Monday, April 2, 2018

Setting up HTTP Basic Authentication


- Layout for this exercise:

- Web applications may provide their own access control methods, but a web server can also restrict access by using two types of authentications that are part of the HTTP standard: Basic and Digest authentication.

- HTTP Basic Authentication (BA) is the simplest way to enforce access control to web resources. When making a request, the user agent  provides credentials (username and password) to the web server.

- BA uses standard fields in the HTTP header, not providing confidentiality because the credentials are sent just encoded with Base64, but not encrypted or hashed at all. 

- For further information about HTTP Basic Authentication:

- To implement Basic Authentication on an Apache web server, first of all a password file must be created, so that Apache can read it whenever the web page is requested.

- The utility htpasswd (part of the apache2-utils package) manages user files for basic authentication. As an example, let's take:

username: admin (very common as default username in many devices)
password: ababa (simple, for the purpose of ease in this exercise)

- The hidden file .htpasswd has been created and stored encrypted on the server side:

- The default encryption format to store the credentials is "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password.

See source file apr_md5.c for the details of the algorithm:

- Editing the Ubuntu default virtual host file (000-default.conf):

- Adding the HTTP BA restriction for the directory called "basicauth", where the web page is contained. The <Directory> block specifies that the type of authentication is Basic, the name of the realm (the realm name defines a protection space for a web resource in combination with the canonical root URL of the server being accessed), the path to the .htpasswd file, and the requirement of "valid-user" credentials:

- In this way, we have established a per-directory basis HTTP BA specific for the directory "basicauth" that we are interested in. 

- After editing the virtual host file, let's restart the web server:

- Configtest command checks that the syntax of the configuration file is correct:

- Reviewing the status of the web server:

- Now, a user is prompted to enter credentials when trying to access the web resources contained in the directory "basicauth".

- In case of introducing bad credentials, the server answers with the default "Unauthorized" message:

- Introducing the correct credentials, the web resources are finally available:

Thursday, March 8, 2018

Pentest via cellular network (V): Nmap port scanner with SMS message


- Layout for this exercise (Smartphone and Raspberry Pi / SIM card / Modem):

- This exercise is based on the four previous exercises:

1 - Writing the Python script

- The Python script used in this exercise uses libraries and scripts from previous exercises:

- Some libraries are imported:

- A function is defined  to process the SMS message requests:

- External stored data is invoked:

- The script waits until an SMS message arrives, then processing it, and finally giving back an answer:

2 - Testing the script

- First, from the smartphone an SMS message is launched asking about the port 22 of the localhost:

- Running the Python script at the Raspberry Pi, it detects the request from the smartphone and finally gives back an answer:

- Before launching another test to the host, let's perform an Nmap scan in the usual way:

- Now,  from the smartphone an SMS message is launched inquiring about the port 135 of the host

- The Raspberry Pi gives an answer back to the smartphone via an SMS message, and the result is equal to the usual Nmap port scanning: port 135 is open.

Pentest via cellular network (IV): port scanning with Python-nmap


- Layout for this exercise (Smartphone and Raspberry Pi / SIM card / Modem):

1 - Installing Python-Map on the Raspeberry Pi

- python-nmap is a python library which helps in using Nmap port scanner.

- It allows to easilly manipulate nmap scan results and will be a perfect tool for systems administrators who want to automatize scanning task and reports. 

- It also supports nmap script outputs.

- For further information:

- Python-nmap works on top of Nmap, so let's make sure that Nmap is previosly installed:

- Downloading python-nmap:

- Uncompressing:

- Setting up and installing:

2 - Testing python-nmap with Python interactive mode

- Now, let's check its funcionality scanning the port 22 of the localhost Raspberry Pi, invoking python-nmap from Python:

- The SSH port 22 is in "open" status:

3 - Writing a Python script using python-nmap

- This Python script uses python-nmap for scanning, and it is based on the documentation provided by the python-nmap official website:

- Let's notice that the final section of the script just indicates to scan the localhost port 22:

- Running the script the result is successful:

Pentest via cellular network (III): SMS messages with Hologram Python SDK


- Layout for this exercise (Smartphone and Raspberry Pi / SIM card / Modem):

- The goal of this exercise is to send/receive SMS messages between a Hologram modem (installed at a Raspberry Pi device) and a smartphone via the celullar network, using the Hologram Python SDK library.

- First of all, let's create an external data script where the device key and the phone number are stored:

- Now, importing libraries from the Hologram Python SDK, this Python script sends an SMS  message and prints the successful result:

- Running

- In similar way, this Python script puts the modem into receiving mode and prints the message once it has been received:

- Running (in the image I have removed the sender phone number by privacy reasons):                                                                                                                                                                                

- The smartphone screen displays the SMS messages exchanged with the modem: