Russ McRee's HolisticInfoSec™ includes articles and research, as well as feedback and an occasional rant. HolisticInfoSec™ promotes standards, simplicity, tooling and efficiency in achieving holistic information security.
Sunday, December 21, 2014
2014 Toolsmith Tool of the Year
If your browser doesn't support IFRAMEs, you can vote directly here.
Tuesday, December 02, 2014
toolsmith: Artillery
Prerequisites
Linux or Windows system with a Python interpreter
Introduction
I was reminded of Dave Kennedy’s Artillery while attending
and presenting at DerbyCon 4.0 in September given that Dave is a DerbyCon
founder. Artillery has recently benefitted from a major update and formal
development support as part of Dave’s Binary Defense Systems (BDS) company. The
BDS blog
announced version 1.3 on November 11, which further prompted our discussion
here. Artillery first surfaced for me as part of the ADHD project I covered
during my C3CM discussion in October 2013’s toolsmith. While
Dave’s investments in the security community have grown, Artillery was initially
maintained by Dave’s TrustedSec organization then transitioned to BDS, given
that group’s "defend, protect, secure" approach to managed security
solutions. Artillery is an open source project created to provide early warning
indicators for various attacks. Artillery was included in ADHD, the Active
Defense Harbinger Distribution, because it spawns multiple ports on a system, a
honeypot-like activity that creates “exposures” for attackers to go after. Dave
described the fact that it also made blue teaming a bit easier for folks. Additional
Artillery features include active file system change monitoring, detection of brute
force attacks, and generation of other indicators of compromise. Artillery
protects both Linux and Windows systems against attacks and can integrate with threat
intelligence feeds allowing correlation and notification when an attacker IP
address has previously been identified. Artillery supports multiple
configurations, different versions of Linux, and can be deployed across
multiple systems with centralized event collection. With a ton of support, and
additions coming in from all over the world to make Artillery better, Dave
mentioned that plans for Artillery include much better support for Windows, and
expansion to allow a server/client model, moving away from purely standalone
implementations. BSD’s plan is to continue significant development for
Artillery while ensuring it maintains its open source origins allowing
continued contribution back to the community Dave so readily embraces.
Laying In Artillery
Artillery installation is well
documented on the Binary Defense Systems site and is
remarkably straightforward. Note that I only installed and tested Artillery on
a Linux system.
On the Linux system you wish to
install Artillery, simply execute git
clone https://github.com/trustedsec/artillery,
change directory to the artillery
directory just created, run sudo
./setup.py, then edit to the config
file to suit your preferences. I’ll walk you through my configuration as a
reference.
1) I
created a directory called holisticinfosec,
and added “/holisticinfosec/” to MONITOR_FOLDERS
2) I
enabled HONEYPOT_BAN=ON, you’ll want
to consider your implementation before you do this or you may inadvertently
block legitimate traffic. You could also use WHITELIST_IP to prevent this issue and allow specific hosts but, as
good as they are, whitelists can quickly become arduous to maintain. Bans and
IPS-like blocks suffer from ye olde false positive issues when left unchecked.
3) I
used Yahoo for my SMTP settings (USERNAME,
PASSWORD, ADDRESS) and set ALERT_USER_EMAIL
to my holistincinfosec.org address for alert receipt. Caution here as well as
you can quickly SPAM yourself or your Security Operations Center (SOC)
monitored mail, and even cause an inbox DoS if your Artillery server(s) is
busy. You can control frequency with EMAIL_TIMER and EMAIL_FREQUENCY, I suggest
default settings initially (email alerts off) until you fine tune and optimize
your Artillery implementation.
4) Brute
force attempts monitoring is cool and worthwhile, I enabled both SSH and FTP
via SSH_BRUTE_MONITOR and FTP_BRUTE_MONITOR. Experiment with
“attempts before you ban” as, again, you may not ban initially.
