Posts

Posted on

Security Apprenticeship

“What do I need to know how to do in order to pursue a career in security?” Good news! I just happen to have drafted this roadmap of reading material just for you!

In my previous writeup, I provided a roadmap of reading material for anyone who is interested in developing a career in security. The material covered concepts that should be understood by anyone working in the field- but the material didn’t cover how to “do” security. This article summarizes topics & activities that are well understood by anyone doing security work professionally. If you develop mastery of these ideas, you’ll be approaching a point where you can start doing meaningful security work. Unfortunately you won’t be done reading after you’ve finished this writeup. I have at least two other guides in draft states that will help guide you on your path towards pursuing a career in Security. This guide helps you establish your foundational knowledge of techniques for restricting access to a system.

Walking The Security Practitioners Path

If we distill security to its most fundamental concept, security is about the controls that ensure that activities are authorized on a system.  

We can talk about these ideas abstractly, but unless you actually implement these ideas on a working system, your knowledge won’t have much application.  The best way to learn these ideas is by using Linux.  

Linux gives you plenty of experience with programs that don’t work because of security controls.  You’ll have to learn how to debug those problems in order to get the processes working and eventually you’ll develop taste for the correct way to implement those controls.

This next phase of your education covers how to activate a linux system, implement interesting programs like web servers and some basic capabilities for implementing access controls.  My goal in writing this is to provide pointers to well written guides that will help you learn to start “doing” security- which is to say, how to activate controls that protect a system.  In my opinion, mastering these topics should be manadatory- however I should highlight that I know many people in the security industry today who don’t have mastery i all of these topics.  There are areas in here that I’m not as strong as I’d like to be, as well. Everyone who is good at security struggles with the idea that they need to do more reading when time permits.

Learning Linux

Part 1- Well Begun is Half Done– Dip Your Toes into Linux.

Linux: TL;DR:  https://linuxjourney.com/

Learn what Linux is and it’s history.  You’ll want to learn about the basic purpose of linux if you have no experience with the Operating system.  Some day, you’ll need to learn about important related concepts like Posix (https://en.wikipedia.org/wiki/POSIX) and Ansi C (https://en.wikipedia.org/wiki/ANSI_C).  For now, let’s just learn some history: https://linuxjourney.com/lesson/linux-history

Learn about the Shell (aka the command line) on Linux.   Learning the shell is the Computer Science equivalent of learning to walk or bike.  You have an operating system or applications you want to interact with?  Generally you will be working within a shell.  A shell is ‘just’ a program that gives you the ability to use a keyboard to interact with the Operating System.  Some day you will need to write shell scripts to automate tedious tasks or filter large amounts of data through scripting, which is a way of executing a series of commands that will execute in some order based on whatever conditions you chose to define.  You’ll learn about “environment variables” like PATH and PYTHONPATH, which are variable names with values you’ll modify in order to make new programs or libraries accessible from any filesystem location while you’re in the shell.  The shell is your foundation for working with a linux machine.  https://linuxjourney.com/lesson/the-shell. Alternatively, this tutorial teaches you how to get around the shell.

Learn about User Accounts & Groups.  This helps you understand the foundational framework of access controls on computers.  When you need to protect data from access by an unauthorized party, you’ll need to use account & group management concepts.  Learning about accounts & groups will help you understand important concepts like what the “root” account’s purpose is, what the “wheel,” “www-data,” and “nobody” groups purpose are and more.  As you develop your security skills you’ll eventually need to learn about how hackers elevate privilege.  Learning accounts and groups his will give you a foundation when we are ready to learn about “privilege escalation” https://linuxjourney.com/lesson/users-and-groups

