Wikileaks Vault 7: CIA Tips for Git Workflow

Wikileaks has begun dumping a large number of files on the CIA's hacking tools. The dump is called Vault 7. It is a goldmine, not only for information about the CIA's activities, but also for information on things like how to set up a development environment or properly use Git in your everyday programming workflow. Here are a couple highlights from some cursory searches of the document dump:

CIA Git Tutorials

CIA Vim Tutorials

CIA Setting Up a Development Environment

Comments (9)

NSA = Not So Adept: Hackers Loot Brash Stash Of NSA Exploits & Data

Who watches the watchers?  Apparently, now it’s…well, everybody with a computer.  A massive hack against the NSA has revealed a treasure trove of previously-private exploits and other data, and it doesn’t make our “security agency” look very secure at all…


If the future won't let us have space-war, we'll have cyberspace-war.
(Image courtesy techworm.com.)

According to TechCrunch.com, the hack was perpetuated by a group called the Shadow Brokers, who lifted a stash of NSA-created malware from an internal hacking team called The Equation Group.  Two chunks of data have been published, one that is open to the public for perusal and one that contains “the best files”, which will likely be auctioned off at the starting price of $1 million.

An additional image collection of a file tree containing NSA exploits was released, as well as a page calling out “cyber warriors” and “WealthyElites.”  The full extent of the free file contains staging programs that the NSA could ostensibly use to inject malware into servers for the purposes of espionage.  These hacking tools include “RATS” – remote access Trojans – and exploits that target web and file servers.  Such programs could be used to remotely access a machine, copy or monitor its information, and then be deleted (theoretically) without a trace.


Well, that's...bold.
They couldn't name it "Punk Rock Tracks - The Exploited" or anything less overt?
(Image courtesy techcrunch.com.)

The files are mostly written in Python or shell script, with a few compiled binaries.  The Shadow Brokers have released the following statement regarding the acquisition:
"How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."

The stunted English grammar may imply Russian origin for the group, or may be ruse to throw others off the trail.  Regardless, the second file will be sold to the highest bidder via bitcoin, and the files are promised to be “better than stuxnet” (the computer worm that derailed Iran’s nuclear program several years ago.)


How nice...they even included user instructions.
(Image courtesy techcrunch.com.)

Wikileaks claims that they are already in possession of the “best” files, and will publish them “in due course.”  In the meantime, whistleblowing winner Edward Snowden calls the entire affair “not unprecedented.”  Snowden went on to elucidate, “This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server."


While this is not (yet) thought to be a tremendously devastating hack, it does not look favorably on the much-maligned NSA.  This sort of sloppy spywork is not the sort of thing that inspires confidence in those who repeatedly exhorted that they were keeping us secure by ransacking our privacy.  Loose ‘chips sink ships.

We don't know all of what we don't know,
but we learn more about it every day.
(Image courtesy sdxcentral.com.)

Comments

Pride Vs. Prejudice: Anonymous Gaily Hacks ISIS Twitter Pages

When acts of terror occur, one wonders at the source of the vitriol towards certain intended targets. Often, it seems that ignorance, hatred, and other motivators of malevolent acts may be based in a person (or a fanatical subculture’s) self-hatred, or repression of certain aspects of their lives. This creates a strong means of turning the terror back upon itself...for instance, in this faaaaaaabulous way.


Oh myyyy.
(Image courtesy techly.com.au.)


According to USA Today, the famed hacker collective Anonymous has worked their wiles on the websites of ISIS, a.k.a. the Islamic State, and has made one of the terrorist cabal’s most fiendishly-opposed lifestyles appear to manifest as their own. In a sick subculture where it is acceptable to kidnap civilians as sex slaves, mete out vicious vigilante justice against anyone deemed unholy, and generally make life miserable for those who think differently, ISIS would be loathe to indicate any form of love (that’s not a warped interpretation of their devotion to Allah.)

But now, thanks to Anonymous, the Islamic State – on Twitter, at least - is positively flamboyant with gay pride.

Ghost-jacker, you are beautiful in every single way.
(Image courtesy sitepronews.com.)

One Anonymous operative, known only by his Twitter handle WauchulaGhost, had originally filled the hacked ISIS accounts with pornography (which is strictly forbidden by the militants’ version of the Islamic faith.) He instead traded it for gay-positive messages and “PRIDE” slogans when women complained that his work might seem counterproductive to spreading decency to the militants.

Now, despite death threats and behests for beheading, WauchulaGhost (who is known only to be a straight, American male that had been angered by the recent Pulse nightclub attack) has filled the ISIS accounts with gayness and rainbows (literally.)


To a normal person, the bootleg Lisa Frank-style background
is the most offensive thing here.
(Image courtesy newstalk.com.)

"The morning of the attack I woke up and saw the news and I was just furious. All I could see was people mourning and crying. And I thought maybe I could do one thing that would lift some spirits," he explained.

Anonymous, according to Newsmax, had hacked some 1,500 jihadi accounts for the purpose of making them pro-gay pride. A further 150,000 ISIS-related accounts have been suspended by Twitter.

If only all acts of extremism could be so extremely pleasant.


The hashtag #DaeshBag was also involved.
Well done.
(Image courtesy wtsp.com.)

Comments (3)

Eyes In The Sky That Pry Via Wifi: Malware-Injecting Drones Swoop In To Spy

Hackers, in an ever-escalating bid to stymie security, have teamed up with an arm of one of the world's leading aerospace companies to create computer-death from above...


As usual, we're sure this is all to "protect your freedom"...
(Image courtesy youtube.com.)

As reported by RT.com, the Italian firm Hacking Team has teamed up with a subsidiary of Boeing to work on a drone-mounted device that can cause computer chaos simply via flyby.  The drone will be able to infect smartphones and computers with spyware by latching onto a wifi signal.

Hacking Team, a surveillance technology firm, was quoted from a series of emails released by Wikileaks in which the firm states that they seek to create a "remote traffic interception device", one that would be"ruggedized" and "transportable by drone."  Creepier still, the project was commissioned by the American company Insitu, who have previously sent spy drones such as the ScanEagle into the skies.

Nothing to see here, citizen.  Continue your nourishment from social media feeds.
(Image courtesy rafzen.wordpress.com.)

An Insitu engineer's email to Hacking Team states:
"We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System. Additionally, if you have any more marketing material you are willing to share with us prior to meeting, please let us know." 
Further communications reveal plans for an airborne TNI, or tactical network injector, which could bomb a target's computer or smartphone with spyware by intercepting their wifi connection and unwittingly forcing the user to download the malicious malware.

Maybe someday we can use this technology in better ways.  Not yet, though.
(Image courtesy townhall.com.)

So basically, if we're hearing about this, it's probably already happened.  No signal is safe.  Just try not to get on the bad side of Boeing, Hacking Team, or any of their allies/clients (like the US military, FBI, or DEA.)  And if you hear the buzzing of tiny little rotors above you, it's probably already too late...

The first person they're going to hack is this reporter with the horrible grammar and capitalizations.
Spyware from the sky is evil, but even evil needs proper punctuation.
(Image courtesy tapnewswire.com.)

Comments

To Have And To Hold And To Hack: Cheaters' Website Info Held Hostage


Cheating on your spouse is probably a really bad idea.  Cheating on your spouse and leaving a cyber trail which will be inevitably hackable seems like you're just asking to get caught...


This gets even worse when your wife learns the person on the left is a dude...
(Image courtesy ofwstories.com.)




According to Wired, the infidelity-inducing website Ashley Madison has been hacked, and all of the sordid details are now in the hands of those who could use them to wreak family-smashing, divorce-inducing, alimony-extracting havoc.  However, in an interesting twist much like a love triangle gone wrong, they don't want to chat about cheating.  The hackers instead want the website shut down.

Enough of the stolen data has been released to prove its authenticity, and the dirt is not limited to who is doing the dirty.  Company salaries and even maps of the internal network have been obtained and held hostage in the name of...rescuing?...romance.


Those wandering eyes better wander back home...or else.
(Image courtesy stunninggadgets.com.)

The hackers refer to themselves as the Impact Team, and could indeed make some major impacts (like a meteorite slamming into the earth and killing of the dinosaurs...of matrimony) against Ashley Madison's 40 million users.  While Impact Team will allow Ashley Madison's parent company, Avid Life Media, to keep its May-December, lads-for-older-ladies Cougar Life site online, anything extramarital is to be immediately removed.

As republished by Krebs, the Impact Life statement read: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails."


"Jesus, Stan, this is really dirty."
-"I know...who'd cheat on someone with grammar that awful?"
(Image courtesy insperity.com.)

To add further fascination to the fuckery, some of the hostage data is information that Ashley Madison had promised to "permanently remove" from their servers for an additional $19 fee.  That...didn't happen.  "Too bad for those men, they're cheating dirtbags and deserve no such discretion," the Impact Life team stated.

Ashley Madison claims to have secured their sites and hunted down the hackers, but should they choose to continue operations and risk the loss of their customers' most private persuasions, the losses will be both romantic and commercial.  Maybe profiting off of tragic romances should end in tragedy...but will it also take down millions of marriages in the process?


Hell hath no fury like a woman hacked.
(Image courtesy opposingviews.com.)

Comments (1)

Hacking Health: IV Pumps Can Be Remotely Reset To Cause Overdose


Last week we pondered the troubles of hacking a self-driving car.  Unsavory for sure, and a nasty way to go, but something that could possibly be thwarted with a manual override via steering wheel (surely those won't get phased out completely, right?)  However, what happens when the hack doesn't mess with your automotive ride, but rather your physical one?

An unlikely accomplice to chaos...
(Image courtesy turbosquid.com.)



According to wired.com, it is possible for hackers to infiltrate medical machines and wreak havoc where there should only be healing.  Several popular types of drug-infusion pumps have the problem of being hackable so that the operator could provide a possibly-lethal dose of drugs to the recipient.

The pumps, made by the Hospira company, number in the hundreds of thousands, and can be found in hospitals worldwide.  The "libraries" in the pumps that specify upper and lower limits for drug dosage are unsecured and can be accessed by anyone on a hospital's network.  Thus, the firmware for the drug library could be updated with upped doses, and anything from a bad trip to a massive overdose could follow.

And it's not like these things are getting better on their own.
(Image courtesy cdc.gov.)


The manipulation could be so thorough that the machine's screen might even display that the "proper" drug dosage was administered.  Security researcher Billy Rios explained, "...if you can update the firmware on the main board, you can make the pump do whatever you like.”

So, if you happen to get hospitalized and feel that certain powers-that-be have it out for you, be wary of the type of IV that's tapping your veins.  Not all murderous robots have to look like the "Terminator"...something as innocent as an IV could be used against you.


Don't be too paranoid about it, though.  That's even more paralyzing than the drugs.
(Image courtesy dreamstime.com.)

Comments (1)

Hackseat Driver: Will Autonomous Cars Be Too Susceptible To E-Intruders?

Hackers love taking on the challenge of manipulating technology that is supposed to be beyond any outsider's control.  This can cause havoc on computers, phones, and other devices...but what happens when a hacker targets a self-driving car?


Could hackers take you and your car for a joyride?
(Image courtesy computerworld.com.)


According to msn.com, the threat of cyberattack against self-driving cars is a serious issue - one that manufacturers as well as insurers are now scrutinizing.  With expectations for such vehicles to hit the road by 2020, it is time to start seriously assessing the damage a hacker could do, should they gain control of a self-driving vehicle's numerous ranging instruments.

These cars will be propelled in part by information gleaned from onboard cameras, sonar, radar, and LiDAR (light detection and ranging), all of which could be made vulnerable to hackers.


Electronic elements of an autonomous car, all of which could be hackable targets.
(Image courtesy google.com.)

"One attack scenario forces the car to accelerate, rather than brake, even though the obstacle avoidance system (using LiDAR) detects an object in front of the car. Rather than slowing down, the car hits the object ... at high speed, causing damage to the car and potential threat to the life and safety of the passengers in the car under attack and in the car being struck," according to a report by Mission Secure Inc., a US-based security firm.

Such attacks could be carried out so rapidly and violently that there would be no forensic technological evidence to determine what caused the problem.  This leads to worries from insurance companies, who will likely need to reassess premiums based on new concepts, such as what car companies claim their cars are capable of (versus what actually happens on the road.)

Google's cars have already rolled out, but can they be infiltrated from afar?

Countermeasures to car-hackers are being assessed by various security firms, and Google is rumored to have a team of its top engineers attempting to remotely control cars.  Google's own self-driving cars have been autonomously cruising in California since last month.

In the future, stealing cars won't involve smashing windows or using jimmy tools.  The thieves may not even need to be nearby the scene of the crime.  With new innovations come new issues...but let's hope that these hackers can be overridden if needed by some good old fashioned human steering behind the wheel.


Don't get too comfortable in your autonomous chariot...you may have to fight hackers
by remembering your driving skills!
(Image courtesy economist.com.)