5) The
THREAT_INTELLIGENCE_FEED and THREAT_FEED allow you to consume the BDS
Artillery Threat Intelligence Feed (ATIF). It’s represented as banlist.txt. You
can pull from the BDS site or establish your own ATIF server for all you
Artillery nodes to pull from. As with any blacklist, again, ensure that you
want to block them all as there are more than 86,000 entries in this list. You
can also add other lists if you wish as well.
6) One
of the most important settings are for your syslog preferences, you can log
locally or write to a remote collector. This speaks to my defender’s sensibilities
and we’ll discuss this further later as such.
The South Base Camp blog (@johnjakem)
also has a nice writeup on Artillery nuances; it’s a quick read and worth your
time.
Indirect Artillery Fire
I conducted basic tests of
Artillery functionality with email alerts and banning enabled.
For the folder monitoring
feature I wrote a file called test to
the /holisticinfosec directory
including the sentence “Monkey with me” and restarted Artillery. When I
monkeyed with test by adding snarky
commentary, I was alerted via email and a log entry in the local syslog file.
Figure 1 is the email alert indicating the change to the test file.
 |
| Figure 1 – Artillery alert for change to test file |
To blast the honeypot
functionality, a nice Nmap scan sufficed with nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
192.168.220.130.
The result was an alert flood
stating that [!] Artillery has detected
an attack from the IP Address: 192.168.220.131 with example content as seen
in Figure 2.
 |
| Figure 2 – Blocked and banned! Artillery stops attack traffic cold |
I used Bruter to try and pound
the FTP and SSH services but because the Artillery configuration was set to
only four attempts before banning, my dictionary attacks were almost
immediately kicked to the curb. Darn you, Artillery! For this experiment I
enabled SYSLOG_TYPE=FILE in my Artillery configuration, which writes event to /var/artillery/logs/alerts.log instead
of syslog.
Remember, if you find yourself
unable to connect to your Artillery server on a specific port or aren’t writing
test events, check your configuration file as you may have banned yourself. I
did so more than once. Instantly solve this problem as follows: sudo ./remove_ban.py 192.168.220.1 where
the IP address is that which you want to free from the bonds of iptables
purgatory.
Direct Artillery Fire
Artillery represents a golden
opportunity to harken back to my C3CM guidance, particularly Part 2, wherein
I discussed use of the ELK stack, or Elasticsearch, Logstash, and Kibana. You
can quickly set up the ELK stack up using numerous guides found via search
engine and customize it for Artillery analysis.
Rather than repeat what I’ve
already documented, I took a slightly different tack and utilized my trusty and
beloved Security Onion VM. Doug Burks' (@dougburks) Security Onion includes ELSA (enterprise log search
and analysis) which is a “centralized syslog
framework built on Syslog-NG, MySQL, and Sphinx full-text search.” I could and should do a toolsmith on ELSA alone, but it’s so well
documented by project developers and Doug, you’d do well
just to read their content. To make use of ELSA I needed only point Artillery
syslog to my Security Onion server by changing the /var/artillery/config file as follows:
1) Changed SYSLOG_TYPE=LOCAL to
SYSLOG_TYPE=REMOTE
2) Set the IP address for my Security Onion server with SYSLOG_REMOTE_HOST="192.168.220.131"
3) Restarted Artillery from /var/artillery
with sudo ./restart_server.py
“That’s it?” you
ask. Indeed. I logged into ELSA on my SO server after hammering the Artillery
node with varied malfeasance, queried with host=192.168.220.130,
you can see the results in Figure 3.
 |
| Figure 3 –Artillery events written to a remote Security Onion ELSA instance |
ELSA provides you
with a number of query options and filters so even if you have multiple
Artillery servers you can zoom in on specific instances, dates, or attack types.
A query such as host=192.168.220.130 groupby:program led me to
program=”unknown” which, in turn, alerted me that I ended up being banned from
Yahoo for spamming my account with alerts as seen in Figure 4.
 |
| Figure 4 – Artillery alerts me that I am a spammer |
It’s always good
to check your logs from a variety of perspectives. :-)
I intend to write some
additional scripts for Artillery analysis and parsing, and devise additional
means for incorporating threat intelligence to and from my Artillery instance.
