First up from:

Thursday, September 16, 2010 at 10:00 AM
- to -
Friday, September 17, 2010 at 4:00 PM (CT)

Is the first anual Cyber-RAID event.

What is Cyber-RAID you ask?

The Kansas City InfraGard program is hosting a two day cyber event which pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network.  This event will specifically focus on managing and protecting this existing “commercial” network infrastructure from a live cyber attack. Since the exercise network is hosted on a private managed network that is not on the Internet, production data and systems are not at risk.

Register here: http://cyberraid.eventbrite.com/?ref=ecount
Note: We need RED Team members!!!

Next up we have SecuityBsidesKC which begins at 10:00am on Friday September 17th and runs through until 5:00pm that night.  I’ve never been at a BSides event, or a Security Con for that matter, but I think it would be safe to assume it will run past 5pm.

Look at the current lineup for speakers, this is shaping up to be a pretty amazing/can’t miss line up.

Call for presenters is still open, so please submit any talks.  There will be barcamp style talk acceptance after the scheduled speakers.

Again, I can’t wait for september to get here so I can sponge knowledge off of people like @ax0n, @hevnsnt, @surbo, @jur1st and @davehull, and im sure there are more that I simply don’t know what their twitter accounts are

This morning I awake to find an envelope taped to my front door. It was blank, and I briefly peek around and see that the rest of the neighborhood has the same thing waiting.

I go ahead and open it, expecting to find a local resident selling mowing, painting or any other service but find something slightly different. Close, but different. In part below:

“Neighbors:

Since we don’t have a homeowners association everyone has done their own thing in regards to trash removal. I thought it would be nice to have one garbage truck come through each week instead of three so I contacted [REDACTED] who I was inquiring about a special.  I have attached their letter….

… If everyone thinks this is a good idea we can all have matching barrels put out at one time per week…

…Again, we dont have an association, but we can all act together if we choose. Their number is on the attached paper if you would like to use them.”

Ok, so whats the problem you ask? Well nothing really, I think it was a nice gesture, and think he was just trying to help his fellow neighbor.

HERE is the problem.

On the “Attached paper” was a browser printout of an email that was sent to his gmail account.  He made an effort to hide his gmail address and thats about it.  The nice little feature gmail provides to show the last account activity was in plain view.  The IP address was in tact.

Being the curious minded person I am, I couldn’t help myself and put in the IP into my browser. Bingo. “Welcome to Windows Small Business Server 2003″

I’d better close it right away… nah, Of COURSE I clicked on “Remote Web Workplace” and of COURSE I got:

“The site’s security certificate is not trusted!”

and of COURSE I was in a VM and so on and so for and moved forward. I was presented with a company name, and a logon prompt.  So a quick tally of what we have so far.

I have his full name, IP address of a machine I know he used, probably was logged into the SBS web desktop. I have his address (duh), place of employment and the phone number and address of his work place.  Oh well.

What I DON’T have

I dont have HIS email address, remember he redacted it.  I NEED that email address now, so when I call him I can send him an email as well.

This was an easy one, the “Attached paper” had the persons name, phone number and email that he contacted about a special. I had all the info I needed to just socially engineer my neighbors email address out of them.  I called the number and received the front desk.  I was informed the person I needed was out, but she could help me. She could take my name and number and get back to me. Stop.  That wasn’t really going to work for this little experiment.  I simply gave her some more details, like the my neighbors name and guess what. She has access to the mailbox that contained the email address.  After helping her troubleshoot a bit, she gave it to me without hesitation, and I even asked her to spell it again and asked if I couldn’t reach him by email If I could call her back because she has been “so helpful and really got me out of a pickle”. Another win for me . FAIL for them. They mindlessly handed out information about another customer.

Additionally, all of his gmail labels were in view on the print out. Pretty organized too, I know his church, hobbies and the fact he uses his gmail for work, Well, I’m assuming thats what the “Work” label meant. Wow. This is awesome.

What was the point of even bothering with this?

To help educate my neighbor that something seemingly harmless could have been bad.

I have contacted him, but haven’t heard back.  I will update this post as soon as I do.  Remember, own your information folks.

Update:  I spoke to my neighbor and he was very thankful that I wasn’t malicious. I think he understood why it was a bad idea, and mentioned “you got all of this from a note on your door about trash…different world we live in”  Protecting people, one neighbor at a time.

