List all keys

gpg –list-keys

print key to a file (mypublickey) – <keyid> is listed when you do list-keys

gpg -ao mypublickey.key –export <keyid>

show secret keys

gpg –list-secret-keys

backup secret keys

gpg -a –export-secret-keys <keyid> | gpg-aco myprivatkeyfile.key.gpg

Restoring the key

gpg –import {keyfile}

Restore an encrypted key

gpg –decrypt {privatekeyfile} | gpg –import

Sign a file

gpg –output doc.sig –sign doc

verify signature

gpg –output mydoc –decrypt doc.sig

Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity.

Good advice, but sometimes you need to get stuff done anyway. This is experimenting with pam and execv from a stupid google apps pam module I wrote

PID = fork();
if (PID == 0) {
  //child
  char* argvarray[4] = {progarg0, username, newpass, (char *) 0};
  execv(netprog, argvarray);
  if (debug == 1)
    printf("forking failure\n");
  report_error(1);
  return PAM_CRED_ERR;
}
else if (PID < 0) {
  if (debug == 1)
    printf("unexpected error\n");
  report_error(1);
  return PAM_CRED_ERR;
}
 
wait(&amp;execreturn);
//make sure this does exit properly and isn't killed
if (WIFEXITED(execreturn)) {
  rc = WEXITSTATUS(execreturn);
}
else {
  report_error(1);
  return PAM_CRED_ERR;
}

The first 18 lines emulate a system call. The rest is used to get the return value, which you would also need to do with a system call. Basically, it has close to the same functionality as if it were:

system("programcall");
 
wait(&execreturn);
//make sure this does exit properly and isn't killed
if (WIFEXITED(execreturn)) {
  rc = WEXITSTATUS(execreturn);
}
else {
  report_error(1);
  return PAM_CRED_ERR;
}

I am doing some research that involves a *lot* of google searches. Because this research involves a significant number of directed queries, it seems logical to hide this information as much as practical. If there is a web host who notices sequential names in a Google referer URL repeatedly, this might raise suspicion or alter behavior which could skew results. Similarly, it is desirable to hide IP information from both the web host (for similar reasons) and possibly even search engines.

First, to avoid any changes to usual browsing, a new firefox profile was created using:

firefox -ProfileManager

Additionally, to run both firefox profiles at once, the first was run as normal, which the second has the additional options:

firefox -P <new-profile> -no-remote

I add this to my taskbar alongside the regular old firefox %u so I can choose a profile with a click.

To hide the HTTP referer, a firefox extension called RefControl was selected  https://addons.mozilla.org/en-US/firefox/addon/953. This simply replaces the referer for every query with one that is configurable. Although this is certainly possible with a more traditional proxy (like paros), RefControl’s ease of use is essential with the shear number of queries that were performed for this research. For this research, I changed the referer passed several times from names like “yahoo.com”, “cnn.com”, etc. Although the traffic patterns may still seem suspicious to an administrator who carefully monitors his logs, it reveals virtually no information about what it is that is being searched for.

To obfuscate the IP address, tor and privoxy were used. Tor bounces the HTTP requests around a distributed network of relays all around the world. An in depth discussion of Tor is out of the context here, but in a nutshell “it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location” http://www.torproject.org/. Privoxy is additionally used to prevent applications like flash or dns from leaking information. Since both privoxy and tor are required, you need to install these:

apt-get install tor privoxy

and to get privoxy to work with tor, I uncommented the following line (if it’s not there just add it):

forward-socks4a / localhost:9050 .

Despite the advantages, this did make browsing for names quite slow. I really like torbutton. In the not so distant future I remember having to modify proxy settings every time I wanted to go back and forth using tor. With tor

Lastly, the noscript firefox plugin was used to mitigate all javascript based attacks that might be used to obtain IP information http://noscript.net/.

Anyway, here is some. The README:

Rich Lundeen
lundrich@isu.edu

The Specification:
———————————

The purpose of this assignment is to introduce you to the software tools we will use for the
AVR microprocessor, and to give you a better understanding of the run-time environment that
a C program operates under.
For this assignment, you will write a C main program and two subroutines – one in AVR
assembly, and the other in C. The subroutines should each do the same thing:
1. Monitor a port (your choice) that is connected to a switch. Wait until the switch is
pressed.
2. Once pressed, the routine should keep track of how long the switch is held down.
3. Wait for approximately one second.
4. Using another port (your choice) connected to a LED, turn on the LED for the same
amount of time that the switch was pressed earlier.
In addition to writing the code, determine the size of the code (main and both subroutines) in
your program.

