Informative – Team ROT Information Security / Team ROT Information Security Tue, 05 Jan 2021 07:13:29 +0000 en-US hourly 1 https://wordpress.org/?v=6.2 /wp-content/uploads/2020/08/cropped-ROT2-WHITE-BG.eps_-2-32x32.png Informative – Team ROT Information Security / 32 32 Custom HTML on private collaborator domain /1692/ Mon, 04 Nov 2019 20:52:46 +0000 /?p=1692 .flex_column.av-2m3618-b829f09cdcce6639a67e296daeb7f0a1{ -webkit-border-radius:0px 0px 0px 0px; -moz-border-radius:0px 0px 0px 0px; border-radius:0px 0px 0px 0px; padding:0px 0px 0px 0px; }

Serving custom HTML on private collaborator domain

Note: Portswigger has now added support for custom HTML so this blog post is not needed!

https://portswigger.net/burp/documentation/collaborator/deploying#adding-custom-content-to-your-collaborator-server


Hosting a private Burp Collaborator on custom domain can be very handy. It allows you for example to bypass WAFs, to use it on closed networks, to use different port numbers, to appear more professional with branded domain and so on. However it currently has some limitations, one of them being the hard-coded index page. When the collaborator domain is accessed without using any actual collaborator subdomain, a generic web page like above will be shown to the user.
It would be useful to be able to customize this. For example, the default page could instruct viewers how to contact the collaborator owner. Another example would be serving any additional payload files from the same domain.
According to Portswigger support, there is a feature request for customizing it but currently there is no supported way to serve custom content. There are hackish ways to achieve it, but not all are working as intended so let’s take a look how not to do it and how to actually do it.

Wrong ways to implement

An easy way would be using Nginx or HAProxy between the user and collaborator and making it proxy HTTP-requests from collaborator subdomains to collaborator and proxy other subdomains to web server (or serve directly the custom content). This however will lose the user’s IP for HTTP-requests as the Nginx’s/HAProxy’s IP will be shown on all HTTP-request interactions in collaborator.

Another easy way would be using a DNS-proxy which points some specific subdomains to the web server and proxies DNS-queries for all other subdomains to the DNS-server in collaborator. This will lose the user’s IP for DNS-requests as the DNS-proxy’s IP will be shown on all DNS-request interactions in collaborator.

Working way to serve custom html

Well how can we do this without losing the original IP on DNS-request and HTTP-request? Linux kernel supports Netfilter Queue which provides an API for viewing, modifying and dropping packets directly from the Kernel Packet Filter queue. It can be used along with Scapy to transparently inspect DNS-queries and to return fake DNS-replies.
Basically we’ll need to make NFQueue intercept all packets to port 53/UDP (DNS), then parse the DNS-request inside the packet. Then we’ll need to check if the DNS-request is for A-record and what (sub-)domain is it asking for. This (sub-)domain will then be checked against a list of (sub-)domains (e.g. collab.fi and www.collab.fi). If it doesn’t match any (sub-)domain on the list, the packet will be passed back on the queue without any modifications. If it matches something on the white list, Scapy will be used to create a fake DNS-reply pointing towards our web server. This fake DNS-reply will then be sent back to the source and the original packet will be dropped. It’s not actually that hard to do and now there is a script for doing all that automatically!
There are still some limitations with this method, as it fakes the DNS-replies you’ll need to have two IPs. One IP is associated with your collaborator domain and another IP is associated with the web server that you want to serve the custom html with. You don’t need two different virtual machines, having two public IPs on single VM should be enough. Collaborator listening on the first IP and web server listening on the second IP. Please let me know if there is a way to make this work with a single IP!

How to do this automatically

If you installed your private collaborator using the previous guide, you should still have the privatecollaborator-directory. Run git pull inside the directory and you should get the latest code including a new extendburp-directory. The directory contains an installation script, systemd service and dnsmitm.py-script which implements the actual magic.
To install, simply open the extendburp-directory and run the following command:  ./extend_burp.sh TARGET_IP COLLABORATOR_DOMAIN
The TARGET_IP-parameter should be IP of the web server that will serve the custom content and COLLABORATOR_DOMAIN-parameter is your private burp collaborator domain.
After the script is done, your server should respond to DNS-queries in the following way thus redirecting the user to correct HTTP-destination:

  • DNS-query for www.yourcustomdomain.com -> Returns IP of the web server.
  • DNS-query for yourcustomdomain.com -> Returns IP of the web server.
  • DNS-query for AnythingElseLikeCollaboratorId.yourcustomdomain.com -> Returns IP of the Burp Collaborator.

