Buses, 802.11, and hilarity.

Ok. Just a short thing I noticed while connecting to “MoovManage” access point today on the bus.

I was sitting there, waiting for the laggy web auth thing to finish, and decided to have a quick look at what GET params I was sending. Sadly, I forgot to run a capture and harvest them, but I did notice that it gave away some interesting bits of data. ** See below, I got em! **

First off, one param was telling me about 10.0.0.1, and another 10.0.0.4. Another parameter contained my MAC address in the format 00-00-00blahblah

There were various other “bits” sent, that looked a bit like cookies, but I quickly realized that those were likely just extra fluff sent by the app. There was also the original request I made (http://www.google.com/) and a redirect to unnamedbuscompany.com (obviously I am redacting some data!)

There was also a reference to port 3306… What runs on 3306? MySQL.. So I am beginning to wonder, should I reconnect later (with a different MAC address – I have 3 wireless interfaces, Macchanger, and some SERIOUS curiosity) and run a sniffer/MITM proxy to see what is going on? Could be all kinds of data leakage there… maybe even connection params to MySQL Server?

Now for the “ideas”. Those GET params… XSS? SQLi? Who knows! A persistent XSS in such an app would allow you to harvest all kinds of data I imagine, like people connecting’s MAC addresses, sites they requested (+ get params associated), and their “intranet” IP. You could also force redirects to ads, malware, or phishing sites – the application already has redirects in place, but using an XSS vuln to introduce a “new” redirect to “facebook.com” or “gmail.com” would be… Fascinating.

Just some random thoughts :) (Its morning and /dev/brain has not mounted fully…)

## Some time later ##

So I got curious. As we all do. So I ran an nmap scan, as I don’t enjoy sharing my network space with unknown devices.

Here be the results… With SSL certs and such redacted because. Well because I felt like it!

user@brokenhost:~$ sudo nmap -sS -sV -A -O -vvv 10.0.0.1

Starting Nmap 6.02 ( http://nmap.org ) at 2012-06-20 09:21 IST
NSE: Loaded 96 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 09:21
Scanning 10.0.0.1 [1 port]
Completed ARP Ping Scan at 09:21, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:21
Completed Parallel DNS resolution of 1 host. at 09:21, 0.19s elapsed
DNS resolution of 1 IPs took 0.19s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:21
Scanning 10.0.0.1 [1000 ports]
Discovered open port 443/tcp on 10.0.0.1
Discovered open port 22/tcp on 10.0.0.1
Discovered open port 53/tcp on 10.0.0.1
Completed SYN Stealth Scan at 09:21, 7.73s elapsed (1000 total ports)
Initiating Service scan at 09:21
Scanning 3 services on 10.0.0.1
Completed Service scan at 09:22, 13.30s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.1
NSE: Script scanning 10.0.0.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:22
Completed NSE at 09:22, 26.50s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 10.0.0.1
Host is up (0.0071s latency).
Scanned at 2012-06-20 09:21:50 IST for 49s
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.2 (protocol 2.0)
| ssh-hostkey: 1024 [REDACTED] (RSA)
|_ssh-rsa
[REDACTED]
53/tcp open domain dnsmasq 2.46
| dns-nsid:
|_ bind.version: dnsmasq-2.46
443/tcp open ssl/http thttpd 2.25b
| sslv2: server still supports SSLv2
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
| ssl-cert: Subject:

[ SOME DATA REDACTED ]

Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 – 2.6.32
TCP/IP fingerprint:
OS:SCAN(V=6.02%E=4%D=6/20%OT=22%CT=1%CU=39626%PV=Y%DS=1%DC=D%G=Y%M=000B6B%T
OS:M=4FE1884F%P=i686-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CA%TI=Z%CI=Z%II=I%TS=
OS:8)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5B4ST11NW8%O5=M5
OS:B4ST11NW8%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A
OS:0)ECN(R=Y%DF=Y%T=41%W=16D0%O=M5B4NNSNW8%CC=N%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW
OS:8%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=41%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S)

Uptime guess: 0.044 days (since Wed Jun 20 08:19:58 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE
HOP RTT ADDRESS
1 7.06 ms 10.0.0.1

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:22
Completed NSE at 09:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.56 seconds
Raw packets sent: 1073 (47.958KB) | Rcvd: 1032 (41.990KB)

So, it is some kind of embedded Linux box (Debian) running an unusual HTTPd, an odd DNS server, and a ridiculously outdated version of SSH. Which I am sure is probably exploitable.

