Project “AirCrack1” : Warflying

If we can put business and some fun together, why hesitate? For a while now, I have been playing with flying toys. I already played with different models of RC helicopters and recently I switched to another category: I bought a quadcopter. The idea of mixing drone technology with WiFi audits popped into my mind a while ago. First of all, this is nothing new. Darren from Hak5 had the same crazy idea before me (see episode 1520). But there is a difference between watching a cool video and doing the same in real life. So I decided to try the same thing! And if I could use it to perform WiFi assessments or pentests, it would be even cooler!

May 2014 OWASP Belgium Chapter Meeting Wrap-Up

With a little delay, here is my wrap-up of the last OWASP Belgium chapter meeting. It was held at NVISO, an information security company located in Brussels which is known for its ApkScan tool. After some pizzas, drinks and chats with peers, two speakers came on stage. Amongst known faces, a lot of new people were present. It’s good to have fresh blood at such events!

The first speaker was Tiago Teles from Cigital. The title of his presentation was “Securing password storage – Increasing resistance to brute force attacks“. Passwords… a hot topic. Indeed, yesterday, eBay announced that it had suffered a leak of user data. Passwords are in the wild now. Tiago explained how to handle your users’ passwords properly and started with a fact:

“Your passwords WILL be extracted from your system”

Thus, we have to make them unusable or at least make the attacker’s job more difficult. Modern websites allow users to register and use credentials to buy stuff, to access private data, to organize their profile, etc. You’re responsible for those passwords and must protect them in the right way. After a review of the history of protections (do you remember the old UNIX /etc/passwd files with the password hashes stored in them, readable by everyone?) and the challenges we are facing, Tiago gave very interesting suggestions to protect passwords against brute-force attacks. Hashing (with a salt!) is a best practice. Why?

  • They are unique
  • They are resistant to collision
  • They can’t be reversed
  • They can’t be predicted
  • They are… fast!

A technique to attack hashed passwords is to use rainbow tables, but they also have limitations: a per-user salt makes precomputed tables useless. To protect against brute-force attacks, Tiago explained what adaptive hashes are. They are designed to remove one of the properties of classic hashes: speed! Finally, Tiago gave very good advice to everybody: be prepared to be attacked and have a good communication plan! The slides are available here.

After a short break, the second talk was given by Daan Raman and Erik Van Buggenhout (from NVISO). The title was “A history of ATM violence – From blowing up safes over jackpotting to all-round malware“. ATMs (“Automated Teller Machines”) are used daily by most of us and are often nice targets for thieves. As Erik said: “We don’t need to ask why to target them! That’s where the money is…“. After a short history of ATMs (did you know that there are currently 2.2 million ATMs worldwide?), Erik described the standard layout of a modern ATM. It is based on two main parts: the safe itself containing the money and a computer. The safe is usually quite well protected but the computer is vulnerable in many ways. To learn how ATMs work, Erik just bought his own and did some research! Computers used in ATMs are classic PCs with all the usual I/O: USB ports, keyboard, mouse, CD drive, etc. Even if some physical attacks were reviewed with funny pictures, Erik & Daan focused on attacking the ATM via the built-in computer (which in most cases still runs Windows XP). How?

ATM systems are based on a common set of APIs defined by the CEN/XFS standard (“eXtensions for Financial Services“). They allow an application to operate the ATM devices like:

  • Cash dispensers
  • Identification card units
  • Personal identification number keypads (PIN)
  • Text terminal units

The API has two layers: a vendor-independent interface used by the application and a vendor-dependent layer below it that drives the actual hardware. Using this API and some C code, Erik wrote a PoC tool called “ATMDispenser.exe” which can perform cash-out operations! To demonstrate the tool, a funny live demo was performed using Erik’s ATM filled with fake banknotes. Of course, installing the malicious code requires physical access to the ATM, but many people have that access (maintenance teams, cleaning teams). Sometimes the ATM is located in a public area. Another funny note: some computers are protected in the ATM rack with a lock and key. This key seems to be the same for all ATMs, and Erik opened the lock in 10 minutes using standard lock-picking tools. Nice presentation! The slides are available here.

Infosec VS. Airplane Security

In a previous post, I spoke about the importance of “context” during a pentest. In a recent project, I faced a situation similar to airplane crashes. Let me explain… Despite the fact that an airplane crash sometimes results in a huge number of deaths at once, airplanes can be considered safe. Statistically, flying is less dangerous than driving to the airport in your car! Modern airplanes are very reliable: they all have multiple engines and are designed to be able to fly with one of them out of service. The crew is also trained to fly in such conditions. Airplanes are also under regular maintenance and inspected from A to Z.

Challenge Ahead: Win Your Ticket to “Hack in Paris” or “La Nuit Du Hack”

Challenge completed!

Warning! In a few weeks, hackers will be back at Disneyland Resort Paris for two events: Hack in Paris and La Nuit du Hack! I should be present at both events to do some live coverage and write wrap-ups. The two agendas have been published (here & here). In the meantime, the organizers kindly gave me some gifts for my readers!

The first event is a classic two-day security conference with top international speakers like Winn Schwartau, Jayson E. Street (as keynote speakers), Sebastien Andrivet or Francis Alexander. The second one is organized during the weekend following the classic conference and is more “fun”, with talks, workshops, challenges and a big party. A very long night!

BSidesLondon 2014 Wrap-Up

The fourth edition of BSidesLondon is already over! I remember the first one in 2011; things have changed! Year after year, it looks more and more professional! As usual, here is my quick wrap-up. I arrived a bit late due to a strike in the London tube. Bad timing, but it’s not a strike that will prevent hackers from meeting! :-) According to a tweet from the organizers, 70% of attendees were nevertheless present! Travelling early from Belgium, I was also in that case; it was not easy to get to the venue but I arrived… late, but I was there!

Heartbleed Impact in Belgium?

“Heartbleed“… Probably one of the top queries typed in search engines for a few weeks! Of course, I followed the story but I did not blog (yet) about it until today. Why repeat again and again what has already been said? Some bloggers and analysts wrote very good overviews of this modern nightmare.

DahuCon Wrap-Up or … Perhaps Not?

I spent the end of the week “somewhere” in Switzerland to attend a nice security event called “DahuCon”… or perhaps not! Who knows! The event was organized by two Swiss guys. They successfully attracted 50 security professionals (by personal invitation only) to a very nice place. Attendees came from Switzerland, France, Germany, Austria and… Belgium of course! The challenge was not to bring them all together in a lost place but in a place without any network coverage! A very weak mobile signal made all data connections almost impossible (and forget about 3G!). Honestly, everybody survived!

The particularity of DahuCon was to be based on the “Chatham House Rule“. This means that, in an event held under this rule, anyone who comes to the meeting is free to quote what has been said (except if explicitly requested not to disclose it), but is not allowed to say who said it. The goal is to make the event more open to discussions.

If there is a domain in which information disclosure can be very touchy, it is information security! So, speakers were free to discuss their favourite topic; no guideline was given except to be “imaginative”, and they were! Some topics covered:

  • 0-day attacks
  • DDoS
  • Full-Disclosure (hot topic for many people!)
  • Memory tracing
  • Secure messaging
  • Old games
  • Hardware
  • Malware reversing

Thanks to the Chatham House Rule and the “anonymity” of speakers, it was an opportunity to see some talks go much deeper than at regular conferences. Some of them revealed very interesting information!

I would like to thank the organizers for inviting me. It was a pleasure and I hope to be invited to a second edition with the same format. It was really a challenge to organize this and you did it!

Executing Commands per IP Address

During a penetration test, I had to execute specific commands against some IP networks. Those networks were represented in CIDR form (network/prefix). Being a lazy guy, I spent some time writing a small Python script to solve this problem. The idea was based on the “xargs” UNIX command, which is used to build complex command lines. From the xargs man page:

xargs reads items from the standard input, delimited by blanks (which can be protected with double or single quotes or a backslash) or newlines, and executes the command (default is /bin/echo) one or more times with any initial-arguments followed by items read from standard input. Blank lines on the standard input are ignored.

I logically called the tool “” as it allows you to execute a given command for each IP address of a subnet or a range. The syntax is simple:

$ ./ -h
Usage: [options]

 --version             show program's version number and exit
 -h, --help            show this help message and exit
                       IP Addresses subnets to expand
 -c COMMAND, --command=COMMAND
                       Command to execute for each IP ("{}" will be replaced by the IP)
 -o OUTPUT, --output=OUTPUT
                       Send commands output to a file
 -s, --split           Split outfile files per IP address
 -d, --debug           Debug output

The IP addresses can be given in two formats: x.x.x.x/x or x.x.x.x-x. Multiple subnets can be delimited by commas, and a subnet starting with a “-” will be excluded. Examples:

$ ./ -i,,- -c "echo {}"

This command will return:

Like the “find” UNIX command, “{}” is replaced by the IP address (multiple {} pairs can be used). With the “-o <file>” option, the command output (stdout & stderr) will be stored in the file. You can split the output across multiple files using the “-s“ switch. In this case, <file> will be suffixed with the IP address.

This is a quick and dirty tool that helped me a lot. I already have some ideas to improve it, if I have time… The script is available in my GitHub repository.
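As an added illustration of the same idea (my own code, not the script from the GitHub repository), here is a minimal re-implementation of the expansion and execution logic described above: CIDR blocks and last-octet ranges, comma-separated lists, “-” exclusions, “{}” substitution, and optional per-IP output files. It goes slightly beyond the post in also accepting a full start-end range and in running the command without a shell; the function names, the use of usable hosts only for CIDR blocks, and the “<file>.<ip>” naming for split output are my assumptions.

```python
import ipaddress
import shlex
import subprocess
from pathlib import Path
from typing import Dict, List, Optional


def _expand_item(item: str) -> List[str]:
    """Expand one 'a.b.c.d/n', 'a.b.c.d-e' (or 'a.b.c.d-e.f.g.h') or single address."""
    if "/" in item:
        net = ipaddress.ip_network(item, strict=False)
        # /31 and /32 have no network/broadcast address to skip; otherwise
        # keep the usable hosts only (assumption: that is what a scan wants)
        return [str(ip) for ip in (net if net.prefixlen >= 31 else net.hosts())]
    if "-" in item:
        first, last = item.split("-", 1)
        start = ipaddress.ip_address(first)
        if "." not in last:                       # short form: only the last octet given
            last = ".".join(first.split(".")[:3] + [last])
        end = ipaddress.ip_address(last)
        if end < start:
            raise ValueError(f"range end before start: {item}")
        return [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]
    return [str(ipaddress.ip_address(item))]


def expand_spec(spec: str) -> List[str]:
    """Expand a comma-separated spec; items prefixed with '-' are excluded.
    Order of first appearance is kept and duplicates are dropped."""
    included: List[str] = []
    excluded = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("-"):
            excluded.update(_expand_item(item[1:]))
        else:
            included.extend(_expand_item(item))
    result, seen = [], set()
    for ip in included:
        if ip not in excluded and ip not in seen:
            seen.add(ip)
            result.append(ip)
    return result


def output_path(base: str, ip: str, split: bool) -> Path:
    """With -s each IP gets its own file '<base>.<ip>'; otherwise one shared file."""
    return Path(f"{base}.{ip}") if split else Path(base)


def run_for_each(spec: str, command: str, output: Optional[str] = None,
                 split: bool = False) -> Dict[str, str]:
    """Run `command` once per IP, replacing every '{}' with the address.

    The command is split with shlex and executed without a shell, so an address
    can never be interpreted as shell syntax; wrap the command in sh -c '...'
    yourself if you need pipes or redirections. Returns {ip: stdout+stderr}."""
    argv_template = shlex.split(command)
    results: Dict[str, str] = {}
    for ip in expand_spec(spec):
        argv = [arg.replace("{}", ip) for arg in argv_template]
        proc = subprocess.run(argv, capture_output=True, text=True)
        results[ip] = proc.stdout + proc.stderr
        if output:
            with output_path(output, ip, split).open("a", encoding="utf-8") as fh:
                fh.write(results[ip])
    return results


if __name__ == "__main__":
    spec = "192.0.2.0/30,192.0.2.10-12,-192.0.2.11"   # RFC 5737 documentation addresses
    for ip, out in run_for_each(spec, "echo {}").items():
        print(ip, "->", out.strip())
```

Running it with `echo {}` prints 192.0.2.1, 192.0.2.2, 192.0.2.10 and 192.0.2.12: the /30 contributes its two usable hosts and the excluded .11 is dropped from the range. Swap `echo {}` for something like `nmap -sV {}` during an engagement.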

Log Awareness Trainings?

More and more companies organize “security awareness” trainings for their team members. With the growing threats people face while using their computers or any connected device, it is definitely a good idea. The goal of such trainings is to make people open their eyes and change their attitude towards security.

If the goal of an awareness training is to change people’s attitude, why not apply the same in other domains? Log files sound like a good example! Most log management solutions claim to be extensible to collect and digest almost any type of log file. With their standard configuration, they are able to process log files generated by most solutions on the information security market, but they can also “learn” unknown log file formats. Maaaagic!

The Day Windows XP Died!

Tuesday 8th of April 2014: a page of the computer industry has been turned! Windows XP is dead! Of course, I had to write a blog post about this event. For months now, Microsoft has warned its customers that XP won’t be supported from today. Do you remember? Windows XP was available on floppies and had, in the beginning, no native USB support! What does it mean today? From an end user’s point of view, their computer will not collapse! No need to repeat voodoo formulas; it will boot again and work like yesterday… except if something bad happens. In that case, Microsoft won’t help you (instead, they will be very happy to propose an upgrade to Windows 8.1). Well, this is not 100% true: Microsoft is still ready to “offer” you some support if you subscribe to their Premium Service program! (Business is business)

Things are nastier from a security point of view! Your computer will still run but will be vulnerable to new attacks. By “new” I mean the ones that will be discovered (XP will be a very nice target given its installed base – see the graph below). But I’m also pretty sure that some vulnerabilities were discovered a while ago and kept below the radar, ready to be used in the wild. And this may occur very soon. People are still migrating to newer operating systems and the attack surface will shrink with time. From an attacker’s perspective, this is the right time!

But is old Windows XP still a problem? People had quite a long time to switch to an alternative OS, right? Have a look at the following statistics. They come from this blog and are based on the last 30 days:

Windows Statistics

Based on Google Analytics, 11% of my visitors are still using Windows XP! Given my regular audience and the content of this blog, I would expect people to have a “high-level profile”: IT professionals, infosec people, etc. Those people should have gotten rid of XP a while ago. OK, let’s reduce this number by a few percent for the fake User-Agents used by some of you, or for bots and crawlers. Final estimate: 7-8%? That remains a huge number of vulnerable computers (and my blog does not generate a lot of traffic). I’m curious to see statistics for the big players on the web… Can somebody share?

If you’re still using XP today, look above your head: there is a sword of Damocles! Windows XP was not only used on desktop computers. Plenty of services still run on top of it:

  • Bank ATM’s
  • Medical devices
  • SCADA systems
  • PoS
  • Kiosks

What can you do about this? First reaction: upgrade as soon as possible (for laptops & desktops). Installations like medical devices have a bad reputation for not being easily upgradable (or not at all). In all other cases, the usual security best practices apply:

  • Locate the devices running XP on your network! It may sound stupid, but many companies don’t know which devices are connected to their LAN!
  • Prohibit those devices or isolate them in a separate network zone. NAC (“Network Access Control“) solutions can be useful to put them in a dedicated & hardened VLAN
  • Disconnect them from the Internet
  • Don’t run “services” on them
  • Don’t surf from them

Finally, if you have old applications, test them on a newer OS in “Windows XP” compatibility mode. Please take action today!
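The first item in the list above, locating the XP machines, is the one most teams skip, so here is an added example (my own code, not something from the post) of turning an OS-detection scan into a list of hosts to isolate. It assumes you ran `nmap -O -oX scan.xml <range>` and parses the resulting XML; the sample XML below is constructed for the demo (RFC 5737 documentation addresses, not a real scan), and the 85% accuracy threshold and function names are my choices.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

# Constructed sample of `nmap -O -oX scan.xml 192.0.2.0/28` output (not a real scan).
# Real files carry many more elements; only <host>, <status>, <address> and
# <os>/<osmatch> are used here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 192.0.2.0/28">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.5" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="97"/></os>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.7" addrtype="ipv4"/>
    <os><osmatch name="Linux 3.2 - 3.10" accuracy="95"/></os>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.9" addrtype="ipv4"/>
    <os>
      <osmatch name="Microsoft Windows Server 2003 SP2" accuracy="90"/>
      <osmatch name="Microsoft Windows XP SP2" accuracy="90"/>
      <osmatch name="Microsoft Windows XP SP1" accuracy="60"/>
    </os>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumption for this example: we only hunt for XP; extend the tuple for other EOL systems.
LEGACY_PATTERNS = ("Windows XP",)


def _ipv4(host: ET.Element) -> str:
    for addr in host.findall("address"):
        if addr.get("addrtype") == "ipv4":
            return addr.get("addr", "")
    return ""


def _is_up(host: ET.Element) -> bool:
    status = host.find("status")
    return status is not None and status.get("state") == "up"


def find_legacy_hosts(xml_text: str, patterns: Sequence[str] = LEGACY_PATTERNS,
                      min_accuracy: int = 85) -> Dict[str, List[str]]:
    """Map each up host to the osmatch names that look like an unsupported Windows.

    nmap lists several guesses per host; only those at or above min_accuracy
    count, because low-accuracy guesses are noise. A hit is a lead to confirm
    against the inventory (or an SMB banner), not proof."""
    hits: Dict[str, List[str]] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if not _is_up(host):
            continue
        names = [m.get("name", "") for m in host.findall("os/osmatch")
                 if int(m.get("accuracy", "0")) >= min_accuracy]
        matched = [n for n in names if any(p in n for p in patterns)]
        if matched:
            hits[_ipv4(host)] = matched
    return hits


def hosts_without_fingerprint(xml_text: str) -> List[str]:
    """Up hosts nmap could not fingerprint at all: they still have to be
    identified by other means before being declared safe (or isolated)."""
    return [_ipv4(h) for h in ET.fromstring(xml_text).findall("host")
            if _is_up(h) and h.find("os/osmatch") is None]


if __name__ == "__main__":
    for ip, names in find_legacy_hosts(SAMPLE_NMAP_XML).items():
        print(f"{ip}: {', '.join(names)}")
    print("no fingerprint:", hosts_without_fingerprint(SAMPLE_NMAP_XML))
```

On the sample, 192.0.2.5 and 192.0.2.9 come out as XP candidates and 192.0.2.12 as unidentified. The unidentified bucket matters as much as the hits: a device that answers nothing to a fingerprint probe is exactly the kind of kiosk or embedded box the list above worries about.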