Preload or GTFO; Middling users over TCP 443.

Your website only has TCP 443 open and has a bulletproof TLS configuration. I hear you scream that I cannot middle your users to exploit them! On the surface of it you are correct. Let me lay out some basics, explain how we got here, and then show you that you are incorrect. We can middle your users (but it is unlikely).

Laying the basics about HTTP and HTTPS

The default port of the Internet is TCP 80, which is where requests prefixed with “http://” will go. This is a plain-text protocol and offers neither confidentiality nor integrity for the data being sent between the client and server.

The default port for the “https://” protocol is TCP 443. This is HTTP carried inside an encrypted TLS session, with the “s” meaning “secure”.

As the Internet matured it became apparent that pretty much every request needed to be secured. An attacker using man-in-the-middle techniques can easily subvert plain-text communication channels. Any personal information being exchanged would be theirs to steal. They would also be able to alter server replies to serve either phishing or malware payloads straight into their victim’s browser.

This opened up a front in the cyber war to force encryption for every connection.

Question: What … all of them?

Answer:


Redirect to secure!

A common strategy has been to leave both TCP 80 and 443 open but to configure a redirect from 80 to 443. Any request over plain-text (http://) is immediately redirected to the secure site (https://).

The problem with this strategy is that the victim’s web browser will still issue a plain-text request. If an attacker is in the path when that request is made, they can still compromise the victim. It only takes a single plain-text request and response to enable them to do so.

Only offer secure

To get around this, savvy administrators make no compromises and simply disable TCP port 80. If a web browser attempts an “http://” request the port simply is not open: it cannot establish a TCP session and so never sends the plain-text HTTP request.

The downside of this is that the user might assume the target application is not online. They would go and try and find another domain to buy whatever it was they wanted. This is why redirecting to secure has been such a pervasive strategy. Vendors simply do not want to lose out on important traffic which can drive this quarter’s sales chart.

What is this HTTP Strict Transport Security (HSTS) stuff?

You can learn more about HSTS here:

My understanding is that HSTS was created to reduce the number of plain-text HTTP requests being issued. There are two modes of operation:

  1. A domain is added to a preload list which is shipped with modern web browsers.
  2. An HTTP header (Strict-Transport-Security) is added to server responses which tells the web browser to rewrite all “http://” URLs for that domain to “https://” before issuing the request, for as long as the header’s max-age lasts.

When a user types a URL into the address bar and hits enter the browser will check to see if the redirection must happen. Where required the redirect happens in memory on the user’s computer BEFORE the TCP connection is established.

For strategy 1. the target site is in the preload list. A well behaved web browser will never issue a single “http://” request to the target site. The problem of middling the connection has been successfully resolved.

For strategy 2. we are arguably no better than the server redirecting from “http://” to “https://” on the very first visit. A single plain-text request will be issued before the browser has ever seen the header. If the attacker is middling at that point they can alter the response as desired to exploit users.

However, strategy 2. is likely to lead to fewer plain-text requests overall since the browser will not request via “http://” until after an expiry date. Relying on “redirect to secure” alone will result in a single plain-text request per visit the user makes to the site. This increases the number of opportunities to middle the victim’s connection.

Gap Analysis

The reason for writing this post is that I had an interesting conversation with a customer. They enabled only TCP 443 (https://). They saw this as sufficient and did not want to enable HSTS as recommended in my report. I was challenged to show an exploit route that could work or they would not bother.

Fortunately the edge case I am about to explain has been public knowledge for a long time, so I didn’t have to think too hard to add it in. I am just adding my voice to bounce that beach ball up again for visibility.

Exploit Steps

The exploit route is like this:

  1. An attacker must be able to middle the victim’s traffic.
    • Chances are this is on the same network as the victim.
    • For this reason mass exploitation of users is unlikely and the risk is small as a result.
    • Let’s proceed with the steps assuming that this attacker is ABSOLUTELY DETERMINED to exploit this one person.
  2. An attacker crafts a link and sends it to the victim to click on.
    • That link is: http://target:443.
  3. The victim clicks on the link and their browser dutifully establishes a TCP connection to port 443. Because the TCP connection succeeds, the browser sends its plain-text HTTP request over it.
  4. The server then rejects the request because it is expecting a TLS handshake, not “http://”. However, the damage has already been done. The attacker has had the single plain-text request that they needed for exploitation to occur.

The following screenshot shows the Wireshark capture when this example URL was requested:

Screenshot (not reproduced here): Wireshark capture for URL http://www.cornerpirate.com:443, showing the DNS lookup and then the plain-text HTTP request being captured.

The only requirement for this to work is that the targeted TCP port is open. It is most likely that 443 is used but the same trick works with any open TCP port.

What is the solution?

The optimal solution is to enable HSTS via the preload method, even if your website only has HTTPS enabled.

Adding a site to the preload list can be done here:

All other solutions leave a victim’s web browser issuing at least a single HTTP request.

Unfortunately it takes time for a site to be added to the preload list. Therefore at the same time you should also enable the “Strict-Transport-Security” header as described:

That is the famous belt and braces manoeuvre to reduce the chances of the world seeing your butt.

And you should definitely do as I say and not as I do:

Hope that helps

Captain’s Log: November 2020

The Good

  • 10k a day steps challenge – I have managed this every day again. That-is-11-months. Almost an entire freaking year. If I get to Christmas eve I will have actually done something I said I would do. Which in this whole crazy wreck of a year is something to be celebrated.
  • 150 active minutes a week challenge – I hurt my thigh as I started running again at the end of October. I needed to rest that up for a week or so. But I banged into November with bad news (see “The Bad”) regarding my health. After the thigh issue cleared up I had an excellent run of it (pun gleefully intended). Most weekday mornings I would be out jogging before work and I got both fitter, and thinner as a result. I ordered an exercise bike which was said to be “next day delivery” that I have not seen any more about. I ordered before England locked back down so I was expecting to get a bike :(. Update: It eventually arrived 3 weeks later, but I haven’t had time to build it.
  • Eating well challenge – (see the rabbit food ^^^) I don’t think I really ate too badly before but lockdown definitely accelerated the amount of crap I was eating. After the bad news (see “The Bad”) I went back to tracking calories. The act of having to scan barcodes and weigh spinach is so damn annoying that I definitely eat less as a result. The first bit of weight loss for me always goes really well. So into the baggy clothes and feeling good part of the process. Back to sorta where I was pre-lockdown when I started this series of posts. It is paying off.
  • Audiobooks – I moved back to feeding my brain with Sapiens. It started by reminding me about the Naked Ape which I read a good 20 years ago. I am intrigued by the speculation around what happened 70k years ago when suddenly one of several species of tool using humans came to dominance. The theory is that there was a cognitive revolution after which one species was capable of more complex language allowing both gossip and shared fantasies like religions. This allowed evolution through co-operation instead of time consuming genetics. The most fascinating point was that this is why we have anxiety about various things that logically do not make sense. Genetically speaking we are not apex predators but it turns out we are purely because of cognitive abilities. We get anxiety about things that would kill us on the plains of Africa. We have obesity because sweet things are great for survival (high calorie content) but rare in nature. If a chimp finds a ripe fig tree they immediately gorge the whole supply. Exactly how we cannot stop ourselves with a box of chocolates. Looking forward to where it is going.
  • Testing – I have done several testing projects this month. I learned lots of things. I found lots of things. This is always brilliant.
  • PS5 – There was a whole awful Saga where I can rant about how crap the vendor I ordered from were. But it eventually arrived the day after launch more because of luck that I had a postal redirect setup than the effort of the vendor. It remained in its box until the 29th and then it was an expensive massive brick while it downloaded update upon update upon update. I haven’t really played it. The Spiderman game seems good.

The Bad

  • I was tentatively diagnosed with a liver disease – This was found as a result of blood tests I had ordered due to me feeling extra shitty after moving house for weeks. The results said I had fatty liver meaning that I need to now actively lose weight and eat right for a real reason. We do not know the extent of the problem until I get an ultrasound and other tests done. But the chances are this is extremely early stage and if I lose weight the problem will reverse. That’s the hope. So I have thrown myself into that.

Highlights of the month

Football – Scotland Qualified for Euro 2020 through a delightful playoff win against Serbia. I honestly was calm throughout. I had no doubt we were going to do it and didn’t even waver when Serbia scored in the last minute. I just felt it was going to happen.

To be clear I have supported Scotland for a long time now and I have never once felt like that before. I have been hopeful, but always sort of knew it would implode. Because we had done the penalties so well in the previous game I just expected us to do it again when we had to play extra time.

InfoSec Community – The lovely people over at Ladies of London Hacking Society asked me to do a workshop on CVE bug hunting. Despite me being an absolute fraud with only one CVE to my name I took that on. It seemed like everyone had a good time – me included. It was recorded here. I am starting at 31 minutes and 05 seconds if you just want to see my face:

That’s all folks.

Captain’s Log: October 2020

The Good

  • 10k a day steps challenge – Completed for another month. There were some tricky days. Some extremely tricky days where I was just stressed beyond belief and somehow managed to fight fatigue to stay on target. Probably the hardest month to be fair. The idea of hitting 22 active minutes a day was mostly out the window due to the stress and disorientation of the month (see below).
  • Audiobooks – I completed the Rama series of books this month. Overall I really enjoyed them. The first one for the mystery. The follow ups slowly peel back the mystery and then leave you with a tale of growing old that absolutely rings with me at the moment. I have never felt the aging process so much as I am now. Autumnal thoughts and all that. I would highly recommend this. I then lightened it up a bit with the Alan Partridge: From the Oast house. I was recommended this by Mr Paul Mason in our final conversation and I admit I am chuckling along knowing exactly why he loved it. Hand in glove with the aging thing. You do start to think a bit more Partridge the older you get. The writers and acting play an absolute blinder with this character every time.
  • I moved house – Most of this blog post is going to be dominated by this, let’s be honest. At its basic level I moved from a flat to a house and gained myself a little garden, and an office space which is outside of my bedroom again. In terms of lifestyle going forward this should be major. Given lockdown(s) are going to continue for a while you need to be more comfortable with the space you have. Now I have options. I can walk away from work, close the door and be done with it when the task is over which is nice. I can play PC games at night with a microphone since I am at least not at the foot of the bed where my partner is trying to sleep.
  • It has a garden – I have completed the majority of my 10k steps a day challenge in a corridor of my flat which was about 1 metre wide by 8 long. The garden is an upgrade and gets me fresh air at the same time. It also has one solid step to elevate the heart rate on before getting onto the light jogging I am capable of. It ain’t much. But as of the 16th of October I have cleared the space and found all the running stuff from the myriad of boxes and am set to get back to the “let’s get 22 active minutes a day” side mission.
  • Good weekends – We managed a pretty relaxing weekend or two at the end of the month which helped me recover. While hard to do we built 3 new flat pack beds on a Sunday. A great thing is building furniture with the eldest. They want to help but have been “far too silly” until just about now (I have tried). They got to thwack things with a hammer and screw in screws until they were thoroughly bored of it. We did some Halloween drawing with the kids, we played some board games. It was overall pretty decent.

  • Borat Subsequent Moviefilm – I mean. An absolute stunning work this one. They had a point they wanted to make about #MeToo and politics in general. They went after it and it is as fascinating as is it funny to witness. Making it part of the “freely” available content on Prime instead of charging a fortune for new content shows they wanted to make the point land on as many screens as possible. A truly fascinating project and absolutely worth a watch.
  • Left4Dead 2 – I played a round of L4D2 on Halloween eve. I really like that game when you have a squad to play then it is a satisfying online gaming experience since it rewards teamwork and not lone wolves with sniper rifles. Great times.

The Bad

  • Loss of a friend – The legend that was Paul Mason sadly died the same weekend as my house move. I have covered this a lot already as he was worth his own blog entry and more.
  • Panic Attack(s) – I have not had one in a long time this year fortunately. As this monthly blog tracks them I think the last entry was pre-Glasgow Defcon in February. The month has been a total blip of panics which I have mostly been fine about as the effects are more easily mitigated. However, I believe the stressors are now removed so I hope we get back our regular schedule of hardly any a year. Classical cause reason: poor sleeping patterns.
  • They say moving home is stressful. I have never really experienced that before as it was mostly fun to pack stuff up and cleanse your life from unnecessary possessions and go on a new adventure. The problem with that rosy attitude is I had never experienced the full lawyer experience. If you both have to SELL a property and BUY one you get both barrels of them.
  • There is definitely a blog post in me only about the experience I had on this with a slant on incident management brewing. I may calm down enough to let it lie.

Highlight of the month

I would say actually getting moved and starting to make a new place our home.

Basic code review tools for Ruby

This blog post is to document how to get started analysing a Ruby code base for trivial security vulnerabilities, particularly when, like me, you have absolutely no ability in Ruby. If you are being asked to do an actual code review then I feel sorry for you, dear reader. This will help you get started, but it cannot replace having developed something sizeable within the target language and elbow grease.

The sum total of my Ruby experience was my entirely unpopular module for Metasploit a few years ago called “git_enum”. This is a post exploitation module which will seek to rob any stored git passwords or authentication tokens from a user’s home folder. I wanted to merge it into MSF but I am locked in anxiety about how awful that was to write, and assuming it will be laughed out of town if I dared try and contribute it!

I digress. My point was that I am not going to be getting scheduled on any Ruby source code reviews any time soon. The syntax is just alien enough to successfully spurn my interest.

This has been prompted by me having access to source code during an application test. This is a move from a black-box to a white-box methodology to aid defence in depth recommendations being made. There is no assumption that I am reading everything line by line. That said, when I do have access to source code I like to leverage automation where possible to point toward weaknesses.

Overview of the process

  1. Obtain the source and save it locally
  2. Identify Static Code analysis tools for the target language
  3. Identify tools to check dependencies for known vulnerabilities

I don’t need to say much about 1. so I will move right on to discussing 2. and 3. below.

Static Code Analysis Tools for Ruby

There is almost always some very expensive commercial tool for doing automated static code analysis. They are probably very good at what they do. However, they always have eye watering license fees and I have never actually had the privilege of using one to find out!

As this is not a full code review you will likely have no budget and so you need to find open source projects that support your target language. A great place to start is this URL from OWASP:

I picked two tools from that list, Brakeman and Dawnscanner, which were open source and which seemed active within the last 2 years of development:

Both were easy to install and use within a Kali host. The other tools may be as good, but I had two static analysers and that was enough for me.

Brakeman installation and usage

gem install brakeman
brakeman -o brakeman_report.html /path/to/rails/application

Dawnscanner installation and usage

gem install dawnscanner
dawn --file dawn_report.html --html /path/to/rails/application

Dependency Scanning Tool for Ruby

A dependency is an extension from the core language which has been made by a project and then made available for others to use. Most applications are made using dependencies because they save development time and therefore cost.

The downside of using dependencies is that they are shared by hundreds, thousands, or millions or of other applications. They therefore get scrutinised regularly and a vulnerable dependency can be a bad day for many sites at a single time. One thing you have to stay on top of is the version of dependencies in use and that is why it is an important check to make even if you are not doing a full code review.

The best dependency scanner out there is OWASP’s own Dependency-Check. This tool is getting better every time I use it. It integrates with more dependency management formats all the time. As per the URL below:

This is capable of doing Ruby but to do so it uses “bundler-audit”. For this one I went straight to Bundler-Audit.

Bundler-Audit Installation and Usage

gem install bundler-audit
cd /path/to/rails/application # folder where the Gemfile.lock file is.
bundler-audit update          # fetch the latest ruby-advisory-db before checking
bundler-audit check

I would include one vulnerability in my report for the outdated dependencies, summarising in a table the known vulnerabilities and the CVSS risk rating taken from the CVE references that bundler-audit reports. If there are hundreds of known vulnerabilities you should prioritise and summarise further.
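To show what the dependency check above is actually doing, here is an added Ruby example. It is not code from the post and not bundler-audit’s own code: it reads the gem versions pinned in a Gemfile.lock, matches them against an advisory list, and prints the kind of summary table the report paragraph describes. The Gemfile.lock excerpt and the advisories are constructed for the demo, and the advisory ids are placeholders rather than real CVE numbers; the real tool takes its data from the ruby-advisory-db it downloads.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement do the version comparison

# Constructed Gemfile.lock excerpt. Pinned gems sit under GEM/specs indented by
# four spaces; lines indented further are their dependency constraints.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.10.3)
        mini_portile2 (~> 2.4.0)
      rack (2.0.6)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.2, >= 2.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rack
LOCK

# Constructed advisories (placeholder ids, not real CVEs). Each entry names the
# gem, a CVSS score and the version ranges in which the issue is fixed, which is
# the shape of the advisories bundler-audit consults.
ADVISORIES = [
  { gem: 'nokogiri', id: 'CVE-XXXX-0001 (placeholder)', cvss: 7.5, patched: ['>= 1.10.4'] },
  { gem: 'rack', id: 'CVE-XXXX-0002 (placeholder)', cvss: 5.3, patched: ['~> 1.6.11', '>= 2.0.7'] },
  { gem: 'rails-html-sanitizer', id: 'CVE-XXXX-0003 (placeholder)', cvss: 6.1, patched: ['>= 1.0.4'] },
  { gem: 'loofah', id: 'CVE-XXXX-0004 (placeholder)', cvss: 6.1, patched: ['>= 2.3.1'] }
].freeze

# Returns { name => Gem::Version } for every gem pinned in the specs block.
# Only lines indented by exactly four spaces are pinned gems.
def pinned_gems(lockfile)
  gems = {}
  in_specs = false
  lockfile.each_line do |raw|
    line = raw.chomp
    in_specs = true if line == '  specs:'
    in_specs = false if line.empty? # a blank line ends the GEM block
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      # Drop a platform suffix such as "-x86_64-linux" so it is not read as a prerelease.
      gems[m[1]] = Gem::Version.new(m[2].split('-').first)
    end
  end
  gems
end

# A pinned version is vulnerable when it satisfies none of the patched ranges.
def vulnerable?(version, patched_ranges)
  patched_ranges.none? { |range| Gem::Requirement.new(range).satisfied_by?(version) }
end

# Cross-reference the lockfile against the advisories. Advisories for gems that
# are not bundled (loofah here) are ignored. Findings are sorted by CVSS so the
# table leads with the worst, which is the prioritisation the post recommends.
def audit(lockfile, advisories = ADVISORIES)
  gems = pinned_gems(lockfile)
  findings = advisories.select do |adv|
    version = gems[adv[:gem]]
    version && vulnerable?(version, adv[:patched])
  end
  findings.map { |adv| adv.merge(version: gems[adv[:gem]].to_s) }
          .sort_by { |f| -f[:cvss] }
end

# Render the summary table for the report.
def report_table(findings)
  header = 'Gem | Version | Advisory | CVSS'
  rows = findings.map { |f| "#{f[:gem]} | #{f[:version]} | #{f[:id]} | #{f[:cvss]}" }
  ([header] + rows).join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts report_table(audit(SAMPLE_LOCKFILE))
end
```

Against the constructed lockfile this lists nokogiri, rails-html-sanitizer and rack in that order; swap in a real Gemfile.lock and the real advisory database and you have the check bundler-audit performs, which is why the version pinned in the lockfile, not the one in the Gemfile, is what matters.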

That is it for this blog post. You have to interpret the results yourselves.

Hope that helps.

In memory of Paul Mason

It is with regret that I am writing this because the world has lost a bright light. This page lists the stories people volunteered about Paul. Mainly from InfoSec Twitter but all sorts of lovely people who knew Mr Mason managed to find me. They are included and very welcome.

If you are reading this and you want to add to the list you can use the comments if you prefer, or I will still take them over Twitter if you have that. The intent is that these will be combined and used to produce a photo album or book for his parents.

There will be an effort to remember Paul at the next Glasgow Defcon on Tuesday 1st of September via Discord/Twitch. As Paul was all about sharing knowledge there will be a talk scheduled and then a virtual “wake” after the event where people can share stories. You are all welcome.

Lisha Sterling/@lishevita

Andy Gill/@ZephyrFish

Robert a.k.a Rab Ray

Spoken poetry for 2 hours.

Paul Ritchie/@cornerpirate

One of the many things that I thank @PMason00 for is the insanely generous gift of a travel guitar that he gave me after work took us away for a ski trip.

I got it out and have given it a bash here it sounds great for a wee guitar.

Neither of us wanted to ski. So we had planned a bunch of things to do ranging from lock picking to rocking the hotel to its core.

He handed me this wee travel guitar at Glasgow airport and I think he had some other instrument with him I honestly forget what. We go to check-in and the extremely low budget airline was kicking off about instruments and bags. He frankly charmed the pants off the lady behind the desk.

Said we were a band and had been booked to play a hotel. They had booked our flight and, stupidly, forgot we would need instruments! Then bosh we were checked-in without paying a penny both with an instrument case over the allowance. Witchcraft I tell you. Witchcraft. 

The rest of the company were off skiing. But we were sharing a room. For us it was two days of absolute chillaxing. Up for breakfast, back for a snooze.

Then afternoons were spent passing this guitar around playing songs and talking about all kinds of things. To set this in time we stopped to watch Trump’s inauguration on CNN at one point. 

I tried to hand the guitar back to him at Glasgow airport. He said something like:

“No man you keep her. Take care of her she seems to like you”.

He stubbed out a cigarette and was off in a taxi while I tried to process the insane generosity of that action.

I installed it as the office guitar. Which @longjonsouza said “brought the promise of music” to us.

I was going in two days a week back then and I made sure I was in early to belt out songs before 8:30am. If I was stressed I would break it out. I would also infamously play it during job interviews from that point on. I think @__shabab__ was the only one to survive the new more rigorous application process.

Look if you cannot crack a password while someone plays the Mario theme badly at you are you even a hacker? This guitar has now survived my house move and it sits in my new dedicated office room right next to me.

Part of moving to a house with a garden came with a picture in my head of me and Paul sitting out there playing songs and relaxing as the summer sun toddles off to the west.

Instead as I stood out there for the first time as the owner of the place I got the call from his father breaking the sad news. While I won’t be out there with him. I will be playing his beaten and much loved travel guitar.

Don’t worry Paul I am taking good care of her.

Love you. 

Clare Cavanagh/@Clarecav01

Stefano Sesia/@StefanoSesia

Lewis Binnie/@LewisBinnie1

Daniel Dresner/@DanielGDresner

Cooper/@Ministraitor

Campbell Murray/@zyx2k

James Hemmings/@MrJamesHemmings

d4n_tweets

Josh Fraser/@jishf

Steve Porter/@SteveDPorter

Jon/@Candlelands

Miguel Marques/@z0mbi3

Lorenzo

“Paul and I were colleagues. Even though we parted ways, I’ll always remember him for the little time we shared together. How he showed up at a customer meeting once wearing just everyday clothes, proudly stating (and I quote) ‘he would never wear a suit again because he has been a teacher and had had enough of that’. And then he brought to the table the most amazing and interesting stories and managed to “connect” with people and just made everything great while showing the same customer a degree of knowledge, professional attitude and passion that I’ve seldom seen elsewhere. Immediately, no matter who they were, no matter their background or language or stance in life, he just made friends.

When he talked – and he could talk a lot! – he absolutely captivated the audience like no one. Even in a crowd of hundreds, you could always feel he was talking to you and to you alone.

He helped – always, at any time, without asking too many questions when questions were a nuisance. He was always there. Always. He just .. gave freely and never, ever asked for anything back. He showed me what it means to enjoy a conversation, to be proud of what you do and find the fun side in everything. He made me laugh to the point of crying, even though English isn’t my first language. He talked about his family at times, especially his dad, about his life and achievements and funny stories and I wish we could have had that famous beer and listen to more.

I’ll always remember him. In some small but meaningful ways he changed my life when I switched careers and moved onto the cyber security side of things. He believed in me so much, and I think I made him a little bit proud.

I’m pouring myself a whisky now, and my thoughts are for all the people whose life he steered in better directions. I’m sure there’s more than he could imagine; I hope others will reach out to you to show how proud you should be of him.

My sincerest condolences.”

Youri Van Der Zwar/@yourniz

Paul Fennell/@Digit4lbytes

John A Ferguson/@jafwords

I’ve known him for 15 years. I loved his take on the world and loved his wisdom. We taught together and as much as he left that world of secondary teaching behind him I know that he made a massive difference.

The children that Paul taught loved him. He was a phenomenal English teacher and helped shape the lives of so many young people. The pupils looked up to him and respected him. He was forward thinking and helped shape some of the ways we teach that many will just take for granted now.

He was a champion of interdisciplinary learning, allowing pupils to see the link between all of the subject areas found in school.

What cyber security gained, we definitely lost in education and it was a huge loss. The pupils who had Paul as a teacher will remember him fondly, and his friends who taught with him will miss him deeply.

Infospectives/@trialByTruth

Callum/@dangerwank

Tallulah/@tallulahjc

Giovanni Interi

I first met Paul at a company meeting where he delivered a fantastic talk about education and IT security I was impressed at his vast knowledge both technical and human.

We worked in the same company for a while, not on same projects however, and had opportunities to exchange very interesting conversations. What was transpiring always from being in contact with Paul was … his BIG HEART. Even when he wasn’t happy with someone or some situation. He really had time for everyone, would discuss any subject and would respect different views, and choices. When he expressed his, Paul was always able to explain clearly and unequivocally.

On one of the ski trips mentioned in these memories he was so attentive to the trip companions and also to the other passengers on the plane close to us. I remember he started talking to a Jewish passenger (distinguishable by his traditional clothing and looks) with a genuine interest in their life and faith and showed a solid historical and contemporary knowledge of their lifestyle and traditions. That particular chat impressed me particularly as it highlighted his openness and respect of all walks of life.

One particular moment of that trip was snapped in a ‘friendly’ snooze in the smoking room of the Hotel where we were staying:

A pile of Paul’s (Paul Mason, Paul Johnstone)

Thank you Paul! Rest in peace!

Gio

Persistent SSH Sessions

If you win the lottery and start a job working as a penetration tester the chances are you will need to learn a couple of vital lessons sharpish. One that I like to drill into people is about SSH sessions that persist even if your client connection dies. A complete rookie mistake – that we all make – is to lose data when our SSH connection dies. Maybe the Wi-Fi disconnects or you close your laptop to go for lunch? Who knows.

Don’t blame yourself. The chances are you partly educated yourself and you were using either a Linux-based machine or a VM. In that scenario your terminal lives as long as you want it to with no questions asked.

Now that you are on someone’s payroll the chances are you have a fancy “penetration testing lab” that you have to send connections through for legal reasons. While I like that I won’t lose my liberty it does introduce this complexity into our lives.

Tmux

I am a relative noob to Tmux but it really seems to be worth the investment of time.

If I had a time machine I would get future me who understands Tmux completely to come and teach me. Maybe in a fancy silver car with a… I am gonna say it… *pffft*. Ok ok, calm down. In a fancy silver car with a tmux-capacitor! I know some of you liked that pun and that means you are as bad as me.

The absolute basics are these three commands:

tmux new -s <session_name>    # used to establish a new session.
tmux new -s customerA         # I name a session after the project for ease.
tmux ls                       # list the sessions that exist
tmux attach -t <session_name> # used to attach to your previous session
tmux attach -t customerA      # attaching back to the session created last time.

If you create a new session you can then kill your client SSH connection by disconnecting from Wi-Fi or whatever. On reconnecting when back online you attach to that and you have lost nothing (assuming the server has remained online and the issue was client side only).

For the purposes of this tutorial you have done all you need to do to prevent yourself losing work. Go you.

However, Tmux is capable of lots more things, such as splitting an SSH session horizontally and/or vertically when you want to show two processes at once in a screenshot. Or what about having multiple “windows” in a single SSH session and a relatively easy way to move between those windows? Instead of having additional instances of PuTTY on Windows or tabs in “MTPuTTY” you can do everything over a single SSH session inside of Tmux.

There is a full cheat sheet here.

https://tmuxcheatsheet.com/

Totally worth the learning curve.

Captain’s Log: September 2020

The Good

  • 10k Daily Steps Challenge + **New Goal** – Still rumbling along with this nicely. I upped my game to now add a sub task to aim for 22 active minutes a day. That means having the heart rate properly elevated. This is going to take a while to get habitual but I have made a decent start and lowered my resting heart rate a couple of beats at the same time. The month went well until the final 2 days where I had a beast of a cold and sore throat. I managed the 10k but it took a lot of effort. I whinged on twitter about a possible chainbreaker while being sick and @TIA568B reminded me to keep going so voila:
Some days this is what success looks like
  • Blog Posts – I got an actual technical blog post out the door getting re(started) with iOS app testing. I prefer this blog maintaining its technical edge but I was never prolific with that stuff with at most 8 a year. The commitment to track my 2020 with the Captain’s Log series has drowned out the few technical posts.
  • Audio Books – Absolutely still devouring the Rama series of books by Arthur C Clarke. I am on to “Rama Revealed” which is the final book. The first book was a wonderful and relatively short story but the later instalments have been much longer listens with this one being 20 hours. Very much worth watching.
  • Youtube Channel – I have been watching Kurzgesagt with my kids. It is probably a bit beyond them but my eldest is getting all kinds of joy out of the existential and space series. I keep regularly having “mind blown!!” reactions to these videos. Honestly they are amazingly well put together. Delve into the series on ants… Pro tip.
  • Sleep – The youngest has started to sleep through the night! Hopefully this continues. So I relocated myself from sleeping on their floor to an actual bed. Like a real person I have slept on a bed! As I write this on the 7th of September, for 4 consecutive nights. Long may this continue. *update.. It continued :D*. This is the real shift as it enabled the new exercise goal. If you don’t get sleep you cannot recover from exercise and so it was of limited value without this.
  • Games – XCOM: Chimera Squad. I had no idea that this had been released! I am a long time lover of the XCOM series. Over the years they have tried multiple different game modes including flight simulator, FPS etc. This is an interesting twist which is close to old school final fantasy game dynamics. Each mission is a series of breach and clear engagements. Upgrade kit to make more breach possibilities occur i.e. a brute force device to defeat doors locked with keypads, or explosives to make entries in walls. It has been interesting and a different direction for the series.
  • Weekends – We managed to get to the park most weekends for outside activities. Getting this done early in the weekend sets us up for a happier time over the weekend. Even ventured out to the forest for a roam about in nature. The kids were mainly asking where the slides were until they discovered a massive pile of rocks to climb.
  • CENSIS Talk – I was asked to speak at an event for CENSIS. Work were all for it, and gave me time in the busy schedule. The talk was around security practices in the IoT ecosystem space. While I tell everyone I am not the expert in this area I do slowly improve my understanding of it. The real positive about this was that we had agreed to do a live hacking demo. No bother when the event was face2face, but I needed to record it. The process of recording and editing was enjoyable and I really get a kick out of making little films.

AWS Snafu Finally Solved!

In April I bought a book called “AWS Pentesting with Kali”. I had decided to fire into some cloud skills as I am increasingly back on customer engagements again and it is always nice to learn new things. Sadly I have not even opened the book yet. But I did develop a tool (still not released) to enable data in and data out of restricted environments.

Data in via typing, and data out via QR codes which are both established techniques already but I like to make my own tools for these things sometimes.

Anywho, I needed a Windows server over an Internet connection and RDP to get the right feel for speed. So I went with opening an AWS account, woohoo! I would spin up a new instance each time I worked on the tool and then crush it as I went to bed using my free-tier allowance like a boss.

Unfortunately, ever since May I have been sent an email every month warning me of my free-tier allowance being at 85%. But.. but.. I have nothing running? I log in to the dashboard and see nothing, not even paused. As the months rolled on I eventually tweeted about it:

Enter the heroes I needed: @JGMSoftware, @UK_Daniel_Card, and @joe_jag who all deftly informed me I know nothing about AWS because I had assumed that dashboard showed me everything when it is indeed tied by region. I have honestly no idea why the server was spun up once in Ohio when I seem to default to Virginia on the dashboard.

Lesson very well learned and THAT is why I bothered opening an AWS account in the first place. Now that my test server is properly wiped I can crack that AWS book open in the dead of winter and not incur costs immediately, as I will have my free-tier amount back.

To the helpers. I salute thee. Keep being beautiful.

The Bad

  • Stress – I had a very stressful couple of weeks over the end of August and start of September. Some times are tough but this one was pretty up there. On being positive about it something good should come of it mid October unless there are delays or catastrophe. Fortunately the uptick in weekends being relaxing and sleep came just as it ended. Nicely timed.
    • I would like to caveat this with the fact that, after the initial rocky start, the increase in sleep quality and duration by sleeping on an actual bed made it vanish.

Highlight of the month

Work took me to places where I needed to record multiple videos for different audiences. Some for internal training, and then this one which I can share with you.

This is notable because it was made for a non-security audience. That meant doing some background theory in risk analysis and threat modelling before going into a live hacking demo to help contextualise what was happening.

Research it is not. But a reasonable demo against a vulnerable spoofed IoT ecosystem which was fun to put together.

Getting started with iOS testing

Jailbreak a device (At your own risk)

Disclaimer: I would never jailbreak a device that was going to carry my personal information. You should not either. It is absolutely at your own risk.

This blog post is about getting started with assessing iOS apps. I had not done this in a few years, so these are notes bridging the past with the modern tooling, which may be of use to you.

There is currently a stable exploit called “checkra1n”. It is built on the checkm8 boot ROM bug, so Apple cannot patch it with a software update on affected devices, but it is semi-tethered: the jailbreak lasts only until the handset reboots, after which you run the tool again. So long as you prevent your rooted handset from rebooting you will have a rooted handset. There are stable exploitation tools for Linux and now for Windows.

I use Windows as a host OS. I do this for many reasons but the simplest one is that Linux works better in a VM than Windows does, in my experience. I tried checkra1n in a Kali VM with the phone passed over USB directly to the VM. This was a dead end. The exploit process looked like it was working but it never completed; do not enter this cul-de-sac.

To get around that I could have tried the Windows exploit tools. But I selected to use “bootra1n”. This is a bootable USB Linux distro which includes checkra1n, and it worked exactly as advertised.

Install the app via the App Store

  • Setup a test account without any of your real personal info.
  • Sign in to the app store, and then install your target app on the device.

There are other ways to install apps, including “3uTools” (see the section later). For me this did not work as my target app was not available in the app store they maintain. If your target is available for install there then you will find an easier process where you don’t need to dump the IPA file as described in the next section.

Dump IPA file from handset

  • On Jailbroken Handset
    • Open Cydia and install “frida-server” as per this guide.
  • Inside a Kali VM (I used a VM, you can go barebones. Process did not work on Windows).
    • Install frida-tools, using the pip that belongs to the python3 you will later run dump.py with:
pip3 install frida-tools
  • Inside Kali install “frida-ios-dump”. Note that ssh to localhost:2222 only works because iproxy (from libusbmuxd-tools) is forwarding that port to the handset’s SSH service over USB:
apt-get install libusbmuxd-tools
iproxy 2222 22 &               # forward localhost:2222 to port 22 on the handset over USB; leave this running
ssh -p 2222 root@localhost     # default root password after jailbreaking is "alpine", change it; leave yourself connected to this session
git clone https://github.com/AloneMonkey/frida-ios-dump.git
cd frida-ios-dump
pip3 install -r requirements.txt

Now all you need to do is run “dump.py” against your target as shown (it accepts either the app’s display name or its bundle identifier):

python3 dump.py <target_app_name>

To obtain the correct target app name and bundle identifier use “frida-ps” as shown (“-Uai” means: USB device, applications only, including installed-but-not-running ones):

frida-ps -Uai
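The steps above end with you reading the frida-ps table by eye and retyping an identifier. The wrapper below is an added example (not part of this post, nor of frida-ios-dump): it starts iproxy, resolves the display name you see on the handset to its bundle identifier, and hands that to dump.py. It assumes frida-server is already running on the jailbroken handset, that frida-tools and libusbmuxd-tools are installed in the VM, and that frida-ios-dump is cloned at $FRIDA_IOS_DUMP (an assumed path, defaulting to ~/frida-ios-dump).

```shell
#!/bin/sh
# Wrapper around the dump procedure (added example; not from the post or from
# frida-ios-dump). Assumptions: frida-server running on the handset, iproxy and
# frida-tools installed here, frida-ios-dump cloned at $FRIDA_IOS_DUMP.
FRIDA_IOS_DUMP=${FRIDA_IOS_DUMP:-$HOME/frida-ios-dump}   # assumed location
SSH_LOCAL_PORT=2222

# bundle_id_for NAME: read `frida-ps -Uai` output on stdin and print the bundle
# identifier whose display name is exactly NAME. frida-ps prints a header line,
# a dashed underline, then "PID  Name  Identifier" rows, with "-" as the PID for
# installed-but-not-running apps. Names may contain spaces, so the identifier is
# the last field and the name is everything between the PID and that field.
bundle_id_for() {
  awk -v want="$1" '
    NR <= 2 { next }                       # skip header and underline
    {
      id = $NF
      name = $2
      for (i = 3; i < NF; i++) name = name " " $i
      if (name == want) { print id; exit }
    }'
}

# dump_app NAME: forward the handset SSH port over USB, resolve NAME to a bundle
# identifier and pass it to dump.py (which accepts a display name or bundle id).
dump_app() {
  iproxy "$SSH_LOCAL_PORT" 22 >/dev/null 2>&1 &
  iproxy_pid=$!
  trap 'kill "$iproxy_pid" 2>/dev/null' EXIT
  sleep 1                                  # give iproxy a moment to bind
  id=$(frida-ps -Uai | bundle_id_for "$1")
  if [ -z "$id" ]; then
    echo "no installed app called '$1'; check frida-ps -Uai" >&2
    return 1
  fi
  echo "dumping $1 ($id)"
  (cd "$FRIDA_IOS_DUMP" && python3 dump.py "$id")
}

# usage: sh dump-app.sh dump "Target App"
case "${1:-}" in
  dump) dump_app "$2" ;;
esac
```

dump.py still needs to reach the handset with the root password you set earlier, so if you changed it from the default, update dump.py accordingly before running this.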

Getting MobSF The Quick Way

MobSF is an excellent tool for gathering some low hanging fruit. As a minimum I would advise throwing every IPA (and Android APK) through this for static analysis. It does a good job of finding strings which may be of use, as well as analysing permissions and other basics. This post is about getting you started and MobSF will be an excellent place to end this post.

Install docker as per this guide. Then after you have that up and running you can get access to MobSF using this:

docker pull opensecurity/mobile-security-framework-mobsf
docker run opensecurity/mobile-security-framework-mobsf

This starts MobSF listening on port 8000 inside the container, bound to 0.0.0.0, which is great. On a Linux host you can talk to the container’s bridge address directly, so you need to know what IP address Docker just gave it. (On Docker Desktop for Windows or macOS that address is not reachable from the host; add “-p 8000:8000” to the run command and use http://localhost:8000/ instead.) First list your running containers:

docker ps

Then use docker inspect with a grep to get that for you:

docker inspect <container_id> | grep IPAddress

Fire up your web browser at http://YOUR_IP:8000/ and you can upload the IPA file; it will give you that static analysis juice.

3uTools

This is a beast which gets around having to install iTunes. A bit of software I have a ~15 year old past with which I frequently refer to as a “virus”. It is simply not possible for iTunes to be as shit as it is/was. Therefore, it must have been maliciously generated.

3uTools allowing you to dodge the virus that is iTunes

A lot (but not ALL) of apps from the app store are available for install using this. You will still need to supply legit app store creds to use that feature. If you can install using 3uTools then you get a super easy way to export the IPA file. But it only works on apps installed via 3uTools. In my case the app I needed to examine was in the app store, but not in the 3uTools equivalent.

That’s it from me, I am not going to rehash how to test an iOS app here as there are excellent resources explaining how to do that.

Your next steps would be to Google the heck out of these things:

Best of luck on your road to pwning iOS.

Pitfalls in Pentesting

In this post I am going to cover some pitfalls of Penetration Testing. It is kind of three rants stitched together, loosely around the theme of how we generally interact with customers, as well as the reporting processes that I have seen over the last 15 years.

A person whose job it is to respond to penetration testing findings was asked this question:

  • What are the pain points you have experienced when responding to Penetration test findings?

This is what they said:

“…For my part, as an engineer that gets the fallout from these things I can tell you that I really hate that these scans report stuff that’s been fixed by back-porting by the suppliers. I’ve lost count of the number of times I’ve had to explain to SecOps, Managers and developers that the hundreds of “alerts” they have can be ignored because RedHat have already backported fixes not reflected in the reported version numbers. Time to get off one of my soap boxes!..”

— Anonymous fighter in the trenches

It is also worth noting that this was not a customer of ours.

I yelled “preach!”. Whoever this was, I really love that they hit the nail on the head. I opened my most recent report where I had tackled that concern, I hope, adequately:

An excerpt from a report

I hope that if the anonymous responder were to see my report they would at least see that I considered their plight, and that I have given them an easy out when responding to their manager: “Look, this guy even said it is possibly a false-positive”.

The target had a server banner which, if true, was vulnerable to several things. Unfortunately the OS was not listed in the banner (and was not otherwise 100% confirmed) so I could not prove or disprove the versions without either exploiting the issue, or being given more access. Had the banner said “RedHat” then I would most definitely have changed what I said. It would say there is a high potential that backporting was being used.

This set me off thinking again about how our industry often fails the customers we are paid to help.

If our industry has heroes they may or may not wear capes. But they almost definitely work on the blue side in my opinion: the brave souls tasked with the gargantuan job of interpreting penetration testing reports, from multiple consultants, from different vendors. The variability of output is enormous. These warriors have to find some way to make it work regardless of what has arrived as the deliverable.

I have seen Pentest companies who try to solve it in two ways:

  • Dictatorship – Based on one person’s vision you set a reporting standard.
    • You develop a rigid knowledge base of vulnerability write ups which tells everyone exactly how to report something. This includes fixed recommendations which must be provided.
    • You retrain every consultant in your team to meet that standard.
    • You yell at people during QA to remove any sense of individuality in reporting.
    • You fall out over CVSS risk ratings because “we need to risk this exactly the same way as the customer got an XSS which was 6.5 last week”.
    • Some Customers LOVE This. They don’t want any variability because the master spreadsheet they have with all vulns exists. They want the exact risk score for every instance of a vulnerability ever. They just like it neat.
    • The goal is to make every report as identical as possible across any customer and from any member of the team. Robotic Reporting.
  • Cheerful Anarchy – You set a baseline standard for reporting by providing a structure for the reporting and a style guide. Then you let folks have at it!
    • You accept that Pentesting is a consultancy profession, which is influenced by the experience of the consultant doing the work along with their understanding of the risk appetite of the customer.
    • You provide a basic knowledge base of vulnerability write ups which covers a consistent title, background, and baseline risk score. Then encourage the consultant to produce the remaining content just for that project.
    • You train your consultants to understand risk calculation and expect them to alter the baseline risk considering every instance they see.
    • The goal of this is to make every report tailored. Therefore inconsistencies will exist such as two consultants finding the same vulnerability with the same impact but providing different risk ratings.

Of the two I have always preferred cheerful anarchy. I know that some customers absolutely want a penetration test to deliver consistent results over time. It helps them sleep at night. I argue that a little anarchy might be good since the consultant should be free to express their opinions SO LONG AS THEY EXPLAIN THEM WELL ENOUGH.

In truth you need to essentially support both in 2020. Big accounts who want the consistency need to get it. Other customers who are perhaps in earlier stages of their security maturity processes should be given tailored findings in my opinion. They haven’t necessarily encountered an SQLi before, so you need to contextualise it a lot more. So I recommend being so flexible that you can be rigid… I suppose?

Places where a penetration tester needs to be super clear is when dealing with potential false-positives. If the only evidence you have is from a vulnerability scanner then you have not done a good job. I implore you to always find some other means of confirmation.

In situations where the vulnerability is raised only on the basis of banners, your flow is to:

  1. Find a working exploit. If you can, try it first against a Docker container or VM running the same software to verify that the payload works cleanly. Then ask the customer if you can use the exploit. If you have done it in your lab first you can explain that it works without a risk to stability; otherwise you warn them that it may trigger an outage. They can then make the decision themselves, as it is their risk.
  2. If no exploit is available then, if you can, execute OS commands to verify the installed patch. In most cases you do not have this access. You can either document the finding with caveats (as my report did), or.. and I appreciate this is a revolutionary idea.. you can ASK the customer to confirm the installed version themselves and provide a screenshot. In my case the time was not available to do so and I was forced into the caveat approach.
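Step 2 in practice, as an added example (not from the post): on Red Hat derived systems “rpm -q --changelog <package>” lists the CVEs each backported fix addressed, so if the customer pastes back the output of “rpm -q httpd” and that changelog, deciding whether the banner finding survives is mechanical. Everything below works on plain text, so it runs on whatever is pasted into a ticket and needs no rpm locally. The sample changelog is constructed and its CVE ids are placeholders, not claims about any real package.

```shell
#!/bin/sh
# Backport sanity check for a banner-only finding (added example, not from the
# post). Input is text the customer can paste: the installed rpm NVRA and the
# package changelog. Works in plain sh on anything; rpm is not required here.

# rpm_version NVRA: the upstream version from a name like
# httpd-2.4.6-97.el7.centos.x86_64 -> 2.4.6
rpm_version() {
  nvr=${1%.*}          # drop arch:     httpd-2.4.6-97.el7.centos
  nv=${nvr%-*}         # drop release:  httpd-2.4.6
  printf '%s\n' "${nv##*-}"
}

# rpm_release NVRA: the distro release tag that carries the backports,
# e.g. 97.el7.centos. A banner never shows this part, which is the whole problem.
rpm_release() {
  nvr=${1%.*}
  printf '%s\n' "${nvr##*-}"
}

# backport_verdict BANNER_VERSION NVRA CVE CHANGELOG_FILE
# Prints one of:
#   BANNER-MISMATCH    the banner does not describe this package; look again
#   FIXED-BY-BACKPORT  the CVE is in the changelog: almost certainly a false positive
#   UNCONFIRMED        same upstream version, CVE not mentioned: keep the finding, caveat it
backport_verdict() {
  banner=$1; nvra=$2; cve=$3; changelog=$4
  if [ "$(rpm_version "$nvra")" != "$banner" ]; then
    echo BANNER-MISMATCH
  elif grep -qi -- "$cve" "$changelog"; then
    echo FIXED-BY-BACKPORT
  else
    echo UNCONFIRMED
  fi
}

# write_sample_changelog FILE: a constructed stand-in for
#   rpm -q --changelog httpd | head
# CVE ids are placeholders (CVE-0000-...), not real advisories.
write_sample_changelog() {
  cat > "$1" <<'EOF'
* Mon Jan 06 2020 Example Packager <packager@example.invalid> - 2.4.6-97
- Resolves: #000001 - CVE-0000-0001 mod_example: example issue (backported fix)
* Tue Dec 03 2019 Example Packager <packager@example.invalid> - 2.4.6-96
- rebuild
EOF
}

# usage: sh backport-check.sh demo
if [ "${1:-}" = demo ]; then
  f=$(mktemp)
  write_sample_changelog "$f"
  backport_verdict 2.4.6 httpd-2.4.6-97.el7.centos.x86_64 CVE-0000-0001 "$f"
  rm -f "$f"
fi
```

Whatever the verdict, the report should still quote both the banner and the rpm line the customer gave you, so the next person reading it can see why the scanner and the engineer disagree.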

I know, I know. I suggested you speak to the customer! Worse still I say you should ask them to support you improving the quality of how you serve them. You should not forget that a Penetration Test is a consultation, and that you are on the customer’s team for the duration of the engagement.

They say you should never meet your heroes. But it has been going really well for me when I speak to them so far.

Hope that helps.

Encrypting files with openssl using a password

I needed to send an encrypted file to a user with a Mac. They were unable to install additional software on their machine, and I have no Mac to verify things on.

By default Macs roll with openssl installed (thanks Google), so the solution seemed to be to use that.

You can debate the encryption algorithm choice and substitute as appropriate. But the basic syntax for encryption and decryption using AES-256 is shown below. One caveat on the options: “-iter” switches on PBKDF2 key derivation and sets its iteration count, and that count is what makes guessing passwords slow, so a value like 30 is far too low. Use 100,000 or more. The count is not stored in the output file, so the person decrypting must pass exactly the same value. Both ends need OpenSSL 1.1.1 or later for “-pbkdf2” and “-iter”.

Encrypt file with password

openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -in report.pdf -out report.enc

Note: running this command will result in a prompt to enter the password, and confirmation.

Decrypt with password

openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 -in report.enc -out report-decrypted.pdf

Note: again this command will prompt for the password to be entered before extracting.
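The same two commands wrapped so they cannot drift apart, as an added example (not the post’s own commands): encrypt and decrypt share one iteration count, the password comes from the FILE_PASSWORD environment variable via “-pass env:” (which keeps it out of the process list, unlike “-pass pass:”, and allows scripted use), and there is a check for the “Salted__” header that “openssl enc -salt” writes, which saves blaming the password when what you were sent is not an openssl blob at all. It assumes OpenSSL 1.1.1 or later on both sides; the iteration count is my choice, not the post’s.

```shell
#!/bin/sh
# Password-based file encryption with the openssl CLI (added example, not the
# original post's commands). Assumes OpenSSL 1.1.1+ for -pbkdf2/-iter.
# Export FILE_PASSWORD before calling encrypt_file/decrypt_file.

# Assumed value: a commonly cited figure for PBKDF2-HMAC-SHA256. Raise it if
# the recipient's machine copes; it must be identical on both ends because
# openssl enc does not record it in the output file.
PBKDF2_ITER=600000

# encrypt_file PLAINTEXT CIPHERTEXT   (password in $FILE_PASSWORD)
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" -md sha256 \
    -pass env:FILE_PASSWORD -in "$1" -out "$2"
}

# decrypt_file CIPHERTEXT PLAINTEXT   (password in $FILE_PASSWORD)
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -md sha256 \
    -pass env:FILE_PASSWORD -in "$1" -out "$2"
}

# is_openssl_salted FILE: succeeds if FILE starts with the 8-byte "Salted__"
# marker (the 8-byte salt follows it), i.e. it looks like openssl enc output.
is_openssl_salted() {
  [ "$(head -c 8 "$1" 2>/dev/null)" = "Salted__" ]
}

# digest_of FILE: hex SHA-256 of FILE, to confirm the round trip is lossless.
digest_of() {
  openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# usage: FILE_PASSWORD='...' sh pwenc.sh encrypt report.pdf report.enc
#        FILE_PASSWORD='...' sh pwenc.sh decrypt report.enc report.pdf
case "${1:-}" in
  encrypt) encrypt_file "$2" "$3" ;;
  decrypt) decrypt_file "$2" "$3" ;;
esac
```

A wrong password normally fails with “bad decrypt” because the CBC padding check fails, but that is not a cryptographic integrity check: about one wrong key in 256 will pass the padding check and produce garbage, and a deliberately tampered file can do the same. Compare a digest out of band if that matters.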

Warning; running with scissors

This is securing with a password. Go big or risk exposure here. Someone could always try brute force and you want to make sure that takes way way longer than the validity of the information you are protecting. I recommend 72,000 characters long as a minimum to be sure. Note also that “openssl enc” gives you confidentiality only: AES-CBC carries no integrity check, so a tampered file either fails to decrypt or decrypts to garbage, and the recipient cannot tell which. Fine for sending a report, not a foundation for anything more ambitious.

Now you have a key distribution problem though. How do you get the password to the other person securely? You cannot email them the password, since email is the same delivery mechanism as the file in my scenario.

  • Generally WhatsApp (or other end to end encrypted chat client to a mobile phone) is good.
  • Phoning and saying a long password can be awkward but works (so long as they promise to eat the paper they write the password on immediately).
  • SMS is less secure but still confirms that whoever reads the password is in possession of the recipient’s phone.

Hope that helps.