ModSecurity „Learning-Mode“

Unfortunately, there is no learning mode for ModSecurity.
However, I had to make sure that a large application with lots of false positives could be run with ModSecurity enabled, so I built something myself.

The result is a Python script that you can find on GitHub.

The script scans the full audit log of ModSecurity (e.g. /var/log/httpd/modsec_audit.log).
It then builds an exception list for all rule matches it finds. I tried to make the script a little bit intelligent: the optional arguments let you set thresholds that control when a general exception is created.

Tip: Try to build automated tests for your application. Then you can run them every time you change the ModSecurity configuration.
Normally you need to run the script several times, because ModSecurity cannot log all "blocking" rules that could possibly match a single request: once a rule blocks the request, the rules after it are never evaluated. So after you have created an exception, another rule may match and block the request, and you need to rerun the script.
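
An added sketch (my code, not the script on GitHub) of the core step: read the serial audit log, collect which rule ids fired on which URIs, and emit a global SecRuleRemoveById once a rule has fired on enough distinct URIs, or a per-URI ctl:ruleRemoveById exception otherwise. The log sample is constructed and trimmed to the H sections that carry the rule messages; the threshold and the starting rule id are arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample of a ModSecurity 2 serial audit log, trimmed to the H/Z
# sections the parser needs. Rule 981176 fired on three URIs, 950901 on one.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules.conf"] [line "42"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [uri "/app/search"]
Message: Warning. Pattern match "select" at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "10"] [id "950901"] [msg "SQL Injection Attack"] [uri "/app/search"]
--a1b2c3d4-Z--
--b2c3d4e5-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules.conf"] [line "42"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [uri "/app/report"]
--b2c3d4e5-Z--
--c3d4e5f6-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules.conf"] [line "42"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [uri "/app/export"]
--c3d4e5f6-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")   # section markers
MATCH = re.compile(r'\[id "(\d+)"\].*?\[uri "([^"]*)"\]')  # rule id and URI in a message


def parse_audit_log(text):
    """Yield (rule_id, uri) for every rule message in every H section."""
    section = None
    for line in text.splitlines():
        boundary = BOUNDARY.match(line)
        if boundary:
            section = boundary.group(2)
            continue
        if section == "H" and line.startswith("Message:"):
            hit = MATCH.search(line)
            if hit:
                yield hit.group(1), hit.group(2)


def build_exceptions(text, general_threshold=3, start_id=90000):
    """Rules seen on >= general_threshold distinct URIs are removed globally;
    all others are removed only for the URIs they fired on (per-URI pass rule)."""
    uris_by_rule = defaultdict(set)
    for rule_id, uri in parse_audit_log(text):
        uris_by_rule[rule_id].add(uri)
    directives, next_id = [], start_id
    for rule_id in sorted(uris_by_rule, key=int):
        uris = uris_by_rule[rule_id]
        if len(uris) >= general_threshold:
            directives.append(f"SecRuleRemoveById {rule_id}")
            continue
        for uri in sorted(uris):
            directives.append(
                f'SecRule REQUEST_URI "@beginsWith {uri}" '
                f'"id:{next_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"'
            )
            next_id += 1
    return directives
```

Call build_exceptions(SAMPLE_AUDIT_LOG) to see one per-URI exception for 950901 and a global removal for 981176; raise general_threshold to 4 and 981176 gets three per-URI exceptions instead.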

Advanced DNS monitor for WhatsUp Gold

WhatsUp Gold has an integrated DNS monitor. Unfortunately it only checks whether the DNS port on a server accepts connections. You cannot be sure that the DNS server loaded its zone files correctly: in that case the server has an open port but might respond with SERVFAIL.

Here is how you can create a real query against a DNS server.

First install the current version of Wireshark.

Now start capturing on your NIC with a "dns" filter.

We need to query the DNS server. WhatsUp Gold does not support a custom UDP monitor, so we need to switch to TCP. The query looks like this:

nslookup "-set vc" www.google.com

In your Wireshark window search for the right packet:

Right-click on the query packet -> Follow TCP Stream -> switch to the "C Arrays" view.

Copy both request C arrays.

In my example it looks like this:

0x00, 0x20
0x00, 0x14, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x03, 0x77, 0x77, 0x77,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01

In Notepad we can reformat the query in a way WhatsUp Gold understands:

Replace "0x" with "\x"
Replace ", " with "" (nothing)

The string should then look something like this:

\x00\x20\x00\x14\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03\x77\x77\x77\x06\x67\x6f\x6f\x67\x6c\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01

This is the string you can copy to your new custom monitor:

The last thing to do is getting the correct response string. Reopen your Wireshark dump and search for the response packet.

The last four entries are the hexadecimal representation of the IP address returned in the answer.

0xad, 0xc2, 0x28, 0x53

Copy those entries to your monitor.
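
An added example (not from the original post) that builds the same TCP query bytes programmatically, so the \xNN monitor string can be regenerated for any host name, and parses the reply to tell a SERVFAIL from a real answer; the response builder is a constructed stand-in for the Wireshark capture.

```python
import struct

def encode_name(name):
    """Encode a host name as DNS labels: www.google.com -> 3www6google3com0."""
    out = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return out + b"\x00"

def build_tcp_query(name, txid=0x0014, qtype=1, qclass=1):
    """DNS query as carried over TCP: 2-byte length prefix, header, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    message = header + encode_name(name) + struct.pack("!HH", qtype, qclass)
    return struct.pack("!H", len(message)) + message

def to_monitor_string(data):
    """Render bytes as the \\xNN string pasted into the custom monitor."""
    return "".join(f"\\x{b:02x}" for b in data)

def skip_name(msg, offset):
    """Return the offset just past a name, honouring 0xC0 compression pointers."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # pointer: two bytes, terminates the name
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length

def parse_tcp_response(data):
    """Return (rcode, [IPv4 answers]) from a length-prefixed TCP DNS reply."""
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F          # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record: the four bytes shown above
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs

def build_tcp_response(name, flags, answer_ip=None, txid=0x0014):
    """Constructed reply for testing: header, echoed question, optional A record."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if answer_ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name pointer to offset 12
        msg += bytes(int(octet) for octet in answer_ip.split("."))
    return struct.pack("!H", len(msg)) + msg

def check_response(data, expected_ip):
    """Monitor verdict: reply must be NOERROR and contain the expected address."""
    rcode, addrs = parse_tcp_response(data)
    return rcode == 0 and expected_ip in addrs
```

to_monitor_string(build_tcp_query("www.google.com")) reproduces the string pasted above byte for byte, and the four trailing bytes 0xad 0xc2 0x28 0x53 decode to 173.194.40.83.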

Installing GoogleTest on Ubuntu with QT Creator IDE

Recently I tried to integrate GoogleTest for C++ into my Qt Creator installation. Unfortunately there was no tutorial, so I spent too much time getting it working.

Here is how you do it:

First install Ubuntu (I use 14.10).
From the Software Center install the Qt Creator IDE.

Now we can get started:

wget http://googletest.googlecode.com/files/gtest-1.7.0.zip
unzip gtest-1.7.0.zip
cd gtest-1.7.0
./configure
make

sudo cp -a include/gtest /usr/include
sudo cp -a lib/.libs/* /usr/lib/

Now the GoogleTest framework is installed.

Creating our first project

I called my project factorial.
Now create the following source files:

factorial.cpp
#include "factorial.h"

// Returns n! for n >= 1; for n <= 0 the loop never runs and 1 is returned.
int factorial(int n) {
    int result = 1;
    for (int i = 1; i <= n; i++) {
        result *= i;
    }
    return result;
}

gtest_main.cpp
#include <stdio.h>
#include "gtest/gtest.h"

GTEST_API_ int main(int argc, char **argv) {
    printf("Running main() from gtest_main.cc\n");
    testing::InitGoogleTest(&argc, argv);
    return RUN_ALL_TESTS();
}

test_factorial.cpp
#include "gtest/gtest.h"
#include "factorial.h"

// Negative input: the loop never runs, so factorial() returns 1.
TEST(IntegerFunctionTest, negative) {
    EXPECT_EQ(1, factorial(-5));
    EXPECT_EQ(1, factorial(-1));
    EXPECT_GT(factorial(-10), 0);
}

// A DISABLED_ prefix keeps the test compiled but skipped at run time.
TEST(IntegerFunctionTest, DISABLED_zero) {
    EXPECT_EQ(1, factorial(0));
}

TEST(IntegerFunctionTest, positive) {
    EXPECT_EQ(1, factorial(1));
    EXPECT_EQ(2, factorial(2));
    EXPECT_EQ(6, factorial(3));
    EXPECT_EQ(40320, factorial(8));
}

factorial.h
#ifndef FACTORIAL_H_
#define FACTORIAL_H_
int factorial(int n);
#endif /* FACTORIAL_H_ */

The project structure now looks like this:

Now open Factorial.pro and add the following line:
LIBS += -lpthread -lgtest -pthread

Now it should work.

Security of mRemoteNG

For the quick reader: it is terribly broken.

From their website: mRemoteNG is a fork of mRemote, an open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote.

A work colleague proposed using this software in our production environment.
I saw the email with the proposal late in the evening. Nevertheless I decided to take a look at its security.

Without installing the software I took a look at the GitHub repository.
Because I did not want to spend too much time, I only went for the low-hanging fruit.

I searched the code for sha1 and sha2, aes and so on.
Finally (because I did not expect this) I searched for the term md5, and surprisingly there was a result.

The class mRemoteNG/mRemoteV1/Security/Security.Crypt.vb seems to do all the crypto.

Without going deeper into the code, I decided to file a bug report.
Unfortunately the reaction was not what I expected:

————————————————

Hi,

Thanks for your work for mRemoteNG.
I think this program helps a lot!

We considered using this software for our business IT.
For that we need to store passwords and stuff...

I quickly took a look at the crypto you are using for mRemoteNG.
After a quick glance I realized that the underlying crypto looks extremely fishy.
To be honest I think it is completely broken.
I'm talking about this class:
mRemoteNG/mRemoteV1/Security/Security.Crypt.vb

I think you should take a look at how to implement the "Crypto Stream" library from .Net
Microsoft provides a correct example:
http://msdn.microsoft.com/de-de/library/system.security.cryptography.cryptostream.aspx
I also think that you should recode your key generation "algorithm".

This part:
---
Dim md5 As New MD5CryptoServiceProvider
Dim key() As Byte = md5.ComputeHash(Encoding.UTF8.GetBytes(StrSecret))
md5.Clear()
rd.Key = key
---

Is flawed.
MD5 should not be used anymore. It is broken.
See: http://en.wikipedia.org/wiki/MD5

I hesitate to give any advice on how to fix this.
I'm not an expert on how to implement secure encryption functions (I guess only few people can say that for themselves).

Maybe someone can help.

Just some hint: "RijndaelManaged" seems to use AES CBC mode by default.
This requires us to have a pseudo-random IV for each encrypted message. The IV then must be stored with the encrypted data (the IV itself is not encrypted).
If this requirement is not addressed we do not have uniform randomness over different encrypted strings. This is a problem.

http://en.wikipedia.org/wiki/Initialization_vector

At the moment this function does not provide any security.

Kind regards

————————————————

The response:

————————————————

Thank you for your message and for researching the security of mRemoteNG.
I believe you are mistaken though.

mRemoteNG only uses MD5 to create a 128-bit key from the password.

Due to the collision vulnerabilities of MD5, it is more likely that passwords other than the original password could be found that would generate the same hash. This is a huge search space though because the alternate passwords might use any characters (0-255) and be any length. Since a human is probably typing the original password, it likely only uses letters, numbers, and symbols, and is fairly short (<20 characters). Because of this, it is much more likely that an attacker using brute force would find the original password before they found any alternate passwords that would also work. I don't see this as a problem.

Were I to rewrite this code without any backwards compatibility requirements, I wouldn't use MD5. But because of the way it is being used, I believe it is still very secure.

The issue with rainbow tables affects all unsalted hash algorithms. However, since mRemoteNG never saves the MD5 hash anywhere, it can't be looked up in a rainbow table or on Google. The only way to get the MD5 hash would be to read it from memory in the moments between when it is generated and when it is cleared on the next line. If an attacker can read the memory of the mRemoteNG process, they can already see your passwords so it doesn't matter.

As for your concerns about RijndaelManaged, mRemoteNG already does exactly what you suggest. Here on line 21, a new IV is generated whenever a connection file is encrypted:

https://github.com/rmcardle/mRemoteNG/blob/develop/mRemoteV1/Security/Security.Crypt.vb#L21

And here on line 26, that generated IV is stored with the encrypted data:

https://github.com/rmcardle/mRemoteNG/blob/develop/mRemoteV1/Security/Security.Crypt.vb#L26

————————————————

I was still convinced that something was wrong. I responded:

————————————————

Thanks for the quick response!

I don't think that we should discuss the probability of an attack. I believe that both of us are at best capable of making an educated guess about what the implications of this function are.
However, I consider it not fair to the users of mRemoteNG (who are even less able to weigh up what is secure and what is not) to rely on our guesses.

Backward compatibility is surely a fair point. Why don't you just add another field in the options. Something like this:

( ) Encrypt Config file (Legacy mode to keep compatibility to older version)
( ) Encrypt Config file (Better security but breaks compatibility to older versions)

I think this is a valid trade off between security and compatibility.

A secure key derivation function is already implemented in the .Net framework:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.passwordderivebytes(v=vs.110).aspx

Regarding the implementation of the "Crypto Stream" library from .Net:

I took more time to take a look on the diffs of your implementation and the reference implementation.

Dim encryptor As ICryptoTransform = rijAlg.CreateEncryptor(rijAlg.Key, rijAlg.IV) <- You don't use this. You save the IV by yourself.

I cannot say if this breaks encryption in any way (probably not). I just see no technical need to deviate from the reference implementation.

Kind regards

------------------------------------------------
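
The key-derivation point raised in the exchange above, as an added example (my code, not mRemoteNG's): the quoted MD5 derivation beside a salted, iterated PBKDF2 derivation, plus a versioned container so a "legacy" and a "better security" mode could coexist as proposed in the second mail. The container layouts are assumptions made for this example, not mRemoteNG's file format, and the cipher step itself is left out.

```python
import hashlib
import os
import time

LEGACY, PBKDF2 = 0, 1   # version byte at the start of a container (constructed layout)

def legacy_key(secret):
    """Derivation as quoted in the exchange: one unsalted MD5 of the UTF-8 password."""
    return hashlib.md5(secret.encode("utf-8")).digest()   # 16 bytes, identical for every user of that password

def pbkdf2_key(secret, salt, iterations=100_000, length=16):
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256), the direction PasswordDeriveBytes points to."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations, length)

def wrap(secret, iv, ciphertext, iterations=100_000):
    """New-mode container: version | iterations (4 bytes) | salt (16) | iv (16) | ciphertext.
    Returns the key to encrypt with and the blob to store; the IV travels with the data."""
    salt = os.urandom(16)
    blob = bytes([PBKDF2]) + iterations.to_bytes(4, "big") + salt + iv + ciphertext
    return pbkdf2_key(secret, salt, iterations), blob

def unwrap(secret, blob):
    """Re-derive the key from what the container says; version 0 keeps the MD5 path."""
    if blob[0] == LEGACY:            # assumed legacy layout: version | iv (16) | ciphertext
        return legacy_key(secret), blob[1:17], blob[17:]
    iterations = int.from_bytes(blob[1:5], "big")
    salt, iv, ciphertext = blob[5:21], blob[21:37], blob[37:]
    return pbkdf2_key(secret, salt, iterations), iv, ciphertext

def cost_ratio(secret="correct horse", iterations=100_000):
    """How many MD5 derivations fit into one PBKDF2 derivation: the factor by which the
    iterations slow down offline guessing against a stolen file (a fixed secret is not helped)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    pbkdf2_key(secret, salt, iterations)
    t_pbkdf2 = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(1000):
        legacy_key(secret)
    t_legacy = (time.perf_counter() - t0) / 1000
    return t_pbkdf2 / t_legacy
```

Two calls to wrap() with the same password yield different keys because each container carries its own salt, while legacy_key() always yields the same 16 bytes.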

The first email made me somewhat sad, and I started to get curious.

I googled for "mRemoteNG security" and noticed a blog entry from 2011 about the old version, mRemote:

http://cosine-security.blogspot.ch/2011/06/stealing-password-from-mremote.html

This blogger found that the developers were using a fixed string to encrypt the configuration/password file!!!
He also filed a bug report.

With serious misgivings I searched the git repository again. The "secret" string is still in the source code.

As a final step I checked whether the Metasploit module still works.
It does 😐

I think this needs no further explanation. Don't ever use this "software" to store any of your credentials.

Securing SSH

You might have heard that the German newspaper "Der Spiegel" has released new documents from the Snowden NSA leaks. It looks like the NSA/GCHQ are trying to break the SSH protocol.

Some people took the time to reconsider which algorithms are used in the default configuration of the OpenSSH package. They think those defaults are not strong enough to withstand the capabilities of the infamous NSA/GCHQ.
You can find their suggestions here:

https://stribika.github.io/2015/01/04/secure-secure-shell.html

Personally I think it makes sense to "upgrade" your SSH connection security.
I did not want to do the required steps manually, because I would likely forget something important.
Therefore I created a shell script that does the job on all Debian-based systems (I tested 7.5 and 7.9).

You can find the script here.

My (Windows PuTTY) handshake now seems to use stronger encryption algorithms.
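
An added check (my code, not the script from this post or the linked page): it parses an sshd_config and flags what the linked post argues against: SSH protocol 1, DSA and ECDSA host keys, SHA-1 or NIST-curve key exchange, CBC, arcfour and 3DES ciphers, MD5, SHA-1 and truncated MACs, and the case where Ciphers, MACs or KexAlgorithms are not set at all so the server default applies. The patterns and the hardened sample are my reading of the post; verify them against it. Both configs are constructed.

```python
import re

# Names the linked post advises against, as regexes per keyword (assumption:
# my reading of the post; check it before relying on this list).
WEAK_PATTERNS = {
    "KexAlgorithms": [r"-sha1$", r"ecdh-sha2-nistp"],
    "Ciphers": [r"arcfour", r"-cbc$", r"3des", r"blowfish", r"cast128"],
    "MACs": [r"hmac-md5", r"hmac-sha1", r"umac-64", r"-96$"],
}
REQUIRED = ("KexAlgorithms", "Ciphers", "MACs")   # unset means "server default list"

# Constructed samples: a stock-looking config and a hardened one.
WEAK_CONFIG = """\
Protocol 2,1
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Ciphers aes128-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1,hmac-md5
"""
HARDENED_CONFIG = """\
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
"""

def parse_sshd_config(text):
    """Map keyword -> list of values (HostKey may repeat). Comments and blanks are
    skipped; the 'Key=value' spelling sshd also accepts is not handled here."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_sshd_config(text)
    findings = []
    if "1" in conf.get("Protocol", ["2"])[0].split(","):
        findings.append("Protocol 1 enabled")
    for key in REQUIRED:
        if key not in conf:
            findings.append(f"{key} not set, server default list applies")
            continue
        for algo in conf[key][0].split(","):
            if any(re.search(p, algo) for p in WEAK_PATTERNS[key]):
                findings.append(f"{key}: {algo}")
    for path in conf.get("HostKey", []):
        if re.search(r"_(dsa|ecdsa)_key", path):
            findings.append(f"HostKey: {path}")
    return findings
```

Run audit() on the real /etc/ssh/sshd_config before and after the hardening script to see what changed; an empty result for the hardened sample is the expected outcome.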

MS SQL query performance monitor

WhatsUp Gold is a network monitoring tool that provides many options for monitoring a network. Its comprehensive library of pre-defined monitors helps network administrators make almost every piece of data visible, to catch performance issues or failures of computer systems.
The web reporting engine then gives us several diagrams to illustrate the captured data.

Here is a link to the website of Ipswitch’s WhatsUp Gold

Recently I had to monitor a Microsoft SQL Server. The goal was to run a query against the server and measure the time it needs to complete.
I tried to use the WhatsUp Gold SQL Performance Monitor. Unfortunately this monitor is meant to return a numeric value from the query, not the time the query needs to run. So I had to find another solution.

WhatsUp Gold has a scripting facility. I created the following script, which uses Microsoft VBScript to return the query time. You can download the script

Luckily the script works and I can monitor the query performance of my SQL Server.

FinFisher Leaks: Hacker reveals how he broke their defense

Gamma sells "governmental trojan software systems". The alleged hacker behind the recent revelations explains the methods by which he/she got into FinFisher's network and published a multi-gigabyte archive of their data.
This article is a stark contrast to what "other" hackers usually do: they keep their methods secret.

The link is from Reddit’s Netsec group:

http://data.langly.fr/blackhat

He claims that his procedures were rather unsophisticated and that FinFisher was an "easy" target.

For us sysadmins and people responsible for data security it is an interesting insight. I think understanding the attacker's approach helps a lot in securing networks.

Enjoy reading!

Targeted Phishing Attacks

Targeted phishing attack. If you think about it, the first thing that comes to mind is:

That does not affect me or our employees!

I think that would have been the answer of my colleagues at work before we sent them a phishing mail 🙂

This is the story:
I had the chance, and the permission of my boss, to find out how many of our colleagues would enter their credentials into a phishing site that looks exactly like Outlook OWA 2010.

Preparation

The first thing you need for a phishing attack is a domain that looks almost like the "real" domain the company you want to attack is using. For example, if you want to attack testmachine.com, buy testmchine.com.
People tend to overlook it; they usually do not read every word letter by letter.

After that, rent a vserver with root shell access. This system will host your crafted website and send out the fake emails.
You can rent a vserver cheaply almost anywhere, for example on Amazon's AWS.

Now configure the DNS of your fake domain to point to your vserver. For convenience I did not set up a BIND server; I used a free DNS service called freedns.afraid.org.

Configuration

The first step is to set up the fake OWA login. For this purpose I copied the web folder from our Exchange server and uploaded it to my vserver. It will look exactly like the real OWA.
Note that I needed to change the .aspx files to .html, because I used Linux.

After that I needed to change the logon page so that the "HTTP POST" action creates an email containing the username of the trapped user.

I changed the form line to:

<form action="action.php" method="POST" name="logonForm" ENCTYPE="application/x-www-form-urlencoded" autocomplete="off">

Because we don't want to hack our users for real, I made the password field useless (it has no name attribute, so its value is never submitted). Now no unencrypted credentials leave the network:

<input type="password" class="txt" onfocus="g_fFcs=0">

Now set up the PHP POST script. You can find mine here.

Next we need a page that tells the user that his account was migrated. I used the OWA template again:

Last but not least: Configure your host to send email externally: https://stackoverflow.com/questions/18288007/php-send-mail-from-localhost

Now that the technical preparations are finished, we move on to the crafted email. This step is extremely important: we don't want our users to smell a rat 🙂

My email (it is in German) says something like: "Hey, we upgraded OWA Web Access, but to finish the migration you need to log in." It looks like this:

Note that I used the real OWA address for the link text but the fake one for the link target.

Now copy the (HTML) mail to your vserver; it will be sent by the PHP script.

The last step is to create a script that sends our crafted email to our victims. You can find an example here.

Please note that you need to change the victim's address every time you send the email. This could be optimized so that you can use a list of recipients.

Result

After I sent the mail to all of my colleagues, we received the usernames of all users who had fallen into the trap. In our test we gained around 50% of the credentials before one user noticed it was an attack.

Because we want to help our users avoid being trapped by attacks like these, we sent an informative mail to help them recognize phishing mails.
There is one simple rule: do not provide sensitive data to a website when you received the URL by email.

If you think the result would be different at your company, just try it 😉
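
A defender-side counterpart, added here and not part of the original post: the two tricks the exercise relied on, a domain one letter off the real one and link text that shows the real address while the target points elsewhere, are both mechanical to detect in an incoming HTML mail. The domain and the mail body are constructed around the page's testmachine.com example; registrable() takes the last two labels, which is a simplification.

```python
import re
from urllib.parse import urlparse

COMPANY_DOMAIN = "testmachine.com"   # the page's example domain; constructed
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)

# Constructed mail body in the style of the migration mail described above.
SAMPLE_MAIL = """\
<p>We upgraded OWA Web Access. To finish the migration please log in:</p>
<a href="https://owa.testmchine.com/owa/">https://owa.testmachine.com/owa/</a>
<p>Questions? See <a href="https://intranet.testmachine.com/help">the help page</a>.</p>
"""

def levenshtein(a, b):
    """Edit distance; one dropped letter (testmchine vs testmachine) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels, e.g. owa.testmchine.com -> testmchine.com (simplification)."""
    return ".".join(host.lower().split(".")[-2:])

def analyse_links(html, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Flag links whose visible host differs from the real target, and targets
    that are only a few edits away from the company domain."""
    findings = []
    for href, text in LINK_RE.findall(html):
        target = registrable(urlparse(href).hostname or "")
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(0)) != target:
            findings.append(("text/target mismatch", shown.group(0), target))
        distance = levenshtein(target, company_domain)
        if 0 < distance <= max_distance:
            findings.append(("lookalike domain", target, distance))
    return findings
```

analyse_links(SAMPLE_MAIL) reports both tricks for the first link and nothing for the intranet link, which is what a mail gateway rule or a user-facing warning could be built on.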

Ipswitch WhatsUp Gold – Configure SMS alert with Hyper-V

Ipswitch WhatsUp Gold supports a wide variety of alerting methods. However, most admins are happy using email alerts only. But what happens if the internet line goes down or a critical system fails over the weekend? In this case an SMS alert would be great, and Ipswitch does support that with a built-in alert method.
In modern environments WhatsUp Gold mostly runs on a hypervisor platform. Unfortunately Microsoft Hyper-V does not support USB pass-through out of the box, so we need a workaround. Here is one solution for that issue:

Hardware:

Basically it does not matter what kind of SMS modem hardware you use. It just needs two features: a COM port interface and support for AT commands.

In this example I use a D-Link DWM-156.

Getting the modem running is very simple. Just insert a SIM card and plug the stick into your physical server. Afterwards you need to upgrade the firmware (otherwise it did not work in my case).
Rename the exe that starts the utility automatically once a user logs in and blocks the COM interface:

C:\Program Files (x86)\D-Link Connection Manager\UImain.exe -> UImain.exe_old

Software:

I found a very handy (free) utility to send SMS commands to my modem. You can find it here.

There is no installation process. I just extracted the files to C:\Program Files (x86)\SendSMS_v1.45_net40\

Now you can test your modem from the command line:

"C:\Program Files (x86)\SendSMS_v1.45_net40\SendSMS.exe" /port:com3 "I love butter cookies!"

If it works you can carry on; if not, check whether the COM port is correct.

Configuration:

Running remote scripts on WhatsUp Gold is not very easy and you need some tweaks to get it running. Furthermore, you don't have the same capabilities as with the built-in SMS alert function, but for most cases it will be enough.
I have created the following script to connect to the Hyper-V server. You can find it here.

Please note the changes you need to make; they are documented inline in the script.

Afterwards you can copy the script for every alert you need. It takes the name of the active script alert and sends it as a text message to the numbers specified in the script.