Comments (10)

Spy vs. mSpy: Tracking-App Company Reveals Blackmail Attempt

With so many adults willing to give up their privacy in the name of security, it's no surprise that they'd levy that same treatment (with the same unwarranted sneakiness) onto their own children.  Amusingly enough, one firm that provides such products has now been hit by blackmailers.

Stalk your kids while sipping your coffee!  Except sometimes, it's not so simple...
(Image courtesy whiterosereader.org.)




According to the BBC, the mSpy company, which specializes in providing software for parents to track their children's electronic lives, had allegedly been the target of a major online security breach.  Security expert Brian Krebs had been anonymously alerted to a massive cache of mSpy data being hosted on the Tor "darknet" network, and upon further investigation, he was shocked at what he found.

"There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations," Krebs said.


Constantly, crazily pertinent.
(Image courtesy www.youcantwatchme.com.)

However, the cache was soon deleted, making the verification of its contents impossible.

The mSpy app functions as a means for everday snoops to read others' messages, listen in on conversations, and track movements.  Intended for parents who are anxious to keep tabs on their children, the app's abilities also make it a favorite for those who'd want to keep an extra eye on scurrilous employees or sneaky spouses.  


This intricately-detailed diagram unlocks the mysteries of iffy-ethical mSpy use.
(Image courtesy www.mmspyreviews.com.)

Though the app is intended only to be placed on phones or mobile devices of those who are aware they are being monitored, this might not always be the case.

While security experts claim that data-dumps of big companies' information are "relatively frequent" from those seeking to exploit blackmail-enabling material, often the data is falsified.  However, if it is indeed authentic, there's a good chance that more than a few of the spy subjects were unaware of their surveilled state.  

mSpy's data alone comprised (and could have compromised) some 400,000 customers.  So who's the more shady, the for-hire spies or the loot-seeking snoops who reveal them?


By the way, if your kid wants to find porn on the internet,
all the mSpys in the world aren't going to help.
(Image courtesy www.synthese-factory.com.)


 
Comments (8)

Euthanizing Youtube: Security-Testing Hacker Discovers Ultimate "Delete" Button

What if you had computer hacking skills of such astonishing power, you could bring an entire lane of the information superhighway to a screeching halt?  What would you do with your great and terrible force?  This week, one man was faced with this fascinating decision...

NOOOO!  NOT THE HARLEM SHUFFLE!
(Image courtesy answerbag.com.)


According to Gawker.com, a Russian hacker named Kamil Hismatullin decided to take his talents out for a spin this week. Hired by Google under a Vulnerability Research Grant to assess Youtube for security flaws, Hismatullin made an astonishing discovery: he could permanently eradicate any video with a simple string of code.

Suddenly, over a decade of humanity's finest and freakiest moments were up for grabs. An entire archive of human history (often stupid and ridiculous human history, but history nonetheless) was at the whim of one hacker. Visions of rap/opera mash-ups, cat videos, and rap/opera/cat-video-mashups vanishing became a tangible, terrible threat.

"LEAVE YOUTUBE ALONE!!!"
(Image courtesy kidzworld.com.)

Hismatullin let all of that slide, to the tune of five grand.

Despite a shockingly short study-period for this possible purge, and a looming lust that threatened to knock pop stars from their plastic pedestals, Hismatullin simply accepted a $5,000 bounty to solve the problem. Of his voyage through video Valhalla, he wrote, "In general I spent 6-7 hours to research, considering that couple of hours I've fought the urge to clean up Bieber’s channel haha."


It is speculated that the footage of this hilarious skateboarding bulldog
ultimately convinced Hismatullin not to wreak havoc on the popular video site.
(Image courtesy allthingsd.com.)

While we don't necessarily agree with the results (Bieber should be banished and Mr. Hismatullin should be at least $10,000 more wealthy), the plausible annihilation of so much material brings ponderous questions to mind.  Are the seemingly-supple strands of the World Wide Web really mere gossamer?  Could someone hack voting machines in an election?  Could someone crack into a president's email?  Could someone tear down Twitter (please)?

There's no safety in this cruel world.  Just be thankful Mr. Hismatullin is not a wrathful man or one with an agenda, and go back to enjoying your videos...you now know that like fickle and fiendish fire of life, they could flare out at any moment.



A veritable burning of the modern Library of Alexandria could have taken place here.
Cherish this trove of wisdom while you still may.



Comments

IS Hacks U.S. Central Command Twitter Feed, Posts Prankish "Leaks" Like The Trolls They Are

It seems that our once-raging war against terrorism has now, at least publicly, been downgraded to some unpleasant cyberbullying.

As reported by the BBC, the United States Central Command's Twitter account was hacked by the revolutionary Islamic fundamentalist group IS, who referred to their online troll brigade as "the CyberCaliphate" in the attack.  Their "CyberJihad" didn't seem to accomplish much more than ruffling a few feathers, despite the "leak" of "secrets" like a few upper-echelon bureaucrats' mailing addresses.

Nerdy terrorists.  Great, just what we need.
(Image courtesy bbc.com.)

The Centcom Twitter account, which was known to report on strikes against IS (before the account was taken down after the hack-attack), provoked a standard "appropriate measures" response as to what was being done in retaliation.  The hack occurred while President Obama was giving a speech on cybersecurity.

Several maps and diagrams were "released" by the hackers, but these appeared to be vague logistics of maritime armaments along the Chinese coast, as well as maps of various installations in North Korea.  Nothing was more of a "secret" than a little googling couldn't uncover, with much of the (completely non-threatening) information sourced from U.S.-based think tanks.

The full feed.  This could easily be an Islamic twelve-year old.
(Image courtesy Reuters.)

According to Reuters, The Defense Department wasn't flustered, stating the government "views this as little more than a prank, or as vandalism...It's inconvenient, it's an annoyance but in no way is any sensitive or classified information compromised," Pentagon spokesman Army Colonel Steve Warren said.Nevertheless, when posted in conjunction with incendiary (fake) headlines reading "PENTAGON NETWORKS HACKED!", the IS troll brigade probably raised a few heartbeats in Washington.  For a minute.  Then we continued bombing them in real time, without needing to tweet about the success.  The "CyberJihad's" silence in America will speak to that.

Unfortunately in France, the AnonGhost cyberterrorism group, a pro-Islamic organization, have tried to terrorize French websites in wake of the Charlie Hebdo attacks.  The UK Mirror reports that larger and more notorious computerized collective Anonymous have vowed revenge for the Charlie Hebdo attacks and have been plaguing IS sites throughout the last week.  This e-poking might escalate to even further name-calling and photoshopped images of completely unbelievable terrorist victory.  In the meantime, they can continue to spam the internet with narcissistic content worthy of a facebook-addicted tween.

Just...no.  Not happening, guys.
(Image courtesy mirror.co.uk.)


Comments

Bitcoins And Biohacks: Dermally-Implant Your Dough?

Body modifications have been around as long as humanity.  We are constantly seeking new ways to embellish, improve, and artistically distinguish ourselves by pimping our corporeal rides, and now, technological innovations may be added to that mix.

As reported by the Telegraph UK, Dutchman Martijn Wismeijer has had 12mm NFC (near-field communication) computer chips embedded in his hands as a sort of human upgrade. On these chips, he stores the keys to his bitcoin wallet, as well as a personalized alarm clock where the chips must be held to a sensor to shut off his daily alarm.  

Easier than carrying around a sack of doubloons, for sure...but not as secure.
(Image courtesy techinasia.com.)

The 888-byte chips were installed via a ready-made syringe which delivered them to the fatty subdermal flesh.  While Wismeijer admitted that many doctors were recalcitrant to perform the modification, other body artists such as tattooists or piercers may be more amenable (although regardless of the surgeon, sterile conditions are still a must.)

The founder of Mr. Bitcoin, a company that deals in crypto-currency ATMs, Wismeijer says the chips are not secure enough to permanently carry the codes at the moment, but that his experiment in embedding them was a success.  He eventually would like the technology to include wireless key access for his home.  Wismeijer feels this type of "bio-hacking" is just the fingertip of the bigger body of possible uses for the technology.

In the beginning, there was the byte.
(Image courtesy storiesbywilliams.com.)

Wismeijer explained, “The reason I did take the implants is that I have real-world uses for it today, my phones and tablets are all compatible. I personally feel that by supporting these bio-hacking developments we can learn what works and what doesn't and that some day, in the not so distant future we will be able to implant more functionality like sub dermal glucose sensors or heart rate monitors and other vital health monitoring devices. Imagine a normally invisible tattoo on your arm glowing red when you get a heart attack, swipe your phone and your phone will notify doctor.

“By supporting these bio-hacking initiatives I believe we are paving the way for social acceptance while at the same time we support the bio-hacking technology that drives it.”

Bodymodding biohackers, use your new powers for good.
(Image courtesy hackpittsburgh.com,)

Comments

Hack Lab Intro: How to Set up a Home Hacking and Security Testing Lab

Introduction

This series of articles comprises an introductory tutorial on how to set up a home lab to experiment with common hacking and information security testing tools. Our setup will  allow us to explore the sorts of computer and network vulnerabilities that can be encountered on the internet, and to test the security of our own home computer network and networked devices, all from within an isolated and secure working environment. The series is geared toward individuals who have little or no prior experience with virtualization software or common hacking and security testing tools, but are interested in exploring network and computer security.

Over the course of the tutorial series, we will create two separate network configurations. The first will be a completely virtual environment populated by two virtual guest systems running inside a single host computer. This requires nothing more than an internet connection for the necessary downloads, and a computer with relatively modest RAM and disk resources.

The second configuration will be an everyday local area network of the sort that can be found in many homes, but which is isolated from the internet and where we can strictly control and monitor all network traffic. This setup is slightly more involved in terms of hardware than the first, requiring also a spare router.

Our monitoring and attack system in both configurations will be an instance of a Kali Linux virtual machine running inside an installation of the VirtualBox software package on our primary computer. Kali is a Linux operating system distribution intended for security testing and digital forensics.

In the first completely virtual network environment, our victim will be an instance of  Metasploitable2, a virtual machine that exhibits vulnerabilities that can be found on  everyday computer systems and software configurations. As noted at Offensive Security, "Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques."

In the second network configuration, we will use the Kali Linux virtual machine to compromise an everyday local area network router of the sort that can be found on many home networks, in order to demonstrate just how easy it can be to steal login credentials  passed from another computer on the network.

The tutorial is broken down into four parts:
  • Part 1 covers the installation of VirtualBox and provides a walk through of a full installation of a Kali virtual machine on your primary lab computer. Along the way, we'll take a short detour on how to quickly run live Kali sessions without a full installation of the machine.
  • Part 4 provides details on setting up our second network configuration, which models an everyday home local area network. With the attack machine, we'll conduct a simple man-in-the-middle attack against the network's router, and demonstrate a serious security vulnerability by stealing login credentials sent to it from the victim machine, in this case, the host computer. 
Comments (14)

Hack Lab Part 4: Compromising a Home Router on a Local Area Network

This is part four in our tutorial series on how to set up a home hacking and security testing lab. In part three, we set up a completely virtual network inside VirtualBox in order to use Kali to test the (in)security of the Metasploitable2 virtual machine. In the present article, we'll set up a local area network similar to one you might find in any home, and then walk through a man-in-the-middle attack against an everyday router.

Here's our hypothetical scenario: there is a malicious individual on a local area network listening in on the network traffic (sniffing it, as they say) using ARP poisoning in an attempt to steal login credentials from the router's administrator so as to hijack the device, and by extension, the network. In this scenario, Kali will once again function as the attacker but the host computer will be the victim.

This configuration will require a router specifically for the purpose of hosting our home lab's local area network. This could also be accomplished virtually, but having the external network will allow us to test the security of other external networked devices moving forward.

Configuring the Local Area Network
For the present test, which was successful, I picked up one of those ubiquitous Netgear WNR 2000 series home routers at a local flea market for ten dollars. You might even have an old router just lying around collecting dust. Plug the router in, turn it on, and configure it as desired. An online manual for this router stated that once you have connected your computer to it, you can navigate to the URL routerlogin.net or the device's ip address in a web browser to log in for administrative purposes. They further provided the factory default login credentials: 'admin' for the login name, and 'password' for the password. The first thing I did upon logging was to change the password using the router's so-called "Smart Wizard".

I prefer to hook up devices to the lab router through ethernet, and turn off wireless networking in the router when I'm feeling paranoid. Log into the router, and adjust settings as necessary. It should have DHCP, to provide ip addresses to hosts on the network. Keep it completely isolated from your actual home LAN that is connected to the internet, at the very least because connecting a second dhcp server to your main home network would cause a fair amount of chaos. We'll soon see whether this sort of interaction with the router is secure in any way. (Spoiler alert: in the case of the WNR 2000, it is not.)

Once your router is setup, open the Network settings in your Kali machine and change the attachment from the internal network to bridged mode, and attach it to the appropriate interface. (People who are more comfortable with managing multiple interfaces on Linux could just add a second adapter and switch between the two inside Kali.)  Under the Advanced section of Kali's Network settings, notice the drop down menu for Promiscuous Mode. This setting is important for our test. There are three options here: Deny, Allow VMs, and Allow All. Set it to Deny. This means that Kali will not be privy to any traffic directly to or from its host machine or other VMs that may be on the network.


