Monday, September 19, 2011

How to Rip Blu-rays the Easy Way

I've had a home theater PC for almost 4 years now, and a NAS for almost 3.  I love having the combination as a hub for streaming, converting, and yes, ripping various forms of media.  One of the major gaps in its functionality has been Blu-ray.  Typically, I'll buy the Blu-ray versions of the movies that I want, but can only watch them on my PlayStation 3.  I end up borrowing the DVD versions from the local library, or renting it from redbox, if either of them even have them in their catalog, in order to encode a copy for my iDevices or in-house streaming.  Well, no longer!

I just picked up a Samsung SH-B123L/RSBP Blu-ray combo drive from newegg which works marvelously in conjunction with a couple of pieces of software to back-up each of my Blu-ray movies to hard drive, suitable for encoding into single full resolution, or iDevice-friendly, video files.  Researched and played around with the process a bit for this tutorial, so here it goes:
  1. First, you're going to need to download and install the software tools to do the job.  One of them is the free DVDFab HD Decrypter to actually rip the Blu-ray to disk.  This is constantly getting updated to deal with the latest copy protections, so it's probably a good idea to check the site every time you're going to be backing up a newer disc.  You'll also need Handbrake, free as well, to do the encoding of the ripped files to a single video file.  The latest version released earlier this year, 0.9.5, finally supports reading Blu-ray disc structures, which makes this whole process infinitely easier.
  2. DVDFab HD Decrypter
    1. Insert the Blu-ray into your drive, and fire up DVDFab HD Decrypter.  In the Welcome to DVDFab window that pops up, select the option for HD Decrypter Free Edition, and click the Start DVDFab button to continue.  Useful Trick: Once you've started using this application, you'll notice that the Update Expire Time column gets populated with an actual date when you won't be able to use the respective options anymore.  Never fear, once you're in the application, go into the Common Settings and click the Default button to reset settings to, yes, default.  You'll be advised to "restart the product to apply the changed settings."  Once you do, for whatever reason, you'll find that all of the Update Expire Times have been reset to Never Been Used.  Nice!
    2. DVDFab will now confirm the region code, and scan your Blu-ray in preparation to back it up.  Once it's ready, select Blu-ray Copy --> Full Disc from the menu on the left-hand side of the application.  For the Target settings at the top-right side of the application, click on the folder icon, browse to, and select a location where you would like the backed-up files to be stored.  I tend to create and select a folder on my Desktop, just to keep things organized, as we won't be keeping the files after we're done with them.  Note: Don't choose to back it up to an ISO file, as it takes twice as long (needs to copy from a temporary directory to the ISO container), and you would also need to worry about mounting the ISO prior to doing any encoding.
    3. Other than that, all other default settings should be just fine, just verify the BD50 drop-down setting at the bottom of the application to ensure a full-quality backup.  Note: Make sure you have plenty of hard drive space (over 50GB obviously) in order to store the resulting files.  Click the Start button in the lower-right of the application, and walk away for about a half-hour to let it do its thing.  Mmm, coffee.
  3. Handbrake
    1. Once that's done, fire up Handbrake, and select Source --> Folder.  Browse to and select the folder specific to your disc's back-up under the folder that you chose in DVDFab.  The subfolder structure will be \FullDisc\[Movie], so you would select the [Movie] folder.  Handbrake will now do its own scan of the backed up files and present you with all of the Titles and Chapters that it was able to parse from them. Under the Title drop-down in the Source section, select the longest-running title, which generally corresponds to the main movie, rather than any special features, preview trailers, etc.  Note: There may be a few titles that are either close or identical in length, so you'll need to try a Preview of each one to tell the difference between them.  Usually it's something like an extended version vs. director's commentary vs. theatrical release.
    2. In the Destination section, select a target folder and file name for your resulting video file, ending in .m4v.
    3. In the Presets section to the right of the application, select Normal if you want a full-resolution file, or select the corresponding Preset for your target iDevice.  Note: The iPad Preset plays just fine on an iPhone 4, so you won't need two separate encodings if you have both devices.
    4. In the Output Settings section, select a Container of MP4 File, and make sure that the checkbox for Large file size is selected.  If the resulting video file is greater than 4GB in size, highly likely, it will be unplayable unless this option selected.
    5. Select Preview from the top of the application, and in the Video Preview "window" that pops up, select a Start at Preview and a Duration.  Click Play with QT or Play with VLC to get a quick encoding sample to make sure you'll be getting what you expect.  I like to try a few different 10-second Start at Preview numbers just to be certain.  If you've chosen the wrong title, go back under the Title drop-down in the Source section, and select a different one to preview.
    6. Once you're certain that everything is how you'd like it, click Start at the top of the application and let it rip!

