I was setting up some wargame boxes for a private group and wanted to reduce the risk of malfeasence/abuse from these boxes. One option, used by many public wargames, is locking down the firewall. While that’s a great start, I decided to go one step further and prevent directly logging in as the wargame users, requiring that the users of my private wargames have their own accounts.

Step 1: Setup the Private Accounts

This is pretty straightforward: create a group for these users that can SSH directly in, create their accounts, and setup their public keys.

1
2
3
4
5
# groupadd sshusers
# useradd -G sshusers matir
# su - matir
$ mkdir -p .ssh
$ echo 'AAA...' > .ssh/authorized_keys

Step 2: Configure PAM

This will setup PAM to define who can log in from where. Edit /etc/security/access.conf to look like this:

1
2
3
4
# /etc/security/access.conf
+ : (sshusers) : ALL
+ : ALL : 127.0.0.0/24
- : ALL : ALL

This allows sshusers to log in from anywhere, and everyone to log in locally. This way, users allowed via SSH log in, then port forward from their machine to the wargame server to connect as a level.

Edit /etc/pam.d/sshd to use this by uncommenting (or adding) a line:

1
account  required     pam_access.so nodefgroup

Step 3: Configure SSHD

Now we’ll configure SSHD to allow access as needed: passwords locally, keys only from remote hosts, and make sure we use pam. Ensure the following settings are set:

1
2
3
4
UsePAM yes

Match Host !127.0.0.0/24
  PasswordAuthentication no

Step 4: Test

Restart sshd and you should be able to connect remotely as any user in sshusers, but not any other user. You should also be able to port forward and check then connect with a username/password through the forwarded port.

One of my friends was recently asking me about some of the tools I use, particularly for security assessments. While I can’t give out all of these things for free Oprah-style, I did want to take a moment to share some of my favorite security- and technology-related tools, services and resources.

Hardware

My primary laptop is a Lenovo T450s. For me, it’s the perfect mix of weight and processing power – configured with enough RAM, the i5-5200U has no trouble running 2 or 3 VMs at the same time, and with an internal 3-cell battery plus a 6-cell battery pack, it will go all day without an outlet. (Though not necessarily under 100% CPU load.) Though Lenovo no longer sells this, having replaced it with the T460s, it’s still available on Amazon.

The StarTech.com USB 3.0 dual gigabit ethernet interface allows one to perform ethernet bridging or routing across it, while still having the built-in interface to connect to the internet. If you don’t have a built-in interface, it still gives you two interfaces to play with. Each interface is an ASIX AX88179 chip, and you’ll also see a VIA Labs, Inc. Hub appear when you connect it, giving some idea of how the device is implemented: a USB 3.0 hub, plus two USB 3.0 to GigE PHY chips. I haven’t benchmarked the interface (maybe I will soon) but for the cases I’ve used it for – mostly a passive MITM to observe traffic on embedded devices – it’s been much more than sufficient.

The WiFi Pineapple Nano is probably best known for its Karma trickery to impersonate other wireless networks, but this dual radio device is so much more. You can use it to connect one radio to a network and the other to share out WiFi, so you only have to pay for one connected device. In fact, you can put OpenVPN on it when doing this, so all your traffic (even on devices that don’t support a VPN, like a Kindle) is encrypted across the network. (Use WPA2 with a good passphrase on the client side if you want to have some semblance of privacy there.)

The LAN Turtle is essentially a miniature ARM computer with two network interfaces. One of those interfaces is connected to a USB-to-Ethernet adapter, resulting in the entire device looking like an oversized USB-to-Ethernet adapter. You can plug this inline to a computer via USB and have an active MITM on the network, all powered from the USB port it’s plugged into. This is a stealthy drop box for access on an assessment. (I haven’t tried, but I imagine you can power it from a wall-wart and just plug in the wired interface if all if you need is a single network connection.) My biggest complaint about this device is that it, like all of the Hak5 hardware, is really not that open. I haven’t been able to build my own firmware for it, which I’d like to do, rather than just using the packages available in the default LAN Turtle firmware.

