I’m not the most organised person, especially when it comes to staying focused on something (sorry was I talking about??). If you’ve read this blog before you would have picked up that I’ve decided to expand on my IT Security skills.
To that end I’ve created a 12 month training plan, nothing fancy just a list of technologies/software that I want to learn how to use better. It won’t make me an expert (I’m not that silly), but it will hopefully mean that come BSides London 2013 I might be able to give a track 3 talk.
The training plan includes, Ruby (not Python for the time being), wireshark, metasploit framework, nmap and a long period for scapy. I like the idea of being able to write packets so I’ve dedicated a lot of time to this.
Along the way I will blog about my progress and hopefully start getting some more InfoSec related posts up here instead of my ranting about stuff..
Below is the training plan, feel free to pass any comments if you think I’ve missed anything obvious, my goal is to be able to run pen tests (against my own systems), without resorting to “automated” tools.
I’m also looking (still) for a UK-based InfoSec mentor, if any of you lot are feeling generous (I’m not expecting a lot, just answering some questions when I get stuck). If you’re up for it let @infosecmentors know.
On April the 25th 2012 a group of crack InfoSec professionals, enthusiasts, hobbyist and newbies (that’s me by the way), descended on the Barbican Centre in London for the security event of the year (in my opinion).
That’s right; B-Sides London 2012 had arrived.
Most of you probably already know what the B-Sides events are all about, so I won’t bore you with going over that, If you don’t then you go find the main website here; http://www.securitybsides.com or the B-Sides London website is here; http://www.securitybsides.org.uk/.
This was going to be my first B-Sides event and as I was reading the website to find out as much as possible before the event, there were two comments on the front page that really stood out for me.
The first was this “built by the community for the community“,I’m still trying to find my way in InfoSec, but what makes it easier (and more fun) is the people that have the passion, drive, commitment and wiliness to share their knowledge with people like me. Without community events like B-Sides (and there is others) trying to navigate your way around the world of InfoSec would be a lot harder.
The second comment was “So make BSidesLondon whatever you want it to be“, for me this was really important I didn’t want to attend an event and be anonymous. I have a tendency in new environments to be a little bit shy and I wanted to make the most of the day, meet new people and try to become part of the community rather than a lurker in the corner.
So with less than a week to the event, I volunteered to help out on the day, yes that’s right I was now on the crew roster for B-Sides London 2012. Due to work commitments I wasn’t able to get to the Barbican early to help out with setting up, but I would just like to say at this point a HUGE thank you to Iggy (@geekchickuk) and the rest of the B-Sides London crew for getting everything ready for the day and in fact for all their work during the day.
Working as crew on the day for me was awesome; I met a lot of new people and had a lot of fun. What did I do on the day?, well if you bought raffle tickets between 10:00 – 12:00 from the table in the corner next to the guys from SANS that was me (sorry about making you write out your own tickets), and in the afternoon (from about 14:30) I was on the swag desk. I may or may not have also been involved in the nerf rocket war between the B-Sides crew and the guys from MWR InfoSecurity.
In the end I only attended one talk which was by Robin Wood on “Breaking in to Security” (check out the B-Sides London website because a lot of the talks were videoed and will be available to watch), but for the me day was still a success.
Would I help out again next year? Hell yeah, if fact I’ve already told Iggy I will, but next year I’m going to do a talk on Track 3 (that’s the turn up and talk about something track), I have no idea what about yet, but I’ve got a year to work that out.
See you all next year…
Apologises in advance if I ramble during this post or if it seems a bit long, there is a point to it and hopefully it will be come more clear as we go.
DISCLAIMER: The following post is the random collections of my thoughts and opinions and has no bearing or relation to the InfoSec Mentor Project (which I think is great by the way).
Back in December last year, @securityninja wrote a blog post called “Random Thoughts on Education & Learning from @markofu” the post was about security education, mostly in Universities courses but I posted some comments about how difficult I found it to “break into” the InfoSec community. @markofu very kindly replied with some tips about what I could do and one of the suggestions was the InfoSec Mentor project. I signed up to be a mentee and patiently (well my version of patience anyway)waited to hear back.
