Packet Squirrel

These days I got my hands on a really cool device from Hak5, the Packet Squirrel, which can be used for Ethernet man-in-the-middle attacks, either as a sniffer or to get remote access to a network.


This tiny device has a button to turn it on, an Ethernet in port, an Ethernet out port, a micro-USB port for power, a USB port for storage and a switch to select which of the payloads to run.


The default payloads the Packet Squirrel has are:

  • TCP Dump: allows the user to display the TCP/IP and other packets being transmitted or received over a network.
  • DNS Spoof: alters the DNS answers the victim receives, so a domain resolves to a different page.
  • OpenVPN: provides remote access to the network or client tunneling.

To use the TCP dump payload you just need to select it by moving the switch all the way to the left and connecting the Packet Squirrel to the device whose traffic you want to see. The LED will then start flashing yellow, indicating it is saving the traffic to the USB flash drive, until you push the button to indicate you are done. Finally, plug the USB drive into your PC to find a pcap file, whose traffic you can inspect with a protocol analyzer like Wireshark.


In the case of the DNS spoof you need to enter the arming mode of the Packet Squirrel (switch in the rightmost position) and configure the spoofhost file with the domain and the IP address you want to set for it.


With OpenVPN you can provide remote access to the network: the target device keeps its access to the network through the Ethernet out port without interruption, while the OpenVPN connection is established, enabling remote access to the Packet Squirrel.

It can also be used to tunnel the traffic from the target device through the OpenVPN connection, by changing the configuration to allow 1 client.


To set up the OpenVPN server side there is a set of videos from Hak5 that can be quite useful.

From the shell on the cloud server, start setting up OpenVPN by running:

wget https://git.io/vpn -O openvpn.sh && bash openvpn.sh

(Note the capital -O, which tells wget where to save the download; a lowercase -o only redirects wget's log to that file, leaving openvpn.sh without the installer.)

This will generate a client.ovpn file that needs to be copied to /root/payloads/switch3/config.ovpn. With all that in place you can try OpenVPN by moving the switch of the Packet Squirrel to the third position.

From all I could see while using the Packet Squirrel, I think it is a great device: it is really small, so you can carry it easily with you; it is simple to use, just moving the switch to a different position; and it can be configured in no time with the default payloads, or you can create your own payloads.


*I didn’t receive any money for this post.

Master Key for hotels

There are many things someone takes into account when selecting a hotel to stay at: the luxury, Wi-Fi connection, pool, air conditioning and many others. But something really important is that your stuff remains safe, knowing that no one can enter without your permission, including the cleaning staff.


That is why a new exploit discovered by F-Secure researchers is important: a vulnerability in a popular and widely used electronic lock system (Assa Abloy) that can be exploited to unlock every locked room in a facility.


For this hack, the attacker needs access to any key card from the target hotel, even if it isn't for a room or it has expired. Then they would need a portable programmer running custom code they created; it is held near the lock, and in a minute the lock will be open.


The researchers, for obvious reasons, didn't release the code for the master key and, in fact, showed the findings to the affected company. They worked with Assa Abloy for over a year to recently release an update that fixes the problem.

References:

https://thehackernews.com/2018/04/hacking-hotel-master-key.html

Researchers Find Way to Create Master Keys to Hotels

Honeypot

A way to be prepared in case someone is trying to access your server is to put up a fake system, a trap to detect when an attacker is trying to get in without the administrator's permission. It is a great way to protect a system because it turns the tables on the hackers: it keeps them away from the real system, and it helps the admin know when he is being attacked, learn from it and improve security.


In general there are two main types of honeypots:

Production Honeypot: Used by companies and corporations for the purpose of researching the motives of hackers as well as diverting and mitigating the risk of attacks on the overall network.

Research Honeypot: Used by nonprofit organizations and educational institutions for the sole purpose of researching the motives and tactics of the hacker community for targeting different networks.

When configuring your honeypot you should have the logs of all devices in the honeypot sent to a centralized logging server, and all the security staff must be notified when someone is carrying out an attack; that way the staff will be ready to monitor and keep track of what the hacker is doing and make sure the real environment is not compromised.

It is also important that your honeypot is attractive to a potential attacker. This can be done by keeping it not so secure, to encourage the attacker to go for the honeypot:

  • It should have ports that respond to port scans, user accounts and various system files.
  • Passwords for the fake accounts should be weak.
  • Certain vulnerable ports should be left open.
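As an added example (not code from the post or from any honeypot project), a minimal low-interaction TCP honeypot in Python that puts the two points above together: it answers with an old-looking bait banner, records each connection as a structured record of the kind you would forward to the central logging server, and turns repeated hits from one source into an alert for the staff. The banner, the service name and the addresses are constructed for the example.

```python
import json
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"  # old-looking bait banner (constructed for this example)

def build_record(service, peer, first_bytes):
    """One structured record per connection: the line to ship to the central log server."""
    return {"ts": datetime.now(timezone.utc).isoformat(), "service": service,
            "src_ip": peer[0], "src_port": peer[1],
            "payload": first_bytes.decode("utf-8", "replace").strip()}

def alerts(records, threshold=3):
    """Sources that hit the honeypot at least `threshold` times; nothing legitimate
    should ever touch a honeypot, so repeated hits mean an attack in progress."""
    counts = Counter(r["src_ip"] for r in records)
    return {ip: n for ip, n in counts.items() if n >= threshold}

class Honeypot:
    # Accepts connections one at a time, sends the bait banner and records the first bytes received.
    def __init__(self, host="127.0.0.1", port=0, service="fake-ssh", sink=None):
        self.service, self.records = service, []
        self.sink = sink or (lambda rec: print(json.dumps(rec)))  # swap for a syslog/HTTP forwarder
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
    def start(self):
        self._thread.start()
    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()
    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(BANNER)
                    data = conn.recv(256)  # the attacker's first guess, e.g. "root:123456"
                except OSError:
                    data = b""
            rec = build_record(self.service, peer, data)
            self.records.append(rec)
            self.sink(rec)

def probe(port, payload):
    """Test client: connect, read the banner, send one login attempt, return the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner
```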


Advantages

  • Collects real attack data.
  • Reduces false positives.
  • Does not require high-performance resources.
  • Hacker activity is captured, even if it is encrypted.
  • Simple to understand, deploy and maintain.


References:

http://www.thewindowsclub.com/what-are-honeypots

https://www.techopedia.com/definition/10278/honeypot

https://www.networkworld.com/article/3234692/lan-wan/increase-your-network-security-deploy-a-honeypot.html

Skygofree

Most mobile malware does relatively simple stuff: stealing data, mining cryptocurrency or encrypting files. But some months ago a very sophisticated one was discovered, Skygofree.


Some of the functions that make Skygofree terrifying are:

  • It can turn on the microphone for audio recording when the device is in a given location.
  • It can connect the device to Wi-Fi networks controlled by the attackers, even with Wi-Fi disabled on the device, giving them access to all the user's traffic (passwords, credit cards, sites visited).
  • It steals WhatsApp messages via Accessibility Services.
  • It secretly turns on the front-facing camera and takes photos or videos.

The main way of infection is through fake mobile operator pages, where the user downloads an "update" and gets infected. Once on the phone, it shows a progress bar while waiting for instructions from the attackers on what to do.

The malware also has a way to protect itself: it can show a fake notification to prevent the user from killing the background services it uses.

Skygofree uses exploits to get root privileges by looking up the device in a database of phone models, adjusting itself to the device it is attacking and exploiting its vulnerabilities.


So far Skygofree has only been seen in some parts of Italy; however, due to all the damage it can cause, it is better to be protected by only downloading apps from official sources and disabling installation of third-party apps.

References:

https://www.kaspersky.com/blog/skygofree-smart-trojan/20717/

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

Let others mine for you

Why bother using your own resources (GPU, CPU, etc.) to mine cryptocoins when you can trick others into doing it for you? That's what the people who use Coinhive think.

According to Krebs, “Coinhive is a cryptocurrency mining service that relies on a small chunk of computer code designed to be installed on Web sites. The code uses some or all of the computing power of any browser that visits the site in question, enlisting the machine in a bid to mine bits of the Monero cryptocurrency.”

That means that when someone visits a site with Coinhive on it, part of the resources of the device the user is browsing with will be used to mine for the person who put the code there.


Even though Bitcoin is the most famous cryptocurrency, Coinhive uses Monero for a good reason: it has better privacy than Bitcoin. It is virtually untraceable, with no way for anyone other than the parties to a transaction to track it. Its transactions automatically have privacy features applied: you never have to request and then verify whether other people have enabled a privacy mechanism when sending you funds.


The most common use of Coinhive is adding a piece of code directly to the page, many times without the administrator's permission, between the <head> </head> tags. With that, plus your public key so that all the Monero earned goes to you, you are ready to let others do the mining.


For more information on setting Coinhive and all of its uses you can check the documentation at https://coinhive.com/documentation/miner
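As an added example, not code from the post or from Coinhive, here is a Python scanner for the injection described above: it walks a page's HTML and reports script tags that load from coinhive.com or inline scripts that call the CoinHive API, noting whether they sit in <head> or <body>. The sample pages are constructed; the injected one follows the shape of the documented embed with a placeholder site key.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# coinhive.com is the service the post discusses; extend these sets with other
# browser-miner hosts and identifiers you want to catch.
MINER_HOSTS = {"coinhive.com"}
MINER_IDENTIFIERS = ("CoinHive.", "coinhive")

class MinerScanner(HTMLParser):
    """Reports <script> tags that load a miner (by host) or call its API (inline)."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._buf, self._section = [], False, [], "body"
    def handle_starttag(self, tag, attrs):
        if tag in ("head", "body"):
            self._section = tag
        if tag == "script":
            self._in_script, self._buf = True, []
            src = dict(attrs).get("src") or ""
            host = urlparse(src).hostname or ""  # "" for relative URLs such as /static/app.js
            if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
                self.findings.append({"kind": "external", "where": self._section, "detail": src})
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)  # script bodies may arrive in several chunks
    def handle_endtag(self, tag):
        if tag == "script":
            text = "".join(self._buf).strip()
            if any(m in text for m in MINER_IDENTIFIERS):
                self.findings.append({"kind": "inline", "where": self._section, "detail": text[:80]})
            self._in_script, self._buf = False, []

def scan_html(html):
    """Return the list of miner findings for one page (empty list means clean)."""
    scanner = MinerScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a page where the miner was injected into <head>, as the post describes.
INJECTED_PAGE = """<html><head><title>Blog</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER'); miner.start();</script>
</head><body><script src="/static/app.js"></script><p>Hello</p></body></html>"""

# Constructed sample: the same kind of page with only its own script.
CLEAN_PAGE = "<html><head><script src='/static/app.js'></script></head><body><p>Hi</p></body></html>"
```

A Content-Security-Policy header with a script-src allow-list limited to your own hosts stops an injected external miner script from loading even when the HTML itself has been modified.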


References:

https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

https://moneyonlinenow.top/coinhive-espanol-que-es-como-funciona/

https://coinhive.com/documentation/miner

https://www.monero.how/why-monero-vs-bitcoin

Your facebook data

Recently it has been in the news that the information Facebook gathers about its users has been used by private companies, like Cambridge Analytica, more specifically for electoral purposes in many countries, like the USA.


After that scandal, Facebook has been the center of attention in all the media, because Facebook's users have realized how much information it keeps about them. If you would like to know all they have about you, it is possible to download that data.

Steps:

First, go to the drop-down menu at the far right of the navigation bar and select Settings.


It will open the General Account Settings, where below the account info you can find a link to download a copy of your Facebook data.


It will take some time to download a rather heavy zip file with the data. After downloading it, it's time to extract it and see all they have about you.


If you would like to go a step further you can check the Ruby script by Dylan McKay that collects phone statistics from your Facebook user data. To use this script you need Ruby 2.1 or greater and the Nokogiri library.

To run the script, put it in your Facebook folder alongside the html, messages and photos folders and run ruby facebook-contact-info-summary.rb


In my case I am glad I didn't give the permissions on my cellphone, but it is interesting to look at all they could have gotten from me if I had.

References: https://gist.github.com/dylanmckay/2b191a10068bd87d0fffba242db44b52

Autosploit

Autosploit is a tool developed by a cyber security enthusiast that combines two tools, Metasploit and Shodan, making it pretty easy to hack someone using automated tools anyone could run without much skill.

According to its author, “AutoSploit attempts to automate the exploitation of remote hosts.” To do that, the Python script uses command line interfaces and text files to extract data from the Shodan database, which is a search engine that taps into scan data on millions of Internet-connected systems. AutoSploit then runs shell commands to execute the Metasploit penetration testing framework.

You just type in keywords to locate certain devices or targets, and AutoSploit will both list available targets and allow hackers to launch a menu of pre-loaded hacking techniques against them.

In the Shodan part, you type the query you want and it returns the IP addresses of the matching devices; then in Metasploit it uses the same text that was used for Shodan to pick the exploits to run, and if everything works the script will kick off Metasploit attacks against all the hosts.


The release of Autosploit caused controversy: security experts thought that releasing automated tools that make hacking easier is a terrible error, because anyone could do something with the tool even without hacking knowledge. Personally I think releasing Autosploit can cause a lot of damage; giving out scripts anyone could use is very wrong, people may not know what they are really doing and cause great damage, and it also makes hackers' job easier, putting thousands of devices at risk.


Bibliography

https://github.com/NullArray/AutoSploit

Gallagher, S. (2018). Threat or menace? “Autosploit” tool sparks fears of empowered “script kiddies”. Arstechnica. Recovery date: February 2nd 2018. Recovered from: https://arstechnica.com/information-technology/2018/02/threat-or-menace-autosploit-tool-sparks-fears-of-empowered-script-kiddies/

Greenberg, A. (2018). SECURITY NEWS THIS WEEK: ‘AUTOSPLOIT’ TOOL MAKES UNSKILLED HACKING EASIER THAN EVER. Wired. Recovery date: February 2nd 2018. Recovered from: https://www.wired.com/story/autosploit-tool-makes-unskilled-hacking-easier-than-ever/

Remote Desktop Protocol

Remote Desktop Protocol (RDP) is a proprietary protocol created by Microsoft. It allows a system user to connect to a remote system with a graphical user interface.

Even though the client-side is built into the Microsoft operating system by default, it can be installed on non-Microsoft operating systems, such as those from Apple, various flavors of Linux, and even mobile OSes like Android.

On the server side, RDP is installed on a Microsoft operating system and receives requests from the client agents to display some graphical form of a published application, or to give remote access to the system itself. By default, a system will listen on port 3389 for requests from clients to connect via RDP.


RDP uses port 3389. Opening up this port on the firewall means that as attackers scan for open ports, your exposed service can easily be found. Once found, hackers can instantly launch a brute force attack against your server, resulting in thousands of authentication attempts with random user names and/or dictionary passwords to see if any of them passes authentication. If a match is found, the attacker is in.

Not using proper encryption for the end-to-end connection is another issue. This means that your connection is prone to man-in-the-middle attacks.

Some good practices for securing RDP are:

  • Use strong passwords: passwords are your first line of defense.
  • Don't save login credentials in your RDP files: saving them can be a security exposure because it bypasses the remote login.
  • Limit administrators who don't need Remote Desktop: if not all your administrators need access to Remote Desktop, consider removing the Administrator account from RDP access.
  • Use lockout policies to strengthen password protection: lock the account out for a specified period of time after a number of incorrect guesses.
  • Take advantage of Network Level Authentication: it provides a level of authentication before the RDP session is established and the login screen appears.
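As an added example (not from the post or from any of the cited articles), a Python detector for the brute-force pattern described above, run over constructed Windows Security log lines reduced to the fields that matter: Event ID 4625 is a failed logon and LogonType 10 is a RemoteInteractive (RDP) session. The sliding-window rule flags a source that produces many failures in a short time, and the second function shows per account what the lockout policy from the list would trigger on.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (real 4625 events carry many more fields). 203.0.113.7 is
# guessing passwords; 198.51.100.2 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2018-02-02T10:00:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-02-02T10:00:03 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2018-02-02T10:00:05 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-02-02T10:00:09 EventID=4625 LogonType=10 Account=root Source=203.0.113.7
2018-02-02T10:00:12 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-02-02T10:00:20 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.2
2018-02-02T10:00:30 EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.2
2018-02-02T10:00:31 EventID=4625 LogonType=3 Account=backup Source=203.0.113.7
"""

def parse_line(line):
    """'<timestamp> Key=Value ...' -> dict with lower-case keys and a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {k.lower(): v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.fromisoformat(ts)
    return event

def rdp_failures(log):
    # Caveat: with Network Level Authentication enabled, failed RDP logons are usually
    # recorded as LogonType 3 (network) instead of 10, so widen this filter on NLA hosts.
    return [e for e in map(parse_line, log.splitlines())
            if e["eventid"] == "4625" and e["logontype"] == "10"]

def detect_bruteforce(log, threshold=5, window=timedelta(minutes=1)):
    """Sliding window per source IP: alert the first time a source reaches `threshold`
    RDP failures inside `window`. Returns {source: {"first_alert": ts, "accounts": [...]}}."""
    recent, found = defaultdict(deque), {}
    for e in sorted(rdp_failures(log), key=lambda e: e["ts"]):
        q = recent[e["source"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and e["source"] not in found:
            found[e["source"]] = {"first_alert": e["ts"],
                                  "accounts": sorted({x["account"] for x in q})}
    return found

def lockout_decisions(log, max_attempts=3, window=timedelta(minutes=30)):
    """Per-account view of a lockout policy: accounts with `max_attempts` failures
    inside `window`, mapped to the time the lockout would have started."""
    per_account, locked = defaultdict(list), {}
    for e in rdp_failures(log):
        per_account[e["account"]].append(e["ts"])
    for account, times in per_account.items():
        times.sort()
        for i in range(len(times) - max_attempts + 1):
            if times[i + max_attempts - 1] - times[i] <= window:
                locked[account] = times[i + max_attempts - 1]
                break
    return locked
```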

Bibliography

Smalley, F. Securing Remote Desktop (RDP) for System Administrators. Berkeley. Recovery date: February 2nd 2018. Recovered from: https://security.berkeley.edu/resources/best-practices-how-articles/system-application-security/securing-remote-desktop-rdp-system

Pascucci, M. (2012) Remote Desktop Protocol security: How to secure RDP network endpoints. Techtarget. Recovery date: February 2nd 2018. Recovered from:  http://searchsecurity.techtarget.com/tip/Remote-Desktop-Protocol-security-How-to-secure-RDP-network-endpoints

Otey, M. (2017) Guest Blog: Best Practices for Securing Remote Desktop Connections. Devolutions. Recovery date: February 2nd 2018. Recovered from:  https://blog.devolutions.net/2017/5/best-practices-for-securing-remote-desktop-connections

Nahal, R. (2016). Why Direct RDP for Remote Users is a Bad, Bad Thing. Tektegrity, Recovery date: February 2nd 2018. Recovered from: https://www.tektegrity.com/news-and-articles/2016/09/07/why-direct-rdp-for-remote-users-is-a-bad-bad-thing/

Rescuing your data

You've probably heard of someone who couldn't access the data on their computer unless they paid some money to a criminal; that is the ransomware we are talking about.


Ransomware is usually spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites. But there can also be infections through RDP (coming up in the next blog) or approaches that don't require interaction with the user.

Once your device is infected with the malware Trojan, it can make changes to it in several ways:

  • It can completely block access to the device.
  • It can encrypt the data on the victim's disk.

The changes are usually seen when the device is restarted: the user notices he can't access his data (or can't control the device) and receives a message demanding a payment (in cryptocoins) to decrypt the files or restore the system.

Some of the most famous ransomware families are CryptoLocker and WannaCry.


A widely spread attack that used public-key encryption was Cryptolocker, a Trojan horse that was active on the internet from September 2013 through May of the following year. The malware demanded payment in either bitcoin or a prepaid voucher, and experts generally believed that the RSA cryptography used — when properly implemented — was essentially impenetrable. In May 2014, however, a security firm gained access to a command-and-control server used by the attack and recovered the encryption keys used in the attacks. An online tool that allowed free key recovery was used to effectively defang the attack.


WannaCry was able to infect and encrypt more than a quarter million systems globally. The malware uses asymmetric encryption so that the victim cannot reasonably be expected to recover the (private and undistributed) key needed to decrypt the ransomed files. Payments were demanded in bitcoin, meaning that the recipient of the ransom payments couldn't be identified, but also meaning that the transactions were visible and thus the overall ransom payments could be tallied. During the thick of the week in which WannaCry was most virulent, only about $100,000 in bitcoin was transferred.

Bibliography:

Ransomware & Cyber Blackmail. Kaspersky Lab. Recovery date: January 24th 2018. Recovered from: https://usa.kaspersky.com/resource-center/threats/ransomware

Krebs, B. (2017). Ransomware for Dummies: Anyone Can Do It. Krebs on security. Recovery date: January 24th 2018. Recovered from: https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/

Rouse, M. (2017). Ransomware. SearchSecurity. Recovery date January 24th 2018. Recovered from http://searchsecurity.techtarget.com/definition/ransomware