UPDATE: Insecure has released v6.46 which contains all of these patches. Just grab the latest and follow the usage info here

If you don’t know what Heartbleed is, you can find out here: http://heartbleed.com/. If you don’t want to read the details above, XKCD put together a great short comic about it: http://xkcd.com/1354/

NOTE: I first put this together 3 days ago, but I am just now releasing after being asked by many people for the package and directions.

The problem: How do you scan a bit more than 5 class B’s (~328000 IP addresses) before any off the vendors (Tenable, Qualys, Rapid7) have released signatures? Easy – you build your own!
The goal was to scan as many IPs as possible at work as quickly as possible.

After using the Heartbleed github project (https://github.com/FiloSottile/Heartbleed) and creating a Dancer web service around it, I realized that there still needed to be a faster way to scan for this. How much faster?

How about a /24 (254 IP addresses) in less than 10 seconds.

I have a patched version of NMAP already (6.40) that has Heartbleed checks.
Again, Insecure has released v.6.46 which has these patches. Grab that and follow these directions

Then, you can scan like this:

/usr/local/bin/nmap --open --script ssl-heartbleed -p 443 SUBNET-CIDR-HERE

 

If you want cleaner results, for a script, a good way to filter the output will be with something like this:

/usr/local/bin/nmap --open --script ssl-heartbleed -p 443 SUBNET-CIDR-HERE | sed -e '/report for/,/ssl-heartbleed/!d' | grep -v 'Host is up' | grep -v 'SERVICE' | sed -r 's/Nmap scan report for //'

This produced a clean 2 line result, where if it’s vulnerable, it will have “ssl-heartbleed” under each host/IP address entry.

 

How to build your own patched NMAP binary?

But what if you don’t trust my binary? Good – let me show you how to build one yourself:

Continue Reading →Ridiculously fast Heartbleed Subnet Scanner – nmap heartbleed howto and tutorial

There are many ways to exploit a web server and gain access to the file system – read or write (sometimes both). This becomes even easier when one hosts CGIs or other dynamic code – especially when that code includes user based inputs. Recently, I found one of the most elegant exploits that I have seen for this kind of an attack vector, so I wanted to go over it and share some information about how it works and what exactly it exploits.

To setup the background for this scenario, imagine a web server (ex: ‘www.example.com’) setup with userdirs, which allows CGI execution – not an uncommon situation at all. This means that ‘user1′ will have a directory like ‘public_html’, which will become directly accessible at: ‘http://www.example.com/~user1/’. For example, creating a ‘blah’ folder in ‘/home/user1/public_html’, will create ‘http://www.example.com/~user1/blah’ on the web.

At some point, ‘user1′ creates a file called ‘x.cgi’, which simply has a GET parameter called ‘file’, and if that parameter is a file that exists, it loads it via an include. Otherwise, it loads a default.html file. Let’s assume that ‘x.cgi’ is a PHP file which looks like this:

#!/usr/bin/php
// x.cgi file - used as a "pre-processor" for loading HTML files
$file = $_REQUEST['f'];
if (file_exists($file) ) {
    include($file);
}
else {
    include('default.html');
}
?>

Continue Reading →Web Exploit – user modifiable Read and Execute can give you Write access

Setting up the network interfaces is something that seems to give people a hard time (clearly visible here: http://docs.openstack.org/grizzly/basic-install/apt/content/basic-install_network.html). If you follow that guide, one of the most confusing points is how the Open vSwitch fits into the existing architecture.

Assuming you are following the guide, you have 2 networks:
10.10.10.0/24 -> private
10.0.0.0/24 -> public

Your Network Controller, again per the guide, will have an internal-network interface of “10.10.10.9” and an external-network interface of “10.0.0.9”

Your starting network config (/etc/network/interfaces) file will look like this:

########################################
# Internal Network
auto eth0
iface eth0 inet static
    address 10.10.10.9
    netmask 255.255.255.0

# External Network
auto eth1
iface eth1 inet static
    address 10.0.0.9
    netmask 255.255.255.0
    gateway 10.0.0.1
    dns-nameservers 8.8.8.8
########################################

Now, you will first install the packages needed:

# apt-get install quantum-plugin-openvswitch-agent \
quantum-dhcp-agent quantum-l3-agent

Then you will start the Open vSwitch:

# service openvswitch-switch start

Continue Reading →OpenStack – Network Controller – Open vSwitch – Network Interfaces Config

Recently, while setting up my the network controller for OpenStack, I saw this message:

# tail -f /var/log/quantum/openvswitch-agent.log

ERROR [quantum.plugins.openvswitch.agent.ovs_quantum_agent] Failed to create OVS patch port. Cannot have tunneling enabled on this agent, since this version of OVS does not support tunnels or patch ports. Agent terminated!

