A Semester for Neglected Projects

Despite the fact that this is my last semester before I graduate, the most exciting part for me is that I can finally dedicate a substantial amount of time to hands-on projects. The main reason for this is, I’m working on my capstone project and have another class requiring a hands-on project. In both cases, the projects are very open and meant to encompass about 3 months of work. The only restriction of the second project is that it must be cloud based and for a nonprofit group.

Capstone: FitBit Telemetry, Privacy, and Security Analysis

For my B.S. IT degree, my capstone project is centered on security and privacy of wearable technology like the FitBit. As digital and internet technology expands into new areas of life, an unfathomable amount of data is generated by our comings and goings. Wearable tech is subject to the same concerns as other Internet of Things with the additional issues brought about by collecting biometrics, and health information. So, after a review of current literature, I will start by analyzing telemetry data sent by the FitBit Charge2, and possibly other models. While others have done research in this area I think it will be important to collect and analyze data myself.

One of my concerns with wearables such as fitness trackers is that in order to use them consumers must place full trust in the company selling them the hardware. Heartbeat data is collected, sent to servers, and analyzed in order to provide the user with useful reports. For the FitBit this means turning on location services and Bluetooth in order to authenticate and sync the device. While there is the option to encrypt data sent to the servers, I’d rather connect the tracker to a laptop, or other computing device to handle processing. So my second goal is to develop an application to handle the data locally, without needing to use other’s servers.

What excites me about this project is the chance to learn more about how health data is collected, stored, managed, and presented as information. In addition to that, I’d like to be able to develop programming skills to create a tool that puts control back in the hardware owner’s hands. This project will be the most difficult and research intensive of the two, but that’s why I’m so excited to begin!

Cloud Architecture: Mastodon

A mastodon leaps into the air holding a paper airplane in its trunk. He is surrounded by clouds and paper airplanes. The mastadon is the mascot of the decentralized social media platform Mastodon. This image links to Join Mastodon dot org

While my second project hasn’t been approved yet, the thing I’m really excited to use cloud services for is to set up and maintain a Mastodon instance. Eugene Rochko created Mastodon, which is built on standard protocols to allow any community to set up their own server. These independent servers are interoperable allowing a federation of independent social media servers to arise. Mastodon is free, contains anti-abuse tools, is naturally community moderated, and has no advertisements. This means that unlike Facebook, Twitter, YouTube and Patreon, content creators are not restricted or influenced by corporate interests outside of their control.

When I heard about Mastodon, I signed up for an account on Mastodon.Technology and since then, I’ve toyed with the idea of setting up my own instance. However, time and financial constraints meant that I had to keep putting the experiment off for ‘one day’. Particularly in light of deplatforming campaigns, which often become out of control due to the giant games of internet-telephone, which occur with increasing regularity, a community-owned decentralized social media platform is extremely appealing. I believe the internet is at it’s best when people can interact freely, without censorship, without having their intellectual property rights being undermined, and in communities which are not isolated, but can set their own standards.

The strength of hosting the instance on a cloud service is that it will be possible to pay for resources in proportion to their use. Therefore if the server has low usage, or suddenly high usage, service will continue and pricing should stay reasonable. I plan to promote it amongst security and privacy conscious friends, as well as my artist friends who may find themselves increasingly restricted by social media scrutiny and standards.

Hosting the Mastodon instance will provide another real world avenue to understand resource usage and allocation over time, as well as cloud server vulnerabilities. If I can get the server up and active quickly, then my focus will be on maximizing privacy and control for users as well as safety.

Future Updates

As I progress through both of these projects my plan is to document my progress here. Hopefully, it can help someone else, as well as serve as a useful personal record.

Toying with SQLmap

First things first, what is sqlmap? It’s a open source penetration testing tool for automating the process of finding SQL injection flaws and taking over databases. I won’t get into the full capabilities here, but you can learn more at [http://sqlmap.org/]*

The following is really just a combination of my notes, and an extra credit assignment given by one of my professors in the spring. This was not a tool we covered in class, and the question was “Can You get a shell on a webserver using sqlmap?”

The intial set up here is a Kali Linux virtual machine and Windows 7 virtual machine hosted on my own personal workstation. At the time, I had the vulnerable web application BadStore []. The Website was accesible to the Kali VM via an entry in the /etc/hosts file. I typically was using Burpsuite as my proxy from the Kali Linux VM, however this was my exploration of sqlmap used alone.

us@vamanos:~$

Premise: Using Sqlmap from my Kali VM to attack a web application hosted on my Windows 7 VM, it is possible to get a shell on the web server.

sqlmapbegin

Firstly, you should use sqlmap against a url hosted on the target server to see what you can learn about the systems. It can also show us what sort of sql injection attacks a parameter, like GET customerid is vulnerable to. In the following a submission URL was fed to sqlmap.

The image is of the command line on Kali Linux. The sqlmap output indicates that 'customeridget' is 'Generic UNION query (NULL) - 1 to 20 columns' is injectable. SQLMAP prompts the user to see if the others should be tested. Yes is selected. More information is displayed regarding the GET parameter 'customeridget' and the queries. SQLMAP indicates the back end database management system is MySQL. The web sever operating system is Windows 7. The web applicaiton technologies include Apache 2.2.22, and PHP 7.1.7. The version of MySQL is greater than or equal to 5.0.12. The data is fetched and logged to text files under /root/.sqlmap/output/www.sql.net

Finally, we can also see the server OS, the version of Apache and type of database.

