Category Archives: Security

22Dec/15

Why are the default credentials in the realm attribute?

Recently, I was poking around on Shodan (as I do when I am bored) and I stumbled across an interesting query.  If you search for “Default: admin/1234”, you get over 14,000 devices that are advertising their own default username and password in the realm of their HTTP Basic authentication challenge.  The devices appear to be Edimax routers.  I reached out to both EmbedThis and Edimax to ask them about this.  EmbedThis said that it was added by the device manufacturer, and Edimax neglected to respond to me.

[Image: Basic Auth Box]

Default usernames and passwords are not a secret.  There are entire websites out there that catalog default usernames and passwords for devices, but Edimax made it so that you do not even need to know the make and model of the device.  All you need to do is read the text on the authentication box.
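As an added example (not from the original post), here is a small check a defender can run over the WWW-Authenticate headers collected from their own device inventory: it extracts the Basic realm per RFC 7235 (quoted or bare form) and flags realms that look like they disclose credentials, as the “Default: admin/1234” realm described above does. The header samples are constructed, and the pattern list is a heuristic starting point of my own, not anything from Edimax or EmbedThis.

```javascript
// Added example (not from the post): audit HTTP Basic-auth challenges for
// realm strings that disclose the device's default credentials.

// Pull the realm parameter out of a "WWW-Authenticate: Basic ..." challenge.
// Handles both the quoted-string and bare-token forms and unescapes \" inside quotes.
// Returns null when the header is not a Basic challenge or has no realm.
function parseBasicRealm(headerValue) {
  const m = /^\s*Basic\b(.*)$/i.exec(headerValue);
  if (!m) return null;
  const params = m[1];
  const quoted = /realm\s*=\s*"((?:[^"\\]|\\.)*)"/i.exec(params);
  if (quoted) return quoted[1].replace(/\\(.)/g, '$1');
  const bare = /realm\s*=\s*([^\s,]+)/i.exec(params);
  return bare ? bare[1] : null;
}

// Heuristics (my own, not an authoritative list) for "this realm is telling
// the client how to log in". Each hit is reported by name so a reviewer can
// see why a device was flagged.
const CREDENTIAL_PATTERNS = [
  { name: 'default-keyword', re: /\bdefault\b\s*[:=]/i },
  { name: 'user/pass pair', re: /\b(admin|administrator|root|user|guest)\s*[\/:]\s*[^\s"]+/i },
  { name: 'password-word', re: /\b(pass(word)?|pwd)\b\s*[:=]/i },
];

// Audit one header value; `leaks` is true when any pattern matches the realm.
function auditRealm(headerValue) {
  const realm = parseBasicRealm(headerValue);
  if (realm === null) return { realm: null, leaks: false, reasons: [] };
  const reasons = CREDENTIAL_PATTERNS.filter((p) => p.re.test(realm)).map((p) => p.name);
  return { realm, leaks: reasons.length > 0, reasons };
}

// Constructed sample challenges (not real captures) for a quick run.
const SAMPLE_CHALLENGES = [
  'Basic realm="Default: admin/1234"',
  'Basic realm="Router Admin"',
  'Basic realm="admin:password"',
  'Digest realm="example", nonce="abc"',
];

// Audit a list of header values and return one result per header, in order.
function auditAll(challenges = SAMPLE_CHALLENGES) {
  return challenges.map(auditRealm);
}

console.log(auditAll());
```

In practice the header values would come from the 401 responses of your own inventory scan; a hit means the device is announcing a credential to anyone who can reach its login page, so the fix is to change the default password and, where the firmware allows it, the realm text.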

02Nov/15

How to generate keys with the Web Cryptography API

I have been playing around with the Web Cryptography API a lot lately.  My most recent post was about getRandomValues().  I wanted to take a moment to investigate two more methods: generateKey() and exportKey().  The generation of a good cryptographic key is fairly fundamental.  I wrote up a short demo app to demonstrate how the two functions work.

The code outputs to the console, so make sure to have Firebug open when you run the app.  Also, keep in mind that the Web Cryptography API is not fully supported in every browser, so not all of the functions in this demo will work everywhere.  I added in a description box for the crypto algorithms, so you can see the details of each one.

Have any questions? Feel free to drop a comment, below.

14Dec/13

How to use Nmap to identify what a server is running

Whether you are attacking a computer or protecting it, proper intelligence about the target is important.  A very powerful option for learning about a given system is Nmap.  According to Nmap’s website:

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

I would like to take a look at a few of the things you can do with Nmap.  For these examples, my target is going to be jastreich.com (a server run by a friend and former coworker).  This is definitely not a comprehensive guide, but it will cover some high points.


Determine what name the server’s address resolves back to (without pinging anything)

This list scan does not send a single packet to the target.  It simply does a reverse-DNS lookup of each address, which is why the report ends with “0 hosts up”: nothing was probed.  Note that the lookup returns the PTR record for the IP, which is one name per address and not necessarily the name you typed; here jastreich.com comes back as piggyandmoo.com.  The nmap website says that this scan is a “good sanity check” since it lets you verify the identity of your target.  I would have to agree.

nmap -sL [Insert Host Here]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 03:55 UTC
Nmap scan report for jastreich.com (192.81.210.134)
rDNS record for 192.81.210.134: piggyandmoo.com
Nmap done: 1 IP address (0 hosts up) scanned in 0.05 seconds


Trace path to the server (traceroute)

This sends packets to the server with decrementing TTL, in an attempt to elicit ICMP time-exceeded messages from each router along the way.  The goal is to identify every computer between you and your target.  This could help to identify alternate attack vectors.  Note that --traceroute is added on top of Nmap’s default port scan rather than replacing it, which is why the port table also appears in the output.  Beware: traceroute requires root on your local machine.

nmap --traceroute [Insert Host Here]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:37 UTC
Nmap scan report for jastreich.com (192.81.210.134)
Host is up (0.00092s latency).
rDNS record for 192.81.210.134: piggyandmoo.com
Not shown: 998 closed ports
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http

TRACEROUTE (using port 554/tcp)
HOP RTT      ADDRESS
1   11.49 ms 192.81.212.1
2   0.95 ms  piggyandmoo.com (192.81.210.134)

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds


Application Version Detection

So, you know where your target is.  Next, you probably want to know what services your target is running.  The -A option combines version detection (-sV) with OS detection (-O), default script scanning (-sC) and traceroute, and it will tell you exactly what the host is running (to the best of its ability).  Once you know what daemons are running and what versions are running, you can start looking for exploits that can be leveraged, or, if the server is yours, for the patches that are overdue.

nmap -A [Insert Host Here]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:43 UTC
Nmap scan report for jastreich.com (192.81.210.134)
Host is up (0.00061s latency).
rDNS record for 192.81.210.133: piggyandmoo.com
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: localhost, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=stkfactory
| Not valid before: 2012-10-17 21:47:37
|_Not valid after:  2022-10-15 21:47:37
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: J. A. Streich Home Page
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.00%E=4%D=12/14%OT=25%CT=1%CU=44180%PV=N%DS=2%DC=T%G=Y%TM=52ABE1
OS:FA%P=i686-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=8)OPS(O
OS:1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11N
OS:W6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R
OS:=Y%DF=Y%T=41%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:41%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S
OS:)

Network Distance: 2 hops
Service Info: Host:  localhost

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.82 ms 192.81.212.1
2   1.01 ms piggyandmoo.com (192.81.210.134)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.82 seconds


TCP SYN Scan

This is a good first scan when analyzing a server.  It is fast and stealthy because it never completes a TCP connection.  It uses something called a half-open scan: Nmap sends a SYN to each port, treats a SYN/ACK reply as open and a RST as closed, and then tears the half-open connection down with a RST of its own instead of finishing the handshake.  Because no connection is ever established, the application behind the port usually never sees (or logs) the probe, although network intrusion detection systems spot SYN scans easily.  Like traceroute, -sS needs raw-socket privileges, so it requires root; run unprivileged, Nmap falls back to a full-connect scan (-sT).

nmap -sS [Insert Host Here]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:57 UTC
Nmap scan report for jastreich.com (192.81.210.134)
Host is up (0.00031s latency).
rDNS record for 192.81.210.134: piggyandmoo.com
Not shown: 998 closed ports
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
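Scan output like the listings above is only useful if it ends up somewhere you can compare against. As an added example (not part of the original post, and not Nmap's own tooling), here is a parser for Nmap's normal console output in the layout shown in this post, which turns the port table and the NSE script lines under each port into a service inventory and then flags every open port that is not on an expected-services baseline for that host. The sample output and the baseline are constructed (RFC 5737 test address, made-up versions), and the parser deliberately covers only the lines seen on this page; for anything production-grade, Nmap's -oX XML output is the supported machine-readable format.

```javascript
// Added example (not from the post): parse Nmap normal output into a service
// inventory and diff it against an expected-services baseline.

// Constructed sample in the same layout as the scans above (host, IP and
// versions are made up; 192.0.2.0/24 is a documentation address range).
const SAMPLE_NMAP_OUTPUT = `
Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:43 UTC
Nmap scan report for host.example (192.0.2.10)
Host is up (0.00061s latency).
rDNS record for 192.0.2.10: alias.example
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
|_smtp-commands: localhost, PIPELINING, SIZE 10240000, STARTTLS, 8BITMIME,
| ssl-cert: Subject: commonName=example
|_Not valid after:  2022-10-15 21:47:37
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Example Home Page
Network Distance: 2 hops
Service Info: Host:  localhost
Nmap done: 1 IP address (1 host up) scanned in 20.82 seconds
`;

// Walk the output line by line. A "Nmap scan report for" line starts a host,
// a "<port>/<proto> <state> <service> [<version>]" row starts a port, and
// "|"/"|_" lines are NSE script output belonging to the preceding port.
function parseNmapNormal(text) {
  const hosts = [];
  let host = null;
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trimEnd();
    let m;
    if ((m = /^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$/.exec(line))) {
      host = { name: m[1], ip: m[2] ?? m[1], up: false, rdns: null, ports: [] };
      hosts.push(host);
      current = null;
    } else if (!host) {
      continue;   // banner lines before the first host
    } else if (/^Host is up/.test(line)) {
      host.up = true;
    } else if ((m = /^rDNS record for \S+: (\S+)$/.exec(line))) {
      host.rdns = m[1];
    } else if ((m = /^(\d+)\/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$/.exec(line))) {
      current = {
        port: Number(m[1]), proto: m[2], state: m[3],
        service: m[4], version: m[5] ?? null, scripts: [],
      };
      host.ports.push(current);
    } else if (current && (m = /^\|_?\s?(.*)$/.exec(line))) {
      current.scripts.push(m[1]);
    }
  }
  return hosts;
}

// Baseline of what each host is allowed to expose, keyed by IP; every open
// port outside it is reported as a finding with the detected version.
function findUnexpectedPorts(hosts, baseline) {
  const findings = [];
  for (const h of hosts) {
    const allowed = baseline[h.ip] ?? new Set();
    for (const p of h.ports) {
      const id = `${p.port}/${p.proto}`;
      if (p.state === 'open' && !allowed.has(id)) {
        findings.push({ host: h.name, ip: h.ip, port: id, service: p.service, version: p.version });
      }
    }
  }
  return findings;
}

// Constructed baseline: this host is supposed to offer only mail and web.
const EXPECTED_SERVICES = { '192.0.2.10': new Set(['25/tcp', '80/tcp']) };

function runSample() {
  const hosts = parseNmapNormal(SAMPLE_NMAP_OUTPUT);
  return { hosts, findings: findUnexpectedPorts(hosts, EXPECTED_SERVICES) };
}

console.log(JSON.stringify(runSample(), null, 2));
```

Run against a real scan, the findings list is the thing to act on: an unexpected open port is either an undocumented service to add to the baseline or something that should not be listening at all, and the captured version string tells you which software to go and look at.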