Automatic Network Service Detector within Twitter Logs. (ARDUINO)

Hey folks, probably you've heard about the IronGeek hardware Project called "programmable-hid-usb-keystroke-dongle". This is a great project man ! Fortunately or unfortunately (it depends on your point of view) I've been working on quite the same project from 3 months, utilizing the same platform too. Now I gotta some interesting results too ;). Isn't amazing ? I mean we felt the same need for automatic penetration testing and both of us realized a practical board, with the same chipset. So ... why not collaborate together ? If IronGeek are reading me and if you are interested on collaborate together on what you've done, please contact me.

Anyway, the second step (at least to me), after automatized the in-site security procedures, is to automate the network service detector using a Black-Box approach. Why BB approach ? The answer is easy, it's intuitive for all the people that are not accustomed with security. Just plug the BB to the network and here we go, it writes up to your private (or not) twitter channel the network results.

Ok, that is nice, but what does it do ?
Alright, the basic idea is to have a physical tool which is able to monitor the network services.

Why not a nagios running PC ?
1- Because a PC is expensive compared to ARDUINO
2- Because installing and configuring Nagios keeps much time
3- Nagios is very complete and for such reason ... complex

Plug 'n' Play idea.
1- A system which keeps DHCP configurations
2- A system which automatically scans our network and automatically generates reports
3- A really cheap system

How it looks like (No Packaged showed here - packages are under constructions - {I like fashionable black boxes, not really "on-fly-ones" ;) })

The implementation:


Hardware
1- ARDUINO 2009
2- Ethernet Shield
3- Ethernet cable

Software
Arduino Development Kit
Arduino DHCP library
Arduino Twitter Library

Step by Step Instructions:

1) Install Arduino Development kit

2) Copy Dhcp.cpp and Dhcp.h to /Resources/java/hardware/libraries/Ethernet/ (for more details follow instructions here.

3) Copy Twitter libraries to /Resources/java/hardware/libraries/

** If you don't want to spent time to configure your libraries, take this package, unzip-it, and replace your libraries (/Resources/java/hardware/) **

4) Grab the code (sorry I should use SyntaxHighLighter, next time ;) .. probably)

/****************************************************/
// Small Arduino Portable Port Scanner
// Don't forget the Libraries.
// by Marco Ramilli, http://marcoramilli.blogspot.com
// Arduino uses digital pins 10, 11, 12, and 13 (SPI) to communicate with the W5100 on the ethernet shield. These pins cannot be used for general i/o.
#include
#include "Dhcp.h" //DhCP Library
#include //Twitter API
#include //Used for append strings

/****************************************************/
//Defult Network Configuration instances for the device
byte ip[] = { 192, 168, 2, 50 };
byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
/****************************************************/
Twitter twitter("TwitterUserName:TwitterPasswd");//Username and Password for Twitter
byte basenetwork[] = { 192, 168, 2, 1 }; // Test a Class C network, put here the NetID, doesn't matter what HostID you choose.
String msg;
/****************************************************/

void setup()
{

Serial.begin(9600);
delay(1000);
Serial.println("DHCP Querying");

//DHCP Settings ...
if(!getNC()){
Ethernet.begin(mac, ip );
Serial.println("Setting Default Network Configurations");
}
}

void loop()
{

Serial.print("connecting..."); printArray(&Serial, ".", basenetwork, 4, 10);
msg="Server:X.X.X."; msg.append(basenetwork[3]); //building the twitter string

for(int port=0; port<= 100; port++){
Client client(basenetwork, port); // trying to connect 65535 !
if (client.connect()) {
Serial.print("Port:"); Serial.print(port); Serial.println(" *OPEN* ");
msg.append(" Port:");
msg.append(port);
msg.append(" OPEN ");
} else {
Serial.print("Port:"); Serial.print(port); Serial.println(" CLOSED");
}
client.flush();
client.stop();
}

msg.append("->TESTED !");
postonTwitter(msg); // sending host result on Twitter !


