
Building the BoKS Puppet module


Yesterday I published the BoKS Puppet module on Puppet Forge! So far I've sunk sixty hours into making a functional PoC, which installs and configures a properly running BoKS client. I would like to thank Mark Lambiase for offering me the chance to work on this project as a research consultant for FoxT. I'd also like to thank Ger Apeldoorn for his coaching and Ken Deschene for sparring with me. 


BoKS Puppet module at the Forge.


In case anyone is curious about my own build process for the Puppet module, I've kept a detailed journal over the past few months which has now been published as a paper on our website -> Building the BoKS Puppet module.pdf


I'm very curious about your thoughts on it all. I reckon it'll make clear that I went into this project with only limited experience, learning as I went :)




Games I love(d): Stardew Valley

A screenshot from The Mirror



While I might play games often, I don't play a multitude of games. I like sinking quite some time into games that are really good, instead of jumping to and fro. I often get suggestions for good games from the likes of Penny Arcade or other gaming blogs/comics. Case in point: I found out about 2015's indie hit Stardew Valley.


I've never played Harvest Moon games, despite knowing they're pretty darn good. I've been wanting to get into it, but never did. Imagine my joy when I learned about Stardew Valley, the bastard lovechild of Harvest Moon, Animal Crossing and modern-day indie game and modding mentality. I'll let some reviews do the explaining: Ars Technica and PC Gamer.


Why do I love it so much? Mostly because:



  • The pace. You're completely free in how you want to play the game: want to min-max and power your way through the first three years building a mega-farm? Go ahead! Want to putter about, taking in the sights, talking to the people and just raising a few crops? Do it :)

  • The graphic design. The game looks lovely in all of its 16-bit era glory.

  • The music. Just listen to the sample above! If that doesn't take you back to Secret of Evermore, I don't know what will!


It's hard to believe that all of it was made by a single person! Sure it took him four years, but still!



Passed my CEH and took part in a CTF


Today was a day well spent!


This morning I passed my CEH examination in under 45 minutes. Bam-bam-bam, answers hammered out with time to spare for coffee on my way to Amstelveen. A few weeks back I'd started this course expecting some level of technical depth, but in the end I've concluded that CEH makes a nice entry-level course for managers or juniors in IT. One of my colleagues in the SOC had already warned me about that ;) I still had lots of fun with my fellow IT Gilde members, playing around during the evening-time classes set up in cooperation with TSTC.


Why go to Amstelveen? Because it's home to KPMG's beautiful offices, which is where I would take part in a CTF event co-organized by CQure! This special event served as a trial-run for a new service that KPMG will be offering to companies: CTF as a training event. Roughly twenty visitors were split across four teams, each tackling the same challenge in a dedicated VM environment. My team consisted mostly of pen-testing newbies, but we managed to make nice headway by working together and by coordinating our efforts through a whiteboard. 


This CTF was a traditional one, where the players are assumed to be attacking a company's infrastructure. All contestants were given VPN configuration data, in order to connect into the gaming environment. KPMG took things very seriously and had set up separate environments for each team, so we could have free rein over our targets. The introductory brief provided some details about the target, with regards to their web address and the specific data we were to retrieve.


As I mentioned, our room was pretty distinct insofar that we were 90% newbies. Thus our efforts mostly consisted of reconnaissance and identifying methods of ingress. I won't go into details of the scenario, as KPMG intends to (re)use this scenario for other teams, but I can tell you that they're pretty nicely put together. They include scripts or bots that simulate end-user behaviour, with regards to email and browser usage. 


CQure and KPMG have already announced their follow-up to this year's CTF, which will be held in April of 2017. They've left me with a great impression and I'd love to take part in their next event!



New project: security assessment of a home security system

(C) Kerui Secrui

Recently I've been seeing more and more adverts pop up for "cheap" and user-friendly home alarm systems from China. Obviously you're going to find them on Alibaba and MiniInTheBox, but western companies are also offering these systems and sometimes at elevated prices and with their own re-branding. Most of these systems are advertised as a set of a central panel, with GSM or Wifi connection, a set of sensors and a handful of remotes.


Between the apparent popularity of these systems and my own interest in further securing our home, I've been wanting to perform a security assessment of one of these Chinese home security systems. After suggesting the project to my employer, Unixerius happily footed the bill on such a kit, plus a whole bunch of extra lovely hardware to aid in the testing! 


For my first round of testing, I grabbed a Kerui G19 set from AliExpress.


I'm tackling this assessment as a learning experience, as I have no prior experience in most of the areas that I'll be attacking. I plan on having a go at the following:



  • RF hacking of the communications between the remotes, the sensor and the central panel.

  • Hardware hacking of the central panel, in an attempt to learn more about its firmware and OS. 

  • Ditto for the IP camera.

  • Workings of the smartphone apps for the security system and the IP camera.

  • Network traffic to and from the central panel and the IP camera.


The last item on the list is the only one I'm actually familiar with. The rest? Well, I'm looking forward to the challenge!


Has research like this been done before? Absolutely, I'm being far from original! One great read was Bored Hacker's "How we broke into your home". But I don't mind, as it's a great experience for me :)



First steps in RF hacking


The first part of my current project that I wanted to tackle was the "RF hacking" part: capturing, analyzing, modifying and replaying the radio signals sent and received by a hardware device.


Home alarm systems (or home automation systems in general) often use one of two RF bands: 433MHz or 868MHz. As far as I understand it, 433MHz is often used by lower-end or cheaper systems; I haven't figured out why just yet. In the case of the Kerui G19 alarm, the adverts tell you from the get-go that it uses 433MHz for its communications.


Cracking open one of the remotes I find one basic IC in there, the HS1527 (datasheet). The datasheet calls it an "OTP encoder", but I haven't figured out what OTP stands for in this case. I know "OTP" as "One Time Password" and that's also what the datasheet hints at ("HS1527 hai a maximum of 20 bits providing up to 1 million codes.It can reduce any code collision and unauthorized code scanning possibilities.") but can't be that because the Kerui remotes send out the exact same code every time. HKVStar.com has a short discussion on the HS1527, calling it a "learning code" as opposed to a "fixed code" (e.g. PT2262), but the only difference I see is 'security through obscurity', because it simply provides a large address space. There is no OTP going on here!


The datasheet does provide useful information on how its bit patterns are generated and what they look like on the output. The four buttons on the remote are tied 1:1 to the K0 through K3 inputs, so even if HS1527 can generate 16 unique codes, the remote will only make four unless you're really fast. 


After that I spent a lot of time reading various resources on RF sniffing and on 433MHz communications. Stuff like LeetUpload's articles, this article on Random Nerd, and of course lots of information at Great Scott Gadgets. Based on my reading, I put together a nice shopping list:



And cue more learning! 


GQRX turns out to be quite user-friendly and, while hard to master, isn't too hard to get a start with. It's even included with the Kali Linux distribution! Using GQRX I quickly confirmed that the remotes and control panel do indeed communicate around the 433MHz band, with the panel being at a slightly higher frequency than the remotes. With some tweaking and poking, I found the remote to use AM modulation without resorting to any odd trickery.



GQRX diligently gave me a WAV file that can be easily inspected in Audacity. Inspecting the WAV files indicated that each button press on the remote sends out multiple repeats of the same bitstream. Zooming into the individual bitstreams you can make out the various patterns in the signal, but I had problems matching it to the HS1527 datasheet for the longest time. For starters, I never saw a preamble, I counted 25 bits instead of 20+4 (address+data), and the last 4 bits showed patterns that should only occur when more than one button is pressed.



Then it hit me: that 25th bit is the preamble! The preamble is sent back-to-back with the preceding bitstream. Doh!


Just by looking at the GQRX capture in Audacity, I can tell that the address of this particular remote is 10000100001100110001 and that 0010 is the data used for the "disarm" signal. 


Time for the next part of this experiment; let's break out the Arduino! Again, the Arduino IDE turns out to be part of the Kali Linux distro! Awesome! Some Googling led me to Suat Özgür's RC-Switch library, which comes with a set of example programs that work out-of-the-box with the 433MHz transceivers I bought.


Using the receiver and sniffing the "disarm" signal confirms my earlier findings:



Decimal: 8663826 (24Bit) Binary: 100001000011001100010010 Tri-State: not applicable PulseLength: 297 microseconds Protocol: 1


Raw data: 9228,864,320,272,916,268,920,272,912,276,908,872,308,284,904,280,904,280,912,276,904,872,320,868,312,280,908,276,912,868,312,876,324,276,900,276,908,280,908,876,312,280,908,280,904,880,312,276,908,


Decimal: 8663826 (24Bit) Binary: 100001000011001100010010 Tri-State: not applicable PulseLength: 297 microseconds Protocol: 1


Raw data: 14424,76,316,280,904,288,896,280,904,20,1432,36,1104,36,912,280,904,284,900,280,908,876,312,872,308,280,908,88,272,120,928,128,756,24,224,20,572,44,1012,32,800,24,188,32,964,68,1008,44,856,



The bitstream matches what I saw in Audacity. Using Suat's online parsing tool renders an image very similar to what we saw before.
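As an added example (not code from this post or from the RC-Switch project), here is a small Python decoder that turns the "Raw data" pulse list above back into the HS1527 address and data fields, deriving the pulse length from the sync gap the way RC-Switch's Protocol 1 does, and rejecting the noisy second capture instead of guessing bits from it. Both capture strings are copied from the receiver output above; the 60% tolerance is RC-Switch's default.

```python
# Both lines are the "Raw data:" output the RC-Switch receiver sketch printed
# for the "disarm" button, copied from the post: a clean frame and a noisy one.
CLEAN_CAPTURE = ("9228,864,320,272,916,268,920,272,912,276,908,872,308,284,904,280,904,280,912,"
                 "276,904,872,320,868,312,280,908,276,912,868,312,876,324,276,900,276,908,280,"
                 "908,876,312,280,908,280,904,880,312,276,908,")
NOISY_CAPTURE = ("14424,76,316,280,904,288,896,280,904,20,1432,36,1104,36,912,280,904,284,900,"
                 "280,908,876,312,872,308,280,908,88,272,120,928,128,756,24,224,20,572,44,1012,"
                 "32,800,24,188,32,964,68,1008,44,856,")

# HS1527 framing (datasheet / RC-Switch "Protocol 1"), with T the unit pulse:
#   preamble = 1T high + 31T low, bit 0 = 1T high + 3T low, bit 1 = 3T high + 1T low,
#   24 bits per frame: 20 address bits followed by 4 data bits (K0..K3).
SYNC_LOW_UNITS = 31
CODE_BITS = 24
ADDRESS_BITS = 20
TOLERANCE = 0.60   # RC-Switch's default receive tolerance (60 %)


def parse_raw(line):
    """Turn the comma-separated microsecond list into integers."""
    return [int(v) for v in line.strip().rstrip(",").split(",") if v]


def decode_hs1527(timings):
    """Return (bit string, pulse length in us) or None if the capture is not a clean frame.

    timings[0] is the long low part of the preamble; the rest are (high, low) pairs.
    """
    if len(timings) != 1 + 2 * CODE_BITS:
        return None
    unit = timings[0] / SYNC_LOW_UNITS   # estimate T from the 31T sync gap
    tol = unit * TOLERANCE

    def near(value, units):
        return abs(value - unit * units) < tol

    bits = []
    for i in range(1, len(timings), 2):
        high, low = timings[i], timings[i + 1]
        if near(high, 1) and near(low, 3):
            bits.append("0")
        elif near(high, 3) and near(low, 1):
            bits.append("1")
        else:
            return None   # glitch or noise: this pulse pair fits neither symbol
    # RC-Switch reports the integer pulse length (timings[0] / 31 in C integer math)
    return "".join(bits), timings[0] // SYNC_LOW_UNITS


def split_code(bits):
    """Split a 24-bit HS1527 code into its fixed address and the 4 key bits."""
    return {"address": bits[:ADDRESS_BITS],
            "data": bits[ADDRESS_BITS:],
            "decimal": int(bits, 2)}


def analyse(line):
    """Decode one raw capture; None means the frame should be discarded, not replayed."""
    decoded = decode_hs1527(parse_raw(line))
    if decoded is None:
        return None
    bits, pulse = decoded
    fields = split_code(bits)
    fields["pulse_length_us"] = pulse
    return fields


if __name__ == "__main__":
    for name, line in (("clean", CLEAN_CAPTURE), ("noisy", NOISY_CAPTURE)):
        print(name, analyse(line))
```

Because the address field is the same in every decoded frame and there is no counter or nonce in the 24 bits, a receiver has nothing to distinguish a genuine press from a recorded one, which is exactly what the replay below exploits.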



So, what happens if we plug that same bitstream into the basic transmission program from RC-Switch? Let me show you!



If the YouTube clip doesn't show up: I press the "arm" button on the alarm system, while the Arduino in the background is sending out two "disarm" signals every 20 seconds.


To sum it up: the Kerui G19 alarm system is 100% vulnerable to very simple replay attacks. If I were to install this system in my home, then I would never use the remote controls and I would de-register any remote that's tied to the system. 



First steps in hardware hacking


Having come a long way in the RF-part of my current security project, I decided to dive into the hardware part of my research. The past few weeks have been spent with a loupe, my trusty multimeter, a soldering iron and some interesting hardware!


Cracking the shell of the Kerui G19 shows a pretty nice PCB! All ICs and components are on the backside, the front being dedicated to the buttons and the business end of the LCD panel. Opening the lid on the back immediately shows what look like unterminated service pins (two sets of them), which is promising.


What's less promising, is that the main IC is completely unmarked. That makes identifying the processor very hard, until I can take a crack at the actual firmware. My initial guess was that it's some ARM7 derivative, because the central panel mostly acts like a dressed-down feature phone with Android. A few weeks later that guess feels very, very off and it's most likely something much simpler. As user PedroDaGr8 mentioned on my Reddit thread about the PCB:


"Most people would assume an ARM in this case. In reality, it might be ARM, PIC, AVR, MIPS, FPGA, CPLD, H78, etc. Any of these could fulfill this role and function. It often depends on what the programmer or programming team is familiar with. I have seen some designs from China before, that used a WAY OVERKILL Analog Devices Blackfin DSP processor as the core. Why? Because it was cheaper to use the guys they had that were proficient at programming in Blackfin than to hire new guys for this one product."


So until I can analyse the firmware, the CPU could be just about anything! :D


There are many great guides online on the basics of hardware hacking, like DevTTYs0's "Reverse engineering serial ports" or Black Hills Security's "We can hardware hack, and you can too!". Feeling confident in their teachings, I took to those service pins with my multimeter. Sadly, both rows had a pin count that's not consistent with UART consoles, but I didn't let that discourage me. Based on the measured voltages I hooked up my PL2303 UART-to-USB adapter, to see if I could find anything useful.


No dice. Multiple pins provided output onto my Picocom console, often with interspersed Chinese unicode characters. But no pins would react to input and the output didn't look anything like a running OS or logging. 


Between the lack of identification on the CPU and the lack of clear UART ports, it was time for hard work! I took a page from the book of Joffrey Czarny & Raphaël Rigo ("Reverse engineering hardware for software reversers", slide 11) and started mapping out all the components and traces on the PCB. Instead of using their "hobo method" with GIMP, I one-upped things by using the vector editor Inkscape. My first few hours of work resulted in what you see above: a mapping of both sides of the PCB and the interconnections of most of the pins.


Thus I learned a few things:



  1. Damn! There's at least one hidden layer of traces on the inside of the PCB. I have deduced the existence of a number of connections that cannot be visually confirmed, only by measuring resistance. 

  2. The service headers under the backside lid (CN11 and CN3) are both connected to the CPU, with CN3 probably having served to flash the firmware into the EN25-F80 EEPROM.


Status for now: lots of rewarding work and I have a great SVG to show for it. And I've gotten to know my Arduino and PL2303 a bit better. But I haven't found anything that helps me identify an OS or a console port yet. I'll keep at it!!



Continued RF hacking of a home alarm system


Continuing where I left off last time (replay attack using a remote), I wanted to see how easy it would be to mess with the sensors attached to the Kerui home alarm system that I'm assessing. 


For starters, I assumed that each sensor would use the same HS1527 with a different set of data sent for various states. At least in the case of the magnet sensors, that assumption was correct. The bitstreams generated by one of the contacts are as follows:



  • OPEN: 011111010100100000001110 (1110)

  • CLOSE: 011111010100100000000111 (0111)

  • TAMPER: 011111010100100000001011 (1011)


As I proved last time, replaying any of these codes is trivial using an Arduino or similar equipment. Possible use cases for miscreants could include:



  1. Trick the alarm into thinking an open door is closed, before the alarm gets armed. That way the home owner does not get alerted about leaving something open when leaving the home. 

  2. Trick the alarm into thinking a window opened, after the alarm gets armed. Do this often enough, a few nights a week, and the home owner will get fed up with the alarm and just disable it. 


Going one step further, I was wondering whether the simple 433MHz transmitter for my Arduino would be capable of drowning out the professionally made magnet contacts. Using Suat Özgür's RC-Switch library again, I set the transmitter to continuously transmit a stream of ones. Basically, just shouting "AAAAAAAAAHHHHH!!!!!" down the 433MHz band.


Works like a charm, as you can see in the video below. Without the transmitter going, the panel hears the magnet contact just fine. Turning on the transmitter drowns out any of the signals sent by the contact.




Offensive Security PWK - CTF

Faraday Security pentest

So far I'm loving OffSec's live classroom PWK course (Pen-Testing with Kali Linux), mostly because it actually requires quite some effort while you're there. No slouching in your seats, but axe-to-the-grindwheel hands-on work. But last night was a toughie! As part of the five-day course, the Thursday evening offers an additional CTF where all students can take part in attacking a simulated company.


The initial setup is quite similar to the events which I'd experienced at Ultimum and at KPMG: the contestants were divided into teams and were given VPN login details. In this case, the VPN connection led us straight into the target company's DMZ, of which we were given a basic sketch. A handful of servers were shown, as well as a number of routers/firewalls leading into SCADA and backoffice networks. As usual, the challenge was to own as many systems as possible and to delve as deeply into the network as you could.


Let me tell you, practicing coursework is something completely different from trying the real deal. Here we are, with 32 hours of practice under our belt and all of a sudden we're spoilt for choice. Two dozen target hosts with all manner of OSes and software. In the end my team concluded that it was so much that it'd left our heads spinning and that we should have focused on a small number of targets instead of going wide. 


Our initial approach was very nice: get together as a group, quickly introduce each other and then form pairs. With a team of 8-10 people, working individually leads to a huge mess. Working in pairs, not only would we have two brains on one problem, but that would also leave more room for open communication. We spent the first 45 minutes on getting our VPN connections working and on recon, each pair using a different strategy. All results were then poured into Faraday on my laptop, whose dashboard was accessible to our teammates through the browser. I've been using Faraday pretty extensively during the PWK course and I'm seriously considering using it on future assignments!


After three grueling hours our team came in second, having owned only one box and having scored minor flags on other hosts. I'm grateful that the OffSec team went over a few of the targets today, taking about 30min each to discuss the approach needed to tackle each host. Very educational and the approaches were all across the board :)




I love Microsoft's documentation!

Four Windows servers on one laptop

A bit over a year ago I first started working with Microsoft's Active Directory, integrating it with BoKS Access Control. At the time, I was impressed by Windows Server 2012 and 2016 and the ease with which I could set up an AD forest with users. 


I'm now learning how to build a two-tier PKI infrastructure, after seeing them in action at various previous clients. I've been on the consuming end of PKI for years now and I thought it was time to really know how the other end works as well! I must say that I love Microsoft's generosity when it comes to documentation! Not only do they provide proper product docs, but they also have online tutorials in the form of TLGs: test lab guides. Using these, you can self-teach the basics of a subject, and then build up from there.


The 2012 Base TLG helps you build a basic AD forest of systems. I can follow it up with the two-tier PKI infrastructure TLG, which helps me set up an offline root CA and an issuing CA, along with automatically enrolling any new systems in the network that need SSL certs. Awesome!


I'm similarly ecstatic about the performance of my MacBook Air. It's a tiny, super-portable system, but it still doesn't balk at running my usual applications plus four full-fledged Windows Server 2012 hosts. Nice!


EDIT:


Ammar Hasayen also did a nice write-up, which appears to be based upon the two-tier PKI TLG but which adds additional details.


Microsoft also offers a third great resource, their MVA: Microsoft Virtual Academy. They have a course on two-tier PKI with ADCS as well.



Hooray for Google's free projects


A few weeks ago, I reopened commenting on this site after having it locked behind logins for years. Since then the number of spam submissions has been growing steadily. Sucks, so I finally took the time to implement proper spam checking. Enter Google's free project reCaptcha. Of course I realize that, if something's free on the web, it probably means that I'm the product being sold. I'll have to poke around the code to see what it actually does :)


CodexWorld have a great tutorial on getting reCaptcha to work in a basic script. Took me less than an hour to get it all set up! Lovely!



OSCP: Is the Pentesting With Kali (PWK) course worth it?


One of my past colleagues reached out to me today, asking me this:



I'm still an OSCP wannabe, but probably it is too technical for me. I'm still not sure. Could you please share if a pre-exam training is worth its price or what is your practical - cutting off 'try harder' ;-) - advice to pass it?



I'll post my reply here, because I've been telling people this very thing for the past few weeks.


I've always thought OffSec's online PWK training to be well worth the money! $1150 gets you a huge PDF with all the course work, a few hours of videos and 90 days of lab access. It also includes your first exam attempt. For a training of this quality, that's really not a lot of money! You could even opt to pay even less, getting only 30/60 days of lab access.


The classroom variant is something else entirely though. It's a LOT more expensive, at roughly $6000. That's for a week's on-site training, including a CTF event on one night. You also get the same PDF and videos, the included exam, but only 30 days of lab access. For me, it was well worth it because it was five days of non-stop hacking in a room with 30 other students and two top-notch trainers.  


Something that saved me time and money: during the classroom training you receive the two most important VMs, which you can use on your OWN laptop. Thanks to that, I didn't have to start my lab access until I'd finished >90% of my exercises. In the online PWK you use lab access to work on your exercises!  


The course is always worth it before taking the exam: submitting a proper report of your coursework may net you 5 bonus points on the exam. Submitting a pen-test report for the labs may net you a further 5 bonus points. On a minimal passing score of 70, those 10 points can really help a lot!  


So yeah. Definitely work through all the coursework to get into it and score points. Then play a lot in the labs, for both practice and more points. Then take the exam when your time's up. Always do the exam! Because if you fail your exam and then renew your labs, OffSec will include a "free" retake of your exam with the new lab time! Totally worth it! That way your "failed" exam becomes a recon mission that teaches you a lot!



OSCP: more questions


Here's another question I've had a few times, which came to me again this weekend:



"I'm really surprised you had the confidence to tackle the exam with just 19.


Is this your bread and butter? Was this simply to formalize existing knowledge for you?"



To be honest, I was just as surprised that I passed! No, I don't have work experience in the field of pen-testing; I've only done two or three CTFs.


My original intention with my exam was to consider it a recon mission for my second exam. I was sure that 19 out of 55+ hosts was not enough to be prepared for the exam. I went into the exam fully reconciled with the idea that failing was not just an option, but all but assured. The exam would be a training mission, to learn what to expect.


The day before my exam I had practiced exploiting a known buffer overflow in EasyRMtoMP3Converter (EXE). Here's the CoreLan writeup from 2009. Using the approach I learned during the PWK class and by studying various published exploits, I built my own Python script to exploit the software. After some additional work, the code worked against both Windows 7 and XP. 


This extra practice paid off, because I managed to finish the BOF part of the exam within two hours. This was basically the wind in my sails, what got me through the whole exam. After finishing the BOF I dared to hope that I might actually have a chance :) And I did. 



Starting something new - SLAE: SecurityTube Linux Assembly Expert


The ecstasy of achieving the OSCP certification didn't last long for me. Sure, I'm very happy and proud that I passed, but not two days later I was already yearning to move on! I wanted to get back to the PWK Labs, to finish the other thirty-odd servers. I wanted to retake the exam a second time. I wanted more challenge! So I set to making a list!



  • I'd love to take the three Microsoft MCSA exams for Windows 2016, considering how my new job involves a lot of AD and Windows. 

  • My RHCSA and RHCE certs from RedHat will expire later this year, so I should take a look at retaining those by retaking their exams. 

  • Offensive Security's follow-up to OSCP, the CTP course and OSCE exam, sounds awesome! But it's a bit expensive.

  • I've been eyeing the CoreLAN exploit-writing course and wanted to go to BruCon this fall, but sadly that course has already sold out. Maybe another time. 


As something in between, I've signed up for SecurityTube's SLAE course: they teach you basic x86 assembly programming, to build and analyze Linux shellcode. Sounds very educational! And at only $150 for the course and exam it's a steal! I'll be blogging more about this in the future :)


Signing up for the course went easily and I got all the details within a day. However, actually getting the course files proved to be a struggle! There are three ZIP files, totalling roughly 7GB. They're stored in Amazon S3 buckets, which usually implies great delivery speeds. However, it seems that in this case SecurityTube have opted not to have any edge locations or POPs outside their basic US-WEST location. This means that I was sucking 7GB down a 14kbps straw :( That just won't do! Downloads were horribly slow!


After double-checking that the issue did not lie with our home network, I attempted to download the files using my private server in the US: speeds were great. However, downloading from my own server wasn't much faster. Darn. Maybe there's another hiccup? Two of my colleagues suggested using a VPN like PIA; sure, that's an option. But I've been meaning to look into Amazon's AWS service, which allows you to quickly spin up virtual machines across the globe, so I went with that.


I built a basic Ubuntu server in Frankfurt and downloaded the files from the US. Seeing how both the source and destination were on Amazon's network, that went perfectly fine. Grabbing the files from my Frankfurt system also went swimmingly. So after two days of bickering I finally have the course files on my laptop, ready to go :)



MacOS, Steam and legacy controllers


Ten years ago, almost to the day, we bought a Playstation2 to play rhythm games like DDR and Guitar Hero. The console and its games have long since been relegated to storage, but one of the DualShock controllers is still with us in the living room. Our friend Baris once gifted us a LikSang SmartJoy Playstation2-to-USB converter, which I've been using in OpenEmu to play classic SNES games with Dana. 


In this month's Steam Summer Sale I grabbed two great games, "Ori" and "Hollow Knight", which play better using a controller. Unfortunately they don't recognize the SmartJoy out of the box, so I had to do some research. "JoystickMapper" to the rescue! It'll work with just about any controller and can be used to map buttons to keyboard actions, which most Mac and PC games support. Now I won't have to shell out bucks for a new controller! /o/ Well worth the five euros for JoystickMapper.



Building an on-premise Stratum-1 NTP server


Recently I've been poking around NTP time servers with a few friends. Our goal was to create an autonomous, reliable and cheap NTP box that could act as an on-premise, in-house Stratum-1 time server. In a world filled with virtual machines that don't have their own hardware clocks, but whose applications demand very strict timekeeping, this can be a godsend.


I could write pages upon pages of what we've done, but the RPi Fatdog blog has a great article on the subject.


Using just one Raspberry Pi and a reliable RTC (real-time clock) module you can create an inexpensive time server for your network. The RTC they're referring to supposedly drifts about a minute per year; still not awesome, but alright. *


This setup works well and Windows servers will happily make use of it! Linux NTP clients and other, stricter NTP software will balk at the fact that your Stratum-1 box was never synchronized with another time source. This is proven by the ntpdate command refusing to sync:


$ ntpdate timeserver
4 Mar 12:27:35 ntpdate[1258]: no server suitable for synchronization found


If you turn on the debugging output for ntpdate, you'll see an error that the reference time for the host is in 1900, which is the Epoch time for NTP. The example below shows reftime (though not in 1900):


ntpq>rv
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg
system="UNIX", leap=00, stratum=2, rootdelay=280.62,
rootdispersion=45.26, peer=11673, refid=128.4.1.20,
reftime=af00bb42.56111000  Fri, Jan 15 1993  4:25:38.336, poll=8,
clock=af00bbcd.8a5de000  Fri, Jan 15 1993  4:27:57.540, phase=21.147, freq=13319.46, compliance=2
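To make that failure mode concrete, here is an added Python example (not code from this post, from ntpdate or from the RPi Fatdog article) that parses a 48-byte NTP server reply and applies simplified sanity checks in the spirit of what a strict client does: it flags a reply whose reference timestamp is still the NTP epoch (1900), whose leap indicator says "unsynchronized", or whose stratum is out of range. The two replies it checks are constructed: a never-synchronized "Stratum-1" RPi and a healthy Stratum-2 peer whose refid is an assumed S-1 address (192.0.2.10).

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)   # NTP timestamps count from 1900
LEAP_UNSYNC = 3       # leap indicator 0b11: clock never synchronized
MAX_STRATUM = 15      # stratum 16 on the wire means "unsynchronized", 0 is invalid/kiss-o'-death
# 48-byte NTPv4 header: LI/VN/Mode, stratum, poll, precision, root delay, root
# dispersion, refid, then four 64-bit timestamps (reference, origin, receive, transmit)
PACKET_FORMAT = "!BBbbIII" + "II" * 4


def ntp_time(seconds, fraction=0):
    """Convert a 64-bit NTP timestamp (seconds since 1900 + 32-bit fraction) to UTC."""
    return NTP_EPOCH + timedelta(seconds=seconds + fraction / 2 ** 32)


def build_reply(leap, stratum, refid, reftime_seconds, xmt_seconds):
    """Constructed server reply (version 4, mode 4); fields we don't care about are zero."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    return struct.pack(PACKET_FORMAT, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       reftime_seconds, 0,        # reference timestamp
                       0, 0,                      # origin timestamp
                       xmt_seconds, 0,            # receive timestamp
                       xmt_seconds, 0)            # transmit timestamp


def parse_reply(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(PACKET_FORMAT, data[:48])
    stratum = f[1]
    # Stratum 0/1 carry a 4-char ASCII refid (e.g. LOCL, GPS); others carry an IPv4 address
    raw_refid = f[6].to_bytes(4, "big")
    refid = raw_refid.decode("ascii", "replace") if stratum <= 1 else ".".join(map(str, raw_refid))
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": stratum, "refid": refid,
            "reftime_raw": f[7], "reftime": ntp_time(f[7], f[8]),
            "transmit": ntp_time(f[13], f[14])}


def sync_problems(reply):
    """Reasons a strict client would refuse this server; an empty list means it is usable.

    These are a simplified model of the checks, not ntpdate's actual source code.
    """
    problems = []
    if reply["leap"] == LEAP_UNSYNC:
        problems.append("leap indicator says unsynchronized")
    if reply["stratum"] == 0 or reply["stratum"] > MAX_STRATUM:
        problems.append("stratum %d is out of range" % reply["stratum"])
    if reply["reftime_raw"] == 0:
        problems.append("reference time is the NTP epoch (1900): never synchronized to anything")
    return problems


# Constructed sample time for the replies: the moment of the ntpdate attempt above
NOW = int((datetime(2017, 3, 4, 12, 27, 35, tzinfo=timezone.utc) - NTP_EPOCH).total_seconds())

# A lone RTC-backed RPi claiming stratum 1 but never having synced to a reference
UNSYNCED_S1 = build_reply(leap=LEAP_UNSYNC, stratum=1,
                          refid=int.from_bytes(b"LOCL", "big"),
                          reftime_seconds=0, xmt_seconds=NOW)
# A stratum-2 box that synced off an S-1 (assumed address 192.0.2.10) a minute ago
HEALTHY_S2 = build_reply(leap=0, stratum=2,
                         refid=int.from_bytes(bytes([192, 0, 2, 10]), "big"),
                         reftime_seconds=NOW - 64, xmt_seconds=NOW)

if __name__ == "__main__":
    for name, pkt in (("unsynced S-1", UNSYNCED_S1), ("healthy S-2", HEALTHY_S2)):
        r = parse_reply(pkt)
        print(name, r["stratum"], r["refid"], r["reftime"].isoformat(), sync_problems(r))
```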


The quick and easy work-around for this issue is to simply create both Stratum-1 and Stratum-2 in-house :) Have one RPi run as S-1, with 2 or 3 RPis working as S-2, which sync their time off the S-1 and are peered among themselves. Any NTP client will then happily accept your S-2 boxes as NTP source.


Better than nothing! And cheap to boot. 


 


*: Remi Bergsma wrote an interesting article about Raspberry Pi clock accuracy, with and without RTC.




Speedrunning Redhat's EX413 exam

booking confirmation

Over the past few weeks, I've been setting up a pen-testing coaching track for ITGilde. I'd planned my agenda for Q3/Q4/Q1 accordingly and had even accepted that my RHCSA and RHCE certifications would lapse in November. Unfortunately I couldn't get enough students together for this winter, so I'm putting the coaching track off until next spring. Huzzah, this frees up plenty of time for studying!


So... Now I'd like to try and retain my Redhat certs, for which I've worked so hard! My deadline's pretty close though, as November's right around the corner. After some investigation I concluded that the most productive way for me to retain these certs, would be through passing one of the RHCA exams. EX413, pertaining to server security, is right up my alley! So, I'll be speedrunning the EX413 studies, trying to finish it all in five weeks time!


I love a good challenge! ^_^



EX413 prep: messing with FreeIPA, Apache Directory Studio and MacOS

Messing with FreeIPA

In preparation for my upcoming EX413 examination, I'm mucking about with FreeIPA


FreeIPA is an easy-to-set-up solution for building the basis of your corporate infrastructure on Linux. It includes an LDAP server, it sets up DNS and a CA (certificate authority) and it serves as a Kerberos server. Basically, it's a light version of Active Directory, but targeted at Linux networks. Of course Linux can use AD just fine, but if you don't have AD, FreeIPA is the next best thing.


IPA has come a long way over the past ten years. It might still not be fully featured, but it certainly allows you to set up a centralized RBAC platform, not unlike the BoKS product range I've worked with. BoKS offers more functionality (like a password safe and the possibility to easily filter SSH subsystems, e.g. allowing SCP or SFTP only), but it's also far from free. 


I'm currently doing exactly what EX413 exams want you to be able to do: install a basic FreeIPA environment, with some users and some centralized SUDO rules. It's the latter that was giving me a little bit of a headache, because I had a hard time figuring out the service account to use for the bind action. Sander van Vugt's training video refers to the service account uid=sudo,cn=sysaccounts,dc=etc,dc=ex413,dc=local, which does not appear to exist out of the box. 


This set me off on a foxhunt that lasted 1.5 hours.



  • I wanted to use a graphical LDAP browser to poke around the IPA server. Softerra's LDAPAdministrator is a wonderful piece of software, but at $250 for a single license it's a bit much for me :) So I went with Apache's free Directory Studio (ADS). 

  • ADS is a Java application that runs on Linux, MacOS and Windows. That's ace! However, it's a bit finicky about its Java VMs and it requires A) the full JDK, B) Java version 8. Installing multiple versions of Java on MacOS is famously messy and Wim de Blauwe's blogpost about easily switching Java versions on MacOS was very useful.

  • Unfortunately it wasn't enough, so I decided to axe all my installed Java versions as per Oracle's instructions. I then reinstalled JDK8, using the official download from Oracle. After that, I still needed to edit the startup INI file for ADS anyway, to exactly and very specifically point to the right Java VM, because /usr/bin/java still points to some old, Apple-provided version. Meh. Instructions are in the ADS FAQ.

  • ADS finally boots up! But wouldn't you know it? It also needs an account to bind to the IPA server! :D We're back to square one! A normal user account would allow me to bind just fine, but it was lacking the access permissions to browse the LDAP tree.

  • Luckily the FreeIPA FAQ includes a section on adding service accounts for this specific use!


Because this is a sandbox environment, I've set up one account as both the SUDO bind user in /etc/sudo-ldap.conf and in the ADS user interface. Both now work swimmingly! I can "sudo -l" as a normal user and I can mess around the LDAP tree from the warmth and comfort of my MacOS desktop :)


EDIT:


Well I'll be a monkey's uncle! That little rascal of a UID=sudo was hiding inside LDAP all along! I guess I really did make a mistake in my initial ldappasswd command :D Well, at least I learned a thing or two!


EDIT 2:


FOUND IT! The DN I showed up top has an "s" too many! I wrote "sysaccountS", while it's supposed to be "sysaccount". Ace! That's going to make life a lot easier during the exam :)  



WTF HP? Your M203dn laser printer defaults to open SNMP write?!

screenshot from the web interface

We've just bought a new laser printer, mostly for my daughter Dana's schoolwork. Installation was a snap as both Windows and MacOS have made it a fool-proof process. MacOS even gave me a button labeled "Visit printer website"! Of course that's gonna pique my interest!


Yup, the HP Laserjet Pro M203dn (as it's fully named) has a wonderfully helpful web interface! By default, there's no username or password, there's no login prompt whatsoever. Just open for everyone to browse. Which is where I stumble upon the screenshot I'm showing above. Of course the SNMP community strings default to public/public. Why not? But who in the seven hells decided to make that SNMP daemon -writable-?! That's asking for trouble!


... aside from the "no username or password on the admin panel" of course. Ye gods! O_o


Oh and of course the certificate on the https web server was not signed by HP's CA. Because of course I wouldn't want to verify that nobody messed with the firmware or the certs on the printer. 


... *checks around* Yep, HP also don't have a bug bounty program. =_=



PvIB CTF 2017: pen.test event

the scoreboard

For the third year in a row I competed in the PvIB CTF "Pen.test event", a Jeopardy-style CTF where contestants race to solve puzzles and small hacking challenges. Last year I didn't fare very well at all, but this time around things went great! The crowd was nice, my table companions were cool, it was great talking to Anko again and the DJ played awesome beats. I had a blast!


Around 1.5 hours into the competition I went to stretch my legs and get a drink, enjoying the fun we were having. Looking around, sipping on my cola, I noticed something odd about the scoreboard! By the time I'd managed to grab my phonecam I'd already been surpassed by one team, but for at least a short while I'd managed to be #4 out of the pack of 51 contestants. In the end I finished somewhere halfway, because greater minds than mine managed to keep on scoring points :)


pvib ctf scoreboard


Like before, the challenges were divided into various categories (shown above) and ranked from easy to hard, resulting in different scores per item. I finished the night with 100.000 points (3x10e3, 2x10e4, 1x10e3). I was so, so close on another 10k and 30k points which is why I stuck around until the very last minute!


Web:



  1. I let myself be fooled by the easy Web challenge for way too long. The challenge presented you with a SquirrelMail login page and the task to log in and get their email. Taking it for a genuine SquirrelMail install, I assumed no easy software vulnerabilities would be found, so I resorted to password guessing. An hour before the end of the night, Anko asked me "When we start out web pen testing, what are the things you're taught first?". Me: "Well... I reckon... You mean XSS, CSRF and SQL Injection, right?" A: "Absolutely." Me: "Sonuvabitch...". Turns out it was NOT SquirrelMail, just a quick and easy SQLi exercise made to look like it. 

  2. This challenge sent you to an online calculator which would help the voting committee tally their votes, in this case a basic formula line which would return the outcome. Entering gibberish into the line would return a basic Python eval() failure. Turns out that it was possible to run OS commands through the eval() calculation line, which let me list the remote files and grab the required flag.

  3. Both this exercise and #2 were a bit slow to respond in my browser, so I turned to the Lynx text-based browser. This foregoes all CSS, which was being loaded from the Internet. This time around we were supposed to hack a voting system, to find out the vote total for each candidate. I noticed that it was based on a JSP that got included by URL, so I downloaded it for further analysis. This code showed me that the voting process makes SOAP calls to retrieve candidates and to place a vote. It also gave me examples of the XML data needed for those SOAP calls. From here on out, my challenge was to find out how to get voting results instead! I haven't worked with SOAP a lot, but I knew there had to be some way of querying the remote end for available procedures and commands. This is where I learned about WSDL, which gave me exactly what I needed: a description of how to request voting results. This needed a little bit more tweaking to the XML, because the candidates were identified by an MD5 hash that needed to be submitted as binary data. Darn! I was this close to getting the whole challenge, but was a few minutes too late. 


Learning on the go was hella fun! I got to renew my experience with CURL calls and XML data and learned new things about SOAP. Nice!


Crypto:



  1. I'd figured out the positional encryption scheme for this challenge pretty quickly, as it was clearly based on jumping and looping through the ASCII table, based on a character's position. Despite this, I seem to have had some stupid mistake in my method, because my decrypted text was repeatedly rejected. Again, this close to cracking it, but too little too late. 

  2. We were provided with two enigmatic strings and an encrypted ZIP file. Had no idea how to proceed with this one just yet.

  3. We're provided with Python code for a home-brew crypto, as well as some sample data. Given enough time I'm sure I could have figured out the issue at hand, but in this case ${ENOUGH_TIME} would -GT 2d. So never mind ;)


Cracking crypto never was my strong point ;)


Forensics:



  1. We're given a .CRT certificate for a voting machine, which is supposedly fishy. Making it legible with the OpenSSL command line quickly shows the PvIB CTF flag.

  2. We're given a .DOCX file which was supposed to contain suspicious data. I simply used unzip to extract all the component files of the Word document and searched the various XML contents for the CTF flag. 

  3. We're given a .PNG image that supposedly contains hidden data. One ZSteg install later I have my flag. 
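The unzip-and-search step from forensics challenge 2, done in memory, as an added example that is not the CTF's or the post's own code. A .docx is a ZIP archive of XML parts, so every part (including the .rels files that are easy to forget) is scanned; the document and the flag format are constructed here for demonstration.

```python
import io
import re
import zipfile

# Added example, not part of the original post: a .docx is a ZIP archive of
# XML parts, so the "unzip and grep" step can be done in memory. The
# archive below is constructed here; the PvIB{...} flag format is assumed.

FLAG_RE = re.compile(r"PvIB\{[^}]+\}")

def build_sample_docx() -> bytes:
    """Constructed minimal document with the flag tucked into a comment part."""
    parts = {
        "[Content_Types].xml": "<Types/>",
        "_rels/.rels": "<Relationships/>",
        "word/document.xml": "<w:document><w:body><w:p><w:t>Vote tally"
                             "</w:t></w:p></w:body></w:document>",
        "word/comments.xml": "<w:comments><w:comment><w:t>"
                             "PvIB{constructed_sample_flag}</w:t></w:comment></w:comments>",
        "docProps/core.xml": "<cp:coreProperties><dc:creator>committee"
                             "</dc:creator></cp:coreProperties>",
        "word/media/image1.png": "\x89PNG not really an image",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

def find_flags(docx_bytes: bytes, pattern: re.Pattern = FLAG_RE) -> dict:
    """Return {part name: [matches]} for every text part containing the pattern."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            # Skip directory entries and binary media (images, fonts, embeddings);
            # .rels files are XML too and are a common hiding spot.
            if info.is_dir() or not info.filename.endswith((".xml", ".rels")):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            found = pattern.findall(text)
            if found:
                hits[info.filename] = found
    return hits
```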


Fun challenges! Not too hard so far.


Misc.:



  1. A PDF file with some hidden data in it. Opening the PDF with the viewer on my Kali box made it stand out as a fat blue box. Anko simply grepped for "-i pvib" through the strings output of the PDF and fared just as well :)

  2. Oooff! I wish I'd had my wife with me! She's great at logical reasoning :) This challenge combined logic (determine whether persons A, B and C are lying or tell the truth), math (Fibonacci and Harshad numbers) and programming (because there's no plausible way of quickly solving the puzzle on paper). Seeing how I can't ever get my ideas straight with the liars/truthers, I skipped this one after about half an hour. 


What a great evening! Better yet, on the way home I managed to get on the Slam! night show and I won a DAB+ radio for our home! :D Awesome-cakes!



RHEL / CentOS / Fedora: NetworkManager or dhclient messing with network and DNS settings?


In my test networks at home I've often run into issues with NetworkManager or dhclient messing with my network settings, most importantly the DNS configuration. Judging by the hundreds of StackExchange and other forum posts to the same effect, I'm certainly not alone. The fact that this seems like such a newbie problem just makes it all the more annoying. 


I've tried many changes, based on those forum discussions, such as:



  • Set NM_CONTROLLED=no in all /etc/sysconfig/networking/ifcfg-* files.

  • Set BOOTPROTO=static in all /etc/sysconfig/networking/ifcfg-* files.

  • Set DNS1 and SEARCH in all /etc/sysconfig/networking/ifcfg-* files.

  • Set dns=none in /etc/NetworkManager/NetworkManager.conf.

  • Fully disable NetworkManager from starting.


And funnily enough, things would still be changing my /etc/resolv.conf every time networking was restarted.


Turns out that I am in fact making a RedHat-newbie mistake! I'm stuck in my old ways of manually micro-managing specific settings of a Linux box. I'm so stuck that I've forgotten my lessons from the RHCSA certification: system-config-network-tui.


That tool is great at resetting your network config and overwriting it with the exact setup you want. It helps clear out any settings in odd places that might lead to the continuous mucking about with your settings. 