The ALFA AWUS036NH WiFi Adapter is the 802.11b/g/n version of the popular ALFA WiFi radios. It can go up to 2000 mW, but the legal limit in the USA is 1000 mW (30 dBm), and even at that power, you’re driving further than you can hear with most antennas. I like this package because it comes with a high-gain 7 dBi panel antenna and a suction cup mount, allowing you to place the adapter in the optimal position. Just in case that’s not enough, you can get a 13 dBi yagi to extend both your transmit and receive range even further. Great for demonstrating that a client can’t depend on physical distance to protect their wireless network.

Books

Oh man, I could go on for a while on books… I’m going to try to focus on just the highlights.

There’s a number of books containing collections of anecdotes and stories that help to develop an attacker mindset, where you begin to think and understand as attackers do, preparing you to see things in a different light:

• Stealing the Network
• The Art of Deception
• The Art of Intrusion
• Dissecting the Hack
• Geek Mafia (and Geek Mafia: Mile Zero and Geek Mafia: Black Hat Blues)

For Assessments, Penetration Testing, and other Offensive Security practices, there’s a huge variety of resources. While books do tend to become outdated quickly in this industry, the fundamentals don’t change that often, and it’s important to understand the fundamentals before moving on to the more advanced topics of discussion. While I strongly prefer eBooks (they’re lighter, go with me everywhere, and can be searched easily), one of my coworkers swears by the printed material – take your pick and do whatever works for you.

• Red Team Field Manual: RTFM – A quick reference to commands and techniques across a variety of platforms.
• The Web Application Hacker’s Handbook – The definitive guide to web application assessment.
• Hacking: The Art of Exploitation – A great introduction to memory corruption vulnerabilities.
• Metasploit: The Penetration Tester’s Guide – The best written material I’ve seen for using Metasploit on a Penetration Test.

I’m not much of a blue teamer, so I’m hard pressed to suggest the “must have” books for that side of the house.

Services

I have to start with DigitalOcean. Not only is this blog hosted on one of their VPS, but I do a lot of my testing and research on their VPSs. Whenever I need a quick VM, I can spin one up there for under 1 cent per hour. I’ve had nearly perfect uptime (my own stupidity outweighs their outages at least 10 to 1) and on the rare occasion I’ve needed their support, it’s been absolutely first rate. DigitalOcean started off for developers, but they offer a great production-quality product for almost any use.

This is the 3rd, and final, post in my Hacker Summer Camp 2016 series. Part 1 covered my class at Black Hat, and Part 2 the 2016 BSidesLV Pros versus Joes CTF. Now it’s time to talk about the capstone of the week: DEF CON.

DEF CON is the world’s largest (but not oldest) Hacker conference. This year was the biggest yet, with Dark Tangent stating that they produced 22,000 lanyards – and ran out of lanyards. That’s a lot of attendees. It covered both the Paris and Bally’s conference areas, and that still didn’t feel like enough.

DEF CON is also what I measure my year by. You can have your New Year’s, I measure mine from August to August (though apparently next year it’ll be the end of July…). Probably the single biggest regret in my life is that I didn’t find a way to go to DEF CON before DEF CON 20. The people and experiences there are memorable and well worth it.

Crowds

I don’t talk about it a whole lot, but I actually have pretty bad social anxiety. I do a terrible job of talking with people I don’t know, introducing myself to people, etc. At most events, I’m what you would call a “wallflower”. That doesn’t combine very well with 22,000 people. That especially doesn’t combine well with the chokepoints in a number of places, especially the packet capture village. It was hard to get through the week, but I told myself I wasn’t going to let my social anxiety ruin my con, and I think I did a good job of that.

