Category Archives: #windows

ADS Links

I’ve been doing a lot of research into hiding encrypted data in alternate data streams (what, I was bored one night!). Instead of boring you with more of the same (the topic has been covered extensively by others), I’d like to share some links with you.

One of the best sources I’ve read regarding ADS is Harlan Carvey’s Windows Forensic Analysis 2E. It was my first real exposure to the wonderful world of alternate data streams and file/folder/executable piggy-backing. (Rob Lee mentioned alternate data streams in SANS FOR408, which piqued my interest.)

The Gabro Blog entry on ADS is extremely insightful as well, although it says that an ADS can carry different encryption attributes than its parent. That’s misleading: EFS works on the file as a whole, so you can’t encrypt a single stream on its own (I tried with cipher /E /A and it doesn’t, nor would it make much sense logically); when a file is EFS-encrypted, its streams are encrypted along with it. What you can do is encrypt content with something like GPG and then “push” the ciphertext into a stream with type, e.g. type secret.gpg > host.txt:hidden. Keep in mind that a stream hides nothing from anyone who bothers to list streams (dir /R, or Streams from Sysinternals): the stream is obscurity, and the GPG layer is what actually keeps the content private.

Additional Resources

Quinn Shamblin’s “Alternate Data Streams Overview” (SANS Blog)
Harlan Carvey’s Blog entry on ADS entitled, “NTFS Alternate Data Streams”

In NTFS Secure Erase Leaves Remains

I was wondering whether the free-space wiping tools available for Windows actually perform as expected: do they remove every trace of previously deleted content from a mechanical hard drive’s unallocated space? I was also curious what could still be learned from a wiped drive about the files that were wiped, and whether such a find is worth anything to an investigator. My tool of choice for the exercise was CCleaner’s free space wiper.

For those that don’t know, wiping means overwriting the sectors that held the data with a fixed or random pattern (zeros, ones, or pseudo-random bytes) so that the original contents cannot be recovered; merely flipping bits would be reversible and is not what wipers do. One good pass is generally all a modern drive needs, but not every tool writes its pattern to every sector it should. The commonly cited DoD 5220.22-M variants use 3 or 7 passes, erring on the side of caution, and Peter Gutmann’s method, designed for the encoding schemes of 1990s drives, uses 35 passes and is widely regarded as overkill today. Which method is best? There’s no way to be certain: different erase tools behave differently, and some fail to overwrite everything they claim to.

For my purposes I decided on being cautious but not outright paranoid (most of the files I deleted for this exercise were junk anyhow) and opted for the standard 7 pass method. Regardless of what pattern you choose, or what wiping program you use, the findings below will be the same: they come from file system metadata that the wiper never touches.

I found that while alternate data streams and the drive’s unallocated space were essentially wiped clean, file names were still recoverable from the $I30 index attribute of the sub-folders that had contained the files. How was this possible if the $MFT no longer held records for them? Because the $I30 index belongs to the parent directory, not to the file: it is allocated metadata, so neither the file’s own wipe nor a free-space wipe ever overwrites it.

I’m relatively new to forensics and didn’t have a clue at first, but with proper research I figured it out. All credit belongs to those that came before me. The blog post that explained it is “NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files” by Chad Tilbury, a SANS Institute instructor.

If you’re interested in learning more please check out that post. Essentially I learned that in forensics we can find traces of wiped content by examining the NTFS directory index, $I30 (the $INDEX_ROOT and $INDEX_ALLOCATION attributes of the folder), which still sits in allocated space (FYI, I triaged the drive by examining it in FTK Imager). Index records are B-tree nodes; when a file is deleted its entry is removed from the node but the bytes are not zeroed, so the old $FILE_NAME entry, with name, size and timestamps, lingers in the slack of the index record. (If the file was ever EFS-encrypted, remnants of its $EFS attribute may also be present. The cipher command warns you to encrypt an entire folder rather than individual files for a related reason: applications write temporary plaintext copies next to the file they edit.)

While I was unable to recover the files themselves, I was able to glean the names of the files I had previously erased, and knowing which sub-folder’s index held them tells an investigator where the data used to live. Even more interesting, Tilbury’s article points out that the $FILE_NAME entries in $I30 carry the file’s MAC timestamps and sizes too, and knowing the name, type and size of securely erased data can guide targeted data carving. Very cool. It truly makes the index a trove of useful information in an investigation.
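To make the slack-entry mechanism concrete, here is an added example (my own code, not the post’s and not Tilbury’s) that parses a 4 KiB $INDEX_ALLOCATION record: it undoes the update-sequence fixups, walks the live entries, and then carves the slack after the last entry for leftover $FILE_NAME structures, using the name length, namespace and timestamp fields as a plausibility check. The record is constructed in the script itself (a folder with alpha.txt and beta.docx live, and a wiped secret-notes.pdf surviving only in slack), so it runs offline; on a real case you would feed it INDX records exported from the folder’s $I30 attribute in FTK Imager.

```python
"""Parse an NTFS $I30 INDX record and carve the slack after its last live entry,
where the $FILE_NAME records of deleted and wiped files survive.  Added example,
not code from the post; layout follows the public NTFS documentation, and the
sample record is constructed below so the script runs offline."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
FN_FMT = "<QQQQQQQIIBB"                             # $FILE_NAME fixed part, 66 bytes
ENTRY_FMT = "<QHHI"                                 # INDEX_ENTRY header, 16 bytes
MFT_MASK = 0xFFFFFFFFFFFF                           # low 48 bits of a file reference

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def apply_fixups(rec):
    """Undo the update sequence: restore the real last 2 bytes of every sector."""
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)
    out, usn = bytearray(rec), bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_len):
        pos = i * 512 - 2
        if bytes(out[pos:pos + 2]) != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        out[pos:pos + 2] = out[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def read_file_name(buf, off, end):
    """Decode a $FILE_NAME at off, or None if the bytes there are not plausible."""
    try:
        parent, ct, mt, mmt, at, _, real, _, _, nlen, ns = struct.unpack_from(FN_FMT, buf, off)
        if not (1 <= nlen <= 255 and ns <= 3 and off + 66 + 2 * nlen <= end):
            return None
        times = [filetime_to_dt(t) for t in (ct, mt, mmt, at)]
        name = buf[off + 66:off + 66 + 2 * nlen].decode("utf-16-le")
    except (struct.error, OverflowError, UnicodeDecodeError):
        return None
    if not all(1980 <= t.year <= 2100 for t in times):   # rejects random bytes
        return None
    return {"name": name, "name_len": nlen, "parent": parent & MFT_MASK, "size": real,
            "created": times[0], "modified": times[1], "accessed": times[3]}

def parse_indx(rec):
    """Return (live_entries, slack_entries) for one INDX record."""
    assert rec[:4] == b"INDX", "not an INDX record"
    rec = apply_fixups(rec)
    ent_off, total, alloc, _ = struct.unpack_from("<IIIB", rec, 0x18)
    pos, end, live = 0x18 + ent_off, 0x18 + total, []
    while pos + 16 <= end:
        mft, esize, _, eflags = struct.unpack_from(ENTRY_FMT, rec, pos)
        if eflags & 2 or esize < 16:                    # last entry (no name) or corrupt
            pos += max(esize, 16)
            break
        fn = read_file_name(rec, pos + 16, pos + esize)
        if fn:
            live.append(dict(fn, mft=mft & MFT_MASK))
        pos += esize
    slack, end = [], 0x18 + alloc                       # allocated but "unused" bytes
    while pos + 16 + 66 <= end:
        mft, esize, ssize, _ = struct.unpack_from(ENTRY_FMT, rec, pos)
        fn = read_file_name(rec, pos + 16, end)
        if fn and ssize == 66 + 2 * fn["name_len"] and esize == (16 + ssize + 7) & ~7:
            slack.append(dict(fn, mft=mft & MFT_MASK))
            pos += esize
        else:
            pos += 8                                    # entries are 8-byte aligned
    return live, slack

def build_entry(mft, name, when, size, parent=5):
    """Constructed INDEX_ENTRY + $FILE_NAME (parent 5 is the volume root)."""
    ft = ((when - EPOCH) // timedelta(microseconds=1)) * 10
    stream = struct.pack(FN_FMT, parent, ft, ft, ft, ft, size, size, 0x20, 0, len(name), 1)
    stream += name.encode("utf-16-le")
    esize = (16 + len(stream) + 7) & ~7
    return (struct.pack(ENTRY_FMT, mft, esize, len(stream), 0) + stream).ljust(esize, b"\0")

def build_indx(live, slack, size=4096):
    """Constructed record: live entries, last-entry marker, stale bytes left in slack."""
    sectors = size // 512
    usa_off, usa_len, ent_off = 0x28, sectors + 1, 0x40
    body = b"".join(live) + struct.pack(ENTRY_FMT, 0, 16, 0, 2)
    hdr = b"INDX" + struct.pack("<HHQQ", usa_off, usa_len, 0, 0)
    hdr += struct.pack("<IIIB3x", ent_off - 0x18, ent_off - 0x18 + len(body), size - 0x18, 0)
    rec = bytearray((hdr.ljust(ent_off, b"\0") + body + slack).ljust(size, b"\0"))
    usa = b"\x01\x00"                                   # update sequence number 1
    for i in range(sectors):                            # stash each sector's last 2 bytes
        pos = (i + 1) * 512 - 2
        usa += bytes(rec[pos:pos + 2])
        rec[pos:pos + 2] = b"\x01\x00"
    rec[usa_off:usa_off + len(usa)] = usa
    return bytes(rec)

T = datetime(2012, 6, 1, 9, 30, tzinfo=timezone.utc)
LIVE = [build_entry(40, "alpha.txt", T, 1200), build_entry(41, "beta.docx", T, 88000)]
WIPED = build_entry(42, "secret-notes.pdf", T - timedelta(days=3), 512000)
SAMPLE = build_indx(LIVE, WIPED)     # the wiped file's clusters are gone; its name is not

if __name__ == "__main__":
    for tag, entries in zip(("live", "slack"), parse_indx(SAMPLE)):
        print(tag, [(e["mft"], e["name"], e["created"].isoformat()) for e in entries])
```

The $FILE_NAME structure inside each entry is what carries the four timestamps (created, modified, MFT-modified, accessed) and the sizes, which is why an index entry alone tells you when a file existed and how big it was even after every cluster it occupied has been overwritten. The plausibility filter (name length, namespace, sane years) is what keeps the carver from reporting garbage when it walks over zeros or unrelated bytes.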

As a student currently enrolled in forensics classes, my goal was to see if secure erasing completely removed “all traces” of said evidence on a Windows system. I was shocked to learn that it does not (yeah, I’m a “noob” with some things, this information has been out for a while, but I’m not afraid to admit that I’m learning). For more in-depth information on parsing the index or extracting more from the file system, please see the links below.

There are plenty of other remains that indicate a drive has been wiped: the launch of the wiping executable itself (prefetch, registry and log artifacts) as well as the metadata of the wiped content. If you’re interested in the topic I highly recommend researching it more thoroughly.

Obviously there are more effective ways of getting rid of data. A free-space wipe run from inside Windows can only touch unallocated clusters, so allocated metadata such as directory indexes survives; wiping the entire disk from outside Windows is preferable, and a manufacturer-level erase is best of all. After my recent class I’ve been toying around with hdparm against SATA drives that support the ATA Secure Erase commands and found that method to be best. Of course you could use dc3dd/dcfldd’s pattern filling function as well.

File Wiping/Free Space Wiping Methods Used

Files were securely erased with Eraser using a 7 pass wipe, followed by a Free Space Wipe (7 pass) of the same drive in CCleaner.

Sources

Tilbury, Chad. “NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files.” SANS Blog. September 20, 2011.

I first read about the blog post on the Wilders Security Forums after a Google search for $I30.

Encrypted Messaging using OpenPGP and Psi

The simplest way to get encrypted chat with services like Google Talk, AIM, Yahoo, IRC and other messengers/protocols is a GnuPG-enabled Jabber (XMPP) client. If you’ve never set one up before, you’ll want to follow these directions. I’ve included the configuration I prefer for Windows, though my Linux setup was nearly identical. One caveat up front: OpenPGP in XMPP encrypts the message body end to end, so it only protects conversations where the other person also runs an OpenPGP-capable client; a contact on a legacy network reached through a transport (AIM, Yahoo, MSN) cannot decrypt it, and that leg is only as protected as the legacy network itself.

In Windows I prefer Gpg4win as it’s extremely easy to use and light weight, so go ahead and pick up a copy of the Windows binaries here: http://gpg4win.org/ (optionally, if you’re interested in another GnuPG build, you can get one at http://www.gnupg.org; keep in mind that the Miranda IM client works poorly with the gpg2 packaged with Gpg4win, which is why Psi is the easier alternative).

Kleopatra makes creating OpenPGP key pairs quick and painless, so from within the key manager create the key you’ll use with Psi. Kleopatra supports RSA and DSA; I prefer RSA keys of 2,048 bits or larger (a larger key takes longer to encrypt and decrypt, though on a modern system you’re not likely to notice, and it resists brute force better; 2,048 bits is the sensible minimum today). Export the certificate (your public key) to a location of your choice; it will use ASCII armor by default.

Now that you have a public key to use with an XMPP client: again, I use Psi because it’s extremely light weight and known to work well with every OpenPGP implementation out there. To download Psi go here: http://psi-im.org/

While you could run your own XMPP server in the future, we’ll use an existing public server in this article (mainly because it happens to have gateways to other popular chat networks).

JaIM runs an excellent public server that doubles as an AIM gateway. It also offers a number of transports: AIM, Yahoo, IRC, ICQ and MSN. JaIM federates with other XMPP servers (Google Talk and any other Jabber server), provides its own chat rooms and a SOCKS5 bytestream proxy, and is built on Prosody, a Lua-based XMPP server.

JaIM Public XMPP Server

To use JaIM, check Register, since JaIM supports in-client registration, and enter jaim.at as the server. Turn off message history logging if you want. Under Details you’ll see an area for OpenPGP: find and select your key. Under Connection, enable compression and keep-alive, add any proxy or proxy chain you use, enable “probe legacy SSL port”, set “allow plaintext authentication” to “over encrypted connections only”, and set “encrypt connection” to Always. That last pair matters: without them Psi could send your password in the clear if the server ever offered an unencrypted connection.

Upon connecting it’ll ask you to choose a username and password. Once connected, enable OpenPGP for the account by clicking the gray unlocked padlock; it’ll ask for your secret key’s passphrase, and once you enter it a yellow lock appears next to the account, meaning Psi now signs your presence with that key.

You can find commonly used transports (such as AIM or MSN) by clicking the Psi Greek symbol and browsing the Service Directory on the jaim.at server. You’ll be asked for the username and password of that network’s account and any profile details you desire. Some transports work better than others; if you’re an AIM and Google Talk user, for example, you’ll find this setup to your liking. Psi will automatically import your contacts from each transport you choose. Bear in mind that a transport logs in to AIM or MSN on your behalf, so the gateway operator holds those credentials and sees that traffic in the clear; use a password you don’t use anywhere else for any account you hand to one.

Messages you send are unencrypted by default unless you choose otherwise. At the top of the message window, toward the right, you’ll see a gray lock; click it to enable encryption. Note that you need to import the other user’s public key in order to send messages they can decrypt (obvious, but worth noting), and you should verify the key’s fingerprint with them out of band, since anyone can publish a key with someone else’s name on it.

Google Talk

You can either reach Google Talk through JaIM’s server (a bit out of the way for my taste) or connect to Google Talk directly. To connect directly, in addition to or instead of JaIM, go to Account Setup and add an account for talk.google.com whose Jabber ID reads:

your.username@gmail.com

Google’s instructions don’t mention entering your password in the Account Setup dialog. If you have 2-step verification enabled on your Google account, enter an application-specific password generated in your Google account settings here (your normal password won’t work for Psi). If you use Google with a regular password, enter that instead so Psi doesn’t ask for it every time you connect to Google Talk.

Assigning PGP Keys to Others

Simply right click on a contact’s name, select Assign OpenPGP Key and pick their key (which you must have imported into GnuPG first).

With the setup above you’ll be able to use Psi for text chat with OpenPGP encryption. Voice and video calls, where the client supports them, are not covered by the OpenPGP key; only message bodies are encrypted.

DNS Threats and Security Solutions

DNS security matters to the internet as a whole. DNS, the Domain Name System, is the naming system that resolves names to IP addresses. When you surf the internet your resolver (usually your ISP’s name servers) is queried, the matching IP address is returned, and your browser then connects to that address.

IPv4 and IPv6 addresses look different, but DNS is used regardless of which IP protocol carries the traffic. DNS is more of a phone book than the mechanism that moves data (that is the IP protocols themselves), but an attacker who can change which resolver you ask, or what it answers, controls where you end up. (There are many more differences than appearance between IPv4 and IPv6, but that’s beyond the scope of this article.)

Threats involving DNS include the DNSChanger/Alureon malware and the social engineering/credential harvester attacks used in phishing. Have you ever spent any time in BackTrack Linux? You can easily create fake login pages for use in certain types of man-in-the-middle (MITM) attacks. Such pages look real but, in actuality, forward your credentials to an attacker. Some, like the aforementioned harvester attack, then redirect you to the genuine page… you’ll never know you were taken advantage of!

Note: BackTrack is a legitimate security auditing Linux distribution. Don’t use it against others (after all, this blog is for folks really interested in security, not a “hacking guide”).

Credential Harvester

One of the most effective attacks is the replication of a false login page. The Social-Engineer Toolkit (SET), which integrates with the Metasploit Framework, can clone practically any login page. Combined with a successful MITM or DNS redirection, or delivered by malware, such a page hands an attacker your credentials.

Alternative resolvers sometimes offer better protection than your ISP’s DNS servers: filtering services refuse to resolve names on their phishing blocklists, so a known-bad site never loads. They can’t help if malware or an attacker has already changed which resolver your machine uses, or if the cloned page sits on a name that isn’t on the list yet.

Further Reading on SET’s Credential Harvester

Metasploit Unleashed – Credential Harvester Attack:
http://www.offensive-security.com/metasploit-unleashed/SET_Credential_Harvester_Attack

Note: If you’re interested in seriously studying computer security you owe it to yourself to check out the Metasploit Framework.

History Repeating: The DNSChanger Scare

Almost everyone remembers the recent scare over the DNSChanger incident. Computers still infected with DNSChanger/Alureon faced a real problem: after the operators were arrested, the rogue resolvers were replaced by court-ordered clean servers for a limited time, and the FBI warned that once those were switched off, the maliciously redirected DNS settings would, instead of resolving to unintended sites for phishing and advertising, simply fail.

The DNS Changer Working Group (DCWG) has a nifty website that checks whether your DNS resolution was hijacked. The incident turned out to be a major disaster for the FBI and a few others. Internet Service Providers compensated for it and pointed the affected computers at their own name servers. In the news the FBI seemed to blame everyone but themselves; in actuality they overestimated the risk. They even failed to notify people that DNSChanger was actually the very old and well known Alureon family to begin with.

Also, the DCWG website would have given nearly everyone in the United States a false sense of security. With ISPs compensating for DNSChanger months in advance (in some cases nearly since Alureon has been around), the page would have reported infected machines as clean, simply because the ISP was already redirecting the rogue resolver addresses to its own servers (the number one complaint the FBI made against ISPs).

Guess the internet didn’t shut off! Okay, disperse people. We can all go back to work safely.

Yet on an individual level DNS-changing malware is still a very real security problem and, if it succeeds, can mean you hand sensitive information straight to the attacker.

As I’m writing this I’ve noticed the DCWG page is back online. While the “global meltdown” is no longer a real threat, the page can still be used to detect DNSChanger on individual computers. Note that I’m not saying it isn’t a real concern; it is a concern, merely not a global threat as the FBI suggested. Before the DCWG page went back online, a notice was posted explaining how ISPs compensated for DNSChanger and therefore rendered the site useless for actually detecting it.

So, a joke? No. OpenDNS.com reported in blog posts that hundreds of thousands of machines were infected but their owners simply didn’t know it. While there wasn’t a global meltdown of epic proportions, users should still take note that the threat is real and do everything they can to ensure their own safety. Use DCWG, but keep in mind that many ISPs have independently addressed this issue: if you are still infected you should get it cleaned up, and check the DNS servers your machine is actually configured to use rather than trusting a web page. Also be sure to run regularly updated malware protection.

DNS Changer Detection (DCWG): http://www.dcwg.org/detect/
Malwarebytes: http://www.malwarebytes.org/
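Rather than trusting a web page that ISP-side redirection may fool, you can check the resolver addresses a Windows machine actually has configured. The following added example (mine, not the post’s) parses ipconfig /all output and flags any resolver inside the address ranges the FBI and DCWG published for the DNSChanger rogue servers; the ranges are reproduced from that public list and should be verified against the current DCWG material before you rely on them, and the ipconfig output below is constructed for the demo.

```python
"""Check the resolvers Windows is using against the DNSChanger rogue ranges.
Added example, not from the post.  ROGUE_RANGES are the rogue-resolver ranges the
FBI/DCWG published for the DNSChanger takedown (verify against DCWG's list before
relying on them); the ipconfig /all output below is constructed for the demo."""
import ipaddress
import re

ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
)]

DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")   # label plus first server
CONT_LINE = re.compile(r"^\s{20,}(\S+)\s*$")                 # further servers, value column only


def parse_ipconfig_dns(text):
    """Collect every DNS server listed by `ipconfig /all`, in adapter order."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        m = CONT_LINE.match(line) if in_dns else None
        if m:
            servers.append(m.group(1))
        else:
            in_dns = False                           # any other line ends the list
    return servers


def rogue_resolvers(servers):
    """Return the configured servers that fall inside a known rogue range."""
    hits = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s.split("%")[0])   # strip an IPv6 zone index
        except ValueError:
            continue
        if ip.version == 4 and any(ip in net for net in ROGUE_RANGES):
            hits.append(str(ip))
    return hits


# Constructed sample: one rogue resolver, one link-local IPv6 entry, one home router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       fec0:0:0:ffff::1%1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    found = parse_ipconfig_dns(SAMPLE_IPCONFIG)
    print("resolvers:", found)
    print("in DNSChanger ranges:", rogue_resolvers(found) or "none")
```

On a real machine run ipconfig /all > ipconfig.txt and pass the file’s contents to parse_ipconfig_dns(); a hit means the resolver settings were changed by malware or by someone with access to the router, since no ISP hands out those addresses. Checking the router’s own DNS settings the same way is worthwhile, because DNSChanger variants also reconfigured home routers with default passwords.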

Further Reading on DNSChanger

Blog Post on DNSChanger on Geek Street:
http://mountainloopexpress.com/index.php?fn_mode=fullnews&fn_id=694

Tech Republic Post by Alfonso Barreiro Prior to Incident:
http://www.techrepublic.com/blog/security/preparing-for-the-dnschanger-internet-outage/7863?tag=nl.e036

DNA India on DNS Changer Prior to Incident:
http://www.dnaindia.com/pune/report_dns-syndrome-not-a-major-threat-experts_1712350

Peckham, Matt. “DNSChanger: No, the Internet Isn’t Shutting Down on Monday.” Time Magazine. July 6, 2012. Note: Prior to incident, warnings that a global meltdown scenario is not accurate but threat is still real.

Chabrow, Eric. “Malware Monday: Much Ado About Nothing.” Bank Info Sec. July 5, 2012.

DNS Cache Poisoning/Spoofing Attacks

The attacks above are often lumped together as DNS cache poisoning, but they differ. Cache poisoning proper means an attacker gets forged records into a resolver’s cache (by spoofing or racing the legitimate answer), so every client of that resolver is sent to the wrong address. DNSChanger instead rewrote the victim’s own resolver settings to point at rogue servers, and a credential harvester page needs one of these redirections (a poisoned cache, changed resolver settings, a modified hosts file, or an on-path MITM) to get victims to the cloned login page. Either way the look-up appears normal while steering you to a site built to steal your information.

More info on DNS poisoning generally can be found on these sites:
http://searchsecurity.techtarget.com/definition/cache-poisoning
http://cr.yp.to/djbdns/notes.html#poison

Alternative DNS Solutions

There are quite a number of ways to protect against phishing online, from router firewall software that monitors the sites you visit to anti-virus software. Used intelligently, a combination of all these methods can safeguard your presence online. One small piece (the focus of this article) is using an alternative name server with security filtering built in, to keep you from landing on faulty or purposely misleading websites.

OpenDNS is a terrific solution which provides fast, stable name servers with anti-phishing filtering. Combined with DNSCrypt, the traffic between you and OpenDNS is encrypted and authenticated, so an attacker on the path (public Wi-Fi, a compromised router) can’t spoof or tamper with your look-ups; it does nothing against malware already running on your machine, which can simply repoint your resolver elsewhere. OpenDNS also offers parental controls to block categories of sites. There’s a paid version and an ad-supported free version which, when you enter an unresolvable name, shows an error page like normal, but with an ad.

This solution does not replace the need for a VPN, does not offer the extensibility and protection of a good proxy, does not anonymize you in any way, shape or form, and does not encrypt the data passing through your network (for a free solution that covers all of those, look into running an OpenVPN+Squid virtual private network as I describe in this article). This solution is for those wishing to secure their DNS queries, protect their system from the risks above and/or reach sites their ISP blocks purely at the resolver (such as regional restrictions).

For more information on OpenDNS with DNSCrypt, see ghacks.net’s article entitled, “OpenDNS DNSCrypt, Increase Security By Encrypting DNS Traffic.”

DNSCrypt and DNSCurve are different protocols that share the same elliptic-curve cryptography (Curve25519, as outlined at http://dnscurve.org/crypto.html). DNSCrypt secures the leg between your machine and a resolver that speaks it, which OpenDNS does; DNSCurve secures the leg between a resolver and the authoritative name servers, so the server on the far end must actually use it for you to gain its benefits. If in doubt, ask your ISP whether it supports either, or simply use DNSCrypt with the OpenDNS service. The DNSCurve site has instructions for setting it up without relying on OpenDNS.

DNSSEC Protection: Why It Isn’t Enough

DNS Security Extensions (DNSSEC) adds digital signatures to DNS records so that a validating resolver can verify that an answer really came from the zone’s owner and wasn’t altered in transit, which is exactly the guarantee cache poisoning defeats. It provides authentication and integrity, not confidentiality: queries and answers still travel in the clear, and it only helps when the zone is signed and your resolver actually validates. When considering DNS providers, pick ones that validate DNSSEC and pair it with an encrypted transport such as DNSCrypt depending on your needs.

DNS Server Logging and Record Keeping
(Should You Use an Alternative DNS Server?)

In theory OpenDNS can compile a list of every site you look up (name and IP address). But they do not see your data. Once a name server resolves a name to an IP address, your machine connects to that address itself and the DNS server’s role is at an end (simplistically speaking). That means your ISP actually has even more information about you than any DNS server alone could ever have.

Not only does your ISP see the sites you visit through its name server logs, it can potentially see your web traffic itself so long as it’s unencrypted (not using SSL/TLS), since it all runs through their network.

It all comes down to personal choice and who you’re willing to trust more (or more completely): your ISP, or your ISP plus a third party DNS service. Everyone’s goals and desires are different; the purpose of this post is to inform you of the technology, the threat and the possible solutions.

Keep in mind that despite your best efforts to be safe online, your unencrypted information is out there. Plenty of third party sites know what you do. Even by using proxy chains (and I’ve used some pretty extensive proxy chains), most of your activities can eventually be tracked back to you. Generally speaking, your ISP will always have extensive records chronicling your internet adventures.

In an insecure world, what measures do you think are acceptable and worth going through in order to safeguard your privacy?

As a great American Hero once said, “Only You Can Prevent Forest Fires.”

Related post: “Public Wi-fi? Be Mindful of Session Hijacking.”

Hamachi as a Private VPN For Secure Web Traffic

If you’ve ever set up a virtual LAN for games you probably know all about Hamachi. The tool, now owned by remote-access giant LogMeIn, lets you build a virtual network which in turn lets you and a set number of friends (5 using the free edition of Hamachi) join in and appear to be on the same LAN. For this reason Hamachi would seem like an ideal VPN for those looking to jury-rig their own homemade VPN with additional proxy software.

This trend was started by Lifehacker, formerly a prominent DIY tech site that now focuses on Instagram replacements and other pop consumer tech. One of the most notable Hamachi VPN articles from Lifehacker is “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security” by Alan Henry. These articles all claim that Hamachi combined with proxy software run on a Windows machine is a viable security solution. That song is now being sung on many tech blogs.

The most common configuration for such a VPN is Hamachi and Privoxy, although Hamachi and Squid combinations are also making an appearance (Squid is actually much better in my opinion as it offers unparalleled customization).

The problem is that neither combination anonymizes you or keeps you safe and secure. At best, your Hamachi IP address shows up alongside your actual IP address. The proxy does its job, but Hamachi does not route your web traffic anywhere: the proxy still reaches the internet from your own connection. Plus there is no way to use such a VPN from a mobile device, despite outlandish claims to the contrary: Android ICS natively supports only PPTP and IPsec VPNs, and Hamachi speaks neither.

What Hamachi is Good At and What It Isn’t

Hamachi is NOT a VPN in the sense of routing web traffic, even with a proper proxy configuration. It’s more likely that those claiming success were confused and had limited exposure to real VPNs and to how proxies actually route traffic. Firefox’s proxy settings, when pointed at your Hamachi IP, may result in some websites reporting the Hamachi address, but in actuality your real IP is still very much visible.

If you don’t believe me, go ahead and check the numerous comments made by users in response to these DIY tips. Lifehacker has received a number of complaints about these articles but they haven’t modified their articles.

Real VPN+Proxy solutions conceal your true IP address entirely and route all proxied data through the VPN.

Hamachi is a VPN in that it facilitates secure networking with remote parties for some types of traffic (most notably it is great for gaming, chat servers, simple and secure file sharing, etc.). But it is not an anonymizing VPN and can’t hide your IP address for web traffic. If that ever worked in the past, it doesn’t any more.

Checking your IP address through services like whatismyip.com is also unreliable, as many such sites run scripts that see through proxies. Sometimes the remote server will report one IP address but log another (that occurred during my tests of a Hamachi+proxy setup): the address it logs is the TCP source of the connection, which a proxy running on your own machine cannot change. Proxy detection itself is typically limited to request headers such as Via and X-Forwarded-For and is often wrong (as you’ll see below, with the proper squid.conf entries you can suppress that detection).

Poor Proxy Configuration

Supporters of a Hamachi+proxy solution self-hosted on the individual’s own machine are bound to think there was something wrong with my proxy settings. But after thorough testing with both Privoxy and Squid, I’m confident my conclusion about Hamachi’s privacy is valid.

First off, Privoxy’s configuration options are notably limited. Beginners pick Privoxy for its ease of use and Windows-based interface. The better option is Squid 2.7.STABLE8.

Some Known Issues

The results using WhatIsMyIP (and triple checked elsewhere) are as follows:

With squid.conf configured appropriately:

Your IP Address Is: [HAMACHI IP] Other IPs Detected: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

Huh. Must be registering server-side with my Hamachi IP but merely showing me my actual IP as well? Not quite. Looking at my own website’s traffic logs, the Hamachi IP doesn’t show up at all! The page only “sees” the Hamachi address because Squid’s default forwarded_for on puts the client address (my Hamachi interface) into an X-Forwarded-For header; the connection itself still comes from my real IP, and that is what servers log.

squid.conf with forwarded_for delete:

Your IP Address Is: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

forwarded_for delete and forwarded_for off yield exactly the same results (off merely sends X-Forwarded-For: unknown, which the page ignores).

Trying to add http_access blocks, etc. has a similar result. You can stop sites from noticing your proxy (via off, forwarded_for delete), show only your actual IP, or strip header identifiers altogether (which can cripple what you see on websites or even get you banned), but nothing solves the problem of properly anonymizing yourself, because the proxy’s own connections still originate from your address.
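To show where the “Your IP / Other IPs / Possible Proxy” output above comes from, here is an added example (mine, not the post’s) that emulates both sides: what Squid adds to a forwarded request for each forwarded_for setting plus the Via header, and the header-based detection logic an IP-check page uses. The addresses, proxy hostname and version string are made up; 5.12.34.56 stands in for the Hamachi interface address and 203.0.113.7 for the real public address.

```python
"""Emulate the headers Squid adds in front of a request and what an IP-check page
makes of them.  Added example, not the post's code; addresses, hostname and
version string are made up to mirror the results quoted above."""
import ipaddress

SQUID_VIA = "1.1 {host}:{port} (squid/2.7.STABLE8)"


def squid_headers(client_ip, incoming=None, forwarded_for="on", via=True,
                  host="proxybox", port=3128):
    """Request headers leaving Squid for a client at client_ip.

    forwarded_for follows squid.conf: on appends the client address to
    X-Forwarded-For, off appends "unknown", truncate replaces the header with the
    client address, delete strips it, transparent leaves whatever came in.
    """
    hdrs = dict(incoming or {})
    xff = hdrs.get("X-Forwarded-For")
    if forwarded_for in ("on", "off"):
        token = client_ip if forwarded_for == "on" else "unknown"
        hdrs["X-Forwarded-For"] = f"{xff}, {token}" if xff else token
    elif forwarded_for == "truncate":
        hdrs["X-Forwarded-For"] = client_ip
    elif forwarded_for == "delete":
        hdrs.pop("X-Forwarded-For", None)
    elif forwarded_for != "transparent":
        raise ValueError("unknown forwarded_for mode: %s" % forwarded_for)
    if via:                                   # "via off" in squid.conf suppresses this
        hdrs["Via"] = SQUID_VIA.format(host=host, port=port)
    return hdrs


def _addresses(value):
    """IP addresses in a comma-separated header value; junk like 'unknown' is dropped."""
    out = []
    for tok in value.split(","):
        try:
            out.append(str(ipaddress.ip_address(tok.strip())))
        except ValueError:
            pass
    return out


def check_page(peer_ip, headers):
    """What a whatismyip-style page reports, and what its access log records.

    peer_ip is the TCP source address of the connection; no header can change it.
    """
    forwarded = _addresses(headers.get("X-Forwarded-For", ""))
    shown = forwarded[0] if forwarded else peer_ip
    others = [ip for ip in forwarded[1:] + [peer_ip] if ip != shown]
    return {"shown": shown, "others": others,
            "proxy_hint": headers.get("Via") or headers.get("X-Forwarded-For"),
            "logged": peer_ip}


HAMACHI_IP, REAL_IP = "5.12.34.56", "203.0.113.7"    # made-up sample addresses

if __name__ == "__main__":
    for mode, via in (("on", True), ("delete", True), ("off", True), ("delete", False)):
        hdrs = squid_headers(HAMACHI_IP, forwarded_for=mode, via=via)
        print(f"forwarded_for {mode:<7} via {'on ' if via else 'off'} ->", check_page(REAL_IP, hdrs))
```

Run it and every row shows the same thing the post observed: the reported address moves around as the headers change, but the logged address is always the real one, because a proxy on your own machine cannot change the source of its own outbound connections. Only a tunnel that carries the whole connection to another host (OpenVPN, or a commercial VPN) changes what the far end logs.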

At one point this setup may have worked (hence all the positive feedback it receives across the internet), but to my knowledge it doesn’t work any longer. Besides, if you want a VPN you owe it to yourself to either build your own OpenVPN server and use Squid for proxying, or purchase a VPN service. Cutting corners with your privacy is silly.

Better Solutions

OpenVPN running on a virtualized or stand-alone Linux box, with Squid behind it, is the best way of creating your own VPN and proxy server.

Keep in mind that beginners often download the OpenVPN Access Server (AS) Windows client and run it in VirtualBox, thinking it replaces the need for an OpenVPN server. It doesn’t. You need to configure an OpenVPN server yourself and get it working: there are no shortcuts here. The following guides will help you:

Official OpenVPN Documentation

Optionally, GZ on the TechIMO support forums also posted a great guide to configuring OpenVPN with Ubuntu, click here to access it.

Optionally you can create a Windows OpenVPN server, but it requires a little more work. To be honest, I’ve found that XP doesn’t work great with OpenVPN and Windows 7 works best, but feel free to give it a try. This guide will help you install and configure a Windows OpenVPN server: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ (you must also configure any firewall software and/or hardware you have). If you are new to configuring your router’s firewall (port forwarding and changing your router’s subnet are extremely important), OpenVPN may not be for you.

Another (slower) solution is the free edition of Hotspot Shield combined with ad-blocking add-ons in Firefox (keeping in mind that you are violating AnchorFree’s Terms of Service by blocking the ads). You can set the appropriate software to block the appropriate ads/frames; Adblock Plus and NoScript work wonders in that regard. Keep in mind that your speeds will be slow with the free edition!

The last solution is a paid one: a really good VPN service. Price, throughput and device support are the top priorities, and whether the provider keeps logs is incredibly important to your anonymity online. Three top paid VPNs are StrongVPN, VyprVPN and BTGuard (for anonymous torrent use).

Configuring Squid as a Proxy

While you’ll want to get yourself a VPN if you’re trying to protect yourself against MITM attacks (be sure to read my blog post entitled “Public Wi-fi? Be Mindful of Session Hijacking”), once you’re ready to set up a proxy, nothing works as well as Squid. Similarly, check here for a comprehensive guide to using squid.conf to tighten your anonymity online.

Resources of Note

LogMeIn Hamachi Homepage
OpenVPN Homepage
Squid Proxy Homepage
Privoxy Homepage
Hotspot Shield VPN

Sources

Henry, Alan (Lifehacker.com) “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security.” Posted on April 11, 2012.

Quora’s page in support of Hamachi used as an “effective VPN.”

Access Your Virtualized Linux Box Anywhere

Have you ever wanted access to a Linux box from your mobile device? Sure, you could just SSH in, but what if you wanted the entire desktop experience on your tablet or at a friend’s house? Virtualization + remote access software (RAS) = true OS freedom (or… well, geeky fun anyway). The technique is used on a regular basis, but some may not know how to take advantage of it.

In this blog article I’ll explain how to get access to your Linux box from any platform or device. Keep in mind that if your host is already Linux you can skip the virtualization section and head right down to configuring the remote access software.

This setup can be and should be used on a Windows host machine running a Linux Guest environment.

Remote Access on Your Mobile

There have been a lot of advances in virtualization and remote access software, but it never ceases to amaze me how few all-in-one packages there are for driving virtual environments from mobile devices. Writing for mobile devices is often tricky, and the few options out there are kind of rough. The software I’ll be using in this post are the iPad versions of TeamViewer HD (free) and VMware View (also free, though the host-side software is a 60-day trial). I’ll only provide the in-depth setup for TeamViewer, as covering both would be too exhaustive.

Downloading TV or VMware View on Your Mobile

TeamViewer For Remote Control (Android OS)

TeamViewer HD for iPad (iOS/iPad)

VMware View for Android (Android OS)

VMware View for iPad (iOS/iPad)

Your remote access software is the key to reaching your virtualized session, so pick a client that runs on the mobile device you have. The client determines how well you can control the session, so choose wisely or your mileage may vary. You can also swap in a VNC variant for the products I’ve used. Whichever you choose, it is the one door into your host from the internet, so protect the account with a strong, unique password and don’t leave the host exposed when you aren’t using it.

As such, you’ll probably want to review the release notes for your mobile client to ensure it’ll function correctly on your specific device. For example, I’ve used TeamViewer for Android on my Motorola RAZR without any problems, but I wouldn’t expect speedy results on an older Android phone without a dual-core processor.

Host Machine

Obviously it goes without saying (but I will) that your host needs to be on if you want to access your virtualized box. The critical components here are:

  • RAM
  • Bandwidth

I’ll be dedicating roughly 1.5 to 2 GB to the virtual session, but keep in mind that this is the bare minimum for most X desktops to work comfortably under load (and therefore in a virtual environment). Your success depends on how much RAM you allot to the VM on the host machine: some desktop environments are resource hogs. With that in mind, I’ll be using Bodhi Linux, a lightweight Enlightenment (E17) distribution. Minimalism is critical if you are tight on RAM.

(If you’re interested in Bodhi Linux you can pick up the distro here: http://www.bodhilinux.com/)

It goes without saying that 3D hardware acceleration needs to be enabled on the host, which means having a fairly new GPU, though what you see on the mobile client may still vary. But this is Linux we’re talking about; in all likelihood you’ll be fine so long as you aren’t doing anything too graphically intense. I’m using an XFX HD 6670 with 1 GB of DDR5, so you don’t need anything fancy (keep in mind that everything on my system is bottlenecked by an old Pentium D processor, so any modern system should do well). If the virtual environment plays fine on your host, you are set in that department.

Bandwidth is critical. I’m pulling 45/35 on a fiber line for the host. You don’t want your host machine to slow you down (use Wi-Fi on the client side rather than 3G or 4G if the network is fast enough). Let’s be honest: we’re using RAS (slow) and virtualization (potentially slow), so you don’t want a bandwidth problem factored in. Nothing sucks more than remote access lag.

Host Software

This is broken up into two parts: 1) the virtual environment creator and player (which can be the same product, as with VMware Workstation or VirtualBox), and 2) the RAS setup within the virtualized Linux session.

This post will focus on the latter. You should already know how to set up a virtual environment in VMware or Oracle VM VirtualBox. Read the documentation for whichever virtualization software package you decide to use (keeping in mind, of course, that VirtualBox and VMware Player are free while VMware Workstation is an expensive investment; the free VirtualBox is best for creating and playing environments without having to purchase VMware Workstation).

Oracle VM VirtualBox can be downloaded here: https://www.virtualbox.org/
VMware Workstation can be sampled for 30 days here: http://www.vmware.com/products/workstation/overview.html
VMware Player (not a VM creator) can be downloaded here: http://www.vmware.com/products/player/

The last note here would be to use NAT as your network adapter preference so the guest shares the host’s IP address (my VPN, configured on my host machine, also worked well with this configuration).

Virtualization’s RAS

TeamViewer or VMware View 5.0 are ideal since they are well documented and exist on nearly any platform you need. You need to have created your virtual environment flawlessly for this to work, which means installing Linux and being able to use it as a whole.

As far as the virtualization’s RAS is concerned, if you did use Bodhi you can download the Debian package for TeamViewer for Linux or use Synaptic to automate the process (the Synaptic route is the easiest with TeamViewer 7).

Configuring Your RAS (TeamViewer Example)

Upon starting TeamViewer for the first time you’ll get a notice about the software configuring Wine to run the remote desktop accordingly.

I would create a TeamViewer account so you can save frequently accessed computers.

Once it starts up, you’ll want to copy down your 9-digit ID number. If you want to perform unattended sign-in, disregard the attended password on the main page (keeping in mind that your Linux guest and the TeamViewer software need to be running).

To configure the unattended password, head over to the Options/Security tab and choose a complex password for logging in (the combination of your 9-digit ID and your unattended password is what grants remote access to your virtualized Linux session).

Then head over to your mobile TeamViewer app (or whatever program you are connecting from) and add the Linux guest’s ID and unattended password in the client’s “Computers & Contacts” section.

Then go ahead and connect, resting assured that the connection is secure (even if you’re connecting over insecure Wi-Fi).

Closing Notes

(Screenshot: Bodhi Linux guest in VMware / Bodhi on iPad 1)

It’s highly unlikely that any RAS is going to offer stunning visuals but different software can provide different results (TeamViewer isn’t known for graphical prowess). Regardless, feel free to play around with the general concepts explored in this post to achieve a suitable result. In the end the goal was to create a decent remotely accessible Linux virtualization as opposed to accessing your Linux box through a CLI and, to that end, it worked.

IPv6 Security Issues

There’s a lot of talk about IPv6 having a number of security flaws. I thought I’d summarize some of them and address them accordingly. What follows is an enthusiast’s view of the issues at stake, gained by reading up on the topic through various sources.

Security Concerns

1) The argument that federal and state law enforcement will be hard pressed to track criminals over the internet is also a benefit for those preaching anonymity online. Since IPv6 addressing is considerably more complex than its IPv4 counterpart, spanning multiple subnets, some security experts warn users against it entirely.

The popular uTorrent BitTorrent client, which currently favors IPv6, serves as a proponent of it, saying Teredo tunneling enables a more effective means of sharing data between older operating systems (Teredo provides backward compatibility between IPv6 and IPv4).

Could the prospect of anonymity have been a driving force in the adoption of IPv6 for torrent use? Possibly, but not likely, considering there are network tools available for IPv6 (such as SubnetOnline and many others; it makes you wonder why the FBI is so concerned if tools are available, even if not yet widespread).

Source: IPv6 good for criminals, says FBI and DEA | Digital Trends
Source: Teredo tunneling – Wikipedia, the free encyclopedia
Source: IPv6 – Wikipedia, the free encyclopedia
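Teredo is worth a closer look in the anonymity debate, because a Teredo address is not opaque at all: it embeds the Teredo server’s IPv4 address and the client’s own external IPv4 address and UDP port (obfuscated only by XOR). The following Python is an added example, not code from the original post; it decodes and re-encodes a Teredo address using the layout from RFC 4380, and the sample address is a constructed one (the RFC’s worked example with a documentation-range client address), not an address observed anywhere.

```python
import ipaddress
import struct

# Teredo addresses live under 2001::/32 (RFC 4380).
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000  # high bit of the flags field marks a cone NAT


def parse_teredo(addr_str):
    """Decode a Teredo address into its embedded IPv4 endpoints.

    Layout (RFC 4380, section 4):
      bits   0-31  prefix 2001:0000
      bits  32-63  Teredo server IPv4 address
      bits  64-79  flags
      bits  80-95  client's external UDP port, XOR 0xFFFF
      bits 96-127  client's external IPv4 address, XOR 0xFFFFFFFF
    Returns None for addresses outside the Teredo prefix.
    """
    addr = ipaddress.IPv6Address(addr_str)
    if addr not in TEREDO_PREFIX:
        return None
    raw = addr.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags, obf_port, obf_client = struct.unpack("!HHI", raw[8:16])
    return {
        "server": str(server),
        "cone_nat": bool(flags & CONE_FLAG),
        "port": obf_port ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(obf_client ^ 0xFFFFFFFF)),
    }


def make_teredo(server, client, port, cone_nat=False):
    """Inverse of parse_teredo: build the Teredo address for the given endpoints."""
    flags = CONE_FLAG if cone_nat else 0
    raw = (
        b"\x20\x01\x00\x00"
        + ipaddress.IPv4Address(server).packed
        + struct.pack("!HHI", flags, port ^ 0xFFFF,
                      int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF)
    )
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    # Constructed sample (RFC 4380's worked example): server 65.54.227.120,
    # client 192.0.2.45 behind a cone NAT on UDP port 40000. Not from the post.
    sample = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
    print(parse_teredo(sample))
    print(make_teredo("65.54.227.120", "192.0.2.45", 40000, cone_nat=True))
```

The takeaway for the anonymity argument is that anyone who sees a Teredo address (in a torrent peer list, a log line, or a packet capture) can recover the client’s public IPv4 address with a single XOR, so Teredo offers less cover than the address format suggests.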

2) IPv6 may or may not be more susceptible to mass DDoS attacks and MITM attacks, or at least to ones which common routers and/or firewalls do not presently protect against; the debate is still up in the air. If interested, there is a white paper I’ve found that discusses the effects of DDoS with IPv6’s new IPsec protection configured and without it (it covers TCP, UDP and ICMP flooding and Smurf attacks; check it here).

One exploit toolkit known as THC-IPV6 (THC-IPV6 – attacking the IPV6 protocol suite) has been particularly problematic, as it contains ICMP flood tools, network listeners, an ARP poisoning tool which fakes the network into believing you are a router, MITM traffic redistribution tools, DoS detection, an IDS, ICMP6/TCP-SYN traceroute, network fuzzers, smurfers and countless other tools. The only safety users have against this is a really strong modern firewall and/or network policy. (Source of Note: thc-ipv6 Toolkit – Attacking the IPV6 Protocol | Darknet – The Darkside)

To summarize but counter the concerns, ZDNet said the following on their blog:

True, IPv6 incorporates Internet Protocol Security (IPsec), but by itself that doesn’t buy you any more security. IPv6’s header design also lends itself to better security since it can be used to provide a cleaner division between encryption meta-data and the encrypted payload. In addition IPv6’s huge address space can be deployed to make scanning attacks harder by allocating random addresses within subnets. But, those are all matters on how you deploy IPv6. In and of itself, IPv6 won’t make you any more secure than your childhood blue blanket.

Source: First IPv6 Distributed Denial of Service Attacks Seen, ZDNet

So although attacks can spread more widely if the implementation of IPv6 is handled improperly (across entire subnets), this is a deployment problem, not a problem inherent in the protocol itself. Furthermore, on an individual level, as more firewalls support IPv6, so too will we see a decline in the attacks that work against those using IPv6 on their network.

3) Routing Header Security Concerns: a packet’s routing header can be used to specify where and how to strike a particular target. This concern is discussed in the following presentation: http://meetings.ripe.net/ripe-54/presentations/IPv6_Routing_Header.pdf. Possible solutions are better packet routing by ISPs as they become more equipped to handle IPv6, as well as more advanced firewalls and security schemes.
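The header in question is the Type 0 Routing header (RH0), and the practical defence is to recognise it in traffic and drop or log it; RFC 5095 deprecated RH0 for exactly the reason the presentation describes. The following Python is an added example, not code from the post or the presentation: it walks an IPv6 packet’s extension-header chain, reports any Routing header it finds, and flags an RH0 that still has segments left. The packets it inspects are constructed in the block itself (documentation-range addresses, no checksums), not captures.

```python
import ipaddress
import struct

# IPv6 next-header values for the extension headers we walk through.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS, ICMPV6 = 0, 43, 44, 51, 60, 58
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}


def find_routing_header(pkt):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns (routing_type, segments_left) for the first Routing header found,
    or None if the packet carries no Routing header.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = pkt[6]
    off = 40
    while next_hdr in EXTENSION_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            return pkt[off + 2], pkt[off + 3]  # Routing Type, Segments Left
        if next_hdr == FRAGMENT:
            hdr_len = 8                        # Fragment header is a fixed 8 bytes
        elif next_hdr == AUTH:
            hdr_len = (pkt[off + 1] + 2) * 4   # AH length is in 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units minus 1
        next_hdr = pkt[off]
        off += hdr_len
    return None


def is_rh0_concern(pkt):
    """True if the packet carries a Type 0 Routing header with hops still to visit.

    RFC 5095 deprecated RH0 because such packets can be bounced between hosts;
    a filter should drop them (or at least log them).
    """
    found = find_routing_header(pkt)
    return found is not None and found[0] == 0 and found[1] > 0


# --- constructed sample packets (documentation addresses, not real captures) ---
SRC = ipaddress.IPv6Address("2001:db8::1")
DST = ipaddress.IPv6Address("2001:db8::2")


def ipv6_packet(next_hdr, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      SRC.packed, DST.packed)
    return hdr + payload


def routing_header(next_hdr, routing_type, hops):
    """Routing header listing intermediate addresses, all segments still unvisited."""
    ext_len = 2 * len(hops)  # each 16-byte address is two 8-octet units
    fixed = struct.pack("!BBBBI", next_hdr, ext_len, routing_type, len(hops), 0)
    return fixed + b"".join(ipaddress.IPv6Address(h).packed for h in hops)


def hop_by_hop_header(next_hdr):
    """Minimal 8-byte Hop-by-Hop header (one PadN option) to exercise chain walking."""
    return struct.pack("!BB", next_hdr, 0) + b"\x01\x04\x00\x00\x00\x00"


ECHO_REQUEST = struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # ICMPv6 echo, checksum left zero

PLAIN_PING = ipv6_packet(ICMPV6, ECHO_REQUEST)
RH0_PING = ipv6_packet(ROUTING, routing_header(ICMPV6, 0, ["2001:db8::3"]) + ECHO_REQUEST)
RH2_PING = ipv6_packet(ROUTING, routing_header(ICMPV6, 2, ["2001:db8::3"]) + ECHO_REQUEST)
CHAINED_RH0 = ipv6_packet(HOP_BY_HOP, hop_by_hop_header(ROUTING)
                          + routing_header(ICMPV6, 0, ["2001:db8::3", "2001:db8::4"])
                          + ECHO_REQUEST)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_PING), ("rh0", RH0_PING),
                      ("rh2", RH2_PING), ("hbh+rh0", CHAINED_RH0)]:
        print(name, find_routing_header(pkt), is_rh0_concern(pkt))
```

Note that Routing Type 2 (used by Mobile IPv6) is deliberately not flagged; a filter that drops every Routing header would break legitimate traffic, which is why the check keys on the type and on Segments Left rather than on the header’s mere presence.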

Conclusion

So essentially what we see is a growing technology, still very much in its infancy, becoming more predominant by the day. Hopefully, as IPv6 is adopted, so too will public awareness of the security risks increase. It’s also my belief that software vendors and internet service providers alike should work together to better address such issues.

IPv6 may have started slow but it may be here to stay.

Metasploit 3.5.2 Windows VB-XCACLS Error

I was installing the Windows build of Metasploit on a Windows XP desktop host today and I encountered an error message. After resolving the error I thought I’d post about it here to inform people of why it occurs and how to fix it.

Problem running post-install step. Installation may not complete correctly
Error running cscript “C:\metasploit\tools\XCALCS.vbs” “C:\metasploit” /G “(Username):f” /G SID#S-1-5-18:f /I REMOVE /T: Program ended with an error exit code

If you get that message and you’re using XP, you’re dating yourself. On Windows versions prior to Vista you’ll need the VB tools located at: Download details: Extended Change Access Control List Tool (Xcacls)

The r00tsec blog describes this as being caused by the fact that Metasploit is designed to run without requiring special permissions from the user and, on XP, this requires the right tool (the Xcacls extension from MS).

It is my understanding that the tool above allows Metasploit to run with the right privileges without requiring any additional access/permission(s) on the part of the user.

Prior to Vista there was no special group of users (“Authenticated Users” group), so Xcacls.vbs is needed to facilitate this operation in earlier operating systems.

To fix the error(s)

All I did was uninstall Metasploit (may or may not be required), install the VB tool, and reinstall.

When asked where Xcacls.vbs should install, you can install it to your framework directory. Then, from a command prompt in the same directory as Xcacls.vbs:

cscript //H:CScript
cscript xcacls.vbs
xcacls.vbs (framework directory) /E /R SID#S-1-5-32-545 /T

(The host option uses a double slash: //H:CScript makes cscript the default script host, which is what the Metasploit post-install step relies on. In the third command, SID#S-1-5-32-545 is the built-in Users group; /E edits the existing ACL instead of replacing it, /R revokes that principal’s entries and /T recurses into subdirectories.)

Note – If your VBS scripts are opening in Notepad, the Visual Basic script file association has been broken (yeah, and you just wanted to open all scripts in your cool new text editing program, right?). You can correct this by altering the appropriate registry string or simply by downloading a .reg fix which will reset it for you.*
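Once the post-install step has edited the framework directory’s ACL, it is worth checking what that ACL actually grants, since a tool directory writable by every local user is a privilege-escalation risk. The following Python is an added example, not code from the post or from Metasploit: it parses the output of icacls (present from Vista/Server 2003 SP2 onward; the older cacls prints a different format) and lists broad principals that hold any write-class right. The icacls output, the path and the principals are constructed for the example, not captured from a real machine.

```python
import re

# Constructed icacls output for a framework directory (not captured from the post's
# machine); the path and the principals are assumptions for the example.
SAMPLE_ICACLS = r"""C:\metasploit NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)
              BUILTIN\Users:(OI)(CI)(RX)
              BUILTIN\Users:(CI)(AD)
              Everyone:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# icacls right tokens that let a principal change files or the directory tree
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "D", "WDAC", "WO"}
BROAD_PRINCIPALS = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}

# One ACE looks like  PRINCIPAL:(flag)(flag)(rights)
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(text, path):
    """Return [(principal, set_of_rights)] for each ACE in icacls output for `path`."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):          # first line carries the path before its ACE
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                       # blank lines and the summary line
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            for token in group.split(","):  # specific rights come comma-separated
                if token not in INHERITANCE_FLAGS:
                    rights.add(token)
        aces.append((m.group("who"), rights))
    return aces


def broad_write_access(text, path):
    """Principals from BROAD_PRINCIPALS holding any write-class right on the directory."""
    return sorted({who for who, rights in parse_icacls(text, path)
                   if who in BROAD_PRINCIPALS and rights & WRITE_RIGHTS})


if __name__ == "__main__":
    # On a real system feed in the output of:  icacls C:\metasploit
    print(broad_write_access(SAMPLE_ICACLS, r"C:\metasploit"))
```

On the constructed sample the check reports BUILTIN\Users (via the (CI)(AD) entry, which lets any user create subdirectories) and Everyone (Modify), which is exactly the kind of result you would want to tighten with xcacls.vbs /R or /E before leaving the install on a shared machine.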

A similar problem can also occur in Vista but to read more about it please follow the r00tsec link below.

Keep in mind that Metasploit works best in Linux as there are many bugs that need ironing out in the Windows release.

Source: Computer Security Blog | Learning The Offensive Security: Metasploit Framework 3.5.2 Released!

Source2: http://blog.metasploit.com/2011/02/metasploit-framework-352-released.html

* VBS Association Fix (XP):
http://www.dougknox.com/xp/fileassoc/xp_vbs_file_association.zip