In case you want to redirect more subdomains to the web server, simply insert those in the dnsmitm.py script.
Over and out –putsi.

]]> Self-hosted Burp collaborator with custom domain /self-hosted-burp-collaborator-with-custom-domain/ Thu, 23 May 2019 22:15:55 +0000 /?p=1558

Self-hosted Burp collaborator for fun and profit


The Burp Suite Collaborator is a valuable tool for penetration testers and bug bounty hunters. It basically gives you unique subdomains and logs all interactions (DNS, HTTP(S), SMTP(S)) towards the subdomains. This can be used for example to detect SSRF-vulnerabilities and exfiltrate data.
Burp Suite Professional provides a collaborator service under the domain burpcollaborator.net and using it is usually fine. However on the rare occasions it can be blacklisted / blocked or otherwise unreachable from the target. Luckily, the Burp collaborator can also be self-hosted and set to use a whole custom domain.
This blog post guides how to set up private Burp Collaborator instance on Amazon AWS and how to configure it to use a whole domain with a free Let’s Encrypt SSL-certificate.
Note: If you’d like to use DigitalOcean instead of AWS, the automation script supports also that (with and without floating IP).
If you’d like to use some completely other IaaS-platform, make sure that the VM’s network interface IP matches the public IP and the script should yet again work.

Step 1: Create AWS Instance and Elastic IP

TL;DR: Create Ubuntu Server 18.04 instance and assign Elastic IP to it. Allow inbound SMTP(S), HTTP(S) and DNS from everywhere and ports 9090&9443 from your own IP.
First we’ll need to create a virtual machine for the Collaborator. Log in to your AWS-account and follow the steps:

  1. First, lets create the virtual machine.
  2. Navigate to Instance wizard and select Ubuntu Server 18.04 LTS (HVM), SSD Volume Type.
  3. Select t2.micro or t3.micro depending on which has the free tier eligible tag on your AWS region. Then click Next: Configure Instance Details.
  4. Uncheck T2/T3 Unlimited as it might cause some expenses and then click Next: Add Storage.
  5. Go with default size and click Review and Launch.
  6. Click Launch.
  7. Create a new keypair and download it and click Launch instances.
  8. Next, lets create free-tier eligible Elastic IP. This allows us to always have a static IP which can be linked to AWS virtual machines. Its not required but it makes things easier if you need to re-create your virtual machine.
  9. Navigate to Allocate new address and click Allocate.
  10. Go back to the Elastic IP List, right click your Elastic IP, and Associate Address to the virtual machine created in the previous steps.
  11. Next, go to Instances and click your instance. On bottom of the page, click the Security Group and it should open.
  12. Create Inbound rules like in the image below. Use your own PC IP for the port 9443 and 9090 as you don’t want anyone else using your collaborator.

Step 2: Configure the collaborator domain

Next we’ll have to configure the domain to have the Elastic IP as nameserver. Most providers require two unique nameservers so we will use one.one.one.one as the second one. If your domain is registered on GoDaddy, see here for GoDaddy-specific instructions, otherwise follow the steps below.

  1. First, find out hostname for your Elastic IP. You can for example use MxToolbox and it should give you something like ec2-00-00-00-00.eu-north-1.compute.amazonaws.com.
  2. Next, add nameservers for your collaborator domain in domain registrar settings. Use hostname from the previous step as first nameserver and one.one.one.one as second nameserver:
  3. Done! All DNS-queries towards your private collaborator domain should now end up in the Elastic IP.

Instructions for domains registered in GoDaddy:

  1. Go to My Domains on GoDaddy.
  2. Click the three black dots next to your collaborator domain and then click Manage DNS.
  3. In Advanced Features section click the Host names.
  4. Add ns-host with your Elastic IP:
  5. Next, modify the domain nameservers on the DNS Management page. Select Custom and set ns.YOUR_COLLABORATOR_DOMAIN as first one and one.one.one.one as second one:
  6. Done! All DNS-queries towards your private collaborator domain should now end up in the Elastic IP.

