Wednesday, May 27, 2009

Nessus 4.0.1 in Backtrack3

Due to license redistribution issues, Nessus, one of the powerful VA tools, is not included in Backtrack 3 Final.

Here is my attempt at installing Nessus 4 on Backtrack 3:

1. Download Nessus and NessusClient from http://nessus.org/download/
2. Install Nessus
Nessus-4.0.1-linux-generic32.tar.gz
gunzip Nessus-4.0.1-linux-generic32.tar.gz
tar -xvf Nessus-4.0.1-linux-generic32.tar
cd Nessus-4.0.1
./install.sh

Follow the install instructions, then add a Nessus user:
/opt/nessus/sbin/nessus-adduser
This should get Nessus installed. Now, update the plugins:
cd /opt/nessus/etc/nessus
nessus-fetch --register XXX-YYY-ZZZ-VVV

Run the Nessus Server:
/opt/nessus/sbin/nessus-service -D

3. Install NessusClient
NessusClient-4.0.1-es4.i386.rpm
rpm2tgz NessusClient-4.0.1-es4.i386.rpm
installpkg NessusClient-4.0.1-es4.i386.tgz
cp /usr/lib/libssl.so.0.9.8 /lib
cp /usr/lib/libcrypto.so.0.9.8 /lib
cd /lib
ln -s libcrypto.so.0.9.8 libcrypto.so.4
ln -s libssl.so.0.9.8 libssl.so.4
Launch the client:
/opt/nessus/bin/NessusClient
It worked!

A few other attempts that failed:
1. I downloaded the fc10 rpm version of NessusClient and ran rpm2tgz and installpkg on it. On execution, the following dependency error was shown:

NessusClient: error while loading shared libraries: libQtXml.so.4: cannot open shared object file: No such file or directory

I solved it by installing the related rpms one by one as each error showed up:

NessusClient: /usr/lib/libstdc++.so.6: version 'GLITCXX_3.4.9' not found (required by NessusClient)

NessusClient: /usr/lib/libpng12.so.0: no version information available (required by /usr/lib/libQtGui.so.4)

NessusClient: /usr/lib/libgcc_s.so.1: version 'GCC_4.2.0' not found (required by /usr/lib/libstdc++.so.6)

It got stuck at GCC_4.2.0.

2. The nessus.org download page is hard to access and needs refreshing.
3. For HomeFeed, the same email account can register a few times to get different keys.
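Added example, not from the original post and not Nessus code: the NessusClient failures above were all the dynamic loader refusing to start the binary, and the fix that worked was copying two OpenSSL libraries and giving them the .so.4 names the client expected. The helper below is mine: missing_shared_libs picks every unresolved name out of ldd output so the whole list is visible at once instead of one error per launch, and link_compat_libs does the copy-and-symlink step idempotently and checks that each symlink resolves. The source and destination directories are parameters (they would be /usr/lib and /lib as in the post); the demo runs against a scratch directory with empty placeholder files, which is constructed input.

```shell
#!/bin/sh
# Added example, not from the original post or from Nessus: a helper for the
# "cannot open shared object file" class of failures seen with NessusClient.
# missing_shared_libs lists every unresolved library from ldd output at once;
# link_compat_libs does the copy-and-symlink step from the post idempotently
# and verifies it. Directories are parameters; the demo uses a scratch
# directory with empty placeholder files (constructed input), not /lib.

# Read `ldd <binary>` output on stdin; print each library marked "not found".
missing_shared_libs() {
    awk '/=> not found/ { print $1 }'
}

# $1 = directory holding the real libraries (/usr/lib in the post)
# $2 = directory where the old sonames must appear (/lib in the post)
# Copies libssl/libcrypto .so.0.9.8 into $2 if absent and adds the .so.4
# symlinks if absent, then checks that each symlink resolves.
link_compat_libs() {
    src="$1"; dst="$2"
    for lib in libssl libcrypto; do
        real="$lib.so.0.9.8"
        compat="$lib.so.4"
        [ -f "$src/$real" ] || { echo "missing $src/$real" >&2; return 1; }
        if [ ! -f "$dst/$real" ]; then
            cp "$src/$real" "$dst/$real" || return 1
        fi
        if [ ! -e "$dst/$compat" ]; then
            ln -s "$real" "$dst/$compat" || return 1
        fi
        # a dangling or wrong symlink still fails the loader, so resolve it
        [ -e "$dst/$compat" ] || { echo "$dst/$compat does not resolve" >&2; return 1; }
    done
    return 0
}

demo() {
    # constructed ldd output resembling the errors in the post
    printf 'libQtXml.so.4 => not found\n\tlibc.so.6 => /lib/libc.so.6 (0x00000000)\n' | missing_shared_libs
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/usr" "$tmp/lib"
    : > "$tmp/usr/libssl.so.0.9.8"
    : > "$tmp/usr/libcrypto.so.0.9.8"
    link_compat_libs "$tmp/usr" "$tmp/lib" && ls -l "$tmp/lib"
    rm -rf "$tmp"
}
demo
```

On the real box the first function is used as `ldd /opt/nessus/bin/NessusClient | missing_shared_libs`. Keep in mind that the .so.4 symlink makes the client load an OpenSSL build it was never linked against; it worked here because the ABI happened to be compatible, so re-run the ldd check after any OpenSSL upgrade rather than assuming the links still hold.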

Sunday, May 24, 2009

MWDB : Symfony setup



Just found an easy way to install Symfony, a PHP web framework. The reason I tried this is the Malware Database (MWDB) project by Honeynet Malaysia. The Ubuntu Jaunty repository only provides v1.0.19.

gento@localhost:~$ sudo pear channel-discover pear.symfony-project.com
gento@localhost:~$ sudo pear install symfony/symfony-1.1.4

It was done in minutes, an easier way than make, make install...

Following the INSTALL instructions by spoonfork, I loaded http://mwdb in Firefox.

Error in /opt/lampp/var/www/mwdb/cache/frontend/dev/config/config_routing.yml.php,

"Fatal error: Class 'sfRoute' not found in....."

I simply renamed this to config_routing.yml.php1, and a new config_routing.yml.php was generated without the sfRoute function.


Reload the page, another problem found:

Warning: session_start() [function.session-start]: open(/var/www/mwdb/web/tmp/sess_93c6af070dc8acf754ec25e34d7badaf, O_RDWR) failed: No such file or directory (2) in /usr/share/php/symfony/storage/sfSessionStorage.class.php on line 94

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /usr/share/php/symfony/storage/sfSessionStorage.class.php:94) in /usr/share/php/symfony/storage/sfSessionStorage.class.php on line 94

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /usr/share/php/symfony/storage/sfSessionStorage.class.php:94) in /usr/share/php/symfony/storage/sfSessionStorage.class.php on line 94

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/php/symfony/storage/sfSessionStorage.class.php:94) in /usr/share/php/symfony/response/sfWebResponse.class.php on line 296

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/php/symfony/storage/sfSessionStorage.class.php:94) in /usr/share/php/symfony/response/sfWebResponse.class.php on line 310


Warning: session_write_close() [function.session-write-close]: open(/var/www/mwdb/web/tmp/sess_93c6af070dc8acf754ec25e34d7badaf, O_RDWR) failed: No such file or directory (2) in /usr/share/php/symfony/user/sfUser.class.php on line 269

Warning: session_write_close() [function.session-write-close]: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/www/mwdb/web/tmp) in /usr/share/php/symfony/user/sfUser.class.php on line 269

The problem should be solved if we set session.save_path correctly, e.g. session.save_path = "/opt/lampp/var/www/mwdb/web/tmp/" in /etc/php.ini of LAMPP. Yet it was not solved after a thousand tries! I suspect it is due to an incompatibility or bug between LAMPP v1.7.1 and Symfony v1.4.1.
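Added example, not from the original post and not Symfony or LAMPP code: before patching the framework, the check I would run is on the session directory as PHP sees it. The warnings above say open() on the sess_ file failed with "No such file or directory", so the first questions are whether the directory named in that warning exists and is writable by the web server's user, and whether it is the same directory the php.ini setting points at. The functions below parse the warning text (copied from the post), check the directory, and compare it against the session.save_path line of a php.ini; the demo uses a scratch directory and a constructed php.ini fragment.

```shell
#!/bin/sh
# Added example: not from the original post, Symfony or LAMPP. Checks the
# session directory the way PHP will use it before any framework code is changed.
# The warning text in the demo is copied from the post; the scratch directory
# and php.ini fragment are constructed for this example.

# Pull the directory PHP tried to open out of a session_start() warning
# ("open(/path/sess_xxx, O_RDWR) failed"). Reads the warning on stdin,
# prints the directory part, returns 1 if no such path is present.
session_dir_from_warning() {
    f=$(sed -n 's/.*open(\([^,]*\), O_RDWR).*/\1/p' | head -n 1)
    [ -n "$f" ] || return 1
    dirname "$f"
}

# Check a session directory: it must exist, be a directory, and be writable
# by the invoking user. Run it as the web server's user (sudo -u <user>) to
# test the permissions PHP actually gets. Returns 0 ok, 1 missing,
# 2 not a directory, 3 not writable; the reason goes to stderr.
check_session_dir() {
    d="$1"
    [ -e "$d" ] || { echo "$d: does not exist (this is PHP's 'No such file or directory')" >&2; return 1; }
    [ -d "$d" ] || { echo "$d: not a directory" >&2; return 2; }
    probe="$d/.sess_probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    echo "$d: not writable by $(id -un)" >&2
    return 3
}

# Compare the session.save_path set in a php.ini ($1) with the directory
# PHP reported in the warning ($2). Returns 0 when they agree (trailing
# slash ignored), 1 when they differ, 2 when php.ini has no active setting
# (a line commented out with ';' does not count).
ini_matches_warning() {
    ini_path=$(sed -n 's/^[[:space:]]*session\.save_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1)
    [ -n "$ini_path" ] || return 2
    if [ "${ini_path%/}" = "${2%/}" ]; then return 0; else return 1; fi
}

# Demo with the first warning from the post and a constructed php.ini.
demo() {
    warning='Warning: session_start() [function.session-start]: open(/var/www/mwdb/web/tmp/sess_93c6af070dc8acf754ec25e34d7badaf, O_RDWR) failed: No such file or directory (2) in /usr/share/php/symfony/storage/sfSessionStorage.class.php on line 94'
    dir=$(printf '%s\n' "$warning" | session_dir_from_warning)
    echo "PHP tried to use: $dir"
    check_session_dir "$dir" || echo "-> fix the directory before touching sfSessionStorage"

    tmp=$(mktemp -d) || return 1
    printf 'session.save_path = "/opt/lampp/var/www/mwdb/web/tmp/"\n' > "$tmp/php.ini"
    if ini_matches_warning "$tmp/php.ini" "$dir"; then
        echo "php.ini and the warning agree on the directory"
    else
        echo "php.ini points elsewhere than the directory PHP used; check which php.ini LAMPP loads"
    fi
    rm -rf "$tmp"
}
demo
```

The point of the comparison is that the warning shows the directory PHP actually used, while php.ini shows the one you intended; when they differ, the running PHP is reading a different ini file (or the value is overridden elsewhere), and commenting out session_start() only hides that.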

I decided to disable the session function by commenting out session_start() and session_write_close().

In /usr/share/php/symfony/storage/sfSessionStorage.class.php ( Line 94)


if ($this->options['auto_start'] && !self::$sessionStarted)
{
// session_start(); // modify by gento
self::$sessionStarted = true;
}

In /usr/share/php/symfony/user/sfUser.class.php (Line 269)

// write culture to the storage
$this->storage->write(self::CULTURE_NAMESPACE, $this->culture);

//session_write_close(); // modify by gento
}


It works! Now I have exactly the same mwdb layout as http://mwdb.my-honeynet.org/.

The current mwdb in my-honeynet.org only works well with Symfony v1.1.4; I tried v1.0.19 and the latest v1.2.7, and both gave errors.

Next : automated submission script for sample data analysis to mwdb

Friday, May 22, 2009

Windows LiveCD

Today I needed to create a LiveCD for WinXP. It should be quite a simple task with PEBuilder (http://www.nu2.nu/pebuilder). I found that PEBuilder will error if we feed it an OEM version of Windows. As I only have a Dell OEM Reinstallation CD, it kept showing 4 errors and 1 warning when I tried to build. All 4 errors relate to 4 files I can't delete, even manually. The only way to delete the files is in Safe Mode. Too bad, the building process still fails in Safe Mode.

I tried UBCD4Win v3.5 as well. Still met with some error related to DeleteFile(). I can say that Dell has modified the OEM version and PEBuilder is not able to recognise it.

Solution: I will search for a non-OEM version of the Win XP CD; I think this should work well, as mentioned by a lot of people on the forum.


Scribble: VMware Player can play VM images well, and we don't need to pay for a license. We can install new apps in the image as well. Tested!

Wednesday, May 20, 2009

F-13 labs

Just found a VX community founded by a Malaysian (lclee_vx). This independent group has quite a number of VX sources and techniques available on their website. I just read through "Cracking Password with Only Physical Access", which demonstrates some kiddie skill, but is useful for some particular cases. I also glanced through the paper that lclee_vx presented at DEFCON 16, entitled "Comparison Virus on Windows Platform and Linux Platform". I am familiar with the PE format but have yet to learn ELF.

Not sure how active the group is now. I will spend my time this week browsing the site.

http://www.f13-labs.net

Monday, May 18, 2009

Wireshark & N-map


Today starts my internship at Firmus Security. The Hacking Exposed 6th Edition on the table totally caught my eye. I spent around 2 hours on it, since there was no assignment yet.

I briefly read through the "Hacking the Code" and "Malware" parts and was able to recall some common techniques: buffer overflow, heap overflow, format string attack, off-by-one error. From the rootkit part I gained quite a lot. Hacker Defender a.k.a. hxdef is elaborated in quite some detail in it. I wonder how famous this rootkit is now?

Emm, today is my first time touching Wireshark, and since the NIC is in promiscuous mode, it is able to capture traffic. I will work more on the analysis soon.

Nmap GUI, just played with it now. I still stick to my favourite TCP SYN scan:

#nmap -sS -O 192.168.1.1-254

More to go.. Woot!

Two nice JAVA libraries that I tried

It has been a tough 2 weeks of May. I had to rush the ELISSA project (Early Intervention Support System for Special Children). It is a Java + MySQL based app. Integrating it with RFID and serial was a real headache.

Two nice Java libraries that I have tried:

1. JFreeChart, indeed a nice library for chart plotting and displaying. We can easily manipulate the input, axis labels and which type of chart is displayed. I used BarChart3DDemo4.java, provided in the demo set, since the threshold needs to be set and displayed above the result.

Example of the axis label manipulation that I changed:

ModuleBarChart graph1 = new ModuleBarChart("Result 1");
graph1.charttitle = "Fine motor";
graph1.xaxistitle = "Subgroup";
graph1.xlabel1 = "Swimming";
graph1.ylabel1 = 5;
graph1.chartDisplay();


2. iText PdfWriter, an easy-to-use library to make the app output in PDF format. Their website provides some dummy samples and I managed to get it working after a few tries. The output PDF file will be created in your current working directory.

// Imports for iText 2.x/4.x (the com.lowagie package used in 2009); the
// enclosing class name ElissaReport is a placeholder added here, the
// original snippet had no class wrapper or imports.
import java.io.FileOutputStream;
import java.io.IOException;

import com.lowagie.text.Document;
import com.lowagie.text.DocumentException;
import com.lowagie.text.Image;
import com.lowagie.text.Paragraph;
import com.lowagie.text.pdf.PdfWriter;

public class ElissaReport {

    public static void main(String[] args) {

        String text = " ELISSA Assessment result test";
        String imgpath = "resources/images/dataguiback.jpg";

        System.out.println("ELISSA report");

        // step 1: creation of a document-object
        Document document = new Document();
        try {
            // step 2:
            // we create a writer that listens to the document
            // and directs a PDF-stream to System.out (and a txt file)
            PdfWriter w = PdfWriter.getInstance(document, System.out);
            w.setCloseStream(false); // System.out should not be closed
            PdfWriter.getInstance(document,
                    new FileOutputStream("output.pdf"));

            // step 3: we open the document
            document.open();
            // step 4: we add a paragraph to the document
            document.add(new Paragraph(text));

            document.add(new Paragraph("Assessment Result"));
            Image jpg = Image.getInstance(imgpath);
            document.add(jpg);

        } catch (DocumentException de) {
            System.err.println(de.getMessage());
        } catch (IOException ioe) {
            System.err.println(ioe.getMessage());
        }

        // step 5: we close the document
        document.close();
    }
}

Friday, May 1, 2009

Szprotect

Just read this thesis by a senior about Szprotect; its features are quite similar to ASPack.

5 main features:

a. Code protection (the aPLib compression library indirectly gives an encryption effect)
b. Import table hiding
c. Anti-debugger protection
d. Resource hiding
e. Extra protection

The anti-debugging techniques are as below:
a. Use the driver that is used by SoftICE. If the original driver is detected, a flag is toggled.
b. For Ring 3 debuggers, read the PEB (process environment block) for certain values.
c. Copy IsDebuggerPresent() from kernel32.dll into Szprotect. This may avoid the bypass.

These are going to take up my holiday:

1. "Reversing: Secrets of Reverse Engineering", Eldad Eilam (2005)
2. "The Shellcoder's Handbook: Discovering and Exploiting Security Holes", Jack Koziol (2004)
3. "EXE Tools forum" http://forum.exetools.com
4. "Reversing Labs" http://ap0x.jezgra.net
5. "pediy" http://bbs.pediy.com


Nepenthes 0.2.2 build from source

This is how I installed nepenthes 0.2.2 on a newly installed Ubuntu 8.04. The current Ubuntu repository only has v0.2.0, so I built from source.

$ ./configure

1. (Error) /usr/bin/ld: crt1.o: No such file: No such file or directory
Solution: $ sudo apt-get install libc6-dev

2. (Error) configure: error: libcurl curl-config was not found in PATH
Solution: $ sudo apt-get install libcurl4-gnutls-dev libcurl4-openssl-dev

3. (Error) configure: error: libpcre is missing - install it please)
Solution: $ sudo apt-get install libpcre3-dev

4. (Error) configure: error: libmagic is missing - install it please
Solution: $ sudo apt-get install libmagic-dev

5. (Error) configure: error: at least one dnsresolver has to work
Solution: $ sudo apt-get install libadns1-dev

In short:

$ sudo apt-get install libc6-dev libcurl4-gnutls-dev libcurl4-openssl-dev libpcre3-dev libmagic-dev libadns1-dev libtool g++

$ sudo make

$ sudo make install

Without any configuration, I ran it straight away:

gento@localhost:/opt/nepenthes/bin$ sudo ./nepenthes -u nepenthes

Nepenthes Version 0.2.2
Compiled on Linux/x86 at Apr 30 2009 19:32:57 with g++ 4.2.4 (Ubuntu 4.2.4-1ubuntu3)
Started on gento running Linux/i686 release 2.6.24-19-generic

[ info mgr ] Loaded Nepenthes Configuration from "/opt/nepenthes/etc/nepenthes/nepenthes.conf".
[ info sc module ] Loading signatures from file var/cache/nepenthes/signatures/shellcode-signatures.sc
[ debug info fixme ] Logfile var/log/nepenthes.log ownership is now 1001:0 (nepenthes:root)
[ info mgr ] The process 24754 was given capabilities = cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot+eip
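Added example (my own, not nepenthes code): from a least-privilege point of view the two most useful lines in that startup banner are the logfile ownership and the capability set the process was given. The functions below parse those lines, compare the capabilities against an allow list and fail if the log is still root-owned. The log lines in the demo are the ones from the post; the allow list is this example's assumption (the six capabilities shown above), not something nepenthes itself documents.

```shell
#!/bin/sh
# Added example, not part of the original post: checks run against the
# nepenthes startup banner to confirm the daemon dropped to the unprivileged
# "nepenthes" user with only the capabilities it needs. The log lines in
# SAMPLE_LOG are copied from the post; ALLOWED_CAPS is an assumption of this
# example (the set the post shows), not something nepenthes documents.

# Print the capability list from a "was given capabilities = ..." log line,
# one capability per line, with the "+eip" flag suffix removed.
caps_from_log() {
    sed -n 's/.*capabilities = \([^ ]*\).*/\1/p' | sed 's/+[a-z]*$//' | tr ',' '\n'
}

# Print any capability read from stdin (one per line) that is not in the
# space-separated allow list $1. Returns 1 if any were found, else 0.
unexpected_caps() {
    allowed=" $1 "
    found=0
    while IFS= read -r cap; do
        [ -z "$cap" ] && continue
        case "$allowed" in
            *" $cap "*) ;;
            *) echo "$cap"; found=1 ;;
        esac
    done
    return $found
}

# Take the uid from the "ownership is now uid:gid" line and fail if it is 0,
# i.e. the logfile is still owned by root rather than the service account.
# (The post shows 1001:0, so the group is still root; only the uid is checked.)
log_owner_unprivileged() {
    owner=$(sed -n 's/.*ownership is now \([0-9]*\):[0-9]*.*/\1/p' | head -n 1)
    if [ -n "$owner" ] && [ "$owner" -ne 0 ]; then return 0; else return 1; fi
}

ALLOWED_CAPS="cap_setgid cap_setuid cap_net_bind_service cap_net_admin cap_net_raw cap_sys_chroot"

# $1 = startup log text. Returns 0 when every capability is in ALLOWED_CAPS
# and the logfile owner is not root; 1 on an unexpected capability; 2 on a
# root-owned (or unparseable) logfile line.
check_startup_log() {
    printf '%s\n' "$1" | caps_from_log | unexpected_caps "$ALLOWED_CAPS" >/dev/null || return 1
    printf '%s\n' "$1" | log_owner_unprivileged || return 2
    return 0
}

# Demo with the two lines from the post (constructed sample input).
SAMPLE_LOG='[ debug info fixme ] Logfile var/log/nepenthes.log ownership is now 1001:0 (nepenthes:root)
[ info mgr ] The process 24754 was given capabilities = cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot+eip'

check_startup_log "$SAMPLE_LOG" && echo "nepenthes dropped privileges as expected"
```

In practice the check runs over the real log (`check_startup_log "$(cat /opt/nepenthes/var/log/nepenthes.log)"` with the paths from the post), and the allow list should be tightened to whatever the local build actually needs; cap_net_admin and cap_net_raw are the ones to question first on a sensor that only listens on sockets.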


For testing, I browsed to http://localhost with Mozilla Firefox:

[ warn dia ] Unknown IIS 351 bytes State 2
[ warn dia ] Unknown IIS 351 bytes State 2
[ warn dia ] Unknown IIS 332 bytes State 2


Bingo! Next, get exposed to the external network! Adrenaline level up. Wooot.