owaspbwa – web testing fast-track

20 09 2013

WOW – has it really been since January !!!??? – time flies when you are having fun.

Just wanted to share a nice little project I came across when looking for vulnerable web apps etc.

Many many thanks to Mandiant for sponsoring the bundling of so many of these into the one VM. Means you don't have to spend the day setting up each one before you can start playing with them.

https://code.google.com/p/owaspbwa/

https://code.google.com/p/owaspbwa/wiki/UserGuide

All the favorites are there, as well as plenty I hadn’t seen before.

Applications designed for learning which guide the user to specific, intentional vulnerabilities.

One tip though: if you download the 1.1 VM, make sure you replace the tomcat init script as identified in this BR: https://code.google.com/p/owaspbwa/issues/detail?id=83 otherwise anything that relies on tomcat (WebGoat etc) won't work & will instead just give you the following warning:

503 - Service Temporarily Unavailable






LogMeIn.com SSL certificate has been suspended – Malware analysis

23 01 2013

I couldn't help myself, I had to take this new baby out for a run.

I ran it in Sandboxie, using BSA – and got the following from the report:

Report generated with Buster Sandbox Analyzer 1.84 at 13:23:54 on 23/01/2013

[ General information ]
* File name: e:\analysis\logmein\ssl_cert_logmein.scr

[ Changes to filesystem ]
* Modifies file (empty) E:\Analysis\logmein\ssl_cert_logmein.scr
* Creates file (empty) C:\Documents and Settings\Administrator\Application Data\Bydy\ziik.ila
* Creates file (empty) C:\Documents and Settings\Administrator\Application Data\Degi\ymnoo.epa
* Creates file C:\Documents and Settings\Administrator\Application Data\Feto\ypaf.exe

[ Network services ]
* Queries DNS "www.google.com.au".
* Queries DNS "ssl.gstatic.com".
* Queries DNS "www.google.com".

[ Process/window/string information ]
* Enables process privileges.
* Gets system default language ID.
* Gets computer name.
* Checks for debuggers.
* Installs a hook procedure that monitors mouse messages.
* Installs a hook procedure that monitors keystroke messages.

Ok – so it drops a file, deletes itself & does a couple of Google queries, installs a key & mouse logger …. but the important one is that it checks for debuggers ….. damn – I've been caught. Time to roll back the VM snapshot & try another way.

Before I run it outside the sandbox, I grab a registry snapshot with regshot & fire up wireshark.

HKU\S-1-5-21-682003330-1972579041-2146942695-500\Software\Microsoft\Windows\CurrentVersion\Run\Uvxexuk: ""C:\Documents and Settings\Administrator\Application Data\Udre\anuma.exe""
10.6.6.1 -> 8.8.8.8      DNS 80 Standard query 0x88da  A a5ccb72387a28161.com
8.8.8.8 -> 10.6.6.1     DNS 153 Standard query response 0x88da No such name

This time it drops a file (different random name this time) – but the important thing is that it sets it up to run on boot. We also see a DNS query for a5ccb72387a28161.com that doesn't return a value … hmmmmm

root@bt:~/BADFILES/LogMeIn-SSL/logmein_2# whois a5ccb72387a28161.com

No match for "A5CCB72387A28161.COM".
>>> Last update of whois database: Wed, 23 Jan 2013 04:19:45 UTC <<<

ok …. so it's not registered …. although I wonder what it would do if it could reach that domain / URL….

Time to fire up inetsim and see what happens

[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] connect
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] recv: Query Type A, Class IN, Name a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] send: a5ccb72387a28161.com 3600 IN A 10.6.6.11
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] disconnect
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] stat: 1 qtype=A qclass=IN qname=a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] connect
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: POST /dcbe7001/a507590e.php HTTP/1.1
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Accept: */*
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Host: a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Content-Length: 120
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Connection: Keep-Alive
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Cache-Control: no-cache
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: <(POSTDATA)>
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: POST data stored to: /var/lib/inetsim/http/postdata/294f5db6a7407efb43a12242b0e0dbec996cc4d3
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: Request URL: http:/ /a5ccb72387a28161.com/dcbe7001/a507590e[dot]php
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: Sending fake file configured for extension 'php'.
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: HTTP/1.1 200 OK
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Server: Microsoft-IIS/4.0
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Connection: Close
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Content-Length: 258
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Content-Type: text/html
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Date: Wed, 23 Jan 2013 03:51:52 GMT
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] stat: 1 method=POST url=http:/ /a5ccb72387a28161.com/dcbe7001/a507590e[dot]php sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/294f5db6a7407efb43a12242b0e0dbec996cc4d3
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] disconnect
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] connect
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: POST /dcbe7001/a507590e.php HTTP/1.1
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Accept: */*
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Host: a5ccb72387a28161.com
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Content-Length: 120
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Connection: Keep-Alive
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Cache-Control: no-cache
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: <(POSTDATA)>
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] info: POST data stored to: /var/lib/inetsim/http/postdata/b5fd16db60922e8b7d960748fc4e0af6c4a3dde5
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] info: Request URL: http:/ /a5ccb72387a28161.com/dcbe7001/a507590e[dot]php
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] info: Sending fake file configured for extension 'php'.
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: HTTP/1.1 200 OK
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Server: Microsoft-IIS/4.0
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Connection: Close
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Content-Length: 258
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Content-Type: text/html
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Date: Wed, 23 Jan 2013 03:51:53 GMT
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] stat: 1 method=POST url=http://a5ccb72387a28161.com/dcbe7001/a507590e.php sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/b5fd16db60922e8b7d960748fc4e0af6c4a3dde5
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] disconnect

and there it is, that looks like a phone home to me – it resolves the URL and instantly does two POSTs to the site http:/ /a5ccb72387a28161.com/dcbe7001/a507590e[dot]php
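The correlation done by eye above (a DNS answer from inetsim followed within a second by POSTs with a body to the same host) can be scripted. The following is an added example, not code from the original post: it parses inetsim log lines (a trimmed copy of the lines shown above is embedded as the sample) and reports every host that was resolved and then immediately received a POST carrying data. The function names are hypothetical.

```python
"""Triage helper for inetsim logs: correlate the fake DNS answer with the HTTP
requests that follow it, to surface phone-home behaviour.
Added example, not part of the original post. SAMPLE_LOG is copied (trimmed)
from the inetsim output in the post; the function names are hypothetical."""
import re
from datetime import datetime

SAMPLE_LOG = """\
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] connect
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] recv: Query Type A, Class IN, Name a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] send: a5ccb72387a28161.com 3600 IN A 10.6.6.11
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] disconnect
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] connect
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: POST /dcbe7001/a507590e.php HTTP/1.1
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Accept: */*
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Host: a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Content-Length: 120
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: <(POSTDATA)>
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: POST data stored to: /var/lib/inetsim/http/postdata/294f5db6a7407efb43a12242b0e0dbec996cc4d3
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] disconnect
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: POST /dcbe7001/a507590e.php HTTP/1.1
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Host: a5ccb72387a28161.com
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Content-Length: 120
"""

# [timestamp] [pid] [service sessionid] [client] kind[: payload]
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] \[\d+\] \[(?P<svc>\w+) (?P<sid>\d+)\] "
    r"\[(?P<client>[\d.:]+)\] (?P<kind>recv|send|info|stat|connect|disconnect)"
    r"(?:: (?P<payload>.*))?$")


def parse_events(text):
    """One dict per parseable log line, with the timestamp converted to datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def extract_dns_queries(events):
    """{name: (qtype, first_query_time)} for lookups the fake DNS received."""
    queries = {}
    for e in events:
        if e["svc"].startswith("dns_") and e["kind"] == "recv" and e["payload"]:
            m = re.search(r"Query Type (\w+), Class \w+, Name (\S+)", e["payload"])
            if m and m.group(2) not in queries:
                queries[m.group(2)] = (m.group(1), e["ts"])
    return queries


def extract_http_requests(events):
    """Reassemble one request per HTTP session: method, path, Host and Content-Length."""
    sessions, order = {}, []
    for e in events:
        if not e["svc"].startswith("http_") or e["kind"] != "recv" or not e["payload"]:
            continue
        key = (e["svc"], e["sid"])
        if key not in sessions:
            sessions[key] = {"ts": e["ts"], "method": None, "path": None, "host": None, "length": 0}
            order.append(key)
        s = sessions[key]
        m = re.match(r"(GET|POST|HEAD|PUT) (\S+) HTTP/", e["payload"])
        if m:
            s["method"], s["path"] = m.group(1), m.group(2)
        elif ":" in e["payload"]:
            name, _, value = e["payload"].partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "host":
                s["host"] = value
            elif name == "content-length" and value.isdigit():
                s["length"] = int(value)
    return [sessions[k] for k in order if sessions[k]["method"]]


def find_phone_home(text, window_seconds=5):
    """Hosts that were resolved and then, within the window, received POSTs with a body.
    Returns {host: {"dns_at": datetime, "posts": n, "bytes_out": total, "paths": set}}."""
    events = parse_events(text)
    dns = extract_dns_queries(events)
    hits = {}
    for r in extract_http_requests(events):
        if r["host"] not in dns or r["method"] != "POST" or r["length"] == 0:
            continue
        _, dns_at = dns[r["host"]]
        delta = (r["ts"] - dns_at).total_seconds()
        if 0 <= delta <= window_seconds:
            h = hits.setdefault(r["host"], {"dns_at": dns_at, "posts": 0, "bytes_out": 0, "paths": set()})
            h["posts"] += 1
            h["bytes_out"] += r["length"]
            h["paths"].add(r["path"])
    return hits


if __name__ == "__main__":
    for host, info in find_phone_home(SAMPLE_LOG).items():
        print(f"{host}: {info['posts']} POST(s), {info['bytes_out']} bytes out, paths {sorted(info['paths'])}")
```

On the sample this reports one host, two POSTs and 240 bytes of outbound data, which is exactly the beacon the post identifies; the POST bodies themselves are what inetsim saved under postdata/ and are worth pulling next.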

Interestingly, the two files dropped are different (MD5)

root@bt:~/BADFILES/LogMeIn-SSL/logmein_1# md5sum ypaf.exe
dc3f94ae190fd6db5f4a675097352768  ypaf.exe
root@bt:~/BADFILES/LogMeIn-SSL/logmein_1# md5sum anuma.exe
cad63849694322e025fbb0dcaf6d5a20  anuma.exe

but they both appear to be zbot

https://www.virustotal.com/file/bdfde6c2b6e25759dd1ea25a7d23905b6c55bc16c4ade9ce0658c4b66c440bcc/analysis/

https://www.virustotal.com/file/cd480e6b94ce259275014a80d3f98e29ebaabd021e4ecf65f0b224ad462e59fc/analysis/





LogMeIn.com SSL certificate has been suspended – Malware

23 01 2013

I have been a little behind with updating this blog, mainly due to work & family commitments, but it's also because I have been making my way through the book “Practical Malware Analysis” and had set up a sandpit in which to play around with some fun new toys to analyze executable files. Huge thanks to No Starch Press – do yourself a favour & get hold of a copy of it: http://nostarch.com/malware

So there I was, happily reading email when I received one that said my LogMeIn.com SSL certificate had been suspended ….. my initial thought was WTF? I don't have a LogMeIn.com SSL certificate. After opening the mail, seeing the alert that Google had kindly provided & then viewing the source of the email and seeing that it links to a zip file, my spidey sense was on full alert….

LogMeIn.com SSL Cert Email

So off to the google I went & sure enough, the first couple of hits are LogMeIn “Investigating” and a Threat alert from Cisco.

The first thing I notice is that it appears to be distributed, in that it's not just one email server sending these messages.

My Email (62.149.131.234 & 62.149.158.121)

Return-Path: <me@localhost.com>
Received: from smtpsmart1.aruba.it (smtpweb121.aruba.it. [62.149.158.121])
by mx.google.com with SMTP id g49si29182110eep.242.2013.01.22.04.34.13;
Tue, 22 Jan 2013 04:34:13 -0800 (PST)
Received-SPF: neutral (google.com: 62.149.158.121 is neither permitted nor denied by best guess record for domain of me@localhost.com) client-ip=62.149.158.121;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 62.149.158.121 is neither permitted nor denied by best guess record for domain of me@localhost.com) smtp.mail=me@localhost.com
Received: (qmail 9120 invoked by uid 89); 22 Jan 2013 12:34:12 -0000
Received: by simscan 1.2.0 ppid: 5136, pid: 8683, t: 1.6385s
scanners: clamav: 0.88.4/m:40/d:1945 spam: 3.1.4
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
smtpsmart1.fe.aruba.it
X-Spam-Level: *****
X-Spam-Status: No, score=5.2 required=6.5 tests=BAYES_50,HTML_IMAGE_ONLY_20,
MIME_HTML_ONLY,RDNS_NONE,SPF_FAIL autolearn=disabled version=3.2.5
Received: from unknown (HELO webs1224.aruba.it) (62.149.131.234)
by smtpsmart1.fe.aruba.it with SMTP; 22 Jan 2013 12:34:10 -0000
Received: from webs1224 ([127.0.0.1]) by webs1224.aruba.it with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 22 Jan 2013 13:33:35 +0100

From the LogMeIn.com post (80.67.28.160)

X-Msg-Ref: server-9.tower-85.messagelabs.com!1358859129!34525498!1
X-Originating-IP: [80.67.28.160]
X-SpamReason: No, hits=1.8 required=7.0 tests=HTML_60_70,
HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,ML_RADAR_SPEW_LINKS_18,
spamassassin:
X-StarScan-Received:
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10352 invoked from network); 22 Jan 2013 12:52:10 -0000
Received: from charybdis.ispgateway.de (HELO charybdis.ispgateway.de)
(80.67.28.160)  by server-9.tower-85.messagelabs.com with SMTP; 22 Jan 2013
12:52:10 -0000
Received: (qmail 17828 invoked from network); 22 Jan 2013 12:51:49 -0000
Received: from unknown (HELO charybdis.ispgateway.de) (127.0.0.1)  by
localhost with SMTP; 22 Jan 2013 12:51:49 -0000
Received: (from u195401@localhost)      by charybdis.ispgateway.de
(8.14.4/8.13.6/Submit) id r0MCpWg0016765;      Tue, 22 Jan 2013 13:51:32 +0100
Date: Tue, 22 Jan 2013 13:51:32 +0100
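The two header blocks above can be walked mechanically to confirm the point that the mails were injected from different places. This is an added example, not part of the original post: the Received: headers are copied from the two messages above with the folding whitespace restored by hand, and the function names are hypothetical.

```python
"""Walk a mail's Received: chain from the earliest hop upwards and pick out the
first globally routable IP, i.e. where the message entered the mail system.
Added example, not from the original post; MAIL_1 and MAIL_2 are the Received:
headers quoted in the post (folding whitespace restored). Function names are hypothetical."""
import ipaddress
import re

MAIL_1 = """\
Received: from smtpsmart1.aruba.it (smtpweb121.aruba.it. [62.149.158.121])
        by mx.google.com with SMTP id g49si29182110eep.242.2013.01.22.04.34.13;
        Tue, 22 Jan 2013 04:34:13 -0800 (PST)
Received: (qmail 9120 invoked by uid 89); 22 Jan 2013 12:34:12 -0000
Received: by simscan 1.2.0 ppid: 5136, pid: 8683, t: 1.6385s
        scanners: clamav: 0.88.4/m:40/d:1945 spam: 3.1.4
Received: from unknown (HELO webs1224.aruba.it) (62.149.131.234)
        by smtpsmart1.fe.aruba.it with SMTP; 22 Jan 2013 12:34:10 -0000
Received: from webs1224 ([127.0.0.1]) by webs1224.aruba.it with Microsoft SMTPSVC(6.0.3790.4675);
        Tue, 22 Jan 2013 13:33:35 +0100
"""

MAIL_2 = """\
Received: (qmail 10352 invoked from network); 22 Jan 2013 12:52:10 -0000
Received: from charybdis.ispgateway.de (HELO charybdis.ispgateway.de)
        (80.67.28.160)  by server-9.tower-85.messagelabs.com with SMTP; 22 Jan 2013
        12:52:10 -0000
Received: (qmail 17828 invoked from network); 22 Jan 2013 12:51:49 -0000
Received: from unknown (HELO charybdis.ispgateway.de) (127.0.0.1)  by
        localhost with SMTP; 22 Jan 2013 12:51:49 -0000
Received: (from u195401@localhost)      by charybdis.ispgateway.de
        (8.14.4/8.13.6/Submit) id r0MCpWg0016765;      Tue, 22 Jan 2013 13:51:32 +0100
"""

# Dotted quad not embedded in a longer dotted/digit run (avoids matching the
# date fragments in queue ids such as "...242.2013.01.22.04.34.13").
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold_headers(raw):
    """RFC 5322 unfolding: a line starting with whitespace continues the previous header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(raw):
    """Hops in transit order (earliest first). Each hop records the 'from' and 'by'
    hosts and every IP found in it, tagged with whether it is globally routable."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m_from = re.search(r"\bfrom\s+([^\s()]+)", value)
        m_by = re.search(r"\bby\s+([^\s()]+)", value)
        ips = []
        for ip in IP_RE.findall(value):
            try:
                ips.append((ip, ipaddress.ip_address(ip).is_global))
            except ValueError:  # e.g. an octet > 255 or a leading zero
                continue
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "ips": ips})
    hops.reverse()  # headers are prepended, so the bottom one is the oldest hop
    return hops


def origin_ip(raw):
    """First globally routable IP walking up from the earliest hop; loopback and
    private hops (local submission, 127.0.0.1 relays) are skipped."""
    for hop in received_hops(raw):
        for ip, is_global in hop["ips"]:
            if is_global:
                return ip
    return None


if __name__ == "__main__":
    for label, mail in (("my copy", MAIL_1), ("LogMeIn post", MAIL_2)):
        print(label, "entered the mail system from", origin_ip(mail))
```

Only the bottom-most hops can be trusted to the extent the receiving relay is trusted; anything below the first hop added by a server you control could be forged, which is why the two genuinely different entry points here (62.149.131.234 via aruba.it and 80.67.28.160 via ispgateway.de) are the interesting fact rather than the From: line.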

So anyway, back to the content, the link in the email to download a new SSL certificate is actually a link to a ZIP file. Note, the site is now requesting a login to get to the link.

http:/ / www [dot] austinpolishsociety [dot] org/bod/ssl_cert_logmein.zip

This ZIP file contains one file ssl_cert_logmein.scr

root@bt:~/BADFILES/LogMeIn-SSL# unzip -l ssl_cert_logmein.zip
Archive:  ssl_cert_logmein.zip
Length      Date    Time    Name
--------  ---------- -----   ----
324608  2013-01-22 03:38   ssl_cert_logmein.scr
--------                     -------
324608                     1 file
root@bt:~/BADFILES/LogMeIn-SSL# file ssl_cert_logmein.scr
ssl_cert_logmein.scr: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
root@bt:~/BADFILES/LogMeIn-SSL# md5sum ssl_cert_logmein.scr
dc2b9b72189957c8d3ce9d15d0f35bf1  ssl_cert_logmein.scr

Another quick Google & we see that this file has already hit the malware & virus check sites malwr.com and VirusTotal.

So even without executing this guy, I can already tell it's neither my “expired SSL cert” nor a screen saver (per the .scr file extension).

I plan to run this in a sandbox & see what else I can find, several sites are reporting it phones home, and virustotal is flagging it as Zeus / zbot – so remote control and/or banking credential capture …. nasty little bugger.

Interestingly when I downloaded the zip & scanned it with MS Security Essentials – no virus reported ….. wonder how long it will take to get a sig down for it.





Recovery Pi

17 07 2012

My previous single Raspberry Pi posts have been steps towards my “Recovery Pi”:

a small self-sufficient system that can be shipped to a remote site to facilitate serial (console) & network (mgmt LAN) connectivity to the remote devices.

• Raspberry Pi ($45)
http://www.raspberrypi.org/faqs

• USB->Serial Convertor ($30)
http://www.jaycar.com.au/productView.asp?ID=XC4834

• Cisco Console Cable

• Telstra 3G “Elite” USB Modem ($29)
http://www.telstra.com.au/internet/mobile-broadband-prepaid/get-started/#tab-elite-usb
– Telstra AUS Mobile Internet $180/year (365 day access | 1.46c per MB in AUS | $15.36 per MB Intl Roaming)

• 8GB SDHC Mem Card ($10)

• USB Power Brick (~10hrs run) ($20)
http://www.tevion-cameras.com/popups/MPP_7400_au_popup_02/

• USB Powered Hub ($18)
http://hakshop.myshopify.com/products/usb-powered-hub

• Total Retail Startup Cost: $152 AUD


===Built on the existing Debian Squeeze image===

http://downloads.raspberrypi.org/images/debian/6/debian6-19-04-2012/debian6-19-04-2012.zip

===Telstra 3G USB Modem===

root@raspberrypi:~# apt-get install usb-modeswitch pppd

root@raspberrypi:~# dmesg | grep ttyUSB
usb 1-1.2.4: GSM modem (1-port) converter now attached to ttyUSB0
usb 1-1.2.4: GSM modem (1-port) converter now attached to ttyUSB1
usb 1-1.2.4: GSM modem (1-port) converter now attached to ttyUSB2
usb 1-1.2.3: pl2303 converter now attached to ttyUSB3

root@raspberrypi:~# cat /etc/chatscripts/telstra
ABORT 'NO CARRIER'
ABORT 'NO DIALTONE'
ABORT 'BUSY'
ABORT 'ERROR'
ABORT 'NO ANSWER'
'' 'ATZ'
OK 'AT&F'
OK 'ATQ0 V1 E1'
OK 'AT&D2 &C1'
OK 'AT+FCLASS=0'
OK 'ATS0=0'
OK 'AT+CGDCONT=1,"IP","telstra.internet"'
OK 'ATDT*99#'
CONNECT ''

root@raspberrypi:~# cat /etc/ppp/peers/telstra
/dev/ttyUSB2
460800
modem
crtscts
defaultroute
noipdefault
usepeerdns
ktune
noauth
lock
nobsdcomp
novj
connect "/usr/sbin/chat -v -f /etc/chatscripts/telstra"

root@raspberrypi:~# pon

root@raspberrypi:~# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
inet addr:10.138.162.113  P-t-P:10.64.64.64  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
RX packets:705 errors:0 dropped:0 overruns:0 frame:0
TX packets:624 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:621353 (606.7 KiB)  TX bytes:40301 (39.3 KiB)

root@raspberrypi:~# poff

===3G Connection On Boot===

root@raspberrypi:~# cat /etc/network/interfaces
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

auto lo
iface lo inet loopback

auto ppp0
iface ppp0 inet ppp
provider telstra

===Reverse SSH Connection & AutoSSH===

root@raspberrypi:~# ssh-keygen

root@raspberrypi:~# ssh-copy-id recoverypi@jumphost

-Manual-
root@raspberrypi:~# ssh -R 2222:localhost:22 recoverypi@jumphost

-Auto-
root@raspberrypi:~# apt-get install autossh

root@raspberrypi:~# autossh -M 20000 -f -N -R 2222:localhost:22 recoverypi@jumphost  -i /root/.ssh/id_rsa

Add the command into /etc/rc.local before the “exit 0” line & you are good to go on every reboot.

autossh -M 20000 -f -N -R 2222:localhost:22 recoverypi@jumphost  -i /root/.ssh/id_rsa

– Connect to your JumpBox & verify the Pi has “phoned home”

recoverypi@jumpbox:~$ netstat -ant | grep 2222
tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN
tcp6 0 0 ::1:2222 :::* LISTEN

– Connect across the reverse SSH tunnel to the Pi

recoverypi@jumpbox:~$ ssh root@127.0.0.1 -p 2222
root@127.0.0.1’s password:
Linux raspberrypi 3.1.9+ #84 Fri Apr 13 12:27:52 BST 2012 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 17 22:27:42 2012 from raspberrypi
root@raspberrypi:~#
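The netstat check above is worth scripting on the jumphost, because the thing to verify is not just that port 2222 is listening but that it is bound to loopback only (which is what ssh -R gives you unless sshd's GatewayPorts option is turned on). This is an added example, not from the original post: the first sample is the netstat output shown above, the second is a constructed variant of what an exposed tunnel port would look like, and the function names are hypothetical.

```python
"""Verify on the jumphost that the Pi's reverse tunnel is up and bound to loopback.
Added example, not part of the original post. NETSTAT_OK is the `netstat -ant`
output from the post; NETSTAT_EXPOSED is constructed. Function names are hypothetical."""
import ipaddress

NETSTAT_OK = """\
tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN
tcp6 0 0 ::1:2222 :::* LISTEN
"""

# Constructed: the same tunnel port listening on every interface of the jumphost.
NETSTAT_EXPOSED = """\
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp6 0 0 :::2222 :::* LISTEN
"""


def parse_listeners(netstat_output):
    """Return (proto, local_address, port) for every LISTEN row of `netstat -ant`."""
    rows = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue  # headers, non-listening sockets, blank lines
        addr, _, port = fields[3].rpartition(":")  # works for both 1.2.3.4:22 and ::1:22
        rows.append((fields[0], addr, int(port)))
    return rows


def tunnel_status(netstat_output, port=2222):
    """Is `port` listening, and is every listener on it a loopback address?"""
    listeners = [(proto, addr) for proto, addr, p in parse_listeners(netstat_output) if p == port]
    exposed = []
    for proto, addr in listeners:
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False  # unparseable address: treat as exposed rather than guess
        if not loopback:
            exposed.append(f"{proto} {addr}:{port}")
    return {"listening": bool(listeners), "loopback_only": not exposed, "exposed": exposed}


if __name__ == "__main__":
    for label, sample in (("as posted", NETSTAT_OK), ("constructed exposed case", NETSTAT_EXPOSED)):
        print(label, tunnel_status(sample))
```

In practice you would feed it the live output (`netstat -ant` or `ss -ltn`, reshaped to the same columns) from cron and alert when `listening` goes false (the Pi dropped off) or `loopback_only` goes false (the Pi's root shell is now reachable by anyone who can reach the jumphost).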

===MINICOM===

root@raspberrypi:~# apt-get install minicom

root@raspberrypi:~# minicom -D /dev/ttyUSB3 -b 9600 -o

Welcome to minicom 2.4

OPTIONS: I18n
Compiled on Sep  7 2010, 01:26:06.
Port /dev/ttyUSB3

Press CTRL-A Z for help on special keys

border-rtr>
border-rtr>en
Password:
border-rtr#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(46a), RELEASE SOFTWARE (fc1)

===TFTP===

root@raspberrypi:~# apt-get install xinetd tftpd tftp

root@raspberrypi:~# vi /etc/xinetd.d/tftp

————————————-
service tftp
{
protocol        = udp
port            = 69
socket_type     = dgram
wait            = yes
user            = nobody
server          = /usr/sbin/in.tftpd
server_args     = /tftpboot
disable         = no
}
————————————-

root@raspberrypi:~# mkdir /tftpboot
root@raspberrypi:~# chmod -R 777 /tftpboot
root@raspberrypi:~# chown -R nobody /tftpboot

root@raspberrypi:~# /etc/init.d/xinetd stop
Stopping internet superserver: xinetd.
root@raspberrypi:~# /etc/init.d/xinetd start
Starting internet superserver: xinetd.
root@raspberrypi:~#






Raspberry Pi Runtime on Battery

4 07 2012

In a previous post, I mentioned the battery pack I bought from our local Aldi store “Tevion MPP 7400” – portable 7400mAh Li-Po Battery Pack. After many questions of “how long will it run” – I decided to find out.

I ran the Pi on this with the USB Wireless NIC & USB->Serial Console cable until it ran no more – and to my surprise, this nearly ran for 11 hours straight.

10hrs 55minutes to be exact

22:17:01 up 10:55,  1 user,  load average: 0.00, 0.01, 0.05

Sooooo – with that runtime – it should give plenty of portable time on target between charges.





Telstra 3G Raspberry Pi

3 07 2012

Bringing a couple of my previous posts together, I finally got my Telstra 3G dongle to work on the Raspberry Pi.

First challenge was the device detecting as a CD-ROM (to make it easier for Windoze users). This is quickly solved by installing usb_modeswitch (notice the change from device 19d2:2000, presented as a CD-ROM, to 19d2:0031, the USB modem mode).

root@raspberrypi:~# lsusb | grep ZTE
Bus 001 Device 004: ID 19d2:2000 ONDA Communication S.p.A. ZTE MF627/MF628/MF628+/MF636+ HSDPA/HSUPA

root@raspberrypi:~# apt-get install usb-modeswitch

root@raspberrypi:~# lsusb | grep ZTE
Bus 001 Device 005: ID 19d2:0031 ONDA Communication S.p.A. ZTE MF110/MF636

Unplugging and plugging the dongle back in now gives you the ttyUSB devices you need.

root@raspberrypi:~# dmesg | grep ttyUSB
usb 1-1.2.3: GSM modem (1-port) converter now attached to ttyUSB0
usb 1-1.2.3: GSM modem (1-port) converter now attached to ttyUSB1
usb 1-1.2.3: GSM modem (1-port) converter now attached to ttyUSB2
usb 1-1.2.3: GSM modem (1-port) converter now attached to ttyUSB3

The easy thing to do would be to use the sakis3g script – it's compiled for arm ….. but I couldn't get it to work, it would just fail to connect.

Next easiest thing would be to use wvdial …. however this isn't ported to arm …. dammit

So, it's back to pppd & chat scripts.

root@raspberrypi:~# cat telstra.chat
ABORT 'NO CARRIER'
ABORT 'NO DIALTONE'
ABORT 'BUSY'
ABORT 'ERROR'
ABORT 'NO ANSWER'
'' 'ATZ'
OK 'AT&F'
OK 'ATQ0 V1 E1'
OK 'AT&D2 &C1'
OK 'AT+FCLASS=0'
OK 'ATS0=0'
OK 'AT+CGDCONT=1,"IP","telstra.internet"'
OK 'ATDT*99#'
CONNECT ''

root@raspberrypi:~# /usr/sbin/pppd /dev/ttyUSB2 460800 modem crtscts defaultroute noipdefault usepeerdns ktune noauth lock nobsdcomp novj connect "/usr/sbin/chat -v -f /root/telstra.chat"

At this point, the dongle light flashed, I did the victory dance & poured a drink – however it was short lived.

Looking at the logs in /var/log/messages – we see something wrong. pppd connects, but then the USB dongle disconnects (the bus resets) – bugger.

Jul  3 21:25:21 raspberrypi pppd[1619]: Serial connection established.
Jul  3 21:25:21 raspberrypi pppd[1619]: Using interface ppp0
Jul  3 21:25:21 raspberrypi pppd[1619]: Connect: ppp0 <--> /dev/ttyUSB2
Jul  3 21:25:22 raspberrypi pppd[1619]: PAP authentication succeeded
Jul  3 21:25:22 raspberrypi pppd[1619]: kernel does not support PPP filtering
Jul  3 21:25:26 raspberrypi kernel: DEBUG:handle_hc_chhltd_intr_dma:: XactErr without NYET/NAK/ACK
Jul  3 21:25:26 raspberrypi kernel:
Jul  3 21:25:26 raspberrypi kernel: DEBUG:handle_hc_chhltd_intr_dma:: XactErr without NYET/NAK/ACK
Jul  3 21:25:26 raspberrypi kernel:

<snip>

Jul  3 21:25:28 raspberrypi kernel:
Jul  3 21:25:28 raspberrypi kernel: DEBUG:handle_hc_chhltd_intr_dma:: XactErr without NYET/NAK/ACK
Jul  3 21:25:28 raspberrypi kernel:
Jul  3 21:25:28 raspberrypi kernel: DEBUG:handle_hc_chhltd_intr_dma:: XactErr without NYET/NAK/ACK
Jul  3 21:25:28 raspberrypi kernel:
Jul  3 21:25:29 raspberrypi kernel: usb 1-1.2: USB disconnect, device number 8
Jul  3 21:25:29 raspberrypi kernel: option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
Jul  3 21:25:29 raspberrypi kernel: option 1-1.2:1.0: device disconnected
Jul  3 21:25:29 raspberrypi kernel: option1 ttyUSB1: GSM modem (1-port) converter now disconnected from ttyUSB1
Jul  3 21:25:29 raspberrypi kernel: option 1-1.2:1.1: device disconnected
Jul  3 21:25:29 raspberrypi pppd[1619]: Modem hangup
Jul  3 21:25:29 raspberrypi pppd[1619]: Connection terminated.
Jul  3 21:25:29 raspberrypi kernel: option1 ttyUSB2: GSM modem (1-port) converter now disconnected from ttyUSB2
Jul  3 21:25:29 raspberrypi kernel: option 1-1.2:1.3: device disconnected
Jul  3 21:25:29 raspberrypi kernel: option1 ttyUSB3: GSM modem (1-port) converter now disconnected from ttyUSB3
Jul  3 21:25:29 raspberrypi kernel: option 1-1.2:1.4: device disconnected

I had read about power causing issues on the USB devices, sometimes displaying these debug messages, so I tried using the 2A supply, but got the same result. I then tried out my funky new powered USB hub, courtesy of the crew @ Hak5.

Having the USB Data & USB Power plugs both in the Pi – it now works like a charm, the kernel debug messages are a thing of the past.

Jul  3 21:37:55 raspberrypi chat[1307]: CONNECT
Jul  3 21:37:55 raspberrypi chat[1307]:  -- got it
Jul  3 21:37:55 raspberrypi chat[1307]: send (^M)
Jul  3 21:37:55 raspberrypi pppd[1305]: Serial connection established.
Jul  3 21:37:55 raspberrypi pppd[1305]: Using interface ppp0
Jul  3 21:37:55 raspberrypi pppd[1305]: Connect: ppp0 <--> /dev/ttyUSB2
Jul  3 21:37:56 raspberrypi pppd[1305]: PAP authentication succeeded
Jul  3 21:37:56 raspberrypi pppd[1305]: kernel does not support PPP filtering
Jul  3 21:37:58 raspberrypi pppd[1305]: Could not determine remote IP address: defaulting to 10.64.64.64
Jul  3 21:37:58 raspberrypi pppd[1305]: local  IP address 10.138.162.113
Jul  3 21:37:58 raspberrypi pppd[1305]: remote IP address 10.64.64.64
Jul  3 21:37:58 raspberrypi pppd[1305]: primary   DNS address 10.4.182.20
Jul  3 21:37:58 raspberrypi pppd[1305]: secondary DNS address 10.4.81.103

root@raspberrypi:~# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol  
          inet addr:10.138.162.113  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:705 errors:0 dropped:0 overruns:0 frame:0
          TX packets:624 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:621353 (606.7 KiB)  TX bytes:40301 (39.3 KiB)
root@raspberrypi:~# traceroute www.google.com
traceroute to www.google.com (74.125.237.148), 30 hops max, 60 byte packets
1  10.5.194.242 (10.5.194.242)  635.526 ms  674.257 ms  683.415 ms
2  * * *
3  * * *
4  Bundle-Ether12.fli8.Adelaide.telstra.net (120.151.255.29)  780.113 ms  779.887 ms  779.557 ms
5  Bundle-Ether1.fli-core1.Adelaide.telstra.net (203.50.11.9)  779.381 ms  779.129 ms  787.440 ms
6  Bundle-Ether9.win-core1.Melbourne.telstra.net (203.50.11.91)  787.405 ms  110.280 ms  105.926 ms
7  Bundle-Pos3.ken-core4.Sydney.telstra.net (203.50.11.12)  122.242 ms  122.008 ms  121.642 ms
8  Bundle-Ether1.ken39.Sydney.telstra.net (203.50.6.146)  134.345 ms  134.449 ms  149.559 ms
9  72.14.198.54 (72.14.198.54)  179.171 ms  179.048 ms  156.730 ms
10  66.249.95.226 (66.249.95.226)  115.508 ms  108.826 ms  118.016 ms
11  72.14.237.137 (72.14.237.137)  137.651 ms  125.653 ms  124.900 ms
12  syd01s13-in-f20.1e100.net (74.125.237.148)  119.918 ms  119.181 ms  118.817 ms
root@raspberrypi:~#




WiFi Pi

29 06 2012

The next logical step was to remove the dependency on physical ethernet cabling to my Raspberry Pi.

I struggled with a couple of cards, but eventually got success with a tiny little NG54/N150 Wireless USB Micro Adapter – WNA1000M.

I can't claim the credit – it was a combination of the following sites that eventually got a result.

http://www.69b.org/prox-pi.php/rpo/phpBB3/viewtopic.php?f=66&t=6737&sid=6f0540c1c93a8bd41b309c6832b6058b
http://www.ctrl-alt-del.cc/2012/05/raspberry-pi-meets-edimax-ew-7811un-wireless-ada.html
http://www.raspberrypi.org/phpBB3/viewtopic.php?f=28&t=5249

http://www.raspberrypi.org/phpBB3/viewtopic.php?f=26&t=6256
http://dl.dropbox.com/u/80256631/install-rtl8188cus.txt
http://dl.dropbox.com/u/80256631/install-rtl8188cus.sh

root@raspberrypi:~# apt-get install wget unzip wireless-tools wpasupplicant
root@raspberrypi:~# wget http://www.electrictea.co.uk/rpi/8192cu.ko
root@raspberrypi:~# wget ftp://ftp.dlink.com/Wireless/dwa130_revC/Drivers/dwa130_revC_drivers_linux_006.zip
root@raspberrypi:~# unzip dwa130_revC_drivers_linux_006.zip

root@raspberrypi:~# install -m 644 ./8192cu.ko /lib/modules/3.1.9+/kernel/drivers/net/wireless/
root@raspberrypi:~# depmod -a

root@raspberrypi:~# mkdir -p /usr/local/lib/firmware/RTL8192U
root@raspberrypi:~# mv rtl8192u_linux_2.6.0006.1031.2008/firmware/RTL8192U/* /usr/local/lib/firmware/RTL8192U/
root@raspberrypi:~# vi /etc/wpa_supplicant/wpa_supplicant.conf

root@raspberrypi:~# cat /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=2

network={
ssid="WiFiNetworkSSID"
key_mgmt=WPA-PSK
proto=WPA2
pairwise=CCMP
group=CCMP
psk="C0mpl3xS3cur3P$K"
}
root@raspberrypi:~#

touch /etc/modprobe.d/blacklist.conf
echo "blacklist rtl8192cu" >> /etc/modprobe.d/blacklist.conf
touch /etc/modules
echo "8192cu" >> /etc/modules

**If your wifi is wlan2 or wlan3 etc - you can rename by deleting the old nics from ....

root@raspberrypi:~# vi /etc/udev/rules.d/70-persistent-net.rules

root@raspberrypi:~# vi /etc/network/interfaces

auto wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

And for the results:

root@raspberrypi:~# lsusb
Bus 001 Device 004: ID 0846:9041 NetGear, Inc. WNA1000M 802.11bgn [Realtek RTL8188CUS]

root@raspberrypi:~# iwconfig wlan0
wlan0     IEEE 802.11bgn  ESSID:"WiFiNetworkSSID"  Nickname:"<WIFI@REALTEK>"
          Mode:Managed  Frequency:2.447 GHz  Access Point: 02:5E:52:7A:AF:12   
          Bit Rate:150 Mb/s   Sensitivity:0/0  
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:****-****-****-****-****-****-****-****   Security mode:open
          Power Management:off
          Link Quality=88/100  Signal level=88/100  Noise level=0/100
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

root@raspberrypi:~# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr c4:3d:c7:79:3a:04  
          inet addr:192.168.0.140  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:261 errors:0 dropped:0 overruns:0 frame:0
          TX packets:140 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:53777 (52.5 KiB)  TX bytes:33212 (32.4 KiB)




Tor & disabling IPv6 in Linux

23 06 2012

Install & configure tor / privoxy & proxychains

– Add a new repo

vi /etc/apt/sources.list

deb http://deb.torproject.org/torproject.org lucid main

– Get the key

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

– Install

apt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy

– Check privoxy config to make sure listen address is 127.0.0.1:8118 & configure socks4a proxy

vi /etc/privoxy/config

listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .

– change keep-alive-timeout & socket-timeout to 600

keep-alive-timeout 600
socket-timeout 600

– Start privoxy

/etc/init.d/privoxy start

– Change your browser to point @ your proxy 127.0.0.1:8118
– Check that you connect over tor

https://check.torproject.org/

– Next up, install proxychains so you can use other tools over tor

apt-get install proxychains

– Verify the following line is in /etc/proxychains.conf

socks4 127.0.0.1 9050

– Remove tor & privoxy from startup (init when you need them)

update-rc.d -f tor remove
update-rc.d -f privoxy remove

– Start them up

service tor start
service privoxy start

– Check its working – “proxychains <command>”

root@bt:~# netstat -antp | grep LISTEN
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      3569/privoxy
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      3562/tor

root@bt:~# curl -s icanhazip.com
101.171.255.232

root@bt:~# proxychains curl -s icanhazip.com
|S-chain|-<>-127.0.0.1:9050-<><>-174.132.254.58:80-<><>-OK
31.172.30.1

– Have fun, then shut em down when you are done

service privoxy stop
service tor stop

– There are many reasons you may not want IPv6 running on your machine (for example if you were using tor & didn't want IPv6 traffic to go directly to a target instead of via your IPv4 socks proxy)

root@bt:~# vi /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

root@bt:~# sysctl -p
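The settings in the steps above are easy to get subtly wrong (privoxy listening on all interfaces makes it an open proxy to the LAN; a missing forward-socks4a rule means requests go out directly; IPv6 left on gives traffic a way around the SOCKS path). Here is a small lint for the two files, as an added example that is not part of the original post: the config texts are constructed inline and the function names are hypothetical.

```python
"""Lint the privoxy config and sysctl.conf lines from the post: loopback-only
listener, everything forwarded to tor's SOCKS port, IPv6 switched off.
Added example, not from the original post; all config text below is constructed
and the function names are hypothetical."""
import ipaddress

# Constructed: the settings the post asks for.
PRIVOXY_OK = """\
listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .
keep-alive-timeout 600
socket-timeout 600
"""

# Constructed: same forward rule, but listening on every interface.
PRIVOXY_EXPOSED = """\
listen-address 0.0.0.0:8118
forward-socks4a / 127.0.0.1:9050 .
"""

# Constructed: the sysctl.conf lines from the post.
SYSCTL_OK = """\
#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
"""


def parse_directives(text, sep=None):
    """(key, value) pairs from non-comment lines. sep=None splits on the first
    space (privoxy style); sep='=' handles sysctl.conf."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(sep or " ")
        pairs.append((key.strip(), value.strip()))
    return pairs


def _is_loopback(host):
    host = host.strip("[]")  # privoxy writes IPv6 listeners as [::1]:8118
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def privoxy_findings(text):
    """List of problems with a privoxy config; empty means it matches the intended setup."""
    conf = dict(parse_directives(text))
    findings = []
    listen = conf.get("listen-address")
    if listen is None:
        findings.append("no listen-address set")
    elif not _is_loopback(listen.rsplit(":", 1)[0]):
        findings.append(f"listen-address {listen} is not loopback-only")
    fwd = conf.get("forward-socks4a", "")
    if not fwd.startswith("/ 127.0.0.1:9050"):
        findings.append("forward-socks4a does not send all requests to tor on 127.0.0.1:9050")
    return findings


def ipv6_disabled(text):
    """True when both the 'all' and 'default' IPv6 disable switches are set to 1."""
    conf = dict(parse_directives(text, sep="="))
    return all(conf.get(k) == "1" for k in (
        "net.ipv6.conf.all.disable_ipv6", "net.ipv6.conf.default.disable_ipv6"))


if __name__ == "__main__":
    print("privoxy ok:", privoxy_findings(PRIVOXY_OK))
    print("privoxy exposed:", privoxy_findings(PRIVOXY_EXPOSED))
    print("ipv6 disabled:", ipv6_disabled(SYSCTL_OK))
```

Read the real files with `open("/etc/privoxy/config").read()` and `open("/etc/sysctl.conf").read()` in place of the constructed strings; note that sysctl.conf only says what will be applied at boot or on `sysctl -p`, so the running values in /proc/sys/net/ipv6/conf/ are what to check after the fact.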





Telstra3G USB in Linux

23 06 2012

Telstra 3G USB Dongles are good for connectivity on the go.

http://www.zte.com.au/telstra/MF626i.htm
https://wiki.ubuntu.com/AustralianTeam/Projects/WirelessBroadbandInformation

root@bt:~# lsusb | grep ZTE
Bus 001 Device 005: ID 19d2:0031 ONDA Communication S.p.A. ZTE MF110/MF636

root@bt:~# dmesg | grep ttyUSB
[ 2306.101269] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB0
[ 2306.101613] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB1
[ 2306.102140] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB2
[ 2306.102487] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB3
root@bt:~#

There is a hard way using wvdial etc – or an easy way. I chose the easy way – a great little script called sakis3g

====================================

http://wiki.sakis3g.org/wiki/index.php?title=Sakis3G_script
http://www.sakis3g.org/#download

wget "http://www.sakis3g.org/versions/latest/i386/sakis3g.gz"
gunzip sakis3g.gz
chmod +x sakis3g
./sakis3g --interactive

====================================

root@bt:~/scripts# ./sakis3g connect USBINTERFACE="3" APN="telstra.internet"

root@bt:~/scripts# ./sakis3g connect info
MF626s connected to Telstra (50501).
Connection Information

Interface: P-t-P (ppp0)

Connected since: 2012-06-11 20:52
Kilobytes received: 376
Kilobytes sent: 57

Network ID: 50501
Operator name: Telstra
APN: telstra.internet

Modem: MF626s
Modem type: USB
Kernel driver: option
Device: /dev/ttyUSB2

IP Address: 10.192.124.71
Subnet Mask: 255.255.255.255
Peer IP Address: 10.64.64.64
Default route(s): 10.64.64.64
====================================

root@bt:~/scripts# ./sakis3g disconnect
Disconnected.





Do you want to be Certyfied Ethical Hacker ?

19 06 2012

This one caught my eye on LinkedIn ………. I guess “Free IT Security Training” doesn’t really have an advertising budget … but really ?? does this give you confidence in the course ?

I thought perhaps it was a posting by someone using one of the leaked passwords – but then it's actually linked to the same post on pentest magazine.

http://pentestmag.com/do-you-want-to-be-certyfied-ethical-hacker/