I've had ftp.disloops.com running for about ten years. It's an FTP host that's configured to allow anonymous connections and uploads. This creates some security risks that I wrote about when I deployed it. A previous article explored some of those risks in depth.
I recently wanted to extract all the username/password combinations I'd seen since deploying the server. Only two usernames are accepted by anonymous VSFTPD servers: anonymous and ftp. Clients using these usernames receive a prompt for an arbitrary password. Sessions initiated with any other username are immediately ended.
To extract the authentication data, I created a script that accepts a VSFTPD log file as input. It pulls all username/password combinations from the file and exports them as text or CSV.
The script can be downloaded here: https://github.com/disloops/vsftpd_parse
You can see sample output from my own server here: results.txt
Note that the script is currently designed for a server that only allows anonymous connections. This VSFTPD configuration results in a specific log format since passwords are not accepted for non-anonymous usernames. The script could easily be modified to handle non-anonymous logins instead.
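The core of that extraction is a small log parser. The following is an added example (not the vsftpd_parse script from the repository above) that pulls the username, client address and anonymous password out of VSFTPD login lines and exports them as text or CSV. It assumes the standard vsftpd.log layout (ctime timestamp, `[pid N]`, `[user]`, then `OK LOGIN: Client "...", anon password "..."`); the sample lines below are constructed, and the exact wording of a rejected-login line is treated as an assumption, so the regex simply tolerates a `FAIL LOGIN` entry with no password.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of vsftpd.log lines (not taken from any real server).
SAMPLE_LOG = """\
Sun Mar  3 08:15:02 2024 [pid 2101] CONNECT: Client "203.0.113.10"
Sun Mar  3 08:15:03 2024 [pid 2100] [anonymous] OK LOGIN: Client "203.0.113.10", anon password "mozilla@example.com"
Sun Mar  3 08:16:40 2024 [pid 2115] CONNECT: Client "198.51.100.7"
Sun Mar  3 08:16:41 2024 [pid 2114] [ftp] OK LOGIN: Client "198.51.100.7", anon password "guest"
Sun Mar  3 08:17:02 2024 [pid 2130] CONNECT: Client "192.0.2.55"
Sun Mar  3 08:17:03 2024 [pid 2129] [admin] FAIL LOGIN: Client "192.0.2.55"
Sun Mar  3 08:17:05 2024 [pid 2129] [anonymous] OK LOGIN: Client "192.0.2.55", anon password "pass,word"
"""

# One regex for both successful anonymous logins (which carry the password
# the client sent) and rejected logins (assumed to carry no password).
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
    r'(?:, anon password "(?P<password>[^"]*)")?'
)


@dataclass
class LoginAttempt:
    timestamp: str
    client: str
    username: str
    result: str            # "OK" or "FAIL"
    password: Optional[str]  # None when the log line carried no password


def parse_logins(log_text: str) -> List[LoginAttempt]:
    """Return every login attempt found in the given vsftpd log text.

    CONNECT, transfer and other non-login lines are skipped."""
    attempts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        attempts.append(LoginAttempt(
            timestamp=m.group("ts"),
            client=m.group("client"),
            username=m.group("user"),
            result=m.group("result"),
            password=m.group("password"),
        ))
    return attempts


def to_text(attempts: List[LoginAttempt]) -> str:
    """Plain-text export: one 'username:password' pair per line.

    Rejected logins have no password and are written with an empty field."""
    return "\n".join(f"{a.username}:{a.password or ''}" for a in attempts)


def to_csv(attempts: List[LoginAttempt]) -> str:
    """CSV export with a header row; the csv module quotes values that
    contain commas or quotes, so odd passwords do not break the columns."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["timestamp", "client", "username", "result", "password"])
    for a in attempts:
        writer.writerow([a.timestamp, a.client, a.username, a.result,
                         a.password if a.password is not None else ""])
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python vsftpd_logins.py /var/log/vsftpd.log [--csv]
    # With no file argument, the constructed sample above is parsed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 and not sys.argv[1].startswith("--") else SAMPLE_LOG
    found = parse_logins(text)
    print(to_csv(found) if "--csv" in sys.argv else to_text(found))
```

Credentials sent to an anonymous FTP server are usually bot defaults or harvested passwords being replayed, so feeding the CSV into a counting step (most common passwords, most active client addresses) is the natural next move once the pairs are extracted.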
I am interested in any kind of open-world server that I can host and allow others to join. It was just a matter of time before I got into Minecraft. This article details the steps I took to do the following:
- Create a new EC2 instance and install the Minecraft Bedrock server
- Allow remote access and configure logging through CloudWatch
- Create an alert that generates SMS messages when users connect
- Connect to the instance from the PS4 console
Come play on minecraft.disloops.com if you just want to see the finished product. It's a vanilla Bedrock server on survival mode.
...continue reading "Minecraft Bedrock Server in AWS"
In Part One we discovered an object that lets us execute arbitrary commands via unsafe handling of user input - the Alley room. Now we want to understand the blast radius of this issue. The first question to ask is, "What does the Alley control?"
Flags: TRUST STICKY VISUAL BATHROOM
Owner: 8BitMUSH Zone: NOTHING Coins: 0
Created: Sat Apr 28 13:14:31 2001
The help entry for help control tells us that if the Alley has the TRUST flag, it controls anything with the same owner that isn't set WIZARD. As it turns out, the 8BitMUSH user owns a great deal of things throughout 8Bit.
...continue reading "Back-Alley Hacking: 8Bit MUSH (Part Two)"
I created a MUSH called Parlor City in the beginning of 2019. This is an online, multi-player, text-based social game that uses a rudimentary code base for world-building.
Parlor City was opened after about 18 months of work, at which time I sought out another MUSH where I could gain some experience and a change of scenery. MUSH trackers suggest that there are roughly eight-hundred different MUSH-style games available, each with unique themes and styles.
I asked users of PennMUSH (an invaluable coding forum) if any particular crew was known to be hostile or disreputable. The answer came back: "The folks at 8Bit have been known to break MUSHes for fun." So that's what I wanted to join.
...continue reading "Back-Alley Hacking: 8Bit MUSH (Part One)"
I've always liked having the ability to view public webcams around the world. During the last hurricane, for example, there was a camera streaming from an oil rig a mile or more out to sea that let us see the strength of the storm before it made landfall.
Now that I'm a homeowner, I wanted to put a camera on our roof and stream the view from up there. I bought a weatherproof Amcrest IP8M-2597EW-28MM and dropped it through the soffit under our roof. The process of snaking the ethernet cord through an air duct up to the attic will not be covered here.
Amcrest cameras act as RTSP (real-time streaming protocol) servers that can be accessed on a specific port. This means that it's necessary to run an active RTSP client to consume the live feed.
...continue reading "Streaming an Amcrest Camera to YouTube"
I have slowly been working on a MUSH, which is an online, multi-player, text-based social game. The game Zork (1977) is probably the most popular game in this style, although it is not multi-player. I decided to use PennMUSH as the server distro since it seems to have the widest support.
MUSH servers open a raw TCP socket for incoming connections and most sessions occur over plaintext. There are a handful of MUSH clients that players can use but a simple TELNET connection also works. MUSH servers understand enough of the TELNET protocol to refuse option negotiation.
Rather than expose the MUSH server to the open internet, I decided to create restricted shell accounts for users and have them connect to the MUSH via localhost instead. This drastically reduces the accessibility of the MUSH and would likely deter prospective players but it works for our current user base.
Despite the huge number of active MUDs on the internet, forcing users through SSH still seems safer than exposing the MUSH service. I'm using AWS security groups on the MUSH host to prevent external access to that port.
Note: After some testing, I have walked this back and decided to just open it to the internet after the initial release. Shell accounts will still be an option. See this page for some details.
...continue reading "MUSH and Restricted Shell"
In a previous article I described how to install and run the Port Scan Attack Detector (PSAD) on a Raspberry Pi. It is the closest thing to a full IDS that works on the Raspberry Pi and it's extremely easy to set up.
None of the existing visualization tools for PSAD data really met my needs, so I created a custom Python script that generates an HTML page from the live PSAD data.
The PSADify script is available here: PSADify on Github
You can see the actual data here: Live PSAD Attack Data
On my own host running PSAD, there is a cronjob that runs this script every five minutes and uploads the output to an AWS S3 bucket. If the local configuration or the settings on the AWS side would be useful to anyone, let me know!
...continue reading "PSADify – Custom PSAD Output Tool"
I have never gotten a full intrusion detection system (IDS) working correctly on a Raspberry Pi. The two most popular – Snort and Bro IDS – either have problems with their dependencies or the ARM architecture.
I recently came across PSAD – the Port Scan Attack Detector. It is essentially a collection of daemons that analyze iptables logs to identify patterns of malicious traffic. When used in conjunction with fwsnort, PSAD can also correlate blocked traffic with many of the "Emerging Threats" Snort rules.
PSAD was extremely easy to set up on a Raspberry Pi that's deployed as a catch-all DMZ host on my home network. Before diving into the details, you can see live data being collected by that host here: https://psad.disloops.com
...continue reading "PSAD on Raspberry Pi"
I recently needed to run Nmap against a ton of hosts at once but my internet connection died as soon as I launched all the concurrent threads. That had never happened before – turns out that I maxed out the “state table” on my SG-2440 pfSense router.
The default settings allow it to hold 405,000 max connections in the firewall state table. Every million states takes about a gig of RAM and the router has 4 gig total, so the default is to let the state table take up 10% of the total memory capacity at most. Apparently running around 50+ Nmap threads against all ports per host maxes that out immediately.
I had to SSH into the router and flush the state table (“pfctl -F states”) to get my connection working again. Then I bumped the max states up to 3M and I scaled back the number of Nmap threads I’m running. Now it works but I thought that was a funny problem to come across; I didn’t foresee my fancy router being the bottleneck.
I recently spent some time exploring the issue of CloudFront domain hijacking. This is not a new issue but I think it has gone mostly unnoticed for a few reasons:
- CloudFront's default behavior is not intuitive. Some standard DNS configurations can mislead users into thinking that their vulnerable domains are configured correctly.
- In the past year, misconfigured S3 buckets have been everyone's priority. Other AWS security issues have played second banana.
- Because a misconfigured domain presents an obvious error message, one would assume there is no "low-hanging fruit" for attackers.
There are a couple reports on HackerOne but I'd say that this issue is still relatively unexplored. So I devoted some time to finding the right targets and scripting the testing process. The results are below.
...continue reading "CloudFront Hijacking"