Wednesday, July 27, 2022

OWASP Juice Shop Virtual Machine

    OWASP Juice Shop is one of the go-to tools for learning the ins and outs of web application penetration testing. The project offers a number of different levels for testers of all skill-sets. One of the issues with the project though is that the setup isn't exactly the easiest for everyone out there. The OWASP github page provides great and detailed instructions but sometimes folks just want a simple download of an appliance that simply requires a network connection and a power button; Enter JuiceShopped!

    While probably unnecessary, I hope that it'll be useful to other folks out there looking to get into webapp and even general pentesting. This project provides a pre-configured OVA (virtualbox appliance) running Devuan Daedalus and a current version of OWASP's Juice Shop. The appliance is setup so that all the user has to do is set the appliance's network adapter to Host-only Adapter and then power on the virtual machine!

    Highlights of the machine:

  1. Devuan Daedalus
  2. Machine will pull a DHCP address
  3. Auto starts Juice Shop at boot time

The long term plan for the project is to continuously update the virtual appliance so that folks can simply download the appliance and have a turnkey Juice Shop VM. As time goes along, I'm hoping to automate or at least provide a method to update JuiceShopped so that a new VM won't have to be downloaded/imported each time there is a new release as well!
 

    If you're interested, please download the OVA and share any feedback at the Github page here:  JuiceShopped!

at No comments:
Labels: , , , ,

Saturday, July 23, 2022

Daemonizing a Perl Script with Sysv

    Following up on a previous article in regards to broadcasting UDP data in Perl, here, a need to build a Linux system to run this Perl script at boot time was requested. Simple enough and as with many things in the Perl/Linux world TIMTOWTDI!

    Some background on how all this came about. A door control system was being evaluated and it was determined that it was susceptible to replay attacks. Yes, simply capturing a plaintext broadcasted packet and replaying it would cause this particular door control system to happily lock/unlock doors! Wanting to have a way to train others on how to do this, the messages needed to triggered so that students could capture the messages without requiring both a Window's machine to run the door control software and a person to trigger the controls; Enter Devuan and Perl!

    A quick installation of a minimal Devuan system was performed and then an init script was devised to start the Perl code that would randomly trigger one of four doors periodically. Initially this sounded like it would be far more difficult than it turned out to be and provided a great learning opportunity on how to leverage hash of hashes in Perl (roughly multidimensional arrays in other languages - I'm by no means an expert at why Perl doesn't really have multidimensional array but Gabor Szabo, as usual, has a article on the subject here). None the less, a single multidimensional hash was used to keep track of a number of important things for this door system.

# Four doors allowed by controller
# Status -> Zero = closed, One = open
my %Door_Data = (
  '1' => { 'open' => { 'o_code' => 'f98501', 'o_comm' => '01030303' },
          'close' => { 'c_code' => '796c01', 'c_comm' => '02030303' },
         'status' => 0, 'magic' => '04' }, 
  '2' => { 'open' => { 'o_code' => '853001', 'o_comm' => '03010303' },
          'close' => { 'c_code' => 'e73101', 'c_comm' => '03020303' },
         'status' => 0, 'magic' => '08' }, 
  '3' => { 'open' => { 'o_code' => 'bac601', 'o_comm' => '03030103' },
          'close' => { 'c_code' => 'b9e401', 'c_comm' => '03030203' },
         'status' => 0, 'magic' => '10' }, 
  '4' => { 'open' => { 'o_code' => 'e8ef01', 'o_comm' => '03030301' },
          'close' => { 'c_code' => '90ec01', 'c_comm' => '03030302' },
         'status' => 0, 'magic' => '20' }
  );

    So the hash contains a hash which contains a hash; Hash-ception! For anyone interested the rest of the Perl script will be posted on my github since it's not the main purpose of this article. The jist of it is the script simply obtains the network address of the eth0 interface and then randomly chooses a door, determines if the door is opened or closed according to the script (still researching how to determine this from the controller itself), and then determines the proper code and command to send to perform the lock/unlock action against the door.

    Now the process of making the init script to run on Devuan at startup. Launching a Perl program as a daemon on system start-up was not something I'd ever done before but always happy to learn something new. Since this script would rely on a number of system services, getting the dependencies correct would prove to be very important.

