atechdad make it so

URHACK.COM

Hey all,

As you know from previous posts, I’ve been combing through logs provided by Project Sonar/scans.io for a little while now. The information I was gathering about hacked pages seemed a little large for here so I’ve stood up a custom site : uhack.com. Check it out!

Karma Rogue AccessPoint Offense with badkarma.py

For those that don’t know, karma is a patch that is applied to hostapd which allows the creation of a wifi honeypot. This honeypot listens for probe requests from devices which announce SSIDs used to autojoin preferred wifi hotspots. The honeypot then spoofs this SSID, luring in unsuspecting devices. Once on the network, many nasty methods can be used to attempt to compromise the device itself, or the data which traverses the access point.

Detection:
This attack can be detected simply by creating a nonsense SSID, and attempting to connect.

First, create a nonsense SSID:

atechdad@kali:~# sudo ifconfig wlan1 down
atechdad@kali:~# sudo iwconfig wlan1 essid badkarma
atechdad@kali:~# sudo ifconfig wlan1 up
atechdad@kali:~# sudo iwconfig wlan1

Then see if we joined. You’ll see we did because Access Point has a MAC assigned.

wlan0     IEEE 802.11bg  ESSID:"badkarma"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: F6:B1:14:6D:AB:01   
          Bit Rate=24 Mb/s   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-25 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:8   Missed beacon:0

Here is the view from the attacker’s perspective:

KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Checking SSID for start of association, pass through badkarma
KARMA: Successful association of 00:1e:2a:18:26:60

So now we’re on the network– and we know how to find it.

Defense:
There are a few ways I can think of offhand to defend against this kind of attack.
1. Turn off auto connect.
2. Audit your devices.
3. Add a fake AP with bad network settings to your device. Configure your device to alert on join. 

I wouldn’t recommend #3. Without other controls in place, this could open your device up to the attack we’re trying to avoid.

Here’s how to see what your devices are probing :

atechdad@kali:~# sudo airmon-ng start wlan1
atechdad@kali:~# sudo airodump-ng mon0

You’ll see something like this. Pay attention to the second section:

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 (not associated)   XX:XX:XX:XX:XX:F6  -44    0 - 1      0        1
 (not associated)   00:1E:2A:18:26:60  -59    0 - 1     86       11  badkarma

You’ll notice in the second section a list of client devices. Pay attention to the Probe column

Offense:
badkarma.py is a simple that works by creating a randomized AP, joining it, then deauthenticating all connected guests. It was written to run using kali linux. At minimum, it requires python, wireless-tools, the aircrack-ng suite, and mdk3 be present.

Sample output:

atechdad@kali:~/badkarma# ./badkarma.py -i wlan1
[!] Stopping network-manager..
[!] Starting monitor interface..
[!] Monitor active on interface mon0
[!] ESSID is now robesunconnected
[!] Wireless MAC is now 6c:18:c5:21:29:c3
[!] Bad AP EA:BE:1C:E7:C3:A7 found! Adding to blacklist...
[!] Liberation! Disconnecting between: 6C:18:C5:21:29:C3 and: F6:B1:14:6D:AB:01
[!] Liberation! Disconnecting between: XX:XX:XX:XX:XX:XX and: F6:B1:14:6D:AB:01
[!] ESSID is now distilsfinagling
[!] Wireless MAC is now c6:5c:7d:76:f9:a4
^C[!] Cleaning Up...
[!] Deleting blacklist...
[!] Ending deauth...
[!] Stopping monitor interface mon0
[!] Resetting interface wlan1
[!] Starting network-manager...
[!] Exiting..
atechdad@kali:~/badkarma#

Verification of deauthentication from Attacker’s perspective:

wlan0: mgmt::deauth
wlan0: deauthentication: STA=6c:18:c5:21:29:c3 reason_code=1
wlan0: STA 6c:18:c5:21:29:c3 IEEE 802.11: deauthenticated
wlan0: STA 6c:18:c5:21:29:c3 MLME: MLME-DEAUTHENTICATE.indication(6c:18:c5:21:29:c3, 1)

Getting Script:

atechdad@kali:~# git clone https://github.com/atechdad/badkarma.git

Running:

atechdad@kali:~# cd badkarma/
atechdad@kali:~/badkarma# ./badkarma.py -i wlan0

This should only be run against access points you have permission to attack. I assume no responsibility for its use and offer no support.
The script was just thrown together to meet my needs. If you make improvements, please contribute back.

