<b>Cyber Security @ Linux Horizon</b> (blog by Ioan)<br />
<br />
<b>Alkaline battery capacity</b> (2018-02-13)<br />
<div style="text-align: center;">
<span style="font-size: large;"><span style="font-family: "courier new" , "courier" , monospace;">Remaining capacity of</span></span></div>
<div style="text-align: center;">
<span style="font-size: large;"><span style="font-family: "courier new" , "courier" , monospace;">AA / AAA alkaline batteries</span></span></div>
<div style="text-align: center;">
<span style="font-size: large;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: x-small;">(not cyber security information, but useful for hobbies)</span> </span></span></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin_kOgB70GAzzafqyl4j4A9yO6awWSquHoA6-H9QGI8BRwMCuGlVNswGm9iC0CfbZSs0BBm6c1aBHlAzof-f2G1TFUtdqCuGG8R-r91DFBYfXJSmpmrFOSzZMu3gdTDQ2rJQCkX0Yvg_k/s1600/battery-capacity.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="399" data-original-width="540" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin_kOgB70GAzzafqyl4j4A9yO6awWSquHoA6-H9QGI8BRwMCuGlVNswGm9iC0CfbZSs0BBm6c1aBHlAzof-f2G1TFUtdqCuGG8R-r91DFBYfXJSmpmrFOSzZMu3gdTDQ2rJQCkX0Yvg_k/s1600/battery-capacity.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">Note: <br />* New unused alkaline batteries have 1.55-1.65 V<br />** Unused but on shelf for more than a year have 1.50-1.55 V<br /><br /><i><span style="font-size: x-small;">by Arduino_Mother_Hacker</span></i></span><br />
<br />
<b>Locales cosmetics. Kali on Raspberry Pi</b> (2017-10-16)<br />
<div style="text-align: justify;">
After installing Kali Linux on a Raspberry Pi platform (at least Kali GNU/Linux Rolling) I noticed that the Xfce login screen shows in the upper right corner the full list of installed keyboard layouts (the locales). I don't like it! :) I don't need anything other than C and the US keyboard, and, more than that, you can save some precious space on the Raspberry Pi storage.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The following post is purely cosmetic. There is no problem with the default installation, apart from the huge and unnecessary keyboard list.</div>
<br />
So, let's free some space!<br />
<br />
1. First, after login (shell or X), run in console:<br />
<span style="font-family: "Courier New",Courier,monospace;"><i>locale -a (Display a list of all available locales)</i></span><br />
or<br /><span style="font-family: "Courier New",Courier,monospace;"><i>locale -a -v (As above, but the -v option causes the LC_IDENTIFICATION metadata about each locale to be included in the output)</i></span><br />
<br />
<br />2. Make sure the file /etc/default/locale exists (if not, create it) and has proper content, such as:<br />LANG="en_US"<br />LANGUAGE="en_US:en"<br />or only<br />LANG=C.UTF-8<br /><br />3. Delete all generated locale data (<b>but keep C.UTF-8 and en_US.utf8</b>): <br /><span style="font-family: "Courier New",Courier,monospace;">rm -rfv /usr/lib/locale/*</span><br /><br />Then generate the locales again:<br /><span style="font-family: "Courier New",Courier,monospace;">locale-gen</span><br /><br />4. Restart the Pi or stop/start the display manager (X login) service:<br /><span style="font-family: "Courier New",Courier,monospace;">service lightdm stop<br />service lightdm start</span><br />
<br />
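Step 3 as the text states it, with an allowlist, as an added example that is not part of the original post: the bare <i>rm -rfv /usr/lib/locale/*</i> removes C.UTF-8 and en_US.utf8 as well. The function names prune_locales and count_entries and the DRY_RUN variable are this example's own; the directory and locale names are the post's.<br />

```shell
#!/bin/sh
# Added example, not from the original post: step 3 with an allowlist.
# "rm -rfv /usr/lib/locale/*" removes every entry, C.UTF-8 and en_US.utf8
# included, and on Debian derivatives C.UTF-8 is shipped by the libc package
# rather than produced by locale-gen, so locale-gen would not bring it back.
# Usage (as root):  prune_locales /usr/lib/locale C.UTF-8 en_US.utf8 && locale-gen
# Set DRY_RUN=1 to only list what would be removed.

prune_locales() {
    dir="$1"
    shift
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    keep=" $* "                          # space-padded so " name " matches whole entries only
    for path in "$dir"/*; do
        [ -e "$path" ] || continue       # empty directory: the glob stays literal
        name=$(basename "$path")
        case "$keep" in
            *" $name "*)
                echo "keeping      $name"
                continue
                ;;
        esac
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would remove $name"
        else
            rm -rf "$path" && echo "removed      $name"
        fi
    done
    return 0
}

# Number of entries left in a locale directory (printed on stdout), to check
# the result before running locale-gen.
count_entries() {
    n=0
    for path in "$1"/*; do
        [ -e "$path" ] && n=$((n + 1))
    done
    echo "$n"
}
```

locale-gen afterwards only regenerates what /etc/locale.gen lists, so check that file too if a locale you expected is missing.<br />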
Of course, if you need more keyboards (or something other than US), keep them in step 3.<br />
<br />
<b>SSH over proxy or over multiple hosts</b> (2017-09-28)<br />
<span style="font-family: inherit;">Well, sometimes an evil sysadmin won't let us live in peace and closes all the ports you need (except, of course, ssh).</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Presuming that you already have a host with ssh and Internet access (host1 in the following example) you can use it as a "jump" platform or as SOCKS proxy server to reach a target host (host2 here).</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><span style="font-family: "courier new" , "courier" , monospace;">+-----------+<--port 22-->+---------+<--port 2222-->+----------+<br />|   mybox   |-------------|  host1  |---------------|  host2   |<br />+-----------+             +---------+               +----------+<br />localhost:8080            "jump" host                   target</span></span><br />
<span style="font-family: inherit;"><br /></span>
<b><span style="font-family: inherit;">Using host1 as a proxy server:</span></b><br />
<span style="font-family: inherit;">(in this example we have two steps, but you can join them into one. Hint: chain the commands with && as in <i>command1 && command2</i>, and use the ssh <i>-f</i> parameter).</span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">mybox:~$ ssh -D 8080 -N -p 22 user@host1</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">user@host1's password:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Type the password, leave this terminal open and open another one.</span><br />
<br />
<span style="font-family: inherit;"><span style="font-family: "courier new" , "courier" , monospace;">mybox:~$ ssh -X -p 2222 user2@host2 -o ProxyCommand="/usr/bin/connect -5 -S localhost:8080 %h %p"</span></span><br />
<br />
<span style="font-family: inherit;"><b>Jumping over ssh: </b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;">mybox:~$ </span>ssh -t -X -p 22 user@host1 ssh -X -p 2222 user@host2</span><br />
<br />
<span style="font-family: inherit;">You may ask yourself, "Why not use the second example all the time, since it is simpler and more convenient?" </span><br />
<span style="font-family: inherit;">Well, the simple answer is that you cannot use X11 forwarding (the -X parameter) if host1 does not have X11 forwarding enabled in its sshd_config. So, no X11 forwarding in this case.</span><br />
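Both methods wrapped as shell functions, as an added example that is not part of the original post, together with a check for the caveat just described: x11_forwarding_enabled reads the effective X11Forwarding value out of a copy of host1's sshd_config, and ssh_via_proxyjump shows the ProxyJump form (OpenSSH 7.3 and later), whose session is end to end with host2 and so does not depend on host1's X11 setting. host1, host2, the ports and user names are the post's placeholders; the function names and the local copy of sshd_config are this example's assumptions.<br />

```shell
#!/bin/sh
# Added example, not from the original post. Names are the post's
# placeholders: host1:22 is the jump host, host2:2222 the target,
# user/user2 the accounts, 8080 the local SOCKS port.

# Effective X11Forwarding value of an sshd_config file: sshd keeps the FIRST
# occurrence of a keyword (later ones are ignored), keywords are
# case-insensitive, "#" lines are comments, and the compiled-in default is
# "no". Match blocks are not evaluated here (simplification of this example).
# Prints yes/no on stdout; returns 0 when enabled, 1 otherwise.
x11_forwarding_enabled() {
    value=$(awk '
        /^[[:space:]]*#/ || NF == 0 { next }                     # comments, blank lines
        tolower($1) == "match"       { exit }                     # conditional section starts
        tolower($1) == "x11forwarding" { print tolower($2); exit }
    ' "$1")
    echo "${value:-no}"
    [ "${value:-no}" = "yes" ]
}

# Method 1, both steps joined as the post hints: -f backgrounds the tunnel
# after authentication, ExitOnForwardFailure makes the first ssh fail (so the
# && chain stops) if port 8080 is already taken.
ssh_via_socks() {
    ssh -f -N -D 8080 -o ExitOnForwardFailure=yes -p 22 user@host1 \
    && ssh -X -p 2222 -o ProxyCommand="/usr/bin/connect -5 -S localhost:8080 %h %p" user2@host2
}

# Method 2 as in the post: the inner ssh runs on host1, so -X only works
# when host1's sshd has X11Forwarding yes.
ssh_via_jump_nested() {
    ssh -t -X -p 22 user@host1 ssh -X -p 2222 user2@host2
}

# Method 2 without that caveat: -J/ProxyJump runs "ssh -W host2:2222 user@host1"
# underneath, so the session is end to end with host2 and X11 forwarding is
# negotiated with host2's sshd only.
ssh_via_proxyjump() {
    ssh -X -p 2222 -J user@host1:22 user2@host2
}

# Choose the jump variant from a local copy of host1's sshd_config, e.g.
#   ssh -p 22 user@host1 cat /etc/ssh/sshd_config > host1_sshd_config
choose_jump_method() {
    if x11_forwarding_enabled "$1" >/dev/null; then
        echo nested
    else
        echo proxyjump
    fi
}
```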
<span style="font-family: inherit;">With the first example (proxy), because it is a SOCKS tunnel, it does not matter whether host1 has X11 forwarding enabled or not. As a tunnel, it just passes the packets between its two ends. </span><br />
<br />
<b>WordPress - Administration Over SSL</b> (2017-09-13)<br />
There are at least two ways to redirect the WordPress administration over an SSL connection.<br /><br />The most usual (and recommended) ways are:<br />
<br />
<h3>
1. In the wp-config.php file</h3>
Insert into the wp-config.php file the following line:<br /><br /><span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">define('FORCE_SSL_ADMIN', true);</span></span><br /><br />It must be inserted above the line that requires wp-settings.php.<br />
<br />
<h3>
2. Modify the Apache virtual host settings (or .htaccess file or the main httpd.conf)</h3>
<br /><span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"># Force SSL for wp-admin folder and wp-login.php file<br /> RewriteEngine On<br /> RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]<br /> RewriteCond %{HTTPS} !=on [NC]<br /> # QSA re-appends the original query string, so %{QUERY_STRING} must not be glued onto the target as well<br /> RewriteRule ^/?(wp-admin/|wp-login\.php) https://your-site.com%{REQUEST_URI} [R=301,QSA,L]</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"># End Force SSL... </span></span><br />
<br />
<br />
<b>Notice! </b><br />
For both ways, of course, you must already have SSL configured on the server and a (virtual) host configured for the secure server before your site will work properly with these settings in place.<br />
<br />
A more comprehensive reference here:<br /><a href="https://codex.wordpress.org/Administration_Over_SSL">https://codex.wordpress.org/Administration_Over_SSL</a><br />
<br />
<b>rc.local issue and init.d scripts</b> (2017-09-13)<br />
Well, the only issue with the rc.local file is that it does not exist in modern Debian flavors.<br />
For old-fashioned guys like me that is an issue, at least for ten minutes. :)<br />
<br />
So, what can we do about it? We have at least two options:<br />
Forget about rc.local and start your task using init.d scripts, or<br />
Enable the rc.local script.<br />
<br />
Both ways have pluses and minuses and it is up to you which way you choose. For myself, I prefer the first way. Yes, it's a little bit strange to make a script for each task you will run at boot, but you get better granularity and control over the process.<br />
<br />
Nevertheless, one way or another, following the next steps you will have a script that runs on boot (or in rcS.d, or in rcX.d) :)<br />
<br />
<h3>
The first option:</h3>
<br />
Making init.d scripts: copy and paste this code and make your modifications in the start and stop sections. Save it to the /etc/init.d/ folder and set the execution rights (chmod +x /etc/init.d/your-script-name).<br />
<br />
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;">#! /bin/sh<br />### BEGIN INIT INFO<br /># Provides: your-script-name<br /># Required-Start: $remote_fs $syslog<br /># Required-Stop: $remote_fs $syslog<br /># Default-Start: 2 3 4 5<br /># Default-Stop: 0 1 6<br /># Short-Description: Start daemon at boot time<br /># Description: Enable service provided by daemon.<br />### END INIT INFO<br /><br /># Commands that always run, whatever the argument (not mandatory...)<br />touch /var/lock/your_script<br /><br /># Carry out specific functions when asked to by the system<br />case "$1" in<br /> start)<br /> echo "Starting script your-script-name"<br /> echo "Some info about..."<br /> /usr/local/bin/your-script # of course, this is an example<br /> ;;<br /> stop)<br /> echo "Stopping script your-script-name"<br /> echo "Some info about..."<br /> killall -9 your-script # of course, this is an example<br /> ;;<br /> restart)<br /> $0 stop<br /> $0 start<br /> ;;<br /> *)<br /> echo "Usage: /etc/init.d/your-script-name {start|stop|restart}"<br /> exit 1<br /> ;;<br />esac<br /><br />exit 0<br /><br />##################### End script<br /><br /># Adding the init.d script to the default runlevels (here 2, 3, 4 and 5, see the script header)<br />root@linuxhorizon:~# update-rc.d your-script-name defaults<br /><br /># Removing<br />root@linuxhorizon:/etc/rc2.d# update-rc.d -f your-script-name remove</span></span><br />
<br />
<br />
<h3>
The second option:</h3>
<br />
Creating the rc.local script<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: x-small;">root@linuxhorizon:~# cat > /etc/rc.local<br />#!/bin/sh -e<br />#<br /># rc.local<br />#<br /># This script is executed at the end of each multiuser runlevel.<br /># Make sure that the script will "exit 0" on success or any other<br /># value on error.<br />#<br /># In order to enable or disable this script just change the execution<br /># bits.<br />#<br /># By default this script does nothing.<br /><br />/put/your/script/here<br /><br />exit 0<br />############### End rc.local<br /><br />root@linuxhorizon:~# chmod +x /etc/rc.local<br />root@linuxhorizon:~# systemctl start rc-local<br />root@linuxhorizon:~# systemctl status rc-local</span></span><br />
<br />
<br />
Now it's a good time for a coffee! :) <span style="font-family: inherit;"><span style="font-size: small;">By the way, do you know what the caffeine molecule looks like? Probably you don't, so here it is, <a href="http://www.linuxhorizon.ro/images/caffeine-molecule.gif" target="_blank">click to enlarge!</a></span></span><br />
<br />
<b>The magic of REISUB</b> (2017-09-12)<br />
When everything goes wrong and your graphical interface (X) stops responding (dead, hung, frozen etc.), there is a magic word that can save you from a disastrous reboot by powering down your computer.<br /><br />First, type "R" (the letter) while holding down Alt and SysRq (PrintScrn). This shortcut can give you back control over the keyboard, letting you switch to console mode (Ctrl-Alt-Fx, where x is your terminal, as in F1, F2 etc.). If this is not working you can try the next step:<br /><br />Type the phrase “REISUB” while holding down Alt and SysRq (PrintScrn), with about 1 second between each letter. Your system will reboot. <br />
<br />
For a shutdown, REISUO will do the trick. :)<br /><br />But what do those letters do?<br /><br />r – Puts the keyboard into raw mode, taking control of it away from the X server.<br />e – Sends the terminate signal to all processes, asking them to end gracefully.<br />i – Sends the kill signal to all processes, forcing them to end immediately.<br />s – Flushes data from your cache to disk.<br />u – Remounts all file systems read-only.<br />b – Reboots your computer.<br />
o – Shuts down your computer.<br /><br />You can try the letters one at a time; maybe you are lucky enough to regain control over your computer without rebooting (the letter B).<br />
<br />
An Ubuntu cheat sheet can be found here: <a href="https://files.fosswire.com/2008/04/ubunturef.pdf">https://files.fosswire.com/2008/04/ubunturef.pdf</a><br />
<br />
<b>The rkhunter (1.4.2) update issue</b> (2017-09-01)<br />
I found that rkhunter v1.4.2 (Debian distro; I don't know about other flavors or versions) had a strange problem. Installed for the first time, I could not update it:<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;">host:/root# rkhunter --update</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;">Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"</span></span></blockquote>
After fixing this in the config file (/etc/rkhunter.conf) by removing /bin/false from between the quotes, I got another error:<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;">ns3:/etc# rkhunter --update<br />[ Rootkit Hunter version 1.4.2 ]<br /><br />Checking rkhunter data files...<br />Checking file mirrors.dat [ Skipped ]<br />Checking file programs_bad.dat [ Update failed ]<br />Checking file backdoorports.dat [ Update failed ]<br />Checking file suspscan.dat [ Update failed ]<br />Checking file i18n versions [ Update failed ]</span></span></blockquote>
So, digging a little bit, I found the following solution. All you need is to replace the following settings in the /etc/rkhunter.conf file: <br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: x-small;">From UPDATE_MIRRORS=0 to UPDATE_MIRRORS=1<br />From MIRRORS_MODE=1 to MIRRORS_MODE=0<br />From WEB_CMD="/bin/false" to WEB_CMD="" </span></span></blockquote>
The funny thing is that in the rkhunter.conf comments, the recommended values are good. :)<br />
<br />
<b>GoldenEye? No! Tuesday! And is much worse!</b> (2017-06-30)<br />
Tuesday's massive outbreak of malware that <a href="https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/">shut down computers around the world</a> has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data.<br />
<br />
Full story here: <a href="https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/" target="_blank">https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/</a><br />
<br />
<b>[0day] [exploit] Advancing exploitation: a scriptless 0day exploit against Linux desktops</b> (2016-11-23)<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A powerful heap corruption vulnerability exists in the gstreamer decoder for the </span><a href="https://en.wikipedia.org/wiki/FLIC_%28file_format%29" style="text-decoration: none;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">FLIC file format</span></a><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Presented here is an 0day exploit for this vulnerability.</span></span></span><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">
</span></span></span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This decoder is generally present in the default install of modern Linux desktops, including Ubuntu 16.04 and Fedora 24. Gstreamer classifies its decoders as “good”, “bad” or “ugly”. Despite being quite buggy, and not being a format at all necessary on a modern desktop, the FLIC decoder is classified as “good”, almost guaranteeing its presence in default Linux installs.</span></span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Thanks to solid ASLR / DEP protections on the (some) modern 64-bit Linux installs, and some other challenges, this vulnerability is a real beast to exploit.</span></span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Most modern exploits defeat protections such as ASLR and DEP by using some form of scripting to manipulate the environment and make dynamic decisions and calculations to move the exploit forward. In a browser, that script is JavaScript (or ActionScript etc.) When attacking a kernel from userspace, the “script” is the userspace program. When attacking a TCP stack remotely, the “script” is the program running on the attacker’s computer. In my previous </span><a href="http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html" style="text-decoration: none;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">full gstreamer exploit against the NSF decoder</span></a><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, the script was an embedded 6502 machine code program.</span></span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">But in order to attack the FLIC decoder, there simply isn’t any scripting opportunity. The attacker gets, once, to submit a bunch of scriptless bytes into the decoder, and try and gain code execution without further interaction...</span></span></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">… and good luck with that! Welcome to the world of scriptless exploitation in an ASLR environment. Let’s give it our best shot.</span></span></span></span><br />
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The news was posted <a href="http://scarybeastsecurity.blogspot.ro/2016/11/0day-exploit-advancing-exploitation.html" target="_blank">here</a> by </span>Chris Evans aka scarybeasts.</span></span></span></div>
<b>A day to remember! IoT botnet or when the decepticons army get to life.</b> (2016-10-25)<br />
<i>Article published on the <a href="http://www.linuxhorizon.ro/mirai-iot-botnet.html">Linux Horizon</a> website </i><br />
<br />
<b>October 21, 2016 - A day to remember. The IoT gets to life but not in the good way.</b><br />
<br />
Friday, October 21, was the day when the IoT Decepticon army struck for the first time. Unfortunately it is not a movie, but this event has a lot in common with the Transformers movie.<br />
<br />
In a few words, the IoT botnet launched the biggest distributed denial-of-service attack, targeting the Krebs on Security website and taking it down for a while.<br />
<br />
Well, in the IT security field things are moving fast, but this time such a large attack was unexpected, using a botnet designed primarily to penetrate and take control of BusyBox systems.<br />
<br />
According to Javvad Malik, one of the AlienVault cyber-security specialists, and I quote,
<i>"The Mirai botnet is malware designed to take control of the BusyBox systems that are commonly used in IoT devices.
BusyBox software is a lightweight executable capable of running several Unix tools in a variety of POSIX environments that have
limited resources, making it an ideal candidate for IoT devices. It appears the DDoS attacks of October 21
have been identified as sourced from XiongMai Technologies IoT equipment."</i>.<br />
<br />
The peak was reached on September 20, 2016, when the Mirai botnet delivered 620 Gbps of DDoS traffic to the Krebs on Security website.<br />
<br />
That was a record! 620 Gbps generated by IoT devices??? Wow!<br />
<br />
Do you think that was enough? Well, there is more than that.<br />
The person who appears to be responsible for the attack, Anna-senpai, published the source code of the Mirai botnet client, loader and CNC console: <a href="http://hackforums.net/showthread.php?tid=5420472" target="_blank">http://hackforums.net/showthread.php?tid=5420472</a><br />
For those who don't have a hackforums account, the source was also posted on GitHub: <a href="https://github.com/jgamblin/Mirai-Source-Code/" target="_blank">https://github.com/jgamblin/Mirai-Source-Code/</a><br />
<br />
Hmmm... Source code of a malware tool: do we want to release the demons into the dark? Well, yes! Even so, publishing the source code is a good thing after all. :)<br />
<br />
Reference:<br />
<ul>
<li>
<a href="https://www.alienvault.com/blogs/security-essentials/the-mirai-botnet-tip-of-the-iot-iceberg" target="_blank">https://www.alienvault.com/blogs/security-essentials/the-mirai-botnet-tip-of-the-iot-iceberg</a></li>
<li>
<a href="https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/" target="_blank">https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/</a></li>
<li><a href="http://www.linuxhorizon.ro/mirai-iot-botnet.html">http://www.linuxhorizon.ro/mirai-iot-botnet.html</a></li>
</ul>
<b>Linux-in-the-middle - Linux box as transparent bridge</b> (2016-04-21)<br />
The Linux box as a transparent bridge<br />
<br />
Sometimes we cannot mirror a switch port in order to access the data travelling on the wire... In this case, how can we listen to the data traffic? You could install a hub, but on modern networks hubs that can sustain the actual traffic speed are hard or even impossible to find.<br />
<br />
So, what is the solution?<br />
Well, the mighty Linux is here to help you. Of course, you need a laptop or another device (Raspberry PI?!?) with at least 3 network interfaces.<br />
<br />
<br />
Actually, we will transform the Linux box into a bridge.<br />
<br />
Before setting the bridge interface with <i>brctl</i> you should install the tools contained by <i>bridge-utils</i> package.<br />
<br />
For debian like distros all you have to do is:<br />
<br />
As root: <span style="font-family: "courier new" , "courier" , monospace;">apt-get install bridge-utils</span><br />
<br />
<br />
This is a bridge script. Notice that only the eth1 and eth2 interfaces are included in the bridge. eth0 is left for its usual purpose.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">#!/bin/bash<br /><br />/etc/init.d/networking stop<br /><br />#Initializing bridge and interfaces</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">ifconfig br0 down<br />ifconfig eth1 down<br />ifconfig eth2 down<br />brctl delif br0 eth1<br />brctl delif br0 eth2<br />brctl delbr br0<br /><br />sleep 1<br />echo "Bridge should be empty by now..."<br />brctl show<br />echo<br />echo<br />#Starting the bridge </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">echo "Bridge construction started..."<br />ifconfig eth1 0.0.0.0 up<br />ifconfig eth2 0.0.0.0 up<br />brctl addbr br0<br />brctl addif br0 eth1<br />brctl addif br0 eth2<br />brctl stp br0 off<br />echo "Bridge raised!"<br />echo "1" > /proc/sys/net/ipv4/ip_forward<br />ifconfig br0 up<br />brctl show<br />brctl showstp br0<br />brctl showmacs br0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"># END script</span><br />
<br />
Now all you have to do is connect your Linux box in the middle of a network link, as follows (for ASCII art fans):<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">+----------------+     +--------------+     +-------------+<br />|                |     |              |     |             |<br />| Local network  +-----+  Linux box   +-----+ Workstation |<br />|                |     |              |     |             |<br />+----------------+     +--------------+     +-------------+</span><br />
<br />
The bridge is transparent, so you need not worry about which interface (eth1 or eth2) faces the workstation and which faces the local network.<br />
<br />
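The same transparent bridge can be built with iproute2 instead of the deprecated ifconfig and brctl. The script below is an added example, not the blog's own script: it keeps the post's names br0, eth1 and eth2, checks that the two ports really exist before touching anything, turns spanning tree off so the box never sends BPDUs into the monitored link, and disables IPv6 on the member ports so the tap does not announce itself with router solicitations. The DRY_RUN=1 switch is this example's own addition; it prints the commands instead of executing them, so the plan can be previewed without root. Layer-2 bridging does not need net.ipv4.ip_forward, so it is left untouched.<br />

```shell
#!/bin/sh
# Added example (not the blog's script): a transparent monitoring bridge built
# with iproute2. br0/eth1/eth2 come from the post; DRY_RUN is this example's
# own switch for previewing the commands without executing them.

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# make_bridge BRIDGE PORT_A PORT_B
make_bridge() {
    br="$1"; a="$2"; b="$3"
    [ -n "$br" ] && [ -n "$a" ] && [ -n "$b" ] || {
        echo "usage: make_bridge BRIDGE PORT_A PORT_B" >&2; return 1; }
    # Refuse to proceed with a port name that is not a real interface
    for dev in "$a" "$b"; do
        if [ "${DRY_RUN:-0}" != "1" ] && [ ! -d "/sys/class/net/$dev" ]; then
            echo "no such interface: $dev" >&2
            return 1
        fi
    done
    run ip link set "$a" down
    run ip link set "$b" down
    # Remove a stale bridge of the same name; ignore the error when none exists
    run ip link del "$br" 2>/dev/null || true
    run ip link add name "$br" type bridge
    # No spanning tree: the tap must not transmit BPDUs into the monitored segment
    run ip link set "$br" type bridge stp_state 0
    run ip link set "$a" master "$br"
    run ip link set "$b" master "$br"
    # Keep the tap silent at layer 3: no IPv4 address is ever assigned, and IPv6
    # autoconfiguration is disabled so the box never announces itself
    for dev in "$a" "$b" "$br"; do
        run sysctl -q -w "net.ipv6.conf.$dev.disable_ipv6=1"
    done
    run ip link set "$a" up
    run ip link set "$b" up
    run ip link set "$br" up
}

# List the ports currently enslaved to a bridge (empty if it does not exist)
bridge_ports() {
    ls "/sys/class/net/$1/brif" 2>/dev/null
}
```

As root, <span style="font-family: "courier new" , "courier" , monospace;">make_bridge br0 eth1 eth2</span> builds the bridge and <span style="font-family: "courier new" , "courier" , monospace;">bridge_ports br0</span> should then list eth1 and eth2. Keep in mind that the box is now inline: if it loses power or a port, the monitored link goes down with it.<br />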
Now you can dig into the network traffic by listening on the br0 interface... <i>tcpdump</i> will work its magic. :)Ioanhttp://www.blogger.com/profile/15292255364911734122noreply@blogger.com0tag:blogger.com,1999:blog-7164171333283051142.post-16627901723381824422015-11-25T13:49:00.001+02:002015-11-25T13:49:10.253+02:00Seahorse "Gnome2 key storage" unlock issue<span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: small;">The issue: </span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: small;">Seahorse -> </span></span><span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: small;">Certificates -> "Gnome2 Key Storage" folder unable to unlock</span></span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: small;">The fix:</span></span><br />
<ol>
<li><span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: small;">Close seahorse </span></span></li>
<li><span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: small;">Make a backup of the <i>~/.local/share/keyrings/user.keystore</i> file and then remove it.</span></span></li>
<li><span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: small;">Start seahorse again </span></span></li>
</ol>
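The three steps above, as an added example that is not part of the original post: the function refuses to touch the keystore while seahorse is still running, makes a timestamped backup, verifies the copy byte for byte and only then removes the original, so a failed copy never costs you the keyring. The keyring directory is a parameter so the function can be exercised on a scratch directory; <i>~/.local/share/keyrings</i> is the default from the post.<br />

```shell
#!/bin/sh
# Added example (not from the post): safe reset of the Seahorse user.keystore.
# The directory argument defaults to the post's ~/.local/share/keyrings.

reset_keystore() {
    dir="${1:-$HOME/.local/share/keyrings}"
    f="$dir/user.keystore"
    # Step 1 of the post: seahorse must be closed (check skipped if pgrep is absent)
    if command -v pgrep >/dev/null 2>&1 && pgrep -x seahorse >/dev/null 2>&1; then
        echo "close seahorse first" >&2
        return 1
    fi
    [ -f "$f" ] || { echo "no $f to reset" >&2; return 1; }
    # Step 2: backup with a timestamp, verify the copy, then remove the original
    bak="$f.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$f" "$bak" || return 1
    cmp -s "$f" "$bak" || { echo "backup mismatch, keeping original" >&2; return 1; }
    rm -f "$f"
    # Print the backup path so the caller knows where the old keystore went
    echo "$bak"
}
```

Step 3 stays manual: start seahorse again and it recreates an empty "Gnome2 Key Storage". Keep the printed backup file until you are sure nothing you need was stored only in the old keystore.<br />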
Ioanhttp://www.blogger.com/profile/15292255364911734122noreply@blogger.com24tag:blogger.com,1999:blog-7164171333283051142.post-40821563876075957662015-11-19T14:54:00.001+02:002015-11-19T14:54:40.667+02:00Linux Horizon at DefCamp #6<p dir="ltr">Yes, Linux Horizon was here! :)</p>
<p dir="ltr">A story will come in a few days...<br />
</p>
<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7eCH6ZzSpUXgpL6h-RIPxMUx33-NdEAZ4QCde2WkBfGI4tbnfWoHlzc7z4Pc3mSsYv-7dlVSBGm1AoGnDxRIOuwzamS2qbhzoTN5d8QKMkD0_olMqLix-WGz49PpvFnCYGvD_ErGiIWs/s1600/DefCamp6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"> <img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7eCH6ZzSpUXgpL6h-RIPxMUx33-NdEAZ4QCde2WkBfGI4tbnfWoHlzc7z4Pc3mSsYv-7dlVSBGm1AoGnDxRIOuwzamS2qbhzoTN5d8QKMkD0_olMqLix-WGz49PpvFnCYGvD_ErGiIWs/s640/DefCamp6.jpg"> </a> </div>Ioanhttp://www.blogger.com/profile/15292255364911734122noreply@blogger.com1tag:blogger.com,1999:blog-7164171333283051142.post-15333914417186591132015-10-23T10:39:00.003+03:002015-10-23T10:39:43.937+03:00Mounting a NTFS partition saved as iso fileSimple as that, <a href="https://en.wikipedia.org/wiki/NTFS-3G">ntfs-3g</a> does the magic:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">root@ubuntu:/home/partimag/2015-10-22-15-img# ntfs-3g sda4.iso /dir-to-mount-location/</span><br />
<br />
This example is related to <a href="http://cybersec-linuxhorizon.blogspot.ro/2015/10/partclone-v0273-bug.html">http://cybersec-linuxhorizon.blogspot.ro/2015/10/partclone-v0273-bug.html</a><br />
<br />
Do not try to mount it as a loop device (mount -o loop), because that does not work...<br />
<br />
<br />Ioanhttp://www.blogger.com/profile/15292255364911734122noreply@blogger.com0tag:blogger.com,1999:blog-7164171333283051142.post-43476438171719126612015-10-23T09:58:00.000+03:002015-10-23T11:08:26.658+03:00Partclone (v0.2.73) bugRestoring a <a href="http://clonezilla.org/">Clonezilla</a> partition backup using partclone v0.2.73 could fail as follows:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">root@ubuntu:/home/partimag/2015-10-22-15-img# cat /home/partimage/sda4.ntfs-ptcl-img.gz.aa | gzip -d -c | partclone.restore -C -s - -O /home/partimage/sda4.iso<br />Partclone v0.2.73 http://partclone.org<br />Starting to restore image (-) to device (sda4.iso)<br />device (sda4.iso) is mounted at <br />error exit<br />Partclone fail, please check /var/log/partclone.log !</span><br />
<br />
Digging a little bit, I found that the reason is very simple and I do not know if I can call it a bug or not.<br />
<br />
Pure and simple: before running the restore command you must create the <i>iso</i> output file. In my example, you should create the <i>sda4.iso</i> file, and the simplest way is:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">root@ubuntu:/home/partimag/2015-10-22-15-img# touch sda4.iso</span><br />
<br />
I'm pretty sure that other partclone versions have the same issue...<br />
<br />
I must say that the Clonezilla distribution is a very useful tool for disk and/or partition cloning and restoring. Partclone is included in the Clonezilla distribution.<br />
<br />
If your recovered partition is NTFS and you want to mount it, use ntfs-3g as described here: <a href="http://cybersec-linuxhorizon.blogspot.ro/2015/10/mounting-ntfs-partition-saved-as-iso.html">http://cybersec-linuxhorizon.blogspot.ro/2015/10/mounting-ntfs-partition-saved-as-iso.html</a> Ioanhttp://www.blogger.com/profile/15292255364911734122noreply@blogger.com1