Reverseme – very very easy Linux

This would probably be a good place to start if you’ve never reversed anything before.  Too easy for my taste though, and I’m just a beginner.

To try it, see http://crackmes.de/users/cyrex/linux_crackme/

In an objdump disassembly, you can see that strcmp is called right after scanf reads the password.

The password is hard-coded.  It is pushed from 0x80486a3.  Revealing it is as simple as starting up gdb and typing x/s 0x80486a4.  The strings command or a hexdump reveals it just as well.
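As an added example (not part of the original post), here is a small shell stand-in for the strings command, run over a file constructed with printf that wraps a made-up value in non-printable bytes. It is the kind of check worth running on your own build output before shipping, since anything a binary stores as a readable string is this easy to recover:

```shell
#!/bin/sh
# Added example: a minimal stand-in for strings(1).  It prints every run of
# four or more printable ASCII characters in a file.  The sample "binary"
# below is constructed with printf; the padding bytes and the credential
# "MySecretPass123" are made up for this example.

# Force byte semantics so [:print:] means 7-bit printable ASCII only.
LC_ALL=C
export LC_ALL

# Map every non-printable byte to a newline, then keep lines of 4+ chars.
find_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Construct a small file: an ELF-like header, junk bytes, and a hard-coded
# credential, followed by short fragments that are too short to report.
make_sample() {
    printf '\177ELF\001\002\003\000\000\000MySecretPass123\000\001\002\003ab\000cd\000' > "$1"
}

# Does the scan turn up an exact given string?  Returns 0 (true) if it does.
contains_secret() {
    find_strings "$1" | grep -qxF "$2"
}

SAMPLE="${TMPDIR:-/tmp}/reverseme_sample.$$"
make_sample "$SAMPLE"
find_strings "$SAMPLE"     # prints only: MySecretPass123
rm -f "$SAMPLE"
```

Real strings(1) also handles wide-character encodings and lets you pick the minimum length with -n; this version is just enough to show why "hidden" in the binary is not hidden at all.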

Rescue initramfs

In my opinion, the best way to rescue after a failure is a live CD like Knoppix.  However, there are times when you are a bit unprepared and don’t have the live CD with you, or your machine doesn’t have a CD-ROM drive, etc.  Yes, I could go to my office, grab a spare, bring it back, tear the computer apart, add the CD-ROM drive and do it that way.   Sometimes even this is not an option, like in the case of my tablet, which does not even have an option in the BIOS to boot from a CD or USB.  When I originally installed it, it was a network install.

More often than not, I just add init=/bin/bash to the kernel options in grub and boot to a shell.  This has many obvious disadvantages though.  You do not have any virtual consoles.  There is no job control: control-C and control-Z do not work.  You’d better not ping anything or you have to reboot!  For quick fixes this is an all right solution.

Another interesting option, although not as universal as passing /bin/bash as init, is only really easy in Debian derivatives as far as I know.  It is, at least, different to do with Red Hat because of their different handling of initramfs.  But anyway, in Debian, navigate to your initramfs.conf file and set $DELAY seconds.  Now, when you’re booting, press the enter key when it says ‘waiting for $DELAY seconds’ to obtain a real Debian environment shell prompt that is much easier to use than the first option.  You can interrupt and kill jobs, have more than one terminal, etc.

websitebaker module: Random pic with text

This module includes a function you can call to randomly pick an image from a directory. It is based on a module written by John Maats, and I just added the captioning. 

Here is a link to the zip.

<?php
/* Random image snippet
   Call this snippet with:
   RandomImage('/media');
   in your template.  $dir is relative to WB_PATH (the WebsiteBaker install
   root) and comes from the template author, not from site visitors. */

function RandomImage($dir) {
        // Read the folder and keep only the picture names (.jpg, .gif, .png).
        $names = array();
        $folder = opendir(WB_PATH.$dir.'/.');
        if ($folder === false) {
                return;
        }
        while (($file = readdir($folder)) !== false) {
                $ext = strtolower(substr($file, -4));
                if ($ext == '.jpg' || $ext == '.gif' || $ext == '.png') {
                        $names[] = $file;
                }
        }
        closedir($folder);

        // Nothing to show if the folder holds no images.
        if (count($names) == 0) {
                return;
        }

        // Pick one image at random.  (array_rand with a count of 2, as the
        // original did, fails on a folder holding a single image, and PHP
        // seeds its generator itself, so no srand call is needed.)
        $image = $names[array_rand($names)];

        // Name of the image without its extension: used for the caption, the
        // .txt lookup and the alt text.  File names are not trusted HTML, so
        // escape before echoing.
        $name = substr($image, 0, -4);
        $safe_name = htmlspecialchars($name, ENT_QUOTES);

        // Print the caption.
        echo "<p><b>$safe_name</b></p>";

        // Print the associated text file if it exists, one line after another.
        $textfile = WB_PATH.$dir.'/'.$name.'.txt';
        if (file_exists($textfile)) {
                $myfile = file($textfile);
                echo '<p>';
                foreach ($myfile as $val) {
                        echo htmlspecialchars($val, ENT_QUOTES).' ';
                }
                echo '</p>';
        }

        // Output the image tag.  (The original fetched getimagesize() on the
        // WB_URL, i.e. over HTTP from the server itself, and never used the
        // result; if dimensions are wanted, read the local path
        // WB_PATH.$dir.'/'.$image instead.)
        echo '<img src="'.WB_URL.$dir.'/'.rawurlencode($image).'" alt="'.$safe_name.' image" />';
}
?>

Really global environment variables for ssh

<mopey> how do I export a variable in pvm?  I add it to my .bashrc or .profile but it ignores it.
<mopey> an environment variable
<mopey> Because I get this error:
<mopey> The value of the $PVM_ROOT environment
<mopey> variable on compute-0-1 is invalid (“”).
<mopey> Use the absolute path to the pvm3/ directory.
<mopey> but if I ssh into compute-0-1, echo $PVM_ROOT it is set correctly
<staynalive_> mopey: I don’t know much about PVM
<staynalive_> but I would check to see if it gets set for non-login sessions
<staynalive_> by doing (in one command) “ssh compute-0-1 printenv”
<staynalive_> Yeah, I just tested it and that’s the issue.
<mopey> good call, it’s not being set for some reason, although it’s “being set” in ~/.bashrc
<mopey> where would I set it, if not bashrc?
<staynalive_> Umm
<mopey> my .profile calls bashrc btw, although that shouldn’t really matter since that’s only on interactive logins, right?
<staynalive_> Yeah
<staynalive_> I think I actually changed a ssh flag to carry the environment variables through to the new machine in a ssh session.
<staynalive_> “PermitUserEnvironment yes”
<mopey> oh.  well that’s handy.
<staynalive_> That way if users set something up funky they can carry it to the nodes.
<staynalive_> But the manual warns of some possible security issues…
<mopey> if someone is on my frontend node, it’s only being used on the compute nodes, so it shouldn’t be that big of a deal.
<mopey> since they are basically thin
<mopey> aaah, ssh has env variables all of its own…
<mopey> I remember telling you that at one point.  I guess I’m losing my marbles

<mopey> has anyone ever gotten sshrc to successfully set ssh environment variables?
<mopey> it *should* be straightforward
<mopey> the sshd man page says:  8.  If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, runs it; otherwise runs xauth.  The “rc” files are
<mopey>  given the X11 authentication protocol and cookie in standard input.
<mopey> is this not run (when I do ‘ssh compute-0-0 env’) because it is too late in the process?
<mopey> because my $HOME/.ssh/environment _is_ run, and I can set them that way.  Except that I want to do it for all users and that seems to be a lame solution.
<mopey> It seems like the command should be executed *after* the rc files are read (it’s step 9)
<mopey> So I wonder why the hell it’s being ignored…
<mopey> staynalive, you said you use “PermitUserEnvironment yes”.  So do you just set a $HOME/.ssh/environment for each user?

<mopey> haha
<mopey> for those who care, pam overrides my ssh variables for the most part
<mopey> so you can define variables in /etc/security/pam_env.conf
<mopey> god, that took forever to figure out why my /etc/environment variables weren’t getting set over ssh
* Vog-work has quit (“ChatZilla 0.9.79 [Firefox 2.0.0.10/2007111504]“)
<twinprism> thanks for sharing, mopey, I care…
<mopey> weird.
<mopey> :)
<_sera> I don’y
<_sera> sheesh… don’t
<mopey> Normally it probably doesn’t matter I’m sure.  Like if you get a bash shell and can actually execute profile/bashrc
<mopey> But if you have a crippled pvm shell or something, it’s way important
<mopey> plus I think pam_env is how PATHs and junk get set on login – at least on ubuntu
<mopey> *gdm/kdm/xdm login

chkrootkit

chkrootkit operates sort of like a virus scanner for Windows, in that it looks for infected files using signatures.

From the man page:

chkrootkit examines certain elements of the target system and determines whether they have been tampered with. Some tools which chkrootkit applies while analyzing binaries and log files can be found at /usr/lib/chkrootkit.

I installed using apt-get.

By default, it logs to a file. I like to check my logs over email every morning, so I changed the cron job to reflect this. I added the MAILTO: root line, and the /usr/bin/chkrootkit at the end (the standard output is what gets mailed, so the run gets logged and mailed).  The following entry is /etc/cron.daily/chkrootkit.

#!/bin/sh -e

CHKROOTKIT=/usr/sbin/chkrootkit
CF=/etc/chkrootkit.conf
LOG_DIR=/var/cache/chkrootkit
MAILTO=root

if [ ! -x $CHKROOTKIT ]; then
  exit 0
fi

if [ -f $CF ]; then
  . $CF
fi

if [ "$RUN_DAILY" = "true" ]; then
  if [ "$DIFF_MODE" = "true" ]; then
    $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.new 2>&1
    if [ ! -f $LOG_DIR/log.old ] \
      || ! diff -q $LOG_DIR/log.old $LOG_DIR/log.new > /dev/null 2>&1; then
      cat $LOG_DIR/log.new
    fi
    mv $LOG_DIR/log.new $LOG_DIR/log.old
  else
    $CHKROOTKIT $RUN_DAILY_OPTS
  fi
fi
/usr/sbin/chkrootkit

chkrootkit seems like it has quite a bit of promise.  I use chkrootkit with tripwire, selinux, iptables, fail2ban, and good service configuration for a functional system that is still fairly secure.

Build a Bridge and Get Over it

In my environment, the best kind of firewall is the bridge kind of firewall. Meaning: a transparent kind of firewall. Here’s how I generally set them up.

So, I don’t have control of the gateway routers. I have IP addresses all over the place in my little IP pool. For example I have one little server room with a 134.50.7.24 a 134.50.7.88 and a 134.50.7.244. What I want is a firewall complete with IDP to limit access to stuff in a centralized way. BTW, I also tend to have firewalls on every machine, I guess for the double layer of protection. Firewalls are sort of like condoms. Double layering doesn’t seem to help that much, but it couldn’t hurt. And either way, once you’re penetrated, you’re fucked.

To clarify, what I want is something completely invisible to the outside. As far as the outside is concerned, there is nothing there. In fact, this could be the case as far as the inside is concerned. However, you may want to give the bridge an IP address and let something through so you can ssh in to fix whatever problems.

So:

Network —– Bridge ——switch —Internal Network of various IPs

The cool thing about a bridge is you can stick it anywhere and it won’t change how any of your other hosts are hooked up.

For this task, I chose everyone’s favorite OS, Linux. I also chose a minimalist version of Ubuntu since I heart Ubuntu. This is actually a pretty trivial thing to set up.

# apt-get install bridge-utils

Then you want to create a new bridge device and add your ethx interfaces to it. Your ethx will probably be eth0, eth1, eth2 or whatever network devices you want on the bridge.

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ip link set br0 up

Now guess what. You’ve now turned your $300 machine into a $10 hub.

Next if you want to give your bridge an ip address and a route:

# ip addr add x.x.x.x/x brd + dev br0
# route add default gw x.x.x.x dev br0

Where the x’s are your IP address, prefix length and gateway.

I find as I’m writing this I’m just repeating what else is out there. Go and read http://www.linuxjournal.com/article/8172 and it will show you the way.

Now that you’ve got your bridge working you can filter traffic using ebtables (at the Ethernet frame level) and iptables (at the IP level) and snort and whatever. There are tons of examples of this online, so I won’t bore you here. Awesome.

Put all this in rc.local or whatever boot up script so that your system remembers everything and you’re golden! To all those people who say “just use smoothwall and don’t worry about iptables” in your face! smoothwall/ipcop/monowall are all pretty cool, but being a transparent bridge isn’t one of the things they are capable of out of the box. They are mostly meant to be gateways or whatever.
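As an added example (not the original post’s script), here is the bridge setup above wrapped into a script suitable for rc.local. The interface names eth0/eth1, bridge name br0, management address 192.0.2.10/24 and gateway 192.0.2.1 are assumed defaults chosen for the example and can be overridden through environment variables; the commands themselves (brctl, ip, sysctl) are real, and setting RUN=echo prints them instead of running them, since they need root:

```shell
#!/bin/sh
# Added example: bridge setup for rc.local.  Assumed defaults: br0 with ports
# eth0 and eth1, management address 192.0.2.10/24, gateway 192.0.2.1.
# RUN=echo prints the commands instead of executing them (dry run).
RUN="${RUN:-}"
BRIDGE="${BRIDGE:-br0}"
PORTS="${PORTS:-eth0 eth1}"

# Accept a dotted-quad IPv4 address; every octet must be 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept address/prefix, e.g. 192.0.2.10/24 (prefix 0..32).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    echo "${1##*/}" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' || return 1
    valid_ipv4 "${1%/*}"
}

# Create the bridge, add the member ports, bring everything up.
setup_bridge() {
    $RUN brctl addbr "$BRIDGE"
    for port in $PORTS; do
        $RUN brctl addif "$BRIDGE" "$port"
        $RUN ip link set "$port" up
    done
    $RUN ip link set "$BRIDGE" up
}

# Optional management address so you can ssh in to fix things.  Malformed
# input is refused rather than handed to ip(8).  Uses "ip route" in place of
# the older "route add default gw" from the post.
setup_mgmt_addr() {
    addr="$1"; gw="$2"
    valid_cidr "$addr" || { echo "bad address: $addr" >&2; return 1; }
    valid_ipv4 "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
    $RUN ip addr add "$addr" brd + dev "$BRIDGE"
    $RUN ip route add default via "$gw" dev "$BRIDGE"
}

# Make bridged frames traverse the iptables FORWARD chain (needs the
# br_netfilter module on current kernels); ebtables sees them regardless.
enable_bridge_filtering() {
    $RUN sysctl -w net.bridge.bridge-nf-call-iptables=1
}

main() {
    setup_bridge
    setup_mgmt_addr "${MGMT_ADDR:-192.0.2.10/24}" "${MGMT_GW:-192.0.2.1}"
    enable_bridge_filtering
}

# Run the setup only when a run prefix is chosen (RUN=echo for a dry run,
# RUN=sudo or run as root for real); otherwise just define the functions.
if [ -n "$RUN" ]; then
    main
fi
```

Try RUN=echo sh bridge.sh first to see exactly what would be executed; leave out setup_mgmt_addr entirely if you want the bridge to stay fully invisible as the post describes.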
