Sunday, 3 December 2017

Decoding Secret Message with Python

Planning a Secret Message

Renaming the 50 files in a folder will solve a puzzle.

The scenario involves a message that is scrambled by the naming convention of a set of image files. Each file name begins with numbers. Once the numbers are removed, the renamed images sort alphabetically, revealing a message in the photos.

I will need to do the following:
  1. Gather the file names from the folder
  2. Rename each file in the folder by removing the numbers from its name

Here is the code and the explanation for step 1, which is to gather the file names from the folder:
import os  # imports the os module

def rename_files():  # defines a new function
    # defines the variable file_list and assigns it the result of os.listdir, which
    # returns the list of file names in the folder at the given path. The r prefix
    # makes the path a raw string, so the backslashes are taken as they are and
    # not interpreted as escape sequences.
    file_list = os.listdir(r"C:\Users\HG Wells\Google Drive\Tech\Udacity\prank")
    print(file_list)  # prints the variable file_list

rename_files()  # runs the defined function rename_files

The following will be the output when this function is run:

Step 2 is to rename the files. I will use the rename function from the os module to accomplish this:

import os

def rename_files():
    # (1) retrieve the file names from the folder location
    file_list = os.listdir(r"C:\Users\HG Wells\Google Drive\Tech\Udacity\prank")
    print(file_list)
    # show the current directory, which is where rename_files.py is saved
    saved_path = os.getcwd()
    print("Current Working Directory is " + saved_path)
    # change the current directory to the folder with the files we want to rename
    os.chdir(r"C:\Users\HG Wells\Google Drive\Tech\Udacity\prank")
    # (2) rename each file in the list
    for file_name in file_list:
        # os.rename takes the current name and the new name. The Python 2 form of
        # str.translate used here, translate(None, "0123456789"), deletes every
        # digit from the name, which is what the new name should be.
        os.rename(file_name, file_name.translate(None, "0123456789"))
    # move the current directory back to the original place
    os.chdir(saved_path)

rename_files()

Upon looking at the images in the folder, I can see that the images have new names (they no longer contain numbers) and the secret code is displayed:
(Photos from Udacity)
Keys are in the closet behind the shoe box.
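As an added example that is not part of the original post, here is a Python 3 version of the same rename. It replaces the Python 2 translate(None, ...) idiom with str.maketrans, avoids os.chdir by joining full paths, and, because os.rename silently overwrites an existing file on most platforms, refuses renames whose digit-free name would be empty or would collide with another file. The folder and file names are constructed for the demo; the real "prank" folder is not used.

```python
import os
import tempfile

# Python 3 replacement for the Python 2 idiom file_name.translate(None, "0123456789")
STRIP_DIGITS = str.maketrans("", "", "0123456789")


def plan_renames(file_names):
    """Map each name to its digit-free name and report the ones that are unsafe.

    Returns (renames, skipped): renames is a sorted list of (old, new) pairs that
    can be applied without clobbering anything; skipped maps a name to the reason
    it was left alone.
    """
    targets = {}   # new name -> old name that claimed it
    skipped = {}
    for name in sorted(file_names):
        new = name.translate(STRIP_DIGITS)
        if not new.split(".")[0]:
            # Nothing but digits (or digits plus an extension) was left.
            skipped[name] = "name would be empty"
        elif new in targets:
            # Two files would end up with the same new name.
            skipped[name] = "collides with %s" % targets[new]
        elif new in file_names and new != name:
            # A file with the digit-free name is already in the folder.
            skipped[name] = "target already exists"
        else:
            targets[new] = name
    renames = sorted((old, new) for new, old in targets.items() if old != new)
    return renames, skipped


def rename_files(folder):
    """Strip digits from every file name in folder, applying only the safe renames."""
    renames, skipped = plan_renames(set(os.listdir(folder)))
    for old, new in renames:
        os.rename(os.path.join(folder, old), os.path.join(folder, new))
    return renames, skipped


def demo():
    # Constructed sample folder standing in for the Udacity "prank" directory.
    folder = tempfile.mkdtemp()
    sample = ["48keys.png", "27are.png", "9in.png", "13the.png",
              "7closet.png", "2025.jpg", "1are.png"]
    for name in sample:
        open(os.path.join(folder, name), "w").close()
    renames, skipped = rename_files(folder)
    return renames, skipped, sorted(os.listdir(folder))
```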

Sunday, 26 November 2017

Take a Break Python Program

Take a Break

This program will remind an employee to take a break every two hours.

In plain English this is the logic for this program:
1. Wait 2 hours.
2. Open browser as a break reminder.
3. Create loop to repeat steps during the work day.

I will be using Python 2.7.14 to build this program. Once I open Python IDLE, I create a new file to write my program in.


webbrowser.open() will be the function used to open the web browser. Within the parentheses I place a YouTube link, which will be opened in the browser. Before I run this program, I also need to explicitly state the library the function belongs to:

import webbrowser

webbrowser.open("https://www.youtube.com/watch?v=WSUFzC6_fp8")



I save this as breaktime.py and when I click run or press F5, the program opens the browser to the defined YouTube link.

Next, I will call the sleep function from the time library. To test it, I pass 10 as the number of seconds, so the program waits 10 seconds before calling the function that opens the web browser:

import time
import webbrowser

time.sleep(10)
webbrowser.open("https://www.youtube.com/watch?v=WSUFzC6_fp8")

When I save and run the program (F5), the program waits 10 seconds before opening the link passed to the function.

Now the program requires a loop to prompt multiple breaks during a time interval.

Below I've added time.ctime to display the time when the loop starts. The program is also written to go through this loop 3 times, every 10 seconds, which means the YouTube link will be opened three times at 10-second intervals:

import time
import webbrowser

break_total = 3
break_count = 0

print("Program iteration time: "+time.ctime())
while(break_count < break_total):
    time.sleep(10)
    webbrowser.open("https://www.youtube.com/watch?v=WSUFzC6_fp8")
    break_count = break_count + 1

Now, in order to trigger this break reminder every two hours, I multiply 60 seconds by 60 minutes by 2 hours to get the equivalent number of seconds. Note also that there are 3 total breaks, which should be enough for the average 8 hour work day:

import time
import webbrowser

break_total = 3
break_count = 0

print("Program iteration time: "+time.ctime())

while(break_count < break_total):
    time.sleep(60*60*2)
    webbrowser.open("https://www.youtube.com/watch?v=WSUFzC6_fp8")
    break_count = break_count + 1


Additional Concepts:
Abstraction hides how certain functions work. This happened earlier when referencing the time and webbrowser libraries to use their respective functions, sleep and open, without knowing how they are implemented.

Wednesday, 30 August 2017

Dynamic ARP Inspection (DAI) Mitigates ARP Poisoning to Prevent Man in the Middle Attacks (MITM)

Address Resolution Protocol allows a device to resolve an IP address to a MAC address. By example, assume PC A is connected to a switch which is connected to a router. PC A needs to send traffic to the router’s IP of 192.168.4.3, but the switch doesn’t know which MAC address to send this traffic to. ARP allows the switch to learn the MAC address by forwarding a frame received from PC A’s port and broadcasting it out on all the other ports in the switch. This frame is asking: what is the MAC address of the device that owns 192.168.4.3? Devices on the other ports will drop the frame if the IP doesn’t match their own address. The router will do the opposite and will send a reply back with its MAC address information, because it has the IP address the switch was looking for. This enables communication between PC A and the router.

This ARP process can be exploited through ARP poisoning, also known as ARP spoofing, to eavesdrop on the traffic. Let’s say PC B is the attacker PC that will conduct ARP spoofing and is plugged into the environment above. PC B will send what is called a gratuitous ARP – an ARP message that wasn’t requested, but is sent on its own accord to update ARP information. PC B’s ARP message directed towards PC A will claim that its IP is 192.168.4.3, so send traffic to PC B’s MAC address. PC B also directs a gratuitous ARP to the router claiming that it owns PC A’s IP address, so send traffic to PC B’s MAC address. If the switch believes this, PC B will have successfully conducted ARP poisoning. PC B can then forward the frames between the router and PC A after eavesdropping on or manipulating the traffic. ARP spoofing then becomes a MITM attack.

To mitigate this attack, Dynamic ARP Inspection can be used. When configured on a VLAN, it defaults all ports on the VLAN to untrusted, which means their ARP traffic is inspected. (Ports are marked trusted for trunks, since access ports are mostly where attacks will come from. Untrusted access ports are also limited to 15 ARP packets per second to prevent attacks like ping suite.) The inspection verifies that the MAC address and IP address pairing in each ARP packet is genuine. The DHCP snooping binding table is what makes this verification possible: it records which IP addresses were actually allocated to which MAC addresses, and ARP packets are matched against it. This means that PC B will not be able to break traffic confidentiality as a MITM server, because DHCP snooping would know that PC B’s MAC address was never given the IP address it claims to own.

Some devices will not be in the DHCP snooping table, such as hosts with static addresses. In these cases, a static ARP ACL can be manually configured to tell the switch which MAC address to expect for a given IP.

Other checks that can be enabled include validating the MAC address in the frame header against the one inside the ARP payload, or validating the IP addresses inside the payload.
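To make the inspection logic concrete, here is an added example (constructed for this post, not a vendor implementation) that models a DAI-enabled switch: untrusted ports have each ARP packet checked against a DHCP snooping binding table and a static ARP ACL, the frame header MAC is compared with the ARP body, and untrusted ports are rate-limited to 15 packets per second. The MAC addresses, port names and binding entries are made up to match the PC A / PC B / router scenario above.

```python
from collections import namedtuple

# Constructed inputs for the post's topology: PC A, attacker PC B, and the router.
# DHCP snooping binding table: (MAC, IP) pairs the DHCP server actually leased.
DHCP_BINDINGS = {("aa:aa:aa:aa:aa:aa", "192.168.4.10")}   # PC A
# Static ARP ACL for hosts that never use DHCP and so never appear in the binding table.
ARP_ACL = {("cc:cc:cc:cc:cc:cc", "192.168.4.3")}          # the router
TRUSTED_PORTS = {"Gi0/24"}                                 # trunk uplink, not inspected

# One ARP packet as the switch sees it: ingress port, arrival time in seconds,
# Ethernet source MAC, and the sender MAC/IP pair inside the ARP body.
ArpPacket = namedtuple("ArpPacket", "port ts src_mac sender_mac sender_ip")


class DaiSwitch:
    def __init__(self, bindings, acl, trusted, rate_limit=15):
        self.bindings, self.acl, self.trusted = bindings, acl, trusted
        self.rate_limit = rate_limit        # ARP packets per second per untrusted port
        self.counts = {}                    # (port, whole second) -> packets seen
        self.errdisabled = set()

    def inspect(self, pkt):
        """Return (verdict, reason) for one ARP packet."""
        if pkt.port in self.errdisabled:
            return "drop", "port is err-disabled"
        if pkt.port in self.trusted:
            return "forward", "trusted port, not inspected"
        key = (pkt.port, int(pkt.ts))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.rate_limit:
            self.errdisabled.add(pkt.port)
            return "drop", "rate limit exceeded, port err-disabled"
        if pkt.src_mac != pkt.sender_mac:
            return "drop", "src-mac check: frame header and ARP body disagree"
        pair = (pkt.sender_mac, pkt.sender_ip)
        if pair in self.acl:
            return "forward", "matches static ARP ACL"
        if pair in self.bindings:
            return "forward", "matches DHCP snooping binding"
        return "drop", "no binding or ACL entry for %s -> %s" % pair


def run_scenario():
    sw = DaiSwitch(DHCP_BINDINGS, ARP_ACL, TRUSTED_PORTS)
    pc_a, pc_b, router = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    packets = [
        # PC A asks who owns the router's IP: legitimate, matches its binding.
        ArpPacket("Gi0/1", 0.0, pc_a, pc_a, "192.168.4.10"),
        # The router replies: not in the DHCP table, but allowed by the static ARP ACL.
        ArpPacket("Gi0/3", 0.1, router, router, "192.168.4.3"),
        # PC B's gratuitous ARP claiming the router's IP: no binding says so.
        ArpPacket("Gi0/2", 0.2, pc_b, pc_b, "192.168.4.3"),
        # PC B's gratuitous ARP towards the router claiming PC A's IP.
        ArpPacket("Gi0/2", 0.3, pc_b, pc_b, "192.168.4.10"),
    ]
    # PC B then sends 20 ARP packets within one second from the same port.
    packets += [ArpPacket("Gi0/2", 1.0 + i / 100, pc_b, pc_b, "192.168.4.3")
                for i in range(20)]
    verdicts = [sw.inspect(p) for p in packets]
    return verdicts, sorted(sw.errdisabled)
```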


Taking precautionary measures at layer 2 can help prevent compromise of the confidentiality or integrity of the traffic. Dynamic ARP Inspection is a good measure to include on a checklist for hardening network security.

Tuesday, 29 August 2017

Private VLAN

Big Picture

Private VLANs allow one IP subnet to be shared among several subset VLANs. The structure is a primary VLAN, which is a regular VLAN configured to hold the secondary VLAN subsets. PVLAN design is used mostly by ISPs to separate customers from each other, as it helps save addressing space in the LAN.

Another scenario for a private VLAN is a branch office in City A that is given a single IP subnet. A private VLAN can take this subnet and provide addresses to the secondary VLAN subsets.

What makes up the Private VLAN?

The private VLAN is made up of the primary VLAN and the secondary VLANs. An IP subnet is given to the primary VLAN and shared with the secondary VLANs (subsets of the primary VLAN). Because the subnet is divided among the secondary VLANs, depending on the configuration, ports in the same subnet may not be able to talk to each other.

In the secondary VLAN, there are three main ideas:

1. Community Group – This group allows all ports within it to communicate with each other. Many community groups can be made in a secondary VLAN, but one community group cannot cross over to communicate with other community groups. The only way to get outside communication is to go through the promiscuous port.

2. Isolated Group – Only one isolated group is allowed in a secondary VLAN. Ports in this group are not allowed to communicate with each other. If a port needs to talk to the outside world, it goes through the promiscuous port.

3. Promiscuous Port – It is called such because of the willing nature of the port to communicate with all ports. That means it will talk to the isolated group and the community groups, as well as the outside world. Usually the promiscuous port is connected to a default gateway, which knows how to route the traffic onward.

If the private VLAN is configured correctly, it allows proper IP subnet addressing while also providing privacy within a community, or for isolated individuals.



Monday, 28 August 2017

DHCP Snooping vs Raspberry Pi (A beginner concept)

Elliot is a savvy techie that works at Price Wright Corporation. This morning, his routine seemed all too normal. He arrived at work at 9am sharp, filled his mug with coffee and started to chat with his colleagues. As he chatted away, the back of his mind was running with a technical sequence he planned to execute.

In Elliot’s backpack, he brought a specifically configured Raspberry Pi that would do his bidding. The fifth floor of Price Wright Corporation was under construction. No one was on this floor. This is where he would find a port to plug in the router. He sneaks away from the conversation he was having, and proceeds to execute his plan.

At his cubicle, he remotely checks to see if his plan worked. The Raspberry Pi should have already run the necessary configurations.

1. DHCP Starvation Attack – Kali is running on the Raspberry Pi. A script on this OS would begin the process to flood Price Wright Corporation’s DHCP server with fake DHCP requests. The DHCP server would no longer be able to hand out IP addresses at this point.
2. Rogue DHCP Server – Then the Kali box would supplant the DHCP server. All devices would then be requesting IP address information from Kali. That includes the DNS server and default gateway information.
3. Man in the Middle – End clients would have their traffic rerouted because the IP addressing is owned. Traffic would be forwarded to a MITM server acting as a proxy to the internet. All traffic would then be visible to Elliot. The network would be considered owned.

When Elliot logs into the remote server that traffic was to be forwarded to, he finds no forwarded traffic. After troubleshooting, he finds out the Kali box was denied DHCP server status.

In this scenario, the DHCP starvation attack is thwarted by a concept called DHCP snooping. When DHCP snooping is applied, switch ports are able to restrict the type of DHCP data that is forwarded through them.

DHCP negotiation is remembered by the acronym DORA – Discover, Offer, Request, and Acknowledgement. Discover and Request traffic is sent by machines requesting IP address information, while Offer and Acknowledgement traffic is DHCP server traffic. DHCP server traffic should only come from the appropriate DHCP server. DHCP snooping blocks server traffic on ports where no DHCP server should be. This was the case for Price Wright Corporation.

DHCP snooping was enabled for Price Wright Corporation, which prevented the Kali box from acting as the DHCP server. Their environment only allowed DHCP server traffic from the access port of the main DHCP server, the trunk link to the switch holding the fault tolerant server, and the access port of the fault tolerant DHCP server.
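The following is an added example, written for this post and not taken from any switch vendor, that models the DHCP snooping decision described above: Offer and Ack messages are only forwarded from trusted ports, Discover and Request on untrusted ports must carry a client hardware address that matches the frame's source MAC (the check that blunts starvation floods with forged client addresses), and forwarded Acks populate the binding table that Dynamic ARP Inspection later relies on. Port names and MAC addresses are constructed stand-ins for Price Wright Corporation's network.

```python
from dataclasses import dataclass, field

# DHCP message types split the way snooping treats them (DORA):
# Discover and Request come from clients; Offer and Ack may only come from real servers.
CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}
SERVER_MESSAGES = {"OFFER", "ACK"}


@dataclass
class DhcpSnoopingSwitch:
    # Ports where DHCP server traffic is legitimate: the main server's access port,
    # the trunk towards the fault tolerant server's switch, and that server's access
    # port. The names are constructed for this example.
    trusted_ports: set
    # Port each client was last seen requesting from: client MAC -> port.
    pending: dict = field(default_factory=dict)
    # Binding table learned from forwarded ACKs: client MAC -> (leased IP, client port).
    bindings: dict = field(default_factory=dict)

    def handle(self, port, frame_src_mac, msg_type, client_mac, leased_ip=None):
        """Decide whether one DHCP message may be forwarded; returns (verdict, reason)."""
        untrusted = port not in self.trusted_ports
        if msg_type in SERVER_MESSAGES and untrusted:
            # A server reply arriving on an untrusted (access) port is a rogue server.
            return "drop", "%s from untrusted port %s" % (msg_type, port)
        if msg_type in CLIENT_MESSAGES and untrusted and frame_src_mac != client_mac:
            # Starvation floods forge the client hardware address inside the DHCP payload;
            # on untrusted ports it must match the Ethernet source address.
            return "drop", "client MAC %s does not match frame source %s" % (client_mac, frame_src_mac)
        if msg_type in CLIENT_MESSAGES:
            self.pending[client_mac] = port
        if msg_type == "ACK" and leased_ip:
            # Record who really received which address for DAI and IP Source Guard to use.
            self.bindings[client_mac] = (leased_ip, self.pending.get(client_mac))
        return "forward", "ok"


def run_scenario():
    sw = DhcpSnoopingSwitch(trusted_ports={"Gi0/1", "Gi0/2", "Gi0/48"})
    server, kali, client = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01"
    events = [
        # A normal lease: client on Gi0/7, the real server on trusted Gi0/1.
        sw.handle("Gi0/7", client, "DISCOVER", client),
        sw.handle("Gi0/1", server, "OFFER", client, "10.0.0.50"),
        sw.handle("Gi0/7", client, "REQUEST", client),
        sw.handle("Gi0/1", server, "ACK", client, "10.0.0.50"),
        # Starvation attempt from the Kali box on Gi0/5: forged client MAC in the payload.
        sw.handle("Gi0/5", kali, "DISCOVER", "02:00:00:00:00:01"),
        # Rogue server attempt: Kali answers the client from an untrusted port.
        sw.handle("Gi0/5", kali, "OFFER", client, "10.0.0.99"),
    ]
    return events, dict(sw.bindings)
```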




Although there are malicious reasons rogue DHCP servers enter the environment, it is also very likely an accident by an employee. Sometimes employees bring in a router to have more accessible ports, and when it’s plugged into the company network, the router acts as a DHCP server. The intent isn’t malicious if done by accident; it was an unknowing mistake. Routers by default become a DHCP server when plugged into a network. If computers decide to use this DHCP server, they won’t be able to talk to the network. The accident would cause a denial of service, DoS.

Friday, 25 August 2017

Kali’s Macof for CAM Table Overflow Attack is Denied by Port Security

Kali OS, the one with the cool dragon logo on it is a great toolkit for the hacker’s arsenal. If you’ve ever seen Mr. Robot, you’ll see the dragon symbol on their computer to own Evil Corp. With this OS, networks can be owned, if they aren’t configured well.

Macof is a program that can run inside the Kali OS. If it is run against a port on a switch, it does what’s called a Content Addressable Memory Table Overflow Attack, or CAM Table Overflow Attack for short. The CAM table is used to remember which port a MAC address is reached through. Because the table can only store so many MAC addresses, older MAC addresses start to be removed when the table reaches capacity. This is what happens when the macof program is used: the program sends thousands upon thousands of MAC addresses until the CAM table reaches capacity and the oldest MAC addresses are removed.

So why is this an issue? Let’s say there’s a switch with a CAM table capacity of 2000 MAC addresses. On this switch there are three ports occupied. One is a Windows computer, and one of them is an Ubuntu machine. These machines have been on the switch and have been able to send traffic as wanted. Until now. A Kali laptop is newly plugged into the switch. It runs the macof program. The CAM table overflow attack makes the switch forget the MAC addresses for the two other legitimate computers. Therefore, once these computers try to talk with each other, the switch will not know which ports to send the traffic to, as the port reference for the MAC addresses has been forgotten. Switch logic then dictates that it figure out who owns these addresses by sending the traffic out to all the ports (except for the one the traffic came in on). When the traffic is flooded this way, the Kali laptop can receive and interpret the traffic from the other devices on the switch.

The CAM table overflow attack is a huge risk. This attack leaves traffic exposed, and can open avenues for further risk escalation into the network, e.g. DNS poisoning via MITM. Luckily, switches have preventative measures to mitigate risks, and to specifically block the CAM table overflow attack.

Port security is the preventative measure that Cisco switches have for attacks from Kali’s macof program. It prevents CAM Table overflow attacks by three major actions:

1. Protect – This is basic protection and rarely used. It simply doesn’t allow traffic beyond what is configured for the port. For instance, if a port is configured to have 3 MAC addresses only, it will not allow traffic from beyond these 3 MAC addresses. So when a machine with a 4th MAC address is plugged into it, the port simply does not allow the traffic to continue. No messages are sent to alert administrators of this 4th MAC address; the port simply prevents the traffic.
2. Restrict – This is like protect in that it stops traffic from MAC addresses that aren’t configured for the port. It also does an additional action by telling someone when there is a violation. A violation would look like a machine with a 4th MAC address plugged into the port, when that port is configured to have 3 MAC addresses on it. As soon as this machine is plugged in and tries to communicate, the port will not recognize the MAC address and will send an alert to the proper administrator about this violation. Additionally, the violation counters are incremented.
3. Shutdown – This has the same principle as the previous two modes. With this mode, traffic is still denied if there’s a violation. However, greater measures are taken by completely shutting down the port on a violation. Like restrict mode, this will also send SNMP alerts and increment counters.

It may be helpful to note that I have also seen Shutdown VLAN added to this list if a violation occurs.

To differentiate the appropriate mac addresses to be allowed on a switch, there are also three primary modes that can be configured for this. By default, switches are configured to have one mac address per port. But this can also be configured with the help of three primary modes:

1. Dynamic – MAC addresses are learned without any manual configuration. If a port is set to have 4 MAC addresses, dynamic mode will learn and apply the first 4 machines that are plugged into the port. Beyond that, a violation occurs. This is the default mode.
2. Static – This mode requires that MAC addresses are applied manually. If port security allows 3 MAC addresses on a port, then 1 MAC address can be assigned manually while 2 more MAC addresses are allowed through dynamic mode.
3. Sticky – Sticky is like dynamic, but the learned addresses are written directly into the running configuration. So if the running configuration is saved to the startup configuration, the MAC addresses are remembered when the switch is rebooted.

Port security can also be configured more specifically. However, port security can only be applied to ports that are configured as access or trunk ports. So if a switch port is in dynamic mode and may negotiate either access or trunk, port security cannot be configured on it. If a port is set as either an access or a trunk port, the basic configuration and even more specific port security configurations can be made. More specific configurations include different limits on the number of MAC addresses allowed on each VLAN, the mode a VLAN can have, and aging the MAC addresses out of the CAM table.
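As an added example that is not part of the original post, the model below captures the behaviour of the three violation modes and the three learning modes described above on a single port, then replays a macof-style flood of forged source addresses against it. It is a constructed simulation of the semantics, not Cisco IOS code; the MAC addresses and the running-config line format are assumed for illustration.

```python
class PortSecurity:
    """One switch port with port security: max addresses, violation mode, learning mode."""

    def __init__(self, max_macs=1, violation="shutdown", sticky=False, static=()):
        assert violation in ("protect", "restrict", "shutdown")
        self.max_macs = max_macs
        self.violation = violation
        self.sticky = sticky
        self.static = set(static)           # manually configured addresses (static mode)
        self.learned = []                   # dynamically learned addresses, in arrival order
        self.violations = 0                 # counter shown to the administrator
        self.alerts = []                    # SNMP trap / syslog messages
        self.err_disabled = False

    def allowed(self):
        return self.static | set(self.learned)

    def ingress(self, src_mac):
        """Process one frame's source MAC; returns 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.allowed():
            return "forward"
        if len(self.allowed()) < self.max_macs:
            self.learned.append(src_mac)    # dynamic (or sticky) learning up to the maximum
            return "forward"
        # The maximum is reached and an unknown source MAC arrived: a violation.
        if self.violation == "protect":
            return "drop"                   # silently dropped: no counter, no alert
        self.violations += 1
        self.alerts.append("PSECURE_VIOLATION: unexpected source %s" % src_mac)
        if self.violation == "shutdown":
            self.err_disabled = True        # port stays down until an admin recovers it
        return "drop"

    def running_config(self):
        """Interface lines as they would appear in the running configuration (assumed format)."""
        lines = ["switchport port-security",
                 "switchport port-security maximum %d" % self.max_macs,
                 "switchport port-security violation %s" % self.violation]
        lines += ["switchport port-security mac-address %s" % m for m in sorted(self.static)]
        if self.sticky:
            # Sticky learning writes each learned address into the running config.
            lines.append("switchport port-security mac-address sticky")
            lines += ["switchport port-security mac-address sticky %s" % m for m in self.learned]
        return lines


def macof_flood(port, count=1000):
    """Replay a flood of distinct forged source MACs into the port and summarise the outcome."""
    for i in range(count):
        port.ingress("02:00:00:00:%02x:%02x" % (i // 256, i % 256))
    return {"learned": len(port.allowed()), "violations": port.violations,
            "alerts": len(port.alerts), "err_disabled": port.err_disabled}
```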


The problem of the CAM table overflow attack can be defended against with the proper implementation of port security. If the switch in our attack scenario was configured to allow 2 MAC addresses before a violation shuts the port down, and the CAM table capacity was 8000, then when Kali executed macof the flood would go nowhere and the port would be shut down. An alert would be sent to an administrator, who would have to investigate this port before bringing it back up again.

Thursday, 24 August 2017

Confidentiality Integrity and Availability vs Techman X

CIA is the acronym that boils down the basics of security - and no, I don’t mean CIA as in the intelligence organization. In tech, it’s a standard acronym for Confidentiality, Integrity and Availability. These are the measures that determine security in an environment. If these measures look good in your environment, you can feel good that the bad guys will do no harm. In this post I’ll give a brief overview through examples with Techman X.
Confidentiality
A bad guy, Techman X, learns that Gym A puts their customers’ credit card information on one particular laptop. Techman X thinks, “Aha! My recon work is done. If I get my hands on that laptop, I can steal other people’s credit card information.” One evening, Techman X tiptoes into the gym. While no one is looking he snatches the laptop, and sneaks out! “Success!” so he thinks.
Techman X is a pretty smart guy. He knows how tech stuff works. So later that evening, he grabs one of his fancy forensic tech tools. The tool should allow him to see what’s in the laptop without the password. But a surprise hits Techman X. When he attempts to pwn the laptop, he’s stunned at what he sees… Gibberish… The data in the laptop is jumbled up.
This is confidentiality. It is the idea that allows for credit card information to be kept secret for Gym A. Encryption falls into this category, and was the saving defense for Gym A – it made the data look like gibberish.
Other aspects to confidentiality, also include authentication. Users can access secret information if they have authorized credentials such as a username and password. Some companies also use smart cards to authenticate. This gives an extra layer of security by having a physical item as a prerequisite to access.
Integrity
This topic is based on reputation. Can the data that you have be trusted? Or has it morphed into something evil? Perhaps. Well, at least in the next scenario with Techman X it has.
Techman X decides to use an executable to steal credit card information. On a Saturday morning, he poses as a patching technician that corporate sent to Gym A. The local IT guy at Gym A is wary because he hasn’t been informed about this surprise visit. Techman X tries to ease the local IT guy’s nerves, “It’s all good, I don’t have to stay. You can perform the patching. Here’s the regular OS update from Big Company.” Techman X hands the local IT guy the USB stick with the patch from Big Company’s OS update. The patch is an executable and it looks legit.
When the surprise visitor leaves, local IT guy takes off his glasses and dons the blue cape. BlueTeamTech goes into action. He goes to Big Company’s website to see that the executable’s name is legitimate, patch.exe. That checks out. BlueTeamTech has abilities that are out of this planet, so he doesn’t stop there. He checks to see if there is a hash for the executable. Behold, Big Company has the hash.
BlueTeamTech goes to his isolated sandbox, and navigates to the terminal and types:
cd /d D:
certutil -hashfile patch.exe
The terminal spits out a hash. BlueTeamTech checks to see if it matches with Big Company’s hash. It doesn’t. BlueTeamTech immediately destroys the isolated sandbox and reports the usb incident to proper authorities.
Integrity checks go beyond what seems reputable. In this case, the patch looked legitimate, but a closer look showed it wasn’t. The data couldn’t be trusted.
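BlueTeamTech's check, as an added example that is not part of the original post: compute the file's digest in chunks and compare it with the vendor's published value. It assumes a SHA-256 digest (certutil -hashfile defaults to SHA-1 unless an algorithm is given) and normalises the case and the spaces that certutil prints between bytes on older Windows versions; the patch file and the "published" hash are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def normalise(published):
    """Bring a published digest into lower-case hex with no separators.

    Vendor pages often print upper-case hex and older certutil versions print the
    bytes separated by spaces, so both forms compare equal after this step.
    """
    return published.strip().lower().replace(" ", "").replace(":", "")


def verify_patch(path, published_hash, algorithm="sha256"):
    """Return (matches, actual_digest); a mismatch means the file is not the one the vendor shipped."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, normalise(published_hash)), actual


def demo():
    folder = tempfile.mkdtemp()
    path = os.path.join(folder, "patch.exe")
    # Constructed stand-in for the vendor's installer (not a real executable).
    genuine = b"MZ" + b"\x00" * 62 + b"constructed patch body"
    with open(path, "wb") as f:
        f.write(genuine)
    # The value "Big Company" would publish: the digest of the genuine file, upper case.
    published = hashlib.sha256(genuine).hexdigest().upper()
    ok_genuine, _ = verify_patch(path, published)
    # The file from the USB stick: same size, one byte changed.
    with open(path, "wb") as f:
        f.write(genuine[:-1] + b"!")
    ok_tampered, _ = verify_patch(path, published)
    return ok_genuine, ok_tampered
```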
Availability
Backups and throughput could sum up availability. These two components allow continuous use of data. Backups allow continuous use of data if the current data happens to become corrupt. Throughput allows continuous use of data by making sure there are no obstacles in the way of getting to the data (e.g. network latency).
With this example with Techman X, I’ll explore the throughput side of availability.
Techman X is at it again. His plans keep getting foiled. But this time, he thinks, “If I make my attacks more sophisticated, I will eventually steal the credit card information.” So he devises.
On his white board he draws out what he’s going to do. On the left side of the board, he draws 10 computers representing 1,000,000 other computers. On the right, he draws Gym A’s infrastructure where website credit card payments are processed. In the middle is Gym A’s main website IP, and his Man-in-the-Middle server. His plan is to unleash a full scale distributed denial of service attack from his unaware cavalry of 1,000,000 computers against Gym A’s website IP. This should bring it down. Meanwhile, he will bring his MITM server live to replicate Gym A’s website. With the MITM server, credit card information entered by users will be visible to Techman X.
The zero day DDoS attack approaches and is executed. 1,000,000 unwitting soldiers fire shots of ping and SYN flood messages towards the website IP. Techman X’s eyes are wide with malicious hope. One minute goes by, and the attack rages on. Two minutes… Three minutes… Four minutes… Nothing is happening. His MITM server isn’t online, and customers are still able to use Gym A’s website. Techman X is infuriated, “It must be that darn local IT guy!”

It was that darn local IT guy. With network visibility, BlueTeamTech laughed as he saw the attack being thwarted by his sophisticated fortress. The network perimeter was built with next generation equipment. Stacked with Intrusion Prevention Systems, and load balancers in mind, the website was impregnable. Availability prevailed.