Why have we set Promiscuous Mode to Deny?

Abstinence-Only Networking and the IP Stack
When Kali is running in bridged networking mode, so as far as the rest of the hosts on the network are concerned, it is a completely independent host. But it's not, it's a virtual machine, it shares its network interface with its host computer, and by extension with any other VMs that might also access that interface.

If we set promiscuous mode to Allow All, the Kali machine will pick up all traffic going over the network interface, to which it has access because it is itself bridged over this interface. That obviously includes the given network's traffic sent to and from the host computer on which the virtual machine is running, as well as any other virtual machines it might be running on that interface. If the host computer pings the router, Kali will pick up the traffic.

When promiscuous mode is set to Deny, on the other hand, Kali networks with the host computer (and any other virtual machines that might be on the network) as if they were all on completely separate physical devices. If the host computer pings the router, Kali will not pick up the traffic.

If there is a secondary computer on the network, even if Kali is in promiscuous mode, it will not be able to capture a ping from that computer to the router, or any other such traffic between them, for that matter, such as an http session.  

When we run the man-in-the-middle attack against the router and the host machine, however, we'll see that we can pick up traffic between them. One might wonder whether this is a true man-in-the-middle attack, because as we already know, the Kali guest and the host computer share an interface. Kali already has access to the host machine's traffic. Setting up the sniffer is basically just enabling promiscuous mode on the adapter setting.

However, we are not conducting a physical layer attack. ARP poisoning is conducted between the link layer and the network layer of the IP stack. This could be demonstrated with a secondary host on the network. An ARP attack by Kali against the secondary computer will still work even though Kali does not share a physical network interface with the victim, and could not detect such traffic even in promiscuous mode.


Reconnaissance and Scanning the Network
There should now be three hosts on the lab LAN: 1) the router, 2) the host computer (our victim), and 3) the Kali virtual machine (our attacker). Let's begin by conducting some passive monitoring of the network traffic.

Open up Wireshark on your Kali instance and conduct a live capture, to see what kind of traffic you can pick up on this network. (See part two in the series for info on how to properly configure Wireshark to conduct a live capture, if you haven't already.) Let the scan run for about half an hour. My capture picked up:
  • SSDP broadcasts from the router, alerting hosts as to its existence
  • ARP broadcasts from the victim computer and the Kali host machine, seeking out the router's hardware address from its ip address.
  • DNS requests to external websites for services running on Kali and the host machine, these are obviously unresolvable, since the network is not connected to the internet. (I would also like to shut down these services later if they are not system critical, as I don't like the idea of my machines contacting random services on the internet without my say so.)
Nothing really seems out of the ordinary here, so let's run a scan of the network. Here's the topology graphic produced by Zenmap from a default nmap scan of my lab network:


The router is at 192.168.1.1, the primary host computer is at 192.168.1.2 and the Kali machine is at 192.168.1.5. As you can see, Zenmap's color coding indicates that there may be some vulnerabilities in the router.

This scan discovered three open ports on the router, and found no open ports on any of the other hosts. Ports 23 (telnet) and 80 (HTTP) were found open by default on the router. We would expect port 80 to be open since you can log into the router with a web browser for administrative purposes. It seems a bit odd that the telnet port is open as well, as it is unlikely anyone today would be telnetting into the router on their home network. This is a security vulnerability, but, fortunately, this router does not actually allow simple telnet access to its administrative interface. Any basic attempts to connect to it via telnet are rejected, which makes one wonder why it is open to begin with.

Now let's attempt to systematically determine what traffic on the network the Kali instance is able to capture. All packets sent from or to the Kali VM will be captured in Wireshark, since the capture is running on that system: ex. ping requests to the router from Kali, ping requests to Kali from the host computer, HTTP traffic if you use a Kali web browser to navigate to the router's admin page, and so on.

As noted above, if your Kali virtual machine's network settings were in promiscuous mode, Wireshark would also capture any packets directly sent to or from the host computer. But this is not the case here as we have set promiscuous mode to Deny.

With promiscuous mode set to Deny, if you ping Kali from the host computer, the Wireshark capture will pick up all of these packets, since they are being sent directly to and from the Kali machine. However, if you ping the router from the host computer, none of the request or reply packets will be picked up by your Wireshark capture in Kali, nor will any other such traffic. For example, if you use a web browser on the host computer to navigate to the router's login interface, the capture will not detect any of this traffic.

With this observation, we have acquired our target. What we would like to do is two-fold: 1) pick up any direct traffic at all between the host computer and the router, 2) pick up any sensitive traffic (and any correspondingly sensitive information) sent between these devices.

Running a Man-in-the-Middle Attack with Ettercap
To compromise the traffic between the host computer and the router, we are going to use a program called Ettercap. As noted in its manual page, Ettercap is a "multi-purpose sniffer/content filter for man in the middle attacks." Ettercap can be run from the command line or through its graphical interface. To launch the graphical interface, type the following command into a terminal: sudo ettercap -G. The Ettercap graphical interface:


However, we're going to run Ettercap from the command line, as this conserves more resources on the host machine since it does not require excess RAM. Our plan is to use arp poisoning to capture traffic between the victim and the router. Reading through the Ettercap manual pages allows us to determine that we can use the following command to conduct our attack:
sudo ettercap -i eth0 -T -M arp /192.168.1.1/ /192.168.1.2/
Before we run the command, let's take a closer look at what's going on here: 
  1. sudo runs the command as a privileged user. This is necessary for Ettercap to conduct the packet capture.
  2. ettercap tells the shell to run the Ettercap program.
  3. -i eth0 tells Ettercap to run the capture on the eth0 interface inside Kali. This may be different for you depending on how you have your network adapters set up. If you try to run arp poisoning on an interface that is not enabled, Ettercap will likely complain that "No such device exists". If you run it on an interface that is enabled, but not connected to a network, Ettercap will complain that "ARP poisoning needs a non empty hosts list".
  4. -Tq tells Ettercap to run in text mode (-T), meaning it will print out any text characters found in its capture.
  5. -M tells Ettercap to run a man-in-the-middle attack.
  6. arp specifies that Ettercap should run an ARP poisoning man-in-the-middle attack.
  7. /192.168.1.1/ and /192.168.1.2/ specifies the two specific hosts we want to target.
Let's see if we can capture any traffic between the victim and the router. Start a Wireshark live capture on Kali. Now ping the router from your host computer, and just let it ride (ex. ping 192.168.1.1). If you are running in non-promiscuous mode, Kali will not pick up any of the ping requests and replies between the victim and the router.

Now run the Ettercap command above (with any necessary substitutions for your own network configuration) from a terminal in Kali. If successful, the Wireshark capture should now begin picking up the echo requests and replies between the victim and the router (as well as any other packets passing between them), and Ettercap will print to the terminal any text picked up in those packets. You can now stop the live capture, quit Ettercap and stop the ping from the host machine to analyze the results. 

The next question is whether we can pick up any sensitive information, such as login credentials, passing between the victim and the router. For this, we'll slightly modify our Ettercap command:
sudo ettercap -i eth0 -Tq -M arp /192.168.1.1/ /192.168.1.2/
As you can see, everything is the same here, except I've added a q to the -T option. This tells Ettercap to run in quiet mode, which means that it will not print any and all text it picks up in captured packets, but rather only text of potential significance, such as login credentials. For our test, we want to see if we can capture the victim's credentials when logging into the router.

Start a new Wireshark live capture in Kali. Run the Ettercap quiet mode command in a terminal. Now, on the host computer, use a web browser to navigate to the router and log in to the administrative interface. Here's the result in Ettercap when I ran this attack against the WNR 2000 router:


As you can see, Ettercap picked up the victim's user name (here: 'admin') as well as the password (here: 'supersecretstring'). Moreover, the router passed the login credentials over the network in plaintext six times when the victim logged in to the device! Obviously, 'supersecretstring' is not a very good password, but in the present case it doesn't really  matter how secure the password is, since the router passes it over the network in plaintext.  
The login credentials can also be found in the Wireshark packet capture run alongside the Ettercap ARP poisoning attack. My Wireshark capture picked up a lot of packets, so let's do a search for 'credentials':


Inspecting the first packet returned from this search, reveals the following under the HTTP section of the packet view:


And there they are, the user name and password, conveniently located under the authorization heading: 'admin:supersecretstring'.   In fact, it turns out the login credentials are sent in plaintext every time the victim loads another page in the router web interface!

The victim's router admin account has now been compromised. After the victim logs out of the router, the attacker can immediately log in with admin privileges, change the password and lock out the victim, or make changes to the system's settings, turning it off, etc. The "Smart Wizard" on the WNR 2000 router isn't so smart or wizardly after all!

Now the question is: does this attack work against the router on your home lab? Let us know in the comments.

Reflecting on this attack, one would probably ask: Can't we detect this attack as it was going on? Does it not create a whole load of excess traffic on the network? Wouldn't it be clear from a packet capture on the victim machine that the intrusion took place? Wouldn't it even identify the ip and hardware addresses of the attacker? The answer to all those questions is in the affirmative, but you'd need to have been monitoring the network traffic over the whole course of the login session to know that. A simpler solution for the potential victim is to check the system's ARP cache before logging in to the router. This will identify whether there are two hosts on the network with the same hardware address. Since hardware addresses are supposed to be universally unique, this is a tell-tale sign that ARP spoofing is in progress.


Moving Forward
Now that you have your lab's local area network set up, what can you do with it moving forward? Well, that's up to you! At the very least, you can use it to test the security of any given networked device you like, whether it's your main computer, a secondary computer, a cell phone, a tablet, a network drive or fileserver, a television or gaming console, and so on. Do you know what precise information your cell phone or laptop broadcasts to the entire local area network when you connect to any wireless device?

That concludes part four of our tutorial series on setting up a home hacking and security testing lab. If you've followed along from the beginning, you now have a virtual network you can use to explore the vulnerabilities in Metasploitable, an isolated local area network to test the security of any device you wish, and some familiarity with a handful of the many tools that are bundled with Kali.

As always, questions, comments, suggestions and criticism are welcome in the comments. Happy hacking!
Comments (8)

Hack Lab Part 3: Installing the Victim Machine on a Virtual Network and Basic Exploits

This post is part three in our tutorial series on how to set up a home hacking and security testing lab. If you followed along in parts one and two, you have installed a Kali virtual machine in VirtualBox on your primary computer, and have begun exploring your home computer network with nmap and Wireshark, both of which come bundled in Kali.

In the present article, we will walk through the creation and installation of our victim machine, a virtual instance of Metasploitable2, and then configure our first lab network: a completely virtual internal network inside VirtualBox. We'll place the Metasploitable2 victim machine and the Kali attack machine on the virtual network, and conclude by showing one way to begin exploring and exploiting Metasploitable's various vulnerabilities with Kali, and then provide some resources for further study.

On that note, it must be stated at the outset that Metasploitable is an intentionally insecure machine, with a ridiculous number of vulnerabilities. It should never be exposed to the internet, or to an untrusted network. This is why we will connect it to a completely virtual network, one that cannot even be accessed by the host machine that is running VirtualBox.


Installing Metasploitable2 in VirtualBox
There are number of subtle differences between creating a Metasploitable virtual machine and creating a virtual instance of an everyday operating system such as Kali in VirtualBox, as wel shall see. Metasploitable2 is a prepackaged system intended for security testing and practicing common exploit techniques. Once the machine is set up, it does not require any updates or further configuration as was the case with Kali.

The first step, of course, is to download a copy of the Metasploitable2. Metasploitable2 was developed by Rapid7, the IT security group that created the Metasploit Framework, "a tool for developing and executing exploit code against a remote target machine," as noted at Wikipedia. The Metasploit Framework, as you may know, is also bundled in Kali, and the intentionally vulnerable Metasploitable2 system was created to provide a way to test the sorts of exploits that can be launched from Metasploit, among other tools.

You can download Metasploitable2 from Rapid7, but it is also available from other sources such as SourceForge. Once you've downloaded the file, unzip it, and place it wherever you prefer. I keep all my virtual machine .iso files and the like in a dedicated folder.

In the Metasploitable2 download, you'll notice a few differences from your Kali download. For Kali, we used the .iso disk image file to install the system on the machine. There is no .iso file for Metasploitable2. Instead we are instead going to install the Metasploitable.vmdk file, which stands for virtual machine disk format.

Start up VirtualBox and click "New" to begin setup of the victim system. Name the new virtual machine, select its type and version. I've just used the defaults here: Ubuntu, 32 bit. Click "Next".


Since we will not be using the Metasploitable system directly, but rather only interacting with it as a target, we can lower the amount of RAM we allocate for it.  I've chosen 384 MB as the initial setting. After you get it up and running, you might find that you can reduce it even further. In my experience, response times begin to noticeably lag around 256MB of RAM. Click "Next".