At the end of the encoding process, you should be left with a nice, playable MP4 video file, suitable for HD streaming or portable iDevice viewing by loading it through iTunes!  If you're satisfied with the results, go ahead and delete the original disc back-up files and reclaim your precious GB's of drive space.  Hope this helps to simplify the process for anyone looking to back-up their Blu-rays!

Wednesday, September 14, 2011

BackTrack 5 R1 - Black Hat Wallpaper

Just a quick post.  In case anyone was interested, this is the default wallpaper from the pre-release distribution of BackTrack 5 R1 that was given out at Black Hat USA 2011 earlier this year.  Nothing overly special, but if you were looking for it, enjoy. :)

Edit: For whatever reason, the full 1920x1200 resolution of the image appears to get lost in translation.  You can download the original here.

Saturday, August 20, 2011

Install BackTrack 5 R1 on an Asus Eee PC 701 4G

The latest and greatest release of BackTrack was just made available for download a couple of days ago.  This distribution of Linux is based on Ubuntu 10.04, and brings together some of the latest and greatest, freely available, security "testing" tools.  A pre-release version of 5 R1 was given out at this year's Black Hat convention in Las Vegas, which I was fortunate enough to attend, and many of those tools, plus additional bug fixes, were added in for this public release.

As the various releases of BackTrack have been coming out, like all other operating systems, it's been getting... bigger.  This newest entry is no different, and if you were to try and do an install onto the Eee's tiny SSD, you would find that it runs out of space quite inconveniently.  The image that you download utilizes Squashfs to compress everything into a read-only, much smaller, more manageable size.  However, once decompressed for installation, it blows right past the 4GB limit of the SSD.  You could install it onto an SD/SDHC card, at the expense of speed and (a little) money.  The other option is to install the live image onto the SSD, and treat it like a live DVD/USB thumb drive, only faster, with nothing additional plugged in, hanging off the side of the Eee.  A side benefit is that everything that you do will be running in RAM, so, in theory, a slight performance boost there.  Here's how to do it:
  1. Follow their instructions for how to create a USB live install thumb drive after downloading your version of choice from here.  You could alternatively burn the DVD, and use an external optical drive for this project.  Whichever you choose needs to be under the 4GB size of the Eee's SSD.  For my purposes, I chose to go with a 2GB 32-bit GNOME ISO:
  2. Plug in the USB drive, turn on the Eee, and hit F2 to enter the BIOS Setup Utility.  I've got BIOS Revision 1302, so your view may differ slightly.
  3. Tab over to the Boot menu, and select Boot Device Priority.  Select your USB thumb drive as the 1st Boot Device, then hit F10 to Save and Exit.
  4. On reboot, when the UNetbootin menu comes up, hit Enter to choose the Default boot option, then hit the space bar to continue past the video mode prompt.  You'll be greeted by the BackTrack splash screen while the system loads up, then you'll get dropped into a root bash shell.  At this point you *could* type "startx" and hit Enter to load up the live X graphical environment, but where's the fun in that?
  5. Now we're just going to image the USB drive onto the 4GB SSD of the Eee by typing "dd if=/dev/sdb of=/dev/sda".  This effectively clones the USB drive onto the SSD, partitions and all.  For example, I used a 2GB USB drive for my install, so only half of the 4GB SSD will be visible/usable to the OS, unless you work some partitioning magic, which I haven't gotten around to yet.
  6. Once that's done, unplug the USB drive, type "reboot" and hit Enter.  The Eee should go through the exact same boot steps with the SSD now, only faster, as if you were booting from the USB drive.  Once you're greeted with the root shell again, type "startx" and hit Enter to load up the live X environment!

Remember this is still only a live environment, and nothing is persistent.  When you reboot, everything will be back to the way it was on first boot, just as if you were using a live CD/DVD.  Standby works fine (though you may need to reconnect the WiFi connection when you resume), so if you don't power off the Eee, you should be good to go for multiple sessions of use.

As a side observation, this setup works phenomenally as a WEP-cracking solution.  You know, as far as I can tell from working with my OWN test wireless networks.  Yeah, that's the ticket... ;-)

Happy Hacking!  I mean, Testing!

Sunday, June 26, 2011

SSH Tunnel for Web Browsing Freedom and More

Ever been using the Internet somewhere where there's a firewall or web filter in place keeping you from browsing your favorite sites?  If you have a secure shell (ssh) server setup at home (or at a hosting site) you can easily use it to proxy all of your web browsing activity, bypassing most types of obstacles that would likely be in your way.

