[Plug-security] Forensics & Tech Details < SSH August Hackfest && Android App Download Link for Wifi Testing

Lisa Kachold lisakachold at obnosis.com
Sun Aug 11 18:32:11 MST 2013


I am not including the full logs for your appraisal (due to listserver
constraints). If you would like to see those, let me know.

Please be sure to read to the bottom of the post to see the equipment and
get the Android download link.

Here's what the SSH access attempts look like from a standard Linux system:

As you can see this person was attempting to hit our server (before the
hackfest).

This could easily be blocked with an iptables rule to deny them when they
attempt to hit port 22 more than x times in a 2-minute period, the use of a
port-knocking utility or a DenyHosts wrapper.  But the very best way to
remediate these types of exploits is a VPN.

0) IPTABLES/Swatch:  http://home.gagme.com/greg/linux/protect-ssh.php
1) IPTABLES/Portknocking:
http://www.mariusv.com/howto-protect-services-like-ssh-against-brute-force-using-only-iptables/
2) Wrapper (port knocking):  http://www.cipherdyne.org/fwknop/
3) Denyhosts (with whitelisting):  http://denyhosts.sourceforge.net/
4) We love OpenVPN Access Server:
http://openvpn.net/index.php/access-server/overview.html

Aug  9 17:52:54 metasploitable sshd[26036]: Failed password for root from 188.132.135.123 port 42662 ssh2
Aug  9 17:52:56 metasploitable sshd[26038]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-123-135-132-188.sadecehosting.net  user=root
Aug  9 17:52:58 metasploitable sshd[26038]: Failed password for root from 188.132.135.123 port 43631 ssh2
Aug  9 17:53:00 metasploitable sshd[26041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-123-135-132-188.sadecehosting.net  user=root

As you can see, this guy was pretty persistent.  He was coming from a
hosting house (to which we have forwarded these logs, with the time/date
variance noted).

Here are our logs from the fest (which look similar):

Aug 10 14:50:41 metasploitable sshd[23658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73  user=root
Aug 10 14:50:46 metasploitable sshd[23666]: pam_unix(sshd:auth): check pass; user unknown
Aug 10 14:50:46 metasploitable sshd[23666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73
Aug 10 14:50:46 metasploitable sshd[23660]: pam_unix(sshd:auth): check pass; user unknown
Aug 10 14:50:46 metasploitable sshd[23660]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73
Aug 10 14:50:46 metasploitable sshd[23667]: pam_unix(sshd:auth): check pass; user unknown
Aug 10 14:50:46 metasploitable sshd[23667]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73
Aug 10 14:50:46 metasploitable sshd[23665]: pam_unix(sshd:auth): check pass; user unknown
Aug 10 14:50:46 metasploitable sshd[23665]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73

In all forensics, the $DATE is salient.  In our case, this server (like
many) is not on local time.

root at metasploitable:/var/log# date
Sun Aug 11 20:43:54 EDT 2013

Since we are in -7 MST, we must add 3 hours to the log times.  As you can
see, all our originating IPs are from DeVry University.
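As an added example (not part of the original post), the script below does the two things discussed above over the excerpted log lines: it stamps the server's syslog timestamps with the zone its `date` reports (EDT) and converts them to MST, and it applies the "more than x failures from one source in a 2-minute window" rule, emitting DenyHosts-style hosts.deny entries for the sources that trip it. The sample log is constructed from the lines quoted above, re-joined onto single lines; the log year (2013, from the post's date), the fixed UTC offsets, the threshold of 3 and the 2-minute window are assumptions.

```python
from __future__ import annotations

import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample: the post's sshd/pam_unix excerpt, one log record per line.
SAMPLE_LOG = """\
Aug  9 17:52:54 metasploitable sshd[26036]: Failed password for root from 188.132.135.123 port 42662 ssh2
Aug  9 17:52:56 metasploitable sshd[26038]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-123-135-132-188.sadecehosting.net  user=root
Aug  9 17:52:58 metasploitable sshd[26038]: Failed password for root from 188.132.135.123 port 43631 ssh2
Aug  9 17:53:00 metasploitable sshd[26041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-123-135-132-188.sadecehosting.net  user=root
Aug 10 14:50:41 metasploitable sshd[23658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73  user=root
Aug 10 14:50:46 metasploitable sshd[23666]: pam_unix(sshd:auth): check pass; user unknown
Aug 10 14:50:46 metasploitable sshd[23666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73
Aug 10 14:50:46 metasploitable sshd[23660]: pam_unix(sshd:auth): check pass; user unknown
Aug 10 14:50:46 metasploitable sshd[23660]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73
Aug 10 14:50:46 metasploitable sshd[23667]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73
Aug 10 14:50:46 metasploitable sshd[23665]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.209.103.73
"""

# Assumed offsets: `date` on the box prints EDT (UTC-4); the analyst is in
# Arizona MST (UTC-7, no DST). For a general tool use zoneinfo names instead.
SERVER_TZ = timezone(timedelta(hours=-4), "EDT")
LOCAL_TZ = timezone(timedelta(hours=-7), "MST")
LOG_YEAR = 2013  # syslog timestamps carry no year; assumed from the post's date

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")
PAM_RE = re.compile(r"^pam_unix\(sshd:auth\): authentication failure; .*rhost=(?P<rhost>\S*)")


def to_local(ts: str) -> datetime:
    """Parse a syslog timestamp, attach the server's zone, convert to ours."""
    naive = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return naive.replace(tzinfo=SERVER_TZ).astimezone(LOCAL_TZ)


def attempts_by_source(log_text: str) -> dict[str, list[datetime]]:
    """One entry per failed login attempt, grouped by source, times in LOCAL_TZ.

    sshd writes two lines per failed attempt: pam_unix's 'authentication
    failure' (rhost= is a DNS name when UseDNS is on) and its own 'Failed
    password ... from <ip>'. Counting both doubles the rate, so per sshd pid
    we keep whichever kind we saw more of and key on the IP when we have one.
    """
    per_pid: dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = per_pid.setdefault(m["pid"], {"failed": [], "pam": [], "ip": None, "rhost": None})
        t = to_local(m["ts"])
        if (f := FAILED_RE.match(m["msg"])):
            rec["failed"].append(t)
            rec["ip"] = f["ip"]
        elif (p := PAM_RE.match(m["msg"])):
            rec["pam"].append(t)
            rec["rhost"] = p["rhost"]
        # 'check pass; user unknown', accepted logins etc. are not failures
    by_source: dict[str, list[datetime]] = {}
    for rec in per_pid.values():
        times = rec["failed"] if len(rec["failed"]) >= len(rec["pam"]) else rec["pam"]
        source = rec["ip"] or rec["rhost"]
        if source and times:
            by_source.setdefault(source, []).extend(times)
    for times in by_source.values():
        times.sort()
    return by_source


def offenders(by_source: dict[str, list[datetime]], threshold: int = 3,
              window: timedelta = timedelta(minutes=2)) -> dict[str, datetime]:
    """Sources with >= threshold attempts inside any sliding window; value is when it tripped."""
    tripped: dict[str, datetime] = {}
    for source, times in by_source.items():
        recent: deque[datetime] = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                tripped[source] = t
                break
    return tripped


def hosts_deny_lines(tripped: dict[str, datetime]) -> list[str]:
    """hosts.deny entries for tcp_wrappers/DenyHosts. Only address literals are
    emitted: a rhost= name came from attacker-controlled reverse DNS."""
    return [f"sshd: {src}" for src in sorted(tripped) if re.fullmatch(r"[\d.]+", src)]


if __name__ == "__main__":
    by_src = attempts_by_source(SAMPLE_LOG)
    for src, times in by_src.items():
        print(f"{src}: {len(times)} attempt(s), first at {times[0]:%b %d %H:%M:%S %Z}")
    for entry in hosts_deny_lines(offenders(by_src)):
        print(entry)
```

Two things worth noticing in the output. The third Aug 9 attempt is attributed to static-123-135-132-188.sadecehosting.net rather than 188.132.135.123, because only its pam_unix line made it into the excerpt and that line carries the reverse-DNS name; setting `UseDNS no` in sshd_config makes rhost= the address and avoids the split. And the sliding-window rule is the same check the iptables `recent` module (`--seconds`/`--hitcount`) does in the kernel, which is what the port-22 rate-limit links above set up.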

If you are interested in building a little Android like the one I had at
the fest, I used:

MiniPC for Android 4.0

http://dx.com/p/android-4-0-mini-pc-google-tv-player-w-wifi-allwinner-a10-cortex-a8-tf-hdmi-white-4gb-137012?utm_source=GoogleShoppingUS&utm_medium=CPC&utm_content=137012&utm_campaign=191&gclid=CKyH9oDZ9rgCFYdxQgodTjwA0A

Our Android exploit app was:  WIBR+

http://m.zimbio.com/Wireless+LAN/articles/mKzPKe4Bq7S/WIBR+WIfi+BRuteforce+hack+pro

Download here:

http://m.zimbio.com/go/_0mQVsoLbj5/http://www.mediafire.com/download/lt5cjwzls83vbcy/WIBR%2B_1.0.33.apk

Our WPA2 "hackfest" wireless AP "target" is running on TP-LINK TL-WR700N:

http://www.tp-link.com/en/products/details/?model=TL-WR700N

See you all next month!

FLAG Report:

We had 1 person obtain root IMMEDIATELY via SSH using the ncrack utility
described in the presentation materials:
 Richard Busch.

Lori Spyder Webb and her team got the WPA2 password IMMEDIATELY.

Reference:  http://it-clowns.com/c/files/drawer/augusthackfest-ssh.txt

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com <http://it-clowns.com/c/>
Chief Clown
