prepping for the oscp: kali/arm/nist/fips/aes/python · pdf file–nessus: nasl (not...
TRANSCRIPT
Prepping for the OSCP: Kali/ARM/NIST/FIPS/AES/Python Download: www.tavve.com/misc
Chuck Craft
Tavve Software
@bubbasnmp
16.05.15
Overview
What I do / Why OSCP? / What is OSCP?
Offensive Security Certified Professional
Kali (ARM / Raspberry Pi) Python (NIST / FIPS / AES)
Misc. / Questions
What I do
ICMP
SNMP
SNMPv3
syslog
TACACS ssh
telnet
RDP NTP
traps
NetFlow
Radius
https
sftp
scp
SIEM
NMS
NPM DMZ
Air gap
CISSP
ICMP
SNMP
SNMPv3
syslog
TACACS
SSL/TLS
ssh
telnet
RDP NTP
traps
NetFlow
Radius
https
sftp
scp
NMS
SIEM
NPM DMZ
Air gap
What next?
CEH
OSCP
ISSA
ISACA
ISC2
GIAC
InfraGard
UMSA
BCPA
BOFH SANS
DC612
CCSP SSCP
OWASP
CISM
CISA CSX
CREST
GPEN
BSides
___CON
My day job
ICMP
SNMP
SNMPv3
syslog
TACACS
SSL/TLS
ssh
telnet
RDP NTP
traps
NetFlow
Radius
https
sftp
scp
SIEM
NMS
NPM DMZ
What next? OSCP
CEH
OSCP
ISSA
ISACA
ISC2
GIAC
InfraGard
UMSA
BCPA
BOFH SANS
DC612
CCSP SSCP
OWASP
CISM
CISA CSX
CREST
GPEN
BSides
___CON
Offensive Security Certified Professional (OSCP)
• Hands-on offensive information security certification
• Arduous twenty-four (24) hour certification exam
• Hosted Penetration Testing Virtual Labs
• Penetration Testing with Kali Linux (PWK)
– Online training
– 30? 40? CPEs upon completion
Try Harder™
https://www.offensive-security.com/
What is Kali
• Successor to BackTrack Linux – released 2013
• Debian based
• Developed, funded, and maintained by Offensive Security
• More than 600 penetration testing tools
• Penetration Testing, Forensics and Reverse Engineering
• Current version – Kali-Rolling (2016.1), ARM 2.1.2
https://www.kali.org/
Kali Downloads
• Full Kali ISO – 32/64 bit i386 / amd64 (~3GB)
• Kali Light ISO – Subset of tools (~1GB)
• Kali Mini – 32/64 bit network install (30 MB)
• Kali Light – armel / armhf (do it yourself ARM)
• Prebuilt Kali Images – 32/64 bit VMware/VirtualBox
• Custom ARM Images
• Docker
• https://www.kali.org/downloads/
Who/What is ARM
• 1985 - Acorn RISC Machine
• 1990 – spun out to ARM Ltd
• Cambridge, UK - Global HQ
• Primary business is selling IP cores
• Over 60 billion ARM based chips shipped to date (99% of smartphones/tablets1)
• Over 1100 licenses signed with over 300 companies
1 http://www.bloomberg.com/bw/articles/2014-02-04/arm-chips-are-the-most-used-consumer-product-dot-where-s-the-money
Kali Custom ARM Images
https://github.com/offensive-security/kali-arm-build-scripts
CompuLab Chromebook
CubieBoard
CuBox RaspberryPi
BeagleBone Black
USB Armory
ODROID
NanoPi 2 RIoTboard
Raspberry Pi Model B SoC CPU Memory Card Slot USB Ethernet Price
Pi 3 Model B BCM2837 1.2GHz 64-bit quad-core ARM Cortex-A53 1GB Micro SD 4 NIC/WiFi/BLE $35 Pi 2 Model B BCM2836 900MHz quad-core ARM Cortex-A7 1GB Micro SD 4 yes $35 Pi 1 Model B+ BCM2835 700Mhz Single Core ARM1176JZFS 512 MB Micro SD 4 yes Pi 1 Model B BCM2835 700Mhz Single Core ARM1176JZFS 256/512 MB SD 2 yes
Model A Pi 3 Model A TechRepublic – “mid-2016” 1 WiFi/BLE $20 ? Pi 1 Model A+ BCM2835 700Mhz Single Core ARM1176JZFS 256 MB Micro SD 1 no $20 Pi 1 Model A BCM2835 700Mhz Single Core ARM1176JZFS 256 MB SD 1 no
Other Pi Zero BCM2835 1GHz ARM11 Single Core 512 MB Micro SD 1 (uUSB) no $5 Pi 3 Compute Module 2016 – “soon” Pi Compute Module BCM2835 700Mhz Single Core ARM1176JZFS 512 MB 4GB eMMC 1 via pins no $40
Pi 2 Model B
Download Kali
• https://www.offensive-security.com/kali-linux-arm-images/
“a minimal XFCE Kali system with the top 10 tools”
E:\>c:\fciv\fciv -sha1 kali-2.1-rpi2.img.xz
//
// File Checksum Integrity Verifier version 2.05.
