the reference value. This also works in reverse: If the power is −10 dB, the source being examined is ten times less powerful than the reference value.
- 3 dB: If the power is 3 dB, the source being examined is twice as powerful as the reference value. With the same logic, if the examined object is half as powerful as the reference value, it will be written −3 dB.
The dB scale is also used to compare the relative power (called gain) of antennas.
Some measures are normally referenced as dBi Where the i stands for Isotropic antenna.
This imaginary antenna is called the isotropic antenna and is imagined as an antenna that would be one point wide and would radiate its signal perfectly equally in all directions. It is normally used to compare antennas with a common reference point.
Some prefer to use an existing antenna as the reference. The antenna chosen is the simplest possible antenna, Dipole Antenna. The comparison is expressed in dBd.
Antena Principles
Polarisation
Different antennas have different ways of focussing the energy received from the transmitter. All of them emit an electric field (radio wave).
Vertically polarised Antenna types.
Horizontally polarised Antenna Types.
Circular Polarisation
Polarisation mismatch might make the received signal weaker.
Radiation Patterns
Antenna vendors use radiation pattern charts to describe the signal sent by an antenna. It provides a view from above the antenna H-pane and E-plane.
Antenna Types
There are Two main types of Antennas. Omidirectional and Directional.
Omnidirectional Antennas radiate equally in all directions in the H-Plane.
Directional Antennas are designed to cover a specific direction.
Effective Isotropic Radiated Power (EIRP) – Measurement unit that is used to determine how much energy is actually radiated from the antenna. It is represented by the following formula:
EIRP = Tx power (dBm) + antenna gain (dBi) – cable loss (dB)