What this means is that the versio of the datapath (shipped by Ubuntu) does not have the support needed to create tunnels or patch ports. This happened on Ubuntu 13.04.

Fortunately, it is VERY easy to solve this. You need to simply build your own datapath for your kernel. For this, you OpenvSwitch’s datapath source, and you need module-assistant:

apt-get install -y openvswitch-datapath-source module-assistant

You can then grab your kernel headers and any other dependencies:

module-assistant prepare

I noticed that either the kernel headers do not have the version.h in the right place, or the module-assistant looks in the wrong place. You can solve this by doing:

cd /lib/modules/`uname -r`/build/include/linux
ln -s ../generated/uapi/linux/version.h .

And finally, to download, build, and install the modulle:

module-assistant auto-install openvswitch-datapath

Now, reboot your system so that the new module is loaded, and you are ready to go. You will notice that “/var/log/quantum/openvswitch-agent.log” no longer has this issue.

Disclaimer: I wrote this myself and posted it first on PinStack.com. Then I posted it on CrackBerry.com. I am re-posting it here because I think it will benefit people, and I would like to save a copy of it.

[I am going at this from truly personal experience, along with some background so that you know what kind of an user I am. If you are interested in the specs and overall usage, there are thousands of reviews. I hope that people will appreciate this a bit more than a typical "i used it, it made phone calls, it lasted 12 hours, the screen is small, the back over heated, the keyboard was amazing, it's not an iPhone or Android and there are no apps" review]

First – a bit of background about me and cellphones: to call myself a cellphone enthusiast/a power user, or someone who is obsessed with cellphones would be kind of like calling Tiger Woods “ok at golf” or the Bugatti Veyron “faster than a honda”. To give you some quick numbers: I’ve gone though >30 phones in ~4 years (many many more since the early part of 2000), I have switched through each major US carrier about ~5 times, and in the whole process, I have only paid a cancellation fee twice. [Please note that I have really toned this down lately - mostly because carriers like Samsung have found a way to push a new device every 3-4 months without doing anything exciting and ground breaking.]

Continue Reading →1 Week (so far) with the BlackBerry Q10!

The Scenario:

Let’s say you are at a coffee shop with public internet access, and you don’t want someone snooping on your traffic, so you VPN to your work. However, you also don’t want to tunnel personal stuff out of your work VPN (chat, facebook, youtube, your personal email maybe?), so the question becomes, how do you create 2 different firewalls – one that ONLY allows you to VPN and does not allow any other applications access, and one that then controls the traffic within the VPN channel so that you can utilize the connection for some apps but not others?

At this point, there are only 2 “methods” of running a Firewall on Android: having root and managing/accessing IPTables, or, the only alternative – creating a sub-VPN channel that you pipe the traffic over and filter (which does not require root). Unfortunately, the second type (without root) will not work for this, since we will need to utilize the VPN channel ourselves for our VPN, and to my knowledge, Android let’s you setup only 1 active VPN channel. So, you need 1.) a way to root and 2.) a good Firewall

Continue Reading →Firewall the Inside of your OpenVPN or L2TP/IPSec Tunnel on Android

I read an interesting article last night which highlited some problems with the way SSH process communication happens. I am writing a post about it because it is so simple and yet so effective.

Here is the scenario:
Let’s say that you have a linux system running the latest set of patches/OpenSSH. You have multiple users on the system, and one or more of them have sudo/su/escalated privileges. The idea is that when user ‘A’ connects to the system, user ‘C’ will be able to sniff out their password.

The details:
The idea is that almost all ssh daemons by default are configured to use “Privilege Separation”. This means that sshd spawns a process (child) that is unprivileged to listen for incoming network requests. After the user authenticates, another process gets created running as the authenticated user. The magic happens in between these two processes.

A simple example:
User ‘C’ ssh-es into the system, escalates their privledges (either by legitimate or non-legitimate means) and starts listening for newly created ssh ‘net’ processes. As soon as user ‘C’ sees a process being crated, they immediately attach strace to it.

