The Future of Open Source Security
The ‘hacker’ archetype has evolved quite a bit from its cyberpunk, basement-dwelling origins— these days, it’s not so out of the ordinary for computer criminals to take on the leading roles of hit TV shows and blockbuster action-thrillers. But to Josh Ewing, our new QA and Security Engineer, cyber-security has always been en vogue. So much so that he recently built his very own open source security application, NetSec-Framework, which he demoed at this year’s Black Hat USA to several hundred people. We sat down with Josh to talk about his application, his experience at the Arsenal Station, and his thoughts on security.
Josh from Reaction Commerce (on the right), giving a demo of his security tool.
Why is NetSec-Framework so unique?
It’s an educational tool that can be used by anyone to hypothetically harvest credentials from a network. It takes away some of the guesswork and does most of the work automatically, so the user doesn’t need to understand all the ins-and-outs of the security tools that the command-line interface utilizes. It’s also the very first tool that features a multitude of man-in-the-middle attack capabilities (in which an attacker intercepts communications between two systems), all located in one place.
Tell us more about the NetSec-Framework tool. How does it work?
It’s a command-line interface, which I wrote in Python. The idea was to be able to boot up a vanilla Debian-based distro. The user would then run the Python script, which would install all dependencies for you and configure your system, including iptables and port forwarding. It then holds your hand through the process as it runs nmap scans and performs man-in-the-middle attacks within just a couple minutes. The tool allows the user to use Arpspoof, Ettercap, and sslstrip-generating timestamped pcap files, which can later be opened using Wireshark or running dsniff against. It also allows the user to install most security tools on the fly.
A screenshot of Josh's application.
What were some challenges you faced while building it, and how did you overcome those challenges?
I actually wrote the tool as an exercise while I was learning Python.
The tool uses a lot of system calls, so getting stdout to work properly was a bit of a challenge. For instance, in order to use sslstrip, the attacker would first have to ARP poison a client IP or Gateway. When arpspoof starts, it can be a little cluttery, so it’s important to be able to execute multiple tools through the command-line interface and keep stdout to a minimum, while also keeping the output so it can be saved as a pcap file.
What was it like demoing your tool at the Arsenal Station?
It was amazing. The first 30 minutes or so were a bit nerve racking, but it got easier. I would get waves of people at a time every five minutes or so. I met a variety of security professionals, ranging from individuals just getting into security, to Red and Blue Team members, and even some military. Many of them were excited to try out my tool in the field. I got that a lot, especially from Red Team members, who want to get up and running quickly, which is exactly what my tool is designed for. I was a bit surprised, but I only received praise and positive feedback. And when my demo time was finished, I was immediately approached by the ToolsWatch and Black Hat crew, who asked me to resubmit my tool for BlackHat Europe later this year. So, we’ll see how that goes.
What are some of the highlights from the event, both from the conference side and personally?
All of the highlights this time around really revolved around meeting people and making new friends. Last year, I was a little timid, mostly going to the briefings and talks, and didn’t do a lot of reaching out. This time, I ended up spending my time talking with individuals: defense contractors, pentesters, endpoint security specialists. It was incredible to be able to talk about security with your peers, and everyone around you knows what you’re talking about. You find an immediate connection with people from all over the world. This only happens to me once a year, so it's fun and exciting.
At DefCon, when I wasn’t talking with people, I spent a good amount of time at the Lockpick, Internet of Things, and BioHacking Villages. I’ve always wanted to learn basic lock-picking. And at the BioHacking Village, they were implanting tiny RFID chips into people’s hands! At least, that’s what I could see amidst the sea of mohawks.
Are there any security projects you’re looking forward to tackling for Reaction?
Well, I think security for Reaction, being a Meteor node.js platform, is going to bring its own set of challenges.
I predict that Meteor security is going to evolve in the next couple years. There are a ton of layers to peel back. Everything from greater exposure to man-in-the-middle attacks, system misconfigurations, server/client publications, third-party npm packages, using Docker in a production environment, V8— they all have their own set of security concerns. Every one of these issues require a separate set of security analysis and research — not simply vulnerability scanners, but also setting up their own proof of concepts.