Monday, 1 March 2021

Industrial Control System Hide-and-Seek


 

I spend a lot of time researching and reading about security.

I love the subject matter and every once in a while I stumble across something that makes my eyes bug out.

I say to myself...

"Did I read that correctly? Did that actually happen?"

There is so much happening all the time in cyber security that it is hard to stay on top.  It's a constant game of catch-up.

So I got an idea.  A personal challenge.

I have been reading recently about infrastructure and IoT.  I think IoT is the future and in the same breath it's critical that we secure these assets.

From my research I have learned the hard fact that CNI (critical national infrastructure) and ICS (industrial control systems) are woefully lacking in basic security.

The Challenge:

Within five minutes, how many types of industrial control systems can I locate online and either connect to directly or validate as reachable online?

So with some quick googling and shodan.io at my side I set my timer and got to the task.

Keep in mind this is all within 5 minutes.

And this is what I found:

- Electronic Billboards

- Gas Station Pump Controllers

- Automatic License Plate readers

- Traffic light controllers 

- Red Light Cameras

- Voting Machines (US)

- Telcos running Cisco lawful intercept wiretaps

- Prison Pay Phones

- Tesla Charging stations

- Maritime Satellites

- Refrigeration Units 

- Wind Turbine Farms

- Commercial Vehicle GPS Trackers

- X-ray Machines

- Industrial Automation

- Door/Lock Access Controllers

- Railroad management

Now I have no plan to exploit these assets, but keep in mind that in only 5 minutes with some googling and shodan I was able to find and validate multiple machines within these ICS types.

Now what if I actually had malicious intent? What if I had picked a target and spent significantly more time on the target?  What information could a person grab about the target organization?  How could someone move laterally from this target to some other unsuspecting asset?

Having connected devices is great, but proper security considerations need to be at the forefront.


Andrew Campbell

Monday, 22 February 2021

PFBlockerNG Top Level Domain Blocking

If you are using pfsense as your firewall of choice there is a useful package called PFBlockerNG.  There are so many useful features of this package.  

This video showcases how to block top level domains on a separate interface connected to your pfsense router.

Friday, 19 February 2021

NSE:dns-check-zone

 

Let's talk about analyzing DNS zone configuration against best practices. 

Generally if you are running a DNS server you should be monitoring it frequently.  There are so many attacks out there that abuse DNS that this is a technology that should never be left on its own just because it "works."  Audit your DNS regularly.

A quick test you can do with NSE is "dns-check-zone".  It will give you some quick info on what areas are not quite up to par.

...The real question you should be asking yourself is this.  

"Who else is checking this?"

I digress.

Below I go through a useful NSE script to check your zones.  I have two examples: one that failed a couple of tests and one that failed

A LOT.

Before we go ahead and do this we need to find the name server of a particular domain.

Let's use #nslookup

The image below will give you some details about using #nslookup.



With this information we can feed a more specific query into NSE:
#nmap -sn -Pn <name of name server> --script dns-check-zone --script-args='dns-check-zone.domain=<domain name in question>'

The two images below are the same as above.



In the above image the name server did fail the SOA Expire check.  Let us look at another server that failed a lot more.


1) "FAIL" --> Missing nameservers reported by your nameservers

At the registrar for your domain name you need to point your domain name to a specific set of name servers.

When you do this, the registrar tells the TLD server (the parent).

Your NS records need to match the name servers your domain name is pointed to.

The FAIL means that the TLD server is not pointing to all the name servers that exist in your DNS zone.

2) "FAIL" --> SOA Refresh not within recommended range

If we take a look at the first NS, its refresh was set to 28800s; this second NS is set to 600s.

Curious.
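To make the two failures above concrete, here is an offline re-implementation of those checks in Python.  This is an added example, not nmap's dns-check-zone script: the NS sets and the SOA record are constructed, and the "recommended" SOA ranges are my assumptions rather than values taken from the script.

```python
"""Offline re-implementation of two dns-check-zone tests (added example, not nmap's Lua script).

Inputs are constructed: the NS set the parent (TLD) delegates to, the NS set the
zone itself publishes, and the zone's SOA rdata in presentation format.  The
"recommended" SOA ranges are assumptions based on common operator guidance, not
values copied from the nmap script; adjust them to your own policy.
"""
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

class SOA(NamedTuple):
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

# Assumed recommended ranges in seconds (a 28800s refresh passes, 600s fails, as in the post).
RECOMMENDED: Dict[str, Tuple[int, int]] = {
    "refresh": (1200, 43200),      # 20 min .. 12 h
    "retry": (120, 7200),          # 2 min .. 2 h
    "expire": (1209600, 2419200),  # 2 .. 4 weeks
    "minimum": (300, 86400),       # 5 min .. 24 h (negative-caching TTL)
}

def parse_soa(rdata: str) -> SOA:
    """Parse 'mname rname serial refresh retry expire minimum' as printed by dig or nslookup."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"SOA rdata needs 7 fields, got {len(fields)}: {rdata!r}")
    mname, rname = (f.lower().rstrip(".") for f in fields[:2])
    return SOA(mname, rname, *(int(f) for f in fields[2:]))

def normalise(names: Iterable[str]) -> Set[str]:
    """Names are case-insensitive and the trailing dot is optional: 'NS1.example.com.' == 'ns1.example.com'."""
    return {n.lower().rstrip(".") for n in names}

def check_nameservers(parent_ns: Iterable[str], zone_ns: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Compare the delegation at the parent with the NS RRset the zone itself publishes.

    "Missing nameservers reported by your nameservers" fails when the zone lists a
    server the parent does not delegate to (the FAIL discussed in the post); the
    converse test fails when the parent delegates to a server the zone omits.
    """
    parent, zone = normalise(parent_ns), normalise(zone_ns)
    results = []
    for test, missing in (
        ("Missing nameservers reported by your nameservers", sorted(zone - parent)),
        ("Missing nameservers reported by parent", sorted(parent - zone)),
    ):
        results.append((test, "FAIL" if missing else "PASS", ", ".join(missing)))
    return results

def check_soa(soa: SOA) -> List[Tuple[str, str, str]]:
    """Flag every SOA timer that falls outside its recommended range."""
    results = []
    for field, (low, high) in RECOMMENDED.items():
        value = getattr(soa, field)
        status = "PASS" if low <= value <= high else "FAIL"
        results.append((f"SOA {field.upper()}", status, f"{value}s (recommended {low}-{high}s)"))
    return results

def check_zone(parent_ns, zone_ns, soa_rdata: str) -> Dict[str, Tuple[str, str]]:
    """Run both groups of checks; returns {test name: (status, detail)}."""
    results = check_nameservers(parent_ns, zone_ns) + check_soa(parse_soa(soa_rdata))
    return {test: (status, detail) for test, status, detail in results}

if __name__ == "__main__":
    # Constructed data: the parent delegates to two of the zone's three name servers.
    report = check_zone(
        parent_ns=["ns1.example.com.", "ns2.example.com."],
        zone_ns=["NS1.example.com.", "ns2.example.com.", "ns3.example.com."],
        soa_rdata="ns1.example.com. hostmaster.example.com. 2021021901 600 7200 1209600 3600",
    )
    for test, (status, detail) in report.items():
        print(f'"{status}" --> {test}' + (f" ({detail})" if detail else ""))
```

Feed it the NS lists from nslookup/dig at the parent and at your own servers, plus the SOA line, and you get the same PASS/FAIL view the script gives without a network scan.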

 

Hope you enjoyed!

 

Reference:

[1] https://nmap.org/nsedoc/scripts/dns-check-zone.html

[2] https://www.youtube.com/watch/UVNmby8rLz4

[3] https://www.cloudns.net/wiki/article/203/

Tuesday, 16 February 2021

Cyber Security: How We Have Failed


The deeper I get into cyber studies the more I wish that my own country could hold its own against nation-states (specifically cyber).

It seems that more and more articles are coming across my feed stating that Canada has a weak defence against cyber-attacks. 

Many people have known for a while that Canada has been lacking on the defence side of things. [2]  It has been learned that nation-states have switched from flat-out stealing government secrets to targeting something much more powerful: our economic sovereignty.

CSIS Director David Vigneault named publicly on February 9, 2021 that China and Russia are behind much of the Intellectual Property theft occurring in Canada.  This was the first time that Mr. Vigneault publicly named any specific actor. [1]

This is significant.

Let's say it one more time, the Director of Canadian Security Intelligence Services has publicly stated that Russia and China represent a "... significant danger to Canada's prosperity and sovereignty."

Look at what happened to Nortel [3].  They had an IP leak that persisted for a long time, to the point that they didn't exist anymore.

Nortel bled out its IP till it could no longer compete.  What Mr. Vigneault is telling us is that this is happening all over the place and it's out of control.

We have failed [Cyber Security] because we leave the defense of our nation's IP up to private businesses.  Businesses who don't even know they are THE frontline of this cyber fight.

North America, and many other nations, are so incredibly vulnerable.  

National cyber security is not a unified body.  It is comprised of a distributed network of millions of entities (private businesses) working independently to protect their own turf.  One weakness in this chain means that any trust relationships between those entities can be exploited.

This week it was released that a Florida water plant was hacked and that the chemical composition of the area's drinking water had been compromised [4].  It was discovered that this critical infrastructure was easily hacked due to the fact that it had no firewall.

Had..................No..................Firewall.

How does this even happen in these "modern" times?  It's a safe bet that people have been poking around in that treatment plant for a long time.

Going back to CSIS.  It must be bad when Vigneault announces to the entire world that there is a serious threat to our national prosperity and sovereignty.

Was the goal awareness? 

Are our federal leaders aware of how bad it is?  

How much more IP needs to bleed out before someone takes this seriously?

Andrew Campbell

Reference:

[1] https://www.cbc.ca/news/politics/csis-speech-david-vigneault-1.5906665 

[2] https://globalnews.ca/news/3131347/canadas-military-too-vulnerable-to-cyber-attacks-documents/

[3] https://globalnews.ca/news/7275588/inside-the-chinese-military-attack-on-nortel/

[4] https://gizmodo.com/hacked-florida-water-plant-reportedly-had-no-firewall-a-1846246067

Friday, 12 February 2021

NSE:broadcast-listener

Broadcast-listener is an interesting NSE script that listens on a network for devices that are broadcasting and provides some information on what in particular is broadcasting.

Usage:

#nmap --script broadcast-listener -e <interface name>

If you need to quickly find the name of your interface, type:

#tcpdump -D

 

Hosts on a network are broadcasting all the time, attempting to determine "who is who in the zoo."  Where broadcast-listener comes in handy is that it attempts, fairly accurately, to tell us what type of broadcasting is occurring.  The packets from these broadcasters are analyzed and the output reflects this data.

Above you will see the output for a network.  The colours correspond with numbers that show up multiple times.

It is important to note that UDP decoders are triggered by destination port and ether decoders are triggered by pattern match.

Protocols present in this image:

SSDP = Simple Service Discovery Protocol (Network protocol for advertisement and discovery of network services and presence information)

MDNS = Multicast DNS (Protocol that resolves hostnames to IP addresses within small networks that do not include a local name server)

NetBIOS = Network Basic Input/Output System (Provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network).  It is not a protocol, it is an API.
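As an added illustration of that decoder split (UDP by destination port, ether by pattern match) and of the three protocols listed, the following Python models it on constructed packets.  It is not nmap's code: the port and MAC tables are an assumed subset, and the SSDP, mDNS and NetBIOS-NS samples are built inline rather than captured.

```python
"""Toy model of how broadcast-listener picks a decoder (added example, not nmap's Lua code).

UDP traffic is handed to a decoder keyed by destination port; raw Ethernet frames
are handed to a decoder keyed by a byte pattern (here the multicast destination
MAC).  The decoder tables are small assumed subsets, and every packet below is a
constructed sample, not a capture from the post.
"""
import struct
from typing import Dict, Optional, Tuple

UDP_DECODERS: Dict[int, str] = {1900: "SSDP", 5353: "MDNS", 137: "NetBIOS-NS"}  # assumed subset
ETHER_PATTERNS: Dict[bytes, str] = {                                             # assumed subset
    b"\x01\x80\xc2\x00\x00\x00": "STP",  # IEEE 802.1D bridge group address
    b"\x01\x00\x0c\xcc\xcc\xcc": "CDP",  # Cisco multicast address
}

def read_dns_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read an uncompressed DNS-style name; mDNS and NetBIOS-NS both use this wire form."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name pointers are not handled in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def decode_ssdp(payload: bytes) -> Dict[str, str]:
    """SSDP is HTTP over UDP: take the method from the start line and fold headers into a dict."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    fields = {"method": lines[0].split(" ")[0]}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().upper()] = value.strip()
    return fields

def decode_mdns(payload: bytes) -> Dict[str, object]:
    """Header counts plus the first question name (e.g. the DNS-SD service browse name)."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    name = read_dns_name(payload, 12)[0] if qdcount else ""
    return {"response": bool(flags & 0x8000), "questions": qdcount, "answers": ancount, "name": name}

def decode_netbios_ns(payload: bytes) -> Dict[str, object]:
    """NetBIOS names are 'first-level encoded': each byte becomes two letters in the range A-P."""
    encoded, _ = read_dns_name(payload, 12)  # a single 32-character label
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65) for i in range(0, 32, 2))
    return {"name": raw[:15].decode("ascii").rstrip(), "suffix": raw[15]}

def classify_udp(dst_port: int, payload: bytes) -> Tuple[str, Dict]:
    """Trigger on destination port, the way the script's UDP decoders are selected."""
    handlers = {"SSDP": decode_ssdp, "MDNS": decode_mdns, "NetBIOS-NS": decode_netbios_ns}
    decoder = UDP_DECODERS.get(dst_port)
    return (decoder, handlers[decoder](payload)) if decoder else ("unknown", {})

def classify_ether(frame: bytes) -> Optional[str]:
    """Trigger on a pattern match against the frame, the way ether decoders are selected."""
    for pattern, name in ETHER_PATTERNS.items():
        if frame.startswith(pattern):
            return name
    return None

# Constructed samples: an SSDP NOTIFY, an mDNS DNS-SD browse query and a NetBIOS name query.
SSDP_SAMPLE = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
               b"NTS: ssdp:alive\r\nUSN: uuid:constructed-0001::upnp:rootdevice\r\n\r\n")
MDNS_SAMPLE = (b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x09_services\x07_dns-sd\x04_udp\x05local\x00\x00\x0c\x00\x01")
NETBIOS_SAMPLE = (b"\x00\x01\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x20FHEPFCELEHFCEPFFFACACACACACACAAA\x00\x00\x20\x00\x01")

if __name__ == "__main__":
    for port, packet in ((1900, SSDP_SAMPLE), (5353, MDNS_SAMPLE), (137, NETBIOS_SAMPLE)):
        print(port, classify_udp(port, packet))
    print(classify_ether(b"\x01\x80\xc2\x00\x00\x00" + b"\x00" * 20))
```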

Reference: 

[1]  https://nmap.org/nsedoc/scripts/broadcast-listener.html

Monday, 8 February 2021

How To: Find Random Machines in Specific Countries

On the internet there are packets flying everywhere.  Some from legit sources, and many many many many other sources maybe not so much.

ICMP packets are truly awesome.  I can reach out to a machine across the planet and know that it is there and that it is real.

The idea of being able to reach out and touch a machine across the planet is fascinating.  In a previous post I demonstrated how to find 100% random hosts on the internet LINK.  

What if we could modify this slightly to choose a particular country we want to connect with?

It is actually quite simple.

Check out the reference below [1].  This site provides us with networks allocated to particular countries.

Take a look at the ranges.  Some vary from 1 to the thousands!  Pick the network you want.

With hping3 we select the appropriate network and leave the final octet as "x".  

When we call "--rand-dest -I <your interface>" we are establishing that we want a random host from within a specific network.

Since the specific network is allocated to an individual country, the IP addresses that are returned belong to hosts from within that country.




Reference:

[1] https://lite.ip2location.com/ip-address-ranges-by-country

[2] https://blog.apt-secure.ca/2020/08/how-to-hping3-random-host-discovery.html

Monday, 1 February 2021

Metasploit: FTP Anonymous Scanner

In a previous post (NSE:ftp-anon) I demonstrated how to use NSE to collect information about a target machine and determine if the target is allowing anonymous credentials.

This post is going to show that we can gather similar information utilizing metasploit as well.

Take a look at the image below.

The following steps will prep metasploit so that you can do some scanning of your target.

#use scanner/ftp/anonymous

#set rhosts [Target IP] 

#set threads 50  (You don't have to do this step, but is useful if you are doing a scan of an entire network 192.168.1.0/24  <--Example) 

#run

Results:

Look at what comes back!  We know that the target is allowing anonymous connections and that READ access is set!

We can also see that vsFTPd 2.3.4 is set!  Which is awesome because metasploit is a perfect tool for gaining shell access through this vulnerability.


For curiosity sake I also ran NSE:ftp-anon.

The picture below comes back with more information!


What can we learn from this? Well, both tools are good but together are even better.  Keep learning about the various tools available to you and when you package them together you can do some awesome things.

 

Keep checking out my NSE Database I am continuing to add to it so that it can be a good resource for all.

Andrew Campbell

Monday, 25 January 2021

A DMZ Lie


 

Today I'm attempting to demystify a thought process around DMZs (Demilitarized Zones).  

A DMZ is an extremely useful method for providing network security.  It can be utilized in a variety of ways and can vary greatly in complexity.  The writing in this post assumes you have a basic understanding of what a DMZ is.

The mystery I would like to pull the curtain back on in this post is home routers and built in DMZ capabilities.

In a previous post "Why are guest networks important?" I highlight the benefit of having A guest network. 

So, what is the difference between a guest network and a DMZ (home router)?  The difference is actually huge.

When we think about a DMZ, the first image that may come to mind is an isolated area that is protecting data, which only approved admins can access.  While this can be true, it can also be totally different.  That's the glory of a DMZ: I can isolate assets and restrict access, or I can have a DMZ facing the internet with a webserver in it.  However I want to build out my infrastructure, there is a DMZ combination that can be implemented.

DMZs are nice because they provide that additional layer of security.  They can be locked down and make the work of an attacker that much more difficult.

The problem with DMZ capabilities on home routers is that it is using a word that is associated with security, and then doing the opposite.

It is giving people false hope.

When I select DMZ on my home router (the process is very similar for most appliances), what I am doing is allowing a machine on my network direct access to the internet, potentially, if not definitely, skipping your firewall entirely.

Some internet resources have said that you can put gaming systems in this kind of configuration.  The justification is that it makes things "faster." This is silliness.

Put your xbox behind your firewall. Come on now.

A problem with giving a machine direct access to the internet is that the internet has direct access to it as well!  If it gets compromised, your entire network is visible.

What's a better Alternative?

You want a secure home network? At the very least set up a guest network and have all guests connect via this network.  This way you have created some isolation.

You want remote access to an asset in your own network (non-guest)?  Set up some virtual router(s) (pfsense is a great solution).  Configure these so that you can access the asset.  This is a much better way to do it, as it leverages the DMZ methodology appropriately.

Thanks!



Reference:

[1] https://weakwifisolutions.com/is-dmz-safe/

[2] picture: https://www.addictivetips.com/windows-tips/public-network-dangerous/

Tuesday, 19 January 2021

NSE:banner

A useful technique in reconnaissance is grabbing banners.  There are a few ways to achieve this goal.  Most often you will gain all the information you will need from a simple nmap or even a quick netcat or even hping3.

Banners provide us with information about the port we are investigating.  Here are some additional ways to retrieve information about specific ports that are similar to banner grabbing.

(nmap -sS -sV -p# [ip])

(nc -vn [ip] [port])

(hping3 -S -p# [ip] -I [interface name])


Above you can see that I am choosing port 22.  I have turned off the ping probe part of the nmap process and selected the banner NSE script with (-sV --script=banner).

Below you will see the command I used.

#nmap -Pn -p22 -sV --script=banner [IP]

Next steps: investigate to see how old dropbear_2016.74 is.

Reference:

[1] https://nmap.org/nsedoc/scripts/banner.html

[2] https://www.studytonight.com/network-programming-in-python/banner-grabbing

Monday, 18 January 2021

When is it OK? Profiling Within your Organization

Firstly, I want to state clearly that this article is meant to be a discussion point.  The topic of profiling can be touchy.  I want to talk about aspects of this topic and how I believe there is space within cyber-security for profiling.

Thanks.

The more I study about cyber-security the more it intrigues me and spurs me on to want to learn more.  Again and again I find that as a cyber-security professional one has to toe the line on what is "good" and "bad".  If I learn about a tool whose predominant purpose is to steal credentials, is it wrong to learn about such a tool?

No.

If I use that knowledge maliciously on a network I have crossed the line though.

Cyber tools, like a hammer, can be used for good or ill.

Profiling can be a tool for protecting your organization.

The dictionary defines "Profiling" as such:

"The recording and analysis of a person's psychological and behavioural characteristics, so as to assess or predict their capabilities in a certain sphere or to assist in identifying a particular subgroup of people."

As a society we are prone to use profiling in a negative way (racial profiling, gender profiling, etc.)  These are not acceptable. 

Let's look at the definition of profiling and pull it apart to see if there are any usable pieces for a security professional.

"analysis of psychological and behavioural characteristics..."

Psychology would be how we handle the world around us.  When presented with a situation, what are we thinking and feeling at that moment?  Behavioural is our actions, when I have an experience I feel and think (psychology) and act on those feelings (behaviour).

I believe this to be a basic fact of humanity.  

This cause and effect relationship between feelings and acting plays out dramatically differently between people.  How I respond to a news article about violence at the capitol may be drastically different from someone who grew up in an area where people sympathize with the rioters.

and on

and on 

and on. 


...so as to assess or predict their capabilities in a certain sphere or to assist in identifying a particular subgroup of people."

To assess or predict capabilities in a certain sphere.  The sphere of reference that we are talking about today revolves around cyber-security and your organization.  

Is it possible to determine who within your organization is a higher risk for allowing unintentional security breaches?

I believe yes.

For anyone who has spent any amount of time in IT you will know what I mean when I refer to repeat offenders (users).  Those users who seem to always be patient zero for new malware in your network environment.

After seeing malware over and over again I began noticing behaviour trends/patterns in users.

Here are some things to watch for with users that can (not guaranteed) make them a higher risk for malware/security breaches:

1. Age:  Being of a certain age does not necessarily mean that you are going to be the target of attack.  However I have noticed that folks who have not grown up under the shadow of ever-present technology tend to be pretty trusting and surprised when the Nigerian prince asking for money isn't real.  I'm not trying to be ageist, in fact I have experienced a lot of younger people falling victim to phishing scams.

It's at this point that I think people will be most up in arms.  I am not saying that being "old" or being "young" is bad, by no means.  All I am saying is that the people who want to attack your company are thinking this way.  It is prudent to at least consider the attacker mindset.

2. Position: Specifically, people who are higher up the ladder tend to be a high risk because their access to critical assets is greater.  Hence why spear phishing an organization goes better if you can spoof the boss's email.

I have also seen "lower" positions be prone to attack.  Sometimes people in ground level roles are less invested in an organization....sometimes...not always.  Their position may be temporary.  The nature of their role means that assets they interact with on a daily basis are potentially not mission critical.  Sometimes this scenario can lead to people letting their guard down.  "I'm not very high on the food chain here, what damage could I do?"

3. Technical Aptitude: I have had many users confess to me that they are bad with computers.  This in itself means that these users have a higher probability of compromise.

---------

Notice that gender and race didn't enter the list (Age/Position/Tech Aptitude).  In my experience these are not consistent recurring factors that increase a user's probability for compromise.

The only caveat to the previous statement would be spear-phishing.  Perhaps an attacker has done their research on me (LinkedIn/Facebook/etc.)  They know my gender and race and craft a very specific email.  Then there is an increased risk; however, that is the exception, not the norm.

I believe you can take those three topics I listed and come up with subgroups with specific behaviour traits.  I've seen it all.

---The young guy who has a higher power job, thinks he's untouchable, a little cocky, minimal tech skills.

---The middle aged father, middle of the pack role at a company, absolutely no tech skills/awareness

---The ready to retire CEO, could care less if he/she ever sees let alone uses a computer, "My assistant does that work".  "What's this new thing called Social Media"

So What Now?

Well, as a security professional knowing this is half the battle.  It isn't wrong to suspect that someone is a higher risk for compromise.  If you treat them with a lack of respect that would be wrong.  

Treat them like every other user and accept that you cannot change them.  What you can do though, is mitigate risk.

With these folks the best, I mean the absolute best thing you can do (on top of using security best practices that are associated with their industry and your own security best practices) is EDUCATION.

Honestly if you have these high risk repeat offenders attend an education session on the dangers of Ransomware and you show them some real facts about how bad it is it can be enough to scare some folks in to being more vigilant.

Conduct practice sessions where people try and determine phishing scams from real product offers.

You can't make people change, but if you can at least get one high risk repeat offender to independently hover over that shiny link and choose not to click it, you should consider that a victory.

In summary:

It's ok to think in your mind that someone might be a higher security risk.  Don't treat them any differently than other users.  Educate them on the hazards of the cyber world and this simple act will make a world of difference.


Thanks for reading

Andrew Campbell

Friday, 15 January 2021

NSE: fcrdns


Forward-confirmed reverse DNS lookup

"...is a networking parameter configuration in which a given IP address has both forward (name-to-address) and reverse (address-to-name) Domain Name System (DNS) entries that match each other"[2] 

 


Usage:

 #nmap -Pn -sn --script fcrdns <target>

In the command above we are skipping the ping (-Pn) and the port scanning (-sn) stages of the nmap scan.

Above we have two scans using fcrdns.

Both return the host name.  Scan two however would be an interesting one to probe further.  It starts with "ns....." which for some admins is a naming convention reserved for Name Servers.  Next step would be to check for zone transfers and see what "dig" comes up with.
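The check the script performs, written out in Python as an added example (not nmap's fcrdns script).  The resolver is a constructed in-memory table using documentation addresses so it runs offline, and the function also handles IPv6 reverse names, which the post does not cover.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, modelled on what NSE fcrdns verifies.

Added example, not nmap's script.  The resolver is a constructed in-memory table so
the check runs offline and deterministically; for live use, replace TableResolver
with real PTR and A/AAAA queries.  It goes slightly beyond the post by handling
IPv6 as well as IPv4, since ipaddress builds the ip6.arpa name for us.
"""
import ipaddress
from typing import Dict, List, Tuple

def normalise_ip(ip: str) -> str:
    """Canonical text form so '2001:DB8::1' and '2001:db8:0::1' compare equal."""
    return str(ipaddress.ip_address(ip))

class TableResolver:
    """Constructed stand-in for DNS: reverse-pointer names -> PTR targets, hostnames -> addresses."""

    def __init__(self, ptr: Dict[str, List[str]], forward: Dict[str, List[str]]):
        self.ptr = {k.lower(): v for k, v in ptr.items()}
        self.forward = {k.lower().rstrip("."): [normalise_ip(a) for a in v] for k, v in forward.items()}

    def lookup_ptr(self, reverse_name: str) -> List[str]:
        return self.ptr.get(reverse_name.lower(), [])

    def lookup_addr(self, hostname: str) -> List[str]:
        return self.forward.get(hostname.lower().rstrip("."), [])

def fcrdns(ip: str, resolver: TableResolver) -> Tuple[str, str]:
    """Return ("PASS", confirmed hostname) or ("FAIL", reason).

    PASS requires a PTR record for the address whose target name resolves forward to
    that same address.  A PTR alone proves nothing, because whoever controls reverse
    DNS for the block can publish any name they like; the forward match is the check.
    """
    addr = ipaddress.ip_address(ip)
    names = resolver.lookup_ptr(addr.reverse_pointer)   # e.g. '7.100.51.198.in-addr.arpa'
    if not names:
        return "FAIL", "No PTR record"
    for name in names:
        if str(addr) in resolver.lookup_addr(name):
            return "PASS", name.rstrip(".")
    return "FAIL", "PTR name(s) do not resolve back to the address: " + ", ".join(names)

def rev(ip: str) -> str:
    """Reverse-pointer name for an address, used to key the constructed PTR table."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed sample data using RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_RESOLVER = TableResolver(
    ptr={
        rev("198.51.100.7"): ["web1.example.com."],   # forward and reverse agree
        rev("198.51.100.8"): ["mail.example.net."],   # PTR names a host that resolves elsewhere
        rev("2001:db8::1"): ["ns1.example.com."],     # IPv6 host, forward and reverse agree
    },
    forward={
        "web1.example.com": ["198.51.100.7"],
        "mail.example.net": ["203.0.113.25"],
        "ns1.example.com": ["198.51.100.53", "2001:db8::1"],
    },
)

if __name__ == "__main__":
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9", "2001:db8::1"):
        print(ip, fcrdns(ip, SAMPLE_RESOLVER))
```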


Reference:

[1] https://nmap.org/nsedoc/scripts/fcrdns.html

[2] https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

Sunday, 10 January 2021

Significant Cyber Incidents Since 2006

 

Let me introduce you to the "Centre for Strategic and International Studies." 

On their website they describe themselves as such:

"The Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit policy research organization dedicated to advancing practical ideas to address the world’s greatest challenges."

It's an interesting group and I highly encourage you to check out the website located in references.

There is one section of their site that caught my eye that I will highlight today.

"Significant Cyber Incidents"  

CSIS "... records significant cyber incidents since 2006. We focus on cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars." [1]

Their list is eye opening!  Content like this plays well into my thought process because I often ponder on the state of the cyber-world and the nation states that attack each other.  This site [CSIS] puts a little perspective on the situation.

I do want to say that cyber-warfare is usually a two-way relationship.  CSIS highlights foreign (to America) efforts to circumvent American and other global assets, but I did not see any documentation around American efforts to circumvent foreign assets.  Obviously they will not list how America is attacking other countries in cyber-space.

The list goes on-and-on for 54 pages and is actually quite an interesting read.  The draw for me is realizing the kinds of things that were happening in history.  "What was I doing in 2012? Oh my goodness there was a massive data breach in July of that year"  that kind of thing. 

On the list search for this: SCADA

If you are not sure what SCADA is, here is a definition "Supervisory control and data acquisition is a control system architecture comprising computers, networked data communications and graphical user interfaces."

It's a dull definition, yes.  However, the economic and political risks of this as a target for nation-states are astronomical.

"September 2012. Chinese hackers infiltrated Telvent Canada, an industrial automation company, and stole data related to SCADA systems throughout North America"

Krebs on Security referenced the attack in his article in September 2012 [4].  He outlined the details really well.  I included this incident as an example of the plethora of SCADA attacks that have occurred.

SCADA is our ability to automate infrastructure.  If this data were stolen, or compromised it would allow an attacker to do massive amounts of damage.  You dream it and it can be done.

Maybe reading lists like this is making me more paranoid.  I don't know if I care.  

Cyber-space is massive and there is so much happening all the time that we are not aware of.

CSIS is one resource for you stay on top of the cyber-relations of our world.

 

Stay tuned, I am working on an article geared towards the security risks specifically pointing at critical infrastructure.

 

Thanks,

Andrew Campbell

Reference:

[1] https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

[2] https://csis-website-prod.s3.amazonaws.com/s3fs-public/201218_Significant_Cyber_Events.pdf

[3] https://csis-website-prod.s3.amazonaws.com/s3fs-public/201222_Chinese_Espionage.pdf 

[4] https://krebsonsecurity.com/tag/telvent-canada-ltd/

Sunday, 3 January 2021

NSE: ftp-anon

We all know that poor security for an FTP server would be to allow the anonymous/anonymous credentials to hang around. That being said, it is conceivable that an admin may specifically have chosen this condition and there are measures in place to prohibit lateral movement.

When doing a pentest there are a number of ways to check the FTP service of a target.  A quick port scan, a poke with netcat can tell you some valuable information.

Let's look at NSE and do some recon.




Above is a successful running of the NSE script ftp-anon.

It is run with: #nmap -sV -sC [target ip] -p21

We are using the versioning switch (-sV) and the scripting switch (-sC).

It is important to note that if the server allows anonymous logins, it will also tell us the writable files of the root directory.

Let's take a look at a machine with an open port and FTP service running on it.


Look at what happens between the first (netcat) and the third (NSE) scan.  Netcat returns with an "open" state.  If one were to do a regular nmap scan of this machine at this point it would return with an "open" state as well.  When reviewing the third scan with NSE it actually comes back with "filtered."  This tells us that the FTP service does not have anonymous/anonymous set.

This information gives you some valuable information for your pentest.  In the second image we know that the target is using marginally more security at least by having some sort of authentication in place.

Next steps would be capitalizing on some social engineering and brute forcing the password. ;)

Make sure you have been given permission to perform pentests. 

 

Reference:

[1] https://nmap.org/nsedoc/scripts/ftp-anon.html