We do not need to create a virtual hard drive for Metasploitable. Instead the .vmdk file will act as a virtual hard drive itself. Select "Use an existing virtual hard drive file", then click the file-browser icon, navigate to your Metasploitable download files, and select the .vmdk file. Click "Create".


The newly created instance should now appear in your VirtualBox interface. Notice I have grouped my kali1 instance and my Metasploitable2 instances inside a folder labeled 'lab'. Grouping becomes very helpful once you have more than a couple virtual machines set up.


Now we need to tweak a couple settings for our Metasploitalbe virtual machine. Open the Settings window. I uncheck 'Floppy' in the boot order under the System menu, though this is not very important. In the Network settings, you'll notice that the default is the same as it was for Kali: there is a single network adapter enabled with NAT, natural address translation.


We're going to change NAT to an internal VirtualBox network. In the "Attached to" drop down menu, change adapter one by attaching it to "Internal Network". You can also name your new virtual network. The default name is 'intnet'. I'm going to call mine 'labnet'. Click OK.


We're not quite ready to fire up our victim system just yet. Or at least, I'm not, because I've chosen a new name for my internal network. My experience with internal networks in VirtualBox has been a bit inconsistent. I clearly recall that the first time I used an internal network, it just worked and no further config was necessary. On another computer, I later found that the default internal network 'intnet' had to be configured as you would any custom internal network. If you fire up your Metasploitable virtual machine, log in and find that you have a functioning ip address, you're all set and can skip the following section. Otherwise, read on.

Configuring the VirtualBox Internal Network
I have to now enable the VirtualBox internal network 'labnet' to which I've just attached my Metasploitable virtual machine. If we take a look at the VirtualBox user manual section on Internal Networking, we read:
Unless you configure the (virtual) network cards in the guest operating systems that are participating in the internal network to use static IP addresses, you may want to use the DHCP server that is built into VirtualBox to manage IP addresses for the internal network. Please see Section 8.35, “VBoxManage dhcpserver” for details.
Rather than set up static ip addresses for our virtual machines on the virtual internal network, let's set up the virtual dhcp server. Reading through the VirtualBox user manual section on managing the dhcp server, we can conclude that running the following command in a terminal on the host computer will appropriately configure the internal labnet network.
VBoxManage dhcpserver add --netname labnet --ip 192.168.1.1 --netmask 255.255.255.0 --lowerip 192.168.1.2 --upperip 192.168.1.255 --enable
What's going on here? Let's parse this command.
  • There is the command for the VirtualBox dhcp server: VBoxManage dhcpserver
  • We want to create a new network, therefore: add
  • We indicate the name of the new network: --netname labnet
  • We specify the ip address of the dhcp server itself: --ip 192.168.1.1
  • We specify the subnet or netmask: --netmask 255.255.255.0
  • We specify the lower ip address for the server: --lowerip 192.168.1.2
  • We specify the upper ip address for the server --upperip 192.168.1.254
  • Finally, we enable the network so it starts any time a machine on the network is started: --enable
If successful, you can now fire up your new victim system and it will automatically be connected to the newly-configured internal virtual network. Go to the VirtualBox interface, select the system and click Start. This is the Metasploitable login screen:


Run ip addr or ifconfig to confirm that the system has been given an ip address and make a note of it. The victim is prepped. Did I mention? Metasploitable is an intentionally insecure machine, with a ridiculous number of vulnerabilities. It should never be exposed to the internet, or to an insecure network!

Now let's put our attack machine on the internal network. Network adapters can be changed in this manner even if the machine is running, though in my experience, this can also lead to minor glitches in the functioning of the VM, so I usually shut down if I'm going to change network settings for a VM.

Select your Kali instance in the VirtualBox application interface, click Settings, go to the Network settings. Change the adapter from Bridged to Internal Network, and select the name of your newly created internal network. I also "Allow All" in promiscuous mode under the advanced settings, as this allows the Kali network interface to detect any and all packets to and from the other virtual machine (as well as the host computer, if it were able to connect to the same network). Click OK.

Start up Kali and log in if the machine is not running. Check ip addr or ifconfig to make sure you have gotten an ip address from the virtual dchp server. If so, you're all good! Open up the Ice Weasel browser that comes bundled with Kali. In the address bar, enter the ip address of your Metasploitable instance. When the page loads, you should see the web interface that is pre-configred on the Metasploitable virtual machine. It comes packaged with 5 different websites/webapps that are intentionally insecure: TWiki, phpMyAdmin, Mutillidae, DVWA, WebDAV:


At this point, you now have a virtual internal lab network running on your host computer, and two virtual machines running on that network: your Kali attack machine and your Metasploitable victim machine. Remember, this network is completely internal to VirtualBox. Your virtual machines cannot communicate with the host computer over this network and the host computer cannot communicate with the virtual machines over this network. They are isolated.

Exploring Metasploitable's Vulnerabilities
Now the real fun begins! The first thing you might do here is passive network monitoring to see what kind of packets, if any, the victim machine is sending out over the network. Fire up Wireshark inside Kali, and start a capture on the appropriate interface for the lab network. (See part two of this series on how to configure Wireshark for live capture.)

From the packet capture, you'll soon notice that Metasploitable sends out workstation and workgroup announcements every couple of minutes for services that are running on it. If you inspect those packets more closely, you'll find that those packets contain a good deal of information about the host machine sending them, as well as about the services running on it.

An an exercise, confirm by inspecting the packets you've captured that Metasploitable is: 1) a workstation, 2) a server, 3) a print queue server, 4) a Xenix server, 5) an NT Workstation, 6) an NT Server, and 7) a Master Browser. You can doubly confirm that the machine is running such services by browsing its shares over the network in the file manager. But where can we find the network login credentials to view the shares?

Now that we have some idea of what we're dealing with, let's conduct a few port scans of the victim system to see what vulnerabilities that might expose. Let's just go through some of the various default scan types built in to Zenmap to see what they bring to light.

A ping scan reveals that the host is up. A quick scan identifies 18 open ports, among them the reserved ports for ftp, ssh, telnet, smtp, htttp, mysql and so on. A regular scan identifies 23 open ports. An intense scan also reveals 23 open ports, but it also provides operating system and version information, along with more detailed information about the services running on the various ports. For example, it notes that anonymous ftp login is allowed on port 21, identifies the SSH server's hostkey fingerprint, and so on. Run the more intensive scans to see what else you can find.

As an exercise, analyze the command options used in the various Zenmap scans to determine why those particular scans revealed that particular information.  

It is worth noting here that a couple leads for tracking down Metasploitable's network login credentials are provided already in the simple quick scan. However, it is indicative of the system's complete insecurity that these leads make the question of determining the network login credentials moot. Can you identify any such lead and why it moots our earlier question?

If you've followed along this far, you're probably asking yourself: what's next?  (That is, if you haven't jumped ahead already.) Well, you now have a fully functioning virtual hacking lab outfitted with one of the most powerful attack systems and one of the most vulnerable victim systems around. It's time to start exploring some of the more involved tools bundled in Kali and see what other kinds of weaknesses you can identify and exploit in the various services running on the victim machine, including in the five websites and applications running on the system.  That, however, is beyond the scope of the present article, but here are some resources to help get started:
Like nmap and Wireshark, all three of these tools are listed in Kali's "Top Ten Security Tools" menu.

That concludes the present article. In part four of the series, we'll set up an external local area network and demonstrate how it is possible to steal login credentials from a victim machine logging in to a compromised router. As always, questions, comments, suggestions and criticism are welcome below.
Comments (5)

Hack Lab Part 2: Exploring Your Home Computer Network with Kali Linux

This article is part two in our tutorial series on how to set up a home hacking and security testing lab. If you followed along in part one, installing a Kali Linux virtual machine in VirtualBox, you have installed VirtualBox on the primary computer for your home lab and created a Kali Linux virtual guest on this host machine. The Kali system has been fully updated and VirtualBox Guest Additions have been installed on it. Finally, your Kali VM has a single network adapter running in bridged mode and you have set up an administrator account on the Kali instance. 

Creating and configuring the virtual network setup outlined in the introduction, which we will do in part three of this series, requires a few more steps: we still have to download and install Metasploitable, set up the virtual network, etc. But if you're like me, you're probably already itching to start playing with all the toys Kali has to offer, if you haven't already!

Home Network Analysis 101
This article will show how some of the tools that come bundled in Kali can be used to explore your existing home computer network, and test whether you can successfully identify all the devices that are connected to it. In particular, we'll take a look at a set of tools that come bundled in Kali that can be used for network analysis: nmap/Zenmap and dumpcap/Wireshark.

These will come in handy in our eventual testing lab, but they can obviously also be used to explore your home local area network as well. Nmap is a command line network scanner, and Zenmap is a graphical interface to nmap. Dumpcap is a command line network traffic monitor, and Wireshark provides a powerful and versatile graphical interface to monitor network traffic and analyze network packet capture files.

Here's a simple experiment. Do you happen to know how many devices are currently connected to your home network? Can you identify all of them off the top of your head? Try to do so, and make a list of them. At the very least, we know there will be at least three: the Kali guest, the host machine you are running Kali on, and your router. There may also be more computers or cell phones connected to it, and maybe even your television, refrigerator or coffee maker!

We are first going to use nmap to see if we can identify any such devices on the network, and perhaps detect one or two that we did not think or know were connected to it. We'll then configure Wireshark and run a packet captures to get a sense for the normal traffic on the network, and then run another capture to analyze just how an nmap network scan works.

Determining Your IP Address
Before we can scan the network with nmap, we need to identify the ip address range we would like to examine. There are a number of different ways to determine your ip address on a Linux distribution such as Kali. You could use, for example, the ip or ifconfig commands in a terminal: ip addr, or sudo ifconfig.

(Note that if you are using an administrator account inside Kali, which is considered a best practice, when a non-root user enters a command such as ifconfig into a terminal, the shell will likely respond by complaining "command not found". In Kali, sensitive system commands like ifconfig have to be run as root. To access it from your administrator account, all you need to do is add "sudo" to the front of the command: sudo ifconfig.)

These commands will provide you will a wealth of information about your network interfaces. Identify the interface that is connected to the LAN (likely eth0), and make a note of the ip address indicated after "inet" for the ip addr command, or after "int addr:" for the ifconfig command. That is your ip address on your local area network. Here are a couple ifconfig and ip addr outputs posted by the Ubuntu Journeyman:



As you can see here, the ip address for this machine is 192.168.1.4.5. Yours is likely something similar to this: for example, 192.168.1.123 or 10.0.0.56 etc. Notice in the ip addr output above, the ip address is: 192.168.4.5/24.  That means 192.168.4.5 is the ip address of that specific machine, while the /24 at the end indicates the address space for the LAN's subnet, which in this case are all the addresses from 192.168.4.1 to 192.168.4.255.

If we were to scan this local area network with nmap, we would want to scope out all the addresses in the network's range, which means 192.168.4.1, 192.168.4.2, 192.168.4.3, 192.168.4.4, and so on, all the way to 192.168.4.255. One shorthand way of notating this is: 192.168.4.1-255. Another common shorthand is 192.168.4.0/24.  Of course, if your address were 10.0.0.121, then the shorthand would be: 10.0.0.1-255 or 10.0.0.0/24. 


Host Discovery
Let's assume your Kali VM has the ip address 192.168.1.5 on a subnet with possible host addresses from 192.168.1.1 to 192.168.1.255. Now that we know Kali's ip address and the address range we want to take a look at, open up a terminal and type: nmap. This will provide you with a long list of all the options available within the nmap program. Nmap is a powerful program and there are a lot of options! Perhaps the simplest possible network scan that can be conducted with nmap is a ping scan, for which we use the -sn option.

Now type nmap -sn 192.168.1.1-255 into your terminal and hit enter. (Don't forget to substitute the address range for your network if it is different from this!) This scan will tell you how many hosts nmap discovered by sending a ping echo request to each of the addresses in the range x.x.x.1-255, and provide you with a list of the ip addresses of the hosts that returned a ping reply. This is host discovery 101. Here is the ping scan output from nmap on a simple local area network I set up for the purpose:


The ping scan found 5 hosts up with the addresses: 192.168.1.1, .2, .3, .5 and .6.  Note that in the wild, this method of discovery may not work, as it is becoming increasingly common for administrators to configure their systems so that they do not reply to simple ping echo requests, leaving a would-be ping scanner none-the-wiser about their existence.

Did your scan find the same number of hosts that you had presumed were on your network? Were there more or less?

We can use the default nmap scan to further investigate known hosts and any potential ghost hosts the ping scan may or may not have uncovered. For this, simply remove the -sn option from the command above: nmap 192.168.1-255. Here's the output of the default nmap scan on the same network as above:


Nmap has returned much more information. It found three open ports on the router at 192.168.1.1, as well as an open web server port on host 192.168.1.2.  All scanned ports on the remaining hosts were closed.

