Sunday, 13 July 2014

Quick Update: Offensive Security Wireless Professional (OSWP)




I signed myself up to do the OSWP course because I'd had a fair bit of experience pen-testing on other people's (my home) access points, so I thought to myself: why not get certified in it? Would there be anything to learn? In short: yes. There is a lot to learn. The course cost $450 (£270) at the time of writing, which I thought was fair value. You are expected to have all of the equipment, e.g. a wifi dongle capable of injection and an access point from their list:
  • D-Link DIR-601
  • Netgear WNR1000v2
I purchased the Netgear from eBay for £12 and I already had a wireless card, but if I had purchased the "ALFA Networks AWUS036H USB 500mW" - it would have cost another £25-ish. So you're looking at around £320 all in if you don't have the equipment already.
Once you've paid, you get sent a coursebook and you get 4 months to study the material, and within those 4 months you must arrange your exam - which is easily done from a link in one of the first emails you get. IRC support is available and it's an absolute MUST. You MUST have IRC. I can't stress this enough!!!

Now, like I said, I have had wireless pen-testing experience, so I was able to breeze through the book in a week. It gets very technical and tells you everything you need to know for the exam. And...about the exam: it's not as easy as I expected. You're given 3hrs 45mins to complete the challenge - then 24 hours to submit a report detailing what you did - which I thought sounded very reasonable.

All I can say is: practice, practice and practice some more. It took me 2 hrs 30 mins to complete the challenge because I was nervous and making rookie mistakes. You should read the entirety of the coursebook, but make sure you do the practical work too - your success relies on practical work.

I wrote the report as I was going, which added to my time of 2 hrs 30 mins, but I've heard some people have done the challenge in 1 hour and had the report done in 45 mins. But remember: it's not a race. If you try to speed through, you'll likely make mistakes. Cool, calm and collected wins the day!

Now, a final word about IRC. I've read another blog from a guy who said he had issues with one of the challenges and luckily, the IRC saved his @$$. Well - it did mine too. I was having no end of trouble with the final part of the challenge - but luckily, I had my IRC set up and help was available. Turns out there was something wrong and they fixed it so I could continue the challenge. Once again - make sure your IRC is set up! The guys are extremely helpful and you should make use of their help if you desperately need it.

If you're going to take this exam, I wish you good luck. Read it all, practice LOTS and you'll be fine!

EDIT: Officially passed within 1-2 days of posting this blog.

Friday, 11 July 2014

An Investigation Into TOR Pt. 2 - SSH Encryption

SSH (Secure SHell)

Fig #1

We're looking into TOR, so why did we go over Telnet and why are we now looking into SSH? Well, the answer is that I wanted to show you Telnet's insecurities and SSH's protections before we discuss the behemoth that is TOR. SSH is short for Secure Shell and should be used instead of Telnet (although, like I said in my previous post, I have seen Telnet used in the workplace!).

What's so secure about SSH? Well, SSH runs on port 22 as standard and encrypts traffic so that a 3rd party shouldn't be able to decrypt and read packets going to and from computers on the network - this is why it's more secure than Telnet. With that being said, there are 2 versions of SSH - v1 and v2. V1 has known vulnerabilities, which is why v2 is usually the default these days.

SSHv1 has a "remote integer overflow" vulnerability that allowed attackers to gain root access, which in turn would let them run code (with root access). Fun fact: this vulnerability in the SSHv1 code is in a piece of code that was created to defend against CRC32 exploitation in the SSH1 protocol! Ettercap can decode SSHv1 in real time (Source: Cisco).

SSH1 and SSH2 share the following features:
• Client programs that perform remote logins, remote command execution, and secure file copying across a network.
• An extremely configurable SSH server.
• Several selectable encryption algorithms and authentication mechanisms.
• An SSH agent to cache keys for easy access.

SSH2 added a number of new features to provide a stronger, more comprehensive product. These features include:
• Encryption ciphers, such as 3DES and AES.
• The use of sound cryptographic Message Authentication Code (MAC) algorithms for integrity checking.
• Support for public key certificates.
(Source: Cisco).

So I've used Wireshark to capture an SSH handshake and a 'dir' command. Let's see exactly what we've got.

Fig #2


What you're looking at above is a PCAP (packet capture) that I captured from SSH'ing from my laptop to my desktop PC. The PCAP consists of just 35 packets and we'll look through them now. At the beginning of this blog post, you saw the "SSH handshake". The first set of packets are the handshake. Let's recall the image at the start of this post:

Fig #3
The client (my laptop) was connecting to the SSH server (my desktop PC). There is a TCP 3-way handshake that takes place (SYN, SYN/ACK, ACK). So let's look at this in Wireshark:

Fig #4

Packet 1 shows 10.0.0.53, which is my laptop's internal IP address, sending a SYN packet via TCP from source port 52421 (the ephemeral TCP port the client picked for this connection). Let's investigate packet #1 a little further:

Fig #5

So I've opened up packet #1 a bit more. We can see here that the laptop (red) has resolved the PC's (yellow) MAC address, so they know each other's IP and MAC address. The green highlight shows that the client (laptop) sent the SYN packet to 10.0.0.54:22 (the PC's port 22... the SSH port).

So if you look at Fig #4 again, you'll see the entirety of the SYN, SYN/ACK, ACK sequence. Once this has taken place, referring to Fig #3, the server tells the client what version it's running and the client responds with the version of client it's running. We can see this very clearly if we analyse packet 4 in Wireshark:



So we know that we're using FreeSSHd because of the (WeOnlyDo) server version string, and we know our client (laptop) is using PuTTY 0.63.0.0. Packets 5 & 6 are the KEXINIT negotiation - basically, the client and server negotiate the algorithms they will use for key exchange, bulk data encryption, message integrity, and compression.

The peers will also let each other know the accepted host key types. In this stage they present their supported and preferred methods for the aforementioned functions as comma-separated lists. Preferred values are distinguished by placing them first in the list (Source: http://www.mnin.org/write/2006_sshcrypto.html).
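To make the KEXINIT step concrete, here is an added example (my own code, not from the post, Wireshark or PuTTY/FreeSSHd) that serialises and parses an SSH_MSG_KEXINIT payload in the wire format of RFC 4253 and then applies the negotiation rule from section 7.1 of that RFC: for each name-list the chosen algorithm is the first entry in the client's list that the server also supports. The KEXINIT payloads below are constructed for the example, not taken from the capture, and the host-key/kex selection is simplified (the real rule also checks that the host key type can sign or encrypt as the kex method requires).

```python
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253

# The ten name-lists, in the order they appear on the wire (RFC 4253 section 7.1).
NAME_LIST_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]

def build_kexinit(prefs, cookie=bytes(16)):
    """Serialise a KEXINIT payload: byte, 16-byte cookie, 10 name-lists, bool, uint32."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        names = ",".join(prefs.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names   # name-list = uint32 length + text
    out += b"\x00"                                      # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)                         # reserved (must be 0)
    return out

def parse_kexinit(payload):
    """Inverse of build_kexinit; returns a dict of lists as Wireshark would display them."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16                                        # skip message byte and cookie
    fields = {}
    for field in NAME_LIST_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[field] = raw.split(",") if raw else []
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields

def choose(client_list, server_list):
    """RFC 4253 rule: first client-preferred name that the server also lists."""
    for name in client_list:
        if name in server_list:
            return name
    return None

def negotiate(client, server):
    """Return the agreed algorithm per negotiated list, or None if any list has no overlap
    (a real peer would then send SSH_MSG_DISCONNECT). Language lists are not negotiated."""
    chosen = {}
    for field in NAME_LIST_FIELDS[:8]:
        algo = choose(client[field], server[field])
        if algo is None:
            return None
        chosen[field] = algo
    return chosen

# Constructed preference lists (not from the capture in the post).
CLIENT_PREFS = {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "3des-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "3des-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha1"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
# This server lists the older cipher first, but client order decides.
SERVER_PREFS = {
    "kex_algorithms": ["diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa", "ssh-dss"],
    "encryption_algorithms_client_to_server": ["3des-cbc", "aes128-ctr"],
    "encryption_algorithms_server_to_client": ["3des-cbc", "aes128-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
# A server offering only a cipher the client does not list: negotiation fails.
LEGACY_SERVER_PREFS = dict(SERVER_PREFS,
                           encryption_algorithms_client_to_server=["arcfour"],
                           encryption_algorithms_server_to_client=["arcfour"])

def run_example():
    client = parse_kexinit(build_kexinit(CLIENT_PREFS))
    server = parse_kexinit(build_kexinit(SERVER_PREFS))
    legacy = parse_kexinit(build_kexinit(LEGACY_SERVER_PREFS))
    return negotiate(client, server), negotiate(client, legacy)

if __name__ == "__main__":
    agreed, failed = run_example()
    print("agreed:", agreed)
    print("legacy server:", failed)
```

The point worth noticing when reviewing a capture like Fig #2 is that the client's ordering wins: a server that still advertises an old cipher will only be made to use it if a client asks for it first, which is why auditing the client-side list matters as much as the server-side one.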

Packet 8 is the Diffie-Hellman Key Exchange Initialization, which essentially lets the client and server derive the exact same secret key (used for symmetric encryption). An important thing to note is that the SSHv2 protocol is now in use. It was at this point I ran the 'dir' command from my client to the server - yet I cannot see this command in plain text as it's encrypted. The idea is to stop a 3rd party from listening in and seeing what commands are being run, etc.

This does pose an interesting question: can we decrypt SSH? The answer is: yes. SSH can be decrypted using a MiTM attack (MiTM-SSH) or by creating a rule on a firewall to generate its own key (not certificate, as SSH uses keys, not certs). This may be a good topic to come back to...
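The Diffie-Hellman step in packet 8 is easier to reason about with the arithmetic in front of you. The following is an added example (my own code, not from the post or any SSH implementation) that runs both sides of a Diffie-Hellman exchange and then derives encryption keys using the K1 = HASH(K || H || X || session_id) construction from RFC 4253 section 7.2. The group is a deliberately tiny toy group I constructed so the numbers are readable; real SSH uses 2048-bit or larger groups such as diffie-hellman-group14-sha1, and the version strings, KEXINIT payloads and host key below are constructed placeholders.

```python
import hashlib
import secrets

# Toy group, constructed for this example and NOT secure: the Mersenne prime 2**127 - 1
# with generator 5. SSH group14 uses a 2048-bit safe prime with generator 2.
P = 2 ** 127 - 1
G = 5

def ssh_string(b):
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

def mpint(n):
    """RFC 4251 'mpint' for a non-negative integer: two's complement, so a leading
    zero byte is added when the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

class Party:
    """One side of the exchange; keeps its private exponent and publishes g^x mod p."""
    def __init__(self, private=None):
        self.x = private if private is not None else 2 + secrets.randbelow(P - 3)
        self.public = pow(G, self.x, P)

    def shared_secret(self, peer_public):
        # Reject trivial values (0, 1, p-1) that would force K into a tiny subgroup.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid DH public value")
        return pow(peer_public, self.x, P)

def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, K, hash_fn=hashlib.sha1):
    """H from RFC 4253 section 8: the server signs this with its host key."""
    data = (ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c) + ssh_string(i_s)
            + ssh_string(k_s) + mpint(e) + mpint(f) + mpint(K))
    return hash_fn(data).digest()

def derive_key(K, H, letter, session_id, length, hash_fn=hashlib.sha1):
    """RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id),
    K2 = HASH(K || H || K1), ... concatenated until 'length' bytes are available."""
    key = hash_fn(mpint(K) + H + letter + session_id).digest()
    while len(key) < length:
        key += hash_fn(mpint(K) + H + key).digest()
    return key[:length]

def run_exchange(client_private=None, server_private=None):
    """Play both sides and return what each side computed, so we can compare them."""
    client, server = Party(client_private), Party(server_private)
    e = client.public          # sent in SSH_MSG_KEXDH_INIT (what packet 8 carries)
    f = server.public          # returned in SSH_MSG_KEXDH_REPLY with K_S and sig(H)

    K_client = client.shared_secret(f)   # (g^y)^x mod p
    K_server = server.shared_secret(e)   # (g^x)^y mod p

    # Constructed placeholder inputs; in a capture these come from packets 4-6 and the reply.
    v_c, v_s = b"SSH-2.0-ExampleClient", b"SSH-2.0-ExampleServer"
    i_c, i_s = b"client-KEXINIT-payload", b"server-KEXINIT-payload"
    k_s = b"placeholder-host-key-blob"

    out = {}
    for side, K in (("client", K_client), ("server", K_server)):
        H = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, K)
        session_id = H                    # first exchange hash becomes the session id
        out[side] = {
            "K": K,
            "H": H,
            "c2s_key": derive_key(K, H, b"C", session_id, 16),   # 128-bit cipher key
            "s2c_key": derive_key(K, H, b"D", session_id, 16),
            "c2s_mac": derive_key(K, H, b"E", session_id, 20),   # 160-bit HMAC key
        }
    out["observed_on_wire"] = {"e": e, "f": f}   # all an eavesdropper sees of the math
    return out

if __name__ == "__main__":
    r = run_exchange()
    print("shared secret agrees:", r["client"]["K"] == r["server"]["K"])
    print("client->server key:", r["client"]["c2s_key"].hex())
```

Two things this makes visible: the sniffer in Fig #2 sees e and f but never K, because recovering x or y from them is the discrete-log problem the group is chosen to make infeasible; and the 'dir' command is unreadable because it is encrypted under keys that only exist on the two endpoints. It also shows why a MiTM is the realistic route to plaintext: an attacker who can substitute their own e and f simply runs this exchange twice, once with each side, which is exactly what host-key checking in the client is there to catch.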

The next post will be about TOR. I thought it necessary to discuss Telnet & SSH before we delve into TOR, as TOR is very complex and a good background on networking/encryption is useful. Thank you for reading. Expect a post about TOR towards the end of this month.

Tuesday, 8 July 2014

Update Coming Saturday 12th July



Apologies for not meeting my target for the Tor Investigation Part 2. I WILL continue the investigation and start with a quick look into an encrypted protocol such as SSH. I've been exceptionally busy with work and I am currently taking the Offensive Security Wireless Professional (OSWP) course.

I am due to take my exam on Saturday - so once my exam is over, I will make a post on here and give you my thoughts on the OSWP course. P.S. On a side note - there has been a massive boost in traffic to the website. I've seen approx 1,000 hits in 2 weeks! Thank you to everyone who reads the blog and a big thank you to those who comment and help the community by sharing (legal) files. Next update will be this Saturday 12th July - wish me luck for my exam! Thanks all.