Step 3: Configure the virtual machine

Next you’ll need to fetch Let’s encrypt certificate and configure the virtual machine and do some other stuff. There’s a script for it so let’s use that. The script also implements automatic certificate renewal so you don’t have to manually renew the Let’s Encrypt every 90 days.

  1. First, use the keypair you downloaded to log in to the virtual machine:
    • chmod 0600 newpair.pem
    • ssh -i newpair.pem ubuntu@YOUR_ELASTIC_IP
  2. Clone the scripts:
    • git clone https://github.com/putsi/privatecollaborator && cd privatecollaborator
  3. Copy your Burp Suite Professional JAR-file to the privatecollaborator-directory.
    • scp -i newpair.pem /your/own/pc/burp.jar ubuntu@YOUR_ELASTIC_IP:~/privatecollaborator/
  4. Run the installer script and place your domain as a command line parameter. The email is for Let’s Encrypt expiry notifications and can either be a valid one or a non-existing one:
    • sudo ./install.sh collab.fi your@email.fi
  5. Accept any package installations that the script suggests and also enter your email address for Lets Encrypt notifications.
  6. Let’s Encrypt should now succeed creating a certificate for you. If it fails, you can try to run the install-script again couple of times. If it still fails, your domain DNS configuration from earlier steps most likely hasn’t refreshed yet. If that’s not the case, check your domain DNS configuration for typos and also check the security group inbound rules for port 53.
  7. You can now start the Burp collaborator service.
    • sudo service burpcollaborator start

Step 4: Configure Burp Suite

If you didn’t do it already on previous step, start the private collaborator by running: sudo service burpcollaborator start. Then check logs with sudo systemctl status burpcollaborator. It should tell you about listening on various ports and should not show any errors.
Next start up your Burp Suite and open Project Options -> Misc. Set up the private collaborator config according to the below image, but using your own domain instead of collab.fi:

Then click Run health check and wait for results. It should succeed on everything else than inbound SMTP (this is due to AWS policies):

If everything was OK, you should now be able to use the private collaborator instance normally on Burp Suite:

Conclusions

We made it! It works!
Now you can for example add more non-standard ports to the configuration or do whatever else you might imagine.
In the future, this blog post will hopefully be updated on the subject of how to extend the Collaborator. Potential subjects include:

  • Capturing interactions for protocols other than DNS, HTTP(S) and SMTP(S).
  • Serving custom content as HTTP(S)-response.
  • Dockerize the whole process.
  • Run as a less-privileged user and properly set iptables redirections.
  • Create a single-click setup for AWS.
  • Something else? Let us know what you’d like to learn and we will see if we can help.

Over and out –putsi.

]]> How to create an awesome Hackday event /how-to-create-an-awesome-hackday-event/ Mon, 20 May 2019 19:03:36 +0000 /?p=1550 What is a Hackday?

Hackday (not to be confused with ‘hackathon’ events) is a live event where a group or groups of hackers do security testing to some target (i.e. hack the target). Usually the target is a web application or for example some IoT device. The event may last from one day to a few days. It is common that the organizer will pay bounties for the security vulnerabilities reported by the participants. Organizer(s) can coax hackers to participate with some amazing swag, bounties or other prices that can be won in the event. Bigger the prices, the more hackers will want to join and more experienced hackers will be participating.

The usual flow of the event will be; registering of participants, informational meetup to all, hacking and reporting of vulnerabilities, end meetup and some networking at the end.

This document aims to guide organizers to create and amazing hacking event so everyone participating will have amazing time! Organizer will get the target tested for vulnerabilities and will get good PR from the event.