#! /bin/sh
### BEGIN INIT INFO
# Provides:          door_lock.pl
# Required-Start:    $local_fs $network $remote_fs $named $time
# Required-Stop:     $local_fs $network $remote_fs $named
# Should-Start:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Launch door unlock/lock script
# Description:       Launch Perl script as system Daemon
### END INIT INFO

    While extensive testing wasn't done on the required system facilities, it was noted that $local_fs and $network were obviously necessary. The next step was to create the required actions. For this start-up script, and most of the ones I create, start|stop|status|restart are all determined to be good options.

    Each of the different actions would leverage start-stop-daemon and since the Perl script doesn't have code to fork on it's own, the --background option for start-stop-daemon will be needed when starting this process at boot (I plan to go back and utilize fork in the Perl code later though). The previous requirements led to a case statement looking like the following.

PATH='/usr/local/bin:/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin'
PIDFILE='/run/door_lockd.pid'
DAEMON='/usr/local/sbin/door_control.pl'
NAME='door_lockd'

. /lib/init/vars.sh
. /lib/lsb/init-functions

case "$1" in
  start)
	log_daemon_msg "Starting Door Control daemon" "$NAME" || true
	if start-stop-daemon --start --background --chuid 0:0 -m --pidfile $PIDFILE --exec $DAEMON; then
		log_end_msg 0 || true
	else
		log_end_msg 1 || true
	fi
	;;

  restart)
	log_daemon_msg "Restarting Door Control daemon" "$NAME" || true
	start-stop-daemon --stop --quiet --oknodo --retry TERM/3/KILL/5 --remove-pidfile --pidfile $PIDFILE
	if start-stop-daemon --start --background --chuid 0:0 -m --pidfile $PIDFILE --exec $DAEMON; then
 		log_end_msg 0 || true
	else
		log_end_msg 1 || true
	fi
	;;

  stop)
	log_daemon_msg "Stopping Door Control daemon" "$NAME" || true
	if start-stop-daemon --stop --quiet --oknodo --retry TERM/3/KILL/5 --remove-pidfile --pidfile $PIDFILE ; then
		log_end_msg 0 || true
	else
		log_end_msg 1 || true
	fi
	;;

  status)
	status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
	;;
  *)
	echo "Usage: door_lockd.sh [start|stop|restart|status]" >&2
	exit 3
	;;
esac
exit 0

     Thinking everything was good to go at this point, I used update-rc.d <name_of_script> defaults to install the proper symbolic links to the init script in the proper rcX.d directories and rebooted. Sadly upon reboot the Perl program wasn't running but oddly enough there was a PID file and init messages showed that there weren't any errors starting. So the init script definitely ran but there were no signs of whether the Perl program started. Some further reading about the --background argument lead me to wonder if something failed but start-stop-daemon was unable to check the status. Turned out that wasn't the case and the real issue was determined by removing --quiet from the start-stop-daemon and noticing that the Perl code indeed ran but was attempting to open the necessary socket for sending the UDP data before the network adapter was actually ready! So I modifed the Perl program to no longer die on failure to open a socket but rather warn. I also modified the program so that it wouldn't actually try to send data if the socket failed. Oddly, I was under the impression that the $network variable meant that the network adapter would be online and ready to go (ie configured with whatever protocol was needed on that adapter) before init would attempt to run this init script. None the less, the system was rebooted again and low-and-behold the init script kicked off the Perl program as a background daemon and after waiting a little while for the delay in the script to kick out a UDP message, the ether was once again presented with UDP data being broadcasted out to the world.

root@Devuan:~# tcpdump -i eth0 -nn 'port 60000'
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:45:17.1920 IP 192.168.1.19.35133 > 255.255.255.255.60000: UDP, length 1172
19:45:23.1926 IP 192.168.1.19.38198 > 255.255.255.255.60000: UDP, length 1172
19:45:25.1932 IP 192.168.1.19.36199 > 255.255.255.255.60000: UDP, length 1172
19:45:27.1937 IP 192.168.1.19.39466 > 255.255.255.255.60000: UDP, length 1172
19:45:32.1945 IP 192.168.1.19.53527 > 255.255.255.255.60000: UDP, length 1172

    Watching the door locks being evaluated was also entertaining as they were randomly locking and unlocking with no one interacting with the control console: Success!

at No comments:
Labels: , , ,

Thursday, July 21, 2022

Alfa AWUS036ACH Driver on Devuan

    Well Prime day came and went recently. To my excitement, I was able to get a nice deal on a new Alfa AWUS036ACH USB Wi-Fi adapter! Upon receiving the adapter I quickly went to test it on the laptop only to find that Devuan didn't have the proper firmware to use the adapter. Dang!