A simple way to do it is by:

ps aux | grep ssh | grep net | awk {' print $2'} | xargs -L1 strace -e write -p

or even better:

while [ 1 ]; do ps aux | grep ssh | grep net | awk {' print $2'} | xargs -L1 strace -e write -p; done

 

Continue Reading →Sniffing SSH Password from the Server Side

This will be my last post about the Google Nexus S since I just purchased (and received) my Nexus 4. That said, I really wanted to give one last update on the Nexus S since it looks like things have changed quite a bit with the update process. While it looks more complicated at first, it’s actually a lot more flexible now. Here is how to upgrade your Nexus S manually to a full 4.1.2 Jelly Bean, even if you have not received it yet/are in a country where the updates are not coming in, or are on a carrier which is not pushing OTA updates.

The first step is to go to Google’s Official Factory Images for Nexus Devices

Now, you have one of four choices for sections, based on your phone:

  • If you have the (MOST POPULAR) T-Mobile or ATT (GSM) version of the Nexus S, go to: “Factory Images “soju” for Nexus S (worldwide version, i9020t and i9023)”
  • If you have the Sprint (4G) version, go to: “Factory Images “sojus” for Nexus S 4G (d720)”
  • If you have the Korean version (VERY RARE), go to: “Factory Images “sojuk” for Nexus S (Korea version, m200)”
  • If you have the NON-1Ghz (STILL RARE) version, go to: “Factory Images “sojua” for Nexus S (850MHz version, i9020a)”

Let’s assume you have the T-Mobile/ATT one since most people have that.
You will want the “4.1.2 (JZO54K)” image, which you can download from their official link:

soju-jzo54k-factory-36602333.tgz
(md5: 788233dca5954532acda63039f814b4d)

Continue Reading →Google Nexus S – update manually to 4.1.2 Jelly Bean

I walk outside listening to Pandora quite a lot, and today I realized that I miss about half the SMS’ that I get. Either because it’s too noisy, or maybe because the SMS’ are not loud enough and I use a single beep, or because the sound trigger gets interrupted by Pandora, but either way, it’s a bit annoying. I have been considering some sort of a solution that will play incoming SMS messages when my headphones are plugged in for quite some time, but I couldn’t think of an efficient way to do it — that is, efficient on the battery. I think I came up with one today.

The idea behind this Tasker program is the following:

There are two Profiles: ‘Detect Headphones‘ and ‘Play Text Over Headphones‘. Only one Profile has to be actually active at all times – the Detect Headphones one. When you plug in your headset (with microphone, or just regular headphones), the profile sets a variable %HEADPHONES to ‘yes’. It then turns on the second Profile – the one that monitors incoming SMS messages and plays them over the headset if your %HEADPHONES variable is set to ‘yes’.

Continue Reading →Speak SMS over the Head Phones only when they are plugged in

The general idea behind this is that it utilizes my original Blackberry Sound Profiles for Android and it adds a “timer” element which can be set. Upon setting the timer, it will set a temporary task until the timer runs out. The idea came from one of my visitors who asked me how to do this. At first, I had no idea how to do it. About 30 minutes later I had a semi-working prototype. Another 3 hours later (had to figure out how Scenes worked and interacted with variables and the rest of the system) I had the final version with a working GUI.

The first thing that you need are my Tasker Blackberry Sound Profiles found here: (http://blog.vpetkov.net/2011/05/10/my-tasker-program-blackberry-sound-profiles-for-android). If you don’t have them yet, follow the super quick “Getting Started” section. Once you have the tasks and you have them working (if you want this to work out of the box, grab at least the “Work” task and the “Sleep” task), download the Timed extension:

Note: You need the current BETA to import this profile: http://tasker.dinglisch.net/beta.html (1.2.1b4m)

Timed.zip
(md5: 5709a9ed0b139a027900d9f8f1e2e92a)

Now unzip it and follow the same steps from the original post – grab the “Timed.tsk.xml” file and import it into the the Tasks tab, and then grab the “TimedScene.scn.xml” file and import it into the Scenes tab. Go to your home screen and create a Tasker widget of your “Timed” task. Every time you select this task, it will pop a box which will let you use a slider or directly type in a number. After this, when you hit “Set Profile”, the temporary task (by default “Sleep”) will get activated for the number of minutes you set. After that time period it will go back to the other (by default “Work”) task.

Continue Reading →Timed Blackberry Sound Profiles for Android