———————————-

This code requires avrdude, avr-gcc, and objcopy are installed.

To compile the C version, type:

make

To compile the asm version, type:

make asm

After it’s compiled, to install to a connected and powered on atmega16 board, type:

make install

homework1.avi contains a short demonstration of the C version – however, both do the same thing. It
will play with vlc or mplayer.

Here is a demo of the program.. oooh blinky lights. Yeah, and anyway, the hardest part is just to find a hello world. This includes one in both C and assembly, so good hunting!

Download the source here,

/*main.c*/
#include "portstuff.h"

int main (void) {
  DDRB = 0xff;  /*11111111 means all output */
  DDRD = 0x00;  /*00000000 for all input */

  PORTB = 0xff;
  portmon();
  return(0);
}

/*portstuff.h*/
#include
#include
#include

void portmon();

/* portstuff.c */
#include "portstuff.h"

/*this is in clock cycles for my board.
* 30000 seems to be close to about a sec */
const DELAY = 30000;

void portmon() {
  while(1) {
    unsigned long timer = 0;
    unsigned long i;
    /*while a button is pressed */
    while (PIND != 0xff) {
      /*light up the button pressed */
      PORTB = PIND;
      timer += 1;
    }
    PORTB = 0xff;
    /*if the timer is not zero, we need to handle a button pressed */
    if (timer != 0) {
      /*delay for about a second */
      for (i = DELAY; i!=0; i--);
      PORTB = 0x00;
      /*delay for timer roughly equal to how long button was pressed */
      for (i = timer; i!=0; i--);
      timer = 0;
    }
  }
}

#Makefile
#c specific - this is the default

homework1.hex: homework1.out
    objcopy -S -O ihex homework1.out homework1.hex
homework1.out: main.o portstuff.o
    avr-gcc -mmcu=atmega16 main.o portstuff.o -o homework1.out
main.o: portstuff.h main.c
    avr-gcc -c -mmcu=atmega16 main.c
portstuff.o: portstuff.h portstuff.c
    avr-gcc -c -mmcu=atmega16 portstuff.c

#assembly specific rules

asm: howework1asm.out
    objcopy -S -O ihex homework1.out homework1.hex
howework1asm.out: main.o portstuffasm.o
    avr-gcc -mmcu=atmega16 main.o portstuffasm.o -o homework1.out
portstuffasm.o: portstuff.h portstuff.s
    avr-gcc -c -mmcu=atmega16 portstuff.s -o portstuffasm.o

#clean and install

clean:
    rm ./*.o ./*.hex ./homework1.out

install:
    avrdude -y -C /etc/avrdude/avrdude.conf -p atmega16 -P /dev/ttyS0 -c stk500v2 -U flash:w:homework1.hex:i

/*portstuff.s*/
#include "portstuff.h"

.file	"portstuff.c"
PORTB  = 56-0x20
PORTD  = 48-0x20
ALLON  = 31
WAIT   = 0xa
.text
.global	portmon
.type	portmon, @function
portmon:
/*initialize count to zero */
.BEGIN:
/*r18 is our counter*/
ldi     r18,0x00

/*initialize port values*/
in  r24,PORTD
out PORTB, r24

.LEDWAIT:
in  r24,PORTD
nop

/*see if the button is currently pressed - if it is then continue
if not jump to .LEDWAIT */
cpi r24, lo8(-1)
breq .LEDWAIT

.BUTTONPRESSED:

out PORTB, r24

/*measure the number of delays the button is pressed*/
rcall delay
inc r18

/*see if button is still currently pressed - if it is then
jump to Buttonpressed */

in   r24, PORTD
cpi  r24, lo8(-1)
brne .BUTTONPRESSED

out PORTB, r24
ldi r23, WAIT
.DELAYSECOND:
/*theoretically this delays a second */
rcall delay
dec r23
cpi r23,0
brne .DELAYSECOND

.LEDSON:
/*light up all leds for the amount of time the one was pressed*/
out PORTB, ALLON
rcall delay
dec r18
cpi r18,0
breq .BEGIN
rjmp .LEDSON

/*delay function makes time reasonable to deal with */
delay:
ldi r17,0x60
waitouterloop:
ldi r16,0xFF
waitinnerloop:
subi r16,0x01
brne waitinnerloop
subi r17,0x01
brne waitouterloop
ret

.size	portmon, .-portmon

One security problem in particular is php. suexec was built for cgi-bin stuff – but php is a whole other beast. That’s what I’m talking about here – getting php to run as the user who owns it. More specifically, this will show how /home/user/public_html/myphp.php will run as “user”, but stuff in /var/www will still run as www-data.

