iPhone Honeypot Project

July 27, 2010

Introduction: Draft 1

Filed under: draft,Introduction,latex,paper,thesis,writing — abnev @ 11:54 am
Tags: , , , , , ,
I. INTRODUCTION
A smart-phone is a device which unifies the func- tionality of a mobile phone device, a personal digital assistant (PDA) and a digital camera with the power of a PC. As these type of mobile devices such as the iPhone, Android or blackberry become increasingly powerful and important, attackers are increasingly targeting them in an attempt to obtain sensitive information. Most honeypot technologies in the past have yet to be ported over to mobile platforms. In addition, the closed nature of most of these devices also hinder the collection and analysis of such attacks. By constructing a suitable network for use in the collection of such data, attack vectors can be identified and explored further.
According to Gartner, samrt-phone sales are still on the rise. These devices which hold even more informa- tion than before; text messages, photos, music, contact information, browsing history, voice mail, e-mail are all at risk to being compromised when connecting to a network; telecom or otherwise due to background services enabled by default. Currently, Apple hold a 15 percent market share as of 2010 with an estimated 10 percent of those users using a jailbroken* phone. Services like OpenSSH and Apple Filing Protocol (AFP) can all be easily installed and easily accessible once a network connection is established. By utilising these type of services, telecom networks are no longer the only security threat. Many have long realised that as we bridge home networks, sensor networks and similar systems to the Internet for more flexible services, we also give opportunities to Internet based intrusions.
For example, in 2004, ”Cabir” was the first version of a network worm which propagated via mobile devices. This is especially alarming as these type of devices act as end-points between telecom and wireless networks and have the potential to launch large global scale distributed-deniel-of-service (DDoS) attacks crippling the telecom infrastructure i.e. attacks focused on critical call centers such as emergency services (999). These type of worms indicate the rate at which Internet security threats are becoming more prevalent towards smart- phone technologies and high-light the need to understand such attacks to ensure measures can be taken to mitigate the threat posed.
This paper aims to propose a methodology for creating an environment for a high-interactive honeypot which can be used to capture attacks focused on these types of devices. A high-interactive Honeypot is a trap set to detect and observe attempts at unauthorised use of information systems consisting of a device that appears to be part of a network but is in fact actually isolated, vulnerable and monitored. By taking this concept, and applying it to a smart-phone device, an experiment is conducted whereby the proposed system is built and the results or attacks are analysed. The results presented aim to bring attention to the dangers that Internet-ready smart-phones inherit and proposes recommendations to mitigate such attacks.

July 22, 2010

SSH Patch – Record Failed Login Passwords

Filed under: bash,gcc,logging,SSH,syslog,unix — abnev @ 10:55 am
Tags: , , , , , ,
I wanted to find a way to record passwords for failed login attempts. I spoke to some openssh dev’s using their mailing list and it was suggested to modify auth-passwd.c. I inspected the code, made the changes, recompiled and tested it out with success. I constructed this patch below for the world. This was done on openssh 5.5p1. See below for a copy of the patch.
diff -crB ossh/openssh-5.5p1/auth-passwd.c openssh-5.5p1/auth-passwd.c
*** ossh/openssh-5.5p1/auth-passwd.c    2009-03-08 00:40:28.000000000 +0000
— openssh-5.5p1/auth-passwd.c 2010-07-21 02:10:26.000000000 +0100
***************
*** 125,130 ****
— 125,134 —-
result = sys_auth_passwd(authctxt, password);
if (authctxt->force_pwchange)
disable_forwarding();
+       if (result != 0) {
+               logit(“TEST: %.100s”, password);
+       }
+
return (result && ok);
}
I’ve been trying to cross-compile this for testing but it’s missing too many libs which is causing problems. I may have to leave this bit out of the project as time is becoming quite limited.

July 18, 2010

Pilot Test: Preliminary Results

Note: I have removed the attacking IP addresses as I don’t want the user to become aware that they are accessing a honeypot if they were to google their IP. This post will be updated with full IP address information once the project has completed.

