Tuesday, August 26, 2008

HeX 021: Decode base64

A lot of malicious content is base64-encoded to hide what it actually carries, so being able to decode it quickly is handy.

This is just a quick one, as a friend asked me how to decode base64. A one-liner with Python -

shell>python -c "import binascii; print(binascii.a2b_base64('encoded strings here'))"

a2b_base64 returns the raw decoded bytes, so if the payload is binary (an executable, a compressed blob) redirect the output to a file instead of reading it on the terminal.


Or you can use nsm console if you are running HeX -

nsm>decode base64 'encoded strings here'
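The one-liners are enough for a clean string. Base64 pulled out of malicious content is usually messier: padding stripped, the URL-safe alphabet, the blob wrapped across lines, or encoded twice. Here is an added example in Python 3 (the one-liners above are Python 2 era) that is not from the original post; the sample strings at the bottom are constructed for the demo.

```python
# Added example, not code from the original post: decoding base64 found in
# suspicious content with Python 3. Handles what the plain one-liner does not:
# stripped '=' padding, the URL-safe alphabet, line-wrapped blobs, nested
# (double) encoding, and binary output that should not be printed as text.
import base64
import binascii
import re
import string

# Standard or URL-safe alphabet, optional padding, no whitespace.
_LOOKS_B64 = re.compile(r"^[A-Za-z0-9+/_\-]+={0,2}$")

# File headers worth recognising in a decoded blob.
_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip data",
}


def decode_b64(blob):
    """Decode standard or URL-safe base64, repairing missing padding.

    Raises binascii.Error for input that cannot be base64 (bad length or
    characters outside the alphabet).
    """
    s = "".join(blob.split())          # join wrapped lines, drop spaces
    if not s:
        return b""
    urlsafe = ("-" in s or "_" in s) and not ("+" in s or "/" in s)
    s = s.rstrip("=")
    if len(s) % 4 == 1:                # no base64 encoding has length 1 mod 4
        raise binascii.Error("invalid base64 length")
    s += "=" * (-len(s) % 4)           # restore padding that was stripped
    if urlsafe:
        s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s, validate=True)


def decode_layers(blob, max_depth=5):
    """Peel nested base64 (encoding the encoded string again is a common
    obfuscation trick). Returns each layer's bytes, outermost first, and
    stops as soon as a layer no longer looks like base64."""
    layers = []
    cur = "".join(blob.split())
    for _ in range(max_depth):
        if not _LOOKS_B64.match(cur):
            break
        try:
            data = decode_b64(cur)
        except binascii.Error:
            break
        layers.append(data)
        try:
            cur = data.decode("ascii")
        except UnicodeDecodeError:
            break
    return layers


def describe(data):
    """Label decoded bytes: known file header, printable text, or binary."""
    for magic, name in _MAGIC.items():
        if data.startswith(magic):
            return name
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary (%d bytes)" % len(data)
    if text and all(c in string.printable for c in text):
        return "text: " + text
    return "binary (%d bytes)" % len(data)


if __name__ == "__main__":
    # Constructed samples: a double-encoded shell command and a URL-safe blob
    # with its padding removed.
    for sample in ("YVdRN2QyaHZZVzFw", "-_8"):
        for depth, layer in enumerate(decode_layers(sample)):
            print("%s layer %d: %s" % (sample, depth, describe(layer)))
```

The "looks like base64" check is a heuristic: any run of letters and digits whose length is not 1 mod 4 decodes to something, so decode_layers only keeps peeling while the text is made purely of alphabet characters, and you still have to look at what comes out.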

Enjoy ;]

Tuesday, August 19, 2008

HeX 021: Resolving Ihack 2008 password.pcap

My friend ayoi has posted the Ihack 2008: Defense Challenge here. I don't really have time to look into the whole game, but I gave password.pcap a shot to figure out the passphrase.

I decided to use the HeX liveCD for this quick challenge, since chfl4gs_ presented it at IHack. An initial look at the traffic -

shell>tcpdump -ttttnnr password.pcap
reading from file /home/analyzt/rp-Analysis/password.pcap, link-type EN10MB (Ethernet)
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:1879048192(0) win 512
2008-08-14 12:21:11.469524 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 1879048193 win 0
2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:872415232(0) win 512
2008-08-14 12:21:12.212549 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 3288334337 win 0
2008-08-14 12:21:12.959563 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 603979776:603979776(0) win 512
2008-08-14 12:21:12.959710 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 3019898881 win 0
2008-08-14 12:21:13.656942 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 889192448:889192448(0) win 512

Output truncated .....

A first look at the traffic tells you there is no data transfer at all: every packet from 10.10.3.126 is a bare SYN with window 512 and no TCP options, and 10.10.75.1 answers each one with a RST. The traffic is clearly crafted (source port 1337 to destination port 31337 every time), which hints that the passphrase is hidden in the packet headers. So I dug into the headers by printing them as a hex and ASCII dump -

shell>tcpdump -XXttttnnr password.pcap
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:
1879048192(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 5c00 0000 4006 bc3d 0a0a 037e 0a0a .(\...@..=...~..
0x0020: 4b01 0539 7a69 7000 0000 0000 0000 5002 K..9zip.......P.
0x0030: 0200 5bad 0000 ..[...

2008-08-14 12:21:11.469524 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack
1879048193 win 0
0x0000: 000c 2945 914a 000c 294b dcf1 0800 4500 ..)E.J..)K....E.
0x0010: 0028 0000 4000 4006 d83d 0a0a 4b01 0a0a .(..@.@..=..K...
0x0020: 037e 7a69 0539 0000 0000 7000 0001 5014 .~zi.9....p...P.
0x0030: 0000 5d9a 0000 ..]...

2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:8
72415232(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 2000 0000 4006 f83d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3400 0000 0000 0000 5002 K..9zi4.......P.
0x0030: 0200 97ad 0000 ......

2008-08-14 12:21:12.212549 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack
3288334337 win 0
0x0000: 000c 2945 914a 000c 294b dcf1 0800 4500 ..)E.J..)K....E.
0x0010: 0028 0000 4000 4006 d83d 0a0a 4b01 0a0a .(..@.@..=..K...
0x0020: 037e 7a69 0539 0000 0000 3400 0001 5014 .~zi.9....4...P.
0x0030: 0000 999a 0000 ......


Output truncated .....

When it comes to examining packet headers, it is best to look for patterns: most fields are static from packet to packet, so the few that change stand out. Comparing the four packets above, you can spot two fields that vary:

10.10.3.126 -> 10.10.75.1 - TCP sequence number (only the high byte changes: 0x70, 0x34, 0x24, 0x35, which the ASCII column already shows as p, 4, $, 5)
10.10.75.1 -> 10.10.3.126 - TCP acknowledgement number (the client's sequence number + 1)

The IP ID changes too, but its values do not spell anything; the sequence number is where the readable bytes sit.

So to get the answer you only need one side of the conversation (10.10.3.126 to 10.10.75.1), which a BPF filter selects -

shell>tcpdump -XXttttnnr password.pcap ip src 10.10.3.126
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:
1879048192(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 5c00 0000 4006 bc3d 0a0a 037e 0a0a .(\...@..=...~..
0x0020: 4b01 0539 7a69 7000 0000 0000 0000 5002 K..9zip.......P.
0x0030: 0200 5bad 0000 ..[...

2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:8
72415232(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 2000 0000 4006 f83d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3400 0000 0000 0000 5002 K..9zi4.......P.
0x0030: 0200 97ad 0000 ......

2008-08-14 12:21:12.959563 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 603979776:6
03979776(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 6200 0000 4006 b63d 0a0a 037e 0a0a .(b...@..=...~..
0x0020: 4b01 0539 7a69 2400 0000 0000 0000 5002 K..9zi$.......P.
0x0030: 0200 a7ad 0000 ......

2008-08-14 12:21:13.656942 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 889192448:8
89192448(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 8d00 0000 4006 8b3d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3500 0000 0000 0000 5002 K..9zi5.......P.
0x0030: 0200 96ad 0000 ......


Output truncated .....

If you want to see the other side of the traffic, just tune the BPF filter to ip src 10.10.75.1; there you have to read the acknowledgement number instead. One caveat: once tcpdump has seen a flow it prints TCP sequence and ack numbers relative to the first packet, which is why the second RST is summarised as ack 3288334337 while its hex dump carries 0x34000001; use -S to print absolute numbers. You should have the answer now.

Anyway, when it comes to printing a particular header field, you can use tshark (part of Wireshark) and force it to print just that field. Relative sequence numbers have to be switched off, otherwise tshark shows offsets instead of the raw values, for example -

shell>tshark -Tfields -e 'tcp.seq' -nr password.pcap -o tcp.relative_sequence_numbers:FALSE -R 'ip.src == 10.10.3.126'
1879048192
872415232
603979776
889192448
1996488704
805306368
1912602624
1677721600
536870912
822083584
889192448
536870912
822083584
838860800
855638016
167772160

That's your answer in decimal: convert each number to hex, and the hex to ASCII. Only the top byte of each value carries a character; the lower three bytes are zero. Python quickies for the first value -

Decimal to hex -
shell>python -c 'print(hex(1879048192))'
0x70000000

Hex to ASCII -
shell>python -c 'import binascii; print(binascii.a2b_hex("70"))'

which prints p (b'p' on Python 3); do the same for the remaining values, or script it.
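Doing the conversion by hand for sixteen values gets old, so here is the decoding step scripted in Python 3. This is an added example and not part of the original post; the only input is the list of absolute tcp.seq values tshark printed above. It goes a bit beyond this capture: varying_positions works out which byte positions of a fixed-width header field actually change, so the same code handles a payload hidden in the IP ID, in a different byte of the sequence number, or in the acknowledgement numbers of the other side.

```python
# Added example, not code from the original post: the decoding step of the
# challenge in Python 3. TSHARK_OUTPUT is copied from the tshark output in the
# post; the helpers generalise to any fixed-width header field (IP ID, ack
# number) in which only some byte positions change.

# Absolute client sequence numbers, one per SYN, as printed by tshark above.
TSHARK_OUTPUT = """
1879048192
872415232
603979776
889192448
1996488704
805306368
1912602624
1677721600
536870912
822083584
889192448
536870912
822083584
838860800
855638016
167772160
"""


def parse_tshark_field(text):
    """Turn `tshark -T fields -e <field>` output (one decimal per line) into ints."""
    return [int(x) for x in text.split()]


SEQS = parse_tshark_field(TSHARK_OUTPUT)


def to_wire(value, width=4):
    """Big-endian bytes of a header field, as it sits in the packet."""
    return value.to_bytes(width, "big")


def varying_positions(values, width=4):
    """Byte offsets (0 = most significant) that are not constant across all
    values. Crafted packets usually carry the payload in exactly the bytes
    that change while the rest stays zero or constant."""
    columns = zip(*(to_wire(v, width) for v in values))
    return [i for i, col in enumerate(columns) if len(set(col)) > 1]


def extract(values, width=4, positions=None):
    """Concatenate the varying byte positions of every value, in packet order."""
    if positions is None:
        positions = varying_positions(values, width)
    out = bytearray()
    for v in values:
        wire = to_wire(v, width)
        out.extend(wire[i] for i in positions)
    return bytes(out)


def extract_from_acks(acks, width=4):
    """Same thing from the responder's side: each RST acknowledges seq + 1,
    so undo the +1 (mod 2^32) before decoding. Needs absolute ack numbers
    (tcpdump -S, or tshark with tcp.relative_sequence_numbers:FALSE)."""
    return extract([(a - 1) & 0xFFFFFFFF for a in acks], width)


if __name__ == "__main__":
    print("payload byte positions:", varying_positions(SEQS))
    print("passphrase:", extract(SEQS).decode("ascii").rstrip("\n"))
```

The last sequence number decodes to a newline, which is what you get when the sender piped the passphrase through a tool that encodes one character per packet; strip it before typing the passphrase into unrar.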

You should now have the passphrase to unrar Questions.rar -

shell>unrar e Questions.rar

Punch in the passphrase and you will be able to retrieve all the files you need.

During the challenge event I didn't see any participants use HeX for this purpose; a lot of them just used Wireshark to examine the capture. In my opinion Wireshark is not effective in this scenario: it is great when you want to do per-packet examination or are dealing with network protocols you are not familiar with, but for pulling one field out of every packet, I would say tcpdump and tshark are the more effective tools to obtain the clue.

Enjoy (;])

Monday, August 18, 2008

Little note about GDB

This is just for myself, as I'm not someone who uses a debugger much. However, it helps when you have a core dump of the program you are running. This is a simple example of what you can examine with the core dump file.

shell>gdb bro bro.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `bro'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libmagic.so.3...done.
Loaded symbols for /usr/lib/libmagic.so.3
Reading symbols from /lib/libz.so.4...done.
Loaded symbols for /lib/libz.so.4
Reading symbols from /usr/lib/libssl.so.5...done.
Loaded symbols for /usr/lib/libssl.so.5
Reading symbols from /lib/libcrypto.so.5...done.
Loaded symbols for /lib/libcrypto.so.5
Reading symbols from /lib/libncurses.so.7...done.
Loaded symbols for /lib/libncurses.so.7
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libm.so.5...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x080518ef in copy_string () at SSLInterpreter.cc:30
30 */

(gdb) print copy_string
$1 = {} 0x80518d0

(gdb) bt

#0 0x080518ef in copy_string () at SSLInterpreter.cc:30
#1 0x0809e249 in DNS_Mapping (this=0x843e6c8,
host=0x810e00c1
, h=0x830c0d0)
at DNS_Mgr.cc:171
#2 0x080a049f in DNS_Mgr::AddResult (this=0x830bd68, dr=0x843e210,
r=0xbfbf9070) at DNS_Mgr.cc:697
#3 0x080a08d6 in DNS_Mgr::Resolve (this=0x830bd68) at DNS_Mgr.cc:601
#4 0x080a0edd in DNS_Mgr::LookupHost (this=0x830bd68,
name=0x843398e "l.root-servers.net") at DNS_Mgr.cc:485
#5 0x0806826a in brolex () at scan.l:330
#6 0x08053d5c in yyparse () at p.c:2277
#7 0x0804efb6 in main (argc=5, argv=0xbfbfebac) at main.cc:751

(gdb) up
#1 0x0809e249 in DNS_Mapping (this=0x843e6c8,
host=0x810e00c1
, h=0x830c0d0)
at DNS_Mgr.cc:171
171 req_host = copy_string(host);

Reading the backtrace bottom-up: main() is parsing the policy (yyparse/brolex), the scanner triggers a DNS lookup of l.root-servers.net, and the crash (signal 11) happens inside copy_string() while it copies the host argument handed over by DNS_Mapping at DNS_Mgr.cc:171, so that host pointer (0x810e00c1) is the first thing to inspect. I'm still learning how to interpret these correctly, hopefully more to come.

Cheers ;]

Saturday, August 16, 2008

FreeBSD: Bpfstat is in Netstat

My friend Richard (TaoSecurity) has blogged about bpfstat here; in FreeBSD 7 the same functionality has been merged into netstat. Run netstat with the -B option -

shell>netstat -B -I le0
Pid Netif Flags Recv Drop Match Sblen Hblen Command
820 le0 p--s--- 989344 0 958346 0 0 bro
761 le0 p--s--- 989444 0 989444 216 0 argus
754 le0 p--s--- 410 0 410 1392 0 ourmon
330 le0 -ifs--l 989458 0 440 0 0 dhclient

As you can see it is very useful when it comes to monitoring libpcap-based tools: Recv, Drop and Match tell you how many packets each BPF consumer received, how many were dropped because its buffer was full, and how many matched its filter, so a non-zero Drop column means that tool is missing traffic. However, there's one bpfstat feature I miss, -i (the interval in seconds between reports). To simulate it, an infinite loop does the job -

shell>while :; do netstat -B -I le0; sleep 3; done

This reports every 3 seconds (sleep 3); if you only want to monitor a particular tool, pipe the output through grep.
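The loop above shows raw counters, so you still have to subtract by eye to see what happened during the last interval. As an added example that is not part of the original post, here is a small Python 3 script that parses the netstat -B table (column layout as shown above), reports per-process deltas between two snapshots like bpfstat -i did, and flags consumers whose Drop counter is non-zero. The first snapshot is the table from the post; the second is constructed for the demo.

```python
# Added example, not code from the original post: turn `netstat -B` output
# into per-consumer deltas, which is what bpfstat's -i option used to show.
# Assumes the FreeBSD 7 column layout from the post:
#   Pid Netif Flags Recv Drop Match Sblen Hblen Command
import subprocess
import time

# The table from the post.
SNAPSHOT_FROM_POST = """\
Pid Netif Flags Recv Drop Match Sblen Hblen Command
820 le0 p--s--- 989344 0 958346 0 0 bro
761 le0 p--s--- 989444 0 989444 216 0 argus
754 le0 p--s--- 410 0 410 1392 0 ourmon
330 le0 -ifs--l 989458 0 440 0 0 dhclient
"""

# Constructed follow-up snapshot (numbers made up) in which bro has dropped packets.
SNAPSHOT_CONSTRUCTED = """\
Pid Netif Flags Recv Drop Match Sblen Hblen Command
820 le0 p--s--- 990344 12 959346 0 0 bro
761 le0 p--s--- 990444 0 990444 216 0 argus
754 le0 p--s--- 411 0 411 1392 0 ourmon
330 le0 -ifs--l 990458 0 441 0 0 dhclient
"""


def parse_netstat_b(text):
    """Map pid -> counters and command name, skipping the header line."""
    rows = {}
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        rows[int(f[0])] = {
            "netif": f[1], "flags": f[2],
            "recv": int(f[3]), "drop": int(f[4]), "match": int(f[5]),
            "command": f[8],
        }
    return rows


def delta(prev, cur):
    """Packets received/dropped/matched per pid since the previous snapshot.
    Consumers that appeared since `prev` are counted from zero."""
    out = {}
    for pid, row in cur.items():
        p = prev.get(pid, {"recv": 0, "drop": 0, "match": 0})
        out[pid] = {
            "command": row["command"],
            "recv": row["recv"] - p["recv"],
            "drop": row["drop"] - p["drop"],
            "match": row["match"] - p["match"],
        }
    return out


def droppers(rows):
    """Pids whose Drop counter is non-zero: the kernel discarded packets
    before that sniffer read them, so its view of the wire is incomplete."""
    return sorted(pid for pid, r in rows.items() if r["drop"] > 0)


def watch(ifname="le0", interval=3):
    """bpfstat -i replacement: poll `netstat -B -I ifname` every `interval` seconds."""
    cmd = ["netstat", "-B", "-I", ifname]
    prev = parse_netstat_b(subprocess.check_output(cmd, text=True))
    while True:
        time.sleep(interval)
        cur = parse_netstat_b(subprocess.check_output(cmd, text=True))
        for pid, d in delta(prev, cur).items():
            print("%5d %-10s recv=%d drop=%d match=%d"
                  % (pid, d["command"], d["recv"], d["drop"], d["match"]))
        prev = cur


if __name__ == "__main__":
    before = parse_netstat_b(SNAPSHOT_FROM_POST)
    after = parse_netstat_b(SNAPSHOT_CONSTRUCTED)
    for pid, d in delta(before, after).items():
        print("%5d %-10s recv=%d drop=%d match=%d"
              % (pid, d["command"], d["recv"], d["drop"], d["match"]))
    print("dropping consumers:", droppers(after))
```

On a sensor you would run watch() for the interface you are monitoring and alert on any non-zero drop delta, since a sniffer that drops packets silently produces incomplete logs.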

Cheers ;]

Wednesday, August 06, 2008

HeX 2.0 RC1 is now

After a long period of development, we have finally reached the stage where we are brave enough to release version 2 of HeX, Release Candidate 1. This is the first public version of HeX 2.0, and we hope that by releasing it, people who are interested can help test it. I won't be listing the new features we are adding to HeX 2 here; I will put up all the information once we reach the 2.0 release instead of the RC. For the moment we need people to test all the applications we have added. Many of them can be accessed via the fluxbox menu, so please help with testing.

Currently there are few known problems -

- Netdude is broken
- Autopsy is broken(sleuthkit issue)
- Gvim is broken(font not available)
- Flowtag is broken(Looking for older version of tk while new one is installed)
- NSM Console(Snort module where wrong path is defined in snort configuration file)
- Silktools(Flowcap and Rwflowpack)
- Ragraph is broken
- Zsh is missing

Most of these issues are already fixed in the development repository, so there is no need to report them if you run into them in HeX 2.0 RC1. If you encounter any other issues, please report them to us via the mailing list -

http://groups.google.com/group/HeX-liveCD

Anyway, here's the HeX 2.0 RC1 iso, together with its md5 and sha256 checksum files; check the download against them before burning or booting it -

http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso.md5
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso.sha256

Alternatively, you can download from US mirror -

http://us.rawpacket.org/image/hex-i386-2.0-RC1-20080803.iso

Thanks to all the raWPacket members who have put effort into HeX 2.0 development, you guys are always rocking!

Enjoy (;])