Spy vs Spy: Thoughts on the SolarWinds Hack

Alleged Russian backed hack “virtually a declaration of war by Russia on the United States,” claims US Senator Dick Durbin – I always kind of shake my head a little bit when I read political quotes like this. In this post I will explain why.  

I have been asked a lot about the “SolarWinds” hack, so I thought I would throw my two cents in. Whenever a “Nation State” hack is exposed, it is always met with feigned shock and outrage from government leaders. Our government agencies actively hack foreign infrastructure and agencies, and they respond in kind. It is the way it is – kind of like the old Spy vs Spy cartoon. The truth is, it has been going on forever, way before the “cyber” age – it is called “Espionage”.

Years ago, as a young IT professional working near Rochester, NY, I heard about a fascinating CIA Cold War espionage mission against the Russian embassy in DC that involved Xerox copy machines. The story about the Xerox 914 CIA “Spy Machine” was told in the January 1996 issue of Popular Science.

Basically, the Russian Embassy used a Xerox machine to photocopy sensitive information. The CIA trained a Xerox repairman to install a special spy camera unit during a maintenance call. Every time the machine made a copy, the camera took a picture of the document. The repairman would recover the camera or film on the next service call and replace it with another.

1967 patent 3,855,983, displaying miniature camera from the same creator of the Xerox Spy Cam

In reality, the art of espionage goes all the way back to ancient times, it is not anything new. The only thing that has changed is the medium. Instead of trying to train an agent, have them infiltrate a foreign agency, and gain a position of trust – something that could take years, or decades – it is now much easier to hack into an entity, target corporate or government leaders in an attempt to grab all the secrets at once.

In the same way that espionage units would scope out physical infrastructure and critical supply chain entities in an attempt to perform acts of sabotage – the same is now done in the “ether”.

One major benefit of “cyber espionage” other than the ability to gather large amounts of useful information with a single attack, is the ability of anonymity. While bouncing attacks through multiple countries, and mimicking other known attacks, it is much easier to hide the attacker’s true identity.

When I first got into cybersecurity ages ago, I performed a lot of basic malware analysis. A friend that did IT support for a department in a major company, that was getting repeatedly attacked. They asked me for help in finding the location of their attacker.

When I disassembled and analyzed the attacker’s code, it was hardwired to exfiltrate data to a random gaming server hosted in Texas! Did Texas declare war on this US company? Of course not! Attackers were using the hosted server as a command-and-control unit.

A lot of this was still new at the time and there was really no written in stone way to deal with attacks like these. I assume the friend’s company took the findings and approached the company who was being used as the “middle-man” portal for the attack.

Not being a government agency, they had no legal right to “hack back”. I never did know what happened after that, or how long it took for the company being misused to respond, but I assume they did.

Things have advanced a lot since that time, and some security companies/ agencies can do a lot to research the attacker style and the attacking nation, but it takes time and effort.

Am I condoning what the Russian hackers (allegedly) did? Of course not! But, sadly, they hack us, we hack them, it is the way of modern cyber espionage. The only reason why this is a big deal, politically, is that they were caught with their hand in the cookie jar.

Pi 400 & Kali Linux – The Perfect $100 Hacking System

The Pi 400 makes creating a hacking system with Raspberry Pi extremely simple – it is literally burn, boot and done!

The Pi 400 is an “all in one” keyboard version of the Raspberry Pi 4. For all intents and purposes, it is a Raspberry Pi 4, though it has been flattened out a bit and the circuitry has been modified to reflect the changes. The Pi 400 is perfect as a hacking system, as you can easily install and use a fully function version of Kali Linux on it.

In this article, we will look at installing Kali, and running some quick WIFI attacks. All that is needed hardware-wise for this article is the Pi 400 (complete kit) and a Kali compatible USB WIFI adapter. I used an TL-WN722N (v1!) and an Alfa AWUS036NHA, both worked “Out of the Box”.

I know, you can’t get the TL-WN722N v1 adapter new anymore, but there are tons of them out there, and it is one of the best short range WiFi adapters available.

The Pi 400 Complete kit is nice – it comes with the Pi 400, power supply, a memory card, mouse, HDMI cable and a “Raspberry Pi Beginners Guide” book. All you need is a monitor!

The Pi 400 complete kit also comes with a 16GB memory card pre-loaded with RaspiOS. Literally all you need to do is unbox, attach the peripherals, insert the memory card into the Pi, apply power and in a few seconds, we have a Raspbian desktop.

**NOTE: Never insert or remove the memory card when power is applied!

If you have never used a Raspberry Pi before, take your time and play with it. RaspiOS is a very good operating system, and a great way to learn how to use the PI – If you bought the complete Pi-400 kit, the included beginners guide will walk you through using RaspiOS, and more advanced topics like using the GPIO board and sensors.

Though that is not the purpose of this article, we want to turn the Pi-400 into a hacking platform, so let’s get to it!

