Wednesday, 16 December 2015

I got bored

I had a little spare time and I got bored (and if you look at my code, I was feeling lazy too) so I created a quick christmassy python app.

It draws a christmas tree! Happy days.

Requires:

  • sys
  • time
  • os
Download it here! 

Written in python 3.5

Saturday, 12 December 2015

Setting up an OpenVPN server

VPN (Virtual Private Networks) are lifesavers for people like me. Or they just make you super lazy... either way, that tends to be the same thing.

A virtual private network, lets me connect into a network from anywhere around the world, but appear as if I'm physically there on the network. This means that subnetting and IP addressing rules of you computer will adhere to the remote network you're trying to connect to. This is useful as I can then connect or remotely manage any of the computers on that network without actually needing to be there.

To set up my own private network, I used this instructions as a base guide. Thanks internet, for helping me out of my mess yet again!

http://www.thegeekstuff.com/2013/09/openvpn-setup/

Thursday, 10 December 2015

Setting up RSA keys for SSH

SSH is a wonderful thing. It allows us to emulate a terminal window, while being at a computer the other side of the world. I guess that's why so many people around the world use it everyday.

general syntax for connecting via ssh is ssh [parameters] username@domain.com

While this is very easy to remember, if you use this a lot it can get a bit tiresome. So to make it even easier we can set up a key pair that means we no longer have to put the password in. To do this, I followed the instructions on this website:

https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2

The good thing is, now I can also automate ssh connections using bash scripts, without having to type the password in every time. It also means peaking eyes don't get a chance to see me type the password either!

Applying this:

If we look at this script, we can now see an example of just how useful it is. 

As the credentials are securely stored we can connect to 'username@domain' without putting any credentials in. The automation means that this is done ever 2 minutes (120 seconds). I can now logon to 'username@domain' and will be able to establish a connection from anywhere. 

This is really useful as if I needed physical access to a network, it would be possible for me to put a little linux machine that reverses off my own server so I could connect remotely. 

Monday, 7 December 2015

turning off ASLR(aaaahhhhh!)

For one of my uni projects, part of my contribution was to set up a debian virtual machine. The setup of this machine was very similar to my kali installation earlier on this blog. However, this machine should be vulnerable, so I disabled a very important feature: ASLR.

Address space randomized layout basically means memory addresses and locations get randomized. This stops an everyday hacker from knowing the locations of executable code that get loaded from the OS in memory; in turn, this means it makes it harder for a hacker to "get shell". This makes something called 'zero-day-attacks' harder; a vulnerability in a OS could be discovered, but the user would not know how to access where that vulnerability was loaded into memory.

I have specifically turned this feature off in a debian machine, but nearly every operating system today will use this feature to prevent hackers from very simple exploits such as dropping a shell, buffer overflows and buffer underflows.

To turn this feature off on a linux installtion, you can follow these steps I found off the internet:


  1. Open a terminal
  2. "su" to switch to the super user
  3. "nano /etc/sysctl.conf"
  4. at the very end of that text file add "kernel.randomize_va_space=0"
  5. hit 'ctrl+x' and hit y to save and then hit enter to save
  6. back in your terminal window type "sysctl -p"
It's now turned off permanently. As well as being useful for hacking, this can also be useful for debugging your programs as variables in your programs should be given the same location and you can directly see their values in memory! 

Sunday, 6 December 2015

Things I've learnt this semmester


  • Linux is not a scary place: in fact, when you get over a fear of using the command line, it's fantastically brilliant at getting it do what you want it to do
  • Computers are very complicated: it's amazing how you'll use a computer everyday and not realize everything that goes on in the depths. Since starting my course, I've learn about machine code, assembly, registers... and trust me, it's computerception
  • People (including myself) are stupid: we put so much content online and don't realize just how easily accessible that information it is. People should always be so conscious of where they put their details in... nearly everything is networked these days. 
  • It's not all about specs: I used to think specs were everything, i7s... tons of RAM, but at the end of the day, it's really what you do with it. There's a way in which my beaglebone can provide me with more fun than my super-powerful gaming laptop ever could. Walking round with a tiny computer in my pocket is also pretty nifty too, huh! 
  • So far, I know this is something I really want to go into. Something about securities and vulnerabilities excite me. I want to find news way to explore exploits and be able to create new ways of protecting people from that. It's a subject I wasn't so sure about, but at least I've reached the end of the semester and I want to continue with! 

The final project

Finally made it... the project for this semester is finished.
It's quite impressive to make something out of nothing and even more impressive when it actually works and it's been great to help create an application that could actually be useful at some point in my life. I must say at this point, the group project included 4 other people and I and I was not responsible for too much of the coding, more project management!