Yesterday at 15:06, I changed the router configuration to forward all packets designated for my router to redirect via the network tap to my iPhone. Additionally, all iPhone syslog logs were being forwarded to a secure central logging server. I am currently in the process of splitting the pcap file into usable chunks for analysis in Wireshark. However, the following are the preliminary results recorded via syslog.

abnev-lpt2:pilot-test abnev$ grep launch logclient-192.168.1.102.log  | awk ‘{print $10}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | uniq -c | sort -r
44 x.x.x.x
5 192.168.1.100
1 x.x.x.x
The above shows 44 attempts from the top IP and 1 from the last. The middle, as a network address is ignored.
bash-3.2$ grep launch logclient-192.168.1.102.log  | awk ‘{print $10}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | uniq > ips.txt
bash-3.2$ ~/ipwhois.sh ips.txt
192.168.1.100 GeoIP Country Edition: IP Address not found ̀
x.x.x.x GeoIP Country Edition: ID, Indonesia ̀
x.x.x.x GeoIP Country Edition: KR, Korea, Republic of ̀
I have appended the ipwhois.sh script I wrote for this.
#!/bin/bash
# read a file line by line

cat $1| uniq |
while read ip;
do

echo $ip ̀| sed -e “s|$ip|& $(geoiplookup $ip)|g”
done

exit 0
Additionally, there were many invalid login attempts. The following is a list of the invalid accounts attempted:
bash-3.2# grep “invalid user” logclient-192.168.1.102.log  | grep ssh2 | awk ‘{print $12}’ | uniq -c | sort -r
2 user3
2 sami
2 greku
2 bin
1 puangsan
1 oracle
1 openflow
1 iasiasur
The following are a list of valid accounts attempted:
bash-3.2# grep “Failed password for” logclient-192.168.1.102.log  | grep -v invalid | awk ‘{print $10}’ | uniq -c
22 root
I’ll conduct a preliminary result of the pcap dump shortly.

July 16, 2010

Splunk: Log Analysis for iPhone

Following the post yesterday, I decided as an experiment to set up Splunk to index and aid in the analysis of the logs being collected. The interface is nice and clean. I’ve used this before in a production setting but we’ll see how it correlates to the network traffic collected later after the pilot test. I have appended a screenshot below.

I have some more experimenting with Splunk, but I may use it during the analysis stage of this project.

July 15, 2010

Capturing SSH Keystrokes (Continued)

So, the test on my macbook from the previous post worked nicely. I contacted my supervisor to get his opinion on the method I decided upon. Porting this method over to the iPhone was a little messy but seems to be working nicely. Firstly, I set up my macbook as a central logging server. This was done by modifying the /etc/syslog.conf.

Firstly, we move the existing syslog.conf to a backup file to restore later:

mv /etc/syslog.conf /etc/syslog.conf.bak; touch /etc/syslog.conf

I then copy the following configuration into /etc/syslog.conf using an editor:

*.* /var/log/logclient.log

And finally, restart the syslog service:

launchctl unload /System/Library/LaunchDaemon/com.apple.syslog.plist

launch load /System/Library/LaunchDaemon/com.apple.syslog.plist

At this point, I opened up a terminal and ran tail -f /var/log/logclient.log to keep an eye (in real time) of the logs being generated (if any). Setting up the iPhone as a client was a different story. On OSX systems, the plist file (the configuration) file is stored as a plist at /System/Library/LaunchDaemons/com.apple.syslogd.plist in XML. However, on the iPhone, it’s stored as a binary file and the iOS base doesn’t include plutil to convert it back to XML for modification. To circumvent this problem, I decided to create my own config instead. This was done by creating a /etc/syslog.conf file and adding the following configuration:

*.* @192.168.1.100

To load this configuration, I restart syslog on the iPhone.

launchctl unload /System/Library/LaunchDaemon/com.apple.syslog.plist

launch load /System/Library/LaunchDaemon/com.apple.syslog.plist

Obviously, in the above, the IP of the central logging server (my macbook) is at 192.168.1.100. At this point, I generated some alerts by opening SMS, sending an email, launching a third-party application to ensure logs were being generated and sent over the network via syslog.

Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: MS:Notice: Installing: com.apple.MobileSMS [MobileSMS] (478.52)
Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/MailToAttachmentMessageUI.dylib
Jul 15 16:33:34 192.168.1.102 abnev-ip1 UIKitApplication: com.apple.MobileSMS[0xe734][489]: MS:Warning: message not found [NSFileManager rawDirectoryContentsAtPath:]
Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: *** _NSAutoreleaseNoPool(): Object 0x10c210 of class NSPathStore2 autoreleased with no pool in place – just leaking\nStack: (0x326edf87 0x326c2135 0x326c3bb3 0x326c4b15 0x326c47c3 0x326c4639 0x326c5f33 0x336079c5 0x33477b27 0x3347ce93 0x3347a245 0x33477a11 0x33477747 0x334784df 0x33477337 0x334774ef 0x47408 0x47a7c 0x43c14 0x2fe0be0d 0x2fe0be31 0x2fe09d7f 0x2fe0a16d 0x2fe01dd9 0x2fe08247 0x328c4975 0xa038 0x2fe0bd7d 0x2fe0be39 0x2fe09d7f 0x2fe0a16d 0x2fe0228b 0x2fe06a15 0x2fe016fd 0x2fe01050)
Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: *** _NSAutoreleaseNoPool(): Object 0x10c710 of class NSPathStore2 autoreleased with no pool in place – just leaking\nStack: (0x326edf87 0x326c2135 0x326c3bb3 0x326c31a7 0x326c5b9d 0x326c46f3 0x326c5f33 0x336079c5 0x33477b27 0x3347ce93 0x3347a245 0x33477a11 0x33477747 0x334784df 0x33477337 0x334774ef 0x47408 0x47a7c 0x43c14 0x2fe0be0d 0x2fe0be31 0x2fe09d7f 0x2fe0a16d 0x2fe01dd9 0x2fe08247 0x328c4975 0xa038 0x2fe0bd7d 0x2fe0be39 0x2fe09d7f 0x2fe0a16d 0x2fe0228b 0x2fe06a15 0x2fe016fd 0x2fe01050)
Jul 15 16:33:34 192.168.1.102 abnev-ip1 UIKitApplication: com.apple.MobileSMS[0xe734][489]: MS:Warning: message not found [MailComposeController _setupForMessageWithURL:]
Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/WinterBoard.dylib
Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: WB:Notice: WinterBoard
Jul 15 16:33:34 192.168.1.102 abnev-ip1 MobileSMS[489]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/iNoRotate.dylib
Now that the syslog was working correctly, It was necessary to get bash logging keystrokes. I originally thought about writing a patch but then thought using logger would be easier. Unfortunately, logger isn’t part of the base iOS so alternitives were looked at such as script(1) and tee(1). However, to ensure the correct functionality as per the previous post, it was necessary to have logger working.
To achieve this, I checked out the source of FreeBSD 8 and found logger.c in /usr/src/usr.sbin/logger/logger.c which included a Makefile. I tar’ed this up and moved it onto my macbook. After unpacking the files, I attempted to compile on OSX. This failed due to the following errors:
logger.c:47: error: expected declaration specifiers or ‘…’ before string constant
logger.c:47: warning: data definition has no type or storage class
Inspecting line 47 showed:
47 __FBSDID(“$FreeBSD: src/usr.bin/logger/logger.c,v 1.17.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $”);
I removed this line and attempted to copile suing gcc -o logger logger.c omitting the -DINET6 flag as specified in the Makefile for IPV6 support. This compiled fine. Using my script, gcc2 from previous posts, I cross-compiled logger.c for use on the iPhone. This compiled without errors. I sftp’ed the binary up to the iPhone and tested it by executing on the command line over SSH. Once it produced the usage output, I copied it over to /usr/sbin on the iPhone filesystem and modified the /etc/profile script to include the following:
# System-wide .profile for sh(1)

