honeypot link collection. Wireless honeypot?

Just did a link collection to start myself off with honeypots again – had this in draft for ages. Time to do something about it.

Perhaps it is time to start building network honeypots. With the clock ticking down to the disclosure of some possibly major WPA2 issues, a dedicated wireless network that exists only to watch for attempts at being targeted is a nice idea.

https://github.com/threatstream/mhn/

http://conpot.org/

https://honeynet.org/

http://www.honeyd.org/

http://artemisa.sourceforge.net/

https://github.com/glastopf/conpot

https://www.cuckoosandbox.org/

Progress and success for a company?

Been looking at https://www.youtube.com/watch?v=A3DudqwsRPw, a summary over the history of AOL.

The feel I got – was that if you allow marketing to take charge without innovation – you get an AOL history. Doomed.
And – if you get a smaller company with tech-savvy ppl in charge only – you get no growth (based on personal experience).
If you get tech-savvy ppl with an understanding of “what’s next” – you get corporations like google (in the beginning).

But then, think again.. Some innovations press beyond our current boundaries. Some boundaries are ethical – and those are worse than that of simply “one-step-forward” thinking.

HaveIBeenPwned API simple API usage

Trying to get my brain to work again. It’s a slow process..
I’ve been thinking of an automated, scheduled check – instead of signing up all mail addresses for notifications – get the information on possible breaches in one go and in one place.

Here’s the lazy test setup I managed to get working after a few cups of coffee.

1 – Get all the addresses into a manageable list (I’ll presume MS AD as the target for extracting emails first).

https://community.spiceworks.com/scripts/show/76-list-all-ad-email-addresses-including-aliases
(I simply used the VBScript above from an AD-connected machine..)

2 – filter out the non-address entries and the Exchange-related cruft:

cat email_addresses.txt | tr ":" "\n" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep @yourdomain | sort | uniq | grep -v { | grep -v MsExch | grep -v MSExch

In short: clean out the unwanted default Exchange entries, then check your list…

3 – ask the API:


#!/bin/bash
# AskTheAPI.sh - ask HIBP about every address in emails.txt, one request every 3 seconds
while read -r fn; do
  [ -z "$fn" ] && continue
  # wget exits non-zero on a 404; for this endpoint a 404 simply means "no breach found"
  wget --user-agent="Internal Pwned checker" "https://haveibeenpwned.com/api/v2/breachedaccount/$fn"
  sleep 3
done < emails.txt

The 404s are a happy sight – they mean no hits for that specific address. The ones that do return information, well, you need to do something about those.

Check the API doc for doing more (or less):

https://haveibeenpwned.com/API/v2
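The three steps above, written out as one script so the cleaning and the lookups live in one place. This is an added example, not code from the post: the AD export it cleans is a constructed sample (the `@yourdomain.example` addresses and the `SystemMailbox{placeholder-guid}` entry are made up), and the HTTP call is injected as a function so the logic can be exercised without touching the network. It generalises step 2 slightly by dropping `MsExch`/`MSExch` entries in any letter case. One caveat: the v2 endpoint the post uses has since been retired; the current v3 API needs an `hibp-api-key` header, which you would add in `http_fetch` along with a new `base` URL.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample of a raw AD export (not real data): proxyAddresses-style
# entries separated by colons, with Exchange system mailboxes mixed in.
SAMPLE_EXPORT = (
    "SMTP:alice@yourdomain.example:smtp:alice.old@yourdomain.example\n"
    "X400:c=US;a= ;p=Org;o=Exchange;s=Bob : SMTP:bob@yourdomain.example\n"
    "SMTP:SystemMailbox{placeholder-guid}@yourdomain.example\n"
    "smtp:MsExchDiscoveryMailbox@yourdomain.example\n"
    "smtp:alice@yourdomain.example\n"
    "SMTP:carol@otherdomain.example\n"
)


def clean_addresses(raw: str, domain: str) -> List[str]:
    """Step 2 of the post as a function: split on ':', trim whitespace, keep
    only addresses in our domain, drop the '{...}' and MsExch system
    mailboxes (any case), then de-duplicate and sort."""
    keep = set()
    for field in raw.replace(":", "\n").splitlines():
        addr = field.strip()
        if domain not in addr:
            continue
        if "{" in addr or "msexch" in addr.lower():
            continue
        keep.add(addr)
    return sorted(keep)


def classify_response(status: int, body: bytes) -> List[str]:
    """Turn one breachedaccount response into a list of breach names.
    404 means the address is in no known breach; 200 carries a JSON array
    of breach objects, each with a 'Name' field."""
    if status == 404:
        return []
    if status == 200:
        return [breach["Name"] for breach in json.loads(body)]
    if status == 429:
        raise RuntimeError("rate limited by HIBP; slow down and retry")
    raise RuntimeError(f"unexpected HTTP status {status}")


Fetcher = Callable[[str], Tuple[int, bytes]]


def http_fetch(url: str, user_agent: str = "Internal Pwned checker") -> Tuple[int, bytes]:
    """Real fetcher: returns (status, body) and treats HTTP errors as data."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_accounts(addresses: List[str], fetch: Fetcher,
                   base: str = "https://haveibeenpwned.com/api/v2/breachedaccount/",
                   delay: float = 3.0,
                   sleep: Callable[[float], None] = time.sleep) -> Dict[str, List[str]]:
    """Step 3: query each address with a pause between calls (the post's
    'sleep 3') and collect {address: [breach names]}."""
    results: Dict[str, List[str]] = {}
    for addr in addresses:
        status, body = fetch(base + urllib.parse.quote(addr))  # '@' becomes %40
        results[addr] = classify_response(status, body)
        sleep(delay)
    return results


if __name__ == "__main__":
    hits = check_accounts(clean_addresses(SAMPLE_EXPORT, "@yourdomain.example"), http_fetch)
    for addr, breaches in hits.items():
        print(addr, "OK" if not breaches else "BREACHED: " + ", ".join(breaches))
```

Swap `http_fetch` for anything that returns `(status, body)` to test the flow offline; a 429 is raised rather than swallowed, since that is the signal to increase the delay rather than keep hammering the service.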

Fortinet webfilter test


# cat getthefilter.sh

#!/bin/bash
# getthefilter.sh - pull the FortiGuard category list and request every
# web-filter test page it links to, so the firewall's filter can be checked
# category by category.
#wget http://fortiguard.com/webfilter
#New url..
wget http://fortiguard.com/webfilter/categories
grep wftest categories > raw
IN=$(cat raw)
links=$(echo "$IN" | tr '"' "\n")
: > targets   # start from an empty list; '>>' below would otherwise pile up between runs
for addr in $links
do
  # keep only the .html test pages among the quoted attribute values
  if [[ $addr == *"html"* ]]; then
    echo "$addr" >> targets
  fi
done

targets=$(cat targets)
for filtaddr in $targets
do
  echo "http://fortiguard.com$filtaddr"
  # --spider requests the page without saving it; a failed request here
  # means the filter (or the site) blocked it, so report the exit status
  if wget -o /dev/null --spider -t 1 "http://fortiguard.com$filtaddr"; then
    echo "  reachable"
  else
    echo "  blocked or failed"
  fi
done
#rm raw targets categories

How do you disclose / inform / or get in contact with online companies today?

So, Troy Hunt got the following out;
https://www.troyhunt.com/kids-pass-just-reminded-us-how-hard-responsible-disclosure-is/

If we back a bit, we have a communication history in general.
Based on email…

abuse
webmaster
postmaster

@yourdomain – those were the general in-channels.

Troy got into a tight spot, I have not encountered that – sadly, I got into something worse. Ignorance and fudge..
Reporting anything in a public space – really? How come?

Public space / “social media” is usually under the hand of PR / marketing. Getting ’em to move their butts and report higher … Not the easiest way when we are not talking about security-aware companies.

So how do we determine or detect security-aware companies? We don’t. Bash’em with information – make a correct statement (like Troy and friend did) – and hope that the receiver is not part of the stupidity-bunch.

Rant//off.

Cracking open the worthless Zyxel X1 Armor (WAP6806)

Prepare yourself, this will be so far one of my longest rants to this day.

Bought my bloody MacBook Pro, and figured it was time to get a cheapish AC access point since the MacBook’s USB ports are non-existent – a good trade-off so Time Machine could do its thing and I would be none the wiser but lots poorer.

However – getting the Mac and getting it to a good state was the easier part. Getting that fudged Zyxel AP however…

Waste of plastic.

We start the fun right here…

BusyBox v1.12.1 (2016-10-26 15:52:49 CST) multi-call binary

So.. After you enable TELNET (IN 2017!), and since you cannot change the “admin” password (default “1234”) to anything with “special chars” (I’ll append the f-ked message later on), you prolly log in with admin and 1234, over TELNET…

Ah – did I mention that you need to log out for the password change to stick? No? Okay.. Now I did..

This will leave you with the setup of;


# cat /proc/cpuinfo
system type : Ralink SoC
processor : 0
cpu model : MIPS 1004Kc V2.15
BogoMIPS : 583.68
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0000, 0x0000, 0x0000]
ASEs implemented : mips16 dsp mt
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available

processor : 1
cpu model : MIPS 1004Kc V2.15
BogoMIPS : 583.68
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0000, 0x0000, 0x0000]
ASEs implemented : mips16 dsp mt
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available

The CPU in this is laughable, or weird … So “much” umpf – for what? But, it’s not the main part – I knew I was in for a cheap thrill to begin with, with all the dinks and donks.


# cat /proc/meminfo
MemTotal: 58928 kB
MemFree: 23576 kB
Buffers: 0 kB
Cached: 21236 kB
SwapCached: 0 kB
Active: 580 kB
Inactive: 2872 kB
Active(anon): 564 kB
Inactive(anon): 2868 kB
Active(file): 16 kB
Inactive(file): 4 kB
Unevictable: 21196 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 3412 kB
Mapped: 2316 kB
Shmem: 20 kB
Slab: 7748 kB
SReclaimable: 2312 kB
SUnreclaim: 5436 kB
KernelStack: 400 kB
PageTables: 292 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 29464 kB
Committed_AS: 7968 kB
VmallocTotal: 1048372 kB
VmallocUsed: 2340 kB
VmallocChunk: 1044532 kB


# uname -a
Linux WAP6806 2.6.36 #173 SMP Tue Nov 1 11:37:47 CST 2016 mips unknown

The kernel is a bit more enjoyable – as I know it could at least do networking of some sort…

But, the REALLY sad part?

They have hardcoded a few bridge interfaces.. Why? NO F-ING IDEA!
The setup was supposed to be kinda straightforward – it is a disaster! With an old-as-hell kernel in (release 2016) 2017!

# ifconfig
br0 Link encap:Ethernet HWaddr 1C:xxxxxxx
inet addr:192.168.x.x Bcast:192.168.x.x Mask:255.255.255.x
inet6 addr: fe80::x::x Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:21870 errors:0 dropped:0 overruns:0 frame:0
TX packets:25841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1344357 (1.2 MiB) TX bytes:6758904 (6.4 MiB)

br0:1 Link encap:Ethernet HWaddr 1C:xxxxxxxxxxxx
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

br0:9 Link encap:Ethernet HWaddr 1C:xxxxxxxxxxx
inet addr:1.1.1.1 Bcast:1.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

eth2 Link encap:Ethernet HWaddr 1C:---------
inet6 addr: fe80::x::x Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:715 errors:0 dropped:0 overruns:0 frame:0
TX packets:1414 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63796 (62.3 KiB) TX bytes:631847 (617.0 KiB)
Interrupt:3

eth3 Link encap:Ethernet HWaddr 00.......
inet6 addr: fe80::x::x Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21170 errors:0 dropped:0 overruns:0 frame:0
TX packets:25096 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1587641 (1.5 MiB) TX bytes:6223369 (5.9 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:115 errors:0 dropped:0 overruns:0 frame:0
TX packets:115 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9880 (9.6 KiB) TX bytes:9880 (9.6 KiB)

#


The static, non-existent iwconfig;

# iwconfig
lo no wireless extensions.

eth2 no wireless extensions.

ra0 RTWIFI SoftAP Access Point: 1E:xx:xx:xx:

sit0 no wireless extensions.

ip6tnl0 no wireless extensions.

ra1 RTWIFI SoftAP ESSID:"ZyGuest[random]"
Mode:Managed 13 Access Point: 1E:--------
Bit Rate=300 Mb/s

ra2 RTWIFI SoftAP ESSID:"ZyGuest[random]"
Mode:Managed 13 Access Point: 1E:----------
Bit Rate=300 Mb/s

ra3 RTWIFI SoftAP ESSID:"ZyGuest[random]"
Mode:Managed 13 Access Point: 1E:---------
Bit Rate=300 Mb/s

apcli0 RTWIFI SoftAP ESSID:""
Mode:Managed 13 Access Point: Not-Associated
Bit Rate:300 Mb/s

eth3 no wireless extensions.

br0 no wireless extensions.

Well, I do have some idea – the interface 1.1.1.2 seems to be their tie-in for a static interface. Dozens of CGI scripts call it.

The other one is their “alias” address, hardcoded into existence from the factory at 192.168.1.2. Makes no sense. NO SENSE.

The awesome part was this: it has a “nice” Autodetect mode for what kind of mode it should be in – AP, Client or Repeater.
My unit got stuck in a rotating state – and kept changing mode ALL THE TIME.
And since the routing table gets screwed up with the static parts – it’s really enjoyable.. I got a “new” release of the firmware (do NOT get me started on the versioning of their firmware… No, seriously, don’t). That “new” “release” “fixed” it.


# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
239.255.255.250 * 255.255.255.255 UH 0 0 0 br0
192.168.x.y * 255.255.255.x U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
1.1.1.0 * 255.255.255.0 U 0 0 0 br0
default 192.168.x.y 0.0.0.0 UG 1 0 0 br0

The above output is missing the static entry for br0:1 – I killed it off so my network didn’t explode on itself, since it’s supposed to be in another broadcast domain…

I could produce and sell a better setup software-wise myself. Why oh WHY don’t they (since they don’t seem to be interested in doing anything right or giving their R&D time to develop something resembling a working state) simply make a pledge to dd-wrt or openwrt instead (edit: according to a source I cannot remember, this is based on an old fork-ish setup of openwrt…), meaning they can instead contribute and make sure their plastic is not wasted, nor the components..

I am not sure where to end this.. So I’ll just update it as it comes and publish it. Meaning this line moves down.

Update;


# from /proc -
# pwd
/proc
# ls
13482 6002 1683 1074 990 45 30 26 22 13 9 5 self fs sys mtd timer_list pagetypeinfo slabinfo cpuinfo meminfo softirqs diskstats
12324 3840 1604 1033 447 38 29 25 16 12 8 3 mounts driver irq execdomains modules vmstat filesystems devices stat kcore partitions
6223 1685 1395 1028 139 37 28 24 15 11 7 2 net tty misc ioports kallsyms zoneinfo locks interrupts uptime kmsg mt7621
6100 1684 1385 1021 47 31 27 23 14 10 6 1 sysvipc bus scsi iomem buddyinfo vmallocinfo cmdline loadavg version crypto
#

# cat diskstats
1 0 ram0 0 0 0 0 0 0 0 0 0 0 0
1 1 ram1 0 0 0 0 0 0 0 0 0 0 0
1 2 ram2 0 0 0 0 0 0 0 0 0 0 0
1 3 ram3 0 0 0 0 0 0 0 0 0 0 0
1 4 ram4 0 0 0 0 0 0 0 0 0 0 0
1 5 ram5 0 0 0 0 0 0 0 0 0 0 0
1 6 ram6 0 0 0 0 0 0 0 0 0 0 0
1 7 ram7 0 0 0 0 0 0 0 0 0 0 0
1 8 ram8 0 0 0 0 0 0 0 0 0 0 0
1 9 ram9 0 0 0 0 0 0 0 0 0 0 0
1 10 ram10 0 0 0 0 0 0 0 0 0 0 0
1 11 ram11 0 0 0 0 0 0 0 0 0 0 0
1 12 ram12 0 0 0 0 0 0 0 0 0 0 0
1 13 ram13 0 0 0 0 0 0 0 0 0 0 0
1 14 ram14 0 0 0 0 0 0 0 0 0 0 0
1 15 ram15 0 0 0 0 0 0 0 0 0 0 0
31 0 mtdblock0 0 0 0 0 0 0 0 0 0 0 0
31 1 mtdblock1 0 0 0 0 0 0 0 0 0 0 0
31 2 mtdblock2 0 0 0 0 0 0 0 0 0 0 0
31 3 mtdblock3 0 0 0 0 0 0 0 0 0 0 0
31 4 mtdblock4 0 0 0 0 0 0 0 0 0 0 0
31 5 mtdblock5 0 0 0 0 0 0 0 0 0 0 0
31 6 mtdblock6 0 0 0 0 0 0 0 0 0 0 0
31 7 mtdblock7 0 0 0 0 0 0 0 0 0 0 0
31 8 mtdblock8 0 0 0 0 0 0 0 0 0 0 0
31 9 mtdblock9 0 0 0 0 0 0 0 0 0 0 0
# cat partitions
major minor #blocks name

31 0 131072 mtdblock0
31 1 1024 mtdblock1
31 2 1024 mtdblock2
31 3 1024 mtdblock3
31 4 1024 mtdblock4
31 5 32768 mtdblock5
31 6 32768 mtdblock6
31 7 1024 mtdblock7
31 8 16384 mtdblock8
31 9 44032 mtdblock9
#

# cat mounts
rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
none /var ramfs rw,relatime 0 0
none /etc ramfs rw,relatime 0 0
none /tmp ramfs rw,relatime 0 0
none /media ramfs rw,relatime 0 0
none /sys sysfs rw,relatime 0 0
none /dev/pts devpts rw,relatime,mode=600 0 0
#

# cd driver
# ls
nand
# cat nand
ID: 0xc2f1, total size: 128MiB
Current working in polling mode
#

So, I guess I did manage to grab the NAND-size anyway – yay for digging while typing…

Could this mean that I do have a 128 MB NAND flash, and the following memory is where the ramdrive lives?


# free
total used free shared buffers
Mem: 58928 40452 18476 0 0
Swap: 0 0 0
Total: 58928 40452 18476
#
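The question above can be answered from the listings already shown: /proc/partitions gives the size of every mtdblock in 1 KiB blocks, and /proc/driver/nand gives the chip size. The check below is an added example, not something from the post or from Zyxel; it embeds the post's own partition and NAND output as its input and confirms that mtdblock0 spans the whole 128 MiB chip while mtdblock1–9 tile that space exactly. The ramfs mounts (/var, /etc, /tmp, /media in the mounts listing) live in the 58928 kB of RAM reported by /proc/meminfo, which is a separate pool from the flash.

```python
import re
from typing import Dict, Tuple

# Copied from the post's /proc/partitions and /proc/driver/nand listings.
PARTITIONS = """major minor #blocks name

31 0 131072 mtdblock0
31 1 1024 mtdblock1
31 2 1024 mtdblock2
31 3 1024 mtdblock3
31 4 1024 mtdblock4
31 5 32768 mtdblock5
31 6 32768 mtdblock6
31 7 1024 mtdblock7
31 8 16384 mtdblock8
31 9 44032 mtdblock9
"""
NAND_INFO = "ID: 0xc2f1, total size: 128MiB\nCurrent working in polling mode\n"


def parse_partitions(text: str) -> Dict[str, int]:
    """Map device name -> size in 1 KiB blocks, skipping header/blank lines."""
    sizes: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # "major minor #blocks name" header or an empty line
        sizes[parts[3]] = int(parts[2])
    return sizes


def nand_size_mib(text: str) -> int:
    """Pull the chip size out of the nand driver's status line."""
    match = re.search(r"total size:\s*(\d+)MiB", text)
    if not match:
        raise ValueError("no NAND size in driver output")
    return int(match.group(1))


def flash_layout_check(parts: Dict[str, int], nand_mib: int) -> Tuple[int, int, bool]:
    """Return (size of mtdblock0 in MiB, sum of the other partitions in KiB
    blocks, whether the layout is consistent). Consistent means the other
    partitions add up to mtdblock0 and mtdblock0 equals the NAND chip size,
    i.e. mtdblock0 is the whole device and the rest are its partitions."""
    whole = parts["mtdblock0"]
    others = sum(size for name, size in parts.items() if name != "mtdblock0")
    whole_mib = whole // 1024
    return whole_mib, others, (others == whole and whole_mib == nand_mib)


if __name__ == "__main__":
    layout = parse_partitions(PARTITIONS)
    mib, tiled, ok = flash_layout_check(layout, nand_size_mib(NAND_INFO))
    print(f"mtdblock0 = {mib} MiB, partitions 1..9 cover {tiled} KiB, consistent = {ok}")
```

Reading the result: 4 × 1 MiB + 2 × 32 MiB + 1 MiB + 16 MiB + 43 MiB = 128 MiB, so yes, the box has a 128 MiB NAND and mtdblock0 is just the whole-chip view of it. The same check is handy on any embedded device whose partition table you want to sanity-check before dumping firmware from it.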

We broke the internet, by inventing the internet.

Rant… This is a rant.

But in short, by the birth of the internet – interconnected computing, and the applications of that era – why would not part of the first users take over in a hostile model what they started or, partially took over.

It’s a matter of cost. Looking back at my own involvement with the military – I get it. For low priority stuff you might even hook it up to the interwebs.

But – the problem is, they need to start just doing what we do with our normal armies. Stuff ’em as security at the border and threatening power. Not enslaving the whole of us. Not stepping on rules, and regulations the majority of us keep. I am not talking about the amount of data. The amount of data is irrelevant. It is the intent of the normal average person connected to the internet. The persona that thinks they have nothing to lose. Nothing to hide, and the worst fear is losing their smartphone.

Is it really about “defending ours”?

How about it’s time we simply stopped the intelligence community from walking into our living rooms, and the corporations from owning us instead of us being the consumer of their products.

Time to step up the game, by laying down the rules.

So.. What are the rules?

In war – spare the civilians.

If you have to wage wars on the webs, stop involving us, and our data.

Logging temperature data with Python / MySQL / Arduino over serial

A while back, I created an Arduino setup, and have since then been meaning to do something more useful with it.

Well, it took a while. I fiddled around a bit, and now finally managed to combine it with looking into python.

I’ve pasted the Python code in below; you will need python-mysql and pyserial (pip install).


import serial
import MySQLdb

ser = serial.Serial('COM3', 9600)
db = MySQLdb.connect(host="IP", user="USER", passwd="MYSECRET", db="DB")
cursor = db.cursor()
try:
    while True:
        # pyserial returns bytes on Python 3; decode before slicing
        out = ser.readline().decode("ascii", errors="replace")
        # example output: ' Temperature: 21.94 -  Humidity: 21.58\n'
        print(out)
        # fixed-offset fields of the example line above;
        # str.strip() returns a new string, so keep its result
        tempdata = out[14:19].strip()
        huedata = out[33:38].strip()
        # parameterised insert: the driver quotes the values itself
        cursor.execute(
            "INSERT INTO mytemperaturetable (`temp`,`hue`) VALUES (%s, %s)",
            (tempdata, huedata))
        db.commit()
finally:
    db.close()
    ser.close()

You can find my original post here.

For the Arduino you need to hook it up to something that takes the measurements; I did it and needed to fetch SHT1x.h.
The unclean Arduino code looks like this (it still beeps when the obvious heat comes on):


#include <SHT1x.h>   // Sensirion SHT1x library, fetched separately as noted above

#define dataPin 8
#define clockPin 12

int del = 100;          // LED blink length (ms)
int delo = 10000;       // pause between readings (ms); shortened while over the limit
int val = 0;
const int speakerPin = 6;
const char notes[] = "ccggaagffeeddc ";
const int beats[] = { 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 2, 4 };
const int length = sizeof (beats) / sizeof (beats [0]);
const int tempo = 50;

  
void playTone(int tone, int duration) {
 for (long i = 0; i < duration * 1000L; i += tone * 2) {
   digitalWrite(speakerPin, HIGH);
   delayMicroseconds(tone);
   digitalWrite(speakerPin, LOW);
   delayMicroseconds(tone);
 }
}
void playNote(char note, int duration) {
  const char names[] = { 'c', 'd', 'e', 'f', 'g', 'a', 'b', 'C' };
  const int tones[] = { 1915, 1700, 1519, 1432, 1275, 1136, 1014, 956 };
  for (int i = 0; i < 8; i++) {
    if (names[i] == note) {
	playTone(tones[i], duration);
    }
   }
}
void playTune (const char* notes, const int* beats, int length, int tempo)
{
  for (int i = 0; i < length; i++) {
    if (notes[i] == ' ') {
     delay(beats[i] * tempo); // rest
  } else {
     playNote(notes[i], beats[i] * tempo);
  }
  }
  delay(tempo / 2);
}

// The setup() method runs once, when the sketch starts
void setup()
{
  Serial.begin(9600);
  pinMode(2, OUTPUT);
  pinMode(3, OUTPUT);
  pinMode(4, OUTPUT);
  pinMode(5, OUTPUT);
  pinMode(6, OUTPUT);  
}

void loop()
{
  SHT1x sht1x(dataPin, clockPin);
  float tempC = sht1x.readTemperatureC();
  float tempF = sht1x.readTemperatureF();
  float humidity = sht1x.readHumidity(); 
  float maxtemp = 30.10; 
  
 
    if (tempC > maxtemp){
      delo = 1000;
      Serial.print("WARNING - HIGH TEMP");
      digitalWrite(2, HIGH);   // turn on LED on pin 2
      delay(del);              // wait (length determined by value of 'del')
      digitalWrite(2, LOW);    // turn it off

      digitalWrite(3, HIGH);   // turn on LED on pin 3
      delay(del);              // wait
      digitalWrite(3, LOW);    // turn it off
      
      digitalWrite(4, HIGH);   // turn on LED on pin 4
      delay(del);              // wait
      digitalWrite(4, LOW);    // turn it off
      
      digitalWrite(5, HIGH);   // turn on LED on pin 5
      delay(del);              // wait
      digitalWrite(5, LOW);    // turn it off
      
      digitalWrite(4, HIGH);   // turn on LED on pin 4
      delay(del);              // wait
      digitalWrite(4, LOW);    // turn it off

      digitalWrite(3, HIGH);   // turn on LED on pin 3
      delay(del);              // wait
      digitalWrite(3, LOW);    // turn it off

      playTune (notes, beats, length, tempo);
      
    }
    else
    {
     delo = 10000;
     digitalWrite(2, HIGH);   // turn on LED on pin 2
     delay(del);              // wait (length determined by value of 'del')
     digitalWrite(2, LOW);    // turn it off  
    }
 
  Serial.print(" delo = ");
  Serial.print(delo);
  Serial.print(" ");
  Serial.print(" Temp C - F: ");
  Serial.print(tempC);
  Serial.print(" - ");
  Serial.print(tempF);
  Serial.print(" Humidity :");
  Serial.print(humidity);
  Serial.print("\n");
  delay(delo); 
}
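One thing worth noticing when the two listings are read together: the Python logger slices the serial line at fixed offsets that match the example `' Temperature: 21.94 -  Humidity: 21.58'`, while the sketch actually prints `" delo = 10000  Temp C - F: 21.94 - 71.49 Humidity :21.58"`, sometimes with `WARNING - HIGH TEMP` glued in front because that line has no newline. The parser below is an added example, not part of the post: it reads both formats with a regex, copes with the bytes that pyserial hands back on Python 3, skips garbage, and inserts with a parameterised query so a malformed line can never end up inside the SQL text. The sample lines are constructed, and `EchoCursor` stands in for `db.cursor()` so it runs without a database.

```python
import re
from typing import NamedTuple, Optional, Tuple, Union


class Reading(NamedTuple):
    temp_c: float
    humidity: float
    warning: bool


# One pattern for both formats: "Temperature: <c>" from the post's example
# and "Temp C - F: <c> - <f>" from the sketch; only the Celsius value is kept.
_TEMP = re.compile(r"Temp(?:erature)?\s*(?:C\s*-\s*F)?\s*:\s*(-?\d+(?:\.\d+)?)")
_HUM = re.compile(r"Humidity\s*:\s*(-?\d+(?:\.\d+)?)")


def parse_reading(line: Union[bytes, str]) -> Optional[Reading]:
    """Parse one serial line (bytes as pyserial returns them, or str).
    Returns None for lines that carry no temperature/humidity pair."""
    if isinstance(line, bytes):
        line = line.decode("ascii", errors="replace")
    temp, hum = _TEMP.search(line), _HUM.search(line)
    if not (temp and hum):
        return None
    return Reading(float(temp.group(1)), float(hum.group(1)), "WARNING" in line)


# MySQLdb uses %s placeholders; the driver escapes the values, not us.
INSERT_SQL = "INSERT INTO mytemperaturetable (`temp`,`hue`) VALUES (%s, %s)"


def store_reading(cursor, reading: Reading) -> Tuple[float, float]:
    """Parameterised insert; returns the tuple handed to the driver."""
    params = (reading.temp_c, reading.humidity)
    cursor.execute(INSERT_SQL, params)
    return params


# Constructed sample lines: the post's example format, the sketch's real output
# format, the same with the WARNING prefix, and boot-time line noise.
SAMPLE_LINES = [
    b" Temperature: 21.94 -  Humidity: 21.58\n",
    b" delo = 10000  Temp C - F: 21.94 - 71.49 Humidity :21.58\n",
    b"WARNING - HIGH TEMP delo = 1000  Temp C - F: 31.20 - 88.16 Humidity :40.00\n",
    b"\xff\xfe garbled boot noise\n",
]


class EchoCursor:
    """Stand-in for db.cursor() when running without MySQL: just prints."""

    def execute(self, sql: str, params: Tuple[float, float]) -> None:
        print(sql, params)


if __name__ == "__main__":
    cur = EchoCursor()
    for raw in SAMPLE_LINES:
        reading = parse_reading(raw)
        if reading is None:
            print("skipped:", raw)
        else:
            store_reading(cur, reading)
```

In the real logger, replace `EchoCursor()` with `db.cursor()` and `SAMPLE_LINES` with `iter(ser.readline, b"")`, and call `db.commit()` after each `store_reading`; the `warning` flag is there so the database side can react to the sketch's high-temperature alarm without parsing it again.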

FreeCom MusicPal

Still have my old trusty Freecom MusicPal as alarmclock. Tried to get another one, but even ebay came out short… Sad sad day.

However, I need to document the following tweakies;

Get usable info from the web interface – and be able to start telnet access;

http://[IP]/admin/cgi-bin/debug

telnet straight over with root. Your web-access usr/pwd also works.

Live data is used in /home/etc, with symlinks to /etc/ for “changeable” things.

My version, 1.67 uses;

2.6.16.16-88w8xx8 #438 PREEMPT Wed Dec 2 14:00:59 UTC 2009 armv5tejl unknown

With the layout of:

$ df -h
Filesystem Size Used Available Use% Mounted on
/dev/mtdblock0 7.3M 6.8M 460.0k 94% /
tmpfs 9.0M 48.0k 9.0M 1% /tmp
tmpfs 1.0M 0 1.0M 0% /dev
/dev/mtdblock1 384.0k 224.0k 160.0k 58% /home

The superduper cpu is;

$ cat /proc/cpu
/proc/cpu/ /proc/cpuinfo
~ $ cat /proc/cpuinfo
Processor : ARM926EJ-Sid(wb) rev 1 (v5l)
BogoMIPS : 175.30
Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TE
CPU variant : 0x1
CPU part : 0x926
CPU revision : 1
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format C
Cache format : Harvard
I size : 32768
I assoc : 1
I line length : 32
I sets : 1024
D size : 32768
D assoc : 4
D line length : 32
D sets : 256

Hardware : MV88W8618-HS35
Revision : 0031
Serial : 0000000000000000

Memory with idle runs around;

$ free
total used free shared buffers
Mem: 29132 13372 15760 0 0
Swap: 0 0 0
Total: 29132 13372 15760

Thanks to tolletechnik for having written this up back in 2008 (in German.. ).