Showing posts with label computer security. Show all posts

Wednesday, July 31, 2013

Installing Kali to Raspberry Pi

I installed Kali (successor to Backtrack) on my Raspberry Pi because it was there.  I've been meaning to practice some pen testing for a while, so I looked into Backtrack.  It has been updated, and the new release is called Kali.  I first installed it to a VM to play with.  I saw that there was a version for the Raspberry Pi, so I decided to give it a try.


Here is a short guide to installing using dd in Linux:

http://docs.kali.org/armel-armhf/install-kali-linux-arm-raspberry-pi

Here is another one using win32diskimager:
http://tghc.co/metasploit-postgres-on-kali-raspberry-pi/

First, download the image from here:
http://www.kali.org/downloads/

The image turns out to be in .xz format, which is a stripped down version of 7zip.  I have 7zip, so I was able to extract it.  The image is just under 8GB, so it will fit on an 8GB SD card.  I tried to install to two different SD cards, but ran into file issues when booting on the Raspberry Pi.

The image creates a 60MB fat16 partition and a larger ext4 partition.  I decided to try to extend the ext4 partition using GParted in Linux Mint.  I put that in the Raspberry Pi and booted.  It got farther, but then froze up.  This was better than the inode errors that it was throwing before.

Then I tried to copy the image using dd as suggested:
$ dd if=kali-linux-1.0.4-armel-rpi.img of=/dev/sdb bs=512k

This was on a 16GB SD card.  I inserted that into the Raspberry Pi and booted.  This time, it complained about having too many blocks for the device size.  I put it back in Linux Mint and resized the second partition using GParted so that it used all of the remaining space.  This worked, and the Raspberry Pi booted up and I was able to log in.
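As an added example (my own code, not from the post or the Kali docs), here is the check I would run before writing an image with dd: parse the image's MBR partition table and compare each partition's end against the card's real byte capacity.  That mismatch is how the "too many blocks for the device size" complaint arises when a nominal 8GB card holds slightly less than the image.  The sample MBR below is constructed, with a layout resembling the one described (60MB FAT16 plus a large Linux partition); the sizes are illustrative.

```python
import struct

SECTOR = 512
# Partition type byte -> name, for the types in the Kali image layout
TYPE_NAMES = {0x06: "fat16", 0x0e: "fat16 (LBA)", 0x83: "linux (ext4)"}

def parse_mbr(mbr):
    """Return the non-empty primary partition entries from a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "type": TYPE_NAMES.get(ptype, hex(ptype)),
                      "boot": status == 0x80, "start": lba_start,
                      "end": lba_start + num_sectors})  # end is exclusive, in sectors
    return parts

def oversized(parts, device_bytes):
    """Indices of partitions whose last sector lies past the card's real capacity."""
    device_sectors = device_bytes // SECTOR
    return [p["index"] for p in parts if p["end"] > device_sectors]

def grow_last_partition(parts, device_bytes):
    """Sector count the last partition gets if extended to the end of the card
    (what resizing it in GParted does)."""
    return device_bytes // SECTOR - parts[-1]["start"]

def make_entry(ptype, lba_start, num_sectors, boot=False):
    return struct.pack("<B3xB3xII", 0x80 if boot else 0x00, ptype, lba_start, num_sectors)

# Constructed sample MBR: 60 MB FAT16 boot partition at sector 2048, then a
# Linux partition of 15,400,000 sectors (about 7.88 GB). Values are illustrative.
FAT_SECTORS = 60 * 1024 * 1024 // SECTOR
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x0e, 2048, FAT_SECTORS, boot=True)
              + make_entry(0x83, 2048 + FAT_SECTORS, 15_400_000)
              + b"\x00" * 32 + b"\x55\xaa")

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    # A nominal "8GB" card with 7,948,206,080 usable bytes is too small for partition 2.
    print("oversized on 8GB card:", oversized(parts, 7_948_206_080))
    print("sectors for partition 2 on 16GB card:", grow_last_partition(parts, 16 * 10**9))
```

To run it against a real image, read the first 512 bytes of the .img file and pass the card's capacity from `blockdev --getsize64 /dev/sdX`.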


Friday, June 7, 2013

SANS Webinar: Kinetic Pwnage - Obliterating the Line Between Computers and the Physical World

This was a webcast given by Ed Skoudis in May, 2013.  I watched it today because it looked interesting and to apply it as a CPE credit for my CISSP certification.  This blog entry will be my notes and proof in case of audit.

I was audited on the last webcast that I watched, but was able to provide proof in the registration record at SANS and my notes here.

Notes

Hacking started in 1946, when the MIT Tech Model Railroad Club (TMRC) built a model railroad with control systems.

Ed's central thesis - we are entering the golden age of software hacking to achieve physical impact.  Think SCADA, power grids, all of the embedded and attached devices, airplanes, trains, etc.  This is partially due to the fact that everything is becoming IP addressable.  Shodan searches can be used to find things connected to the internet.  Also, there are web apps everywhere and everything is web enabled.

Air gaps won't work, because they disappear over time.  See Stuxnet.

Physical safeguards are becoming increasingly automated or controlled by IP.

Major areas of concern

Power grid, healthcare, and weapons systems (!).

CyberCity was built to give people a place to train against cyber attacks on physical controls.  It has military backing and simulates commercial, industrial, military, and residential areas.

Why hasn't there been a massive kinetic impact yet?

  • Not an effective criminal business model (yet).
  • Geo-politics - it isn't in anyone's best interest to cause mayhem (yet)
  • Harder than anticipated

Conclusion

Industry has to up their game.

Friday, May 24, 2013

SANS Webinar: Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career

I'm watching webinars for continuing education and CPE credit.  This webinar is "Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career."  Who doesn't want to build their career?

Overview

Discuss ways to develop information security skills.  Behind the scenes of Capture the Flag games and other challenges.  Tips on what makes a good security challenge.  Point out places with security challenges.

Notes

Use gamification to measure skill, identify talent, train, and provide motivation.  When confronting a problem, assume that it can be solved.

Types of challenges
  • Offense - attack targets, pen test
  • Defense - stock attackers
  • Offense and Defense - exciting, but more work to implement.  Need to enforce minimal attack surfaces - i.e. a scorebot.
  • Analysis - packets, files, malware
  • Other - bot-net control, cloud resources, etc.
Flat vs. depth
  • flat - all challenges accessible from anywhere
  • depth - need to solve earlier challenges to get to the later ones
When creating challenges, don't put in red herrings.  There will already be patterns and diversions in the challenges; don't make it more difficult.  Don't make puzzles for puzzles' sake - i.e. needle in a haystack.  They won't lead to real world skills.  Have multiple methods to solve problems.

Free Challenges

Damn Vulnerable Web App
http://www.dvwa.co.uk

Iron Geek’s Mutillidae
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

OWASP WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Metasploitable
https://community.rapid7.com/community/metasploit/blog/2010/05/19/introducing-metasploitable

Damn Vulnerable Linux: Currently being rebuilt, but you can find older versions
http://www.damnvulnerablelinux.org/


Huge archive of challenges from 2009 to 2012 here:
http://capture.thefl.ag

Multi-leveled exploit development environment
http://exploit-exercises.com

www.counterhack.net

Conclusion

Interesting webinar.  Need to check out some of the challenges!

SANS Webinar: APT: It is Time to Act

This is the 2nd SANS webinar that I've watched.  The title is "APT: It is Time to Act."  It looked interesting because I've seen the term APT a few times and wasn't sure what it meant.  APT is Advanced Persistent Threat.  These notes are for my reference and for audit purposes as I log this for CPEs for CISSP.

Overview

APT is like cancer vs. the common cold threat of a few years ago.  Should think in terms of you are already infected, now go find it.  Despite best efforts, we will still get infected.

Advanced = advanced adversary.  Another interpretation of APT = average phishing technique.  Adversaries are going to use the easiest method that they can to break in, i.e. phishing.  The payload is usually buried in an attachment so you get compromised without even knowing.  That is the persistent part.

Too much focus on prevention and not enough on detection.

Solutions

Most dangerous applications are web browsers and email clients.  So sandbox/VM those applications.

3 Primary vectors
  1. Executable content in email
  2. Macros in an office document
  3. Executable code in embedded HTML in the email
So disable executable content, macros, and executable HTML in email.

Prevention vs. Detection

Prevention will eventually fail, so you also need detection.  This allows you to detect a breach after it gets past prevention and then stop it.  Organizations have to focus more on detection.  Most security is preventative (85%) vs. detective (15%), and most of it is on inbound vs. outbound.  Need to examine outbound traffic to spot unusual activity.

Encrypted outbound traffic can sneak past detection.  Need to load crypto modules to decrypt, but if adversary controls keys, then that won't work.  Solution - create crypto free zones.  That is from understanding adversary and their strength, then turning it into a weakness.

5 Steps to Secure Future

  1. Identify Critical Data - can't protect what you don't know.  Determine your most important assets, biggest threats, and biggest vulnerabilities.  Get a unified focus from everyone.  Risk Based Thinking improves results.  Questions to ask:
    1. What is the risk?
    2. Is it the highest priority?
    3. Is it the most cost effective way to reduce risk?
  2. Align the defense with the offense.  Most attacks follow these five steps.  Most effort is spent defending steps 3 and 4.  If you do enough reconnaissance and scanning, then exploitation is fairly easy.
    1. Reconnaissance
    2. Scanning
    3. Exploitation
    4. Create backdoors
    5. Cover tracks
  3. Know your organization.  If offense knows more than defense, then they will win.  You need to have:
    1. Accurate network diagram - can't protect what you don't know about
    2. Network visibility map
    3. CM and change control
  4. Defense in depth.  There is no unstoppable adversary.  
    1. Inbound protection
    2. Outbound detection
    3. Log correlation - look at IP address destination countries
    4. Anomaly detection
  5. Common Metrics.  Use the critical controls
    1. Offense informing the defense
    2. Automation and continuous monitoring of security
    3. Metrics to drive measurement and compliance

Conclusion

Need to focus on outbound detection - no prevention is perfect.  Use automation, current security devices, and a common focus.  Understand your assets and the adversary.



SANS Webinar: Windows Ports and Services Tools

I was watching a webcast called "Auditing Windows Controls: What You May Not Know Windows Can Tell You" at sans.org.  It was about Windows software and network controls and auditing them.  There are a few useful commands that I wanted to document.  This also serves as an audit record for CISSP CPEs.

Commands

One great benefit of command line tools is that the output can be captured to text logs for auditing.  They often can be scripted as well, which automates the audit process.
  • netstat - lists current TCP and UDP connections
    • -ano flags list all connections and listening ports, in numerical form, with the process id
  • wmic - Windows Management Instrumentation Command-line
    • Once in the cli, you can execute various commands
      • 'process X list' - lists process from the object ID X (from netstat -ano)
      • 'product list' - lists installed software with version
  • netsh - network shell
    • quick scripting interface to network interfaces
    • gives quick information on firewall configuration
    • can save information to a text file for auditing
  • scwcmd - server command line configuration tool
    • gives text output for auditing
    • read reports with "scwcmd /view c:/temp/report.xml" 

Software restriction

Starting in Windows XP, there are software restriction policies (SRP).  They can be used to deny all executables unless there is an approved MD5 hash.  In Windows 7 and later, this moved to AppLocker instead of SRP, which uses SHA-256 hashes instead of MD5 for fewer collisions.  AppLocker has an audit mode.

Conclusion

This was a good webinar with a good overview of various tools.  I did not know about some of them, so it was very useful.

When auditing, get a list of authorized services and software.  Check to see if IPv6 is enabled and officially supported.  Find out how patching is managed.
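As an added example (my own code, not from the webinar), this ties the netstat -ano notes above to the audit advice about an authorized service list: it parses captured netstat -ano output into records, keeps the sockets that accept inbound traffic, reports any listening port that is not on the authorized list along with its PID (which can then be fed to wmic), and separately lists IPv6 listeners so the IPv6 question can be answered from the same capture.  The netstat output below is constructed, not a real capture; the allowed-port set is a hypothetical authorized list.

```python
# Constructed sample of "netstat -ano" output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1124
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     2316
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:5355           *:*                                    1460
"""

def parse_netstat(text):
    """Turn netstat -ano lines into dicts; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or "Active Connections"
        proto, local = fields[0], fields[1]
        state = fields[3] if proto == "TCP" else ""
        pid = int(fields[-1])
        addr, port = local.rsplit(":", 1)   # IPv6 addresses are bracketed: [::]:135
        rows.append({"proto": proto, "addr": addr.strip("[]"), "port": int(port),
                     "ipv6": addr.startswith("["), "state": state, "pid": pid})
    return rows

def listeners(rows):
    """Sockets that accept inbound traffic: TCP LISTENING plus every UDP socket."""
    return [r for r in rows if r["proto"] == "UDP" or r["state"] == "LISTENING"]

def unauthorized(rows, allowed):
    """Listening (proto, port, pid) triples whose (proto, port) is not authorized."""
    return sorted({(r["proto"], r["port"], r["pid"]) for r in listeners(rows)
                   if (r["proto"], r["port"]) not in allowed})

def ipv6_listeners(rows):
    """Ports with an IPv6 listener, useful when checking whether IPv6 is in use."""
    return sorted({r["port"] for r in listeners(rows) if r["ipv6"]})

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    allowed = {("TCP", 135), ("TCP", 445)}   # hypothetical authorized services
    print("unauthorized listeners:", unauthorized(rows, allowed))
    print("IPv6 listeners on ports:", ipv6_listeners(rows))
```

On a real host, capture the output with `netstat -ano > netstat.txt` and read that file into parse_netstat; the saved text doubles as the audit record.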

Reporting CPEs

  1. Go to isc.org
  2. Log in
  3. Click "Submit CPEs" 
  4. On the CPE Report page, click "Add CPEs"
  5. Fill out the questionnaire
    • Apply CPE to Credential/Concentration: CISSP
    • Domain for CPE Credit: Usually "Multiple Domains (Group A)" unless webinar is specific to one domain
    • Activity Start Date: the date that the webinar was watched
    • CPE Type: Self Study, Computer-Based Training [CBT] or Web Cast
    • Course Name: Name of Webinar.  I put (SANS) at the end so I know where I watched it
    • Number of hours: length of webinar

Friday, September 14, 2012

I am a CISSP Now

I got my confirmation email saying that the (ISC)2 board of directors had awarded (!) me with the CISSP certification.  I'll continue with flying lessons and start my continuing education requirements.  It's nice to have the pressure off now.

Tuesday, August 21, 2012

Passed CISSP Exam!

On July 23rd, I took the CISSP paper exam in San Diego.  It is a six hour test with 250 questions.  I am usually very good at taking tests, but this one was a little more difficult for me.  I took three passes through the questions.  First, I answered the ones I knew for sure.  There were a little over 100 in this category.  Then, I answered the next set that I was pretty sure about.  That added another 50 or so.  I needed 70% to pass, so about 175 questions correct (there are new questions for evaluation that don't count, and I've heard that the questions are weighted).  I answered almost all of the remaining questions in the third pass.  That took a little under four hours.

After I had answers for all of the questions, I started marking the answer sheet.  As I went through, I did a final sanity check.  This part was boring.  Even though you should stick with your original answer, I did change a few of my answers.

Four weeks and one day later, I got an email from (ISC)2 saying that I passed!  I just need to submit my endorsement form and resume.  I should hear back from them a few weeks after that.

Friday, August 10, 2012

Rainbow Tables

A friend asked me about rainbow tables, so I thought I'd document what I remembered from my Offensive Security class two years ago.

Rainbow tables are used for cracking passwords.  They are a collection of precomputed hashes, so the software can look up a password hash in the table rather than try to brute force or dictionary attack it.  The downside is that the tables can get quite large depending on the character set and size of passwords used to generate it.

One tool that can use rainbow tables is ophcrack.  There are some tables available for free, such as xp free and vista free.  These are just based on a dictionary.  So instead of computing the hash for each entry in the dictionary and comparing it to the password hash (dictionary attack), the table allows for near instant lookup of passwords.

There are also online rainbow tables where you can submit a hash.  If the hash is in one of their tables, the password is cracked.  Onlinehashcrack.com is an online tool.  Another is freerainbowtables.com.  The nice thing about freerainbowtables is that they are constantly generating tables, and you can help by downloading the client.  Then the tables are available for download.  They also sell them if you don't want to download 5.7TB (as of 8/10/12).

There are two types of rainbow tables there - the older format and the newer hybrid tables.  The tool on the site (rcracki_mt) works with both types.  Other tools, like Cain, only work with the older format.  There is another tool to convert the hybrid tables back to the older format for use in other crackers.
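As an added example (my own code, not from the class or the tools above), here is a toy version of the precomputation the post describes, sized so it runs in a moment: 2-character lowercase passwords hashed with MD5, chains of six hash-then-reduce steps, and only the chain endpoints stored.  It shows both why a table can be far smaller than the password space and the trade-off of coverage versus lookup work, and it ends with the standard defence: the same lookup fails once a salt is prepended, because the precomputed chains no longer cover the hashed input.  The charset, chain length and salt are assumptions for the demo.

```python
import hashlib
import itertools

CHARSET = "abcdefghijklmnopqrstuvwxyz"
SPACE = ["".join(t) for t in itertools.product(CHARSET, repeat=2)]  # 676 passwords
CHAIN_LEN = 6  # hash->reduce steps per chain (assumed for the demo)

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def reduce_(h, step):
    """Map a hash back into the password space; 'step' makes each column distinct."""
    return SPACE[(int(h, 16) + step) % len(SPACE)]

def build_table(starts):
    """Store only endpoint -> starting passwords; chain interiors are recomputed on demand."""
    table = {}
    for start in starts:
        p = start
        for step in range(CHAIN_LEN):
            p = reduce_(md5hex(p), step)
        table.setdefault(p, []).append(start)
    return table

def lookup(table, target):
    """Recover the password for an unsalted hash, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):      # assume target sits in column 'col'
        p = reduce_(target, col)
        for step in range(col + 1, CHAIN_LEN):    # walk the rest of the chain to its end
            p = reduce_(md5hex(p), step)
        for start in table.get(p, []):            # candidate chains, possibly false alarms
            q = start
            for step in range(CHAIN_LEN):
                if md5hex(q) == target:
                    return q
                q = reduce_(md5hex(q), step)
    return None

TABLE = build_table(SPACE[::5])   # 136 chains: 136 stored entries for up to 816 passwords

if __name__ == "__main__":
    pw = reduce_(md5hex(reduce_(md5hex("aa"), 0)), 1)   # a password inside a stored chain
    print("unsalted lookup:", lookup(TABLE, md5hex(pw)))
    print("salted lookup:  ", lookup(TABLE, md5hex("s4lt" + pw)))   # None: not covered
```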

Sunday, August 5, 2012

Intro

I've been meaning to start a blog for quite a while.  Like most people, I'll stick to what interests me, so I'll have a typical technology/computer security/gaming/car/flying/cooking blog.  Actually, other than the cooking, I guess that would be pretty standard for a teenager.

The primary reason for starting it today is that I just started my flight training today.  I want to document it while it was still fresh in my mind.  Hopefully this will help someone else, like other people's writings have helped me in the past.  However, I don't really expect anyone to read this.

Let me explain the topics.  First, technology and computer security.  I've always liked technology and have an engineering degree.  I enjoy building my own computers, playing with networks, and hacking anything that I can.  I'm an Offensive Security Certified Professional and just took my CISSP exam.  I'll try to document new technology, tablets, vulnerabilities, and other security topics.  I especially want to document exploits that I have researched.

Gaming.  When I have free time, I like gaming on many different platforms.  That changed when our kids were born.  Now that they are a little older, I can play some games with them, such as Skylanders.  Now that I'm in flight training, gaming time will probably be limited to X-Plane.

Cars.  My wife and I are looking for cars, so I've been doing a lot of research and will try to document my findings.  She's interested in a Mazda 5, and I'm interested in a Subaru BRZ with 50 more horsepower.  I've got my fingers crossed that 2014 will have an STI version.

Flying.  As I mentioned above, I just started flight training.  I've wanted to do this for at least 10 years.  The first flight was a little overwhelming.  By writing it down, I think I'll reinforce what I learned.  This will be kept in a different blog: jbisflying.blogspot.com.

Cooking.  Like I tell my wife, I don't like cooking.  I like eating.  Early on, I realized that meant I would have to cook food for myself if I wanted to eat well.  I can't/won't eat out every day!  Every once in a while, I run across a good recipe.  I want to make sure I keep track of them.