Target(s)

  • If possible, use a testing/staging environment for the Hackday, with extended logging to catch more data in case errors occur (and to avoid causing trouble in Production).
  • Permitting hackers to access the log data can help them to dig up issues that lie deep in the application.
  • Define the scope of the target in detail. This is hugely important for fair game and equal opportunity for all the teams. And also to safeguard production systems from being hammered.
  • Benchmark the system for heavy loads (e.g high amount of requests/queries). Testing can impact availability especially when multiple teams are trying to break it simultaneously.
  • In some cases it can be beneficial to allow reconnaissance and testing prior to the event for more value from the event itself, at the risk of low volume of reports in the event itself.
  • Prepare user specific or at least team specific set of credentials for the target system. If the permission system is multi-tiered, create at least one user for each user role for each of the testers or teams. Two separate user accounts are necessary for testing certain issues.
  • Consider disabling or limiting the use of external security controls such as WAF (Web Application Firewalls) and/or IPS (Intrusion Prevention Systems). This allows the teams to spend time more efficiently on finding vulnerabilities rather than trying to bypass the controls, which can be bypassed by a motivated attacker in the production anyway.

Facilities

  • Prepare a room for each of the teams. This will allow the testers to openly communicate about the application and potential vulnerabilities without having to worry about the competing team overhearing the strategy.
  • Connectivity options for wired and wireless networks in case one of the options is suffering poor availability.
  • Reserve some snacks, refreshing beverages and arrange a quick lunch/dinner depending on the length of the event.

Rewards

  • When announcing the event, include what kind of bounties will be available and if monetary, how much is reserved and how it will be paid out to the hackers. This will be the main attraction for many great hackers.
  • Explain how you’ll be paying the bounties, whether it is by vulnerability type or by points earned from reporting the vulnerabilities.
  • Preferably pay bounties based on business impact instead of vulnerability types. Bug Bounty programs are a great way to find the necessary details.
  • If possible, reward each attending hacker/team regardless of their possible findings. This will help hackers cut their travel expenses and motivate them to to try harder next time. The reward can also be some kind of tech gift that is appealing to technically oriented people.
  • Prepare the Swag! (great publicity for the company)
    • Stickers/T-Shirts/Hoodies/Backpacks/other

Acknowledgement

  • Give warm thanks to your friendly neighborhood hackers. They spend hours travelling to your event to help you secure the target system and to challenge themselves while doing so.
  • Don’t underestimate the public “thank you!”. Praise the teams in social media (or other), they will be grateful for it!
  • Decide if the best finding/most vulnerabilities/most severe/etc vulnerability will be awarded somehow. This could also increase competitiveness between groups and at least give positive feeling of appreciation to winning group / person.
  • Engage in one on one conversations with the participants to establish rapport.

Rules and Reporting

  • Non-Disclosure Agreement (reasonable terms).
  • Rules
    • Define what happens if a group breaks the rules, e.g. going out-of-scope, disturb other groups, unethical behaviour in the event etc.
    • Out-Of-Scope vulnerabilities should be accepted, but only as informational vulnerabilities in the event and without any points. More value for the money.
    • Malicious intent should be defined in the agreement.
    • Rules, non-disclosure agreements etc. documentation should preferably be sent beforehand for the participants to read.
    • Remember to inform that participants can not share information about the vulnerabilities publicly (or they may lose the bounty for that vulnerability).
  • You should define what kind of vulnerability reports will not be rewarded.
  • When and how will bounties be paid.
  • Ask for consent before unleashing your media team on hackers for surprise photoshoots.
  • Allow teams to see reported vulnerabilities (at least the subject of each report) so hackers know not to spend time on duplicate vulnerabilities that will be disqualified.
  • Explain what is and what isn’t a duplicate report to avoid confusion.
  • Require a definition of impact and a working POC (Proof of Concept) for each reported vulnerability so that the issue is easily reproduced.
  • Consider if you want to ban or limit the use of automated scanners. They can help find vulnerabilities but can also negatively affect the system and event by generating excessive amount of traffic.
  • Inform teams that all confidential material such as vulnerability details should be removed from hacker’s devices before leaving the event.
  • Be prepared to make judgement and decisions swiftly on the spot. Have a clear jury/judge who can make decisions.

Schedule

  • Time used to test the target application will of course affect the test coverage. In general, minimum of eight (8) hours should be reserved for testing.
  • At the start of the event, go through the rules and specify what is in scope.