Beginning Less than a year ago,

I decided it was time to stop being defined by the job I was doing, I noticed I was on the path of complacency and wanted to belong to an area I have always been an outsider looking in on. Information Security.  I am no stranger to technology, and have had a strong passion for anything related to it for as long as I can remember. I just lacked focus…

Jump

When I finally made the decision shift focus to InfoSec it was scary to say the least.  The more I learn, the less I know. Not only that, but I realized this was a close community with a solid history and more talented people that I could ever imagine.  I felt like it was my first day in prison (disclaimer: I’ve never been to prison) and I felt like I needed to make a name for myself.  Each passing day I was trying to draw comparisons between an existing community with years and years of experience to what I was doing.   I hope I caught that mistake in time, that could have been bad.

Slow Down

Frickin’ Newb, Its only been 8 months…ish.  In that time, I obtained a  C|EH, completed Offensive Security PWB 101 training (No OSCP, on attempt 2) [Update: I passed the OSCP exam in May of 2010], visited my local hackerspace a handful of times ( I recommend doing the same) . I joined Infragard, ISSA and OWASP.  No, I’m not trying to be a braggart, and no, I don’t think this is the path to 1337ness. It served me two purposes really.  First it was an attempt to learn and surround myself with people that built the very community I am trying to get into.  Secondly, It was a good way to test the waters.

Welcome to the Thunderdome

Have you guys seen what you have built? The security community is amazing.  I wont get into a naming of names, but the twitter users alone are not only impressive but if you follow the right people you could socially engineer yourself into an InfoSec job just by regurgitating tweets.  Podcasts? Yeah, you got em.  Need Videos?  There are too many security video sites to count. Cons. Nuff said. I am going to make an effort to hit as many of these cons as possible this year.  Finally,  Blogs? 0_O

Going Forward

I always hear, “give back to the infosec community”, and that is something I plan on doing.  I don’t have much to offer at this point. Writing isn’t my strong suit (<<Captain Obvious) and podcasts from a noobs perspective (hmm catchy) would be a waste of everyone’s time.  I decided the best thing I can do, for myself and the community is to STFU and learn.  The last thing “we” (ducks) need is a wreckless wannabe. I have no idea where I fit in, and its better that way.   I have a long way to go, but the journey so far has been worth the jump.  I only wished I made it 10 years ago.

twitter

A couple of test gadgets; iPod touch (Gen2), G1, iPod Shuffle seemed to work just fine.  The tin does get hot, and there is a buzzing and hissing noise that emits from the tin.  Perfectly Normal.
From the F.A.Q

“How many charges/hours of use can I get out of a MintyBoost?”

I would suggest this for anyone needing a quick burst of juice on the go.   This is also a nice beginners soldiering project.

As always, comment with questions or contact me via twitter.

ax0n

This document will reference his article A.LOT. I suggest you stop reading this (for now), and head directly to his article to familiarize yourself with it.

I am simply going to focus on OSX (Snow Leopard – 10.6). I wanted this to be available on my MacBook at the drop of a hat.

“So, uh…other than that, what’s the point of this ‘article’ ?” . Hmmm… great question. I better get started before you leave.

Note: I’m assuming you have met all of the hardware requirements in the h-i-r.net article.

Step 1: Flashing the Fon

Enable redboot! I used this guide. The problem however, is that once I had established the ssh connection to the Fon, I was unable to wget the files. Additionally, I was unable to ping anything external. I’m sure I was doing something wrong, and there is a simple fix (comment if there is). So what should I do now? I mean, stuck at the second step in the instructions? Fail. To correct the issue, Grab the files referenced in the instructions from here and here and while your at it grab this (you’ll need all of these files), launch a tftp server, unpack the files and place them in the tftp server directory. Then start server. (be sure to make note of the IP address ). I placed the files in a root dir called “tftp” this makes it a little easier when typing the path.

Enabling Redboot

Now that we have the files living in the tftp server dir, Launch a terminal, connect to the Fon via ssh and issue the following commands using the following syntax to grab the files (wget http://[ip.add.re.ss]/[dir]/[filename]):

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma 
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
root@OpenWrt:~# reboot

After the Fon comes back online, ssh back in and follow the remaining steps in the instructions to enable redboot.

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/out.hex
root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
root@OpenWrt:~# reboot

Once you get to the section “now your ready to flash”, you can stop. Those instructions follow a path we aren’t going to.

