Browse Month

July 2016

Fixes for VM: No Internet Connectivity

Have you ever experienced situations when you Virtual Machines (VM) were unable to connect to the internet after you have boot it up?

Initially, you probably only have a loopback IP address like the following, well, you are not alone – it happened to me when I was setting up my new Kali Linux or Ubuntu VM as well.

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:56011078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56011078 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4792283266 (4.4 GiB)  TX bytes:4792283266 (4.4 GiB)

You have probably restarted your networking services,

service restart networking

Or performed all kind of different steps, configuring your network, subnet, dhcp, etc information at /etc/network/interfaces but to no avail… you probably have an IP address, but you cannot connect to the internet.

ping: www.google.com: Name or service not known

Today, I am going to share a fix for this issue. It is actually very simple, but it took me a series of troubleshooting before I discover these simple steps to resolve this issue.

Step 1: Simply download the vmnetcfg.exe file, you can easily find an updated copy of the file from the internet. Don’t forget to scan it using virustotal, make it a habit.

By the way, if you are interested, vmnetcfg.exe is a tool which allow users to manage a Windows host computer’s virtual interfaces.

Step 2: Place the vmnetcfg.exe file inside your program files folder.

It is probably located at the default location of “C:\Program Files (x86)\VMware\VMware Workstation” when you installed VMware Workstation to your computer.

Step 3: Here is the most important part. Run your vmnetcfg.exe file, you will find the following window appearing on your screen.

Look for your VMnet0 or whichever port that is mapped to your machine’s network card, select the option of “Bridged (connect VMs directly to the external network)” and choose your network card in the drop down list. When you are done, click “OK” and there you go, your issue is probably fixed.

vm_no_internet_issue

Well, I hope that this post has served you well and helped you save some time.

RSA Conference 2016 Asia Pacific & Japan

My Thoughts on RSA Conference 2016 APAC

Last week, I attended the RSA Conference 2016 Asia Pacific & Japan which was held at Marina Bay Sands (MBS), Singapore. It was a pretty enriching experience as I get to not only hear directly from various security vendors about how their products are beneficial to the industry, but also get to attend keynote sessions with top-rated speakers in the information security industry.

RSA Conference 2016 Asia Pacific & Japan

RSA Conference 2016 Asia Pacific & Japan

There were many security vendors in the Sands Grand Ballroom level 5 with their respective booths being setup with their newest products. Each booths run their own product demonstration in every 1 or 2 hours intervals. Can see that most of the presenters are pretty enthusiastic in sharing their products’ new features.

RSA Conference 2016 Asia Pacific & Japan

To see the full list of exhibitors which have setup a product demonstration booth to share about their products, you can check out this link.

There were also some companies which also gotten a place to share about their products in an open area called the Demo Theatre. It is like a mini stage with a number of chairs. Unfortunately, there were not many attendees. I’m glad I attended a few sessions though and learnt quite a bit about how an enterprise can incorporate various types of products to improve on their security defenses to protect their company’s information and data.

RSA Conference 2016 Asia Pacific & Japan

Check out the full list of sessions at the Demo Theatre on this link.

Moving on to the best part of the event, the keynote sessions. Having attended the session on 21 July 2016, I sat in for all 4 of the keynote sessions.

RSA Conference 2016 Asia Pacific & Japan

First off is the “Security in the World-Sized Web” by Bruce Schneier. He came to raise the awareness to the information security experts in the industry about the uprising of IoT (Internet of Things) world-wide robots. These IoT devices are collecting information for a purpose, just like what robots are doing. These increased usage and coverage of IoT devices will not only give power to defenders, but also the attackers. He is suggesting for smart government involvement in this area, as he believe that regardless of whether we desire for it, government are going to be part of this. Therefore, the better way of involvement is to be involved “smartly”. And lastly, policy makers need to know about the technology, which is probably, not necessarily the case in today’s industry, and this have to be changed.

Next up is the “Business Defence – Managing the Insider Threat with Security Analytics” by Alex Taverner. He talks about how insider threat has always been an issue with companies, but it is remained largely neglected in the defensive security industry. He proposed a solution from his company (or any other company, if any) which could allow an enterprise to make use of various data sources to identify insider threats, such as the social media and the behavior of the employees. I feel that while this is something interesting and definitely helpful to a large company, the collection of data is something very difficult to be implemented. Even if it is implemented forcefully, it may not be enforced and thus, practical. Without accurate data, given the best formula and analytic tools, the results would not be beneficial, do you not agree?