if [ -x /usr/libexec/path_helper ]; then
eval `/usr/libexec/path_helper -s`
fi

if [ “${BASH-no}” != “no” ]; then
[ -r /etc/bashrc ] && . /etc/bashrc
fi

function log2syslog
{
declare COMMAND
COMMAND=$(fc -ln -0)
logger -p local1.notice -t bash -i — “${USER}:${COMMAND}”
}
trap log2syslog DEBUG
Modifying the user accounts to launch bash was necessary. As a quick fix, I sym-linked using ln(1) /bin/sh to /bin/bash (bash was installed form Cydia). I then restarted syslog and logged out of the shell and reestablished the connection to the iPhone on the root account.
launchctl unload /System/Library/LaunchDaemons/com.apple.syslog.plist
launch load /System/Library/LaunchDaemons/com.apple.syslog.plist
exit
On establishing the SSH connection, I tried out some simple commands, e.g. ls(1), cd(1), uname(1) etc. and checked the /var/log/logclient.log on my macbook to ensure the keystrokes were being sent as expected. The following were the contents:
Jul 15 16:19:27 192.168.1.102 abnev-ip1 bash[474]: root: ls -al
Jul 15 16:19:32 192.168.1.102 abnev-ip1 bash[477]: root: cat /etc/profile
Jul 15 16:19:33 192.168.1.102 abnev-ip1 bash[480]: root: ls -al
Jul 15 16:19:34 192.168.1.102 abnev-ip1 bash[483]: root: w
Success. I’ll await to see my supervisors response, but I think this is very promising. I may be ready to run a pilot tonight. In the meantime, I’ll charge up my old-skool Nokia phone to swap out the SIM, backup the iPhone using iTunes and create a host of fake contacts and information to place on the iPhone.

July 13, 2010

Capturing SSH Keystrokes

Filed under: bash,gcc,logging,Network,router,SSH — abnev @ 5:08 pm
Tags: , , , , , ,

I have been looking into the final element of this project – methods and techniques to capture and record keystrokes within a SSH tunnel. The various methods I’ve found were kernel modules (similar to the Sebek approach), hacking openssh to record keystrokes to a file on the filesystem, hacking bash to record keystroes, or using a program like tee, logger or script to capture everything by having it launch automatically from /etc/profile, ~/.profile or something similar.

In order to try retain the security of the iPhone and the data collected isn’t tampered with, I’d like to somehow use syslog or syslog-ng to log everything to a remote host in real time using UDP. To do this, I ran a quick test on my Macbook using tee which worked quite well and writing a quick and dirty script to add to /etc/profile which logs everything to syslog which can then be sent to a remote host.


function log2syslog
{
declare COMMAND
COMMAND=$(fc -ln -0)
logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
}
trap log2syslog DEBUG

Inspecting /var/log/system.log we can see the keystrokes being captured:


Jul 13 17:33:44 abnev-lpt2 bash[95803]: abnev:
Jul 13 17:33:44 abnev-lpt2 bash[95805]: abnev:
Jul 13 17:33:47 abnev-lpt2 bash[95807]: abnev: pico .profile
Jul 13 17:33:53 abnev-lpt2 bash[95810]: abnev: fail -f /var/log/system.log
Jul 13 17:34:09 abnev-lpt2 login[95815]: USER_PROCESS: 95815 ttys004
Jul 13 17:34:10 abnev-lpt2 bash[95820]: abnev:
Jul 13 17:34:10 abnev-lpt2 bash[95822]: abnev:
Jul 13 17:34:11 abnev-lpt2 bash[95824]: abnev: pico .profile
Jul 13 17:34:14 abnev-lpt2 login[95815]: DEAD_PROCESS: 95815 ttys004

This is promising. By replacing syslogd with syslog-ng I can easily whip up a config file to relay everything over to a remote host on the network. I have also looked into getting syslog-ng on the iPhone. This may be possible using cross-compiling for the iPhone architecture. I’ll have to look into this further. In the mean time, I’ve picked up a spare phone so I can use the iPhone for the project when everything is redirected from the router. I have to run a test to ensure wifi works when the simcard is removed from the phone. I have been told otherwise but requires testing.

I also found this neat ssh server written in python using the Twisted framework from http://twistedmatrix.com/users/z3p/files/conch-talk.html and a tutorial covering it at http://www.devshed.com/c/a/Python/SSH-with-Twisted/.


#!/usr/bin/env python

# Copyright (c) 2009 Twisted Matrix Laboratories.
# See LICENSE for details.

from twisted.cred import portal, checkers
from twisted.conch import error, avatar
from twisted.conch.checkers import SSHPublicKeyDatabase
from twisted.conch.ssh import factory, userauth, connection, keys, session
from twisted.internet import reactor, protocol, defer
from twisted.python import log
from zope.interface import implements
import sys
log.startLogging(sys.stderr)