For the purposes of this post, let's assume that you're running an out-of-the-box installation of OpenSSH server on a linux system, with the configuration files located in the /etc/ssh directory.  The most useful parameter in the /etc/ssh/sshd_config file is the "Port" setting.  By default, it's set to 22, which is the standard port for ssh.  In most situations where your web browsing traffic is being filtered, port 22 is likely being blocked as well, so that doesn't help us too much.  You can change the line to

  • Port 443
in order to have the ssh server listen on a port that is likely not being blocked at all.  443 is normally used for SSL-encrypted web traffic, a.k.a. https.  Most web filters will take one look at that and say, "Nevermind, sorry for the disruption, nothing to see here, move right along."  There are a couple of other basic parameters that you should be mindful of from a security standpoint including:

  • Protocol 2
    • This is to ensure that your ssh server only uses the latest, more secure protocol, as backwards compatibility with protocol 1 introduces vulnerabilities into the system
  • PermitRootLogin no
    • This is to ensure that nobody can login remotely as root directly.  An attacker would need to first gain access to a lower privileged account, and then attempt to escalate from there.

Once you've got the sshd_config file all set, save it, and restart the sshd service.  Then you should be ready to login remotely using any ssh client.  For our example here, we'll use a popular one called PuTTY.  Once you've downloaded, and optionally installed, PuTTY, fire it up, and when the Configuration window comes up, enter in the hostname/IP address of your ssh server, with the port that you selected in your sshd_config file:
Then, on the left-hand side, under Category, navigate to Connection --> SSH --> Tunnels.  Enter in a Source port for the tunnel (I've chosen 1080 because the tunnel is really creating a SOCKS proxy, which uses 1080 by default), select the radio button for Dynamic instead of Local, and click the Add button next to the Source port field.  It should now look something like this:
At this point you can go back to Category --> Session, and save the session so that you won't need to configure it all again, or you can just click the Open button in the lower-right corner to start up your ssh session.  Once you've got your session up and running, you'll need to configure your browser of choice to take advantage of the tunnel you've just created.

In IE9, navigate to Internet Options --> Connections --> LAN Settings --> Proxy server,  Check the box for "Use a proxy server for your LAN," and click the Advanced button.  In the Proxy settings window that comes up, for the "Socks:" entry, enter in for the address and 1080 for the port.  Click on the OK button when you're done.
In Firefox 5, navigate to Options --> Advanced --> Network --> Settings...  Select Manual proxy configuration, and for the "SOCKS Host:" entry, enter in and 1080 for the Port.  Select the radio button for SOCKS v5 instead of v4.  Click on the OK button when you're done.
In Chrome 12, navigate to Options --> Under the Hood --> Network --> Change proxy settings...  This will bring up the same window as for IE9 above, so just configure the Proxy server as mentioned previously.
You should now be all set!  Any web browsing that you attempt to do now will be redirected through your encrypted ssh tunnel, and go out to the Internet from the network that your ssh server resides on, rather than the current network that you're connected to locally.  Filters schmilters!

This technique has an infinite number of uses for getting you where you need to go.  You can tunnel things like Microsoft Remote Desktop/Terminal Services, port 3389, Instant Messaging, VNC/Apple Remote Desktop, port 5900, etc.  Best of all, it's all encrypted, and potentially performs better than a direct connection, as you can even turn on compression for the SSH connection.

To perform simple port forwarding for these types of services, you'll need to add another tunnel into your PuTTY session configuration.  This time, select the radio button for Local instead of Dynamic.  You'll also need to enter in a specific destination host and port to forward the traffic to on the other side of the tunnel.  For example, say you want to connect to a Windows system that has an IP address of on the remote network, using Remote Desktop, you would set up the tunnel in PuTTY like so:
Then, once your ssh session is up, in your Remote Desktop Connection client window, simply connect to to utilize the tunnel to get to the remote host:
You may run into issues if you're trying to do this from a Windows system that is itself also accessible via Remote Desktop, meaning port 3389 on localhost is already taken.  In that case, just change the source port to something else like 3391 in the port forwarding configuration, and connect to from your RDP client, easy as that.

And of course, for those of you that are like me and prefer to use the command-line for things like this, a simple ssh one-liner using something like cygwin:

  • ssh -p443 -D1080 -L3391: username@your-ssh-server

does the exact same thing as all that GUI PuTTY configuration.

Happy tunneling!

Sunday, June 19, 2011

Install Ubuntu 11.04 / 11.10 / 12.04 / 12.10 on an Asus Eee PC 701 4G

Ever since I got my iPad last summer, my grand-daddy of all netbooks, the Asus Eee PC 701 4G, has become somewhat... neglected.  These days it serves as a test bed for various flavors of linux and their respective updates.  I've run the default Xandros, XP Pro (full installation, compressed), Fedora, Ubuntu, and Joli OS (Jolicloud).  Even with XP Pro, all updates, I never had an issue installing any OS within the confines of the tiny 4GB SSD that is soldered on the board of this device.