if(basenetwork[3] <= 254){
Serial.println("Calculating new Address");
basenetwork[3] = basenetwork[3] + 1;
}
else{

Serial.println("Resetting Address");
basenetwork[3] = 1;
}


}// end loop


/****************************************************/
//DHCP client
int getNC(){
int result = Dhcp.beginWithDHCP(mac);
if (result == 1){
byte buffer[6];
Dhcp.getLocalIp(buffer);
Serial.print("ip address: ");
printArray(&Serial, ".", buffer, 4, 10);
Dhcp.getSubnetMask(buffer);
Serial.print("subnet mask: ");
printArray(&Serial, ".", buffer, 4, 10);
Dhcp.getGatewayIp(buffer);
Serial.print("gateway ip: ");
printArray(&Serial, ".", buffer, 4, 10);
Dhcp.getDhcpServerIp(buffer);
Serial.print("dhcp server ip: ");
printArray(&Serial, ".", buffer, 4, 10);
Dhcp.getDnsServerIp(buffer);
Serial.print("dns server ip: ");
printArray(&Serial, ".", buffer, 4, 10);
Serial.print("READY");
return 1;
}else{
Serial.print("No DHCP, Running in default conf");
return 0;
}
}
/****************************************************/
//printArray funciton
void printArray(Print *output, char* delimeter, byte* data, int len, int base){
char buf[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
for(int i = 0; i < len; i++)
{
if(i != 0)
output->print(delimeter);
output->print(itoa(data[i], buf, base));
}
output->println();
}
/****************************************************/
int postonTwitter(char *message){
Serial.println("connecting to TWITTER ...");
if (twitter.post(message)) {
int status = twitter.wait();
if (status == 200) {
Serial.println("OK.");
return 1;
} else {
Serial.print("failed : code ");
Serial.println(status);
return 0;
}
} else {
Serial.println("connection failed.");
return 0;
}
}
/****************************************************/

Alright, this is the basic idea. I hope you will enjoy it, please leave feedbacks comments requests or whatever you like. Thanks

Posted by Marco Ramilli at 4:40 PM

Browsers Classification (Funny)

Hi Folks,
today I wanna share this amazing and very funny browsers classification !



The author captured the essence of each browser :) Have Fun!!

Posted by Marco Ramilli at 9:28 AM

Towards a practical and effective security testing methodology

Hi Folks,

I would like to invite you to ISCC 2010 IEEE conference in Italy (22 to 25 of June). The conference will be placed in Riccione, Italy.

Friends of mine told me it will be very interesting since there are a lots of important "Keynote Speakers". Marco Prandini and I will present "Toward a practical and effective security testing methodology", here the abstract:

Abstract—Security testing is an important step in the lifetime
of both newly-designed and existing systems. Different
methodologies exist to guide testers to the selection, design,
and implementation of the most appropriate testing procedures
for various contexts. Typically, each methodology stems from
the specific needs of a particular category of actors, and consequently
is biased towards some aspect of peculiar interest. This
work compares the most commonly adopted methodologies
to point out their strengths and weaknesses, and, building
on the results of the performed analysis, proposes a path
towards the definition of an integrated approach, by defining
the characteristics that a new methodology should exhibit in
order to combine the best aspects of the existing ones.

If you are planning to come let me know we will organize something fun together !

Posted by Marco Ramilli at 7:02 PM

Chinese Academic Paper: a mess

Hi Folks,

I have no words to explain the situation described by NYTime in this article today. Please find 10 minutes to read the NYTimes article, it clarifies how seems to be difficult doing research in China.

Directly from NYTimes :

[....]

“We usually say ‘attack’ so you can see what would happen,” he said. “My emphasis is on how you can protect this. My goal is to find a solution to make the network safer and better protected.” And independent American scientists who read his paper said it was true: Mr. Wang’s work was a conventional technical exercise that in no way could be used to take down a power grid.

