Fun with Flask: Creating Simple GET Endpoints

Python is a great programming language to build web applications with. Not only is the barrier to entry lower than for other languages, but there is also a wide variety of web frameworks to choose from (e.g. Flask, Django).

My personal favorite is Flask. Flask is easy to use and has the ability to scale out (e.g. via Blueprints). When building my personal website, I wanted to keep things simple. The design is minimal and serves the intended purpose. With the endpoints, however, I wanted to be more creative. Currently, there are two endpoints: /skills and /education. Both /skills and /education accept only two HTTP methods: GET and OPTIONS. Later on, I’m going to create some cooler endpoints that integrate with other Python libraries. However, for now, I think querying endpoints for data is just as cool.

card.mcclunetechnologies.net is my personal website. The site is essentially my virtual business card. I want to have endpoints that are under-the-radar and return more information about myself. Right now, you can query /skills and /education by navigating to the endpoints directly. You can also send a GET request using a tool like curl.

Both endpoints return JSON responses. When querying an endpoint like /skills, Python will open a connection to a remote MySQL database and fetch all information within the appropriate table. As the OPTIONS method describes, /skills will return the following:

user@debian:~$ curl -s -XOPTIONS https://card.mcclunetechnologies.net/skills
Supported Methods for /skills: GET
Provides the following information: skill_name (string), skill_description (string), years_of_experience (integer), and comfort_level (string; can either be low, medium, or high)

Sending a GET request to /skills will return the MySQL fetchall() response dumped into JSON:

user@debian:~$ curl -s -XGET https://card.mcclunetechnologies.net/skills
[
[
"Active Directory",
"Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. However, Active Directory became an umbrella title for a broad range of directory-based identity-related services.",
7,
"medium"
],
[
"Ansible",
"Ansible is an open-source software provisioning, configuration management, and application-deployment tool enabling infrastructure as code. It runs on many Unix-like systems, and can configure both Unix-like systems as well as Microsoft Windows.",
2,
"medium"
],
[
"Apache CloudStack",
"CloudStack is open-source cloud computing software for creating, managing, and deploying infrastructure cloud services.",
3,
"medium"
],
[
"Bash",
"Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. First released in 1989, it has been used as the default login shell for most Linux distributions and all releases of Apple's macOS prior to macOS Catalina.",
4,
"medium"
],
[
"Cisco IOS",
"Cisco Internetwork Operating System (IOS) is a family of network operating systems used on many Cisco Systems routers and current Cisco network switches.",
7,
"medium"
],
[
"Git",
"Git is a distributed version-control system for tracking changes in any set of files, originally designed for coordinating work among programmers cooperating on source code during software development.",
4,
"medium"
],
[
"Linux",
"Linux is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged in a Linux distribution.",
7,
"high"
],
[
"Nagios",
"Nagios Core, formerly known as Nagios, is a free and open-source computer-software application that monitors systems, networks and infrastructure.",
6,
"medium"
],
[
"Python",
"Python is an interpreted, high-level and general-purpose programming language. Python's design philosophy emphasizes code readability with its notable use of significant whitespace. Its language constructs and object-oriented approach aim to help programmers write clear, logical code for small and large-scale projects.",
2,
"medium"
],
[
"Technical Support",
"Technical support (often shortened to tech support) refers to services that entities provide to users of technology products or services. In general, technical support provides help regarding specific problems with a product or service, rather than providing training, provision or customization of the product, or other support services.",
7,
"high"
]
]

Here’s the /skills endpoint within my Flask view:

from flask import request
import json

# about (the Blueprint), mysqlConn() and skillsOptions are defined elsewhere in the app.
@about.route("/skills", methods=["GET", "OPTIONS"])
def skills():
    if request.method == 'GET':
        # Open a connection to the remote MySQL database and read the whole table
        conn = mysqlConn()
        skillsCursor = conn.cursor()
        skillsCursor.execute("SELECT * FROM skills")
        skillsInfo = skillsCursor.fetchall()
        skillsCursor.close()
        conn.close()
        # fetchall() returns a list of row tuples, which serialise as nested JSON arrays
        return json.dumps(skillsInfo, indent=4)
    elif request.method == 'OPTIONS':
        # Plain-text description of the endpoint (see the curl -XOPTIONS output above)
        return skillsOptions

/skills and /education don’t have filtering capabilities; however, you can use a tool like jq to achieve similar results. One example is filtering out just the skill names:

user@debian:~$ curl -s -XGET https://card.mcclunetechnologies.net/skills | jq .[][0]
"Active Directory"
"Ansible"
"Apache CloudStack"
"Bash"
"Cisco IOS"
"Git"
"Linux"
"Nagios"
"Python"
"Technical Support"
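As an added example (not the author's code), here is how the same endpoint can be written with the filtering done server-side through a bound query parameter, returning rows as objects keyed by the field names the OPTIONS text lists instead of bare tuples. It uses an in-memory sqlite3 table seeded with constructed rows in place of the author's MySQL connection (mysqlConn() is not available here), and Flask is imported only inside create_app so the data-access functions run and can be tested without it.

```python
import sqlite3

# Field names taken from the /skills OPTIONS description on the page; the
# column order is an assumption for this example.
SKILL_FIELDS = ("skill_name", "skill_description", "years_of_experience", "comfort_level")
COMFORT_LEVELS = ("low", "medium", "high")

# Constructed sample rows standing in for the author's MySQL skills table.
SAMPLE_SKILLS = [
    ("Bash", "Unix shell and command language.", 4, "medium"),
    ("Linux", "Family of Unix-like operating systems.", 7, "high"),
    ("Python", "Interpreted, general-purpose language.", 2, "medium"),
]


def open_db(path=":memory:"):
    """Return a seeded sqlite3 connection (stand-in for the page's mysqlConn())."""
    conn = sqlite3.connect(path, check_same_thread=False)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS skills ("
        "skill_name TEXT, skill_description TEXT, "
        "years_of_experience INTEGER, comfort_level TEXT)"
    )
    if conn.execute("SELECT COUNT(*) FROM skills").fetchone()[0] == 0:
        conn.executemany("INSERT INTO skills VALUES (?, ?, ?, ?)", SAMPLE_SKILLS)
        conn.commit()
    return conn


def fetch_skills(conn, comfort_level=None):
    """Fetch skills as dicts, optionally filtered by comfort level.

    The filter value is checked against the allowed set and then bound as a
    query parameter, so caller input never becomes part of the SQL text.
    """
    if comfort_level is not None and comfort_level not in COMFORT_LEVELS:
        raise ValueError("comfort_level must be one of %s" % (COMFORT_LEVELS,))
    # SKILL_FIELDS is a constant defined above, not user input
    sql = "SELECT %s FROM skills" % ", ".join(SKILL_FIELDS)
    params = ()
    if comfort_level is not None:
        sql += " WHERE comfort_level = ?"
        params = (comfort_level,)
    sql += " ORDER BY skill_name"
    cur = conn.cursor()
    try:
        cur.execute(sql, params)
        rows = cur.fetchall()
    finally:
        cur.close()  # release the cursor even if the query raises
    return [dict(zip(SKILL_FIELDS, row)) for row in rows]


def skills_options_text():
    """Plain-text description returned for OPTIONS, in the page's format."""
    return (
        "Supported Methods for /skills: GET\n"
        "Provides the following information: " + ", ".join(SKILL_FIELDS)
        + " (comfort_level can be low, medium, or high)\n"
    )


def create_app(db_path=":memory:"):
    """Wire the data layer into a Flask route. Flask is imported here, not at
    module level, so the functions above work without it installed."""
    from flask import Flask, abort, jsonify, request

    app = Flask(__name__)
    # One shared connection for the demo; the author's view opens one per request.
    conn = open_db(db_path)

    @app.route("/skills", methods=["GET", "OPTIONS"])
    def skills():
        if request.method == "OPTIONS":
            return skills_options_text(), 200, {"Content-Type": "text/plain"}
        try:
            rows = fetch_skills(conn, request.args.get("comfort_level"))
        except ValueError as exc:
            abort(400, description=str(exc))  # reject unknown filter values
        return jsonify(rows)  # objects keyed by field name instead of bare tuples

    return app


if __name__ == "__main__":
    create_app().run()
```

With this shape, curl -s https://host/skills?comfort_level=high returns only the matching rows, and a value outside the allowed set gets a 400 rather than reaching the database.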

Explaining & Illustrating curl

curl is an exceptionally useful program. As described on the project homepage (https://curl.se/), curl is a tool to transfer data from or to a server, using one of the supported protocols. curl can be used to send & receive data with the following protocols:

  • DICT
  • FILE
  • FTP
  • FTPS
  • GOPHER
  • HTTP
  • HTTPS
  • IMAP
  • IMAPS
  • LDAP
  • LDAPS
  • POP3
  • POP3S
  • RTMP
  • RTSP
  • SCP
  • SFTP
  • SMB
  • SMBS
  • SMTP
  • SMTPS
  • TELNET
  • TFTP

To better explain curl, I will demo curl on Ubuntu 14.04. First, I will execute curl http://gitlab.com

The command executes very quickly. However, a lot is actually being performed in the background.

curl http://gitlab.com

When the user executes curl http://gitlab.com, a request is sent from the application (i.e. curl) to the kernel.

The kernel acts as a middle man between the system’s software applications and hardware. curl needs to talk to some of the hardware components, including the CPU, memory, and network adapter. Given that curl is a network application, the kernel definitely needs to talk with the network adapter. When curl http://gitlab.com is executed, the user is telling curl to send some data over HTTP, in hopes of a response.

In order to visualize the HTTP data being sent to http://gitlab.com, I will use Wireshark to sniff the outgoing packets. Below is the packet capture performed while executing curl http://gitlab.com:

My computer is currently using Google’s public DNS server (8.8.4.4). Given that gitlab.com is out on the Internet, my computer has to send a DNS request to Google so the domain name can be translated to an IP address. Gitlab.com appears to be at 52.167.219.168. Now that my computer knows the IP address of gitlab.com, HTTP requests can be sent. The curl HTTP requests go from my computer, to my ISP gateway, and out to 52.167.219.168. The processes appear to have completed and data was received.

Let’s see what Wireshark collected from the HTTP request:

The text highlighted in red was the request my computer sent to gitlab.com’s server. The text highlighted in blue is what gitlab.com’s server returned. When the request reached gitlab.com’s server, it returned a 301 status. The HTTP 301 status code means Moved Permanently. This code is usually returned when a user accesses a site and the web server redirects them to another location. To prove this holds true, let’s open a web browser and go to http://gitlab.com.

When launching the HTTP request from my web browser, the server redirected me to this:

The URL http://gitlab.com takes you to the home page of gitlab.com:

Hard to believe all of that happens just by executing a small command! The preceding was the whole curl process, from the kernel, over the network, to completion on gitlab.com’s server.
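To show what the red and blue text in the capture contains, here is an added example (not from the original post) that replays the exchange against a local stand-in server: a hand-written HTTP/1.1 request of the kind curl sends, and a server that answers 301 Moved Permanently as gitlab.com did. The redirect target and the curl version string are constructed values, and the DNS lookup step is skipped because the server lives on 127.0.0.1.

```python
import http.server
import socket
import threading

# Constructed redirect target; the capture on the page shows a 301 from
# gitlab.com but does not reproduce the Location header value.
REDIRECT_TARGET = "https://www.example.test/"


class RedirectHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for gitlab.com's web server: answer every GET with 301."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", REDIRECT_TARGET)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the demo output quiet


def start_redirect_server():
    """Bind to an ephemeral port on localhost and serve in a background thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def raw_http_get(host, port, path="/"):
    """Send a curl-style request over a plain TCP socket and parse the reply
    by hand. Returns the request text plus the parsed status line and headers."""
    request = (
        "GET %s HTTP/1.1\r\n"
        "Host: %s:%d\r\n"
        "User-Agent: curl/7.35.0\r\n"  # version string is an assumption
        "Accept: */*\r\n"
        "\r\n" % (path, host, port)
    )
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        raw = b""
        # Read until the blank line that terminates the response headers
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    version, status, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request": request, "version": version, "status": int(status),
            "reason": reason, "headers": headers}


def demo():
    """Run the exchange end to end against the local stand-in server."""
    server = start_redirect_server()
    try:
        host, port = server.server_address
        return raw_http_get(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = demo()
    print(result["request"])
    print("%d %s -> %s" % (result["status"], result["reason"],
                           result["headers"].get("location")))
```

The request text printed first is what the red section of the capture carries; the status line and Location header are the blue section. A browser (or curl -L) follows that Location header, which is why the next step in the post lands on the home page.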

(Originally posted on June 8th, 2017. Updated on December 29th, 2020)

Seattle: A Vulnerable Web Application (Walkthrough)

Currently, I’ve been gearing up for a cyber security conference which includes a CTF (Capture the Flag) competition. Being a newbie in the realm of computer security, I have been practicing my ethical hacking skills with the help of open source applications. There are so many free tools on the Internet, one of them being Seattle, an open source Linux distribution that includes a vulnerable web application. For more information, please follow this link: https://www.gracefulsecurity.com/vulnvm/

To give you an idea of what this application looks like, here is a screenshot:

The web application appears to be an online music store. This application includes some of the following vulnerabilities:

  • SQL Injection (Error-based)
  • SQL Injection (Blind)
  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting
  • Insecure Direct-Object Reference
  • Username Enumeration
  • Path Traversal
  • Exposed phpinfo()
  • Exposed Administrative Interface
  • Weak Admin Credentials

During this walkthrough, I will point out two of the vulnerabilities.

The first thing I would do in any hacking situation would be reconnaissance. This includes using port scanners such as nmap. Even though the application is listening on port 80 (HTTP), it’s still wise to see if any other attack vectors exist.

As I suspected, only 80 is open. Now, I will run nikto (from my Kali Linux VM) in order to see which HTTP vulnerabilities can be found.

nikto produced all sorts of different findings. However, two of them pop out at me. One is the detection of phpinfo() output. On web servers running PHP, you can create a file that outputs information about the PHP environment. Though useful to a system administrator, the information provided by phpinfo() can be detrimental if it falls into the hands of an attacker.

Typically, this file is created by using the following PHP script:

<?php

phpinfo();

?>

If this file is in the web server root, an attacker can navigate to this file and see all of that precious information. Below is an example:

This is something we would definitely need to address, especially when dealing with web server security.

For the second vulnerability, we’ll perform directory traversal. This vulnerability allows an attacker to utilize an improperly programmed script in order to “traverse” the system’s file directories outside the web server root. Using directory traversal can allow an attacker to see important files that might contain passwords, configurations, etc.

Luckily, referring back to our nikto scan, I found something really interesting.

I feel that there might be some more PHP vulnerabilities. The first thing I check is the dynamic PHP pages. After a couple of tries, I eventually find a vulnerable PHP page (download.php). Using the netcat application on port 80, I was able to inject some malicious traffic in order for me to see the /etc/passwd file. The attack is illustrated below:

Using the “dot dot slash” technique, I was able to traverse up the directories and uncover the /etc/passwd file. This is a high risk vulnerability and would need to get addressed as soon as possible.
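The download.php behaviour described above comes down to joining a user-supplied file name onto the web root without checking where the result ends up. As an added example (not code from Seattle or from the post), here is a Python version of that flawed logic beside a hardened resolver that canonicalises the path and refuses anything outside the web root; the web root and its single mp3 file are constructed in a temporary directory.

```python
import os
import tempfile


def make_demo_root():
    """Create a temporary web root holding one downloadable file (constructed data)."""
    root = tempfile.mkdtemp(prefix="musicstore_")
    with open(os.path.join(root, "track01.mp3"), "wb") as fh:
        fh.write(b"ID3 constructed sample audio header")
    return root


def unsafe_download_path(root, requested):
    """The kind of logic behind a vulnerable download script: the user-supplied
    name is joined onto the web root with no check, so '../' walks out of it."""
    return os.path.normpath(os.path.join(root, requested))


def safe_download_path(root, requested):
    """Hardened version: resolve the final path (following symlinks) and require
    it to stay inside the web root. Returns the absolute path or raises
    PermissionError. An absolute 'requested' value is rejected too, because
    os.path.join discards the root when the second argument is absolute."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    inside = candidate == root_real or candidate.startswith(root_real + os.sep)
    if not inside:
        raise PermissionError("path traversal attempt rejected: %r" % (requested,))
    return candidate


def read_download(root, requested):
    """Serve a file from the web root through the safe resolver."""
    path = safe_download_path(root, requested)
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    root = make_demo_root()
    print("unsafe join resolves to:", unsafe_download_path(root, "../../../../etc/passwd"))
    try:
        safe_download_path(root, "../../../../etc/passwd")
    except PermissionError as exc:
        print("hardened resolver:", exc)
```

The containment check compares canonical paths, so a symlink planted inside the web root that points elsewhere is caught as well; a check that only strips "../" from the string would miss that case and URL-encoded variants.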

I uncovered other vulnerabilities; however, for the sake of brevity, I am not going to discuss those. If you would like to give this challenge a try, please refer to the link above. I used my trusty Oracle VM VirtualBox to set up my pentesting lab. The other cool addition to the Seattle practice application is the ability to auto-import the system into Oracle VM VirtualBox for a quick setup.

(Originally posted on July 1st, 2016. Updated on December 29th, 2020)

Please Bring Back Cub Linux!

Cub Linux (formerly Chromixium) is a great Linux distribution that mixes both the Chrome and Ubuntu experience. Cub Linux’s development has officially stopped, however, there is hope that Cub Linux will carry on. There is talk that a fork of Cub Linux is in-development. The forked project is called Phoenix Linux. For more information, please visit this open issue:

https://github.com/CubLinux/one/issues/4

I commented on the issue:

I just want to say that I continue to use Cub Linux every day! I love Cub Linux!

I don’t have a great amount of development experience within furthering Linux OS features. However, if there is anything I can do to help, please let me know! I have taken Cub Linux (Ubuntu 14.04) and upgraded it to Ubuntu 16.04. There were some features that broke (going from 14.04 to 16.04). However, it still works okay for me.

Very eager to see Phoenix Linux! 

I have to speak my mind on this project because Cub Linux needs to continue. I understand that in the open source community, there can be developers that feel unappreciated. I am writing this to say that every project in the open source community is welcome and appreciated! No matter what a project’s purpose is, everyone should be welcome to contribute to open source applications.

Thank you to anyone reading this post! Please spread the word about Cub Linux! Here are some resources to get you acquainted with what Cub Linux is, if you don’t know already:

https://en.wikipedia.org/wiki/Cub_Linux

http://www.makeuseof.com/tag/replicate-chrome-os-laptop-cub-linux/

https://github.com/CubLinux

(Originally posted on August 5th, 2017. Updated on December 29th, 2020)

SANS Holiday Hack 2015: Gnome in Your Home

The SANS Institute created a fun hacking challenge for this year’s Holiday Hack. Everything from packet analysis to web exploits was included. The packet capture showed how the devious Gnomes were taking pictures of children and receiving them through DNS queries. To be honest, I didn’t think this type of malicious intent was possible (especially through DNS queries). Here’s what I’m talking about:

The following is the packet capture with the image encoded in Base64. Using tools such as Burp Suite and the Linux base64 utilities will help uncover the image secretly hiding within.

Here is the packet capture with the UDP stream of DNS requests being sent to the SuperGnomes. SuperGnomes were the super computers that housed the data collected from the individual GIYHs.

After exporting the UDP stream to a RAW format, I then used foremost (a tool contained within Kali Linux) to carve out the picture. The JPG was found after decoding the base64 encoding within the capture.

Here is 00000000.jpg, which was the file being sent over the Gnome’s command and control channel:

The packet capture challenge was just one of many activities in this year’s Holiday Hack. For the sake of brevity, I am only going to post this one. However, if you are interested in doing this challenge next year, please check out the website at https://holidayhackchallenge.com or by going to https://sans.org.

(Originally posted on January 10th, 2016. Updated on December 29th, 2020)

OSPF Routing

This is an OSPF single area network. OSPF or Open Shortest Path First is an interior gateway routing protocol used in dynamic network architectures.

The topology above is a simple OSPF setup, nothing fancy. Hopefully, I can expand on this network in the future and make it more sophisticated.

(Originally posted on September 29th, 2015. Updated on December 29th, 2020)

IGRP & EIGRP Routing

As you can see, GNS3 does an awesome job with simulating real life networks. In this lab, I simulated two Cisco 3700 Series Routers running EIGRP with the autonomous system ID of 12. The two routers are connected via Serial and the network layout is as follows:

  • 192.168.2.2 (My real life network adapter; I can communicate with the virtual network from the real world)
  • 192.168.2.4 (R1’s Fast Ethernet0/0 adapter, in order to communicate with the outside world)
  • 192.168.15.10 (AS12) – Network connection in order to bridge the two networks together (192.168.2.0 and 174.16.34.0)
  • 192.168.15.11 (AS12) – Network connection in order to bridge the two networks together (192.168.2.0 and 174.16.34.0)
  • 174.16.34.1 – Virtual FastEthernet0/0 interface on the other side of the virtual network.

In the end, I was able to ping from my real Windows laptop to R2’s FastEthernet0/0 interface (172.16.34.1). Although I had to add the routes manually in Windows, this still proves connectivity from the real world to the virtual world.

(Originally posted on September 28th, 2015. Updated on December 29th, 2020)

Having Fun with RIP Routing

As you can see, this is a pretty simple setup. Think of the two networks as two separate locations. The Serial WAN link would simulate going over an ISP connection. We have Network 1 (192.168.10.0) and Network 2 (192.168.20.0) routing data between each other using RIP (Routing Information Protocol).

Pictured below is the RIP table using the show ip rip database command:

(Originally posted on September 16th, 2015. Updated on December 29th, 2020)

Primer to Cryptography

I watched a video on Coursera through Stanford University titled Cryptography. Here are some things that I learned from the first week:

Cryptography = secure communication between two entities.

Cryptography consists of two parts:

  • Secret key establishment
  • Secure communication

Both entities need to have a shared key in order to communicate with each other. Cryptography provides confidentiality and integrity for the data being transmitted.
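As an added illustration (not from the course or the post) of the shared-key and integrity points: with Python's standard library, two parties holding the same key can attach an HMAC tag to each message and detect any modification in transit. Confidentiality would need a cipher, which the standard library does not ship, so only the integrity half is shown here; the key is generated locally rather than by a key-establishment protocol.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag


def establish_shared_key():
    """Stand-in for secret key establishment: both parties must end up holding
    this same 32-byte value. Generated locally here; a real protocol for
    agreeing on it is out of scope for this example."""
    return os.urandom(32)


def protect(key, message):
    """Sender side: append an HMAC-SHA256 tag computed over the message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key, packet):
    """Receiver side: split off the tag and recompute it with the shared key.
    Returns the message if authentic, or None if the tag does not match
    (tampering, truncation, or a different key)."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in time independent of where the tags differ
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def tamper(packet, index):
    """Flip one bit at the given offset to simulate an on-path modification."""
    data = bytearray(packet)
    data[index] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    key = establish_shared_key()
    packet = protect(key, b"meet at noon")
    print("intact  :", verify(key, packet))
    print("tampered:", verify(key, tamper(packet, 0)))
```

Without the shared key a third party can neither forge a valid tag nor silently alter the message, which is the integrity property the lecture notes refer to; the message itself is still readable, which is the separate confidentiality property.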

Cryptography also provides bi-directional anonymity through mix nets (e.g. onion routing (Tor), anonymous re-mailers).

Mix net – Alice sends Bob messages through a series of proxies (i.e. different public IP’s 65.87.234.34, 123.3.234.12, 89.24.124.35, etc.) so Bob will not know where Alice is.

Anonymous digital cash – Can I spend a “digital coin” without anyone knowing who I am? How to prevent double spending?

Cryptography is a rigorous science.

The three steps of cryptography:

  • Precisely specify threat model (i.e. How to make something un-forgeable?)
  • Propose a construction
  • Prove that breaking the construction under the threat model will solve an underlying problem (i.e. How to keep your data safe no matter what?)

(Originally posted on March 8th, 2015. Updated on December 29th, 2020)

Defending Yourself From Cyber Attacks

People have asked me what they can do to protect themselves from being hacked. First, let me clarify something very important: NO ONE WILL EVER BE 100% SAFE FROM A HACK. With the constant changes in technology, there will always be new vulnerabilities that hackers will try to exploit. This is unfortunately the world we live in. That being said, the inevitability of an attack shouldn’t deter you from adopting good security practices. Here are some basic steps in protecting yourself from hackers:

1.) There’s always antivirus

Years ago, I would’ve recommended antivirus on all devices. Unfortunately, background processes associated with antivirus applications consume an excessive amount of computing power. Personally, I don’t use antivirus. Being a Debian guy, I run ufw. If I notice anything suspicious, I’ll investigate network/socket traffic and system processes. If you want to use antivirus, there are several providers to choose from. Remember, smartphones are computers too. Smartphones are just as vulnerable as a computer when it comes to malware.

2.) Always use HTTPS when you can

HTTPS stands for “Hypertext Transport Protocol with Security” or “Secure Hypertext Transfer Protocol”. The HTTPS protocol uses an encryption framework known as SSL or “Secure Sockets Layer”. This provides a bidirectional encryption tunnel for the data you are sending and receiving. Using SSL makes it very difficult for a hacker to eavesdrop on a connection. Think of HTTPS as creating a “protection tunnel” between you and a website. Your data is being transmitted through this tunnel of encryption so that no third parties can know what you’re doing.

You can check to see if a site has HTTPS by requesting it (i.e. https://www.bing.com or https://www.google.com). If you type your site in with HTTPS and a lock comes up, then you should be going over an encrypted connection. Now, a big misconception about HTTPS is that if a site has HTTPS, it’s legit. THE PRECEDING IS NOT TRUE! Just because a site provides HTTPS, doesn’t mean it’s legit. Always do a background check before submitting data to a site, no matter what type of encryption and protection it offers.

3.) Secure your wireless network

Securing your wireless network is another way of protecting yourself from hackers. Hackers can perform an action called “wardriving”. Wardriving is when a hacker scans around for insecure networks. If they find a network that is insecure, they will connect to it and sniff the traffic. Network traffic may contain sensitive information about yourself (e.g. credit card numbers). Always implement strong passphrases and use modern security frameworks (e.g. WPA2 or WPA2-EAP).

4.) Incorporating a network firewall

Adding a network firewall & web filter increases your security greatly. However, this requires more technical knowledge. Network firewalls can run on a dedicated computer and intercept all data that goes out to the Internet. This can provide the capability of scanning websites for malware and blocking users from getting to them. There are many different types of open source firewalls available (e.g. pfSense).

5.) VPNs

Just as incorporating a network firewall can be difficult, VPNs can be equally challenging. However, many home routers now provide a built-in VPN implementation (e.g. OpenVPN). When people are on the go and need to access resources from home securely, VPNs are a perfect solution. VPNs or Virtual Private Networks enable users to access data from a different network without physically being there. For example, someone can connect to a VPN provided by their employer and access work-related documents from home. You can also implement a VPN at home for Internet privacy. Let’s say you’re browsing the web at a local cafe. The cafe’s WiFi is public, so a malicious user could sniff around and intercept your traffic. However, if you connect to your home VPN and route your Internet traffic through the VPN, the only traffic that may be visible is an encrypted request to your VPN. Everything else will go out your home’s Internet connection.

(Originally posted on February 8th, 2015. Updated on December 29th, 2020)