"""
Example of running another protocol over an SSH channel.
log in with username "user" and password "password".
"""

class ExampleAvatar(avatar.ConchUser):

def __init__(self, username):
avatar.ConchUser.__init__(self)
self.username = username
self.channelLookup.update({'session':session.SSHSession})

class ExampleRealm:
implements(portal.IRealm)

def requestAvatar(self, avatarId, mind, *interfaces):
return interfaces[0], ExampleAvatar(avatarId), lambda: None

class EchoProtocol(protocol.Protocol):
"""this is our example protocol that we will run over SSH
"""
def dataReceived(self, data):
if data == '\r':
data = '\r\n'
elif data == '\x03': #^C
self.transport.loseConnection()
return
self.transport.write(data)

publicKey = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEArzJx8OYOnJmzf4tfBEvLi8DVPrJ3/c9k2I/Az64fxjHf9imyRJbixtQhlH9lfNjUIx+4LmrJH5QNRsFporcHDKOTwTTYLh5KmRpslkYHRivcJSkbh/C+BR3utDS555mV'

privateKey = """-----BEGIN RSA PRIVATE KEY-----
MIIByAIBAAJhAK8ycfDmDpyZs3+LXwRLy4vA1T6yd/3PZNiPwM+uH8Yx3/YpskSW
4sbUIZR/ZXzY1CMfuC5qyR+UDUbBaaK3Bwyjk8E02C4eSpkabJZGB0Yr3CUpG4fw
vgUd7rQ0ueeZlQIBIwJgbh+1VZfr7WftK5lu7MHtqE1S1vPWZQYE3+VUn8yJADyb
Z4fsZaCrzW9lkIqXkE3GIY+ojdhZhkO1gbG0118sIgphwSWKRxK0mvh6ERxKqIt1
xJEJO74EykXZV4oNJ8sjAjEA3J9r2ZghVhGN6V8DnQrTk24Td0E8hU8AcP0FVP+8
PQm/g/aXf2QQkQT+omdHVEJrAjEAy0pL0EBH6EVS98evDCBtQw22OZT52qXlAwZ2
gyTriKFVoqjeEjt3SZKKqXHSApP/AjBLpF99zcJJZRq2abgYlf9lv1chkrWqDHUu
DZttmYJeEfiFBBavVYIF1dOlZT0G8jMCMBc7sOSZodFnAiryP+Qg9otSBjJ3bQML
pSTqy7c3a2AScC/YyOwkDaICHnnD3XyjMwIxALRzl0tQEKMXs6hH8ToUdlLROCrP
EhQ0wahUTCk1gKA4uPD6TMTChavbh4K63OvbKg==
-----END RSA PRIVATE KEY-----"""

class InMemoryPublicKeyChecker(SSHPublicKeyDatabase):

def checkKey(self, credentials):
return credentials.username == 'user' and \
keys.Key.fromString(data=publicKey).blob() == credentials.blob

class ExampleSession:

def __init__(self, avatar):
"""
We don't use it, but the adapter is passed the avatar as its first
argument.
"""

def getPty(self, term, windowSize, attrs):
pass

def execCommand(self, proto, cmd):
raise Exception("no executing commands")

def openShell(self, trans):
ep = EchoProtocol()
ep.makeConnection(trans)
trans.makeConnection(session.wrapProtocol(ep))

def eofReceived(self):
pass

def closed(self):
pass

from twisted.python import components
components.registerAdapter(ExampleSession, ExampleAvatar, session.ISession)

class ExampleFactory(factory.SSHFactory):
publicKeys = {
'ssh-rsa': keys.Key.fromString(data=publicKey)
}
privateKeys = {
'ssh-rsa': keys.Key.fromString(data=privateKey)
}
services = {
'ssh-userauth': userauth.SSHUserAuthServer,
'ssh-connection': connection.SSHConnection
}

portal = portal.Portal(ExampleRealm())
passwdDB = checkers.InMemoryUsernamePasswordDatabaseDontUse()
passwdDB.addUser('user', 'password')
portal.registerChecker(passwdDB)
portal.registerChecker(InMemoryPublicKeyChecker())
ExampleFactory.portal = portal

if __name__ == '__main__':
reactor.listenTCP(5022, ExampleFactory())
reactor.run()