You can also use nmap to further investigate known hosts. The -A option in nmap enables operating system detection and version detection. Pick out a couple of the hosts discovered by your nmap scans, for which you already know the operating system type and version. Now scan these hosts with nmap for OS and verstion detection by adding them to your host address target list, separated by commas.  For example, if I would scan the router and web server discovered above for OS and version detection with the command: nmap -A 192.168.1.1,2. This will return more information, if any is determined, on those hosts.

You can obviously also run an OS and version detection scan over the whole network with the command: nmap -A 192.168.1.1-255. Depending on the number of hosts on your network, this scan could take a couple minutes to complete. If you press <Enter> while the scan is running, it will give you an update on its progress.

If there are more and a handful of hosts on your network, the output can be hard to parse in the terminal. You could send the output to a file with:  nmap -A 192.168.1.1-255 > fileName.txt. Or you could use one of nmap's own built-in file output options.

But this is also where Zenmap comes in quite handy. Open up Zenmap from Applications->Kali Linux->Information Gathering->Network Scanners. If you are running as an administrator and not root, as you should be, you will get a message stating that not all of nmap's functionality can be accessed without root privileges. Root is not necessary for basic scans. However, you can run Zenmap as root by opening a terminal and typing: sudo zenmap. The Zenmap interface:


The Zenmap interface is pretty straightforward. Enter the target ip address or address range into the target field. Changing the scan profile from the drop down menu changes the scan command. You can also manually enter or edit commands in the command field. After you run a scan, Zenmap also helpfully breaks down the results for you, providing host details, port lists, network topology graphics and more.

Play around with the various built-in scan types. Can you identify all the hosts on your home network with a ping scan? a regular scan? an intense scan? Can you identify all the open ports on those hosts? If you have a laptop or another device that you frequently use to connect to the internet over public wi-fi hotspots, you can also do intensive scans of those devices to determine if there are any open ports that would represent a potential security vulnerability. Identifying open ports is important for vulnerability assessment, because these represent potential reconnaissance or attack vectors.


Network Traffic Capture and Analysis with Wireshark
Nmap scans a network and probes hosts by sending out ip packets to, and inspecting the replies from, its target at a given address. With 255 addresses to scan along with 1000 ports on all discovered hosts in the default scan of the subnet above, that's a lot of network traffic! What does the packet traffic generated by a scan look like on the network?

To answer this question, we can use Wireshark and dumpcap. Dumpcap, as its name implies, is a command line tool that dumps captured network traffic. Wireshark provides a graphical user interface to analyze these sorts of dump files, which are collections of all the network traffic to which the given network interface was privy.

If run with the proper privileges, Wireshark can capture live network traffic as well. In Kali, you can find Wireshark under: Applications->Kali Linux->Top 10 Security Tools. Unless you have already configured Wireshark with the appropriate settings, when you open it for the first time you will be informed by the "Capture" panel that "No interface can be used for capturing in this system with the current configuration."


In its documentation, Wireshark recommends appropriate settings to enable capture privileges. This also suggests confirming that Wireshark can also be run as root. To run Wireshark as root, you can log in as root, or run sudo wireshark in a terminal. When you run Wireshark as root, you will first be given a usage warning and provided with sources for how to set up proper privileges. This forum post on AskUbuntu boils the process down to three simple steps.

Now that you've enabled live captures in Wireshark, let's run one! Click "Interface List" in the Capture panel of the default view. Choose the interface that is connected to the network (it will indicate your ip address on that network), and click Start.

This will immediately begin a live capture of all the packets on the network to which the interface has access. At the very least, it will detect: 1) packets it sends out, 2) packets it receives directly, 3) packets it receives indirectly if they are broadcast to all the hosts on the network.

If you have never viewed a network packet capture before, you may be surprised what you can see, and what information is simply being broadcast over the network. You'll probably find messages from your router, you'll see internet traffic packets if you are viewing a webpage in a Kali browser, or on Kali's host computer (depending on whether or not Promiscuous Mode is enabled in the VirtualBox advanced network settings for your Kali machine). You might find that one device is especially chatty for no good reason. There might be devices pathetically sending out calls to other devices that have been removed from the network, such as a laptop searching for a printer that has been turned off, and so on.

The default Wireshark packet capture interface numbers each packet it captures, and then notes the time after the capture began that it received the packet, the ip address of the source of the packet, the ip address of the destination of the packet, the protocol, the packet's length and some info. You can double click an individual packet to inspect it more closely.

If you ping your router (which you should have been able to identify via nmap analysis) from Kali, you'll see all the requests and replies, obviously, since the Wireshark capture and the ping are running on the same machine. But the Kali guest shares its interface with the host machine. If you enable promiscuous mode in the advanced network settings inside VirtualBox for your Kali instance, when you ping your router from the host machine itself, the Wireshark capture will similarly allow you to see all requests and replies, they're going over the same interface! If you disable Promiscuous Mode, on this other hand, this will not be the case. In this case, packets to and from the host computer will not be picked up, as if it were a completely separate physical machine. Similarly, if you ping your router from a different computer, you will not see the request/reply traffic at all, though perhaps you might pick up an ARP if the requester does not already know the (hardware) address of the request's intended recipient.

After getting a feel for what the base level network traffic looks like on your network, start a new capture, and then run a simple scan from nmap or Zenmap, and watch the result in Wireshark. When the scan is finished, stop the capture and save the file. Capturing the simple nmap ping scan from above on my network resulted in a file with over 800 packets! Now you can analyze the network traffic generated by the scan itself. You'll probably want to play around with Wireshark for a bit to get a sense of what it offers. There are tons of menus and options in Wireshark that can be tweaked and optimized for your own ends.

Well, that's it for this article. In part three of our hack lab tutorial series, we'll install our victim machine, an instance of Metasploitable2, in VirtualBox and set up a completely virtual lab network to explore some more tools that are bundled in Kali. As always, comments, questions, corrections and the like are welcome below.
Comments (18)

Hack Lab Part 1: Installing a Kali Linux Virtual Machine in Virtualbox

In this article, which is the first part in our tutorial series on how to set up a home hacking and security testing lab, we will walk through the creation and installation of a Kali Linux virtual machine inside VirtualBox. This system will then function as our main monitor and attack machine in subsequent tutorials. After setting up the virtual system, we will:
  1. run a live Kali session
  2. do a full install
  3. update the system
  4. install the VirtualBox Guest Additions
  5. configure appropriate user accounts
  6. and finally switch over to a bridged network adapter in preparation for the next tutorial in the series
The whole process may take a few hours to complete, more or less, depending on the specifics of your own situation, ex. computer, internet connection speed, and so on. This session took me about three hours from beginning to end.


Virtualization
There are a number of different free virtualization packages available online. For this tutorial series, we've chosen to go with VirtualBox because it's open source, beginner friendly, and there is a lot of documentation and support information that can be found for it online, especially regarding the systems that we will be installing. For example, since Kali and Metasploitable are derived from the Debian Linux distribution, support information on other Debian-based operating systems such as Ubuntu or Crunchbang is often also applicable to Kali and Metasploitable, as we shall see in this and subsequent articles.

The first step is to download and install the VirtualBox software package onto the primary computer chosen for your lab setup. Make sure you download the right version for your operating system and hardware architecture (32 bit vs. 64 bit). Instructions for installation on various operating systems are readily available if you run into any snags. Also make sure to keep a handy copy of the VirtualBox user manual, which comes packaged with the software and can also be found online.

Once you install VirtualBox and run it for the first time, you'll be presented with the application's welcome prompt, which provides an orientation for the interface. Poke around in the menus to get a feel for the software.

Next, download a copy of the Kali Linux operating system .iso disc image. Again, make sure you download the proper ISO file for your computer's architecture. Depending on the speed of your internet connection, this may take some time, as both the 32 bit and 64 bit files are 3GB in size. Kali's documentation can be found here.

As Kali is a security sensitive system, once you have downloaded the file, it is recommended to check its SHA1SUM hash value against the one supplied on the download page to make sure the file had not been corrupted in transit. For more on how to check a file's hash value, follow the link to our previous article providing an overview of the process.

If you plan on playing around with a number of different virtual guests on your computer, it is probably a good idea to create a permanent folder somewhere on your system where you will keep all the necessary operating system .iso files.

Creating a Virtual Machine
Now let's return to VirtualBox and set up the virtual machine on which we will install the Kali operating system. Open VirtualBox and click "New". Provide a name for your Kali virtual guest system. Choose Linux as the type and Debian as the version, since Kali is derived from Debian Wheezy. As you can see below, I'm using the 32 bit version. Click Next.


Choose the amount of memory you want to allocate to the virtual instance once it is up and running. In my experience, Kali can use a lot of RAM, and the computer I'm running it on has a fair amount to spare, but for now I'm going to leave it at the default of 512MB.  You can also adjust these settings later to optimize them for your own setup. In my experience, Kali runs pretty well in VirtualBox even on a laptop with only 4GB of RAM, though you may have to conserve by shutting down memory intensive applications running on the host computer. After you've set your memory size, click Next.


Choose whether you want to create a virtual hard drive for the virtual machine. We're going to need one for our home lab, so check "Create a virtual hard drive now", then click Create.


For the "Hard drive file type", check "VDI (VirtualBox Disk Image)", then click Next.


In the "Storage on physical hard drive" window, you'll probably want to choose "Dynamically allocated." This means that space will not be taken up on your physical hard drive until it is actually written to the virtual disk. If you choose "Fixed size" then the virtual disk drive will take up a set amount of space on your physical hard drive even if that space has not been written to by the virtual machine. Click Next.


In "File Location and Size," choose where you want the hard drive files for the virtual system to be stored by clicking on the folder icon. I just use the default folder. This is where VirtualBox will store all files related to your virtual machine. Also, on this screen you may increase or decrease the amount of hard drive space you want to be allocated for the virtual instance. 8 GB is the default. I'm going to push mine up to 10 GB. Click Create.



The new virtual system should now appear in your Virtualbox interface. As you can see I have three folders in my left sidebar, and have placed the kali1 instance I just created into a new "lab" group. In the main interface we can see the settings for the new systems, which are a mixture of defaults and configuration settings we determined ourselves in the creation phase. Before starting up the instance for the first time, I usually adjust a few settings first.


Click "Settings" for your new virtual machine. I'm going to add a description under the General menu, because I have other Kali instances on my computer.


In the System menu, under Motherboard, I uncheck "Floppy" in the boot order.


Also in the System menu, under the Processor sub-menu, we have to check "Enable PAE/NX" for Kali to operate properly.


Finally, under the Display menu, I add more Video Memory to the default 12MB, bumping it up here to 36 MB to start. Again, this can be adjusted later to optimize your particular setup.


That's it for now. Browse through the other menus. Notice in the Network setting we can add up to 4 different network adapters for our virtual machine. Later we will play around with the network setting, after we've fully installed the Kali operating system. For now, a single network adapter running on NAT (i.e. Natural Address Translation) will suffice for our purposes.


Click "OK" to save your changes.

Fire up your new machine by double clicking it, or single clicking it and then clicking Start. You will be prompted to "Select start-up disk". We now have to choose the startup disk for our new virtual machine. This is the Kali .iso file we downloaded earlier. Click the folder icon and navigate to the folder where you've stored the Kali .iso file on your host computer. Select it, then click start.



Booting into a Kali Live Session
Kali should boot as if you were booting a real physical machine from a cd with the Kali operating system file on it. Notice that if you click inside the guest window, your mouse pointer will be "captured" by the guest. From then on, your keyboard and mouse activity will control the virtual machine. To switch back to using your host machine, you have to hit the host key, which by default is Right-Control on my computer. It may be different depending on your operating system. The Virtualbox interface will tell you what the "Host Key" is in the bottom right of the window.


From this menu, you can boot into a number of different types of live session, or you can do a full install of Kali on the virtual hard drive we previously created inside Virtualbox. As we shall see, there are numerous advantages to doing a full install of Kali for the purposes of our home hacking lab, but one of the advantages of a live session is that we can jump right in without any further configuration. Let's select the default Live session. Here is the Kali Desktop after booting into live session (note the time and day, yes, this is how I prefer to spend Saturday evening):


You will soon notice that there are certain limitations to the virtual machine's interface. For example, your mouse wheel will not work, you cannot enlarge the size of the screen, or go full screen, there is no tab completion in the terminal, and there are other interace issues as well. This is not a limitation of the live session, or Kali itself, but rather of the virtual machine we've created. However, all these issues can be addressed by installing the Virtualbox Guest Additions, but we'll save that for our future full install of the system.

Notice also that there are limitations to the default NAT networking interface. Under NAT (natural address translation) the Kali guest is not treated as its own independent node on the wider local area network. It does not have an independent ip address on the local area network. Its virtual ip address is translated by the ip address of the host machine. This can be addressed by adding a second network adapter to the virtual system or changing the present one, as we shall see later on.