I also would guess ARM or MIPS/MIPSEL architecture, though do not hold me to that, as that is just a guess. I do not think it is running x86. Further poking was not done lest laws be violated – looking at something is OK, but actually trying to break into it, is NOT OK. Hence, I did not bother search for an exploit or anything. I might analyse the results later and publish ideas on owning these things, but not now.

To be honest, I want to buy one of these devices to poke at it some more, would love to find some vulns in them. They are embedded devices, ergo sexy as fuck!

Ok, so on my return trip I captured the GET it made. Here it is, dissected…

https://portal.moovmanage.com/setup/1082/2?res=notyet

&uamip=[GATEWAY IP] # 10.0.0.1
&uamport=3990 # How interesting, last time it was 3306… Perhaps random?
&challenge=1ae780936302d93e8a408936ab128209 # MD5 hash, have not cracked it… YET!
&mac=[MY MAC ADDRESS] # LOL, as if I was going to expose that ;)
&ip=[MY LAN IP ADDRESS] # 10.0.0.(removed)
&called=[ROUTER MAC ADDRESS] # Don’t track me bro…
&nasid=1082 # No clue what you are… YET
&userurl=http%3a%2f%2fgoogle.com%2f # Oh how nice. Thats where I was going :3
&md=584472E656ADD831B5D3060AA9B35E4B # MD5 hash, have not cracked it… YET!

So, I was wrong about the MySQL Server connection, but it DOES make some kind of connection, likely a “VPN” setup or something, or maybe that is the port my traffic exits the network via. I do not know yet.

10 simple tips to secure your (home) Wireless network.

Ok, pills I never thought I would write this, however over the coming weeks I plan to write up a few simple “checklists” for the average computer user to help them secure their networks (well, make them a BIT harder to penetrate) and their computers.

Also please note this is the raw draft written up between 4am and 5.48am, Saturday 2nd of June and published sometime later that day. All concept of time and space is gone to hell due to the immense amount of sleep deprivation my fuzzing of MiniWeb is causing me. It was written on the fly, and is all original content. It is just shit off the top of my head, so if you notice any flaws in it, alert me.
The links/references to tools I refer to are at the bottom and were/will be added just prior to publication. Seeing as spellchecker has not chewed me out yet, buy viagra there is clearly no problem :P

1. If you do not need it, turn it off!
Too many home users out there do not ACTUALLY USE their wireless networks. I have seen many cases where there is a wireless access point supplied by their ISP, enabled, with encryption either turned off, or defaulting to WEP, and the computer is actually connected via a LAN cable.
This, is opening you up to a totally pointless security risk. If you are NOT using wireless, you should NOT have it turned on. It is as simple as that. By leaving it enabled when not necessary, you pointlessly increase your attack surface to anyone within reach. And with a nice antenna… Well… Lets just say, “within reach” can mean “within a very bloody long distance”.

2. If you have not enabled encryption, do so.
This is simple. If your access point does not need authentication to connect, you should really fix this by enabling it. Which brings us to step three…

3. If you are STILL using WEP, upgrade to WPA-2 NOW!
Ok. Some simple stats/figures. If, for some reason, you, like MANY others, are still using the WEP encryption on your router/access point, you are just ASKING for someone to own you, be it a non malicious nearby kid who wants free internet, or someone who wants to, er, “explore”, your network. And all too often that freeloading kid turns out to be an explorer… Either way, using WEP is a very serious risk. You may as well be using NO encryption.
Let me explain it simply. My “fastest record”, from starting sniffing/injecting to cracking the WEP key, has been three minutes. Drunk. In a bar. Using nothing other than the freely available, open source, aircrack-ng toolkit. Three minutes. Less than the amount of time it takes to smoke a cigarette. Less than the amount of time it (normally) takes me to get a pint of Guinness at a bar.
WPA-2, on the other hand, (or even WPA, but why not opt for the more secure, better encrypted version?), can be a TOTAL pain to crack. First you have to capture a handshake, then you have to crack the key. Waiting for a handshake to appear can take hours! Even if you are deauthing people and sniffing, you could STILL be waiting hours! And then there is the chance their password is not in your wordlist… Using WPA exponentially increases (on average, in MY experience), the amount of time it takes to access your network.