Other

  • Identify (drivers license or other) each attending hacker.
  • Collect bank account details (if applies) for bounty payments.
  • Prepare a reporting platform for handling vulnerability reports.
  • Consider allowing internet access to hackers so they can access more resources (e.g ad-hoc research).
  • It is recommended to have technically inclined staff (developers) and a product owner on site to answer questions and help the jury evaluating vulnerability impact.
  • The event must have jury which will decide and evaluate severity and impact of each vulnerability and the possible bounty sum.
  • Assist students and/or newbies by guiding them and getting them to know “seniors”. Attract more experienced hackers to teach the juniors with some small reward.
  • When the event ends, kill the connections to the target, this way you can be sure that no one tests anymore.
]]> Kuntahaaste /team-rot-3-suomi-kuntahaaste/ /team-rot-3-suomi-kuntahaaste/#respond Sun, 10 Sep 2017 18:21:08 +0000 http://blog.rot.fi/?p=837 Hei!
Toivottavasti tämä avoin kirje tavoittaa kunnan päättäjät, tietoturvapäälliköt, tai muut kuntien vastaavissa tehtävissä toimivat henkilöt. Tarjoamme teille mielenkiintoista kokeilua, jonka avulla voitte parantaa kuntanne tietoturvaa ilmaiseksi.
Olemme Team Rot. Tietoturva on intohimomme ja teemme teknisiä tietoturvatarkastuksia järjestelmiin ja laitteistoihin sekä vapaa-ajallamme että työksemme. Olemme osallistuneet lukuisiin haavoittuvuuspalkinto-ohjelmiin (engl. “Bug Bounty”) maailmanlaajuisesti ja tiimimme jäsenet ovat tunnettuja myös kansainvälisesti. Nyt haluamme parantaa tietoturvaa Suomen kunnissa ja tarjoamme yhdelle Suomen kunnalle työpanostamme – ilmaiseksi, jotta Suomi saadaan turvallisemmaksi.
Esimerkkejä tiimin tietoturva-aiheisista tuotoksista:

Team Rot tarjoutuu käyttämään 15h/henkilö/kohde kunnan järjestelmien teknisen tietoturvan tutkimiseen. Havaitut ongelmat raportoidaan kunnan määrittelemälle henkilölle, yleensä siis tietoturvasta vastaavalle. Tämän lisäksi Team Rot ilmoittaa havainnoista myös Viestintäviraston kyberturvallisuuskeskukselle, CERT-FI:lle joka avustaa tarvittaessa esimerkiksi koordinoinnin kanssa jos haavoittuvuus koskee kunnan ulkopuolisia organisaatioita tai vaikkapa ulkoiselta toimittajalta ostettua ohjelmistoa. Kun raportoidut havainnot on korjattu, niin Team Rot julkistaa niistä yhteenvedon. Yhteenveto käydään ennen julkistamista lävitse yhdessä kunnan kanssa ja sisällöstä poistetaan tarvittaessa esimerkiksi luottamukselliset tiedot.
Havaittujen haavoittuvuuksien kokonaismäärä voidaan julkaista ennen varsinaista ongelman korjaamista, mutta haavoittuvuuksien tarkempia tietoja ja osallistuvaa kuntaa ei julkaista vielä tässä vaiheessa.
Jotta tietoturvatarkastus olisi mahdollisimman sujuva ja reilu kummallekin osapuolelle, niin kunta voi määritellä itse halutun kohteen ja esimerkiksi rajata tietynlaiset testitapaukset pois tarkastuksesta. Team Rot kuitenkin suosittelee että kohteena olisi kaikki kunnan järjestelmät, jotka ovat saatavissa julkisessa verkossa. Näin ollen kunta hyötyy Team Rotin tekemästä työstä mahdollisimman paljon. Team Rot pyrkii olemaan aiheuttamatta minkäänlaista ongelmaa kohdejärjestelmän saatavuuden, eheyden ja luottamuksellisuuden kanssa testauksen aikana.
Mikäli kiinnostuit, ota yhteyttä niin sovitaan jatkosta ja muista mahdollisista velvoitteista.
Sähköpostilla: team@rot.fi
Iiro Uusitalo
Jarkko Vesiluoma
Jarmo Puttonen
< Jake-Matti Lahtinen

]]> /team-rot-3-suomi-kuntahaaste/feed/ 0