Installing Kali Linux

Installing Kali Linux on the Pi 400 is very simple. If you are finished using RaspiOS, you can use the memory card from the Pi 400 Kit or just use a new or blank one. All you need to do is download the official Kali Linux Pi 4 64-bit ARM image from Offensive Security, write it to the memory card using a program like BalenaEtcher, then insert the card into the Pi, apply power and boot.

  1. From the Offensive Security Website, under “Raspberry Pi Foundation”, Download Kali Linux 4 (64 bit) image – https://www.offensive-security.com/kali-linux-arm-images/
  • Insert the memory card into the Pi 400, apply power and boot.

You now have a Kali Linux Desktop system!

Okay, So What Doesn’t Work

It’s not a Pi 4, it’s a Pi 400, something must be different, you say. Honestly, the only real difference I have run into so far is that the internal WiFi doesn’t seem to be recognized by Kali. Though it does work in RaspiOS. I am assuming it is some sort of driver issue, I haven’t had a chance yet to troubleshoot. Though I am not heart broken, I rarely use it, and always use a USB WiFi adapter for much better range and reliability.

WiFi Attacks with the Pi 400

Run “ifconfig” and make sure your wireless card is detected, it should show up as wlan0 and/or wlan1, once the onboard wifi driver is fixed.

First, let’s get the lay of the land with Airodump-ng. For the Wi-Fi hacking purists out there, who love iwconfig, Airodump will automatically put the card in the correct monitoring mode for you. All you need to do is run the command.

  • sudo airodump-ng wlan0

Our target, “Death Star” is currently running on Channel 11.

We can go for a “quick kill” using Besside-NG

  • sudo besside-ng -W -c [Channel] -b [Target_BSSID]

If the attack works, we get the WPA handshake file. It only took about 15 seconds; I’ve seen it work as fast as 5 seconds.

The Besside log file and the captured WPA handshake file (wpa.cap) are stored in the user’s home directory.

The handshake file can include a lot of unnecessary packets, you can clean these up with the beside-ng-crawler tool. Though it is really not necessary if just targeting a single target.

  • besside-ng-crawler [search_directory] [output_file]

The handshake file then needs to be cracked.

Bettercap

Bettercap 2 is an awesome Wireless attack tool with a lot more options. It is not installed by default, but is included in the Kali repository.

  • sudo apt install bettercap

Now all we need to do is run bettercap and turn on WiFi recon

  • sudo bettercap -iface wlan0
  • wifi.recon on

Looks a bit confusing, but we can clean it up with the Bettercap “Ticker” Display

  • set wifi.show.sort clients desc
  • set ticker.commands ‘clear; wifi.show’
  • ticker on

We now have nice color-coded display that works great even through SSH.

Now, let’s grab some handshake files:

  • wifi.recon.channel X (enter channel #)
  • wifi.assoc [BSSID]
  • or wifi.assoc all (warning – attacks all detected WiFi networks!)

Notice, “Death Star’s” Encryption type has turned to red. Bettercap successfully grabbed and saved the handshake. When finished, type “exit” to exit bettercap.

Captured handshake files and the bettercap log are stored in the Kali root user directory:

Unless the WPA key is extremely simple, you really don’t want to try to crack them on a Pi4. I highly recommend copying it off to a desktop system.

Conclusion

In this article we saw how to quickly and easily install Kali Linux on the new Pi 400 all in one keyboard system. The Pi 400 is a great choice as a hacking system due to it’s portability and compactness. It also can run a full desktop install of Kali Linux, or any other Pi 4 compatible OS, so your options are many.

We only covered using the Pi 400 in some quick WiFi tests, but as you have the full power of Kali Linux at your fingertips you could perform any level of pentesting with it that you could do with a normal desktop. Okay, it doesn’t have the same power as a high end desktop, so cracking passwords or some enterprise level tests may be out of the questions, but for $100 you can’t go wrong having the Pi 400 in your security testing toolkit.

If you want to learn a lot about security testing with the Raspberry Pi, check out my book, “Security Testing with Raspberry Pi“, available on Amazon.com.

Initial Access with Evil Calendar Files and GoPhish

Almost every time you sign up for an online event, you get one of those wonderful calendar reminders to set an appointment reminder. In this article we will take a look at using “evil” calendar .ics files in a pentesting or Red Team credential grabbing attack.

Crafting the E-Mail

The first thing we need to do is craft a Social Engineering e-mail to entice our corporate targets. Some may use cute puppy pics, or cat videos are always popular. As our pentesting target is a corporate environment, we will use what is near and dear to every worker – bonuses!

When I created this for a book chapter in my upcoming book, “Advanced Security Testing with Kali Linux”, I used GoPhish for the phishing management campaign. If you haven’t used it before, Gophish is a phishing framework that gives security professionals and pentesters the ability to perform live, real-time phishing attack simulations.

