Saturday, July 26, 2014

Incident Response: Important Linux Commands and Log Files

Most of the log files are located at

btmp, utmp, wtmp
last -f /var/log/btmp | more
recent login information for all the users

/var/log/secure       contains information about authentication and authorization


Sunday, July 20, 2014

Privilege Escalation by Exploiting SUID Binaries

There are situations where unprivileged users need to complete tasks that require elevated privileges. Typical examples are ping, passwd etc.

Understanding File Permissions
There are three permission types
r - read
w - write
x - execute
_ rwx r_x __x 

The brown underscore indicates the file type (d - directory, l - link, p - pipe etc.), rwx in yellow indicates permissions for the file owner (User), r_x in green indicates Group permissions, and __x in blue indicates permissions for all Other users.

Figure. Program to demo SUID exploitation

test_suid.c is a demo exploit file that can be compiled using GCC
# gcc test_suid.c -o test_suid
It is compiled as the root user to make sure the file is owned by root.

When the test_suid binary is executed without the SUID bit set, we still have the permissions of the prdarsha user.

Figure. Executing binary with SUID bit not set

Now let's execute the test_suid binary after setting the SUID bit, which will escalate the privilege from normal user to root user.
File permissions can be set using the command below (also refer to Figure. File Permissions)
# chmod u+s test_suid

Figure. Executing binary with SUID bit set

Checking the permissions of important files like passwd
Figure. File Permissions

Finding all executables which have the SUID bit set (the -perm -02000 test also matches files with the SGID bit set)
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
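
The find command above can be turned into a repeatable audit. The following is an added example, not code from the original post: it lists set-id files under a directory and reports those missing from a known-good baseline or writable by group/others. The function names and the baseline format (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files against a baseline of expected paths.
# list_setid, audit_setid and the baseline file format are hypothetical names
# chosen for this example. Paths containing newlines are not supported.

# list_setid DIR: print every regular file under DIR that has the SUID (04000)
# or SGID (02000) bit set, sorted, without crossing filesystem boundaries.
list_setid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# audit_setid DIR BASELINE: report findings, one per line:
#   NEW <path>       set-id file that is not listed in BASELINE
#   WRITABLE <path>  set-id file that group or others can modify
audit_setid() {
    dir=$1
    baseline=$2
    list_setid "$dir" | while IFS= read -r f; do
        # -F fixed string, -x whole-line match, -q quiet
        grep -Fxq -- "$f" "$baseline" || printf 'NEW %s\n' "$f"
        # Re-test only this file for the group-write or other-write bit
        if [ -n "$(find "$f" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            printf 'WRITABLE %s\n' "$f"
        fi
    done
}

# Run the audit only when a directory and a baseline file are given.
if [ "$#" -eq 2 ]; then
    audit_setid "$1" "$2"
fi
```

Create the baseline once on a known-good system with list_setid / > baseline.txt, then run audit_setid / baseline.txt periodically; any output deserves a look.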

Wednesday, July 16, 2014

HTTP DDoS Mitigations

Multiple GET requests to a specific resource that is expensive for the server to generate might lead to a DoS/DDoS condition.

The client tells the web server how large the message body is, say, “Content-Length = 800”, but the body is then sent with huge latency, say 1 byte per 100 seconds.

Load balancers
Reverse Proxies
Attacker ---- Reverse Proxy ---- Original Server
Reverse Proxy serves the resources hiding original Web Server
Delayed binding
TCP slicing
Monitoring Header, request patterns
Malware/bots/scripts have specific request patterns, unlike humans.
Invalid User-Agents, same packet size, dynamic referrers
Detection of rotating IP addresses, User-Agents, Referrers

Apache Mitigation mechanisms
LimitRequestBody directive

Akamai provides real-time mapping info

Deleting Flows from OVSK and CPqD Switches

Start Mininet and on the Mininet console execute "pingall", which creates 2 default flows as part of Table Zero.

To see the flows use
sudo ovs-ofctl -O OpenFlow13 dump-flows s1

To delete flows
sudo ovs-ofctl del-flows switch
sudo ovs-ofctl del-flows switch [flow]

With only a switch argument, deletes all flows. Otherwise, deletes flow entries that match the specified flows. 

sudo ovs-ofctl del-flows s1 "table=0"

Deleting flows from CPqD switch
sudo dpctl unix:/var/run/s1.sock flow-mod cmd=del,table=0
We can also use "del-flows".