Friday, 20 June 2014

Prequel - An Investigation Into TOR Pt. 1 - Telnet (In)Security




Having recently joined a large security company, we'd been discussing TOR during training, and I'd then spoken to a friend about TOR being in the news a lot lately. So, I've decided to do some ongoing investigative research into TOR. Before we get deeply involved with the networking, I'm going to make sure all my readers have a basic understanding of protocols. For this post, we'll be taking a quick look at an unencrypted protocol: Telnet.

The first step is to go to 'Programs and Features', then 'Turn Windows features on or off', and enable Telnet Server. It was at this point that I learned something very interesting during the course of this post: "Local Users and Groups" has been taken out of non-Pro versions of Windows 8/8.1. This is rather annoying, because when you try to telnet INTO Windows 8, the user you're telnetting in as needs to be a member of the "TelnetClients" group. Since you cannot do this via the GUI, we'll have to do it from the command line; Rich Baldry over at SuperUser.com posted the command you'll need if you wish to replicate this post.

Use the command 'net localgroup' as follows. This works on non-Pro Win 8 as well.
  1. Open a privileged command prompt: Open Explorer and search for 'cmd.exe'. When it appears in the file list, right-click and select 'Run as Administrator'.
  2. Run the command: In the privileged command prompt window, enter the command as follows:
    net localgroup [groupname] [username] /add
    
    To see a list of local groups available, just type:
    net localgroup
    
    To see other options, type:
    net help localgroup
    
So in my case, I had to open a command prompt and type in: net localgroup TelnetClients Simon /add

After making sure the Telnet server service was turned on in Windows 8, I started up Kali Linux so I could telnet from Kali over to Windows 8. I should mention that both Windows 8 and Kali were virtual machines. On my local computer, I had Wireshark running, capturing the packets that were flying around the network.

The first Telnet segment in the capture had the following flags set: PSH and ACK. PSH is short for PUSH, and all you need to know is that TCP buffers data, and that without the PSH flag it won't be PUSHED up to the application immediately. If you want a more in-depth look at PSH, click here.


A quick look at Wireshark's Protocol Hierarchy statistics shows that the traffic was carried over IPv4 and that a significant amount of it was TCP and Telnet; as we know, Telnet runs over TCP on port 23.

Just to make the point, Kali's port 57600 was sending traffic to Windows 8's port 23; 57600 is simply the source port the client picked for this Transmission Control Protocol (TCP) connection. TCP is a connection-oriented protocol, and it requires what is known as a 'handshake' to set up end-to-end communication. Only once a connection is set up can a user's data be sent bi-directionally over it.

It's important to note that TCP guarantees delivery of the data on port 57600 in the same order in which it was sent, whereas UDP does NOT: UDP on port 57600 would give no such guarantee, whereas TCP on port 57600 does.

Security

So, how is all of this relevant to TOR? Well, Telnet is an insecure protocol. Data is transmitted unencrypted, which means that anyone sniffing the packets traversing the network can read what is being sent, in plain text. So, I set Wireshark sniffing packets, logged into Windows 8 via Telnet from Kali, and then used the 'dir' command to list the directory.

So now, as an attacker, let's see what I've just picked up:



Oh dear. If this were a real scenario, the attacker would have just got my username AND password. They can also see the commands I ran whilst I was using Telnet. This is why Telnet isn't really used anymore (or shouldn't be, although I have seen it running in an IT environment before!).
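To show in code what the Wireshark screenshots above show in pictures, here is an added example (my own, not code from the original post) that reconstructs the cleartext of a Telnet session from captured TCP segments. The segments in CAPTURE are constructed by hand to resemble the Kali (port 57600) to Windows 8 (port 23) login, with the username "Simon" and a made-up password; a real analysis would read them from a pcap. It also decodes the TCP flags byte (0x18 is PSH+ACK, as in the first segment) and picks Telnet out of the other traffic by port number, the same way the protocol hierarchy view does.

```python
"""Reconstructing what a sniffer sees in a Telnet session.

Added example, not code from the original post. The segments in CAPTURE
are constructed by hand to look like the post's Kali (port 57600) to
Windows 8 (port 23) login; a real analysis would read them from a pcap.
"""
from typing import Dict, List, Optional, Tuple

# Telnet command bytes (RFC 854)
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254

# TCP flag bits in the 8-bit flags field of the header
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# (src_port, dst_port, tcp_flags, payload); constructed, not captured
Segment = Tuple[int, int, int, bytes]
CAPTURE: List[Segment] = [
    (57600, 23, 0x18, b"\xff\xfd\x03\xff\xfb\x18"),        # client: option negotiation only
    (23, 57600, 0x18, b"\xff\xfb\x01\xff\xfb\x03login: "),  # server: WILL ECHO, WILL SGA, prompt
    (57600, 23, 0x18, b"Simon\r\n"),                       # username typed on Kali
    (23, 57600, 0x18, b"Simon\r\npassword: "),             # server echoes it, asks for password
    (57600, 23, 0x18, b"Passw0rd!\r\n"),                   # constructed password, sent in the clear
    (23, 57600, 0x18, b"\r\nC:\\Users\\Simon>"),           # shell prompt after login
    (57600, 23, 0x18, b"dir\r\n"),                         # the 'dir' command from the post
    (23, 57600, 0x18, b"dir\r\n Volume in drive C has no label.\r\n"),
    (45000, 80, 0x10, b"GET / HTTP/1.1\r\n"),              # unrelated HTTP, must be ignored
]


def tcp_flags(flag_byte: int) -> List[str]:
    """Name the flags set in a TCP flags byte, e.g. 0x18 -> ['PSH', 'ACK']."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if flag_byte & bit]


def strip_telnet_negotiation(payload: bytes) -> bytes:
    """Drop IAC command sequences so only the human-readable text remains."""
    out = bytearray()
    i = 0
    while i < len(payload):
        if payload[i] != IAC:
            out.append(payload[i])
            i += 1
            continue
        if i + 1 >= len(payload):
            break                       # IAC cut off at the segment boundary
        cmd = payload[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # IAC SB ... IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        else:
            i += 2                      # NOP, GA, AYT and other two-byte commands
    return bytes(out)


def reconstruct_session(segments: List[Segment], telnet_port: int = 23) -> Dict[str, str]:
    """Split the Telnet segments into the client's and the server's cleartext streams."""
    streams = {"client": bytearray(), "server": bytearray()}
    for src, dst, _flags, payload in segments:
        if telnet_port not in (src, dst):
            continue                    # not Telnet; Wireshark would file it under another protocol
        side = "server" if src == telnet_port else "client"
        streams[side] += strip_telnet_negotiation(payload)
    return {side: data.decode("ascii", errors="replace") for side, data in streams.items()}


def find_exposed_login(client_text: str) -> Optional[Tuple[str, str]]:
    """Assume the first two lines the client sent are the username and the password."""
    lines = [line for line in client_text.split("\r\n") if line]
    return (lines[0], lines[1]) if len(lines) >= 2 else None


if __name__ == "__main__":
    print("flags on first segment:", tcp_flags(CAPTURE[0][2]))
    session = reconstruct_session(CAPTURE)
    print("--- what the server sent ---\n" + session["server"])
    print("--- what the client typed ---\n" + session["client"])
    print("exposed login:", find_exposed_login(session["client"]))
```

Running it prints the username, the password and the 'dir' command exactly as typed, which is the point of the post: nothing in the protocol hides them, so the only fix is not to use Telnet on a network you don't fully trust. The same port-23 filter is a cheap detection rule for a network monitor, since any Telnet session at all is worth an alert.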

So, in my next post, we'll move onto SSH and then we'll begin working out how TOR works. This wasn't even the tip of the iceberg. SSH Sniffing will be posted here around 30th June.

Sunday, 15 June 2014

Cookies & Advertisements

So, you like cookies, huh?




This month, I've decided to go 'back to basics' and discuss internet advertisements. A huge number of users run browser extensions to block ads, but do most users know exactly what they're blocking? For this post, I used IE 11 and Firefox 30.0, which were the latest versions at the time of writing.

For those of you who remember using dial-up, you'll be familiar with ads. Banner ads used to be extremely popular - and still are to a degree. Adverts generate money - this is the most important thing to remember. When you click on an advert, someone just got paid; more clicks = more money. I vividly remember trying to navigate around websites without clicking on ads back in the '90s; it was almost impossible.

Websites would 'trick' users with ads that looked like part of the website when in fact they were third-party adverts that would send you to an obscure website you'd never heard of. These websites would leave what's known as a 'cookie' on your computer - a cookie is a small text file, stored by your browser, which holds personal information and user preferences and is used to identify you when you browse a website.

There are 'good' cookies and there are 'bad' cookies. The bad ones are used to sell your personal information, such as your email address, to third-party companies. Ever wondered why you get spam emails that magically know your name? Cookies.

So, what else can cookies do? Well, if you've ever browsed Amazon for a PS3 console, then gone to another website and seen an advert for a PS3 on Amazon - again - cookies are tracking your activity. Therefore, it's important to know about the different kinds of cookies:

  • Persistent cookies - remain after your browser has closed (and can also be re-used)
  • Temporary cookies - deleted when your browser closes
  • First-party & third-party cookies - first-party cookies originate from the website you're currently looking at in your browser. Third-party cookies originate from a different website than the one you currently have open, but one related to the website you're viewing (the Amazon example above is an example of this).

Many sites use adverts from third-party sites, and those sites track your web activity for the sole purpose of advertising. Most browsers allow you to configure them to block cookies that don't ask permission to gather your personal information. The lesson here is: check your settings. Check what you're allowing cookies to do on your computer.
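To make the three distinctions above concrete, here is an added example (my own, not code from the original post) that reads the Set-Cookie headers a page load produced and labels each cookie as temporary or persistent, and as first-party or third-party relative to the page in the address bar. The page host, the server names and the headers are constructed placeholders; the 'site' comparison uses the last two labels of the host name, which is a simplification of what browsers actually do.

```python
"""Classifying cookies the way the post does: persistent vs temporary, and
first-party vs third-party relative to the page you are viewing.

Added example, not code from the original post. The Set-Cookie headers and
hostnames below are constructed placeholders, not real sites.
"""
from typing import Dict, List, Tuple

# The page open in the address bar, and the Set-Cookie headers each server
# returned while that page loaded (constructed sample data).
PAGE_HOST = "news.example"
RESPONSES: List[Tuple[str, List[str]]] = [
    ("news.example", [
        "session_id=abc123; Path=/; HttpOnly",                      # no lifetime attribute: temporary
        "prefs=dark; Expires=Thu, 31 Dec 2099 23:59:59 GMT; Path=/",
    ]),
    ("ads.adnetwork-example.net", [
        "uid=7f3a; Domain=.adnetwork-example.net; Max-Age=31536000; Path=/",  # year-long tracker
    ]),
    ("cdn.news.example", [
        "abtest=B; Max-Age=0",                                      # Max-Age <= 0 deletes the cookie
    ]),
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip():
            cookie[key.strip().lower()] = val.strip()   # bare flags like HttpOnly get ""
    return cookie


def lifetime(cookie: Dict[str, str]) -> str:
    """'temporary' (gone when the browser closes), 'persistent', or 'deleted'."""
    if "max-age" in cookie:
        try:
            return "deleted" if int(cookie["max-age"]) <= 0 else "persistent"
        except ValueError:
            pass                       # browsers ignore an unparseable Max-Age
    if "expires" in cookie:
        return "persistent"            # date not parsed here; a past date would also mean deleted
    return "temporary"


def site_of(host: str) -> str:
    """Crude 'site' for comparison: the last two labels of the host name.
    A real browser consults the Public Suffix List, which is skipped here."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


def party(cookie: Dict[str, str], response_host: str, page_host: str) -> str:
    """first-party if the cookie's domain matches the page's site, else third-party."""
    owner = cookie.get("domain") or response_host
    return "first-party" if site_of(owner) == site_of(page_host) else "third-party"


def audit(page_host: str, responses: List[Tuple[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Return (cookie name, lifetime, party) for every cookie set during the page load."""
    report = []
    for response_host, headers in responses:
        for header in headers:
            cookie = parse_set_cookie(header)
            report.append((cookie["name"], lifetime(cookie), party(cookie, response_host, page_host)))
    return report


if __name__ == "__main__":
    for name, life, who in audit(PAGE_HOST, RESPONSES):
        print(f"{name:12} {life:10} {who}")
```

The one to look at in the report is the ad network's 'uid' cookie: persistent for a year and third-party, which is exactly the kind of cookie that follows you from a shop to a news site. That is the class a browser's "block third-party cookies" setting refuses, while the site's own session cookie keeps working.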

Back to advertising. Is there anything more annoying than Google Ads? Google scans your emails and picks up on keywords, which then allows them to serve you tailored ads, known as 'targeted' adverts. Recently, a friend and I were emailing back and forth about VPS. Lo and behold, look at the ad in my Gmail (IE 11 without ad-blocking software):


Crafty, huh? There are debates over this sort of thing - and people have different opinions. Personally - I don't like the fact that software is scanning my emails for keywords, and who knows what else it's doing - we simply don't know. I was browsing a popular news website and got the following ad down the right-hand side of the page (again, IE 11 with no ad blocker):

 
Installing the ever-popular 'Adblock' extension in your browser will stop this kind of thing. Here is a screenshot taken from Firefox 30.0 with Adblock installed:


The screenshot above shows that Google's ad has been removed. And below, you'll see the ad was removed from the news website, hence the blank space in the screenshot. Although these ads were 'legitimate' and not malware, Adblock can help to minimize the risk that ads present. Not all ads are genuine; in fact, there's an increasing number of ads out there that aim not only to track you but to get you to inadvertently install malware or viruses on your machine. So there you have it: cookies & advertisements - not as tasty as they sound! (Sorry, I couldn't help myself...)