Am I a white hat or a black hat hacker?

Every time I hack or crack something, I face a tough ethical dilemma. I wonder, am I hurting people’s security and privacy by doing this? When I improve the code that is designed to simplify the cloning of RFID access cards, am I helping the society? Am I helping criminals break into buildings? When I write a tutorial that explains “how to hack in”, am I helping the society? Or am I helping the criminals send phishing spam?
To untangle this, let’s start with definitions. White hat hacker is defined as someone who improves security, while a black hat hacker is defined as someone who harms security. This isn’t very helpful. Whose security are we talking about? Is a hacker working for a government security organization considered white hat or black hat? After all, they are improving *their* organization’s security. Are our guys the white guys, while “the other” guys are black hat? And how do we define harm or benefit? Is a hacker who releases info about 0-day exploit causing harm, or benefit? It seems these definitions shift the ethics off to another level avoiding the deeper philosophical implications.

Here is a more useful definition:

  • White hat hacker: Hacker who shares their tools and knowledge in a public and open manner for the purpose of enabling everyone to gain privacy and control.
  • Black hat hacker: Hacker who secretively guards their tools and knowledge for the purpose of relinquishing privacy and control from others.

This definition allows us to ask us another interesting question. What would happen if majority of hackers were white hat? What would happen if majority of hackers were black hat?

Black Hat Majority:

bh2

Information security is in a very bleak state. Black hats have all kinds of back doors, and everyday users can only throw up their arms and say “privacy is dead”, “liberty is dead”, “I do not have control over my devices – others do”. This is a state we are in now.

 

White Hat Majority:

wh

Information security is in a good state. Published exploit is a defensible exploit. Black hats still have the fringes to operate in. However, overall, every day users are fairly certain that they have the control over their systems and that they are not just puppets within a system controlled by others.

This makes it easy for me to say: I’m proud to be a white hat hacker.  I’m also proud to be on the right side of the race between the two sides.

I hope this makes others who have been on the sidelines, wondering what’s the right thing to do, jump right in.

Improved proxmark3 scanning of ioProx / Kantech fobs

I’ve been playing with my new proxmark3. It works great for HID cards, but ioProx code is still in its infancy. I made some improvements to it based on analysis by marshmellow:

  • Better accuracy: You no longer have to worry about centering your fob on the antenna or scan it repeatedly to get a “good” reading. Now you can just hold it in your fingers to scan. Before this update I was averaging 10 – 70% accuracy depending on how I held the fob. This version is pretty much 100% – I haven’t had a bad scan yet.
  • Correct decoding of human readable XSF number: Previous version had a bug that displayed the wrong unique code and the wrong facility IDs.

proxmark3

Download the binary firmware (including source code patch if you want to build it yourself) .

There is still more work to be done. For example, there appears to be CRC or checksum near the end – it’s still a mystery.

Quick and easy iptables based proxy

Today was a busy day dealing with power outage that affected 2100 businesses in downtown Calgary. Of course, couple of my clients were in the zone that went dark. I offered them to run their key infrastructure from my place for couple of days. Everything went great, except I have only 1 IP address on my connection. That’s not good when both clients want to come in on port 443. What to do?

Call up my ISP and order another IP? Nope: Takes too long, too expensive, I just need this temporarily. Also, ISP might mess it up and take me offline for a while.

Get VM with IPv4 IP and proxy the traffic over? Yes, but why go with something heavy handed like nginx?

I prefer this elegant solution brought to you by iptables:


# echo 1 >| /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -p tcp -d $IP_OF_VM --dport 443 -j DNAT --to $IP_WHERE_IM_FORWARDING_TO:8443
# iptables -t nat -A POSTROUTING -j MASQUERADE

New Quantum Key Distribution Record by LANL

NIST, LANL and Albion College set two significant distance records for distributing “keys” (or codes) for quantum encryption.

Press release

Why does this matter?

– Will make it impossible for adversaries to “sniff” network traffic without being detected.
– Until now prototypes were specialized (read expensive) equipment. This technology is inexpensive so it could soon be mainstream.
– With the real possibility of quantum computing developing the point of making all SSL and VPN encryption methods obsolete, this technology is one piece of the puzzle in replacing current encryption technology with the next generation.

[Solved] Linux PPTP client NATed behind pfsense firewall

When migrating my PPTP client configuration from an older Linux server to a new one, I could not get a PPTP tunnel up and running on the new server.   I kept getting this error flow:


using channel 15
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xxxxx6a93> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xxxxx6a93> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xxxxx6a93> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xxxxx6a93> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xxxxx6a93> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xxxxx6a93> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xxxxx6a93> <pcomp> <accomp>]
Script pptp vpn.xxxxxxxx.com --nolaunchpppd finished (pid 23704), status = 0x0
Modem hangup

So I was sending, but getting nothing back.

I tripple checked my configuration, and tweaked a few settings.  No luck.  Then I stumbled on an article that talked about the challenges of PPTP behind NAT devices.    I already knew about the common issue of not being able to dial out with more than one client session to a remote PPTP server.  For that reason I was careful not to have  more than one open at the same time,  but I thought I’d dig a bit deeper to see if NAT was the culprit.

Long story short, I noticed that pfsense -> diagnostics -> pftop was showing a GRE state from old server to the destination VPN server.  It showed age of 3+ hours (forgot the exact number) even though I was sure that the PPTP session on the old server was shut down.   I reset the firewall state on pfsense, and it started to work immediately.

