Tuesday, July 24, 2012

Collaborative PenTest Platform with EC2, Metasploit, and Armitage

This post will go over how to establish a relatively low-cost penetration testing framework using Amazon Cloud (EC2) and leveraging collaborative "red-teaming"
functionality using Metasploit Framework and Armitage's deconfliction services.

Deploying this type of collaborative penetration testing environment in Amazon's cloud (EC2) offers some nice benefits:
  • On Demand / Low Cost - You can spin up or tear down your penetration testing platform as needed, and you only pay for the resources you consume.
  • Scalable - If your project or engagement requires more computing power, you can easily bring it to bear.
  • High Bandwidth - Bottlenecks are reduced for network assessment activities that might tax other uplinks.
  • Quick External Viewpoint - For internal security teams, AWS instances provide a convenient vantage point to test/simulate attacker actions from the outside in.
  • Team From Anywhere - By focusing your efforts through a central cloud instance, your assessment team can initiate their testing activities easily from a central IP address without needing an additional VPN.

At the end of this setup you will be able to share scan results, Metasploit sessions, and more between team members. See the video below for usage examples:

Step 1. Establish Or Login To Your Amazon Web Services Account.


Step 2. Setting Up An Ubuntu Instance in Amazon EC2 Cloud.

If you've never used EC2 before you will definitely need to familiarize yourself with this platform.

Amazon has some good getting started guides here (highly recommended):

A good video tutorial walk-through has been provided on YouTube:

The basic steps we need to take to bring this Ubuntu instance up are the following:
  • Select Ubuntu Server 12.04 LTS x64
  • Use Micro Tier (t1.micro, 613MB) for the test setup. This may be a bit slow but it is eligible for the free usage tier.
  • Save and Backup Your Key Pair (PEM file). Don't lose this file! You will need it to access your EC2 instance.
  • Create A Customized Security Group that allows inbound access to SSH (TCP 22) and the Armitage Deconfliction Server (TCP 55553). Restrict the source of both rules to your team's IP addresses rather than 0.0.0.0/0.

Step 3. Accessing and Configuring Ubuntu Instance

After your instance has started, you will need to access it using SSH and the Key file you saved.
chmod 400 example.pem
ssh -i example.pem [email protected]

Once connected, you will need to patch the box and install some needed base packages (below).
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install ruby libruby ri rubygems subversion ruby-dev libpcap-dev libpq-dev postgresql nmap
sudo gem install --no-rdoc --no-ri pg
sudo gem install msgpack

Step 4. Installing and Configuring Metasploit

Grab MSF with subversion and symlink the binaries.
sudo svn co https://www.metasploit.com/svn/framework3/trunk/ /opt/metasploit/msf3/
sudo ln -sf /opt/metasploit/msf3/msf* /usr/local/bin/
sudo msfupdate

Step 5. Postgresql Database Setup

Basic DB Setup.
sudo /etc/init.d/postgresql start
sudo -u postgres createuser msf -P
Enter password for new role: 'enteryourpassword'
Enter it again: 'enteryourpassword'
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
sudo -u postgres createdb --owner=msf metasploit3

We'll need to run msfconsole and connect to the database to populate the tables.

msf > db_status
[*] postgresql selected, no connection

msf > db_connect  msf:[email protected] metasploit3

NOTICE:  CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE:  CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
msf > db_status
[*] postgresql connected to metasploit3

msf > quit

Echo this line into the config file so that msfconsole connects to the database automatically on startup.
echo "db_connect msf:[email protected]:5432/metasploit3" > ~/.msf4/msfconsole.rc

We'll also need to create a database YAML file so that Armitage can connect to the Postgres DB.

We'll place it in /opt/metasploit/msf3/database.yml
It should be formatted as below, replacing the password with the value you set for the msf database user account.
  adapter: "postgresql"
  database: "metasploit3"
  username: "msf"
  password: "enteryourpassword"
  port: 5432
  host: "localhost"
  pool: 256
  timeout: 5
After creating the file, we'll set an environment variable so that Armitage can find it.
sudo /bin/sh -c 'echo "MSF_DATABASE_CONFIG=/opt/metasploit/msf3/database.yml" >> /etc/environment'
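The two config files from this step both carry the database password, and the echo above leaves that password in your shell history and creates the file world-readable. The following helper, an added example rather than the post's own commands, writes both files from a silent prompt with owner-only permissions; the path arguments (Metasploit root and the ~/.msf4 directory) are assumptions you pass in.

```bash
#!/bin/sh
# Added example, not from the original post: write the two database config
# files from Step 5 (msfconsole.rc and database.yml) without typing the
# password on the command line (so it stays out of shell history) and with
# owner-only permissions. Assumed paths: $1 = Metasploit root (the post uses
# /opt/metasploit/msf3, root-owned, so run with sudo there) and $2 = the
# ~/.msf4 directory of the user who runs msfconsole.

write_msf_db_config() {
    msf_root="$1"; msf_home="$2"; db_user="$3"; db_pass="$4"
    db_name="${5:-metasploit3}"
    mkdir -p "$msf_home" "$msf_root"
    umask 077   # new files readable by the owner only

    # msfconsole startup script: connect to the local DB (127.0.0.1) automatically
    printf 'db_connect %s:%s@127.0.0.1:5432/%s\n' \
        "$db_user" "$db_pass" "$db_name" > "$msf_home/msfconsole.rc"

    # database.yml for Armitage, same keys as the file shown in Step 5
    {
        printf '  adapter: "postgresql"\n'
        printf '  database: "%s"\n' "$db_name"
        printf '  username: "%s"\n' "$db_user"
        printf '  password: "%s"\n' "$db_pass"
        printf '  port: 5432\n  host: "localhost"\n  pool: 256\n  timeout: 5\n'
    } > "$msf_root/database.yml"
    chmod 600 "$msf_home/msfconsole.rc" "$msf_root/database.yml"
}

# Interactive use: prompt with echo off so the password is never a CLI argument.
if [ "${1:-}" = "--interactive" ]; then
    printf 'Password for DB user msf: '
    stty -echo; read -r db_pass; stty echo; echo
    write_msf_db_config /opt/metasploit/msf3 "$HOME/.msf4" msf "$db_pass"
fi
```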

Step 6. Configuring Java JRE

Armitage depends on Oracle's Java 1.7. You will encounter problems if you use openjdk.
wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F" "http://download.oracle.com/otn-pub/java/jdk/7u5-b05/jre-7u5-linux-x64.tar.gz"
tar xvzf jre-7u5-linux-x64.tar.gz
sudo mkdir /usr/lib/jvm
sudo mv jre1.7.0_05/ /usr/lib/jvm/jre1.7.0
sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jre1.7.0/bin/java 1
sudo ln -sf /usr/lib/jvm/jre1.7.0/bin/keytool /usr/local/bin/keytool

Step 7. Starting Armitage Deconfliction Server

EC2 uses symmetric 1:1 NAT to route traffic to instances. You will need to start Armitage Deconfliction Server on the public hostname/address associated with your EC2 instance. 
(Thanks To Raphael Mudge for notes on how to avoid issues here.)

We can use the ec2metadata utility to help with this. The last argument to teamserver is the team password ("testing" below); pick a strong one, since anyone who can reach TCP 55553 with it gets full use of your Metasploit instance.
  • Note: You may get some connection refused messages for several seconds after launch. Give the teamserver script time to run (esp. on Micro Tier instances).
cd /opt/metasploit/msf3/data/armitage

sudo ./teamserver `ec2metadata --public-hostname` testing
[+] Generating X509 certificate and keystore (for SSL)
[+] Starting RPC daemon
[*] MSGRPC starting on (NO SSL):Msg...
[*] MSGRPC backgrounding at Thu Jul 05 05:50:36 +0000 2012...
[+] sleeping for 20s (to let msfrpcd initialize)
Warning: checkError(): java.lang.RuntimeException: java.net.ConnectException: Connection refused at server.sl:392
Use the following connection details to connect your clients:
 Host: ec2-23-20-105-99.compute-1.amazonaws.com
 Port: 55553
 User: msf
 Pass: testing

 Fingerprint (check for this string when you connect):

feel free to connect now, Armitage is ready for collaboration

Step 8. Connecting Your Red Team Members

You will need Oracle Java 1.7 installed on your client machines as well.

After making sure Java is installed, download Armitage from http://www.fastandeasyhacking.com/download

java -jar armitage.jar

We'll connect to Armitage on the public DNS address with the username msf and the password we set with the teamserver script in Step 7.

You need to make sure that the server fingerprint matches the console output from teamserver script.

Now that team members are connected the fun can begin, but see the last step/note below.

Step 9. Obtaining Authorization For Penetration Testing Use.

Amazon will detect and throttle certain assessment activities like portscans. To remove these restrictions and avoid some inevitable abuse emails, Amazon requires that you 
obtain formal authorization to use your instance as a security testing platform. This is handled by visiting the following page and filling out the linked form:

Monday, July 23, 2012

InfoSec Job Postings - What Are Employers Telling Us?

The inimitable Brian Krebs has a series of interesting blog posts where he's interviewed several IS luminaries about "breaking into" Infosec fields. The advice in these articles is great and ranges from the technical to the somewhat philosophical (I especially like Schneier's prescription of - STUDY, DO, SHOW). You can check it out here:

In addition to this excellent advice, we can also learn a great deal from IS employers via the job postings they provide AND the aggregate data indicators these posts contain concerning the knowledge, skills, certifications, and aptitudes sought for various roles. To achieve this viewpoint, I've compiled data from over 150 IS job postings (US only) looking at the weighted repetition of categorical qualifications for several popular InfoSec roles (see interactive charts below). In addition to satisfying my own unhealthy compulsion to quantify things, there were some interesting takeaways.

Analyzing the Data: Observations and Findings

#1: Communication Is Critical (aka Try To Act Normal)

While communication skills are frequently cited in professional postings as desired, with InfoSec positions this seems to be true without exception. As evidenced in the collected data,
the ability to write and speak clearly to non-technical audiences about IS issues is a critical skill for almost every job role. I'm sure several readers have experienced the reality warp
that comes with wrestling technically complex issues, engagements, or investigations for prolonged time periods. While it may not be fair, employers expect and value that even if you
have been huffing packet dumps and subsisting on pocky sticks and energy drinks for a week, you can still retain the ability to speak "human" to your customers and to senior leadership. Go figure...

#2: Education Is Important AND Work Experience Is Essential

Almost all of the Information Security positions list a Bachelor's degree as a minimum requirement for eligibility, but beyond this the lion's share of your value to potential employers hinges on the
years of relevant experience you've had in some role within IS. The clear message here is that employers desire educated IS professionals with real world experience. You shouldn't expect to
come right out of school and get a job unless you have professional experience and achievements that clearly demonstrate your proficiencies.
For this reason, internships are a highly recommended way for students to couple education with "in the trenches" IS challenges.


I'm going to avoid the "CISSP certification debate" here. For better or worse, the findings of this review reinforce that CISSP is clearly the de facto IS certification regarded by employers as
offering professional "bona fides". It's obvious that having this certification can open doors in several IS job roles that otherwise might be closed by HR resume bots. One of the reasons for such
universal regard of CISSP is that you have to have at least 5 years of working experience in IS roles (or equivalent education, certification, + experience) to qualify to take the exam (experience again).
If you already meet the requirements for eligibility to sit for the CISSP, it's pretty clear that there are some substantial hiring benefits for taking the time to achieve this credential.

#4: Programming Isn't Just For Programmers

Another finding lurking in the aggregate data is that employers clearly value and place emphasis on Information Security Professionals who can offer scripting and programming experience. One
reason for this importance may be the growing critical role of AppSec for many organizations. Having security professionals on staff who can speak "apples to apples" with developers presents
considerable value towards not only identifying risks/problems but also participating in the fix.

#5: Security Clearance Gateway

The large need for high-quality security services within the federal sphere really is driving valuation for more professionals with top secret or higher clearances. Achieving these clearances often
involves extensive background review that can take several months. As a result, those who already have the necessary clearances are very valuable to employers who serve federal customers.


If you are considering a career in Information Security, then it helps to realize that the field is very specialized and the total body of knowledge represented by the varied job roles is greater than any
one person can master in a lifetime. Therefore there is real value in being able to focus your efforts on those skills, knowledge, and aptitudes that give you the greatest flexibility, opportunities,
and satisfaction. Also remember that the skills of yesterday may not be the skills of tomorrow. You need to integrate continual learning into your daily habits.
Learn something new within your field every day!

Tuesday, July 10, 2012

Portable Encrypted Storage

Native Android encryption presents some limitations when you want to easily and securely exchange data with your PC.
However, using TrueCrypt you can easily set most Android smartphones to act as encrypted mobile storage devices.
Why bother with those easy-to-lose and rarely encrypted USB flash drives when you always have your smartphone with you?

What You Will Need
Personal Computer (Windows, Linux, OSX, BSD ..doesn't matter).
Android smartphone or mobile device that accepts MicroSD storage and has a USB connector.
Decently sized MicroSD storage card (the larger the better).
TrueCrypt Software.
Some basic knowledge of setting up partitions on Windows, Linux, OSX, or BSD.

Step #1 - Backup Your Data!
If you have any data that you don't want to risk losing, you need to back it up off your mobile device's MicroSD card.
If this data is protected with native Android encryption you will first need to decrypt it.

Step #2 - Wipe The MicroSD Partition Table
Connect your mobile device via USB to your computer and fire up your favorite partitioning tool.
Using this tool, first remove all partitions from the storage device that represents the MicroSD storage card within the device.

Step #3 - Set Up partition for your Android Device
Next, we'll want to set up a partition that the mobile device can use.
You want to size this partition to be enough for basic use but also leave enough remaining space on the storage media for your encrypted storage needs.
Since I have a 32GB MicroSD card, I have chosen to slice off 8GB for my phone.
This first partition needs to be formatted as a FAT partition to ensure compatibility with your Android device.

Step #4 - Set Up partition for encrypted TrueCrypt volume
Now add a second partition that covers the remaining space on your storage media.

After you've done this your partition layout should look something like this:

Step #5 
With your new partition table in place, you can now fire up TrueCrypt to use the second partition as an encrypted volume.

Select Create a volume within a partition/drive.

Make sure to select the second partition that you created on your Android internal storage media.
Make a mistake here and you can wipe your data. Be careful!

Follow instructions to set up a password and select the encryption and hashing algorithm you wish to use for your encrypted volume.
Note: Make sure that your password is strong!!
After TrueCrypt has finished setting up the encrypted volume on your partition you will be able to access it.
Simply select the appropriate encrypted device partition (sdd2 in this example) and input your passphrase to mount the drive on your PC.
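Because picking the wrong partition here destroys data, a pre-flight check helps before handing a device to TrueCrypt. The script below is an added example, not part of the original post: it reads a partition table dump in `sfdisk -d` format (the sample dump is constructed to match the 32GB card with an 8GB FAT32 first partition from Steps 3 and 4) and refuses any target that is not the second of exactly two partitions behind a FAT first partition.

```bash
#!/bin/sh
# Added example, not part of the original post: a pre-flight check before
# handing a partition to TrueCrypt (Step 5). It reads a partition table dump
# in `sfdisk -d` format and confirms the target is the second of two
# partitions and that the first one is FAT, i.e. the layout built in Steps 3-4.
# Real usage: check_tc_target "$(sudo sfdisk -d /dev/sdd)" /dev/sdd2

check_tc_target() {
    dump="$1"; target="$2"
    # one line per partition: "<device> <hex MBR type id>" (new "type=" and old "Id=" dumps)
    parts=$(printf '%s\n' "$dump" | awk '/^\/dev\// {
        dev=$1; id="?"
        if (match($0, /(type|Id)=[0-9A-Fa-f]+/)) { id=substr($0, RSTART, RLENGTH); sub(/.*=/, "", id) }
        print dev, tolower(id) }')
    count=$(printf '%s\n' "$parts" | grep -c . || true)
    if [ "$count" -ne 2 ]; then
        echo "expected exactly 2 partitions (FAT + TrueCrypt), found $count" >&2; return 1
    fi
    first_dev=$(printf '%s\n' "$parts" | sed -n '1p' | cut -d' ' -f1)
    first_id=$(printf '%s\n' "$parts" | sed -n '1p' | cut -d' ' -f2)
    second_dev=$(printf '%s\n' "$parts" | sed -n '2p' | cut -d' ' -f1)
    case "$first_id" in
        1|4|6|b|c|e) ;;   # FAT12/FAT16/FAT32 MBR partition type ids
        *) echo "first partition $first_dev has type $first_id, not FAT" >&2; return 1 ;;
    esac
    if [ "$target" = "$first_dev" ]; then
        echo "$target is the FAT partition the phone uses; refusing" >&2; return 1
    fi
    if [ "$target" != "$second_dev" ]; then
        echo "$target is not the second partition of this device" >&2; return 1
    fi
    echo "ok: $target is the TrueCrypt target, $first_dev stays FAT for Android"
}

# Constructed sample dump: 32GB card, 8GB FAT32 (type c) first, rest for TrueCrypt.
SAMPLE_DUMP='label: dos
device: /dev/sdd
unit: sectors

/dev/sdd1 : start=        2048, size=    16777216, type=c
/dev/sdd2 : start=    16779264, size=    45733888, type=83'
```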

Voila! You now have convenient portable encrypted storage that goes where you go.