Monday, 22 December 2014

OSCP Review



Introduction
 I'd wanted to take on the OSCP since it was known as 'PWB' (Pen-testing with Backtrack) a few years ago. Time and money got in the way, but having worked as a Security Analyst for some months, I figured there was no time like the present to start the journey - and a journey it was. The OSCP is the MMORPG of security courses.  When signing up, you get the option of signing up for 30 days, 60 days or 90 days. If you're new to pen testing/security concepts, you may want to build some skills before you take on this goliath endeavor, or you should opt for the 90 day package, as I did. I don't believe it's possible to complete the course in 30 days unless you're an experienced pen tester already, can dedicate serious time in those 30 days, or have prior experience.

So, a little bit about me. I'm 25, I was an IT Technician for approx. 5 years before I studied BSc Computer Forensics for 3 years before landing a job as a Security Analyst. I've got some experience with python/scripting, networking/security and I like to believe that I'm good at solving problems in a logical and sometimes illogical manner. Cert-wise, I held some Microsoft certs and the OSWP before signing up for this course. Let me tell you now....I STILL found the OSCP to be the most difficult exam/course I've ever taken. 

Three Headed Dragon 
 The OSCP is a three headed dragon. There are three main parts to it: the labs, the exercises and finally, the exam itself. Once you sign up, you'll receive your VPN login credentials which give you an IP address which will allow you to start interacting with the lab machines. You get a pdf which is essentially the study guide. This study guide contains lots of exercises to carry out, with the difficulty level starting low and rising to the point where you'll barely understand it (at least in my case!). The pdf is bundled with over 5 hours of videos to complement the study guide. Your mission, should you choose to accept it, is to use the study guide and video tutorials to complete the exercises at the end of each chapter, attack the labs and finally, take on the exam itself. 

The Labs
The labs are essentially a hacker's playground. The admins have worked very hard to build a very realistic network where everything is vulnerable in one way or another. Within the first week, I'd already successfully attacked some machines. This soon came to a halt when I came up against some very tough scenarios. You'll find all sorts of operating systems from Windows 2000 to Server 2008, to FreeBSD and Linux variants with different service packs/updates installed. As you'll read on other people's OSCP reviews, you'll get to know Bob, OTRS, WIN7 and if you're feeling brave, you can take on the three machines which are the stuff of nightmares: Pain, Sufference and Humble. I managed to root Pain and get a limited shell only on Sufference. I didn't get to attempt Humble during the time I had left but given the opportunity, I'd love to go back and get Sufference and Humble (read useful links at the bottom for more on this!).

The best advice I can give is this: enumerate your target and document everything with explanations on what you're doing and take screenshots. The OSCP will also improve your note-taking skills, which is imperative in a field such as this. One more thing: Backup your data. I had all my notes in a Word document which I uploaded to the cloud every single day so I knew that I had a backup no matter what.

I managed to compromise around 70-80% of machines in the lab - I probably would have been able to do more if I had purchased an extension... and I've purposefully mentioned this because before taking on this course, you need to be aware of the following: You could fail on your first exam attempt (apparently most people do and I can FULLY understand why), you could need to extend the course... This course could honestly run for 6 months - there is SO MUCH content. Even though I've passed, I'll be going back to read and study parts of it again. 

And finally - you need to dedicate A LOT of time to this course. I put in a minimum of 5 hours per day for 3 months - some days, I was working for 12 hours on the course. Let's say (30 days * 5 hrs) * 3 = 450 hours spent on the course, and that's not factoring in the 12 hour days I did. The Offensive Security motto is "try harder" and I could write an entire essay on what "try harder" really means...but I'll save that for now.

The Exam
Now, when you feel you're ready, perhaps your 30, 60 or 90 days is up. Perhaps you've had your extension and you feel as though you're ready for the exam, you can book it (instructions on how to do this are supplied, or you can ask one of the Admins to do it on IRC. I highly recommend you use the IRC by the way. I used ChatZilla which is a Firefox add-on).

Taken directly from the Offensive-Security.com website: "The OSCP exam consists of a dedicated vulnerable network, which is designed to be compromised within a 24-hour time period. The exam is entirely hands-on and is completed with the examinee submitting an in-depth penetration test report of the OSCP examination network and PWK labs."

As above, you schedule your exam and you're given 24 hours to attack a vulnerable network. This was one of the most demanding exams I've ever taken. Why? Because you're supposed to know the study material inside out. You're supposed to have researched outside of lab material. Then you're in an environment where you don't know what you're up against and you have to successfully compromise as many machines as you can. In a nutshell, each target is worth X amount of points, you need to root systems for points. Once your 24 hours is up, you're given another 24 hours in which to write your pen-test report. (An OffSec template can be found online.) You will also be required to submit your report for your time in the labs. This is VERY much worth doing as it can help you.

I would like to say thanks to the OffSec team for putting together a very difficult, yet interesting course. Thanks to my friends who had to listen to me talk about the OSCP every single day for 3 months (I really am sorry for that...). I can honestly say I've learned a heck of a lot. The course was definitely worth the money. The "try harder" motto is one that I'm going to apply to every aspect of my life from now on. If you work hard enough, anything is possible. If you put the time and effort into this course, you will do it. Good luck on your OSCP journey.

Thank you for reading. Please feel free to comment and I'll get back to each and every one of you ASAP.

Useful links:
  1. The PWK syllabus can be found here
  2. OffSec have responded to people who have passed the OSCP and want to go back to the "hackers playground" I mentioned in this review. Click here to find out more.
  3. gotmi1k's OSCP review on his blog

Sunday, 14 December 2014

Ho ho ho, Merry Christmas!

With Christmas just around the corner, I should be relaxing with a nice, warm mince pie, but instead, I've booked my OSCP exam for the 20th of December - yes, 6 days! Add that to the fact that I'm working over Christmas and you'll be asking yourself: Is he mad?!

But enough about that, what can we expect in 2015? I'm eager to begin posting regularly again, as I've been so busy over the past 3 months that there hasn't been much in the way of content. I expect some big changes in 2015 and more courses on the horizon, so it looks like it's set to be an interesting year.

I'll be sure to let you know how I fare with the exam. But for those celebrating Christmas, have a good one! And for those who aren't celebrating Christmas, happy holidays! Expect an update in seven days time.

Friday, 28 November 2014

An update on the OSCP

Hello readers,

I have to give you an update on the OSCP course - yes - I am still hanging in there by a thread doing it. This course is by far the hardest course I've ever done, but that's because I was expecting the course contents to cover absolutely everything I needed to know to successfully attack machines. That...hasn't quite been the case and I've found myself doing a lot of research.

So now, picture me, coming home after a 12 hour shift, where I've sat in front of the computer for 11 hours and I need to research X/Y/Z before I carry out X/Y/Z attacks in the lab. Yeah - it's rough. Well, as it stands, I've got this far:

59 days in, 21 machines popped, one of which includes the notoriously hard "pain" and I've *almost* got root on "sufference" which is much, much harder than "pain".

I've got 21 days left in the labs, so if I can manage to pop 1 every 2 days, that'd give me 10 more machines, which would give me a grand total of 31 machines popped which is much more respectable than just 21.

Monday, 22 September 2014

90 Days of OSCP

Day 1: 21st September

As does everyone who signs up for the OSCP, I managed to somehow get the starting time wrong. The OffSec website said 00:00 but it actually arrived at 01:00 - thanks British Summer Time!
I received a rather lengthy email which consisted of videos to follow, the main pdf which serves as your source of information and your username and password for the VPN you'll use to connect to the lab. I managed to read 47 pages which were fairly straightforward - but I have learned 2/3 new things already. I'm going to get through as much as I can today and see how I find it.

Day 2: 22nd September

It's 00:15 at the time of writing. I've got dark circles around my eyes and this is only the second day. I spent 14 hours 45 minutes reading the pdf and completing exercises yesterday. I went to work and from 9:00am til 5:30pm I was in front of a computer screen.
Once I got home I ate a piece of bread and a single slice of chicken before going onto my laptop and working from 7:30 til 00:00. That's 4 hours 30. I'm sticking to my personal plan quite well but whether I can keep this up I don't know.

Day 3: 23rd September

No progress. Was too busy with other things to study...

Day 4: 24th September

It's proving to be very difficult. Batch scripting and FTP exploits are on my to-do list. I've found the 'reverts' system to be a tad annoying because you only get 6 reverts a day, so you tend to use them very sparingly, and if an exploit in the lab isn't working, then you've essentially got to use up a revert. If someone is working on the same machine as you (which is possible, albeit unlikely) you might need to revert. It's very early days but I'm not feeling overly confident with this one. On the plus side I've spoken to some really cool people in the IRC. I've even been told to "try harder!" by the OffSec staff - not that I wasn't trying hard! And if I wasn't trying hard enough, I fully intend to use every spare moment of this weekend working on this.

Day 5: 25th September

Bob is still causing issues. For those who don't know, Bob is a bit of a legend at OSCP labs. Bob is a machine which requires a lot of hard work and determination; if you ask for help be prepared to be told: 'Bob is laughing at you!'. Navigate to the IP in the browser and indeed, Bob really is laughing at you. I'm going to focus on other machines and will return later.

Day 6: 26th September
Bob has now been owned! I was trying the right things but missing a parameter. I've wasted a lot of time on Bob. I'm going to do the exercises later and see if I can get through more of the pdf. Enjoying the course so far but I'm hearing A LOT of "try harder" on the IRC.

Day 7: 27th September

Managed to pop 'ORACLE' today and make some further progress in the book. So far I'm finding the course quite interesting. The difficulty level is medium. I don't know whether I'll be able to pop all of the machines in the lab in 90 days - I'll certainly try but it has taken 7 days to pop 4. It's impossible to guess how long it'll take to pop others because the difficulty varies per machine.

Day 8: 28th September

Managed to pop another machine. I'm getting the hang of it now. Need to make progress on the exercises. Time isn't on my side at the moment. Lucky for me I've got a break on Wednesday where I can devote a full day to catching up on the exercises and might even pop another machine by then if I'm lucky.

Day 9: 29th September

Managed to pop a Linux machine which was nice. Enumeration really is key. The more information you gain the more avenues you can explore.

Day 10: 30th September

80 days to go. I've popped 6 machines of 54 - I feel like it'll be a race against time to pop them all and complete everything...

Day 11: 1st October

A friend came over so I only made a small bit of progress on a very difficult machine in the labs. Can only get a basic shell.

Day 12: 2nd October

Finally rooted a machine I've been after for two days. Updated my report and off for a day out for the gf's birthday. Will be spending 10-15 hours on the exercises tomorrow to make up for the time I've missed.

I will update each day for 90 days.

Saturday, 13 September 2014

Unshadowing + Password Cracking




In prep for the OSCP, I'm going over some relatively basic skills so that they're not only fresh in my mind, but so I understand them well enough to take it to the next level with the OSCP. I was researching privilege escalation and came up with a scenario. Let's say that a system administrator has made a boo-boo on the system and any user can see the /etc/shadow file along with the /etc/passwd file. Of course, this would be a, very, very rare occurrence (one would hope!) but it gives us somewhere to start.

So once you've got a hold of the passwd and shadow file, we can see that the passwd file isn't showing the passwords at all, not even hashed! (Great!). However, the shadow file is showing simon's password hash (Fig 1).

 Fig 1


Now, I run hash-identifier (Fig 2) to find out what hash we're dealing with here. This isn't too necessary in this case, but it's a fantastic tool which has helped me plenty of times. Windows users can download the python script from Github. Simply type in (or paste in) the hash and the script will attempt to identify what method of encryption is being used.

 Fig 2


Now I can see that we're dealing with a DES (Unix) password (Fig 3). Makes sense right, after all, we're looking at a hashed password on a unix-like system.


Fig 3



 So now, it's time to get this hash cracked. We need to use the 'unshadow' feature/function to unshadow the 'passwd' and 'shadow' files. Essentially, by unshadowing, you're combining the files which will let us brute force them shortly with JTR.

In Fig 4 below, you'll see the way this is done - we call the unshadow script from sbin, select our passwd file followed by our shadow file and direct it to a database (file ext not necessary, but it just helps to convey the information).

 Fig 4


 You may notice that I've already cracked the file before taking this screenshot, so I've had to use the '--show' switch to let you see the password in plain text. All that's needed to crack the password is for you to run 'john <nameOfDatabase>', in my case 'john crack'.

In Fig 5, you can see the plain text password:

simon:password:1003:1003:simon:home/simon:/bin/bash

Of course, the more complex the password, the harder or more time consuming it'd be to crack.

Fig 5
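To make the steps above concrete, here is an added example (my own code, not the post's or John the Ripper's) that does in Python what the unshadow step and hash-identifier did in the screenshots: it merges constructed passwd and shadow lines so each user and hash sit on one line, classifies the password field by its crypt(3) prefix or, for DES, by its 13-character shape, lists the accounts a cracker would actually get to work on, and checks the file mode for the misconfiguration the scenario starts from (a shadow file that any user can read). The sample passwd/shadow contents and simon's 13-character field are constructed, not real hashes; the function and variable names are mine.

```python
"""Added example: what `unshadow` and `hash-identifier` do to /etc/passwd
and /etc/shadow, plus a check for the misconfiguration this post starts
from (a shadow file any user can read). Sample data below is constructed."""
import os
import stat

# Constructed sample files, not the post's. simon's 13-character field has
# the shape of a traditional DES crypt hash but is a made-up string.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "simon:x:1003:1003:simon:/home/simon:/bin/bash\n"
    "svc:x:1004:1004:service:/var/empty:/usr/sbin/nologin\n"
)
SAMPLE_SHADOW = (
    "root:$6$c0nstructed$Wx9yZ0abc:16300:0:99999:7:::\n"
    "simon:abJnggxhB/yWI:16300:0:99999:7:::\n"
    "svc:!:16300:0:99999:7:::\n"
)


def parse_colon_file(text):
    """Map user name -> field list for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Put each user's shadow hash into field 2 of the passwd line, which is
    what the unshadow tool does so a cracker sees user and hash together."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in shadow and len(shadow[fields[0]]) > 1:
            fields[1] = shadow[fields[0]][1]
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


DES_ALPHABET = set("./0123456789"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
PREFIXES = {"$1$": "MD5 crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
            "$2y$": "bcrypt", "$5$": "SHA-256 crypt", "$6$": "SHA-512 crypt",
            "$y$": "yescrypt"}
NOT_A_HASH = ("no hash in this field", "locked or disabled account", "unknown")


def identify_hash(field):
    """Classify a password field by its crypt(3) prefix or, for DES, its
    shape: 13 characters from the crypt alphabet (2 salt + 11 hash)."""
    if field in ("", "x"):
        return "no hash in this field"
    if field.startswith(("!", "*")):
        return "locked or disabled account"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and set(field) <= DES_ALPHABET:
        return "DES (traditional Unix crypt)"
    return "unknown"


def crackable_accounts(unshadowed_text):
    """(user, hash type) for each account carrying a real hash: the
    entries john would work on, and the ones a defender should review."""
    found = []
    for user, fields in parse_colon_file(unshadowed_text).items():
        kind = identify_hash(fields[1])
        if kind not in NOT_A_HASH:
            found.append((user, kind))
    return found


def mode_exposes_shadow(st_mode):
    """True when 'other' can read the file. Group read is normal on systems
    that keep /etc/shadow as 0640 root:shadow, so only the world bit counts."""
    return bool(st_mode & stat.S_IROTH)


def shadow_is_exposed(path="/etc/shadow"):
    """Live check of the scenario above: can any local user read shadow?"""
    return mode_exposes_shadow(os.stat(path).st_mode)


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(merged)
    for user, kind in crackable_accounts(merged):
        print(f"{user}: {kind}")
```

Run it as a script to see the merged lines and which accounts carry a crackable hash; call shadow_is_exposed() on a real box to confirm the world-readable bit is not set. The DES case is worth the extra shape check because it has no $-prefix, and a 13-character DES hash is exactly the weak, unsalted-by-modern-standards entry a defender would want migrated to SHA-512 crypt or yescrypt.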



Thanks for reading!

Saturday, 30 August 2014

OSCP - Finally Signed Up




I've done it. I've signed up for the OSCP. It has taken quite some time to decide whether or not I should go for it. In fact - it has taken a few years. The course was previously known as 'Pen testing with backtrack', whereas now, it has been updated to 'Pen testing with Kali', as Kali Linux has taken off where Backtrack left off.

In case you're wondering why it has taken me so long to sign up, the answer is simple: cost vs fear of failure. Prior to starting the OSCP, my pen testing knowledge is heavily rooted in wireless security. I've had experience with Bluetooth hacks, WEP, WPA etc but not so much with pen testing desktop computers/laptops/servers.

I've passed the OSWP (Offensive Security Wireless Professional) course and found that it was written very well; one can only hope that the OSCP will follow suit. I've read reviews online which suggest it's very possible to pass providing you put many hours each day into it. I'm prepared to do that in order to pass. Which brings me onto my next point. I've been afraid to take on this course in case I fail, yet I know that it's going to be a learning curve - just of bigger proportions.

I've had to remind myself that over the past few years, I've learned first hand that the key to success is trial and error. Do you remember when you first tried to ride a bicycle as a child? You fell off it, right? You got hurt and thought: "I'm not doing that again!" - but you persisted and ultimately, you could ride the bike. The same applies to swimming, relationships, driving etc. You fail more often than you win, but it takes determination to continue until you win.

I'll give you a story. There was a kid born in 1847. Couldn't concentrate in school. His teacher referred to him as "addled". It was looking as if this kid wasn't going to make it; dropping out of school and then being home schooled, this kid didn't look like he was going anywhere. When he was older, he created an automatic voting system, which, as an entrepreneur, should have gained him fame and prosperity. It didn't. It wasn't wanted: it was a failure.

All this guy knew was failure, up until the age of 30 when he created the telephone. This guy was Thomas Edison. Failure didn't deter him - and look what he created. You get out what you put in. I know that whatever happens with the OSCP, I'm going to learn a lot throughout the course. I don't know if I'll pass the exam first time, but if I don't, I'll try again, and again, and again until I do; after all, the motto is "try harder".

Friday, 29 August 2014

MSN Messenger - The Eulogy

15 years after MSN Messenger was introduced to the world, it has now sadly gone (completely). The service was turned off in 2013 and Skype took its place for those of us not living in China; the Chinese were lucky enough to have the service until it's due to be turned off permanently in October, 2014. I thought I'd write a quick eulogy to give MSN Messenger a good send off.

In 1999, I was 10 years old. I was there when MSN Messenger first arrived. It felt like something sent from God. It was a serious rival to the likes of AOL's AIM (AOL Instant Messenger) and ICQ. At the time - AOL was king; disks advertising 'x days free trial' for AOL were all the rage. But over at Microsoft, they'd designed a great tool, with a memorable logo. The logo was simple - eye catching and became an instantly recognisable symbolization which appeared all over the web. Here is how it looked:


If you asked people today what a .NET Passport is, they might look at you with a confused look in their eyes. A .NET Passport was your passport (your registration) that allowed you to use MSN Messenger.




The screenshot to your left is how the early MSN Messenger looked. Simple - uncomplicated - fast - reliable(ish). The whole point of MSN Messenger was to contact your friends. You'd simply add them via email address and you'd be able to see whether or not they were online - think of it like WhatsApp....but in 1999.

Not only could you have instant conversations with your friends - but you could see whether you had any new emails. Eventually, MSN Messenger began to evolve. Updates added functionality and the MSN Messenger service grew. Up until 2009, there were 330 million users. At the time - everyone had MSN.

MSN was often used by people to chat up the hottest girls in the year. Rejection via instant messenger was less painful than rejection in real life. "BRB m8", "LOL", "TTYL" - acronyms that we still use daily formed by avid users of MSN. As soon as you got home from school, you'd jump onto MSN, say "wuu2?" to your friends and wait eagerly for their reply which would be something like "nm, u?". It was better than it sounds - honest.



The screenshot to the right shows what MSN Messenger was becoming. It was now a place where you could add a fancy tagline, such as: ☆đση'т ¢σρу, вε σяιgιคℓ☆. There were literally hundreds, if not thousands of websites dedicated to people sharing quotes, taglines, custom profile pictures - the works.

With later versions of MSN Messenger - there were all the signs of adverts coming into the picture. As you can see, there was space for ads on the bottom and ads on the left hand side of the software; MSN Homepage links at the top too. It was so great - yet starting to get annoying to use, especially if you were used to the first few releases.







Microsoft changed the branding of MSN Messenger to Windows Live Messenger for v8 in 2005 - this caused some anger in the community, as we'd gotten used to calling Windows Live Messenger "MSN". Ads and general bloated software led to more annoyance, but we continued to use it anyway, because quite frankly, it was a fantastic tool.

2012 signaled the end for Windows Live Messenger when Microsoft acquired Skype for £5.1 billion ($8.5bn). As Skype already had an instant messenger built in, most of us knew deep down that the days of MSN would become just a memory. In 2013, Microsoft shut down the service as users made the transition to Skype.



It's a real shame to have to say goodbye to MSN Messenger - it really did pave the way for services like Whatsapp, Viber, iMessage and other copycat services that still exist today. For all the reasons listed above and many more, it really does prove that technology never stands still. Things move on and we must enjoy them whilst they last. So whilst you're snapchatting, Whatsapping and tapping on your technology today, know that it might not be there in years to come. Goodbye MSN Messenger.

Sunday, 3 August 2014

Why I'm Getting Rid Of My Nokia Lumia 920...

I should have had an update out about TOR - and I apologize to my readers about that. I've been super busy. Between full time work and catching up with friends, it makes things pretty difficult to keep up with. That post will come out, but first, I thought I'd get in a post about the state of the mobile market today.

I'm no stranger to mobile phones/smartphones. The very first mobile phone I owned was an Ericsson t28, passed down to me by my Uncle, who had 'upgraded' to an Ericsson t66!! (Wow!). Those phones were fantastic. Ultimately, I ended up getting the best phone to ever exist (at the time): the Nokia 3310. I found out that these phones could be 'unlocked' for free online by typing in your IMEI number and getting an unlock code - I was charging kids in the school playground like £3 a pop. I was a little entrepreneur .... well, almost. You see, there weren't as many kids with phones - in fact, most adults didn't have a mobile phone back in the year 2000.

These days, it's hard to find someone who doesn't have a mobile phone. Kids grow up amongst phones/tablets and the world as we know it is becoming much more reliant on technology as a tool to communicate, live and work with. Having loved the Nokia 3310 and all of the other models I've owned (trust me, it's hard to name a Nokia that I haven't owned), I went back to the Nokia world that I had fond memories of and purchased a Lumia 920. The biggest change is that Microsoft now own Nokia...

The home screen on the Windows Phone 8 device is actually quite nice. It's a 'live tile' which updates when you get emails, or texts, or calls. Missed a call? No problem, you get a '1' on the live tile. Weather? The weather will update live on the tile. News? Yeah - that's covered too. The problem with Microsoft's Nokia range is the user-interface that sits behind the home screen. It's absolutely WOEFUL.

My Nokia Lumia 920 shipped with Windows Phone 8 as the OS and soon enough, there was a sneaky way to upgrade to the developers preview of Windows Phone 8.1. Of course, I did this, and there were some good changes. What I was extremely unhappy to find - was that the user interface was exactly the same, but with more options. This makes for a horrible mess of an interface which Microsoft/Nokia haven't addressed. Now this might not sound like a big deal, but when Apple's flagship iPhone series have virtually perfected their interface - it's a BIG problem.

To top it off, Microsoft have said that Windows Phone 8.1 is going to be released in the UK in "late 2014", Source: http://www.pcadvisor.co.uk/news/mobile-phone/3510108/windows-phone-81-cortana-release-date-new-features-uk/

Personally, I've waited 7 months since owning the phone for Windows Phone 8.1 - and when I purchased the phone, it was already an aging phone. To make me wait longer AND not improve the user interface - I'm out. Although I wanted an iPhone, I'm actually opting for an Android (and believe me, I hated Android in the past).....but I am going to try it and see how things go.

I may end up going back to the iPhone if the Android phone doesn't work out - and I'm not the only one who thinks this way! There are millions of avid consumers out there wanting the latest and greatest phones which do everything they want - and then some. It really highlights that the mobile phone market is more competitive than ever and there's a lot at stake. It wouldn't surprise me if companies end up going bust trying to compete in the current climate as consumers want the best deal for their hard earned cash.

Until next time - thanks for reading.

Sunday, 13 July 2014

Quick Update: Offensive Security Wireless Professional (OSWP)




I signed myself up to do the OSWP course because I'd had a fair bit of experience pen-testing on other peoples  my home access points so I thought to myself: why not get certified in it? Would there be anything to learn? In short: yes. There is a lot to learn. The course cost $450 (£270) at the time of writing which I thought was fair value. You are expected to have all of the equipment e.g. a wifi dongle capable of injection and an access point from their list:
  • D-Link DIR-601
  • Netgear WNR1000v2
I purchased the Netgear from eBay for £12 and I already had a wireless card, but if I had purchased the "ALFA Networks AWUS036H USB 500mW" - it would have cost another £25-ish. So you're looking at around £320 all in if you don't have the equipment already.
Once you've paid, you get sent a coursebook and you get 4 months to study the material and within those 4 months, you must arrange your exam - which is easily done from a link in one of the first emails you get. IRC support is available and it's an absolute MUST. You MUST have IRC. I can't stress this enough!!!

Now, like I said, I have had wireless pen-testing experience, so I was able to breeze through the book in a week. It gets very technical and tells you everything you need to know for the exam. And...about the exam: it's not as easy as I expected. You're given 3hrs 45mins to complete the challenge - then 24 hours to submit a report detailing what you did - which I thought sounded very reasonable.

All I can say is: practice, practice and practice some more. It took me 2 hrs 30 mins to complete the challenge because I was nervous and making rookie mistakes. You should read the entirety of the coursebook, but make sure you do the practical work too - your success relies on practical work.

I wrote the report as I was going which added to my time of 2 hrs 30 mins, but I've heard some people have done the challenge in 1 hour and had the report done in 45 mins, but remember: it's not a race. If you try to speed through - you'll likely make mistakes. Cool, calm and collected wins the day!
Now, a final word about IRC. I've read another blog from a guy who said he had issues with one of the challenges and luckily, the IRC saved his @$$. Well - it did mine too. I was having no end of trouble with the final part of the challenge - but luckily, I had my IRC set up and help was available. Turns out there was something wrong and they fixed it so I could continue the challenge. Once again - make sure your IRC is set up! The guys are extremely helpful and you should make use of their help if you desperately need it.

If you're going to take this exam, I wish you good luck. Read it all, practice LOTS and you'll be fine!

EDIT: Officially passed within 1-2 days of posting this blog.

Friday, 11 July 2014

An Investigation Into TOR Pt. 2 - SSH Encryption

SSH (Secure SHell)

 
 
Fig #1

We're looking into TOR, so why did we go over Telnet and why are we now looking into SSH? Well, the answer is that I wanted to show you Telnet's insecurities and SSH's securities before we discuss the behemoth that is TOR. SSH is short for Secure Shell and should be used instead of telnet (although like I said in my previous post, I have seen Telnet used in the workplace!).

What's so secure about SSH? Well, SSH runs on port 22 as standard and encrypts traffic so that a 3rd party shouldn't be able to decrypt and read packets going to and from computers on the network - this is why it's more secure than Telnet. With that being said, there are 2 versions of SSH - v1 and v2. V1 has known vulnerabilities which is why v2 is often the default these days.

SSHv1 has a "remote integer overflow" vulnerability that allowed hackers to gain root access, which in turn would let them run code (with root access). Fun fact: This vulnerability in the coding of SSHv1 is in a piece of code that was created to defend against CRC32 exploitation in the SSH1 protocol! Ettercap can decode SSHv1 in real time (Source: Cisco).

SSH1 and SSH2 share the following features:
• Client programs that perform remote logins, remote command execution, and secure file copying across a network.
• An extremely configurable SSH server.
• Several selectable encryption algorithms and authentication mechanisms.
• An SSH agent to cache keys for easy access.

SSH2 added a number of new features to provide a stronger, more comprehensive product. These features include:
• Encryption ciphers, such as 3DES and AES.
• The use of sound cryptographic Message Authentication Code (MAC) algorithms for integrity checking.
• Support for public key certificates.
(Source: Cisco).

So I've used Wireshark to capture an SSH handshake and 'dir' command. Let's see exactly what we've got.

 Fig #2


 What you're looking at above is a PCAP (packet capture) that I captured from SSH'ing from my laptop to my desktop PC. The PCAP consists of just 35 packets and we'll look through them now. At the beginning of this blog post, you saw the "SSH handshake". The first set of packets are the handshake. Let's recall the image at the start of this post:

 
Fig #3
 
 The client (my laptop) was connecting to the SSH server (my desktop PC). There is a TCP 3-way handshake that takes place (SYN, SYN/ACK, ACK). So let's look at this on Wireshark:

 Fig #4

 Packet 1 shows 10.0.0.53 which is my laptop's internal IP address sending a SYN packet via TCP over port 52421 (which is the TCP port). Let's investigate packet #1 a little further:

Fig #5

So I've opened up packet #1 a bit more. We can see here that the laptop (red) has found the PC's (yellow) MAC address, so they know each other's IP and MAC address. The green highlight shows that the client (laptop) sent the SYN packet to 10.0.0.54:22 (the PC's port 22...SSH port).

So if you look at Fig #4 again, you'll see the entirety of the SYN, SYN/ACK, ACK sequence. Once this has taken place, referring to Fig #3, the server tells the client what version it's running and the client responds with the version of client it's running. We can see this very clearly if we analyse packet 4 in Wireshark:



 So we know that we're using FreeSSHd because of the (WeOnlyDo) server version and we know our client (laptop) is using PuTTY 0.63.0.0. Packets 5 & 6 are the KEXINIT negotiation - basically, the client and server negotiate the algorithms they will use for key exchange, bulk data encryption, message integrity, and compression.

The peers will also let each other know the accepted host key types. In this stage they present their supported and preferred methods for the aforementioned functions in comma seperated list form (CSV). Preferred values are distinguished by placing them first in the list (Source: http://www.mnin.org/write/2006_sshcrypto.html).

 Packet 8 is the Diffie-Hellman Key Exchange Initialization - which essentially lets the client and server derive the exact same secret key (symetric encryption). An important thing to note is that the SSHv2 protocol is now in use. It was at this point I ran the 'dir' command from my client to the server - yet I cannot see this command in plain text as it's encrypted. The idea is to stop a 3rd party from listening in and seeing what commands are being run etc.
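Here is what that KEXINIT exchange and choice look like in code. This is an added example written for this post, not code from the original or from Wireshark: it serialises and parses an SSH_MSG_KEXINIT payload in the RFC 4253 wire format (the ten comma-separated name lists you see in packets 5 and 6), then applies the negotiation rule to two constructed preference lists. The algorithm lists are made up for the example rather than copied from my capture.

```python
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253 section 7.1).
NAME_LISTS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload: message byte, 16-byte cookie, ten name-lists
    (uint32 length + comma-separated ASCII), first_kex_packet_follows, reserved."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Inverse of build_kexinit: the ten lists exactly as Wireshark displays them."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}                     # skip the message byte and the cookie
    for name in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length].decode("ascii")
        off += length
        lists[name] = raw.split(",") if raw else []
    lists["first_kex_packet_follows"] = bool(payload[off])
    return lists


def negotiate(client, server):
    """For each function pick the first entry on the client's list that the server
    also offers (RFC 4253 section 7.1). The language lists are not negotiated."""
    chosen = {}
    for name in NAME_LISTS[:8]:
        offered = set(server[name])
        pick = next((alg for alg in client[name] if alg in offered), None)
        if pick is None:
            raise ValueError("no common algorithm for " + name)
        chosen[name] = pick
    return chosen


# Constructed preference lists (not from the capture): a client that prefers
# modern algorithms talking to a server that only has older ones.
CLIENT_LISTS = {
    "kex_algorithms": ["diffie-hellman-group-exchange-sha256",
                       "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa", "ssh-dss"],
    "encryption_algorithms_client_to_server": ["aes256-ctr", "aes128-ctr", "3des-cbc"],
    "encryption_algorithms_server_to_client": ["aes256-ctr", "aes128-ctr", "3des-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256", "hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256", "hmac-sha1"],
    "compression_algorithms_client_to_server": ["none", "zlib"],
    "compression_algorithms_server_to_client": ["none", "zlib"],
}
SERVER_LISTS = {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["3des-cbc", "aes128-ctr"],
    "encryption_algorithms_server_to_client": ["3des-cbc", "aes128-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}


def demo():
    """Round-trip both KEXINITs through the wire format, then negotiate."""
    client = parse_kexinit(build_kexinit(CLIENT_LISTS))
    server = parse_kexinit(build_kexinit(SERVER_LISTS))
    return negotiate(client, server)


if __name__ == "__main__":
    for function, algorithm in demo().items():
        print(f"{function:42} {algorithm}")
```

Run it and the client's ordering wins: the server lists 3des-cbc first, but aes128-ctr is chosen because it is the highest entry on the client's list that the server also offers. Note that both KEXINIT payloads are fed into the exchange hash that the server signs with its host key (RFC 4253 section 8), so someone on the path cannot simply rewrite the server's lists to force 3des-cbc; tampering with the negotiation means impersonating the host key entirely, which is where the client's host key warning comes in.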

This does pose an interesting question: can we decrypt SSH? The answer is yes, but only by getting in the middle of the connection. SSH can be intercepted with a MiTM attack (the mitm-ssh tool does this) or by a firewall configured to terminate the SSH session and present its own key (a key, not a certificate, as SSH uses keys rather than certs). Either way the client is shown a host key that isn't the real server's, which is exactly what the 'host key has changed' warning exists to catch, so the attack only works if the user accepts an unknown or changed key. This may be a good topic to come back to.

The next post will be about TOR. I thought it necessary to discuss Telnet & SSH before we delve into TOR, as TOR is very complex and a good background on networking/encryption is useful. Thank you for reading. Expect a post about TOR towards the end of this month.








Tuesday, 8 July 2014

Update Coming Saturday 12th July



Apologies for not meeting my target for the Tor Investigation Part 2. I WILL continue the investigation and start with a quick look into an encrypted protocol such as SSH. I've been exceptionally busy with work and I am currently taking the Offensive Security Wireless Professional (OSWP) course.

I am due to take my exam on Saturday - so once my exam is over, I will make a post on here and give you my thoughts on the OSWP course. P.S On a side note - there has been a massive boost in traffic to the website. I've seen approx 1,000 hits in 2 weeks! Thank you to everyone who reads the blog and a big thank you to those who comment and help the community by sharing (legal) files. Next update will be this Saturday 12th July - wish me luck for my exam! Thanks all.

Friday, 20 June 2014

Prequel - An Investigation Into TOR Pt. 1 - Telnet (In)Security




Having recently joined a large security company, we'd been discussing TOR during training, and then I'd spoken to a friend about TOR being in the news a lot lately. So, I've decided to do some ongoing investigative research into TOR. Before we get deeply involved with the networking, I'm going to make sure all my readers have a basic understanding of protocols. For this post, we'll be taking a quick look at an unencrypted protocol: Telnet.

The first step is to go to 'Programs and Features', turn on Windows Features - Telnet Server. It was at this point that I actually learned something very interesting during the course of this post. "Local Users and Groups" has been taken out of non-Pro versions of Windows 8/8.1. This is rather annoying, because when you try to Telnet INTO Windows 8, the user you're telnetting in as needs to be a member of the "TelnetClients" group. As you cannot seem to do this via the GUI, we'll have to do it by command; Rich Baldry over at SuperUser.com posted the command you'll have to use if you wish to replicate this post.

Use the command 'net localgroup' as follows. This works on non-Pro Win 8 as well.
  1. Open a privileged command prompt: Open Explorer and search for 'cmd.exe'. When it appears in the file list, right-click and select 'Run as Administrator'.
  2. Run the command: In the privileged command prompt window, enter the command as follows:
    net localgroup [groupname] [username] /add
    
    To see a list of local groups available, just type:
    net localgroup
    
    To see other options, type:
    net help localgroup
    
 So in my case, I had to open command prompt and type in: net localgroup TelnetClients Simon /add

 After making sure the Telnet server service was turned on in Windows 8, I started up Kali Linux so I could telnet from Kali over to Windows 8. I should mention that both Windows 8 and Kali were virtual machines. On my local computer, I had Wireshark running, capturing the packets that were flying around the network.

The first instance of Telnet shows that the following flags were set: PSH and ACK. PSH is short for PUSH; all you need to know is that TCP buffers data and that without a PSH flag it won't be pushed up to the application immediately. If you want a more in-depth look at PSH, see RFC 793 (the TCP specification).


A quick look at Wireshark's statistical protocol hierarchy shows that the traffic was communicated using IPv4 and that a significant amount of traffic was TCP and Telnet; as we know, Telnet uses TCP and operates on port 23.

Just to make the point, Kali's port 57600 (the client's ephemeral source port) was sending traffic to Windows 8's port 23. Telnet runs over the Transmission Control Protocol, aka TCP. TCP is a connection-oriented protocol and requires what is known as a 'handshake' to set up end-to-end communication. Only once a connection is set up can user data be sent bi-directionally over it.

It's important to note that TCP guarantees that data arrives, and arrives in the same order in which it was sent, whereas UDP does NOT. The port number has nothing to do with this: UDP on port 57600 would give no such guarantee, whereas TCP on port 57600 does.

Security

So, how is all of this relevant to TOR? Well, Telnet is an insecure protocol. Data is transmitted unencrypted, which means that anyone sniffing the packets traversing the network can read whatever is being sent, credentials included, in plain text. So, I started Wireshark sniffing packets, then logged into Windows 8 via Telnet from Kali and used the 'dir' command to show the directory listing.

So, now, as an attacker, let's see what I've just picked up:



Oh dear. If this were a real scenario, the attacker would have just got my username AND password. They can also see the commands I ran whilst I was using Telnet. This is why Telnet isn't really used any more (or shouldn't be, although I have seen it running in an IT environment before!).
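Reconstructing that from a capture by hand is tedious, so here is an added example (not from the original post) that does for Telnet what Wireshark's 'Follow TCP Stream' does: it strips the IAC option-negotiation bytes from each direction of the stream (coping with a sequence split across two TCP segments) and pairs the server's login/password prompts with what the client typed next. The segments are constructed to stand in for my capture; the credentials in them are made up.

```python
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
NEGOTIATE = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}


class TelnetDirection:
    """Strips Telnet commands (IAC ...) from one direction of a TCP stream; state is
    kept between segments because a command sequence can straddle two of them."""

    def __init__(self):
        self.text = bytearray()    # what the user typed / the server printed
        self.negotiations = []     # ("DO", 1)-style pairs seen in this direction
        self._pending = b""        # incomplete IAC sequence from the previous segment
        self._in_sb = False        # inside IAC SB ... IAC SE

    def feed(self, segment):
        data, i = self._pending + segment, 0
        self._pending = b""
        while i < len(data):
            b = data[i]
            if b == IAC and i + 1 == len(data):    # IAC is the last byte we have: wait
                self._pending = data[i:]
                return
            if self._in_sb:                         # subnegotiation body: skip to IAC SE
                if b == IAC and data[i + 1] == SE:
                    self._in_sb = False
                i += 2 if b == IAC else 1
            elif b != IAC:                          # ordinary data byte
                self.text.append(b)
                i += 1
            elif data[i + 1] == IAC:                # IAC IAC is a literal 0xFF data byte
                self.text.append(IAC)
                i += 2
            elif data[i + 1] in NEGOTIATE:          # three-byte option negotiation
                if i + 2 == len(data):
                    self._pending = data[i:]
                    return
                self.negotiations.append((NEGOTIATE[data[i + 1]], data[i + 2]))
                i += 3
            else:                                   # IAC SB opens a subnegotiation; other
                self._in_sb = data[i + 1] == SB     # two-byte commands (NOP, GA...) are dropped
                i += 2


def follow_stream(segments):
    """segments: ordered ('C' or 'S', payload) pairs, i.e. a capture's TCP payloads
    in arrival order. Returns the cleaned transcript plus both direction objects."""
    dirs = {"C": TelnetDirection(), "S": TelnetDirection()}
    transcript = []
    for direction, payload in segments:
        d = dirs[direction]
        before = len(d.text)
        d.feed(payload)
        if len(d.text) > before:
            transcript.append((direction, bytes(d.text[before:])))
    return transcript, dirs


def harvest(transcript):
    """Pair login/password prompts with the client's next typed line; later lines are commands."""
    found = {"username": None, "password": None, "commands": []}
    expecting, typed = None, b""
    for direction, chunk in transcript:
        if direction == "S":
            low = chunk.lower()
            if b"login:" in low or b"username:" in low:
                expecting = "username"
            elif b"password:" in low:
                expecting = "password"
            continue
        typed += chunk
        while b"\r" in typed:                       # Telnet lines end in CR LF (or CR NUL)
            line, _, typed = typed.partition(b"\r")
            typed = typed.lstrip(b"\n\x00")
            line = line.decode("ascii", "replace")
            if expecting:
                found[expecting], expecting = line, None
            elif line:
                found["commands"].append(line)
    return found


# Constructed segments standing in for the capture in the post (Windows Telnet Server
# prompts; the credentials are made up). Two IAC sequences are split across segments.
CAPTURE = [
    ("S", b"\xff\xfd\x18\xff\xfb\x01\xff\xfb\x03"),             # DO TERMINAL-TYPE, WILL ECHO, WILL SGA
    ("C", b"\xff\xfb\x18\xff\xfd"), ("C", b"\x01\xff\xfd\x03"),  # WILL TERMINAL-TYPE, DO ECHO (split), DO SGA
    ("S", b"\xff\xfa\x18\x01\xff\xf0"),                         # SB TERMINAL-TYPE SEND SE
    ("C", b"\xff\xfa\x18\x00XT"), ("C", b"ERM\xff\xf0"),        # SB TERMINAL-TYPE IS "XTERM" SE (split)
    ("S", b"Welcome to Microsoft Telnet Service \r\n\r\nlogin: "),
    ("C", b"S"), ("C", b"i"), ("C", b"m"), ("C", b"o"), ("C", b"n"), ("C", b"\r\n"),
    ("S", b"Simon\r\npassword: "),
    ("C", b"S3cr"), ("C", b"et!\r\n"),
    ("S", b"\r\nC:\\Users\\Simon>"),
    ("C", b"dir\r\n"),
    ("S", b"dir\r\n Volume in drive C has no label.\r\n\r\nC:\\Users\\Simon>"),
]


def demo():
    transcript, dirs = follow_stream(CAPTURE)
    result = harvest(transcript)
    result["client_negotiations"] = dirs["C"].negotiations
    return result
```

The negotiation bytes are what make a raw Telnet dump look like noise in a hex view; once they are stripped, the client direction is literally the keystrokes, one per segment, which is why the username and password fall out with no further work.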

So, in my next post, we'll move onto SSH and then we'll begin working out how TOR works. This wasn't even the tip of the iceberg. SSH Sniffing will be posted here around 30th June.

Sunday, 15 June 2014

Cookies & Advertisements

 So, you like cookies, huh?




This month, I've decided to go 'back to basics' and discuss internet advertisements. A massive number of users run browser extensions to block ads, but do most users know exactly what they're blocking? For this post, I used IE 11 and Firefox 30.0, which were the latest at the time of writing.

For those of you who remember using dial-up, you'll be familiar with ads. Banner ads used to be extremely popular, and still are to a degree. Adverts generate money; this is the most important thing to remember. When you click on an advert, someone just got paid; more clicks = more money. I remember vividly trying to navigate around websites without clicking on ads back in the 90s; it was almost impossible.

Websites would 'trick' users by having ads that seemed like part of the website, when in fact they were a third-party advert that would send you to an obscure website you'd never heard of. These websites would leave what's known as a 'cookie' on your computer. A cookie is a small piece of text (a name and value, plus attributes such as an expiry date and the domain it belongs to) that a website sets and your browser sends back on every later request to that domain; that is how a site recognises you between requests and remembers your preferences.

There are 'good' cookies and there are 'bad' cookies. A cookie by itself is just data, but a tracking cookie set by an advertising network is an identifier that lets that network recognise you on every site carrying its ads, and the profile built up that way can be sold on to third parties. (Spam that greets you by name usually comes from a leaked or sold mailing list rather than from a cookie, since a cookie can only hold what the site that set it already knew about you.)

So, what else can cookies do? Well, if you've ever browsed Amazon for a PS3 console, then gone to another website and got an advert for a PS3 on Amazon, again, cookies are tracking your activity. Therefore, it's important to know about the different kinds of cookies:

  • Persistent cookies - carry an expiry date (the Expires or Max-Age attribute) and remain after your browser has closed, so they can be re-used on later visits
  • Temporary (session) cookies - have no expiry date and are deleted when your browser closes
  • First-party & Third-party cookies - first-party cookies originate from the website you're currently looking at in your browser. Third-party cookies are set by a different domain than the one in your address bar, typically an advertising or analytics network embedded in the page, which is how that network sees you across every site that embeds it. (The Amazon example above is an example of this.)
Many sites carry adverts from third-party sites, and those sites track your web activity for the sole purpose of advertising. Most browsers let you block third-party cookies outright. The lesson here is: check your settings. Check what you're allowing cookies to do on your computer.
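To make those categories concrete, here is an added example (not from the original post) that classifies the Set-Cookie headers a page's responses carry: persistent or temporary from the Expires/Max-Age attribute, first- or third-party by comparing the cookie's domain with the page's, and, going a little beyond the list above, whether the Secure and HttpOnly flags are set. The page URL, hosts and headers are constructed for the example; the 'last two labels' rule for deciding what counts as a site is an approximation (browsers use the Public Suffix List).

```python
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit


def registrable_domain(host):
    """Approximate a 'site' as the host's last two labels. Real browsers use the
    Public Suffix List (example.co.uk needs three); two labels suffice for .com here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify(page_url, setter_host, header):
    """Classify one cookie the way the list above does (persistent/temporary,
    first/third party) and report the Secure and HttpOnly flags."""
    name, _, attrs = parse_set_cookie(header)
    cookie_domain = attrs.get("domain", setter_host).lstrip(".")
    page_site = registrable_domain(urlsplit(page_url).hostname)
    party = "first-party" if registrable_domain(cookie_domain) == page_site else "third-party"
    if "max-age" in attrs:
        lifetime = f"persistent ({int(attrs['max-age']) // 86400} days)"
    elif "expires" in attrs:
        lifetime = f"persistent (until {parsedate_to_datetime(attrs['expires']).date()})"
    else:
        lifetime = "temporary (session)"
    return {
        "name": name, "domain": cookie_domain, "party": party, "lifetime": lifetime,
        "persistent": lifetime.startswith("persistent"),
        "secure": "secure" in attrs, "httponly": "httponly" in attrs,
    }


# Constructed headers (not captured from real sites): a news site's own session
# cookie and remember-me cookie, plus an ad network's tracking cookie set by an
# advert embedded in the page.
PAGE = "http://www.example-news.com/story/1234"
RESPONSES = [
    ("www.example-news.com", "session_id=abc123; Path=/; HttpOnly"),
    ("www.example-news.com",
     "remember_me=tok; Domain=.example-news.com; Max-Age=2592000; Secure; HttpOnly"),
    ("ads.tracker-net.com",
     "uid=7f3e9a; Domain=.tracker-net.com; Expires=Wed, 15 Jun 2016 00:00:00 GMT; Path=/"),
]


def audit(page_url=PAGE, responses=RESPONSES):
    """Classify every cookie the page's responses set."""
    return [classify(page_url, host, header) for host, header in responses]


if __name__ == "__main__":
    for c in audit():
        print(f"{c['name']:12} {c['party']:12} {c['lifetime']:28} "
              f"secure={c['secure']} httponly={c['httponly']}")
```

The third entry is the one the post is warning about: a two-year cookie set by a domain you never typed into the address bar, carried along with every advert that network serves, which is exactly what the 'block third-party cookies' setting in your browser is for.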

Back to advertising. Is there anything more annoying than Google Ads? Google scans your emails and picks up on keywords, which then allows them to bring you tailored ads, known as 'targeted' adverts. Recently, a friend and I were emailing back and forth about VPS hosting. Lo and behold, look at the ad in my Gmail (IE 11 without ad-blocking software):


Crafty, huh? There are debates over this sort of thing, and people have different opinions. Personally, I don't like the fact that software is scanning my emails for keywords, and who knows what else it's doing; we simply don't know. I was browsing a popular news website and got the following ad along the right-hand side of the page (again, IE 11 with no ad blocker):

 
Installing the ever-popular 'Adblock' extension to your browser will stop this kind of thing. Here is a screenshot taken from Firefox 30.0 with Adblock installed:


The screenshot above shows that Google's ad has been removed. And below, you'll see the ad was removed from the news website, hence the blank space in the screenshot. Although these ads were 'legitimate' and not malware, Adblock can help to minimise the risk that ads present. Not all ads are genuine; in fact, there's an increasing number of ads out there that aim not only to track you but to get you to inadvertently install malware on your machine (so-called 'malvertising'). So there you have it: cookies & advertisements, not as tasty as they sound! (Sorry, I couldn't help myself...)

Thursday, 29 May 2014

How To Use SOPIA Suite



DuFF - Duplicate File Finder



FiBS - File Investigation Bite-size



 

SHIFT - Simon's Hash Info Finder Tool




SPIES - Simon's Portable iPhone Exif-extraction Software

SOPIA Suite Overview

An overview of SOPIA Suite

 


You can download/contribute to SOPIA Suite here

Wednesday, 28 May 2014

iPhone Backup Forensics - Manifest.mbdb



When I think of iPhones, I remember my own iPhone 3G, 3GS and 4, and whilst I didn't own a 5C or 5S, my girlfriend and my sister owned them respectively, so I have used them. I've used iPads and MacBooks and I understand why people love iPhones; so do I. I think they're much better phones than Androids. However, when you need to do forensics on an iPhone backup, it's slightly time-consuming.

As ever, I like to speed up processes. I like scripting, I like automation, and iPhone backups are crying out for some sort of automation forensic-wise. But fear not! It exists! But, let me tell you why it's needed. An iPhone backup is stored in the following locations:


  • Windows XP: %HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}
  • Windows Vista/7/8: %HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID} or %APPDATA%\Apple Computer\MobileSync\Backup\{UDID} 
  • OS X: ~/Library/Application Support/MobileSync/Backup/{UDID}


The UDID is a 'Unique Device Identifier' and, having worked as an app tester, a developer can provide you with an app they're developing that will only work on your UDID; the important thing to take away is that it's unique to the device. Looking inside an iPhone backup, you'll see that it is full of files with funny-looking names. These names are SHA-1 hashes (of the original file's domain and path, as we'll see below) and don't make much sense on their own; however, included in the backup are four important files:


  • Info.plist 
  • Manifest.mbdb
  • Manifest.plist
  • Status.plist


The Manifest.mbdb file is of great importance. Essentially, this file lists every file included in the backup, with its domain and path in plain text. The downside is that the backed-up file itself is stored under the SHA-1 hash of 'domain-path', so you have to convert each entry yourself to find it. For example, HomeDomain-Library/Safari/Bookmarks.db becomes F0EC7DF5C552FCA6871EDA5621AB225CB5EFEDA4 as a SHA-1 hash. Then we'd have to look through the files, but do you see how that would get annoying? Having to take a string and SHA-1 hash it, over and over? I created a Python script with a batch file to help quickly turn the string into a SHA-1, which works, but I still wanted the process to be faster. You can download my script from https://github.com/smc13/otherTools (look for shaConverter).

As I mentioned, I wanted a quicker, more efficient way of getting all the strings converted to SHA-1 hashes. As mentioned above, the Manifest.mbdb contains all the files in the backup. After a quick search, I found the following tool: 'iPhone Backup Browser'. This tool can be found here and is created by a guy called Rene. What we're interested in is the mbdbdump.exe file.

Once you export the Manifest.mbdb file into the same directory as mbdbdump.exe, all you need to do is run this simple command: mbdbdump.exe > mbdbDump.doc (or .txt, .csv, etc.). Once this is done, you'll see data in the following format:

record 7 (mbdb offset 6)
  key    25f31bdb3de9bdead048a0090097d5c1091296d2
  domain CameraRollDomain
  path   Media/DCIM
  mode   dir (488)
  time   28/02/2013 10:04:26
  data   41E8 00000000 0000003F 000001F5 000001F5 512F2BAA 512F2BAA 50CE9157 0000000000000000 04 00

We can verify the hash if we want by taking the domain (CameraRollDomain), adding a '-' and then appending Media/DCIM on the end, so it looks like this: CameraRollDomain-Media/DCIM; and, you guessed it, we get the same SHA-1 hash (see picture below). The 'data' line is the fixed-size part of the record that follows the strings: the mode (0x41E8, a directory with permissions 750, which mbdbdump shows as the decimal 488), the inode number (0x3F), the uid and gid (0x1F5 = 501, the 'mobile' user on iOS), three 32-bit Unix timestamps (mtime, atime and ctime; 0x512F2BAA is 28/02/2013 10:04:26), a 64-bit file length (0 for a directory), a flag byte and the number of extended properties that follow.


(The software being used in picture is called 'Text Checksum' by Benoit Ferace and can be downloaded from the Windows Store)


So there we have it. There's no need to look in the Manifest.mbdb file and manually convert every string, just export the file and dump its contents. Happy investigating!



Tuesday, 20 May 2014

Domain Extension + The 28th



Domain Extension!

As my 3 year University course finishes, I decided to take a quick look at where this blog started. At the time of writing, it has been 9 months since the blog started. I was debating whether to revert to hackingtheperimeter.blogspot.com or whether to extend the domain name for another year.

Whilst the cost of this site is very low, the domain name and WHOIS charges cost approx. $15 per year. Statistics seem to show that I get hits from the USA and UK mainly, and if I was to hazard a guess, I'd say I have 100+ regular readers. If those 100 readers clubbed together $0.15 each, that would be another year's domain costs paid.

Now, this isn't a post to beg you for your cash - I've just paid for a years renewal, because when I started this blog, I wasn't expecting 1 regular reader. To have at least 100 is amazing and I was more than happy to pay for another year of Hacking The Perimeter.

28th Day

One or two readers have let me know that they would much prefer me to post on a specific date rather than whenever I feel like it. I know some of my readers use RSS feed, but some don't. Therefore, I am now going to post once a month, on the 28th day of that month.

So....you're telling us there's only going to be 12 posts a year?!? ......Yes.....from me. That's where YOU come in. I will be asking YOU to write a mid-month article on anything IT-related. It could be cloud-computing, green energy reducing IT equipment, forensics, security, hacking - whatever. Each month there will be an opportunity for a reader to make a post. That means each month there *could* be two posts.

Quality over quantity, folks, quality over quantity!

Thanks for reading. Here's to another year of HackingThePerimeter!




Saturday, 17 May 2014

Old Doesn't Mean Useless (Priv Escalation)

I have what you could describe as 'geeky' friends; so geeky that one of them set me a challenge. I'm in the process of relocating and, as I'm without internet access, my friend offered me his, but only if I could beat his challenge. After making my way to his house, I was greeted at the door by a grin and a laptop. The laptop was running Windows 7 64-bit. My mission, should I choose to accept it, was to gain root access.

All I had was a standard user account called 'local' and an Administrator account called 'Simon' - but I didn't know the password for this (see screenshot below).



I checked the machine for any signs of Windows updates, and it looked as if the system had been installed and no updates had been downloaded, though the Administrator had installed AVG Anti-Virus 2014, which I thought would destroy any hopes of downloading code and executing it on the machine. Or would it? Now I'd posed the question, I wanted to test my theory. For those of you who have a better memory than me, you'll remember CVE-2010-3888 (the Windows Task Scheduler vulnerability, MS10-092), which was a 0-day exploit. Apparently the Stuxnet worm was using this to elevate privileges.

I, however, didn't remember it, but after a few minutes of Google searching I figured it would be worth a shot. My main worry was that AVG 2014 would detect it and my friend would laugh at my feeble attempt. So, I proceeded to download the code and take some screenshots along the way.

To my amazement, AVG 2014 didn't flag the file once it had downloaded onto the desktop. As you can see in the screenshot below, I used 'cscript <script>' to run the file and it ran through with no errors.


I then checked to see whether an administrator account had been created and it had.


More proof:


I scanned the file with AVG 2014 and it wasn't detected!


Now, this exploit is 4 years old at the time of writing; in the real world, most, if not all, machines will be patched, but it brings up an important thing to note: having an anti-virus DOESN'T mean you're protected, even if the exploit is old. I personally use Vipre Anti-Virus when I'm using a Windows machine, and I did check: Vipre does pick up this code. This isn't to say AVG 2014 is bad; lots of anti-virus software doesn't pick up this particular script (according to the results from VirusTotal, where just 17/52 AVs picked up this malicious code!).


Until next time...





Tuesday, 13 May 2014

Presentation Tips

Presentations can be tough, especially if you don't know your audience, haven't prepared, or are simply nervous. This post has come about because, whilst I've been at university, I have taken part in several presentations and have picked up a fair amount of valuable information which I want to share, so that you can have 3 years' worth of experience handed over to you in a page's worth of text.

The 3 P's: Prepare, prepare, prepare. It's no good thinking you can 'wing it'. A presentation requires you to know your subject and to articulate your thoughts into understandable sentences which capture the imagination of the audience and don't send them to sleep. Preparation doesn't stop there, though; in fact, preparation includes knowing your environment and audience.

At the time of writing, I have not long come out of a presentation which could have landed me with a job - so yes, this was an important presentation. I made a mistake by not knowing the environment I was presenting in. My laptop was set up with a powerpoint and two virtual machines - which I would be using for a live demonstration. Unbeknownst to me, the environment didn't support HDMI and I ended up having to remotely log into my laptop, which completely threw me off track and despite trying to regain composure, I didn't feel as if it worked. All this could have been avoided by knowing the environment and testing it prior to the presentation.

Know your audience. Are your audience technical? Are they non-technical? It's important to gauge how well your audience understands the subject area, as this lets you know how technical you can afford to be. Now for some brief points you should think about before you go and do your presentation:

  • Have Eye Contact - Too many people avoid looking at the audience. I too have been guilty of it in the past. Whilst it may not be appropriate to glare at one of your guests all the way through, look at them, talk to them; it helps to invite them into your conversation.
  • Slow down! - I found that a lot of people tend to talk fast, which may be due to nerves, but it's quite important to go at a slow and steady pace rather than quick and risk losing your audience.
  • Know Your Speech - I always try my best to know what I'm going to say. I know lots of friends who use notes or write notes under their presentations; I've got nothing against it, but I don't like to try and memorise a set of notes too much, or the presentation risks looking a little unnatural and becoming robot-like. Have an idea what to say, but don't stick to the script TOO much.
  • Have A Backup Plan! - After tonight's experience, I will never again go to a presentation without a solid backup plan. If something goes wrong, you need to have a plan. This could be having your PowerPoint on 2x USB sticks, just in case one is lost, corrupt etc. In my case, I needed a pre-recorded video of my 'live demo' so that I could have shown the audience my software if any technical issues meant that I couldn't hook up my laptop.

I don't proclaim to be perfect at presentations - far from it. I like doing presentations because I feel like there's alot to learn from each one. Each presentation offers a slightly new scenario and new challenges. These tips are just as much for you as they are for me. I will most certainly use these myself whenever I have a presentation in the future.

Remember one thing you should always do, without fail....enjoy your presentation!

Thanks for reading.

Thursday, 8 May 2014

The Art of Doxing



Doxing (or doxxing) comes from 'docs' (documents): collecting and compiling the documents and facts that identify a person. Building that kind of profile of a target can be part of a penetration test, as you need to find out information about the people you're up against. Now, we're going to look at elements of doxing and how you can help yourself stay safe. Doxing usually begins with something small, such as an email address, a forum username or a name.

From here, doxers (is that a word? It is now!) can search for information about that person. Doxing differs slightly from information gathering, because information gathering usually targets a server or computer, whereas doxing tends to use freely available information about a person for the most part. So, for the purpose of this post, I went onto Twitter and looked at one of the first names that I came across. I won't publish any private information about the person(s) involved, such as their real name.

So, Twitter allows a username in the format @UsernameHere as well as your name. Now, this person had used her real name as well as a username, so already I had a username and a real name to go on. A quick search on Pipl.com showed that Twitter-mining websites had collected previous posts by the lady, let's call her 'Helen'. Helen had posted a photograph which, unbeknownst to her, contained a piece of paper in the lower left of the image with her address on; on her real Twitter it had since been deleted. Normally, that's about as far as you'd need to go with doxing; however, that was too easy, so I continued to dig a little deeper. The photographs posted by the woman showed the following:

  • A pet Labrador
  • Her at a Chelsea football match
  • Her at a Michael Mcintyre gig
  • Her at University (I wont mention which one)
  • Her at a Drake concert

Underneath the photograph of the pet Labrador was the name of the dog. The text underneath the Chelsea football match had the date she went to the game, and so on. The one that struck gold was a tweet saying what her favourite chocolate was. This was almost certainly going to be the secret word/phrase for her email account. And if not, I could have used the brute-force technique in one of my previous posts to attempt to gain access.

At this point, I'll admit, I was thrown off the trail. I almost gave in because I couldn't find any more information about this person... until I found peekyou.com. Peekyou.com is similar to Pipl.com in the way it harvests information, and it's very scary from a security point of view.

Typing in the lady's Twitter name brought up her profile from when she'd created her Twitter account, which told me what school she went to. From there, I could look on Facebook and filter by education: found her! (She wasn't showing up in any searches until I got her previous-education history.)

Helen's Facebook URL had been set to a custom name, different from her Twitter one. Appending @gmail.com to her custom Facebook URL gave her email address. From here, it was a case of going to Gmail.com and clicking 'forgot password' to confirm that the email address DID exist. Someone with different motives than me could have attempted to gain access to her account by simply going back to the login screen and attempting to brute-force the account, OR attempting to reset the password using the 'forgotten password' method.

Or, what about phishing? Now a potential attacker has a known email address to target...the options are almost endless. At this point, I told her how to secure her account and insisted she use two-factor auth; we've since had a laugh about it.

Conclusion


So, what can we learn from this? Whatever you put on the internet can reveal all sorts of things about you, which can be used in a social-engineering attack. Ensure you use complex passwords that aren't your pet's name, favourite football club etc. Your password should not be found in the dictionary either, and the same goes for the answers to 'secret question' password resets: if the answer is on your Twitter feed, it isn't secret.

Be extremely careful when naming your Twitter or Facebook profile and be careful what you upload. Uploading pictures and tweeting paints a picture of YOU. It allows a 'bad guy' to profile you. In this case, I was able to profile the lady and *probably* would have had some success in stealing her account if I was that way inclined. I would be inclined to hide your Facebook profile from public search and protect your tweets so only selected followers can see them.

And finally, implement two-factor authentication. Many websites now allow you to add your mobile phone number to your account, so whenever you log in, you get a text message with a code in it; you simply type that code into the box on the website and you're logged in. This means a third party who has only your password (guessed, reset or phished) still can't get into your account without also getting hold of your phone.


Stay safe online. Until next time!

Sunday, 4 May 2014

Ubuntu 14.04 - Booting up to a black screen




This post isn't the security post I'd promised; that will be this coming week. No, this issue is Ubuntu 14.04 LTS again. It seems that every step Ubuntu takes forward, it takes several back. At the time of writing, the Ubuntu forums are filled with people having sound issues and graphics issues. I daren't check the networking forum, because I know how many Wi-Fi issues I was having with Ubuntu 14.04 LTS last week.

Today's issue was different. Ubuntu 14.04 LTS booted up to a black screen. At first, I pressed my brightness function key, because HP laptops are known for booting with low brightness, but that didn't fix it. At this point, I began to panic a little bit, because I knew I was looking at a possible re-install of Ubuntu.

I dropped to a shell and ran 'ls', which showed my files were all there, and 'cat' showed that they were still intact. This seemed to be a driver issue. Now, I hadn't done any fiddling with drivers, so there's absolutely no reason this should have happened. I looked around on the web and people were talking about re-installations, until I found one guy who said he dropped into the command line, removed lightdm and installed gdm.

Before I tell you how to do that, what is lightdm? "The most user visible aspect of the display manager is the login screen, however it also manages the X servers and facilitates remote logins using the XDMCP protocol. LightDM was added as default display manager in Ubuntu 11.10 (Oneiric) replacing GDM which had been the display manager since the beginning." (Source: Ubuntu wiki.)

So essentially, GDM was replaced by lightdm. I followed the guy's suggestions:


  • Boot into recovery mode (or you can actually just hit ctrl + alt + f1 to drop into a shell from your black screen, which is what I did)
  • type in: sudo apt-get remove lightdm
  • sudo apt-get install gdm
  • sudo shutdown -r 0
Your machine should now boot up with a different (and imho, better) login screen. You should now be able to login without seeing a black screen. I know what you're thinking: wouldn't it be better to boot into recovery, un-install lightdm....and re-install it? Yes - it probably would. But this is what was suggested and this is what worked for me.

Hope it helps someone out there. 

Tuesday, 29 April 2014

Ubuntu 14.04 + Windows 8.1 + Realtek RTL8188EE + Google Earth

Wi-Fi Woes (caused by Realtek RTL8188EE)


What a ride it has been. I've encountered some weird and wonderful times with my laptop which has taken me right back to my IT Technician days. Firstly, I partitioned my drive, installed Linux Mint and despite me choosing 'Install Mint 16 over 14'....it formatted the drive. Now the main issue here, was that it overwrote the recovery sector - in other words, it was FUBAR.

Since most of my work is encrypted and backed up on cloud services, I hadn't lost anything of importance, so I did a full re-installation of Windows 8.1. Now, I am unfortunate enough to own an HP laptop with the 'Realtek RTL8188EE' chipset. Let me tell you, this chipset is a NIGHTMARE. At the time of writing, it's not always recognised by Ubuntu 14.04 LTS (the new Ubuntu LTS), or when it is recognised, it's EXTREMELY slow and intermittent. Soon enough, I couldn't get a connection at all. Neither Windows 8.1 nor Ubuntu 14.04 could connect.

After much searching on the web, and encountering people with similar issues, I managed to find a fix. It was the strangest fix in a while, but it seemed to work: resetting the BIOS to default settings. This got me a connection on both Ubuntu and Windows. However, Wi-Fi was still unstable on both OSes. I installed a newer kernel (3.14) in Linux, which seemed to solve the issue.

If you're on Ubuntu 14.04 and your wi-fi is slow, intermittent and generally crap, you should follow some instructions I posted over on the Ubuntu forums: http://ubuntuforums.org/showthread.php?t=2218962

The user 'basgoossen' on the Ubuntu forums also found that his wi-fi was still unstable, although it was faster when it worked.

The REAL fix seems to be changing the channel in the router; I've since changed the channel of my wi-fi via router settings and so far so good...I'm getting a good speed:



This sounds like a trivial issue, although it has taken a hell of a long time to figure out how to fix it. There have been quite a few of us on the Microsoft / Ubuntu forums trying to figure out just what is wrong with our chipset (Realtek RTL8188EE) and it turns out that it might actually be the router that's at fault!

TL;DR - You can try the following fixes:

  • Delete the old driver in Windows (Device Manager) and re-install the Realtek driver from your manufacturer's website
  • Reset BIOS to default settings, then boot into either Ubuntu 14.04 or Windows 8.1
  • Change the channel your router is broadcasting on from 'auto' to something like '2 + 6' if you're on Virgin Media, or another setting if you haven't got this. (Please ensure you have an ethernet cable before you attempt any of these fixes, because you might just need it if things go pear shaped).


Google Earth


And finally, that brings me onto Google Earth. Installing Google Earth on Ubuntu 14.04 isn't as straight forward as downloading the debian file and double clicking - no. That's because ia32-libs is required, and guess what? It is deprecated (since Ubuntu 13.10). I wondered whether it would be possible to install Google Earth anyway - and it turns out that you can - but it requires a bit of hacking to get it to work.

You can go to here or here for instructions on how to install Google Earth on a 64-bit Ubuntu 14.04 installation. Good luck, and have fun googling!

Next week i'll update the site with something a bit more security/forensics related.