//
1940438fe85f5850e10ea6c14d0aebefc1266985 kali-2.1-rpi2.img.xz
Don’t be a LinuxMint 2016 !
Burn to memory card
Win32 Disk Imager https://launchpad.net/win32-image-writer http://sourceforge.net/projects/win32diskimager
Console Access – KVM vs serial
https://github.com/offensive-security/kali-arm-build-scripts/blob/master/rpi.sh
RPi1 – 2.1 and newer RPi2 - see Github issue #54 (fixed in 2.1.2) RPi3 – UART changes (due to Bluetooth)
Red power – proceed with care !
Kali Login user root, password toor
root@kali:~ rm /etc/ssh/ssh_host_*
root@kali:~ dpkg-reconfigure openssh-server
root@kali:~ service ssh restart
Allow root to ssh into server root@kali:/etc/ssh# pwd
/etc/ssh
root@kali:/etc/ssh# vi sshd_config
# chuckc - Fri Feb 5 22:40:50 UTC 2016
# PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be ``yes'', ``prohibit-password'', ``without-password'',
``forced-commands-only'', or ``no''. The default is
``prohibit-password''.
Opened up in 2.1.2 ?
Kali + ARM = Pwnie (Bloomberg)
http://www.bloomberg.com/graphics/2015-mob-technology-consultants-help-drug-traffickers/
“The device they built looked like a European version of a power strip. Tucked inside a 15-by-5-inch casing was a tiny Linux computer running powerful hacking software called Metasploit. The pwnie sent out data via cellular networks, which meant they could be accessed from anywhere.”
Metasploit Unleashed
https://www.offensive-security.com/metasploit-unleashed/
Metasploitable: intentionally vulnerable Linux virtual machine https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Metasploitable 2 Exploitability Guide https://community.rapid7.com/docs/DOC-1875
Intermission
What I do / Why OSCP? / What is OSCP?
Offensive Security Certified Professional
Kali (ARM / Raspberry Pi) Python (NIST / FIPS / AES)
Misc. / Questions
New (to me) languages
4.1 Network Discovery 4.2 Network Port and Service Identification
– nmap: Lua – Wireshark: Lua
4.3 Vulnerability Scanning – Nessus: NASL (not Nasal) – OpenVAS: NASL
5.2 Penetration Testing – Metasploit: Ruby
All purpose: Python
NIST Special Publication 800-115 Technical Guide to Information Security Testing and Assessment
NodeMCU (ESP8266)
github public_drown_scanner
cryptopals.com the matasano (now NCC Group) crypto challenges
Set 1: Basics 1. Convert hex to base64 2. Fixed XOR 3. Single-byte XOR cipher 4. Detect single-character XOR 5. Implement repeating-key XOR 6. Break repeating-key XOR 7. AES in ECB mode 8. Detect AES in ECB mode
Set 2: Block crypto 9. Implement PKCS#7 padding 10. Implement CBC mode 11. An ECB/CBC detection oracle 12. Byte-at-a-time ECB decryption (Simple) 13. ECB cut-and-paste 14. Byte-at-a-time ECB decryption (Harder) 15. PKCS#7 padding validation 16. CBC bitflipping attacks
Set 3: Block & stream crypto 17. The CBC padding oracle 18. Implement CTR, the stream cipher mode 19. Break fixed-nonce CTR mode using substitions 20. Break fixed-nonce CTR statistically 21. Implement the MT19937 Mersenne Twister RNG 22. Crack an MT19937 seed 23. Clone an MT19937 RNG from its output 24. Create the MT19937 stream cipher and break it
Set 4: Stream crypto and randomness 25. Break "random access read/write" AES CTR 26. CTR bitflipping 27. Recover the key from CBC with IV=Key 28. Implement a SHA-1 keyed MAC 29. Break a SHA-1 keyed MAC using length extension 30. Break an MD4 keyed MAC using length extension 31. Implement and break HMAC-SHA1 with an artificial timing leak 32. Break HMAC-SHA1 with a slightly less artificial timing leak
Set 5: Diffie-Hellman and friends 33. Implement Diffie-Hellman 34. Implement a MITM key-fixing attack on Diffie-Hellman with parameter injection 35. Implement DH with negotiated groups, and break with malicious "g" parameters 36. Implement Secure Remote Password (SRP) 37. Break SRP with a zero key 38. Offline dictionary attack on simplified SRP 39. Implement RSA 40. Implement an E=3 RSA Broadcast attack