Well, when I say useful... it's useful for talking to classmates in lectures when you've got nothing else to do. The project is basically an IRC chat server that works over the internet. Starting it is really simple. Just run a script that will always give you the most up to date version!

As soon as you've run this script... you're ready to log in. Of course the project being on a private repository, you must be added to a list of contributors first!

Once the program is downloaded you can log in and chat! We can see the server side on the right hand side of the screen has accepted the connection. In this instance, the server is running on the local host. We can also see we have a new connection from a client

Basic outlines of the project:

  • Works using the TCP protocol across any network (you can run it locally) or run it through the internet, which it does by default
  • Included user authentication so that users individually log in and do not connect until they have logged in
  • All messages are encrypted  and the initial connection is encrypted with a public key, until a key exchange has taken place
  • Also supports a file transfer system over SFTP (using a module called paramiko in python which controls the SSH traffic) allowing you to upload and download
  • The normal chat system uses the socket module in python and each client has their own socket on the server... each socket in a list also a generated key for encrypted message exchange
  • Runs on all linux systems! 
  • Very lightweight client and server

Possible improvements for the project:

  • Generating a new public/private key pair on a regular basis and send the keys to the clinents
  • Using compression for the file transfer to speed up uploads and downloads from the server
  • Attempt (again) at making a GUI using Tkinter included in python. My first attempt was successful on windows, just not on anything else! 
  • Have user-specific directories on the server for file transfer, meaning a user could have a public and private area for storing files. Could be done by CHMOD.
  • Impoving general security and making it less vulnerable to basic attacks, like DDoS

Things that personally went well:

  • I enjoyed the project management and deadlines were met on a regular basis, which helped to not cause issues later on
  • I was able to get involved in more than one aspect of the project, despite being project manager
  • THE SERVER AND CLIENT actually work! 
  • High level of understanding for how the code works
  • AES key was a good way of making sure that the messages were encrypted

Friday, 25 September 2015

An introduction to bash

Well, today was the today. Originally, I thought my Chromebook would be some kind of device that runs a mediocre browser and doesn't do very much.

I couldn't be more wrong. Turn off OS Verification and it's another story. Suddenly this Chromebook becomes this fun little thing where you can do commands on and know that because it's such a simple little thing, you're not going to destroy the thing on day one. Besides, even if you do - Google's ChromeOS recovery is top notch. Anyway, enough about the Chromebook - if you'd like to read more, be sure to check out an upcoming review and top 10 best things about a Chromebook.

It would seem after today - this little thing has already developed to be my friend. I've learnt so much already and if you haven't already guessed by the blog title - it's using bash. For those of you who don't know, bash is basically a terminal window - I didn't even know it was called 'bash' until today.

 Seeing as I'm doing ethical hacking it made sense to have a go at putting Kali linux on it. Unfortunately, you can only do this in a KDE environment (which is sooooo 2000), but with a view of my friends, we hit the developer terminal.

For those of you who don't know - you can do this with cntrl, alt +t. From there, you can just get into a shell, by typing "shell" and this sets you up at the chronos user. If you want to do anything with admin rights - just add sudo at the beginning. Kali took several attempt to install, but with a few attemps and a group of friends; we all got there. For those who want to find out how to install Kali - I will attach a link at the bottom.

I don't remember having as much fun in ages, while trying to install Kali. This command window that I was so afraid of before, I'm now learning to love and the sense of achievement has given me something to hold onto when my proper lectures start on Monday. I've learnt so many new commands and features today, but for the first time ever, I want to know more!

I really can't wait to start this year - and thank you, Chromebook, for allowing me to do that with a smile on my face.

Link to how to install kali on a chromebook:
http://grephaxs.com/chromebook-install-kali-with-crouton/

Thursday, 24 September 2015

This course

I won't lie. I chose this course on a little bit of a whim. I was confused about courses, what this one would entail others that I apply to. So far, I think it's fair to say I've been quite satisfied. My lectures seem nice, my group seems nice and I get a free chromebook - what's not to love, eh? My methodology in choosing my course  also applies when I think what I want to do after my course. The only reason reason this blog came up is because I've already been offered a job - cray cray! Fortunate for me, I've got passed the days where I want to go up to be a taxi driver or train driver, but from there... who knows?! I guess this is where my course comes in.

When people have asked, I've always said I want to be an analyst. I have an internal desire for working things out, coming up with better solutions and being overly critical. I've always wanted to be a source of knowledge, available to help people. The moment I walked into my course - that's all changed. Suddenly I don't know any more, I can see how intensive my course is and how much fun it can be so where that leaves me on the job market - who knows.

I guess that leaves me for what I want to get out of the course. Something fun and something that provides me with a multitude of knowledge, but also leaves me with the desire to learn more. Something that continues innovating and leaves you questioning. Ethical hacking, is really as good as it sounds...

Installing Kali

Useful commands here...