This required installing py-crypto via MacPorts:

sudo port -v install py-crypto

July 7, 2010

Building Bridges with Iron, Braun and Steel

After much pain, I’ve managed to build myself a network tap or bridge as it’s more commonly known using FreeBSD 8.0 and an array of network interfaces. I haven’t posted in a bit but I’ve been doing a lost of testing with various techniques to record network traffic wired and wireless bridges, various router firmwares, port spanning using additional interfaces etc. Currently, I have a basic set up working using two wired network interfaces. I abandoned the wireless interface bridging the WAN to the LAN using a network hub due to support (or lackthereof rather) issues in FreeBSD. It seemed to be working but I couldn’t associate with the network. Attempting various configurations open, closed, ad-hoc, wep enabled, wpa, wpa2[personal/enterprise] etc. to no avail. Taking bits from the attic, I’ve managed to build a box. The specs are primitive but usable; Pentium III Xeon/Celeron processor, 447.69MHz, 40GB hard drive, 2 network interfaces (rl0, vr0), video card, and power supply. A picture of this can be found below.

Using a Zyxel Prestiage router, a Linksys WRT54G and heaps of cables the netowrk was created. This included a hub and a wireless network to allow people in the house use the internet as normal.  The bridge needed to be configured correctly first. The following are the commands required to set up a bridge after the network interfaces were tested by assigning an addresses and pinging various machines around the netowrk both wired and on the wireless interfaces.

# ifconfig bridge create
bridge0
# ifconfig bridge0
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 96:3d:4b:f1:79:7a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0

Add the member network interfaces to the bridge. For the bridge to forward packets all member interfaces and the bridge need to be up:

# ifconfig bridge0 addm rl0 addm vr0 up
# ifconfig rl0 up
# ifconfig vr0 up

The bridge is now forwarding Ethernet frames between rl0 and vr0. The equivalent configuration in /etc/rc.conf so the bridge is created at startup is:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm rl0 addm vr0 up"
ifconfig_rl0="up"
ifconfig_fvr0="up"

Finally, enabling IP forwarding by modifying the kernel parameters using sysctl:

# sysctl -w net.inet.ip.forwarding=1

Thus leaving us with a functioning bridge:

I need to start working on some keystroke logging. I have looked at several options; either hacking openssh to log keystrokes, writing a patch for bash to record it, or launching a script which uses tee() to record everything to a file. I’m currently running tests by seeing if i can get the bash patch to log via syslog-ng to a remote logging server. In the meantime, I shall complete a test of recording traffic to see the average data collected etc and then conduct a pilot when the ssh server is ready. I may write my own server in python also using the twisted framework – I’ve found some tutorials on this.

June 24, 2010

Routers, NAT and Packets, Oh My!

The last couple of days have been spent destroying my home network, much to the anger of my family for lack of interwebs. From the last post, it was suggested to try out OpenWRT on my router which is essentially a minamalistic version of Linux designed for use with a variety of routers. From their documentation, users and IRC channel, I was told I could record all packet data using tcpdump and pass-through all connections to the iPhone to save on having to build a home-made bridge to do the work. Unfortunately, I tried this several times which almost bricked my router and took several hours to get back online. In the end, I had to revert to the previous configuration but I have decided to upgrade the firmware on both the router (Zyxel Prestigue – 3.0) and the Wireless AP (Linksys WAP54G).

As it stands, this was a postitive move. The upgraded firmware gave me SUA configuration options in the NAT configuration. This allowed me configured a pass-through forwarding all connections from the WAN to the LAN to a specific IP address. I tested this without the bridge and ran tcpdump on the iPhone itself, NOT’ing the IP addresss I was sshing from to avoid heaps of packets showing up from the SSH connection.

tcpdump -w ~/Media/test.pcap host not 192.168.1.33

This was tested to ensure that the NAT on the router wasn’t translating ALL addresses and connection attempts as they wre being passed-through. The last thing I’d need is a heap of adresses originating from within the network. The test was conducted and the test.pcap file was transferred and exmained using Wireshark. This proved successful. I also attempted opening an SSH connection from redbrick.dcu.ie via their proxy server and threw a few bad passwords at it to see what the login attempts would look like. This looked promising.

The following is a screenshot of the analysis with some of the packet info:

.. and some of the packets extracted via tcpdump:

This all looks good. The next step is to a unix box, forward all traffic to it and bridge two interfaces together. I can then begin to sniff on the bridged interface (br0) and record the data. This may be ideal to store into a MySQL db for easier extraction/analysis.