Set 6: RSA and DSA 41. Implement unpadded message recovery oracle 42. Bleichenbacher's e=3 RSA Attack 43. DSA key recovery from nonce 44. DSA nonce recovery from repeated nonce 45. DSA parameter tampering 46. RSA parity oracle 47. Bleichenbacher's PKCS 1.5 Padding Oracle (Simple Case) 48. Bleichenbacher's PKCS 1.5 Padding Oracle (Complete Case)
Set 7: Hashes 49. CBC-MAC Message Forgery 50. Hashing with CBC-MAC 51. Compression Ratio Side-Channel Attacks 52. Iterated Hash Function Multicollisions 53. Kelsey and Schneier's Expandable Messages 54. Kelsey and Kohno's Nostradamus Attack 55. MD4 Collisions 56. RC4 Single-Byte Biases
Set 8: On Github Sean Devlin @spdevlin
Set 1: Basics
1.Convert hex to base64 2.Fixed XOR 3.Single-byte XOR cipher 4.Detect single-character XOR 5.Implement repeating-key XOR 6.Break repeating-key XOR 7.AES in ECB mode 8.Detect AES in ECB mode
#1 - Hex -> Base64
• Request for Comments (RFC)
– https://www.ietf.org/rfc.html
• RFC 4648: The Base16, Base32, and Base64 Data Encodings
– Base 64: A-Z, a-z, 0-9, ‘+’, ‘/’
– Base 64 with URL and Filename Safe Alphabet: ‘+’, ’/’ -> ‘-’, ‘_’
– Base 32: A-Z, 2-7 – Base 32 with Extended Hex Alphabet: 0-9, A-V
– Base 16: Essentially, Base 16 encoding is the standard case- insensitive hex encoding and may be referred to as "base16" or "hex".
• RFC 4880: OpenPGP Message Format
PGP and URL examples
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJWqiT1AAoJENnE0m0OYESR07gIAJ65FdP2oFR9pspmLh+iZ978
Q+1R8vShqUjkpE14gUOHaidgsU8l7HoR7v3mWFtv+XqBUp94ISOFeyt4B4jlDsHE
SSgO60zlnYha0KaOeRv/aH1quiWhx8bxNZ1HJbbwlxPclqmEplhXqoSEbVvOZKFZ
VPu8gmJg3fzdQpQT0eAZ/5ez6SMvIM1FO47FlqtstWgHSs0iq1scIr1LKNmH3uMZ
tmNmq5U/tTX/51eKYqFIrWXIeyHSiOTXRBUjnw4ybCiobklLH1qiEApJW6iPkOob
9WthtiyBVBxCpYpF8h4mQc3h77J/q4rLcL/b56sqMsHTV4ULhbN2VIUnzcuzIUI=
=Dfuh
-----END PGP SIGNATURE-----
Link:
https://www.periscope.tv/w/aQQ0Szk2fDFPd3hXbGRNalluS1GEkRrtoANLnX
cbpKGaln1ekV53WKmTe-2OUDHbNqMm0Q==
Set 1: Basics
1.Convert hex to base64 2.Fixed XOR 3.Single-byte XOR cipher 4.Detect single-character XOR 5.Implement repeating-key XOR 6.Break repeating-key XOR 7.AES in ECB mode 8.Detect AES in ECB mode
Set 1: Basics
1.Convert hex to base64 2.Fixed XOR 3.Single-byte XOR cipher 4.Detect single-character XOR 5.Implement repeating-key XOR 6.Break repeating-key XOR 7.AES in ECB mode 8.Detect AES in ECB mode
National Institute of Standards and Technology (NIST)
• NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
• Founded 1901 as National Bureau of Standards
• Current name in August 1988 - Reagan signs OTCA
• Neon lights
• The nation’s first crime lab
• WWII - first fully automated guided missile
• First atomic clock
• WWVB (CO) (303) 499-7111, WWVH (808) 335-4363
• Closed Captioning
• www.time.gov and time.nist.gov
• 2000: Advanced Encryption Standard
https://www-s.nist.gov/srmors/view_detail.cfm?srm=2387
Details Description: Peanut Butter Lot: N/A Expiration Date: 12/31/2019 Unit Price * : $835.00 Unit of Issue: 3 x 170 g Status: Now Selling Certificate Date: 7/21/2015 * Prices are subject to change without notice
The SRM has been determined to be non-hazardous by the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce under paragraph (d) of OSHA Standards 29 CFR Part 1910.1200. The SRM will not release or otherwise result in exposure to a hazardous chemical under normal conditions of use. Description: This SRM is intended primarily for use in validating methods for determining proximates, fatty acids, calories, vitamins, elements, amino acids, aflatoxins, and acrylamide in peanut butter and similar matrices. This SRM can also be used for quality assurance when assigning values to in-house control materials. A unit of SRM 2387 consists of three jars of peanut butter containing 170 g each.