However, despite these limitations, you can already begin exploring the ridiculous number of tools that come bundled with Kali. Here are Kali's Top Ten Tools:


Since all appears to be working well, let's take a snapshot of the virtual machine. VirtualBox snapshots are a way to keep a log of your virtual machines in a given state. If you are experimenting with a new configuration, and everything suddenly goes to hell, you can always revert back to your previous snapshot like nothing happened. Go to the VirtualBox interface window, select your Kali guest, click "Snapshots" in the upper right. Take a snapshot by clicking on the camera icon. Name the snapshot, and give it a description. Now, if we seriously screw up something on the machine, we can always just revert to this prior state of the system.


Now let's reboot to do a full install. Click the root menu item in the top right of the Kali Desktop window. Then choose reboot or do a full shut down and boot from the VirtualBox interface. In the process, you will be prompted to remove the disk from the system. Of course, we are using a virtual disk image, so there is no physical disk that needs to be removed. Just click enter to continue. Now reboot . . .  OH NO!!!!! "FATAL ERROR: No bootable medium found! System failed."


If you've been following along thus far, you've likely just been delivered this disturbing warning by your virtual machine upon reboot. It's a good thing we took that snapshot! Actually, this was only to be expected. Remember when you had to remove the virtual disk from the machine upon shutdown or reboot? Well, we now have to re-insert the virtual disk, that way we can reboot into Kali and move on to a full install of the operating system. So solve this "Fatal Error," with your virtual machine still running:
  1. Point your mouse toward the Oracle VM VirtualBox application menu on your host machine and find the Devices dropdown menu
  2. Select "CD/DVD devices"
  3. Select "Choose a Virtual CD/DVD disk file..."
  4. Select or navigate to your Kali .iso operating system file
  5. Close the virtual guest by exiting the window and powering off the machine 

After the machine closes down, restart it from inside VirtualBox, it should boot into Kali from the newly inserted virtual disk.

Full Installation of Kali in VirtualBox 

Now let's move on to our full installation of the Kali virtual instance. Once your system reboots into the main menu, choose the Install option and hit enter.


The installation process will begin straight away. Note that over the course of the installation, the various menus are not graphical interfaces. You cannot point and click, you have to enter info via the keyboard, and use the arrow keys to navigate. We're not going to do anything fancy here for the purposes of this simple home lab setup. In most cases the defaults will suffice. Simply follow the directions on each page. This process took about an hour on my computer. Here's the first screen:


  1. Choose your language.
  2. Select your location.
  3. Select your keymap.
  4. Enter the new host's name. It simplifies things to choose the same name you chose for your VM inside VirtualBox, but these need not be the same name. You can also always change both names later if you so wish.
  5. Enter a domain name. I'm going to leave it blank and hit enter.
  6. Enter a root password, then re-enter to confirm. These will be the credentials for the root super-user on the system. Be sure to make a note of the password you've chosen.
  7. Select your time zone.
  8. Partition Disks, select 'Guided - Use Entire Disk'. Not to worry, here 'Entire Disk' means the virtual hard drive we created upon initial setup of the VirtualBox machine. In my case, this will eventually claim up to 10GB on my harddrive, as this was the size I specified when I created the VM.
  9. Select disk. This is the virtual hard drive we configured earlier.
  10. Select partition scheme. Let's choose default, all files in one partition.
  11. Confirm selections, or go back if necessary.
  12. Select yes, to commit the changes by writing them to disk.
  13. Select network mirror if any. None is needed for this home lab setup.
  14. Select proxy if any. None is needed for this home lab setup.
  15. Install grub boot loader (default).
  16. Installation complete! Select continue.

Let the machine do its thing, and then reboot the system. Upon reboot, log into kali using 'root' as your username along with the password you chose for root during installation.

Congratulations, you now have a virtual instance of Kali Linux installed on your computer! But we're not done with our configuration of the new virtual machine just yet. We still have to update the software on the system, and then we're going to install the VirtualBox Guest Additions in order to enable full screen mode, tab completion in the terminal and so on. This process might take you another hour or so, depending on your internet connection.

Updating Kali and Prepping for Guest Additions
If your host computer is connected to the internet, you should have internet connectivity from inside your Kali VM over your NAT adapter. You can check this by opening up the bundled Ice Weasel browser and making sure you can get online. Ice Weasel can be opened by clicking the icon next to the Places drop down menu in Kali. You can also try pinging google.com or some other website from inside a terminal. You can open a terminal by clicking the terminal icon next to the Ice Weasel icon. We are going to need a working internet connection to update the system.

Let's update the system. Open a terminal in Kali and enter the following command:
apt-get update
This will make sure Kali checks the most recent repository for any software updates. Once this process completes, enter:
apt-get dist-upgrade
This will update all software on the Kali system. Depending on your internet connection, this may take some time. The process lasted around 15 minutes for me this time around. Once that is complete, you now have a fully updated Kali virtual machine. But we are still lacking some basic functionality, so now we're going to install the VirtualBox Guest Additions.

Installing Guest Additions in VirtualBox can be tricky. To prepare the system to handle the Guest Additions, we have to run a couple more commands inside the terminal, so open up a new terminal shell and run the following series of commands, one after the other, after each completes:
apt-get clean
apt-get autoclean
apt-get update
apt-get install build-essential linux-headers-`uname -r` dkms
Notice that `uname -r` is inside backticks, not single quotes in the final command here. Yes, this matters. The backtick key should be located just above the tab key on your keyboard. This series of commands was suggested on this CrunchBang forum post, and it has yet to fail me in setting up Guest Additions for a Debian-based machine inside VirtualBox. Once this process has completed, we can now install the Guest Additions themselves.

Installing VirtualBox Guest Additions in Kali
While engaged in the Virtual system, in the Oracle VM application menu, go to the Devices dropdown menu again. Notice the "Insert Guest Additions CD" option. Select it. You will get a pop-up inside Kali asking you if you want to run the file. If it succeeds, great! If not, that's not a problem. In my experience, it has never worked off the bat, so I click cancel.


Selecting the "Insert Guest Additions CD" menu option has inserted a virtual disk into your virtual machine. The files on this disk can be found in the folder: /media/cdrom/. Confirm that they are there by navigating to this folder in the graphical file system manager or in a terminal.

To install the Guest Additions for Kali, we need to run the VBoxLinuxAdditions.run file on the Guest Additions cd. However, you cannot simply run the file from the /media/cdrom/ directory. First we need to copy it and change its permissions.

Copy the file to your Desktop from inside a terminal with the following command:
cp /media/cdrom/VBoxLinuxAdditions.run /root/Desktop
You should see a copy of the file appear on the Desktop.  Change to the Desktop directory inside the terminal:
cd /root/Desktop
Change the permissions on the file with the following command:
chmod 755 VBoxLinuxAdditions.run
Run the additions file:
./VBoxLinuxAdditions.run
Success? Success!


If you experience any snags along the way here, you'll have to do some trouble shooting. There is a ton of info online regarding installation of Guest Additions in VirtualBox VMs, likely in large part because the process can be tricky. Remember also, that support info for other Debian-based systems such as Ubuntu and CrunchBang will also apply to Kali in many cases. But the series of commands above has yet to fail me.

Upon successful installation of the Guest Additions, we have to shut down the machine for the updates to take effect. Reboot and log in as root again. Once the system reboots, the simplest way to confirm that the Guest Additions have been successfully installed is to see if you can maximize the window for the guest system. You should now also have code completion in the terminal, among other things. You can now eject the Guest Additions virtual CD from the Virtual cd drive. Click the Computer icon on the Desktop, then click eject under the devices menu.

We now have a fully updated fresh install of a Kali virtual machine with the VirtualBox Guest Additions installed. Let's shut down the machine, take a snapshot and switch the network adapter into bridged mode in preparation for the next tutorial.

Switching to Bridged Networking
After the VM has shut down and you've taken your snapshot, open up the settings of your new virtual system and go to the Network menu. Unless you've already chaned these settings, you should have network Adapter 1 enabled, and attached to NAT. Change the attachment to a bridged adapter. This will allow our guest to act as an independent host on our local network, rather than have its address translated by the host computer the virtualization software is running on.


Finally, the adapter Name has to connect up to the appropriate network adapter of the host machine, i.e. the one that is actually connected up to your local network, whether it is a wireless connection, an Ethernet connection, or whatever. The appropriate one should be selected by default. Click Okay.

Start up the guest. Open a terminal and ping a known website or host, or use a browser to visit a web page. If it works, CONGRATS! You're in bridged mode.

If you have no networking capability, and can't even ping other computers on your home network, let along a website. You have to do some trouble shooting. Here are some troubleshooting questions:
  • Are your networking settings correct in VirtualBox?
  • Is the adapter for the guest machine connected to the right interface on the host computer?
  • Is Kali's /etc/network/interfaces file structured properly?
  • Is the appropriate interface up as indicated by ifconfig?
  • Have you tried restarting Kali's networking service?
  • Is Kali's /etc/NetworkManager/NetworkManager.conf file structured properly?
  • Have you tried restarting the network-manager service?  
As the old saying goes, when all else fails, read the manuals!  

Setting up an Administrator Account
If you've followed along this far, you are now logged into your Kali VM as root, have a fully updated system, and the VirtualBox Guest Additions installed. It is not good to get into the habit of running everything in Kali as root. Best practices dictate setting up an administrator account and using sudo to run security-sensitive commands.

Create an administrator account by going to the root dropdown menu in the top right of the Kali Desktop. Then select: root => system settings -> user accounts -> create an administrator account. Create an administrator account with a separate password.  Then log out, and log back in with your new admin account.  Using an administrator account such as this creates a bit of extra work (ex. having to use sudo for otherwise everyday commands such as ifconfig, having do to a bit of extra configuration for applications such as Wireshark and Zenmap), but it is a good habit to get into so as to avoid becoming careless with the root account. After setting up an administrator account, shut down the machine and take another snapshot.

In part two, we will use two tools bundled in Kali to explore your home local area network. Thanks for following along. As always, leave any questions or comments below. 
Comments (3)

Hack Lab Intro: How to Set up a Home Hacking and Security Testing Lab

Introduction

This series of articles comprises an introductory tutorial on how to set up a home lab to experiment with common hacking and information security testing tools. Our setup will  allow us to explore the sorts of computer and network vulnerabilities that can be encountered on the internet, and to test the security of our own home computer network and networked devices, all from within an isolated and secure working environment. The series is geared toward individuals who have little or no prior experience with virtualization software or common hacking and security testing tools, but are interested in exploring network and computer security.

Over the course of the tutorial series, we will create two separate network configurations. The first will be a completely virtual environment populated by two virtual guest systems running inside a single host computer. This requires nothing more than an internet connection for the necessary downloads, and a computer with relatively modest RAM and disk resources.

The second configuration will be an everyday local area network of the sort that can be found in many homes, but which is isolated from the internet and where we can strictly control and monitor all network traffic. This setup is slightly more involved in terms of hardware than the first, requiring also a spare router.

Our monitoring and attack system in both configurations will be an instance of a Kali Linux virtual machine running inside an installation of the VirtualBox software package on our primary computer. Kali is a Linux operating system distribution intended for security testing and digital forensics.

In the first completely virtual network environment, our victim will be an instance of  Metasploitable2, a virtual machine that exhibits vulnerabilities that can be found on  everyday computer systems and software configurations. As noted at Offensive Security, "Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques."

In the second network configuration, we will use the Kali Linux virtual machine to compromise an everyday local area network router of the sort that can be found on many home networks, in order to demonstrate just how easy it can be to steal login credentials  passed from another computer on the network.

The tutorial is broken down into four parts:
  • Part 1 covers the installation of VirtualBox and provides a walk through of a full installation of a Kali virtual machine on your primary lab computer. Along the way, we'll take a short detour on how to quickly run live Kali sessions without a full installation of the machine.
  • Part 4 provides details on setting up our second network configuration, which models an everyday home local area network. With the attack machine, we'll conduct a simple man-in-the-middle attack against the network's router, and demonstrate a serious security vulnerability by stealing login credentials sent to it from the victim machine, in this case, the host computer. 
Comments (3)

Hacked Printer Shows How Lax Security Could "Doom" Your Company

We live in a world of instant gratification and hyper-connectivity. Unfortunately, the connections that bring us easy and immediately pleasant results can turn on us just as quickly as they work for us. Nowhere is this more true than in the field of technology. This was recently illustrated when a Canon office printer, connected to an outside computer server, was hacked to play "Doom."

According to pcgamesn.com, the security flaw was intentionally manifested to prove that the overly-accessible printer proved a threat to office data security. The Canon Pixma printers have a web-accessible interface that required no authentication, enabling Context Information Security analyst Michael Jordon to sneak into the system and run a copy of "Doom" on the Pixma's LED screen. This was a playful but serious reminder than any party with unpleasant intent could create firmware to monitor or manipulate the printer's output, which could be instrumental in corporate espionage or sabotage.

As Jordon explained to The Guardian, “If you can run Doom on a printer, you can do a lot more nasty things...In a corporate environment, it would be a good place to be. Who suspects printers?”

