Archive for the ‘Tools’ Category

Decrypting files using OpenSSL

Wednesday, December 9th, 2009

Background

I’m playing with one of the De-ICE pen-testing CDs, and I came across a file that was encrypted.

The problem is, I don’t know:

  • The cipher used to encrypt the file
  • The password used
  • Whether or not the file was Base64 encoded

Discovery

By poking around the box, I was able to determine that OpenSSL was installed. OpenSSL will list the cipher commands it supports when you type:

# openssl -help

So I know the set of algorithms that could have been used to encrypt the file.

I also have a candidate set of passwords that I believe were used to encrypt the file.  These were uncovered during the pen test.

I need to figure out if the file was Base64 encoded and the cipher used.

# file encrypted_file.enc
encrypted_file.enc: data

The file is not Base64 encoded, or file(1) would report it as ASCII text. I tested this by encrypting two files, one with the Base64 (-a) option and one without: the Base64 file came back as type text, the other as type data. (Newer releases of file also know the Salted__ header that openssl enc writes and report such a file as openssl enc'd data with salted password, which answers the Base64 question and confirms the tool in one go.)

To test for the algorithm used, I tried encrypting a file and then decrypting it with both correct and incorrect passwords. Only a clean decryption (the correct password) results in plain text (“ASCII text”) when checked with the “file” command. Decrypting with the wrong password results in a file of type “data,” or something else. Two caveats are worth knowing before scripting this. Block ciphers in CBC or ECB mode usually fail the padding check with a wrong key, so openssl prints “bad decrypt” and leaves an empty or truncated output file; stream modes (CFB, OFB, RC4) always “succeed” and write garbage, so the file check is what catches those. And a plaintext that contains non-ASCII bytes (a UTF-8 CSV, say) is reported as some other kind of text rather than “ASCII text,” so it is safer to grep for “text.” One more thing if you run this years later: OpenSSL 1.1.0 changed the digest that enc uses to turn a password into a key from MD5 to SHA-256, so a file encrypted by an older openssl needs -md md5 to decrypt on a newer one.

This will make scripting of a solution easy.

The challenge for me is that I don’t know much about shell scripting.  Fortunately, there is a sweet resource over at the LDP - the Advanced Bash-Scripting Guide by Mendel Cooper.  It was a huge help.

What I know now:

  • Candidate passwords
  • Candidate encryption algorithms
  • The file was not Base64 encoded

What I don’t know:

  • The combination of password/algorithm used to encrypt the file.

What I want:

  • The decrypted file
  • The password and algorithm used to encrypt the file

Scripting a Solution

Result: decrypt.sh
Given a set of candidate encryption algorithms and candidate passwords, the script will:

  • Try all combinations of password/algorithm
  • Save the decrypted results in the specified directory
  • Save decrypted files with a file name of the form <password>_<algorithm>.txt
  • Run the “file” command at the end, looking for any output that has type ASCII text

If the search is successful, at least one file of type ASCII text will be a valid decryption of the original file.

The script worked like a charm to decrypt the file I found.

The Code

#!/bin/bash
# decrypt.sh - try every candidate password against every candidate cipher.
# base64 is not a cipher (and the file was already shown not to be Base64
# encoded), so it is left out of the list. `openssl list-cipher-commands`
# (0.9.8/1.0.x) or `openssl list -cipher-commands` (1.1+) prints the set
# supported by your build.
set -u

SUPPORTED_ALGS=(aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40)
PASSWORD_LIST=(passwd password test)
OUTPUT_DIRECTORY="/root/1_100/decrypt_output/"
ENCRYPTED_FILE="/root/1_100/encrypted_file.csv.enc"

# OpenSSL before 1.1.0 derived the key from the password with MD5; 1.1.0 and
# later default to SHA-256. Forcing -md md5 keeps a newer openssl able to open
# a file made by an older one (it is a no-op on old builds). Use sha256 if the
# file was produced by OpenSSL 1.1.0 or later.
KEY_DIGEST="md5"

mkdir -p "$OUTPUT_DIRECTORY"

echo "Num algorithms=${#SUPPORTED_ALGS[@]}"
echo "Num passwords=${#PASSWORD_LIST[@]}"

for password in "${PASSWORD_LIST[@]}"
do
    for alg in "${SUPPORTED_ALGS[@]}"
    do
        OUTFILE="${OUTPUT_DIRECTORY}${password}_${alg}.txt"

        # Block modes normally fail the padding check with a wrong key
        # ("bad decrypt", non-zero exit), so those outputs are dropped here.
        # Stream modes (cfb, ofb, rc4) always exit 0 and write garbage, which
        # is why the file(1) check at the end is still needed.
        if ! openssl enc -d "-${alg}" -md "$KEY_DIGEST" -in "$ENCRYPTED_FILE" \
                -pass "pass:${password}" -out "$OUTFILE" 2>/dev/null
        then
            rm -f "$OUTFILE"
        fi
    done
done

echo "Candidate files:"
file "${OUTPUT_DIRECTORY}"* | grep 'text'

exit 0
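The same search carried out in pure Python for the RC4 entry on the cipher list, as an added example that is not from the original post or the De-ICE CD. It reproduces the file layout and key derivation that openssl enc uses (the Salted__ header followed by an 8-byte salt, and EVP_BytesToKey with one round of MD5 before OpenSSL 1.1.0, SHA-256 from 1.1.0 on), tries every candidate password under both digests, and keeps only outputs that look like text, which is what the file check in the script does. The "encrypted" blob, its salt and the CSV plaintext are constructed here with the same routine, so the block demonstrates the round trip and the detection logic rather than a captured De-ICE file.

```python
"""Added example (not from the original post or De-ICE): password x cipher
search in pure Python for RC4, the one cipher on the list that is short
enough to implement by hand.

Assumptions: `openssl enc -rc4 -pass pass:PW` writes "Salted__" + 8 salt
bytes + ciphertext and derives a 128-bit key with EVP_BytesToKey (one
iteration of MD5 before OpenSSL 1.1.0, SHA-256 afterwards). The sample blob
below is built with this same routine, so it is a constructed sample."""
import hashlib
import string

MAGIC = b"Salted__"
RC4_KEY_LEN = 16          # openssl's -rc4 is 128-bit; -rc4-40 would be 5


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int,
                     iv_len: int = 0, md: str = "md5"):
    """OpenSSL EVP_BytesToKey with count=1:
    D_1 = H(password||salt), D_i = H(D_{i-1}||password||salt);
    key = first key_len bytes of D_1||D_2||..., IV = the next iv_len bytes."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt_salted(password: bytes, salt: bytes, plaintext: bytes,
                       md: str = "md5") -> bytes:
    """Produce a blob in the layout `openssl enc -rc4 -salt` writes."""
    key, _ = evp_bytes_to_key(password, salt, RC4_KEY_LEN, 0, md)
    return MAGIC + salt + rc4(key, plaintext)


def rc4_decrypt_salted(password: bytes, blob: bytes, md: str = "md5") -> bytes:
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("not a salted openssl enc blob")
    salt, body = blob[8:16], blob[16:]
    key, _ = evp_bytes_to_key(password, salt, RC4_KEY_LEN, 0, md)
    return rc4(key, body)


PRINTABLE = set(string.printable.encode())


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Stand-in for `file ... | grep text`: nearly every byte is printable.
    A stream cipher with the wrong key never errors, it just yields garbage,
    so this check is what separates hits from misses."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def brute_force(blob: bytes, passwords, mds=("md5", "sha256")):
    """Try every password under both key-derivation digests; return the
    (password, digest, plaintext) triples whose output looks like text."""
    hits = []
    for md in mds:
        for pw in passwords:
            plaintext = rc4_decrypt_salted(pw, blob, md)
            if looks_like_text(plaintext):
                hits.append((pw.decode(), md, plaintext))
    return hits


# Constructed sample: the post's candidate list, a fixed salt, and a CSV of
# the kind the De-ICE file name (encrypted_file.csv.enc) suggests.
CANDIDATES = [b"passwd", b"password", b"test"]
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE_PLAINTEXT = (b"user,password,uid\n"
                    b"root,toor,0\n"
                    b"bob,bobpass,1000\n"
                    b"alice,wonderland,1001\n")
SAMPLE_BLOB = rc4_encrypt_salted(b"password", SAMPLE_SALT, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for pw, md, pt in brute_force(SAMPLE_BLOB, CANDIDATES):
        print(f"password={pw!r} kdf={md}\n{pt.decode()}")
```

Run it directly to see the single hit. Passing mds=("sha256",) reproduces what happens when a modern openssl reads a pre-1.1.0 file without -md md5: nothing decrypts. For the block ciphers on the list the same skeleton applies with that cipher's key and IV lengths from evp_bytes_to_key, and a check of the PKCS#7 padding on the last block does most of the work that the printable-byte test does here.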

Setting up a pen-testing lab-in-a-box

Sunday, November 8th, 2009

So, I got my hands on a handy, used Dell Latitude D620 with 2GB RAM for next-to-nothing.

I’m looking for something to do with it…

How about, set up a penetration testing platform complete with: safe, internal-only networking; hosts as attackers; hosts as targets; and do the whole thing for $0.00. And, how about doing the entire thing on a single piece of hardware? Sweet.

Purpose
The purpose of this exercise is to establish a safe environment to perform penetration testing on different target hosts and applications.

A single computer with host-only networking will be used to avoid sending attacks across the network where other hosts may reside.

Goals

  • Establish the lab with no additional hardware or software investment.
  • Ensure that the box does not leak attacks over the network.
  • Provide an easy-to-maintain platform where new attackers and targets can be added or modified over time.

Basics: Establishing the virtual environment

The lab-in-a-box comprises a used Dell Latitude D620 with 2 GB RAM and an 80 GB hard disk. Not a bleeding-edge host, but more than adequate for this endeavor.

Software used:

  • Host OS – Ubuntu Linux 9.04, Jaunty Jackalope
  • Virtualization – Sun VirtualBox
  • Attacker – BackTrack 4 pre-release
  • Target – De-ICE Lab CD 1

Step 1. Download and install the Host OS

Download and install Ubuntu on the host. Get it up-and-running, patched, and configured to your tastes.

Step 2. Download and install VirtualBox

VirtualBox can be downloaded from: http://www.virtualbox.org/

I’m using Ubuntu; depending on the Ubuntu version you are working with, there are a few kernel modules you may need. If you are using a different OS, do a little research. The VirtualBox site has pretty good installation info.

Step 3. Download the BackTrack and De-ICE ISO images

BackTrack can be found at Remote Exploit.
The De-ICE images can be found at De-ICE.net.

Step 4. Create the hosts in VirtualBox

Follow the installation instructions on the BackTrack site.

The De-ICE image is a bootable image, so you don’t need to create a big hard disk for this. I created a simple 1GB disk for it, and have the VM configured to mount the De-ICE ISO on boot. Pretty simple.

Step 5. Set up host networking

When I set up the VMs, they had bridged networking. This means that each VM connects to the local network through the host computer’s physical adapter. It is as though they are separate hosts on the network, and each receives an IP address via DHCP if so configured.

The problem is that two bridged virtual machines on the same host will still communicate with one another over the LAN, and that could mean trouble.

The image below shows, in the upper-left hand corner, my BT4 VM doing an Nmap scan of my De-ICE VM in the upper right-hand corner. The window at the bottom is my host (physical box) doing a tcpdump.

Data Traveling Across Lan

As you can see from the host tcpdump, the network traffic from BT4 is traveling across the net. That’s a big problem in fat-finger space.

I don’t want to be in the coffee shop and inadvertently fat finger a target and end up in the joint.

The solution: set the virtual machines to use a local-only network. In VirtualBox, this is called “Internal Networking.”

VirtualBox supports two types of local-only networking. One is “Host-only Networking.” With this configuration the host can still talk to the VMs, but the VMs cannot communicate off the host. This is pretty good, but I’m going for maximal safety, and that is where “Internal Networking” comes in. In this configuration the virtual machines are attached to a named network that exists only inside VirtualBox. VMs on that network can communicate with each other, but not with anything outside it; even your physical box (the host) cannot reach them.

Shut down and set both network interfaces on the BT4 and De-ICE VMs to Internal Networking as shown in the screen shot below. Check every adapter on each VM: a second adapter left on NAT or bridged defeats the whole point.

VirtualBox Internal Networking Setting

Note the default internal network name (in the screen shot it is “intnet”) as you will need this when configuring the VirtualBox DHCP server…

Next, we will set up the DHCP server for the internal network. You may not need this step, but I’m following the instructions for the De-ICE CD, which specify that the DHCP server should be on 192.168.1.1 with a lower lease bound of 192.168.1.2. I set the upper bound at 192.168.2.254 to accommodate other De-ICE CDs.

Using a terminal on the host, run the following command (all on one line). The --netname must match the internal network name on the VM adapters, and the 255.255.0.0 mask is what lets a server at 192.168.1.1 hand out 192.168.2.x addresses:

VBoxManage dhcpserver add --netname intnet --ip 192.168.1.1 --netmask 255.255.0.0 --lowerip 192.168.1.2 --upperip 192.168.2.254 --enable

Sweet. All is well and good. Boot up the two images.

I performed two tests to make sure there was no data leakage.

First, I ran a similar test as I had above – running tcpdump on the host while running Nmap from the BT4 VM targeting the De-ICE VM.

Second, I disabled the host’s network connection and performed the same test.

In both cases the two VMs could talk to one another, but no data leakage, as shown in the screen shot below.

Internal Networking Enabled
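The tcpdump tests above check the traffic; the following is a configuration-side check to go with them, added here as an example and not part of the original post. It parses the key="value" lines that VBoxManage showvminfo --machinereadable prints and flags any enabled adapter that is not on Internal Networking with the expected network name. The nicN, intnetN, bridgeadapterN and hostonlyadapterN key names are as I know them from that output; the two sample outputs are constructed for the example, not captured from a real host.

```python
"""Added example (not part of the original post): verify that every enabled
adapter on a lab VM is on VirtualBox Internal Networking, on the expected
network name. Parses `VBoxManage showvminfo <vm> --machinereadable` output.
The nicN / intnetN / bridgeadapterN / hostonlyadapterN key names are an
assumption about that format; the samples below are constructed."""
import re
import subprocess
from typing import Dict, List

LINE_RE = re.compile(r'^([A-Za-z0-9_.\-]+)="?(.*?)"?$')
NIC_RE = re.compile(r"^nic(\d+)$")


def parse_machinereadable(text: str) -> Dict[str, str]:
    """Turn key="value" lines into a dict; lines that don't fit are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_nics(settings: Dict[str, str], expected_intnet: str = "intnet") -> List[str]:
    """Return one problem string per adapter that could leak traffic.
    'none' (disabled) is fine; 'intnet' is fine only on the expected network;
    'bridged' and 'nat' reach the LAN, and 'hostonly' still exposes the VM
    to the physical host, so under the post's maximal-safety rule all three
    are flagged. An empty list means the VM is isolated."""
    problems = []
    for key in sorted(settings):
        m = NIC_RE.match(key)
        if not m:
            continue
        n, mode = m.group(1), settings[key]
        if mode == "none":
            continue
        if mode != "intnet":
            problems.append(f"nic{n} is '{mode}', not internal")
            continue
        net = settings.get(f"intnet{n}")
        if net != expected_intnet:
            problems.append(f"nic{n} is internal but on '{net}', expected '{expected_intnet}'")
    return problems


def audit_vm(name: str, expected_intnet: str = "intnet") -> List[str]:
    """Live check against a real VM; assumes VBoxManage is on PATH."""
    proc = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                          capture_output=True, text=True, check=True)
    return audit_nics(parse_machinereadable(proc.stdout), expected_intnet)


# Constructed samples, trimmed to the relevant keys.
SAMPLE_OK = '''name="BT4"
nic1="intnet"
intnet1="intnet"
nic2="none"
nic3="none"
nic4="none"
'''
SAMPLE_LEAKY = '''name="De-ICE_1"
nic1="bridged"
bridgeadapter1="eth0"
nic2="intnet"
intnet2="lab"
nic3="hostonly"
hostonlyadapter3="vboxnet0"
nic4="none"
'''

if __name__ == "__main__":
    for label, sample in (("BT4", SAMPLE_OK), ("De-ICE_1", SAMPLE_LEAKY)):
        problems = audit_nics(parse_machinereadable(sample))
        print(label, "isolated" if not problems else problems)
```

Run audit_vm("BT4") and audit_vm for each target on the real host before booting the lab; anything other than an empty list means a fat-fingered scan can leave the box.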

Step 6. Have fun!

You are good-to-go. Fire up those virtual machines and have some fun!

This week in Infosec - 2008-08-25

Monday, August 25th, 2008

A weekly snapshot of what’s been talked about in the IT Security realm over the past week.

Attacks

Adobe Flash ads launching clipboard hijack attack - From the ZDNet Zero Day blog:

Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.

According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.

We’ve all got Flash. Keep it patched, though I haven’t yet heard if there is a patch available for this attack vector.

Bypassing .NET’s ValidateRequest security feature

The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting).

This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.

We have a lot of .NET here, and my team is studying this paper.

Breaking News
From the Scottish Sunday Herald, “Revealed: 8 million victims in the world’s biggest cyber heist”

EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months
By Iain S Bruce

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

This raises (again) some important issues for the IT and corporate space. How much data should you keep about your clients, and for how long?

No matter how good your defense-in-depth, someone will get through. What will you allow them to find?

I’ll blog more on this later.

Older News
Students from MIT that were going to do a talk at DefCon were stopped by a court order.

Their research showed how to subvert the Massachusetts Bay Transit Authority payment card system.

As a part of court filings, their full research was included.  Court documents are public domain, so, MBTA essentially released what they were trying to hide.

On the 19th, a judge lifted the restraining order, so the students are free to talk.

Will be interesting to see what happens.

I think this is the second time in the past few months where ‘private’ information was included in court filings and hence into the public domain.

Tools

Grendel-Scan - released at DefCon, this is a sophisticated, automated, Open Source web application penetration testing tool.

It appears to rival commercial tools.

I’ll be playing with this soon, I hope.

Countermeasures

Reduce attack surface!
Why allow access to anything by anyone who doesn’t absolutely need it?

Cyber Warfare
Some discussions resulting from the attacks of Georgian IT infrastructure by Russian hackers during the past few weeks.

Conclusion seems to be: we don’t have a real definition of what cyber war is, so it isn’t really warfare.

In my mind, true cyber warfare is using attacks against IT infrastructure as a force multiplier, or as a means of applying coercive pressure to an enemy of the state.

I do not think that the attackers have to be state sponsored.

Some would debate whether or not a DDoS is an act of warfare. I say it is if it is intended to apply coercive pressure to an enemy of the state.

A DDoS against a critical communications network, or a safety-critical control system, would certainly qualify. A DDoS against a n00b’s website, perhaps not.

On the Horizon

With elections right around the corner, I’m sure we will see the debate over electronic voting heat up.

Bill

Automating NERC CIP compliance

Wednesday, August 20th, 2008

This afternoon I tuned in to a presentation by Tripwire regarding the upcoming release of a NERC CIP policy compliance module, due out September 16, for their Tripwire Enterprise product.

I had used Tripwire back in its open source days. Back then it was all host-based integrity checking, and that was a long time ago. I kind of long for those days. The product was simple and reliable. Host-based integrity checking, IMHO, is still a cornerstone of good security, and I have yet to find a suitable small-footprint replacement.

I must admit that I fell out of touch with the product after it went closed-source and they started building a business around it.

Well, the little script that was has turned into a rather mature, end-to-end, device agnostic policy auditing and compliance solution.  Tripwire can audit firewall configurations, router configs, hosts, you name it.

Their Enterprise product is modular, allowing you to install pre-built policy checks for tons of stuff (PCI, CIS, FISMA, COBIT, SOX, ISO 27001, FDCC), or build custom checks.

The purpose of this particular presentation was to learn about a new policy compliance module geared toward evaluating compliance with NERC CIPs.

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are given, essentially, force of law by the Federal Energy Regulatory Commission (FERC).

I don’t want my reader’s eyes to glaze over, as frequently happens when discussing the myriad of regulatory bodies in the energy space, so I’ll break it down for you:

$1,000,000 per day, per infraction for failure to be in compliance with NERC CIPs.

Let me see if I can explain that in plain English:

$1,000,000 per day, per infraction for failure to be in compliance with NERC CIPs.

The Tripwire policy module focuses on compliance for the technical CIPs (CIPs 002 to 009, with a focus on 003, 003-6, 005, 007).

Tripwire has a matrix mapping their compliance and auditing checks against the specific NERC CIP requirements, and provides a holistic approach to auditing and assessment.

One nice feature is that where non-compliance is detected, remediation recommendations are presented that can then be attached to a change order so that technicians can implement the recommendations.

The Tripwire people also discussed their product’s ability to maintain the required auditing and compliance documentation for the minimum required one year.

Concerns

It wouldn’t be one of my posts if I didn’t express some concerns :)

I have two:

1) Does the Tripwire product require an installation on the devices to be audited?

Though I’m not a control system guy, I have heard that some of these devices are extremely ‘fragile’.  Certainly no one wants to install a security module that decreases the availability or integrity of a control system device.

I also get nervous because, in some cases, making any modification to a control device can trigger a rather nightmarish change control process that has serious cost and can have serious regulatory implications.

2) Does the Tripwire system generate a great deal of network load while checks are run?

Again, the worry here is that, from what I’ve read, some control networks are extremely sensitive to latency and load.

Spikes in network traffic or device load can have negative consequences.

Special consideration must be given when considering implementing an automated, scheduled auditing system.

Competitors?

Tripwire is a household name in the IT security space, but are there other solutions out there?

Certainly.

Whereas Tripwire is coming from the IT security space, Digital Bond is a control system security research and consulting outfit that, well, specializes in control system security.

Our friends over at Digital Bond have been developing the Bandolier product.

At the moment, the focus of the product seems to be heavily weighted toward the assessment side. Nevertheless, there is documentation on how to use Bandolier to test for compliance with the NERC CIPs.

I expect that as the Bandolier product matures, automated CIP compliance reports may be generated from the product.

Conclusions

I first got interested in control system/critical infrastructure protection when I began hearing reports of what I perceived to be complete failures of security surrounding SCADA and other control systems.

The more I research, though, I see that there is a lot of work being done in this relatively small space.

And I read more and more about vendors coming to the table.

One neat trend I’m seeing… Vendors who build control system hardware are coming to security outfits with their wares asking for help on how to make them more secure.

Now that’s good stuff right there.

Bill

Updated 20080627:

More vendors joining the automated NERC CIP compliance front:
Nexant, Promia to Offer Compliant Cyber Security to Energy Firms

Passive network inventory and control

Sunday, August 17th, 2008

Processingtalk.com posted an article describing a new passive monitoring module for the Tofino security product.

Sounds pretty neat.

When it discovers a new device, it prompts the system administrator to either accept its deductions and insert the new device into the network inventory diagram, or flag the device as a potential intruder.

It also guides the user through creating appropriate firewall rules to allow or block messages, based on what it has learned about the network traffic.

Technical complexities such as IP addressing and TCP/UDP port numbers are managed behind the scenes, making the normally byzantine art of firewall configuration easy for the controls professional.

I guess there’s been a history of typical IT security tools wreaking havoc on control systems:

In 2005, Sandia National Laboratories released a report describing a number of serious events from use of these tools, including this example: “A ping sweep was being performed to identify all hosts that were attached to the network, for inventory purposes, and it caused a system controlling the creation of integrated circuits in the fabrication plant to hang.

The outcome was the destruction of USD50K worth of wafers”.

A concern I’d have about a product like this is the need to assume that all the systems on the network are trusted at the time you are configuring the rule set.

Another is that caution must be used when such a device is operating in the presence of safety systems.

This system has the capacity to block communication, and in a safety system, that could be hazardous.

But all things considered - much of the control system infrastructure seems to be “tough to secure” without unacceptably high cost.

Bolt-on security is rarely effective, but if the system offsets sufficient risk, it may provide the needed security.

It’s also nice to see a product that doesn’t require the user to have in-depth knowledge of protocols and firewall configuration.

If the control systems people know the devices on their networks, what they do, and which devices should be communicating to which other devices, the Tofino product may be a big help.

If that’s not the case, then the product may be of little value, and simply help provide a false sense of security.

It would be good if Tofino creator Byres Security offered some kind of auditing process to verify that users are implementing the system correctly.

Bill

Good article on Windows share + folder NTFS permissions

Friday, June 20th, 2008

The way NTFS permissions and share permissions interact is fragile, and easy to screw up.

Here’s a great article by Derek Melber on how they play together, and some best practices:

http://www.windowsecurity.com/articles/Share-Permissions.html

Bill

DNSstuff.com - schweet

Friday, April 11th, 2008

Every now and again I stumble across a tools site that knocks my socks off.

Here’s one: DNSstuff.com - every kind of tool for testing network connectivity to your site/network, right at your fingertips, right when you need it.

Queries are run from off-site, so you can really get a view of your network from outside, in the cloud.

Some tools can be used freely, and there are different fee rates to use the more advanced features, but it’s well worth it.

They have a development tools area (where they beta test new tools) and there is lots of fun stuff there…  Here’s the description of a few that caught my eye!

VectorTrace

What is this tool?

VectorTrace is unique in that it allows for traceroutes to be performed simultaneously from multiple locations and that information displayed in context of each other. For example, on initial launch VectorTrace will trace from three discrete locations and display the route taken to the requested destination.

How do the results help me?

This will allow the user to understand critical common points in the path. This will help identify the most critical points with poor performance so that you can remedy that situation by working with the administrators of that point or giving you the information to choose a better location for the final destination. As the product matures we will offer options to present the data on a map and even automate and alert on the quality of the paths taken.

DNS Traversal

What is this tool?

This tool is essentially similar to the “dig” tool and is more advanced than our nslookup. When you change your name servers and need to verify your changes are being seen throughout the world the traversal tool looks at what each root server is returning. If any are not correct then all subsequent DNS servers that look up your domain from that root server are going to be getting incorrect information.

How do the results help me?

Displays which DNS servers the world thinks are responsible for your domain and what information they are returning.

Speed Test

What is this tool?

Speed test measures the performance of your Internet connection. If you are experiencing performance issues use this tool to get a good understanding of what it really is.

How do the results help me?

Measures speed of your connection - Download/Upload/Latency

Here’s a quick rundown of some of the tools available to you:

Some free tools:

WHOIS/IPWHOIS Lookup
Country IP Range Lookup
RFC Lookup
IP Information
Traceroute

Some paid tools:

DNS Timing
WHOIS/IPWHOIS Lookup - Advanced
Spam Database Lookup
Reverse DNS lookup - Advanced
Traceroute - Advanced
DNS Lookup - Advanced
Zone File Dump
Ping
ISP Cached DNS Lookup
Top Level Domain Lookup
Web Site HTTP Headers
SPF
ASN Information
ASN WHOIS
MAC Address
SSL Examination
Find Nearby IPs 

Enjoy!
Bill

Boot Ubuntu to console

Tuesday, July 31st, 2007

Another note I’m putting here to remind myself of something…

I’ve been experimenting with whether or not I could replace my work computer with an Ubuntu box.

Naturally, the only piece of hardware available was a 5 year old laptop :(

Add this to the startup options to boot to console:

telinit 3

Works well if your X config is screwed up and you need command-line only access.

Bill

MD5 and SHA sums in Windows

Friday, July 6th, 2007

Yes, this tool is very old, but I always forget where to find it, or what it is called.

Who the heck will remember fciv.  Only Microsoft would come up with a name like that.

I’ll wait for fcivapvwsp2 to come out soon…

FCIV.exe