GoPhish is not necessary for our “evil calendar” test, but it is a perfect solution if you wanted to roll the test out to a large number of users. Honestly, you don’t need the calendar .ics file either, you could just used boobytrapped links or attachments in GoPhish for the same effect, but what is the fun in that?  

Installing GoPhish

Installing and using GoPhish is very easy. Though I just used it in a local lab, in a corporate test you would need to install GoPhish on a Cloud, VPS or other system with access to an e-mail server.

Download the latest release of GoPhish, extract it, and make the main gophish file executable. Once you run gophish, you need to open a browser to connect to the Web GUI.  

When you create a new phishing campaign, you first will create an e-mail template, target users & groups and a landing page, or the fake website that you will use to monitor who fell for the Phishing e-mail and who did not. Then setup your sending mail server in Sending Profiles. Lastly, start the e-mail campaign using the campaign menu.

E-Mail Template

Creating the e-mail template is where you will put your social engineering skills to the test. You want an e-mail that looks believable and have the greatest chance to have your target click on it. Some internal security testing teams may prefer to put a small hint in the e-mail that it is fake.

For the most part though, you want to make the e-mail as real looking as possible for a true test. Gophish allows you to import an e-mail to use as a template or you can use the HTML WYSIWYG editor included.

Good start, now we just need to add our evil calendar event. We can take a .ics calendar file and add a link to a non-existing server, as seen below:

As with any social engineering request, you would use wording that would entice the user to click on the link. I went with the totally innocuous “Evil Calendar Event”. Nobody would ever click on that. On second thought, trust me, yes, they would.

Now just add the Calendar File as an attachment to our E-mail in GoPhish. Again, you don’t need Gophish for this, it just makes it easier for sending large amounts of e-mails during a real test.  

When we kick off the GoPhish campaign, our targets get an e-mail that looks something like this:

Now the trap is set, we just need to have something to respond to the bogus “corporate_server\join_now” link when people click on it. Responder will work perfectly!

Starting Responder

Responder is an LLMNR, NBT-NS and MDNS poisoner, that will answer service requests for multiple services. What’s nice about it is you can set it to prompt users for a login prompt, when they try to surf to a non-existent network resource. This is exactly what we are using in our evil calendar file.

In real life, Responder would have to be running on an internal system, one already connected to the target network – say running on a drop box.

  • sudo responder -I eth0 -wb

This starts the responder service and it begins looking for service requests to poison. In our case, we want it to respond to any server request, where the server doesn’t exist, and prompt the user for “login credentials”.

Creds from Calendar Files

Now, back on the target desktop. When the calendar file is opened in Outlook, it looks like this:

When they click on the “Join Now” link, they will be given a Responder login prompt:

If they enter the credentials, we get them in plain text!

As seen below:

And that’s it! Our job here is done.

Conclusion

As mentioned, you do not need to use GoPhish for this, and you don’t really have to use a calendar event to do it. You could use any link, even one to the Browser Exploitation Framework (BeEF) if you wished.

And prompt them for their Facebook Creds, using the BeEF Social Engineering attack:

Though using the Calendar technique is a nice way to get creds if you know you will be onsite or have onsite access on a certain day.

For a lot more information on using Kali Linux as a security testing platform, check out my “Basic Security Testing with Kali Linux” book. For more advanced techniques, keep an eye out for my upcoming book, “Advanced Security Testing with Kali Linux”, available soon!

Kali 2020.4 is here – and with a slightly new look!

The latest version of Kali Linux 2020.4 dropped this week. Let’s take a quick look!

At first glance it seems like mostly visual changes – Love it or hate it, they switched to the ZSH shell by default. If you are not used to it, it is a little disorientating at first, but you get used to it quick.

Kali is now using Metasploit Framework 6 which has some nice updates that I really like. I did a demo of the MSF 6 Docker to Host bypass demo a while back for my Instagram followers. It is called the “Docker_Priveleged_Container_escape” and works great!

Escaping a privileged Ubuntu Docker container back to the Kali Linux Host

As mentioned, the default shell is now ZSH. I was not a fan of ZSH, but it is growing on me. It also kind of makes Kali look more like Parrot OS, but I won’t say that in public, lol.

chsh -s /bin/bash or chsh -s /bin/zsh and a reboot allows you to change between the two shells, but bash has also been modified to look the same, though it does act differently.

You can check which shell is active by using echo $0

If you haven’t noticed in the previous versions, some tools that you may have normally used have been removed (like BeEF) from the default VMWare image and are now part of the “Large” install package. You can still apt install any of the missing tools that you need.

Oh and apt update works again in this version! There was a typo in several of the Kali 2020.3 version sources file that caused an error on update.

Always happy to get a new Kali version, and looking forward to Kali 2021! For more information on all the new Kali 2020.4 features, check out the official release post!