Research finds 400k Security Camera DVRs with Hardcoded Credentials

I’ve been tinkering with passive research using public scans which are freely available via Project Sonar. I was curious to search and look for any devices which may have username and passwords hardcoded so I decided to search for a few instances where the username and passwords appear hardcoded to admin. I thought that surely there couldn’t be many– so I kicked off the scan…

curl -s https://scans.io/data/rapid7/sonar.http/20141209-http.gz |   zcat |   bin/dap json + select ip data + transform data=base64decode + include data='$(\"password\").value = \"admin\"' + include data='$(\"username\").value = \"admin\"'+ decode_http_reply data + select ip + lines  >> ips.txt

..and waited.  The above command streams the huge scan database and inspects it live so I don’t have to download the entire thing. I know it’s lazy, but the VPS I was running this from only has a 20GB hd.

A few hours passed and the command completed. So I checked the file….
Too many IPs to cat. How many are we talking?

atechdad@server:~$ cat ips.txt | wc -l
467807

Er. Can’t be right. Let’s check one of the records.

Something called NETSurveillance in the title. That’s odd. How many of these are there?

curl -s https://scans.io/data/rapid7/sonar.http/20141209-http.gz |   zcat |   bin/dap json + select ip data + transform data=base64decode + include data='$(\"password\").value = \"admin\"' + include data='$(\"username\").value = \"admin\"'+ decode_http_reply data + select data + lines |grep -i surveillance

Ok. Lots.

So what is this thing?

It seems most of these are security camera / DVRs of assorted brands which source from China. The most common appears to be branded by the identifier, NetSurveillance. An example of one is H.264 8 Cam DVR-9108VH

It appears that a good many of these devices are configured with admin:admin.

I hope that at over 400,000 devices, there are many false positives. Also, why aren’t these things behind a firewall? A cheap consumer router would be better than nothing.

Anyway, so that’s yet another thing you can do with the info from scans.io.

Finding Hacked Pages With Passive Scanning via Project Sonar

Recently, Shodan’s blog featured instructions on finding hacked paged by searching for the phrase “Hacked By”.  Here’s how to do this yourself using the scans provided by Project Sonar. This information can be used for all kinds of passive scans.

sudo apt-get update
sudo apt-get install libgeoip-dev ruby1.9.1-dev git build-essential
git clone https://github.com/rapid7/dap.git
cd dap
sudo gem install bundler
bundle install

This installs the geoIP library in case you’re wanting to do other things with dap.

sudo mkdir -p /var/lib/geoip
cd /var/lib/geoip
sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
sudo gunzip GeoLiteCity.dat.gz
sudo mv GeoLiteCity.dat geoip.dat

This command downloads the scan file which is pretty big and does the searching inline:

curl -s https://scans.io/data/rapid7/sonar.http/20150217-http.gz | zcat | bin/dap json + select data + transform data=base64decode + include data='Hacked By' + decode_http_reply data + lines | grep "Hacked By"

Then you could use some command-line parsing to clean it up even more!.

Happy research!

 

 

 

(ignore this below. This is just me playing and saving my notes…)

curl -s https://scans.io/data/rapid7/sonar.http/20141209-http.gz |   zcat |   bin/dap json + select ip data + transform data=base64decode + include data=’Hacked By’ + decode_http_reply data + lines | stdbuf -o0 grep -iPo ‘(?<=HTTP/1.1 200\s|Hacked By\s)[^\s]*’ | stdbuf -o0 grep OK -A1 | stdbuf -o0 grep -Ev “OK|–” » test.txt

Parsebin – A Powershell Pastebin Parser

By now, most folks have realized that pastebin holds some interesting data. Some of the information you run across can be interesting – if not hilarious. That is, as long is it’s not *your* data.

In 2011, Xavier Garcia put together a python pastebin scraper.

For no real reason I decided to hack together rewrite this in powershell. If this helps you, cool.

Description of required files:

  • ./seen.txt : a list of pasties scraped already. This is created by the script
  • ./regex.txt : the regex expressions used to look for juicy information. This is created by you
  • ./found/ : this is actually a folder you’ll need to create. This is to hold the auto-downloaded pastes found. I’ve commented this out. Use at your own risk!

Script (parsebin.ps1) : I’ve linked to it here. Rename it to .ps1 of course.