Leave it to a bug in the latest version of Ubuntu (11.04) to ruin that perfect record.  An issue that I ran into, and subsequently found information about at Ubuntu in Launchpad, is that the Ubiquity installer imposes an arbitrary minimum hard disk size when the actual final installed size of the OS is far below that limit.  Observe.

After creating a bootable USB key with the Universal USB Installer from Pendrive Linux, boot from the key, and at the Installer boot menu, choose Select Run Ubuntu from this USB to boot into a live session of the OS:
Double-click on the icon to Install Ubuntu 11.04.  At the Welcome window, Select your language, and use Alt-Left Click anywhere in the window to drag it up to click the Forward button, since the massive 800x480 resolution of the Eee PC isn't QUITE able to fit it all on-screen.

On the Preparing to install Ubuntu window, you'll see the specifications that you'll need "For best results" including:
  • has at least 4.4 GB available drive space
  • is plugged in to a power source
  • is connected to the Internet
This time, when you Alt-Left Click-and-Drag the window up, you'll find that the Forward button is greyed out.  So really instead of being suggestions for best results, these are actually requirements to even continue with the installer!  Finks.
Click the Quit button to return to the Ubuntu desktop.  Hit Alt+F2 and type:
  • gksu gedit /usr/lib/ubiquity/plugins/
Then on line 310 of that file, change the "fudge factor" from
  • min_disk_size = size * 2
  • min_disk_size = size * 1.4
Update: For Ubuntu 11.10, the same bug rears its ugly head, but instead of line 310, it's now on line 250.
Update 2: For Ubuntu 12.04, the file is now /usr/lib/ubiquity/ubiquity/, line 796.
Update 3: For Ubuntu 12.10, the file is still /usr/lib/ubiquity/ubiquity/

Click the Save button, exit the editor, and then double-click on the icon to Install Ubuntu 11.04 again.  Proceed through all the same windows, and this time you should find that the Forward button is no longer greyed out.  Hey, would you look at that!
Feel free to check the boxes to "Download updates while installing" and "Install this third-party software," and click the Forward button.  Once you finally get to the point where you get the Installation Complete message, click on the Restart Now button, go ahead and restart.  Once you login for the first time, run the Update Manager for any additional updates that didn't get picked up during the course of the installation.  When you open up a Terminal window, and run:
  • df -h
  • cat /proc/cpuinfo 
you will notice a few things.  First, the final installed size of the OS is actually only around 2.7 GB instead of the 4.4 GB that the installer was requiring .  Second, even though the processor in this netbook is a Celeron M 900, it is downclocked to 630 MHz.  This is fairly common, also happened by default with XP.  In both cases, additional utilities are required to get that back up to 900 or higher for better performance, but poorer battery life obviously.

Not that I'm playing favorites or anything, but for comparison purposes, a Fedora 15 installation on the same hardware comes out to a final installed size of 2.5 GB, and a clockspeed of the full 900 MHz, out of the box.

Anyway, hope that helps if there's any of you out there that are like me, a closet hoarder of technology, always looking to repurpose older tech, rather than dispose of or recycle it.  You can have my gadgets... if you can pry them from my cold dead fingers!

Monday, June 6, 2011

Forcing a Screen Resolution in Fedora 15

I love linux.  I really do.  It's gotten better and better over the years with functionality, hardware detection, and user friendliness.  Where it still falls flat on its face however is when something doesn't work as expected, most times it requires digging into some obscure configuration file somewhere to put in a custom fix, and Google becomes your best friend.  That and the fact that it's getting all GUI and bloated like Windows.  Ugh. ;-P

Anyway, I just wiped out my Fedora 12 linux server in order to install Fedora 15, primarily due to lack of updates for 12, but also just to play with the new GNOME 3.0, GNOME Shell, and service management tools.  I usually have it running headless, but every once in a while, do need to do something GUI based.  That's when I plug it into the nearest monitor, my trusty 4-year old 47" Vizio GV47LF.  This TV is fully 1080p (1920x1080@60Hz), but for whatever reason, it gives out incorrect EDID information over its VGA connection.  Its claimed maximum resolution is only 1360x768@60Hz.  This issue affected any operating system that I've had plugged in via VGA in the past, requiring custom fixes like using SwitchResX in Mac OS X (10.5.8) or PowerStrip in Windows.

With Fedora, I never bothered searching for a fix, as I usually connected to it via ssh and just didn't care enough to bother with it.  Had some time over the weekend to poke around and put together a pretty decent fix that should work well for most of you in a situation like mine where your monitor just isn't playing ball nicely.

