
T-Shirt Phishing and Code Injection

On Saturday evening at the HackInBo Security Dinner organized by Mario here in Bologna I wore the Phishing T-shirt designed by Oscar Cauda (Hey Graphic) for the first time; the shirt was quite a hit and several of you asked me where I bought it and whether it is possible to buy more.

There are two T-shirts, both designed by Oscar, bearing the words “Code Injection” and “Phishing”. They were produced by Teezily in November 2016 through a small crowdfunding campaign: at least 10 orders were needed to start production. Once the minimum order was reached, both T-shirts shipped in December 2016 and I received them in February; yes, it takes a long time.

Currently you can register your interest in the T-shirt, and when Teezily receives enough reservations a new production run will take place.

Reservation link:

Alternatively they are also available on the Designbyhumans store, but I have no direct experience with that store.


For my English friends: I bought the “Phishing” and “Code Injection” T-shirts on Teezily through a crowdfunding campaign. You can now register your interest in buying them; when enough other people are interested, more T-shirts will be produced.

Link for reservation on Teezily:

Alternatively there is the Designbyhumans store, but I have no experience with that store.

QNAP: Restore Samba (SMB) functioning

Recently I changed my QNAP, moving from an old 32-bit model to a recent 64-bit one. The new NAS enabled me to install the 4.3.x firmware, which introduces many new features and uses 64-bit computing.

The migration coincided with WannaCry (I found an article on the Homelab blog on how to exploit this vulnerability on QNAP NAS devices), and Samba (SMB) was no longer running on my NAS. I don’t know whether it is due to the WannaCry patch or to the NAS/firmware change, but Samba would not start anymore! Several people on the official QNAP forum complain about the same problem.

I solved it by connecting to the NAS via SSH and editing the Samba configuration file. A small guide…

$ smb2status

smbd (samba daemon) Version 3.6.25
smbd (samba daemon) is not running.
max protocol SMB 2.1 enabled.

Typing the smb2status command gave me “smbd is not running” in the output, even though the web interface was correctly active.

$ mv /etc/config/smb.conf /etc/config/smb.conf.old

This makes a backup copy of the Samba configuration file, saved as smb.conf.old. Then I read the default configuration file:

$ cat /etc/default_config/smb.conf

Copy the contents of this file locally, into the text editor you prefer, then read the old configuration file:

$ cat /etc/config/smb.conf.old

Immediately after the global section ([GLOBAL] … …) you will find the definitions of each of your shared folders; just copy them into your local text file.

You will then have a file composed of the [GLOBAL] variables from the default file, followed by the variables of each of your shared folders from the old file. Example:

[global]

[Multimedia]
….

[Download]

[Web]

[Public]
….

Now recreate the configuration file by pasting the newly built text into it:

$ rm /etc/config/smb.conf

$ vi /etc/config/smb.conf

Once the new Samba configuration file is pasted in, restart Samba:

$ /etc/init.d/smb.sh restart

After the restart has finished, type smb2status again and it should be OK:

$ smb2status

smbd (samba daemon) Version 4.4.14
smbd (samba daemon) is running.
max protocol SMB 3.0 enabled.
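The merge step above (the [global] section from the default file, the share sections from the backup) can be scripted instead of done by hand. This is an added example, not a QNAP tool; the file paths are the QNAP ones from the article, and section names are compared case-insensitively because the firmware writes [global] while the article shows [GLOBAL].

```shell
#!/bin/sh
# Rebuild smb.conf as the article describes: [global] comes from the firmware
# default file, every share section comes from the backed-up old file.

# Print one section of an smb.conf-style file, header line included. A section
# runs from its "[name]" line up to (not including) the next "[...]" header.
smb_section() {  # smb_section FILE NAME
    awk -v want="$2" '
        /^[ \t]*\[/ {
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            inside = (tolower(name) == tolower(want))
        }
        inside { print }
    ' "$1"
}

# List the share names in FILE: every section header except [global].
smb_share_names() {  # smb_share_names FILE
    awk '
        /^[ \t]*\[/ {
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            if (tolower(name) != "global") print name
        }
    ' "$1"
}

# merge_smb_conf DEFAULT_CONF OLD_CONF -> merged configuration on stdout
merge_smb_conf() {
    smb_section "$1" global
    smb_share_names "$2" | while IFS= read -r share; do
        echo
        smb_section "$2" "$share"
    done
}

# On the NAS, after the "mv" backup step from the article:
# merge_smb_conf /etc/default_config/smb.conf /etc/config/smb.conf.old > /etc/config/smb.conf
# /etc/init.d/smb.sh restart
```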


Install ProxMox on Hetzner Dedicated Server

In this short article I want to explain an alternative method to install ProxMox on a dedicated server purchased from Hetzner.

Hetzner, which I consider one of the best European providers, does not offer a free KVM on its servers, so the installation phase of an operating system can be limiting without a graphical interface.

To install ProxMox I have so far followed Hetzner’s official guides, that is, installing a Debian machine, adding the ProxMox repositories, and installing the packages.

But I’ve always had trouble configuring the file system (ZFS, LVM, etc.).

These aspects are much easier to handle using the official ProxMox ISO and the GUI that follows you step by step through the installation.

So can you leverage the official ISO and GUI? Yes, it is possible 🙂 follow these steps:

  1. Start your machine in rescue mode with Linux 64bit;
  2. Connect to your dedicated server via SSH;
  3. Install QEMU ($ apt-get install qemu);
  4. Download ProxMox ISO (Select last ISO image on https://www.proxmox.com/en/downloads) and save locally in proxmox.iso file;
  5. Start QEMU Emulator ($ qemu-system-x86_64 -m 1024 -hda /dev/sda -hdb /dev/sdb -cdrom proxmox.iso -boot d -vnc :0);
  6. Connect via VNC to your server on port 5900, and follow the installation procedure;
  7. Reboot the rescue system.

Ok, now the system is installed ;) Simple!
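The QEMU command in step 5 can be wrapped in a small script that checks the inputs first. This is an added example, not from Hetzner or Proxmox, and it differs from the article in one point: `-vnc :0` makes QEMU listen on every interface of the rescue system with no password, so the installer console is reachable from the whole Internet during the install; the script binds VNC to 127.0.0.1 instead, to be reached through an SSH tunnel. The paths (/dev/sda, /dev/sdb, proxmox.iso) are assumptions matching the article.

```shell
#!/bin/sh
# Build the qemu-system-x86_64 command for the ProxMox installer with the VNC
# console bound to localhost only. On your workstation, open the tunnel with
#   ssh -L 5900:127.0.0.1:5900 root@<rescue-ip>
# and then point the VNC client at localhost:5900.

# installer_cmd ISO DISK [DISK...]  -> prints the command line on stdout
# Returns 1 (printing nothing on stdout) if the ISO or a disk is missing.
installer_cmd() {
    iso=$1
    shift
    [ -r "$iso" ] || { echo "ISO not readable: $iso" >&2; return 1; }
    [ $# -ge 1 ] || { echo "at least one target disk is required" >&2; return 1; }
    cmd="qemu-system-x86_64 -m 1024 -cdrom $iso -boot d -vnc 127.0.0.1:0"
    for disk in "$@"; do
        [ -e "$disk" ] || { echo "disk not found: $disk" >&2; return 1; }
        # Same order as -hda/-hdb in the article; raw format for whole disks.
        cmd="$cmd -drive file=$disk,format=raw,if=ide"
    done
    echo "$cmd"
}

# Run the installer (uncomment on the rescue system):
# eval "$(installer_cmd proxmox.iso /dev/sda /dev/sdb)"
```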

Two more tips: repositories and Let’s Encrypt!

ProxMox provides two types of repository, free and paid. If you want to use the free one you have to change the source list.

Open the file /etc/apt/sources.list.d/pve-install-repo.list and remove or edit its content, which should be:

deb http://download.proxmox.com/debian jessie pve-no-subscription

Currently the Debian main distribution is Jessie; when it is updated (e.g. Stretch), you will need to update this line accordingly.

Finally, I recommend using a valid SSL certificate to connect to the ProxMox web GUI; on the official wiki there is a great guide!

Install Root & Intermediate Certificate Bundles on QNAP!

Unfortunately QNAP does not ship root and intermediate certificate bundles, which means that no system software (such as curl or wget) can easily access SSL sites.

The following guide, partially taken from Stefan Wienert, lets you install the complete root certificate bundle.

Connect via SSH to your QNAP NAS and type the following commands:

# cd /share/
# curl https://curl.haxx.se/ca/cacert.pem -O -k
# mkdir certs
# cat cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "certs/cert" n ".pem"}'
# cd certs
# for filename in cert*pem;do mv $filename `openssl x509 -hash -noout -in $filename`.0; done;
# cp *.0 /etc/ssl/certs/

I’ve tried it on the QTS 4.2.x firmware released in May 2017 and it works perfectly.

Hacking Lab: Virtualize Metasploitable on ProxMox

Proxmox is open source server virtualization management software. It is a Debian-based Linux distribution and perfect for creating your hacking lab on your local network.

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Never expose this VM to an untrusted network 😉 it’s very dangerous!

On my YouTube channel you can find a video guide on virtualizing Metasploitable on ProxMox!

Finally, you can find a list of all vulnerabilities in Metasploitable on the official Rapid7 website.


[English Version] Remotely reboot of HP and other printers!

(I apologize for my bad English; the Italian version is here.)

Premise

My HP LaserJet Pro reliably shows two problems after several days without activity. The most obvious one affects the scanner function, which produces scans with vertical bars of different colours across the page. The second issue involves printing, which becomes very slow in receiving data. Both problems seem to be related to incorrect management of the RAM, which gets saturated when the printer is left unused for several days.

Customer support recommends performing an NVRAM reset, but this procedure loses all the configuration. It’s been over a year since I and other users reported this problem, but nothing has changed. Unfortunately no firmware update has been released (the last one was in February 2015), which also leaves several vulnerabilities unresolved (such as OpenSSL ones).

To quickly solve the problems described above a manual reboot of the printer is enough, but I am always in a hurry when I happen to do a scan and notice the problem, which forces me to wait further.

In the past I checked whether it was possible to perform a reboot by software, and to automate the process, but unfortunately neither the web interface nor Telnet has a restart function. Absurd! I then found a first procedure via FTP that did not work (the printer printed a blank page), and a second procedure, again via FTP, sending a custom text string. This second procedure had no effect at all.

During the feast of Santo Stefano (26 December) my wife had various material to print for her blog, and the printer was evidently slow in receiving the data (from memory, I had last used the printer 7 days earlier): the first print job of 11 sheets took about 13 minutes, while after a restart printing the same material took less than two minutes.

I looked again for a way to reboot automatically and found an article on a German blog (I could not identify the author) illustrating a procedure run from Microsoft PowerShell that uses the SNMP protocol.

$PrinterIP = "192.168.1.87"
$SNMP = New-Object -ComObject olePrn.OleSNMP
$SNMP.Open($PrinterIP, "public")
$SNMP.Set(".1.3.6.1.2.1.43.5.1.1.3.1",4)
$SNMP.Close()

For Linux/Unix you must install the SNMP package, using aptitude:

sudo apt-get install snmp

and you can reboot the HP printer from the terminal with the simple command:

snmpset -v 1 -c public 192.168.1.87 ".1.3.6.1.2.1.43.5.1.1.3.1" i 4

You have to replace 192.168.1.87 with the IP address of your printer.

I then decided to add a cron job on my home server which runs a reboot at 2 am every 2 days:

0 2 */2 * * /usr/bin/snmpset -v 1 -c public 192.168.2.41 ".1.3.6.1.2.1.43.5.1.1.3.1" i 4

IT Security: Remotely Reboot Without Password

With these steps I finally solved the problem, but I noticed that there is no authentication request in the command I type.

The SNMP protocol is used by many printers to communicate to the user/client the state the printer is in (in use, document added to the queue, cartridge empty, etc.) and uses UDP port 161 for requests and responses, and UDP port 162 as the destination for notification messages.

I then exposed port 161 of my printer on the Internet, together with its web interface. From an external connection I ran the command described above against the public IP of my VDSL connection and was able to remotely reboot the printer. Yes, I restarted my printer without any authentication.

The printer displays a “Restarting …” message as soon as it receives the restart command.

Using Shodan I discovered nearly 3 million devices connected to the Internet with port 161 open, but they are not just printers. A more precise search locates 30248 HP devices with port 161 open, but also other brands: 494 Epson devices, 4235 Exor devices and 541 Lexmark devices.

I did a test on a Lexmark printer connected remotely: it is also possible to restart it. I did not carry out tests on Epson, Exor or other brands’ devices because I do not have them. If someone has a printer of another brand and wants to test it, I can update this article with your results.

A printer should not be exposed on the Internet; on this point I think we all agree. But manufacturers should pay attention to the implementation of the functionality and security of the devices they sell. An attacker could continuously restart the printers of a hospital infrastructure or a large company, blocking the printing of reports or important documents.

Or just wake your friends up in the night with the noise of the rollers of their laser printer! 😀

[UPDATE]

From the official HP forum I learned that a firmware that fixes the issue was released privately; inexplicably it has not been made public.

The firmware is dated September 24, 2015 (M276_colorMFP_Series_FW_Update-20150924.exe)! The file hashes are:

    • MD5: 880def824221e2ac394947ba62c35642
    • SHA1: b719e646fff20cd89ecdb40d7658aef822e7353c
    • SHA256: 00281dc29c2821b77617517b2407fc7f216db4b12fa889cfbb690d7d74c57004

Download: M276_colorMFP_Series_FW_Update-20150924.exe

I DO NOT take any responsibility for using this firmware.