So we know it’s a site hosted with Apache 2.2.22 with PHP 7.1.7 and MySQL above 5.0.12. This information has been automatically saved in a file for us as well.

Looking through the advanced help there are a few parameters that seem interesting.

 

sqlmap_advanced_help
It’s critical to get comfortable using a tools native help functions whether that’s ‘man pages’ in Linux, Get-Help in powershell or any command line tool/interface period.

 

I didn’t want to mess with the registry to prove access since I wanted to more or less maintain the VM for later practice. So I went full script kiddie and used the operators : File Write and File Dest to upload  the backdoor WhiteWinterWolf [https://www.whitewinterwolf.com/posts/2017/12/02/wwwolfs-php-webshell-users-guide/] to upload to the webserver. For the purpose of making it easier for me to upload files, and browse the system it was quite helpful. The first two images below, is a screencap from the Windows 7 vm I took to verify the file was uploaded.

win7_peeking_at_directory

win7_textfile_php

 

I was able to navigate to the web shell like so:

z_webshell_in_use
1: You can see how easy it is to upload a file from here and place it into the web server’s directory. It’s no harder to find the ISS webroot inetpub (This was serving a copy of the same website at the time, but I was more personally interested in Apache.)
z_webshell_in_use2
2: Executing only minimal parameters in the shell gave me a list of the C drive contents, and other information.
z_webshell_in_use3
3: You can use sqlmap to identify the web root, though I skipped that step to be honest. I knew the webroot was here for the ‘sql.com’ version of Bad Store I was hosting.
z_webshell_in_use4
4: ‘del main.php’ executed in the directory deleted the file, breaking the site. When I ran it a second time I got the ‘Could Not Find’ error you see there.

Image 4 above, shows where my asignment write up left off more or less. It did take me a fair bit of trial and error since it was the first time I’d used sqlmap before, but it really does a lot of the work for you. If you’re like me, then hosting and breaking your own bulnerable web apps is the easiest way to learn about and really understand how these systems work together. But you haven’t really done anything if you use other people’s tools, so don’t neglect that side of study either!

All that’s left from here on out are my notes I kept for myself on the assignment and a footnote about proper use of sqlmap. Feel free to peace out at this point. I’d recommend visiting sqlmap.com to look at the demo’s and information they have availible to learn more.

me@notes:~$

–os-shell (from the file access help in sqlmap)

I thought from the description maybe it meant a CMD shell on Windows. But it’s actually giving a whole bunch of options to find writable web root / htdocs directories.

sqlmap_brute_force_common_dir

sqlmap_brute_force_common_dir_detail

It wasn’t that helpful because the process user (which is what I was at the time) doesn’t have the privilege to write.

privescos-shell : Adding PrivEsc didn’t noticeably change OS Shell output and running it as the only parameter other then U only gave stored session information.

–read-file=Index

sqlmap_readfileindex

If you open Index with Nano there is nothing there…

sqlmap_fileaccess2.png

Not really sure if it’s reading anything or what good it is to me if I can’t personally read it. When I searched for a fake file it saved the information to a text file and didn’t make a document in the /www.sql.net/files directory.

 

*On sqlmap: At the time I last accessed sqlmap’s webpage https was not configured.  It is published under GNU Public License. Please note their disclaimer “Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.”

Why should I try College Cyber Defense Competitions?

If you are an information technology or cybersecurity student with the opportunity to participate in a collegiate cyber defense competition I highly recommend you take advantage of it. If you don’t have the opportunity to join an existing team I suggest you make one!

Why? Because when you are tasked with defending a network you’ve never seen before, with one hand tied behind your back, while your CIO and CEO demand extensive reports and policies be written while you respond to intrusions … a lot of things start to click. Things that you’ve learned in class, or personal experimentation, get tied together within a greater context. You’ll learn from your teammates and be forced to learn new tools or concepts on the fly. And, if you’ve never been given administrative privilege in a network, not of your own design this is an extremely useful experience.

It’s a really, really bad day at work simulator.

It will test your nerves, communication skills, technical skills, team cohesion, and organizational skills.

You might stress-break-out but you’ll get a hell of a rush when you take back machines.

At some point, you’re going to think the hackers have taken down a service or system and, if you’ve kept good enough change logs, within five minutes you’ll discover that you, or a team member, hurt yourself by overhardening. If you don’t have good enough change logs or your team isn’t gracious and humble enough to absorb mistakes you’re gonna have a bad time. This fear is affectionately and resentfully referred to as The Ghost of Red Team. And it’s a perfect example of how psychological this event is. Unlike an athletic sport, you can’t compare your team’s performance to others, and you may not be sure about your adversaries’ performance either.

Similarly, if your team doesn’t have enough respect for business injects, such as the aforementioned policy writing assignments and reports, you will lose. It’s not the cool job and nobody wants to do it but you will lose if someone doesn’t do it and do it well. Just like you need all your services up as long as possible, you need every inject turned in and done as well as possible.

These competitions are incredible learning experiences and potentially good networking opportunities. In light of that, I’d like to be able to help students who are interested in cyber defense competitions get an idea of what they’re in for and how to prepare. I can’t and won’t get into specific detail about particular competitions. But, I can and will write what I would have liked to know about preparing for competitions in general. Hopefully, it’s beneficial to you.