NIST Publications
• Federal Information Processing Standards (FIPS): security standards – FIPS 197: Advanced Encryption Standard (AES)
– FIPS 140-2: Security Requirements for Cryptographic Modules
• NIST Special Publications (SPs): security and privacy guidelines, recommendations and reference materials. – SP 800-61 Rev. 2: Computer Security Incident Handling Guide
– SP 800-115: Technical Guide to Information Security Testing and Assessment
– SP 1800-5: DRAFT IT Asset Management
• ITL Bulletins are published monthly by NIST's Information Technology Laboratory, focusing on a single topic of significant interest to the computer security community. – ITL January 2016: Securing Interactive and Automated Access Management Using Secure Shell (SSH)
Overview
What I do / Why OSCP? / What is OSCP?
Offensive Security Certified Professional
Kali (ARM / Raspberry Pi) Python (NIST / FIPS / AES)
Misc. / Questions
BeagleBone Black Processor: AM335x 1GHz ARM® Cortex-A8 512MB DDR3 RAM 4GB 8-bit eMMC on-board flash storage 3D graphics accelerator NEON floating-point accelerator 2x PRU 32-bit microcontrollers Connectivity USB client for power & communications USB host 10/100 Ethernet HDMI 2x 46 pin headers Software Compatibility Debian (pre-loaded on eMMC) Android Ubuntu Cloud9 IDE on Node.js w/ BoneScript library plus much more
http://beagleboard.org/
Kali !
Pine64: $15 64-Bit Super Computer Allwinner A64 1.2GHz CPU 64bit Quad Core ARM A53
512MB/1GB/2GB DDR3 SDRAM
2 x USB 2.0
4K x 2K HDMI port
Ethernet 10/100 10/100/1000
+5v power microUSB
MicroSD Slot up to 256GB
Add-on: 802.11 BGN Bluetooth 4.0
https://forums.kali.org/showthread.php?30287-pine-64-VS-raspberry-pi-3
Northbound Networks: Zodiac FX
• The world's smallest OpenFlow SDN switch (10 x 8 cm)
• Support for OpenFlow 1.0, 1.3 & 1.4
Linux ARM - armel and armhf
• root@kali:~# uname -a
• Linux kali 3.8.13-bone53 #1 SMP Thu Aug 13 23:27:51 CDT 2015 armv7l
GNU/Linux
• root@kali:~# readelf -a /proc/self/exe | grep VFP
• Tag_FP_arch: VFPv3-D16
• Tag_ABI_VFP_args: VFP registers
• root@kali:/proc# cat /proc/cpuinfo | grep -i model
• model name : ARMv7 Processor rev 2 (v7l)
• # uname -a
• Linux raspberrypi 3.1.9+ #272 PREEMPT Tue Aug 7 22:51:44 BST 2012 armv6l
GNU/Linux
• # readelf -a /proc/self/exe | grep VFP
• Tag_FP_arch: VFPv2
• Tag_ABI_VFP_args: VFP registers
https://blogs.oracle.com/jtc/entry/is_it_armhf_or_armel
cat /proc/cpuinfo
• # cat /proc/cpuinfo
• Processor : ARMv6-compatible processor rev 7 (v6l)
• BogoMIPS : 697.95
• Features : swp half thumb fastmult vfp edsp java tls
• CPU implementer : 0x41
• CPU architecture: 7
• CPU variant : 0x0
• CPU part : 0xb76
• CPU revision : 7
• Hardware : BCM2708
• Revision : 0003
• Serial : 00000000081d9f52
• root@kali:~# cat /proc/cpuinfo
• processor : 0
• model name : ARMv7 Processor rev 2 (v7l)
• BogoMIPS : 993.47
• Features : swp half thumb fastmult vfp edsp thumbee neon vfpv3 tls
• CPU implementer : 0x41
• CPU architecture: 7
• CPU variant : 0x3
• CPU part : 0xc08
• CPU revision : 2
• Hardware : Generic AM33XX (Flattened Device Tree)
• Revision : 0000
• Serial : 0000000000000000
Janz Tec AG emPC-A/RPI Fanless Embedded Controller (w/ CAN)
https://www.janztec.com/en/products/embedded-computing/empc/empc-arpi/
@bubbasnmp ???
• http://www.simple-times.org/
• Case, McCloghrie, Rose, Waldbusser et al
• Ask Dr. SNMP – Jeff Case ``That dog won't hunt.''
Prepping for the OSCP: Kali/ARM/NIST/FIPS/AES/Python Download: www.tavve.com/misc
Chuck Craft
Tavve Software
@bubbasnmp
16.05.15
Questions ???