First, after logging in, open up a Terminal and type:

xrandr -q

This should return to you a list of resolutions and refresh rates that the system is being told by your monitor that it supports.  In addition, you'll find the name of the output that the system has assigned to your monitor at the start of the second line.  The man pages refer to it as VGA, for example, but for my particular situation it was VGA1.

Next, you'll need to put together a modeline for your particular situation to outline the true display capabilities that your monitor supports.  In my case it was:

"1920x1080" 148.350 1920 2008 2056 2200 1080 1084 1089 1125 +hsync +vsync

Finally, what you'll need to do is go and edit "/etc/gdm/Init/Default".  This is a startup script that gets referenced whenever X is starting or restarting.  You may want to make a backup copy of the file first, you know, just in case.  You will need root access to modify this file.  Anyway, you'll want to add in three (3) lines right before the "exit 0" at the end of the file:

xrandr --newmode [your modeline here]
xrandr --addmode [your output here] 
xrandr --output [your output here] --mode [your new mode here]

In my example:

xrandr --newmode "1920x1080" 148.350 1920 2008 2056 2200 1080 1084 1089 1125 +hsync +vsync
xrandr --addmode VGA1 1920x1080
xrandr --output VGA1 --mode 1920x1080

Once those edits are added, save the file, and logout.  You should find that the changes take place immediately, and your login screen is now running at the full resolution that your monitor actually supported all along!

Hope that helps!

Sunday, June 5, 2011

Something's Not Quite Right...

Ok, so I've blogged about my fake attwifi hotspot using DD-WRT.  I've blogged about setting up a laptop in between that hotspot and the Internet for packet sniffing with Wireshark.  And I've mentioned doing other more interesting things like setting up the Upside-Down-Ternet.  I decided to put my money where my mouth is and build it out myself, potentially for demonstration purposes at our next security awareness presentation at the company I work for.  How many people in an audience of about 50 do you think I can get to auto-connect to my access point, just by virtue of them having their devices in their pockets?  We're about to find out in a couple of weeks.

After reading the main page for the Upside-Down-Ternet, I realized it was slightly more complicated than just running a script.  Turns out I needed to setup a squid proxy, a web server (likely apache), and some image manipulation tools on my laptop in order to automatically intercept Internet requests for linked images coming from my "victims", pull down those images myself for flipping, and rewrite the links to point to the flipped images on my own web server before delivering the web page to the client.  There is a pretty decent write-up about how to do this in a step-by-step fashion, but there are couple of differences/mistakes in certain sections:

  • Setting up the proxy - Good
  • Setting up the webserver - Instead of:
    • sudo chown www-data:www-data /var/www/images
      • it should be:
    • sudo chown proxy:proxy /var/www/images
      • Otherwise you'll end up with all sorts of permissions errors when squid tries to start manipulating and writing image files.
  • Image Script - Good
  • Networking Setup - Unnecessary, we're going to be taking care of this through our DD-WRT configuration
  • Cleaning Up - Unnecessary, you won't be running it for very long. *ahem*
Also, instead of doing all that sudo-ing, I prefer to just "sudo su" once to get a root shell, but maybe that's just me. Anyway, once you've got that all set up, you can go ahead and test it out locally on the laptop first. Open up Firefox and navigate to Edit --> Preferences --> Advanced --> Network --> Settings... --> Manual proxy configuration. Enter Port 3128 for the HTTP Proxy, and check the box to "Use this proxy server for all protocols."
Click OK to accept everything, then try going to your favorite sites to see the effects! Here's a couple of screenshots showing the updated sites that the original creator used:
If you can't get it to connect properly, or it just seems to be hanging, try kicking the services like so:
  • service squid restart
  • service apache2 restart
and that should work. Now, remember that whole proof-of-concept from the last blog entry? Well, once the router is setup to get Internet access through the laptop, you need to configure it so that anybody that connects to the router, goes through your new proxy. How do we do that? You'll need to use another device to manage the router for this, or you can temporarily connect the wireless interface of your laptop to the router instead of your real Internet connection to create a bit of a circular mess. :) Just remember to disconnect from attwifi and back to your true Internet connection on the laptop before calling it a day. In my case I used my iPad connected to attwifi to perform these steps.
  • In the DD-WRT interface, navigate to Services --> Hotspot --> HTTP Redirect.
  • Click the radio button to Enable this functionality, then for the HTTP Destination IP, enter in the IP address of the router's assigned gateway, which is also the IP adddress of the laptop's Ethernet interface. You can find that out easily by doing "ifconfig" on the laptop and looking for the IP address assigned to the "eth0" interface.
  • For the HTTP Destination Port, enter 3128.
  • For the HTTP Source Network, enter the CIDR address without the /24 or whatever your subnet mask might be.
  • Click Save and then Apply Settings at the bottom of the page and wait for the router to come back up.
At this point, everything should be good to go! Try it out from any mobile device connected to your router, and voila:
Mogrify has a TON of image manipulation options, so play around and see which one you like the most. In the meantime, I think at this point you probably all want me to come up with a new line of topics to blog about already. Don't worry, have a bunch in draft, coming soon.


