Epic and the gang over at
roothack.org have revived the old but
popular and fun wargames in a new style. The old games used to be
72-hour team-based games but are now level-based Capture the Flag (CTF)
in the same vein as the PullThePlug games. If PTP was too hard for
you or you're just looking for a change of pace then hop on over to the
H3C wargames and give it a shot. Start
on the system erinys and make your way to erebus. It's been a
lot of fun so far. Marcin and I have started a new account
(team-tssci) and will be working collaboratively as the games have
now gotten more technical, involving having to write shellcode and such.
Make yourself an account, play the games, and we invite you to beat us
on the scoreboard.
Posted by Casey on Wednesday, November 7, 2007 in Hacking.
The default user environment on OS X is not exactly productive. On
my Linux and FreeBSD systems I prefer to work in a highly customized
user environment that allows me to work faster and more efficiently. I
have tried numerous ways of accomplishing this: customizing bash, using
alternate shells such as zsh, and yet none of these options provided me
with what I was looking for. I was exploring the net with StumbleUpon
and came across tcshrc, a set of tcsh configuration files that provides
you with a customized and highly capable shell environment. On OS X it
took a few modifications to get the scripts to work as I expected; on
FreeBSD and Linux they worked great out of the box.
After installation on OS X, you'll notice the ls command doesn't
work -- it throws an error about invalid options. The scripts include in
.tcshrc.aliases a line that reads "ls --color". OS X doesn't have
terminal colors supported by default, so you need to remove the
--color flag.
The second thing that didn't work quite the way I wanted was my
backspace key behavior. In .tcsh.bindkeys, look for the darwin case
in the $ostype switch and then find the line that reads
'bindkey ^? delete-char'. You need to either comment out or delete
that line if you want your backspace key to function as normal;
otherwise you have to use ^H (Ctrl+H) to backspace.
Posted by Casey on Monday, November 5, 2007 in Apple.
So this week, we've had a roundup of posts on Apple's latest OS X
release, Leopard, and the security "features" that went into it, where
they fall short, and what's missing. Thomas Ptacek has a great
post
over at Matasano with even more insightful comments on the security of
Apple's latest OS. (To those less technically inclined, the techiness
increases exponentially. I love it!) Daniel Miessler also posted
about the latest trojan to hit Mac, which in my opinion... isn't a
trojan at all. To summarize his post, this is what's required for the
"trojan" to pwn you:
1. Go to a malicious site.
2. Get prompted to install software.
3. Choose to install it.
4. Put in your admin password when it asks for it.
5. Get pwned.
So this brings me to, "an operating system is only as secure as the
idiot using it." I'm tired of arguing about the security of Windows
versus Linux versus OS X. They're pretty much all the same, and they're
all insecure. A competent user or sysadmin managing it will limit the
number of services running and ports open, install only signed/verified
applications, and practice safe browsing. This won't protect you or them
from a 0day.
Whether your grandma is more secure using one OS over another, again...
it'll only be as secure as she can be. With more and more
vulnerabilities exploiting the browser and targeting the user, no OS is
secure.
Posted by Marcin on Thursday, November 1, 2007 in Apple, Linux, Security and Windows.
I recently upgraded my laptop to Ubuntu 7.10 'Gutsy Gibbon' from 7.04
'Feisty Fawn' and needed to install VMware Server again. Since my
previous post was very popular in helping people get VMware Server
installed on
Feisty,
I thought I would do the same for Gutsy for those who are interested.
There are several prerequisites before we get started. We'll need the
following packages installed first:
- build-essential
- linux-headers-`uname -r`
- xinetd
Some people report having to install xorg-dev as well, but my
system did not require it. Those who needed to install it say it
fixed an issue with the installer failing to accept the serial number. I
do not see the correlation between the two, since xorg-dev provides the
development libraries for the Xorg X Window System.
Anyway, we'll need VMware Server (version 1.0.4), which you can download
from VMware's download site. Go ahead and grab the tar.gz or, if you
want, the VMware Server Linux client package, which additionally
contains the Perl scripting and programming APIs. I just downloaded the
VMware Server for Linux.
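Before running the installer, it is worth confirming that the three packages above are really present, since the installer compiles kernel modules against the headers for the running kernel. The following check is an added example, not part of the original post; it assumes a Debian/Ubuntu host with dpkg-query and that the file is saved as vmware-prereqs.sh.

```shell
#!/bin/sh
# Added example (not from the original post): verify the prerequisites
# listed in the post before running vmware-install.pl. Assumes a
# Debian/Ubuntu host with dpkg-query; the package names are the post's.

# The headers package must match the running kernel, because the
# installer builds the vmmon/vmnet modules against it.
header_pkg() {
    printf 'linux-headers-%s\n' "$(uname -r)"
}

# One required package name per line.
required_pkgs() {
    printf '%s\n' build-essential "$(header_pkg)" xinetd
}

# Read installed package names on stdin (one per line) and print each
# argument that does not appear among them.
missing_pkgs() {
    installed=$(cat)
    for pkg in "$@"; do
        if ! printf '%s\n' "$installed" | grep -qx -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Names of packages dpkg reports as fully installed ("... installed");
# half-configured or removed packages are deliberately excluded.
installed_pkgs() {
    dpkg-query -W -f='${Package} ${Status}\n' 2>/dev/null |
        awk '$NF == "installed" { print $1 }'
}

# Report what is missing, or confirm the host is ready for the installer.
check_prereqs() {
    missing=$(installed_pkgs | missing_pkgs $(required_pkgs))
    if [ -n "$missing" ]; then
        echo "Install these first: sudo apt-get install $(echo $missing)" >&2
        return 1
    fi
    echo "Prerequisites present; now run: sudo ./vmware-install.pl"
}

# Run the check only when this file is executed directly, not when it is
# sourced by another script that calls the functions itself.
case "$0" in *vmware-prereqs.sh) check_prereqs ;; esac
```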
Extract the tar.gz and do as follows:
marcin@thinker:/vmware$ tar xfz VMware-server-1.0.4-56528.tar.gz
marcin@thinker:/vmware$ ls
VMware-server-1.0.4-56528.tar.gz  vmware-server-distrib
marcin@thinker:/vmware$ cd vmware-server-distrib/
marcin@thinker:/vmware/vmware-server-distrib$ ls
bin  doc  etc  FILES  installer  lib  man  sbin  vmware-install.pl  vmware-vix
vmware-install.pl is the installation script we will need to run with
root privileges.
marcin@thinker:/vmware/vmware-server-distrib/$ sudo ./vmware-install.pl
From here on, you can go ahead and accept the defaults for all options.
You can view the output of the entire installation script as it went for
me here.
I did not run into any problems with installation except for the
following, which is to be expected if you read the earlier paragraph.
********
The VMware VmPerl Scripting API was not installed. Errors
encountered during compilation and installation of the
module can be found here: /tmp/vmware-config0
You will not be able to use the "vmware-cmd" program.
Errors can be found in the log file:
'/tmp/vmware-config0/control-only/make.log'
********
If everything installed correctly, you should see this (always welcome)
message:
Starting VMware services:
   Virtual machine monitor                                 done
   Virtual ethernet                                        done
   Bridged networking on /dev/vmnet0                       done
   Bridged networking on /dev/vmnet2                       done
   Host-only networking on /dev/vmnet8 (background)        done
   NAT service on /dev/vmnet8                              done
The configuration of VMware Server 1.0.4 build-56528 for Linux
for this running kernel completed successfully.
That's all for now. You can now run vmware from the terminal or
from the application launcher. If you have any questions or comments,
please post a comment. If you've found this post useful and informative,
Digg it!
Posted by Marcin on Thursday, October 25, 2007 in Linux.
This is the second blog post covering Sunday's talks at ToorCon 9. You
can read the first installment here.
After a hard night of partying, I didn't want to get out of bed early in
the morning. Gotta give props to Hikari for foreseeing this and not
scheduling anything before noon, haha.. One thing I liked about Sunday,
was that speakers were given only 20-25 minutes each. Lots of technical
information jam-packed into a turbo-talk -- awesome.
The first talk I went to was by Nathan Rittenhouse, "Byakugan:
Automating Exploitation," who gave an update on the WinDbg plugin and
also showcased NOXdbg, Ruby's equivalent of PyDbg. Johnny Cache was
present as well, and demonstrated a sick ass 3-d process heap
visualizer. Unfortunately, he only had a couple minutes left and didn't
have the time to show his 20 minute video of what it could really do. I
had lunch with Johnny the other day and he is a funny guy. If you're
reading this Johnny, I got a Greasemonkey script for you :)
My buddy Paul Battista presented a massive cheatsheet of commonly
overlooked SQL injection techniques that he and Matt Fisher (of SPI
Dynamics) had put together to aid in penetration tests. A lot of good
stuff that outlined many of the basics and delved deeper into various
ways of quickly determining whether an SQL injection vulnerability
exists, and ways to bypass tricky blacklists. Paul also included
references to the usual suspects (ha.ckers, 0x000000, etc.) and some
lesser known resources. Some commonly overlooked tests that can get
pretty fancy included:
    ?errorcode=(1+1)
    ?errormsg=erro'+'r
    ?errormsg=err'+substring('error',4,1)+'r
    ?errormsg=erro%
    ?errorcode=2 exec master.dbo.xp_cmdshell vncserver
Be sure to check out Paul's presentation, available at his site,
Security Experiment.
Next up was |)ruid, who presented "Context Keyed Payload
Encoding," a new way of more
effectively bypassing filters and various other conditions that prevent
an exploit from working. The current problem with payload encoding is
that an active observer can intercept payload traffic and easily decode
it for analysis. What |)ruid did was use a keyed encoder that does not
include the key in the decoder stub. This prevents the observer from
decoding the payload. "Then how does the target decode the payload,"
you ask? Well, the decoder stub is prepended to the original payload and
is executed first on the target. The decoder is responsible for locating
the context key [in application data, process memory, temporal data,
etc.] and then decoding the payload with it. This requires the context
key to be predictable and to remain the same long enough for the decoder
stub to locate it. Metasploit's Shikata Ga Nai is an example of this. If
that's not enough for you, then |)ruid's slides should be. :P
The last talk I saw of the day was "URI Use and
Abuse," by Nathan McFeters,
Billy (BK) Rios (absent), and Rob Carter of
xs-sniper.com. Billy was recently hired
by Microsoft and for reasons
unknown, was not able to make it to the presentation. Regardless, Nathan
and Rob did a great job of demonstrating the flaws within URI protocol
handlers on Windows. The issue is not specific to Windows, as Linux
handles URIs as well. I ended up talking with Nate and Rob at the San
Diego airport for quite a while; they were flying through Phoenix to get
home and our flight was delayed. Speaking of URI abuse, in my own past
research I've found some sites (IRC search engines) host links that,
when clicked, open the client application associated with the irc:// URI
and copy text from the href's 'title' attribute to your clipboard. In
Firefox, the text is not copied automatically; you have to set
signed.applets.codebase_principal_support to 'true' before this
behavior is possible. Something about that just didn't sit well with me
at the time, and still doesn't today.
Well, that's my wrap-up for ToorCon 9 posts. Dre will post about some of
the topics in a little more detail later on. Overall, the conference was
a blast, and I would definitely recommend it over DefCon. It was a lot
like ShmooCon, in that it had that "togetherness" feeling -- everybody
was hanging out, talking, drinking, partying etc.. If you couldn't make
it to ToorCon, try and get to ShmooCon in Washington, D.C. in February.
Posted by Marcin on Thursday, October 25, 2007 in Conferences, Hacking, People and Security.