Isolating Untrusted Devices at Switch Level

What do you do when you have a questionable device that you’d like to connect to your switch in order to get it online, but you don’t fully trust it and want to isolate it from your other devices? Or what if you don’t trust any of your devices to talk to each other but you still want to give them internet access? The textbook solution is to create separate VLANs and firewall them from each other at the router. This works, but there is just too much configuration for something so simple. An easier approach is to segregate them at the switch level. That way you can skip all the complexities of setting up a VLAN aware router. Sounds great, what’s the catch? The catch is that you do need a managed switch which supports IPv4 ACLs. Luckily, 1Gbps managed switches are not that expensive these days. In my setup I used and old Dell Powerconnect 6224. Similar syntax will apply to Cisco or HP switch. The general idea is that a managed switch has firewall-like features, so let’s use them.

Let’s look at a specific scenario:

  • LAN gateway IP 192.168.1.1/24
  • Port 1 and 2 with devices that have to be segregated from each other and from other devices on the same VLAN
access-list InternetOnlyACL permit ip any 192.168.1.1 0.0.0.0
access-list InternetOnlyACL deny ip any 192.168.1.0 0.0.0.255
access-list InternetOnlyACL permit ip any any

interface ethernet 1/g1
switchport access vlan 10
ip access-group InternetOnlyACL in 1

interface ethernet 1/g2
switchport access vlan 10
ip access-group InternetOnlyACL in 1

The following line is optional

access-list InternetOnlyACL permit ip any 192.168.1.1 0.0.0.0

What it does is make sure that the device can still ping the LAN gateway (important for some devices which verify internet connectivity by pinging LAN gateway) but for most they will happily connect to the internet without ever being able to ping the gateway IP (you just won’t see the first hop in your traceroute). This setup works with both DHCP and static IP assignments.

Caveat: This method blocks funny business on Layer 3 (IP protocol),but it will do absolutely nothing for you if the malicious device starts messing with your network at Layer 2 (ex ARP spoofing). For that you need to configure additional security features on your switch. This is just another layer of protection.

Fixing email display name spoofing

The words “email” and “security” have never mixed, but some things are just too ridiculous to be left as they are.

There are several ways to spoof email, each with their own countermeasures:

  • Sender email address -> DKIM and SPF
  • Sender email display name -> Solution below

While researching ways to fix this, I came across different methods, ranging from database lookups of valid names to looking for suspicious patterns in the display name. None of those methods get to the root of the problem which is that

senders email display name should never have been a “field” that existed in the first place.

Whose idea was it to create a field where anyone can type in “John Smith” as their name, and to top it all off, the recipients mobile device happily says “you have email from John Smith”. Really? From John Smith? Are you sure? No? Not even little bit sure? Is that because anyone can type in anything they want and there is nothing to verify it against? Then why would you show such information as if it’s the truth? No thanks.

To reverse this horrible mistake, the solution is obvious. Let’s remove email display name from existence and display only email addresses (which can still be spoofed, but at least there are countermeasures in place for anyone trying to get away with it)

vi /etc/postfix/header_checks
/^FROM:.<(.@.)>/ REPLACE From: <$1>
/^REPLY-TO:.<(.@.)>/ REPLACE Reply-to: <$1>
postmap -r header_checks
postfix reload


SSL Sniffing with Android x86 and frida

  1. Install Android x86 (I used 8.1r3)
  2. Configure with virtwifi
  3. Long press to access advanced menu’s proxy settings
  4. Proxy traffic to BurpSuite or similar
  5. Install frida-server on Android x86
    1. follow https://www.frida.re/docs/android/
    2. frida-ps -aiH 192.168.x.x #find the target’s application identified ex: com.company.myapp
    3. download file bypass.js into current directory
    4. frida -H 192.168.x.x -f com.company.myapp -l bypass.js –no-pause
  6. burpsuite should now see plain text requests coming in

CLUG Presentation: AI for Beginners from a Beginner

Recently I saw a demo of AI technology that could count the number of people in a security camera video feed.  I thought it was pretty cool and started Googling “how did they do that?”. First I came across scientific papers that require you to have an advanced math degree to understand, but soon I stumbled across a whole other class of open source projects that are pre-packaged and ready to go with zero math.   If you can handle the level of complexity roughly equivalent to compiling a Linux program from source, you can also start using powerful AI today.

Presentation is today at the Nicholls Family Library at 5 PM

Download copy of the PowerPoint presentation here

Using Frida to Bypass SSL Pinning on Android

Most modern apps rely on SSL pinning to make sniffing SSL traffic through proxy more difficult. This is great security-in-depth practice, but it’s a real pain when trying to inspect app’s traffic as a part of vulnerability assessment or penetration test. Luckily there if Frida.

  1. Run frida-server https://www.frida.re/docs/android/
  2. frida-ps -Uai #find the target’s application identified ex: com.company.myapp
  3. download file bypass.js into current directory
  4. frida -U -f com.company.myapp -l bypass.js –no-pause
  5. done

HTTPs Inspection of Android APK

With increased security, it’s getting trickier to intercept HTTPs traffic send by Android Apps. For that reason most methods rely on rooting Android. But what to do when you don’t have a rooted Android on hand?

Use Android Emulator from Android Studio:

  1. Go to “Settings->Wireless & Networks->More”
  2. Go to “Cellular Network Settings”
  3. Go to “Access Point Names”
  4. Edit Proxy and Port fields
  5. Install root cert from BurpSuite or whatever tool you are using to intercept the traffic
  6. Install and run your APK

WAF Proxy with ModSecurity and Apache

When you need to protect an application against XSS and other nasty attacks, but you can’t modify the source code, ModSecurity can save the day.

  1. Install apache
  2. Install ModSecurity
  3. Setup apache as a proxy with the following configuration
    <Location />
    ProxyPass https://www.test.com/
    ProxyPassReverse https://www.test.com/
    
    #SecRuleRemoveById 999999 whitelist any rules here
    </Location>
    
    
  4. Turn on /etc/modsecurity/modsecurity.conf
SecRuleEngine On

#SecRuleEngine DetectionOnly

5. Turn on CRS blocking in /etc/modsecurity/crs/crs-setup.conf

SecDefaultAction "phase:1,log,auditlog,deny"
SecDefaultAction "phase:2,log,auditlog,deny"

#SecDefaultAction "phase:1,log,auditlog,pass"
#SecDefaultAction "phase:2,log,auditlog,pass"

6. Watch /var/log/apache2/modsec_audit.log for false positives and tweak rules accordingly