Wednesday, June 1, 2011

Proof-of-Concept Evil Hotspot

So I recently built-out a new computer for the family common area, allowing me to repurpose that laptop for other nefarious tasks.  Ok, not really nefarious, i just wanted to have a decent test bed for trying out some of the latest versions of various flavors of Linux operating systems.  So the first one I'm trying is the newest Ubuntu, version 11.04.  One of the interesting capabilities that's been built into this OS for a couple of years now is Internet Connection Sharing whereby I can actually plug a device into the Ethernet port on my laptop and allow that device to piggy-back off of my laptop's existing Internet connection.  So of course I had to play around with it to see what I could do...

Enabling this functionality is actually extremely easy to do, and is well documented here.  Couple of screenshots to get the point across:
This functionality is extremely convenient in that it even pushes out a DHCP address to the connecting device.  So that's all well and good, but what can we DO with it?

Well, in my first blog post, I talked about how easy it was to spoof a legitimate hot spot's SSID, attwifi in my example, and some of the risks associated with connecting to those.  In my second post, I talked about Wireshark, and how easy it was to sniff traffic passing across the network to which you're connected.  Put 'em together and what have you got?  A method by which you can capture and view network traffic from mobile devices automatically connecting to you, trying to get Internet access.

Here's the setup: Internet connection --> Ubuntu laptop-Ethernet port --> WAN port-Asus WL-330GE Router-"Evil" attwifi network.

After you've configured Ubuntu to share out its Internet connection via the Ethernet port, and either rebooted or restarted the networking, your choice, you should find that the Internet-facing interface has reconnected back up, and the Ethernet interface will be ready to have a private address assigned to it, as per RFC 1918, once you plug in the router.  In my case, it was a 10.x.x.x address.

Now, plug in the wireless router's WAN port to the laptop's Ethernet port, and power up the router.  If it's configured to grab an IP address automatically via DHCP, it should also now have an IP address in the same subnet as the Ethernet interface of the laptop.  The wireless side of the router will now be broadcasting the new "evil" SSID, attwifi in my case.

Connect a "victim" device to the attwifi network, and you should find that you can get Internet access routed through the router --> laptop --> real Internet connection.  Now, run Wireshark on the Ubuntu laptop to capture clear-text traffic like http web traffic, smtp email traffic, telnet or ftp traffic, etc. sourced from your unwitting "victim" device.

One of the gotchas of running Wireshark on Ubuntu is that it will likely complain that there are no network interfaces to start capturing from.  This is because Wireshark needs root access to place those network interfaces into what's called "promiscuous mode," listening to all network traffic, not just that which is only intended for the system itself.  You can either "su" to root, or just "sudo wireshark" in order to get the necessary privileges to get Wireshark the access that it needs, and start capturing on the Ethernet interface of the laptop.  Done deal.

You also have the ability to do things like create a replica of a legitimate hot spot's captive portal to put up once someone connects to your "evil" one.  Then, you can capture a victim's hot spot credentials as well, in addition to their traffic once they've connected to you instead.  How easy is it?  Walk into a Starbucks, connect to their AT&T WiFi network, open up a browser, and when you get to their captive portal, from the File menu, just Save/Save Page As to pull down a copy of the site with all images and source code for your enjoyment.  Modify it to your liking, run it on your own webserver on the laptop, and you can even point to various Hotspot Services from the DD-WRT router firmware.

You can also have some more fun by creating a proxy on your laptop and causing some browsing mayhem doing something like serving up the Upside-Down-Ternet.  Watching the extremely confused looks on your victims' faces might actually be even more fun than just capturing their traffic and logon credentials, etc. :)

So the moral of the story hasn't changed, but let me summarize:

  • Disable mobile device wireless when not in use.
  • Be absolutely certain of what wireless networks you're connecting to and their legitimacy.
  • Use encrypted protocols whenever possible.
  • Don't do anything of a sensitive nature, like online banking or file transfers, when out and about using free, likely unsecured, wireless hotspots.
Like those Allstate commercials say, "Be better protected from mayhem like me.  Dollar for dollar, nobody protects you from mayhem like [gobitech]." :)