Still with me?
Fast forward to March 2012 and at work I was promoted (yah me), to Technical Lead – Wintel, for those not sure what “Wintel” is, it’s basically Windows running on Intel servers. What it actually means is, anything that is not Network or Midrange related (so quite a lot of things). One of my new functions in this role was to MENTOR people in areas I knew and understood.
I’m not what you would call a stereotypical “MENTOR” type, in a recent management “thing” other managers provided me with some 360 feedback (I think it’s called a Johari Window 360), and I managed to get zero ticks (that’s bad I think) for the areas of Caring, Encouraging, Motivational and Formal (not too worried about the formal part, I do swear a LOT). Doesn’t sound like ideal MENTOR material does it??, added to that I have a low threshold for people that ask me questions which can easily be found out (I like people that at least try) and when asked “Have you tried Google?” they look at me blankly while they mouth the word “G O O G L E” as it sinks in.
So am I doomed in my new role to be a MENTOR.. well to be honest no, although I have several flaws in what some might class as key areas to mentor people, I did get a lot of ticks (back to this Johari window thing) in areas such as Patient, Determined, Sociable, Dynamic and a few others. Why? I like to think it’s the passion and the experience I have that make up for those “fluffy” areas I lack in.
Just this week I started mentoring some of the Operations team on Netscalers. Netscalers are something I work on a lot, and I like to think I know a fair bit about them, and I’m passionate about them as a product. What does this matter? Well if you enjoy something and are passionate about it, giving the first of many 2 hour training sessions with no materials (other than a white board) and the knowledge in your head is easy and fun. I enjoyed sharing my knowledge with other people, they benefited from my experience and I got the chance to develop some of my softer skills.
So you’ve read all of this and none of it seems to have a point? OK let me explain..the InfoSec Mentor Project to me, is something that is key to the growth of the InfoSec Community, a place for people to connect with others and help build and develop skills. I still struggle to see how you can easily break into the world of InfoSec if you sit on the outside (and I’ve been trying and will continue to do so) so Projects like this are really important.
The project will always need people to offer to be mentors (well I would assume so) and no doubt you are thinking “I’m too busy” or “I’m not the mentor type”, even if you can give a couple of hours a week for someone out there that could be enough to help them, if the mentee has the drive and passion then a helping hand when they get stuck would be all that would be required. Not sure you are the mentor type? look through the post again, notice the words in BOLD? they are some of what I think are key behaviors for a mentor but you don’t need all of them. It’s not just what knowledge you will give to others but also about what you will get in return.
Maybe (and this is just me thinking out loud) even if you don’t work in InfoSec but you have rocking Ruby skills or are a Cisco wizard and you have some time to spare, the InfoSec Mentor Project could benefit from you too, InfoSec guys need good networking skills and help with code (yes both apply to me) so maybe a forum where you can offer your time and answer questions from mentors and mentee’s alike??
Right that’s me done ranting at you.. sorry I mean Persuasively getting my point across. Have time? What to help the community, go sign up to be a MENTOR.
All make sense now?? (probably not but it’s polite to ask)..
Before I get started I just want to clear something up. I am in no way shape or form a programmer.. It’s one of those areas that up until recently has made my head hurt (and not just from banging my head on the desk a lot) but it is an area that I want to improve on and the best way for me to learn is to do.
So how do you end a series of blog posts about Netscaler cookies and how to decrypt them.. well you write a program to do it for you. I decided to use python to write my little decryption program as it will run on both Windows and Linux (I’ve even tested it to make sure) and it seems to be used a lot by InfoSec type people.
Now this is my first ever python program/script/application and in fact it’s the very first time I’ve ever written something like this (unless you count the macro I wrote in Word 7 that did a cypher substitution encryption), so yes while the code might not be perfect and possibly badly written the important thing is that it works.
Now before I get to the part where I give you the link to the script (is script the right word??) here’s how it works (in basic terms).