The difference between Mr. Wang’s explanation and Mr. Wortzel’s conclusion is of more than academic interest. It shows that in an atmosphere already charged with hostility between the United States and China over cybersecurity issues, including large-scale attacks on computer networks, even a misunderstanding has the potential to escalate tension and set off an overreaction.

“Already people are interpreting this as demonstrating some kind of interest that China would have in disrupting the U.S. power grid,” said Nart Villeneuve, a researcher with the SecDev Group, an Ottawa-based cybersecurity research and consulting group. “Once you start interpreting every move that a country makes as hostile, it builds paranoia into the system.”

[....]

Poor guys ...

Posted by Marco Ramilli at 6:11 PM

IDS Evasion

Alright folks,
yet another paper has been published so I can finally upgrade my blog with some interesting results.
In 2009 we (Network Security abs @ University of Bologna) studied a new way to analyze attacks using Data Mining over SNMP artificial variables. Artificial means forged by us, over natural SNMP variables.
This pictures show how our approach (we still don't have a name ) reacts to a DOS hidden under "normal traffic".



The described approach can also detect many different attacks utilizing the not intrusive SNMP. SNMP is ubiquitous; it runs on every platforms, from CellPhone to Washing Machines, we don't have to configure IDS, nasty systems or exoteric firewalls; what we need is just analyze SNMP data.
So far we don't have a presentable framework, the current version is in pre-alpha, basically we have a set of scripts which made all the computations. We're looking forward to new students that wanna implement a nice framework. If you are interested on this project (even if you are not a student :D ) please contact me.

Posted by Marco Ramilli at 1:15 PM

When Memory Injection Sucks

Hi Folks,
during last few days I utilized a self-made tool to inject shellcode into process. I must be sincere.. it has been a while since I didn't use it ... maybe a year ? But it always worked great. I injected tons of shellcode on processes, at the beginning for studying (aka homework) and then for research purposes (aka for work). Well, today on BackTrack 4 it doesn't work anymore. That surprised me.

The script uses ptrace() API, and like Malaria or shellInjector writes back to IP the entire shellcode. So far I have no idea what happened and why it wont work anymore. The displayed error is: POKETEXT Input/Output. I attache here the screenshot of the issue.




Suggestions ? Someone know what happens ? Maybe a kernel restriction ? Please leave a comment if you know what changed during last year :D. thank you .

Posted by Marco Ramilli at 9:23 AM

Just For Fun! The Fake Steve Job @ Home

Well,
sometime I wonder how people find so much free time to make this stupid, but amazing and really funny stuff :D !



I had amazing 3 minutes today watching this video. :D
Take a look, hope you'll find funny as I found it !

Posted by Marco Ramilli at 8:58 AM

Exploiting Intel® CPU Caching.

Hi Folks,

according to this post on Invisible Things, next week they'll publish a paper (within the exploit description) on privilege escalation from Ring 0 to the SMM on many of the recent motherboards with Intel CPUs. I am very curious to see what they've done. I hope the paper will be technical and procedural. I would like to see both: the process that triggered the attack and the description with technical details of the exploit which implements the attack.

Anyway, I am sure it will be another incredible and amazing attack from Invisible Thinks. Thank you for sharing.

Posted by Marco Ramilli at 1:28 PM

Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data

Hi Folks, today I wanna point out this interesting paper: "Network Attack Detection Based on peer-to-peer clustering" . Finally I can post the result of our research in a blog post :D, since has already been published. Here the abstract of the paper:

Network intrusion detection is a key security issue that can be tackled by means of diff erent approaches. This paper describes a novel methodology for network attack detection based on the use of data mining techniques to process tra c information collected by a monitoring station from a set of hosts using the Simple Network Management Protocol (SNMP). The proposed approach, adopting unsupervised clustering techniques, allows to e ectively distinguish normal tra c behavior from malicious network activity and to determine with very good accuracy what kind of attack is being perpetrated. Several monitoring stations are then interconnected according to any peer-to-peer network in order to share the knowledge base acquired with the proposed methodology, thus increasing the detection capabilities. An experimental test-bed has been implemented, which reproduces the case of a real web server under several attack techniques. Results of the experiments show the ef ectiveness of the proposed solution, with no detection failures of true attacks and very low false-positive rates (i.e. false alarms).

