Thursday, December 5, 2019

What was I reading in November 2019

Another busy month. Worked on setting up easily deployable private architectures for students, using Docker, OVS, and some scripting. Mixed in some Guacamole and a touch of image mapping, and we have our first lab for the firewall class. Also spent the last of the 2018 Christmas money on classes (I'm now backlogged for 15 classes).


- Pwn2Own Tokyo 2019 - Day One Results
- Rage Against the Maschine - a discussion on reverse engineering of a specific piece of hardware
- Isolating the logic of an encrypted protocol with LIEF and kaitai - more reverse engineering
- Feature walk-through for the XAMN v4.4 forensics tool


- OpenAI has published the text-generating AI it said was too dangerous to share - Someone believes their own hype a bit too much, I think...
- Bypassing GitHub's OAuth flow
- One man's junk
- GitRoyalty - WTF?! If you drop opensource behind a paywall, it's not opensource anymore! This is dumb.
- Rethinking the inotify API as an offensive helper


- File Signatures - a must-have!
- CTF Resources - a work-in-progress


- We reduced our Docker images by 60% with --no-install-recommends
- 5 Practical Examples of the dd Command in Linux - I revisited this while learning more about using binwalk to extract hidden files from other files.
- Extracting Kerberos Credentials from PCAP


- The Early History of Usenet, Part II: The Technological Setting
- Configuring Ansible
- Don't Blame the Internet for New Slang


- A Clever Way To Find Compiler Bugs


- AlphaStar: Grandmaster level in StarCraft II using multi-agent reinforcement learning
- Destroying x86_64 instruction decoders with differential fuzzing
- whitequark/unfork


- Study: There may be no such thing as objective reality - A bit too much on theory and philosophy. A discussion, where an experiment (e.g., Schrodinger’s Cat) relies too heavily on dependencies and/or limitations on the experiment. Most everyone can tell you if the cat is alive just by listening or picking up the box. Short version: a scientist's version of navel-gazing.

Above was generated by a homegrown bolt-on script for Wallabag, which is a free utility for capturing web content so that it can be read later.

Saturday, November 30, 2019

Moloch's network authentication

Looks like it's time to switch to "tech writer" for a few days. Finally figured out why Moloch (think web version of Wireshark) wasn't accepting the network authentication. Moloch is a very nice tool (especially for teaching environments) but the install docs are a bit short.

The "hidden detail" was in how the reverse proxy mangles specific header variables (what goes into the proxy config isn't what is delivered to Moloch). Had to write a variable dump script before that was noticeable.
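A variable dump of the kind mentioned above, added here as an example (it is not the author's script): a throwaway listener that prints exactly what the reverse proxy delivers to its backend, plus a comparison against the headers the proxy config claims to set. The port, the header names in the usage and the netcat flag spelling are assumptions.

```sh
#!/bin/sh
# Added example: dump the request a reverse proxy actually delivers to its backend.
# Point the proxy's backend at this listener instead of Moloch, make one request,
# and compare the output with the headers the proxy config is supposed to set.

# Read one raw HTTP request on stdin and print "name=value" per header.
# Names are lower-cased: HTTP header names are case-insensitive, so a proxy that
# emits x-remote-user for X-Remote-User is not the kind of mangling we are after.
dump_headers() {
  tr -d '\r' | awk '
    NR == 1 { print "request=" $0; next }   # request line: method, path, version
    /^$/    { exit }                         # blank line ends the header block
    {
      name  = tolower(substr($0, 1, index($0, ":") - 1))
      value = substr($0, index($0, ":") + 1)
      sub(/^[ \t]+/, "", value)              # drop the space after the colon
      print name "=" value
    }'
}

# Compare a dump (file $1) with the "name=value" lines the proxy config is meant
# to set (file $2). Prints each expected header that is missing or has a different
# value and returns 1 if anything differed, 0 when everything matched.
diff_expected() {
  awk -F= '
    NR == FNR { got[$1] = substr($0, index($0, "=") + 1); next }
    {
      want = substr($0, index($0, "=") + 1)
      if (!($1 in got))         { print "missing: " $1; bad = 1 }
      else if (got[$1] != want) { print "differs: " $1 " got=" got[$1] " want=" want; bad = 1 }
    }
    END { exit bad }' "$1" "$2"
}

# Listen once on PORT and dump whatever arrives. The client gets no reply; that is
# fine for a one-shot check. Netcat flag spelling varies (-l -p vs. -l alone).
serve_once() {
  nc -l -p "$1" | dump_headers
}

case "${1:-}" in
  serve) serve_once "${2:-8089}" ;;
  diff)  diff_expected "$2" "$3" ;;
esac
```

Run `./dump.sh serve 8089 > got.txt`, make one request through the proxy, then `./dump.sh diff got.txt want.txt` where want.txt holds the `name=value` pairs the proxy config is supposed to add.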

In any case, TC4 IDS students now have a very nice way to view captured packets.

Wednesday, November 27, 2019

Fixing Moloch's Hunt function for anonymous users

For those working with Moloch in single-user (anonymous) mode (where the passwordSecret line in config.ini is commented out), you may have noticed that the "Hunt" option doesn't work out of the box. Moloch will complain about the anonymous user not existing.

The fix is the obvious work-around (i.e., create the anonymous user). This can be accomplished from the command line, via:

/data/moloch/bin/ anonymous "anonymous" PaSsW0rD

You'll never need to log in as the anonymous user so make the password difficult and don't re-use the password from one of your other accounts.

Saturday, November 23, 2019

Proactive to a (big) fault

Dealing with locked accounts today. My ISP account was locked due to inactivity (apparently pulling email doesn't count as "activity"). My Amazon account was locked due to my acquiring a new phone (6 months ago).

The Amazon account is unlocked, as is the ISP account, but the ISP account is still acting weird. ISP locked the customer account because of inactivity (apparently they don't consider paying their monthly bills as "activity" either). Care to guess how they notified me?

(For the above, if you guessed "via email to the locked account", you get 10K points!)

It's still not entirely fixed. I can send email to the ISP account from another ISP account but can't receive mail from anywhere else. Plus, my mail client has not been downloading any Kryptos group traffic for the better part of a year (thought the group had gotten quiet). Instead the traffic lands in the ISP inbox and is somehow invisible to my client. I'm seriously thinking about hosting email elsewhere.

Thursday, November 21, 2019

What I did with a week's vacation

Other than continuing to work (yeah, I know), I learned how to integrate OpenVirtualSwitch (OVS) and Docker, so that I could create an architecture that a professor has desired for the better part of a year.

Basically, I combined OVS, Docker, and Guacamole, so that each of 30 students could have a 3-node architecture consisting of an SSH host and a web server, with a VyOS firewall in between, and two virtual switches connecting everything together. I managed to pull it off on a machine with one CPU, consuming less than 10 GB of HD space and about 5 GB of memory. I imagine that one vCPU won't be able to keep up with the stresses generated by 30 concurrently online students but so far, they've only been online 1 or 2 at a time. I can always add one (or more) on the fly.

The more I read about OVS, the more I like it. The next lab project will involve setting up an IDS environment, with two end points (one running tcpreplay) connected with a single virtual switch, which allows for port mirroring to a Snort container. Like the other project, Guacamole will run on top of this project (goal is to not require the student to have anything other than a browser).

I've not yet learned about SDN controllers but did manage to write a series of Perl scripts to do things like: deploy the containers, deploy the switches, connect the switches to the containers and connect them to Guacamole, and associate the Guacamole user accounts with the containers. Once the requisite software is installed and the Docker images are created, deployment of 30 private architectures only takes a few minutes (much quicker than cloning VMs).

If things go wrong and a student cannot correct their mistakes, the scripts are written so that a single student's architecture can be destroyed and redeployed. Additional scripts were written to check that all containers and switches are operating as they should.

The hard part was getting the three containers tweaked "just so". That required making changes to a container, committing it to a new image, destroying the old architecture, and redeploying the whole thing using the new image. Scripting the process made it super easy.
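A scripted deployment of the kind described above, written as an added example in POSIX sh (not the author's Perl scripts): one student's three-node lab (SSH host, VyOS firewall, web server) joined by two OVS bridges, with the matching teardown and health check. The image names, the per-student naming scheme and the 10.N.x.0/24 addressing are assumptions.

```sh
#!/bin/sh
# Added example: deploy, check or destroy one student's private 3-node lab.
# Image names and addressing are assumptions; DRY_RUN=1 prints instead of executing.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Student N gets bridges sN-inside / sN-outside and containers sN-ssh, sN-fw, sN-web.
# Containers start with no Docker network; OVS ports are attached afterwards, so the
# only path between the ssh host and the web server runs through the firewall.
deploy_student() {
  n="$1"; in_br="s${n}-inside"; out_br="s${n}-outside"
  run ovs-vsctl --may-exist add-br "$in_br"
  run ovs-vsctl --may-exist add-br "$out_br"
  run docker run -d --name "s${n}-ssh" --network none --hostname ssh lab/ssh-host
  # NET_ADMIN is enough for a firewall container; avoid --privileged in shared labs
  run docker run -d --name "s${n}-fw"  --network none --hostname fw --cap-add NET_ADMIN lab/vyos
  run docker run -d --name "s${n}-web" --network none --hostname web lab/web-server
  # Second octet = student number keeps 30 labs from colliding on the one host
  run ovs-docker add-port "$in_br"  eth1 "s${n}-ssh" --ipaddress="10.${n}.1.10/24" --gateway="10.${n}.1.1"
  run ovs-docker add-port "$in_br"  eth1 "s${n}-fw"  --ipaddress="10.${n}.1.1/24"
  run ovs-docker add-port "$out_br" eth2 "s${n}-fw"  --ipaddress="10.${n}.2.1/24"
  run ovs-docker add-port "$out_br" eth1 "s${n}-web" --ipaddress="10.${n}.2.10/24" --gateway="10.${n}.2.1"
}

# Tear down one student's lab so it can be redeployed from the (possibly new) images.
destroy_student() {
  n="$1"
  for c in ssh fw web; do run docker rm -f "s${n}-${c}"; done
  run ovs-vsctl --if-exists del-br "s${n}-inside"
  run ovs-vsctl --if-exists del-br "s${n}-outside"
}

# Report any container that is not running or bridge that is missing; return 1 if so.
check_student() {
  n="$1"; rc=0
  for c in ssh fw web; do
    state=$(docker inspect -f '{{.State.Running}}' "s${n}-${c}" 2>/dev/null) || state=missing
    [ "$state" = true ] || { echo "s${n}-${c}: $state"; rc=1; }
  done
  for b in inside outside; do
    ovs-vsctl br-exists "s${n}-${b}" || { echo "s${n}-${b}: missing"; rc=1; }
  done
  return "$rc"
}

case "${1:-}" in
  deploy)  deploy_student "$2" ;;
  destroy) destroy_student "$2" ;;
  check)   check_student "$2" ;;
esac
```

Looping `deploy 1` through `deploy 30` stands up the whole class; `destroy N` followed by `deploy N` is the single-student reset the post describes.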

Just in time for finals. Sorry guys!

Sunday, November 3, 2019

What was I reading in October 2019?

October was a busy month, what with being on travel for 2 weeks, participating in both the President's Cup and ODU's CyberOPS CTF events, as well as...

The Cubietruck finally kicked all four of its little feet up in the air. Instead of the SSD, it looks like NVRAM corruption (we've had some nasty brown-outs in October). It's back online. I used the repair as an excuse to weed out what I had running on that box.

The third hypervisor is back online, finally. The fix required blowing away the BIOS config and starting a new one (it wasn't accepting new drives). For now, it's running with about 5x the amount of storage that was previously on there.

In any case, this past month's (err... week's?) reading:


- Potential bypass of Runas user restrictions
- Machine learning challenges at LinkedIn: Spark, TensorFlow, and beyond
- NordVPN confirms it was hacked
- Facebook Faked Viewer Metrics By As Much as 900 Percent
- Optimize your metadata for better compression
- Accidental Satellite Hijacks Can Rebroadcast Cell Towers
- jullrich/pcap2curl
- RandomAdversary/Awesome-AI-Security
- Quickpost: ExifTool OLE Files and FlashPix Files


- Tails - Tails 4.0 is out
- Incorrect Working IPv6 NTP Clients/Networks
- Researcher Discovers Critical Linux WiFi Vulnerability That Existed For Four Years
- Debian Buster / OpenWRT 18.06.4 upgrade notes
- Objections to IoT regulation. A rational reply
- Weaponizing and Gamifying AI for WiFi Hacking: Presenting Pwnagotchi 1.0.0


- Absurd fonts for an absurd world


- How To Record Everything You Do In Terminal - I'm helping out with a project for school, and am reviewing Vagrant and Ansible capabilities as part of it.
- How to deploy a container with Ansible


- 6 signs you might be a Linux user - #1 applies to all computer geeks. I'm guilty of #2, #3, and #4. If you're guilty of #5, yer a newb. I disagree with #6. A better one is that you've adapted other people's tools to suit your own needs.
- Searx - A New Internet Search Engine - Not really a new search engine. It's a search aggregator, meaning that you're still seeing Google Search results. Want your own search engine? Stand up Elastic or Sphinx Search and learn about FTS.


- Gravitational Teleconsole - Looking at this (and Teleport) for use as part of the school project.


- suchja/wine - still more stuff for the school project
- The single most useful thing in bash - 25 years later, I'm still learning new things about Bash!
- Tmux Tutorial
- adblockradio/adblockradio - At this point I'll try it, if only to mute the barrage of attack ads.

Above was generated by a homegrown bolt-on script for Wallabag, which is a free utility for capturing web content so that it can be read later.

Tuesday, October 22, 2019


Have posted my tweaks of shark-1.0 (to control the RadioShark v1) to:

I've tweaked the original source code slightly, to work around a couple of complaints that GCC generates. The older version of Fedora is needed as it was the last version to support the older libhid library.

Basically, the above creates a Fedora 25 image that can be called (as a temporary container) to control the white version of the RadioShark (white, v1) device (which can still be purchased via various online markets or from junk-boxes at local social events). I don't know if it'll work with the black, v2 device but will know shortly, as a friend picked up a v2 device at the Richmond Hamfest.

Monday, October 21, 2019

Still still here

A month goes by fast! Still here, still busy as heck, but it's getting better.

Last week, I participated in the first annual President's Cup CTF. I was able to squeak by, right around the 50th percentile. Not too shabby for a non-pro. Those questions were hard!

This past Saturday, I participated on a team at ODU's CyberOPS 2019 CTF. We ended up in a 4-way tie for fifth place. Although we'd like to do better, we're quite happy with where we placed. Topics we need to brush up on: reverse engineering, image manipulation using GIMP (for the second year), and the more esoteric approaches to SQL injection (A union? Really?).

I'll be demoing the sudo bug (and giving a very short presentation) at this week's Cyber Club meeting. Once again, the media put a bit more OMG into their news articles than was needed, as exploitation of the bug requires a pre-existing "bad idea" in the config file.
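The config-file precondition referred to above is a Runas spec that grants every user except root, such as (ALL, !root) or (ALL, !#0). The following audit is an added example, not part of the post: it lists such rules in a sudoers file so they can be removed (alongside patching sudo). The sample file in the usage is constructed.

```sh
#!/bin/sh
# Added example: list sudoers rules whose Runas spec excludes root ("!root" or "!#0").
# Those rules are the pre-existing "bad idea" the Runas bypass needs; remove them
# and patch sudo. Reading /etc/sudoers needs root; also check every #includedir file.

# Usage: audit_runas_exclusions FILE... ; prints "file:line: rule" for each hit
# (comments dropped, backslash-continued lines joined) and returns 1 if any found.
audit_runas_exclusions() {
  awk '
    /^[ \t]*#/ { next }                # comment or #include directive: no Runas spec here
    {
      line = line $0
      if (sub(/\\$/, "", line)) next   # trailing backslash: rule continues on next line
      if (line ~ /\([^)]*![ \t]*(root|#0)[ \t]*[,)]/) {
        print FILENAME ":" FNR ": " line
        found = 1
      }
      line = ""
    }
    END { exit found }' "$@"
}

case "${1:-}" in
  "") ;;                              # sourced or run without arguments: do nothing
  *)  audit_runas_exclusions "$@" ;;
esac
```

Example: `./audit.sh /etc/sudoers /etc/sudoers.d/*` exits non-zero and names each offending rule when the pattern is present.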

I've been improving my Docker containers and have my article tracker (based on Wallabag v1) back online. On the to-do list: I'll be needing to grab the source code for the various support libraries, just so a package update doesn't destroy (again) my ability to use the tool. Will post the source on the school's Docker repository shortly.

Sunday, September 22, 2019

Still here

Just wanted to let y'all know that I'm still here. I've just been extremely busy with work, travel, and getting the school's cyber range stood up.

To update the last post about linked clones: the VirtualBox version worked nicely. The ESXi version was a horror. For the latter, there was a less-than-optimal bottleneck relating to accessing the hard drives. Standing up five clones produced an escalating read/write latency which eventually rendered the box unusable. Short version: the ESXi effort was abandoned.

The DMS code is working well (though redundant functions need culling). Using it as a loader for the Recoll search engine appears to be the best approach (though I sometimes miss the Sphinx search engine).

In any case, the cyber range is up and running with two new machines, supporting twice as many students (some of which are also Cyber Club members). My "free time" has gradually increased to the point where I'm writing again. I do have a serious backlog of "things to read" though and I intend on visiting the nearest Hungry Howie's (about 200 miles away) in the next few weeks.

Sunday, March 31, 2019

Playing with VirtualBox linked-clones

Have been experimenting with rapid deployment of cloned VMs and having some fun. Using VirtualBox's linked clone feature, I can create and start 30 instances of Kali Linux (30 being the number of classroom seats) in a matter of seconds. I've also worked out how to push new network configuration onto each instance. In-progress notes are on the TC4 internal Gitea server. Will also post 'em to Github when things are further along.
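An added example of the linked-clone approach (not the author's Gitea notes): VBoxManage stamps out N linked clones of a prepared base VM and gives each seat its own NIC settings. Assumptions: the base VM is named kali-base, seats sit on an internal network called classroom, and a DHCP server on that network hands out addresses keyed on the fixed MACs.

```sh
#!/bin/sh
# Added example: create, start and later remove N linked clones of "kali-base".
# VM/network names and the MAC scheme are assumptions; DRY_RUN=1 prints the commands.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

seat_name() { printf 'kali-%02d' "$1"; }
seat_mac()  { printf '0800270000%02X' "$1"; }   # constructed: VirtualBox OUI + seat number

# Linked clones branch from a snapshot, so take one on the base VM first (once).
prepare_base() { run VBoxManage snapshot kali-base take classroom-base; }

# Clone, pin each seat to the internal network with a predictable MAC, and boot headless.
deploy_seats() {
  count="$1"; i=1
  while [ "$i" -le "$count" ]; do
    vm=$(seat_name "$i")
    run VBoxManage clonevm kali-base --snapshot classroom-base --options link --name "$vm" --register
    run VBoxManage modifyvm "$vm" --nic1 intnet --intnet1 classroom --macaddress1 "$(seat_mac "$i")"
    run VBoxManage startvm "$vm" --type headless
    i=$((i + 1))
  done
}

# Power off and unregister every seat; the base VM and its snapshot are left alone.
destroy_seats() {
  count="$1"; i=1
  while [ "$i" -le "$count" ]; do
    vm=$(seat_name "$i")
    run VBoxManage controlvm "$vm" poweroff
    run VBoxManage unregistervm "$vm" --delete
    i=$((i + 1))
  done
}

case "${1:-}" in
  prepare) prepare_base ;;
  deploy)  deploy_seats "${2:-30}" ;;
  destroy) destroy_seats "${2:-30}" ;;
esac
```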

There's a bunch of other things to figure out and instantiate but they'll have to go on the "to do" list. Have signed up for my second season in the NCLs. Not sure if I'll be competing remotely (separate from the class), but I want to do better than last year. This means working through the harder parts of the gym, which opened a few days ago.

Tuesday, March 26, 2019

undefined reference to "show_hash"

Note to self: when compiling older software, the fix for the "undefined reference to 'show_hash'" error appears to be "apt-get install uthash-dev". That, or libhashkit-dev, but I believe that it's the uthash-dev library.

Monday, January 28, 2019

Chrome and xclip

Have been watching a number of crackme-type walk-throughs, where the speaker relies heavily on xclip to capture command line output so that the mouse can be used to paste data into the browser. I could never get it to work with Chrome, until today. To use xclip with Chrome, add the following to ~/.bashrc (or .bash_aliases if you have it):

alias xclip="xclip -selection clipboard"

After that, it should work as expected.

Thursday, January 10, 2019

My VLAN beef

After all these years, why is it that pundits still associate use of VLANs with security? Any security afforded by use of a VLAN is a side effect and is considered (by those in security) as not assurable (e.g., it cannot be proven by testing), is easily broken, and is very easily mis-configured.

A VLAN is a traffic management tool, designed to increase overall (employable) bandwidth in an architecture. It does not employ authentication or encryption. Security is increased (often negligibly) by ensuring that traffic doesn't "go" somewhere. In some architectures (e.g., VoIP phones on the same network segments as the workstations), this separation doesn't exist.