Let me know via the blog comment or Twitter how you’ve done the same.
In Conclusion
Artillery, on many levels, is the epitome of simplicity,
which is part of why I love it. If you possess even the slightest modicum of
Python understanding, the Artillery source files should make complete sense to
you. Properly tuned, I can’t really think of a reason not to run Artillery on
Linux servers for sure, and maybe Windows boxes where you have Python
installed. Just remember to practice safe banning, you don’t want to drop
production traffic. I’m really glad Dave’s Binary Defense Systems interest has
taken over care and feeding for Artillery and can’t wait to see what’s next for
this fine little defender’s delight.
It’s that time of year again! Be ready to vote for your
favorite tool of 2014, I’ll soon post the survey to my website or blog and
Tweet it out by mid-December. We’ll conclude voting by January 15, 2015 and
announce a winner soon thereafter. Please vote and tell your friends and
coworkers to do the same.
Ping me via email or Twitter if you have questions (russ at
holisticinfosec dot org or @holisticinfosec).
Cheers…until next month.
Acknowledgements
Sunday, November 02, 2014
toolsmith: Inside and Outside the Wire with FruityWifi & WUDS
Prerequisites
I recommend a dedicated (non-VM) Kali distribution if you
don’t have a Raspberry Pi.
Introduction
I have noted to myself, on more than one occasion, now more
than eight years in to writing toolsmith, that I have not once covered wireless
assessment tools. That constitutes a serious shortcoming on my part, one that I
will rectify here with a discussion of FruityWifi and WUDS. These
tools serve rather different purposes but both conform to the same principle of
significant portability as both run on Raspberry Pi. Both also run on Debian
systems (Kali) which is how I ran both for toolsmith testing purposes.
FruityWifi is an open source platform with which to audit wireless networks, allowing
users to conduct various attacks via the web interface or remote messaging. It
is modular, feature-rich, and just celebrated a v2.0 release with many
upgrades. WUDS, or the Wi-Fi User Detection System, on the other hand, is a
proximity-based physical security concept that alerts on unapproved Wi-Fi probe
requests bouncing off a WUDS sensor. Per the WUDS introduction, “The
combination of a white list of unique identifiers for devices that belong in
the area (MAC addresses) and signal strength (RSSI) can be used to create a
protected zone. With tuning, this creates a circular detection barrier that,
when crossed, can trigger any number of alert systems. WUDS includes an SMS
alert module, but the sky is the limit.”
WUDS comes to us courtesy of toolsmith alum Tim Tomes
(@lanmaster53) whose Recon-ng, the 2013 Toolsmith Tool of the Year, we covered
in May 2013.
For FruityWifi highlights I reached out to xtr4nge
(@FruityWifi), the project lead/developer.
The initial idea was to create an open source application to
audit wireless networks and perform penetration tests from a Raspberry-Pi, or
any other platform or device in a flexible, modular and portable manner.
Soon after the first version was published, FruityWifi was
presented to a Rooted Warfare Spain audience (Rooted CON) in March 2014.
FruityWifi was well received at the conference and by users from the onset, and
many users sent feedback and ideas to improve it.
A new version of FruityWifi (v2.0) was published a few weeks
ago featuring many changes and updates; a new interface, new modules, Realtek
chipsets support (confirmed in my testing with my Alfa card), Mobile Broadband
(3G/4G) support, a new control panel, and more. The tool is under constant
development and new modules and improvements are being published regularly.
Tim kindly provided detail regarding his favorite WUDS
features and use case. His favorite feature is the alert system, and I strongly
second this; I’ll show you why later in the article. Tim built a really simple
interface for creating new alerts for the system, which does not require the
need to dig into core components of the code to create new alerts. You need
only add a function to the alerts.py
file, name it correctly, and add associated options to the config.py file, and you’re finished. Tim’s script originally
included just an SMS alerting mechanism, but he has since added a Pushover
notification alert (5 minutes and 8 lines of code to implement); he exclusively
uses the Pushover alert.
