RIP - Dennis Ritchie (1941-2011)
Posted in /etc/IT_security/news, /home/open-source on October 17th, 2011 by Rick Zhong

#include <stdio.h>

int main(void)
{
    printf("Goodbye World\n");
    return 0;
}
What do you think of when you see the pinky pig?
And the balance is tilted to the pinky pig!!
Last Thursday I gave a presentation on Dan Kaminsky’s recent DNS finding to the local security meetup group folks. It has been a while since I last laid my hands on network packet analysis, tweaking a bind9 server, and even BackTrack 3 looks fresh and interesting to me again.
Initially I thought it would be a huge task to set up a full POC environment for the DNS attack. I was planning and thinking about all the details such as the race conditions, a full-function attacker-controlled DNS server, and segregation of the testing environment. However, the more I planned, the messier it became, until a point where I told myself: forget about it, this is not a huge corporate project that needs all the planning, risk analysis etc. Let’s just be a normal script kiddie: get an available exploit, understand it and set up a minimum environment to try it; if it works, that’s it. If it doesn’t work, then we analyze what the problem is. This turned out to be a fantastic plan and again all my old friends - VMware, Ubuntu, Metasploit, Wireshark and BackTrack - came to the rescue. Here is the simple but fully workable setup (all in one Lenovo T61 laptop):
Vulnerable DNS server
Attacker machine
Client PC
The success rate for the POC is quite high: more than 70% of the spoof attacks (using the Metasploit module) were able to successfully inject the records into the vulnerable DNS server within 20 minutes. I have attached a copy of the Metasploit screen output and a corresponding Wireshark traffic dump for one of the POC attacks - making the vulnerable DNS server point www.jpmorgan.com to IP address 192.168.1.226.
The POC for this attack is pretty safe because the traffic is only routed within the LAN, except for the initial target DNS nameserver list queries. Anyway, the initial queries are entirely harmless because they are just normal DNS queries to a third-party DNS server. Lastly, Metasploit’s check for recursive DNS servers is a bit buggy. It throws out false negatives and always considers the target vulnerable DNS server “not vulnerable”. I am yet to find out the reason.
Bind9 Named Config Options: namedconf.options
Metasploit Console Output: msf_output_jpmorgan
Meetup Slides: understand-kaminskys-dns-attacks-oct-2008.ppt
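As an added example (not from the post, the slides or the Metasploit module), here is a small Python check over the kind of traffic the Wireshark dump shows from the resolver's side: it pairs each outgoing query with incoming replies by (qname, TXID) and reports names that attract a burst of replies whose TXIDs match no outstanding query, which is what a recursive server sees while someone is guessing its transaction IDs. The packet builder, the sample capture, the names and the threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

def encode_qname(name):
    """Encode a dotted name into DNS label format (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_dns(txid, is_response, qname, qtype=1):
    """Minimal DNS message: 12-byte header plus one IN-class question."""
    flags = 0x8180 if is_response else 0x0100   # QR+RD+RA for replies, RD for queries
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)

def parse_dns(payload):
    """Return (txid, is_response, qname) from the header and first question."""
    txid, flags = struct.unpack("!HH", payload[:4])
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)

def detect_spoof_flood(packets, threshold=8):
    """packets: (direction, payload) pairs seen at the resolver, "out" for a query it
    sent and "in" for a reply it received. Replies matching no outstanding
    (qname, txid) are counted; names with >= threshold of them are reported."""
    outstanding = set()
    unmatched = defaultdict(int)
    for direction, payload in packets:
        txid, is_resp, qname = parse_dns(payload)
        key = (qname, txid)
        if direction == "out" and not is_resp:
            outstanding.add(key)
        elif direction == "in" and is_resp:
            if key in outstanding:
                outstanding.discard(key)
            else:
                unmatched[qname] += 1
    return {q: n for q, n in unmatched.items() if n >= threshold}

def constructed_capture():
    """Constructed sample, not the post's pcap: one legitimate exchange, then a
    query for a random-looking label answered by 20 replies with wrong IDs."""
    pkts = [("out", build_dns(0x1234, False, "www.example.com")),
            ("in", build_dns(0x1234, True, "www.example.com")),
            ("out", build_dns(0x4A3F, False, "abc123.example.com"))]
    pkts += [("in", build_dns(t, True, "abc123.example.com")) for t in range(1, 21)]
    return pkts
```

On real traffic the same pairing would also key on the resolver's UDP source port, which is exactly the extra entropy source-port randomization adds.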
I just rushed back from this month’s Security meetup and finished attending a 40-minute conference call with my teammates in the US. Today’s meetup was really impressive because we had Rogan Dawes, the author of WebScarab, in town and he gave us an hour talk on WebScarab. It was really nice to meet these guys who created fantastic tools and brought tremendous value to the community. I also prepared a short presentation on Web Application Testing Using Burp Suite together with a little demo. However I encountered quite a few technical glitches with the projector and my Ubuntu laptop and wasted almost 30 mins trying to fix them. It was really a pity that I couldn’t show all my materials although the guys in the group waited for me patiently. I shall find out the bugs and make sure my next presentation won’t be messed up.
Here is my presentation slide if you are interested: Web PT Using Burp Suite
Surprise, surprise, surprise! I can’t launch my newly baked VMware Server 2.0 Beta on my Ubuntu 7.10 console. vm-anywhere patch? Dependency issue? Incompatible customized kernel? But there is no error message and it just asks me to read the man page. Everything works fine when I use the web UI … mmmm… . May the force be with you, and my Star Wars heroes/villain’s chat cleared all my questions.
Quoted from Linux Mag http://www.linux-mag.com/id/4403
============================================
We take you now to the Planet Virtual, where two combatants are already engaged in mortal combat. Laser swords drawn and at the ready, and facing each other on opposing levitating anti-gravity platforms hovering over a fiery river of molten metal, the opponents utter their final words.
Open Source Kernobi: Darth, slow, memory hogging and less functional Web interfaces compared to native Linux software are evil. Why did you remove the native Linux console client from VMware Server in the 2.0 release? We’ve been using it for years and it’s worked great.
Darth VMware: Evil from your point of view! From my point of view, the Open Source freeloaders and non-paying end-users are evil. You should be lucky that we give you a free Server product, period. And besides, if you don’t like the Web interface, you can always use the Windows-based Virtual Infrastructure client. You want native? Use our free VMware Player or buy VMware Workstation.
Open Source Kernobi: Well, then you are lost! That’s not what we Linux users want! Don’t you remember who and what you started with, back in 1999? Developers and power users need a free server with a native client!
Darth VMware: This is the end for you, My Linux community. I wish it were otherwise.
The fighting continues for what seems like an eternity, with the opponents trading blows against each other, until what seems like a stalemate. Finally, Kernobi opens up his Targus laptop bag, and produces a huge stack of DVDs, containing Linux distro builds with integrated Xen, KVM, and Virtualbox — all native and Open Source Virtualization packages for Linux.
Kernobi: It’s over, Darth. Open Source has the high ground. Our hypervisors and management tools are catching up to you in polish and functionality, while you lag behind in driver support in your enterprise product offerings, produce bloatware, and alienate the fan base which got your company started in the first place.
Darth VMware: We’ve outgrown your community, Kernobi. You underestimate our power! We have more than 80 percent market share and we’re backed by one of the biggest names in enterprise storage. We can sit on our laurels, force end-users to eat whatever we give them, and we’ll get away with it too.
Kernobi: Don’t try it, Darth. Once the end users get a taste of free and open source virtualization, they’ll want to go to Citrix, Oracle, Red Hat, Novell, SWsoft or any other vendor that will give them support at their enterprise. Your 80 percent market share will shrink like a slice of Bantha bacon hitting a cast iron pan.
And so it went. Well, we all know how that sucky movie ended. Darth got burnt to a cinder and ended up having to wear a permanent sleep apnea mask welded to his face, and Kernobi and the rest of his kind retreated into the safety of their Open Source development model, one day to return and conquer the proprietary villains.
Of course, it didn’t have to end that way if Darth didn’t want to maintain the native Linux client anymore, they could have open sourced it for the community to maintain it themselves. Or better yet, release their entire hosted virtualization product as open source, since their enterprise hypervisor-based version ESX Server and its derivative products are what make them the big bucks anyway.
And as to Darth’s concerns of an open source version detracting from sales of their hosted VMware Workstation product, from which VMware Server shares much of its technology? Well, think of it as free development resources. Red Hat and Novell have been able to make that work for them. People still want to pay for support for a fully regression tested and stable version.
Of course, if I were one of Darth’s competitors and one of Kernobi’s friends — such as the aforementioned Citrix, Oracle, Red Hat or Novell all of which are using Open Source hypervisors as basis for their commercial virtualization products — I’d come out with an easy to install free product that seamlessly and easily converted VMware images over to whatever their native VM file format is, as well as a physical-to-virtual converter utility, with a nice, fast and native Linux GUI front-end. I might write it in a multi-platform toolset like QT, or maybe even Java so the client will run on Macs and Windows too.
Oh yeah, and if they want support and enterprise capabilities, they should charge them for that too. Cause, like, people pay for that. Even the Linux freeloaders, when they go to their day jobs in corporate America.
Jason Perlow is Senior Technology Editor of Linux Magazine. You can send Jason email at jperlow@linux-mag.com.
==============================================
It took me a few nights to figure out what’s wrong with the failed kernel re-configuration. My customized Ubuntu 7.10 kernel always got stuck at the Ubuntu logo stage. The re-compile process usually takes 55 mins on my Inspiron 8600 and it is really time-consuming. I am not sure whether there is any short-cut available.
3 weird bugs I encountered:
- Symmetric multi-processing support
When this option is enabled, there will be a setting of “Maximum number of CPUs (2-255)”. The initial generic kernel configuration enables SMP and sets the max number at 8. It seems the moment I change this number to 4 or 2 etc., the new kernel will get stuck at the Ubuntu logo page. I still can’t figure out why this option matters. For the moment, I disable SMP altogether (anyway my lappy is not SMP) and it works fine.
- firmware files are not copied
Somehow the firmware files located in the /lib/firmware/2.6.22-14-generic directory are not copied to the new kernel directory if you follow the kernel recompiling procedure in my previous post. One of the affected components is my wireless ipw2100 driver. Anyway, just copy them to the new kernel directory and it solves all the problems, since we are only re-configuring the kernel using the same source.
- abnormally big initrd.img
Initially it was very weird that the newly configured kernel’s initrd.img is significantly larger (>40M, the generic one is only 7M), but the new vmlinux is 0.3M (15%) smaller and System.map is 40k (5%) smaller. After googling a bit, I managed to find the reason from this thread. The ‘Kernel hacking / Kernel debugging’ option needs to be disabled manually. Again this is funny because I copied the generic config file and used it as the base for my customization, but somehow the kernel debugging option is enabled in the config although it is not in the generic kernel. After disabling ‘Kernel debugging’, the initrd.img size is back to normal (6.7M) and 0.5M (7%) smaller than the generic one.
In conclusion, there are still bugs here and there in the kernel compilation process, but the mass user base of Ubuntu provides excellent support for all the trouble-shooting. It is much easier and more convenient to do kernel re-configuration nowadays.
Just managed to get a 2nd hand Dell Inspiron 8600 lappy for less than S$220. It came from a liquidation sale and is in almost new condition. However the charger was spoiled and 512MB RAM was merely sufficient for me to run at most 1 VM instance. Sourcing a replacement charger and 1G DDR1 RAM did take some time and finally I got everything ready for a total sum of S$130. So S$350 for an almost new Dell is definitely a bargain. To my surprise the battery life is excellent and can last more than 3.5 hours with continuous wifi connection. I guess dimming the back-light does help a lot to save battery.
This lappy will be the new playground for my infosec + linux + exploits + MMORPG hacking + anything geeky under the sun research activities. 1st thing 1st …Ubuntu 7.10… the installation was a breeze until I wanted to run the Linux EVE-online client and it just hung after the initial login screen. Then I realized it is using Wine and since I haven’t done much study of Wine configuration, I decided to figure it out later. After the initial installation, a customized kernel is what I usually did in my Redhat days and same here for Ubuntu.
1) Check the current kernel version and download the kernel source. My Ubuntu 7.10 Desktop is currently using 2.6.22-14
$ uname -a
2) (optional) Patch the source and create the /usr/src/linux softlink
3) Copy the kernel config from the existing kernel to /usr/src/linux
$ cp /boot/config-`uname -r` ./.config
4) Configure kernel
$ make menuconfig
Here I strongly suggest you start with your current kernel and add/remove modules in batches so that when a problem occurs you will know exactly which change caused it. Yes, I know you need to recompile the kernel and it takes a lot of time, but unless you are very sure what each module does, it will cost you more time to figure out what went wrong if you make all the changes in one go.
5) Compile kernel
$ make-kpkg clean
$ fakeroot make-kpkg --initrd --append-to-version=-custom kernel_image kernel_headers
(It took more than 50 mins on my Dell)
6) Create boot image
$ dpkg -i linux-image-2.6.18.1-custom_2.6.18.1-custom-10.00.Custom_i386.deb
$ dpkg -i linux-headers-2.6.18.1-custom_2.6.18.1-custom-10.00.Custom_i386.deb
(This is very handy)
7) Verify your entry in /boot/grub/menu.lst
Restart your machine and pray it works!
One of the main references I used is here.
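The "change in batches" advice in step 4, and the surprise in the later post that a .config copied from the generic kernel ended up with kernel debugging enabled, both come down to knowing exactly which CONFIG_* symbols differ between the base config and the customized one. As an added example (not from the post or from any kernel tool), here is a Python differ that understands both the `CONFIG_X=y` and the `# CONFIG_X is not set` forms; the two config fragments are constructed stand-ins, and the mapping of the post's menuconfig entries to the watched CONFIG_* symbols is an assumption.

```python
import re

def parse_kconfig(text):
    """Map CONFIG_* symbols to their values; '# CONFIG_X is not set' -> 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = re.match(r"(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def diff_kconfig(base_text, custom_text):
    """{symbol: (base_value, custom_value)} for every symbol whose value
    differs; a symbol missing on one side shows up as None there."""
    base, custom = parse_kconfig(base_text), parse_kconfig(custom_text)
    return {k: (base.get(k), custom.get(k))
            for k in sorted(base.keys() | custom.keys())
            if base.get(k) != custom.get(k)}

# Symbols behind the three bugs in the later post (menuconfig shows other
# names; this CONFIG_* mapping is assumed here, not quoted from the post).
WATCH = ("CONFIG_SMP", "CONFIG_NR_CPUS", "CONFIG_DEBUG_KERNEL", "CONFIG_DEBUG_INFO")

def suspicious_changes(diff):
    """Subset of the diff worth a second look before a 55-minute rebuild."""
    return [k for k in WATCH if k in diff]

# Constructed fragments standing in for /boot/config-<generic> and the
# customised .config; they are not the post's real files.
GENERIC_CONFIG = """\
CONFIG_SMP=y
CONFIG_NR_CPUS=8
# CONFIG_DEBUG_KERNEL is not set
# CONFIG_DEBUG_INFO is not set
CONFIG_IPW2100=m
"""
CUSTOM_CONFIG = """\
CONFIG_SMP=y
CONFIG_NR_CPUS=4
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_INFO=y
CONFIG_IPW2100=m
CONFIG_LOCALVERSION="-custom"
"""
```

Run `diff_kconfig(open("/boot/config-2.6.22-14-generic").read(), open(".config").read())` between batches to keep each rebuild down to a reviewable set of changes.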