Twiddling with a Pineapple Nano

CPU: 400 MHz MIPS Atheros AR9331 SoC
Memory: 64 MB DDR2 RAM
Disk: 16 MB ROM + Micro SD (not included)
Wireless: Atheros AR9331 + Atheros AR9271, both IEEE 802.11 b/g/n
Ports: (2) RP-SMA Antenna, Ethernet over USB (ASIX AX88772A), USB 2.0 Host, Micro SD
Power: USB 5V 1.5A. Includes USB Y-Cable
Configurable Status Indicator LED
Configurable Reset Button

Refill at later date.


This year has been quite eventful, just as last year.
I am hoping that things will calm down and my head will start working in a truer sense of the word soon.
When this happens (if it happens..), I will start up a small ‘twiddling’ series – targeting the more amusing and fun toys that exist for those of us interested in, well, fun stuff.
The baseline will simply be a presentation of the “what”, the “how”, the “why”, and my own small experiences with it, twiddling.
Look at it this way: it’s a getting-started-and-start-getting-your-mods-and-ideas-rolling series.

Traffic Baseline. Apps/OS.

Many “NGFW” products look into the application stack (“layer 8”). Since many of them also identify the underlying OS (for example to enable better and easier rule-sets per device category), I am pondering why not also provide a baseline for that specific OS: what traffic to expect, which traffic is normally permitted, and the endpoints those connections go to. With that baseline in hand, one could filter out lots of garbage traffic that otherwise needs to be inspected with all the possible UTM profiles.
This is something we could all benefit from: easier exclusions on a per-OS basis, and so on. If we learn what normal is, we do not have to look at it all the time; only from a fully forensic perspective, to determine a timeline and the like, would it be needed.
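As an added example (not code from the original post), here is the per-OS baseline idea in its simplest form: learn the endpoints a device class normally talks to during a learning window, then only surface flows that fall outside that set. The flow-record layout, the OS labels and the sample flows are constructed for the example; in practice they would come from a firewall or NetFlow export that already carries an OS fingerprint per client.

```python
"""Per-OS traffic baseline: learn what "normal" is for a device class,
then only surface the flows that fall outside it.

Added example, not code from the original post. The record layout
(client_ip, os_label, dst_host, dst_port, proto) and the OS labels are
assumptions; the flows below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, int, str]
Endpoint = Tuple[str, int, str]

# Constructed learning window: background noise from two Windows and two iOS clients.
LEARNING_WINDOW: List[Flow] = [
    ("10.0.1.10", "windows10", "update.microsoft.com", 443, "tcp"),
    ("10.0.1.10", "windows10", "time.windows.com", 123, "udp"),
    ("10.0.1.11", "windows10", "update.microsoft.com", 443, "tcp"),
    ("10.0.1.11", "windows10", "time.windows.com", 123, "udp"),
    ("10.0.1.11", "windows10", "203.0.113.50", 8443, "tcp"),  # only one client: not baseline
    ("10.0.2.20", "ios", "time.apple.com", 123, "udp"),
    ("10.0.2.21", "ios", "time.apple.com", 123, "udp"),
]

# Constructed flows from a later period, to be judged against the baseline.
NEW_FLOWS: List[Flow] = [
    ("10.0.1.12", "windows10", "update.microsoft.com", 443, "tcp"),  # expected
    ("10.0.1.12", "windows10", "203.0.113.7", 4444, "tcp"),          # never seen: inspect
    ("10.0.2.22", "ios", "time.apple.com", 123, "udp"),              # expected
    ("10.0.1.13", "windows10", "time.apple.com", 123, "udp"),        # known host, wrong OS: inspect
]


def learn_baseline(flows: List[Flow], min_clients: int = 2) -> Dict[str, Set[Endpoint]]:
    """Return, per OS label, the endpoints seen from at least min_clients distinct
    clients. Requiring more than one client keeps a single odd host from
    teaching the baseline its own bad habits."""
    seen: Dict[str, Dict[Endpoint, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for client, os_label, host, port, proto in flows:
        seen[os_label][(host, port, proto)].add(client)
    return {
        os_label: {ep for ep, clients in eps.items() if len(clients) >= min_clients}
        for os_label, eps in seen.items()
    }


def filter_flows(flows: List[Flow], baseline: Dict[str, Set[Endpoint]]):
    """Split flows into (expected, inspect). Expected flows are the known OS
    background noise; everything else is what the UTM profiles should see.
    The OS label is part of the key, so Apple time sync from a Windows box
    is still flagged even though the endpoint itself is 'known'."""
    expected, inspect = [], []
    for flow in flows:
        _, os_label, host, port, proto = flow
        if (host, port, proto) in baseline.get(os_label, set()):
            expected.append(flow)
        else:
            inspect.append(flow)
    return expected, inspect


if __name__ == "__main__":
    base = learn_baseline(LEARNING_WINDOW)
    ok, odd = filter_flows(NEW_FLOWS, base)
    print(f"{len(ok)} flows match the baseline, {len(odd)} need inspection:")
    for f in odd:
        print("  ", f)
```

The `min_clients` knob is the part worth thinking about: a baseline built from one machine is just that machine's history, including whatever it was already doing wrong, so the endpoint set should be corroborated across several clients of the same class before it becomes an exclusion.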

WiFi-Honeypot. #KeepCalmAndAnalyze

Step 0 – Create a new and updated infrastructure; migrate your connected devices to it.
Step 1 – Do not update the old (the ‘broken’) infrastructure.
Step 2 – Isolate the old infrastructure (meaning: place it into a ‘pot’ mode with fake targets all over).
Step 3 – Set up recording and detection of everything related to that part of the infrastructure.
Step 4 – Monitor actions. With steps 1-3 in place, the possibly broken part of WPA2 is simply the entry point.
Perhaps an alternative step 0 would be to stop providing wireless access to resources altogether, but don’t just turn it off; make sure the new way of connecting is communicated and understood.
In essence, a WPA2 breakdown is like the lock on your cabinet giving way: it hands out a way into that specific portion of the network.
It does not have to mean that everything is exposed. It has not broken the protocols that run over it (though they may already have their own specific portion broken). You are not completely naked here.
What would be the general idea here? Always keep everything ‘up-to-date’ and isolated, in the sense of knowing how and where things communicate; separation of duties and of communication still holds. Isolation in the world of connections means that you never allow everything to know about, or reach, everything else in your infrastructure.
The best part of this is that sites/companies/entities can now (possibly) detect what kind of targets they are.
Is the attack general?
Just recon?
Already targeting specific (previously reachable) resources?
Someone trying to use you as a base of attack for another target?
Use this as an opportunity, instead of doom.
My viewpoint here is: if you already have a wireless network attached to your infrastructure, you should already have isolated it and made infrastructural decisions on access. There is no reason to go bananas because one of your entry points, which is already a physical weak point, may now be an even more broken entry point.
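The triage in steps 3 and 4, as an added example (not code from the original post). After step 0 nobody legitimate has a reason to associate with the old SSID, so every association on the pot is an alert, and what the client does next answers the four questions above: many ports on one host is recon, traffic to a decoy sitting at a previously reachable address is targeting, and connections leaving the pot subnet mean someone wants to use you as a base. The log line format, the pot subnet and the decoy addresses are assumptions; the log itself is constructed.

```python
"""Triage of activity on an isolated, deliberately un-patched Wi-Fi "pot".

Added example, not code from the original post. The line format below is an
assumed, normalised sensor format (adapt the regexes to what your AP and
sensor actually emit); the subnet, decoy addresses and the sample log are
constructed.
"""
import ipaddress
import re
from collections import defaultdict

POT_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed: the isolated pot subnet
# assumed: decoys kept at the addresses the old file/print servers had before migration
LEGACY_DECOYS = {"192.168.50.200", "192.168.50.201"}
RECON_PORT_THRESHOLD = 5  # distinct ports on one host before we call it a scan

ASSOC_RE = re.compile(r"^(\S+) assoc client=([0-9a-f:]{17}) ssid=(\S+)$")
CONN_RE = re.compile(r"^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample log: three clients join the pot and behave differently.
SAMPLE_LOG = """\
2017-10-16T20:01:02 assoc client=aa:bb:cc:dd:ee:01 ssid=corp-legacy
2017-10-16T20:01:10 conn src=192.168.50.23 dst=192.168.50.1 dport=22
2017-10-16T20:01:10 conn src=192.168.50.23 dst=192.168.50.1 dport=80
2017-10-16T20:01:11 conn src=192.168.50.23 dst=192.168.50.1 dport=443
2017-10-16T20:01:11 conn src=192.168.50.23 dst=192.168.50.1 dport=445
2017-10-16T20:01:12 conn src=192.168.50.23 dst=192.168.50.1 dport=3389
2017-10-16T20:02:00 assoc client=aa:bb:cc:dd:ee:02 ssid=corp-legacy
2017-10-16T20:02:05 conn src=192.168.50.24 dst=192.168.50.200 dport=445
2017-10-16T20:03:00 assoc client=aa:bb:cc:dd:ee:03 ssid=corp-legacy
2017-10-16T20:03:09 conn src=192.168.50.25 dst=203.0.113.9 dport=25
2017-10-16T20:04:00 conn src=192.168.50.26 dst=192.168.50.1 dport=80
""".splitlines()


def _outside_pot(dst: str) -> bool:
    """A destination that is not an address inside the pot (including any
    DNS name, which no decoy is known by) counts as leaving the pot."""
    try:
        return ipaddress.ip_address(dst) not in POT_NET
    except ValueError:
        return True


def triage(lines):
    """Return (associations, verdicts).

    associations: list of (timestamp, client_mac, ssid); each one is an alert.
    verdicts: dict src_ip -> set of labels: 'recon', 'targeting-legacy',
    'pivot-outbound', or 'general' when none of the specific patterns matched.
    """
    associations = []
    ports_by_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dports}
    for line in lines:
        m = ASSOC_RE.match(line)
        if m:
            associations.append(m.groups())
            continue
        m = CONN_RE.match(line)
        if m:
            _, src, dst, dport = m.groups()
            ports_by_host[src][dst].add(int(dport))

    verdicts = {}
    for src, dsts in ports_by_host.items():
        labels = set()
        for dst, ports in dsts.items():
            if len(ports) >= RECON_PORT_THRESHOLD:
                labels.add("recon")
            if dst in LEGACY_DECOYS:
                labels.add("targeting-legacy")
            if _outside_pot(dst):
                labels.add("pivot-outbound")
        verdicts[src] = labels or {"general"}
    return associations, verdicts


if __name__ == "__main__":
    assocs, verdicts = triage(SAMPLE_LOG)
    for ts, mac, ssid in assocs:
        print(f"ALERT {ts}: {mac} associated with pot SSID {ssid}")
    for src, labels in sorted(verdicts.items()):
        print(f"{src}: {', '.join(sorted(labels))}")
```

The outbound case is the one to wire to an actual block: the pot must be allowed to look reachable but must never actually forward traffic out, otherwise step 2 has turned your honeypot into someone else's relay.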

Building: Raspbian PiWall nDPI Kernel. Link collection.

Another cleanup of an old link collection, targeting the build of an nDPI-enabled kernel for the ARM architecture (Raspberry Pi).


honeypot link collection. Wireless honeypot?

Just did a link collection to start myself off with honeypots again – had this in draft for ages. Time to do something about it.
Perhaps it is time to start creating network honeypots: as the counter is ticking down to the disclosure of some possibly major WPA2 issues, creating dedicated wireless networks for monitoring whether you are being targeted is a nice idea.

Progress and success for a company?

Been looking at a summary of the history of AOL.
The feeling I got was that if you allow marketing to take charge without innovation, you get the AOL history. Doomed.
And if you get a smaller company with only tech-savvy people in charge, you get no growth (based on personal experience).
If you get tech-savvy people with an understanding of “what’s next”, you get corporations like Google (in the beginning).
But then, think again.. Some innovations press beyond our current boundaries. Some boundaries are ethical, and those are worse than the ones of simply “one-step-forward” thinking.

HaveIBeenPwned API simple API usage

Trying to get my brain to work again. It’s a slow process..
I’ve been thinking of an automated, scheduled check – instead of signing up all mail addresses for notifications, get the information about possible breaches in one go and in one place.
Here’s the lazy test setup I managed to get working after a few cups of coffee.
1 – Get all the addresses into a manageable list (I’ll presume MS AD as the target for extracting emails first).
(I simply used the vbscript above from an AD-connected machine..)
2 – filter out the … non-Microsoft-related stuff:

cat email_addresses.txt | tr ":" "\n" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep '@yourdomain' | grep -v '{' | grep -vi 'msexch' | sort -u > emails.txt

Simply clean out the unwanted default Exchange cruft (the MsExch* system mailboxes, anything with a brace in it); in short, check your list…
3 – ask the API:

# Assumed endpoint: the v2 breachedaccount URL of the time. The current v3 API
# lives under /api/v3/ and additionally requires an hibp-api-key header.
API="https://haveibeenpwned.com/api/v2/breachedaccount"
for fn in $(cat emails.txt); do
    wget --user-agent="Internal Pwned checker" "$API/$fn"
    sleep 3   # be polite; the service rate-limits per client
done

The 404s should be a happy sight: no hits for that specific address. The ones that do return information, well, you need to do something about those. (The current v3 API still answers 404 for an address with no breaches, but rejects requests without a valid hibp-api-key header, so a scheduled job must distinguish “not found” from “not authorised” or it will report everything as clean.)
Check the API documentation for doing more or less.
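The same scheduled check as a small script, added here as an example (not the post’s own code and not HIBP’s). It targets the current v3 breachedaccount endpoint, which needs an hibp-api-key header and a User-Agent, and keeps the status-code logic the post relies on: 404 means no breach for that address, 200 carries breach data, 429 is backed off using Retry-After, and 401/403 fail the whole run instead of silently reporting everything as clean. The key name, the address list and the fake responses used to exercise it are constructed; the HTTP call is behind a `fetch` callable so the logic runs offline.

```python
"""Scheduled HIBP breachedaccount check for a list of addresses.

Added example, not code from the original post nor from HIBP. Assumptions:
the v3 endpoint below, an API key supplied via the HIBP_API_KEY environment
variable, and a User-Agent string of our own choosing.
"""
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API = "https://haveibeenpwned.com/api/v3/breachedaccount/"
USER_AGENT = "internal-pwned-checker"  # assumed; HIBP requires some User-Agent

# fetch(url, request_headers) -> (status, body, lower-cased response headers)
Fetch = Callable[[str, Dict[str, str]], Tuple[int, str, Dict[str, str]]]


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str, Dict[str, str]]:
    """Real fetcher: returns (status, body, headers) and does not raise on 4xx,
    because 404 is the normal 'no breach' answer here."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, body, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", "replace")
        return e.code, body, {k.lower(): v for k, v in e.headers.items()}


def check_accounts(emails: List[str], api_key: str, fetch: Fetch = urllib_fetch,
                   sleep: Callable[[float], None] = time.sleep,
                   delay: float = 2.0, max_retries: int = 3) -> Dict[str, Optional[List[str]]]:
    """Return {email: [breach names]}: [] means 404 (not found), None means the
    lookup could not be completed. Raises RuntimeError on 401/403 so a scheduled
    run fails loudly on a bad key rather than reporting every address as clean."""
    headers = {"hibp-api-key": api_key, "user-agent": USER_AGENT}
    results: Dict[str, Optional[List[str]]] = {}
    for email in emails:
        url = API + urllib.parse.quote(email)
        for attempt in range(max_retries + 1):
            status, body, resp_headers = fetch(url, headers)
            if status == 200:
                # v3 returns the breach list truncated to names by default
                results[email] = [b["Name"] for b in json.loads(body)]
                break
            if status == 404:
                results[email] = []
                break
            if status in (401, 403):
                raise RuntimeError(f"HIBP rejected the API key (HTTP {status})")
            if status == 429 and attempt < max_retries:
                sleep(float(resp_headers.get("retry-after", 2)) + 0.5)  # honour Retry-After
                continue
            results[email] = None  # retries exhausted or an unexpected status
            break
        sleep(delay)  # the allowed request rate depends on the key's tier
    return results


if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")
    if not key:
        sys.exit("set HIBP_API_KEY first")
    with open(sys.argv[1] if len(sys.argv) > 1 else "emails.txt") as fh:
        addresses = [line.strip() for line in fh if line.strip()]
    for addr, breaches in check_accounts(addresses, key).items():
        state = "lookup failed" if breaches is None else (", ".join(breaches) or "clean")
        print(f"{addr}: {state}")
```

Keeping `fetch` and `sleep` injectable is what makes the status handling testable without a key: a fake fetcher can replay a 429 followed by a 200 and the back-off path is exercised in milliseconds.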