Author Archives: Christoffer

w00t and pillage – Captain’s bLog: day 9

Now I have got into vulnerability testing tools from the users’ perspective!  This week I set up a Metasploitable machine, to use Metasploit from my Kali VM to scan for vulnerabilities and generate tool output.  It’s very cool to see how Metasploit had writeups on the individual vulnerabilities and procedures to exploit them right from the command line.

Even cooler was Nexpose.  Again I got a solid overview of the sort of vulnerabilities found and how they could be exploited.  By referring to material outside the Metasploit Community, it feels very connected to the wider InfoSec world out on the internet.  The automatic report generation and automated scans were also handy features.

I have been working on some improvements to the base Dradis CE application this week as well, so this tied in neatly with the studies.  I have only just started with tool output generation, and already I’m manipulating data from Metasploit, Nexpose, and Nmap, all of which are supported in Dradis.  Now that I’m getting the actual user’s view of tool usage I can better put myself in the shoes of hackers starting out with Dradis for the first time to generate customised reports using data from multiple sources.

Having spent so much time with Dradis Pro, it’s fun to get back to basics with Dradis CE.  I’m not bothered by not having access to Word templates.  I gave up using Windows years ago, even my Steam library wasn’t worth the hassle of dealing with it – and I think there’s a lot of potential in well-made HTML templates.  For my purposes, learning and experimenting at home, and showing off to the people at the sailing club bar, it’s a good tool to play with; scan with all the tools and plug all the results into a simple collated report.

Next up in the course is client-side attacks; technical exploits as well as the social engineering exploits of the PEBKAC vulnerabilities!

The view from the bar

w00t and pillage – Captain’s bLog: day 8

This week I finished up the section of the course regarding basic network hacking.  I learned some more about man-in-the-middle attacks, and got started with Wireshark, actually analysing the data packets flowing through the network. Combined with attacks that force users onto HTTP instead of HTTPS, that made target data (including usernames and passwords) fully readable and even searchable.

The obvious next step was “honeypot” attacks, creating a fake wi-fi access point using mana-toolkit. Combined with methods I learned earlier, this would make every user’s data transmitting through my fake network openly visible.  Once again I am struck by how easy all of this is, with freely available easy-to-use software and a cheap USB wi-fi device.  I am right next to a luxury marina and I have excellent mobile internet; it would be trivial to set up a fake hotspot to appear to be set up by the town for foreign visitors, and then ultimately read the visiting yacht owners’ data.

Having covered attacks and basic fake access point creation, I learned about preventing these sorts of attacks, for example by using Wireshark to look for unusual network activity and using XArp to detect ARP poisoning.  It was interesting to see more of the reasons why the sysadmins of an organisation with a medium-sized or larger pool of devices face challenges protecting all of them – it is hardly convenient to make the ARP tables static for hundreds of devices at once without good scripting and a good deployment system.

I have noted before that people and organisations in general seem to have a more lax view of data security than I would be comfortable with, but here at the system level, it feels a little more disturbing.  Perhaps I’m missing something, but I would think standard mass-market OSes like Windows, Ubuntu, Android, and such ought to have built-in tools for monitoring network safety and at least natively allow pop-up messages to show that your router appears to have changed its MAC address or that there are duplicates in the ARP table?  Microsoft regularly gets a lot of criticism for its update services, but how can their multi-GB updates not include simple utilities for guarding against MITM attacks?
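The two warnings wished for above (the router appears to have changed its MAC address; there are duplicates in the ARP table) are small enough to script. Here is an added example, not code from the blog or from XArp, that runs both checks over a host's neighbour table. It parses the line format of `ip -4 neigh show` on Linux (`<ip> dev <iface> lladdr <mac> <state>`); the table below is a constructed sample in which a third host is answering for the gateway's IP, and the "known good" gateway MAC is likewise made up.

```python
"""Check a host's ARP/neighbour table for the two signs of ARP poisoning the
post asks for: the default gateway answering from a different MAC than the one
recorded earlier, and one MAC address claiming several IP addresses.

Added example, not code from the blog or from XArp: it parses the output format
of `ip -4 neigh show` on Linux (lines like `<ip> dev <iface> lladdr <mac> <state>`).
The sample table and the "known good" gateway MAC below are constructed; the
addresses are documentation ranges and the MACs are made up.
"""
import re
from collections import defaultdict

NEIGH_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)",
    re.IGNORECASE,
)

# Constructed sample of `ip -4 neigh show` output. 192.0.2.1 is the gateway;
# 192.0.2.77 is a third host that, in this scenario, now answers for the gateway.
SAMPLE_NEIGH = """\
192.0.2.1 dev wlan0 lladdr de:ad:be:ef:00:77 REACHABLE
192.0.2.20 dev wlan0 lladdr 02:00:5e:10:00:20 STALE
192.0.2.77 dev wlan0 lladdr de:ad:be:ef:00:77 REACHABLE
192.0.2.30 dev wlan0 lladdr 02:00:5e:10:00:30 DELAY
192.0.2.40 dev wlan0  FAILED
"""

# MAC the gateway had when the table was first recorded (the value a monitoring
# tool would store on first sight; constructed).
KNOWN_GATEWAY = {"ip": "192.0.2.1", "mac": "02:00:5e:10:00:01"}


def parse_neigh(text):
    """Parse neighbour-table lines; entries without an lladdr (FAILED/INCOMPLETE) are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            entries.append({"ip": m["ip"], "dev": m["dev"], "mac": m["mac"].lower(), "state": m["state"]})
    return entries


def find_duplicate_macs(entries):
    """Return {mac: [ips]} for every MAC that appears for more than one IP."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(entries, known):
    """Return (old_mac, new_mac) if the gateway now resolves to a different MAC, else None."""
    for e in entries:
        if e["ip"] == known["ip"] and e["mac"] != known["mac"].lower():
            return (known["mac"].lower(), e["mac"])
    return None


def check_arp_table(text, known_gateway):
    """Run both checks and return a list of human-readable alert strings (empty if clean)."""
    entries = parse_neigh(text)
    alerts = []
    change = gateway_mac_changed(entries, known_gateway)
    if change:
        alerts.append(f"gateway {known_gateway['ip']} MAC changed {change[0]} -> {change[1]}")
    for mac, ips in find_duplicate_macs(entries).items():
        alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in check_arp_table(SAMPLE_NEIGH, KNOWN_GATEWAY) or ["no ARP anomalies"]:
        print(alert)
```

On a live machine you would pipe `ip -4 neigh show` into `check_arp_table` on a timer. Both checks are indicators rather than proof: a router replaced by its ISP legitimately changes MAC, and a host with several IP addresses or a VRRP pair legitimately shows one MAC for more than one IP, so the useful output is a prompt to look, which is exactly the pop-up the post asks for.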

By coincidence I’m looking into appropriate hardware for better internet connections on my boat, like a powerful active wi-fi range extender combined with mobile internet connections bridged into a router with failover.  If I’m going to be setting up a powered wi-fi antenna on the masthead, perhaps I should look at getting one with AP and Monitor mode capability…

Anyone for free wi-fi?

w00t and pillage – Captain’s bLog: day 7

This week I have been learning about man-in-the-middle attacks.  This section of my course started out with learning more about network discovery, including my first hands-on experience with Nmap as an actual user.  First impressions of Nmap: it’s amazing how much data you can gather so simply.  Just discovering which devices are visible and which ports are open is very powerful information.  And then we get into the possibilities for exploiting that information!

Noodling around with MITMF is a lot of fun.  With just a few short commands and plugins, I could do cool tricks in no time:

  • ARP spoofing for my Kali VM to become the MITM
  • DNS spoofing – I get to decide which pages the victim’s browser gets sent to
  • Screenshotting – I see what the victim sees
  • Keylogging – obfuscated password field? Not to me!
  • Javascript and HTML injection – here, have some popups

Two things really strike me here.  First, once again I’m astounded by how little is done for security or at least security-consciousness.  The above tricks were tested out using the MITM to turn HTTPS pages into HTTP.  Of course that’s a huge security issue, but the user-facing warnings in the browsers – particularly to people not in IT and not interested in computers, like my parents for example – are easy to ignore.  How likely are they to spot the missing padlock icon, how likely are they to even understand Firefox’s warning that the password field they are seeing is not secure?

Second, I’m always amazed by how powerful and excellent free open-source software can be.  MITMF, and indeed Linux (and Kali as a subset) are all free and anyone can modify them, yet a simple video guide showing a few simple canned commands allows anyone to potentially access very sensitive data.

I think there will always be a game of cat-and-mouse, with major developers trying to construct more secure software and communication, and the open-source world finding the vulnerabilities and exploits.  State actors will continue to try to exploit infosec vulnerabilities for snooping, and the open-source world will find ways to protect their data, for those with the will and know-how to do so.  I used to play with VPN setups, and I found that one that I made based on SoftEther circumvented state censorship easily – very cool stuff with a day’s configuration of a spare server.  Will the Great Firewall of China ultimately harm information security, or in the long term, will it lead to improving it?

China built and maintained the Great Wall to keep out foreign invaders. Even so, the Mongols invaded and built a Chinese dynasty

w00t and pillage – Captain’s bLog: day 6

Earlier I looked at the security and privacy issues surrounding AIS (the Automatic Identification System) and other navigational aids aboard ships.  Today there was an interesting article about this on the BBC.  Essentially, while commercial vessels are generally required to carry AIS transponders on board, it is also possible to switch them off.  Vessels have therefore been able to bust sanctions by switching off their transponders, e.g. to make deliveries or enter ports that they are not supposed to.  However, satellite imagery combined with big data analysis is being used to combat this.

Surface ships do not really have anywhere to hide on the sea, so they can be tracked by satellite imagery.  Their shadows will change depending on the size of the load they are carrying.  Data is available regarding which ports in which locations typically load or unload which types of cargo.  The result is that it is now proving possible to track shipping and even types of cargo on the high seas, using data and satellites.  Not only does this make it possible to detect when ships are carrying out illegal activity, such as ship-to-ship transfers circumventing sanctions, but also shows changes in the flow of trade, such as oil tankers diverting en-route to new destinations based on fluctuations in oil prices.

I’m concerned about privacy implications.  Once again it shows how actors with access to significant resources – hardware manufacturers, state intelligence agencies, software companies – can extract more data from users (and even non-users!) of seemingly straightforward products and services than we may be aware of or be prepared to accept.  As the resources required for big data decrease, with cloud computing and accessible user platforms, the barrier to entry will also decrease.  If a country’s coast guard is capable of identifying vessels and their cargo on the high seas, that’s one thing – if a RIBload of pirates are able to do so as well, that’s another.

One of the techniques I enjoy for hiding data is steganography, hiding a message in plain sight disguised as something else.  After all, even the best cryptography is susceptible to “ball peen hammer decryption” if someone knows you have something to hide.  Incredibly, the principle of steganography has even been used at sea.

During the Second World War, the Japanese invasion of the Dutch East Indies left the Dutch navy in the area in grave danger.  Their ships tried to escape to Australia, but were all soon sunk – except for one.  The captain of HNLMS Abraham Crijnssen realised that their ship was all too visible at sea from the air – so in a stroke of mad genius, he had the warship disguised as an island!  Moving only at night, and slowly, they evaded detection and arrived safely in Australia 8 days later.  HNLMS Abraham Crijnssen served out the rest of the war operating out of Australia, and well done to the ship and her crew. Read more here!

HNLMS Abraham Crijnssen at sea

w00t and pillage – Captain’s bLog: day 5

The studies continue!  This has been a busy week, so I only got to cover the theory and practice behind cracking WiFi passwords – WEP, WPA, and WPA2.

WEP cracking is fairly straightforward.  Since each transmission contains the key that ultimately has to be cracked, it’s just a matter of gathering enough packets to analyse. Both gathering the packets and cracking the key is done with packages pre-installed in Kali.  The cool thing was speeding up the gathering of packets with ARP replay – forcing more authentication packets without the device owners necessarily noticing.

WPA cracking of course is far more complex. The course covers the exploitation of the WPS feature, a far simpler backdoor into a WPA network, but even around here WPS seems to be disabled by default or push-button-only.

For actual WPA cracking, I suppose it’s a testament to its level of security that the recommended attack is still a brute force dictionary attack. It was interesting to see what sort of ready libraries are available for download for testing – compilations of the top 10,000 passwords, actual dictionaries for different languages, and so on.

From my previous life in the corporate world, I have heard most of the horror stories of password policies. This class is the reason why we keep hearing the same ones – “why is the password to the server with our expensive custom software ‘password1’?” A justification for borderline paranoia regarding information security in the modern world is the “password on a post-it note on the monitor” and social engineering.  You might have strong passwords and encryption, but those you communicate with may not. So you want to collect data? Carry a clipboard and go anywhere.

I enjoyed the discussions of cryptography and password policies in Neal Stephenson’s Cryptonomicon. And still, at times I feel like D. M. Shaftoe’s character, too paranoid to use cryptography at all, since if something is worth keeping secret, it shouldn’t be shared digitally at all.

My secrets are safe, though. Notebooks, illegible handwriting, and fluency in obscure languages.

Midnight sun in a land of obscure languages

w00t and pillage – Captain’s bLog: day 4

My Atheros AR9271 USB device arrived!  Now I’m back into my courses as originally planned.  I now keep my course in one workspace and a Kali VM in another.  I have used Kali before, but never under guidance – just fiddling around with a Live USB.

Step 1 today was changing the MAC address of my wi-fi adapter.  Reminds me of the first time I lived in shared housing, back at Oxford University.  To get ethernet access for my new PC after the old one packed it in, I had to submit my new computer’s ethernet MAC address for approval by the sysadmin.  I couldn’t be bothered, so I changed the MAC address to match the old one instead.

Step 2 was setting up monitor mode on my wi-fi adapter.  Even without manipulating any of the outputs of airodump-ng wlan0, the potential power here is obvious.  I’m not in a high-tech location. Everyone’s routers are broadcasting freely, and everyone has at least a smartphone turned on and typically connected to publicly visible wi-fi.  Since Viber is more popular than actual phone minutes or SMS, and virtually nobody takes steps towards anonymising themselves, there are privacy implications right off the bat – and I reckon almost nobody here is aware of it.  The data itself is encrypted, of course, but the fact of the data traffic being visible at all is noteworthy – and pretty cool.

Step 3 was my first ever deauthentication signal with aireplay-ng --deauth.  Or, in other words: with $23 of hardware incl. shipping, I booted my phone off my wi-fi, without touching it, and could keep it offline as long as I wanted, after 15 minutes of video lectures.  Only ethics stops me from keeping my neighbours off the internet. This made it sink in just how easy it actually would be to cause general havoc with vulnerability hacking.

I wonder why societies or the media in general don’t seem to take security vulnerabilities very seriously?  Many moons ago when I lived in –redacted–, there were rumours and mutterings followed by a full-blown scandal when it was discovered that the NSA’s Echelon program had a partner station there.  In fairly short order, cries about national sovereignty and privacy violations were silenced with statements like “the data is all encrypted anyway”. Even if encryption in general use by the general public at the time was effective and reliable (spoiler: nope), data flow itself is useful information – such as if your spouse’s phone regularly connects to the router of the attractive neighbour.

That is what struck me most about Edward Snowden’s revelations – enormous outcries for a short period, followed by… essentially nothing.  Despite the revelations that some of our online service providers, probably even chipset and OS manufacturers, are cooperating with foreign intelligence agencies to be able to manipulate or even access our personal data, most people don’t seem to take the slightest measures to protect their own data.

I look forward to learning a lot more about protecting data systems beyond the obvious steps I take already.  Although I now also have to fight the impulse to boot the harbourmaster off his wi-fi.

A bleak winter’s day in –redacted–

w00t and pillage – Captain’s bLog: day 3

Happy New Year! The local sailing club held a New Year’s Eve Regatta in the bay, a dozen vessels of very different sizes and types playing around. I couldn’t participate due to a broken cotter pin on the mast and the lack of a proper reefing system, but I did spend the evening afloat. Looking at the array of vessels from dinghies to superyachts in the bay or moored nearby, I got to thinking of maritime security.

Technology has vastly changed the maritime world. While an 18th-century ship of the line could have in excess of 1,000 souls aboard, and a 19th-century merchant ship could have a crew of hundreds, a modern cargo ship may not even have a dozen people aboard. In the 21st century, IT is everywhere. It is hardly a surprise that every yacht or commercial vessel today will have a GPS, even if only as a mobile device – but the IT aboard is more connected than you may expect.

The International Maritime Organisation’s SOLAS (Safety of Life at Sea) treaty mandates that all vessels of 300 tonnes or more (and all passenger ships regardless of size) must be fitted with AIS – the Automatic Identification System. Anyone with an AIS receiver may then see data of vessels equipped with AIS transponders – ID number and vessel name, position, status (e.g. anchored or under way), speed, and even destination and ETA. You can even see this data now at https://www.marinetraffic.com. I use it myself on occasion to identify superyachts (which, given my location, I affectionately refer to as “mafia tubs”) pulling into the neighbouring luxury marina.

One would think that this system would be designed with security in mind? Well, quite the opposite, according to Trend Micro.  AIS data can be hacked and altered. In theory one could stop marine traffic in busy channels or harbours by exaggerating the size of one’s own vessel – imagine your transponder claiming your vessel was one square kilometer in size, when the transponder could be aboard a rowboat. One could also spoof signals, for example broadcasting warnings about drifting mines, or faking a maritime distress.

The consequences are serious. In the best case, a fake signal would just be an annoyance on a clear day, and backup and visual navigation plus radio communications would move everyone along – although with a number of blaring alarms that could cause chaos either from distraction or by leading to crew ignoring real signals lost in the noise. In the worst case, malicious actors could shut down vessel movement in an area completely, which in the case of poor weather and low visibility, could lead to severe accidents – or the publicly-available data could enable piracy. Combine it with a hack of a corporate database to identify the most lucrative targets, and a modern-day Bart Roberts could make a fortune without exceptional skills.

It gets better! AIS is rarely an isolated system. In modern vessels larger than a pleasure craft, AIS is likely to be integrated with the other navigational systems, such as GPS, ECDIS (Electronic Chart Display), and by extension potentially the entire control system of a vessel. One alleged hack in 2017 of a vessel travelling to Djibouti led to the captain being unable to maneuver at all for 10 hours, with the intention being to direct the vessel into waters where pirates could board and seize the vessel.

Modern commercial shipping relies so much on integrated computer systems that losing access to those systems, or receiving deliberately deceptive data from those systems, can raise absolute havoc. Cargo ships are not exceptionally maneuverable at the best of times – witness the recent Norwegian frigate collision, with a frigate sunk and a ship damaged even with all their computer systems working, due primarily to human factors and low visibility.

I recommend the Trend Micro report for further reading, as well as this.

I do not see a clear solution, nor a legal alternative for commercial vessels, beyond pressing ship owners to harden their security as much as they are able. As for myself – I’m well below the tonnage to require AIS and have no need of it, and can use a radar reflector on the mast to be more visible to ships less able to maneuver easily. I have a VHF radio and paper charts and am fully capable of navigating safely enough day or night by dead reckoning, charts, binnacle compass, and even celestial navigation and sextant if I were to head offshore. Low visibility? Down anchor, break out the rum.

Simpler rules for simpler vessels from a simpler time

w00t and pillage – Captain’s bLog: day 2

Today I got started with the basics of wireless network hacking.  The instructor went through the basics of what networking is and how it functions.  Obviously the key is that in any network, the assets (like individual laptops, mobiles, tablets) do not connect to the end resource (a server, or the internet) directly, but all go through a router or similar.  With wireless networking, that provides ample possibilities for pre-connection attacks, attacks by gaining access, and post-connection attacks.

I ran into a small hardware roadblock at this point.  Since I’m now doing things “properly” with a Kali VM for learning and practice, my VM can’t properly access my wireless card.  Therefore I need a USB wireless adapter so the VM can access the wireless hardware through the USB. The instructor recommends the Atheros AR9271 chipset, and sells them alongside the course… since I live in a tiny agriculture-based non-EU nation that doesn’t even exist in many online stores’ dropdown menus, my options for buying a suitable device were limited.  So the instructor made another $23 off me with his online store. Well, merry Christmas to me.

While I’m waiting on shipping, I get to think about connectivity through the ages.  I grew up in Africa, and my first experience with the internet was borrowing my dad’s connection at work to find out in real-time how Garry Kasparov’s chess match against Deep Blue was going.  Yep, I was that kind of teenager. In later years in Africa I would get my own connections at home, with the 28.8 modem running across the phone line, which meant the connection would drop if anyone picked up the phone.  Later there was a habit of phone lines getting crossed, which meant that when I was trying to get online I could hear diplomats’ phone conversations through my modem – quite a security problem in itself, especially as I spoke their language as well.

Now, of course, wi-fi is ubiquitous, and most people don’t give a second thought to their network access at the local bar or coffee shop.  I was in Cuba some time ago, and there, internet access is controlled by the state (with domestic LAN-based alternatives replicating a surprising amount of internet functionality on the island for free).  Every hotel would have its outside walls lined with Cubans accessing the outside world on their Android devices. How security-conscious are they, I wonder? As for myself, I thought it safer to stick to the rum and cigars, offline.

I look forward to learning more about the intricacies of networks.  Networks aren’t my strong point. Fortunately, they are my girlfriend’s strong point, so she advises me whenever I’m stuck.

Old and new in Havana

w00t and pillage – Captain’s bLog: day 1

I am venturing into the as-yet uncharted waters of ethical hacking…

For context: I have been using computers daily since the age of 4, when I would sneak into my brother’s room to borrow his Commodore 128 (who remembers 5 1/4 inch flippy disks?).  Growing up in Africa I got addicted to flight simulators and would reprogram my joysticks. Internet access arrived in 1996 where I lived, on a 28.8 modem on an “iffy” phone line. My formal studies were in history, but my work ultimately took me to overseeing bespoke simulator software and antivirus tech support. Even so, I stuck with operations and administration – until I got a Google scholarship for Android development, which brought me into Java programming. It turns out that was addictive.

Thus, by the time I joined Security Roots on the Dradis Support team, I had a fair bit of IT operations experience, an awareness of best security practices, and a budding interest in programming and development. My skills are being tested daily, and growing as a result. So now I want to get deeper into the InfoSec and security testing worlds!

I have signed up to a number of online security courses about Ethical Hacking and purchased a virtual pile of books for my e-book reader for long nights aboard my sailing yacht. I will start with a general course covering most aspects of Ethical Hacking going into practical exercises for each realm. Next, I have a particular interest in learning about Android security and wireless hacking. To start my journey I have set up a fresh Kali virtual machine, and my first semi-formal training in network hacking begins tomorrow. I feel at home with Linux (even being no stranger to Kali and Tails, which I explored earlier out of curiosity), less so with networks. Let’s go!

New in Dradis Pro v3.0

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v3.0

  • Add comments for issues
  • Add notifications for comments
  • Add subscriptions for issues in a project
  • Nest the dradis elements under the project scope
  • Add ‘Send to…’ menu for issues
  • Add better handling of the Services table
  • Use puma for the development and test server
  • Remove resque dependency
  • Improve redirect on Evidence#edit
  • Alphabetically sort ContentBlocks
  • Validate empty fields
  • Fix exporting with bc.. prepended with a newline
  • Fix password reset thor task
  • Fix cookie overflow
  • Fix license redirection
  • Fix missing lists bug
  • Add-on enhancements:
    • Add references and vulnerability_classifications fields in the Burp plugin
    • Fix formatting errors and hostname Node property in the Burp plugin
    • Fix vertical buttons for the CVSS calculator
    • Fix issue sorting in HTML export
    • Split services data in the Metasploit, Nessus, and Nmap plugins
    • Update fields template in Nessus plugin
    • Add CVSS fields for the Netsparker plugin
    • Resolve nested duplicate content in Paragraph tags in the Nexpose plugin
    • Better handle finding `id`s in Nikto plugin
    • Smart table header for the IssueLibrary
  • Bugs fixed: #102, #118, #321

The IssueLibrary must be updated after you upgrade! Contact support for the files.

A quick video summary of what’s new in this release:

Comments, notifications, and subscriptions

You can now comment on issues within projects.  You can also tag other members of your team in a comment, or subscribe to a conversation.

If a team member is tagged in a comment or subscribed to a conversation that has received a comment, they will see a notification when they open their project.

One project per tab

You may now have multiple projects open in several tabs of your browser.  You are now able to switch freely between projects and tabs altering their content in any order – a boon for multitaskers!

API endpoints for Content Blocks and Document Properties

For users of our REST API, we have now added endpoints for Content Blocks and Document Properties. Now you may create, update, retrieve, and delete Content Blocks and Document Properties through the API.

Ready to upgrade to v3.0?

Still not using Dradis in your team?


Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.