Wednesday, 16 December 2015

I got bored

I had a little spare time and I got bored (and if you look at my code, I was feeling lazy too) so I created a quick christmassy python app.

It draws a christmas tree! Happy days.

Requires:

  • sys
  • time
  • os
Download it here! 

Written in python 3.5

Saturday, 12 December 2015

Setting up an OpenVPN server

VPN (Virtual Private Networks) are lifesavers for people like me. Or they just make you super lazy... either way, that tends to be the same thing.

A virtual private network, lets me connect into a network from anywhere around the world, but appear as if I'm physically there on the network. This means that subnetting and IP addressing rules of you computer will adhere to the remote network you're trying to connect to. This is useful as I can then connect or remotely manage any of the computers on that network without actually needing to be there.

To set up my own private network, I used this instructions as a base guide. Thanks internet, for helping me out of my mess yet again!

http://www.thegeekstuff.com/2013/09/openvpn-setup/

Thursday, 10 December 2015

Setting up RSA keys for SSH

SSH is a wonderful thing. It allows us to emulate a terminal window, while being at a computer the other side of the world. I guess that's why so many people around the world use it everyday.

general syntax for connecting via ssh is ssh [parameters] username@domain.com

While this is very easy to remember, if you use this a lot it can get a bit tiresome. So to make it even easier we can set up a key pair that means we no longer have to put the password in. To do this, I followed the instructions on this website:

https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2

The good thing is, now I can also automate ssh connections using bash scripts, without having to type the password in every time. It also means peaking eyes don't get a chance to see me type the password either!

Applying this:

If we look at this script, we can now see an example of just how useful it is. 

As the credentials are securely stored we can connect to 'username@domain' without putting any credentials in. The automation means that this is done ever 2 minutes (120 seconds). I can now logon to 'username@domain' and will be able to establish a connection from anywhere. 

This is really useful as if I needed physical access to a network, it would be possible for me to put a little linux machine that reverses off my own server so I could connect remotely. 

Monday, 7 December 2015

turning off ASLR(aaaahhhhh!)

For one of my uni projects, part of my contribution was to set up a debian virtual machine. The setup of this machine was very similar to my kali installation earlier on this blog. However, this machine should be vulnerable, so I disabled a very important feature: ASLR.

Address space randomized layout basically means memory addresses and locations get randomized. This stops an everyday hacker from knowing the locations of executable code that get loaded from the OS in memory; in turn, this means it makes it harder for a hacker to "get shell". This makes something called 'zero-day-attacks' harder; a vulnerability in a OS could be discovered, but the user would not know how to access where that vulnerability was loaded into memory.

I have specifically turned this feature off in a debian machine, but nearly every operating system today will use this feature to prevent hackers from very simple exploits such as dropping a shell, buffer overflows and buffer underflows.

To turn this feature off on a linux installtion, you can follow these steps I found off the internet:


  1. Open a terminal
  2. "su" to switch to the super user
  3. "nano /etc/sysctl.conf"
  4. at the very end of that text file add "kernel.randomize_va_space=0"
  5. hit 'ctrl+x' and hit y to save and then hit enter to save
  6. back in your terminal window type "sysctl -p"
It's now turned off permanently. As well as being useful for hacking, this can also be useful for debugging your programs as variables in your programs should be given the same location and you can directly see their values in memory! 

Sunday, 6 December 2015

Things I've learnt this semmester


  • Linux is not a scary place: in fact, when you get over a fear of using the command line, it's fantastically brilliant at getting it do what you want it to do
  • Computers are very complicated: it's amazing how you'll use a computer everyday and not realize everything that goes on in the depths. Since starting my course, I've learn about machine code, assembly, registers... and trust me, it's computerception
  • People (including myself) are stupid: we put so much content online and don't realize just how easily accessible that information it is. People should always be so conscious of where they put their details in... nearly everything is networked these days. 
  • It's not all about specs: I used to think specs were everything, i7s... tons of RAM, but at the end of the day, it's really what you do with it. There's a way in which my beaglebone can provide me with more fun than my super-powerful gaming laptop ever could. Walking round with a tiny computer in my pocket is also pretty nifty too, huh! 
  • So far, I know this is something I really want to go into. Something about securities and vulnerabilities excite me. I want to find news way to explore exploits and be able to create new ways of protecting people from that. It's a subject I wasn't so sure about, but at least I've reached the end of the semester and I want to continue with! 

The final project

Finally made it... the project for this semester is finished.
It's quite impressive to make something out of nothing and even more impressive when it actually works and it's been great to help create an application that could actually be useful at some point in my life. I must say at this point, the group project included 4 other people and I and I was not responsible for too much of the coding, more project management!

Well, when I say useful... it's useful for talking to classmates in lectures when you've got nothing else to do. The project is basically an IRC chat server that works over the internet. Starting it is really simple. Just run a script that will always give you the most up to date version!

As soon as you've run this script... you're ready to log in. Of course the project being on a private repository, you must be added to a list of contributors first!

Once the program is downloaded you can log in and chat! We can see the server side on the right hand side of the screen has accepted the connection. In this instance, the server is running on the local host. We can also see we have a new connection from a client

Basic outlines of the project:

  • Works using the TCP protocol across any network (you can run it locally) or run it through the internet, which it does by default
  • Included user authentication so that users individually log in and do not connect until they have logged in
  • All messages are encrypted  and the initial connection is encrypted with a public key, until a key exchange has taken place
  • Also supports a file transfer system over SFTP (using a module called paramiko in python which controls the SSH traffic) allowing you to upload and download
  • The normal chat system uses the socket module in python and each client has their own socket on the server... each socket in a list also a generated key for encrypted message exchange
  • Runs on all linux systems! 
  • Very lightweight client and server

Possible improvements for the project:

  • Generating a new public/private key pair on a regular basis and send the keys to the clinents
  • Using compression for the file transfer to speed up uploads and downloads from the server
  • Attempt (again) at making a GUI using Tkinter included in python. My first attempt was successful on windows, just not on anything else! 
  • Have user-specific directories on the server for file transfer, meaning a user could have a public and private area for storing files. Could be done by CHMOD.
  • Impoving general security and making it less vulnerable to basic attacks, like DDoS

Things that personally went well:

  • I enjoyed the project management and deadlines were met on a regular basis, which helped to not cause issues later on
  • I was able to get involved in more than one aspect of the project, despite being project manager
  • THE SERVER AND CLIENT actually work! 
  • High level of understanding for how the code works
  • AES key was a good way of making sure that the messages were encrypted