Saturday, September 22, 2018

Resizing a virtual image in VMware or Parallels

I made the mistake of not allocating enough virtual drive space for an OS X image I had set up to work from. First I had to get rid of all of my snapshots. This must have corrupted the catalog, and Disk Utility's First Aid wasn't doing anything to fix it. On top of that, when I created the image it was formatted with HFS instead of APFS.
I then read through a few sites on the ways it could be fixed. As you might have guessed, none of them helped.
Before resorting to a commercial product, I was able to come up with a working solution in both VMware Fusion and Parallels Desktop.
Prerequisite
A VM OS X image on a dedicated volume
Approach
HFS and VMware, while booting:
Hold Command+S to boot into single-user mode
At the single-user mode prompt: fsck -fy
Repeat until there are no more errors
At the prompt: reboot
From a terminal as root, execute:
/usr/sbin/diskutil resizeVolume / R
Done
HFS and Parallels, before booting:
In VM Configuration -> Hardware -> Boot Order -> Advanced, enter the following:
devices.mac.boot_args="-s"
Then boot the image
At the single-user mode prompt: fsck -fy
Repeat until there are no more errors
At the prompt: shutdown -h now
In VM Configuration -> Hardware -> Boot Order -> Advanced, remove the entry:
devices.mac.boot_args="-s"
Boot the VM image
From a terminal as root, execute:
/usr/sbin/diskutil resizeVolume / R
Done
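The "repeat fsck until there are no more errors" step above, as an added example (not from the original post): a bounded loop, so a volume that never comes clean is reported instead of being resized. It assumes a root shell on the VM and treats any non-zero exit of the repair command as "run it again"; the command and the retry limit are parameters.

```shell
#!/bin/sh
# Added example, not from the original post: wrap "run fsck until it
# reports clean, then resize" in a bounded loop so a volume that never
# comes clean is not resized. Assumes a macOS root (or single-user) shell
# and treats any non-zero exit of the repair command as "errors found,
# run again".

# repair_until_clean CMD [MAX_TRIES]
# Re-runs CMD (word-split, e.g. "fsck -fy") until it exits 0 or MAX_TRIES
# (default 5) is reached. Returns 0 when the check came back clean,
# 1 when the limit was hit.
repair_until_clean() {
  cmd=$1
  max=${2:-5}
  n=1
  while [ "$n" -le "$max" ]; do
    if $cmd; then
      echo "pass $n: clean"
      return 0
    fi
    echo "pass $n: errors reported, rerunning"
    n=$((n + 1))
  done
  echo "still not clean after $max passes, do not resize yet" >&2
  return 1
}

# grow_root_volume: the resize step from the post. R tells diskutil to
# grow the volume into all remaining free space on the virtual disk.
grow_root_volume() {
  /usr/sbin/diskutil resizeVolume / R
}

# Sequence from the post (uncomment to run for real):
#   single-user mode:  repair_until_clean "fsck -fy" 5 && reboot
#   after reboot, as root:  grow_root_volume
```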

Sunday, June 17, 2018

Dr. No


The meaning of security has different viewpoints depending on whom you ask in the organization: compliance to meet certification requirements, meeting legislative, regulatory (or industry) requirements, safeguarding the visibility and accessibility of personal information, or a set of non-functional requirements for implementing the appropriate controls. I have witnessed the differing definitions in many of the businesses I have consulted for over the years. I describe it as an incohesive mess that has devolved into twisted competitiveness for funding, headcount, and the position of prestige within the organization.

This negatively impacts and splinters the focus and purpose of Security as a business partner and a positive change agent. The difficulty lies in reaching consensus on how to fuse vying priorities and approaches to support the organization's vision and goals.

It seems evident that Security should be about advising the business on what path to take to improve its capability and performance in delivering the organization's goods and services: informing and providing business intelligence that draws on compliance, privacy, and the tactics, techniques, and processes for safeguarding the essence of the business, so that it can continue to be innovative with the freedom to diversify its capabilities.

It is time to squash the tendency of being seen as nothing but naysayers and roadblocks. To do this, we need to know what we're up against and the significance it can have on the business.

Saturday, March 31, 2018

Part 2 - Discovering Clusters of Vulnerabilities

tl;dr

Not sure if the RabbitMQ server is supposed to be installed on the RPi Controller, but I'm trying it anyway.

Installing RabbitMQ

First, we need to download a few files. Open a terminal and download the latest packages for Raspbian:

sudo -s
cd /home/pi/Downloads
wget -c https://packages.erlang-solutions.com/erlang/esl-erlang/FLAVOUR_1_general/esl-erlang_20.1.7-1~raspbian~stretch_armhf.deb
wget -c https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.7.4/rabbitmq-server_3.7.4-1_all.deb

Install the dependencies

apt-get install socat logrotate

Now install Erlang:

dpkg -i esl-erlang_20.1.7-1~raspbian~stretch_armhf.deb

Now install the RabbitMQ server

dpkg -i rabbitmq-server_3.7.4-1_all.deb

Install any missing packages, then reboot the RPi.

Configure Management Console

Open a terminal and enter the following commands (pi and clusterhat are the cluster's default username and password; substitute your own values if you prefer):

sudo -s
rabbitmq-plugins enable rabbitmq_management
rabbitmqctl add_user pi clusterhat
rabbitmqctl set_user_tags pi administrator
rabbitmqctl set_permissions -p / pi ".*" ".*" ".*"

The above commands perform the following actions:
  • Enable the management console
  • Create a new user for authenticated connections
  • Give the new user administrator privileges
  • Give the new user full control of exchanges/queues
Once this is complete, you can access the management console by opening a browser and navigating to the RPi Controller's internal IP address on port 15672 (e.g., https://192.168.1.1:15672).

Dashboard

Open a terminal and git clone the dashboard:

sudo -s
cd /home/pi
git clone https://github.com/tlkh/prowler-dashboard.git

Now run the dashboard, from the terminal:

cd /home/pi/prowler-dashboard
python3 app.py


Friday, March 30, 2018

Discovering Clusters of Vulnerabilities

tl;dr

I came across an interesting project while skimming through n0where.net. Apparently, someone (namely Faith See, Wong Chi Seng, and Timothy Liu) came up with the brilliant idea of using a cluster for discovering vulnerabilities on network endpoints. The project is called Prowler, and it is freely available on GitHub. They have a good running start on how to set it up, but there were a few gaps, which I'll attempt to fill in.

What piqued my interest is the use of Raspberry Pis (RPi) and a hat descriptively named Clusterhat, turned into an affordable testbed to explore. Who knows, this might be something that I can use for my day job, or something that I will use to make sure my network is up to date by turning it into some robotic process automation (a current project I'm working on).

The first identifiable problem has nothing to do with Prowler, but with the RPi's architecture, more specifically the onboard Ethernet port. Due to the way the Clusterhat and the RPis speak to one another, the RPi designated as the Controller is the bridge router (br0). The Zeros, which are the worker nodes on the Clusterhat, send their network traffic through usb0. Both the Zeros and the Controller are assigned their IP addresses from the network via DHCP. There are undoubtedly other ways this can be set up, such as statically assigning the IP addresses, and this is something I'll want to resolve, given that out of the box it's a severe bottleneck. How bad is it? Talking strictly about downloads from the Internet, the best I get is 0.98 Mbps (up is 4.61 Mbps) from the RPi Controller. The RPi is connected via a 10' Cat 6 cable to a 1 Gbps managed switch through a 1 Gbps router over a cable modem, where I get a consistent 269 Mbps download on any other device. I understand that the RPi Ethernet port is based on USB 2.0 and the maximum I can ever hope for is 300 Mbps. Let's just leave it at that and acknowledge there is room for improvement.

For now, I'm focused on getting this working.  Optimization comes later.

Recon 

Looking over what is documented (via the GitHub site), the authors recognize there are gaps, instruction-wise, in how this is put together. For example, the image of the cluster is a picture of a Clusterhat with four Zeros and three RPi 3Bs. One is for sure the controller, and the other two aren't called out in the description, but I assume they are for running the dashboard via Eel and handling the status updates via RabbitMQ.
But according to the contents of the Ansible playbook, they also had it set up with RPi 3Bs running as part of the cluster. I'll have to look into that later. For now, I wanted to get a working version up and running, so here is how to put one together.

Prerequisites 

  • Working understanding of networking - cables, switches, Internet, etc.
  • 5V 2A power source and cables to power the RPis
  • Clusterhat from 8086 - x1
  • RPi Zero W - x4 (or the non-wireless version)
  • RPi 3B (REM: The following instructions are not for the Raspberry Pi 3 B+. See the Clusterhat website for a description of the problem.)
  • 16 GB Class 10 micro SD - x4 (larger, smaller, your choice)
  • 128 GB Class 10 micro SD - x1 (larger, smaller, your choice)
  • An image writing tool to install the downloaded images onto the SD cards
  • You're a DIY type of person, and you've burned a few RPis in your day

Rules for 1st Time Setup

  • Keep all of the defaults "as is" until after everything is working
  • Don't modify any of the scripts, playbooks, etc. unless necessary to fix a setup/install problem
  • Whenever working in a terminal, run as root (sudo)

Prep 

Go to Clusterhat and download the following images:
  1. Desktop Controller - Desktop Stretch image for the controller
  2. P1 - Stretch Lite image for Zero P1
  3. P2 - Stretch Lite image for Zero P2
  4. P3 - Stretch Lite image for Zero P3
  5. P4 - Stretch Lite image for Zero P4
Decompress each of the files so that the .img is accessible to the image writing tool. I suggest installing the images as follows:
  • 128 GB - RPi 3B - Desktop Controller
  • 16 GB - RPi Zero
After piecing everything together, it's time to boot up.
REM: Piecing the RPis and Clusterhat together with the network, keyboard/mouse, HDMI and power is beyond the scope of this document.

Make sure you put the Zeros in the correct order. On version 2.0 of the Clusterhat, P1 is nearest to the GPIO and P4 is closest to the micro USB power port.

RPi Controller 

The RPi Controller will boot up; the Zeros won't until they are turned on. There's a GUI for this, but I like the CLI, so open a terminal on the RPi Controller.
REM: Make sure you have access to the Internet. If you don't, you'll need to correct that before you can move on to the rest of the guide.
The following appears to be redundant, but it significantly reduces the error rate:

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Find something to do; this might take a while. (REM: crippling download speed)
Once it's finished, issue your favorite reboot sequence (i.e., reboot, shutdown -r now, etc.).
Now let's git clone Prowler. From the terminal do the following (REM: be sure you are in the /home/pi directory when you clone the repository):

git clone https://github.com/tlkh/prowler

Now cd into the Prowler directory (pwd should then be /home/pi/prowler) and execute:

cd prowler
./setup_node.sh

REM: You might need to do a chmod +x *.sh first
The update/upgrade will run all over again, but it will take care of the rest of the requirements as far as libraries and additional packages such as Nmap.
Now let's install Ansible:

pip3 install ansible

Clusterhat 

Once everything is installed, it's time to get the Zeros up and running.
Turn on the Zeros via the CLI in a terminal:

clusterhat on

From the terminal type the following: 

minicom p1

REM: If challenged, remember the username is pi and the password is clusterhat
Let's see what IP address we have. At the terminal enter:

ifconfig usb0

It should return an IP address within the same range as the RPi Controller.
If not, try this as a fix:

dhclient -4 usb0

Now set up SSH and expand the filesystem to fill the SD card:

raspi-config
  1. Select - 5. Interfacing Options 
  2. Navigate to and select SSH
  3. Choose Yes
  4. Select Ok
  5. Select - 7. Advanced Options
  6. Select - A1 Expand Filesystem
  7. Select Ok
  8. Select Finish
  9. Select Yes - Would you like to reboot now?
Repeat the above steps for each of the remaining Zeros.
REM: Be sure to write down the IP address of each of the Zeros

Passwordless SSH 

Open a terminal on the RPi Controller

ssh-keygen

Press Enter at each prompt:

Enter file in which to save the key (/home/pi/.ssh/id_rsa): [Press Enter key]
Enter passphrase (empty for no passphrase): [Press Enter key]
Enter same passphrase again: [Press Enter key]

Now we need to copy the public key to each of the Zeros. In a terminal on the RPi Controller:

ssh-copy-id -i ~/.ssh/id_rsa.pub pi@<Zero's pX IP address>

When prompted for the password, enter: clusterhat
Now test whether we can connect to the Zero from the RPi Controller. In a terminal:

ssh pi@<Zero's pX IP address>

It should result in the following prompt:

pi@pX:~ $

If you see this prompt, it means success!
Now repeat these steps for the remaining Zeros (i.e., p2 to p4).

Ansible

The setup doesn't do this part for you, so you're going to have to do it yourself.
On the RPi Controller, in a terminal, create a directory called ansible in /etc:

mkdir /etc/ansible

Now create a file called hosts in the new ansible directory:

vim /etc/ansible/hosts

REM: Hope you wrote down the IP addresses for each of the Zeros
Add the following to the hosts file:

[all:vars]
ansible_connection=ssh
ansible_ssh_user=pi

[pi-cluster]

p1.local
p2.local
p3.local
p4.local

Now save (<ESC>:wq!)
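An added example (not from the original post or the Prowler project) that generates the hosts file above from the IP addresses you wrote down, so Ansible reaches each Zero by address via ansible_host rather than depending on p1.local mDNS names resolving. The group name pi-cluster and the [all:vars] block are the post's; the addresses in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build /etc/ansible/hosts from
# the Zero IP addresses noted during setup. Each node keeps its pX name but
# is reached by IP via ansible_host. Addresses below are constructed.

# valid_ipv4 ADDR: returns 0 if ADDR is four dotted octets, each 0..255.
valid_ipv4() {
  addr=$1
  case $addr in
    ''|*[!0-9.]*) return 1 ;;   # only digits and dots allowed
  esac
  old_ifs=$IFS
  IFS=.
  set -- $addr                  # split into octets (no glob chars possible)
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] || return 1
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# make_inventory NAME=IP [NAME=IP ...]
# Prints the INI-style inventory from the post with an ansible_host per
# node. Exits 1 on any malformed entry, so a typo from the notebook is
# caught before a playbook runs against the wrong host.
make_inventory() {
  for pair in "$@"; do
    name=${pair%%=*}
    ip=${pair#*=}
    if [ "$name" = "$pair" ] || ! valid_ipv4 "$ip"; then
      echo "bad entry: $pair (expected pX=a.b.c.d)" >&2
      return 1
    fi
  done
  printf '[all:vars]\nansible_connection=ssh\nansible_ssh_user=pi\n\n'
  printf '[pi-cluster]\n'
  for pair in "$@"; do
    printf '%s ansible_host=%s\n' "${pair%%=*}" "${pair#*=}"
  done
}

# Usage with constructed addresses, writing to the path the post uses:
# make_inventory p1=192.168.1.101 p2=192.168.1.102 \
#                p3=192.168.1.103 p4=192.168.1.104 > /etc/ansible/hosts
```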

Slight Mod 

I discovered during the setup process for the Zeros that one of the actions in the playbook assumed Prowler was already installed. Not sure if this is how it's meant to work, but the fix is to install it on each node. To do that, we're going to modify the setup_node.yml playbook by inserting a task to git clone Prowler on each Zero.
In a terminal on the RPi Controller:

cd /home/pi/prowler/playbooks
cp setup_node.yml setup_node.org

Now edit setup_node.yml with your favorite editor and add the following lines before the line with "Configure Python packages":

- name: Git a Clone of Prowler
  become: yes
  git:
    repo: https://github.com/tlkh/prowler
    dest: /home/pi/prowler
    clone: yes
- name: Git a Clone of dispy
  become: yes
  git:
    repo: https://github.com/pgiri/dispy
    dest: /home/pi/dispy
    clone: yes

REM: Follow the indentation of the surrounding playbook

Ansible Playbooks 

Let's see if all of the previous steps paid off.
On the RPi Controller, open a terminal and run the following: 

ansible-playbook /home/pi/prowler/playbooks/setup_node.yml 

This will take a while... 

When the setup is finished, execute the following:

ansible-playbook /home/pi/prowler/playbooks/clone_repos.yml

[To be continued]

The next step will be to set up the Eel dashboard.  Once I work out those details, I will post the DIY.

Reference

https://www.jeffgeerling.com/blogs/jeff-geerling/getting-gigabit-networking
https://clusterhat.com/setup-software
https://www.raspberrypi.org/documentation/installation/installing-images/README.md

Saturday, April 23, 2016

Google offers totally free of charge Babysitting Services

As a person who lives, breathes, and falls asleep only to continue dreaming about security, I'm always looking for a way to express the impact of the risks we take. I've created tools and defined methodologies to follow, to aid in solving problems or to expose them so we can learn more. Today's challenge is how we can maintain enough of our privacy to avoid being preyed upon.

Then along comes Google (and Facebook), demonstrating how privacy no longer exists. Bits and bytes of information have become the next gold rush, and all of it is done in plain sight. For example, when you ask Google (Home, Assistant, etc.) a question, or dictate a message hands-free, it's collected and stored just in case you need to go back because you forgot the question. Now, it might be convenient as a parent to monitor, track and identify what your kid is up to; now imagine this in the hands of some dubious person, a con artist, a competitor, a nemesis, your ex, or investigators of one form or another.

Don't believe me? Give it a try. In any browser, go to https://history.google.com and log in to (hopefully, one of many) Google accounts. Now take notice of what you searched for or the websites you happened to have visited... two years ago!

How about the convenience of a smartphone with a built-in GPS chip mashed up with your Google account? Go to https://www.google.com/maps/timeline and admire the pinpoint accuracy of everywhere you have been since you associated your Google account with your phone. It gets even better. Drill down into one of the many dots littered across the map.

Yes, George Orwell is having the last laugh.

After you recover from your head spinning from all of the nefarious possibilities, go ahead and poke around Facebook and discover what it has in store for you.

There are ways to protect your privacy. One is, of course, to stop using Google altogether, and in today's world that can be easier said than done.

Of course, there are many ways to try to cover your tracks, such as obfuscating your network traffic, but then you run into the issue of exit points involving Google. For example, using Tor to surf but logging into your Gmail account: you might fool Google into thinking you're at a cafe in France, but your history will expose you in other ways.

Or switch it off in the Google settings. But the genie is out of the bottle at this point. For all I know, the "switches" are just a placebo. If they can do it in plain sight, they certainly can do it without you knowing about it.

So a workable solution, though a bit slower at times, is to anonymize your time spent on the Internet. Wired has a good starting point to consider.

Ref: http://www.wired.com/2014/06/be-anonymous-online/

Final thought: if the rumors are true that Google does little to protect your privacy from your employer or law enforcement, it might be time to get off the Google grid.

Saturday, April 16, 2016

Yubico and Mac OS X Short Version

This assumes you already know how to set up your YubiKey, that it's a fresh install, and that you know your way around OS X.

If you don't, just follow the instructions available from Yubico's website. I helped to write that document, but some key points were changed, so I thought I'd correct it with this blog post.


Install Xcode from the App Store

Depending on your download speed, this might take a while, so grab a beverage of your choice.

Once this is complete, open a Terminal and accept Apple's licensing agreement:

sudo xcodebuild -license

Just to be sure the changes were made, I suggest rebooting.

Now open a terminal again and install the Xcode Command Line Tools:

sudo xcode-select --install

In the same terminal, install Homebrew:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

wget wasn't installed, so let's make sure we install it:

brew install wget
Follow the prompts; at one point it will ask you to enter your root credentials. Once the install is complete, run brew doctor:
brew doctor
Download the command line version of the Yubico tool:
cd ~/Downloads
wget -c https://developers.yubico.com/yubikey-personalization/Releases/ykpers-1.17.3-mac.zip
OS X may have already unzipped the file for you; otherwise, go ahead and decompress it and double-click on the package (pkg).

Now install the PAM library

brew install pam_yubico
For good measure, go ahead and reboot. Open a Terminal session and insert your YubiKey into a USB port. To create a key, type the following:
ykpamcfg -2
Unless you were able to log in as root, you will need to copy the key created in /var/root/.yubico into your home directory (cp needs -R to copy the directory):
sudo cp -R /var/root/.yubico ~/
The .yubico directory now needs to be owned by your account:
sudo chown -R $(whoami) ~/.yubico
To require the screensaver to have your yubikey inserted to be able to login, edit /etc/pam.d/screensaver
sudo vi /etc/pam.d/screensaver
Go to the last line that starts with 'auth', copy the line [yy] and paste it [p] so it becomes the next line.

Change the newly created line after 'required' to:

auth       required        pam_yubico.so mode=challenge-response
Now save the file. 

Now let's test whether it works.

To test that your YubiKey is required to deactivate the screensaver, remove your YubiKey, activate the screensaver, and at the login screen type your password.

It should fail.

Re-insert the yubikey, and re-enter the password.

You should now be able to successfully log back in.

Note: To make sure someone can't bypass the screensaver, open Apple Menu > System Preferences > Security & Privacy, check "Require password..." and set it to "immediately" in the dropdown.

Repeat the same process for logging into your Mac, except you'll need to change the /etc/pam.d/authorization file:
sudo vi /etc/pam.d/authorization
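The same PAM edit done by script, as an added example (not from the post or Yubico's documentation): it inserts the post's pam_yubico line after the last existing auth line, keeps a .bak copy, is safe to rerun, and refuses to touch a file with no auth line to anchor on, so it serves both the screensaver and the authorization file. It assumes a root shell on OS X.

```shell
#!/bin/sh
# Added example, not from the post or Yubico's docs: script the vi
# "copy the last auth line and edit it" step with a backup and a sanity
# check. A broken PAM file can lock you out, so keep a second root
# terminal open while testing; the .bak copy is the way back.
# Assumption: the exact pam_yubico line from the post.

YUBICO_LINE='auth       required        pam_yubico.so mode=challenge-response'

# add_yubico_auth FILE
# Inserts YUBICO_LINE directly after the last line beginning with "auth".
# Returns 0 if FILE now contains the line (inserted, or already there),
# 1 if FILE has no auth line and was left untouched.
add_yubico_auth() {
  file=$1
  if grep -q 'pam_yubico.so' "$file"; then
    echo "$file: pam_yubico already configured, nothing to do"
    return 0
  fi
  # Line number of the last "auth" entry; empty if there is none.
  last=$(grep -n '^auth' "$file" | tail -n 1 | cut -d: -f1)
  if [ -z "$last" ]; then
    echo "$file: no auth line found, not modifying" >&2
    return 1
  fi
  cp "$file" "$file.bak"
  # Print every line and append the new one after line $last; awk is
  # used because sed -i is not portable between BSD and GNU.
  awk -v n="$last" -v line="$YUBICO_LINE" \
    '{ print } NR == n { print line }' "$file.bak" > "$file"
}

# Usage from the post (run as root), then test at the lock screen:
#   add_yubico_auth /etc/pam.d/screensaver
#   add_yubico_auth /etc/pam.d/authorization
```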

Sunday, April 10, 2016

USB Armory

Prerequisites
Software
XCode Command-line Tools
Homebrew
XZ
Hardware
USB Armory
Micro SD with SD Adapter
MacBook/iMac
Download Image
Go to Offensive Security's website and download the latest copy of the USB Armory image
Unzip the image
In a terminal, go to the directory where the downloaded image is stored and decompress it:
xz -d kali-2.1.2-usbarmory.img.xz
Format Drive
  1. Connect the micro SD card to an external card reader. 
    • WARNING: Formatting the SD card deletes all the data off of the card.
  2. Open Disk Utility
  3. Find the SD card in the left side of the window
  4. Click the ERASE tab in the middle of the window.
  5. Next, click on the “Format” dropdown menu and select “MS-DOS (FAT)”
    • NOTE: Use “MS-DOS (FAT)” if the SD card is 32 GB or smaller; otherwise select “ExFAT”
  6. A message will appear asking, “Are you sure you want to erase the partition “[YOUR SD CARD NAME]”?” Click “Erase”. The computer will now delete the contents of your SD card and format it.
Install image to SD Card
  1. Run diskutil list to determine the SD card's device identifier
    • diskutil list
      • Note the SD card's device, e.g., /dev/disk3
  2. Open a Terminal and run
    • dd if=kali-2.1.2-usbarmory.img of=/dev/disk3
NOTE: The process for imaging an SD card for a Raspberry Pi is exactly the same.
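A guarded version of the dd step above, as an added example (not from the post or Offensive Security): dd writes wherever of= points and disk0 is normally the Mac's boot drive, so the target is validated as a whole-disk node other than disk0, the card is unmounted first, and the raw device is used. It assumes macOS diskutil and BSD dd; /dev/disk3 is only the post's example identifier.

```shell
#!/bin/sh
# Added example, not from the original post: a guard around the dd step.
# Assumes macOS (diskutil, BSD dd with bs=1m). The identifier /dev/disk3
# below is the post's example, not a fixed value.

# valid_sd_target DISK
# Accepts a whole-disk node such as /dev/disk3 (not a slice like
# /dev/disk3s1) and refuses disk0, the usual boot drive. Returns 0 if OK.
valid_sd_target() {
  case $1 in
    /dev/disk0|/dev/rdisk0)
      echo "refusing to write to disk0 (boot disk)" >&2
      return 1 ;;
    /dev/disk[1-9]|/dev/disk[1-9][0-9])
      return 0 ;;
    *)
      echo "expected a whole disk such as /dev/disk3, got: $1" >&2
      return 1 ;;
  esac
}

# raw_device DISK: /dev/diskN -> /dev/rdiskN (unbuffered; much faster for dd).
raw_device() {
  printf '/dev/r%s\n' "${1#/dev/}"
}

# write_image IMG DISK
# Validates the target, unmounts any volumes on it (a mounted card can be
# corrupted mid-write), then writes the image and flushes buffers.
write_image() {
  img=$1
  disk=$2
  [ -f "$img" ] || { echo "image not found: $img" >&2; return 1; }
  valid_sd_target "$disk" || return 1
  diskutil unmountDisk "$disk" || return 1
  sudo dd if="$img" of="$(raw_device "$disk")" bs=1m && sync
}

# Usage, after confirming the card's identifier with `diskutil list`:
# write_image kali-2.1.2-usbarmory.img /dev/disk3
```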

Mac OS X
Setup Networking on USB Armory

  1. Open Terminal and ssh into the USB Armory
ssh root@10.0.0.1
Change the IP Address on USB Armory
vi /etc/network/interfaces

  1. Change the address from 10.0.0.2 to 192.168.2.100 
  2. Change the gateway from 10.0.0.1 to 192.168.2.1
  3. Save the changes
  4. Reboot the USB Armory
Internet Sharing on the Mac

Go to System Preferences -> Sharing

Go to System Preferences -> Network

  1. Select RNDIS/Ethernet Gadget in the left column
  2. Select Manually from the dropdown for Configure IPv4
  3. Set the IP Address to 192.168.2.1
  4. Set the Subnet Mask to 255.255.255.0
  5. Leave the Router blank
  6. Click on Apply
SSH into the USB Armory
  1. SSH into the USB Armory using the IP address you set on it above
    • ssh root@192.168.2.100
  2. Run an apt-get update
    • apt-get update
  3. As long as the host is connected to the Internet, the package lists should start updating