root@Devuan:~# dmesg --follow
[ 1154.560128] usb 1-1.1.1: new high-speed USB device number 10 using ehci-pci
[ 1154.669536] usb 1-1.1.1: New USB device found, idVendor=0bda, idProduct=8812, bcdDevice= 0.00
[ 1154.669546] usb 1-1.1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1154.669550] usb 1-1.1.1: Product: 802.11n NIC
[ 1154.669553] usb 1-1.1.1: Manufacturer: Realtek
[ 1154.669556] usb 1-1.1.1: SerialNumber: 123456
...

root@Devuan:~# lsusb -d 0bda:8812 -v

Bus 001 Device 010: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter
Device Descriptor:
...
  idVendor           0x0bda Realtek Semiconductor Corp.
  idProduct          0x8812 RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter
  iManufacturer           1 Realtek
  iProduct                2 802.11n NIC
    Normally at this point, I'll check repositories for non-free firmware and hope that the distribution maintainers have already pre-packaged the needed firmware.

root@Devuan:~# apt-cache search 8812
firmware-realtek - Binary firmware for Realtek wired/wifi/BT adapters

root@Devuan:~# apt-cache show firmware-realtek | grep 8812
  * Realtek RTL8812AE Bluetooth firmware (rtl_bt/rtl8812ae_fw.bin)
  * Realtek RTL8821AEFW firmware (rtlwifi/rtl8812aefw.bin)
  * Realtek RTL8821AEFW wowlan firmware (rtlwifi/rtl8812aefw_wowlan.bin)

    Well that's a bummer. It doesn't appear that the realtek firmware package in Devuan's repository doesn't include the needed code for this new adapter! Well off to Alfa's site to see where the source is available. Luckily from the looks of it, Alfa has already shared a number of instructions for getting the driver working on different distributions here. A quick review of the page shows that Kali, Ubuntu, and Debian already have guides available which is really good news! So to get things started, the firmware needs to be downloaded. 

git clone https://github.com/morrownr/8812au-20210629.git

    Now at this point one could run the install script but it does request root privileges and I'm not a particularly trusting individual when it comes from code downloaded off the internet. So taking a look at the install script shows that there's only a handful of things that actually need root privileges (installing the module and the module's configuration file being the main items). Easy enough to get around.

aut0exec@devuan:~$ cd 8812au-20210629/
aut0exec@devuan:~/8812au-20210629$ make clean
aut0exec@devuan:~/8812au-20210629$ make

    Once the make process finishes, hopefully error free, there will be a file named 8812au.ko as well as 8812au.conf in the current directory. These files then need to be copied to the proper locations ('su -c' will prompt for root's password).

aut0exec@devuan:~/8812au-20210629$ su -c "cp 8812au.conf /etc/modprobe.d/"
aut0exec@devuan:~/8812au-20210629$ su -c "cp 8812au.ko /lib/modules/$(uname -r)/kernel/drivers/net/wireless/"
aut0exec@devuan:~/8812au-20210629$ su -c "/sbin/depmod $(uname -r)"

    After all of these steps, the module should be ready to go! One could simply reboot but this shouldn't be necessary; just unplug the adapter and plug it back in. 

root@Devuan:~# dmesg --follow
[ 6192.608297] usb 1-1.1.1: new high-speed USB device number 11 using ehci-pci
[ 6192.721143] usb 1-1.1.1: New USB device found, idVendor=0bda, idProduct=8812, bcdDevice= 0.00
[ 6192.721149] usb 1-1.1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 6192.721151] usb 1-1.1.1: Product: 802.11n NIC
[ 6192.721152] usb 1-1.1.1: Manufacturer: Realtek
[ 6192.721153] usb 1-1.1.1: SerialNumber: 123456
[ 6193.100284] usbcore: registered new interface driver rtl8812au  <--------SUCCESS!
[ 6193.117356] rtl8812au 1-1.1.1:1.0 wlx00c0caaff351: renamed from wlan1 <--SUCCESS!
...

root@Devuan:~# lsmod | grep 8812
8812au               2191360  0
cfg80211              970752  4 b43,8812au,mac80211,brcmsmac
usbcore               323584  5 ehci_pci,usbhid,ehci_hcd,8812au

root@Devuan:~# ip a sh dev wlan0
3: wlx00c0caaff351: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state DORMANT group default qlen 1000
    link/ether de:ad:be:ef:c0:de brd ff:ff:ff:ff:ff:ff permaddr de:ad:be:ef:c0:de

Success! There is now an extra wireless adapter showing up in the output of the 'ip a' command as well as the new module shows as loaded in the output of 'lsmod'. Enjoy connecting to the all the networks!

at No comments:
Labels: , , ,

Tuesday, July 12, 2022

Broadcasting UDP data with Perl!