Capture the Packet

So, since DEF CON 21, I’ve always played in Capture the Packet. At DC22, I even managed a 2nd place overall finish (just one spot away from the coveted black Uber badge). This year, I went back to play and discovered major changes:

• Rounds are now two hours instead of 1.
• There is now a qualifying round, semifinals, and finals.
• They’re really pulling out the obscure protocols.
• Significantly lower submit attempt limits (like 1-2 in most questions).

On the other hand, they had serious gameplay issues that really makes me regret spending so much of my con this year on Capture the Packet. These include:

• Every round started late. The finals were supposed to start at 10:00 on Sunday, they started at 12:30. That was two and a half hours of sitting there waiting.
• There were many answers where the answer in the database contained typos.
• There were many answers where the question contained typos that made it difficult or impossible to find the traffic (wrong IP, wrong MAC, etc.)
• There were many questions that were very poorly phrased. It was nearly impossible to parse some of the questions. One question asked for the “last three hex” of a value, but it wasn’t clear: last 3 bytes in hex format, last 3 hex characters, etc.

Combining the problems with questions and the lowered submission limits, it meant that several times we were locked out of questions just because it wasn’t clear what format the answer should be or how much data they wanted. The organizers clearly need to:

• Increase the limits. (I’m not asking for unlimited tries, but on text answers, give us at least 3-5.)
• Build some sort of fuzzy matching (case insensitive, automatically strip whitespace leading/trailing, etc.)
• Write questions more clearly.

I’m actually amazed that Aries Security is able to sell CTP as a commercial offering for training to government and companies. It’s a wonderful concept and they try hard, but I’m so disappointed in the outcome. I spent ~12 hours sitting in the CTP area, but only 6 of those were actually playing. The other 6 were waiting for games to start, and then the games were disheartening when they didn’t work correctly. I’ll probably play again next year, but I really hope they’ve put some polish on the game by then.

Parties

As usual, DEF CON had a variety of parties to choose from. Most importantly, I got my hit of Dual Core in at the Friday night EDM night, and spent a little bit of time at the Queercon pool party. (Though it was too hot and humid to spend much time by the pool unless you were in the pool, and I’m not someone anyone wants in the pool…)

Just keeping track of all of the parties has become a major task, but the DCP guys have you covered there. I’d love to see some more parties that are a little more “chill”: less loud music, more just hanging out and having a drink with friends. (Or maybe I was just at all the wrong ones this year.)

Next Year

I can’t wait for next year – DEF CON 25 promises to be big, and we’re moving over to Caesars (2 years is all we got out of Bally’s/Paris). I’m trying to come up with ideas of how I can make my own personal DEF CON 25 bigger and better, without ripping off ideas like the AND!XOR badge, but I want to do something cool. Suggestions to @Matir or find my email if you know me. :) Hopefully I’ll see all of you, my hacker friends, out in Las Vegas for another fun Hacker Summer Camp.

Continuing my Hacker Summer Camp Series, I’m going to talk about one of my Hacker Summer Camp traditions. That’s right, it’s the Pros versus Joes CTF at BSidesLV. I’ve written about my experiences and even a player’s guide before, but this was my first year as a Pro, captaining a blue team (The SYNdicate).

It’s important to me to start by congratulating all of the Joes – this is an intense two days, and your pushing through it is a feat in and of itself. In past years, we had players burn out early, but I’m proud to say that nearly all of the Joes (from every team) worked hard until the final scorched earth. Every one of the players on my team was outstanding and worked their ass off for this CTF, and it paid off, as The SYNdicate was declared the victors of the 2016 BSides LV Pros versus Joes.

What worked well

Our team put in incredible amounts of effort into preparation. We built hardening scripts, discussed strategy, and planned our “first hour”. Keep in mind that PvJ simulates you being brought in to harden a network under active attack, so the first hour is absolutely critical. If you are well and thoroughly pwned in that time, getting the red cell out is going to be hard. There’s a lot of ways to persist, and finding them all is time consuming (especially since neither I nor my lieutenant does much IR).