Tim’s favorite WUDS use case story is cited in his article, about
the deliveryman alerting the system during testing. He’d been doing some
testing the night before and in the middle of the afternoon the following day,
an SMS message came through to his phone notifying him that someone had crossed
his detection barrier. He was about to write it off as a false positive when
the doorbell rang and it was a delivery service dropping off a package. The
alert served as positive affirmation that the concept is a sound one.
In the future, Tim plans to either expand WUDS, or create
another tool all together, that does the exact opposite of WUDS. Rather than
alert on foreign MAC addresses, this tool would allow the user to configure the
sensor to alert when certain MAC addresses leave the premises during specified
windows of time. This would provide a sort of latchkey system that is not
challenged by MAC randomization issues; devices will be properly connected to
the local WAP with their normal MAC addresses when on premises. That said, the
tool would need to be expanded to sense more than just probes.
I ran FruityWifi and WUDS on a dedicated Lenovo T61p laptop
with Kali 64-bit installed and utilized the onboard wireless adapter. Both tools are optimized to perform well on
Raspberry Pi, but as I don’t have one, I experimented with both Ubuntu and Kali
and was far more satisfied with Kali, no muss, no fuss. All installation steps
that follow assume you’re running on Kali.
FruityWifi
installation
FruityWifi installation is very
simple. Download
the master zip file or git clone the repository to your preferred directory,
then cd /FruityWifi from there. Run ./install-FruityWifi.sh. If you have any
issues after installation where FruityWifi isn’t available via the browser, it
may be related to the Nginx/PHP5-FPM deployment. You can follow the FruityWifi
Nginx wiki guidance to correct the issue. Thereafter, browse to
http://localhost:8000 or https://localhost:8443, login with admin and admin
(change the password), and you’re off to the races as seen in the UI’s
configuration page per Figure 1.
 |
| Figure 1 – FruityWifi configuration page |
FruityWifi inside the perimeter
Building on the same principles
as the Pwn Plug,
a FruityWifi-enable device can wreak havoc once unleashed inside any given network.
There are a significant number of modules you can install and enable, a
veritable fruit basket, depending on what you wish to accomplish, as seen in
Figure 2.
 |
| Figure 2 – FruityWifi modules galore |
If you utilized the earlier
version of Fruity, you’ll really appreciate the update that is 2.0. Clean,
fast, intuitive, and lots of fresh functionality. Red-teamers will enjoy
AutoSSH, which allows reverse
SSH connections, and automatic restart for connections that have been closed or
dropped. FruityWifi 2.0 includes Nessus, Nmap, and Meterpreter as well. MDK3 is
particularly attractive if you’re conducting an aggressive pentest and you want
to create a distraction or a disruption. You had better have permission before going
off with MDK3, wireless hacking is deemed criminal in more than one state. MDK,
or murder, death, kill for WLAN environments, utilizes a variety of SSID,
authentication, and de-authentication flooding techniques to create wireless
DoS conditions, and on occasion, WLAN hardware resets. My favorite recent
addition to FruityWifi isn’t one of the hacking or enumeration tools, it’s
actually vFeed from our friend @toolswatch. To
quote vFeed’s description from the Fruity UI, is a vulnerability database
(SQLite) that “provides extra structured detailed third-party references and
technical characteristics for a CVE entry through an extensible XML schema.”
