NFC tags – automating reading and writing with LUA and Proxmark3.

Hello there, it's been quite a while, but no time like the present to resurrect this blog. Since the beginning of ’21 I have been researching NFC and RFID tags as part of a Cyber Security course. It led me to a hardware device called the Proxmark3 that allowed me to interact with the tags. But I wanted more. YouTube video here:

https://youtu.be/FYHxatRUmEk

My goal was to write a LUA program that can be executed by the Proxmark software. It would sit there listening until it detected a tag, then it would dump the information and use that to write a new tag. As this project was for a class, I only had 4 weeks to develop something while learning a new language. I have posted the result (and iterations of the build) on my GitHub – https://github.com/somefreak/proxmark-auto-mifare

The program I ended up with does not have the entire functionality that I set out to achieve. However, I do not count that as failure. My programming skills are amateur level at best, so getting a working program with partial functionality feels like I have accomplished something.

Luckily, there are many other LUA Proxmark3 projects with more functionality than mine. Here are the references I used while researching and coding my solution:

https://swende.se/blog/Proxmark_Scripting_1.html
https://swende.se/blog/Proxmark_Scripting_2.html
https://stackoverflow.com/questions/1034334/easiest-way-to-make-lua-script-wait-pause-sleep-block-for-a-few-seconds
https://www.tutorialspoint.com/lua/lua_variables.htm
https://www.tutorialspoint.com/lua/lua_repeat_until_loop.htm
https://github.com/Proxmark/proxmark3/blob/master/client/scripts/formatMifare.lua
https://github.com/Proxmark/proxmark3/blob/master/client/scripts/mifare_autopwn.lua
https://github.com/Proxmark/proxmark3/issues/840
https://stackoverflow.com/questions/14629658/lua-repeat-until-seems-to-use-original-value
http://www.troubleshooters.com/codecorn/lua/luaio.htm

Through my research, what I have discovered is that these tags are just as vulnerable as normal locks with keys. There is no perfect security solution; the only difference between normal locks and lockpicks is that the technical barrier to entry is higher for NFC, but that doesn’t mean there aren’t digital lockpicks out there.

Raspberry Pi 2 case mods

I use Raspberry Pis quite a lot in my work and home life; they are a very handy little platform for both development and electronics that can be had very cheaply. Since the r-pi2s have come out, I have been slowly moving some services onto the new boards, but had not had cases to put them all into. This got me motivated to finally tackle an r-pi2 Lego case. I made it from Lego Technic that I had lying around, and it has worked quite well for 6+ months so far:

Lego r-pi2 case

However, I have been battling with slow connections on the r-pis that I use as WAN connectivity devices (including a VPN router so I can go dark against data retention, Squid proxies, caching name servers, etc.). Although it would be a simple task to extend the Lego case, I had come across another solution in my travels at work.

I had just been swapping out old Cisco 4400 series Digital Media Players. One was completely dead, so I opened it up and stripped out the contents. I suspected it would be a good size for two r-pi2s, plus it has good shielding. I had to strip out the back plate, and also cut a hole in one side to allow the USB power connection to the pi2.

First r-pi2 mounted; you can see where the side needs to be cut to allow powering the r-pi2

The second r-pi2 also fits in with its USB power, making the case a very good size for these boards. I am a little concerned that they are only screwed in using one screw at the moment; I think I will probably mount some more brass standoffs to stabilise them. The USB and Ethernet ports are accessible.

Success: two Pis mounted in the case, about to be put back together

The top of the case touches the Ethernet ports of the r-pi2s, but it doesn’t stop it being re-fitted.

Done, and using the flash doesn’t reboot it 🙂

Again, if you want to get your hands dirty with coding or mods, the r-pis are an excellent base to start with. And with a version of Windows 10 coming along to supplement the range of OSes already available, it’s becoming a very flexible platform.






Device Security – Cisco NTP

This week has seen a few vulnerabilities become very public: one that targets home routers (Misfortune Cookie) and another of note for people running NTP (ntpd – http://www.eweek.com/security/four-flaws-expose-critical-network-time-keeping-servers-to-attack.html ). Between this and the hacks on Sony, iCloud etc., this year has served as a reminder to me that device security is something that often changes, and may be impacted by protocols, devices or other changes on your network, be it home or otherwise.

A great example of this is consumer routers coming with IPv6 support. Years ago, I swapped to a new router that came with IPv6 support. Little did I know at the time that my ISP automatically assigned clients a /56 IPv6 subnet by default. My router was then happily handing out a /64 to the LAN segment, meaning all my home devices automatically got a public IPv6 address. I can tell you, it was very scary the day I was able to connect from a public network to my NAS and other network devices without filtering. This security issue arose because I changed one piece of hardware without realising the full impact that change would make.

Getting to the topic: a lot of people configure their Cisco routers and switches to use NTP. However, I have found in the past that doing this also enables the Cisco device as an NTP server. Yep, that’s right: if you typed “ntp server pool.ntp.org” into your Cisco router, as an example, it has not only started the client to update its own time, but it has started acting as a server too! Luckily, you are able to secure it. Here is what you need to do.

(In this example I will use 10.1.10.1 and 10.2.20.1 as the NTP servers.)

First, we will need to create an ACL to allow traffic to the NTP servers that we want our device to synchronise with:

!
configure terminal
access-list 10 permit 10.1.10.1
access-list 10 permit 10.2.20.1
access-list 10 deny any
!

Here I will assume you will have already configured your servers; the next step is to apply the ACL. Even though I use the command “ntp server 10.1.10.1” rather than “ntp peer 10.1.10.1” (they do different things, see here – http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html ), when you apply the ACL you need to use the following command:

!
ntp access-group peer 10
!

Your network devices should now no longer respond to queries (except from hosts in that ACL).
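As a check after applying the ACL, here is an added Python script (not from the original post) that sends a single NTP client query to a device and reports whether it answers; run it from a host outside the ACL, where a correctly restricted device should not reply. The target address is a command-line argument (192.0.2.1 is a placeholder), and the sample reply bytes at the bottom are constructed, not captured from a device.

```python
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_client_request():
    """Build a minimal 48-byte NTPv4 client packet: LI=0, VN=4, Mode=3 (client)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack("!B", li_vn_mode) + b"\x00" * 47


def parse_reply(data):
    """Parse an NTP packet header; return fields for a mode-4 (server) reply, else None."""
    if len(data) < 48:
        return None
    version = (data[0] >> 3) & 0x07
    mode = data[0] & 0x07
    if mode != 4:  # anything other than a server reply is not evidence of an NTP server
        return None
    xmt_sec, xmt_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {
        "version": version,
        "stratum": data[1],
        "transmit_time": xmt_sec - NTP_EPOCH_OFFSET + xmt_frac / 2**32,  # Unix time
    }


def ntp_answers(host, port=123, timeout=2.0):
    """Send one client query to host; return the parsed reply, or None if nothing valid comes back.
    A device with 'ntp access-group peer <acl>' applied should return None when
    probed from a host outside that ACL."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (host, port))
        try:
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, or ICMP port unreachable surfaced as a socket error
            return None
    return parse_reply(data)


# Constructed sample reply (not captured from a real device): VN=4, mode 4,
# stratum 2, transmit timestamp 2015-01-01 00:00:00 UTC expressed in NTP seconds.
SAMPLE_REPLY = bytes([(4 << 3) | 4, 2]) + b"\x00" * 38 + struct.pack(
    "!II", 1420070400 + NTP_EPOCH_OFFSET, 0)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder: your router's address
    reply = ntp_answers(target)
    print(target, "answers NTP queries:" if reply else "no reply (restricted or unreachable)", reply)
```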

Wishing everyone all the best for the holidays and 2015! Remember to back up those videos and photos 🙂






Network Management using L.A.M.P., SNMP and Freeradius.

During my career I have been able to work with a number of programmers, students working on thesis or masters projects, and programming for personal projects. One of the projects I helped develop was called Scripts. It was built using a L.A.M.P. setup, but also leveraged other Linux freeware such as SNMP, FreeRADIUS, cron/shell scripting, Subversion and RANCID. Scripts does nightly backups of configurations, allowing myself and others to do diffs and searches using grep and other Linux processing tools.

Scripts’ front end was a web interface; it authenticates users via LDAP and only displays the options they should be able to see.


For example, almost everyone wants to be able to see the “Managed ADSL Authentication Logs”, but not everyone should be able to see configuration generators. The configuration generation was used to help installers keep to the standard baseline configuration, allowing other tools (like an overworked CiscoWorks LMS) to still function.


Using information from MySQL, it would then build the configuration and leave it in a TFTP/FTP directory that was cleaned out daily. Configuration of the switch once it was connected was a cut/paste job.


Other tools included L2/Spanning-tree and L3/VLAN/IP configuration, ACL generation and routing (OSPF, policy routing, static routing) generation. Being a web interface, it worked well on laptops, desktops and mobile devices, making it a go-to tool.






L.A.M.P. Servers

I have made use of Linux, Apache, MySQL (or PostgreSQL) and PHP servers for a lot of personal and work related projects. For example, I have used L.A.M.P. servers to run things like FreeRADIUS servers or DHCP servers that use SQL for information to drive the services. Apache and PHP were used to provide an easy way for support people to check the status of services and do other admin tasks.

I have also used PHP, MySQL and SNMP to do network management tasks, such as baseline checking of switch configurations, OS management, switch deployments and other standardised configuration tasks.







Remote Access and Site to Site VPN

During my career I have been able to deploy a number of VPN configurations to help support a corporate environment.

I was able to deploy Remote Access VPN services using Cisco VPN3000s and later Cisco ASAs (e.g. 5515X, 5525, 5585 models) to suit the requirements of the corporate environment. I was also able to utilise ASAs to do Site-to-Site VPN to allow sharing sensitive corporate and medical information between organisations while maintaining the security of both corporate environments.

I have experience with software VPN products such as OpenVPN. OpenVPN was an excellent solution for out-of-band connectivity as there is good hardware and OS support. I used it to get OpenGear terminals to connect to a cloud VPS running OpenVPN, for accessing the terminals when a network disaster happens. I have established CAs when using OpenVPN for certificate based authentication of users and terminals.






WiFi – Centralized infrastructure

Wireless has become an essential access medium, but it has been a headache to manage on a larger scale. I got involved with migrating access points from autonomous access points to being centrally managed when the company I was working for deployed 802.1X wireless authentication to try and get rid of an older web based authentication. At that point we only had about 200 APs, but it was decided that changing them to lightweight and using central controllers was the way to go. We ended up deploying two Cisco WiSM1 modules (the second was for redundancy) and connecting them up to the central authentication services (LDAP, Kerberos, AD) via a RADIUS server (Radiator).

The wireless network grew very quickly after that, and soon I was tasked with building a fully redundant central wireless module. I deployed two Cisco 6509s in VSS configuration; each had two Supervisors, one 10Gb module and 5 WiSM2 modules, and the last slot was reserved in case of failure so we could swap cards if needed. The WiSM2 modules were initially installed as standalone, but were later run in AP-SSO mode to ensure our clients got the highest level of service. Fortigate firewalls were installed to provide content filtering and guest access; I used two of the 800C model in HA mode. Multiple VDOMs were used on the Fortigate to allow easy deployment of networks for guest companies on site, and this was coupled with VRF-lite on the Cisco VSS MLS, allowing great flexibility.

This was coupled with FreeRADIUS (to proxy requests) and later Cisco ISE to offer the complete BYOD solution.






Fibre Optics, wide area, metro area and wave division

Due to the requirements of some infrastructure I have supported, we have needed to utilise high bandwidth but low cost WAN links. Some dark fibres were between Brisbane and Sydney, but most were in the Brisbane/Ipswich area. For quite a number of links we were able to get away with running either LR or ZX optics, depending on link loss, to get connections up and running. This was great for data, but as soon as you want multiple services for redundancy, or Fibre Channel etc., you can be better off looking at WDM.

My first experience was joining two sites via a common middle point on their path. The middle point needed to be serviced by either end, and the two far ends needed to communicate directly rather than using layer 2. The best solution at the time was to deploy a CWDM solution, patching through a wavelength in the middle site to allow one piece of fibre to service two links. You can use BX optics to get the same effect, but CWDM scales better if you are looking to add more services.

Which is what happened; this, coupled with the need for multiple 10Gbps links, drove my involvement in deploying Cisco ONS15216 OADMs and building DWDM links. The DWDM installation included things like bench testing hardware to ensure stable operation and doing loss calculations. As we were using the middle hop, we needed to add in loss at the middle site for their wavelengths, and on other links we needed to use Cisco EDFA3s to amplify the signal to get rid of errors and poor performance.

I got the opportunity to install DWDM on links just over 40 km; I was also the primary support for faults relating to the DWDM network and other fibre links.






Fibre Optics for Buildings/LAN

During my career I have had the opportunity to work with various different types of fibre optic media. I have been involved with the design phase (i.e. specification of cable types, e.g. OM3, OS1 for internal communication room interconnects) through liaising with architects. I have then been able to follow through the building stage, overseeing the qualified cable installers’ work.

I have been involved in network deployments utilising fibre optic terminations and their associated equipment, single mode and multi mode, from 10Mbps to 40Gbps (SR, LRM, LR, ZX). I am also well experienced in cleaning and handling fibre connections and troubleshooting problems with links (i.e. finding loss across multiple interconnects).







Conference Networks

Conference networks are always challenging: they only need to be working for a short time, but they HAVE to be working. In the past I have set up, supported and torn down networks for conferences. Some involved links to external carriers using BGP; some involved doing an IPv6 roll-out from scratch for wired and wireless clients.

Most of the conferences I have done have used carrier (Telstra, Optus, AARNet, etc.) and venue infrastructure, overlaying a conference network on existing infrastructure (Q-in-Q, GRE tunnels, etc.) where it was required.

Conference attendees generally want an easy access experience, but maintaining security is also important. I have successfully designed and deployed temporary wireless coverage across different venues. I have also needed to enable authenticated access to eduroam (using temporary RADIUS servers) along with web content filtering, firewalling and shaping services.


Some of the conferences I have worked on include:

AusCERT 2005 – 2013

eResearch 

International Maths Olympiad 2013

Questnet

World Computer Congress 2010