Monday, May 23, 2011

Wireshark - The Swiss Army Knife of Downloading Tools

In the Information Security industry, there are a wide variety of tools that can be used both for the forces of good and for evil.  One of these tools is called a packet sniffer which has the capability to listen in on the traffic passing along on the network that the system is connected to.  This can be extremely useful from a troubleshooting standpoint, or extremely dangerous as a vector of attack.  Over the last decade or so, most network environments have migrated from hubbed to switched, meaning network devices will only send traffic to the designated recipient system as opposed to blasting the traffic to all connected systems with the recipient system going, "Oh hey, that's meant for me."  This is definitely a good step for security, but also easily defeated with techniques like Address Resolution Protocol (ARP) poisoning, where an attacker can trick the network devices into sending traffic meant for someone else to them, listen in with a packet sniffer, and then forward the traffic along to the actual recipient.  This is accomplished by tricking both parties to update their ARP tables to map an IP address to an incorrect MAC address.  Another term for it is a Man-in-the-Middle attack.  One of the easier methods to do this is via a freely downloadable tool called Cain & Abel.  But I digress...

One of the absolute best packet sniffers available is another free tool called Wireshark.  This is a GUI tool with such an incredible amount of functionality built-in, that I feel like I'm still just starting to scratch the surface of everything that you can do with it.  I recently attended a SANS Voice-over-IP (VoIP) security course down in Orlando back in March where we were able to take a packet capture of network traffic and pull out the actual audio of bi-drectional calls that were being made with VoIP using this application.  Those of you using Vonage, magicJack, or any other consumer-grade VoIP product should probably be aware (or beware) that if you're on a shared network segment of any kind, e.g. cable modem, it's absolutely possible for someone to listen in on your conversations, capture touch tones (e.g. credit card numbers, PINS, etc.), and even listen to or inject audio into the conversation in real-time.  Scary stuff.

Anyway, enough with my security soap boxing, on to the good stuff.  Wireshark comes with the ability to pull files out of a network stream and save them out for later use.  Meaning you can fire up Wireshark, load up an mp3 in Grooveshark or a video in YouTube for example, and once it's done buffering, pull the file out of the packet capture, and listen to or watch that content as much as you want from your local hard drive, offline.  Intrigued yet?  First you'll need to download and install Wireshark.
  1. Click on the link above, and download the latest stable release for your system's architecture, currently at version 1.4.6.  Launch the installer, click through a bunch of Nexts, and don't forget to install WinPcap which makes the magic happen.
  2. Once it's installed, fire it up, and click on the first icon in the toolbar to "List the available capture interfaces..." Alternatively you can select Capture --> Interfaces from the menu.  Click the Start button next to the corresponding network connection that you want to listen in on.  Depending on your setup, there could just be one, but if not, typically it's the one that shows the most Packets passing through.
  3. Now load up Grooveshark/YouTube, select a song/video, and wait for the buffering to complete.  You do NOT need to wait and listen to/watch the whole thing, but you do need for the whole thing to buffer up first.  Just the buffering is enough.
  4. Once it's done buffering, in Wireshark, click on the fourth icon in the toolbar to "Stop the running live capture."  Alternatively you can select Capture --> Stop from the menu.
  5. Now navigate to File --> Export --> Objects --> HTTP.  You will see a TON of files from different sites listed, but there's only one that you're interested in.  For a Grooveshark song, it should have a Hostname, an audio/mpeg Content Type, a stream.php Filename, and likely it should be the largest in size (Bytes).  For a YouTube video, it should have, video/x-flv, videoplayback?something, and should also likely be the largest in size listed.
  6. Click on the entry, and you'll see a Processing window pop-up briefly and disappear.  Then click the Save As button in the lower right of the window.  Navigate to a location where you want to save the song/video and change it from stream.php to whatever-you-want.mp3 or for the YouTube video, whatever-you-want.flv.  Go ahead and play it.  You know you want to.  For the mp3s, you should find that any available meta-data came down with the file as well, like artist/song information, and album art.  For the videos, use whatever program you prefer to play flash videos.  I'm partial to VLC myself.
And now back to my soap box.  With tools like these that make eavesdropping on the network as easy as point-and-click, you really need to be aware of what you're doing on the Internet and what kind of security risks it comprises.  A few things to consider:
  • Never click on links in your emails.  Yes, this is more of a piece of phishing advice, but those links could lead you to a fake version of a site that you thought you were clicking to which can capture your information with something like Wireshark, and then pass you on to the real site, without you ever realizing it.  It can be done, I've done it for a security awareness demonstration before.  Always type in the website address yourself and do your best to validate that it is properly secured with SSL (that little padlock that says communication between you and the site is encrypted, even though this too can be faked).
  • Never give out sensitive information like your credit card number or PIN over the phone to someone that called you, especially if you're using consumer-grade VoIP at home.  There are even tools out there that can pull the corresponding numbers to (Wireshark) captured tone sounds, even if you never verbally spoke those numbers.  Always call the bank/credit card company directly yourself.
  • If your work requires you to send files back and forth electronically with another party, make sure to use encryption on the connection (SSH/SFTP/SCP/SSL), on the file with a password (PGP/GPG/AES), or ideally both.  Now that you've seen how easy it is to pull a file out of the network stream when it's not encrypted, it should be obvious to you that protocols like Telnet/FTP/HTTP just aren't going to cut it anymore when it comes to security.
Anyway, I hope that this post has served both to educate, entertain, and horrify.  Until next time. :)