The accuracy of the results:

The False positive rate:

This paper described a novel methodology for network attack detection based on data mining of tra c information collected via SNMP by multiple monitoring stations, which are organized in a peer-to-peer network with the purpose of sharing the gained knowledge. In particular, the use of unsupervised clustering techniques on network-speci c MIB objects allows to e ectively detect malicious network behaviors, such as the ones due to DoS, DDoS and port scanning attacks, while still distinguishing between normal and harmful tra c pro les with very high accuracy. Experimental results, obtained by emulating the real tra c of ten web servers under several kinds of attack, demonstrated the e ectiveness of the proposed solution, reaching high accuracy levels with no detection failures and a false positive rate as low as 1.21% on average. The accuracy levels of discerning normal and harmful tra c is on average greater than 99.58%. Moreover the detection accuracy can be increased by increasing the number of collaborative neighbours per peer, particularly the accuracy of identifying also the kind of attack. Finally, the experiments highlighted that the loss of detection accuracy of not updated clustering models, over new incoming observations, is on average only 0.39%, after that the amount of the new SNMP tra c is an order of magnitude greater than the one used to learn the corresponding model. Such promising results will be the basis to extend the current work to more complex network scenarios, where experiments will be conducted on SNMP traffi c collected from a larger set of heterogeneous hosts and servers as well as from interconnecting equipment such as routers and switches.

Enjoy your reading.

Posted by Marco Ramilli at 7:33 PM

1024-bit RSA Encryption Cracked

An amazing paper published by Andrea Pellegrini, Valeria Bertacco and Todd Austin entitled "Fault-Based Attack of RSA Authentication", will be discussed on Design, Automation and Test conference in Europe. The authors claim to attack the RSA system by fluctuating the voltage to the CPU such that it generated a single hardware error per clock cycle, they found that they could cause the server to flip single bits of the private key at a time, allowing them to slowly piece together the password. With a small cluster of 81 Pentium 4 chips and 104 hours of processing time, they were able to successfully hack 1024-bit encryption in OpenSSL on a SPARC-based system, without damaging the computer, leaving a single trace or ending human life as we know it. The paper is available here.

So far the practical attack feasibility is pretty low, in fact the attacker needs to control the power adapter of the attacked machine, which means having physical control on hardwares. Of course when you have control on hardware there are tons of way easier and faster then forcing hardware faults to recover private key. Moreover David Naccache et Al. have already shown how is possible to share information utilizing covert channels like temperature, power pics and sound, but the concept described by Pellegrini is really interesting and innovative.

Finally I totally recommend this reading, pretty brilliant, easy to read and innovative concept of attack.

Posted by Marco Ramilli at 1:33 PM

Sick And Busy

Hi folks,

I am sorry for a week off. Today I am sick, but I would like to point out this interesting post: PayPal Freezes Cryptome's Account.

PayPal has confiscated donations made to Cryptome since February 24, 2010. The donations have have been refunded by Cryptome rather than leave them in the untrustworthy control of PayPal for purposes contrary to those of the donors. The total refund was about $5,300, not much but a peak in donations.The timing of the confiscation corresponds to the recent Microsoft-Network Solutions copyright imbroglio and public attention given to the lawful spying guide series including those of PayPal. PayPal's legal agreements describe a wide range of prohibitions -- among them DMCA infringement, counter-terrorism, violations of AUP and catch-alls -- for use of its services and urges reporting of violations. It "limits" (suspend and/or close) an account without fully explaining the reasons, some of which may be secret under spying law, others kept confidential to avoid law suits or bad publicity. [ ... ]

This is interesting to know :D

Posted by Marco Ramilli at 8:25 AM