Friday, March 1, 2019

LPI Linux Essentials

Linux is almost everywhere: thanks to its open source nature it is found in IoT devices, Android smartphones, home routers, etc. Cisco has adopted the Linux kernel in IOS-XE and Firepower (based on Red Hat) in recent years.

admin@FMCv-LAB:~$ cat /etc/redhat-release
Fire Linux OS 6.2.3-13

Linux is also a must-have skill for a cybersecurity professional, since specialized Linux distributions (such as Kali Linux) are used for penetration testing, vulnerability assessment and forensic analysis.
My first step to gain fundamental Linux skills was to study for and take the LPI Linux Essentials (LE) exam (010-150). There are a lot of study guides on the LPI website. To get hands-on experience, I deployed an Ubuntu VM in my lab and watched the Linux Essentials CBT Nuggets videos by Sean Powers.

This link provides the exam (010) objectives. There are currently two versions (as of this writing): the current version 1.6 (010-160) and version 1.5 (010-150). There's only a slight difference between versions 1.5 and 1.6; 1.6 adds topics such as other popular Linux OSes, cloud computing and Linux text editors.

I recently took the 010-150 exam (available until July 1, 2019) since a lot of study materials refer to it and, according to the FAQ, you'll still be equally certified. The Linux Essentials is a LIFETIME cert (it never expires) and it only costs around $110 USD. According to LPI support, they only send a hard-copy cert for passing LPIC-1 and above, so you'll have to download and print the LE PDF cert yourself.

You'll need a couple of things in order to get started. One of them is to register and obtain an LPI ID in the portal.


Once you get an LPI ID, you'll need to register in Pearson VUE and schedule the LPI exam.


This is where you input the LPI ID.



The Linux Essentials exam has 40 questions and you're only given 60 minutes to finish. The passing score is 500 (out of 800). After passing the exam, you can verify and download the PDF cert from the LPI portal the next business day.



Here's what the LPI Linux Essentials cert looks like.

Friday, February 8, 2019

Rainbow Table Attack Using RainbowCrack

Password cracking or rainbow table attacks work by taking a password hash and recovering its plaintext original. In this case, the attacker needs tools such as extractors for hash guessing, rainbow tables for looking up plaintext passwords, and password sniffers to extract authentication information. The concept of rainbow tables is that the attacker precomputes possible passwords and their hashes for a given hash algorithm and puts the results into a lookup table called a “rainbow table.” This works because unsalted hashes such as LM and NTLM always produce the same hash for the same password, so an attacker can simply obtain a hash from the victim system and search for that hash in the rainbow table to get the plaintext password. To mitigate rainbow table attacks, you can disable LM hashes and use long and complex passwords.


In order to simulate a Rainbow Table Attack you'll need three applications:

1) Rainbow Table Generator (Winrtgen)

2) Windows Password Dump (pwdump7)

3) Rainbow Table Cracker (RainbowCrack)


Winrtgen comes with the Cain & Abel installation. Open Winrtgen > Add Table.


Under Hash > choose ntlm.

In order to save time generating the Rainbow Table, change Min Len and Max Len to 3 > select Charset (loweralpha in this case) > change Chain Count to 40000.




Click Benchmark.

Notice the Rainbow Table file size is 625 KB and the total precomputation time (for all possible combinations of the Charset) is around 34 seconds.


Click OK to start generating the Rainbow Table.




I created a new user account (john) in Windows 7 under Control Panel > User Accounts and Family Safety > Add or remove user accounts.


Click Create a new account.


Type the new account name > select Administrator > Create Account.


Click the new user account (john) > Create a password.


Type and re-type password to confirm password > Change password.

I simply used the password of xyz in this case.


Open a command prompt and run pwdump7.exe; it will dump (display) the Windows user accounts and their password hashes.


You can also redirect the output to a file: pwdump7.exe > FILENAME.pwdump



Load the dumped password hashes and the precomputed Rainbow Table in RainbowCrack.

To open the pwdump file, click File > Load NTLM Hashes from PWDUMP file.



Next, load the Rainbow Table: go to Rainbow Table > Search Rainbow Tables.


Once the Rainbow Table is loaded, RainbowCrack will start cracking the hashed passwords by looking them up in the table.

Notice it displayed the plaintext password xyz for the username john.

So it's best practice to enforce a complex password policy: at least 8 characters long, using a mix of lowercase and uppercase letters, numbers and special characters.
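To make the lookup concrete, here is an added example (my own code, not part of the original post and not code from Winrtgen or RainbowCrack) that builds a miniature NTLM rainbow table for the same loweralpha, length-3 password space used above and then looks hashes up in it. The MD4 routine is pure Python because NTLM is an unsalted MD4 over the UTF-16LE password; the chain count and chain length are assumed values far smaller than Winrtgen's, so the table only covers part of the 17,576-password space.

```python
import struct
_rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF  # 32-bit rotate left

def md4(data):  # pure-Python MD4 (RFC 1320); NTLM is MD4 over the UTF-16LE password, no salt
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x, (aa, bb, cc, dd) = struct.unpack("<16I", msg[off:off + 64]), (a, b, c, d)
        for i in range(48):  # three rounds of 16 steps; registers rotate after every step
            if i < 16:   f, k, s, kc = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32: f, k, s, kc = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i % 16 // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:        f, k, s, kc = b ^ c ^ d, int(f"{i % 16:04b}"[::-1], 2), (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rol((a + f + x[k] + kc) & 0xFFFFFFFF, s), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

CHARSET, PW_LEN = "abcdefghijklmnopqrstuvwxyz", 3  # Winrtgen "loweralpha", Min Len = Max Len = 3 as in the post
CHAINS, CHAIN_LEN = 1000, 16                       # assumed tiny table: 16,000 hash operations, built in seconds
SPACE = len(CHARSET) ** PW_LEN                     # 17,576 candidate passwords

def ntlm(password):
    return md4(password.encode("utf-16-le"))

def index_to_pw(n):  # n in [0, SPACE) -> password, least significant character first
    return "".join(CHARSET[n // len(CHARSET) ** i % len(CHARSET)] for i in range(PW_LEN))

def reduce_(h, col):  # reduction: hash -> password space; depends on the column so chains merge less
    return index_to_pw((int.from_bytes(h[:8], "little") + col) % SPACE)

def build_table():  # stores only chain end -> chain start; everything in between is recomputed on lookup
    table = {}
    for start in range(CHAINS):
        pw = start_pw = index_to_pw(start)
        for col in range(CHAIN_LEN):
            pw = reduce_(ntlm(pw), col)
        table.setdefault(pw, start_pw)  # a later chain that merges into an earlier one is discarded
    return table

def lookup(table, h):  # assume h sits at column col, regenerate that chain's end and look it up
    for col in range(CHAIN_LEN):
        cand = reduce_(h, col)
        for c in range(col + 1, CHAIN_LEN):
            cand = reduce_(ntlm(cand), c)
        if cand in table:  # candidate chain (may be a false alarm): walk it from the start and verify
            pw = table[cand]
            for c in range(CHAIN_LEN):
                if ntlm(pw) == h:
                    return pw
                pw = reduce_(ntlm(pw), c)
    return None  # not covered: outside the charset/length, or lost to a merged chain
```

Build with table = build_table() and try lookup(table, ntlm("xyz")): with this small table it returns "xyz" or None depending on coverage, which is exactly the chain-count/table-size trade-off Winrtgen's benchmark shows, while a password outside the charset such as Xyz9! can never be returned by any loweralpha table.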


Saturday, January 12, 2019

DHCP Starvation Attack and MAC Address Spoofing

It was a rainy holiday but I still enjoyed my stay in the Philippines last December 2018. My family visited the Mind Museum in BGC Taguig, which was just a few minutes away from the F1 Hotel where we stayed.


I have always longed for the fresh air and cool climate in Tagaytay, so we went there after celebrating the New Year. Our first stop was Paradizoo, a mini zoo where you can interact with and feed various farm animals. They also have other attractions such as the butterfly garden and a honeybee farm.


We had a Filipino lunch at Balay Dako, which has a spectacular view of Taal Lake and Volcano.


This helpful link describes the anatomy of a DHCP server spoofing attack. I also used a Layer 2 attack tool called Yersinia, which is included in the Kali Linux distribution.

In my cybersecurity lab, the Cisco ASA5506-X acts as the DHCP server for the wired inside hosts on the 192.168.1.0/24 subnet and for the wifi hosts on the 192.168.10.0/24 subnet.

Both DHCP ranges have a maximum of 42 IP addresses that can be leased out:
  • 192.168.1.10 - 192.168.1.50
  • 192.168.10.10 - 192.168.10.50

The ASA firewall/DHCP server currently displays only 1 host with the assigned IP address 192.168.10.43 (my iPhone).


root@kali:~# yersinia --help
    Û²ÛÛ²²Û                                                                    
   ²Û°°°²²Û²²                                                                  
 Û²²²°ÛÛÛ°²Û²²                                                                 
²²°²°Û±²±Û²°°²²²Û                                                              
°²°°Û±²±²²±Û²²°²²Û                                                             
²°²°Û±²±±²²±Û°°²°²²               Yersinia...                                  
²²°°²Û²²±²²±²±Û°²ÛÛ²²²                                                         
Û²²²°Û±²²²±±²²±ÛÛ°²°ÛÛ²²²         The Black Death for nowadays networks        
 ²²²°²ÛÛ±²²²²²²²²±Û°°²²°²²                                                     
 ²ÛÛ°°²°Û±²²±±±²²²²²±Û°²²Û²²             by Slay & tomac                       
  Û²²Û²°°Û±²²²±±²²²²²²±Û²°°²²Û                                                 
     ²²Û²°Û±±²²±±±±±±²²²±Û°²°²Û        http://www.yersinia.net                 
      Û²°²²ÛÛ±±±²²±±±±²²²ÛÛÛ²Û²            yersinia@yersinia.net               
       Û²²°°²ÛÛ±±±²²²±²²²ÛÛ²°ÛÛ                                                
         ²Û²°²²°Û±±±²²²²±Û²°Û²²                                                
         ²Û²²Û°²°ÛÛÛÛÛ±ÛÛ°²²²²     Prune your MSTP, RSTP, STP trees!!!!        
             ²²Û°°²²²°°²°°Û²²                                                  

Usage: yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [protocol_options]
       -V   Program version.
       -h   This help screen.
       -G   Graphical mode (GTK).
       -I   Interactive mode (ncurses).
       -D   Daemon mode.
       -d   Debug.
       -l logfile   Select logfile.
       -c conffile  Select config file.
  protocol   One of the following: cdp, dhcp, dot1q, dot1x, dtp, hsrp, isl, mpls, stp, vtp.

Try 'yersinia protocol -h' to see protocol_options help

Please, see the man page for a full list of options and many examples.
Send your bugs & suggestions to the Yersinia developers <yersinia@yersinia.net>

MOTD: The world is waiting for... M-A-T-E-O!!!


root@kali:~# yersinia -G      // LAUNCH GUI

A pop-up message is displayed. Just click OK.

To launch a DHCP Starvation (DoS) Attack, go to DHCP tab > Launch attack (gear icon) > choose sending DISCOVER packet > OK.



The DHCP table filled up (42 Active Leases) in less than a minute.


To stop the DHCP Starvation attack, click List attacks > Stop.
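As an added, defender-side example (my own code, not from the post or from Yersinia), here is a small detector for the symptom of this attack in DHCP server logs: many distinct client MACs sending DISCOVER on one interface within a short window, measured against the 42-address pool above. The log format, the MACs and the timestamps are constructed for the example and are not real ASA syslog.

```python
from collections import deque
from datetime import datetime, timedelta

POOL_SIZE = 42                  # each ASA scope on this page can lease at most 42 addresses
WINDOW = timedelta(seconds=10)  # look back this far when counting requesting clients
ALERT_FRACTION = 0.5            # alert once distinct requesting MACs in the window exceed half the pool

def constructed_log():
    """Constructed, syslog-style DHCP server lines (not real ASA output): time interface client-MAC message."""
    lines = ["2019-01-12T10:00:01 wifi 8c:85:90:aa:bb:01 DHCPDISCOVER",   # one normal client lease
             "2019-01-12T10:00:02 wifi 8c:85:90:aa:bb:01 DHCPREQUEST",
             "2019-01-12T10:05:00 inside 00:1a:2b:3c:4d:5e DHCPDISCOVER"]
    # starvation burst: 40 DISCOVERs from 40 different spoofed MACs within four seconds
    lines += [f"2019-01-12T10:07:{i // 10:02d} wifi 00:0c:29:00:00:{i:02x} DHCPDISCOVER" for i in range(40)]
    return lines

def detect_starvation(lines):
    """Return one (interface, timestamp, distinct_macs) alert per interface, raised the first time
    the number of distinct MACs sending DISCOVER within WINDOW exceeds ALERT_FRACTION * POOL_SIZE."""
    recent, alerted, alerts = {}, set(), []
    for line in lines:
        ts_text, iface, mac, msg = line.split()
        if msg != "DHCPDISCOVER":  # only DISCOVERs from new MACs drive pool exhaustion
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent.setdefault(iface, deque())
        q.append((ts, mac))
        while ts - q[0][0] > WINDOW:  # drop entries that fell out of the window
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > POOL_SIZE * ALERT_FRACTION and iface not in alerted:
            alerted.add(iface)
            alerts.append((iface, ts_text, distinct))
    return alerts

if __name__ == "__main__":
    for alert in detect_starvation(constructed_log()):
        print("possible DHCP starvation on %s at %s: %d distinct MACs in %ds" % (alert + (WINDOW.seconds,)))
```

On the switch side the matching preventive control is DHCP snooping with a per-port rate limit, which drops such a burst before the pool is exhausted.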


Tuesday, January 1, 2019

Cisco ASA FirePOWER Traffic Redirection, Security Zone and Network Object via ASDM

Below is the normal traffic flow in a Cisco ASA Firewall with FirePOWER module.


You can check the ASA Access Rules under Configuration > Firewall > Access Rules (click the box or maximize icon). There's an implicit permit rule for traffic from the inside and wifi going out to the Internet (outside). You'll need to permit traffic from inside to outside and redirect it to the FirePOWER module in order to apply Next-Generation firewall services such as IPS, URL filtering and Advanced Malware Protection (AMP).


Below is the inspection flow for the FirePOWER Access Control Rules.


Click on ASA FirePOWER to check the Access Control Policy for the FirePOWER module. Notice there are no rules created yet and the Default Action is set to Access Control: Trust All Traffic.


To redirect traffic to the FirePOWER module, go to Configuration > Firewall > Service Policy Rules. There's a global_policy and inspection_default configured by default. Click on inspection_default and click the Delete (trash) icon.



Click Add (down arrow) > Add Service Policy Rule.


Leave the default settings in Step 1 and click Next.


Choose Use class-default as the traffic class > click Next.


Go to ASA FirePOWER Inspection tab > tick Enable ASA FirePOWER for this traffic flow > leave the default Permit traffic > click Finish.

This (fail-open) allows traffic to flow normally even if the FirePOWER module fails.
 

Click Apply and ASDM will display an error. Just click Close.


Below is the configuration for the traffic redirection to the FirePOWER module. I also generated some web traffic from a machine residing on the inside interface.


ASA5506W-X# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
policy-map global-policy
 class class-default
  sfr fail-open
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection


ASA5506W-X# show service-policy

Global policy:
  Service-policy: global-policy
    Class-map: class-default

      Default Queueing      SFR: card status Up, mode fail-open
        packet input 5636, packet output 5636, drop 0, reset-drop 0


You'll need to prepare several objects (aliases) to be used in the FirePOWER Access Control Policy Rules. First, create the logical Security Zones under Configuration > ASA FirePOWER Configuration > Object Management > Security Zones > Add Security Zone.


Choose ASA (which is the only option available) under Type in order to load the Available Interfaces. In my case there were the outside interface, several inside interfaces and the wifi interface.


Type a Name (INSIDE-WIRED) > select the interface(s) > Add > Store ASA FirePOWER changes.

I encountered an issue where there were no hits on the FirePOWER access rules. You'll need to add all the inside interfaces except the interface going to the FirePOWER module (inside-1), which is the direct cable between the ASA 5506W-X G1/2 and the MGT1/1 interface.


Click the arrow on the Security Zone Object (INSIDE-WIRED) to expand and show its associated interfaces.


Configure the same for the wifi and outside interfaces.



Click the arrow to expand the Security Zone Object and show its associated interfaces.


Next, create individual network objects under Configuration > ASA FirePOWER Configuration > Object Management > Network > Individual Objects.

By default the Network Object for the RFC 1918 Private Networks is configured.


Click Add Network > Type a Name for the Network Object > type the Network (CIDR notation) > click Add > Store ASA FirePOWER Changes.

In this case I added the inside wired (192.168.1.0/24) and wifi (192.168.10.0/24) networks.
 



You then create a Network Group Object to tie together the individual network objects created earlier under Configuration > ASA FirePOWER Configuration > Object Management > Object Groups > Add Network Group.


Type a Name for the Network Group Object > select the individual Network Objects on the left > click Add to move under Selected Networks on the right > Store ASA FirePOWER changes.