Learn about File Permissions.  When you are ready to actually protect that data from unauthorized access, you’ll have to read & evaluate the correctness of filesystem permissions.  If you have a file on a system with multiple users, you need to learn how to control who can access it and define the level of access (read, write, executable, SUID, etc).  Again- some day you will be responsible for helping make sure sensitive files are only accessible by the correct people- and that those people have the right level of access.  You need to learn file permissions to perform this task.  One way to know if you’ve mastered this topic is to evaluate if you can propose accurate Access Control Permissions on a web directory.  Make one version that’s dangerous, and one that’s safe.  Be able to explain why they’re dangerous, and how they could be exploited.  Start your journey here:  https://linuxjourney.com/lesson/file-permissions

Learn about the “Filesystem.”  A file system is the logical structure where you store “files.”  An operating system without the ability to process files is of limited utility.  In the windows world, we have drives with names and folders.  In the MacOS world, we have drives with names & folders.  in iOS & Android, there is a file system, but it’s implementation is not as central to the user experience.  In linux, deeply understanding what the directories are under”/” is critically important.  There are “files” in the /proc directory that can tell you important statistics about system performance.  Configuring servers that you’ll install will require an understanding of the /etc, /var and other directories.  If a server is under DDOS attack, you’ll need to understand information about the number of network connections that the system is currently supporting.  You can indirectly use tooling like ifconfig to gather system performance information, or you could just do an ls against /proc/net/dev.  You’ll also need to learn about read only filesystems like squashFS (https://tldp.org/HOWTO/SquashFS-HOWTO/whatis.html). Someday, you’ll need to figure out what is actually happening when you type “ls” into the shell and it somehow enumerates the files that were in your current directory. If you type another random command in, it doesn’t work. Why? How did the OS know which version of “ls” to run? Where does this “ls” binary live anyway? Learning file systems is mandatory.  https://linuxjourney.com/lesson/filesystem-hierarchy

Learn about /dev.  An extremely important design philosophy in Unix is that “everything is a file.”  Hardware is directly accessible through the file system.  Some hardware is represented as file system objects.   Learning about the dev directory will give you important insight into how devices work on the system, which at some point, you may want to tamper with if you aspire to be a hardware hacker.  https://linuxjourney.com/lesson/dev-directory

Learn about the Kernel.  The kernel is the mechanism for controlling hardware.  It is where security policies get enforced.  If the kernel is compromised, all security assumptions break.  You need to understand this important resource conceptually to work in this industry- both for defense & offense.  https://linuxjourney.com/lesson/kernel-overview

If you aspire to penetration testing or red teaming, you need to go further and learn about interacting with the kernel.  

Linux programming interface: https://www.amazon.com/Linux-Programming-Interface-System-Handbook/dp/1593272200

Kernel Hacking (as in MIT definition): https://www.kernel.org/doc/html/latest/kernel-hacking/index.html

Kernel Hacking (as in exploitation): https://github.com/xairy/linux-kernel-exploitation

The Snowball Effect

If you’ve gotten this far, we learned about the Kernel, the Filesystem, Permissions, User accounts and a little hardware. This is a good stopping point- we have a golfball-sized snowball- you basically know the perimeter of the pitch. In my next sections, we’ll take that snowball up to the top of a mountain and give it a nudge: We’ll cover how to make things happen on a Linux system through process management and we’ll learn how to make our linux system talk through the power of IP networking. After that, we’ll start to cover the topics of a security practitioner: reverse engineering, vulnerability discovery, exploitation & remediation and eventually how to protect processes, systems & keys.

Posted on

Suggestions on How To Become A Security Engineer: Learn the Path to Becoming a Security Engineer

Successful Security Engineers are able to identify the assumptions that need to be challenged.

Developing taste in identifying the right assumptions for challenging takes experience, knowledge & wisdom. Below is my suggested roadmap of reading material that should help anyone develop a successful career in Security.