The moral of the story is that pfsense likes to keep the GRE state open for hours after it’s been disconnected.   That is a problem.   Packets go out, but they are NATed to the wrong server when they come back.

Version details:

Pfsense: 2.1.4-RELEASE (i386)
PPTP: 1.7.2
Linux: Ubuntu 14.04.1 LTS

CAPTCHA firewall bypass / port knocking portal

Couple of my clients’ sites were being probed by botnets.   It was the usual:

  • Common vulnerabilities probes
  • Password guessing attacks

It didn’t warrant putting them behind a firewall, but I also didn’t like the idea of having it open to relentless automated 24×7 scanning. The sites were extranet type of sites, not really public, but not private either.  I scratched my head a bit trying to figure out how I could improve security without inconveniencing users.  What I came up with is this method:

  1. Any access to the website is blocked by a “captive portal” like page
  2. When the user provides the portal what’s being asked for (in this case correct answer to CAPTCHA) the firewall opens an exception to their IP and the user is redirected onward to the site they were looking for.

Is this secure against a determined hacker?  Definitely not.  Solving the CAPTCHA takes only 3 seconds and they’re in through the first layer of defense.   That’s why it’s critical that this is treated as an extra (thin) layer of defense and not as the only layer.

Is this secure against 99% off all attacks out there? (worm / botnet attacks on autopilot): Definitely

How is it implemented?

  • PHP page shows the portal page
  • If CAPTCHA is correct, IP is collected from $_SERVER[“REMOTE_ADDR”], sanitized and saved in a file that keeps track of allowed IPs
  • PHP  page then triggers a shell script that updates iptables with the following entry:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -s $AllowedIP -d $YourIP -j DNAT --to-destination $TargetIP:80

How can this be improved?

Nothing says that access is given with a simple CAPTCHA, there could be full authentication that takes pace before firewall is opened.  Furthermore it could close shortly after access is given disallowing any fresh TCP connections.   Think of it as authenticated port knocking.

security proxy

 

You’ve probably seen a page like this if you’ve stumbled across CloudFlare protected site when using Tor.  I don’t know what internal mechanism they use, but I imagine it’s very similar.

 

API Monitors

When reversing applications it’s useful to see what’s happening under the hood.   Up until now I’ve either had to bring out OllyDbg and dive into assembly or rely on a high level tool like Systernals Process Monitor.   I’m fond of strace on Linux, but when I searched for “strace for Windows” resulted in tools that were not very reliable.   That was couple of years ago.

Today I stumbled on these two API monitors that do exactly what I need on Windows:

 

IPv6 for the impatient

I always wanted to get my feet wet with IPv6.   The problem is that my ISP doesn’t support it.   Today I found out that I don’t need to wait until they get their act together, I can get onto IPv6 imediatelly by using a tunnel from Hurricane Electric.

  • It’s free
  • You get /48 prefix of publicly routed IPv6 IPs.  (1208925819614629174706176 addressees)  I still don’t know what I will do with that many 🙂
  • Can dual stack.  IPv4 and IPv6 side by side on a single router.  You don’t need to shut down or disrupt IPv4.    You do not need to quit IPv4 cold turkey.  In fact, I had only two machines on my network dual stacked, happily coexisting with their IPv4 counterparts.
  • Not that hard to setup if you have a router that plays nice (most do)

I got it up and running in under an hour.   It was fun.  When I switched to purely IPv6 mode, it reminded me of the 90’s when every site that actually worked was  a cause for celebration.

To be honest, after a day or so, I actually ended up turning it off.  The trouble was that even though I was running dual stack, everything liked to default to IPv6 first and IPv4 second.   That’s good in theory, but in practice, I feel IPv6 is just not ready if you want 100% smooth experience.

I’ll try again in a year or so since I can see IPv6 adoption is exploding.

 

Visualizing Complex Files

Inspired by a very interesting TED talk by Chris Domas, I decided to make my own tool that did the same thing.

Download the binary (.NET compatible)

Download the source code

As you can tell from the source code,  the mechanism is very easy:

  1. Split file into bytes
  2. Loop through the bytes (currentByte and previousByte)
  3. X axis is 0 – 255 (currentByte)
  4. Y axis is 0 – 255 (previousbyte)
  5. Plot intersections of X and Y

The technical name for this is digraph.  Doing this in 3D or 4D would require a very similar process.

Below are screenshots of some of the files that I visualized.

text

Note how everything is in the upper left corner.  That’s because bulk of plain text is ASCII bytes 32 (space) to 126 (~)

exe

 

Some similarities to a text file in terms of well defined patterns except that binary file won’t be restricted to below byte 127.

jpeg

Notice the shades of gray.

 

random

 

This was about 32 MB file.  If I had a bigger file that was even more random I would expect the entire screen to fill white.   Any pattern visible here is a tale tale to a lack of randomness (or a small sample)

 

 

Pingb: Bandwidth Measuring

Ever needed to get an estimate of a link’s bandwidth and all you have is shell access to one of the end points?

Normally you would need access to both endpoints and run something like iperf across the link.   That’s the proper way, but it takes a lot of time to setup (poke holes through firewalls etc).   If you don’t want to go through that hassle and just need a quick estimate, you can use pingb.

Pingb estimates the bandwidth by measuring the difference between ICMP echo requests of different sizes.