June 19, 2010

Basic Bridge Plan

Previously, I had decided to create a bridge to aid in traffic logging. I did up a quick plan for this (attached below) and aim to use FreeBSD 8.0 as the OS. The concept is simple, the bridge is to act completely transparent so the attacker has absoutely no knowledge or suspicion in the fact that they are being passed through a bridge, thus allowing for complete network logging (with the exception of SSH, of course). The SSH issue will be another milestone to overcome. I have the use of a static IP address at home so I may as well put it to use.

The idea behind this is thus; a single static address on the router which is configured to pass-through connections to the bridge. The interface connecting to the router will have no IP assigned to it and will be configured to pass-through all connections through a second interface with the help of ipf (aka ipfilter – which will be compiled into the kernel). The second interface will connect to a wireless access point (AP) which will allow the iPhone to connect to the network. This is where I enter unfamiliar territory. The fact that the AP is connected to the bridge via a wired connection (cross over cable), the AP will appear to have the external address. This is not exactly what we want as the iPhone will have to utilise some network address translation (NAT) to obtain any external access which will be problematic.

To overcome this I propose amalgamating the wireless AP and the bridge into a single system. Thus, the second interface will in-fact become a ad-hoc interface utilising a prism2 chipset and the 2.4GHz spectrum. This can be achieved by replacing the second interface with a wireless card, compiling wireless support into the kernel and setting up the interface using wiconfig. By associating the iPhone with the bridge in ad-hoc mode and configuring ipf to pass-through all connections to the wireless interface I believe our objective can be met.

It’s now just a matter of convincing the family they’ll survive without the internet for a few days while I take apart the network. I’ll work on getting the bridge set up. I may have to visit my computer graveyard in the attic and throw together anything I can find.

June 17, 2010

GCC on iPhone – Progress? (Continued)

Filed under: bash,Darwin,gcc,libpcap,scripe,SDK — abnev @ 2:05 pm
Tags: , , , , , ,

I EVENTUALLY managed to get back to where I was yesterday after I hit a bump in the road where I stepped back and could no longer compile simple applications on my Mac OSX destined for the iPhone arch. This time, I have created a simple script called ‘gcc2’ which sets all the appropriate options.

#!/bin/sh

GCC=”/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc”

ISYSROOT=”/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS3.1.3.sdk”      #3.1.3

EXPECTED_ARGS=3

# check num of args supplied

if [ $# -ne $EXPECTED_ARGS ]

then

#print usage

echo “Usage: `basename $0`: no input files”

exit -1      #exit on error

fi

# e.g. gcc -arch armv6 -isysroot $ISYSROOT -o test test.c

$GCC -arch armv6 -isysroot $ISYSROOT $1 $2 $3

Additionally, I have attached my bash_history file for setting up the environment etc.
abnev-lpt2:iphone-gcc abnev$ cat test.c
#include <stdio.h>
int main() {
printf(“Hello, World!\n”);
return(0);
}
abnev-lpt2:iphone-gcc abnev$ /Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv6 -isysroot /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS3.1.3.sdk/
abnev-lpt2:iphone-gcc abnev$ /Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv6 -isysroot /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS3.1.3.sdk -o test test.c
abnev-lpt2:iphone-gcc abnev$ cd ~
abnev-lpt2:~ abnev$ mkdir bin
abnev-lpt2:~ abnev$ cd bin
abnev-lpt2:bin abnev$ pico gcc2
abnev-lpt2:bin abnev$ PATH=$PATH:/Users/abnev/bin
abnev-lpt2:bin abnev$ chmod 755 gcc2
abnev-lpt2:bin abnev$ gcc2
arm-apple-darwin10-gcc-4.2.1: no input files
abnev-lpt2:bin abnev$ cp ~/test.c .
abnev-lpt2:bin abnev$ gcc2 -o test test.c
abnev-lpt2:bin abnev$ ./test
-bash: ./test: Bad CPU type in executable
abnev-lpt2:bin abnev$

Just an extra note, to make sure the environment would be set up after reboots etc I modified my ~/.profile to include the correct PATH environment variables pointing towards ~/bin where gcc2 now resides. This was done by adding/changing the line:

export PATH=/opt/bin:/opt/local/bin:/opt/local/sbin:$PATH

to

export PATH=/Users/abnev/bin:/opt/bin:/opt/local/bin:/opt/local/sbin:$PATH

I’ll continue trying to get it to compile using libpcap.

Next Page »

Create a free website or blog at WordPress.com.