Self test:

Below are questions you should be able to answer:

  • What do “Confidentiality”, “Integrity” and “Availability” have to do with security?
  • What properties make a discussion a “security” problem rather than a “privacy” problem?
  • What is the 7-Layer OSI model? Can you enumerate the layers from memory?
  • Can you describe the important transactions that make up a TLS handshake?
  • Describe the role of “Input Validation” in any resource accepting input from an untrusted party.
  • What technical solutions can be implemented to perform input validation?
  • What is the role of CVEs in infrastructure security? Why are they important? What practice should be implemented to reduce the risk of events?
  • What is the difference between TCP & UDP? Describe the security utility of a “UDP scan”
  • What tools should you use to discover the entry points to a system on the Internet? How would you exploit them?

If you can go through the material above without breaking a sweat, congratulations! You’re obviously a security engineer and you probably found some useful copy-pasta. Perhaps you’d like to explore doing work with my team? https://www.amazon.jobs/en/search?base_query=digitalsecurity

But if the material above was not easy- it’s time to build some skills:

Establish your Computing Basics Foundation

For a computing foundation- simply master this file: https://github.com/alex/what-happens-when

Pay close attention to the following sections and be able to explain their function:

Learn to program in a memory managed language & a language without memory management

I’ve seen guides online that suggest you can be a good security engineer without programming knowledge. I’ve been working in this industry since 1998. There was a time where I did not consider myself a developer, despite working in security. I later developed sufficient coding skills & experience to know that you cannot succeed at security if you don’t deeply understand what developers experience. You need to learn to code. There is no way to provide significant value if you are unable to transform large amounts of data into a meaningful summary without the use of code. Until you get your hands dirty crafting the tooling to create unexpected outcomes, your opinions have limited utility. You might as well make critical commentary on a pro athlete’s form. Until you’ve walked the path, devs aren’t likely to take your advice seriously- and there’s a high degree of likelihood you are overestimating the utility of your recommendations. There is no substitute for being able to hand craft connections to a server and evaluating responses. You have to learn at least one language (I recommend python because of all of the security tutorials that are available which build upon python- but Go should be considered as a viable long term alternative). If you learn C, you’ll have an advantage in understanding & crafting exploits.

Python is a simple interpreted language that is popular and has lots of security related tutorials. You should just go through https://learnpythonthehardway.org/ if you’re starting from scratch.

C is a commonly used programing language without memory management. You’ll get the benefits of speed, but all of the security danger of managing memory. Lucky for you, the “hardway” folks have a page dedicated to C: https://learncodethehardway.org/c/

Read RFCs on how the Internet works:

  1. Requirements 101: Should, Must, Shall, etc: https://www.rfc-editor.org/rfc/rfc2119.txt
  2. IPV4 Specification: https://tools.ietf.org/html/rfc791
  3. Private IP ranges: https://tools.ietf.org/html/rfc1918
  4. UDP: https://tools.ietf.org/html/rfc768
  5. TCP: https://tools.ietf.org/html/rfc793
  6. Requirements for Internet Hosts- Communication Layers: https://tools.ietf.org/html/rfc1122 “In general, it is best to assume that the network is filled with malevolent entities that will send in packets designed to have the worst possible effect.”
  7. http semantics: https://www.rfc-editor.org/rfc/rfc7231.txt
  8. TLS 1.3: https://tools.ietf.org/html/rfc8446

Go Practice:

Vulnhub.com is a wonderful practice resource.  I particularly like the Mr. Robot exercise, because it gives you a good opportunity to practice discovering entrypoints, exploiting them and ultimately elevating privilege to solve the challenge: https://www.vulnhub.com/entry/mr-robot-1,151/  This would give you an opportunity to practice with nmap, sqlmap, dirbuster, as well as privilege escalation basics. 

Pentesterlab.com is a very inexpensive subscription service that has detailed writeups for the exercises.  It’s beneficial because of the breadth of exercises- you can see individual CVEs and then practice working to exploit them.  Want to learn about Oauth exploitation?  Lots of examples.  XSS, SQL Injection, CSRF, etc.  As long as you have an account and time to practice, I guarantee you’ll have a good starting foundation after going through the labs. This will give you good hands on, per vuln category exploitation experience.

