blommethomas Apprentice
Joined: 16 Nov 2005 Posts: 285 Location: roeselare, belgium
Posted: Mon Jun 26, 2006 6:25 pm Post subject: hacking into your own pc
Hi,
I read some things about hardened Gentoo, merely PaX.
Instead of installing the PaX kernel modules without knowing what they do, I'd like to try to hack my system myself first.
Are there secure ways (in which the code does not harm the system) to do this?
As I read in the PaX documentation, there are 3 sorts:
(1) introduce/execute arbitrary code
(2) execute existing code out of original program order
(3) execute existing code in original program order with arbitrary data
I'd like to test all of them, in which for example I gain root access through shellcode injection.
Can I find good documentation on this (which I did not find yet), or are there community members who have experience?
This whole idea will hopefully lead me to have a better view on what hardened Gentoo is trying to do and what I should install for it. If I'm able to cause an attack I can test if the protection works fully.
Is it possible to perform these actions on a Gentoo system with a new kernel to boot from, without having to affect the other kernels and only a small part of the programs? This would prevent my whole system from being broken down if I make a fault somewhere.
_________________
I AM CRAZY
madchaz l33t
Joined: 01 Jul 2003 Posts: 995 Location: Quebec, Canada
Posted: Mon Jun 26, 2006 7:33 pm Post subject:
I'd personally recommend building a box for the single purpose of breaking into it. Any time you are learning about breaking security, you risk breaking a lot of other things. You can use an older computer for this (as old as a 486 if you have to), but it'll be a lot less dangerous than trying to break into your main box.
_________________
Someone asked me once if I suffered from mental illness. I told him I enjoyed every second of it.
celestialwizard Tux's lil' helper
Joined: 15 Jun 2006 Posts: 81 Location: Brisbane, Australia
Posted: Tue Jun 27, 2006 3:30 am Post subject:
Virtualisation is perfect for this type of task.
You can create a "gold" install and attack it without having to worry about what state it is in, data integrity, etc...
To begin with, get vmware-player and some sample VMs from http://www.vmware.com/vmtn/appliances/
fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Tue Jun 27, 2006 1:31 pm Post subject:
colinux is probably a good option too, faster than vmware and open source!
sgarcia Apprentice
Joined: 21 May 2003 Posts: 254 Location: Bakersfield, CA
Posted: Fri Aug 11, 2006 2:18 pm Post subject:
Install your own Gentoo.
Pick ANY prebuilt VMWare image. Download it. Boot it from the install CD and install Gentoo over the top of whatever was there.
You can't create your own virtual machine with VMWare Player (that means you can't change the hardware), but you CAN do whatever you want with any virtual machine you have, including installing new OSes.
Keep a copy of the VM you download and make it a base for any number of VMs with different OSes that you want to attack. Your main limitation will be how much room you have to store the images.
a7thson Apprentice
Joined: 08 Apr 2006 Posts: 176 Location: your pineal gland
Posted: Fri Aug 11, 2006 3:11 pm Post subject:
sgarcia wrote:
You can't create your own virtual machine with VMWare Player (that means you can't change the hardware), but you CAN do whatever you want with any virtual machine you have, including installing new OSes.

This is both true and not true, as can be seen in this thread on using VMplayer. More details are given here outside the Gentoo forums; this was a hot topic a few months ago and the methods are all over the blogosphere. An even simpler method is to use an online VMX generator like this one. Any and all of these methods are legal and authorized by VMware; you are breaking no laws by creating your own VMX image. Then use vmplayer to boot an install CD with that config file set up for the machine, etc.
Quote:
I'd like to test all of them, in which for example I gain root access through shellcode injection.
Can I find good documentation on this (which I did not find yet), or are there community members who have experience?
This whole idea will hopefully lead me to have a better view on what hardened Gentoo is trying to do and what I should install for it. If I'm able to cause an attack I can test if the protection works fully.

The easiest solution of all would be to use vmware-server ("emerge vmware-server"), which is free and allows you to create your own images. Best bet, though, as mentioned, is probably to find some pre-built appliances - unless you have a special requirement/target in mind. There are people here (including me) who would be interested to see your results against the various platforms. You may also want to use the pax-utils to check your own assessment (just "emerge pax-utils" in Gentoo, or find the package in whatever distro you're using), as they are designed to quickly test your system in all the areas that PaX is intended to protect against, thus you can check your assessment work against theirs.
btw, also consider the hardened toolchain versus the vanilla compiler, as it adds stack smashing protection among other things; stack-smashing attacks are one of the more common exploits of [Li/U]nix boxen. Check for example the classic Phrack 49 article "Smashing the Stack for Fun and Profit" for a decent (and highly technical) introduction to the topic. Good luck!
_________________
i7-3610QM | E5-2670 | FX-8300
gentleman Tux's lil' helper
Joined: 02 Dec 2005 Posts: 140 Location: Germany, Paderborn
Posted: Thu Aug 23, 2007 6:58 am Post subject:
Hi folk,
concerning the original title of this topic, I have another question. I am system administrator for a department in my university. I read books about server security and think I have good knowledge about the topic, BUT: I have damn no imagination HOW an execution of "arbitrary code" - like it is called in all the Gentoo announcements - can be done. All books tell about it and to therefore keep the software fresh, but nowhere is it said how I can test execution of such code by myself. So I would - like the author of this thread - like to put one of my own machines under "stress" (to simulate a DoS) and then go on, using e.g. a buffer overflow for a program I wrote myself.
I did not find anything on this, so perhaps someone can give me a hint.
_________________
Everything works, you just have to do it correctly.
Akkara Bodhisattva
Joined: 28 Mar 2006 Posts: 6702 Location: &akkara
Posted: Thu Aug 23, 2007 8:38 am Post subject:
Quote:
I have damn no imagination HOW an execution of "arbitrary code" - like it is called in all the gentoo announces - can be done.

Well, doing it successfully requires one or more bugs in an application that expose a vulnerability.
A very common class of bugs is the buffer-overflow, which is simply a buffer that lacks bounds checking and is too small to hold the data that is presented to it. That data ends up overwriting other data, causing the program to malfunction. Occasionally the malfunction is so severe that carefully crafting the data sent to it can cause the program to do almost anything at all.
For example, this simple program:
Code:
    #include <stdio.h>

    void message(void)          /* never called explicitly by main() */
    {
        printf("Hi there!\n");
    }

    int main(int ac, char **av)
    {
        char buf[16];           /* <== BAD CODE do not do this */
        gets(buf);              /* <== BAD CODE do not do this: no bounds check at all */
        printf("You entered: %s\n", buf);
        return 0;
    }
If you run it and type something longer than 15 characters, you'll likely get a "Segmentation fault". With carefully-crafted input that overwrites main's return address on the stack, one might get it to print "Hi! there" even though that function was never explicitly called.
Another class of bugs is the so-called script-injection type. This type is easy to illustrate. For example, here is a short shell-script that lists directories:
Code:
    #!/bin/sh
    echo -n "Directory you wish to see (ctrl-D to exit): "
    while read PLACE; do
        ls $PLACE        # unquoted: the input is word-split, so "-l /tmp" becomes an option plus a path
        echo -n "Directory you wish to see (ctrl-D to exit): "
    done
    echo
If you put that in a file and run it, and type /tmp, it'll list /tmp for you. But what if you type -l /tmp? Now it gives a long listing, which might not have been what the script-writer intended, and it could mess up subsequent processing if this was a part of something larger. If this is web-accessible in some way, the vulnerability is magnified because now anyone can try to poke at it.
(The fix here is to replace the ls line with ls -- "$PLACE")
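Taking the gets() program above as the thing to fix, here is an added example (my own code, not Akkara's) of the bounded replacement a hardened program would use: fgets() into the same 16-byte buffer, plus explicit handling of the over-long line that gets() silently lets spill past buf. read_from_string and the in-memory inputs are constructed for the demonstration and are not part of the original post.

```c
#define _POSIX_C_SOURCE 200809L     /* for fmemopen() */
#include <stdio.h>
#include <string.h>
enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/* Read one line into buf (size bytes incl. the NUL). Unlike gets(), it can
 * never write past buf[size - 1]; an over-long line is cut, its remainder
 * drained, and LINE_TRUNCATED returned so the caller knows data was lost. */
enum line_status read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* drop the newline fgets keeps */
        return LINE_OK;
    }
    /* No newline in buf: the line filled it exactly, the input ended
     * without a newline, or the line was too long. Peek one byte to tell. */
    int c = getc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != '\n' && c != EOF)       /* drain the over-long remainder */
        c = getc(in);
    return LINE_TRUNCATED;
}

/* Run read_line over a constructed in-memory input (no terminal needed). */
enum line_status read_from_string(const char *input, char *buf, size_t size)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return LINE_EOF;
    enum line_status st = read_line(buf, size, in);
    fclose(in);
    return st;
}

int main(void)
{
    char buf[16];                       /* same size as the gets() version */
    switch (read_line(buf, sizeof buf, stdin)) {
    case LINE_OK:        printf("You entered: %s\n", buf); break;
    case LINE_TRUNCATED: printf("Too long, kept: %s\n", buf); break;
    case LINE_EOF:       printf("No input\n"); break;
    }
    return 0;
}
```

Typing the same over-long line into this version yields "Too long, kept: ..." instead of a segmentation fault, because the bytes beyond the buffer are consumed rather than written.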
user124 Tux's lil' helper
Joined: 02 May 2002 Posts: 86
Posted: Thu Aug 23, 2007 11:22 am Post subject: fdsssds
Akkara wrote:
Another class of bugs is the so-called script-injection type. This type is easy to illustrate. For example, here is a short shell-script that lists directories:
Code:
    #!/bin/sh
    echo -n "Directory you wish to see (ctrl-D to exit): "
    while read PLACE; do
        ls $PLACE
        echo -n "Directory you wish to see (ctrl-D to exit): "
    done
    echo
(The fix here is to replace the ls line with ls -- "$PLACE")

hmm.. I wonder what happens if you input "$(rm -r /)" for $PLACE ^^
gentleman Tux's lil' helper
Joined: 02 Dec 2005 Posts: 140 Location: Germany, Paderborn
Posted: Thu Aug 23, 2007 11:33 am Post subject:
Akkara wrote:
Code:
    #include <stdio.h>

    void message(void)
    {
        printf("Hi there!\n");
    }

    int main(int ac, char **av)
    {
        char buf[16]; /* <== BAD CODE do not do this */
        gets(buf);    /* <== BAD CODE do not do this */
        printf("You entered: %s\n", buf);
        return 0;
    }
If you run it and type something longer than 15 characters, you'll likely get a "Segmentation fault". With carefully-crafted input that overwrites main's return address on the stack, one might get it to print "Hi! there" even though that function was never explicitly called.

Hey, thanks for the replies. But is it therefore not necessary to know the exact program code to know where memory is taken? Oh no, let me guess. If you once have the binary you can execute strace on it to get memory positions, or even get them by decompiling the binary??
_________________
Everything works, you just have to do it correctly.
mzet n00b
Joined: 26 May 2005 Posts: 41 Location: Poland
Posted: Thu Aug 23, 2007 11:53 am Post subject:
blommethomas,
If you want to hack Gentoo boxes I recommend trying out the excellent wargames at http://pulltheplug.org/wargames/index.html . Vortex is about hacking a "normal" system, whereas Blacksun is about hacking a Gentoo Hardened system. From Blacksun you can learn what "hardened" really means from an attacker's point of view, I guess.
Regards,
mzet