4. Use a secure wireless passphrase.
First off, the default passphrase that comes with your wireless router/access point, is rubbish. Change it. It may look secure, but all too often there is a secret (i.e. well known) formula to derive the passphrase from the routers SSID or MAC address. See the Eircom WEP Key Bug for an example on this, though there have been countless other such vulnerabilities exposed.
If your passphrase is a dictionary word, or even a permutation of one, change it. A sentance is more secure, and just as easy to remember. Better yet, some random junk. Your computer will remember it FOR you, so you REALLY have no excuse. You only have to find it once, and there is NO shame in keeping “WPAKEY.txt” in your “My Documents” folder. I do it myself…

5. Disable WPS.
WPS, known as “Wireless Protected Setup”, was designed to allow devices to easily authenticate to access points in a secur fashion. Too bad the implementation has been proven to have some flaws, allowing people with freely available software such as Reaver to crack your WPS within a short period of time.
You should check does your access point allow WPS, and if it does, DISABLE IT. If, for some reason, it cannot be disabled, I would advise replacing it… Or shouting at your ISP repeatedly until they release an upgrade that allows disabling it.
This may cause SOME inconvenience, but I have never actually found a legitimate use for WPS (yet).
Just disable it.

6. MAC Address Filtering.
As a standalone security measure, MAC address filtering is a joke. It is easily bypassed. However, when combined with such things as WPA-2 and string passphrases, it actually adds an extra layer of security. This is the defence in depth principle.
Essentially, this locks your Wireless Access Point to a “whitelist” of devices that you add to it. You simply add the MAC addresses (unique identifying “addresses” on network interface cards) of all the devices you want to allow on your network to the “whitelist”, and nothing else can connect. Unless, someone hijacks the MAC address of one of your devices (trivial), however this DOES add an extra element of complexity to any attacker who wishes to breach your network.

7. Disable SSID Broadcast.
Wireless Access Points are chatty beasts, and quite enjoy telling EVERYONE within range about their existance, who they are, who made them, their signal strength, and what encryption they use.
This is similar (to steal a phrase from SOMEWHERE, I CANNOT REMEMBER WHERE) standing in the street shouting your name, address, date of birth, creditcard number, CVV2, mothers maiden name, PPS Number/SSN and whether or not you are armed. Fucking stupid.
You would not do such a thing (I hope!), so why should your wireless hotspot?
You should change the SSID to something nonstandard and unique, and then disable broadcasting. This means that (in theory) only people who already know its SSID/Name can even consider connecting to it, and everyone else sees “hidden network”.
However, this alone is also useless – it can be broken/circumvented by a skilled attacker. HOWEVER, it adds yet another layer of complexity to the attack, and again, helps us in applying the Defence in Depth principle.

8. Lock Administrative Interfaces.
This one is also quite simple. Log into your router. Think for a moment about how incredibly lame the username/password it uses is. Change them.
This stops malicious intruders from (Easily) reconfiguring your network, which could allow them to launch Pharming attacks on you by reconfiguring your DNS servers. If you lock these down, it may just help in slowing down an attacker or even make them just give up and move on to easier pickings.

9. Routinely Scan your Network.
I do this, and I advise everyone to do this. Download something like Nmap and use it every so often to scan your network for unauthorized devices connected, rogue services that should not be running, and other such nasty things. This can often help you in detecting a breach early and rectifying it, and can also assist you in locating vulnerabilities in your network. I know Microsoft Security Essentials also has an auditing tool, you should also run this, or Nessus, to detect vulnerable devices attached to the network.

10. Change Everything Regularly.
This one is the one most people fail to do: Change their passwords regularly.
In the event of a compromise, you CAN LIMIT THE DAMAGE, if you are routinely changing the passphrases on your gear. I do so every 2 weeks out of habit – every 2 weeks, I simply change ALL the passwords again. It only takes a few minutes. And you know what? It is certainly worth the time for the extra peace of mind – if someone HAD gotten in during those 2 weeks, they are now locked out. Until they get in again. This limits your exposure, and helps frustrate an attacker to the point where they give up. It is also good security policy. Also change the hidden SSID to something new, and check have any new MAC addresses been added to your whitelists. AUDIT THE WHITELISTS. This is one sure fire way of detecting intrusions – spotting the attackers MAC in your “whitelist”. This way you also have evidence of an intrusion and can report it to the authorities, or simply set up something to alert you when they try connect…

Refs/Links:
The Aircrack Project
Reaver WPS Cracker
Eircom WEP Key vulnerability
nmap
Nessus