Saturday, July 26, 2014

Incidence Response: Important Linux Commands and Log Files

Most of the log files are located at
/var/log/

btmp, utmp, wtmp
last -f /var/log/btmp | more
last
recent login information for all the users
lastlog                

/var/log/secure       contains information about authentication and authorization

auth.log
maillog

Sunday, July 20, 2014

Privilege Escalation by Exploiting SUID Binaries


There might be situations where unprivileged users need to complete tasks which needs privileges. Best examples might be ping, passwd etc.

Understanding File Permissions
There are three permission types
r - read
w - write
x - execute
_ rwx r_x __x 

Brown underscore indicates file type (d - directory, l - link, p - pipe etc.), rwx in yellow indicates permissions for file owner or User, r_x in green indicates Group permissions, __x in blue indicates  permissions for all Other users.

                                         Figure. Program to demo SUID exploitation

test_suid.c is a demo exploit file can be compiled using GCC
# gcc test_suid.c -o test_suid
Compiling as root user to make sure file is owned by root.

When test_suid binary is executed without SUID bit set, we still have prdarsha user permissions.

                                          Figure.Executing binary with SUID bit not set

Now lets execute test_suid binary after setting SUID bit which will escalate the privilege from notmal user to root user.
File permissions can be set using below command (also refer Figure. File Permissions)
# chmod u+s test_suid

                                          Figure. Executing binary with SUID bit set

Checking the permissions of important file like passwd
                                          Figure. File Permissions

Finding all executable's which have SUID bit set
find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;

Wednesday, July 16, 2014

HTTP DDoS Mitigations

Multiple get requests to a specific resource which need resources to generate the response might lead to a DoS/DDoS condition.

HTTP POST DDoS
Client tells the web server how large the message body is,say, “Content-Length = 800” but is sent with huge latency say 1 byte per 100 seconds.

Load balancers
Reverse Proxies
Attacker ---- Reverse Proxy ---- Original Server
Reverse Proxy serves the resources hiding original Web Server
Delayed binding
TCP slicing
Monitoring Header, request patterns
Malware/Bots/Scripts have a specific request patterns unlike human.
Cookies
Captchas
Invalid User-Agents, same packet size, dynamic referrers
Detection of rotating IP Addresses, User-Agent's, Referrers


Apache Mitigation mechanisms
mod_reqtimeout
LimitRequestBody directive
mod_antiloris

Akamai provides a real-time mapping info
http://www.akamai.com/html/technology/dataviz1.html

Deleting Flows from OVSK and CPqD Switches

Start Mininet and on on Mininet console execute "pingall" which creates 2 default flows part of Table Zero.

To see the flows use
sudo ovs-ofctl -O OpenFlow13 dump-flows s1

To delete flows
sudo ovs-ofctl del−flows switch
sudo ovs-ofctl del−flows switch [flow]
 

With only a switch argument, deletes all flows. Otherwise, deletes flow entries that match the specified flows. 

sudo ovs-ofctl del−flows s1 "table=0"

Deleting flows from CPqD switch
sudo dpctl unix:/var/run/s1.sock flow-mod cmd=del,table=0
We can also use "del-flows".