    The other day a scenario presented itself in which a device waited for broadcast traffic to a specific port in order to perform different actions. Horrible security posture aside, this presented an interesting opportunity to practice some sockets in Perl!

#!/usr/bin/env perl
use strict;
use warnings;
use IO::Socket;

my $sock = IO::Socket::INET->new(
	Proto => 'udp',
	PeerPort => '5555',
    # Could use network specific broadcast below instead
	PeerAddr => '255.255.255.255',
	LocalAddr => '192.168.1.19',
	Broadcast => 1,
	autoflush => 1,
) or die "Error opening socket: $!\n";

$sock->send('Perl broadcasting to the UDP world!');

    After a quick save and some root privileges, tcpdump presented the following datagram heading out to the ether!


root@aut0exec:~# tcpdump -i any -nn -X 'udp and port 5555'

21:04 eth0  Out IP 192.168.1.19.60735 > 255.255.255.255.5555: UDP, length 35
	0x0000:  4500 003f 44a1 4000 4011 3452 c0a8 0113  E..?D.@.@.4R....
	0x0010:  ffff ffff ed3f 15b3 002b c1f7 5065 726c  .....?...+..Perl
	0x0020:  2062 726f 6164 6361 7374 696e 6720 746f  .broadcasting.to
	0x0030:  2074 6865 2055 4450 2077 6f72 6c64 21    .the.UDP.world!

    From here, I had some other things to do with code for other purposes but none the less, simply getting the broadcast to 255.255.255.255 via UDP was an ordeal. Hopefully, this post can save someone else some troubles later!

at No comments:
Labels: , ,

Sunday, July 10, 2022

Devuan on a Raspberry Pi using Serial Console

     Greetings! As anyone who knows me might know, I'm an avid Linux fan and specifically I enjoy Devuan. I have my reasons like everyone but for me, it just works. That is to say until I decided to head down the Devuan on a Raspberry Pi (RPi) path! Long story short, I was given a RPi4 at work and asked to setup a dropbox of sorts and noticing that Devuan had some Daedalus (next release of Devuan) images available at the ARM Trial Images page, I thought this would be a great opportunity to try out the new release on a new RPi4. 

    One of the first things immediately noticed was that the RPi4 uses USB-C for power as well as a micro HDMI for video out. Shoot! USB-C wasn't an issue but the micro HDMI would prove to be an issue. Not to fear like all my other RPi's, the Pi 4 also supports a UART interface and I have more than a few UART capable devices laying around at all times.  

    After downloading the Daedalus zip from Devuan's site, extracting it, and writing it to the micro-sd card for the Pi, I set off to enable the UART interface by modifying the RPi's config.txt file on the boot partition. Normally when doing this, all that had been needed with recent distros like Raspbian was to add enable_uart=1 to the config.txt file. 

    Prior to booting the Pi, a connection to the primary serial interface is needed to see the output. A JTAGulator board was used for this purpose. So making the proper connections from the JTAGulator to the RPi was follows:

JTAGulator Pin RPI GPIO Pin
GNDPin 9
CH0Pin 8
CH1Pin 10

    Hopefully at this point, the following command can be used to access the JTAGulator interface picocom -q -b 115200 /dev/ttyUSB0.Upon successful connection, the JTAGulator ascii art should be displayed and a UART passthrough connection can be configured.