Check out this page for useful linux commands!
http://www.thegeekstuff.com/2010/11/50-linux-commands/

Creating an new User in Kali


I thought I would upload a youtube video on how to create a new user in Kali. It's really simple (despite the fact I got it wrong a view times).

Just follow the steps I typed and you can then login to that user straight away! :-) 



This is a fantastic link to a site that explained this all for me, with lots of different switches on how to create more specialised users: 

In progress

Installing Kali Linux.
Basically, I need to have installed this operating system for my uni course, so this is just a quick post with a couple of screenshots on how to do that. The installation is fairly simple and if you download the latest version of Kali you can do it through the standard Debian GNU installer...

Tuesday, 22 September 2015

The monopoly of e-commerce

E-commerce. A system that billions of people use everyday, if it ordering if Amazon, buying stuff of eBay or just ordering a Pizza; which of course is its most productive use. We use it everyday without a care in the world for where our money really goes and the routes it takes - we just enter our login or card details and that's it.

Paypal: you've probably heard of it and it was developed 16 years ago to make online payments easier (and possibly) less secure than they have been. A user name and password is all you need to get into your bank account and pay for stuff online with no limitations at all; selling something as being easier and not mentioning how compromising it is just seems unethical in itself.

In 2014 the company made just over 8 billion US Dollars - it's fair to say they have a large share of the e-commerce market with 165m users. However, known to some people, it's a 165m users minus the likes of wiki leaks.

Wait, what?... A company which tried to make payments easier also makes it harder by excluding sites (like wiki leaks) that don't meet up to their standard. This seems logical...

If you don't already know, Wiki Leaks is a controversial website which leaks often government or political information for the public to see, often releasing information about the current level of corruption around us.

Personally, I think this is a good idea, adding a level of transparency of what's going on in this world is needed - however, like anything on the internet should be taken with a pinch of salt and some context.

None the less, paypal issued a statement claiming that it was a website promoting people to engage in illegal activity and they would be closing down the account linking to the Wiki Leaks donation page. Amazon have also made similar decisions and have decided to cut ties with the page.


I'm sure you've had it all before from your parents, but "if you were told to jump off a cliff, would you?"... NO. THE ANSWER IS NO. (If you chose yes, you have some serious issues and I seriously suggest you consider jumping of a cliff sometime...like, today)

You can't question morals and ethics based on an interpretation that a few people take about a site. FYI, Amazon, if we are really going to talk about ethics, perhaps not putting your workers on 0 hour contract and over working them is a good place to start. However, just because I have a question of the ethics involved in your company, it does not mean I stopped using your services - in fact I am a very loyal customer.

Neither do I feel encouraged to employ people and have them slave away - just because that's something you do, does not mean every other person is compelled to do it either.

It's utterly ridiculous that companies that make profit on e-commerce should be limiting where or where not you can spend your money - it's your money and frankly, that level of control should only be coming from the government itself, not a rich-ass CEO.

So there you go, if you haven't already formed an opinion on this, I'm quite happy for you to adopt mine and agree it's unethical to limit where people can and can not spend there money based on a possible interpretation.

- I think that's my rant over, if you got this far, then thank you :-)

Monday, 21 September 2015

Day One

Hi. I'm guessing if you're here, you're in the wrong place or you have an unusual desire to read a boring blog about aspects of Ethical Hacking and Network Security. 

If the latter is the case, you're probably still in the wrong place. As I write this, I'm still officially a newbie - a fresher newbie. It is correct; today I officially started at Uni, the cause of writing this blog. Today I have:-

- Joined a group called "Team Ultra Deep Penetration" or Team UDP for short. Needless to say, I am going to regret standing up in front of a bunch of professionals along with the "we put the D in UDP" tagline that comes with it. 

- Learnt we get Chromebooks - apparently they are nice and new. I also discovered with some wizardry (technical term) that you can run a kernel in a kernel, which allows you to have more than one operating system.
... Hooray for getting rid of the boring HTML5 web browser and replacing it with something a little bit more useful. 




BeagleBoard, Black- On top of the Chromebooks, I also get a BeagleBoard which is like a Raspberry Pi, but without the apparent compatibility issues. It shouldn't be long till I get to play with mine and set up a linux distro on it. It's been a personal wish to have something like this for ages, I want to get into linux programming, but with a cool way to do it. It will be utterly awesome to find things that interface with it. 
I do wonder about the specs of this little guy though, 256MB of DDR2 RAM is quite low, even for a command line version of linux. 

Finally, I've learnt this is going to be one hell of a year. I've got so much to learn (like linux!) and it already feels I've got so little time to learn it. I'm already lucky enough to have good friends and dare I tempt fate, by saying I think I have good lectures too. 



FYI - if you got to the end of this blog, you have no life. :-)