Protostar is one of the best memory corruption exercises I’ve been exposed to: https://exploit-exercises.lains.space/protostar/.  These exercises are much harder than everything above, but if you have desire to develop exploitation skills, these exercises will pay dividends.  This will give you memory corruption experience which seems to be the prerquisite necessary for identifying 0-days in open source software.

Get Inspiration

Videos can be helpful. The LiveOverflow channel is great and covers a lot of valuable exploitation examples: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w

George Hotz (aka Geohot) used to livestream his CTF activities. I’d be surprised if you don’t learn a few tricks from some of his demos:

https://www.youtube.com/watch?v=td1KEUhlSuk

https://www.youtube.com/watch?v=7bv_DNRpHaY

https://www.youtube.com/watch?v=Sx7JszqkL-w

The above is my guide for security neophytes. We need more of security engineers! It’s a long road, but it’s a deeply satisfying career path. It’s nourishing to spend your career building solutions that people can rely on for both functionality & for safety. Do some reading and join our weird cohort.

Posted on

Creating a PCAP with old TLS/SSL

I need a pcap that we can use to test scripts which discover insecure protocols.  I tried using pcapr.net, but the site seems to be functionally offline at this point.  I tried a few different strategies for generating the packets.  Others may want to build on this.

First- I tried to create an python client & server- but I found that it is difficult to select which protocol version you’re using for your SSL connections. You might find this page interesting, but I found it to be a dead end. The python team is working so hard to make it easy to do security right, I can’t figure out how to force a client to downgrade to, for example, SSLV2. Looks like it might be covered here though:

https://docs.python.org/3/library/ssl.html

Next, I tried to create the packets directly in scapy- it got me a little closer, but not as far as I’d like:
First: create an ssl key:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Now we have two important files:  a key.pem and a certificate.pem file.
Next- open a TLS server via python by opening a terminal & typing “Python3”

import socket import ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) context.load_cert_chain('certificate.pem', 'key.pem')
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:     sock.bind(('0.0.0.0', 8443)) # this allows connections from outside localhost     sock.listen(5)     with context.wrap_socket(sock, server_side=True) as ssock:         conn, addr = ssock.accept()

Now, from your machine with scapy, you’ll want to launch it without sudo.

scapy

And your next step is to go ahead and setup your connections:

from scapy_ssl_tls.ssl_tls import *
target = ('192.168.0.5',8443) #this was the IP of the machine running the server 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(target)

This gets you a connection to the server.  Now we need to set up our SSL connection:

p = SSLv2Record() / SSLv2ClientHello(cipher_suites=SSLv2_CIPHER_SUITES.keys(),challenge='a' * 16,session_id='a' * 16) #sslv2 

p = TLSRecord(version="SSL_3_0") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #SSLV3 

p = TLSRecord(version="TLS_1_0") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #TLS1.0

p = TLSRecord(version="TLS_1_1") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #TLS1.1 

p = TLSRecord(version="TLS_1_2") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #TLS1.2

p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #Better TLS 1.2

You can use https://github.com/tintinweb/scapy-ssl_tls/blob/master/scapy_ssl_tls/ssl_tls.py#L247 to find appropriate version values. Now you’re ready to fire your packet for each of the different packet objects. I did this manually- if you try to use all the code above, it’ll only give you a packet for the “Better TLS 1.2” implementaiton.

s.sendall(str(p))

Now, you can go cruise on over to wireshark and put some appropriate filters on & capture traffic. I needed this pcap to build some tests for confirming I catch traffic with insecure connection properties. Here’s a bespoke pcap with crummy SSL/TLS client Hellos for SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2: https://www.amazon.com/clouddrive/share/jYAtRHbGN6pLqy8xRuTmZP3WJOq0oyVEazpTc9E2nVb

Mission complete- you can tinker with the pcap directly- but perhaps you want to also generate some bad traffic. Knock yourself out.

Protip:

This page looked like a great learning site for folks doing their first bits of tinkering with SSL & wireshark: https://realpython.com/python-https/