
Prepping for the OSCP: Kali/ARM/NIST/FIPS/AES/Python Download: www.tavve.com/misc

Chuck Craft

Tavve Software

[email protected]

@bubbasnmp

16.05.15

Overview

• What I do / Why OSCP? / What is OSCP?

• Offensive Security Certified Professional

• Kali (ARM / Raspberry Pi)

• Python (NIST / FIPS / AES)

• Misc. / Questions

What I do

Network-management protocols and the plumbing around them: ICMP, SNMP, SNMPv3, traps, syslog, NetFlow, NTP, TACACS, Radius, ssh, telnet, RDP, SSL/TLS, https, sftp, scp; NMS, NPM and SIEM integration; DMZ and air-gap deployments.

CISSP

What next?

Certifications, organizations and conferences on the radar: CEH, OSCP, ISSA, ISACA, ISC2, GIAC, InfraGard, UMSA, BCPA, BOFH, SANS, DC612, CCSP, SSCP, OWASP, CISM, CISA, CSX, CREST, GPEN, BSides, ___CON

Lake Wobegon

My day job

ICMP, SNMP, SNMPv3, traps, syslog, NetFlow, NTP, TACACS, Radius, ssh, telnet, RDP, SSL/TLS, https, sftp, scp, SIEM, NMS, NPM, DMZ ... and now: Pentest

What next? OSCP

Out of CEH, OSCP, ISSA, ISACA, ISC2, GIAC, InfraGard, UMSA, BCPA, BOFH, SANS, DC612, CCSP, SSCP, OWASP, CISM, CISA, CSX, CREST, GPEN, BSides and ___CON, the pick is OSCP.

Offensive Security Certified Professional (OSCP)

• Hands-on offensive information security certification

• Arduous twenty-four (24) hour certification exam

• Hosted Penetration Testing Virtual Labs

• Penetration Testing with Kali Linux (PWK)

– Online training

– 30? 40? CPEs upon completion

Try Harder™

https://www.offensive-security.com/

What is Kali

• Successor to BackTrack Linux – released 2013

• Debian based

• Developed, funded, and maintained by Offensive Security

• More than 600 penetration testing tools

• Penetration Testing, Forensics and Reverse Engineering

• Current version – Kali-Rolling (2016.1), ARM 2.1.2

https://www.kali.org/

Kali Downloads

• Full Kali ISO – 32/64 bit i386 / amd64 (~3GB)

• Kali Light ISO – Subset of tools (~1GB)

• Kali Mini – 32/64 bit network install (30 MB)

• Kali Light – armel / armhf (do it yourself ARM)

• Prebuilt Kali Images – 32/64 bit VMware/VirtualBox

• Custom ARM Images

• Docker

• https://www.kali.org/downloads/

Who/What is ARM

• 1985 - Acorn RISC Machine

• 1990 – spun out to ARM Ltd

• Cambridge, UK - Global HQ

• Primary business is selling IP cores

• Over 60 billion ARM based chips shipped to date (99% of smartphones/tablets [1])

• Over 1100 licenses signed with over 300 companies

[1] http://www.bloomberg.com/bw/articles/2014-02-04/arm-chips-are-the-most-used-consumer-product-dot-where-s-the-money

Kali Custom ARM Images

https://github.com/offensive-security/kali-arm-build-scripts

• CompuLab

• Chromebook

• CubieBoard

• CuBox

• Raspberry Pi

• BeagleBone Black

• USB Armory

• ODROID

• NanoPi 2

• RIoTboard

Destruction – on a budget

• http://null-byte.wonderhowto.com/

• wifite

• SET (Social-Engineer Toolkit)

Raspberry Pi models (as of May 2016; "n/a" = not listed on the slide)

Model | SoC | CPU | Memory | Card slot | USB | Ethernet | Price

Model B:
Pi 3 Model B | BCM2837 | 1.2GHz 64-bit quad-core ARM Cortex-A53 | 1GB | Micro SD | 4 | NIC / WiFi / BLE | $35
Pi 2 Model B | BCM2836 | 900MHz quad-core ARM Cortex-A7 | 1GB | Micro SD | 4 | yes | $35
Pi 1 Model B+ | BCM2835 | 700MHz single-core ARM1176JZF-S | 512 MB | Micro SD | 4 | yes | n/a
Pi 1 Model B | BCM2835 | 700MHz single-core ARM1176JZF-S | 256/512 MB | SD | 2 | yes | n/a

Model A:
Pi 3 Model A | TechRepublic: "mid-2016" | n/a | n/a | n/a | 1 | WiFi / BLE | $20 ?
Pi 1 Model A+ | BCM2835 | 700MHz single-core ARM1176JZF-S | 256 MB | Micro SD | 1 | no | $20
Pi 1 Model A | BCM2835 | 700MHz single-core ARM1176JZF-S | 256 MB | SD | 1 | no | n/a

Other:
Pi Zero | BCM2835 | 1GHz single-core ARM11 | 512 MB | Micro SD | 1 (micro USB) | no | $5
Pi 3 Compute Module | 2016: "soon" | n/a | n/a | n/a | n/a | n/a | n/a
Pi Compute Module | BCM2835 | 700MHz single-core ARM1176JZF-S | 512 MB | 4GB eMMC (on-board) | 1 via pins | no | $40

(photo: Pi 2 Model B)

Where to get Pi

• Element14 (Farnell,Newark,MCM)

• Amazon

• Adafruit

Download Kali

• https://www.offensive-security.com/kali-linux-arm-images/

“a minimal XFCE Kali system with the top 10 tools”

E:\>c:\fciv\fciv -sha1 kali-2.1-rpi2.img.xz

//

// File Checksum Integrity Verifier version 2.05.

//

1940438fe85f5850e10ea6c14d0aebefc1266985 kali-2.1-rpi2.img.xz

Don't be a LinuxMint 2016! (In February 2016 the Linux Mint download site was compromised and served backdoored ISOs; a checksum compared against the value published by the project is the cheapest way to notice a swapped image. fciv is old and SHA-1 only; on current Windows, certutil -hashfile <file> SHA256 or PowerShell Get-FileHash do the same job with SHA-256, which is what Kali publishes.)
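The same check done from Python, as an added example that is not part of the talk: it parses a sha256sum/fciv-style "digest  filename" list, hashes the file in chunks, and compares in constant time. It assumes you already verified the checksum list's GPG signature out of band; a checksum served next to the image only catches corrupt downloads, not a swapped image plus swapped checksum. The "image" and sums file it builds are constructed test data, not Kali's.

```python
# Added example (not from the talk): verify a downloaded image against a
# published checksum list. Assumes the list itself was signature-checked first.
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a (possibly multi-GB) file without reading it into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse 'hexdigest  filename' lines (sha256sum, sha1sum and fciv all print these).
    Comment lines such as fciv's '//' banner are skipped; a leading '*' on the
    filename (sha256sum binary mode) is dropped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not set(parts[0]) <= HEX:
            continue
        table[parts[-1].lstrip("*")] = parts[0].lower()
    return table


def verify(path, sums_text, algo="sha256"):
    """Return 'ok', 'MISMATCH', or a reason the comparison could not be made."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "no published checksum for this file"
    actual = file_digest(path, algo)
    if len(expected) != len(actual):
        return "checksum length mismatch (wrong algorithm?)"
    # compare_digest avoids leaking how many leading characters matched
    return "ok" if hmac.compare_digest(expected, actual) else "MISMATCH"


def demo():
    """Constructed input: a 3-byte 'image' (b'abc') and a sums line that matches it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "kali-demo.img.xz")
        with open(path, "wb") as f:
            f.write(b"abc")
        good = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
                "  kali-demo.img.xz\n")
        tampered = good.replace("ba7816bf", "deadbeef")
        return verify(path, good), verify(path, tampered), file_digest(path, "sha1")


if __name__ == "__main__":
    print(demo())
```

Run it against a real download by pointing verify() at the image and pasting the project's SHA256SUMS text; a result other than "ok" means stop and re-download, not "try the other mirror".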

Burn to memory card

• Win32 Disk Imager: https://launchpad.net/win32-image-writer or http://sourceforge.net/projects/win32diskimager

210 Datacenter

Power

• Anker

• CTIA (UCS) Universal Charger Solution

• EC Common External Power Supply

Kali Login: user root, password toor (change it before the Pi touches a network)

Regenerate the SSH host keys. Every copy of a prebuilt image ships with the same host keys until you do this, so anyone with the image can impersonate your box:

root@kali:~# rm /etc/ssh/ssh_host_*
root@kali:~# dpkg-reconfigure openssh-server
root@kali:~# service ssh restart

Allow root to ssh into the server:

root@kali:/etc/ssh# pwd
/etc/ssh
root@kali:/etc/ssh# vi sshd_config

# chuckc - Fri Feb 5 22:40:50 UTC 2016
# PermitRootLogin prohibit-password
PermitRootLogin yes

From sshd_config(5):

PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be ``yes'', ``prohibit-password'', ``without-password'', ``forced-commands-only'', or ``no''. The default is ``prohibit-password''.

Caveat: "PermitRootLogin yes" lets root in with a password, and combined with the stock root/toor password that is a remotely owned box the moment it gets an address. For a lab Pi, keep prohibit-password and put your public key in /root/.ssh/authorized_keys instead.

Opened up in 2.1.2 ?

Xrdp

Kali + ARM = Pwnie (Bloomberg)

http://www.bloomberg.com/graphics/2015-mob-technology-consultants-help-drug-traffickers/

“The device they built looked like a European version of a power strip. Tucked inside a 15-by-5-inch casing was a tiny Linux computer running powerful hacking software called Metasploit. The pwnie sent out data via cellular networks, which meant they could be accessed from anywhere.”

RTFM / BTHb (Red Team Field Manual / Blue Team Handbook)

• OverTheWire: http://overthewire.org/wargames/bandit/

• Root Me: https://www.root-me.org/en/Challenges/

• Vulnhub: https://www.vulnhub.com/entry/tr0ll-1,100/

• Metasploit Unleashed: https://www.offensive-security.com/metasploit-unleashed/

• Metasploitable: intentionally vulnerable Linux virtual machine: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

• Metasploitable 2 Exploitability Guide: https://community.rapid7.com/docs/DOC-1875

• OWASP Mutillidae II: https://sourceforge.net/projects/mutillidae/ (Jeremy Druin, @webpwnized)

Intermission

Next: Python (NIST / FIPS / AES)

New (to me) languages

Mapped onto NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment:

• 4.1 Network Discovery and 4.2 Network Port and Service Identification: nmap (Lua, NSE scripts), Wireshark (Lua)

• 4.3 Vulnerability Scanning: Nessus (NASL, not Nasal), OpenVAS (NASL)

• 5.2 Penetration Testing: Metasploit (Ruby)

• All purpose: Python

Other starting points: NodeMCU (ESP8266); public_drown_scanner on GitHub; http://carlcheo.com/startcoding; Perl -> Python (!=); YouTube: Chicago Buses; YouTube: Black Hat / Matasano. Also Excel and PostScript.

cryptopals.com, the Matasano (now NCC Group) crypto challenges: 64? 48? Currently 56. Now 64!

Set 1: Basics
1. Convert hex to base64
2. Fixed XOR
3. Single-byte XOR cipher
4. Detect single-character XOR
5. Implement repeating-key XOR
6. Break repeating-key XOR
7. AES in ECB mode
8. Detect AES in ECB mode

Set 2: Block crypto
9. Implement PKCS#7 padding
10. Implement CBC mode
11. An ECB/CBC detection oracle
12. Byte-at-a-time ECB decryption (Simple)
13. ECB cut-and-paste
14. Byte-at-a-time ECB decryption (Harder)
15. PKCS#7 padding validation
16. CBC bitflipping attacks

Set 3: Block & stream crypto
17. The CBC padding oracle
18. Implement CTR, the stream cipher mode
19. Break fixed-nonce CTR mode using substitutions
20. Break fixed-nonce CTR statistically
21. Implement the MT19937 Mersenne Twister RNG
22. Crack an MT19937 seed
23. Clone an MT19937 RNG from its output
24. Create the MT19937 stream cipher and break it

Set 4: Stream crypto and randomness
25. Break "random access read/write" AES CTR
26. CTR bitflipping
27. Recover the key from CBC with IV=Key
28. Implement a SHA-1 keyed MAC
29. Break a SHA-1 keyed MAC using length extension
30. Break an MD4 keyed MAC using length extension
31. Implement and break HMAC-SHA1 with an artificial timing leak
32. Break HMAC-SHA1 with a slightly less artificial timing leak

Set 5: Diffie-Hellman and friends
33. Implement Diffie-Hellman
34. Implement a MITM key-fixing attack on Diffie-Hellman with parameter injection
35. Implement DH with negotiated groups, and break with malicious "g" parameters
36. Implement Secure Remote Password (SRP)
37. Break SRP with a zero key
38. Offline dictionary attack on simplified SRP
39. Implement RSA
40. Implement an E=3 RSA Broadcast attack

Set 6: RSA and DSA
41. Implement unpadded message recovery oracle
42. Bleichenbacher's e=3 RSA Attack
43. DSA key recovery from nonce
44. DSA nonce recovery from repeated nonce
45. DSA parameter tampering
46. RSA parity oracle
47. Bleichenbacher's PKCS 1.5 Padding Oracle (Simple Case)
48. Bleichenbacher's PKCS 1.5 Padding Oracle (Complete Case)

Set 7: Hashes
49. CBC-MAC Message Forgery
50. Hashing with CBC-MAC
51. Compression Ratio Side-Channel Attacks
52. Iterated Hash Function Multicollisions
53. Kelsey and Schneier's Expandable Messages
54. Kelsey and Kohno's Nostradamus Attack
55. MD4 Collisions
56. RC4 Single-Byte Biases

Set 8: on GitHub, by Sean Devlin (@spdevlin)

Set 1: Basics (walkthrough of #1, #2, #3 and #7)

#1 - Hex -> Base64

• Request for Comments (RFC): https://www.ietf.org/rfc.html

• RFC 4648: The Base16, Base32, and Base64 Data Encodings

– Base 64: A-Z, a-z, 0-9, '+', '/' (with '=' padding to a multiple of 4 characters)

– Base 64 with URL and Filename Safe Alphabet: '+', '/' -> '-', '_'

– Base 32: A-Z, 2-7

– Base 32 with Extended Hex Alphabet: 0-9, A-V

– Base 16: "Essentially, Base 16 encoding is the standard case-insensitive hex encoding and may be referred to as "base16" or "hex"."

• RFC 4880: OpenPGP Message Format (ASCII armor is base64 of the binary packets; the trailing "=xxxx" line is a base64 CRC-24)

PGP and URL examples

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iQEcBAEBAgAGBQJWqiT1AAoJENnE0m0OYESR07gIAJ65FdP2oFR9pspmLh+iZ978

Q+1R8vShqUjkpE14gUOHaidgsU8l7HoR7v3mWFtv+XqBUp94ISOFeyt4B4jlDsHE

SSgO60zlnYha0KaOeRv/aH1quiWhx8bxNZ1HJbbwlxPclqmEplhXqoSEbVvOZKFZ

VPu8gmJg3fzdQpQT0eAZ/5ez6SMvIM1FO47FlqtstWgHSs0iq1scIr1LKNmH3uMZ

tmNmq5U/tTX/51eKYqFIrWXIeyHSiOTXRBUjnw4ybCiobklLH1qiEApJW6iPkOob

9WthtiyBVBxCpYpF8h4mQc3h77J/q4rLcL/b56sqMsHTV4ULhbN2VIUnzcuzIUI=

=Dfuh

-----END PGP SIGNATURE-----

Link:

https://www.periscope.tv/w/aQQ0Szk2fDFPd3hXbGRNalluS1GEkRrtoANLnX

cbpKGaln1ekV53WKmTe-2OUDHbNqMm0Q==

Base64 – Command & Control, Data Exfil. Base64 is an encoding, not encryption: it turns up constantly in C2 traffic and exfiltration because it moves arbitrary bytes through text-only channels (DNS labels, HTTP headers, script one-liners), so learn to recognise and decode it on sight.


#2 - XOR

XOR combines the bits position by position; the result bit is 1 only where the inputs differ:

0xe5 = 1110 0101
0x17 = 0001 0111
XOR  ---------
0xf2 = 1111 0010

Applying the same key again undoes it (0xf2 XOR 0x17 = 0xe5), which is why XOR is the building block for everything from one-time pads to the stream ciphers in Set 3.

#3 - ETAOIN SHRDLU: a single-byte XOR key has only 256 possibilities, so decrypt with all of them and score each candidate plaintext by how well its letter counts match English (ETAOIN SHRDLU are the twelve most frequent letters); the highest score is the key.
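Challenges #1, #2 and #3 in plain Python, as an added example that is not part of the talk or of cryptopals' own material. Repeating-key XOR (#5) is the shared helper, since a one-byte key is the #3 cipher. The frequency table is approximate English letter frequencies I have filled in, and the sample sentence and key 0x5a are constructed test data.

```python
# Added example (not from the talk): cryptopals Set 1, challenges 1-3, with the
# repeating-key XOR of challenge 5 as the shared primitive.
import base64


def hex_to_base64(hex_str):
    """#1: decode the hex to raw bytes first; never base64 the hex characters."""
    return base64.b64encode(bytes.fromhex(hex_str)).decode("ascii")


def fixed_xor(a, b):
    """#2: XOR two equal-length buffers."""
    if len(a) != len(b):
        raise ValueError("fixed XOR needs equal-length buffers")
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_key_xor(data, key):
    """#5: XOR data with the key cycled; a 1-byte key is the #3 cipher.
    XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Approximate English letter frequencies (percent); ETAOIN SHRDLU are the
# twelve most common letters. Space is scored too: it is the most common byte
# in English text, and it is what almost every wrong key destroys.
_FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, " ": 13.0,
}


def english_score(buf):
    """Higher means more English-like; control and non-ASCII bytes are penalised hard."""
    score = 0.0
    for b in buf:
        c = chr(b).lower()
        if c in _FREQ:
            score += _FREQ[c]
        elif b in (9, 10, 13) or 32 <= b < 127:
            continue           # printable but uncommon: neutral
        else:
            score -= 20.0      # almost certainly the wrong key
    return score


def break_single_byte_xor(ct):
    """#3: try all 256 keys and keep the candidate that reads most like English."""
    key = max(range(256),
              key=lambda k: english_score(repeating_key_xor(ct, bytes([k]))))
    return key, repeating_key_xor(ct, bytes([key]))


def demo():
    """Constructed sample: encrypt a known sentence under key 0x5a, then recover it."""
    pt = b"Attack at dawn. The quick brown fox jumps over the lazy dog, then sleeps."
    ct = repeating_key_xor(pt, b"\x5a")
    key, recovered = break_single_byte_xor(ct)
    return key, recovered == pt


if __name__ == "__main__":
    print(hex_to_base64("4d616e"), fixed_xor(b"\xe5", b"\x17").hex(), demo())
```

Challenge #4 (detect single-character XOR in a file of candidates) is the same loop one level up: run break_single_byte_xor over every line and keep the line whose best candidate scores highest.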


#7 – AES-128-ECB

Rijndael (AES) Animation

http://www.formaestudio.com/rijndaelinspector/

National Institute of Standards and Technology (NIST)

• NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

• Founded 1901 as the National Bureau of Standards

• Current name since August 1988, when Reagan signed the Omnibus Trade and Competitiveness Act (OTCA)

• Neon lights

• The nation's first crime lab

• WWII: first fully automated guided missile

• First atomic clock

• WWVB (CO) (303) 499-7111, WWVH (808) 335-4363

• Closed captioning

• www.time.gov and time.nist.gov

• 2000: Rijndael selected as the Advanced Encryption Standard (published as FIPS 197 in 2001)

NIST also sells Standard Reference Materials. SRM 2387 is peanut butter: https://www-s.nist.gov/srmors/view_detail.cfm?srm=2387

Description: Peanut Butter. Lot: N/A. Expiration Date: 12/31/2019. Unit Price*: $835.00. Unit of Issue: 3 x 170 g. Status: Now Selling. Certificate Date: 7/21/2015. (* Prices are subject to change without notice.)

"The SRM has been determined to be non-hazardous by the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce under paragraph (d) of OSHA Standards 29 CFR Part 1910.1200. The SRM will not release or otherwise result in exposure to a hazardous chemical under normal conditions of use. Description: This SRM is intended primarily for use in validating methods for determining proximates, fatty acids, calories, vitamins, elements, amino acids, aflatoxins, and acrylamide in peanut butter and similar matrices. This SRM can also be used for quality assurance when assigning values to in-house control materials. A unit of SRM 2387 consists of three jars of peanut butter containing 170 g each."

NIST Publications

• Federal Information Processing Standards (FIPS): security standards

– FIPS 197: Advanced Encryption Standard (AES)

– FIPS 140-2: Security Requirements for Cryptographic Modules

• NIST Special Publications (SPs): security and privacy guidelines, recommendations and reference materials

– SP 800-61 Rev. 2: Computer Security Incident Handling Guide

– SP 800-115: Technical Guide to Information Security Testing and Assessment

– SP 1800-5: DRAFT IT Asset Management

• ITL Bulletins are published monthly by NIST's Information Technology Laboratory, focusing on a single topic of significant interest to the computer security community

– ITL January 2016: Securing Interactive and Automated Access Management Using Secure Shell (SSH)

FIPS-197

The block is always Nb = 4 words (128 bits). The key length Nk is 4, 6 or 8 32-bit words (AES-128, -192, -256), and the number of rounds is Nr = Nk + 6, i.e. 10, 12 or 14. The key schedule expands the key into Nb * (Nr + 1) words, one 128-bit round key per round plus one for the initial AddRoundKey.

AES calculations and AES pseudo code (FIPS-197 figures; not reproduced in this transcript)

Rijndael Inspector

http://www.formaestudio.com/rijndaelinspector/archivos/
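A reference AES-128-ECB built straight from FIPS-197, as an added example serving both the #7 / #8 slides (AES in ECB mode, detect ECB) and the Nk / Nr key-schedule slide. It is not code from the talk, from cryptopals or from any library: the S-box is computed from the field inverse and affine map in section 5.1.1 instead of pasted as a table, and the key schedule follows section 5.2 for all three key sizes. It is pure Python and not constant-time, which is fine for learning how the rounds fit together and wrong for protecting anything; the "YELLOW SUBMARINE" plaintext in the ECB demo is constructed.

```python
# Added example (not from the talk): AES-128 ECB per FIPS-197, plus the
# repeated-block check behind cryptopals #8. Educational, not constant-time.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (FIPS-197 4.2)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a):
    """Multiplicative inverse as a^254; the spec maps 0 to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def _sbox_byte(a):
    """FIPS-197 5.1.1: field inverse, then the affine map with c = 0x63."""
    x = gf_inv(a)
    out = 0
    for i in range(8):
        bit = ((x >> i) ^ (x >> (i + 4) % 8) ^ (x >> (i + 5) % 8)
               ^ (x >> (i + 6) % 8) ^ (x >> (i + 7) % 8))
        out |= (bit & 1) << i
    return out ^ 0x63


SBOX = [_sbox_byte(i) for i in range(256)]


def key_expansion(key):
    """FIPS-197 5.2: Nk words in, 4*(Nr+1) words out, with Nr = Nk + 6."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("key must be 16, 24 or 32 bytes")
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01                                       # Rcon[1]; doubles each use
    for i in range(nk, 4 * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # SubWord(RotWord(temp))
            temp[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            temp = [SBOX[b] for b in temp]                  # AES-256 extra SubWord
        w.append([w[i - nk][j] ^ temp[j] for j in range(4)])
    return w


# The state is kept flat in input order: index = row + 4*column (FIPS-197 3.4).
def _add_round_key(s, w, rnd):
    return [s[i] ^ w[4 * rnd + i // 4][i % 4] for i in range(16)]


def _shift_rows(s):
    """Row r rotates left by r: s'[r][c] = s[r][(c + r) mod 4]."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def encrypt_block(key, block):
    """FIPS-197 Figure 5: AddRoundKey, Nr-1 full rounds, last round without MixColumns."""
    w = key_expansion(key)
    nr = len(w) // 4 - 1
    s = _add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        s = _add_round_key(_mix_columns(_shift_rows([SBOX[b] for b in s])), w, rnd)
    s = _add_round_key(_shift_rows([SBOX[b] for b in s]), w, nr)
    return bytes(s)


def ecb_encrypt(key, data):
    """ECB: every 16-byte block is encrypted independently, so equal blocks collide."""
    if len(data) % 16:
        raise ValueError("ECB needs whole blocks; PKCS#7 padding is challenge 9")
    return b"".join(encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))


def repeated_blocks(ct, bs=16):
    """cryptopals #8: any duplicate block in a ciphertext is the ECB fingerprint."""
    blocks = [ct[i:i + bs] for i in range(0, len(ct), bs)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 vector and a constructed ECB leak demonstration
    print(encrypt_block(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")).hex())
    print(repeated_blocks(ecb_encrypt(bytes(range(16)), b"YELLOW SUBMARINE" * 3 + b"0123456789abcdef")))
```

Check it against the spec's own numbers: Appendix A.1 expands key 2b7e1516...4f3c to w[4] = a0fafe17 and a round-10 key of d014f9a8c9ee2589e13f0cc8b6630ca6, and Appendix C.1 encrypts 00112233...eeff under key 000102...0f to 69c4e0d86a7b0430d8cdb78070b4c55a. The ECB demo makes the #8 point concrete: three identical plaintext blocks give three identical ciphertext blocks, which no mode with chaining or a counter would do.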

Misc.

BeagleBone Black

• Processor: AM335x 1GHz ARM® Cortex-A8

• 512MB DDR3 RAM

• 4GB 8-bit eMMC on-board flash storage

• 3D graphics accelerator

• NEON floating-point accelerator

• 2x PRU 32-bit microcontrollers

• Connectivity: USB client for power & communications, USB host, 10/100 Ethernet, HDMI, 2x 46 pin headers

• Software compatibility: Debian (pre-loaded on eMMC), Android, Ubuntu, Cloud9 IDE on Node.js w/ BoneScript library, plus much more

http://beagleboard.org/

Kali !

Pine64: "$15 64-Bit Super Computer"

• Allwinner A64 1.2GHz CPU, 64-bit quad-core ARM A53

• 512MB / 1GB / 2GB DDR3 SDRAM

• 2 x USB 2.0

• 4K x 2K HDMI port

• Ethernet 10/100 or 10/100/1000 (model dependent)

• +5V power, microUSB

• MicroSD slot, up to 256GB

• Add-on: 802.11 BGN, Bluetooth 4.0

https://forums.kali.org/showthread.php?30287-pine-64-VS-raspberry-pi-3

Northbound Networks: Zodiac FX

• The world's smallest OpenFlow SDN switch (10 x 8 cm)

• Support for OpenFlow 1.0, 1.3 & 1.4

Raspberry Pi 3 odds and ends

• fcc.gov/oet (Raspberry Pi 3 FCC filing info)

• Package-on-package (PoP) memory

• Roku uses the BCM2835

Everyone loves Pi

• https://wiki.hackerspaces.org/Minnesota

Linux ARM - armel and armhf

BeagleBone Black (ARMv7, hard-float):

root@kali:~# uname -a
Linux kali 3.8.13-bone53 #1 SMP Thu Aug 13 23:27:51 CDT 2015 armv7l GNU/Linux

root@kali:~# readelf -a /proc/self/exe | grep VFP
Tag_FP_arch: VFPv3-D16
Tag_ABI_VFP_args: VFP registers

root@kali:/proc# cat /proc/cpuinfo | grep -i model
model name : ARMv7 Processor rev 2 (v7l)

Raspberry Pi 1 (ARMv6):

# uname -a
Linux raspberrypi 3.1.9+ #272 PREEMPT Tue Aug 7 22:51:44 BST 2012 armv6l GNU/Linux

# readelf -a /proc/self/exe | grep VFP
Tag_FP_arch: VFPv2
Tag_ABI_VFP_args: VFP registers

How to read this: Tag_ABI_VFP_args: VFP registers means the binary passes floating-point arguments in VFP registers, the hard-float (armhf) calling convention; a soft-float (armel) binary has no such tag and passes them in integer registers. Debian-style armhf also assumes an ARMv7 core with VFPv3-D16, which the ARM1176 in the Pi 1 (ARMv6, VFPv2) does not have, so Pi 1 images are built for the older baseline while the Pi 2/3 and BeagleBone get armhf.

https://blogs.oracle.com/jtc/entry/is_it_armhf_or_armel

cat /proc/cpuinfo

Raspberry Pi 1:

# cat /proc/cpuinfo
Processor : ARMv6-compatible processor rev 7 (v6l)
BogoMIPS : 697.95
Features : swp half thumb fastmult vfp edsp java tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xb76
CPU revision : 7
Hardware : BCM2708
Revision : 0003
Serial : 00000000081d9f52

BeagleBone Black:

root@kali:~# cat /proc/cpuinfo
processor : 0
model name : ARMv7 Processor rev 2 (v7l)
BogoMIPS : 993.47
Features : swp half thumb fastmult vfp edsp thumbee neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x3
CPU part : 0xc08
CPU revision : 2
Hardware : Generic AM33XX (Flattened Device Tree)
Revision : 0000
Serial : 0000000000000000

Note the Pi's "CPU architecture: 7" next to "ARMv6-compatible": the architecture field is not reliable on that core, so go by the processor name string and the Features list (vfpv3 and neon on the BeagleBone, plain vfp on the Pi).
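The same armel/armhf question answered programmatically, as an added example that is not part of the talk: one function classifies a board from its /proc/cpuinfo text, the other reads the float ABI bits out of an ELF32 header (the e_flags complement to the .ARM.attributes tags readelf prints above). The two cpuinfo samples are constructed from the boards shown on the slides with serial numbers zeroed; the ELF header is hand-built, not a real binary; the EF_ARM_ABI_FLOAT_* values come from the ARM ELF ABI, and the ARMv7 + VFPv3-D16 baseline is Debian's armhf requirement, neither of which is on the slides.

```python
# Added example (not from the talk): classify an ARM host from /proc/cpuinfo
# and read the float ABI from an ELF32 header.
import re
import struct

EM_ARM = 40
EF_ARM_ABI_FLOAT_SOFT = 0x200   # e_flags bits defined by the ARM ELF ABI (EABI v5)
EF_ARM_ABI_FLOAT_HARD = 0x400

# Constructed from the two boards on the slides; serials zeroed.
PI1_CPUINFO = """Processor\t: ARMv6-compatible processor rev 7 (v6l)
BogoMIPS\t: 697.95
Features\t: swp half thumb fastmult vfp edsp java tls
CPU implementer\t: 0x41
CPU architecture: 7
CPU variant\t: 0x0
CPU part\t: 0xb76
CPU revision\t: 7
Hardware\t: BCM2708
Revision\t: 0003
Serial\t\t: 0000000000000000
"""

BBB_CPUINFO = """processor\t: 0
model name\t: ARMv7 Processor rev 2 (v7l)
BogoMIPS\t: 993.47
Features\t: swp half thumb fastmult vfp edsp thumbee neon vfpv3 tls
CPU implementer\t: 0x41
CPU architecture: 7
CPU variant\t: 0x3
CPU part\t: 0xc08
CPU revision\t: 2
Hardware\t: Generic AM33XX (Flattened Device Tree)
Revision\t: 0000
Serial\t\t: 0000000000000000
"""


def parse_cpuinfo(text):
    """Return {key: value} for the first CPU block; keys are lower-cased."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        k, v = line.split(":", 1)
        info.setdefault(k.strip().lower(), v.strip())
    return info


def classify_arm(text):
    info = parse_cpuinfo(text)
    name = info.get("model name") or info.get("processor", "")
    # Trust the name string, not "CPU architecture": the Pi 1 reports 7 there
    # while describing itself as ARMv6-compatible.
    m = re.search(r"ARMv(\d)", name)
    arch = int(m.group(1)) if m else 0
    feats = set(info.get("features", "").split())
    fpu = ("vfpv4" if "vfpv4" in feats else "vfpv3" if "vfpv3" in feats
           else "vfp" if "vfp" in feats else "none")
    # Debian-style armhf needs ARMv7 + VFPv3-D16 or better; older cores get armel.
    port = "armhf" if arch >= 7 and fpu in ("vfpv3", "vfpv4") else "armel"
    return {"arch": arch, "fpu": fpu, "neon": "neon" in feats,
            "port": port, "hardware": info.get("hardware", "")}


def elf_arm_float_abi(header):
    """Decode e_flags from an ELF32 header; the first 40 bytes are enough.
    Returns (EABI version, float ABI description)."""
    if header[:4] != b"\x7fELF" or header[4] != 1:
        raise ValueError("not an ELF32 file")
    endian = "<" if header[5] == 1 else ">"
    _type, e_machine, _ver, _entry, _phoff, _shoff, e_flags = struct.unpack(
        endian + "HHIIIII", header[16:40])
    if e_machine != EM_ARM:
        raise ValueError("not an ARM binary (e_machine=%d)" % e_machine)
    eabi = e_flags >> 24
    if e_flags & EF_ARM_ABI_FLOAT_HARD:
        abi = "hard-float (armhf)"
    elif e_flags & EF_ARM_ABI_FLOAT_SOFT:
        abi = "soft-float (armel)"
    else:
        abi = "unspecified (check .ARM.attributes Tag_ABI_VFP_args)"
    return eabi, abi


def make_elf32_arm_header(e_flags):
    """Hand-built minimal ELF32 LE header for EM_ARM; a test fixture, not a binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # 32-bit, little-endian, version 1
    return ident + struct.pack("<HHIIIII", 2, EM_ARM, 1, 0, 0, 0, e_flags)


if __name__ == "__main__":
    print(classify_arm(PI1_CPUINFO))
    print(classify_arm(BBB_CPUINFO))
    print(elf_arm_float_abi(make_elf32_arm_header(0x05000400)))
```

On a real box, feed classify_arm() the contents of /proc/cpuinfo and elf_arm_float_abi() the first 40 bytes of any binary (/bin/ls, or the Kali tool you are about to copy over); a hard-float binary dropped on a soft-float system fails at the dynamic linker, not with a helpful message.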

Pi Raq

https://github.com/earthlcd/Pi-RAQ https://earthlcd.com/products/raspberry-pi/pi-raq/

Janz Tec AG emPC-A/RPI Fanless Embedded Controller (w/ CAN)

https://www.janztec.com/en/products/embedded-computing/empc/empc-arpi/

@bubbasnmp ???

• http://www.simple-times.org/

• Case, McCloghrie, Rose, Waldbusser et al

• Ask Dr. SNMP – Jeff Case ``That dog won't hunt.''


Questions ???