Recently in Geekery Category

fun with cat

No, not the feline kind.

I was reading a good book the other day (Hacking: The Art of Exploitation) when I ran into something that I hadn't thought about before:


cat foo - | program

Such a simple little thing, and immediately I went "Oh!  How come I didn't make that connection before?"  It makes perfect sense: first it shoves the contents of foo to program, and then it hands control back to the user.  How utterly useful at times.

It got me to thinking, could I get away with:

cat - - foo | program

And sure enough, that works too!  Utility, I think there might be a use or two, but so far the ones I've come up with are sort of contrived.

And finally, an alternate method:

perl -e 'stuff(); while(<>) { print;} ; other_stuff()' | program

Also works quite sufficiently (not that it would be any surprise).

Now why hadn't I thought of this before?  I'm not sure, but now I have and it's added to my toolkit.

Countdown...


RSA, as many of you may have heard in other blogs was a silly rehash of vague promises of 'securing your enterprise' and 'vertical security' without anyone actually being willing to put on their material what their products did and didn't do. I don't like it when I look at a booth and I see nothing that indicates what technology or technologies are being sold. If you're a VPN product, tell me you're a VPN product, don't advertise as "securing your remote users". It's way too vague, and on top of that, it's probably not true.

Tomorrow I depart for Blackhat and defcon. I expect to see no fluff, no vague promises of security as a service, or other over-generalized hogwash as an attempt to lure me in and waste my time on a product space that either I've already bought, already discarded, or have been told I have no budget to purchase. I do expect some vendors, providing parties (yay!) and useful information about their products. I expect some excellent talks (anyone that hasn't heard that Dan Kaminsky will be talking about the DNS flaws at blackhat has been living under a rock for too long) on a wide range of topics, some of which will not be of interest and some of which will undoubtedly be way over my head (but I like the feeling of drowning in information technology overload).

For the first time, one of my co-workers will be in attendance, and my boss. Oh joy.

My plan is to post some highlights of things that especially catch my attention. Hopefully you'll find them as interesting as I do or did when I see them. (What is the correct tense when talking about things in the future that will be in the past when you will be talking about them?)

Mounting at an offset


A couple days ago my officemate had a computer blow up. The typical "oh I smell the ozone" sort of power supply death syndrome. No big deal, he's a good computer guy, yank the hard drives out, throw them into external enclosures, and bring them up on another machine to grab the desired data.

Unfortunately, the disk with the work data on it decided that it didn't like this tactic at all, and said no to mounting. He worked at it a little bit, and then handed it to me.

Now I'm sure all of you have been handed a reasonably big disk to deal with forensically: you copy the disk so you can work on a copy of the copy, and have a copy to copy from again when you totally bork the situation and want to start over from scratch (which is why you copy from the original to start off with; and why copy the copy? Because an external Firewire or USB 2.0 isn't going to be as fast as an internal disk-to-disk copy of that same 200+GB).

Hit it up with the usual tools: mmls [1] to show me what the partition table looked like in the file, then fdisk to go in and look at it again:

fdisk image.dd

The number of cylinders for this disk is set to 378602.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/sdd: 250.0 GB, 250059350016 bytes
86 heads, 15 sectors/track, 378602 cylinders
Units = cylinders of 1290 * 512 = 660480 bytes

Device Boot Start End Blocks Id System
/dev/sdd1 * 1 208090 134217727+ 4 FAT16 <32M

After changing the partition type to 0x07 (NTFS), it was time to rip that partition out again, and mount it up. Start 'dcfldd if=image.dd of=image.c.img bs=512 skip=1 status=on' [2] (this time it's not a forensics case, I'm just trying to get some files for a friend, so who cares about MD5 hashes). Sit back and wait, and wait, and wait.

I admit it, I'm not patient a lot of the time. When I start something like this I want it done, I don't want to have to wait, so I tend to keep fiddling with something while the long process is running. This time it definitely paid off.

I went looking for what the bits were that indicated the start of an NTFS filesystem, and found a little write-up ( http://www.ntfs.com/ntfs-partition-boot-sector.htm ) that told me precisely what I wanted to know. With a little bit of knowledge and knowing a few tools you can get into a lot of trouble :), I whipped out head, and hexdump, and less, and put together:

head -500k image.dd | hexdump -C | less

And started looking for the header, and found it at 0x7e00 ... which with a little math one figures out is 32k bytes into the file. You'll also note that this is not where I started to cut the file apart with dd; I started at byte 512. Now that I'd been letting the earlier dd run for most of the day while working on other things, I didn't really want to restart it at the new offset, so I went looking for an alternative... and found it!

mount -t ntfs -o loop,ro,offset=0x7e00 image.dd /mnt

Yup, that's right, you can mount starting at an offset. If you happen to know where the filesystem header is, just point mount at it and let it figure it out. Having figured that out (and it worked great; the entire contents of the filesystem were there), I started tarring off the files from it that my officemate wanted. But then I had a thought: if I can fix the partition table of the original disk, then I can hand him the external disk in an enclosure and it gets even easier. A little trip into fdisk again, and I am able to again try to mount the actual drive... and it doesn't like me. I think it had something to do with that starting sector being set to 1. On a whim, I decided to try:

mount -t ntfs -o ro,offset=0x7e00 /dev/sdd /mnt

and discovered that it will do the same thing with hardware as with a loop interface. I don't think I'm fearless enough that I'm willing to try to mangle the partition table to point it at the right location. I'll let the tar finish, and give my officemate the tar so he can have the files he cares about back, and we can wipe the drive and start over entirely.

[1] mmls is part of The Sleuthkit, available at: http://www.sleuthkit.org/sleuthkit/index.php
[2] dcfldd is an 'improved' dd, which includes things like status, and hashing of the data transferred. It's available at: http://dcfldd.sourceforge.net/
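The same hunt for the NTFS boot sector, done in code rather than by eyeballing hexdump. This is an added example, not from the original post: it parses the MBR partition entries of an image, scans the first 512k for the NTFS OEM ID and 0x55AA signature, and prints the read-only loop mount command with the offset filled in. The sample image is constructed inline so it runs without a real disk.

```python
import struct
import sys

SECTOR = 512

def mbr_partitions(image):
    """Parse the four primary MBR entries: (type, start LBA, byte offset of the partition)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        base = 446 + 16 * i
        ptype = image[base + 4]
        start_lba, n_sectors = struct.unpack_from("<II", image, base + 8)
        if ptype and n_sectors:
            parts.append((ptype, start_lba, start_lba * SECTOR))
    return parts

def find_ntfs_boot_sectors(image, limit=512 * 1024):
    """Scan sector-aligned offsets (first 512k, like the head | hexdump pass) for an NTFS
    boot sector: OEM ID 'NTFS    ' at byte 3 and the 0x55AA signature at bytes 510-511."""
    hits = []
    end = min(len(image), limit) - SECTOR
    for off in range(0, end + 1, SECTOR):
        if image[off + 3:off + 11] == b"NTFS    " and image[off + 510:off + 512] == b"\x55\xaa":
            hits.append(off)
    return hits

def mount_command(offset, image="image.dd", mountpoint="/mnt"):
    """The read-only loop mount from the post, with the byte offset filled in."""
    return f"mount -t ntfs -o loop,ro,offset={offset:#x} {image} {mountpoint}"

def sample_image():
    """Constructed image: MBR with one type 0x07 partition starting at LBA 63 (the classic
    first-partition start) and an NTFS boot sector at 63 * 512 = 0x7e00."""
    img = bytearray(64 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 262144)
    img[510:512] = b"\x55\xaa"
    bs = 63 * SECTOR
    img[bs:bs + 3] = b"\xeb\x52\x90"       # jmp to boot code
    img[bs + 3:bs + 11] = b"NTFS    "      # OEM ID
    img[bs + 510:bs + 512] = b"\x55\xaa"   # end-of-sector signature
    return bytes(img)

if __name__ == "__main__":
    # pass a path to a real image to scan its first 512k; otherwise use the constructed one
    data = open(sys.argv[1], "rb").read(512 * 1024) if len(sys.argv) > 1 else sample_image()
    for ptype, lba, off in mbr_partitions(data):
        print(f"partition type {ptype:#04x} starts at LBA {lba} = byte {off:#x}")
    for off in find_ntfs_boot_sectors(data):
        print("NTFS boot sector at", hex(off), "->", mount_command(off))
```

Note that 0x7e00 is 32256 bytes, i.e. sector 63, which is why the partition start reported in cylinders by fdisk did not line up with skip=1 in the dd run.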

XSS Cheat Sheet


RSnake over at ha.ckers.org has posted a really cool cross site scripting (XSS) cheat sheet. It includes a variety of techniques for testing for the presence of an XSS vulnerability, complete with tags for which browsers each works with. A great tool to add to one's toolbox.

GnuCash


After much gnashing of teeth and googling around, I finally managed to get GnuCash installed and working. Turns out that if you are running OS X, the best way is to install Darwin Ports (now called MacPorts) instead of fink. Now I just need to figure out how to use the damn thing. I'm digging my way through wiki.gnucash.org at the moment. Any other really good resources I should know about?

Ghost IP Addresses!


This is a story about a box. The box was at work. This is a linux box. The box had 2 IPs. This was causing some problems with something non-essential, like backups. The box was then changed to have 1 IP. Time passes and someone decides to try to use the old IP only to discover that something is still using it. That something turns out to be a box. Thus begins a story about a box.

Being curious, I took a look at the box. Everyone knows ifconfig, it's great, it tells you all the interface settings for a box. Except, well, the IP that the box is responding to isn't on the list. netstat also doesn't know about the IP. Hmmm, curiouser and curiouser.

Restart the network of the box (always lots of fun to do remotely) to see if the mysterious IP address goes away, still there. Reboot the machine, the IP is still there. I know I removed that IP from this machine!

Restart the network again and watch what it says... "Bringing up interface eth0..." "Bringing up interface eth0-old...". That's a little odd, but I remember that I renamed the file for the old settings, Just In Case ™. Maybe that wasn't such a hot idea? But if I have a config file that invokes the same interface as before (eth0), should it quietly create a ghost IP address and let people use it?

As a little test I set up an sshd config that specifically listened on an odd port at this ghost IP address and was able to connect to it! And once the port was added to the firewall rules, I could talk to it remotely as well. So the machine is using this IP, but why would it when ifconfig still reports that only one IP is in use which is the one it is supposed to be using, and ifconfig doesn't report any additional IPs on any interfaces.

And then I found it, the 'new and improved' way of adding IPs to a linux machine: ip addr. If you add additional IPs using ip addr, ifconfig will never display the information about the additional IPs.

So as a test, after the machine has booted, I try 'ip addr add 10.2.3.45 dev eth0' and then look at ifconfig. I would expect that this would show a secondary address on eth0 in ifconfig. Nope, all I see is the original IP of the machine. 'ip addr', on the other hand, does show me both IP addresses now residing on the interface. Fortunately, ip addr will delete the address, though attempting to delete the additional address with ifconfig appears to do bad things in some situations (on 1 of the 2 machines I tested this on, it appears to have turned off the interface entirely, oops).

I wonder how useful this could be if you wanted to set up some backdoors on a system, but didn't want anyone to know they exist? I mean, who would think to remotely scan the wrong IP of a machine to see what was listening on it?

(Discovered on RHEL AS 4.0 and further tested on FC4, kernel 2.6.14 and FC5 2.6.17 .)

Update: Fixed a couple of grammar items, and confirmed the issue still exists: FC8 kernel 2.6.23.15-137.
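A quick way to audit a host for exactly this: compare what ifconfig shows against what 'ip -o -4 addr show' shows, and flag any address the kernel holds that ifconfig never reported. This is an added example, not from the original post; the two command outputs below are constructed samples standing in for the real commands, and the interface and address values are made up.

```python
import re

# Constructed sample output of the classic net-tools ifconfig: one inet addr per interface.
IFCONFIG_OUT = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.2.3.40  Bcast:10.2.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Constructed sample output of `ip -o -4 addr show`: one record per line, and the
# second eth0 address (added with `ip addr add`) is the one ifconfig does not list.
IP_ADDR_OUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.2.3.40/24 brd 10.2.3.255 scope global eth0
2: eth0    inet 10.2.3.45/32 scope global eth0
"""

def ifconfig_addrs(text):
    """Map interface -> set of IPv4 addresses as ifconfig reports them.
    Handles both the 'inet addr:' (old) and 'inet ' (newer net-tools) layouts."""
    addrs, iface = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():            # interface header line
            iface = line.split()[0].rstrip(":")
        m = re.search(r"\binet (?:addr:)?(\d+(?:\.\d+){3})", line)
        if m and iface:
            addrs.setdefault(iface, set()).add(m.group(1))
    return addrs

def ip_addr_addrs(text):
    """Map interface -> set of IPv4 addresses from `ip -o -4 addr show`."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3})/\d+", line)
        if m:
            addrs.setdefault(m.group(1), set()).add(m.group(2))
    return addrs

def ghost_addrs(ifconfig_text, ip_text):
    """Addresses present in the ip output but missing from ifconfig, per interface."""
    seen_by_ifconfig, held_by_kernel = ifconfig_addrs(ifconfig_text), ip_addr_addrs(ip_text)
    ghosts = {}
    for iface, ips in held_by_kernel.items():
        hidden = ips - seen_by_ifconfig.get(iface, set())
        if hidden:
            ghosts[iface] = sorted(hidden)
    return ghosts

if __name__ == "__main__":
    for iface, ips in ghost_addrs(IFCONFIG_OUT, IP_ADDR_OUT).items():
        print(f"{iface}: addresses not shown by ifconfig: {', '.join(ips)}")
```

On a live box, feed it the real outputs (for example via subprocess) instead of the sample strings; anything it flags deserves a look at the network scripts that brought the interface up.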

VMWare Server Free Release


There are some tools that are just cool, I've tried to put links to some of them in our information pages. There are other tools that are pretty sucky, we try to bash into them for security problems.

Then there's tools that make all the other tools more useful. One of these is VMWare. Anyone that's done a computer security class likely knows about it already. You set up one computer, install VMWare, and then install a number of other computers inside of it. It's great! You can set up an entire lab of computers to play with on one workstation with a bunch of memory. Which means you can have a couple victims, and a couple of attacking hosts of various OS flavors and your favorite tools, or tools you want to test, or configurations you want to test.

You know those single ISO OS images? You can point your first CD-ROM in vmware to that iso image, and it's as if you put the CD in the drive. Same with floppy images (this worked great for me recently when I wanted a fast minimal install of FreeBSD 4.11-final and didn't want to wait for an ISO to download on the less hotel wireless network).

And now, this great multi-faceted, highly practical tool is free.

But wait, there's more... they (VMWare) are also encouraging people to build downloadable VMs (Virtual Machines) which are preconfigured and ready to go. Maybe a vendor you're working with has one for that product you want to evaluate, nice and simple.

And my latest thought on the whole VM thing is: game makers could build inside a VM and control every aspect of the OS: file system, memory management, display, and resource allocation. Imagine the creativity you could have with a game engine with that level of control and flexibility.

If you want to check out VMWare: www.vmware.com

Who says it has to be difficult


http://www.crypto.com/papers/wiretapping/

A lovely little paper about a couple of methods of defeating wiretaps. The easiest way was to play a low C tone: the wiretapping device would think that the phone had been hung up and stop recording.

See, it doesn't have to be complex to beat a complexly designed machine.

DNS Question


I run a DNS server (oooh, aaah) and I secondary a few (200+) domains for some friends of mine. One of them (whom I like, don't take this the wrong way if you read it and think it's you) notoriously will not tell me when he's had new domains added, or when he's no longer the domain holder of record for a domain.

Sometimes I can be a bit finicky, and I go on cleaning and data purification binges (behold the Information Inquisition! Our primary weapon is vi and perl...). On the most recent of these cleaning binges I realized I wanted to know two things: who claimed I was acting as authoritative for their domain, and who I thought I was authoritative for, but was not listed.

A couple of moments thinking about DNS and you will quickly understand that the first of these two questions is ridiculously hard to answer by querying DNS. I'll have to figure it out from the logs of my DNS server another day. However, the second of these turns out to be pretty quick to answer. Given a little perl hackery, and the willingness to visually scan the output, you can quickly find those hosts that you have listed in your zone files and for which you aren't actually listed at the root servers as an authoritative server.

I discovered a couple things along the way, and built in appropriate code to solve the problems:

1) The different TLDs have different root name servers. So I dynamically grab, from the local name server, what the root name servers are for each TLD. (TLD stands for top level domain, e.g. com org net ru to se)

2) The different TLD servers answer NS queries by putting the results of the query in different locations. com and net (run off of Verisign's root name servers) put the results in the ANSWER section of the response, nice and logical. Everyone else seems to think that an NS query should have the answer stuffed into the AUTHORITY section of the response. I didn't go read the RFC to see if either of them was the right way, cause it doesn't matter to me; I just needed to learn that I had to look in both sections to make sure I got the results of my query.

Yes, I realize that I could have spent another few minutes and actually had it look for my domain server name(s) in the NS records and if I didn't find one then spew an appropriate message, but I'm good and fast at visual greps on relatively small (less than 5000 lines) of output so I didn't bother. If you'd like to do that to this script and send me your suggestion, I'll take it into consideration.

Without further ado, a little bit of perl that will show you who the listed authoritative servers are for a domain (cutting and pasting the script I discovered that this lovely little system replaces all the " that are in the code with either a start " or an end ", and you need to go through and replace them all in the code, just so you're warned it won't run right off the page):

#!/usr/bin/perl

use strict;               # cause I'm that sort of person
use warnings;
use Net::DNS;             # cause that's what we're working with today

my %q;    # one non-recursive resolver per TLD, pointed at that TLD's name servers

while (<>) {
    my $result;
    my @servers;

    # take the last two labels of the line, e.g. "example.com" -> ("example", "com");
    # A-Za-z rather than A-z, since the A-z range also matches [ \ ] ^ _ `
    next unless /([0-9A-Za-z\-]+)\.([A-Za-z]+)\s*$/;
    my $tld    = $2;
    my $second = $1;
    print "\n$second.$tld\n";

    if ( !$q{$tld} ) {
        print "New TLD: ", $tld, "\n";
        $q{$tld} = Net::DNS::Resolver->new;
        $q{$tld}->recurse(0);

        # ask the local name server which servers are authoritative for the TLD
        $result = $q{$tld}->send( $tld, "NS" );
        @servers = ();
        foreach my $rr ( $result ? $result->answer() : () ) {
            next unless $rr->type eq "NS";
            print "\t Adding NS: ", $rr->nsdname, "\n";
            push @servers, $rr->nsdname;
        }
        if ( !@servers ) {
            print "\t no NS records found for TLD $tld, skipping\n";
            delete $q{$tld};
            next;
        }
        $q{$tld}->nameservers(@servers);
        # $q{$tld}->debug(1);
        print "\n";
    }

    # do the query for the domain
    $result = $q{$tld}->send( "$second.$tld", "NS" );
    if ( !$result ) {
        print "   query failed: ", $q{$tld}->errorstring, "\n";
        next;
    }
    print "   answer from: ", $result->answerfrom, "\n";
    # com/net put the NS records in ANSWER, most other TLDs in AUTHORITY, so print both
    foreach my $rr ( $result->answer() ) {
        print "\t", $rr->string, "\n";
    }
    foreach my $rr ( $result->authority() ) {
        print "\t", $rr->string, "\n";
    }
}
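The check the post leaves as an exercise: pull the NS targets out of both the ANSWER and AUTHORITY sections, and report any zone you serve whose delegation does not name one of your servers. This is an added example, not the author's script; the responses below are constructed stand-ins for what the TLD servers return (the zone and server names are made up), and a real run would fill them from the NS queries above.

```python
# Constructed NS responses modelling the two layouts the post describes:
# com/net answer in the ANSWER section, most other TLDs in AUTHORITY.
# Each record is (owner, type, rdata).
SAMPLE_RESPONSES = {
    "example.com": {"answer":    [("example.com.", "NS", "ns1.friend.example."),
                                  ("example.com.", "NS", "NS2.mydns.example.")],
                    "authority": []},
    "example.org": {"answer":    [],
                    "authority": [("example.org.", "NS", "ns1.friend.example."),
                                  ("example.org.", "NS", "ns2.mydns.example.")]},
    "stale.org":   {"answer":    [],
                    "authority": [("stale.org.", "NS", "ns1.other.example.")]},
    "gone.net":    {"answer":    [], "authority": []},   # no delegation at all any more
}

def canon(name):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.rstrip(".").lower()

def delegated_ns(response):
    """NS targets from both sections, since TLD servers differ in where they put them."""
    names = set()
    for section in ("answer", "authority"):
        for _owner, rtype, rdata in response.get(section, []):
            if rtype == "NS":
                names.add(canon(rdata))
    return names

def check_delegations(zones, our_servers, responses):
    """Return {zone: sorted delegated NS names} for every zone in `zones` whose
    delegation lists none of `our_servers` (an empty list means no delegation found)."""
    ours = {canon(s) for s in our_servers}
    problems = {}
    for zone in zones:
        ns = delegated_ns(responses.get(zone, {}))
        if not ns & ours:
            problems[zone] = sorted(ns)
    return problems

if __name__ == "__main__":
    # zones we secondary (constructed), and the name our server is known by (constructed)
    zones = ["example.com", "example.org", "stale.org", "gone.net"]
    for zone, ns in check_delegations(zones, ["ns2.mydns.example"], SAMPLE_RESPONSES).items():
        print(f"{zone}: not delegated to us; delegation lists {ns or 'nothing'}")
```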

