Weekly Reading List for 1/18/14

I’ve decided to start posting a weekly reading list of interesting security-related articles I’ve come across in the past week. They’re not guaranteed to be new, but should at least still be relevant.

Using a BeagleBone to bypass 802.1x

Most security practitioners are already aware that NAC doesn’t provide meaningful security. While it’ll keep some random guy from plugging in to an exposed ethernet port in the lobby (shouldn’t that be turned off?), it won’t stop a determined attacker. You can just MITM the legitimate device, let it perform the 802.1x handshake, then send packets appearing to be from the legitimate device. To make it easier, ShellSherpa has put together a BeagleBone-based device to automatically MITM the NAC connection.

Screwing with microcontroller devices

Matasano and Square have announced a joint microcontroller-based CTF.

Which SDR to buy?

SDR continues to be a hot button topic, and Taylor Killian has a post from a couple of months ago to help you choose what SDR device you should get: HackRF vs. bladeRF vs. USRP. While you’ll need to understand basic radio concepts to get much out of the comparison, you should probably be at least at that level before you start doing much with SDR.

New disassembly framework

Capstone is a project to create a framework for disassembling binaries from a wide variety of architectures. Doesn’t seem to have binary extraction yet, so you’ll need to get the text segment yourself and rebase it, but I’m hopeful it’ll make its way into some interesting projects.

Dead Tree Reading

Although I’m mostly reading eBook formats, wanted to highlight which books I’m reading lately.


LD_PRELOAD for Binary Analysis

During the BreakIn CTF, there were a few challenges that depended on the return value of of libc functions like time() or rand(), and had differing behavior depending on those return values. In order to more easily reverse those binaries, it can be nice to control the return values of those functions. In other cases, you have binaries that may call functions like unlink(), system(), etc., where you prefer not to have those functions really called. (Though you are running these untrusted binaries in a VM, right?)

So let’s say there’s a program that’s built from the following source (over simplified for example):

1
2
3
4
5
6
7
8
9
10
11
12
#!c
#include <time.h>
#include <stdio.h>

int main(int argc, char **argv){
  if (time() % 86400 == 0) {
    puts("Win!\n");
    return 0;
  }
  puts("Lose\n");
  return 1;
}

So this is obviously a highly contrived example, but you only win if you hit it exactly at midnight. Now, I suppose you could change your computer clock, but you still only have a one second window to get it right. How can you control this to improve your outcomes?

There’s a wonderful trick that allows you to inject a custom shared library to be loaded before your program is run (and the symbols in it resolved) so that the functions provided by your library are used preferentially over the ones provided by the C library. First, let’s create our replacement version of time, and create one that allows us to set the time by setting an environment variable. (Note that we don’t have to replicate the same behavior of time(), as we know only the return value is used, and no pointer is passed in.)

1
2
3
4
5
6
7
8
9
10
#!c
#include <time.h>
#include <stdlib.h>

time_t time(time_t *out){
    char *tstr = getenv("TIME");
    if (tstr)
      return (time_t)atol(tstr);
    return (time_t)0;
}

Now we can build the shared object and run the program with our version of time. Note that you must use an absolute path for LD_PRELOAD, or it will only look in the LD search path.

1
2
3
4
5
6
#!sh
$ gcc -Wall -fPIC -shared -o time.so time.c
$ TIME=0 LD_PRELOAD=`pwd`/time.so ./challenge
Win!
$ TIME=1 LD_PRELOAD=`pwd`/time.so ./challenge
Lose

Note that you don’t have to completely re-implement the function you want to replace, you can actually get it and call it within your replacement function. (Note that this only works on GNU libc.) Maybe you only want unlink to work if called with the path “/deleteme”.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#!c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

#define TARGET "/deleteme"

int unlink(const char *path){
  int (*real_unlink)(const char *) = dlsym(RTLD_NEXT, "unlink");
  
  if (!strncmp(TARGET, path, strlen(TARGET))) {
    return real_unlink(path);
  }
  
  fprintf(stderr, "Would unlink(%s)", path);
  return 0;
}

You can use the same build and preload instructions as before, and this will allow to delete “/deleteme”, otherwise it will just print out what it would’ve done. There are many other uses of LD_PRELOAD, but these are a couple of ways I’ve found useful for quick-and-dirty hacks.


BreakIn CTF 2014

The Threads BreakIn CTF hosted by IIIT Hyderabad has just wrapped up. Shadow Cats did pretty well, placing 16th overall, completing 22/33 challenges, especially considering we only had 2 guys playing this CTF. Mad props goes out to Dan, and here’s hoping for a bigger team turnout next week for Ghost in the Shellcode.

I’m going to be doing some writeups of a couple of the challenges I thought were particularly interesting, as well as some topical information inspired by the CTF. I’ll be linking to the writeups below as they get published.


2014 OKRs

At work, we use the OKR system for managing our objectives. I’ve decided to set myself some annual objectives and list out their key results here. At the end of the year, I’ll grade myself on my OKRs and we’ll see how I’m doing.

  • Get better at reversing
    • Complete OpenSecurityTraining.info x86 class
    • Complete 3 reversing challenges from WeChall
  • Play CTFs
    • Compete in at least 3 CTFs
    • (Stretch Goal) Top 10% Finish
    • Complete the challenges on OverTheWire.org
  • Blogging
    • At least 1 Blog Post/week
  • Lose Weight & Exercise
    • Lose 25 lbs.
    • Get at least 60 minutes aerobic exercise a week
  • Become a more powerful vim/zsh user
    • Use vim keybindings in zsh
    • Read full zsh guide
    • Learn 6 new vim commands

DerbyCon CTF

While at Derbycon last weekend, I played in the Derbycon Capture the Flag (CTF). I played with some people from the DefCon Group back in Atlanta (DC404) – and we had a great team and that lead to a 5th place finish out of more than 80 teams with points on the board. Big shout out to Michael (@decreasedsales), Aaron (@aaronmelton), Dan (@alltrueic), and all the others who helped out.

It was an attack-only format, with a range of IPs designated as “in scope” and the goal being to, as the name implies, capture the flags. The systems included a Windows Active Directory server, a handful of Linux webservers, and a Windows Server serving up ASP.net backed by MS-SQL. One of the Linux webservers had a variety of challenges in directories on it, most of which could be solved offline. These included a Windows 8 memory dump for forensics, a series of encrypted hashes for some crypto, a pcap for network forensics, and some obfuscation/general challenges.

Every time I do a CTF, I learn a bunch of new stuff, mostly about my weaknesses and where I need to improve.

  • Windows AD Skills
  • MS SQL Skills
  • Binary Reversing
  • Memory Forensics

I’ll try to do a writeup of a few of the challenges in the next few days, as I’m just recovering from a post-con flu.