Posts

Reverse engineering a simple C program part 2 : GDB

Image
In part 1 of this simple reverse engineering exercise I examined a basic C program with 'Strings', 'Hexdump', and 'Ltrace'. These tools are useful for scratching the surface of a program with, but for in-depth analysis it is necessary to disassemble the program entirely. After loading GDB with the license crack program, setting a break point on main, running the program with no user input, and using the 'disassemble main' command, we are given the following output: The 'main' function This output is of the programs first and only function - 'main'. Every C program starts with a main function, and some may end within the main function while others may make calls to additional functions contained within the same code. The end goal here is to examine the programs functions until we draw a complete map of how the program executes. The focus will largely be on conditional instructions that influence flow control. Flow control is

Reverse engineering a simple C program part 1: Strings, ltrace, hexdump

Image
Reverse engineering is something I find quite interesting, and a topic I am endeavoring to spend more time studying. There's nothing better than hands on practice, so lets take a look at a very simple 'license check' program written in C. Here's the code: This program will simply check for user input and then compare that input to a stored string. If the user input matches the string "ABCD-Z34K-42-OK" than the program will print "License confirmed" to the user. If the string does not match than the program will print "License incorrect" to the user. If no input is detected at all than the program simply prints "Usage: <key>" and exits. When this program is compiled none of the source code will be available. The process of compiling will result in the source code being translated (it can also be thought of as transforming) into the machine language that is read by computer hardware. Our challenge is to compile

Sunday afternoon Python: Morse code

Image
... That is to say the code was written on a Sunday afternoon. The publish date of this post may vary. A lazy Sunday afternoon reading about Morse code made me hit upon the idea of a Python script that writes plain text into Morse code, and converts Morse code back to plain text. Some time spent mulling over the idea gave me a list of initial requirements: I would need to map plain text letters back to Morse code (and vice versa), let the user of the script choose between converting plain text into Morse code or vice versa, and take input from the user. Mapping text to Morse code with Python Data Structures  Mapping the plain text letters of the alphabet to Morse code can really be thought of as a pair like relationship between two data sets. In Python, dictionaries are a type of data structure that store key/value pairs - perfect! The 'key' in this instance would be a letter of the alphabet and the 'value' of that key would be its corresponding Morse code. The o

501 million 'Pwned Passwords'

Image
'Password strength' is a phrase that almost everyone will be familiar with to some degree. There is no universally agreed upon way to measure the strength of a password (this is somewhat part of a wider problem), which leads to every online service having a different system for gauging whether or not a given password is secure enough to be used. Normally, when discussing password security, the conversation will look something like this: "Make all of your passwords at least 16 characters long and never use them more than once" . I am going to take a different approach: I'm going to show you how not to protect yourself online, how to crack weak passwords with little to no effort, and how to check whether a password is already compromised before you use it online. With any luck, you'll be a little wiser about password security by the end of this post. To achieve all of this I'm going to use data from the recently released "Pwned Passwords" l

Exploiting OpenSSH 4.7 / OpenSSL 0.9.8 (Metasploitable 2)

Image
Metasploitable 2 is a deliberately vulnerable machine designed by Rapid 7, the company behind the immensely powerful and popular Metasploit Project. The machine is intended to be used for general security training and target practice; a perfect way to spend a lazy Sunday! The focus for this particular post will be the OpenSSH 4.7 protocol used by the vulnerable machine. This version of OpenSSH is several years old now, but the lessons learned here are still transferable to other services and newer versions. Before diving into the exploit it is necessary to understand the protocol being attacked and why it was vulnerable in the first place. OpenSSH is the freely available, open-source version of the SSH protocol. SSH itself is a cryptographic network protocol used to connect with network services securely over an un-trusted network. In plain English this means SSH is a secure way to login to servers and embedded devices that support the SSH protocol. While SSH has other uses

Decoding PHP exploits and banning brute-force attackers

Image
This post will discuss forensics on a Linux system and use basic forensics techniques to investigate two attacks made against a Linux web server. Specifically, this post is going to focus on reading and understanding information contained in log files.  The first attack is an attempt by an adversary to gain un-authorised administrative access on a WordPress website by attacking the wp-login.php page. The second attack is an obfuscated PHP script that, when decoded, attempts to find and exploit several PHP files commonly used by Joomla websites. Before looking at either attack it is necessary to establish some prerequisite knowledge regarding Linux and how system events are logged.                           the '/var/log' directory on a Kali Linux system Linux systems log all events in text files known simply as log files. There is no shortage of information to be found within these files; everything from kernel events, network events, SSH login attempts a