Daily Weblog 9/20/17

Today, I fixed the problem with my previous attempt at the Evil Twin attack and executed it. I turned the ALFA external USB wifi card to monitor mode, then collected the broadcasted information of the "elab-guest" wifi network and cloned it, broadcasting an identical network that appeared exactly like another access point from my wifi card. I checked on my phone that it looked identical to the elab-guest network - in fact there was no change on activation from the "victim's" point of view. I could have forcibly deauthenticated my phone from the real elab-guest wifi using another Aircrack utility, Aireplay, but I did not because that utility deauthenticates everyone on the network, and I worried that someone else may have been using it. Instead, I disconnected the phone manually, then reconnected, and saw the connection open on my computer. Next time, I will use other Kali suite tools such as Wireshark to monitor connections to my fake network and attempt to inject "malicious" content into pages. I will also try to clone more secure networks, such as the elab main network or the HPA RAD network - I'm not sure how easy it is to replicate keys on networks with real security.

I used these two guides:

Daily Weblog 9/19/17

Today, I set up for an "Evil Twin" attack. Kali Linux, it turns out, comes preinstalled with drivers for the ALFA USB network chip, so I set it up and ran tests on how the attack could work. However, the Aircrack utility I was using did not work with the chip. I do not know why, and this needs further research.

Daily Weblog 9/18/17

Missed today for Oahu doctor's appointment.

Weekly Weblog 9/16/17

This week, I researched for my drone takedown idea. I have found articles detailing how this has been done before. Next week, I will do more research into the specifics of how it is done with a ham radio (including what frequencies etc are used by the drones we have) and check the radio equipment at the Elab. When Dr. Bill is back, I will try the first phase of the project, which will be simply jamming the drones' signal with a ham radio.

Daily Weblog 9/13/17

Today, I researched more on how to take down or jam drones. I found five articles about the process:
https://wetalkuav.com/coptersafe/
https://phantompilots.com/threads/take-down-drones-with-a-ham-radio.121625/
https://www.theverge.com/2017/6/21/15848344/drones-russian-software-hack-dji-jailbreak
https://arstechnica.com/information-technology/2016/10/drone-hijacker-gives-hackers-complete-control-of-aircraft-in-midflight/
https://arstechnica.com/information-technology/2016/05/dronebuster-will-let-you-point-and-shoot-command-hacks-at-pesky-drones/
https://phantompilots.com/threads/drones-being-hacked.42499/
I think that it should be possible to use a ham radio of the sort that the Elab drone team has access to in order to jam the signal of the Phantom (or even the larger drones; jamming the signal is implied to be relatively trivial with a powerful enough radio), and possibly hijack the drone being built, depending on the type of controller it uses.

Daily Weblog 9/11/17

This 9/11, I worked on the remote drone takedown idea. I found a USB wifi adapter, which I want to use for an "evil twin" attack, which works by cloning a wifi network's data, then stealing information when a computer (or drone) automatically connects to it. I was unable to install drivers for it, however; on Wednesday I will bring an external DVD drive to install them from the disk included with the adapter.
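
The defensive counterpart to the evil twin described here and in the 9/20 entry above is rogue access point detection: a monitor watches the beacons it can hear and flags anything advertising one of its own SSIDs from a BSSID it does not own, or with different security settings, or one BSSID that appears on more than one channel at once (a cloned access point cannot share the real one's radio). The following is an added example, not code from this weblog or from any Kali tool; the inventory, BSSIDs and beacon records are constructed, standing in for what a wireless IDS or a monitor-mode capture would supply.

```python
"""Rogue access point (evil twin) detector over beacon observations.

Added example. KNOWN_APS and SAMPLE_BEACONS are constructed data; a real
deployment would feed in beacons captured by a monitor-mode interface.
"""
from collections import namedtuple

# One observed beacon frame, reduced to the fields the detector needs.
Beacon = namedtuple("Beacon", "bssid ssid channel security")

# Constructed inventory of the access points we legitimately operate, keyed by SSID.
KNOWN_APS = {
    "elab-guest": {"bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"}, "security": "open"},
    "elab": {"bssids": {"00:11:22:33:44:57"}, "security": "WPA2-PSK"},
}

# Constructed capture window: two legitimate beacons, two impersonations, one unrelated network.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:55", "elab-guest", 6, "open"),     # legitimate guest AP
    Beacon("00:11:22:33:44:57", "elab", 11, "WPA2-PSK"),      # legitimate main AP
    Beacon("de:ad:be:ef:00:01", "elab-guest", 6, "open"),     # cloned SSID from a foreign BSSID
    Beacon("00:11:22:33:44:57", "elab", 1, "open"),           # cloned BSSID, wrong channel, downgraded security
    Beacon("aa:bb:cc:dd:ee:ff", "coffee-shop", 1, "open"),    # not ours; ignored
]


def detect_rogue_aps(beacons, known=KNOWN_APS):
    """Return a list of (ssid, bssid, reason) alerts for beacons that contradict the inventory."""
    alerts = []
    per_bssid = {}  # bssid -> {"ssids": set, "channels": set}
    for b in beacons:
        bssid = b.bssid.lower()
        entry = per_bssid.setdefault(bssid, {"ssids": set(), "channels": set()})
        entry["ssids"].add(b.ssid)
        entry["channels"].add(b.channel)

        profile = known.get(b.ssid)
        if profile is None:
            continue  # an SSID we do not manage cannot be an impersonation of ours
        if bssid not in profile["bssids"]:
            alerts.append((b.ssid, bssid, "unknown BSSID advertising a managed SSID"))
        elif b.security != profile["security"]:
            alerts.append((b.ssid, bssid,
                           f"security mismatch: saw {b.security}, expected {profile['security']}"))

    # A single radio beacons on one channel; the same BSSID on several channels
    # within one capture window means a second device is using that address.
    for bssid, entry in per_bssid.items():
        if len(entry["channels"]) > 1:
            alerts.append(("/".join(sorted(entry["ssids"])), bssid,
                           f"one BSSID beaconing on channels {sorted(entry['channels'])}"))
    return alerts


if __name__ == "__main__":
    for ssid, bssid, reason in detect_rogue_aps(SAMPLE_BEACONS):
        print(f"ALERT {ssid} {bssid}: {reason}")
```

The inventory check catches the simplest clone (same SSID, attacker's own BSSID); the security and channel checks are what remain when the attacker also copies the BSSID, which is why all three are worth running rather than the first alone.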

Weekly Weblog 9/9/17

This week, I worked on my personal website, olivergrayson.com, and began researching a new application of my security project. I want to try to bring the old Phantom drones down remotely, or at least jam the signal. I will cooperate with Sneha and the other radio team members to learn more about the communications systems drones use, and perhaps with the drone team as well, to learn how to disable drones in flight.

Daily Weblog 9/8/17

Today, I put some finishing touches on my personal website. It's now live, although I'm still adding content - more of this blog is tagged now, so I can link to each project individually. I also helped several other people with their projects, and assisted Ilan fixing his laptop's USB port, with partial success.

Daily Weblog 9/7/17

Today, I worked on my personal website, olivergrayson.com. I'd like to have it done as soon as possible to host information about me and my projects, so I'm trying to finish it up quickly for my college applications. The main page is almost done; what it needs now is just more content creation, so I am working on tagging all of my project documentation here on the Physics site so that I can link to specific projects.

Daily Weblog 9/5/17

Today, I researched for a shift in my project's focus. As Cyberstart is no longer available, its window of opportunity closed, I have started looking into more direct applications of security skills. One field that I found interesting was that of drone jamming and hijacking - both the methods of preventing drone flight and of actually taking over, about which there are many intriguing articles. It is an up-and-coming field that combines several of the current Elab projects - the drone project, the radio project, and my own security focus. This needs more research, but I would like to try to interrupt communications in the drones that the Elab currently has (only in controlled, very low altitude flight, of course). Certain specific vulnerabilities have been highlighted recently, which I would like to try to replicate the use of, such as in this article.

Weekly Weblog 9/2/17

This week, I worked on security challenges through Cyberstart, and executed my first attack. I tested whether certain features of the Physics server post and comment system were secure, and they are. I also have deduced the basic mechanics behind the weblog security system, and it seems to use the recommended forms of protection against XSS attacks.

Daily Weblog 8/31/17

Today, I researched and performed an XSS (Cross-Site Scripting) attack on the Physics server. Using the comment system and the post system, I created a weblog entry entitled "XSS test", tagged under "attack", as all of my weblog entries directly referencing exploit attempts will be. I tried six different methods of attack, with the goal of inserting a JavaScript alert on interacting with the page saying "success!":
  • First, I attempted the simplest method of attack, of simply using a quote to terminate the input string and inserting a script tag, using the standard weblog text editor. This failed, as the script tag was removed by the editor and the quotes I attempted to use to terminate the string were converted to an HTML encoding (&quot;). From this, I can conclude that script tags are removed by the editor, and that quotes (and possibly all punctuation) are converted to HTML encodings to prevent being parsed.
  • Secondly, I attempted the same type of attack in the comment section. This failed for similar reasons. From this, I can conclude that the comment section is not parsed as HTML, as the <a> that I wrote appears as plaintext.
  • Next, I tried a JavaScript-enabled link using the direct HTML editor. I started by setting the link destination (href) to a javascript function using the "javascript:code" format. This was censored by the editor.
  • I then tried two alternate versions of the JavaScript-enabled link attack, using alternate capitalization and using encoding to avoid writing the actual letters, in case it was a simple regular expression. None of these worked. From this, I think it is likely that the site uses a whitelist of allowed HTML, rather than a blacklist of disallowed HTML - as is the recommended policy.
  • Next, I tried an attack using HTML5's keyword "onmousewheel", in case the editor had not been updated recently with new definitions. This also failed, as the server is up to date with its definitions.
  • Finally, I attacked the tag system itself, tagging the post with a JavaScript command, which was also defeated via text encoding.
I used this site to research XSS attacks and to source the different types of attack that I used in this experiment (a real link this time, I promise). I also researched on here for the last attack with the tag system, because that was more of a url parameter attack and not an XSS attack.
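
Each of the six defenses observed above corresponds to one rule in an allowlist HTML sanitizer: unknown tags such as `<script>` are dropped, text (including quotes) is entity-encoded, `href` values are checked by scheme after normalising case, whitespace and entity or percent encoding, and any `on*` event attribute is refused no matter how new. The following Python sanitizer is an added example that models that behaviour; it is not the Physics server's own code, and the allowed tag and attribute set is an assumption chosen for illustration.

```python
"""Allowlist HTML sanitizer for user-generated posts and comments.

Added example, not the weblog system's implementation. The allowlist
below is an assumption; the point is the rule set, not these exact tags.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags we allow, each with the attributes it may carry. Everything else is dropped.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(), "br": set()}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """True if the href is relative or uses an allowed scheme.

    Normalises the value the way a browser would before it decides what the
    scheme is, so 'JaVaScRiPt:', 'java\\tscript:' and '&#106;avascript:'
    all resolve to 'javascript' and are refused.
    """
    decoded = html.unescape(unquote(value))
    cleaned = re.sub(r"[\x00-\x20]", "", decoded).lower()  # browsers ignore these in the scheme
    match = re.match(r"^([a-z][a-z0-9+.\-]*):", cleaned)
    if match is None:
        return True  # no scheme at all: a relative URL
    return match.group(1) in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # allowed tags currently open, so output stays well-formed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text still arrives via handle_data and is escaped
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                continue  # event handlers and unlisted attributes never pass
            if name == "href" and not safe_href(value or ""):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            # Close everything opened after this tag too, so mis-nesting cannot leak out.
            while self.stack:
                closed = self.stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text is always entity-encoded; this is what turns " into &quot;.
        self.out.append(html.escape(data, quote=True))


def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.stack:  # close anything the author left open
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize('<script>alert("success!");</script>'))
    print(sanitize('<a HREF="JaVaScRiPt:alert(1)" onmousewheel="alert(1)">link</a>'))
```

Running it on the first test case from the list above yields `alert(&quot;success!&quot;);`, the same plaintext-with-entities result the weblog editor produced. Because the decision is "is this tag or attribute on the list", the sanitizer does not need updating when a new event attribute is added to HTML, which is exactly the advantage of an allowlist over a blacklist noted in the fourth bullet.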

XSS test

This is placeholder text for your new blog entry. Replace it with your own.
alert("success!");

Daily Weblog 8/29/17

Today, I worked more on the CPA course. I learned about buffer overflow - one challenge required me to overflow the buffer with a specific sequence, while not causing a segmentation fault with an overly long input. A buffer overflow occurs when a variable is written with a value that exceeds the variable size, causing data after what is assigned to the variable to be written to instead - it can be used to inject command sequences and data into places without permissions, although a well-written program will generally dump the command and throw a segmentation fault error instead of allowing an overflow.

Daily Weblog 8/28/17

Today, I spent my time on the Cyberstart program again. I advanced to Level 12, with a total of over 70,000 points. The most Web-attack relevant thing I learned today was about how to execute an XSS attack. XSS stands for Cross-Site Scripting, and it is a type of attack frequent on forums and other sites (such as the Physics server weblogs, in fact) that allow user-generated posts. A user embeds script in their post's HTML, which will be run on the computer of anyone who views the page if the post is not properly sanitized of executable content. This allows users to steal each others' session cookies, redirect links, and so on, using various types of malicious JavaScript. Next class, I will work on Level 12, which so far seems to involve more cryptography than other levels. Additionally, I noticed that the laser cutters are unpacked and partially set up. If there is an opportunity to help with that process, I would like to join in.

Weekly Weblog 8/26/17

This was the first full week back from summer vacation, and I'm starting off with my projects as quickly as I can. I submitted my proposal for the security project early this week, and I am ready to begin working on that - I'd like to start out with learning to use Wireshark, and target the guest networks first, as they are less secure. I have been working on the CPA Cyberstart program to learn more about hacking and security, and I am now close to 70% complete, with access to level 11. Additionally, I have been a part of the fab-lab's creation, and I will help set up the laser cutters and ventilation system when available.

Daily Weblog 8/24/17

Today, I worked with the new MIDI keyboard that Dr. Bill got and did several problems on Cyberstart, the cybersecurity program I have been working on. I am now 63% done. The MIDI keyboard is supposed to require its own software to operate, but I set up GarageBand, which accepted it as a normal MIDI input. All of the functionality works, such as the octave switchers. I look forward to using the keyboard more.

Project Proposal 2017-2018

Oliver Grayson

Independent Science Research

Dr. Wiecking

Cybersecurity and Penetration Testing


ABSTRACT

In the current era, secure digital systems are extremely important to the functioning of any institution. This project will attempt to fix potential issues and improve security on the HPA campus network by utilizing various penetration testing techniques to verify the integrity of the school’s cybersecurity, find loopholes through which the school could be attacked, and provide input on how any problems can be fixed.

INTRODUCTION

The various components of the HPA network, from the school Wi-Fi to the various servers that hpa.edu runs on, are essential to the school’s function. Students need access to their accounts, as do teachers, administrators, and all other members of the HPA community. We are dependent on the HPA account integration with PowerSchool to record every grade, dependent on the Honu database for the honor system, and dependent on the integration of Naviance to record test scores and college applications. Without these systems, the school’s ability to run smoothly would be greatly impacted. Therefore, it is essential to verify that no attacker - from an irritated student to a bored “black hat” hacker - can digitally break into the HPA systems using existing tools, by conducting penetration testing on the vulnerable parts of the network. Penetration testing, in the context of cybersecurity, is the practice of acting in the place of a potential attacker to try finding exploitable security flaws in a system, to be able to patch them before a real attacker can use them.

A malicious user could theoretically access school data, and execute many malicious programs to destroy or modify school data - delete student profiles, change grades, add or subtract demerits, or manipulate the system in any other way, given enough access. Several potential security issues are apparent at the moment, and could be exploited by a clever attacker. The goal of this project will be to practice breaking into these same systems first, and provide input on how to foil similar attacks in the future. Using Kali Linux and its suite of built-in tools for penetration testing, basic security flaws in the network can be found, proved exploitable, and then patched to prevent the same attack from a legitimately nefarious actor trying to access the network.

GOALS

By the end of this project, obvious loopholes and security problems on the HPA network should have been spotted and solutions proposed. I want to have learned about typical attack vectors used against networks like that at HPA. Using the security testing techniques I will learn about and research, I will improve the state of the system for all users. No attacker with access to tools similar to those I bring to this project will be able to gain access in the same ways as I do, because any errors that I find will be fixed.

IMPLEMENTATION AND CHALLENGES

The challenge in this project will be the integrity of the existing HPA network systems. The HPA network consists of several major systems: the RAD network, its attached guest network, the Elab wifi systems (of which there are a few operating independently), and the individual access points that are not affiliated with any of the major systems (set up by individual teachers and the like). I will test all of these systems, until it is provable that they are secure. As the entire point is to crack the systems, acting as a stand-in for a malicious user, I should not need any special administrator privileges on the school network. All I will need is my own personal laptop (which contains tools for cracking various systems, thanks to my Kali Linux partition) to work on the project. Depending on the nature of the HPA network (how the various subnets are set up to interact with each other), I may need to go to specific locations to execute some tests. I will use various techniques covered by built-in Kali Linux tools, such as packet sniffing to view content served over http, stealing data from physically-connected school computers through techniques such as ARP cache poisoning, and testing command and query injection against insecure hpa.edu pages. As for fixing the security flaws uncovered, I plan to leave that to the relevant school officials.
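
ARP cache poisoning, one of the techniques named in the plan above, works by sending ARP replies that bind a victim's or the gateway's IP address to a different MAC address, so that traffic for that IP is delivered to the wrong host. The defender's side is straightforward to state and to check: remember the MAC each IP was first seen with (or pin it with a static table for critical hosts such as the gateway), alert when a later reply contradicts that binding, and alert when one MAC claims several IP addresses at once. The following is an added example of that detection logic, not part of the proposal and not a Kali tool; the addresses and replies are constructed.

```python
"""ARP cache poisoning detector over a stream of ARP replies.

Added example. STATIC_TABLE and SAMPLE_REPLIES are constructed; in
practice the replies would come from a packet capture on the segment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # the IP the reply claims to speak for
    sender_mac: str   # the MAC it wants bound to that IP


# Constructed: the gateway's true binding, pinned so a poisoned first sighting is still caught.
STATIC_TABLE = {"10.0.0.1": "00:aa:bb:cc:dd:01"}

# Constructed capture: normal traffic, then one host claiming both the gateway and a peer.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.5", "00:aa:bb:cc:dd:05"),   # a workstation announces itself
    ArpReply("10.0.0.1", "00:aa:bb:cc:dd:01"),   # the real gateway, matches the static table
    ArpReply("10.0.0.1", "de:ad:be:ef:00:99"),   # someone else claims the gateway's IP
    ArpReply("10.0.0.5", "de:ad:be:ef:00:99"),   # ...and the workstation's IP: classic man-in-the-middle
    ArpReply("10.0.0.7", "00:aa:bb:cc:dd:07"),   # unrelated host, first sighting
]


def detect_arp_poisoning(replies, static_table=None):
    """Return {"conflicts": [(ip, expected_mac, seen_mac), ...],
               "multi_ip_macs": {mac: {ip, ...}}} for the given replies."""
    bindings = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    ips_by_mac = {}
    conflicts = []
    for r in replies:
        mac = r.sender_mac.lower()
        ips_by_mac.setdefault(mac, set()).add(r.sender_ip)
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = mac  # first sighting: trusted unless a static entry says otherwise
        elif known != mac:
            conflicts.append((r.sender_ip, known, mac))
    # One MAC answering for several IPs is the footprint of a host sitting between them.
    multi = {m: ips for m, ips in ips_by_mac.items() if len(ips) > 1}
    return {"conflicts": conflicts, "multi_ip_macs": multi}


if __name__ == "__main__":
    result = detect_arp_poisoning(SAMPLE_REPLIES, STATIC_TABLE)
    for ip, expected, seen in result["conflicts"]:
        print(f"ALERT {ip}: expected {expected}, reply from {seen}")
    for mac, ips in result["multi_ip_macs"].items():
        print(f"ALERT {mac} claims {sorted(ips)}")
```

Without the static table, an attacker who poisons before the detector first sees the gateway would establish the wrong binding as the baseline; pinning the handful of addresses that matter most removes that window, and the multi-IP check still fires either way.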

IMPACT AND LEGACY

This project will leave behind a more secure HPA network. Continuing this project will be a useful asset for the school if any new systems (like the Honu server last year) are implemented, as they will need to be secured properly. My weblog will contain instructions for students following me to install Kali Linux and use its array of tools - that way, any future Independent Science Research students can get a head start on learning cybersecurity. The world needs more people trained in how to protect themselves, their business ventures, and everything else, from cyber attacks - with everything becoming more and more dependent on the Internet, these attacks are more dangerous than anything in the physical world, and a more secure network at HPA is a good start. Additionally, I will be leaving for college next year. I will take this security knowledge with me, and be able to conduct similar tests in the future as a security analyst.

APPENDIX A: KEY RESOURCES

APPENDIX B: TOOLS AND MATERIALS

  • My MacBook Pro, dual booting OSX and Kali Linux

  • External Wifi antenna

  • Online guides and tools

Daily Weblog 8/22/17

Today, I planned out my proposal in more detail, and made additions to the document (now posted above). I also planned with my fellow ISR students a meeting tomorrow morning to help rearrange the Elab to expedite the fab-lab coming online. To this end (and for future communication), I created an ISR F group on Slack. I also helped Sameer begin setting up the new hydroponics system - I will need to move the sensors into the new area when it is ready.

Daily Weblog 8/21/17

Today, we went over our project plans again, with some new information. I am unsure of exactly what I will be doing, although I have made edits to my proposal and will post the finished version with my next weblog. I may undertake several side projects as well, so as to be able to participate in exciting new opportunities like the possible cubesat project. Additionally, we unpacked one of the laser cutters today enough to get the instruction manual out; on Wednesday, I will help rearrange the robotics lab to start creating the new "fab lab".