Installing the Jasager Firmware

Head over to digininja’s site and follow the instructions here “for firmware users”. I skipped the redboot.pl installation, as we already have redboot enabled and working. Download jasegar, unpack it and place it in your tftp dir. (if you didn’t do it earlier) The ONLY tricky part during the flash process is to be SURE you copy and paste the commands or triple check your typing. I mistakenly forgot to load vmlinux.bin.17.  It didn’t brick the Fon, but I was scared to reboot it.

RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801003ff, assumed entry at 0x80040400
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
 
< Wait for a while > note: This took about 2 minutes
 
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040400-0x80100400 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801e03ff, assumed entry at 0x80040400
RedBoot> fis create -l 0x6F0000 rootfs
 
< Wait for a long while > note: This took almost 15 minutes. Don’t panic. It’s working.
 
... Erase from 0xa80f0000-0xa87e0000: ...........
... Program from 0x80040400-0x801e0400 at 0xa80f0000: ..........................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
 
RedBoot> fconfig
Run script at boot: true
Boot script: 
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>> 
Boot script timeout (1000ms resolution): 2 (My default was 10)
Use BOOTP for network configuration: false
Gateway IP address: 
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
 
^]
telnet> Connection closed.
root@desktop ~ # 

Sweet!

The hard part is over. So what happens if you make a mistake in fconfig like
me? Type fconfig -n it will list all of the nicknames of the fields you can
change. The shell doesn’t know what delete is, and there are all sorts of redboot keyboard-fu you can use to control input. I found it easier to type at the reboot> fconfig field_name [input]. So for
example, if you accidentally entered 192.168.1.11 for the IP address. You could fix just that line by typing: fconfig boot_my_ip 192.168.1.1

Let the Fon reboot, make sure you can ping 192.168.1.1 after all the lights
look good, then open your browser and hit http://192.168.1.1:1471 .

The jasager interface *should* open. If it does not after a few minutes… try the following.

1. Make sure you are loading and executing vmlinux.bin.17 in fconfig
2. Reboot the Fon
3. Double and triple check fconfig.

If all else fails, repeat the process. I ended up flashing almost 10 times
due for various reasons, ranging from mistakes I made in the network config, to
the Fon not playing nice with DHCP. If you need to reflash, redboot is only
available for a few seconds while the fon device is booting. I hope your
SMB, 3-1 infinite guy timing is still there. Here is what I had to do to hit
the timing properly.

1. Remove power from Fon
2. Launch a terminal and start pinging 192.168.1.254
3. Launch another terminal and PREP a telnet session to 192.168.1.254 9000
4. The first reply you receive from ping, press enter on your telnet session
5. If it fails. Repeat process until you get it.

Now, head back to

part 1 of the h-i-r instructions and follow along starting with “tinker
time”

Step 2: Install the pWn

This is the easy part. Below are simply notes regarding the process.

Metasploit and Karma

This is the part where I point you back to h-i-r.net’s part 2 for the complete setup of this step. I was able to drop in the framework to my tools directory with no additional steps required. However, you may want to update ruby if you desire. Then Download karma.rc, put it in the root directory with the framework and we are in the home stretch to put this all together.

Head to part 2 of the h-i-r instructions. Follow from “Time to tweak stuff”. You will need to edit karma.rc before you run it.

Hamster and Ferret

Last files we need to grab are hamster and ferret.

I was having some trouble getting hamster and ferret to compile, even after installing xcode. Luckily, the binaries are compiled for us already . Download them and place them in a directory you will remember.

You will need to set your browsers proxy to 127.0.0.1:1234 to view the Hamster interface. Be sure you add an exception for your NIC’s ip address, so you can monitor Jasager as well.

You can now head back to ax0n’s work and button up the rest of the project.

Starting the entire process

Here are the steps I use when booting this rig.

1. Power on the Fon and connect it to your PC with an Ethernet cable.
2. Make sure Jasager is online and Karma is active. I opted to control its state, instead of automatically starting it.
3. Open a terminal and Launch Metasploit and Karma with> sudo ~./msfconsole -r karma.rc
4. Open another terminal and launch hamster with> sudo ~./hamster
5. Enable your proxy. Or use quickproxy for firefox to quickly enable.
6. Open the Jasager (192.168.1.1:1471) and hamster (127.0.0.1:1234) interfaces
7. Gratz ur l33+

Conclusion

While this guide wasn’t meant to be as comprehensive as the article it was based on. I hope you will find a quick reference for installing this on your Mac Box.

All the files referenced, I have zipped up and stashed them here. Comment with questions or hit me up via twitter