One good article I found describing this is here: http://alain.knaff.lu/howto/PhpSuexec/

First things first – mod_php needs to be disabled. This can be done globally, but it’s better to just disable it for public_html dirs. This can be done by adding the following to /etc/apache2/apache2.conf.

<Directory /home>
 php_admin_flag engine off
</Directory>

First install php-cgi. and the apache2 prefork which has some things we’ll need later on.

apt-get install php-cgi apache2-prefork-dev

Download the latest suphp module from http://www.suphp.org/Home.html.  Compile this like:

tar xfzv suphp-SNAPSHOT-2008-03-31.tar.gz
cd suphp-SNAPSHOT-2008-03-31
./configure --with-apxs=/usr/bin/apxs2 --with-setid-mode=owner
make
make install

Modify apache’s config

LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so
<Directory /home>
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-php
suPHP_Engine on
</Directory>

Now in /usr/local/etc/suphp.conf

[global]
webserver_user=www-data
docroot=${HOME}/public_html
check_vhost_docroot=false

[handlers]
;Handler for php-scripts
application/x-httpd-php="php:/usr/bin/php-cgi"

Restart apache. To debug, check /var/log/apache2/errors.log.  To test create scripts in public_html directories and in /var/www that exec(‘whoami’) and make sure they’re called with the correct permissions.

It’s a start, but then there’s always stuff like XSS, etc.

/etc/network/interfaces

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    address 134.50.1.2
    netmask 255.255.0.0
    gateway 134.50.1.254
    bridge_ports eth0 vbox0 vbox1

# The loopback network interface
auto lo
iface lo inet loopback

/etc/vbox/interfaces

vbox0 lundeen br0
vbox1 lundeen br0

Awesome, now firewall rules work. In the vulnbox, I give myself an ip address. On the host, I set up very strict firewall rules using iptables.

Another big issue is auto-restore. Since the class often gets an address wrong, the vulnbox often crashes.

The following will shut the box down, revert to a snapshot, and turn it back on.

/usr/bin/VBoxManage controlvm vulnxp poweroff;
sleep 5;
/usr/bin/VBoxManage snapshot vulnxp discardcurrent -state
sleep 10;
/usr/bin/VBoxManage startvm vulnxp</pre>

Anyway, I put this in crontab to do every 20 minutes.

0,20,40 * * * * /path/to/virtualscript

find . -type f -exec cat {} ; | wc -l

and if you don’t want repeats

find . -type f -exec cat {} ; | egrep \S | wc -l

I even thought about cat, but I ended up doing something like:

total=0
for i in $( find -H . -type f ); do
  temp=$( wc -l "$i" | cut -f 1 -d  )
  if [ $temp > 0 ]; then
    total=$(($total+$temp))
  fi
  echo $total
done
echo $total

The first step is to identify where the partitions are.

# fdisk -l /mnt/backup/brian/brian.iso 

Disk /mnt/backup/brian/brian.iso: 250 GB, 250056737280 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

                      Device Boot      Start         End      Blocks   Id  System 
/mnt/backup/brian/brian.iso1               1           6       48163   de  Dell Utility
/mnt/backup/brian/brian.iso2   *           7       30009   240991065    7  HPFS/NTFS
/mnt/backup/brian/brian.iso3           30010       30401     3140707    f  Extended LBA

Notice the cylinder size (512) and where the partitions are.

TODO: fix this. The -u option should be used so fdisk specifies cylinders. then it can be mounted with loop and offset.

http://madwifi-project.org/wiki/About/MadWifi?redirectedfrom=MadWifi

https://www.ath9k.org/wiki/UserDocs/MonitorModeInterface

blam.

I mean, it’s got interfaces to act as vaps, to go in rfmon mode…  pretty cool.  I haven’t figured out how to reach the full potential of my prism2.5 card yet though, so I guess I’ll need more experimenting with both