The script is designed to do 2 things, it accepts an Netscaler Cookie from the command line;
python nsccookiedecrypt.py NSC_rfse-gesfe-etsgsvs... (not the complete cookie)
It then runs two
re.search functions to separate the cookie name (the Netscaler load balancer vserver name) and then the Server IP (IP address of the server your are persistent too).
Once it has these variables, it performs two decryption actions, the first is the cipher substitution to give you the real Server Name;
It then runs the XOR decryption based on the key that was mentioned in Part 2 of my series to give you then Server IP;
Currently the script outputs both to the command line, it’s not exactly high end coding but it’s not a bad start for me.
You can find the script HERE, I’ve tested in on over a dozen real life Netscaler Cookies, so I’m 90% happy it will work in all cases, it doesn’t use any fancy imports so you should be good to go with just a standard python install.
If you find any bugs or want to let me know how to make it better, please drop me a line. Over time once I get better at coding I will probably improve it. I’ve created a new “Page” on my blog with links to the code and hopefully over time I will add to it.
If you want to modify the script for your own uses, please do, however if you let me know so I can keep tabs on how it’s being used and what I can do to improve it.
I would like to thank Alejandro Nolla for inspiring me to write this (check out his load balancer finder) and Daniel Grootveld for helping me with the XOR decryption (and by help I mean stopping me from using a Excel spreadsheet).
At the beginning of the week I wrote here about the Cookie’s that the Netscaler uses for persistence. In that post I explained how I discovered that the Cookie name was encrypted using a simple substitution cipher. The cookie value itself was encrypted to contain the Service IP (the IP of the server that your session sticks to) and the Service Port.
I assumed that this part of the cookie was encrypted using a “real” encryption method such as SHA-256 or some other similar cipher. I spent the next couple of days looking online to see if I could match the cookie length and output (it’s all Hex) to a cipher. In the end I gave up, not because it was too difficult but because I thought of a more cunning plan..
This is an example Netscaler cookie (and by example I mean from a website on the internet);
My previous post dealt with how the “encrypted” cookie name was formed (that’s the bit up to the ‘=’), this post is about the 8 characters after the ffffffff (everything else after that apart from the last 4 characters seems to be padding).
This is what I knew about the encrypted values:
1. The cookie started with ffffffff which I believed was not required to identify the Service IP.
2. The output was Hex, so I assumed that there must be some way to reverse engineer the encryption back to the real IP.
3. The encrypted value for each octet of the IP address was not encrypted using the same method (I knew that because when looking at cookie value I could see the same IP octet encrypted to different values in the cookie).
4. The encrypted values were consistent across different Netscalers (ruling out the encryption being based on appliance specific details i.e. hostname or MAC address).
In order to decrypt the Service IP out of the cookie I could decided that using a VPX (Virtual Netscaler) I could generate a cookie value for each of the 255 IP address in each octet, armed with the power of Excel and Notepad I generated the necessary Netscaler config to create my samples and then using this command on the Netscaler;
show lb vserver [vserver name] | more
This allowed me to see each server and the matching Netscaler cookie value. I started entering these into Excel with the “real” IP value. I had worked through about 60 of the last octet (starting at x.x.x.0) when I realised that I was seeing a pattern. To work out the pattern I took a wild guess (they are the best sometimes) and tried this in Excel;
This was the breakthrough I was looking for.. and here’s why
On the last octet of the IP address the Hex value 11 was really 0 if you the formula above you get the result “17″, use this formula for the next 16 real values (remember I have collected 60 already from earlier) and you see the following pattern:
Real Value Difference
Carry on for another 16 and you find this:
Real Value Difference
The next 16 after this repeated first example, in fact all of the decryption for each octet required a repeating pattern, I just needed to find the key. Before rushing ahead I used the 2 patterns above to fill the remaining last octet of 255 addresses but I swapped the formula to create the Netscaler Hex value (and save myself sometime);
I then double checked this was correct by looking at my other generated cookie values and checking some from another 2 Netscalers that use this method in “live”. I was one happy geek, I then needed to do the same pattern matching for the other 3 octets, but because I knew I was looking for a pattern I only needed to generate a smaller sample set to work with.