Canon has assured its users that an update, requiring a username and password for the Pixma interface, will solve any rogue infiltration programs in all models that had previously been at risk to be compromised. Who says video games never teach you anything?

There are even worse things than these guys waiting to grab your office intel.  (Image courtesy cdn.bloodydisgusting.com.)

Comments

Hashing: How and Why to Check a File's Hash Value

Consider the following situation. You have been working for days on a PowerPoint presentation for work or school, and have been keeping the file on a shared computer, a network drive or even a personal flash drive. You put the final touches on your presentation the night before it’s due, save the file and get ready for a good night's sleep. The next day, you confidently begin your presentation. But imagine your surprise when you and your audience see the following image on your third slide:


You’ve been pranked. If you're lucky, everyone got a good laugh out of it. If not, there may be more serious consequences, depending on the situation. This sort of everyday  scenario raises an obvious question. Short of opening the file and manually perusing each slide in the presentation, how could you be sure that it had not been modified by any of the pranksters you may share your computer or network with? More seriously, how can we verify the integrity of a file that may or may not have been modified by a malicious individual seeking to infect out computer or network with a dangerous piece of malware?

In this article, we’ll consider these questions and discuss the pros and cons of one simple means by which we can verify a file’s integrity to ensure that it has not been tampered with, namely, by verifying its hash value. We’ll conclude with a quick tutorial on how to verify a file’s hash value on Mac, Linux and Windows systems, and provide some links to a few lectures on cryptographic hash functions culled from the series of courses listed in our collection of free online computer science courses. Our primary sources along the way will be Everyday Cryptography by Keith M. Martin, and Applied Cryptography by Bruce Schneier.

Malware comes in many different guises. As the Electronic Frontier Foundation writes in their Surveillance Self-Defense Project, malware is frequently spread by "trick[ing] the computer user into running a software program that does something the user wouldn't have wanted." Let's say you decide to download a file from a website you know and trust, and from which you have safely downloaded files in the past. How do you know, for example, that the file you have downloaded onto your computer is in fact the one intended by the trusted website? How do you know it was not altered in transit? How do you know it was not swapped for another file by a malicious attacker? And how can you determine this without running the file first? 

One simple way to verify a file's integrity is by confirming its hash value. In Everyday Cryptography, Martin writes: “Hash functions can be used to provide checks against accidental changes to data and, in certain cases, deliberate manipulation of data . . . As such they are sometimes referred to as modification detection codes or manipulation detection codes” (emphasis in original, Martin, p. 188). In our opening example, a suitable hash function would have allowed you to detect that your presentation had been modified in some way without ever opening it.

So, what is a hash function? The primary practical property of a hash function is that it compresses arbitrarily long inputs into a fixed length output (Martin, p. 189, Schneier, section 2.4). Furthermore, slight differences in the input data result in large differences in the output data. “A single bit change in the pre-image [i.e. the file you’re hashing] changes, on the average, half of the bits in the hash value,” (Schneier, section 2.4). Two of the most commonly used cryptographic hash functions are known as MD5 and SHA1. Schnier quotes NIST’s description of the SHA hash function as found in the Federal Register:
The SHA is called secure because it is designed to be computationally infeasible to recover a message corresponding to a given message digest, or to find two different messages which produce the same message digest. Any change to a message in transit will, with a very high probability, result in a different message digest. (Schneier, section 18.7.)
Here’s a simple example. I have created a plain text file named hello.txt on my Desktop. The file contains a single line that reads: “Hello there.” Applying the well-known sha1 hash function to the file produces the following hash value:
4177876fcf6806ef65c4c1a1abf464087bfbf337.

If I edit the file and remove the period from the end of the line so that it reads “Hello there”, the hash function now returns an entirely different value: 33ab5639bfd8e7b95eb1d8d0b87781d4ffea4d5d.

If I then return the file to its original state by adding the period back in to the end of the sentence, the hash value of the newly edited file will be the same as the original hash. And we would have seen much the same result (though it would have taken a good bit longer to compute!) if my original file had been a copy of the complete works of Shakespeare from which I then removed a period.  

Let’s consider a more practical example. The Electronic Frontier Foundation provides a number of recommendations on how to reduce your risk of malware infection in its Surveillance Self-Defense Project. At the top of their list, we read: “Currently, running a minority operating system [their examples are Linux and  MacOS -ed.] significantly diminishes the risk of infection because fewer malware applications have been targeted at these platforms. (The overwhelming majority of existing malware targets only a single particular operating system.)” This is more security through obscurity than anything else, but it’s still fun to try out new things, so after a bit of reading you decide to download a copy of the latest version of Ubuntu from an online repository.

How can you check to make sure that the file you’ve downloaded is the official one intended by Ubuntu’s developers and has not been manipulated or corrupted in transit? One way is to confirm that the file’s hash value is equivalent to the one provided by the developers. So you go to the page that lists the download’s hash value and make a note of it. Next, you run the hash function on the file you downloaded. If the resulting value is equivalent to the expected one, you have successfully verified the file’s hash.

However, it is critical to note here that verifying a file’s hash value by itself can only establish a relatively weak form of data integrity, in comparison with more robust mechanisms such as digital signature schemes which can provide a stronger form of integrity verification and even authentication. (Martin, pp. 186-189.) This is because a hash value such as we are discussing here cannot tell us anything about the origin of a digital file. For example, assume that unbeknownst to you, the site you’ve downloaded your file from has itself been compromised, and the attacker has: 1) replaced the download file with a piece of malware, and 2) also replaced the corresponding hash value that you use to check the file’s integrity with the hash value of the malware.

If you then verify the hash value of your downloaded file, you have done nothing more than verify the integrity of the malware! And you’re none the wiser because the site itself was compromised! At the same time, however, if you found out through another source that the site and file were compromised, you could then identify the malicious file and distinguish it from the legitimate source file. In a digital signature scheme, as mentioned above, the developer could digitally sign the legitimate hash value with a trusted key. In this way, the question of trust is then displaced to the question of signature authentication.

A second concern regarding this method of determining data integrity is the security of the hash functions themselves. There are known practical and theoretical vulnerabilities in two hash functions that are among the most common in use for these exact purposes on the web today: MD5 and SHA1. A discussion of these vulnerabilities is beyond the scope of the present article, but more information can be easily found online.

Still, as Bruce Schnier states, “we cannot use [one-way hash functions] to determine with certainty that the two strings are equal, but we can use them to get a reasonable assurance of accuracy.” (Schneier, section 2.4). In other words, hash functions can help us establish a basic level of data integrity. In our opening example, simply making a note of the hash and then checking it the next day would have sufficed to establish that the file had been tampered with. But, of course, if the file had been secured or encrypted to begin with, it never would have even been an issue in the first place.

Finally, how does one actually compute the hash value of a file? It is actually rather simple, but the specifics depend on your choice of operating system. MacOS and Linux systems come bundled with basic functionality to check any file’s hash value, while Microsoft Windows systems require you to download a piece of software to accomplish the task. Two of the most common functions used to verify file hashes are known as MD5 and SHA1. We’ll consider each in turn.

MacOS
1) Open up a command line Terminal.
2) Type “openssl md5 </path/to/file>” into the terminal and press enter.
2A) As an alternative to #2, you can also type “openssl md5 ” into the terminal, then drag and drop the target file into the Terminal window, and press enter.
3) The terminal will then return the MD5 hash value of the given file.

To compute the hash value of the file using a different hash function, type the name of that function into the terminal command in place of “md5”. For example, to compute the sha1 hash of a file, you would type: “openssl sha1 ” followed by the file path. To see a list of all the message digest commands available on your machine, type “openssl —help” into the command line terminal.

Linux (Debian-based)

1) Open up a command line Terminal.
2) Type: “md5sum </path/to/file>”. Then press enter.
3) The terminal will return the MD5 hash value of the given file.

To compute the hash value of the file using a different hash function, type the appropriate command into the terminal in front of the path to the target file. For example, “sha1sum </path/to/file>” will compute the file’s sha1 hash value. To see what other hash functions are available on your system, type “man dgst” into the terminal. 

Windows
Windows systems apparently do not come bundled with a built-in utility to check hash values. However, there are a number of different pieces of software you can download to accomplish the task. Microsoft Support lists the File Checksum Integrity Verifier, but warns that this is not supported by Microsoft and is only of use on Windows 2000, Windows XP and Windows Server 2003. This discussion at superuser provides a number of different extant options.

Video Lectures on Hash Functions
As always, comments, questions, suggestions and angry tirades are welcome below.
Comments (7)

Safely Stash Your Bitcash In Virtual Vaults

The popularity of Bitcoin and other crypto-currencies bodes well for promoting a decentralized financial system, but their allure also ups the danger of their theft. Now, virtual vaults have been created to add an extra layer of protection to your Bit-fortune.

According to www.joh.cam.ac.uk, there are currently over 13 million Bitcoins in circulation, with a value of over £311 per unit. Though the price fluctuates, this could rise to over £1000 per unit, and over 80 million people are expected to hold Bitcoin "wallets" (online accounts of their Bit-loot) by the end of 2014. The virtual vault Elliptical, created by students from St. John's University, Cambridge, England, holds virtual "keys" for users so that their Bitcoins may be accessed with additional layers of security, while making reports available on the varying market price of the currency. The heavy security makes Elliptical an attractive option for companies, law firms, and financial service providers, including the new Global Advisors Bitcoin Investment Fund (who collaborate to make Bitcoin viable for pensions and insurance providers.)

Elliptical is fully insured, allowing users not to fret that hackers or viruses will act like modern Bit-bank robbers. Creator James Smith explained Elliptical as, “a secure, insured custodian of Bitcoin and other digital currencies, serving a range of enterprise customers." He claims the site, which recently obtained £1.2 million in funding from the Octopus group, is being placed "at the heart of digital currency infrastructure."

So if your faith in the dollar, Euro, or pound is sinking lower than your hope for humanity, perhaps its time to invest in the realm of e-riches. Other vault options, such as Coinbase and Xapo, offer similar vault services.  The scope is serious, and the security is stronger than what you may think you are currently safe with.

No cracking, no hacking.

Comments

Apple Responds to Claims of Backdoor in iOS Devices

 Just in case you were still wondering if your devices are secure.  From The Next Web:
Apple has published new information about the diagnostic capabilities of iOS, in what appears to be a response to suggestions that it includes a ‘backdoor’ that could enable governments and other third-parties to access user data.

The controversy arose after security consultant Jonathan Zdziarski documented a vulnerability that could leave usage data on iOS device exposed. Rebutting subsequent reports that linked the vulnerability with government data collection, Apple told iMore that it has “has never worked with any government agency from any country to create a backdoor in any of our products or services.” . . .

Following his initial findings, Zdziarski has been in contact with Apple. Citing the company’s response to his claims, he said that he “doesn’t buy for a minute that these services are intended solely for diagnostics.” That’s to say that he found the type of data available to the diagnostics services to be “of an extreme personal nature,” which seemed out of place given the focus.
For all you folks out there who "have nothing to hide", I suppose you have nothing to be afraid of.  But in that case, feel free to leave your bank account information in the comments!
Comments

Cryptography vs. Cryptanalysis: Black Hat Talk on Hacking Tor Pulled from Conference

Historians of cryptology often describe the development of the discipline of "secret writing" in terms of a dialectic between cryptography and cryptanalysis, that is, between code makers and code breakers.  Cryptographers seek to create ever more indecipherable encryption schemes and cryptanalysts seek to break them.  An article on the cancellation of a Black Hat conference talk on the Tor privacy service from Reuters provides us with an interesting glimpse of how this tension is currently playing out among hackers and security researchers within the US government.  From Reuters, on the cancelled talk:

A highly anticipated talk on how to identify users of the Internet privacy service Tor was withdrawn from the upcoming Black Hat security conference, a spokeswoman for the event said on Monday.

The talk was canceled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers, the spokeswoman, Meredith Corley, told Reuters . . . a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the materials he would discuss have not been approved for public release by the university or the Software Engineering Institute (SEI). . . .

Its abstract, titled "You don't have to be the NSA to Break Tor: De-Anonymizing Users on a Budget," had attracted attention within the security and privacy communities. The abstract had been published on Black Hat's website but has since been removed.
While the media often identify Tor as the preferred browser of child pornographers, criminal cartels and terrorist groups they often fail to note that it was actually originally developed by US government researchers. Or perhaps their implication is that the US government naturally falls under one of those umbrella terms? Whatever the case may be in that regard, the Reuters article hints at the state of the arms race between US government cryptographers and cryptanalysts. Another excerpt:
The U.S. government funded the creation and much of the operation of Tor as a communications tool for dissidents in repressive countries. But Tor has frustrated the U.S. National Security Agency for years, according to documents released by former agency contractor Edward Snowden.
That revelation has helped increase adoption by those seeking privacy for political reasons, as well as criminals, researchers say. 
Some criminal suspects on Tor have been unmasked by the U.S. Federal Bureau of Investigation and other law enforcement or intelligence agencies using a variety of techniques, including tampering with software often used alongside Tor.