We really jelled as a team and worked very, very, well together on the 2nd day. We hardened faster than I thought was possible and got our network very locked down. In that day, we only lost 1000 points via beacons (10 minutes on one Windows XP host). Our network was reportedly very secure, but I don’t know how thoroughly the other teams were checking versus the “low hanging fruit” approach.

What didn’t work well

The first day, we did not coordinate well. We had machines that hadn’t been touched for hardening even after 4 hours. I failed when setting up the firewall and blocked ICMP for a while, causing all of our services to score as down. I’ve said it before and I’ll say it again: coordination and organization are the most important aspects of working as a team in this environment.

The Controversy

There was an issue with scoring during the competition where tickets were being counted incorrectly. For example, my team had ticket points deducted even when we had 0 open tickets: the normal behavior being that only when you had a ticket open would you lose points. This resulted in massive ticket deductions showing up on the scoreboard, which Dichotomy was only able to correct after gameplay had ended. This was a very controversial issue because it resulted in the team that was leading on the scoreboard dropping to last place and pushed my team to the top. The final scoring (announced on Twitter) was in accordance with the written rules as opposed to the scoreboard, but it still was confusing for every team involved.

Conclusion

Overall, this was a good game, and I’m very proud of my lieutenant, my joes, and all of the other teams for playing so well. I’m also very appreciative of the hard work from Dichotomy, Gold Cell, and Grey Cell in doing all of the things necessary to make this game possible. This game is the closest thing to a live fire security exercise I’ve ever seen at a conference, and I think we all have something to learn from that environment.

Just returned from Hacker Summer Camp (Black Hat, BSides LV, DEF CON) and I’m exhausted. 10 days in Las Vegas is a lot of Las Vegas, even if you don’t spend a lot of time at the slot machines, table games, and shows.

My week started off with a training class at Black Hat: Hardware Hacking with the Hardsploit Framework taught by a couple of guys who clearly knew their hardware. I’ve previously taken Xipiter’s Software Exploitation via Hardware Exploitation, which helped with some of the basic concepts, but the two classes were definitely complimentary. SexViaHex predominantly focused on dumping firmware from embedded microcomputers (that is, they had a kernel, typically Linux, and were running applications on them) and analyzing them for exploitable software vulnerabilities (mostly memory corruption-esque issues). HH with Hardsploit, on the other hand, mostly focused on microcontroller-based embedded devices. This was much more a class of dumping flash to locate stored secrets, understanding the hardware of the device, and working from there.

I’m not going to list every thing taught in the class (I don’t think the authors would like that much) but I’ll cover my highlights:

• Unlocking an electronic door lock (actually a dummy PCB to simulate an electronic door lock with keypad)
• Use GNURadio and an SDR to locate, identify, and receive an unknown wireless protocol. We then had to write scripts to decode the received data and understand this wireless protocol.
• Use the techniques we learned before to do a drone CTF capstone consisting of trying to reverse engineer your drone, patch the flaws, and then exploit the flaws against other drones. (Unfortunately, I feel there wasn’t enough time left by this point, so we weren’t able to get all the way through this exercise.)

This was only a two-day class, but I believe I learned a ton of new things and got to exercise some skills I don’t get to touch very often. It was an intense experience, and I’d rather think they could do so much more ina 4-day format. I would have no doubts about recommending this class to others, or to taking another (more advanced) class from Opale.

As far as Black Hat Trainings are concerned: well, it includes breakfast and lunch, which is nice, but the food is literally the worst food I had in Las Vegas all week. It was completely stereotypical hotel ballroom food: breakfast was fruit platters and pastries with mediocre coffee and bottles of juice, and lunch was a random assortment of “banquet quality” items (i.e., pasta that wasn’t drained properly so is now sitting in a puddle, salads that are swimming in dressing, etc.). There was also an afternoon coffee/tea service each day, which was surprisingly nice (though swamped by attendees). Having coffee all day long for trainings would have helped my brain, but YMMV.

Next I’m off to BSides Las Vegas and Dichotomy’s Pros versus Joe’s CTF.