Thursday, April 8, 2010

Flawfinder - Source code examiner tool

Flawfinder, nice source code examiner tool for security issues and vulnerability. It is a source code static analysis tool written by David Wheeler and it managed to detect several RealNetwork application flaw in year 2005. Even this happened quite a while ago, I believe that the tool has the real value and applicable for certain extent.

How it works?


As stated from the site http://www.dwheeler.com/flawfinder/, Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()). The good thing is that you don't have to create this database - it comes with the tool.

Flawfinder then takes the source code text, and matches the source code text against those names, while ignoring text inside comments and strings (except for flawfinder directives).

Installation

Simple as normal.

gento@localhost~:$sudo apt-get install flawfinder

How to use?

gento@localhost~:$flawfinder directory-contain-sourcecode

The testing can be done with the offcial test.c

I have create a simple C program, to read input from stdio and output it to a temp.txt The code as below :

#include
#include

int main()
{
char *string_input;
int bytes_read;
int nbytes = 50;

FILE *fp;
char outputFilename[] = "temp.txt";
puts ("Coded by gento_");
puts ("Please enter the text. Your input will be stored in temp.txt : ");

string_input = (char *) malloc (nbytes + 1);
bytes_read = getline (&string_input, &nbytes, stdin);

fp = fopen(outputFilename, "w");

if (!fp)
{
puts ("ERROR : Cannot write to tmp.txt. Please check the folder and file permission ");
}

if (bytes_read == -1)
{
puts ("ERROR!");
}
else
{
puts ("The input that you typed:");
puts (string_input);
fputs(string_input,fp);
}

free(string_input);
fclose(fp);
return 0;
}

The test result of flawfinder as below :

Wednesday, April 7, 2010

Scapytain

Just come across a web application that enables you to store, organise and run test campaigns on top of Scapy : Scapytain. This tool may help to relief the pain to scapy-based testing. This can be used to build the SMB test bed for Dionaea, since Dionaea SMB stack is build on Scapy.

From the official site http://www.secdev.org/projects/scapytain/, some term we need to clear with :
Test
A small python snippet that can succeed (returns True or None) or fail (returns False or raises an exception)
Objective
A property you want to verify. The verification is done by one or more tests.
Test Plan
A set of objectives.
Test mean
A collection of equipments used for the tests. Each test mean can be given some initialization code that will be run before the tests so that test's implementation can be independant of things such as target IP addresses, etc.
Campaign
A set of test plans to run through.
Campaign run
One complete or partial run of all tests regarded by objectives in campaign's test plans.

I have installed Scapytain in my machine, and 1 dependencies which needed but not mention in the manual :

gento@localhost:~$sudo apt-get install python-trml2pdf

The test mean :
target="192.168.1.23"

The simple test code :

a=IP()/TCP()
a.src="192.168.1.10"
a.dst=target
a.sport=1122
a.dport=80
b=a/NBTSession()/SMBNegotiate_Protocol_Request_Header()
c=b/SMBSession_Setup_AndX_Response()
c
send(c)

The test result is Passed and my netcat which listen on port 80 has show the connection.

Monday, April 5, 2010

Dionaea XMPP function

Dionaea has used XMPP for the distributed sensor setup and secure messaging purpose. The implementation has code by Markus, the author of Dionaea and commited the overall code at Feb 2010. The configuration as shown :

Dionaea --> XMPP server (Prosody) --> Backend (Store the streamed data into disk or postgre)

The Dionaea sensor will act as the client connect to XMPP server. The sensor will auto-join the specific Groupchat channel which is "anon-events" and "anon-files". With the JABBER/XMPP client such as Psi joined the channel, we may obtain the dionaea event log from the distributed network. Love this idea very much.

I have try to setup XMPP server for local use. I followed the guideline which blogged by Markus http://carnivore.it/?btng[post][tags]=xmpp Several modification I have made to suit my local environment

Simple note :

1. Dionaea will only support for Legacy SSL in XMPP connection. Port 5223 must in listening state for the complete connection. Port 5222 which is the default XMPP port will not be the focus.

I found that the port 5223 not listening at first. After some simple modification, it appeared. The different of my prosody.cft.lua with the blogged as below :

////////////////////////////
Host "*"
-- neglected

ssl = {
key = "/opt/prosody//etc/prosody/certs/localhost.key";
certificate = "/opt/prosody//etc/prosody/certs/localhost.cert";
}

pidfile = "/opt/prosody/var/run/prosody.pid"
legacy_ssl_ports = { 5223 }

--neglected

Host "localhost"
-- Remove the following line to activate this host!
enabled = true -- This will disable the host, preserving the config, but denying connections

-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/opt/prosody/etc/prosody/certs/localhost.key";
certificate = "/opt/prosody/etc/prosody/certs/localhost.cert";
}


-- Set up a MUC (multi-user chat) room server on conference.example.com:
Component "dionaea.localhost" "muc"

/////////////////////////////////////////

2. My dionaea.conf as below :

logxmpp = {
/**
* this section defines a single xmpp logging target
* you can have multiple
*/
carnviore = {
server = "localhost"

/**
* as dionaea does not support starttls (xmpp on port 5223),
* we rely on 'legacy ssl' for the xmpp connection (port 5222)
*/
port = "5223"
muc = "dionaea.localhost"

/**
* if the server exists, this is a valid account
*/
username = "user@localhost"
password = "user"

3. In dionaea, the "logxmpp" in ihandler must enable for the XMPP support. This spend me quite some time to fix this before the sensor able connect to server.

4. My Psi setting


The end result of the success XMPP connection between sensor and server in GroupChat

To do : The debug info has filled all the terminal space. The polishing and slimming work should be continued.

Thank Markus for the help!

Sunday, April 4, 2010

Dionaea NTLMv2 support

As I know current Dionaea cannot support for NTLMv2 authentication, I have tried to make some changes to smb.py and smbfield.py. The test is done with Metasploit MS08-067 exploit as the exploit is use NTLMv2 authentication.

The current Dionaea may process until the stage of SessionSetup AndX Request,NTLMSSP_NEGOTIATE. The response is incomplete and Wireshark showed the negotiation stop there. This is due to the lack of NTLMv2 support.


After I make some changes, with the fixed security blob content (simple method as no need to deal with GSSAPI for the moment), the NTLM authentication of Metasploit MS08-067 exploit is successfully and the shellcode has delivered. Wireshark has showed the complete NTLM negotiation and further continue the TreeConnect AndX Request.


Dionaea showed shellcode has found and profiling has performed.


Metasploit showed the exploited has completed.


p/s : this method of modication actually breaking dionaea overall function and the modication only support for the NTLM negotiation with security blob. The purpose of the modication is for testing but not the applicable patch use.