Whereas the first pattern I discovered was based on chunks of 16 the others weren’t, the first octet is using the numbers 1 & 3 in chunks of 4 (and the negative values for these as well), the second octet is just based on 8′s in chunks of 8(+8 and -8), and the third was totally random (not the pattern, more the logic behind it) and work on 2,6,10,14,18,22,26 & 30 in chunks of 16 again(and then the negative versions).
Rather than boring you with pages of information I’ve produced a PDF with it all in here.
So I’ve tested this as much as I can, and it works, the cookies I’ve looked at (where I know the Service IP) matches against this decryption sheet and again that is over 4 different Netscalers, running different appliances, IP addresses and versions of firmware.
Once I learn how to write in some sort of programming language I am hoping to write this into an application, where you can input the cookie value and it will provide you the decrypted values, I can think of a couple of uses outside of Netscaler administration and I’m sure any Pen Testers/Ethical Hackers reading this can probably think of a few more..
So to recap, I now know how to decrypt the Load Balancer name from the Cookie name and the Server IP from the Cookie value, the remaining part is the Service Port but I’m not too worried about that (at the moment) as I know that it if a Netscaler cookie ends 3660 then it’s port 80.
Let me know if you have any questions or feel that my maths is wrong somewhere along the line..
Happy cookie decrypting.
Today was the first day back after my Christmas break, so it was a bit “slow”. Never to sit around being bored, I was writing up some notes on Netscaler cookie’s for an ethical hacker called Alejandro Nolla who has written up a cool application for checking to see if a domain has a load balancer behind it. You can find the application here or follow Alejandro on Twitter at @z0mbiehunt3r
Anyway while typing up my info I discovered something about the Netscaler cookies that I hadn’t noticed before. The Netscaler cookies are by default “encrypted” in 3 parts. Below is the extract from Citrix regarding Netscaler cookies:
The format of the cookie that the NetScaler appliance inserts is:
NSC_XXXX is the virtual server ID that is derived from the virtual server name.
ServiceIP is an encrypted representation of the service IP address.
ServicePort is an encrypted representation of the service port.
So the 3 “encrypted” parts are Virtual Server ID, ServiceIP and then ServicePort. After a bit of coffee I realised something about the Virtual Server ID, it is “encrypted” using a substitution cipher, for example a=z, d=c etc. etc. the name “NSC_mc_udru” would be “NSC_lb_test” on the Netscaler as the configured load balancer name.
Now it might not seem much to you, but I was happy with my discovery, my next challenge finding out how the ServiceIP and ServicePort is encrypted. This is an NSC cookie
Now to me at first it looked like HEX the first 8 F’s equally to 255 255 255 255 which seemed like it was a subnet address you use to reference a single host (as you would expect from a persistence cookie), I also know that af when converted from hex to dec equals 175 but the server IP actually starts with 172. I’ve converted the rest from hex to dec but the numbers are out for the server IP. At the end of the example above I know that for port 80 (http) the value is 3660 only changes if the port changes, the rest seems to stay the same.
So I’m a third of the way there.. maybe I will never break the encryption but it’s fun trying and it’s given my brain a good workout. If you can spot something I’ve missed then let me know.
I’ve mentioned before in my blog that a “passion” of mine is IT Security (or InfoSec), it’s something that I’m going to be dedicating a lot of time towards during 2012. At the moment I am reading a lot of InfoSec books most around penetration testing and related materials.
A few of the books keep talking about the process of a penetration test, and then describe them in detail. This is great, however I like to have some visual aid that I can refer back to without going through a book each time.
With that in mind I headed off to Google to see if I could find a diagram that was already “in the wild”, but alas I couldn’t find one, so I’ve created my own..
It’s a very basic diagram but it helps me remember the steps needed when performing a pen test. I’ve colour coded some of the boxes, green boxes are functions or actions that you can perform without getting into trouble (always check your local and state laws first), red boxes are things you shouldn’t do without the permission of the people you are pen testing. You will notice that War Driving is marked red, this is because it’s a bit of a gray area in terms of what is and isn’t legal (always better to be safe than sorry).
Let me know if I’ve got anything wrong…
Enjoy and happy new year..