<p>WhiteWinterWolf.com - pentest (https://www.whitewinterwolf.com/, feed updated 2017-11-23)</p>
<p><strong>macof.py is now available</strong> (WhiteWinterWolf, 2017-10-25)</p>
<p><code>macof.py</code> is a <span class="caps">MAC</span> address table overflow utility.</p>
<p>The traditional tool for <span class="caps">MAC</span> table overflow attacks is <code>macof</code> from the
<a href="https://www.monkey.org/~dugsong/dsniff/" rel="external" title="dsniff project homepage">dsniff</a> project.
However, I was not satisfied with this tool.</p>
<p>In particular:</p>
<ul>
<li>
<p><code>macof</code> has no rate limit mechanism: it sends the packets as fast as the
local <span class="caps">CPU</span> and the network adapter can support.</p>
<p>This leaves no room for a proper interception of users’ data.</p>
</li>
<li>
<p>Half of the packets generated by <code>macof</code> <a href="/posts/2016/06/26/how-to-run-a-cam-table-overflow-attack-in-gns3/#using-the-right-tool" title="How to run a CAM table overflow attack in GNS3">violate</a> the Ethernet
protocol by having the multicast bit set on the sender’s <span class="caps">MAC</span> address.</p>
<p>As a result, these packets are considered corrupted and silently dropped by
the first switch they encounter.</p>
<p>In other words, half of the packets generated by <code>macof</code> are generated
for nothing.</p>
</li>
<li>
<p><code>macof</code> constantly uses random <span class="caps">MAC</span> addresses for generated packets, meaning
that a given source <span class="caps">MAC</span> address is rarely used more than once.</p>
<p>This means that the switches’ <span class="caps">MAC</span> table aging system will regularly clean the
table of all malicious entries.
Of course, the table will fill up again in a few seconds, but these seconds
may be enough for the switch to learn a few more legitimate addresses.
As a result, data destined to these addresses won’t be broadcast anymore.</p>
<p>In other words, the interception process is, here again, unreliable.</p>
</li>
</ul>
<p>Most of these issues are probably due to the fact that this tool is now quite
old and seemingly unmaintained (last update in 2000).</p>
<p>I therefore decided to implement my own version, <code>macof.py</code>, compatible with
most options from dsniff’s <code>macof</code>:</p>
<ul>
<li>
<p><code>macof.py</code> allows tuning the frame emission rate to minimize the impact on
the attacker’s host and the network resources as much as possible.</p>
<p>This offers a more reliable propagation of the forged <span class="caps">MAC</span> addresses
throughout the switched network and a more efficient interception of
broadcast data.</p>
</li>
<li>
<p><code>macof.py</code> sends only valid frames, effectively updating the switches’ <span class="caps">MAC</span>
address tables.</p>
</li>
<li>
<p><code>macof.py</code> first locally pre-generates a certain number of Ethernet frames,
each with a unique random source <span class="caps">MAC</span> address, and then replays this same
set of frames in a loop for the whole attack duration.</p>
<p>This effectively simulates genuine device activity, forcing the switches to
regularly reset the associated aging timers, keeping their <span class="caps">MAC</span> address
tables filled without interruption.</p>
</li>
</ul>
<p>In addition, the functionality of <code>macof.py</code> can be easily included in larger Python projects.</p>
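<p>As an added, defender-side illustration (not code from <code>macof.py</code> or dsniff), the following Python script turns two of the points above into a check that can run over switch port observations: it discards source addresses with the multicast bit set, exactly the frames a switch silently drops, and it flags any port on which the number of distinct valid source addresses seen inside a time window exceeds a per-port limit, which is the symptom a table overflow produces whatever the emission rate. The observation tuples, port names, window and limit values are constructed sample data, not a real capture.</p>

```python
"""Defender-side detection of MAC address table flooding.

Added example, not code from macof.py or dsniff. The observation tuples
below are constructed sample data, not a real capture.

Two points from the post are made concrete:
  * A source MAC with the I/G (multicast) bit set is invalid on the wire;
    a switch will never learn it, so such frames are ignored here, the
    same way they are ignored by the first switch they reach.
  * A flooding host makes one port learn thousands of distinct source
    MACs in a short time, which no legitimate host population does. The
    peak number of distinct valid sources per port within a sliding time
    window is therefore a usable alarm signal.
"""
from collections import defaultdict


def is_unicast_source(mac: str) -> bool:
    """True if `mac` can legitimately be a frame's source address.

    The least significant bit of the first octet is the I/G bit: 1 means a
    group (multicast or broadcast) address, never valid as a source.
    """
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x01 == 0


def peak_distinct_sources(observations, window_seconds):
    """Peak count of distinct valid source MACs per port in any window.

    `observations` is an iterable of (port, source_mac, timestamp_seconds),
    as a mirror port, sFlow collector or MAC-notification log could feed in.
    Returns {port: peak}.
    """
    per_port = defaultdict(list)
    for port, mac, ts in observations:
        if is_unicast_source(mac):           # drop frames a switch would not learn
            per_port[port].append((ts, mac.lower()))

    peaks = {}
    for port, events in per_port.items():
        events.sort()                        # order by timestamp
        active = {}                          # mac -> occurrences inside the window
        start = 0
        peak = 0
        for ts, mac in events:
            active[mac] = active.get(mac, 0) + 1
            # Expire events that fell out of the window ending at `ts`.
            while events[start][0] < ts - window_seconds:
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            peak = max(peak, len(active))
        peaks[port] = peak
    return peaks


def flooding_ports(observations, window_seconds=10.0, max_sources=100):
    """Ports whose peak distinct-source count exceeds `max_sources`.

    `max_sources` plays the role of a per-port learned-address limit: pick
    it from the largest host count a single port legitimately serves.
    """
    peaks = peak_distinct_sources(observations, window_seconds)
    return sorted(p for p, n in peaks.items() if n > max_sources)


# Constructed sample: two quiet ports and one port receiving a flood of
# locally administered (02:...) unicast sources, plus one multicast-source
# frame that must not be counted.
SAMPLE_OBSERVATIONS = [
    ("Gi0/1", "3c:52:82:aa:bb:01", 0.0),
    ("Gi0/1", "3c:52:82:aa:bb:02", 0.5),
    ("Gi0/1", "3C:52:82:AA:BB:01", 4.0),      # same host again, different case
    ("Gi0/2", "f4:8e:38:10:00:01", 0.1),
    ("Gi0/3", "01:00:5e:00:00:fb", 0.2),      # I/G bit set: not learnable
] + [
    ("Gi0/3", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), 1.0 + i * 0.001)
    for i in range(5000)
]

if __name__ == "__main__":
    print(peak_distinct_sources(SAMPLE_OBSERVATIONS, 10.0))
    print("flooding:", flooding_ports(SAMPLE_OBSERVATIONS))
```

<p>Run stand-alone, the script prints the per-port peaks and reports <code>Gi0/3</code> as the flooding port. The quantity it alarms on, distinct addresses learned per port, is the same one a learned-address limit configured on the switch port caps; replaying a fixed set of forged frames keeps the entries alive but does not change that count, so the check is not defeated by the aging-timer trick described above.</p>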
<h3 id="get-it"><a class="toclink" href="#get-it">Get it</a></h3>
<p><em>macof.py</em> is <a href="https://github.com/WhiteWinterWolf/macof.py" rel="external" title="macof.py page on GitHub">freely available</a> (<span class="caps">GPL</span> v3).</p>
<p>Latest news on the project can be found on the <a href="/tags/macofpy/" title="macof.py project homepage">project’s main page</a>.</p>
<h3 id="install-it"><a class="toclink" href="#install-it">Install it</a></h3>
<p><code>macof.py</code> and its accompanying man page can be installed system-wide using the
following commands:</p>
<div class="codehilite"><pre>install -m 755 -D -t /usr/local/bin ./macof.py
mkdir -p /usr/local/share/man/man1
gzip -c ./macof.py.1 >/usr/local/share/man/man1/macof.py.1.gz
</pre></div>
<h3 id="documentation"><a class="toclink" href="#documentation">Documentation</a></h3>
<ul>
<li>
<p>The <a href="/man/1/macof.py/" title="macof.py(1) man page"><code>macof.py</code>(1) man page</a> describes <code>macof.py</code> usage and options.
It also provides advice and examples covering the most common use-cases.</p>
</li>
<li>
<p>You can also read this <a href="/posts/2017/10/25/mac-address-table-overflow/" title="MAC address table overflow">practical use-case</a>, part of a series
on network layer 2 exploitation and protection.</p>
</li>
</ul>
<h3 id="report-an-issue"><a class="toclink" href="#report-an-issue">Report an issue</a></h3>
<p>Please send bug reports to the <a href="http://github.com/WhiteWinterWolf/macof.py/issues" rel="external" title="macof.py issues (GitHub)">macof.py issues page</a> on GitHub.</p>
<p><strong>EC-Council CEH certification review</strong> (WhiteWinterWolf, published 2017-10-04, updated 2017-10-06)</p>
<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
The <a href="https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/" rel="external" title="CEH certification homepage (EC-Council)"><abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> Certified Ethical Hacker</a> (<span class="caps">CEH</span>) is a technical
certification on penetration testing.</p>
<p>While being oriented toward technical people, the certification itself
goes lightly on the practical side and insists instead on having a broad
general culture.
This certification covers definitions, concepts and tools, and puts a strong
focus on ethics.</p>
<p>This certification never goes really deep into any subject, but instead
attempts to cover the widest possible range of topics related to pentesting.
Examples of covered topics include cryptography, regulation and compliance,
operating systems (client, server and mobile systems are all covered),
networking (including wireless networking), procedures, code review,
physical security, social engineering and, last but not least, ethics.</p>
</li>
<li>
<p><strong>When</strong>:
This certification has no prerequisite (two years of experience in <span class="caps">IT</span>
security allows you to avoid the training requirement, while subscribing to an
approved training removes any experience prerequisite).</p>
<p>It is suitable for anyone interested in computer security.
People with really no prior knowledge of computer security may find
themselves lost at first in the large number of topics covered by this
certification.
This just means that they will require more time to study, and to progress
step by step.
With some effort even complete beginners on the topic should be able to succeed.</p>
</li>
<li>
<p><strong>Why</strong>:
This certification demonstrates a strong general culture in penetration
testing, the offensive side of <span class="caps">IT</span> security.</p>
<p>This certification however has little to no value in demonstrating
practical abilities (on the other hand, more practical certifications cannot
cover such a wide range of subjects).
This is not a problem for entry-level jobs where no practical experience is
expected; however, for more advanced levels a complementary certification may
be useful.</p>
<p>For <span class="caps">US</span> people, this certification is part of the list of
<a href="https://iase.disa.mil/iawip/Pages/iabaseline.aspx" rel="external" title="DoD Approved 8570 Baseline Certifications (IASE)"><abbr title="Department of Defense">DoD</abbr> 8570.01-M</a> approved certifications, so it may open you
some doors with government entities or contractors.
If you intend to use it just as a label on your resume, you may want to
compare the cost of a <span class="caps">CEH</span> with other certifications: it may or may not be
the best choice depending on your specific situation and needs.</p>
</li>
<li>
<p><strong>Who</strong>:
This certification is mostly useful for people entering the field of <span class="caps">IT</span>
security and people regularly manipulating security-related tools or
issues and wanting to deepen their knowledge from an offensive point-of-view.</p>
<ul>
<li>
<p>People entering the field of <span class="caps">IT</span> security, either as a pentester or in
another role, will obviously directly benefit from the general culture
built by this certification.</p>
<p>People already with a few years of full-time work in the <span class="caps">IT</span> security
field may not benefit the most from this certification.
While it may help to fill some weaker areas, specialized certifications
focusing on identified weaknesses may be a better investment.</p>
</li>
<li>
<p>People regularly manipulating security-related tools or issues, a
typical example being system administrators, also benefit from this
certification by gaining knowledge of the offensive side of <span class="caps">IT</span> security.</p>
<p>This is a topic which is rarely covered in usual system and network
security certifications, but which is mandatory in my opinion for
a sane approach to security and risk evaluation.</p>
<p>As <a href="https://en.wikiquote.org/wiki/Sun_Tzu" rel="external" title="Sun Tzu (Wikipedia)">Sun Tzu</a> once wrote:</p>
<blockquote>
<p>If you know your enemies and know yourself, you will not be imperiled
in a hundred battles… if you do not know your enemies nor yourself,
you will be imperiled in every single battle.</p>
</blockquote>
<p>I just feel sorry for all those system administrators and <span class="caps">IT</span> managers
who rely solely on vendors’ marketing discourse to make their
decisions.
They may sometimes spend huge amounts of money and effort on
things which will only marginally improve their security posture, while
leaving vulnerable entry points wide open, either because they are less
profitable to their vendors or because they are too specific to appear on
automated security assessment dashboards.</p>
<p>This certification allows you to get a more critical point of view on the things
that really matter in terms of security, and to better challenge vendors
to get the most out of their offerings.</p>
</li>
</ul>
</li>
<li>
<p><strong>Where</strong>:
The <span class="caps">CEH</span> exam can be taken in any Pearson <span class="caps">VUE</span> or Prometric test center.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If you cannot justify more than two years of experience in
<span class="caps">IT</span> security (and if you can, as stated above, you may want to double-check
whether this certification is indeed the most appropriate for you), you must
subscribe to an official training to be eligible to take the exam.</p>
<p>See the <a href="#mandatory-training">mandatory training</a> section below for more information.</p>
</div>
<p>The exam cost has considerably increased since I took it myself.
The exam itself now costs around <a href="https://store.eccouncil.org/product/ceh-vue-exam-voucher/" rel="external" title="CEH VUE Exam Voucher (EC-Council store)">$1000 <span class="caps">USD</span></a> (since <span class="caps">CEH</span> v9;
<span class="caps">CEH</span> v7 and v8 cost $500), plus a non-refundable eligibility
application fee of $100, but all this is usually bundled in the price of
the nearly-mandatory training you must take.
All people certified after January 1st 2016 must also pay an
<a href="https://store.eccouncil.org/product/ece-membership-fee/" rel="external" title="ECE Annual Membership fee (EC-Council store)">$80</a> annual membership fee to keep their certification.</p>
<p>The exam itself is composed of 125 multiple-choice questions you must answer
in 4 hours.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>The exam conditions vary depending on where you take the exam.
See the <a href="#examination-process">examination process</a> section for more information.</p>
</div>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>If you are already familiar with offensive security, then you will need little
to no practice for this exam.
Personally my only practice was for the <abbr title="Open Source Intelligence"><span class="caps">OSINT</span></abbr> part, which introduced me to new
tools and techniques, but this is a very minor point and took, all in all, a single afternoon.</p>
<p>The <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> provides you as part of the official courseware a huge archive
containing 40 <span class="caps">GB</span> of Windows software (6 DVDs for the disc-based version).
Personally I never used them and have no use for them either (well, there was
a 3-minute video about Kevin Mitnick, the only file usable on my
Linux box and the only one I bothered to open).
Even if I need to work on a Windows machine, I think I would prefer to download
the latest version of a given software directly from the project website than
use a potentially outdated version from such archives.</p>
<p>Nevertheless, people not familiar with offensive security will find in the
<span class="caps">CEH</span> curriculum material for a lot of practical exercises, as numerous
tools and techniques are mentioned in the curriculum.
In such a case, if nothing else the archive is at least a safe way to ensure that
you have access to the software described in the course (even though there is
sadly not a 1:1 match between the software mentioned in the course and the
software available in the archive, and the software available in the archive
may not be up to date).</p>
<p>Unless explicitly mentioned, the <span class="caps">CEH</span> exam won’t test you on any advanced
feature of the mentioned tools.
What is important is to know their name, when and how they are most commonly
used and how they work internally at a high level.
Corner cases are usually out-of-topic.</p>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<p>As stated in the <a href="https://cert.eccouncil.org/application-process-eligibility.html#ceh" rel="external" title="CEH eligibility criteria (EC-Council)"><span class="caps">CEH</span> eligibility criteria</a>, if you cannot justify
more than two years of professional experience in an <span class="caps">IT</span> security job, you
<em>must</em> buy training from an <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> partner to be eligible to take the exam.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Buying the <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> official courseware does not count as an official
training.
The eligibility criteria page may seem confusing about this, but this is
(a bit more) clearly stated in the <a href="https://store.eccouncil.org/product/cehv9-courseware-im/" rel="external" title="CEHv9 e-Courseware Only (EC-Council store)">courseware</a> page (emphasis is mine):</p>
<blockquote>
<p>Exam voucher is not included.
<strong>Students must apply for eligibility before purchasing exam voucher.</strong>
Please check the eligibility criteria</p>
</blockquote>
</div>
<p>This is not a question about your current skills and knowledge, nor a
question about your sense of organization allowing you to reliably
self-study from books.
In my opinion this is a question of <em>business</em>: it is the way for the
<abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> to bring guaranteed customers (and money) to its partner training companies.</p>
<p>Fortunately, several companies provide affordable e-learning courses that
satisfy these prerequisites.
So the most affordable route to the <span class="caps">CEH</span> exam is to study from books as you
would do for any other exam, and then subscribe to such e-learning courses to
satisfy the exam eligibility conditions.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>E-learning offers often go by period.
Self-learning on your side before starting the e-learning program allows
you to ensure that you won’t need to renew or buy training time extensions,
which may often be very expensive.</p>
<p>I suspect that some training providers have a business model where they
sell one-month (for instance) e-learning training sessions at a very low
price to attract customers, with the assumption that no student will ever
be able to go through the whole <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> curriculum in such a short time, so
they will be able to fund themselves by selling overpriced time extensions.</p>
<p>A <span class="caps">CEH</span> exam is very expensive when you have to pay for it from your own pocket
(even more now; personally I’m not even sure I would do it now), so you may
want to act wisely.</p>
</div>
<h5 id="self-study"><a class="toclink" href="#self-study">Self-study</a></h5>
<p><span class="lb-small"><a href="#books.jpg" id="books.jpg-thumb" title="Click to enlarge"><img alt="Recommended self-study books" src="https://www.whitewinterwolf.com/posts/2017/10/04/ec-council-ceh-certification-review/books.jpg"/></a></span></p>
<p>The books by <a href="https://www.amazon.com/Certified-Ethical-Hacker-Guide-Third/dp/125983655X/?tag=electronicfro-20" rel="external" title="CEH Certified Ethical Hacker All-in-One Exam Guide, Third Edition (Amazon)">Matt Walker</a> (<em>All-in-One</em> series) and
<a href="https://www.amazon.com/CEH-v9-Certified-Ethical-Version/dp/1119252245/?tag=electronicfro-20" rel="external" title="CEH v9: Certified Ethical Hacker Version 9 Study Guide (Amazon)">Sean-Philip Oriyano</a> (<em>Sybex</em>) are safe bets for your studies.
I recommend buying both as they complement each other well.
Which one you will use as your primary study material is left to your choosing.</p>
<p>Personally I spent more time with Matt’s book as it is written in a
more enjoyable style, with personal anecdotes scattered throughout the book.</p>
<p>Sean-Philip however goes deeper into background information, which
comes in particularly handy in areas where Matt’s book may be lighter (like
cryptography or wireless networks), but Matt provides some information missing
from Sean-Philip’s book.
Moreover, having two books is useful when you want to double-check an
“<abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> approved” definition.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Beware of technical terms and definitions when studying for the <span class="caps">CEH</span> exam.
Some may more reflect <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>‘s own opinion on a specific matter than a
universally accepted position.</p>
<p>In such cases the <span class="caps">CEH</span> exam is not about what <em>you</em> think.
It is testing whether or not you know <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>‘s own position on the matter.</p>
<p>The books mentioned here are well written and do not refrain from
highlighting such discrepancies between the <span class="caps">CEH</span> curriculum and the usual
field practices.
Their ultimate goal is indeed not to make you become certified but to make
you become a reliable professional.</p>
</div>
<p>Matt’s book is also provided with a free <em>.pdf</em> version of the book.
I found it especially useful to quickly search throughout the book for any
given term.</p>
<p>Now both are also available in bundled versions providing more exam-like
questions (see <a href="https://www.amazon.com/Certified-Ethical-Hacker-Bundle-Third/dp/125983753X/?tag=electronicfro-20" rel="external" title="CEH Certified Ethical Hacker Bundle, Third Edition (All-In-One) (Amazon)">here</a> and <a href="https://www.amazon.com/CEH-v9-Certified-Ethical-Version/dp/1119314003/?tag=electronicfro-20" rel="external" title="CEH v9: Certified Ethical Hacker Version 9 Kit">there</a>).
When I took my exam only Matt’s book offered this; I took advantage of
it and was happy with the questions.
However, depending on the mandatory training offer you subscribe to, this
may be optional.</p>
<p>The books’ questions do a great job in allowing you to thoroughly test
your knowledge and detect weak areas, but they are not actual <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>
questions.
I strongly recommend also getting your hands on questions from old exams; depending
on the formula you subscribe to, you may get them as part of your mandatory
training (after having signed a non-disclosure agreement, of course).
They will help you prepare to better handle <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>‘s sometimes
odd questions and phrasing.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Also fetch a book on Metasploit.
I would recommend it even if you already know how to use it:
a lot of people only know the features they commonly use and ignore the
existence of certain other features.</p>
<p>Matt only very briefly presents it, Sean-Philip doesn’t even mention it
(according to the index), and you will most likely get questions on it in
your exam (mainly about features and names).</p>
<p>I bought <a href="https://www.amazon.com/Mastering-Metasploit-Nipun-Jaswal/dp/1782162224/?tag=electronicfro-20" rel="external" title="Mastering Metasploit (Amazon)">Mastering Metasploit</a> by Nipun Jaswal, which provides a
good introduction to everything you need to know about Metasploit, but other
books may also be fine.</p>
<p>As with anything else, there is no requirement of any practical experience
with Metasploit to pass the exam, so simply reading the book once should be sufficient.</p>
</div>
<h5 id="mandatory-training"><a class="toclink" href="#mandatory-training">Mandatory training</a></h5>
<p>The cheapest <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> approved training formulas may be quite barebones.
As with any official training, you will be provided with:</p>
<ul>
<li>The 40 <span class="caps">GB</span> archive of Windows software I mentioned in the
<a href="#building-a-lab">building a lab</a> section.</li>
<li>A set of more than 2000 slides in <em>.pdf</em> files (in fact
<span class="caps">DRM</span>-protected 1-year limited <em>.pdf</em> files readable only on Windows hosts
allowing connections to a non-standard, potentially firewalled port to
<abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> servers to validate your right to open the file).
While these files may be usable very occasionally to confirm <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>‘s
official position on certain topics, I consider them unusable for self-learning.</li>
</ul>
<p>Depending on your formula, you may also have access to some kind of forum or
chat to ask questions to a trainer, and you may also have an option to get
access to exam-like questions.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If your e-learning formula proposes exam questions as an option and at
a reasonable price, seriously consider subscribing to it as it may be a
very good investment.</p>
<p><span class="caps">CEH</span> questions and expected answers may sometimes seem… odd.
Official training partners usually have access to genuine <span class="caps">CEH</span> questions
from past exams protected behind a <abbr title="Non-Disclosure-Agreement"><span class="caps">NDA</span></abbr>.</p>
<p>These exam questions were the highest value I got from my mandatory
training, and they helped me far more than the questions
available in published books (those are good to test your knowledge, less
good to prepare you against <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>‘s specific tricks).</p>
</div>
<p>When choosing a training, you must make sure:</p>
<ul>
<li>
<p>That it is an official training counting as a replacement for the two
years of experience requirement.
Don’t assume it, as some training providers may use ambiguous marketing
buzzwords and logos: contact them and check this explicitly.</p>
</li>
<li>
<p>Check whether or not the exam voucher is included in the training
price.
Either way is good, but the exam voucher alone is around $1000 <span class="caps">USD</span> so
you must take this into account when comparing training prices from
different providers.</p>
</li>
</ul>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>The <span class="caps">CEH</span> curriculum is very wide, and successfully allows you to build a general culture
in a large number of domains.</p>
<p>It is light regarding practical training, but I think this is intended and, as
long as it is expected, I don’t consider this a negative point:</p>
<ul>
<li>
<p>The curriculum is designed to teach a body of knowledge not only for actual
pentesters but also for people more remotely involved with <span class="caps">IT</span> security like
system administrators for instance.</p>
<p>People planning to become pentesters usually already have a practical
knowledge that system administrators (to keep the same example) may not
have.
I therefore consider it normal that they may consider this certification to
be weak from a practical point of view: it simply targets a wider
audience than pure <span class="caps">IT</span> security experts.</p>
</li>
<li>
<p>Due to the wide range of domains covered, entering into the details of each
domain would make the <span class="caps">CEH</span> curriculum size grow exponentially while
answering no real need as no one needs a detailed knowledge of everything.</p>
<p>This certification provides a strong general culture.
When a topic requires further digging, closer study can be done as the
need arises, either as part of a personal technology watch or as part of
another, more focused certification.</p>
</li>
</ul>
<p>This certification has a strong focus on learning definitions and software
names.
While I understand the need for definitions to establish a common language, and
the need for software names to be able to invoke the right tool for a given task,
the <span class="caps">CEH</span> curriculum pushes this either too far or not far enough, I don’t know, but
the software names part in particular left me a very uncomfortable feeling.</p>
<ul>
<li>
<p>Either there is a list of software that any security professional is meant
to know.
In such a case, the <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> should publish this list as part of the <span class="caps">CEH</span> curriculum.</p>
<p>Currently the names of several hundred tools and websites (URLs) are
mentioned, most often only once and given in an informal example,
scattered over the 2000+ official slides.
However, each tool and website name may be equally testable.
I don’t see how one is expected to study this.</p>
<p>The <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> should publish a standalone index of well-known security
tools and reference websites.
This would both make studying easier, and allow the <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> to put a
stronger focus on the tools and information sources that <em>they</em> consider
essential for the profession.</p>
<p>This would be a win-win.</p>
</li>
<li>
<p>Otherwise, questions about software and site names should be made less frequent
to carry less weight in the final score.</p>
<p>I passed the <span class="caps">CISSP</span> exam too, another certification which follows a similar
“general culture” goal to the <span class="caps">CEH</span>.
The <span class="caps">CISSP</span> also mentions some tools and websites as part of the curriculum,
but very few, so our attention can remain focused on actionable information,
and there are really few questions about such names during the exam as this is
not considered major knowledge.</p>
<p>Simply knowing a set of names doesn’t make you a greater practitioner in the field.</p>
</li>
</ul>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<h5 id="questions-quality"><a class="toclink" href="#questions-quality">Questions quality</a></h5>
<p>While for all the <a href="/tags/certification" title="See other certification articles">other certifications</a> I have covered until now I always
began this section by stating <em>“the questions are clear and unambiguous”</em>,
I won’t do this here.</p>
<p>A noticeable number of <span class="caps">CEH</span> exam questions are definitely unclear, ambiguous
or out of nowhere, or the expected answer is dubious if not plain wrong (see
this <a href="https://security.stackexchange.com/q/170274/32746" rel="external" title="Is the site wrong about an ethical hacking question or am I? (Stack Exchange)">example</a>).
Expect to lose 10-15% of your total score on such questions: as it is random
it may be less, but it shouldn’t be more.</p>
<p>While this is a significant number, it shouldn’t prevent you from
successfully passing the exam; just don’t expect to ever reach 100%, either in
realistic practice exams or in the final exam.
During training, just ensure that you consistently get at least 85% of the
answers right, and you should be fine for the final exam.</p>
<h5 id="examination-process"><a class="toclink" href="#examination-process">Examination process</a></h5>
<p>The examination process varies depending on the location where you pass the exam:</p>
<ul>
<li>
<p>Prometric test centers deliver exams in conditions similar to common
practice exams: 125 questions, 4 hours, with the
possibility to review previous questions at any time.</p>
</li>
<li>
<p>Pearson <span class="caps">VUE</span> test centers divide the exam into several sections, following
the <a href="https://www.eccouncil.org/wp-content/uploads/2016/02/CEH-Exam-Blueprint-v2.0.pdf" rel="external" title="CEH Exam Blueprint v2.0 (EC-Council)"><span class="caps">CEH</span> Blueprint</a> sections.
The sections come in random order.</p>
<p>The 4 hours are divided between these sections in proportion to their number of
questions; the shortest time is for the <em>Ethics</em> section, where the three
questions must be answered in less than 5 minutes (it is really scary when
you are not prepared for this! Moreover, <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> “ethics” questions may
be really confusing at times…).</p>
<p>To make things worse, the time not used in a previous section is <em>not</em>
added to the following section.
Say you had 30 minutes left in a section and the next one is
the <em>Ethics</em> one: the timer still starts at 5 minutes, in bold orange
warning mode.</p>
<p>Finally, while you can review previous questions from the current section,
you cannot go back to previously validated sections.
Each section behaves as an individual exam.</p>
</li>
</ul>
<p>Needless to say, the Pearson <span class="caps">VUE</span> examination process is far more stressful
and less convenient than the Prometric one, in particular when you are not
expecting it (I didn’t find this documented anywhere) and are wondering
during the whole exam whether you are facing a bug or whether it is normal (it is
indeed “normal”, one of the many surprises awaiting <span class="caps">CEH</span> students ;) !).</p>
<p>At least, dear reader, <em>you</em> are now warned and can prepare yourself!</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>The <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> heavily relies on marketing:</p>
<ul>
<li>
<p>Their website is stuffed with buzzwords: open-source security tools become
<em>“Underground Hacking Tools”</em>, a virtual lab becomes a <em>“Cyber range”</em>,
and of course the entry-level <span class="caps">CEH</span> certification is described as:</p>
<blockquote>
<p>The Certified Ethical Hacker program is the pinnacle of the most desired
information security training program any information security
professional will ever want to be in.</p>
</blockquote>
</li>
<li>
<p>Preparing for the exam is very expensive, with an ingenious system to push
students to training centers.</p>
<p>When I passed my certification, prices were far lower than they are now
(the voucher price increased by 100%, just <span class="caps">WTF</span>?) and no annual fee was
required.
Personally I’m not sure I would do it under the current conditions, at least
not from my own pocket.</p>
</li>
<li>
<p>Their student resources are protected with highly demonstrative security.</p>
<p>The website is protected using mandatory two-factor authentication. Well,
in fact a one-time code is sent to your mailbox upon each connection attempt,
but this is indeed two-factor, isn’t it?
And despite being a bother to use, at least it significantly improves
security, doesn’t it?</p>
<p>And once connected to your student area, you can download their slides as
<span class="caps">DRM</span>-protected <em>.pdf</em> files requiring a Windows host and an update of your
firewall rules to be opened.
But these files must be very precious to be so carefully protected!</p>
</li>
<li>
<p>The learning material seems both very classy, very impressive, and very useless.</p>
<p>I still don’t know what to do with their six DVDs full of Windows
hAx0r 1337 stuffz (whoops, sorry, <em>“Underground Hacking Tools”</em>).
Their 2000+ slides are also all very eye-candy, crafted by professional
graphic designers, very colorful with a lot of graphical effects and so
on… all of which makes them completely unusable for a proper learning
experience, where the medium must not distract the student.</p>
</li>
<li>
<p>Once you have passed the exam, you very regularly receive ads for paid events
organized by the <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> (but rest easy, you benefit from “exclusive”
discounts reserved for the elite you now belong to!).</p>
</li>
</ul>
<p><a href="https://youtu.be/1dkn_40nf-U?t=54" rel="external" title="'Going Postal' excerpt (YouTube)"><em><span class="dquo">“</span>dazzling the masses with bauble”</em></a>, as he said…</p>
<p>Nevertheless, <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> marketing is also double-sided: while they are trying to
sell things to you, they are also selling the certification to companies, which
is a good thing as these are the companies which will then want to hire <span class="caps">CEH</span> people
like you.
<abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>’s marketing power therefore also benefits you.</p>
<p>Setting aside these various money-making techniques, I still believe
the content of the curriculum to be interesting.
This certification was indeed the occasion to cover domains that weren’t
covered by any of the other certs I had taken until now.
However, again, the latest price increase may now make it less interesting for self-learners.</p>
<h2>Introduction to z/OS and IBM mainframes world and security</h2>
<p>Published 2017-10-01 by WhiteWinterWolf (/posts/2017/10/01/introduction-to-zos-and-ibm-mainframes-world-and-security/).</p>
<p>Mainframes are often designated as <em>“legacy platforms”</em>.
This triggers the mental image of those enormous, bulky 80’s era computers
which can be found in any good computer museum and in vintage videos, and leaves a
mixed feeling about the place of such machines in today’s computing world.</p>
<p>However, nothing could be more wrong:</p>
<ol>
<li>
<p>A lot of the technologies which made today’s computing what it is actually
come from the mainframe world.</p>
<p>Things like non-executable memory, process isolation, virtualization and
symmetric multiprocessing, to name just a few, are all technologies that were
first developed for mainframe environments, and only then ported onto
other architectures.</p>
</li>
<li>
<p>Today’s mainframe hardware has nothing in common with antique computers;
it evolved as the rest of the computer world did.</p>
<p>They are bulky, but not as much as one may imagine: the size of a large
fridge, to give a rough idea.
They remain made of thick steel though, with the main unit weighing
around a ton, hence their pet name of <em>“big iron”</em>.
Despite this, a <a href="https://www.youtube.com/watch?v=45X4VP8CGtk" rel="external" title="Connor Krukosky - Here's What Happens When an 18 Year Old Buys a Mainframe (SHARE channel YouTube)">student</a> managed to install one in his
basement, and the Australian customs’ cargo processing and intelligence
center at Sydney International Airport managed to get two simply
<a href="http://www.smh.com.au/articles/2003/09/04/1062548967124.html" rel="external" title="The brazen airport computer theft that has Australia's anti-terror fighters up in arms (The Sydney Morning Herald)">stolen</a> from their top-security room.</p>
<p>On the inside, the latest generation (introduced in July 2017) can host up
to 170 central processors, each with 10 cores and backed by numerous other
purpose-specific processors, the whole thing relying on up to 32 <span class="caps">TB</span> of <span class="caps">RAM</span> and
fiber channels for data communication.</p>
</li>
</ol>
<p>This is not exactly what I would call a <em>“legacy system”</em>.
What is usually <em>legacy</em> in fact is not the system itself, but the applications
running on it.</p>
<p>One of the key points of mainframe systems is indeed <em>backward compatibility</em>.
Mainframes are used in the most sensitive environments, where any bug will most
likely have huge consequences.
In such environments, as long as things work, people are always wary of
touching anything.
The usual motto is:</p>
<blockquote>
<p>If it ain’t broke, don’t fix it.<sup id="fnref-lance"><a class="footnote-ref" href="#fn-lance">1</a></sup></p>
</blockquote>
<p>So don’t think of rewriting or migrating to a different software: things worked
this way in the past, so the best way to make them work in the future is to keep
them as-is.</p>
<p>The mainframe architecture and its main operating system z/<span class="caps">OS</span> (a mainframe is
designed to run several operating systems in parallel, even Linux, including
<span class="caps">KVM</span> support) ensure that the applications that worked for the last 20 years
will continue to work the same on newer systems.</p>
<p>Despite the system characteristics mentioned above, mainframe systems must
however not be confused with supercomputers (which usually run Linux as their
main operating system, by the way):</p>
<ul>
<li>
<p>As expected, supercomputers excel in <em>fast</em> processing.
They can handle highly complex computational tasks, such as weather
forecasting, very quickly and very efficiently.</p>
</li>
<li>
<p>On the other side, mainframe computers would be inefficient for such tasks.
Where they particularly shine however is <em>parallel</em> processing.
They can handle thousands of simultaneous transactions with very high
requirements in terms of throughput, reliability, integrity and accountability.
It is for instance a mainframe which will, in the end, update your bank
account when you withdraw money from a cash dispenser.</p>
</li>
</ul>
<h3 id="what-on-earth-is-a-mainframe-david-stephens"><a class="toclink" href="#what-on-earth-is-a-mainframe-david-stephens">What On Earth is a Mainframe? (David Stephens)</a></h3>
<p><span class="lb-small floatright"><a href="#what-on-earth-is-a-mainframe.jpg" id="what-on-earth-is-a-mainframe.jpg-thumb" title="Click to enlarge"><img alt="Cover of 'What On Earth is a Mainframe?'" src="https://www.whitewinterwolf.com/posts/2017/10/01/introduction-to-zos-and-ibm-mainframes-world-and-security/what-on-earth-is-a-mainframe.jpg"/></a></span>
<em>What On Earth is a Mainframe?</em> is a low-technical introduction to the
mainframe world.
It is subtitled
<em>“An introduction to <span class="caps">IBM</span> zSeries Mainframes and z/<span class="caps">OS</span> Operating System for Total Beginners”</em>,
which accurately describes the content of this book.</p>
<p>David Stephens worked in various positions managing and operating mainframes
and condensed into a short (200 pages) and easy-to-read book all
you need to know to become more familiar with what may at first appear as an
obscure world:</p>
<ul>
<li>
<p>A bit of history, but mostly to focus on the principles that made
mainframes what they are now and to explain how they acquired and kept
their position at the core of the most critical infrastructures.</p>
</li>
<li>
<p>A good description of the hardware: storage, terminals, networking.</p>
</li>
<li>
<p>The operating system and the main software you will usually encounter in
mainframe environments (including from non-<span class="caps">IBM</span> providers).</p>
</li>
<li>
<p>The people gravitating around the mainframe system and their respective
roles and duties.</p>
</li>
<li>
<p>The procedures designed to reduce unavailability time, such as change
management and disaster recovery, as they are applied in such sensitive environments.</p>
</li>
</ul>
<p>This book manages to be high-level enough to remain readable and
interesting to low-technical people, while still being accurate, factual
and informative enough to also interest technical people not used to the
mainframe world, or only to a part of it, and who would like to grasp a larger
picture of it.</p>
<p class="buy button"><a href="https://www.amazon.com/What-Earth-Mainframe-David-Stephens/dp/1409225356/?tag=electronicfro-20" rel="external" title="Buy 'What On Earth is a Mainframe?' (Amazon)">Buy on Amazon</a></p>
<h3 id="mainframe-basics-for-security-professionals-pomerantz-vander-weele-nelson-hahn"><a class="toclink" href="#mainframe-basics-for-security-professionals-pomerantz-vander-weele-nelson-hahn">Mainframe Basics for Security Professionals (Pomerantz, Vander Weele, Nelson <span class="amp">&</span> Hahn)</a></h3>
<p><span class="lb-small floatright"><a href="#mainframe-basics-for-security-professionals.jpg" id="mainframe-basics-for-security-professionals.jpg-thumb" title="Click to enlarge"><img alt="Cover of 'Mainframe Basics for Security Professionals: Getting Started with RACF'" src="https://www.whitewinterwolf.com/posts/2017/10/01/introduction-to-zos-and-ibm-mainframes-world-and-security/mainframe-basics-for-security-professionals.jpg"/></a></span>
This book is designed for people who come from a Unix background and would like
to know more about mainframe security from a practical perspective.</p>
<p>This book too is short, around 200 pages, and relies heavily on practice.
In fact, the reader is expected to read it while having access to a z/<span class="caps">OS</span> image
where he can test and play with the book’s commands.</p>
<ul>
<li>
<p>This book assumes no previous knowledge of mainframes, so it starts very slowly
with how to connect to a mainframe and display a first “Hello world” at the <span class="caps">TSO</span> prompt.</p>
</li>
<li>
<p>Then it builds on that, step by step, covering user management,
data protection (including <em>z/<span class="caps">OS</span> <span class="caps">UNIX</span></em> and <em>Security Labels</em>; the latter
should ring a bell for people already familiar with SELinux ;) )
and logging.</p>
</li>
<li>
<p>Once these technical bases are set, mainframe auditing and limited-authority
administrators are covered.</p>
</li>
<li>
<p>Finally, the book closes with a more theoretical overview of
enterprise-wide security.</p>
</li>
</ul>
<p>It is designed as a practical entry into the mainframe world, and accomplishes
this task very well.
A number of subjects are only overviewed to keep the book short and
to the point, but this is always clearly stated and numerous references to the
official documentation are provided to deepen any particular subject.</p>
<p class="buy button"><a href="https://www.amazon.com/Mainframe-Basics-Security-Professionals-Getting/dp/0131738569/?tag=electronicfro-20" rel="external" title="Buy 'Mainframe Basics for Security Professionals: Getting Started with RACF' (Amazon)">Buy on Amazon</a></p>
<h3 id="pentesting-mainframes-philip-young-and-dominic-white-talks"><a class="toclink" href="#pentesting-mainframes-philip-young-and-dominic-white-talks">Pentesting mainframes (Philip Young and Dominic White talks)</a></h3>
<p><span class="lb-small"><a href="#smashing-the-mainframe.jpg" id="smashing-the-mainframe.jpg-thumb" title="Click to enlarge"><img alt="Philip Young - Smashing the Mainframe for Fun and Prison Time at Hacktivity, 2014" src="https://www.whitewinterwolf.com/posts/2017/10/01/introduction-to-zos-and-ibm-mainframes-world-and-security/smashing-the-mainframe.jpg"/></a></span></p>
<p>Philip Young is an advocate of practical testing of mainframe security.
He gave numerous talks, stating the same fact:</p>
<blockquote>
<p>There is a huge disconnect between security and the mainframe world,
even though the mainframe is sort of built as this amazing security platform.</p>
</blockquote>
<p>I recommend in particular the following presentations:</p>
<ul>
<li><a href="https://www.youtube.com/watch?v=SjtyifWTqmc" rel="external" title="Philip Young - Smashing the Mainframe for Fun and Prison Time - Hacktivity, 2014 (Hacktivity channel, YouTube)">Smashing the Mainframe for Fun and Prison Time</a>,
speaking of mainframes in front of hackers.</li>
<li><a href="https://www.youtube.com/watch?v=5Ra4Ehmifh4" rel="external" title="Philip Young - How to Embrace Hacker Culture For z/OS - SHARE, 2015 (SHARE channel, YouTube)">How to Embrace Hacker Culture For z/<span class="caps">OS</span></a>, speaking
of hackers in front of mainframes administrators and operators.</li>
</ul>
<p>He describes the research he started back in 2012, and the trouble he got into,
as it was during the same period that a major hack targeting mainframes notably
used by the Swedish government happened<sup id="fnref-anakata"><a class="footnote-ref" href="#fn-anakata">2</a></sup>.
He then describes the vulnerabilities that were revealed by these attacks, plus
some others from his own research.</p>
<p>The Swedish government had to force <span class="caps">IBM</span> to publish CVEs for the vulnerabilities
revealed by the above-mentioned attack.
In fact, mainframe vulnerabilities are normally kept secret by <span class="caps">IBM</span>.
This is also a subject of worry for Philip, who finds it
<em>“unbelievable that vulnerabilities are kept secret”</em>:</p>
<blockquote>
<p>People are more concerned about their system’s availability than they are in
having them tested.
In the Windows and Linux world where I come from you just assume it gets
tested all the time.
If you put a machine on the Internet, it’s just getting hit non-stop.
It’s just background noise on the Internet.
<br/><em>[…]</em><br/>
The more people you have looking at something, the more secure it’s going to
be.
The more people who are actively trying to break into a system (in their spare time,
at home, they aren’t breaking into their bank), the more secure it’s going to
be for you and for the world.</p>
</blockquote>
<p>Personally, what worries me even more is that for most of their life mainframes
could indeed be assumed secure because:</p>
<ul>
<li>The knowledge of how to operate them was uncommon.</li>
<li>They ran unusual services.</li>
<li>They were not connected to common networks (old-generation mainframes had
no <span class="caps">IP</span> support, you used <span class="caps">SNA</span>/<span class="caps">LU</span> instead; don’t expect to use <code>nmap</code> or
<code>netcat</code> over this!).</li>
<li>Enough profit could be obtained by exploiting far easier targets than by
having to deal with the big iron thing.</li>
</ul>
<p>However, time went on:</p>
<ul>
<li>Anyone can learn and study mainframes at home now: enough software and
documentation is available.</li>
<li>Mainframes now run Unix with standard services, they run Java, they parse <span class="caps">XML</span> files.</li>
<li>They are widely connected to <span class="caps">IP</span> networks, some are even directly facing the Internet.</li>
<li>Due to years of extensive testing, the rest of the infrastructure became
more and more protected by equipping itself with <abbr title="Intrusion Detection Service"><span class="caps">IDS</span></abbr>, <abbr title="Intrusion Prevention Service"><span class="caps">IPS</span></abbr>, <span class="caps">SIEM</span>, network
segmentation, next-generation firewalls, hardened hosts and services, and
so on.
The lack of practical testing of the mainframe system can now easily turn
it from the central, secure and safe position it had into one of the
weakest components of the security chain, where the expected profit vs.
exploit complexity ratio could designate it as the most interesting target.
The talks linked here show how security issues that were solved
dozens of years ago on classical architectures (when was the last time you
saw a Unix server still using <span class="caps">DES</span> to protect system passwords?) are still
current on mainframes.</li>
</ul>
<p>In case you are still not depressed enough, note that Philip mainly focuses his
research on the mainframe system itself.
<a href="https://www.youtube.com/watch?v=3HFiv7NvWrM" rel="external" title="Hacking Mainframes Vulnerabilities in applications exposed over TN3270, Dominic White (YouTube)">Dominic White</a> on his side focuses on mainframe applications, only to
find that the picture is the same, with blatant security holes including
security relying <em>on the client</em> through the use of hidden fields, just as
if a web server stored your access level in clear in a cookie and relied
on it to determine your privileges, and this applied to systems critical to
governments, financial institutions, etc.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-lance">
<p>This phrase, originally attributed to the businessman
<a href="https://en.wikipedia.org/wiki/Bert_Lance#.22If_it_ain.27t_broke.2C_don.27t_fix_it..22" rel="external" title="Bert Lance: 'If it ain't broke, don't fix it.' (Wikipedia)">Bert Lance</a>, often serves as a justification to keep old and
obsolete technologies in production… until a disaster happens. <a class="footnote-backref" href="#fnref-lance" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn-anakata">
<p>This hack was perpetrated in 2012 by <a href="https://en.wikipedia.org/wiki/Gottfrid_Svartholm" rel="external" title="Gottfrid Svartholm (Wikipedia)">Gottfrid Svartholm Warg</a>,
alias Anakata, one of the co-founders of The Pirate Bay torrent exchange website,
and targeted Swedish governmental and banking data.
Found guilty of breaking copyright rules with The Pirate Bay in 2010, he did
not present himself to the Swedish authorities but settled down in Cambodia.
I can imagine that these hacks may have been some kind of revenge on his part.
The Pirate Bay trial is the subject of a very well-made film I heavily recommend:
<a href="https://www.youtube.com/watch?v=eTOKXCEwo_8" rel="external" title="TPB AFK: The Pirate Bay Away From Keyboard (YouTube)">The Pirate Bay - Away From Keyboard</a> <a class="footnote-backref" href="#fnref-anakata" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>
<h2>Professional Penetration Testing (Thomas Wilhelm)</h2>
<p>Published 2017-08-19 by WhiteWinterWolf (/posts/2017/08/19/professional-penetration-testing-thomas-wilhelm/).</p>
<p>This book does not teach you penetration testing technically, it teaches you
penetration testing <em>professionally</em>.
Here, the pentest is not a technical exercise anymore: it becomes a paid
service delivered to a customer to satisfy a business need.
This requires more than throwing a bunch of tools and lines of code toward a
target.
This requires things like planning, methodology, quality and risks management,
and communication.
<em>This</em> is what this book is about.</p>
<p>This book targets mainly three kinds of audiences:</p>
<ul>
<li>
<p>People who are already familiar with the technical side of pentesting and
are wondering if making it a career would be interesting for them (doing
something as a hobby and as a job is not the same) and, if so, how to
proceed and what to expect.</p>
</li>
<li>
<p>Pentesters already in the field who would like to have a broader view
of their current job.</p>
</li>
<li>
<p>Project managers who are already familiar with handling technical projects
but are new to the field of penetration testing.</p>
</li>
</ul>
<p>A lot of books describe pentesting in a world of exploits and mitigations.
The fact that this one describes pentesting in a world of business needs,
risks and costs sets it apart from the others.</p>
<p>While in the introduction I heavily emphasized the management aspect of this
book, this is actually only half the book.
Technical aspects such as
<em>“creating and operating a formal hacking lab”</em><sup id="fnref-subtitle"><a class="footnote-ref" href="#fn-subtitle">1</a></sup> and the several
phases of conducting a penetration test, from information gathering to writing
the final report, are also well covered (a <span class="caps">DVD</span> is even provided to feed your
pentest lab with target systems).</p>
<p>However, if you are only interested in these technical aspects, other books
analyze them more deeply.
Here they are covered mainly to allow technical and management people to
understand each other by speaking the same language and having a better
grasp of the ins and outs of each other’s activity.</p>
<p class="buy button"><a href="https://www.amazon.com/Professional-Penetration-Testing-Second-Creating/dp/1597499935?tag=electronicfro-20" rel="external" title="Buy 'Professional Penetration Testing' (Amazon)">Buy on Amazon</a></p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-subtitle">
<p><em><span class="dquo">“</span>creating and operating a formal hacking lab”</em> happens to be the
subtitle of the first edition of the book, <em>“learning”</em> replacing
<em>“operating”</em> in the second edition.
I find these subtitles a bit misleading, as people buying this book in order
to technically learn to build and work with a pentest lab are usually
disappointed by the relatively small amount of information compared to
other books dedicated to the subject. <a class="footnote-backref" href="#fnref-subtitle" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>
<h2>Why I teach people how to hack (Ýmir Vigfússon)</h2>
<p>Published 2017-08-17 by WhiteWinterWolf (/posts/2017/08/17/why-i-teach-people-how-to-hack-ymir-vigfusson/).</p>
<p>In this short TEDx talk, Ýmir Vigfússon tells us what it means to be a hacker,
from the curious teenager who does not really have a “moral compass” (yet!) to
the senior professional sharing his knowledge.</p>
<p>He tells us what leads people in this direction, but above all he tells us how
all these people, from the teenager to the professional, all benefit
society as a whole.</p>
<p>For those who may not know this text, this video has a strong feeling of the
<a href="/posts/2017/08/12/hackers-manifesto-the-mentor/" title="Hacker's Manifesto (The Mentor)">Hacker’s Manifesto</a>, but now explained by a well-respected professional and
assistant professor instead of an 11-year-old teenager.</p>
<p class="watch button"><a href="https://www.youtube.com/watch?v=KwJyKmCbOws" rel="external" title="Why I teach people how to hack | Ýmir Vigfússon | TEDxReykjavík (YouTube)">Watch on YouTube</a></p>
<h2>Where to find virtual machines and ISO files?</h2>
<p>Published 2017-08-14, updated 2017-11-23, by WhiteWinterWolf (/posts/2017/08/14/where-to-find-virtual-machines-and-iso-files/).</p>
<h3 id="free-software"><a class="toclink" href="#free-software">Free software</a></h3>
<h4 id="virtual-machines"><a class="toclink" href="#virtual-machines">Virtual machines</a></h4>
<p>Several websites offer a large selection of freely downloadable virtual
machines with pre-configured free software, for instance:</p>
<ul>
<li><a href="https://www.turnkeylinux.org/" rel="external" title="TurnKey Linux homepage">TurnKey Linux</a>.</li>
<li><a href="https://bitnami.com/" rel="external" title="Bitnami homepage">Bitnami</a>.</li>
</ul>
<p>You can also check the marketplaces maintained by virtualization-related
software, such as <a href="https://marketplace.vmware.com/vsx/" rel="external" title="VMware Solution Exchange homepage">VMware</a> and <a href="https://community.gns3.com/marketplace" rel="external" title="GNS3 Marketplace homepage"><span class="caps">GNS3</span></a>.</p>
<h4 id="iso-files"><a class="toclink" href="#iso-files"><span class="caps">ISO</span> files</a></h4>
<p>Obviously the main place to get free software <span class="caps">ISO</span> files is from the projects’ own websites.</p>
<p>However, FrozenCow maintains a <a href="http://softwarebakery.com/apps/drivedroid/distributions.html" rel="external" title="FrozenCow: DriveDroid distribution list (Software Bakery)">centralized list</a> of direct links to
a fair number of Linux and <span class="caps">BSD</span> installation <span class="caps">ISO</span> files.</p>
<p>Some projects host all previous versions of their system, but sometimes they
are not easy to find.
Search in priority on the master repository as these older versions may not
be copied onto mirrors.
Sometimes they are stored in a separate “archive” area.
Finally, <a href="https://winworldpc.com/library" rel="external" title="WinWorld library (WinWorld)">WinWorld</a> does a great job of collecting old systems’
installation media, including discontinued Linux distributions.</p>
<p>If you are not sure which Linux or <span class="caps">BSD</span> system to choose, <a href="https://distrowatch.com/" rel="external" title="DistroWatch.com homepage">DistroWatch</a> might
be a good source of information.</p>
<p>If you hesitate between similar applications, <a href="https://sysadmin.libhunt.com/" rel="external" title="LibHunt: Awesome SysAdmin homepage">LibHunt</a> and <a href="https://alternativeto.net/" rel="external" title="alternativeTo homepage">alternativeTo</a> may help you.</p>
<h3 id="microsoft"><a class="toclink" href="#microsoft">Microsoft</a></h3>
<h4 id="evaluation-versions"><a class="toclink" href="#evaluation-versions">Evaluation versions</a></h4>
<p>Microsoft distributes freely downloadable evaluation versions of some of its
latest products through several channels:</p>
<ul>
<li>
<p><a href="https://www.microsoft.com/en-us/evalcenter/search?r=16" rel="external" title="Microsoft TechNet Evaluation Center: Search (Microsoft)">TechNet Evaluation Center</a>, which provides the evaluation
version (virtual image files and <em>.iso</em> installation disks) of various
Microsoft Enterprise systems and products.</p>
</li>
<li>
<p><a href="https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/" rel="external" title="Microsoft Edge Development: Download virtual machines (Microsoft)">Microsoft Edge Development</a>, which provides Windows virtual
machines (including older client versions not found in the previous link)
with various versions of Internet Explorer and Edge for web application testing.</p>
</li>
<li>
<p>Older but still supported Windows versions (both client and server)
may still be downloadable even if the pages linked above do not list them.
To find their URLs, run a search like the following in your favorite search engine:</p>
<div class="codehilite"><pre>"windows 2008" "care.dlservice.microsoft.com" site:github.com
</pre></div>
<p>This should point you to various projects maintaining lists of Microsoft
download URLs.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Double-check that the <span class="caps">URL</span> uses a legitimate Microsoft domain
(usually either <em>care.dlservice.microsoft.com</em> or
<em>download.microsoft.com</em>) to avoid potentially malicious files.</p>
</div>
</li>
</ul>
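<p>The warning above is easy to apply by eye to one link, less so to a whole list copied from a third-party repository. The following POSIX shell script is an added example, not code from the original post or from Microsoft: it extracts the host from each URL and compares it exactly against the two domains named above, so look-alike hosts (<em>download.microsoft.com.example.net</em>), a path that merely contains the string, or a user-info trick (<em>download.microsoft.com@example.net</em>) are all rejected, as is plain <em>http</em>. The function names <code>url_host</code> and <code>is_trusted_ms_download</code> and the sample URLs are constructed for the example.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: vet download URLs found in a
# third-party list against the Microsoft hosts named in the warning above.
# Assumption: only care.dlservice.microsoft.com and download.microsoft.com over
# https are acceptable; IPv6 literal hosts are not handled.

# Prints the lowercase host of a URL, stripping scheme, user info, port,
# path, query and fragment.
url_host() {
    printf '%s\n' "$1" \
        | sed -e 's|^[^:/]*://||' -e 's|^[^/@]*@||' -e 's|[/?#].*$||' -e 's|:[0-9]*$||' \
        | tr 'A-Z' 'a-z'
}

# Returns 0 only for an https URL whose host is exactly one of the two
# Microsoft download hosts (no suffix or substring matching).
is_trusted_ms_download() {
    case "$1" in
        https://*) ;;
        *) return 1 ;;
    esac
    case "$(url_host "$1")" in
        care.dlservice.microsoft.com|download.microsoft.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample list: two legitimate shapes, then the usual look-alikes.
SAMPLE_URLS='https://download.microsoft.com/download/7/5/E/example.iso
https://care.dlservice.microsoft.com/dl/download/example.iso
http://download.microsoft.com/download/example.iso
https://download.microsoft.com.example.net/example.iso
https://example.net/download.microsoft.com/example.iso
https://download.microsoft.com@example.net/example.iso'

printf '%s\n' "$SAMPLE_URLS" | while IFS= read -r url; do
    if is_trusted_ms_download "$url"; then
        echo "trusted:  $url"
    else
        echo "rejected: $url"
    fi
done
```

<p>Exact host comparison is the point: a substring check such as <code>grep microsoft.com</code> would accept every one of the rejected samples.</p>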
<p>Depending on the image these systems expire 30, 90 or 180 days after their
first boot.</p>
<h4 id="retail-versions"><a class="toclink" href="#retail-versions">Retail versions</a></h4>
<p>As long as you have a valid corresponding product key, it is possible to
<a href="https://www.microsoft.com/en-us/software-download/" rel="external" title="Microsoft Software Download (Microsoft)">download <em>.iso</em> files</a> for all currently supported products.</p>
<p>Images of old systems installation media can be found in
<a href="https://winworldpc.com/library" rel="external" title="WinWorld library (WinWorld)">WinWorld’s library</a>.</p>
<p>Installation media for systems no longer distributed by Microsoft but not
old enough to be part of the WinWorld library can usually be bought for very little
money on websites like eBay.</p>
<h3 id="apple"><a class="toclink" href="#apple">Apple</a></h3>
<p>I don’t know any official and clean way to get a recent version of Apple’s
operating system (Mac <span class="caps">OS</span> X, <span class="caps">OS</span> X, macOS, or however it is called now) to run in
a virtual machine.</p>
<p>Even the underlying “open source” system Darwin is not usable as-is anymore
and is only distributed as source archives instead of binary executables as it
once was.
There are <a href="https://en.wikipedia.org/wiki/Darwin_(operating_system)#Derived_projects" rel="external" title="Darwin derived projects (Wikipedia)">projects</a> attempting to build something out of it,
but with nothing practically usable for now.</p>
<p>If you search the web you may find more-or-less reliable ways to, from a macOS
system, build an installation media from an upgrade package (the method to use
seems different for every upgrade).
You may also find ready-made virtual machines, but use due caution as with any
content downloaded from untrusted sources (while such files <em>may</em> be suitable
for testing purpose, do not use them for anything sensitive).</p>
<h3 id="vulnerable-targets"><a class="toclink" href="#vulnerable-targets">Vulnerable targets</a></h3>
<p>Two well known projects are:</p>
<ul>
<li><a href="https://www.owasp.org/index.php/OWASP_Security_Shepherd" rel="external" title="Security Shepherd project homepage">Security Shepherd</a> from <span class="caps">OWASP</span>, which targets web and mobile applications.</li>
<li><a href="https://sourceforge.net/projects/metasploitable/files/Metasploitable2/" rel="external" title="Metasploitable 2 download (SourceForge)">Metasploitable2</a> from Rapid7, which targets services exploitation.</li>
</ul>
<p>To go further, <a href="https://github.com/joe-shenouda/awesome-cyber-skills" rel="external" title="Joe Shenouda: awesome-cyber-skills (GitHub)">Joe Shenouda</a> maintains a very good list of hacking
environments you can use to expand your practical knowledge.</p>How to build a virtual pentest lab2017-08-11T00:00:00+02:002017-08-19T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-11:/posts/2017/08/11/how-to-build-a-virtual-pentest-lab/<p>Standalone virtual machines are both a cheaper and more practical solution to
test systems as they do not require dedicated hardware and are easier to
handle than physical installations (actions such as cloning, taking a snapshot
or rolling back become trivial).</p>
<p>Network virtualization goes a step further and applies the same approach to a whole
network, including workstations, servers, and all networking devices such as
switches, routers and firewalls.
A virtual network can be of any size and topology, and can mimic any real-life
situation such as Active Directory domains, remote-access or site-to-site VPNs,
or test protocols of every network plane.</p>
<p>Such a virtual network can be either fully isolated or have one or several links
to physical devices and networks; it is all up to you to decide.</p>
<h3 id="hardware"><a class="toclink" href="#hardware">Hardware</a></h3>
<h4 id="prerequisites"><a class="toclink" href="#prerequisites">Prerequisites</a></h4>
<p>The goal of a virtual lab is to be able to quickly set up the environment which
will allow you to test whatever you would like to test.</p>
<p>If you have to use it on a regular basis, investing in a dedicated machine is,
I think, a must-have.
Indeed, the <em>“I must shut down my browser to free memory to start my <span class="caps">VM</span>”</em>
usually followed by
<em>“I must hibernate the <span class="caps">VM</span> to reopen my browser to do some search”</em> is really
not sustainable in the long run.</p>
<p>This machine, however, does not need to be anything extravagant or expensive.
Still, there are some prerequisites that you will need to fulfill in order to
have a comfortable, and therefore usable, virtual lab.</p>
<ol>
<li>
<p><em><span class="caps">RAM</span></em>: This is the first, main and single really mandatory criterion.
If you want to start two virtual machines configured to have 2 <span class="caps">GB</span> of <span class="caps">RAM</span>
each, your hardware must have at least 6 <span class="caps">GB</span> of <em>physical</em> <span class="caps">RAM</span> (4 <span class="caps">GB</span> for
the virtual machines, plus 2 <span class="caps">GB</span> for the host <span class="caps">OS</span>, don’t forget it).</p>
<p>If your hardware doesn’t have the sufficient amount of <span class="caps">RAM</span>, this will just
not work.
Yes, you may modify the virtual machines’ settings to lower their <span class="caps">RAM</span>
requirement, but unless you <em>really</em> know what you are doing you will most
likely end up facing unexpected and buggy behaviors.</p>
<p>If you want to have a comfortable virtual lab, 8 <span class="caps">GB</span> of <span class="caps">RAM</span> is the bare
minimum, but I strongly recommend aiming for 16 <span class="caps">GB</span>.
Note that a motherboard has a limit on the amount of <span class="caps">RAM</span> it can handle;
check it before buying anything.</p>
</li>
<li>
<p><em>Disk space</em>: A virtual lab stores archived installation media, virtual
machine disk images, plus their snapshots and backup copies.
All this consumes a lot of space.
Fortunately, not only is it easy to add or replace a hard disk (no
motherboard limitation like the amount of <span class="caps">RAM</span>), but above all if your
virtual lab gets low on hard disk space nothing prevents you from using
some network storage to store some or all of your data on an external device.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Unlike <span class="caps">RAM</span>, on test systems such as the one we are building disk space
is usually not pre-allocated (thin provisioning).
This means that while a virtual machine configured with 2 <span class="caps">GB</span> of <span class="caps">RAM</span> will
indeed allocate 2 <span class="caps">GB</span> of <span class="caps">RAM</span>, a virtual machine configured with 40 <span class="caps">GB</span> of
disk space will only allocate the disk space it really uses.
The 40 <span class="caps">GB</span> only acts as an upper bound that the virtual machine
will not exceed; in most cases its used space will be far smaller.</p>
</div>
<p>A few hundred <span class="caps">GB</span> of disk space is the bare minimum, a terabyte should be
sufficient for most personal needs, and there is no need for an <span class="caps">SSD</span> (storage speed is
useless here, invest your money in more <span class="caps">RAM</span> or storage space instead).</p>
</li>
<li>
<p><em><span class="caps">CPU</span></em>: Obviously the <span class="caps">CPU</span> <em>must</em> support hardware-assisted virtualization
instructions, but this is quite a common technology now (it appeared in
2006) and most CPUs have them (with the notable exception of
low-power and <span class="caps">RISC</span>-based CPUs: don’t expect to build a good virtual
lab on top of a Raspberry Pi!).</p>
<p>Apart from that, the <span class="caps">CPU</span> only defines the speed and the amount of
parallelism in the execution of your virtual machines: a quicker <span class="caps">CPU</span> with
more cores allows more virtual machines to process data simultaneously.</p>
<p>For personal use, there is no need for anything really powerful as you
rarely require true parallelism, and speed is something nice but not
required here.
This may change however if several people use the same
virtualization hardware simultaneously, or if you prepare yourself for
a <span class="caps">CCNE</span> certification and need to virtualize a large network with dozens
of devices handling a constant flow of network packets in every direction simultaneously.</p>
</li>
</ol>
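<p>The three prerequisites above can be checked mechanically before buying or repurposing a machine. The POSIX shell script below is an added example, not code from the original post: it looks for the <em>vmx</em> (Intel VT-x) or <em>svm</em> (AMD-V) flag in the <em>/proc/cpuinfo</em> format, reads <em>MemTotal</em> from the <em>/proc/meminfo</em> format, and applies the sizing rule from the text (sum of the guests’ <span class="caps">RAM</span> plus a reserve for the host). The <em>/proc</em> samples are constructed so it runs offline; the function names are assumptions made for the example.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: check a host against the
# prerequisites above (VT-x/AMD-V support, enough physical RAM for the planned
# guests plus the host reserve). The /proc samples below are constructed so the
# script runs offline; on a real Linux host feed it "$(cat /proc/cpuinfo)" and
# "$(cat /proc/meminfo)" instead.

# Returns 0 when the cpuinfo text advertises hardware-assisted virtualization:
# "vmx" for Intel VT-x, "svm" for AMD-V. The flag can be present while the
# feature is still disabled in the firmware setup, so this is a necessary, not
# a sufficient, check.
has_vt_flags() {
    printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)'
}

# Prints MemTotal from a meminfo text as whole gigabytes, rounded down: a
# nominal 16 GB machine reports 15 because the kernel reserves part of it.
mem_total_gb() {
    printf '%s\n' "$1" | awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576 }'
}

# Prints the RAM the lab needs: every guest's size plus the host reserve.
# Arguments: host_reserve_gb guest1_gb [guest2_gb ...]
ram_needed_gb() {
    total=$1
    shift
    for guest in "$@"; do
        total=$((total + guest))
    done
    echo "$total"
}

# Returns 0 when the physical RAM (GB) covers the computed need (GB).
ram_fits() {
    [ "$1" -ge "$2" ]
}

# Constructed samples: one CPU with VT-x, one without, one 16 GB machine.
CPUINFO_VTX='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov vmx sse4_2 avx2'
CPUINFO_NOVT='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse4_2'
MEMINFO='MemTotal:       16310712 kB
MemFree:         8123456 kB'

# The worked case from the text: two 2 GB guests plus a 2 GB host reserve.
if has_vt_flags "$CPUINFO_VTX"; then
    echo "CPU: hardware-assisted virtualization available"
else
    echo "CPU: no vmx/svm flag, this host cannot run a virtual lab"
fi
physical=$(mem_total_gb "$MEMINFO")
needed=$(ram_needed_gb 2 2 2)
if ram_fits "$physical" "$needed"; then
    echo "RAM: ${physical} GB physical covers the ${needed} GB needed"
else
    echo "RAM: ${physical} GB physical is short of the ${needed} GB needed"
fi
```

<p>Note that <code>mem_total_gb</code> rounds down on purpose: the figure the kernel reports is what the guests can actually get, so plan against it rather than against the sticker size.</p>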
<h4 id="the-wolfs-choice"><a class="toclink" href="#the-wolfs-choice">The Wolf’s choice</a></h4>
<p>Personally, I went for a second-hand <a href="https://www.apple.com/mac-mini/specs/" rel="external" title="Mac mini technical specifications">Mac mini</a>:</p>
<p><span class="lb-small"><a href="#mac-mini.jpg" id="mac-mini.jpg-thumb" title="Click to enlarge"><img alt="Mac mini enclosure" src="https://www.whitewinterwolf.com/posts/2017/08/11/how-to-build-a-virtual-pentest-lab/mac-mini.jpg"/></a></span></p>
<p>A Mac mini has all you may want from a personal virtualization system in a very
small and quiet enclosure:</p>
<ul>
<li>
<p>Supports up to 16 <span class="caps">GB</span> <span class="caps">RAM</span> (and I warmly recommend to install this amount of
<span class="caps">RAM</span>).</p>
</li>
<li>
<p>An <span class="caps">SSD</span> disk… to feed your old laptop.
This is the only negative point of this machine (this and the fact it has
only a single network interface) as you will need to go on <a href="https://www.ifixit.com/Device/Mac_Mini_Unibody" rel="external" title="iFixIt guides for the Mac mini">iFixIt</a> to
find the required guides and tools to disassemble it and change the
hard disk (screw you, Apple!).
But on the other hand, the Mac mini supports up to two 2.5” hard drives
(even the standard edition, see the related iFixIt pages, don’t spend any money
on the so-called “server” version!).
Mine has a 1 <span class="caps">TB</span> drive.</p>
</li>
<li>
<p>Intel Core i5 or i7 CPUs.
Those coming with the i7 <span class="caps">CPU</span> are noticeably more expensive than the i5 ones
with no real benefits for a personal usage.
Personally I took one with a i5 <span class="caps">CPU</span>.</p>
</li>
<li>
<p>Last but not least, being a genuine Mac device, you can
technically and legally run Apple’s operating systems in your lab.</p>
</li>
</ul>
<p>For moderately higher needs (<span class="caps">CCNE</span> or small teams for instance), I saw several
blogs of people using a cluster of two Core i7 Mac minis connected to a <span class="caps">NAS</span> box
who were very happy with the result.</p>
<h3 id="software"><a class="toclink" href="#software">Software</a></h3>
<h4 id="operating-system"><a class="toclink" href="#operating-system">Operating system</a></h4>
<p>I researched and tried several solutions; I think it may be useful to share my
feedback here about each one of them.</p>
<h5 id="vmware-esxi"><a class="toclink" href="#vmware-esxi">VMware ESXi</a></h5>
<p>ESXi is a “free” (as in free beer, see Proxmox below) software based on a
customized Linux system.
It embeds only the drivers matching the supported systems… and the Mac mini
is not one of them, although some other <a href="https://www.vmware.com/resources/compatibility/search.php?deviceCategory=server&details=1&partner=269" rel="external" title="VMware Hardware Compatiblity Liste: supported Apple systems">Apple systems</a> are supported
in order to run their operating system.</p>
<p>The main consequence of this is that at the time I was testing ESXi systems on
my lab, the driver for the network adapter was missing (ESXi 5).
You would normally have to go through complex manual manipulations to install it,
but William Lam shared <a href="http://www.virtuallyghetto.com/2013/09/running-esxi-55-on-apple-mac-mini.html" rel="external" title="Running ESXi 5.5/5.5u1 on Apple Mac Mini + Thunderbolt Ethernet Adapter Caveat">modified <span class="caps">ISO</span> files</a> downloadable
from his blog.
Once installed, ESXi worked fine on the Mac mini (even if I was not very
happy with the concept of using installation media downloaded from a blog
instead of official sources).</p>
<p>Going back to his blog as I write this article, it seems that
<a href="http://www.virtuallyghetto.com/2015/02/esxi-6-0-works-ootb-for-apple-mac-mini-mac-pro.html" rel="external" title="ESXi 6.0 works OOTB for Apple Mac Mini & Mac Pro">things evolved</a> in the right direction since then and that ESXi 6 now
embeds the missing drivers.
This does not, however, make the Mac mini a supported platform, but it solves the
update and upgrade issues that plagued the previous ESXi version on this system
<em>as long as these drivers are available</em> (not supported means that VMware will
most likely not invest any specific effort to solve an issue related to these
drivers and may remove them without prior notice if they cause any trouble).</p>
<p>But beyond the update issues, the real limitation of ESXi comes from its
closed-source nature.
While you can tinker with it (as shown by the driver issue and the modified <span class="caps">ISO</span>
file), things quickly become unnecessarily complicated and poorly documented.
As with any closed-source software, you are supposed to use the product a certain
way and you depend on the vendor for everything.</p>
<p>All in all, someone like me quickly finds such a system way too cramped to be comfortable.</p>
<h5 id="alpine-linux"><a class="toclink" href="#alpine-linux">Alpine Linux</a></h5>
<p><a href="https://alpinelinux.org/" rel="external" title="Alpine Linux project homepage">Alpine Linux</a> is a security oriented Linux distribution targeting embedded
systems.
Both its lightness and security properties make it a good choice for a
“small, simple and secure” (as the project presents itself) shell to
administer a virtual machine server.</p>
<p>However, when I tried it <span class="caps">UEFI</span> was not natively supported by this system: the
installation process goes fine but there was no way to start the system from the
hard disk once installed.</p>
<p>When I say “no way” I’m probably lying a bit since there were already indeed some
resources and ongoing work in this area, but this did not smell good at that
time and still looked more like some kind of rabbit hole than a reliable,
step-by-step solution.</p>
<p>Nevertheless, I like the concept in ESXi of a minimalistic Linux used as
backend to manage and monitor virtual machines, and I still believe that a
system such as Alpine Linux would be the ideal fit to do the same thing, but
better.
The fact that it was not ready at that time does not mean that I will not
come back to it in the future.</p>
<h5 id="debian"><a class="toclink" href="#debian">Debian</a></h5>
<p>Well… it just works, what else to say?
Plug the installation disc, install, reboot, and <code>apt-get</code> your favorite software!</p>
<p>This is what I’m using now.</p>
<h5 id="proxmox"><a class="toclink" href="#proxmox">Proxmox</a></h5>
<p><a href="https://www.proxmox.com/en/" rel="external" title="Proxmox project homepage">Proxmox</a> is a Debian derivative (with Ubuntu’s kernel).
It is <em>the</em> free (as in free speech and free beer) alternative to ESXi, so if you need
some kind of drop-in replacement there you have it.</p>
<p>In my case I do not need a web interface, am satisfied with a command-line
interface, and have a few other requirements (like using <span class="caps">GNS3</span> or emulating
legacy systems) that would make Proxmox features overkill and unnecessary.</p>
<h4 id="host-virtualization-software"><a class="toclink" href="#host-virtualization-software">Host virtualization software</a></h4>
<h5 id="xen"><a class="toclink" href="#xen">Xen</a></h5>
<p>Xen is a bare-metal hypervisor, meaning it interacts directly with the
hardware without going through an intermediary operating system (even the
management domain, <em>Dom0</em>, is technically just a guest system with more privileges).</p>
<p>While there already was <a href="https://wiki.xenproject.org/wiki/Xen_EFI" rel="external" title="Xen EFI project page">some work</a> ongoing to enable <span class="caps">UEFI</span> support in
Xen, on my side I was not able to set up a reliable system:</p>
<ul>
<li>
<p>By default Grub starts Xen through multiboot.
At this stage Xen has no access anymore to some <span class="caps">EFI</span> parameters, resulting
in the detection of only one processor core and a malfunctioning <span class="caps">ACPI</span>
systematically freezing any virtual machine (both DomU and Dom0) when
attempting to shut down or restart it.</p>
</li>
<li>
<p>In theory Xen should be able to start through Grub’s chainloader; in
practice I was not able to make it start this way.</p>
</li>
<li>
<p>I was however able to start Xen directly from the <span class="caps">EFI</span> using
<a href="https://sourceforge.net/projects/cloverefiboot/" rel="external" title="EFI bootloader project homepage"><span class="caps">EFI</span> bootloader</a>; all <span class="caps">CPU</span> cores were now detected, but the <span class="caps">ACPI</span> issue was
still present.</p>
</li>
</ul>
<h5 id="kvm"><a class="toclink" href="#kvm"><span class="caps">KVM</span></a></h5>
<p><span class="caps">KVM</span> stands for Kernel-based Virtual Machine, and as the name implies while
Xen is a bare-machine virtualization software this one relies on a
full-fledged Linux kernel.</p>
<p>The major advantage of this is that <span class="caps">KVM</span> doesn’t need to handle direct interaction
with the hardware: all this is left to the Linux kernel, which in turn can rely
on standard modules (drivers).</p>
<p>While trying to get Xen running on certain platforms can quickly become
cumbersome (similarly to the ESXi we saw earlier, which, like Xen, is also a micro-kernel
based bare-metal hypervisor), wherever Linux can run <span class="caps">KVM</span> can run too.</p>
<h5 id="xen-vs-kvm"><a class="toclink" href="#xen-vs-kvm">Xen vs. <span class="caps">KVM</span></a></h5>
<p>Performance-wise, <a href="http://lib.dr.iastate.edu/cgi/viewcontent.cgi?article=3243&context=etd" rel="external" title="A performance analysis of Xen and KVM hypervisors for hosting the Xen Worlds Project">a 2011 study</a> shows that, <span class="caps">KVM</span> being implemented
low enough in the kernel stack, it presents similar if not better performance
than Xen as hardware virtualization software (i.e. emulating the computer
hardware in order to start any kind of operating system).</p>
<p>Where Xen shines is in its initial and core functionality: paravirtualization
(run a modified operating system which communicates directly with the
virtualization software instead of communicating with emulated computer devices).</p>
<ul>
<li>
<p>If you want to build an <span class="caps">EC2</span>-like cloud with tons of Linux instances in the most
efficient way (or, in broader terms, your environment will be generally
composed of paravirtualized VMs and virtualized hardware will be the
exception), then Xen may be your best fit.</p>
</li>
<li>
<p>On the contrary, if hardware virtualization will be the rule and
paravirtualization (supported by <span class="caps">KVM</span> through the virtio system, but slower
than Xen) the exception, then <span class="caps">KVM</span> will be both an easier and a more efficient solution.</p>
</li>
</ul>
<h5 id="vmware-player"><a class="toclink" href="#vmware-player">VMware Player</a></h5>
<p>For now, keeping a VMware Player at hand remains handy.
I know this is closed-source and closed-source is evil and all, but there are
some situations where having it available might save your day:</p>
<ul>
<li>
<p>It is still a de-facto standard to share and run virtual machines.
While you can still convert a VMware Player virtual machine into another
format, sometimes you want to reduce Murphy’s Law to the minimum and cannot
accept losing any time (some closed-source applications even specifically
check that they are running in a VMware virtual machine and not another
<span class="caps">VM</span> to enforce their supported platform conditions).</p>
<p>On these occasions, if a provider gives you a virtual machine tested on VMware
Player with a strong recommendation to use the same software on your side,
it is better not to be extremist and just do it this way.
When you have more time later, you can check the provider’s support forum
and read the issues encountered by other people who tried the hard way.</p>
</li>
<li>
<p>VMware still has a noticeable lead over Qemu/<span class="caps">KVM</span> on some
necessary features, such as pass-through functionalities allowing
direct use of some of the host’s physical devices from within the guest and
related things.</p>
<p>A typical example is connecting a physical <span class="caps">USB</span> key to a guest system: the
feature exists in Qemu but there is no way to get it working; I suspect it is broken.
On the other hand this is a trivial operation on VMware Player.</p>
<p>Some other potential areas of concern are:</p>
<ul>
<li>
<p>The support of 3D hardware acceleration in the guest (there is some work
ongoing on Qemu side about this, be sure to use the <span class="caps">GTK</span> display
interface to benefit from it, but I don’t know how advanced it is
compared to VMware Player).</p>
</li>
<li>
<p>Nested virtualization, allowing you to benefit from hardware-assisted
virtualization from within the guest.
VMware has supported it for some time now (even though I’m not sure if they
put it in their free Player too or reserved it for their paid
Workstation software); it is not yet supported by Qemu but <span class="caps">IIRC</span> I saw a
mention of this feature added in some recent Linux kernel change so it
is coming.</p>
</li>
</ul>
</li>
</ul>
<h5 id="oracle-vm-virtualbox"><a class="toclink" href="#oracle-vm-virtualbox">Oracle <span class="caps">VM</span> VirtualBox</a></h5>
<p>This software is not completely free (some parts are available free of charge
for evaluation and personal use only), is not really a standard, and has no
special or unique feature compared to its alternatives.</p>
<p>Is there any reason to use it?
Tell me because I don’t see any.</p>
<h4 id="network-virtualization-software"><a class="toclink" href="#network-virtualization-software">Network virtualization software</a></h4>
<p>Once you have made up your mind about host virtualization software, time to
think bigger and to emulate a whole network in your small box.</p>
<p>Here also, several software packages are available, with their advantages and
disadvantages.
As long as they offer interconnection with external networks, it should be
possible to make different software packages interoperate (each one sees the other as
an external network).
In some cases it may make sense to combine features which can only be found
in two different network virtualization applications.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Some network certification trainings provide a “network simulator” software.</p>
<p>The functionalities of such software are usually very limited, to the point
that you often cannot even edit the network topology but are restricted to
the topologies proposed by the software author, with the more interesting
ones available in paid add-ons.</p>
</div>
<h5 id="virl"><a class="toclink" href="#virl"><span class="caps">VIRL</span></a></h5>
<p><a href="http://virl.cisco.com/" rel="external"><span class="caps">VIRL</span></a> is the Cisco proprietary and paid network virtualization software.
It relies on ported virtual versions of the Cisco devices.
To put it another way: this software does not emulate Cisco devices; instead the devices’
code has been ported to run natively on the host as <span class="caps">VIRL</span> modules.
So, instead of running a real <span class="caps">IOS</span> and <span class="caps">ASA</span> for instance, it will run IOSv and
ASAv.
This provides far better performance, but they may react differently or offer
different options than the real gear.</p>
<p>As it is paid software and I did not need its features, I did not try it and
therefore cannot say a lot about it.</p>
<h5 id="gns3"><a class="toclink" href="#gns3"><span class="caps">GNS3</span></a></h5>
<p><a href="https://gns3.com" rel="external" title="GNS3 project homepage"><span class="caps">GNS3</span></a> is the free alternative to Cisco’s <span class="caps">VIRL</span>.
While initially a graphical frontend and continuation of Dynamips, a free Cisco
devices hardware emulator allowing the execution of <span class="caps">IOS</span> firmware images, it has
now evolved into a de-facto standard in network simulation in the open-source community,
with the support of <a href="https://docs.gns3.com/1FFbs5hOBbx8O855KxLetlCwlbymTN8L1zXXQzCqfmy4/index.html#h.appliances" rel="external" title="GNS3 documentation: Appliances">appliances</a> from a large number of free and
commercial providers and a <a href="https://gns3.com/marketplace" rel="external" title="GNS3 marketplace">marketplace</a> offering both
software and learning material.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The fact that <span class="caps">GNS3</span> is a free software and supports the emulation of
proprietary appliances and devices does not make these solutions free.</p>
<p>Support means that they have been tested to work and that if you encounter
an issue you can raise a ticket with the <span class="caps">GNS3</span> development team.
If you want to actually include such devices and appliances in your topology,
you will need to provide the path to either a firmware image or an
installation media not provided with <span class="caps">GNS3</span> or its appliances.</p>
</div>
<p>While a technical tool, <span class="caps">GNS3</span> is graphical, which makes it easy enough to learn, while
offering advanced features (including support for clusters to spread large
network topologies across several computers) which also make it suitable for large projects.</p>
<p>Having spent some time on this tool, I will soon write a set of articles
describing in detail how to use it to build virtualized networks focused on
<span class="caps">IT</span> security testing.</p>
<h5 id="unetlab-eve-ng"><a class="toclink" href="#unetlab-eve-ng">Unetlab / <span class="caps">EVE</span>-<span class="caps">NG</span></a></h5>
<p><a href="http://www.routereflector.com/unetlab/" rel="external" title="Unetlab project homepage">Unetlab</a> (Unified Networking Lab), which has recently been refactored as
<a href="http://www.eve-ng.com/" rel="external" title="EVE-NG project homepage"><span class="caps">EVE</span>-<span class="caps">NG</span></a> (Emulated Virtual Environment - Next Generation) by its creator, can
be seen as a <span class="caps">GNS3</span> alternative targeting team work.</p>
<p>At its core it provides similar functionality to <span class="caps">GNS3</span>: network
virtualization involving Cisco devices and hardware-virtualized hosts.
However, instead of a standalone graphical application, here
everything is done through a shared web interface (no heavy client
needed), in a multi-user environment, with various sharing and
export/import features.</p>
<p>For a single user, this seems overkill to me, but for team work this is
certainly something I would try.</p>
<h5 id="hynesim"><a class="toclink" href="#hynesim">Hynesim</a></h5>
<p><a href="https://www.hynesim.org/" rel="external" title="Hynesim project homepage">Hynesim</a> is a network simulator specially designed for <span class="caps">IT</span> security training.
It was initially developed for the <span class="caps">DGA</span> (Direction Générale de l’Armement, the
French government defense procurement and technology agency) and seems to
target team work with some ACL features.</p>
<p>While the source code is released under the <span class="caps">GNU</span> licence, it is not completely
“free” in spirit, as the downloadable source code is now more than a
year old and a few versions behind the version available to paying customers,
and access to the complete documentation is also restricted to paying customers.
Moreover, as most of the website is written in French, it may not be very
accessible to non-French speakers.</p>
<p>Despite its release and documentation issues, this project may still be
interesting due to its primary focus on security testing.
A quick glance at the little available documentation and at the source code seems
to indicate that it supports WiFi (but I don’t know what exactly is supported
here) and Dynamips (emulation of Cisco devices).
An <a href="https://vc2009cfp.wordpress.com/2008/12/30/hynesim-working-toward-a-hybrid-network-virtualization-opensource-framework/" rel="external" title="Hynesim : working toward a hybrid network virtualization opensource framework">old paper</a> from 2008 announcing the project’s creation also
mentioned Bluetooth, but this seems to have been abandoned.</p>
<p>The project team is also developing complementary utilities such as Action
Manager, an automation tool apparently designed to simulate end-user activity
within a guest (quoting the <a href="https://www.hynesim.org/roadmap/" rel="external" title="Hynesim project roadmap">roadmap</a> page:
<em>“mail related, web browsing related, text writer related…”</em>), but it is not
released yet.</p>
<h5 id="mininet-wifi"><a class="toclink" href="#mininet-wifi">Mininet-WiFi</a></h5>
<p><a href="https://github.com/intrig-unicamp/mininet-wifi/" rel="external" title="Mininet-WiFi project homepage">Mininet-WiFi</a> is a fork of <a href="http://mininet.org/" rel="external" title="Mininet project homepage">Mininet</a> adding WiFi capability to the latter.</p>
<p>Mininet is Linux network virtualization software.
It takes advantage of Linux kernel features to emulate potentially large Linux
networks while staying very light on resources and offering good performance.
The <a href="http://mininet.org/overview/" rel="external" title="Mininet overview">documentation</a> mentions running hundreds of guests and
switches on a single host and 2 Gbps total bandwidth on modest hardware.</p>
<p>However, this is <span class="caps">OS</span>-level virtualization, meaning all nodes will actually be
Linux systems and all will share the host’s kernel.
Nevertheless, <span class="caps">GNS3</span> published <a href="https://gns3.com/news/article/sdn-101-mininet-openflow-and-gns" rel="external" title="SDN 101: Mininet (OpenFlow) and GNS3">an article</a> describing how to
interoperate Mininet and <span class="caps">GNS3</span> to get the best of both worlds.</p>
<p>Finally, Mininet-WiFi builds on top of this and, thanks to a virtual WiFi driver,
adds WiFi network simulation capability.</p>
<p>The features announced in its documentation seem pretty promising:</p>
<ul>
<li>It takes into account distance from the access point, signal attributes,
overlap, interference and node movement.</li>
<li>It handles authentication, from <span class="caps">WEP</span> to <span class="caps">WPA2</span> and including <span class="caps">RADIUS</span> (all this
using the standard Linux stack, the virtualization part being handled by the driver).</li>
<li>It seems that the virtual device also supports monitor mode.</li>
</ul>
<p>All this should be enough to reproduce most WiFi-related security scenarios
(as long as all involved devices are, or can be simulated with, Linux systems).</p>
<p>I will certainly dig further into this one as soon as I have the occasion.</p>
<h5 id="others"><a class="toclink" href="#others">Others</a></h5>
<p>Brian Linkletter maintains a <a href="http://www.brianlinkletter.com/open-source-network-simulators/" rel="external" title="Open-Source Network Simulators">good list</a> of open-source network
simulation software.</p>
<p>In addition to the most well-known and general-purpose projects I have already
mentioned here, you will find others which are either less well-known or
address very specific use cases (for instance the <a href="https://shadow.github.io/" rel="external" title="Shadow project homepage">Shadow</a> project allows
simulating large Internet-scale peer-to-peer infrastructures such as the Tor
or Bitcoin networks).</p>
<p>How to run a <span class="caps">CAM</span> table overflow attack in <span class="caps">GNS3</span> (WhiteWinterWolf, published 2016-06-26, updated 2017-08-19): <a href="https://www.whitewinterwolf.com/posts/2016/06/26/how-to-run-a-cam-table-overflow-attack-in-gns3/">www.whitewinterwolf.com/posts/2016/06/26/how-to-run-a-cam-table-overflow-attack-in-gns3/</a></p>
<h3 id="knowing-where-difference-with-real-gears-lies"><a class="toclink" href="#knowing-where-difference-with-real-gears-lies">Knowing where the differences with real gear lie</a></h3>
<p>For performance reasons, many switching functions are actually not part of the
<span class="caps">IOS</span> code but are implemented in hardware.
This includes the <span class="caps">ARL</span>, or <a href="http://computernetworkingsimplified.com/data-link-layer/basic-theory-operation-l2-switch/" rel="external">Address Resolution Logic</a>, which provides all the
methods to add, remove and look up entries in the <span class="caps">MAC</span> address table.</p>
<p>Therefore, for the <span class="caps">NM</span>-<span class="caps">16ESW</span> module to work in <span class="caps">GNS3</span>, Dynamips had to reimplement
all these normally hardware-provided services, or at least push this far enough
to allow an unmodified <span class="caps">IOS</span> to run on it correctly.</p>
<p>Unfortunately, this is unfinished work, as stated in this
<a href="https://github.com/GNS3/dynamips/blob/master/common/dev_nm_16esw.c" rel="external">module’s source code</a> header:</p>
<div class="codehilite"><pre><span class="cm">/*</span>
<span class="cm"> * Cisco router simulation platform.</span>
<span class="cm"> * Copyright (c) 2006 Christophe Fillot (cf@utc.fr)</span>
<span class="cm"> *</span>
<span class="cm"> * NM-16ESW ethernet switch module (experimental!)</span>
<span class="cm"> *</span>
<span class="cm"> * It's an attempt of proof of concept, so not optimized at all at this time.</span>
<span class="cm"> * Only L2 switching will be managed (no L3 at all).</span>
<span class="cm"> *</span>
<span class="cm"> * To do next: QoS features (CoS/DSCP handling).</span>
<span class="cm"> */</span>
</pre></div>
<p>So you’re warned: forget about QoS and expect some oddities.</p>
<p>Fortunately, here we are not dealing with QoS but with <span class="caps">CAM</span> overflow, and apart from
the final bug (whose correction should be included in a future version
of <span class="caps">GNS3</span>) there are two main oddities of concern to us: one
affects the <span class="caps">MAC</span> address table size and the other the <span class="caps">MAC</span> address aging process.</p>
<h4 id="first-difference-the-mac-address-table-size-tops-at-8189-entries"><a class="toclink" href="#first-difference-the-mac-address-table-size-tops-at-8189-entries">First difference: the <span class="caps">MAC</span> address table size tops at 8189 entries</a></h4>
<p>This is actually a non-issue.</p>
<p>The <span class="caps">CAM</span> overflow attack exploits the fact that a switch which is not able to add any
new entry to its <span class="caps">CAM</span> table falls back to <em>“behaving like a hub”</em>
(as it is often described; I’ll come back to this later).</p>
<p>Most probably due to a minor bug, it seems that the <span class="caps">MAC</span> table is considered
full at 8189 entries instead of 8192. However, full still means full: the <span class="caps">ARL</span>
should still fail to store any additional entry and the <span class="caps">CAM</span> overflow attack
should still be successful.</p>
<h4 id="second-difference-the-aging-time-setting-is-not-honored"><a class="toclink" href="#second-difference-the-aging-time-setting-is-not-honored">Second difference: the <code>aging-time</code> setting is not honored</a></h4>
<p>By default, <span class="caps">MAC</span> entries should remain in the <span class="caps">MAC</span> address table for at least 5
minutes (300 seconds), as defined by the <code>aging-time</code> setting:</p>
<div class="codehilite"><pre><span class="go">SW1#show mac-address-table aging-time</span>
<span class="go">Mac address aging time 300</span>
</pre></div>
<p>However, in real gear the whole process behind this parameter is implemented in
hardware, and this setting is currently simply ignored by Dynamips’
implementation of the <span class="caps">NM</span>-<span class="caps">16ESW</span> module.</p>
<p>Dynamips implements its own garbage collection system which deletes old <span class="caps">MAC</span>
entries after only 30 seconds, making <span class="caps">CAM</span> overflow attacks noticeably more
tricky to stabilize (but this may be good training against the <em>“backpressure”</em>
functionality, which according to <a href="https://networkengineering.stackexchange.com/a/20319/27387" rel="external">Lukasz</a> is designed to allow faster <span class="caps">MAC</span> aging when there is a flood of new
addresses).</p>
<p>The code in charge of this can be found around line 2515 of the
<a href="https://github.com/GNS3/dynamips/blob/master/common/dev_nm_16esw.c" rel="external">dev_nm_16esw.c</a> file:</p>
<div class="codehilite"><pre><span class="cm">/* Start the MAC address ager */</span>
<span class="n">data</span><span class="o">-></span><span class="n">ager_tid</span> <span class="o">=</span> <span class="n">timer_create_entry</span><span class="p">(</span><span class="mi">15000</span><span class="p">,</span><span class="n">FALSE</span><span class="p">,</span><span class="mi">10</span><span class="p">,</span>
<span class="p">(</span><span class="n">timer_proc</span><span class="p">)</span><span class="n">bcm5600_arl_ager</span><span class="p">,</span><span class="n">data</span><span class="p">);</span>
</pre></div>
<p>This launches the <code>bcm5600_arl_ager()</code> function every 15 seconds. What this
function does is scan the whole <span class="caps">CAM</span> table and check a hit flag associated with
each <span class="caps">MAC</span> address:</p>
<ul>
<li>If the flag is set, unset it.</li>
<li>If the flag is unset, delete the <span class="caps">MAC</span> address from the table.</li>
</ul>
<p>This flag is re-enabled whenever the switch receives a new packet from the
corresponding <span class="caps">MAC</span> address, keeping active addresses in the table.</p>
<p>You <em>will</em> have to take this behavior into account in order to design a
successful <span class="caps">CAM</span> overflow attack:</p>
<ul>
<li>
<p>Using only random <span class="caps">MAC</span> addresses will not do it (sorry <code>macof</code>…) since it
would allow the switch to flush all faked addresses at once every 30
seconds, making the exploit unstable.</p>
</li>
<li>
<p>Each <span class="caps">MAC</span> address must be used as a sender at least once every 15 seconds.</p>
</li>
<li>
<p>Actually, since the increased load may cause a packet to be lost or to arrive
late, you would rather have each <span class="caps">MAC</span>
address used two or three times within 15 seconds.
This should be enough to make your flood both stable and reliable, with <span class="caps">CAM</span>
tables consistently and constantly filled on all switches on the whole <span class="caps">LAN</span>.</p>
</li>
</ul>
<h3 id="understanding-what-you-can-really-expect"><a class="toclink" href="#understanding-what-you-can-really-expect">Understanding what you can really expect</a></h3>
<p>As explained in the introduction, a lot of literature explains this attack as
<em>“making the switch behave like a hub”</em>. While a good overview for the layman,
this oversimplified description is wrong from a technical point of view.</p>
<p>To explain this I will first detail how a switch works under normal
circumstances, i.e. the algorithm behind it:</p>
<ol>
<li>
<p>The switch receives an incoming packet on some port.</p>
</li>
<li>
<p>The switch then checks if the source <span class="caps">MAC</span> address is already stored in the
<span class="caps">MAC</span> address table.
If it isn’t and there is a free slot, it records this new <span class="caps">MAC</span> address
associated with its incoming port (and, by the way, if the address is already
present but associated with another port, it updates the record with the
new port).
This is also the occasion to reset the aging timer associated with this entry,
whether it is new or not.</p>
</li>
<li>
<p>The switch then checks if the destination <span class="caps">MAC</span> address is already stored in
the <span class="caps">MAC</span> address table. If it is, then this is all good and the switch
outputs the packet on the interface associated to the matching <span class="caps">CAM</span> table
entry.
If it isn’t, the switch outputs the packet on all interfaces except the
incoming one (all interfaces belonging to the same <span class="caps">VLAN</span> + trunk ports as
long as this <span class="caps">VLAN</span> is not pruned).</p>
</li>
</ol>
<p>Now, let’s see how a switch works once the <span class="caps">CAM</span> overflow condition has been
triggered and it has fallen back into the so-called <em>“hub”</em> mode…
Actually all of this is just nonsense: there is no hub mode and the <span class="caps">CAM</span>
overflow triggers strictly nothing.
The switch just continues to work as it always did:</p>
<ol>
<li>
<p>On incoming packets, <em>if and only if</em> the source <span class="caps">MAC</span> address is not present
in the table will the <span class="caps">CAM</span> overflow have any effect, since the switch will
have no free slot to add this new one and will therefore skip this step.
If the address is already present in the table, the switch will reset its
aging timer as usual.</p>
</li>
<li>
<p>On outgoing packets, <em>if and only if</em> the destination <span class="caps">MAC</span> address is not
present in the table will the switch indeed send the packet through “all”
of its interfaces.
If the <span class="caps">MAC</span> address is present in the table, the switch has strictly no
reason to act weirdly: it will simply proceed as usual and send the packet
only through the port associated to the <span class="caps">MAC</span> address.</p>
</li>
</ol>
<p>The main consequences of this are:</p>
<ul>
<li>
<p>Despite what is often told, <span class="caps">CAM</span> overflow attacks are not a magical way to
turn switches into hubs.
You will <em>not</em> be forwarded all the traffic passing through the switch.</p>
</li>
<li>
<p>You will <em>not</em> be able to eavesdrop on any already active communication (i.e.
any communication initiated before the <span class="caps">MAC</span> flood started). The devices’ <span class="caps">MAC</span>
addresses will already be known to the switch and legitimate packets will
regularly reset the switch’s aging counters.
No matter how hard you flood it, these devices’ <span class="caps">MAC</span> addresses will stay in
the switch’s <span class="caps">CAM</span> table and the switch will only forward the traffic to the
appropriate ports.</p>
</li>
<li>
<p>You will most likely be able to eavesdrop on <em>only</em> one side of the communication,
from the router to previously inactive devices (shut down or in sleep mode
for instance).
In real world scenarios, at least during business hours, the switch will
nearly permanently have the router’s <span class="caps">MAC</span> address in its <span class="caps">CAM</span> table since
almost any traffic on the network will pass through it and, therefore,
constantly refresh the aging timer.
The main goal of the <span class="caps">MAC</span> flood will therefore be to keep previously
inactive devices from successfully registering their <span class="caps">MAC</span> address on the switch too.</p>
<p>To give a concrete example of the result, chances are that you will
not be able to eavesdrop on the user’s password and requests, but you may be
able to get the session identifiers and data provided by the server.</p>
</li>
<li>
<p>To end with depressing news, what you <em>will</em> achieve is that if you
take care not to overload the switches, they will happily forward your
flooding packets from switch to switch until they contaminate the whole
Layer 2 <span class="caps">LAN</span>.
Only <span class="caps">VLAN</span> pruning or a Layer 3 device on the way may limit this
dissemination; without that, even switches offering only ports on unrelated VLANs
will see their <span class="caps">CAM</span> table being filled up.</p>
<p>In other words, depending on the topology details, launching the attack from
<span class="caps">VLAN</span> 2 can allow you to access <span class="caps">VLAN</span> 2 traffic forwarded from several
switches away and can also allow you to affect the behavior of <span class="caps">VLAN</span> 3 switches.</p>
</li>
</ul>
<h3 id="using-the-right-tool"><a class="toclink" href="#using-the-right-tool">Using the right tool</a></h3>
<p>The tool classically recommended for <span class="caps">CAM</span> table overflow attacks is <code>macof</code>
(from the <a href="https://www.monkey.org/~dugsong/dsniff/" rel="external">dsniff</a> project, unmaintained for years).
However, this tool strikes me as a primitive barbarian from some
fantasy story: brutal, inefficient and unreliable.</p>
<p>This tool generates packets using fully random <span class="caps">MAC</span> addresses generated on the
fly.
This is wrong for two reasons:</p>
<ul>
<li>
<p>As we saw above, all inactive <span class="caps">MAC</span> addresses are automatically deleted
from the <span class="caps">CAM</span> table, temporarily freeing a large number of slots available
to record genuine <span class="caps">MAC</span> addresses until we manage to fill the table again
(which may take some time if the target is several switches away).
And as we also saw, a single genuine packet is sufficient to update the <span class="caps">CAM</span>
table with true information and put a definitive end to our eavesdropping
on this particular target.</p>
</li>
<li>
<p>Statistically half of the randomly generated MACs have the
<a href="https://en.wikipedia.org/wiki/MAC_address#Address_details" rel="external">I/G group bit</a> set.
However, it is forbidden to use a group <span class="caps">MAC</span> address as sender, as stated in
<a href="http://standards.ieee.org/about/get/802/802.3.html" rel="external"><span class="caps">IEEE</span> 802.3-2002, Section 3.2.3(b)</a>:</p>
<blockquote>
<p>In the Source Address field, the first bit is reserved and set to 0.</p>
</blockquote>
<p>Cisco switches (and probably others) are aware of that, and consider such
packets as malformed and drop them.
This means that half of the packets generated by <code>macof</code> are dropped by the
first switch they encounter.</p>
</li>
</ul>
<p><code>macof</code> also relies on a brute-force strategy, sending its malicious
packets as fast as the attacker’s device and the network allow.</p>
<p>This causes several issues:</p>
<ul>
<li>
<p>Switches may malfunction or even crash during the flooding process (several
reports state that the switch’s management plane was frozen during such flooding).</p>
</li>
<li>
<p>Due to the load caused on the switch side, these packets may not be reliably
relayed from switch to switch, causing only the first attacker-facing switch to
have its <span class="caps">CAM</span> table effectively overflowed.</p>
</li>
<li>
<p>Due to the load on the attacker’s side, either the network card is fully
congested or the <span class="caps">CPU</span> usage maxes out. In all cases it is impossible to
capture any traffic from the same device, which is sad since capturing
traffic is precisely the goal of this attack. The usual advice is to stop
flooding when capturing, and to alternate between flooding and capturing on a
regular basis (every minute for instance, given the 5 minutes default aging
on real gear; with Dynamips’ 30 seconds it becomes just hopeless).
I would also advise having enough luck to be capturing precisely when
interesting information is being exchanged, and enough luck to be able to
properly counter the periodic <span class="caps">MAC</span> table cleaning, which seems pretty
unfeasible in such conditions.</p>
</li>
</ul>
<p>A good <span class="caps">CAM</span> overflow attack tool should:</p>
<ul>
<li>Not use more resources than necessary, in order to allow reliable eavesdropping.</li>
<li>Generate well-formed packets (i.e. no useless packets which will get
dropped anyway and no packets which will make Wireshark (or an <span class="caps">IDS</span>…) complain).</li>
<li>Ensure that the <span class="caps">CAM</span> tables remain constantly filled so new devices will
have no chance to register their <span class="caps">MAC</span> address.</li>
</ul>
<p><code>macof</code> fails on these three requirements and is therefore not a suitable tool.
A quick search did not reveal any relevant alternative, so I went the
<a href="http://www.secdev.org/projects/scapy/" rel="external">Scapy</a> route (Scapy is a Python library and interactive tool allowing one to
freely build and manipulate network packets).</p>
<p>Here is the code I used to successfully test <span class="caps">CAM</span> table overflow in a <span class="caps">GNS3</span> environment:</p>
<div class="codehilite"><pre>#! /usr/bin/python
nbpkts = 8192
iface = "eth0"
import sys
from scapy.all import sendpfast, Ether, IP, RandIP, RandMAC, TCP
print("Initializing...")
# We first build all packets...
pkts = []
for i in range(0, nbpkts):
    macaddr = str(RandMAC())
    # Quick-and-dirty way to ensure that the I/G bit remains unset
    macaddr = macaddr[:1] + "0" + macaddr[2:]
    # This packet structure mimics a TCP SYN sent to a HTTP server.
    # A random dst mac should also work, setting one fixed can be useful
    # to easily filter-out flood-related packets when capturing traffic.
    # You can use IPs valid for your range, but be cautious that if any
    # host is made to send some RST for instance its MAC address will be
    # registered by the switches.
    pkts.append(Ether(src=macaddr, dst="ff:ff:ff:ff:ff:ff")/
                IP(src=str(RandIP()), dst=str(RandIP()))/
                TCP(dport=80, flags="S", options=[('Timestamp', (0, 0))]))
print("Launching attack, press Ctrl+C to stop...")
# ...and then we send them in a loop.
while True:
    # Adapt pps (Packets Per Second) to your needs. Running a complex
    # GNS3 topology on a low-end machine will take all the CPU causing
    # packet loss, pps will then need to be high to replay lost packets.
    # Given enough CPU, packet loss can remain low and pps can be lowered
    # too.
    sendpfast(pkts, iface=iface, file_cache=True, pps=5000, loop=999)
</pre></div>
<p>This is a quick-and-dirty, few-line example which could be improved in
several ways.
For instance, were it used against real gear, it may make sense to use two
successive sending phases, the first one quick in order to rapidly
take over the <span class="caps">CAM</span> tables, and the second one working at a far slower pace,
taking full advantage of the 5-minute aging delay to stay below the radar as
much as possible (when this default delay is changed, it is generally
raised rather than lowered; moreover I have some doubts that someone who does
not take care of enabling port security on his switches would really bother
changing such a setting).</p>
<h3 id="correct-a-bug-currently-affecting-dynamips"><a class="toclink" href="#correct-a-bug-currently-affecting-dynamips">Correct a bug currently affecting dynamips</a></h3>
<p>Sadly, when you are through all this, you will discover that when their <span class="caps">CAM</span>
table is properly filled, the switches in <span class="caps">GNS3</span> will not start to flood packets
through “all” of their ports, but will drop them instead.</p>
<p>This is due to a bug affecting the <code>bcm5600_handle_rx_pkt()</code> function, in charge
of handling received packets and located around line 2170 of the
<a href="https://github.com/GNS3/dynamips/blob/master/common/dev_nm_16esw.c" rel="external">dev_nm_16esw.c</a> file:</p>
<div class="codehilite"><pre><span class="cm">/* Source MAC address learning */</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">bcm5600_src_mac_learning</span><span class="p">(</span><span class="n">d</span><span class="p">,</span><span class="n">p</span><span class="p">))</span>
<span class="k">return</span><span class="p">(</span><span class="n">FALSE</span><span class="p">);</span>
</pre></div>
<p>Currently, when the <span class="caps">ARL</span> fails to store a new <span class="caps">MAC</span> address, the handling of the
incoming packet is aborted, effectively resulting in it being dropped.
The fix is simply to ignore the <span class="caps">ARL</span> status and continue processing the packet
anyway, since this is what real gear actually does:</p>
<div class="codehilite"><pre><span class="cm">/* Source MAC address learning */</span>
<span class="n">bcm5600_src_mac_learning</span><span class="p">(</span><span class="n">d</span><span class="p">,</span><span class="n">p</span><span class="p">);</span>
</pre></div>
<p>I’ve raised <a href="https://github.com/GNS3/dynamips/issues/72" rel="external">this issue</a> with the <span class="caps">GNS3</span> team so it can be fixed in future <span class="caps">GNS3</span>
updates.
I also advocated <a href="https://github.com/GNS3/dynamips/issues/39" rel="external">raising the <span class="caps">MAC</span> table garbage collection timeout</a> from
the current 15 seconds to 5 minutes in order to be closer to real gear behavior.</p>
<p>Until this gets fixed upstream, it requires manually modifying and
recompiling the Dynamips source code, but this is a very quick and simple
process (there is no need to recompile the whole of <span class="caps">GNS3</span>, only the <code>dynamips</code>
binary, and I provided the patches in the tickets linked above).</p>
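<p>The forwarding algorithm from “Understanding what you can really expect”, the 15-second hit-flag ager and the learning-failure bug corrected just above can all be checked together on a toy model. The following Python is an added example, not code from this article or from Dynamips; its 4-entry table, port numbers and <span class="caps">MAC</span> addresses are constructed sample values.</p>

```python
"""Toy model of a learning switch's MAC (CAM) table.

Added example, not code from the original article or from Dynamips. It follows
the algorithm described in the text: source learning into a bounded table, the
Dynamips-style "hit flag" ager run every 15 s, and the forwarding decision.
All MAC addresses, port numbers and the table size are constructed samples.
"""

FLOOD = "flood"   # frame goes out every port except the incoming one
DROPPED = None    # frame discarded (pre-fix Dynamips behaviour)


class LearningSwitch:
    def __init__(self, capacity, drop_on_learn_failure=False):
        self.capacity = capacity
        self.table = {}  # source MAC -> [port, hit_flag]
        # Dynamips bug discussed in the article: abort RX when learning fails.
        self.drop_on_learn_failure = drop_on_learn_failure

    def is_full(self):
        return len(self.table) >= self.capacity

    def learn(self, src, in_port):
        """Step 2: record or refresh the source MAC. False if no free slot."""
        entry = self.table.get(src)
        if entry is not None:
            entry[0] = in_port  # host moved: follow it to the new port
            entry[1] = True     # "reset the aging timer"
            return True
        if self.is_full():
            return False        # overflow: the only effect of a full table
        self.table[src] = [in_port, True]
        return True

    def forward(self, src, dst, in_port):
        """Steps 1-3 for one frame: returns an output port, FLOOD or DROPPED."""
        if not self.learn(src, in_port) and self.drop_on_learn_failure:
            return DROPPED
        entry = self.table.get(dst)
        if entry is not None:
            return entry[0]     # known destination: unicast as usual
        return FLOOD            # unknown destination: every port but in_port

    def age(self):
        """One ager pass: clear flags that are set, evict entries whose flag is unset."""
        for mac, entry in list(self.table.items()):
            if entry[1]:
                entry[1] = False
            else:
                del self.table[mac]


# Constructed sample addresses (the 02:... ones are locally administered).
ROUTER = "00:00:5e:00:01:01"     # always active, on port 1
VICTIM = "02:00:00:00:00:10"     # already talking, on port 2
NEWCOMER = "02:00:00:00:00:33"   # wakes up on port 3 after the flood
BOGUS = ["02:00:00:00:00:a1", "02:00:00:00:00:a2"]  # flood sources, port 4
BCAST = "ff:ff:ff:ff:ff:ff"


def scenario(drop_on_learn_failure=False):
    """Replays the article's argument on a 4-entry table; returns what each frame did."""
    sw = LearningSwitch(capacity=4, drop_on_learn_failure=drop_on_learn_failure)
    out = {}
    # Active conversation before the flood: both MACs get learned.
    sw.forward(ROUTER, VICTIM, 1)
    sw.forward(VICTIM, ROUTER, 2)
    # The flood fills the two remaining slots.
    for mac in BOGUS:
        sw.forward(mac, BCAST, 4)
    out["full"] = sw.is_full()
    # A host that wakes up now cannot register its MAC (post-fix: still forwarded)...
    out["newcomer_frame"] = sw.forward(NEWCOMER, ROUTER, 3)
    out["newcomer_learned"] = NEWCOMER in sw.table
    # ...so router->newcomer is flooded (only this direction is observable),
    out["router_to_newcomer"] = sw.forward(ROUTER, NEWCOMER, 1)
    # ...while router->victim is still plain unicast: there is no "hub mode".
    out["router_to_victim"] = sw.forward(ROUTER, VICTIM, 1)
    # Two ager passes (30 s) with no refresh of the bogus MACs, while the
    # genuine hosts keep talking in between: only the flood entries are evicted.
    sw.age()
    sw.forward(VICTIM, ROUTER, 2)
    sw.forward(ROUTER, VICTIM, 1)
    sw.age()
    out["bogus_left"] = sum(mac in sw.table for mac in BOGUS)
    out["genuine_left"] = ROUTER in sw.table and VICTIM in sw.table
    # With free slots again, the newcomer registers and stops being observable.
    sw.forward(NEWCOMER, ROUTER, 3)
    out["newcomer_learned_after_aging"] = NEWCOMER in sw.table
    out["router_to_newcomer_after_aging"] = sw.forward(ROUTER, NEWCOMER, 1)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print("fixed  ", key, "=", value)
    print("pre-fix newcomer_frame =", scenario(True)["newcomer_frame"])
```

<p>The two runs differ only in the newcomer’s own frame: with the pre-fix behaviour it is dropped, after the fix it is forwarded to the router’s port even though its source <span class="caps">MAC</span> was never learned.</p>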
<h3 id="final-notes"><a class="toclink" href="#final-notes">Final notes</a></h3>
<p>After you do that, you will be able to test and repeat <span class="caps">MAC</span> overflow attacks in
<span class="caps">GNS3</span> with router-based switches in a stable and predictable manner.</p>
<p>Here are two final notes:</p>
<ul>
<li>
<p>While router-based switches allow testing <span class="caps">CAM</span> overflow attacks, they will
not allow testing proper mitigation techniques as they do not implement
port security.
I think this is a limitation of <span class="caps">IOS</span> rather than <span class="caps">GNS3</span> since the relevant
options are not even present in the shell.
<a href="http://evilrouters.net/cisco-iou-faq" rel="external"><span class="caps">IOU</span></a> offers these options; however, due to its <span class="caps">CAM</span> table allowing
nearly 200 million entries (compared to the 8192 of a real <span class="caps">IOS</span>) it seems
out of reach for a traditional <span class="caps">CAM</span> overflow attack. So <span class="caps">IOU</span> is the
opposite of router-based switches: it can be used to test mitigation
techniques but not to reproduce the attack. Be aware also that the <span class="caps">IOU</span>
implementation of the Spanning Tree Protocol (<span class="caps">STP</span>) is heavily buggy and
topology loops must be avoided.</p>
</li>
<li>
<p>Speaking of <span class="caps">STP</span> and depending on the topology, becoming <span class="caps">STP</span> Root
(<code>yersinia stp -attack 4</code>) should induce a clearing of most <span class="caps">MAC</span> tables
dynamic entries due to the topology change and may provide you a more
efficient flooding and eavesdropping experience ;).</p>
</li>
</ul>
<hr/>
<p class="footnote">Article based on a <a href="https://networkengineering.stackexchange.com/q/20313/27387#32567" rel="external">StackExchange answer</a>.</p>