Check out the EFF for more information on Tor.
Comments (1)

Goto Fail: Apple iOS Bug Compromises SSL, Opens Vector for Attackers

From ZDNet:
Apple on Friday revealed a major SSL (Secure Socket Layer) vulnerability in
its software that affects all devices, allowing hackers to intercept and alter communications such as email and login credentials for countless Apple hardware users.

A new version of Apple's iOS for its tablets and phones was rushed out the door Friday to patch the vulnerability, wherein its mobile, tablet and desktop software is not doing SSL/TLS hostname checking — communications meant to be encrypted, are not.

The patch has only been issued for the more recent iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation).

Security researchers across several communities believe that Mac computers are even more exposed, as they are currently left hanging without a patch.
Imperial Violet has details on the bug itself:

So here's the Apple bug:

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
...

if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
...

fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
 
(Quoted from Apple's published source code.)
Note the two goto fail lines in a row. The first one is correctly bound to the if statement but the second, despite the indentation, isn't conditional at all. The code will always jump to the end from that second goto, err will contain a successful value because the SHA1 update operation was successful and so the signature verification will never fail.
If you're worried your system may be affected, follow the link above to Imperial Violent, who has created a tool to do a quick check.

Comments (3)

Massive Data Breach at University of Maryland

Governments, corporations, educational institutions, all of them completely incompetent when it comes to basic data security.  This is going to be a headache for a lot of people.  From Malwarebytes:
The University of Maryland (UMD) said it was the victim of a recent cyberattack, according to their statement released Wednesday. In the letter, UMD President Wallace D. Loh said he was informed of the breach yesterday evening by Brian Voss, the Vice President of Information Technology at the university.

“A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel,” Dr. Loh said. “The records included name, Social Security number, date of birth, and University identification number.”
Comments (1)

Kickstarter Compromised: Info Hacked

If you're on Kickstarter, you should probably be busy changing up your passwords.  From CNET:
Hackers hit crowd-funding site Kickstarter and made off with user information,
the site said Saturday.  Though no credit card information was taken, the site said, attackers made off with usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords.
"Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," the site said in a blog post, adding that "as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password."
Comments

Router Vulnerability Allows Easy Exploit

From the Hacker News:
In past months, we have reported about critical vulnerabilities in many wireless Routers including Netgear, Linksys, TP-LINK, Cisco, ASUS, TENDA and more vendors, installed by millions of home users worldwide.

Polish Computer Emergency Response Team (CERT Polska) recently noticed a large scale cyber attack ongoing campaign aimed at Polish e-banking users.

Cyber criminals are using known router vulnerability which allow attackers to change the router's DNS configuration remotely so they can lure users to fake bank websites or can perform Man-in-the-Middle attack . . .
Comments

Yahoo Mail Hacked

Uh oh!  From the CBC:
Usernames and passwords of some of Yahoo's email customers ha
ve been stolen and used to gather personal information about people those Yahoo mail users have recently corresponded with, the company said Thursday.

Yahoo didn't say how many accounts have been affected. Yahoo is the second-largest email service worldwide, after Google's Gmail, according to the research firm comScore. There are 273 million Yahoo mail accounts worldwide, including 81 million in the United States.
All the people who apparently do not care about widespread dragnet surveillance and backdoors installed in software and hardware at the behest of government spy agencies, apparently do not realize that these same "tools" can and will be used by anyone at all. 
Comments

Is Your Refrigerator Spying on You?

And here you thought you felt guilty because of what you were eating.  A press release from Proofpoint:
outsideperception.wordpress.com
Proofpoint, Inc, a leading security-as-a-service provider, has uncovered what may be the first proven Internet of Things (IoT)-based cyberattack involving conventional household "smart" appliances
. The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks. As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years according to media reports, proof of an IoT-based attack has significant security implications for device owners and Enterprise targets.
Comments

Car Hacking on the Rise

From Auto Express:
An increasing number of cars are at risk from computer hackers because of the advanced Internet enabled systems they offer – and the problem could be potentially life-threatening. That’s the warning from technology firm Harman at the 2014 Consumer Electronics Show (CES).
Modern cars have a number of electronic control units (ECUs), which not only control infotainment services, but also the operation of the engine, transmission and safety features such as stability control and anti-lock brakes.
If someone can hack into the connectivity system, they then have access to all the car’s other ECUs because there is currently no physical or electronic barrier between them.

Comments

Snapchat Vulnerable to Data Hack

From ZDNET:
Hackers have made sure that popular photo sharing app Snapchat got a hearty lump of coal for Christmas.  After having its security disclosure go ignored since August, Gibson Security has published Snapchat's previously undocumented developer hooks (API) and code for two exploits that allow mass matching of phone numbers with names and mass creation of bogus accounts.  on the GibSec Twitter account on Christmas Eve — which by time difference is Christmas Day in Australia.
The Australian hackers announced its publication of Snapchat's API and the two exploits 
Comments (1)

Target Data Hack Worse than Initially Reported

It's almost like they painted a target on themselves.  Oh wait . . . from the NYT:
After hackers stole credit and debit card records for 40 million Target store customers, the retailer said customers’ personal identification numbers, or PINs, had not been breached. Not so. On Friday, a Target spokeswoman backtracked from previous statements and said criminals had made off with customers’ encrypted PIN information as well.
Comments

Glenn Greenwald to Speak at Chaos Communication Conference

From ZDNet:
The world's oldest and largest global hacker organization The Chaos Computer Club (CCC) has announced it will open next week's conference, the 30th Chaos Communication Congress (30c3), with a December 27 opening keynote by Glenn Greenwald.

Glenn Greenwald's keynote tops our list of must-see talks at the legendary event. 30C3's schedule shows that the compelling keynote won't be the only explosive presentation at 30C3.

Mr. Greenwald's keynote will be webcast live on this page. If you miss it, all of 30C3's talks will be archived on the offical CCC media website. CCC's archives go online astonishingly fast.
Comments (1)

Tens of Millions of Credit and Debit Cards Compromised in Target Hack

If only there were an alternative global payment processing system, one that did not rely on the shady practices of banks and corporations.  From the Chicago Tribune:
Target Corp said data from about 40 million credit and debit cards might have been stolen from shoppers at its stores during the first three weeks of the holiday shopping season.
The data theft, unprecedented in its ferocity, took place over a 19-day period that began the day before Thanksgiving. Target confirmed on Thursday that it identified and resolved the issue on Dec. 15 . . .

Target said the breach, second-largest hack at a U.S. retailer, might have compromised accounts between Nov. 27 and Dec. 15, a period of nearly three weeks.
Comments (1)

Court Rules that Constitutional Protections Do Not Apply to "Hackers"

Are you keeping up with today's newspeak?  From Digitalbond:
The US District Court for the State of Idaho ruled that an ICS product developer’s computer could be seized without him being notified or even heard from in court primarily because he states on his web site “we like hacking things and don’t want to stop”. . . .
Comments

Adobe Hacked: Data on 3 Million Customers Compromised

From Adobe:
Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.
Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident . . . 
Comments

Book Review: Hacking Secret Ciphers with Python

Hacking Secret Ciphers with Python is a free introductory textbook on cryptography, computer programming and the Python programming language written by Albert Sweigert, a software developer from San Francisco.  Hacking Secret Ciphers with Python is Sweigert's third book on Python, and the first that teaches the programming language through cryptography and traditional cryptographic protocols.

Published under a creative commons license, the work can be read for free online, downloaded as a .pdf or purchased from Amazon, with all proceeds going to the Electronic Frontier Foundation, Creative Commons and the Tor Project.  From the book's description:
“Hacking Secret Ciphers with Python” teaches complete beginners how to program in the Python programming language. The reader not only learns about several classical ciphers, but also how to write programs that encrypt and hack these ciphers. The full source code is given and explained line-by-line for ciphers such as the Caesar cipher, transposition cipher, simple substitution cipher, multiplicative & affine ciphers, Vigenere cipher, and hacking programs for each of these ciphers. The final chapters cover public key cryptography and the modern RSA cipher.
Clocking in at 416 pages, the book is broken down into 24 chapters covering virtually everything from the ancient Caesar Cipher to modern public key cryptography.  It thus provides a practical overview of the history of cryptography, while simultaneously introducing the reader to progressively more advanced aspects of the Python programming language. 

The book begins at the beginning, showing the reader first how to create rudimentary ciphers with paper and scissors.  It then gives a quick introduction on how to install Python, how to work with the interactive shell, and provides a quick overview of Python basics before jumping in to its first major coding chapter on the Reverse Cipher.  For each cipher covered in the book, it provides the Python code to run that cipher, followed by a chapter covering a second program that can be used to hack that cipher.  Python basics are covered in the analysis of the code used to create and then hack the given cipher.

Highly recommended for beginner to intermediate Python programmers who are interested in cryptography.  And since it is available free online, you can dive right in.
Comments

Hacked Identity Theft Service Reveals Breaches of Numerous Consumer Data Aggregators

We're all up for sale online.  From Krebs on Security:
An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney. Until very recently, the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went.
Comments (1)

A Closer Look at the Syrian Electronic Army

From Krebs on Security:
A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects.

Earlier this year I reported that — in apparent observation of international trade sanctions against Syria – Network Solutions LLC. and its parent firm Web.com had seized hundreds of domains belonging to various Syrian entities. Among the domains caught in that action were several sites belonging to the SEA . . .
Comments

Fed Malware Takes Down Tor Host

From Wired:
Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.
Comments

Government Increasingly Using Hacking Tools

From the Wall Street Journal:
Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age.

Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals.

People familiar with the Federal Bureau of Investigation's programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can't be wiretapped like a phone, is called "going dark" among law enforcement . . .

The FBI develops some hacking tools internally and purchases others from the private sector. With such technology, the bureau can remotely activate the microphones in phones running Google Inc.'s GOOG +1.82% Android software to record conversations, one former U.S. official said. It can do the same to microphones in laptops without the user knowing, the person said. Google declined to comment. 
Comments

Instagram Hack Serves Up Fruit

Here's a funny little story from The Next Web:
An Instagram hack that posts pictures of fruit to users’ timelines has returned. We last saw the issue back in June.  Once again, the images – often of fruit but sometimes (as The Verge notes) of smoothies – are accompanied by text suggesting that the user is trying a new diet and encouraging others to follow a link that has been inserted into their bio.
Comments (2)

How Easy Is It to Hack a Cell Phone? Pretty Easy

From CNN:
An increasingly popular technology for extending cell-phone coverage ranges had a major security hole that went undetected for years, through which an attacker could eavesdrop on everything a target did on their phone, according to new research released on Monday.

The research brings to light previously unknown vulnerabilities in some models of femtocells, devices that mobile network operators use to bring wireless service to low-coverage zones. The compact boxes, which are typically as small as a standard cable modem, can be deployed in hard-to-reach spots like the top of an apartment building or a home in the mountains. Femtocells are also referred to as "network extenders," and analysts project that as many as 50 million of them will be in use by 2014.
Comments (1)

Your Credit Card Company and Bank are Threats to Your Information Security

Today, online hacktivist group Anonymous has launched Operation USA, which is targeting U.S. government and banking websites.  Ahead of the attack, the US Department of Homeland Security downplayed the planned operation.  According to reports
“OpUSA poses a limited threat of temporarily disrupting U.S. websites,” the homeland security bulletin states, saying the attackers will likely use commercial hacking tools in a variety of “nuisance-level” strikes, defacing websites or temporarily knocking them offline.
Once again, the Department of Homeland Security appears to have proven themselves to be both ignorant and inept.  Hackers are already claiming to have leaked detailed credit card information on 10,000 individuals to the website pastebin.  The leak contains names, addresses, home phone numbers, social security numbers, credit card numbers, mother's maiden name, the answers to the card holder's so-called "security question" and so on.  Make sure your information is not in the leak, and if it is, take appropriate action.  This hack succinctly demonstrates how woefully inadequate the security protocols are at some of the world's largest banks and credit card companies.  The question we should be asking is not, why would a hacktivist group engage in such malicious behavior.  Your working assumption should be that hackers are ALWAYS attempting to access your personal and financial information.  The real question is why are these corporations that we trust with our personal and financial information so insecure?  
Comments

Over 50 Million User Accounts Compromised at LivingSocial

From All Things D:
LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyber attack on its computer systems, which an email from CEO Tim O’Shaughnessy — just sent to employees and obtained by AllThingsD.com — said resulted in “unauthorized access to some customer data from our servers.”

The hack includes customer names, emails, birthdates and encrypted passwords.  The breach has impacted 50 million customers of the Washington, D.C.-based company, who will now be required to reset their passwords.
Comments

Who Will Protect the People from State-Sponsored Hackers?

In his State of the Union Address last night, President Obama emphasized the importance of protecting the country's computer networks from hackers "who steal people's identities and infiltrate private email."  But who will protect the people from US government agencies which are reading their emails, conducting illegal searches of their papers and effects, and engaging in warrantless wiretapping?  From the President's State of the Union Address:
America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.  


Comments
See Older Posts...