
Wednesday, October 13, 2010

Ethical Hacker Challenges

Well, it's been a couple of weeks since I posted anything. This doesn't mean I haven't been busy. I have recently been following up on my "Ethical Hacking" skills and Security training. I stumbled across this site, Hellbound Hackers, which has some interesting challenges. They allow you to earn points for the challenges, so it's kind of cool. They have challenges in many areas. I have been playing with the "Web Based" challenge area where they have 29 challenges.

Below are the answers.... I know...this is frowned upon. Many people believe one should only provide "hints" and let people flounder indefinitely.....But, seriously, to learn....sometimes it is nice to have access to the answers when you're stuck. I have provided the background detail then the actual answer. If you have stumbled on this via Google because you're trying the challenges, great...but be aware....... SPOILERS are below. I have made the font for the answers white so you have to highlight them to actually see the answer.

Note: This is an "Ethical Hacker" site. So, ideally there is nothing malicious going on here and your machine won't get infected while browsing the forums and such. However, it is "hacker related" and the Internet is the wild west of the 2000's, so use caution. I strongly encourage you to use a VM to go to sites like this. See my Virtualization Post on this.

Challenge #1
Basic login prompter. Nothing special here. It is the 1st Challenge. The Hint provided is: "Look at the source...."

Answer:
If you view the source you will see a comment:
it has four legs and most of the time its called 'man's best friend'
Answer: Dog

Challenge #2
This is a simple challenge as well. Just requires some basic knowledge of HTML.

Answer:
View the source and find:
<IFRAME border='0' height='250' width='500' align='center' name='content' src='../basic1/b2/index.php' frameBorder='0'>
IFRAME location is: ../basic1/b2/index.php

Challenge #3
Now, we start to get a little more complex. This involves spoofing your UserAgent.

Answer:
Change your user agent to bwh3_user_agent. This is pretty simple in Firefox. I used the Firefox Plug-in - useragentswitcher
You could also edit the Registry in Windows for IE....but why.... just use Firefox.

Challenge #4
The idea here is a simulation of an improperly configured login prompter that uses an htpasswd file. The file isn't found, so you can see an error on the page.
First idea...... a path fuzzing challenge.

Answer:
"ERROR: htpasswd.php file not found in basic4/" means something.. so fuzz the dir paths.
You will find the password file located at:
http://www.hellboundhackers.org/challenges/basic5/htpasswd.php

Challenge #5
Just a pain to figure out, not because it is hard...but the format of the answer is hard.

Answer:
Doing a query for email or reading the source you will note * is the wildcard. Then, you have to realize that the form is a login form AND a search form.
So,
Box #1: *@*:*
Box #2: problems@Asterix-Protect.org

Challenge #6
Now, the challenges start to get a bit more "real". This one requires both some simple Unix skills and some fuzzing.

Answer:
First, fuzz the dir path:
http://www.hellboundhackers.org/challenges/basic6/logs/
You will see the files that need to be deleted. Then, run the appropriate commands.

Box #1: $ chmod a+x logs/logs.txt
Box #2: $ rm logs/logs.txt
Box #3: $ rm logs/track_logs.php

Challenge #7
This challenge requires some Binary math and knowledge of cookie manipulation.

Answer:
View your cookies. (I used Web Developer tool for Firefox)
username: sam
password: jillisdead
(This also happens to be in the source javascript, so viewing the cookie probably wasn't really required).

Now encode each ASCII string into binary:
http://www.theskull.com/javascript/ascii-binary.html
sam -> 011100110110000101101101
jillisdead -> 01101010011010010110110001101100011010010111001101100100011001010110000101100100

So, now just use the Firefox Web Developer plug-in to edit these values.
username=011100110110000101101101
password=01101010011010010110110001101100011010010111001101100100011001010110000101100100
And then fill in junk for the submit form and click go.

You will now be at the sql prompt:
Fill in 'sam' and submit

You could also use Javascript injection on the 1st part, but my example way is a little less typing.


Challenge #8
This challenge requires a slight bit of knowledge about PHP and the Register Globals vulnerability. See
http://en.wikibooks.org/wiki/PHP_Programming/Register_Globals. You can use this to perform an SQL Injection attack.

Answer:
Formulate an injection that will provide the password:
http://www.hellboundhackers.org/challenges/basic8/secure-area.php?sql_query=SELECT%20*%20FROM%20family_db

And you should get that the password is:
KingKong


Challenge #9
This challenge is completed using a type of code injection attack.

Answer:
Null Metacharacter Injection attack. ().
Search for: login.php
This will allow you to view the source of the PHP file, which (in View Source) will show you:


if($_POST['password'] == "environment" && $_POST['username'] == "FastLane"){

Go back to the Challenge Page and fill in the Username/Password combo of:
FastLane / environment


Challenge #10
This challenge requires that your IP address be in a specific range. You need to use a "free proxy service" if the page doesn't work immediately.


Answer:
Viewing source on the access denied page will show you that the range needs to be:
range is around 200 to 230 and 23 to 91
Now, Google for free proxy services and use Firefox's FoxyProxy to help you solve this. It is more trial and error to find a proxy in this range. I used Proxy IP: 81.168.92.66 Port: 8080

or 82.148.227.62 Port 80



Challenge #11
Basically the same as challenge #3

Answer:
Edit useragent to be:
Mozilla (HellBoundHackersOS)

I'll post some answers to the remaining 17 challenges when I get a chance to solve them. I did jump to the end..... #29 uses XPATH injection.... :-)

Sunday, September 12, 2010

Computer Forensic Analysis - The Series

This posting is not completed yet. Think of it as a preview.

Recently, a friend of mine sent me a job posting for a computer forensics analysis position. Now, I don't currently do, nor have I ever done, this type of work professionally. However, I have done this type of work "academically" or at home for personal "enrichment". So, I do have the experience and knowledge to perform these types of activities. The job posting "sparked" an idea in my head, that maybe I should post a blog entry about system analysis and investigation into an attack. I can't really post it all in one blog entry, so this might be a series or something. (Time permitting in my personal life.) Today, I figured I would cover the top level kind of stuff.

Now, before I start, I will say that normally I would have used the Backtrack LiveBoot CD or the OWASP toolkit to perform this analysis. This posting isn’t going to use those.....why? Well, the job posting asked for experience with Helix. I’ve never used Helix…. So what better reason to learn about it. Also, I think I’m going to focus on Windows based analysis.


I started my day (for this blog entry) trying to find a copy of Helix. Turns out, in 2008, the publisher of that distribution made it “commercial only” and wants ~$240 for Helix Pro. That’s pretty reasonable, but I’m not going to buy it just to blog about it. So, I did more searching and found the last free distribution ISO Helix2008R1 (https://kinqpinz.info/library/h/#00f87509 ). Ok, the site looks “shady”…so I did do some virus scanning and validation on the ISO.  I should note that my AV system went crazy with this distribution. It claims there are viruses in a number of the components of this ISO.  I have found clean copies of the components that were infected, so I’m pretty sure the virus identifications are correct vice being “false positives”. Secondly, my AV software doesn’t like that a lot of the tools are “Security Assessment Tools” and blocks them….. So, I had to move to a VM just to build a “clean” and updated distribution of the Helix suite. I’m going to refer to my “custom build” as HelixCustom. I've updated a bunch of the SysInternals tools, fixed the "Virus Infected" libraries, and added a few things to the distribution.

Now, since I'm doing this windows-based approach, my VM is a Windows 7 x64 image. It was out of date so I spent like 2 hours installing updates. With that out of the way, I took a clean snapshot of it and turned off the virus protection……. (oh no!!!!!). Yes, I had to turn off the virus protection to build the "clean" distribution of HelixCustom. I'll scan my custom ISO after I'm complete on a different system to verify its integrity.

Responding to an Incident

There are defined steps one must take when responding to a “potential” attack. If you are responding in a legal capacity, there are extra steps you must take to protect the evidence chain and make the data admissible in court. I’m not in law enforcement….. I do have a number of friends that are, but I don’t really want to add to the complexity of this blog posting. We are going to focus on just how to solve/investigate your incident.

NOTE: If you are a corporate IT guy and are looking to do some collection before informing Law Enforcement of a known breach…. DON'T! You will corrupt the scene. Call them now and let them respond. You may overwrite data that they can use.

RFC 3227 - Guidelines for Evidence Collection and Archiving defines the “best practices” for general digital evidence collection. Collection is based on the volatility of the data so memory is generally regarded as the first thing to collect. 

Capture Memory
(Preference: WinDD)
The first step in responding to an incident would be to dump the physical memory. Computers these days have gigabytes of memory. It is very important to preserve what is currently resident in memory before proceeding. It is possible that as you respond to the situation, that memory will be overwritten or lost, so it is best to dump the memory as your 1st step.

In Windows, you can use WinDD from (MoonSols Windows Memory Toolkit - http://www.moonsols.com/), if you have a Helix distro use DD.exe or mdd (Mantech Memory Dump),  HBGary FastDump Pro, Nigilant32,  or other means. I will note that WinDD was probably the easiest, especially on Win64 based platforms since they require signed drivers.

Obtain Relevant System Details
Using the Helix3 distro, launch cmdenv1.bat. This will set-up your directory path to use the Helix trusted executables.

Capture Date and Time
Standard ways to get that would be date /t and time /t

11:52:10.59 D:\IR> date /t
Sun 09/12/2010

11:52:13.55 D:\IR> time /t
11:52 AM

Derive Hostname
Using the hostname command
11:52:16.78 D:\IR> hostname
CraigLaptop-PC

Derive your current identity
Using the whoami command
11:53:03.93 D:\> whoami
Craig

Derive OS Version
Using the ver command
11:55:10.12 D:\> ver
Microsoft Windows [Version 6.1.7600]

Determine IP Interfaces and their active modes
To get the interface IP addresses in use run iplist
DiamondCS IP Enumerator v1.0 (www.diamondcs.com.au)
#         ADDRESS       BROADCAST       NETMASK
403574956 172.16.14.24  255.255.255.255 255.255.255.0
28682432  192.168.181.1 255.255.255.255 255.255.255.0
25798848  192.168.137.1 255.255.255.255 255.255.255.0
20490432  192.168.56.1  255.255.255.255 255.255.255.0
16777343  127.0.0.1     0.0.0.0         255.0.0.0
5 interfaces found.

12:36:25.73 D:\>

To determine their active modes use promiscdetect

PromiscDetect 1.0 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu) - http://ntsecurity.nu/toolbox/promiscdetect/

Adapter name:

 - PCI-E Gigabit Ethernet Controller

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:

 - VirtualBox Host-Only Ethernet Adapter

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:

 - RemoteControl USB LAN LINK

Warning: Cannot open the adapter

Adapter name:

 - Intel(R) WiFi Adapter

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

12:37:05.69 D:\>
Obtain System Uptime
I like to use uptime and psinfo. Psinfo provides a better level of granularity and a bit more info.
12:58:27.29 D:\> uptime
Unknown HZ value! (-1868102526) Assume 100.
 12:58:38 up  4:23,0 users,load average: 0.00, 0.00, 0.00

12:58:38.19 D:\> psinfo -h -d

PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\CRAIGLAPTOP-PC:
Uptime:                    0 days 4 hours 23 minutes 38 seconds
Kernel version:            Windows 7 Professional, Multiprocessor Free
Product type:              Professional
Product version:           6.1
Service pack:              0
Kernel build number:       7600
Registered organization:   Microsoft
Registered owner:          Microsoft
IE version:                8.0000
System root:               C:\Windows
Processors:                2
Processor speed:           2.2 GHz
Processor type:            Intel(R) Core(TM)2 Duo CPU     P8400  @
Physical memory:           2940 MB
Video driver:              Mobile Intel(R) 4 Series Express Chipset Family
Volume Type  Format Label Size       Free        Free
C: Fixed     NTFS         290.07 GB  191.63 GB  66.1%
D: CD-ROM    CDFS   HC    701.76 MB              0.0%
E: Removable                                     0.0%

Installed     HotFix
n/a           Internet Explorer - 0

12:58:45.82 D:\IR>
You can also use DumpWin (http://www.niiconsulting.com/innovation/tools.html#sysinfo ) for this; however, DumpWin has a lot of other features and can be better used at other steps.

Determine Active Logged On Sessions
You can do this a bunch of ways. I’m going to use netusers and psloggedon.

13:38:40.59 D:\> netusers /l /h /v

--------------------------------------------------------
History of users logged on locally at CRAIGLAPTOP-PC:    Last Logon:
--------------------------------------------------------
CraigLaptop-PC\Craig                                     2010/09/12 11:10
--------------------------------------------------------
The command completed successfully.

13:38:53.81 D:\> psloggedon
PsLoggedon v1.34 - See who's logged on
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     9/12/2010 8:36:22 AM       CraigLaptop-PC\Craig

Users logged on via resource shares:
     9/12/2010 1:39:21 PM       (null)\Craig

13:39:24.95 D:\>
Also, running logonsessions -p will provide active data about current sessions and the processes these sessions are running. The output of this is a bit long, so I'm not going to show it.
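The steps above are all run by hand and their output read off the screen. Here is an added Python example (my own, not from the post, from Helix or from RFC 3227) that runs the same kind of volatile-data commands in the order the post does, and adds the one thing a responder wants on top: every captured output is timestamped and SHA-256 hashed, and the hashes are chained, so the evidence file can later be checked for altered or reordered records. The command lists and the evidence file name are assumptions for illustration; memory acquisition itself is left to the dedicated tools the post names.

```python
"""Ordered volatile-data collection with an integrity log (RFC 3227 style).

Added example, not from the blog post or the Helix distribution. It runs
the same kind of commands the post runs by hand (date/time, hostname,
whoami, ver, interfaces, sessions) most-volatile-first, timestamps each
run, and hashes and chains every captured output so the evidence file is
tamper-evident. Command lists and file name are assumptions.
"""
import hashlib
import json
import platform
import subprocess
import sys
from datetime import datetime, timezone

# Constructed command lists, most volatile first (assumed to be on the
# responder's trusted media, as with the Helix "trusted executables").
WINDOWS_STEPS = [
    ("date_time", ["cmd", "/c", "date /t & time /t"]),
    ("hostname", ["hostname"]),
    ("identity", ["whoami"]),
    ("os_version", ["cmd", "/c", "ver"]),
    ("interfaces", ["ipconfig", "/all"]),
    ("sessions", ["query", "user"]),
]
LINUX_STEPS = [
    ("date_time", ["date", "-u"]),
    ("hostname", ["hostname"]),
    ("identity", ["whoami"]),
    ("os_version", ["uname", "-a"]),
    ("interfaces", ["ip", "addr"]),
    ("sessions", ["who"]),
]


def steps_for_platform():
    return WINDOWS_STEPS if platform.system() == "Windows" else LINUX_STEPS


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def run_step(label, argv, runner=subprocess.run):
    """Run one command and return an evidence record; failures are recorded, not raised."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = runner(argv, capture_output=True, text=True, timeout=60)
        output, rc = proc.stdout + proc.stderr, proc.returncode
    except (OSError, subprocess.SubprocessError) as exc:
        output, rc = "<command failed: %s>" % exc, None
    return {
        "label": label,
        "command": " ".join(argv),
        "started_utc": started,
        "returncode": rc,
        "output": output,
        "sha256": sha256_hex(output),
    }


def collect(steps, runner=subprocess.run):
    """Run the steps in the given (volatility) order and chain their hashes."""
    records, chain = [], ""
    for label, argv in steps:
        rec = run_step(label, argv, runner)
        chain = sha256_hex(chain + rec["sha256"])  # each link covers all earlier ones
        rec["chain"] = chain
        records.append(rec)
    return records


def verify(records):
    """Recompute per-record and chain hashes; False if any output or the order changed."""
    chain = ""
    for rec in records:
        if sha256_hex(rec["output"]) != rec["sha256"]:
            return False
        chain = sha256_hex(chain + rec["sha256"])
        if rec["chain"] != chain:
            return False
    return True


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "volatile_evidence.json"
    recs = collect(steps_for_platform())
    with open(out, "w", encoding="utf-8") as fh:
        json.dump(recs, fh, indent=2)
    print("%d records written to %s, verify=%s" % (len(recs), out, verify(recs)))
```

Run it from the trusted media with an output path on your own collection drive (not the suspect disk), and keep the printed record count and the final chain value in your notes; anyone re-running verify() on the file later gets False if a single output was edited or a record was moved.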

NOT COMPLETE YET
I know..... I still have to complete this posting. as of Sept-30-2010... I haven't found the time to sit down and finish this one up. I really do plan on doing it. Maybe this weekend :-).... It's really interesting stuff.....just the personal/family time stuff takes up my "nerd posting time"....

Saturday, September 4, 2010

You are not as anonymous as you think....

From the Panopticlick Project:
Traditionally, people assume they can prevent a website from identifying them by disabling cookies on their web browser. Unfortunately, this is not the whole story.
When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. Some companies are already using technology to try to identify individual computers. But how effective would this kind of online tracking be?
Turns out you're not really that unique, and tracking data you can't really prevent can identify your PC down to 1 in 286,777.... that's like 18.1 bits of entropy....geez

Check out the white paper.

Virtualization to mitigate virus attacks..... or "Mitigate work for Me"

All my friends know that I work on/with computers on a daily basis. They know I have a very solid background in the area, so when their PC is messed up... I get the call. Somehow, the viruses they get are generally all related to web browsing and clicking on pop-ups and other junk from "unscrupulous" sites. Lately, this has become an even bigger problem with the newer Flash based attacks. Also, many of them continue to use Internet Explorer as their primary browser. (Side note: My wife refused to upgrade from IE6 until she was forced with the Windows 7 upgrade. That was a nightmare. She would constantly state: Why is my machine so messed up???...blah..blah...blah.... I learned from her internet usage that LiveJournal is full of viruses, along with pointless other stuff.....).

Since I know I can't change people's browsing behavior and I don't want to be a jerk and not help them out with a fix, I have come up with my new "Fix" approach.
Virtualization

VirtualBox (http://www.virtualbox.org/) is a free and fairly simple, yet powerful, virtualization package. Since it is relatively easy to use (even for a novice computer user), I have created an image (Fedora 13) with virus protection, Firefox plug-ins, Flash player...etc.. all preconfigured. Now, from this point forward, I can install VirtualBox on my friends/family members' PCs..... provide them the image......and show them how to revert the image back to the "baseline" snapshot. As long as they use the VM to do all web browsing and such, they shouldn't have any issues. If the VM gets "infected", they can solve the problem themselves with 2 clicks.....

Now, I will say, my wife says this is the most convoluted idea ever. My brother-in-law told me "Launching this VM is too many clicks..." Geez, it takes 3 clicks to launch the VM.... and the isolation it provides is great. I guess from my standpoint it's great...from theirs it's "meh.." as they just have me fix their broken PC, so no sweat off their backs....

Silent Ringtone to "Blacklist" nuisance callers

Lately, my wife has been getting calls from two different numbers asking for the same person. My wife repeatedly explains to them they have the wrong number, but to no avail; they continue to call. They call every day....guess the person owes them money or something. So, I looked into how to Blacklist a number on the iPhone. Apparently, you have to download an app...... :-(. This should be a built-in feature... I mean really.....

Anyway, the apps are mostly like $1.99...so no big deal. The most feature filled app seems to be "Blacklist" by CallerDB. It will blacklist numbers of your choosing, as well as, a host of known telemarketing numbers.

If you don't want to actually buy an app ($1.99 is a small price to pay), you could just download or make a silent ringtone, save off nuisance numbers in your contacts list, then assign them this silent ringtone. CallerDB has a SilentRingtone.m4r file available (but really they want you to buy the app then use it) or you can make your own ringtone for nuisance callers.

Friday, September 3, 2010

Force Firefox to reload the page and ignore cache copies of the page

This isn't really a full blog posting. Just a thought. I am frequently using other machines or installing systems. Internet Explorer gives you, through the GUI, the ability to "Check for new versions of stored pages" off the General Tab. However, Firefox doesn't seem to offer this function through a GUI. To get to it you have to do the following:

In the address bar of Firefox type:
about:config
It will load a config page. In the filter at the top of the page filter for:
browser.cache.check_doc_frequency
Change the value to: 1

Possible settings are:
3 - only check if it seems outdated (Default Setting)
2 - always use cached version
1 - always check for newer version
0 - check for newer version once per session

Sunday, August 1, 2010

USB Install of Backtrack 4 and other good stuff

So, I decided in "preparation" for our Network Security and Vulnerability after-hours working group, I would setup BackTrack Linux 4 – Penetration Testing Distribution. (Who knows if I'll go this week, seeing as my wife might go into labor this week :-) ) This product is open-source and contains many packages that would be used to do network assessments and penetration testing. I wanted my setup to work on any machine and be highly portable, so I decided I would install it in a 16GB thumb drive.

Note: You can get by with only like 4GB (really 8GB to be safe so you can do all the updates), but those that know me have found, I like to go that extra mile.... :-) After installing it, I planned on setting up some extra software packages and I hate to run out of space.....and conveniently I had a 16GB SanDisk laying around. After I was done, my ~14GB of space was left with ~6GB free.

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1             14713768   7681148   6285200  55% /

Note 2: This install is for mobile testing purposes. To really test and educate yourself you would be best off installing a copy on a real VMWare VM with a 40GB disk. I'm not going to go into how to do all that today. I will point you to http://www.offensive-security.com/metasploit-unleashed/ which is a really good tutorial on the MetaSploit framework (part of BackTrack). It will require a 40GB VM to do the whole tutorial.


I have never installed Linux to a thumb drive, so I did some Google searching. That resulted in a few links... most of which were just installing in "Live Boot" mode...which means you lose all changes between every reboot. "Live Mode" has its "upsides" for certain purposes, but I want to keep my stuff around for a while and don't plan on using it in "real on the job" work. The best instructions I found are here:
http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus/
but, this guy wanted you to either have burned the BT-Final.ISO to a CD/DVD, then boot via the CD/DVD, then install to the thumb drive. I didn't really want to waste a DVD/CD....plus he has A LOT of extra steps (since he wants to keep the multiple boot modes). If you want to do that, then great, follow his instructions, they are good.

Here is the quicker way (well, assuming you have VMWare or a DVD/CD). I already have VMWare running on my laptop. So, I created a VM with NO hard drive, mounted the BT-Final.ISO to the VM's CD-ROM, and started the VM. The VM will detect you have a thumb drive and you can use it as its hard drive. (If you don't have VMWare..then you can still do it this way, but you have to burn a CD/DVD and then reboot your real machine with the CD/DVD in the tray.)

So, it's all booted up, and you are sitting at the root@bt# prompt. (Default Login: root/toor)

Startup Networking Services

root@bt# /etc/init.d/networking start
This should go through all your interfaces and get them configured (provided DHCP is running on your network)

Start the Installer
root@bt# startx
(Loads the KDE Desktop)
double-click on the install.sh file on the desktop

Then, just click next on the installer screens until you get to (Step 4 of 7); you should be on the "Prepare Disk Space" screen. It should show your USB drive as the only drive available. (If you booted from CD/DVD, it will show your system disk. DO NOT PICK THAT DISK, you will over-write your system's OS). Basically, make sure the disk you are installing to matches the same size as your thumb drive.

Also, take note of its "device mapping"; it should be something like (sda, sdb, sdc...etc). Whichever one is the thumb drive, take note of that. Mine was sda, since I booted from VMWare and it can't see any other drives.

Now, click next on the installer screens until you get to (Step 7 of 7). Click "Advanced" at the bottom of this screen. In the pop-up change the "Boot Loader" to install on "/dev/sda" (or whatever your thumb drive was (sda, sdb, sdc..etc)).

Ok, this process takes a while. In my case, it took like 35 minutes or so. When done it is time to test the thumb drive. So, shutdown the VMWare box and your whole PC. Leave the thumb drive in (and provided your BIOS is set to boot from the USB) it should boot up off the thumb drive. (If you have VMWare, you can use the PLOP Bootloader ISO to boot the USB drive in a VMWare environment...saving you the trouble of rebooting your whole machine. Just mount the ISO in a VMWare Server CD/DVD drive and start it up.). PLOP Bootmanager can be found here: http://www.plop.at/en/bootmanagerdl.html


Customize the Install


So, login to the system as root and start KDE (startx).

Create a User Account

We need to create a regular user. Logging into a system directly as root is a BAD idea. So, KDE->System->Users and Groups (or in a console window run 'users-admin'). This will pull up the GUI and then you can create a user. You could use the command line 'useradd'...but that is no fun.

Now, add that user (in my case 'cpoma') to the /etc/sudoers file
root@bt# visudo
Add the following line:
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    cpoma ALL=(ALL) ALL
You could just add 'cpoma' to the 'admin' group and avoid this step... same effect

NOW.. LOGOUT!!! AND LOGIN AS THE USER YOU JUST CREATED!!!

So, login to the system as 'cpoma' (or whoever) and start KDE (startx). Open a console, then sudo to root, since you have to be root to do the rest of this stuff....: (I know..why not just stay logged in as root. DON'T DO IT. IT IS A BAD SECURITY PRACTICE!)
cpoma@bt:~$ sudo su
Start Network
root@bt:/home/cpoma# /etc/init.d/networking start
Fix Networking to Start Automatically

Ok, this step is optional, but will save you the trouble of starting the networking stuff up manually every time you boot up:
root@bt:/home/cpoma# /usr/sbin/update-rc.d networking defaults
Wireless Card Configuration

The next issue I had was that the wireless card was not being detected correctly by the KDE Network Monitoring components. I checked that it was detected by the OS by looking at my ifconfig and through the use of Kismet. Kismet could see the card and other networks...KDE in general could not. I fixed this by removing..then reinstalling the "Wicd Network Manager"
root@bt:/home/cpoma# apt-get remove wicd
root@bt:/home/cpoma# apt-get install wicd
It will get installed (and probably remove some components) and it shows up under the start menu KDE->Internet-> Wicd Network Manager. From there you can click the arrow down icon next to your SSID, click on Advanced, fill in your security info, Apply, check automatically connect to this network, and click connect.

Update/Upgrade the Image

Undoubtedly the image from the BT-Final.ISO will be out of date. So, we need to update the system and upgrade out-of-date installed packages. The upgrade step takes a while. To do this:
root@bt:/home/cpoma# apt-get -y update
root@bt:/home/cpoma# apt-get -y upgrade
root@bt:/home/cpoma# apt-get clean
Update the Pentesting Tools

Offensive Security provides an updater to keep Fast-Track, Metasploit, Aircrack-NG, W3Af, Nikto, Milw0rm Exploits, Kismet-Newcore, and SQLMap current. You need to run fast-track from its own directory so make sure you CD into the /pentest/exploits/fasttrack directory.

Just run the following and pick the appropriate options in the updater prompts (I chose option 1(Fasttrack update) then option 12 (update everything)):
root@bt:/home/cpoma# cd /pentest/exploits/fasttrack/
root@bt:/pentest/exploits/fasttrack# ./fast-track.py -i
It will complain that you have never run setup during the update, the stuff is already installed, but doesn't hurt to run the setup utility to make FastTrack "happy":

root@bt:/home/cpoma# cd /pentest/exploits/fasttrack/
root@bt:/pentest/exploits/fasttrack# ./setup.py install
Oddly, if you run setup 1st, you will get stuck in a dependency loop and never actually complete setup... weird.

SSH Setup

By default BackTrack has SSH set up so that root can log in over SSH. Personal Preference: Turn this feature off, log in as a regular user and sudo tasks that require it.
root@bt:/home/cpoma# nano /etc/ssh/sshd_config
Change the parameter “PermitRootLogin” to no. It is around line #26

Next issue I had was that the RSA and DSA host keys didn't exist. When you create them leave the "passphrase" blank. So, to make them run:
root@bt:/home/cpoma# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
root@bt:/home/cpoma# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
Ok, should be all set now, so start it and make it default to started at boot time. It shouldn't print any errors. If you don't want it starting at boot time, skip the second command:
root@bt:/home/cpoma# /etc/init.d/ssh start
root@bt:/home/cpoma# update-rc.d ssh defaults
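An added Python example (mine, not from the post or from BackTrack) that makes the PermitRootLogin change by script instead of in nano, and then reads back the value sshd would actually use. It covers the cases a hand edit can miss: the directive commented out, set more than once (sshd honours the first active one), or present only inside a Match block, where it does not apply globally. The config path and backup suffix are assumptions.

```python
"""Set 'PermitRootLogin no' in an sshd_config and confirm the effective value.

Added example, not part of the blog post or BackTrack. Path and backup
suffix are assumptions; the directive handling follows sshd's rules:
the first active occurrence wins, and a value inside a Match block
applies only to that block, not globally.
"""
import re
import shutil
import sys

DIRECTIVE = "PermitRootLogin"
# Matches the directive whether active or commented out ("#PermitRootLogin yes").
_ANY = re.compile(r"^\s*#?\s*" + DIRECTIVE + r"\b", re.IGNORECASE)
# Matches only an active directive and captures its value.
_ACTIVE = re.compile(r"^\s*" + DIRECTIVE + r"\s+(\S+)", re.IGNORECASE)
_MATCH = re.compile(r"^\s*Match\b", re.IGNORECASE)


def effective_permit_root_login(text):
    """Value sshd uses globally: the first active directive before any Match block.

    Returns None when absent, meaning the compiled-in default applies ("yes" on
    the OpenSSH versions of BackTrack 4's era, "prohibit-password" since 7.0).
    """
    for line in text.splitlines():
        if _MATCH.match(line):
            break
        m = _ACTIVE.match(line)
        if m:
            return m.group(1).lower()
    return None


def set_permit_root_login(text, value="no"):
    """Return config text with exactly one active global 'PermitRootLogin <value>'."""
    out, done, in_match = [], False, False
    for line in text.splitlines():
        if _MATCH.match(line):
            in_match = True
            if not done:  # never seen globally: add it before the first Match block
                out.append(f"{DIRECTIVE} {value}")
                done = True
        if not in_match and _ANY.match(line):
            if not done:  # first occurrence (active or commented): replace it
                out.append(f"{DIRECTIVE} {value}")
                done = True
            elif line.lstrip().startswith("#"):
                out.append(line)  # a later comment is harmless; keep it
            else:
                out.append("#" + line)  # later active duplicate: disable it
            continue
        out.append(line)
    if not done:  # absent and no Match block: append at the end
        out.append(f"{DIRECTIVE} {value}")
    return "\n".join(out) + "\n"


def harden_file(path, backup_suffix=".bak"):
    """Rewrite the file in place (keeping a backup) and return the effective value."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    shutil.copy2(path, path + backup_suffix)
    updated = set_permit_root_login(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return effective_permit_root_login(updated)


if __name__ == "__main__":
    cfg = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    print(f"{cfg}: PermitRootLogin is now {harden_file(cfg)}")
```

Run it as root against /etc/ssh/sshd_config, then run sshd -t to have sshd itself validate the file before you restart the service; the .bak copy is there to diff against or restore.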
Upgrade FireFox

Get the latest version of Firefox from Mozilla.org. For me it was 3.6.8. I downloaded the TAR.BZ2 file and installed it.
root@bt:/home/cpoma# tar xvfj firefox-3.6.8.tar.bz2
root@bt:/home/cpoma# mv firefox /usr/lib/firefox-3.6.8
root@bt:/home/cpoma# rm /usr/bin/firefox
root@bt:/home/cpoma# ln -s /usr/lib/firefox-3.6.8/firefox /usr/bin/firefox
For reference the old pointers were:
lrwxrwxrwx 1 root root 11 2010-07-31 12:39 firefox -> firefox-3.0
lrwxrwxrwx 1 root root 32 2010-07-31 12:39 firefox-3.0 -> ../lib/firefox-3.0.15/firefox.sh
Add some Firefox Plug-in/Add-ons

Go to  https://addons.mozilla.org/en-US/firefox/collection/webdeveloper
and update, install, enable or disable the following plug-ins:
FireBug (updated, enable)
Pixlr (install)
ColorZilla - (install)
TamperData (updated)
ShowIP (install)
GreaseMonkey (updated, leave disabled)
WebDeveloper (install)
FoxyProxy Standard - (updated, leave disabled)
HackBar (remove)
MeasureIt (install)
Live HTTP Headers (install)
User Agent Switcher (install)
Random Other Browser Plugin Configuration Stuff

I wanted Adobe Flash and Adobe Air. So, I went to Adobe's website and downloaded the .deb files for each of the items. The Firefox NoScript Plugin is ON by default so you will have to enable scripts so the downloader will work on Adobe's site. To install them, go to the directory you downloaded them to and run:
root@bt:/home/cpoma# dpkg -i install_flash_player_10_linux.deb
root@bt:/home/cpoma# dpkg -i adobe_air.deb
I also went to Pandora and downloaded the Pandora One player (as I am a Pandora Subscriber and want to listen to music while I work). Basically, you download the .air file. Then, install it using the AIR installer: KDE->Utilities->Adobe AIR Application Installer

Install OpenOffice Office
I would like to use something better than a basic text editor, so I'm going to install OpenOffice. You don't have to do this, but it will be a lot nicer to have this than some random text editor.

This step didn't go so well. In hindsight, you should probably have just run the 'synaptic' installer and it would have probably grabbed everything correctly. I chose to go to OpenOffice.org and download it directly and just install it from the TAR file. It didn't work completely correctly. But, I did get it to work. So, you should probably just run KDE->System->Synaptic Package Manager..... but here is the convoluted set of steps I ended up performing....

Download TAR of the DEB Files directly then:
root@bt:/home/cpoma# tar -xzvf OOo_3.2.1_Linux_x86_install-deb_en-US.tar.gz
root@bt:/home/cpoma# cd OOO320_m18_native_packed-1_en-US.9502/DEBS
root@bt:/home/cpoma/OOO320_m18_native_packed-1_en-US.9502/DEBS# dpkg -i *.deb
root@bt:/home/cpoma/OOO320_m18_native_packed-1_en-US.9502/DEBS# cd desktop-integration
root@bt:/home/cpoma/OOO320_m18_native_packed-1_en-US.9502/DEBS/desktop-integration# dpkg -i *.deb
So, after all that it didn't work..... :-( No worries. Let's see if the GUI installer can help :-)
root@bt:/home/cpoma# synaptic
(will open the Synaptic GUI Software Configuration)

Search for openoffice.org. I get a long list of packages, but notice while scrolling that the OpenOffice parts I downloaded show as installed. However, the top-level OpenOffice suite is not installed, and the English help and thesaurus are missing. So, I check them off and click "Apply" in the top bar. It says it will remove the "desktop integration" menus I installed above, and it needs to download about 41 packages. Ok... can't hurt. Install.

At this point it was still not showing up in the menus.... OK, I'll just add the program group to the menu manually, since I know the parts are all installed. So, right-click on the "KDE" tray icon, choose "Edit the Menu", and manually add the items. The run commands for the various parts of OpenOffice are the following, and each should get its own icon:
ooffice -writer %U
ooffice -calc %U
ooffice -math %U
ooffice -impress %U
ooffice -draw %U
Install Nessus

The Nessus vulnerability scanner is the world leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks. Nessus can be obtained from Tenable Network Security at http://www.nessus.org/download/ As of version 4.2, both the client and the server ship in a single .DEB package.
root@bt:/home/cpoma# dpkg -i Nessus-4.2.2-ubuntu810_i386.deb
Side note: for a podcast with some of the guys from Tenable Network Security, see PaulDotCom Security Weekly (http://pauldotcom.com/security-weekly/)

Ok, so to finish this up, we need to create a Nessus admin user. Leave its rule set EMPTY when asked:
root@bt:/home/cpoma# /opt/nessus/sbin/nessus-adduser
Now, in order for it to work properly, we need to register it by going to:
http://www.tenablesecurity.com/plugins/index.php?view=register
Register and get a key for home-use. It will be emailed to you. After you get it:
root@bt:/home/cpoma# /opt/nessus/bin/nessus-fetch --register [CODE HERE FROM EMAIL]
Lastly, it takes a little while for the Nessus scanner to actually start (like 10 minutes). So, to prevent it from slowing our boot, we will make sure it doesn't start at boot:
root@bt:/home/cpoma# /usr/sbin/update-rc.d -f nessusd remove
You can start it by hand by running:
root@bt:/home/cpoma# /etc/init.d/nessusd start
It listens on port 8834. It will take a minute or two to fully start up. To check its progress, look for the listening socket with:
root@bt:/home/cpoma# netstat -napt
Once the scanner starts, you can log in to it at: https://localhost:8834/

And we are finally done. Well, at least with the stuff I felt like configuring today.

Wednesday, July 28, 2010

Installing Oracle 11gR2 on Fedora 13

So, here is my "short" copy of how to install Oracle 11gR2 on a Fedora 13 box. Sorry if the formatting is a little rough......
 
Pre-Requisite Checks
Hosts File
The /etc/hosts file must contain a fully qualified name for the server:

Example:
    127.0.0.1 localhost localhost.myhost.com localhost
    192.168.1.101 Fedora13Dev Fedora13Dev.myhost.com Fedora13Dev

Set Kernel Parameters
Oracle recommends the following minimum parameter settings:

    fs.aio-max-nr = 1048576
    fs.file-max = 6815744
    kernel.shmall = 2097152
    kernel.shmmax = 536870912
    kernel.shmmni = 4096
    kernel.sem = 250 32000 100 128
    net.ipv4.ip_local_port_range = 9000 65500
    net.core.rmem_default = 262144
    net.core.rmem_max = 4194304
    net.core.wmem_default = 262144
    net.core.wmem_max = 1048586

The current values can be checked with the following command (one parameter at a time):
    /sbin/sysctl -a | grep < command parameter > 
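Rather than grepping one parameter at a time, the following shell script (added here; it is not part of the original post) compares "sysctl -a" style output against the minimums above, field by field. The untuned sample output is constructed; reading the port range as "low end at most 9000, high end at least 65500" is my interpretation of that line.

```shell
# Constructed sample of "sysctl -a" output from an untuned Fedora 13 box.
SAMPLE_SYSCTL='fs.aio-max-nr = 65536
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 33554432
kernel.shmmni = 4096
kernel.sem = 250 32000 32 128
net.ipv4.ip_local_port_range = 32768 61000
net.core.rmem_default = 262144
net.core.rmem_max = 131071
net.core.wmem_default = 262144
net.core.wmem_max = 1048586'
# Oracle's recommended minimums from the list above, "name value(s)" per line.
ORACLE_MINIMUMS='fs.aio-max-nr 1048576
fs.file-max 6815744
kernel.shmall 2097152
kernel.shmmax 536870912
kernel.shmmni 4096
kernel.sem 250 32000 100 128
net.ipv4.ip_local_port_range 9000 65500
net.core.rmem_default 262144
net.core.rmem_max 4194304
net.core.wmem_default 262144
net.core.wmem_max 1048586'
# get_param NAME OUTPUT: print the value part of the "NAME = value" line.
get_param() { printf '%s\n' "$2" | awk -v n="$1" -F' = ' '$1 == n { print $2 }'; }
# field_ok NAME INDEX CURRENT REQUIRED: every field must be >= the minimum, except
# the low end of the port range, which must be <= 9000 (my reading, not Oracle's).
field_ok() {
    if [ "$1" = net.ipv4.ip_local_port_range ] && [ "$2" -eq 1 ]; then
        [ "$3" -le "$4" ]; else [ "$3" -ge "$4" ]; fi
}
# check_params OUTPUT: print one line per shortfall; return 0 only if all pass.
check_params() {
    failures=0
    while read -r name required; do
        current=$(get_param "$name" "$1")
        [ -z "$current" ] && { echo "$name: not set"; failures=$((failures + 1)); continue; }
        i=1
        for req in $required; do
            cur=$(printf '%s\n' "$current" | awk -v i="$i" '{ v = $i; if (v == "") v = 0; print v }')
            field_ok "$name" "$i" "$cur" "$req" || { echo "$name: field $i is $cur, required $req"; failures=$((failures + 1)); }
            i=$((i + 1))
        done
    done <<EOF
$ORACLE_MINIMUMS
EOF
    [ "$failures" -eq 0 ]
}
check_params "$SAMPLE_SYSCTL" || echo "kernel parameters below Oracle minimums"
```

On a real box, run check_params "$(/sbin/sysctl -a)" as root instead of the constructed sample.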

Add or amend the following lines in the "/etc/sysctl.conf" file. The raw Fedora 13 install didn’t have any of these, so I just added them to the end of the sysctl.conf file.

           fs.aio-max-nr = 1048576
           fs.file-max = 6815744
           kernel.shmall = 2097152
           kernel.shmmax = 536870912
           kernel.shmmni = 4096
           # semaphores: semmsl, semmns, semopm,semmni
           kernel.sem = 250 32000 100 128
           net.ipv4.ip_local_port_range = 9000 65500
           net.core.rmem_default=4194304
           net.core.rmem_max=4194304
           net.core.wmem_default=262144
           net.core.wmem_max=1048586

Run the following command to load the new kernel parameters:

           /sbin/sysctl -p

Add the following lines to the /etc/security/limits.conf file:

           oracle soft nproc 2047
           oracle hard nproc 16384
           oracle soft nofile 1024
           oracle hard nofile 65536

Add the following line to the /etc/pam.d/login file:

           session required pam_limits.so

Disable SELinux (or set it to permissive) by editing the /etc/selinux/config file and making sure the SELINUX flag is set to one of the following:

           SELINUX=permissive
OR
           SELINUX=disabled

NOTE: You could use the GUI tool instead (Applications -> System Settings -> Security Level). Click on the SELinux tab and set it to disabled or permissive. (You need to reboot if you disable it.)

Update/Install Required Modules

I cheated here. Some of the modules might already have existed… but if you run this it will update them. And, since I used wildcards, it added a few I didn’t need… but I’m not concerned. You need to be root for this:

           yum install binutils-2.* \
             nano \
             elfutils-libelf* \
             gcc-4.* \
             gcc-c++-4.* \
             glibc-2.* \
             glibc-common-2.* \
             glibc-devel-2.* \
             glibc-headers-2.* \
             ksh* \
             libgomp-4.* \
             libgcc-4.* \
             make-3.* \
             sysstat* \
             libaio-* \
             glibc-2* \
             compat-libstdc++* \
             libgcc-* \
             libstdc++* \
             unixODBC*

Create the new groups and users
You need to be root for this:

           groupadd oinstall
           groupadd dba
           groupadd oper
           groupadd asmadmin
           useradd -g oinstall -G dba,oper,asmadmin oracle
           passwd oracle

Note: the "asmadmin" group is for ASM. I’m not planning on using ASM, so it’s just getting created for thoroughness. I’m going to lock it in the OS.


Create the directories in which the Oracle software will be installed
You need to be root for this:

           mkdir -p /u01/app/oracle/product/11.2.0/db_1
           chown -R oracle:oinstall /u01
           chmod -R 775 /u01

As root, issue the following command
I’m not doing it via an xterm connection… so you could skip this:

           xhost +<machinename>

Log in as the oracle user and add the following lines at the end of the .bash_profile file

           # Oracle Settings
           export TMP=/tmp
           export TMPDIR=$TMP
           export ORACLE_HOSTNAME=Fedora13Dev
           export ORACLE_UNQNAME=DB11G
           export ORACLE_BASE=/u01/app/oracle
           export ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1
           export ORACLE_SID=DB11G
           export ORACLE_TERM=xterm
           export PATH=/usr/sbin:$ORACLE_HOME/bin:$PATH
           export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib
           export CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib

           # Raise the process and open-file limits for the oracle user
           if [ "$USER" = "oracle" ]; then
             if [ "$SHELL" = "/bin/ksh" ]; then
               ulimit -p 16384
               ulimit -n 65536
             else
               ulimit -u 16384 -n 65536
             fi
           fi

Edit the /etc/redhat-release file
Replace the current release information (Fedora release 13 (Goddard)) with the following, so the Oracle installer sees a supported release:

           redhat release 5

Procedure to add a swap file
Depending on your current config, you might need to add more swap space. Use the dd command to create the swap file, then the mkswap command to set up a Linux swap area on a device or in a file. As root:

Create a 512MB swap file (512MB in 1024-byte blocks = 524288 blocks):

           dd if=/dev/zero of=/myextraswap bs=1024 count=524288
           mkswap /myextraswap
           swapon /myextraswap
This will only work until the box is rebooted, so to make it permanent you need to add an entry to the /etc/fstab file:

           nano /etc/fstab

Add following line:

           /myextraswap swap swap defaults 0 0

Ok. So, at this point you are ready to run the Oracle 11gR2 installer. However, it is going to fail when it tries to compile/link the Oracle Enterprise Manager parts. (The error will be something like “'agent nmhs' linking error”.) So, in order to avoid this I recommend the following:

How to avoid the 'agent nmhs' linking Error

When you start to install with ./runInstaller (you should be running this as the ‘oracle’ user), spawn another terminal window as root. While runInstaller is executing the “Install Product” phase, run:

           ls /u01/app/oracle/product/11.2.0/db_1/sysman/lib/ins_emagent.mk

At first this will produce an error, as the “Install Product” phase will not have created this file yet.
Once the file exists, do:

           nano /u01/app/oracle/product/11.2.0/db_1/sysman/lib/ins_emagent.mk

Search for the line

           $(MK_EMAGENT_NMECTL)

Change it to:

           $(MK_EMAGENT_NMECTL) -lnnz11

Save the file. If you are fast enough, everything should just compile and be happy…. If you get an error, you were not fast enough… just finish your edit then click on “Retry” in the popup.
The official linking error is:

           INFO: /usr/bin/ld:
           /u01/app/oracle/product/11.2.0/db_1/sysman/lib/libnmectl.a(nmectlt.o):
           undefined reference to symbol 'B_DestroyKeyObject'
           /usr/bin/ld: note: 'B_DestroyKeyObject' is defined in DSO
           /u01/app/oracle/product/11.2.0/db_1/lib/libnnz11.so so try adding it to
           the linker command line /u01/app/oracle/product/11.2.0/db_1/lib/libnnz11.so:
           could not read symbols: Invalid operation
           collect2: ld returned 1 exit status

This means that the gcc linker phase lacked the "-lnnz11" option.
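Since the edit is a race against the installer, here is the same fix as a shell script that polls for the makefile and applies the change once (added here; not from the original post or from Oracle). The makefile path is the one above; the one-second poll interval, the timeout handling and the idempotency check are my additions.

```shell
# Path the post gives for the makefile; the installer only creates it partway
# through the "Install Product" phase, which is why editing it by hand is a race.
EMAGENT_MK=/u01/app/oracle/product/11.2.0/db_1/sysman/lib/ins_emagent.mk

# add_nnz11 FILE: append " -lnnz11" to the $(MK_EMAGENT_NMECTL) line. Skips
# the edit if the flag is already present so a second run does not double it.
add_nnz11() {
    grep -q '[$](MK_EMAGENT_NMECTL) -lnnz11' "$1" && return 0
    sed 's/^\([[:space:]]*[$](MK_EMAGENT_NMECTL)\)[[:space:]]*$/\1 -lnnz11/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# wait_and_patch FILE TIMEOUT: poll once a second until the installer writes
# FILE, then patch it; returns 1 if FILE never appears within TIMEOUT seconds.
wait_and_patch() {
    waited=0
    until [ -f "$1" ]; do
        [ "$waited" -ge "$2" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    add_nnz11 "$1"
}

# Run as root in the second terminal while ./runInstaller is running as oracle:
# wait_and_patch "$EMAGENT_MK" 1800
```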

Post Installation

Re-Edit the /etc/redhat-release file
Replace the current release information (redhat release 5) with the original:

           Fedora release 13 (Goddard)

If you didn’t choose to create a DB during the install, you will need to run the Network Configuration Assistant (netca) and the Database Configuration Assistant (dbca):

           netca
           dbca

netca was used to create a default listener. Its configuration file will be located at:
/u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora

Sometimes the listener doesn't register the DB correctly at startup. So, to "force" it, I like to hard-code the instance into the listener file. Here is an example of that:
SID_LIST_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (GLOBAL_DBNAME=DB11G)
      (ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1)
      (SID_NAME=DB11G)
    )
  )
You can test that your listener can see your DB using the tnsping command-line tool, or by checking:
lsnrctl status

Edit the /etc/oratab file
Now, set the restart flag for the instance to 'Y' so it is started with the dbstart scripts. This assumes you took the default ORACLE_SID (DB11G) when creating the database.

           DB11G:/u01/app/oracle/product/11.2.0/db_1:Y