3 – Kali Pi Forwarding X over SSH

Say, for example, you would like to use a graphical tool over SSH. This is easy and all you have to do is add the -X switch to your normal ssh login.

Step 1:

Forwarding X over SSH

ssh username@kali_ipaddress -X

1 - SSH Kali Forwarding X

Step 2:

Running Wireshark with a graphical user interface (GUI) over SSH

wireshark &

2 - Start wireshark X forwarding

Step 3:

Select OK to continue

3 - Wireshark click OK

Step 4:

Click OK again

4 - Wireshark click OK 2

Step 5:

Select the network interface you wish to capture on and click on Start

5 - select interface and click start

Result: a GUI environment over SSH and a very fast instance of Wireshark running on such a small device

6 - Wireshark running

 

2 – Kali Pi after install what next

Now that we have Kali working on the Pi it is time to make some changes to the system and run updates.

I am going to carry out this work via SSH.

Step 1:

Run ssh username@kali_ip_address

1 - ssh to kali pi

Step 2:

Change the password by typing “passwd” and pressing Enter. Don’t worry when you don’t see anything appearing in the password field, as this is normal; all you have to do is enter the new password correctly twice.

2 - kali change password

Step 3:

Update first with apt-get update

3 - kali apt-get update

This should end without error, like below

3.1 - kali apt-get update finish

Step 4:

Once “apt-get update” has completed successfully you will want to run “apt-get upgrade”. You can run “apt-get upgrade -y” if you want to continue automatically with any upgrades found.

4 - kali apt-get upgrade

This should also end without error

4.1 - kali apt-get upgrade finish

A quicker way to do this is to chain the commands together, as can be seen below

4.2 - kali quick update and upgrade

Step 5:

My last step is to reboot. You don’t technically need to, but I like to do this myself after any updates or upgrades, and it is quick.

5 - Reboot kali

 

1 – Kali from Git clone and Booting in 19 steps + some more – UPDATED 24/02/2015

This has been left here for historical purposes, please see the new fully working guide here!

OK, I had a previous attempt running the install from Linux Mint 17 and I had some issues, one of them being a 3GB partition with only one script in it and nothing else, which was a bit strange. I did notice during creation that certain folders failed to be found, “init” for example, which at the time I figured was a bit odd, but I proceeded nonetheless. What follows is a full guide on how I got Kali Linux running on the Raspberry Pi 2 successfully:

Step 1:

Create a directory to work out of and navigate into it

mkdir Kali-Git

cd Kali-Git

1 - Kali make dir

 

1.1 - Kali change dir

Step 2:

Run git clone https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7 to pull down the toolchain used for the “armhf” image creation

2 - Kali Git Clone

Once finished, the output should look as follows

2.1 - Kali Git Clone Finish

Step 3:

Check your working directory with “pwd”, then ls to check the gcc-arm directory is there, and use this information to export the path

3 - Check pwd and directory

Step 4:

Export the path, with /root/Kali-Git being the working directory and gcc-arm-linux-gnueabihf-4.7/bin being the bin directory inside the toolchain directory you just cloned from git

4 - Export Kali

Step 5:

Clone the kali-arm-build-scripts from github

5 - Clone Kali Arm Scripts

Once finished, the output should look as follows

5.1 - Clone Kali Arm Scripts finish

Step 6:

Now, as the Pi has a different architecture, you need to modify the rpi.sh script in the cloned repository with the editor of your choice

6 - Change to Kali arm scripts dir

Step 7:

Modify two separate locations, as outlined in the image below

7 - Change Kali architecture

Step 8:

I also chose to comment out the last few lines at the end, so that I can troubleshoot without compressing the image or building a shasum, as you can see below. Make sure to save the file.

8 - rpi script comment out

Step 9:

Copy the following pastebin script from here and create a new file in the kernel directory, or alternatively run wget http://pastebin.com/download.php?i=Rv3zpsiv -O rpi-3.1.8.config from the terminal to download it straight into the directory, ready to edit.

9 - change kernel and create file

Step 10:

Paste the above pastebin content into the new file, save it, and then modify the following line so that we can copy the Raspbian boot directory over afterwards, which is also required to make things run smoothly and get rid of X freezing: change CONFIG_LOCALVERSION="-v7" to CONFIG_LOCALVERSION="-v7+" (you only need to add a + to the end).

10 - Change kernel

Step 11:

Fix any local dependencies you may require by running the following script

11 - Build Kali dependencies

The output of the above script should finish like the following, with no errors

11.1 - Kali dependencies finish

Step 12:

Now modify the rpi.sh script so that the kernel changes are picked up, and change the kernel version number to match the file that you just created

12 - Kali config change

Step 13:

When the rpi.sh script is run with the version number of your choice, the output should start as below. Be patient, as depending on your internet connection this can take some time to complete.

13 - run rpi script

 

When finished, it should look something like this

13.1 - run rpi script finish

Step 14:

Check the directory and that your image is there

14 - check the kali image is created

Step 15:

Now it’s time to burn your image to your micro SD card with dd, but first you have to find the micro SD card. Use “fdisk -l” to list the available disks and partitions: /dev/sda is my main local disk and /dev/sdb is the micro SD card. If you don’t know which one is your micro SD, unplug it, run “fdisk -l” again and see what has changed, then plug it back in and you should see it.

14.1 Kali list disk

Now it’s time to run the dd command to burn the image to the micro sd

Usage:

dd – runs the copy of the image file

if= – the path to your image file, in this case the rpi-1.0.1 image

of= – the micro SD card device to copy the image to (/dev/sdb in my case)

bs=1M – a block size of 1MB

14.2 Kali dd to disk

Output should look similar to the following

14.3 Kali dd finish

Step 16:

I booted up at this stage and got the freeze after install that was discussed on the Kali Linux forum.

Step 17:

I then copied the boot loader partition from the Raspbian image over and replaced the files that had been installed on the Kali Pi image just created. First, though, you need to mount the Raspbian image to extract the boot loader.

Calculate the byte offset for mounting first, by multiplying the sector size by the starting sector, so in this case 512 x 122880.

17 - calculate block size

Once you have this information you can then mount Raspbian with the following command

mount -o loop,offset=$((512 * 122880)) 2015-01-31-raspbian.img /mnt/raspbian

 

17.1 - mnt raspbian

Step 18:

Insert your micro SD card and create a folder called modules in the Kali Pi /lib/ directory on the main partition

18 - create modules directory

Step 19:

Copy the directory “3.18.5-v7+” from the Raspbian image over to the Kali Pi /lib/modules/ directory that was just created. I advise opening a new terminal window for this, so you can check with “pwd” that you are in the correct working directory.

19 - copy raspbian to kali

So we need to copy /mnt/raspbian/lib/modules/3.18.5-v7+ to the Kali micro SD card, which for me is mounted at the following path (yours will be different): /media/96ceeab2-4f55-41fb-8e55-91cd598e066e/lib/modules

cp -r (copy the directory recursively)

/mnt/raspbian/lib/modules/3.18.5-v7+ (the Raspbian directory we are copying)

/media/96ceeab2-4f55-41fb-8e55-91cd598e066e/lib/modules (Kali on the micro SD card)

cp -r /mnt/raspbian/lib/modules/3.18.5-v7+ /media/96ceeab2-4f55-41fb-8e55-91cd598e066e/lib/modules

19.1 - copy raspbian to kali copied

Check the directory copied over correctly

19.2 - copy raspbian to kali copied check

Now to repeat a somewhat similar process of mounting and copying for the boot loader

19.3 - mount raspbian boot loader

Calculate the byte offset for mounting first, by multiplying the sector size by the starting sector, so in this case 512 x 8192.

19.4 - mount raspbian boot loader active
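The offset arithmetic from this step and from step 17 (sector size times start sector), as an added example that is not part of the original guide: it reads the start sectors and the sector size out of fdisk -l output for the image instead of typing the numbers by hand, and builds the loop mount command with the partition mounted read-only and bounded by sizelimit so a stray write cannot touch the rest of the image. The fdisk output below is a constructed sample with the same start sectors the guide uses (8192 for boot, 122880 for root).

```python
import re
import shlex

# Constructed sample of "fdisk -l 2015-01-31-raspbian.img" output. The start sectors are the
# ones the guide multiplies by 512: 8192 for the boot partition, 122880 for the root partition.
SAMPLE_FDISK_OUTPUT = """\
Disk 2015-01-31-raspbian.img: 3.1 GiB, 3276800000 bytes, 6400000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device                    Boot  Start     End Sectors Size Id Type
2015-01-31-raspbian.img1         8192  122879  114688  56M  c W95 FAT32 (LBA)
2015-01-31-raspbian.img2       122880 6399999 6277120   3G 83 Linux
"""


def sector_size(fdisk_output: str) -> int:
    """Logical sector size from the 'Units:' line, rather than assuming 512."""
    match = re.search(r"^Units: sectors of \d+ \* (\d+) = \d+ bytes", fdisk_output, re.M)
    if not match:
        raise ValueError("no 'Units:' line in fdisk output")
    return int(match.group(1))


def partition_table(fdisk_output: str) -> dict:
    """Partition number -> (start sector, end sector) for every row of the 'Device' table."""
    parts = {}
    in_table = False
    for line in fdisk_output.splitlines():
        if line.startswith("Device"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if fields[1] == "*":        # bootable flag occupies the Boot column; drop it
            del fields[1]
        number = int(re.search(r"(\d+)$", fields[0]).group(1))
        parts[number] = (int(fields[1]), int(fields[2]))
    return parts


def partition_offset(fdisk_output: str, partnum: int) -> int:
    """Byte offset of a partition inside the image: sector size times its start sector."""
    start, _ = partition_table(fdisk_output)[partnum]
    return sector_size(fdisk_output) * start


def mount_command(fdisk_output: str, partnum: int, image: str, mountpoint: str) -> str:
    """The guide's loop mount, read-only and limited to the partition's own extent."""
    start, end = partition_table(fdisk_output)[partnum]
    size = sector_size(fdisk_output)
    offset, limit = size * start, size * (end - start + 1)
    return (f"mount -o loop,ro,offset={offset},sizelimit={limit} "
            f"{shlex.quote(image)} {shlex.quote(mountpoint)}")


if __name__ == "__main__":
    for partnum, name in ((1, "boot"), (2, "root")):
        print(f"{name}: offset {partition_offset(SAMPLE_FDISK_OUTPUT, partnum)} bytes")
        print("  " + mount_command(SAMPLE_FDISK_OUTPUT, partnum,
                                   "2015-01-31-raspbian.img", "/mnt/raspbian"))
```

To use it on a real image, feed it the text of `fdisk -l <image>` instead of the sample; drop `ro` only if you intend to write into the image.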

Now copy the boot-loader contents from the Raspbian image to replace the contents of the Kali boot-loader, but first remove everything in the boot-loader partition on the Kali micro SD card with “rm -rf *”. Be careful with this: if you run it in the wrong place you will remove the contents of whatever directory you are currently in. You have been warned.

19.6 - Kali boot loader directory clear

 

Copy the full contents of the Raspbian boot loader directory to the Kali micro SD boot loader

19.7 - Kali boot raspbian copy

Check the Kali boot-loader again with ls; you should now see the Raspbian contents in the Kali boot-loader

19.8 - Kali boot raspbian copied

Result: Kali Pi is booting up and X is also working and I have to say it is extremely fast! The first Pi was so slow compared to this and I only ever used it via SSH and used the terminal. I don’t think I can use the old one any longer now after this, I might re-purpose it as something but from now all focus is on the RPi 2!

BUT! We also need to get the kernel patched for Wi-Fi injection, so:

Step 20:

SSH into your Kali distro

20 - recompile kernel for wi-fi

Using the editor of your choosing, create a file called “recompile_kernel” (or whatever you want) like below, then copy and paste the following into your new file. Thanks to Cyberkryption for this, as I hadn’t spotted it yet, but this was the reason I wanted to boot Kali on the Pi.

#!/bin/sh
# Rebuild the Pi kernel with the Kali Wi-Fi injection patch (Cyberkryption's script, with the fixes noted below)
set -e
sudo apt-get install -y linux-source
sudo apt-get install -y bc gcc gcc-4.6 libc-bin libc-dev-bin libc6 libc6-dev linux-libc-dev make manpages-dev
git clone --depth=1 https://github.com/raspberrypi/linux
cd linux
# Seed the build config from the running kernel (needs /proc/config.gz, i.e. CONFIG_IKCONFIG_PROC)
zcat /proc/config.gz > arch/arm/configs/pi_defconfig
mkdir -p ../patches
wget https://raw.github.com/offensive-security/kali-arm-build-scripts/master/patches/kali-wifi-injection-3.12.patch -O ../patches/mac80211.patch
patch -p1 --no-backup-if-mismatch < ../patches/mac80211.patch
make pi_defconfig
# "make modules" builds only the modules; the kernel image copied below needs "make Image"
make Image
make modules
# The original line "make modules install" is not a kernel make target; modules_install is
sudo make modules_install
# Keep the working kernel so the Pi can be booted again if the new one fails
sudo cp /boot/kernel.img /boot/kernel-bup.img
sudo cp arch/arm/boot/Image /boot/kernel.img

20.1 - recompile kernel for wi-fi

Should look like this

20.2 - recompile kernel for wi-fi

Now chmod +x the file to make it executable

20.3 - recompile kernel for wi-fi

Should look like this

20.4 - recompile kernel for wi-fi

 

Step 20 is not working for me yet and I am getting a few errors that I need to look into a bit further, Cyberkryption on the other hand has this working.

Going back to the start of step 20 again to get wi-fi injection working on the Pi

Step 20 revisited:

I was having problems installing “linux-source”, so I had to run “apt-get update --fix-missing” first to rectify the problem, most likely due to something I was doing last night

1 - apt-get-update-fix-missing

It finished like this

1.1 - apt-get-update-fix-missing-finish

Now to run “apt-get install linux-source” again and accept with -y

2 - linux-source

It finishes like this

2 - linux-source-finish

Now run “apt-get install bc gcc gcc-4.6 libc-bin libc-dev-bin libc6 libc6-dev linux-libc-dev make manpages-dev”, but as that step had run without issue previously, it was already completed last night.

3 - more install

Now run “git clone --depth=1 https://github.com/raspberrypi/linux” and it should finish like below

4 - git linux

“cd” into linux and “ls” to check the contents

5 cd linux and ls

Output the current kernel config:

zcat /proc/config.gz > ~/linux/arch/arm/configs/pi_defconfig

6 - output current kernel

Make a directory called patches in the parent directory, alongside the linux directory you cloned

7 make dir patches

Run:

wget https://raw.github.com/offensive-security/kali-arm-build-scripts/master/patches/kali-wifi-injection-3.12.patch -O ../patches/mac80211.patch

8 - wifi injection patch

Patch:

patch -p1 --no-backup-if-mismatch < ../patches/mac80211.patch

9 - wifi injection patched

make pi_defconfig

10 - Write kernel config

make modules – currently looks like this after a few hours, so be patient!

11 - make modules

TO BE CONTINUED!

Congratulations on making it this far, have fun!

References:

Kali Forum

Cyberkryption Blog

Big thanks to:
mame82, Ram0n & Cyberkryption for fixes along the way and sharing their knowledge.

 

MS15-011 & MS15-014

A whole host of vulnerabilities have been patched in the latest Microsoft Patch Tuesday release, which includes a number of critical vulnerabilities that you really need to pay attention to. Two of them are MS15-011 and MS15-014, as these two patches require you to make additional changes after you have deployed them on your systems, and they affect Group Policy.

This is another vulnerability that has been out there for over a decade, 15 years to be exact. It affects all PCs running all supported versions of Windows. It will however remain unpatched in Windows Server 2003, whose support will be ending soon; Microsoft decided not to patch it even though it should have an extra five months of support. The attack is theoretical, but you should patch and reboot as soon as you can, even if you are not affected by these vulnerabilities.

MS15-011 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by improving how domain-configured systems connect to domain controllers prior to Group Policy accepting configuration data. For more information about the vulnerability, see the Vulnerability Information section.

To be protected from the vulnerability described in this bulletin, additional configuration by a system administrator is required in addition to deploying this security update. For more information about this update, see Microsoft Knowledge Base Article 3000483.

 

MS15-014 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker, by way of a man-in-the-middle attack, causes the Group Policy Security Configuration Engine policy file on a targeted system to become corrupted or otherwise unreadable. This results in the Group Policy settings on the system to revert to their default, and potentially less secure, state.

This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting how Group Policy settings are applied when the Security Configuration Engine policy file is corrupted or otherwise unreadable. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3004361.

So what does this mean to me if I don’t patch it?

Well you will then be an easy target as outlined in the diagram below:

MS15-011 & MS15-014 - Attack Diagram

In the above attack scenario, an attacker is trying to make changes to a shared network switch in a public place (e.g. free Wi-Fi) and can direct the client traffic to an attacker-controlled system via a MITM attack.

  1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path \\10.0.0.23\Share\Login.bat.
  2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
    1. The attacker then crafts a malicious payload into Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.
  3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server 10.0.0.23 is now routed through to the attacker’s machine.
  4. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.
  5. This scenario also illustrates that this attack cannot be used broadly across the internet: an attacker needs to target a specific system or group of systems that request files with this unique UNC.

Ok I patched my systems now what?

Visit the Microsoft support article and enable UNC hardening in Group Policy; you will still be exploitable after the updates have been installed until you do.
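An audit of the UNC hardened paths configuration that KB 3000483 describes, added here as an example and not Microsoft's or the original post's code. It assumes the policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths with the \\*\SYSVOL and \\*\NETLOGON entries from that article; on a non-Windows host it evaluates the constructed sample entries instead of the live registry.

```python
import sys

# Assumed from KB 3000483: the policy key and the two UNC paths it says to harden.
HARDENED_PATHS_KEY = r"SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
REQUIRED_PATHS = (r"\\*\SYSVOL", r"\\*\NETLOGON")
REQUIRED_FLAGS = {"RequireMutualAuthentication": "1", "RequireIntegrity": "1"}

# Constructed sample values: an incomplete configuration and the corrected one.
WEAK_ENTRIES = {r"\\*\SYSVOL": "RequireMutualAuthentication=1"}
HARDENED_ENTRIES = {
    r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
}


def parse_hardened_value(value: str) -> dict:
    """Parse 'RequireMutualAuthentication=1, RequireIntegrity=1' into {flag (lowercased): value}."""
    flags = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed hardened path entry: {item!r}")
        flags[name.strip().lower()] = val.strip()
    return flags


def evaluate_hardened_paths(entries: dict) -> list:
    """Return findings for SYSVOL and NETLOGON; an empty list means both are hardened."""
    findings = []
    present = {name.lower(): value for name, value in entries.items()}
    for path in REQUIRED_PATHS:
        value = present.get(path.lower())
        if value is None:
            findings.append(f"{path}: no HardenedPaths entry, UNC hardening not applied")
            continue
        try:
            flags = parse_hardened_value(value)
        except ValueError as exc:
            findings.append(f"{path}: {exc}")
            continue
        for flag, want in REQUIRED_FLAGS.items():
            got = flags.get(flag.lower(), "unset")
            if got != want:
                findings.append(f"{path}: {flag}={got}, expected {want}")
    return findings


def read_hardened_paths() -> dict:
    """Read the live policy values on Windows; {} when the key is absent or not on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HARDENED_PATHS_KEY) as key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:        # raised when there are no more values
                    break
                entries[name] = value
                index += 1
    except FileNotFoundError:
        pass
    return entries


def main() -> int:
    checks = [("weak sample", WEAK_ENTRIES), ("hardened sample", HARDENED_ENTRIES)]
    if sys.platform == "win32":
        checks.append(("this host", read_hardened_paths()))
    for label, entries in checks:
        findings = evaluate_hardened_paths(entries)
        print(f"{label}: {'OK' if not findings else 'NOT hardened'}")
        for finding in findings:
            print("  -", finding)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```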

References:

https://technet.microsoft.com/en-us/library/security/ms15-011.aspx

https://technet.microsoft.com/en-us/library/security/ms15-014.aspx

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

http://support.microsoft.com/kb/3000483

https://support.microsoft.com/kb/3004361

 

Ransomware

Ransomware is nothing new, but it has been making a big comeback over the last few years. I have seen it gradually rise and encrypt people’s laptops and servers, and heard of entire networks held to ransom. Due to the current rise I decided to write about it.

When was the first known encrypting ransomware discovered?

1989, the year of the “AIDS” trojan, aka “Aids Info Disk” or “PC Cyborg Trojan”, which replaced the AUTOEXEC.BAT file and then counted the number of times the machine had booted. Once the count reached 90 it would hide directories and encrypt the names of all the files on the C: drive, rendering the system unusable. It would then display a message asking the user to “renew the license” and contact PC Cyborg Corporation for payment, which involved sending $189 to a post office box in Panama! Like today’s ransomware, more than one variant existed and different ones did slightly different things, with one thing in common: trying to extort money from you. AIDS actually had an end user license agreement and would display it to the user; an excerpt can be seen below.

If you install [this] on a microcomputer…

then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs…

In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use…

These program mechanisms will adversely affect other program applications…

You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life…

and your [PC] will stop functioning normally…

You are strictly prohibited from sharing [this product] with others…

A few years later the AIDS Trojan was analyzed further. A fatal weakness was discovered in the malware by Young and Yung, who pointed out that the AIDS Trojan relied on symmetric cryptography. They then showed how to use public key cryptography to implement a secure extortion attack, and published and expanded on this in a 1996 IEEE Security and Privacy paper [YY96]. A cryptovirus, cryptotrojan or cryptoworm hybrid encrypts the victim’s files using the public key of the author, and the victim must pay to obtain the needed session key. This is one of many attacks, both overt and covert, in the field known as Cryptovirology.

What is Cryptovirology?

It is the field that studies how to use cryptography to design powerful malicious software (malware). Think of Regin, Stuxnet and the Dark Hotel APT, which have come from nation states, have been stealthy, and were intended to steal information or spy on users for an extended period without their knowledge; they may also be used to cause harm and, often, sabotage.

The first attack that was identified was called “cryptoviral extortion”. This involves a virus, worm or trojan hybrid encrypting the victim’s files, after which the victim must pay the malware author to receive the needed session key; provided they have no backups, this will be the only option available to recover their data from the lock on anything the malware has touched.

What do I do if I am infected?

  1. Turn off your machine, disconnect it from the network and restore from a backup. If you are seeing a pop-up asking for payment then the chance of your files already being encrypted is very high, as you usually will not see this until the encryption process has finished.
  2. Alert your IT/Security department of what has happened, as they will need to assess the damage and see if there has been any spread within the company network, e.g. to network shares.
  3. You may be able to decrypt some files if hit by CryptoLocker, for example with an online decryption tool like this one by FireEye and FoxIT, for which the keys were obtained during Operation Tovar, when a huge number of law enforcement agencies and businesses joined forces to take down the Gameover Zeus botnet, which investigators believed had been used in bank fraud and the distribution of CryptoLocker. At this point I will say don’t hold your breath, as this is only for CryptoLocker and there are many, many variants out there!

How do I protect myself or users?

  1. Back up all your important data, or anything that you do not want to lose, and make sure the backup is not left connected to your machine if you choose to back up locally. Try to use some form of online backup service as well if the data is really important, as there is more chance of restoring it if you can restore previous versions of your files.
  2. Make sure you have up to date anti-virus and maybe some other third-party tools like Malwarebytes, Spybot etc., and use a layered approach; an IDS and some form of packet analysis can help with the cleanup if you need to trawl through the network and see how far the infection has spread.
  3. Use a standard user account with UAC set to the maximum, and have a separate administrator account with a different password.
  4. Make sure all your software is up to date; you can use Personal Software Inspector from Secunia for this, as it provides an effective automated patch management solution.
  5. Be vigilant with emails and avoid clicking on or opening attachments from people you don’t know or companies you have not previously done business with.
  6. Don’t use Internet Explorer; use Firefox or Chrome with a plugin like NoScript, so you can judge for yourself what to allow to run in your browser. I have been using this for years and it is very effective and quite possibly the best protection for blocking malicious payloads from being delivered to your system from within the browser.
  7. Drive-by downloads are a common form of infection; as per step 6 above, use NoScript to protect against this. Just don’t allow scripts to run globally and you should be OK.
  8. Show hidden file extensions: for example, if you receive an e-mail attachment called “super_secret.PDF.EXE” it should raise concerns. This however requires vigilance, and with some proper “Spear Phishing” you may not notice and click it regardless, at which point just turn off your machine and disconnect it from the network.
  9. Disable files from running in the AppData or LocalAppData folders; this can be done one of two ways, manually or with the automated tool, which has usage instructions here.
  10. Disable RDP on XP, 7, 8 & 8.1.

There is quite possibly more you could do to protect yourself, but informing the user, providing some form of user awareness training about the dangers of emails, and testing your users internally (which, yes, I know sounds a bit cruel) is a very good way to make them learn.

Users are your weakest link: you can have the best endpoint protection in place, but without a signature for the latest variant of ransomware, virus, malware etc. you find yourself infected again. It is your responsibility to inform your users, and if you don’t then don’t blame them; they don’t know any better. Just because you know doesn’t mean everyone does, so spread awareness and watch the infections fall.

Before I let you go, I would like to make you aware of the latest attack vector coming your way: RansomWeb, which has been given its name due to its similarities with ransomware, for example the extortion of money after encrypting your database (think Personally Identifiable Information (PII), credit cards etc.).

File integrity monitoring is the trick to detecting RansomWeb, but this is not always in place with a web application provider, so it may be some time before this becomes a reality, and when this gets out of control providers will be reactive rather than proactive to the latest threat.
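A small file integrity baseline with the two signals that separate ransomware encryption from ordinary edits (near-random file contents, and a large share of the baseline changing at once), added as an example and not code from the original post; it applies equally to the encrypted-laptop case in the incident steps above. The workspace and its files are constructed in a temporary directory so it runs stand-alone, and the thresholds (7.5 bits per byte, half the baseline touched) are assumptions to tune per environment.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds: encrypted or compressed data sits close to 8 bits per byte while documents
# sit far lower, and a ransomware run rewrites a large share of the tree in one go.
HIGH_ENTROPY = 7.5
MASS_CHANGE_RATIO = 0.5


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root (the FIM baseline)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def assess(root: Path, baseline: dict) -> dict:
    """Diff the tree against the baseline and flag encryption-like change patterns."""
    current = build_baseline(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }
    # Only the first 64 KiB is sampled; that is enough to tell ciphertext from a document.
    report["high_entropy"] = [
        rel for rel in report["modified"] + report["added"]
        if shannon_entropy((root / rel).read_bytes()[:65536]) >= HIGH_ENTROPY
    ]
    touched = len(report["modified"]) + len(report["removed"])
    report["mass_change"] = bool(baseline) and touched / len(baseline) >= MASS_CHANGE_RATIO
    return report


def run_demo() -> dict:
    """Constructed workspace: one normal edit versus three files overwritten with random bytes
    (a stand-in for ransomware output); returns both assessments."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        names = ["report.docx", "notes.txt", "db.sqlite", "photo.jpg"]
        for name in names:
            (root / name).write_bytes(b"quarterly figures, nothing secret here\n" * 100)
        baseline = build_baseline(root)
        (root / "notes.txt").write_bytes(b"edited by a user after the baseline\n" * 50)
        benign = assess(root, baseline)
        for name in names[:3]:
            (root / name).write_bytes(os.urandom(8192))
        encrypted = assess(root, baseline)
    return {"benign": benign, "encrypted": encrypted}


if __name__ == "__main__":
    for label, report in run_demo().items():
        verdict = "ENCRYPTION SUSPECTED" if report["high_entropy"] and report["mass_change"] else "ok"
        print(f"{label}: {verdict} modified={report['modified']} "
              f"high_entropy={report['high_entropy']}")
```

In practice the baseline is stored off the monitored host and `assess` is run on a schedule, so the alert fires before the timer in the ransom note does.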

It’s also hard to gauge how successful RansomWeb will be, but if RansomWare is anything to go by, threat agents will find a way to make it a lucrative business and start reeling in the money.

Finally the way I see this moving in your internal network is as follows:

  1. System is infected.
  2. Encrypted.
  3. Held to Ransom with a timer.
  4. Timer runs out, you haven’t paid the ransom, so you get a system wipe (destructive malware, a wiper). You have already lost your data once it is encrypted, but this just puts the final nail in the coffin.

Why do I think this? Well, just look at the Sony hack before Christmas, when exactly that happened to them. According to the FBI it was North Korea who did this, but the smell of an inside job is so strong that I am not even going to get into it here, as it is another article in itself.

What we learned, though, is that 100 TB+ was exfiltrated from their network, the ransom was asked for and denied, and then their systems were wiped and staff were forced to use pen and paper to carry out their work. Would you be able to sustain such a hit to your business?

I also feel this is just another way to bring in more stringent regulation of the internet. We will see how true this is, but when “North Korea” is apparently hacking your country and “Cyber Terrorism” and “Cyber War” are being thrown around, you have to STOP, LISTEN, LOOK and then make your own educated judgement. Don’t believe all the hype, as the media likes to bite on certain things and make them sound far worse than they actually are.

 

References:

http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx?carouselActionctl00_ctl14=next&carouselIndexctl00_ctl14=0

http://en.wikipedia.org/wiki/Ransomware

http://en.wikipedia.org/wiki/Scareware

http://en.wikipedia.org/wiki/AIDS_(Trojan_horse)

http://en.wikipedia.org/wiki/Cryptovirology

http://en.wikipedia.org/wiki/Malware

http://en.wikipedia.org/wiki/Kleptography

http://www.microsoft.com/security/Portal/mmpc/help/Infection.aspx

http://www.gfi.com/blog/how-to-protect-against-ransomware-in-three-easy-steps/

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/

http://www.welivesecurity.com/2013/12/12/11-things-you-can-do-to-protect-against-ransomware-including-cryptolocker/

http://www.foolishit.com/vb6-projects/cryptoprevent/?ap_id=Bleeping

http://www.foolishit.com/

https://www.decryptcryptolocker.com/

http://en.wikipedia.org/wiki/Operation_Tovar

http://en.wikipedia.org/wiki/Gameover_ZeuS