Most of the log files are located at /var/log/
btmp, utmp, wtmp (login records; read them with last -f, e.g.)
last -f /var/log/btmp | more
last: recent login information for all users
lastlog
/var/log/secure contains information about authentication and authorization
auth.log
maillog
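As an added example (not from the original post), a small Python parser that runs over constructed sshd lines in the /var/log/secure (auth.log) format, counts failed logins per source address and notes whether that source later logged in successfully; the host name, user names and addresses in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure or auth.log.
SAMPLE_LOG = """\
Jul 26 10:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jul 26 10:01:04 host sshd[2101]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2
Jul 26 10:01:06 host sshd[2102]: Failed password for root from 203.0.113.9 port 51250 ssh2
Jul 26 10:01:09 host sshd[2103]: Failed password for root from 203.0.113.9 port 51261 ssh2
Jul 26 10:01:15 host sshd[2104]: Accepted password for prdarsha from 192.0.2.10 port 40100 ssh2
Jul 26 10:02:00 host sshd[2105]: Failed password for prdarsha from 192.0.2.10 port 40102 ssh2
Jul 26 10:02:30 host sshd[2106]: Accepted publickey for prdarsha from 192.0.2.10 port 40105 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def summarize(log_text):
    """Count failed logins per source IP and record a later successful login from it."""
    failures = defaultdict(lambda: {"count": 0, "users": set(), "later_success": False})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip]["count"] += 1
            failures[ip]["users"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(3) in failures:  # success after earlier failures from the same IP
            failures[m.group(3)]["later_success"] = True
    return failures

def suspicious_sources(log_text, threshold=3):
    """Return the IPs with at least `threshold` failed logins, with their details."""
    return {ip: info for ip, info in summarize(log_text).items() if info["count"] >= threshold}
```

The same regexes work on the live file by reading /var/log/secure (or auth.log) instead of SAMPLE_LOG.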
Bit of Everything! Vulnerability Research, Reverse Engineering, Malware Analysis, Exploits etc...
Saturday, July 26, 2014
Sunday, July 20, 2014
Privilege Escalation by Exploiting SUID Binaries
There are situations where unprivileged users need to complete tasks that require privileges; ping and passwd are the best-known examples.
Understanding File Permissions
There are three permission types:
r - read
w - write
x - execute
- rwx r-x --x
The leading character indicates the file type (d - directory, l - link, p - pipe etc.), the first triplet (rwx) indicates the permissions of the file owner (User), the second (r-x) the Group permissions, and the third (--x) the permissions for all Other users.
Figure. Program to demo SUID exploitation
test_suid.c is a demo file and can be compiled with GCC:
# gcc test_suid.c -o test_suid
Compile as the root user so that the resulting binary is owned by root.
When the test_suid binary is executed without the SUID bit set, it still runs with the permissions of the invoking user (prdarsha).
Figure. Executing binary with SUID bit not set
Now let's execute the test_suid binary after setting the SUID bit, which escalates the privilege from a normal user to root.
The SUID bit can be set with the command below (also refer to Figure. File Permissions):
# chmod u+s test_suid
Figure. Executing binary with SUID bit set
Checking the permissions of an important SUID file such as passwd
Figure. File Permissions
Finding all executables which have the SUID or SGID bit set:
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
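Added example, not the post's code: a Python equivalent of the find command above that walks a tree for SUID/SGID files and diffs the result against a recorded baseline, which is how a defender notices a newly planted set-id binary such as test_suid. The demo tree, file names and baseline are constructed here.

```python
import os
import stat
import tempfile

def find_setid_files(root):
    """Walk `root` and return {path: permission bits} for regular files with the SUID
    or SGID bit set (same selection as find -perm -04000 / -perm -02000 above)."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = stat.S_IMODE(st.st_mode)
    return found

def compare_with_baseline(current, baseline):
    """Return sorted (path, mode) for files that are new since the baseline or whose
    SUID/SGID bits (the 0o6000 bits) differ from what the baseline recorded."""
    changed = []
    for path, mode in current.items():
        base = baseline.get(path)
        if base is None or (base & 0o6000) != (mode & 0o6000):
            changed.append((path, mode))
    return sorted(changed)

def make_demo_tree(root):
    """Constructed demo tree: one SUID file, one SGID file, one plain executable."""
    os.makedirs(root, exist_ok=True)
    for name, mode in (("test_suid", 0o4755), ("sgid_tool", 0o2755), ("plain", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
        os.chmod(path, mode)  # set the bits after writing so they are not cleared
    return root

def demo():
    """Scan the constructed tree and diff it against a baseline that only knows
    sgid_tool; returns (all set-id basenames found, basenames reported as new)."""
    root = make_demo_tree(tempfile.mkdtemp(prefix="suid_demo_"))
    found = find_setid_files(root)
    baseline = {os.path.join(root, "sgid_tool"): 0o2755}
    reported = compare_with_baseline(found, baseline)
    return (sorted(os.path.basename(p) for p in found),
            [os.path.basename(p) for p, _ in reported])
```

Running find_setid_files("/") as root and storing the result gives the baseline to compare against on later scans.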
Wednesday, July 16, 2014
HTTP DDoS Mitigations
Multiple GET requests to a specific resource that is expensive to generate might lead to a DoS/DDoS condition.
HTTP POST DDoS
The client tells the web server how large the message body is, say "Content-Length: 800", but sends the body with huge latency, say 1 byte per 100 seconds.
Load balancers
Reverse Proxies
Attacker ---- Reverse Proxy ---- Original Server
The reverse proxy serves the resources, hiding the original web server.
Delayed binding
TCP splicing
Monitoring headers and request patterns
Malware, bots and scripts have specific request patterns, unlike humans.
Cookies
Captchas
Invalid User-Agents, same packet size, dynamic referrers
Detection of rotating IP addresses, User-Agents, referrers
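Added example, not part of the original post: detection logic in Python over constructed Apache combined-format access log lines, flagging clients that show the bot patterns listed above (one resource hammered, rotating User-Agents and referrers, identical response sizes, missing User-Agent). Addresses, paths and agents in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines: ip, time, request, status, bytes, referer, user-agent.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [16/Jul/2014:12:00:01 +0000] "GET /search?q=a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jul/2014:12:00:01 +0000] "GET /search?q=a HTTP/1.1" 200 512 "-" "curl/7.30"
198.51.100.7 - - [16/Jul/2014:12:00:02 +0000] "GET /search?q=a HTTP/1.1" 200 512 "http://x.example/" "Wget/1.15"
198.51.100.7 - - [16/Jul/2014:12:00:02 +0000] "GET /search?q=a HTTP/1.1" 200 512 "http://y.example/" "-"
192.0.2.33 - - [16/Jul/2014:12:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.33 - - [16/Jul/2014:12:00:09 +0000] "GET /about HTTP/1.1" 200 1300 "http://site.example/" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} (\S+) "([^"]*)" "([^"]*)"')

def profile_clients(log_text):
    """Per client IP, collect request count, distinct resources, User-Agents, referrers and sizes."""
    clients = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set(), "referrers": set(), "sizes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _method, path, size, referer, agent = m.groups()
        c = clients[ip]
        c["requests"] += 1
        for key, value in (("paths", path), ("agents", agent), ("referrers", referer), ("sizes", size)):
            c[key].add(value)
    return clients

def flag_bots(log_text, min_requests=4):
    """Return {ip: [reasons]} for clients with at least min_requests hits that show bot-like patterns."""
    flagged = {}
    for ip, c in profile_clients(log_text).items():
        if c["requests"] < min_requests:
            continue
        reasons = []
        if len(c["paths"]) == 1:
            reasons.append("single resource hammered")
        if len(c["agents"]) > 1:
            reasons.append("rotating User-Agents")
        if len(c["referrers"]) > 1:
            reasons.append("rotating referrers")
        if len(c["sizes"]) == 1:
            reasons.append("identical response sizes")
        if c["agents"] & {"", "-"}:
            reasons.append("missing User-Agent")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On a real server the thresholds need tuning per site; the point is that each pattern is cheap to compute from logs the web server already writes.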
Apache mitigation mechanisms
mod_reqtimeout
LimitRequestBody directive
mod_antiloris
Akamai provides real-time attack mapping info:
http://www.akamai.com/html/technology/dataviz1.html
Deleting Flows from OVSK and CPqD Switches
Start Mininet and, on the Mininet console, execute "pingall", which creates 2 default flows in table 0.
To see the flows use
sudo ovs-ofctl -O OpenFlow13 dump-flows s1
To delete flows
sudo ovs-ofctl del-flows switch
sudo ovs-ofctl del-flows switch [flow]
With only a switch argument, deletes all flows. Otherwise, deletes flow entries that match the specified flows.
sudo ovs-ofctl del-flows s1 "table=0"
Deleting flows from CPqD switch
sudo dpctl unix:/var/run/s1.sock flow-mod cmd=del,table=0
We can also use "del-flows".
Thursday, July 3, 2014
Learn IoT/IoE/SCADA/SmartGrid Security
The links below might be useful for learning about different attacks on SCADA systems and related concepts.
http://iotsecuritylab.com/
http://builditsecure.ly/
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
Industrial Security
https://ics-cert.us-cert.gov/
http://smartgrid.ieee.org/
http://www.cpni.gov.uk/advice/cyber/scada/
http://www.tenable.com/solutions/scada-security
http://scadahacker.com/library/
http://www.kaspersky.com/industrial-security-cip
http://www.icscybersecurityconference.com/session/kaspersky-industrial-protection-simulation-kips/
http://www.wbdg.org/resources/cybersecurity.php?r=secure_safe
http://www.technologyuk.net/telecommunications/industrial_networks/
Tools
https://code.google.com/p/plcscan/
https://code.google.com/p/modscan/
https://code.google.com/p/scada-tools/source/browse/profinet_scanner.py
https://code.google.com/p/scada-tools/
Modbus Emulator
http://www.modbustools.com/download.asp
http://sourceforge.net/projects/libnodave/
Protocol Dissector
http://www.wireshark.org/docs/dfref/c/cip.html
http://sourceforge.net/projects/s7commwireshark/
Other References
www.odva.org
http://scadastrangelove.org/
http://www.scadahacker.com/
http://www.digitalbond.com/