Mosref (MOsquito Remote Execution Framework) is what Metasploit's Meterpreter really wants to be. It is (on paper) a platform-agnostic virtual machine and Lisp interpreter with strong encryption on top of multiple communication channels. In reality, I could never get it to compile; nor, judging by the conversation on the mosref mailing list, could many other people. And even if I could have, I would have had to learn the Mosquito dialect of Lisp for it to be any kind of useful.
After Wes Brown's and Scott Dunlop's talk about it at Defcon 14, I really wanted to see Mosquito succeed. Unfortunately, it never had any updates after that talk (the last developer CVS transaction according to SourceForge was the initial commit). The mailing list contained almost no discussion of development. This afternoon I visited ephemeralsecurity.com only to discover that the domain is now parked by an advertiser and whois lists the owner as "Domain Discreet". I was disappointed to learn this but not surprised.
Oh, well. If you want a platform-independent in-memory rootkit, you'll just have to write it yourself.
Monday, June 11, 2007
Tuesday, January 23, 2007
Turnabout
My home firewall runs an ssh server. Every few days, I go through my logs and find that someone has been attempting to guess account names and passwords on that server. For a while, I just allowed it to continue because I found it interesting to see what usernames were being guessed. After a few months of getting guess attempts every couple of seconds, with almost no interruptions, from dozens of IP addresses, I decided I didn't want to take the risk of somebody actually getting in and set up iptables rules to blackhole any IP address that sent more than ten SYN packets to ssh in less than two minutes. A friend pointed me to denyhosts, a tool that watches your logs for failed ssh attempts and puts the offending host into your /etc/hosts.deny for a certain period of time. This is effectively the same as the iptables rules. Both of these methods are very effective but not as interesting as seeing all the usernames tried. So I downloaded the source for openssh-4.4p1 and made a few modifications. My new sshd:
- Logs all connections
- Logs usernames and passwords
- Never opens a shell no matter what
If you'd like to set this up yourself, you can download the complete source, or, if you already have the source for openssh-4.4p1 and don't want to download the whole thing just for a few modifications, you can get just the diff. Then run the following commands:
tar xzvf openssh-logger.tar.gz
cd openssh-logger
./configure --prefix /usr/honey/ \
--with-privsep-path=/usr/honey/chroot \
--with-pid-dir=/usr/honey/var/run
make
The purpose of putting it in a strange directory is that we don't want to hose your real ssh server. If that went well, run:
su
make install
touch /usr/honey/chroot/sshattacks.log
chown sshd:sshd /usr/honey/chroot/sshattacks.log
Remember: if you run a real ssh server, you'll want to change the port it listens on in your /etc/ssh/sshd_config. You can add a section to your ~/.ssh/config like this:
Host <hostname>
Port <real server's port>
so your client will connect to the correct server. Now everything should be set up and you should start seeing brute force attacks in /usr/honey/chroot/sshattacks.log in no more than a couple of days.
Output will look something like this:
host: 10.0.0.100 port: 45677
user: root pass: root
user: root pass: t00r
user: root pass: r00t
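As an added example (not part of the post or of the openssh-logger patch), here is a small Python script that parses the sshattacks.log format shown above, counts guesses per source host, flags hosts that cross a chosen threshold, and lists the most-guessed usernames. The sample log lines, the hosts in them and the threshold value are constructed for this example.

```python
from collections import Counter

# Constructed sample in the honeypot's sshattacks.log format: a "host:" line
# for each connection, followed by one "user:/pass:" line per guess.
SAMPLE_LOG = """\
host: 10.0.0.100 port: 45677
user: root pass: root
user: root pass: t00r
user: root pass: r00t
host: 10.0.0.200 port: 51022
user: admin pass: admin
user: test pass: test
host: 10.0.0.100 port: 45690
user: root pass: toor
user: oracle pass: oracle
"""


def parse_attacks(text):
    """Return a list of (host, port, user, password) tuples.

    Passwords may contain spaces, so the line is split into at most four
    fields; an empty password yields only three. Lines that match neither
    format (e.g. a partial write on a live log) are skipped, as are guess
    lines seen before any host line.
    """
    attempts = []
    host = port = None
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[0] == "host:" and fields[2] == "port:":
            host, port = fields[1], int(fields[3])
        elif len(fields) >= 3 and fields[0] == "user:" and fields[2] == "pass:":
            if host is not None:
                password = fields[3] if len(fields) == 4 else ""
                attempts.append((host, port, fields[1], password))
    return attempts


def summarize(attempts, threshold=5):
    """Count guesses per source host, flag hosts at or above the (assumed)
    threshold, and return the three most-guessed usernames."""
    per_host = Counter(a[0] for a in attempts)
    users = Counter(a[2] for a in attempts)
    flagged = sorted(h for h, n in per_host.items() if n >= threshold)
    return {"per_host": dict(per_host), "flagged": flagged,
            "top_users": users.most_common(3)}
```

Pipe the real log through the same functions (for example `summarize(parse_attacks(open("/usr/honey/chroot/sshattacks.log").read()))`) to get a per-host count that can feed a blackhole rule or simply a report.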
Happy hunting!
Monday, January 15, 2007
Nastier tricks with ssh
In my daily blog reading a week or so ago, I stumbled on Jon Hart's blog. In it, he notes that root can read any file whatsoever on a *nix system and that ssh agent forwarding is accomplished using unix sockets. The corollary is that root (or someone with access to your account) can steal your password-protected ssh keys after you decrypt them.
Having used key-based authentication on a regular basis myself, this got me to thinking about other possibilities for an unrestricted user. As it turns out, if a user can read someone else's private key file, one can authenticate with it. Long story short, I've modified Jon's code to also search out non-password-protected keyfiles and attempt to abuse them.
Wednesday, November 08, 2006
Keyboard Dancing
Keyloggers are cool. Hardware keyloggers are cooler because they are undetectable to the operating system. A mark against hardware gizmos is that for them to be useful, one must install the gizmo and then retrieve it. Until now. Now it doesn't have to be retrieved. Now all one has to do is drop the gizmo and watch for traffic on the internet. Or own a keyboard manufacturing company.