Sunday, April 13, 2014

Immutable Data and Memory Sensitivity..

Consider this Python code snippet:

import hashlib

while True:
    print("Enter your password")
    s = input('--> ')          # the original (Python 2) used raw_input()
    print(s)
    print("Now the md5sum")
    # Rebind s to the hex digest; the plaintext str object is never modified
    s = hashlib.md5(s.encode()).hexdigest()
    print(s)

By any means it's relatively simple code to understand: we use s as a placeholder for our incoming data string, compute its md5sum and replace the value of s with the hex digest. In short, s now contains the md5sum in hex, right? So any plaintext that we entered should vanish and be flushed out by the garbage collector in the Python VM, right?

Let's give it a test.


So most people would think any previous plaintext value would be washed out of memory. The string DogFood won't exist, right? Let's attach the running script to a debugger (I'm using the edb debugger, the best thing besides windbg; sorry Stallman, gdb just sux!!!!):


I like using the edb debugger; it helps, for example, with binary string search. Since we have replaced the value of s, DogFood, with a hex string, we shouldn't see any DogFood string in memory, right? Unfortunately that is entirely not true :(




DogFood in Hex
High-level languages often have data types that are immutable. The program can only write to an immutable object once, at creation time. In other words, s is just a label, and the string may be stored at the same address or anywhere else in memory. (Note to self: heap/stack/bss/dss are just labels the computer generates to give us an approximate understanding of a specific region of memory.)

Let's search for the md5sum string: 36f65df05afee9fb079943b7ba5d9617



The string was stored at a different address!!


So in a high-level language there is no guarantee that your initial plaintext data at an address will be overwritten with the encrypted blob/binary. The only way to ensure the overwrite happens 100% is to use a mutable data structure whose elements can be replaced in place.
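To make the difference concrete, here is an added example (not code from the original post) that repeats the experiment inside one Python process instead of a debugger. The str path mirrors the snippet above: rebinding s leaves the original object untouched, and raw_object_bytes shows the plaintext still sitting in that object. The bytearray path overwrites the buffer in place at the same address. raw_object_bytes assumes CPython (a compact ASCII str keeps its characters inline after the object header); the password DogFood is a constructed sample.

```python
import ctypes
import hashlib
import sys


def raw_object_bytes(obj):
    """Copy the raw memory of a CPython object (header plus inline payload).
    Assumption: CPython, where a compact ASCII str stores its characters inline
    right after the object header, so the plaintext shows up in this dump."""
    return ctypes.string_at(id(obj), sys.getsizeof(obj))


def bytearray_storage(buf):
    """Return (address, contents) of a bytearray's separate heap buffer.
    The ctypes view is dropped before returning so the buffer stays resizable."""
    view = (ctypes.c_char * len(buf)).from_buffer(buf)
    address = ctypes.addressof(view)
    contents = ctypes.string_at(address, len(buf))
    del view
    return address, contents


def hash_and_rebind(secret):
    """Same flow as the post's snippet with an immutable str: rebinding the name
    to the digest creates a new object; the plaintext object is untouched and
    survives as long as anything (here `stale`) still references it."""
    stale = secret                      # stands in for any other reference/copy
    digest = hashlib.md5(secret.encode()).hexdigest()
    secret = digest                     # the label moves, the old object does not change
    return stale, secret


def hash_and_wipe(buf):
    """Hash a mutable bytearray, then overwrite it in place: same object, same
    storage address, but the plaintext bytes are now zeros."""
    digest = hashlib.md5(buf).hexdigest()
    buf[:] = b"\x00" * len(buf)         # in-place overwrite, no new object
    return digest


if __name__ == "__main__":
    stale, rebound = hash_and_rebind("DogFood")          # constructed sample password
    print("old str object still holds:", stale,
          "| plaintext visible in its raw bytes:", b"DogFood" in raw_object_bytes(stale))
    buf = bytearray(b"DogFood")
    addr_before, _ = bytearray_storage(buf)
    print("md5:", hash_and_wipe(buf))
    addr_after, contents = bytearray_storage(buf)
    print("same address:", addr_before == addr_after, "| contents now:", contents)
```

Even the bytearray version only removes the copy you control: the encode()/hash calls, interning and interpreter temporaries can leave further copies, which is why the debugger search in the post finds the plaintext and why a high-level language cannot promise a clean overwrite.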

So why did you see chunks of unencrypted/encrypted data in the Heartbleed heap leak? Not a surprise anymore, right?




Thursday, April 10, 2014

Epilogue Pentest: Forget about Heartbleed and Enter the Reality of Volatile Memory

From XKCD..



Yeah, there's a lot of buzz about Heartbleed as the worst bug ever. My opinion? It is a serious bug due to the fallacy of the way C works. Despite the hype, memory leakage is not exactly something new, and skillful botnets/attackers/pentesters have exploited it for years.

What can we learn from this bug? At the beginning and at the end of an encrypted connection lies the encrypted data. Not trusting user input is one thing, but trusting your server memory and the hands behind it also, well, sucks.

If you are one of the CISO fans, well, PCI often says "End-to-End Encryption", which means data + communication channel are supposed to be well encrypted. Which is good.

But there's one catch...

Suppose an attacker/sysadmin managed to get hold of a server with privileged access (or decided to abuse it anyway). Hypothetically something like this:



So we have root privileges. Yes, in most tutorials people will no doubt start dumping /etc/shadow and yada yada, implanting fake websites, bla bla bla.

Suppose that all data is encrypted and there's no way to see it in plaintext form. If you understand the Heartbleed bug, it tells us that the unencrypted data lies in process memory, close by in the heap/free store.

Pick one process, 5356 in this example, and examine its maps.


The data leaked in Heartbleed depends on how the heap was aligned/rebased/mapped, bla bla bla.


We can use gcore, or the folks from Rohitab have created a nice tool similar to procdump on Windows :)




And it's a gold mine..





Do you trust your sysadmin? I know I don't. And a dark tip: don't trust your router memory either...
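As an added example (not from the original post), the following script shows from the defender's side what the gcore/maps walk above finds: a process parses its own /proc/self/maps, reads the writable private mappings (the heap and the anonymous regions where malloc puts decrypted data) through /proc/self/mem, and lists every copy of a constructed secret. It then applies the one mitigation a process has against same-uid dumping, clearing its dumpable flag with prctl(PR_SET_DUMPABLE, 0), which also suppresses core dumps. Linux only; the prctl constants are the values from <sys/prctl.h>, and the secret string is a constructed sample.

```python
import ctypes
import os
import platform

# prctl option numbers from <sys/prctl.h> on Linux
PR_GET_DUMPABLE = 3
PR_SET_DUMPABLE = 4


def proc_available():
    """True when the Linux /proc interfaces this example reads exist."""
    return os.path.exists("/proc/self/maps") and os.path.exists("/proc/self/mem")


def parse_maps(text):
    """Parse /proc/<pid>/maps into (start, end, perms, name) tuples."""
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        name = parts[5].strip() if len(parts) == 6 else ""
        regions.append((lo, hi, parts[1], name))
    return regions


def find_in_own_memory(needle, max_region=64 << 20):
    """Scan this process's writable private mappings ([heap] plus anonymous ones,
    where malloc/pymalloc keep their data) for `needle`, i.e. what a core dump or
    gcore of this process would expose. Returns (address, mapping name) per copy."""
    if not proc_available():
        return []
    with open("/proc/self/maps") as f:
        regions = parse_maps(f.read())
    hits = []
    with open("/proc/self/mem", "rb", buffering=0) as mem:
        for lo, hi, perms, name in regions:
            if not perms.startswith("rw") or perms[3] != "p" or hi - lo > max_region:
                continue
            if name and name != "[heap]":
                continue            # skip file-backed and [stack]/[vvar]-style mappings
            try:
                mem.seek(lo)
                data = mem.read(hi - lo)
            except (OSError, OverflowError):
                continue            # pages that cannot be read through /proc/self/mem
            offset = data.find(needle)
            while offset != -1:
                hits.append((lo + offset, name or "[anon]"))
                offset = data.find(needle, offset + 1)
    return hits


def make_nondumpable():
    """Mitigation: clear the dumpable flag so unprivileged same-uid users cannot
    ptrace/gcore this process and no core file is written. Root (CAP_SYS_PTRACE)
    can still read the memory. Returns the flag after the change, None off Linux."""
    if platform.system() != "Linux":
        return None
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_DUMPABLE) failed")
    return libc.prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)


if __name__ == "__main__":
    secret = b"constructed-secret-DogFood"   # constructed sample, stands in for a decrypted record
    for address, where in find_in_own_memory(secret):
        print(f"plaintext copy at 0x{address:x} in {where}")
    print("dumpable flag now:", make_nondumpable())
```

Run the scan before make_nondumpable(): once the flag is cleared, /proc/self/mem is owned by root and an unprivileged process can no longer open it, which is exactly the protection. The hit list includes the needle bytes object itself and any temporaries, which is the point of the post: every copy of the plaintext in a process is visible to whoever can dump it, and a root sysadmin is never stopped by the flag.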

What about dumping on Windows? It's as easy as this:




Volatile memory is dangerous...








Sunday, April 6, 2014

Transform your Dir-615 TM into a Wifi Dumper/Cracking Machine

My health has not been that good lately; for some reason I was diagnosed with asthma a few days ago.

During wireless penetration testing I often find that people love to talk about some Chinese/brand wireless cards such as SignalKing/Alfa etc. While those cards might work, they are not portable enough, because you need a PC/notebook nearby to power the device up. Which is not good for the professional lazy pentester.

 

So the solution? Turn your antique DIR-615 into a portable wireless monster machine!!!

Disclaimer: if you screw up somewhere along the way, well, too bad.

Step 1. Flash the DIR-615 with this firmware: http://downloads.openwrt.org/attitude_adjustment/12.09/ramips/rt305x/openwrt-ramips-rt305x-dir-615-d-squashfs-factory.bin

To flash, turn off your DIR-615 and hold the reset button for a few seconds; set your IP to 192.168.0.x (x > 1), go to 192.168.0.1 and you will be redirected to the firmware upgrade page.


Upload the firmware.

Step 2.
  • Download the sysupgrade firmware: http://downloads.openwrt.org/attitude_adjustment/12.09/ramips/rt305x/openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin
  • Set up OpenWrt initially
  • Push the sysupgrade image into OpenWrt via scp to /tmp
  • ssh into your OpenWrt and run sysupgrade -v openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin

Step 3
  • If you have LuCI you can set the wifi into monitor mode via the LuCI web interface.
  • or modify /etc/config/wireless to look something like this:

  • Tip: your OpenWrt may not have an Internet connection. opkg relies on wget, which respects the http_proxy environment variable; I use the polipo proxy, so to make opkg work I usually use ssh root@192.168.1.1 -R8123:localhost:8123

After that install the tools: opkg install aircrack-ng kmod-usb-storage kmod-fs-vfat wireless-tools screen. Try not to install too much stuff since space is very limited.

And that's it. Use screen to daemonize your stuff.
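The monitor-mode wireless config referred to in Step 3 is shown in the post only as a screenshot, so here is an added example (not the post's own file) of the shape it takes on Attitude Adjustment 12.09, written as a small POSIX sh script you can scp to the router. It assumes the radio is radio0 backed by phy0 with the mac80211 driver (the rt305x builds use it) and defaults to channel 6; adjust the phy name if iw dev shows a different one.

```shell
#!/bin/sh
# Added example, not from the original post: write an OpenWrt /etc/config/wireless
# that puts the DIR-615 radio into monitor mode. Assumptions: radio 'radio0' on
# 'phy0' with the mac80211 driver, channel 6 unless given as the second argument.
# On the router:  sh monitor.sh --apply [channel]   (then check with: iw dev)

write_monitor_wireless() {
    target="${1:-/etc/config/wireless}"
    channel="${2:-6}"
    cat > "$target" <<EOF
config wifi-device 'radio0'
    option type 'mac80211'
    option phy 'phy0'
    option channel '$channel'
    option hwmode '11g'
    option disabled '0'

config wifi-iface
    option device 'radio0'
    option mode 'monitor'
EOF
}

# Sanity check before reloading: number of monitor-mode interfaces in a config file.
monitor_iface_count() {
    grep -c "option mode 'monitor'" "$1"
}

# Apply and reload the wifi stack only when invoked with --apply on the router.
if [ "${1:-}" = "--apply" ]; then
    write_monitor_wireless /etc/config/wireless "${2:-6}"
    wifi
fi
```

The script overwrites /etc/config/wireless wholesale, so keep a copy of the original if you still want the access-point stanza; the monitor interface comes up after wifi reloads and aircrack-ng can then be pointed at it.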


Knowledge about dumping to your USB drive and aircrack usage is left as an exercise.

By the way, it is illegal to steal Wifi in Malaysia. This is just a simple tutorial on how to build your own powerful portable wifi-pentesting machine.