Wednesday, December 18, 2013

HOWTO : Build a Fortress for Your Home/SOHO Network

**** Content is updated for SmoothSec 3.4-1 on January 30, 2014 ****

Hardware

(A) Unified Threat Management System (UTM)
Minix Mini HD PC (J&W) :
CPU - Intel ATOM D2550 (dual-core and 4 Hyper-Threading)
Chipset - Intel NM10
GPU - Intel GMA 3600 Series
RAM - 2 x 2GB (DDR3-1066 SO-DIMM) 4GB
Hard Drive - 1 x 2.5-inch Hard Drive (80GB or above)
Networking - Dual Broadcom 57788 Gigabit Ethernet

(B) Intrusion Detection/Prevention System (IDS/IPS)
Minix Mini HD PC (J&W) :
CPU - Intel ATOM D2550 (dual-core and 4 Hyper-Threading)
Chipset - Intel NM10
GPU - Intel GMA 3600 Series
RAM - 2 x 4GB (DDR3-1066 SO-DIMM) 8GB
Hard Drive - 1 x 2.5-inch Hard Drive (120GB or above)
Networking - Dual Broadcom 57788 Gigabit Ethernet
USB Networking - PCi USB 3.0 Gigabit LAN Adapter UE-1000T-G3 or Level One USB Gigabit Ethernet USB-0401

* A switch is also required for this setup if you have more than one computer.

I prefer the following setup :

Internet - SmoothSec (Suricata) - Router (Untangle UTM) - Switch (any switch) - Computers

Software

(A) Untangle 10.0 (64-bit) as UTM
Make sure you install the Lite Package, which is free of charge. If you want to purchase their services, such as Standard, you can install the Standard Package instead. For a home/SOHO network, the Lite Package is enough.

After the basic installation, you need to create an account at untangle.com in order to install the Lite Package (or Standard Package).

(B) SmoothSec 3.4-1 (64-bit) as IDS/IPS with Suricata
Before setting up your SmoothSec, you need to upgrade the SmoothSec scripts to 3.6 and follow the instructions at the link just provided.

To set up IDS/IPS with Suricata, you can follow this section. Make sure you select “suricata” as AF_ENGINE in the configuration file. You should also follow this section for the setup.

For rules handling, you can refer to this link.

To fully understand the setup, you can read this article, even though it is written for 3.6 (not yet released at the time of writing); the concept is the same.

Conclusion

Thanks to the high performance of Suricata's AF_PACKET mode, the Broadcom 57788 Gigabit Ethernet and the Intel ATOM D2550 CPU, the network can play 1440p YouTube video without problem. Setting QoS to Medium in Untangle 10.0 is recommended.

Meanwhile, the Minix Mini HD PC is around US$120 (barebone, without RAM and hard drive), so the hardware cost of building a fortress for your home/SOHO network is not too high. The running cost of this setup is very low, as the software is free of charge. The footprint of the Minix Mini HD PC is very small, smaller than a standard ITX computer case.

If you do not know how to manage SmoothSec (Suricata), you can install Untangle only.

Friday, December 06, 2013

HOWTO : NoCloudAllowed on Kali Linux

Cloudflare is designed to protect websites from Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It acts as a proxy, so the real IP addresses of the websites are hidden. It also acts as a Web Application Firewall (WAF) for the websites behind its service.

However, there are a number of ways to bypass this protection. Since FTP services cannot be protected by Cloudflare, the ftp sub-domain of a website will be disclosed by the penetration testing tool Fierce Domain Scan (fierce.pl). There may be other services that cannot be protected by Cloudflare either.

Another way is to use NetCraft.com to find the IP address history of a website. Why does it work? Because some websites had been published for a while before using the Cloudflare service, and their IP addresses were archived by NetCraft.com. This only works if the IP address of the website has not been changed since, or the SysAdmin overlooked it.

The methods above were mentioned in my previous article.

What if there is no FTP service and no IP address history at NetCraft.com? Should we panic? Be patient! Allison Nixon found a way to overcome this problem. She gave a presentation at BlackHat 2013 titled Denying Service to DDoS Protection Services.

She (with her team) developed a tool, NoCloudAllowed. How does it work? The tool compares the content served by each address in a range of IP addresses with the content of the origin website in order to find the real IP address of the origin. The tool is written in Perl.

Now, I will show you how to install it on Kali Linux.

Step 1 :

Install String::Compare.

perl -MCPAN -e 'shell'
install ExtUtils::MakeMaker
install String::Compare
exit


Step 2 :

Download nocloudallowed.pl.

wget http://nocloudallowed.com/nocloudallowed.pl

Type the following for “help” :

perl nocloudallowed.pl --help

Step 3 :

Referring to the BlackHat 2013 video, the website NoCloudAllowed.com is protected by Cloudflare and has no previous IP address history at NetCraft.com.

Let’s ping the website to see the IP address :

ping nocloudallowed.com
PING nocloudallowed.com (199.83.134.211) 56(84) bytes of data.
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=1 ttl=128 time=818 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=2 ttl=128 time=262 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=3 ttl=128 time=274 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=4 ttl=128 time=502 ms
64 bytes from 199.83.134.211.ip.incapdns.net (199.83.134.211): icmp_req=5 ttl=128 time=264 ms
^C
--- nocloudallowed.com ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 6209ms
rtt min/avg/max/mdev = 262.464/424.601/818.947/217.222 ms

ping www.nocloudallowed.com
PING 2ruek.x.incapdns.net (103.28.248.171) 56(84) bytes of data.
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=1 ttl=128 time=1433 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=2 ttl=128 time=450 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=3 ttl=128 time=278 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=4 ttl=128 time=472 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=5 ttl=128 time=495 ms
64 bytes from 103.28.248.171.ip.incapdns.net (103.28.248.171): icmp_req=6 ttl=128 time=519 ms
^C
--- 2ruek.x.incapdns.net ping statistics ---
7 packets transmitted, 6 received, 14% packet loss, time 6009ms
rtt min/avg/max/mdev = 278.957/608.262/1433.255/377.086 ms, pipe 2


The result is that we get two different IP addresses : 199.83.134.211 and 103.28.248.171.

Step 4 :

There are two ways to use nocloudallowed.pl : "string matching" and "page percentage matching". Since the real IP address of nocloudallowed.com is 54.226.206.170, we limit the IP range to 54.226.206.0 through 54.226.206.255 for the demo.

In realistic cases, the IP range may be anywhere from 1.0.0.1 to 255.255.255.255, and it will take much longer to get a result, as you would expect.

String matching :

perl nocloudallowed.pl -u http://www.nocloudallowed.com/ -i 54.226.206.0-54.226.206.255 -s @nixonnixoff

54.226.206.170 matched string


*** We selected a unique string, @nixonnixoff, from the front page of www.nocloudallowed.com for the matching.

Page percentage matching :

perl nocloudallowed.pl -u http://www.nocloudallowed.com/ -i 54.226.206.0-54.226.206.255

54.226.206.46 is a 4.28008963583708% match
54.226.206.8 is a 4.97538454727825% match
54.226.206.96 is a 6.4580555778227% match
54.226.206.170 is a 76.6947984574021% match
54.226.206.178 is a 2.6906293003467% match
54.226.206.153 is a 13.6152088933292% match
54.226.206.196 is a 5.90278413052861% match
54.226.206.219 is a 6.97554375390092% match
54.226.206.149 is a 1.88944750445606% match
54.226.206.254 is a 3.71636207826023% match
54.226.206.252 is a 5.23038802551876% match
54.226.206.248 is a 9.19859919167773% match


The conclusion is that Cloudflare cannot protect your website as expected.
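The same two tests the tool applies (string matching and page percentage matching) are what a site owner should run against their own origin to confirm it is not exposed: a direct request to the origin IP should be refused, or at least not return the page the CDN serves. The following self-audit is an added example, not part of the original post or of the NoCloudAllowed tool; the hostname, origin IP and marker string in the `__main__` block are placeholders.

```python
"""Self-audit for the origin-exposure problem described above: does your own
origin answer a direct request with the same page the CDN serves?  Added
example, not part of the original post or of the NoCloudAllowed tool."""
import difflib
import urllib.request
from typing import Optional


def similarity(page_a: str, page_b: str) -> float:
    """Page-percentage match: difflib ratio of two HTML bodies, scaled to 0-100."""
    return 100.0 * difflib.SequenceMatcher(None, page_a, page_b).ratio()


def contains_marker(page: str, marker: str) -> bool:
    """String match: is the site's unique marker text present in the body?"""
    return marker in page


def fetch_direct(origin_ip: str, hostname: str, timeout: float = 5.0) -> Optional[str]:
    """GET http://<origin_ip>/ with Host: <hostname>.  Returns None when the
    origin refuses the connection, times out, or answers with an HTTP error,
    which is what a correctly firewalled origin should do for non-CDN clients."""
    req = urllib.request.Request(f"http://{origin_ip}/", headers={"Host": hostname})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:  # URLError, HTTPError and socket.timeout all derive from OSError
        return None


def origin_exposed(direct_body: Optional[str], cdn_body: str, marker: str,
                   threshold: float = 50.0) -> dict:
    """Classify the direct-to-origin response with both of the post's tests.
    Exposed means the origin served the marker, or a body at least `threshold`
    percent similar to what the CDN serves; the evidence is returned for logging."""
    if direct_body is None:
        return {"exposed": False, "reason": "origin refused direct request"}
    pct = similarity(direct_body, cdn_body)
    hit = contains_marker(direct_body, marker)
    return {"exposed": hit or pct >= threshold,
            "marker_found": hit, "percent_match": round(pct, 2)}


if __name__ == "__main__":
    # Placeholder values: substitute your own hostname, origin IP and marker.
    host, origin_ip, marker = "www.example.com", "203.0.113.10", "UNIQUE-MARKER"
    cdn_body = fetch_direct(host, host) or ""   # reference copy, fetched via the CDN
    print(origin_exposed(fetch_direct(origin_ip, host), cdn_body, marker))
```

A result of `exposed: False` with `origin refused direct request` is the outcome to aim for; any other result means the origin is reachable around the CDN and its firewall should be restricted to the CDN's address ranges.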

That’s all! See you.

Thursday, December 05, 2013

BlackHat 2013 - Denying Service to DDoS Protection Services

Speaker :

Allison Nixon
Integralis

Allison Nixon does penetration testing and incident response at Integralis, either assisting companies in post-compromise situation, or compromising them. She gained an interest in security by cheating at video games, but quickly learned that the only way to make real gold is to work for a real company. She is intensely interested in all facets of security and continues to perform security research spanning any and all topics. Allison is a regular host on the Pauldotcom podcast, has spoken at B-Sides Boston 2013, local OWASP meetings, and sits on the executive board of MalShare. She also designed the electronics and software for the laser maze at the 2012 Braintank conference.

Briefing :

In this age of cheap and easy DDOS attacks, DDOS protection services promise to go between your server and the Internet to protect you from attackers. Cloud based DDOS protection suffers from several fundamental flaws that will be demonstrated in this talk. This was originally discovered in the process of investigating malicious websites protected by Cloudflare, but the issue also affects a number of other cloud based services including other cloud based anti-DDOS and WAF providers. We have developed a tool – called No Cloud Allowed – that will exploit this new cloud security bypass method and unmask a properly configured DDOS protected website. This talk will also discuss other unmasking methods and provide you with an arsenal to audit your cloud based DDOS or WAF protection.

Archives :

Presentation & Paper

PoC :

NoCloudAllowed.com

After Thought :

Once Cloudflare is bypassed and the origin IP address is obtained, the attacker can do anything on the origin as normal, since the origin is not protected by Cloudflare's WAF.

Reference :

HOWTO - NoCloudAllowed on Kali Linux

That’s all! See you.