# picocom -q -b 115200 /dev/ttyUSB0
                                    UU  LLL
 JJJ  TTTTTTT AAAAA  GGGGGGGGGGG   UUUU LLL   AAAAA TTTTTTTT OOOOOOO  RRRRRRRRR
 JJJJ TTTTTTT AAAAAA GGGGGGG       UUUU LLL  AAAAAA TTTTTTTT OOOOOOO  RRRRRRRR
 JJJJ  TTTT  AAAAAAA GGG      UUU  UUUU LLL  AAA AAA   TTT  OOOO OOO  RRR RRR
 JJJJ  TTTT  AAA AAA GGG  GGG UUUU UUUU LLL AAA  AAA   TTT  OOO  OOO  RRRRRRR
 JJJJ  TTTT  AAA  AA GGGGGGGGG UUUUUUUU LLLLLLLL AAAA  TTT OOOOOOOOO  RRR RRR
  JJJ  TTTT AAA   AA GGGGGGGGG UUUUUUUU LLLLLLLLL AAA  TTT OOOOOOOOO  RRR RRR
  JJJ  TT                  GGG             AAA                         RR RRR
 JJJ                        GG             AA                              RRR
JJJ                          G             A                                 RR

           Welcome to JTAGulator. Press 'H' for available commands.
         Warning: Use of this tool may affect target system behavior!

> u

UART> v
Current target I/O voltage: Undefined
Enter new target I/O voltage (1.4 - 3.3, 0 for off): 3.3
New target I/O voltage set: 3.3
Warning: Ensure VADJ is NOT connected to target!

UART> p
UART pin naming is from the target's perspective.
Enter X to disable either pin, if desired.
Enter TXD pin [0]: 
Enter RXD pin [0]: 1
Enter baud rate [0]: 115200
Enable local echo? [y/N]: 
Entering UART passthrough! Press Ctrl-X to exit...

    After applying power to the RPi, Kernel messages proceeded to fly across the screen as expected until the final portion of the init sequence in which getty should should be spawned to allow for interacting with the RPi running Devuan.

### Trimmed Kernel messages for brevity###
Starting firstboot:
 Expanding root filesystem ...
 Running fsck on boot partition ...
.
INIT: Entering runlevel: 2
Using makefile-style concurrent boot in runlevel 2.
Setting up console font and keymap...done.
Starting enhanced syslogd: rsyslogd.
LED Service:mmc0
.
Governor:performance
.
haveged: command socket is listening at fd 3
Starting periodic command scheduler: cron.
Mounting zramswap virtual memory:Setting up swapspace version 1, size = 1024 MiB (1073737728 bytes)
no label, UUID=cf07e06f-a881-491f-8eca-bb86a4fc9362
.
Starting NTP server: ntpd2022-07-09T05:32:55 ntpd[1293]: INIT: ntpd ntpsec-1.2.1: Starting
2022-07-09T05:32:55 ntpd[1293]: INIT: Command line: /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec
.
Starting system message bus: dbus.
Starting bluetooth: bluetoothd.
Starting session management daemon: elogind
.
Starting Avahi mDNS/DNS-SD Daemon: avahi-daemon.
Starting OpenBSD Secure Shell server: sshd.
Starting network connection manager: NetworkManager.
Checking credentials:
Restarting OpenBSD Secure Shell server: sshd.
.

    Sadly immediately after the messages about SSH, the CLI simply appears to hang. Normally this is when getty should be started and a login prompt visible. Dang! Alright after some trial and error a solution was found by visiting the inittab file in the RPi's ROOTFS partition and correcting the proper line to enable a serial getty. To accomplish this task, ensure that the RPI's microSD card is accessible and modify the following line in ROOTFS/etc/inittab.


<File contents trimmed for brevity>
# Example how to put a getty on a serial line (for a terminal)
#
#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100 <-- This line needs changed
#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100
#
<File contents trimmed for brevity>

--- Corrected line contents below

<File contents trimmed for brevity>
# Example how to put a getty on a serial line (for a terminal)
#
T0:23:respawn:/sbin/getty -L serial0 115200 linux
#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100
#
<File contents trimmed for brevity>

Saving the file and booting the RPI again yielded a successful prompt over the serial interface.

Starting bluetooth: bluetoothd.
Starting session management daemon: elogind.
Starting Avahi mDNS/DNS-SD Daemon: avahi-daemon.
Starting OpenBSD Secure Shell server: sshd.
Starting network connection manager: NetworkManager.

Devuan GNU/Linux daedalus/ceres devuanpi serial0

devuanpi login:

Success! At this point the default username:password (devuan:devuan) can be used to log in and continue configuring the RPi as desired. Hopefully this can save others some headaches trying to get a serial interface working through Devuan on a RPi. 

EDIT - Worth noting this process also works on a RPi 2 running Devuan Daedalus.

at No comments:
Labels: , ,

Friday, July 8, 2022

Hello world!

- Obligatory first post. 😎


Still working out the theming kinks so check back later and hopefully things will look better!

at
Subscribe to: Posts (Atom)