Thursday, September 06, 2012

SANS Webcast: Passing the CompTIA CASP Exam

I'll be conducting a webcast on September 7th called Passing the CompTIA CASP Exam.

If you miss the live webcast, an archive will be posted shortly thereafter.

My slide deck is posted here.

As I posted previously:
It is based on the new CompTIA Advanced Security Practitioner (CASP) certification, which is the first in CompTIA's "Mastery Series of Exams". 
I passed the CASP a few months ago, and was thoroughly impressed. It seems designed to be a more technical alternative to the CISSP. CompTIA has stated that it is targeted for IA Technical Level III and IA Management Level II of the US DoD Directive 8570. The CASP exam was also recently ISO certified.
'The CASP is the result of our being advised over a couple of years that the Department of Defense was looking for a more technical security exam to include in the “IA Technical Level III” job classification, for those military and military contractors who are in information assurance roles.  The job classification that I referred to is in the Dept. of Defense “8570” directive that requires certification of all information assurance personnel.
The CASP is targeted at the lead security professional in the enterprise environment who has years of experience with security considerations specific to large multi-location organizations.  The U.S. military refers to that environment as the “enclave”, which means the same thing as the enterprise in the corporate environment.'
Source: CASP – The Evolution of Technical Security Certifications? (ethicalhacker.net)



Wednesday, July 11, 2012

Teensy talk at SANSFIRE SANS360

I'm reposting some information from a previous post, for a SANS360 talk tonight at SANSFIRE 2012
My paper is available here. The Arduino sketches used in my talk are here.
Here are the resources I used to launch the Teensy attack:
Here are some excellent Teensy articles:

Monday, July 02, 2012

CISSP Study Guide, 2nd Edition

Just a quick note to say the CISSP Study Guide, 2nd Edition, will be out in a few weeks. More details to follow: stay tuned.

Here's the Amazon Link.

Here's the Syngress link.

Monday, May 14, 2012

Installing OpenWRT on a RouterBOARD 750GL

I have a project that requires a small Linux router/firewall, with a requirement of no wireless (due to physical security policies for the site). There are many third-party firmware options for wireless routers, with distributions such as DD-WRT and OpenWRT on APs from Linksys, Buffalo, etc. But the options for a simple wired router are more limited.

I found this excellent post: OpenWRT on Mikrotik Routerboard 411/750 on Wolfs Tech Blog, which indicated that OpenWRT is flashable onto a RouterBoard 750GL. I bought a pair from rOc-nOc.com. They were $59.95 each via Google Checkout, and shipping was fast.

I highly recommend rOc-nOc.com: great service!

The RouterBOARD 750GL has 5 gigabit ports, 64MB of SDRAM, 64MB NAND, and it literally fits in the palm of your hand.
RouterBOARDs ship with a proprietary RouterOS, but my project requires Linux.

I used the Wolfs Tech Blog post as my guide for installation, with help from this German post, with an assist from Google Translate. I ran into a few gotchas, so I thought I'd save someone else future grief and post my step-by-step instructions. Firmware installation can be tricky: there is no serial or display port on the 750GL, so you need to "fly blind" and install over the network.

I used Xubuntu 12.4 as the OS for building OpenWRT, and as the TFTP/DHCP server to boot the RouterBoard via the network. I initially tried using a VMware Workstation guest, but later encountered problems making the DHCP server work properly via a bridged interface. I ended up installing to USB, booted off the USB, and ran Xubuntu natively.

Install the required packages and Wireshark (which will be handy later):
$ sudo apt-get install subversion
$ sudo apt-get install g++ gawk libncurses5-dev zlib1g-dev git-core
$ sudo apt-get install dhcp3-server atftpd apache2
$ sudo apt-get install wireshark
Download the OpenWRT trunk code with Subversion and "make menuconfig":
$ cd
$ mkdir openwrt
$ cd openwrt
$ svn co svn://svn.openwrt.org/openwrt/trunk
$ cd trunk
$ make menuconfig
We need to compile twice: once for the .tar.gz file, and once for the ramdisk. Two builds are needed because the .tar.gz image has different requirements than the ramdisk, such as squashfs.

First the tar.gz file:

Choose:
  • Target System: Atheros AR7xxx/AR9xxx 
  • Subtarget: (Devices with NAND flash (mostly Mikrotik)) 
  • Target Images: .tar.gz
Exit and type "make". It will take a long time to compile.

When complete, type the following:
$ cp ~/openwrt/trunk/bin/ar71xx/openwrt-ar71xx-nand-vmlinux-initramfs.elf /var/www
$ cp ~/openwrt/trunk/bin/ar71xx/openwrt-ar71xx-nand-rootfs.tar.gz /var/www
This prepares them for the "wget2nand" flashing step, coming up later.

Next the ramdisk:
$ cd ~/openwrt/trunk
$ make clean
$ make menuconfig
Choose:
  • Target System: Atheros AR7xxx/AR9xxx 
  • Subtarget: (Devices with NAND flash (mostly Mikrotik)) 
  • Target Images: ramdisk
Exit and type "make". 

When complete copy the ramdisk to /srv/tftp:
$ cp ~/openwrt/trunk/bin/ar71xx/openwrt-ar71xx-nand-vmlinux-initramfs.elf /srv/tftp/
Configure atftpd and isc-dhcp-server. I used 192.168.1.3 as the TFTP server address, and assigned 192.168.1.99 to the RouterBoard. Avoid 192.168.1.1 (the default OpenWRT IP address).

Edit /etc/network/interfaces, use 192.168.1.3 as a static IP address:
auto eth0
iface eth0 inet static
address 192.168.1.3
netmask 255.255.255.0
Edit /etc/default/atftpd. The changes from the stock file are USE_INETD=false and the added --bind-address option:
USE_INETD=false
OPTIONS="--bind-address 192.168.1.3 --tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr 239.239.239.0-255 --mcast-ttl 1 --maxthread 100 --verbose=5 /srv/tftp"
Locate the first MAC address printed on the label on the bottom of the RouterBOARD 750GL. Then edit /etc/dhcp/dhcpd.conf, and use that first listed MAC address as the hardware ethernet address:
authoritative;
allow booting;
allow bootp;
one-lease-per-client true;

subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.254;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  ignore client-updates;
}

group {
  host routerboard {
    hardware ethernet 00:0c:42:aa:bb:cc;
    next-server 192.168.1.3;
    fixed-address 192.168.1.99;
    filename "openwrt-ar71xx-nand-vmlinux-initramfs.elf";
  }
}
Now restart networking, atftpd and isc-dhcp-server:
$ sudo /etc/init.d/networking restart
$ sudo /etc/init.d/atftpd restart
$ sudo /etc/init.d/isc-dhcp-server restart
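As an added example (not part of the original post), the following shell script generates the dhcpd.conf above from the board's MAC address, checking the MAC format first. Because the 750GL has no console, a mistyped hardware ethernet line just means the board never gets a lease and nothing shows up in Wireshark, so it is worth refusing to write a bad config at all. The addresses and image name are the ones used in this post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the isc-dhcp-server
# configuration used for the network boot from the board's MAC address,
# refusing to write a config if the MAC is malformed: the 750GL has no console,
# so a bad "hardware ethernet" line just shows up as silence in Wireshark.
# Assumed values: the addresses and image name are the ones used in the post;
# the function names are this example's own.

# valid_mac MAC: true if MAC is six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# normalize_mac MAC: lowercase, which is how dhcpd prints MACs in syslog,
# so the generated config and the log lines can be compared by eye.
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# dhcpd_conf MAC TFTP_IP BOARD_IP IMAGE: print a complete dhcpd.conf.
# Returns 1 (and prints nothing) when the MAC does not validate.
dhcpd_conf() {
    mac=$1; tftp_ip=$2; board_ip=$3; image=$4
    valid_mac "$mac" || { echo "refusing to write config: bad MAC '$mac'" >&2; return 1; }
    mac=$(normalize_mac "$mac")
    cat <<EOF
authoritative;
allow booting;
allow bootp;
one-lease-per-client true;

subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.254;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  ignore client-updates;
}

group {
  host routerboard {
    hardware ethernet $mac;
    next-server $tftp_ip;
    fixed-address $board_ip;
    filename "$image";
  }
}
EOF
}

# image_present TFTP_ROOT IMAGE: the ramdisk must already be in the TFTP root
# (/srv/tftp in the post) before the board asks for it.
image_present() {
    [ -r "$1/$2" ]
}

# Usage (with the post's values): write the config to a file of your choosing,
# then copy it over /etc/dhcp/dhcpd.conf and restart isc-dhcp-server.
# dhcpd_conf 00:0c:42:aa:bb:cc 192.168.1.3 192.168.1.99 \
#     openwrt-ar71xx-nand-vmlinux-initramfs.elf > dhcpd.conf.new
```

Run image_present /srv/tftp openwrt-ar71xx-nand-vmlinux-initramfs.elf before pressing the reset button; the board only ever requests the one filename in the config, so a missing or unreadable file is the other silent failure.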
Run Wireshark, sniffing on eth0, to watch network traffic.

Boot the RouterBOARD 750GL via TFTP:
  • Connect an ethernet cable between port 1 on the RouterBOARD 750GL and the TFTP server.
    • Other ports won't work 
  • Press the small "RES" button and plug in the power cable. 
  • The "PWR" and "ACT" lights will illuminate. Then "ACT" will flash, and finally stop. 
  • Now release the "RES" button. 
  • The 750GL should request a DHCP address, receive 192.168.1.99, download openwrt-ar71xx-nand-vmlinux-initramfs.elf via TFTP, and boot OpenWRT. 
Use Wireshark to ensure everything's working; look for the TFTP "DATA Packet" packets to verify the ramdisk download.
The device will boot OpenWRT and use IP address 192.168.1.1.
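Wireshark shows that a transfer happened; it does not by itself show that the whole image arrived. As an added example (not from the original post), the shell functions below check a text export of the capture. TFTP sends a file as numbered 512-byte data blocks, so a file of SIZE bytes takes SIZE/512 + 1 blocks (the last one short, or empty when SIZE is an exact multiple of 512), and the highest block number seen, with no gaps, should equal that count. The sample lines are constructed to imitate tshark's one-line TFTP summaries (an assumption about the format; adjust the grep pattern if your export differs), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify from a text export of the
# capture that the ramdisk download over TFTP completed. The sample below is
# constructed; its lines imitate tshark's one-line TFTP summary (assumed format).

# expected_tftp_blocks SIZE [BLKSIZE]: number of DATA blocks a SIZE-byte file
# takes. The final block is short, or empty when SIZE is a multiple of BLKSIZE,
# which is why it is always floor(SIZE/BLKSIZE) + 1.
expected_tftp_blocks() {
    echo $(( $1 / ${2:-512} + 1 ))
}

# tftp_blocks_seen FILE: unique block numbers of DATA packets, sorted numerically.
# Retransmitted blocks collapse to one entry.
tftp_blocks_seen() {
    grep 'Data Packet, Block:' "$1" \
        | sed -n 's/.*Block: \([0-9][0-9]*\).*/\1/p' \
        | sort -n -u
}

tftp_unique_count() { tftp_blocks_seen "$1" | wc -l | tr -d ' '; }
tftp_last_block()   { tftp_blocks_seen "$1" | tail -n 1; }

# tftp_missing_blocks FILE EXPECTED: print every block number in 1..EXPECTED
# that never appeared, one per line (nothing printed means no gaps).
tftp_missing_blocks() {
    tftp_blocks_seen "$1" | awk -v n="$2" \
        '{ seen[$1] = 1 } END { for (i = 1; i <= n; i++) if (!(i in seen)) print i }'
}

# tftp_transfer_complete FILE SIZE [BLKSIZE]: true when every expected block was
# seen and the highest block number is the last one.
tftp_transfer_complete() {
    expected=$(expected_tftp_blocks "$2" "${3:-512}")
    last=$(tftp_last_block "$1")
    [ -n "$last" ] \
        && [ "$(tftp_unique_count "$1")" -eq "$expected" ] \
        && [ "$last" -eq "$expected" ]
}

# sample_capture: constructed lines for a 1100-byte image (3 blocks: 512, 512, 76),
# including one retransmitted data block (block 2) and the client's acknowledgements.
sample_capture() {
    cat <<'EOF'
1 0.000 192.168.1.99 -> 192.168.1.3 TFTP Read Request, File: openwrt-ar71xx-nand-vmlinux-initramfs.elf, Transfer type: octet
2 0.001 192.168.1.3 -> 192.168.1.99 TFTP Data Packet, Block: 1
3 0.002 192.168.1.99 -> 192.168.1.3 TFTP Acknowledgement, Block: 1
4 0.003 192.168.1.3 -> 192.168.1.99 TFTP Data Packet, Block: 2
5 0.503 192.168.1.3 -> 192.168.1.99 TFTP Data Packet, Block: 2
6 0.504 192.168.1.99 -> 192.168.1.3 TFTP Acknowledgement, Block: 2
7 0.505 192.168.1.3 -> 192.168.1.99 TFTP Data Packet, Block: 3
8 0.506 192.168.1.99 -> 192.168.1.3 TFTP Acknowledgement, Block: 3
EOF
}

# Stand-alone demo. On a real capture, replace sample_capture with a file saved
# from Wireshark as plain text, and 1100 with the byte size of the .elf in /srv/tftp.
f=$(mktemp)
sample_capture > "$f"
if tftp_transfer_complete "$f" 1100; then
    echo "transfer complete: $(tftp_last_block "$f") blocks"
else
    echo "transfer incomplete; missing blocks:"
    tftp_missing_blocks "$f" "$(expected_tftp_blocks 1100)"
fi
rm -f "$f"
```

For the real image, take the byte size from ls -l /srv/tftp/openwrt-ar71xx-nand-vmlinux-initramfs.elf; a 2717k kernel, as shown in the wget2nand output later in this post, works out to well over five thousand blocks, which is why counting them by hand in Wireshark is not practical.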

Swap the cable to a different port to access OpenWRT. I used port 2 (port 1 won't work). Then telnet to the device:
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to openwrt.lan.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.19.4 (2012-05-10 11:17:53 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 ATTITUDE ADJUSTMENT (Bleeding Edge, r31673)
 -----------------------------------------------------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@OpenWrt:/# 
Now that the 750GL has booted to ramdisk, the last step is flashing OpenWRT to make it permanent.

WARNING: the next steps will erase the existing RouterOS installation. Make sure to back up the OS, configuration and license first.
root@OpenWrt:/# wget2nand http://192.168.1.3
Connecting to 192.168.1.3 (192.168.1.3:80)
kernel               100% |*******************************|  2717k  0:00:00 ETA
Connecting to 192.168.1.3 (192.168.1.3:80)
rootfs.tgz           100% |*******************************|  1222k  0:00:00 ETA
Erasing filesystem...
Mounting /dev/mtdblock2 as new root and /dev/mtdblock1 as kernel partition
Copying kernel...
Preparing filesystem...
...
Cleaning up...
Image written, you can now reboot.  Remember to change the boot source to Boot from Nand
The 750GL should boot OpenWRT natively and respond to pings shortly.

Friday, March 23, 2012

USB Reloaded: the Teensy Attack

I'm posting this information in advance of my "USB Reloaded: the Teensy Attack" lightning talk, which I am delivering at SANS 2012 in Orlando. The talk is part of SANS360: Top Security Takeaways. The talk is scheduled for Tuesday, March 27, 2012 at 7:30 PM EDT and will be streamed live here.


Ten talks in 60 minutes, with 360 seconds per speaker. I can't wait!


My paper is available here. The Arduino sketches used in my talk are here.


Here are the resources I used to launch the Teensy attack:
Here are some excellent Teensy articles:

Wednesday, February 08, 2012

Announcing SANS Security 528: SANS Training Program for the New CompTIA Advanced Security Practitioner Certification

I am happy to announce my brand-new SANS course: SANS Security 528, SANS Training Program for the New CompTIA Advanced Security Practitioner Certification.

It is based on the new CompTIA Advanced Security Practitioner (CASP) certification, which is the first in CompTIA's "Mastery Series of Exams".

I passed the CASP a few months ago, and was thoroughly impressed. It seems designed to be a more technical alternative to the CISSP. CompTIA has stated that it is targeted for IA Technical Level III and IA Management Level II of the US DoD Directive 8570. The CASP exam was also recently ISO certified.

The CASP is the result of our being advised over a couple of years that the Department of Defense was looking for a more technical security exam to include in the “IA Technical Level III” job classification, for those military and military contractors who are in information assurance roles.  The job classification that I referred to is in the Dept. of Defense “8570” directive that requires certification of all information assurance personnel.
The CASP is targeted at the lead security professional in the enterprise environment who has years of experience with security considerations specific to large multi-location organizations.  The U.S. military refers to that environment as the “enclave”, which means the same thing as the enterprise in the corporate environment.  
Source: CASP – The Evolution of Technical Security Certifications? (ethicalhacker.net)