Tuesday, May 17, 2011

attwifi Impersonation Experiment

I recently decided to conduct a little experiment in the name of science (or security, tech-geek curiosity, take your pick).  As many of you may already know, AT&T is behind many of the publicly available wifi hotspots located everywhere at places like Starbucks, McDonalds, etc.  For AT&T iPhone users, the first time that you connect to one of these hot spots, with an SSID of attwifi, your phone is then configured to automatically connect to these networks whenever they come in range so that you can get faster connectivity and avoid data usage charges on your 3G plans. Convenient, right?  Well, security and convenience have always butted heads together, causing headaches for all of those involved.  And that's where I come in.  I was wondering how many devices I could get to automatically connect to a wifi network that I was broadcasting from my backpack on my normal commuting route, which includes about a 3 mile drive, 25 minutes on the subway, and 3 blocks of walking...  roughly 45 minutes door-to-door.

I had previously purchased a portable wireless router, the Asus WL-330GE, and flashed a custom, linux-based firmware called DD-WRT onto it.  DD-WRT is a great alternative firmware for compatible routers as it enables features above and beyond those of the manufacturers' firmware, while providing rock solid stability.  I had another Asus router that was running for over 230 days with no issues until I accidentally, ahem, power cycled it.  Anyway, one of those features is to increase the power of the wifi radio, which came in handy for this experiment.  I gave the device an SSID of attwifi, turned off encryption, and enabled a pool of 50 IP addresses that could be given out automatically to any associated device that wanted one.  I hooked it up to a Griffin USB Reserve Power, and threw it into my backpack for the trip home from the office one day, slightly paranoid that the subway security personnel would come after me for carrying something with bright blue flashing LEDs onto the train.  The Griffin battery is able to provide a little under 2 hours of power to the router, perfect for my little project.  To give you an idea, the router itself is slightly smaller than a deck of cards.

I logged into the router from my own iPhone periodically during my commute to keep tabs on who, if anyone, was connecting.  And were there ever.  By the time I walked the four blocks from my office to the train station, the 50 IP addresses were already all spoken for!  Surprisingly, a majority of the devices that hooked into my router were blackberries, with iPhones coming in second, and Android devices and iPads trailing a distant 3rd and 4th.  For a second run of the experiment later on, I increased the number of available IP addresses to 253, and got 107 devices to connect to me over the course of the commute, one-way!

One of the other features of the DD-WRT firmware is the ability to see who is connected and their relative signal strengths as well.  Sitting on the train on the way home, I took a look at the list and at any point in time had half a dozen or so connected clients.  The amusing thing was, I was basically able to put a name to a face when iPhone users were connected.  The name of the client device is typically [name]'s-iPhone.  So when the signal strength says 98% for Marcia's-iPhone and there's only one woman in my immediate vicinity with an iPhone out, tapping away furiously, wondering why she can't get online, chances are, that's Marcia.

So what does this mean?  Well, from a security standpoint, it's no longer about making sure that your own devices/computers/etc. are fully patched, up-to-date, locked down, etc., to keep the bad guys out.  Now more than ever, with the emergence of mobile technologies, you need to be cognizant of the bad guys that you could potentially be connecting to either willingly or unknowingly.  At best, I could cause a denial-of-service attack, meaning these devices which all prefer wifi over 3G connectivity automatically, connect to my setup, which isn't connected to the Internet at all, and they get nowhere fast.  Marcia's case in point.  At worst, I could setup a system which would pass them through to the Internet just as they expected, but capturing everything that they do along the way beforehand, like passwords, credit card numbers, email and chat messages, etc.  EVERYTHING.  The same risks apply to things like free hotel wifi networks, Panera, Barnes & Noble, etc.

Moral of the story, make absolutely certain that the wireless networks that you're connecting to are the legitimate ones that you're expecting, and it's good practice to disable automatically connecting to wireless networks (unencrypted or otherwise) unless you absolutely need them.  This means turning off wifi functionality until you need it.  I'd be willing to bet that a good majority of my "victims" weren't even using their devices at the time, they were just auto-connecting from their holsters/purses/pockets and such.  As "Mad-Eye" Moody from Harry Potter always says, "Constant Vigilance!"