You can search it right on your FruityWifi instance, after you’ve run Nmap and
Nessus scans, identified potentially vulnerable targets and want to look up the
related CVE. The available data includes:
- Open security standards: CVE, CWE, CPE, OVAL, CAPEC (all per Mitre), and CVSS
- Vulnerability Assessment & Exploitation IDs: Metasploit, Saint Corporation, Nessus Scripts, Nmap, Exploit-DB, milw0rm
- Vendors Security Alerts: Microsoft, Debian, Redhat, Ubuntu, and others
I looked up CVE-2013-3893, as
seen in Figure 3, and was treated to a summary and exploit details. Take note
of the vFeed export feature as well. I love vFeed so much I wrote an R parser
to turn the XML export into human readable Excel docs for broad reporting and
consumption without the machine layer. I’ll be sharing that via the
HolisticInfoSec blog and website.
 |
| Figure 3 – FruityWifi’s vFeed module informs the analyst |
FruityWifi represents a fabulous
way to establish a foothold inside a given perimeter, pivot to additional
targets, and conduct complete compromise. Let’s now explore WUDS, intended to
help you defend the perimeter. First a little red, then a little blue. Wi-fi
not?
WUDS Installation
Tim’s Bitbucket installation
guidance is short and sweet:
sudo apt-get install iw python-pcapy sqlite3 screen
# launch a screen session
screen
# install WUDS
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/wuds.git
cd wuds
# edit the config file
leafpad config.py
# execute the included run script
./run.sh
You really need to get your
config.py implementation correct. Default settings work well initially until you
get to your ALERT_SMS CONFIG. You’ll need SMTP server access, including the
outgoing SMTP server with the TLS port along with username and password, in
order to send alert messages. Android and iOS users (there are browser plugins
too) can also take advantage of a Pushover account, as Tim mentioned.
Debug is enabled by default, if
there are issues, when you run ./run.sh
you’ll receive failure notice.
WUDS defends the perimeter
Once WUDS is running there’s not
a whole lot to actually see. No sexy UI, just a SQLite database and alerts of
your choosing. Figure 4 represents a sqlite browser view of logs.db the WUDS
datastore.
 |
| Figure 4 – A view to the WUDS database |
You’ll note that the detected
devices all have received signal strength indications (RSSI) of higher than
-50. Recall, how much I stressed config.py. The default RSSI threshold for
triggering alerts is -50, but you can adjust it depending on how you wish to
define your perimeter.
The real pleasure comes from the
first alerts received on your mobile device. As you see in a screen shot from
my phone (Figure 5), proximity alerts advise me that a variety of devices have
been detected on the premises. Ruh-roh!
 |
| Figure 5 –WUDS alerts of perimeter violations |
True story. When I first enabled
WUDS in my office at work, I immediately received alerts for an HP device that
was beaconing for my home wireless AP. This freaked me out for a minute as I
knew of no HP devices currently in use and certainly not those looking for my house
infrastructure. After looking around again, and calming down a bit, a spotted
it, an old HP printer under my desk that I’d brought in for scanning, had
turned it on years ago, and literally forgotten about it ever since. And there
it was, blindly beaconing away for a WAP it would never again communicate with.
Thanks WUDS!
You’ll find all sorts of
interesting devices chattering away when you enable WUDS. Just remember, the
more dense the population area, the noisier it will be. Avoid self-induced
mobile device DoS attacks. :-)
In Conclusion
Great tools from xtr4nge and Tim, I’m thrilled to have
gotten off the schnide regarding wireless topics with FruityWifi and WUDS. I’m
thinking there’s actually an opportunity to incorporate WUDS in FruityWifi. You
heard it here first. Enjoy these tools, they’re both a ton of fun and
incredibly useful at the same time.
Ping me via email if you have questions (russ at
holisticinfosec dot org).
Cheers…until next month.
Acknowledgements
xtr4nge, FruityWifi project lead
and developer
Tim Tomes, WUDS project lead and
developer
Subscribe to:
Posts (Atom)
-
Continuing where we left off in The HELK vs APTSimulator - Part 1 , I will focus our attention on additional, useful HELK features to ... -
As you weigh how best to improve your organization's digital forensics and incident response (DFIR) capabilities heading into 2017, cons...
-
When, in October and November 's toolsmith posts, I redefined DFIR under the premise of D eeper F unctionality for I nvestigators in R ...
