2017

Mounting an encrypted hard disk (LUKS) using Kali Linux live USB


Problem Statement 

My sister attempted to upgrade her laptop from Ubuntu 14.04 to 16.04. During the upgrade, a prompt requested that a new encryption password be set up, which she did before continuing with the upgrade. All went well until she rebooted the laptop. The grub menu loads up, then gets stuck on loading the kernel. Any Linux user knows that if this happens, you either messed up badly or something went terribly wrong. In this case, unfortunately, the upgrade broke ☹.
The laptop was fully encrypted and contained tons of invaluable data, both my sister's and mine, which neither of us could afford to lose. In terms of backup, the data was not fully backed up; I only had bits and pieces of my data that I really needed regularly on an external hard drive. So basically, neither of us had a full or incremental data backup.
Now back to the problem. At this point, the laptop seems inaccessible, with data that we both would like to gain access to. So, what now? Let's see how I worked around this to regain access to the encrypted hard drive and the data.
Disclaimer: Some of the images on the blog might not be as clear, please bear with me. My phone doesn't have the best of cameras.

Fact Finding

Now it was time to try and figure out how bad the situation really was. I boot up the machine and the grub menu loads up. By default, the operating system boots into the first option after a few seconds if you don't select either of the other two options.
[Image: grub.jpg]
It then proceeds to this screen and gets stuck trying to load the kernel 4.4.0-83-generic, as mentioned earlier. The cursor stays there for a very long time, which shouldn't be the case.
[Image: boot_3.jpg]

At this point, I couldn't do much, so I reboot the laptop by pressing down the power button. This is the only way I could turn off the laptop. It usually feels like this.
This time, I decide to select Advanced options for Ubuntu to see what options are available.

These are the options available under that section.
[Image: grub_3.jpg]
Now this is good news. There are two kernels available, i.e. 4.4.0-83-generic and 3.13.0-123-generic. This is great, because I can select the other kernel and hope that Ubuntu can load it and carry on with the rest of the boot process.

I select Ubuntu, with Linux 3.13.0-123-generic, and it successfully loads the kernel and boots up to the point where it asks for the password to decrypt the hard drive.
[Image: boot_5.jpg]

Now this is where things get interesting. I enter the new password that my sister set up and it constantly fails. I honestly tried the password so many times that at one point I even thought the keyboard locale settings might have changed. At one point, I was even trying the old password, just in case the upgrade had not altered it yet. Some wishful thinking, but still no luck.

At this point, I figured maybe I could boot from a Live USB running Linux and try mounting the hard drive from there. I decided to use Kali Linux as the distribution of choice. You can download Kali Linux here.

To make the flash disk bootable, I used unetbootin, which can be downloaded here. I prefer unetbootin as it's very reliable and one rarely has any issues with the Linux OS refusing to boot from the USB drive. I highly recommend using it to create Live USB drives.

To create a bootable Kali Linux USB drive, simply download the Kali Linux ISO file of your choice and unetbootin for your respective distribution from the links above. After downloading unetbootin, execute it, select the Disk Image option and the ISO you downloaded, and confirm that you have selected the correct flash drive. Below is a screenshot of unetbootin on my setup, running on a Windows laptop. Your mileage may vary on Linux and Mac. Click OK, sit back and let unetbootin do its thing. It should be done in a few minutes.
Before booting the Live USB, you will need to edit your BIOS options to boot from the USB drive. On the HP Envy, hitting F10 as the laptop starts up gives you access to the menu below.
I hit F10 to get to the BIOS setup screen, shown below. I played around with both the UEFI and legacy boot order.
After selecting the desired boot option and setting the USB drive as the first device in the boot order, you should be good to go once you save the changes.
I had lots of trouble getting the laptop to boot from the USB in UEFI boot mode. It would not detect the USB drive when selecting the device to boot from, but it eventually worked when I re-enabled secure boot and disabled legacy boot. The legacy boot mode worked just fine.
To get into the Boot Device menu, press F9 as the laptop boots up, after saving the changes above. You should see the devices you can boot from, as shown below.

I selected the USB Hard Drive option and the laptop successfully booted from the flash drive into the unetbootin menu screen below.
I selected the Live USB Encrypted Persistence option; the kernel was successfully loaded from the USB drive and the boot initialization started.
At this point, I entered the original encryption password and it was accepted, yaaaay! 😊 Then the Kali desktop showed up soon after.
I opened the terminal to check whether the hard drive and its partitions were recognised, using the fdisk command.
The partition of interest is /dev/sda3. I then mounted the encrypted drive using the commands below.
  • Install the necessary tools
    • apt-get install lvm2 cryptsetup
  • Create directory to mount the drive to
    • mkdir /media/test
  • Load the dm-crypt kernel module
    • modprobe dm-crypt
  • Open the partition using cryptsetup and enter the encryption password
    • cryptsetup luksOpen /dev/sda3 test
  • Activate all volume groups available
    • vgchange -ay
  • Mount the partition to the directory created earlier
    • mount /dev/ubuntu-vg/root /media/test
  • Access the hard drive on the mounted location
    • cd /media/test
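The step list above, wrapped in a small POSIX shell script as an added example (not from the original post). It adds the checks I would want before touching someone's only copy of their data: it confirms the target really carries a LUKS header, counts the enabled key slots so you can see whether a second passphrase was ever written to the disk before retyping passwords for an hour, mounts read-only so nothing on the broken install changes while copying data off, and cleans up afterwards. Device and mapper names (/dev/sda3, test, /media/test, /dev/ubuntu-vg/root) follow the post; the lsblk and luksDump samples are constructed.

```shell
#!/bin/sh
# Added example: copy data off a LUKS + LVM Ubuntu root from a live USB.
# Names follow the post: /dev/sda3, mapper name "test", /media/test, /dev/ubuntu-vg/root.

# Partitions that carry a LUKS header, read from `lsblk -rno NAME,FSTYPE` output on stdin.
# A pure text filter, so it can be checked against captured output without a disk.
find_luks_parts() {
    awk '$2 == "crypto_LUKS" { print "/dev/" $1 }'
}

# Enabled key slots in `cryptsetup luksDump <dev>` output (LUKS1 layout) on stdin.
# Two or more enabled slots means a second passphrase really was written to the header;
# a single slot means no new passphrase was added, so only the original one can work.
enabled_keyslots() {
    grep -c '^Key Slot [0-7]: ENABLED'
}

# Open the container, activate the volume group and mount the root LV read-only.
# $1 partition, $2 mapper name, $3 mount point. Needs root; prompts for the passphrase.
recover_mount() {
    part=$1; name=$2; mnt=$3
    # Refuse anything without a LUKS header, so a mistyped partition fails early.
    cryptsetup isLuks "$part" || { echo "$part has no LUKS header" >&2; return 1; }
    modprobe dm-crypt
    mkdir -p "$mnt"
    cryptsetup luksOpen "$part" "$name" || return 1
    vgchange -ay
    # Read-only: the goal is to copy data off, not to write to the broken install.
    mount -o ro /dev/ubuntu-vg/root "$mnt" || { release_mount "$name" "$mnt"; return 1; }
}

# Undo the steps in reverse so the disk is left clean before rebooting.
release_mount() {
    name=$1; mnt=$2
    umount "$mnt" 2>/dev/null
    vgchange -an ubuntu-vg
    cryptsetup luksClose "$name"
}

# Constructed `lsblk -rno NAME,FSTYPE` sample (whole disks have no FSTYPE).
SAMPLE_LSBLK='sda
sda1 vfat
sda2 ext2
sda3 crypto_LUKS
sdb
sdb1 vfat'

# Constructed luksDump excerpt: slot 0 holds the original passphrase, slot 1 a second one.
SAMPLE_DUMP='LUKS header information for /dev/sda3
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

printf '%s\n' "$SAMPLE_LSBLK" | find_luks_parts   # /dev/sda3
printf '%s\n' "$SAMPLE_DUMP" | enabled_keyslots   # 2

# Live run, only as root and with a partition argument: sh recover.sh /dev/sda3
if [ "$(id -u)" = 0 ] && [ -n "${1:-}" ]; then
    recover_mount "$1" test /media/test && ls /media/test
fi
```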
The screenshot below highlights the output of the commands above.
Now I had full access to the encrypted hard drive partition 😊. I then backed up all the necessary data to my external hard drive, formatted the laptop with an up-to-date Linux distro, and copied the required data back to the laptop.

Lessons Learnt

  • Always keep an updated backup of your data. This goes without saying; it's basically the first unwritten rule of computing.
  • Keep a live USB flash drive running Linux within reach. You never know when it will come in handy.
  • Never forget your encryption password, EVER. If you ever do, it's basically GAME OVER.
  • Don't be too quick to format your machine; there may well be a way to access your data that you haven't thought of yet.


iPhone SSH over USB on Linux


I recently got access to an iPhone 5C running iOS 10.2. I wanted such a device specifically to get it jailbroken for iOS app reverse engineering and pentesting. The jailbreak was pretty simple using Yalu, available on GitHub here.

I will not go into the details of how to jailbreak the iOS device because it's out of scope for this post. There are more than enough tutorials online on how to do this.

So after a successful jailbreak, it was time to SSH into the device. Due to some OpenSSH issues, it is not compatible with iOS 10.2, which means you cannot connect over SSH via WiFi with the 10.2 jailbreak. This leaves us with the option of connecting to the device using SSH over USB.

With a bit of googling, I came across this link. It basically gives a guide on how to SSH over USB on a Mac. This is the simplest one to follow:
  • Install iproxy
    • brew install libimobiledevice
  • Plug in USB cable
  • In one terminal run the following command. This forwards all traffic from local port 2222 to port 22 on the device over USB
    • iproxy 2222 22
  • Open another terminal and connect to the iPhone by running ssh
    • ssh root@localhost -p 2222
This guide is simple and awesome for Mac, but what about Linux? Kali Linux? You can do the same on Linux as shown below:
  • Install Dependencies
    • sudo apt-get install libimobiledevice*
    • sudo apt-get install libgcrypt20-doc gnutls-doc gnutls-bin usbmuxd
  • Plug in USB cable
  • Clone and run tcprelay
    • git clone https://github.com/rcg4u/iphonessh
    • cd iphonessh/python-client/
    • chmod +x *
    • python tcprelay.py -t 22:2222
  • On the other terminal run ssh
    • ssh -p 2222 root@localhost




Voila!!!
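Added example, not from the post or from the iphonessh repository it links: a wrapper for the Linux steps above that checks usbmuxd can see a paired device before starting, launches the forwarder (iproxy if installed, otherwise the tcprelay.py from the clone above), waits until the local port is actually listening, and files the phone's SSH host key under its own name. That last part matters once you have more than one device: forwarding a different phone to localhost:2222 would otherwise look exactly like a changed host key, and people learn to ignore that warning. Port 2222 follows the post; the tcprelay path, the alias scheme and the script's file name are assumptions.

```shell
#!/bin/sh
# Added example: SSH to a jailbroken iPhone over USB from Linux, with checks the bare
# two-terminal recipe skips. Assumes libimobiledevice tools (idevice_id, iproxy) or the
# iphonessh clone from the post at $TCPRELAY_DIR, and usbmuxd running.
LOCAL_PORT=2222
TCPRELAY_DIR=${TCPRELAY_DIR:-./iphonessh/python-client}

# ssh arguments for a device reached through a forwarded local port. HostKeyAlias files
# the phone's key under a stable name instead of "[localhost]:2222", so forwarding a
# different device to the same local port later is not mistaken for a changed host key
# (and a real key change on this device still gets flagged).
usb_ssh_args() {
    port=$1; keyname=$2
    printf '%s %s -o HostKeyAlias=%s root@localhost' -p "$port" "$keyname"
}

# UDID of the first device usbmuxd has paired with; empty if none is visible.
usb_device_id() {
    idevice_id -l 2>/dev/null | head -n 1
}

# True once something listens on local TCP port $1 (ss comes with iproute2 on Kali).
port_listening() {
    ss -ltn 2>/dev/null | grep -q ":$1 "
}

# Poll port_listening up to $2 times (default 20), one second apart.
wait_for_port() {
    port=$1; tries=${2:-20}
    while [ "$tries" -gt 0 ]; do
        port_listening "$port" && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Start whichever forwarder is installed, in the background; prints its PID.
start_forwarder() {
    if command -v iproxy >/dev/null 2>&1; then
        iproxy "$LOCAL_PORT" 22 >/dev/null 2>&1 &
    else
        python "$TCPRELAY_DIR/tcprelay.py" -t "22:$LOCAL_PORT" >/dev/null 2>&1 &
    fi
    echo $!
}

main() {
    udid=$(usb_device_id)
    if [ -z "$udid" ]; then
        echo "no paired iOS device visible to usbmuxd (cable? trust prompt? usbmuxd running?)" >&2
        return 1
    fi
    pid=$(start_forwarder)
    trap 'kill "$pid" 2>/dev/null' EXIT INT TERM
    wait_for_port "$LOCAL_PORT" || { echo "forwarder never opened port $LOCAL_PORT" >&2; return 1; }
    # One known_hosts entry per phone, keyed by its UDID.
    # shellcheck disable=SC2046
    ssh $(usb_ssh_args "$LOCAL_PORT" "iphone-$udid")
}

# Run only when executed as usb_ssh.sh (assumed file name), not when sourced for tests.
case $0 in *usb_ssh.sh) main "$@" ;; esac
```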

Enumerating Android devices for Fun and Profit


I mess around with Android devices quite a bit, poking around their internals trying to figure out what services and processes are running, which apps are installed, what the binaries and libraries are responsible for, and maybe whether I can mess around with them.

Given that I have quite a handful of devices to play around with, going through them one by one became repetitive and boring. I also stumbled into the following challenges.

Problem statement

  • Device file system enumeration was a slow, repetitive and tedious process
  • I was unable to quickly pull the device info, files and binaries from a device.
  • I wanted to be able to pull the above info from any Android device without having to worry about the changes at each Android platform level.
  • I wanted as much info and data as I could get on a device to assist with some exploit development insight
The next question was, how did I want to solve this problem? I simply wanted to:
  • Make my work a bit easier with regards to reverse engineering apps, binaries and libraries.
  • Automate the slow, repetitive and tedious process
  • Head to the fridge and grab some food while the script runs :p
Disclaimer: I honestly don't like doing repetitive tasks the same way over and over again. I'd rather automate them if I can. Yup! I get bored that quickly :-(

Googling

It was now time to attend a session at Google University. After a couple of minutes of googling, I found a couple of Linux enumeration scripts and blog posts but nothing much on Android. It's worthwhile to mention that I found a few really neat Linux enumeration scripts, i.e. LinEnum, linuxprivchecker and unix-privesc-check.

At this point I decided to try out the Linux tools I found, just to see how they work and get some insight. These scripts pulled quite a ton of useful info from the Linux machine I was testing them on. I also found g0tmi1k's excellent blog post on Basic Linux Privilege Escalation, which has some really good pointers on what to look out for when you intend to enumerate a Linux machine.

The light bulb moment

This is when I had a light bulb moment: porting such a script to Android, given that Linux and Android share a few similarities. I figured I could try to make something I could easily use to sort out my problems, because I couldn't find any tool specifically for Android that could perform the tasks at hand.

So I decided to develop a tool to perform the device enumeration automatically, provided I have plugged the device into the computer via the Android Debug Bridge (adb). If you are unfamiliar with adb and what it does, you can read up on it over here.

Before even working on the tool, I had to review the Android internals on each of the devices I had access to, which were running Android 4.2, 4.3, 4.4, 5.x, 6.x and 7.x, and then validate whether the info I wanted could actually be extracted. From then on, I could try to identify any issues I could potentially run into.

Some more challenges :( 

A couple of things came up as I started going through the devices, mostly to do with the structure of the Android internals. I basically had to:
  • Run adb commands on multiple devices and compare the output
  • Map the platform hardening measures across the various Android versions
  • Compare the amount of info I can extract per Android version
  • Validate the approach I am using to collect data per platform. The regular apps and the app library locations on Android 4.2 - 4.4 and 5.x are in different places.
The main challenge was that Android versions from 4.x to 7.x have subtle differences in where certain apps are located and what access is provided to their libraries.

This meant that the tool had to automatically figure out the Android version running on the device and enumerate accordingly. Not to mention that it has to focus on the data it can pull, as opposed to trying to extract everything from the device.

Getting down and dirty!!!

Now having a lot of great insight into what needed to be done and what challenges I was working with, I got right into it and, after lots and lots of trial and error, finally managed to pull the device info, file system paths, files and binaries from each device, just the way I wanted and in the order I needed.

As I was pulling data from the device, I found out that shell output from Android 5.x and above came with DOS/Windows newlines (CRLF). This was a huge problem for me because I was working from Kali Linux and needed the shell output with Unix newlines (\n) so that my bash script could manipulate it accordingly. After quite a bit of googling, it took a few workarounds using both tr and sed to clean up the shell output.
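Added example, not Twiga's own code: the plumbing an adb-driven enumerator needs before it pulls anything. It keeps only the devices adb reports as authorised, strips the CR that Android 5+ shells put on every line, turns getprop output into key=value pairs, and reads the API level to decide which per-version layout to walk. The `adb devices -l` and getprop samples are constructed, and the layout names are placeholders.

```shell
#!/bin/sh
# Added example: device selection and output normalisation for an adb-driven enumerator.

# Serials of devices adb is actually allowed to talk to, from `adb devices -l` output on
# stdin. "unauthorized" (USB debugging prompt not accepted) and "offline" devices are
# skipped; shelling into them would only produce errors halfway through a run.
authorized_serials() {
    awk 'NR > 1 && $2 == "device" { print $1 }'
}

# Run a shell command on one device and normalise line endings: Android 5+ returns
# CRLF over adb shell, which breaks every bash comparison and sed expression downstream.
adb_sh() {
    serial=$1; shift
    adb -s "$serial" shell "$@" | tr -d '\r'
}

# Turn "[ro.build.version.sdk]: [23]" lines (CR already stripped) into "ro.build.version.sdk=23".
getprop_to_kv() {
    sed -n 's/^\[\([^]]*\)\]: \[\(.*\)\]$/\1=\2/p'
}

# Value of one property from a key=value list on stdin.
prop() {
    sed -n "s/^$1=//p" | head -n 1
}

# The API level decides which layout the enumeration walks; 21 is Android 5.0, the
# release where the post found app and library locations had moved. Names are placeholders.
layout_for_sdk() {
    if [ "$1" -ge 21 ]; then echo lollipop-plus; else echo kitkat-and-older; fi
}

# Enumerate every authorised device, one output directory per serial so runs never clash.
enumerate_all() {
    outdir=${1:-./enum-out}
    adb devices -l | authorized_serials | while IFS= read -r serial; do
        mkdir -p "$outdir/$serial"
        adb_sh "$serial" getprop | getprop_to_kv > "$outdir/$serial/props.txt"
        sdk=$(prop ro.build.version.sdk < "$outdir/$serial/props.txt")
        echo "$serial: API $sdk, layout $(layout_for_sdk "$sdk")"
    done
}

# Constructed samples standing in for live adb output.
SAMPLE_DEVICES='List of devices attached
0123456789ABCDEF       device usb:1-1 product:example model:ExampleDevice device:example
ZX1G2ZZZZZ             unauthorized usb:1-2
emulator-5554          offline'

# Constructed getprop output with the CRLF line endings an Android 6 device emits.
SAMPLE_GETPROP=$(printf '[ro.build.version.release]: [6.0.1]\r\n[ro.build.version.sdk]: [23]\r\n[ro.product.model]: [ExampleDevice]\r\n')

printf '%s\n' "$SAMPLE_DEVICES" | authorized_serials                                      # 0123456789ABCDEF
printf '%s\n' "$SAMPLE_GETPROP" | tr -d '\r' | getprop_to_kv | prop ro.build.version.sdk  # 23
```

With real devices attached, `enumerate_all ./out` writes props.txt per serial and prints the layout each device would be walked with.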

It took a few days to get the script up and running as expected. All the hustle was finally a success. I present to you Twiga, an Android device enumeration tool. It currently supports Android 4.2 to Android 7.1.1. I have uploaded a video here, if you would like to check out Twiga in action.


There are a few more features that I still need to add to Twiga to make it more efficient and further improve its use case and value. These are:
  • Support for enumeration on a rooted device
  • Support enumeration on multiple devices at a time
  • Generate PDF report on the enumeration data

Conclusion

Working on this project really helped firm up my understanding of Android internals, cutting right across the various versions from 4.x to 7.1.1. It gave me the opportunity to learn a lot about bash commands, not to mention trying to figure out how to convert DOS/Windows newlines (CRLF) to Unix newlines (\n) in Bash. Most importantly, I had both fun and frustrating moments while working on this project.

One very important lesson I learnt is that it's very important to clearly outline what you would like a tool to do beforehand and design a logical diagram before starting to code. Basically, just follow the Systems Development Life Cycle (SDLC). I ran into some scope creep and had to push some features to a future update, not to mention wasting some time simply because I hadn't really thought through some of the capabilities I wanted to develop and their limitations.

Anyway, I worked on this tool out of necessity, to solve some of the problems I was facing the best way I knew how. Maybe this tool could be useful to you and your research, so I figured I might as well share it with the infosec community. Have fun enumerating Droids :-)

Credit

I would like to thank Chrispus, Ruby, Charles and Gav for their feedback on Twiga. The beta testing across the various device makes, models and Android versions really helped validate how well the tool works, alongside the feedback that helped figure out what to fix and improve on in future.


Achari - Converting KeepNotes to PDF and PNG


KeepNote is a note-taking application that allows you to take notes quickly and efficiently. KeepNote is quite popular in the infosec community, more so given that it's the recommended note-taking application for the Offensive Security Certified Professional (OSCP) certification. In case you are not familiar with OSCP, it's basically a completely hands-on offensive information security certification. It's highly coveted by infosec professionals and usually seen as a sign of advanced penetration testing skill and insight.

Given that I had never used KeepNote before, I simply used to keep my pentest notes in a dedicated folder containing the various screenshots and scan outputs dumped to a text file. My to-do list was stored on Evernote for fast and easy access as I moved around. I can't say this approach was efficient, but, well, it worked for me. You can check out this link for a neat guide on note-taking apps.

The light bulb moment!!!

After seeing from Jade and Trune how handy KeepNote can be, and then getting a chance to have a look at Gabby's notes, I was sold on it. KeepNote just made it easy to aggregate notes into one manageable location, where I can easily separate each project into various notes.

One thing that came up, though, was Jade jokingly mentioning that it would be really great if there was a tool that could convert the notes in KeepNote to PDF for easy sharing, and probably even to submit the notes as a report. This was with reference to Gabby's incredibly detailed pentest notes. I'm not kidding, his notes are precise and really spot on. That suggestion was great, but I really didn't put my mind to it.

Fast forward a few days: as I was researching online, I came across wkhtmltopdf and remembered that snorby (the snort IDS GUI) uses wkhtmltopdf to convert its HTML reports to PDF. This is when I had a light bulb moment and decided to see if it could convert the KeepNote files to a PDF document.

Getting down and dirty!!!

The first thing was to understand how KeepNote structures its notes. This meant manually looking through my notes and some sample notes I had borrowed. It turned out that the default file where the notes are kept is the page.html file. The next step was playing around with the wkhtmltopdf binary to validate whether it's possible to convert the notes into a PDF document and a PNG image. After some trial and error to figure out how the tool works, I managed to convert a few specific notes to PDF and image.

At this point, the next logical step was to create a simple script that would recursively go through a specified KeepNote folder, grab all the page.html files, and then convert all of them. On the first few attempts, sorting the HTML files and any available images (screenshots) was simply a mess. The PDF document had all the notes rearranged and not in the order I required.

After lots of googling, I resolved to arrange the folders and subfolders in ascending numerical order. This made it easier to sort the files and consequently generate the PDF document with all the notes in the exact order I desired. I put together a simple bash script that I could point at where my notes are and then convert them.

It was great to see the tool converting the notes quite smoothly. This script then morphed into a tool now called Achari, available here on GitHub. I must admit that the tool is not perfect and still has a lot to be worked on, but it's pretty neat and can come in very handy.

What is Achari???

Achari is a simple bash-script-based tool that converts KeepNote notes into either a PDF document or a PNG image. Achari heavily utilizes the wkhtmltopdf binary for the conversion.


At the moment the tool can only convert KeepNote notes located in a specified folder. This means that the tool is limited to converting one note at a time. The other consideration is that all the folder and sub-folder names MUST be prefixed with a numerical value in ascending order, as illustrated below.
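As an added example (not Achari's own code), a script that walks a notebook laid out with the numeric prefixes described here and produces the ordered page list that the earlier sorting attempts got wrong: a note's own page.html comes first, then its child notes, and each level is sorted by numeric prefix rather than as plain strings, so "10 Privesc" lands after "2 Enum" instead of before it. It covers the PDF side only; the sample notebook is constructed in a temp directory, and the demo conversion runs only if wkhtmltopdf is installed.

```shell
#!/bin/sh
# Added example: walk a KeepNote notebook whose folders are prefixed with numbers and
# feed the page.html files to wkhtmltopdf in that order.

# Emit page.html paths in reading order: a note's own page first, then its child notes,
# each level sorted by the numeric prefix. `sort -V` (GNU version sort) puts "2 Enum"
# before "10 Privesc"; plain `sort` would not, which is the scrambled-PDF problem above.
ordered_pages() {
    dir=$1
    [ -f "$dir/page.html" ] && printf '%s\n' "$dir/page.html"
    find "$dir" -mindepth 1 -maxdepth 1 -type d | sort -V | while IFS= read -r sub; do
        ordered_pages "$sub"
    done
}

# Convert a notebook to one PDF. wkhtmltopdf takes several input pages and a single
# output file, so the whole ordered list goes in one invocation; xargs -0 keeps the
# spaces in "2 Enum" intact and "$0" carries the output path to the end of the command.
notebook_to_pdf() {
    dir=$1; out=$2
    ordered_pages "$dir" | tr '\n' '\0' | xargs -0 sh -c 'wkhtmltopdf "$@" "$0"' "$out"
}

# Build a constructed sample notebook (not real notes) under a temp dir; prints its path.
make_sample_notebook() {
    root=$(mktemp -d)
    for n in "1 Recon" "2 Enum" "2 Enum/1 Ports" "2 Enum/2 Services" "10 Privesc"; do
        mkdir -p "$root/$n"
        printf '<html><body><h1>%s</h1></body></html>\n' "$n" > "$root/$n/page.html"
    done
    echo "$root"
}

# Demo: show the order the PDF pages will take, then convert if wkhtmltopdf is present.
nb=$(make_sample_notebook)
ordered_pages "$nb"
if command -v wkhtmltopdf >/dev/null 2>&1; then
    notebook_to_pdf "$nb" "$nb/notes.pdf" || echo "conversion failed" >&2
fi
rm -rf "$nb"
```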



Given that KeepNote supports an extension system, Achari has quite some potential to become a KeepNote extension. This would make it easier for its users to quickly convert their respective notes to PDF documents, and probably even facilitate PDF customization and an enhanced note-taking experience.

Conclusion

The simplest conversations can give rise to a noble idea that, when acted upon, can grow into an actual resource that someone, somewhere, can make use of. I believe this is how the vast majority of infosec tools start: ideas turned into tools that fulfill a defined objective or goal. It is my hope that Achari proves to be a useful companion to your note-taking.


Demystifying CTFs: Learning the fun way


What is a CTF??

A capture the flag (CTF) is a competition where participants compete against each other by either attacking or defending computer systems, just as in the real world, and sometimes both at the same time. CTFs are tailored towards solving computer security problems in the most innovative and creative ways. CTFs vary in difficulty, i.e. beginner, intermediate, expert. The higher the level, the more difficult the challenge. However, the difficulty stages are quite an abstraction, as some CTFs have up to 5 difficulty levels.

CTFs are typically for anyone interested in solving computer-based challenges or digital puzzles. Some CTFs require teams and others individuals to solve the various challenges. Hence the participants tend to vary from students to security professionals to security enthusiasts. The duration of a CTF can vary from several hours to days or weeks. This usually depends on its difficulty, complexity and the size of the CTF lab.

CTF games often touch on many other aspects of information security: cryptography, steganography, binary analysis, reverse engineering, mobile security, forensics, web applications and many others.
Hence participants in a CTF require a general set of skills as a prerequisite. These skills can vary depending on the type of CTF. A few notable ones are reverse engineering, network sniffing, protocol analysis, system administration, programming/scripting, web administration, digital forensics, decompiling/disassembly and cryptanalysis. Possessing at least half of the mentioned skills increases the odds in your favor.

Hacker conferences around the world tend to have CTFs running concurrently with the event. It's usually a good time to test your capabilities against fellow enthusiasts and professionals in the industry. AfricaHackon follows a similar tradition, where we host a CTF either during the annual cyber security conference or after, to allow the participants to test their hacking capabilities, with the winners awarded various prizes.

Types of CTFs

The three common types of CTFs are Jeopardy, Attack-Defence and mixed.

  • Jeopardy-style CTFs involve solving a series of tasks in order to gain points for each successfully solved task. There are more points for more difficult tasks. Usually, the tasks are chained, such that one successfully completed task opens the next one, and so forth. A timer is used to start and stop the CTF, and once the timer finishes, the game is over. The team with the most points at the end wins.
  • Attack-Defence CTFs are another interesting type of competition, where every team has its own network or a single machine with a few vulnerable services or applications. With only two teams, the defense team has to protect its own machines by patching the vulnerable services and successfully defending the machines, while the offense team has to identify vulnerable services and exploit them. With three or more participating teams, each team gains points by maintaining ownership of as many systems as possible while denying access to the other competing teams. In this case the participating teams have to both attack and defend their systems at the same time.
  • Mixed competitions can take up elements from both types above.

How a CTF Competition Works

The basic goal of a CTF is that there are flags to be collected, and whoever collects the most flags, or all of them first, wins. Flags can be in the form of text files, images, folders, keys etc. Different approaches and hacking tools can be used in order to compromise the machines, with due consideration to the rules governing the CTF.

The rules basically ensure that the participants do not take advantage of each other and promote fair play. These rules are shared with the participants well before the CTF starts. In the event of a rule violation, the participant or team can be either penalized or disqualified.

At the end of the CTF game, the winner is usually the team or individual with the most points in total. The winners are usually ranked 1st, 2nd and 3rd place, and awards are provided according to rank.

CTF Write-ups

After each CTF competition, participants are encouraged to document the steps they took to attack/defend the various systems. The documentation usually highlights what you learned while participating in the competition. These documents, usually referred to as write-ups, are then posted on websites.

For each CTF you take part in, do remember to document how you went about solving the challenge and share it with the infosec community. There is always something new someone else can learn from reading it, be it the approach, the tactic or even the tools that you used: why you used them, where, how and when.

Conclusion

I spent quite some time online looking for mobile-based CTFs and it turns out there are not as many as I thought. Most of the ones I came across were Android-based, possibly due to the fact that it's quite a popular mobile phone platform.

Anyway, I decided to create a small list of the CTFs and some excellent write-ups here for ease of access. I also threw in a few links to vulnerable mobile apps in the GitHub list, which you can use to practice identifying mobile app vulnerabilities. I hope the list proves useful.

CTFs are a great way to learn and improve your skills, and more so to validate how much you really know. It's not until you get stuck in a challenge that you discover how creative you can be and how much more potential you possess. Infosec is all about continuous learning and growth. What better way to learn than having fun while at it. Happy hunting!!!
