Monday, June 11, 2007
Mosref (MOsquito Remote Execution Framework) is what Metasploit's Meterpreter really wants to be. It is (on paper) a platform-agnostic virtual machine and Lisp interpreter with strong encryption on top of multiple communication channels. In reality, I could never get it to compile; nor could many other people, based on the conversation on the mosref mailing list. And even if I could have, I would have had to learn the Mosquito dialect of Lisp for it to be any kind of useful.
After Wes Brown's and Scott Dunlop's talk about it at Defcon 14, I really wanted to see Mosquito succeed. Unfortunately, it never had any updates after that talk (the last developer CVS transaction according to SourceForge was the initial commit). The mailing list contained almost no discussion of development. This afternoon I visited ephemeralsecurity.com only to discover that the domain is now parked by an advertiser and whois lists the owner as "Domain Discreet". I was disappointed to learn this but not surprised.
Oh, well. If you want a platform-independent in-memory rootkit, you'll just have to write it yourself.
Tuesday, January 23, 2007
Turnabout
My home firewall runs an ssh server. Every few days, I go through my logs and find that someone has been attempting to guess account names and passwords on that server. For a while, I just allowed it to continue because I found it interesting to see what usernames were being guessed. After a few months of getting guess attempts every couple of seconds, with almost no interruptions, from dozens of IP addresses, I decided I didn't want to take the risk of somebody actually getting in and set up iptables rules to blackhole any IP address that sent more than ten SYN packets to ssh in less than two minutes. A friend pointed me to denyhosts, a tool that watches your logs for failed ssh attempts and puts the offending host into your /etc/hosts.deny for a certain period of time. This is effectively the same as the iptables rules. Both of these methods are very effective, but not as interesting as seeing all the usernames tried. So I downloaded the source for openssh-4.4p1 and made a few modifications. My new sshd:
- Logs all connections
- Logs usernames and passwords
- Never opens a shell no matter what
If you'd like to set this up yourself, you can download the complete source, or, if you already have the source for openssh-4.4p1 and don't want to download the whole thing just for a few modifications, you can get just the diff. Then run the following commands:
tar xzvf openssh-logger.tar.gz
cd openssh-logger
./configure --prefix /usr/honey/ \
--with-privsep-path=/usr/honey/chroot \
--with-pid-dir=/usr/honey/var/run
make
The purpose of putting it in a strange directory is that we don't want to hose your real ssh server. If that went well, run:
su
make install
touch /usr/honey/chroot/sshattacks.log
chown sshd:sshd /usr/honey/chroot/sshattacks.log
Remember: if you run a real ssh server, you'll want to change the port it listens on in your /etc/ssh/sshd_config. You can add a section to your ~/.ssh/config like this:
Host <hostname>
Port <real server's port>
so your client will connect to the correct server. Now everything should be set up and you should start seeing brute force attacks in /usr/honey/chroot/sshattacks.log in no more than a couple of days.
Output will look something like this:
host: 10.0.0.100 port: 45677
user: root pass: root
user: root pass: t00r
user: root pass: r00t
Happy hunting!
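Once the honeypot has been running for a few days the log gets long, and the interesting questions are "which sources are hammering me", "which accounts are they after" and "which passwords do they try". Here is an added example (not part of the post or of the modified openssh source) that answers those from sshattacks.log with awk and sed. It assumes the log format is exactly the one shown above (a "host:" line per connection followed by one "user:" line per attempt); the sample log is constructed so the script runs without a live honeypot.

```shell
#!/bin/sh
# Added example: summarise an sshattacks.log written by the modified sshd.
# Assumed log format (as shown in the post):
#   host: <ip> port: <port>          one line per connection
#   user: <name> pass: <password>    one line per login attempt on it

# Constructed sample log so the script runs without a live honeypot.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
host: 10.0.0.100 port: 45677
user: root pass: root
user: root pass: t00r
user: root pass: r00t
host: 192.0.2.7 port: 51002
user: admin pass: admin
user: root pass: 123456
host: 10.0.0.100 port: 45690
user: admin pass: admin
user: root pass: password
EOF

# Login attempts per source address: a "host:" line sets the current source,
# and every "user:" line until the next one counts against it.
attempts_per_host() {
    awk '$1 == "host:" { src = $2; next }
         $1 == "user:" { n[src]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Usernames tried, most frequent first. The username is everything between
# "user: " and the last " pass: " on the line, so spaces in it survive.
top_usernames() {
    sed -n 's/^user: \(.*\) pass: .*$/\1/p' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Passwords tried, most frequent first (everything after the last " pass: ").
top_passwords() {
    sed -n 's/^user: .* pass: //p' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Distinct sources that tried a given username, e.g. who went after root.
sources_for_user() {
    awk -v want="$2" '$1 == "host:" { src = $2; next }
         $1 == "user:" && $2 == want { seen[src] = 1 }
         END { for (s in seen) print s }' "$1" | sort
}

# Usage: sh sshattacks-summary.sh [/usr/honey/chroot/sshattacks.log]
# (defaults to the constructed sample above)
LOG=${1:-$SAMPLE_LOG}
echo "== login attempts per source =="; attempts_per_host "$LOG"
echo "== usernames tried ==";           top_usernames "$LOG"
echo "== passwords tried ==";           top_passwords "$LOG"
echo "== sources that tried root ==";   sources_for_user "$LOG" root
```

The per-source counts are also the numbers you would feed back into the blackhole rule mentioned above: a source with hundreds of attempts against the honeypot is a good candidate for the same treatment on the real server.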
Monday, January 15, 2007
Nastier tricks with ssh
In my daily blog reading a week or so ago, I stumbled on Jon Hart's blog. In it, he notes that root can read any file whatsoever on a *nix system and that ssh agent forwarding is accomplished using unix sockets. The corollary is that root (or someone with access to your account) can steal your password-protected ssh keys after you decrypt them.
Having used key-based authentication on a regular basis myself, this got me to thinking about other possibilities for an unrestricted user. As it turns out, if a user can read someone else's private key file, one can authenticate with it. Long story short, I've modified Jon's code to also search out non-password-protected keyfiles and attempt to abuse them.
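The two things the scenario above depends on are private key files that other accounts can read, and key files stored without a passphrase. Here is an added audit script (not Jon's code and not from this post) that walks a directory tree and reports both. It assumes the PEM key layout OpenSSH wrote in this era, where a passphrase-protected key carries a "Proc-Type: 4,ENCRYPTED" header; the sample tree it builds is constructed, with dummy key bodies, purely so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: find private key files that other users can read, or that
# are stored without a passphrase. Assumes PEM-format keys ("Proc-Type:
# 4,ENCRYPTED" header when a passphrase is set).

# Prints "GROUP/OTHER-READABLE <path>" and/or "NO-PASSPHRASE <path>" lines.
audit_keys() {
    find "$1" -type f -name 'id_*' ! -name '*.pub' | while read -r key; do
        # Any group- or other-read bit set means another account can read it.
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
            echo "GROUP/OTHER-READABLE $key"
        fi
        if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
            # Newer binary key format: encryption state is not visible to grep.
            echo "UNCHECKED-FORMAT $key"
        elif grep -q 'PRIVATE KEY' "$key" && ! grep -q 'Proc-Type: 4,ENCRYPTED' "$key"; then
            echo "NO-PASSPHRASE $key"
        fi
    done
}

# Constructed fixture: one careful account (alice) and one careless one (bob).
# Key bodies are dummies; only the headers and file modes matter here.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/alice/.ssh" "$base/bob/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,0123456789ABCDEF' '' 'dummybody' \
        '-----END RSA PRIVATE KEY-----' > "$base/alice/.ssh/id_rsa"
    chmod 600 "$base/alice/.ssh/id_rsa"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'dummybody' \
        '-----END DSA PRIVATE KEY-----' > "$base/bob/.ssh/id_dsa"
    chmod 644 "$base/bob/.ssh/id_dsa"
    echo "$base"
}

# Usage: sh audit-keys.sh [/home]   (defaults to the constructed fixture)
audit_keys "${1:-$(make_sample_tree)}"
```

Run it as root over /home (or whatever holds your users' .ssh directories) and hand the NO-PASSPHRASE list to their owners; the permission findings you can fix directly with chmod 600.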
Friday, January 12, 2007
On ssh and timeouts
It turns out that ssh by default doesn't like to stay connected forever. If you set up a port forward as described below and don't connect to it right away, one end or the other will time out (not sure which, but it doesn't really matter). To circumvent this issue, I've taken to setting up the forward, connecting to the remote box, then connecting through the port forward in a screen session, and detaching screen (or not, depending on my mood). Now ssh won't be able to tell that there's no interaction and will stay connected indefinitely.
Incidentally, if you love the power of the command line and haven't heard of screen, you should install it at the earliest opportunity. Thank me later.
Sunday, December 17, 2006
Tricks with SSH
Do you want to ssh to your NATed box at home? Want to connect in to your machine at work that drops SYN packets at the perimeter? Tired of having to live without tab-completion and other handy features when an exploit sends a shell back to netcat? SSH to the rescue.
First, from the firewalled machine (call it BoxA) run:
ssh -nNT -R 2222:localhost:22 user@boxb.example.com &
then on BoxB.example.com:
ssh user@localhost -p2222
So what exactly does this do? Let's take a look at the relevant sections from "man ssh":
-n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background.
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
-T Disable pseudo-tty allocation.
-R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.
...
By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address.
"-nNT" means we aren't going to give ssh any input, so don't execute a shell and don't allocate a tty. -R is a little trickier; it says start forwarding port 2222 of the remote machine (BoxB) to port 22 of the machine you're running ssh from (BoxA). Now when you run
ssh localhost -p2222
you're connecting to the port forward that you just set up, which sends your connection through an encrypted tunnel to BoxA, bypassing the firewall rules because the tunnel is already connected.
Caveats:
- You're connecting to localhost from BoxB but the traffic is actually going to BoxA. This will confuse ssh, which expects localhost to have the same fingerprint each time. To get around this, you'll likely have to delete the line beginning with "localhost" in your ~/.ssh/known_hosts.
- If you're using an exploit you'll have to know the account's password (or steal an ssh key).
- Don't complain to me if your sysadmin gets mad and blocks outbound ssh. =)
I love open source. They've really thought of everything.
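The same setup can live in ~/.ssh/config, which also gives a cleaner answer to two of the points above. Here is an added example (not from this post, and the host names, user and alias names are placeholders): on BoxA, RemoteForward is the config-file form of -R, and ServerAliveInterval/ServerAliveCountMax address the idle-tunnel timeout from the "On ssh and timeouts" post by sending periodic keepalives; on BoxB, HostKeyAlias stores BoxA's key under its own name, so the localhost entry in known_hosts never has to be deleted and re-accepted.

```sshconfig
# ~/.ssh/config on BoxA (the firewalled machine).
# "boxb.example.com", "user" and the Host aliases are placeholders.
Host boxb-tunnel
    HostName boxb.example.com
    User user
    # Same forward as "-R 2222:localhost:22" on the command line.
    RemoteForward 2222 localhost:22
    # Exit instead of hanging around if port 2222 is already taken on BoxB.
    ExitOnForwardFailure yes
    # A keepalive every 60 s, three misses (about 3 minutes) before giving up,
    # so an idle tunnel is neither dropped by a NAT state table nor left
    # half-dead without ssh noticing.
    ServerAliveInterval 60
    ServerAliveCountMax 3

# ~/.ssh/config on BoxB. "ssh boxa-via-tunnel" goes through the forward, and
# BoxA's host key is recorded under the alias "boxa" rather than "localhost".
Host boxa-via-tunnel
    HostName localhost
    Port 2222
    HostKeyAlias boxa
```

On BoxA run "ssh -nNT boxb-tunnel &"; on BoxB run "ssh boxa-via-tunnel". Keeping a separate known_hosts entry matters for the same reason the fingerprint check exists at all: if someone else gets to bind port 2222 on BoxB before your tunnel does, a changed key is now a warning instead of a line you have already learned to delete.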
Tuesday, November 21, 2006
Securosis and Daringflamebait
I'm constantly updating my daily blog list and today I stumbled on securosis.com. He's got decent advice for the less technically savvy (which happens to mirror a lot of what I've been telling the uninitiated for a while now). He also explained to John Gruber that the so-called challenge he proposed to Ellch and Maynor was asinine in a far more even tone than I might have.
Plus this great quote:
Give honest answers to honest questions, and when someone asks for the ROI of a firewall ask them for the ROI on their desk.
Wednesday, November 08, 2006
Keyboard Dancing
Keyloggers are cool. Hardware keyloggers are cooler because they are undetectable to the operating system. A mark against hardware gizmos is that for them to be useful, one must install the gizmo and then retrieve it. Until now. Now it doesn't have to be retrieved. Now all one has to do is drop the gizmo and watch for traffic on the internet. Or own a keyboard manufacturing company.
Sunday, October 15, 2006
Vikings are not magical
I've been resisting the new Lego sets for a while now because of their futuristic depictions of supposedly historical eras. For example, the Knights' Kingdom II and Vikings series both have giant spring-loaded projectile weapons. Well, today I broke down and bought a Vikings set. I'm still uncertain about the ridiculous giant catapult powered by a lone viking. Launching boulders at least three times as big as himself doesn't seem within the realm of possibility for an 8th-11th century warrior, even if he is a badass. On the other hand, the armor, weapons, and non-specialty bricks are awesome.
On a completely unrelated note, Willyk set me up with a new gallery account today. Check it out if you're interested.
Update 2006-11-05: the gallery url has changed and now works. =)
Sunday, September 03, 2006
Siren's call
In the last few weeks, we've rented a number of movies. So I will succumb to the Internet's siren-like call to publish my opinion so that all who care to read it might find something with which they disagree. In alphabetical order:
- Blood Rayne - Vampires. We gave it the MST3K treatment and got our two bucks worth.
- The Ice Harvest - My executive summary: "John Cusack and Billybob Thornton steal some money. People die. There are breasts." Might be a decent movie iff you like film noir.
- Kiss Kiss Bang Bang - A good detective film with assorted twists. I was on the edge of my seat for much of this movie and laughing the rest of the time (Val Kilmer's character is called "Gay Perry"). Great movie with a solid cast, entertaining plot and funny dialogue. Highly recommended.
- RV - This was billed as a slightly ridiculous comedy and it definitely lives up to that description. But it's not retarded like, say, anything Will Ferrell has ever done.
- Unleashed - From the cover and the back-of-the-case description, this is your standard martial arts movie. Do not let that fool you; in addition to his incredible physical abilities, Jet Li is quite an actor and Unleashed is a phenomenal movie.
Wednesday, August 09, 2006
Defcon 0x0E
Defcon was a blast. I met a bunch of cool people and got to hang out with some old friends. fednaught, a Capture the Flag team, got second place despite my help.
My favorite talks were Hacking Malware: Offence is the New Defence by Danny Quist and Valsmith and Exploit Writing Using Injectable Virtual Machines by Wes Brown and another fellow from the same organization. The latter because James and I were discussing what we would need in order to be prepared for next year's CtF only moments before going into this presentation and hearing that it had already been written.
Monday, July 24, 2006
Highly Scientific Random Internet Tests
Apparently I'm in the 93rd percentile for nerdiness based on this Highly Scientific Random Internet Test. This is a dubious honor but one that I felt was worth sharing.
Friday, July 07, 2006
Hello, I must be going
We've been in Idaho Falls for about three weeks now. My job is interesting and I'm enjoying my work. I haven't learned all the ropes yet; I just figured out how to fill in time cards yesterday. We're just about settled into our new house but there are still a bunch of boxes that haven't been unpacked. And now I'm going on travel for two weeks. That's not really a bad thing; it will be fun and interesting and I will probably learn a ton on my first outing. But there are a lot of things I need to do here in Idaho Falls. Mostly paperwork things but important things nonetheless, like finding out where my paycheck goes and making sure it gets deposited before our first month's bills come due.
Tuesday, June 06, 2006
Hurray for IBM
I bought a refurbished Thinkpad T40 in March with a 90-day manufacturer's warranty. After having it for about two months, the USB ports died and the video card started flaking out every time I pressed the machine in the wrong spot. This was about the time when finals were approaching fast and I could not live without my laptop, so I sucked it up and decided I would just pay to get it fixed out of warranty after the end of the semester. This afternoon I found the invoice and called IBM. It turns out that in IBM-land a 90-day warranty that started in March expires in October, so they are going to fix it for free.
Additionally, in the past I have told Dell customer support representatives that the machine I'm calling about does not have Windows installed. Their response has pretty much universally been, "Then it's your problem, not ours." I told the IBM tech support guy the same thing and he said, "We don't care about that."
Hurray for IBM!
Monday, June 05, 2006
Mmm... Socorro...
The closer I get to moving, the more I wish it wasn't so near.
I've been in Socorro for just shy of six years, now. For the first 4, I didn't care at all about the town. But in the last two years, I've made some really great friends and I've come to enjoy many elements of Socorro and New Mexico Tech. I think a lot of it is the college-town aspect of this place. I enjoy walking around campus in the middle of the night for no particular reason and running into a bunch of other caffeinated people doing the same thing. I find it hilarious when I'm talking to a towny and they ask if I "go to the tech". I like writing code at El Camino til 4 in the morning. I like having conversations with random people I've never seen before who laugh at my stupid jokes about big-O notation.
I'll miss you guys. And El Camino's green chile cheese fries.
Sunday, May 07, 2006
New to blogging.
Not really new to blogging... but new to automated blogging. My previous blog management software was vim. Don't get me wrong, vim rocks. But every time I made a post, which happened quite infrequently because it was a pain in the ass, I thought, "Man, I should really write some code to automate this process."
In the fine CS tradition of not reinventing the wheel I decided to use someone else's code instead. As an added bonus, I'm using someone else's server and someone else's bandwidth as well. =)
Repost of my ramblings which spurred me to get a blogger account:
I'm about to graduate a week from today so 'the real world', as it is often called, has been on my mind a lot recently. It really bugs me when I tell people I'm going to graduate and they say something like: "Well I guess you'll soon find out how much the real world sucks. Have to get up earlier and work longer."
I did some math. I'm studying, working at my student job, doing homework or sitting in class for 60-70 hours per week. That 40 hour/week job with no homework everyone complains about so much sounds pretty sweet.
I think the 'real world' that you're talking about does suck. I wouldn't want to do something meaningless every day for eight hours. But a large percentage of my friends and acquaintances who don't have a degree seem to think that college is a breeze and that we just screw around for 4 years (well, 6 for me) until we get a job like theirs that we hate like they do.
So in conclusion, no, college is not like the 'real world'. But in two month's time, I'm going to be working with some of the best hackers in the world securing some of the country's most important assets. I'm not sure if that's the real world, either...