Archive for the 'Geekery' Category

Countdown…

Posted in Geekery, Security on August 4th, 2008

RSA, as many of you may have heard on other blogs, was a silly rehash of vague promises of ‘securing your enterprise’ and ‘vertical security’, without anyone actually being willing to put on their material what their products did and didn’t do. I don’t like it when I look at a booth and see nothing that indicates what technology or technologies are being sold. If you’re a VPN product, tell me you’re a VPN product; don’t advertise as “securing your remote users”. It’s way too vague, and on top of that, it’s probably not true.

Tomorrow I depart for Blackhat and defcon. I expect to see no fluff, no vague promises of security as a service, or other over-generalized hogwash as an attempt to lure me in and waste my time on a product space that either I’ve already bought, already discarded, or have been told I have no budget to purchase. I do expect some vendors, providing parties (yay!) and useful information about their products. I expect some excellent talks (anyone who hasn’t heard that Dan Kaminsky will be talking about the DNS flaws at Blackhat has been living under a rock for too long) on a wide range of topics, some of which will not be of interest and some of which will undoubtedly be way over my head (but I like the feeling of drowning in information technology overload).

For the first time, one of my co-workers will be in attendance, and my boss. Oh joy.

My plan is to post some highlights of things that especially catch my attention. Hopefully you’ll find them as interesting as I do or did when I see them. (What is the correct tense when talking about things in the future that will be in the past when you will be talking about them?)

Mounting at an offset

Posted in Geekery on June 13th, 2007

A couple of days ago my officemate had a computer blow up. The typical “oh, I smell the ozone” sort of power supply death syndrome. No big deal, he’s a good computer guy: yank the hard drives out, throw them into external enclosures, and bring them up on another machine to grab the desired data.

Unfortunately, the disk with the work data on it decided that it didn’t like this tactic at all, and said no to mounting. He worked at it a little bit, and then handed it to me.

Now I’m sure all of you have been handed a reasonably big disk to deal with forensically: you copy the disk so you can work on a copy of the copy, and have a copy to copy from again when you totally bork the situation and want to start over from scratch. (Which is why you copy from the original to start off with. And why copy the copy? Because an external FireWire or USB 2.0 disk isn’t going to be as fast as an internal disk-to-disk copy of that same 200+GB.)

Hit it up with the usual tools: mmls[1] to show me what the partition table looked like in the image, then fdisk to go in and look at it again:


fdisk image.dd

The number of cylinders for this disk is set to 378602.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/sdd: 250.0 GB, 250059350016 bytes
86 heads, 15 sectors/track, 378602 cylinders
Units = cylinders of 1290 * 512 = 660480 bytes

Device Boot Start End Blocks Id System
/dev/sdd1 * 1 208090 134217727+ 4 FAT16 <32M

After changing the partition type to 0x07 (NTFS), it was time to rip that partition out again and mount it up. Start ‘dcfldd if=image.dd of=image.c.img bs=512 skip=1 status=on’[2], which skips the first 512-byte sector (the partition table) on the assumption that the partition starts at sector 1. (This time it’s not a forensics case, I’m just trying to get some files for a friend, so who cares about MD5 hashes.) Sit back and wait, and wait, and wait.

I admit it, I’m not patient a lot of the time. When I start something like this I want it done, I don’t want to have to wait, so I tend to keep fiddling with something while the long process is running. This time it definitely paid off.

I went looking for what the bytes were that mark the start of an NTFS filesystem, and found a little write-up ( http://www.ntfs.com/ntfs-partition-boot-sector.htm ) that told me precisely what I wanted to know: the NTFS boot sector carries the OEM ID “NTFS    ” at byte 3 and ends with the 0x55AA signature at bytes 510 and 511. With a little bit of knowledge and a few tools you can get into a lot of trouble :), so I whipped out head, hexdump and less, and put together:

head -c 500k image.dd | hexdump -C | less

And started looking for the header, and found it at 0x7e00, which with a little math works out to 32,256 bytes into the file: 63 sectors of 512 bytes, the conventional first-partition start on a DOS-style partition table. You’ll also note that this is not where I started cutting the file apart with dd; I started at byte 512 (sector 1). Having let the earlier dd run for most of the day while working on other things, I didn’t really want to restart it at the new offset, so I went looking for an alternative… and found it!

mount -t ntfs -o loop,ro,offset=0x7e00 image.dd /mnt

Yup, that’s right, you can mount starting at an offset: the offset= option makes mount set up the loop device that many bytes into the file, so the NTFS driver sees a volume that begins at its own boot sector. If you happen to know where the filesystem header is, just point mount at it and let it figure it out. It worked great: the entire contents of the filesystem were there, and I started tarring off the files my officemate wanted. But then I had a thought: if I can fix the partition table of the original disk, I can hand him the external disk in its enclosure and it gets even easier. A little trip into fdisk again, and I try to mount the actual drive… and it doesn’t like me. I think it had something to do with that starting sector being set to 1. On a whim, I decided to try:

mount -t ntfs -o ro,offset=0x7e00 /dev/sdd /mnt

and discovered that it will do the same thing with hardware as with a loop interface (mount treats offset= as implying loop, so it quietly wraps /dev/sdd in a loop device too). I don’t think I’m fearless enough to try to mangle the partition table to point it at the right location. I’ll let the tar finish, give my officemate the tar so he can have the files he cares about back, and we can wipe the drive and start over entirely.
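The two things done by hand above (reading the partition table, and hunting for the NTFS boot sector to get the byte offset for mount) can be scripted. The following is an added example, not code from the original post: it parses the four primary entries of a DOS/MBR partition table, checks whether an NTFS boot sector really sits where each entry claims, scans the image sector by sector for the OEM ID and 0x55AA signature, and prints the mount line with the offset filled in. The sample image it builds is constructed for the example (a bogus entry of type 0x04 starting at sector 1, as in the post’s fdisk output, and a minimal NTFS boot sector at 0x7e00); the field offsets follow the ntfs.com boot sector layout linked above.

```python
import struct

SECTOR = 512


def parse_mbr(img):
    """Parse the four primary entries of a DOS/MBR partition table.

    Each entry is 16 bytes at 446 + 16*i: status (0x80 = bootable), CHS start,
    type, CHS end, 32-bit LBA start, 32-bit sector count (little-endian).
    """
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a DOS partition table")
    entries = []
    for i in range(4):
        base = 446 + 16 * i
        status, ptype = img[base], img[base + 4]
        lba_start, sectors = struct.unpack_from("<II", img, base + 8)
        if ptype == 0:
            continue  # empty slot
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
        })
    return entries


def is_ntfs_boot_sector(sec):
    """True if `sec` looks like an NTFS boot sector: OEM ID "NTFS    " at
    byte 3, a sane bytes-per-sector value at byte 11, 0x55AA at byte 510."""
    if len(sec) < SECTOR:
        return False
    bytes_per_sector = struct.unpack_from("<H", sec, 11)[0]
    return (sec[3:11] == b"NTFS    "
            and bytes_per_sector in (512, 1024, 2048, 4096)
            and sec[510:512] == b"\x55\xaa")


def find_ntfs_boot_sectors(img, max_bytes=None):
    """Scan sector-aligned offsets for NTFS boot sectors.

    Returns a list of (offset, total_sectors).  A real volume also keeps a
    backup boot sector in its last sector, so a whole-disk scan may report
    two hits per volume; the lower offset is the one to hand to mount.
    """
    end = len(img) if max_bytes is None else min(len(img), max_bytes)
    hits = []
    for off in range(0, end - SECTOR + 1, SECTOR):
        sec = img[off:off + SECTOR]
        if is_ntfs_boot_sector(sec):
            total_sectors = struct.unpack_from("<Q", sec, 0x28)[0]
            hits.append((off, total_sectors))
    return hits


def audit_partition_table(img):
    """For each MBR entry, report (index, type, byte offset, boot sector found?).

    This is the mismatch from the post: the table claimed a start that held no
    filesystem header, while the real NTFS boot sector sat at 0x7e00."""
    report = []
    for e in parse_mbr(img):
        off = e["byte_offset"]
        report.append((e["index"], e["type"], off,
                       is_ntfs_boot_sector(img[off:off + SECTOR])))
    return report


def mount_command(offset, image="image.dd", mountpoint="/mnt"):
    """The mount invocation from the post with the discovered offset."""
    return f"mount -t ntfs -o loop,ro,offset={offset:#x} {image} {mountpoint}"


def build_sample_image():
    """Constructed 1 MiB image for this example: one MBR entry of type 0x04
    claiming LBA start 1 (bogus, like the post's table) and a minimal NTFS
    boot sector at sector 63 (byte 0x7e00)."""
    img = bytearray(1024 * 1024)
    entry = bytes([0x80, 0, 0, 0, 0x04, 0, 0, 0]) + struct.pack("<II", 1, 2047)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"          # jump instruction
    boot[3:11] = b"NTFS    "             # OEM ID
    struct.pack_into("<H", boot, 11, 512)  # bytes per sector
    boot[13] = 8                          # sectors per cluster
    boot[0x15] = 0xF8                     # media descriptor
    struct.pack_into("<Q", boot, 0x28, 1984)  # total sectors
    boot[510:512] = b"\x55\xaa"
    img[0x7E00:0x7E00 + SECTOR] = boot
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for idx, ptype, off, ok in audit_partition_table(sample):
        print(f"entry {idx}: type {ptype:#04x} claims start {off:#x}; NTFS boot sector there: {ok}")
    for off, total in find_ntfs_boot_sectors(sample):
        print(f"NTFS boot sector at {off:#x} (sector {off // SECTOR}), {total} sectors")
        print(mount_command(off))
```

On a real image, read the file into memory (or scan it in chunks) and hand the first hit from find_ntfs_boot_sectors to mount_command; since the scan only trusts the OEM ID, sector size and signature, treat a hit as a candidate and confirm it by mounting read-only, exactly as the post does.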

[1] mmls is part of The Sleuthkit, available at: http://www.sleuthkit.org/sleuthkit/index.php
[2] dcfldd is an ‘improved’ dd, which includes things like status output and hashing of the data transferred. It’s available at: http://dcfldd.sourceforge.net/

XSS Cheat Sheet

Posted in Geekery, Security on December 4th, 2006

RSnake over at ha.ckers.org has posted a really cool cross-site scripting (XSS) cheat sheet. It includes a variety of techniques for testing for the presence of an XSS vulnerability, complete with tags for which browsers each one works with. A great tool to add to one’s toolbox.

GnuCash

Posted in Geekery on October 10th, 2006

After much gnashing of teeth and googling around, I finally managed to get GnuCash installed and working. Turns out that if you are running OS X, the best way is to install Darwin Ports (now called MacPorts) instead of fink. Now I just need to figure out how to use the damn thing. I’m digging my way through wiki.gnucash.org at the moment. Any other really good resources I should know about?

Ghost IP Addresses!

Posted in Geekery on September 27th, 2006

This is a story about a box. The box was at work. This is a linux box. The box had 2 IPs. This was causing some problems with something non-essential, like backups. The box was then changed to have 1 IP. Time passes and someone decides to try to use the old IP only to discover that something is still using it. That something turns out to be a box. Thus begins a story about a box.

Being curious, I took a look at the box. Everyone knows ifconfig, it’s great, it tells you all the interface settings for a box. Except, well, the IP that the box is responding to isn’t on the list. netstat also doesn’t know about the IP. Hmmm, curiouser and curiouser.

Restart the network of the box (always lots of fun to do remotely) to see if the mysterious IP address goes away, still there. Reboot the machine, the IP is still there. I know I removed that IP from this machine!

Restart the network again and watch what it says: “Bringing up interface eth0…” “Bringing up interface eth0-old…”. That’s a little odd, but I remember that I renamed the file for the old settings, Just In Case™. Maybe that wasn’t such a hot idea? The network scripts bring up every ifcfg-* file they find, and the interface they configure comes from the DEVICE= line inside the file rather than from the file name, so the renamed file still added the old address to eth0. But if I have a config file that invokes the same interface as before (eth0), should it quietly create a ghost IP address and let people use it?

As a little test I set up an sshd config that specifically listened on an odd port at this ghost IP address, and was able to connect to it! And once the port was added to the firewall rules, I could talk to it remotely as well. So the machine is using this IP, but why would it when ifconfig still reports that only one IP is in use, which is the one it is supposed to be using, and ifconfig doesn’t report any additional IPs on any interfaces?

And then I found it, the ‘new and improved’ way of adding IPs to a linux machine: ip addr. If you add additional IPs using ip addr without an alias label, ifconfig will never display them: it asks the kernel for one IPv4 address per interface name through the old ioctl interface, and only addresses labelled eth0:1, eth0:2 and so on show up as extra entries.

So as a test, after the machine has booted, I try ‘ip addr add 10.2.3.45/24 dev eth0’ and then look at ifconfig. I would expect this to show a secondary address on eth0 in ifconfig. Nope, all I see is the original IP of the machine. ‘ip addr show’, on the other hand, does show me both IP addresses now residing on the interface. Fortunately, ‘ip addr del’ will delete the address, though attempting to delete the additional address with ifconfig appears to do bad things in some situations (on 1 of the 2 machines I tested this on it appears to have turned off the interface entirely, oops).

I wonder how useful this could be if you wanted to set up some backdoors on a system, but didn’t want anyone to know they exist? I mean, who would think to remotely scan the wrong IP of a machine to see what was listening on it?
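That is exactly the check worth running on any box: compare what the kernel holds (per ip addr) with what ifconfig admits to, and flag the difference. The following is an added example, not code from the original post. It parses the one-line-per-address output of ‘ip -o -4 addr show’ and the net-tools ifconfig output (both the old ‘inet addr:’ and the newer ‘inet ’ spelling), reports every address ip knows about that ifconfig does not show, and prints the ‘ip addr del’ command that removes each one. The two sample outputs embedded below are constructed for the example, with an unlabelled secondary 10.2.3.45 as the ghost and a labelled eth0:1 secondary that ifconfig does display; on a live host you would feed it the real command output instead.

```python
import re
import subprocess

# Constructed sample of `ip -o -4 addr show` (not captured from the post's box).
# An address added with `ip addr add` and no `label` carries the bare device name.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.2.3.4/24 brd 10.2.3.255 scope global eth0
2: eth0    inet 10.2.3.45/24 brd 10.2.3.255 scope global secondary eth0
2: eth0    inet 10.2.3.46/24 brd 10.2.3.255 scope global secondary eth0:1
"""

# Constructed sample of net-tools ifconfig: one IPv4 address per interface name,
# so the labelled secondary appears as "eth0:1" and the unlabelled one not at all.
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.2.3.4  Bcast:10.2.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.2.3.46  Bcast:10.2.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

IP_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)\s+(.*)$")
IFCONFIG_NAME = re.compile(r"^(\S+)")
IFCONFIG_INET = re.compile(r"inet (?:addr:)?(\d+\.\d+\.\d+\.\d+)")
# address flags that may sit between "scope <value>" and the label
ADDR_FLAGS = {"secondary", "dynamic", "deprecated", "tentative", "temporary",
              "noprefixroute", "mngtmpaddr", "home", "nodad", "optimistic",
              "dadfailed", "stable-privacy"}


def parse_ip_addr(text):
    """Parse `ip -o -4 addr show` into dicts: device, address, prefix, label, secondary."""
    addrs = []
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if not m:
            continue
        dev, addr, prefix, rest = m.groups()
        tokens = rest.replace("\\", " ").split()   # -o joins lines with a backslash
        label, secondary = dev, False
        if "scope" in tokens:
            i = tokens.index("scope") + 2           # skip "scope" and its value
            while i < len(tokens) and tokens[i] in ADDR_FLAGS:
                secondary = secondary or tokens[i] == "secondary"
                i += 1
            if i < len(tokens) and not tokens[i].endswith("_lft"):
                label = tokens[i]
        addrs.append({"device": dev, "address": addr, "prefix": int(prefix),
                      "label": label, "secondary": secondary})
    return addrs


def parse_ifconfig(text):
    """Return {interface label: IPv4 address} for everything ifconfig prints."""
    seen, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = IFCONFIG_NAME.match(line).group(1).rstrip(":")  # "eth0" or "eth0:"
        elif current:
            m = IFCONFIG_INET.search(line)
            if m:
                seen[current] = m.group(1)
    return seen


def find_ghost_addresses(ip_text, ifconfig_text):
    """Addresses the kernel holds that ifconfig does not show: (device, address, prefix)."""
    shown = set(parse_ifconfig(ifconfig_text).values())
    return [(a["device"], a["address"], a["prefix"])
            for a in parse_ip_addr(ip_text) if a["address"] not in shown]


def removal_commands(ghosts):
    """The `ip addr del` line that removes each ghost address."""
    return [f"ip addr del {addr}/{prefix} dev {dev}" for dev, addr, prefix in ghosts]


def live_audit():
    """Run the comparison against the current host (needs ip and ifconfig installed)."""
    ip_out = subprocess.check_output(["ip", "-o", "-4", "addr", "show"], text=True)
    ifc_out = subprocess.check_output(["ifconfig", "-a"], text=True)
    return find_ghost_addresses(ip_out, ifc_out)


if __name__ == "__main__":
    ghosts = find_ghost_addresses(IP_ADDR_OUTPUT, IFCONFIG_OUTPUT)
    for dev, addr, prefix in ghosts:
        print(f"ghost address {addr}/{prefix} on {dev} (held by kernel, hidden from ifconfig)")
    for cmd in removal_commands(ghosts):
        print("to remove:", cmd)
```

The audit keys on the address, not the label, so it also catches the case from the post where the address was brought up by a stray ifcfg-* file rather than typed in by hand; run it from cron or a config-management check and any address that ifconfig would never have shown becomes a finding rather than a surprise.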

(Discovered on RHEL AS 4.0 and further tested on FC4, kernel 2.6.14 and FC5 2.6.17 .)

Update: Fixed a couple grammar items, and confirmed the issue still exists: FC8 kernel 2.6.23.15-137