RSA Conference 2016 Asia Pacific & Japan

Moving on to “Maximize the Value of Your Threat Intelligence” by Jason Rolleston. He discussed about the topic of effective protection, which is something I strongly agreed. A large company can definitely invest in all the newest technologies and software, but how well do they truly integrates? Check out the image above, this is a very true situation in many companies which I have come across either personally or understood through my contacts. Allow me to put them into text,

Emerging challenge will lead to an isolated tactical mode, where the challenge overwhelm the security teams of a large corporation. The management team will then invest in the procurement of a new technology or products without proper evaluation on how well they could integrate with the existing systems. After much struggling and a long time taken, they finally managed to complete the integration with various implementation design flaws here and there, which lead to a short-lived efficiency. After a number of such scenarios have taken place in the company, it will lead to technology sprawl where once again, the vicious cycle of security team being overwhelmed will take place again. Management need to have the far sight and try to understand the technology instead of blindly follow the trend and keep investing without planning.

RSA Conference 2016 Asia Pacific & Japan

Lastly, we have the “How to Build a World-Class Network Defence Organization” by Chris Coryea. This man gives an aura of confidence, the entire speech really leaves a strong impression to me. He shared a lot of real life examples on how a corporation can build a strong network defense through various key areas. The only complaint that I have is that he focuses too strongly on his company’s product, other than that, I really like his session. In fact, allow me to share one of the statements which he shared during his session, which I like the most, and fully agreed upon (with both hands),

Technology can be taught, the framework can be integrated – but focusing on the analytical mindset is the common thread for building an effective team.

In short, to build the best security defense team, you don’t necessarily need people who have “computer science” background or “master in forensics” in their CV or resume, what you need is people with a strong passion and hunger to solve tough problems.

n00bz Level 14

Hacking for n00bz – Level 14

Level 14 shows the exact same format of a file to be downloaded, just like some of the past few levels. So, let’s download it and get started with some analysis.

n00bz Level 14

Well, it seems like there is no file to be downloaded after all, upon clicking “Yes”, it basically opens up a phpMyAdmin SQL Dump with a lot of information, mainly the databases related to level 14. Strange enough, it seems like there was a WordPress blog being setup in this database before. There were many information in this dump, including the admin login credentials.

Among the entire list, one of the most suspicious record is definitely the id number 104 record of the “friends” table,

INSERT INTO `friends` (`id`, `name`, `address`, `status`) VALUES
(104, ‘\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073’, ‘annoying’, ‘0x0a’);

Why is the name field made up from so many weird characters and numbers?

The string is actually a hexadecimal value being written into text. See the double backslash symbol, it is for displaying the string on HTML without having any syntax error. In order to see the “real” value, you should replace the double backslash symbols (\\) with single backslash symbols (\). You can do it yourself, or choose to copy from mine (I did it using notepad’s Find and Replace feature…)

\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073

If you throw it into a Hexadecimal to ASCII converter tool, you will get the flag for level 14, “infosec_flagis_whatsorceryisthis

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz

n00bz Level 13

Hacking for n00bz – Level 13

Level 13 require us to find the backup file for the challenge. Well, looks like the search for the backup file is the challenge itself.

n00bz Level 13

I tried to navigate to some of the common web pages which I can think of, such as /levelthirteen-backup.php, /levelthirteen_backup.php, /archive.php, /archives.php, /backup.php, /backups.php, and etc., but there seems to be no luck. After that, I read some forums, seems like some people do quick backup based on dates or version, such as /levelthirteen.php.20160520 or /levelthirteen.php.v2.2, and etc.

And then there are also some people who conveniently add a “old” behind the file name… such as /levelthirteen.php.old, which in this case, is the location where the backup of level 13 is stored. Trial and error – checked!

As shared in my previous write-ups, I like to use file and strings on any files which I come across to perform a simple check. And that is exactly what I did.

strings levelthirteen.php.old

Based on the content of the backup file, we can see a new PHP code snippet which prompts us to download a mysterious file, “misc/imadecoy” – just the same way in the past challenges. I bet you are getting a hang of it by now. Let’s check what is that new mysterious file we just downloaded.

file imadecoy

Below is the output:

imadecoy: tcpdump capture file (little-endian) – version 2.4 (Linux “cooked”, capture length 65535)

Looks like it is a tcpdump capture file. Remember we used Wireshark to open and analyse the pcap file in level 6? Let’s do the same for this file.

First, you open the file and as you can see, there are a lot of DNS traffic. Let’s look for HTTP traffic by performing a packet display filter,

tcp contains http

n00bz Level 13

Looks like there are quite a number of files related to honeypy that were transmitted during the tcpdump capture. You will also notice that the source and destination are both 127.0.0.1 / localhost. If that is the case, you cannot go to the same website to see what are the contents. However, you can export the objects. Simply go to “File > Export Objects > HTTP…” and you will see the following prompt,

n00bz Level 13

You can choose to save all files and perform further analysis. For level 13, you will only require “HoneyPY.PNG” file as the flag is right in the file, flag is “infosec_flagis_morepackets

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz

  • 1
  • 2