Last year, I reviewed Jayson Street’s Dissecting The Hack: The F0rb1dd3n Network, uncovering a massive amount of plagiarism that resulted in the book getting pulled, pending a revision. Here are the posts that chronicle those events:
- The original review – …before I realized the extent of the plagiarism. To summarize: I enjoyed the book’s fictional section, despite some flaws. I had far more complaints with the “Security Threats Are Real” (STAR) section, which seemed very disjointed and unfocused.
- Amending My F0rb1dd3n Network Review – …upon a closer look, it became apparent that readers (and reviewers) were misled. The vast majority of the STAR section (comprising all but 120 pages of the book’s total of 400) turned out to be plagiarized from various sources (primarily Wikipedia). I documented it and made this post to warn potential readers. The authors responded, pointing to the technical editor as the cause.
- Syngress Response to Plagiarism in Dissecting the Hack: The F0rb1dd3n Network – Syngress released a statement confirming the authors’ take on what happened, and announced that there would be a revised release of the book.
On July 15th, a revised edition was released, and I requested a review copy so that I could see what had changed, and provide this new review.
What do you get?
The book has the same basic appearance as the previous version, with the addition of a third author, Brian Baskin, on the cover. On the title page, Marcus Carey is added (in a smaller font) as an author, and Dustin D. Trammell is listed as the new technical editor. Apart from “Revised Edition”, there is no discussion or acknowledgment of the book’s past.
The book has gone on a bit of a diet, roughly 70 pages. This is a good thing, however, as the old STAR section was mostly irrelevant filler. The fiction remains virtually untouched from the previous version, at about 120 of the book’s 330 pages. The new STAR section is original content now, which is, of course, a dramatic improvement.
The Fiction
My comments from my first review mostly stand here. The fictional F0rb1dd3n Network story was always an original creation of Jayson and Kent’s. I am a big fan of the concept of “hacker fiction”, the likes of which you’ll find in another Syngress series, Stealing the Network. I am definitely supportive of any attempts at writing new material in this genre.
As a story, I enjoyed this section of the book, but found it to be very short. The plot is very much what one would expect out of a techno-thriller TV show (perhaps an episode of Leverage) and you get about the same degree of character development. Unlike the Stealing The Network series, explanations of the attacks are saved for the STAR section, rather than given in-character in the story. While I can see that this helps move the story along, I think it makes the fiction seem quite short. When it ends, you’re left wondering about some things that probably could have been wrapped up within this story, particularly an incident of “dark-grey-hat” hacking the protagonists vow to atone for, but that is never revisited. It may be something that’s saved for a sequel, but it reads like the authors simply forgot about it by the end of the story.
I’m being critical here, but I really did like the story, as a whole, and I hope that there is an opportunity for the authors to continue it. If you liked Stealing the Network, you’ll definitely enjoy it. It ranks right up there with the best writing in that series.
(As an aside, if you want some awesome hacker fiction, check out Daniel Suarez’ Daemon and its sequel Freedom(TM))
While one of the selling points of the book is that all of the attacks discussed in the fiction are real and documented in greater detail in STAR, there are some minor quibbles with that. There are times in the story where it seems as though the authors have hit the limits of their own experience with attacks, on more difficult topics like reverse engineering and exploit development. In the handful of times this comes up, artistic license is taken, hands are waved, meaningless phrases are thrown around (“pop the sled on that buffer”) and the story moves on without one of those STAR references. Only once does a technical error directly impact the story, and honestly it’s not something even most security professionals would have caught. These are small issues, though I would have liked it if some outside help had been brought in to lend some authenticity to those points and document them in STAR.
The “Security Threats Are Real” (STAR) section
The STAR section is greatly improved. Gone are the page-chewing screenshots of blogs and descriptions of unrelated tools. There is a greater focus on describing the attacks that are in the story than in the previous edition. Overall, it reads as being much more professional.
It’s a good first-read for people interested in computer security. There are some technical issues and organizational issues (some topics don’t really fit with the phase of attack they’re classified in), but it’s good for someone who’s gauging their potential interest in security. Experienced readers might be slightly disappointed. There is a lot of material on hacker culture that is heavily skewed to the authors’ experiences with various events, people, and conferences, which the uninitiated might take as gospel for the entire scene. I think that a lot of this could have been trimmed down (perhaps placed on the website) to give a more in-depth and complete coverage of the attacks in the fiction section.
Should you buy it?
I believe that most of the regular readers of this site are the more technical members of the security community: penetration testers, folk who do forensics and incident response. Readers in these or similar areas that are already “in” security will get a fun read out of this book (and it’s worth it for that, especially if you’re pining for more Stealing the Network) but are not likely to pick up any new skills.
If you’re new to this stuff, or if you’re testing the waters to see if security even catches your interest in the first place, this book might be an entertaining way to learn some basic concepts. You’ll pick up a few simple skills, and you’ll have some points at which you can start researching something that interests you. While I don’t see this book as keeping the attention of non-technical people that wish to stay non-technical, if you’re a motivated learner, it’s a decent place to start.
Overall: It’s a great book for the audience it should be marketed to. Good work and congratulations to Jayson, Kent, Brian, Marcus, and Dustin Trammell for fixing up the book and seeing it through to the end.
http://www.mcgrewsecurity.com/2009/10/12/book-review-dissecting-the-hack-the-f0rb1dd3n-network/
The results are in for the sixth Network Forensics Puzzle contest, and I won first place! You can see my writeup, along with many of the other winners’ entries, at the forensicscontest.com blog:
Big thanks to everyone who put this contest together, as well as the prize sponsors for making it well worth my time to put in an entry.
I wrote a tool for my entry, pcapline.py, which generates an HTML report for a pcap file that an investigator can use to navigate around the various conversations and inspect the data being sent back and forth. Here are some of the features I describe in my writeup:
- HTML reports that allow for easy navigation/importing into a larger report
- Generates a summary of flows between hosts on the network
- Flows are broken up by segments representing parts of the conversation
- Segments are dissected, carved, hashed. Currently, Pcapline supports HTTP GET requests and responses and the malware file transfers seen in challenge #6
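As an added illustration of what that flow summary and segment dissection involve (this is not pcapline itself, whose source is not reproduced on this page), the script below parses a classic pcap file with only the standard library, groups IPv4/TCP packets into bidirectional flows, and hashes each payload-bearing segment, pulling the request line out of HTTP GETs. The three-packet capture it runs on is constructed inside the block; its hosts, ports and URL are made up, and pcapng files are deliberately not handled.

```python
import hashlib
import socket
import struct
from collections import OrderedDict


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing tests)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (timestamp, frame) from classic pcap bytes, honouring the byte order the magic implies."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(frame[26:30]), sport,
            socket.inet_ntoa(frame[30:34]), dport, tcp[data_off:])


def dissect_segment(src, payload):
    """Carve one application-layer segment: hash it and keep the request line if it is an HTTP GET."""
    seg = {"from": src, "bytes": len(payload),
           "sha1": hashlib.sha1(payload).hexdigest(), "request": None}
    if payload.startswith(b"GET "):
        seg["request"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return seg


def summarize_flows(pcap):
    """Group TCP packets into bidirectional flows, each listing its payload-bearing segments in order."""
    flows = OrderedDict()
    for _ts, frame in iter_packets(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))   # same key for both directions
        flow = flows.setdefault(key, {"packets": 0, "segments": []})
        flow["packets"] += 1
        if payload:
            flow["segments"].append(dissect_segment((src, sport), payload))
    return flows


def sample_pcap():
    """Constructed three-packet conversation: a GET, a tiny response body, and a bare ACK."""
    client, server = ("10.0.0.5", 40123), ("192.168.1.10", 80)
    return build_pcap([
        build_frame(client[0], server[0], client[1], server[1],
                    b"GET /update.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_frame(server[0], client[0], server[1], client[1], b"abc"),  # stands in for a carved file
        build_frame(client[0], server[0], client[1], server[1], b"", flags=0x10),
    ])


if __name__ == "__main__":
    for key, flow in summarize_flows(sample_pcap()).items():
        print(key, flow["packets"], "packets")
        for seg in flow["segments"]:
            print("  ", seg["from"], seg["bytes"], "bytes", seg["sha1"], seg["request"] or "")
```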
While pcapline is developed and tuned for answering the questions from this challenge, it’s still a very useful starting point for examining other packet data as well. You can view the report generated by pcapline here:
(NOTE: Files and data are carved out that some signature-based IPS will detect as being malicious. I observed this on one computer where Sophos blocked access to this site on that computer after clicking the wrong link in this report. You’re not likely in any danger, as pcapline renames things in such a way that they shouldn’t be executed or viewed in their native formats, but do take care)
Here’s the script itself. It’s a slightly newer version than the one on forensicscontest.com. I fixed a couple of places where it was generating terrible HTML that non-Firefox browsers choked on.
Enjoy!
Jul 02 2010
Filed In: links
I really enjoy reading non-infosec books, audiobooks, articles and the like, consuming them with a mental exercise: finding out what lessons could be learned and applied to security. My specific interests are in forensics, penetration testing, vulnerability analysis, exploit development, and profiling attackers. Currently, as an occasional escape from technical material, I’m looking at some of Paul Ekman’s books on deception, with an eye for how it applies to topics like social engineering engagements, and even interactions with others in the infosec community. Even with the controversy surrounding the research, there are some lessons to be learned, tricks to pick up, and things to think about.
As much as infosec professionals quote Sun Tzu’s The Art of War, I thought that I ought to check it out. I downloaded a translation of it onto my iPod Touch and read through it in my spare time. I felt as though I must have missed something, as I really didn’t see how most of it applied to security in anything more than a superficial way.
Now, at least I know that if I missed something, attrition.org missed it too. They’ve posted a very well-reasoned analysis of the use of Sun Tzu’s work in infosec, pointing out all the places that it really doesn’t make sense. Many of these are sticking points I also had when I tried to make the connection myself. I especially agree with a fundamental point that the Attrition.org folk make: Defenders in infosec are strictly defenders, with their hands tied behind their backs when it comes to attacking the other side. This is kind of a buzzkill for much of Tzu’s advice.
As with most Attrition.org articles, they pull no punches and call out people specifically. This makes some readers uncomfortable, though I do think that it’s a fair and honest assessment. Give it a shot if you’re looking for a good (and very different) read.
(Disclaimer: I have cooperated with the attrition.org guys on a couple of their writeups (though nothing compared to their original research), and I am pretty partial towards them and many of their views. I just hope that if I ever stray into the danger zone of their “charlatan” list that I’ll have earned some kind of warning first ;) )
Introduction
I was contacted a few days ago by a person who had knowledge of a small Electronik Tribulation Army botnet. You might remember these guys as being GhostExodus’ old group. The contact sent me the source code of a PHP bot that connects to an IRC command & control. The source was obfuscated using the Free Online PHP Obfuscator. To find the C&C server, I went through a process of stripping away the obfuscator’s layers of encoding, which I’m documenting here. This information might be useful if you’re doing similar reverse-engineering work on this PHP obfuscator (or others).
Note: At each stage, I have stripped the “<?php” tags to prevent the code from running accidentally. If you are following along, you’ll need to re-insert them (and preferably do so within a sandbox environment).
Stage 1
Here’s the original chunk of code:
On the first line, a variable is being set to a string that’s being represented by a mix of hexadecimal (‘\x’) and octal (‘\’) escape sequences. This obfuscator makes extensive use of this technique. Python uses the same escapes as PHP for hex and octal, so it’s easy to use my always-open python shell to see a “normalized” ascii representation of these strings:
>>> "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"
'base64_decode'
PHP allows strings to be used as function names with a very easy syntax, so the variable $v539ded4bc2c gets set to “base64_decode”, which is then called with a large string of base64-encoded code. The decoded string of code then gets passed to eval() to execute. We’d rather just see what the decoded string is, so the easiest thing to do is replace the eval() with a print(). Then we can dump out the next stage:
hacbooknano:php_reverse wesley$ php original_print.txt > stage2_1.txt
Stage 2
Here’s what we have now:
The lack of line breaks is annoying, so a little dirty python code to split that up:
#!/usr/bin/python
import sys

# Read the whole stage and emit a newline after every ';' so each statement lands on its own line.
fp = open(sys.argv[1])
data = fp.read()
fp.close()
for i in data:
    sys.stdout.write(i)
    if i == ';':
        sys.stdout.write('\n')
Running this:
hacbooknano:php_reverse wesley$ ./breaklines.py stage2_1.txt > stage2_2_linebreaks.txt
We now have this:
The first 133 lines set up obfuscated names for the rest of the code in this stage. It builds them a character at a time, interleaving them.
We can decode these names by copying those assignments out to another file, and printing the obfuscated names out at the end:
hacbooknano:php_reverse wesley$ php stage2_3_displaynames.txt
x24b0884a06dee76da986eb65ba2940d = base64_decode
t104a34fab793aa8acc27101aa69e16d = ereg_replace
f28748ed1b08d4ce5faba4c5bbe478a2 = file_get_contents
sba02b7a6e9217c818bda90209467b6b = gzinflate
k9c9e40dc7cf4574c577417cdc8ae8a4 = md5
fafd3e80e124e1f5d45522b2e31e3eab = ob_end_clean
n8ad08ea0791139ed748c49d82092979 = ob_end_flush
v077b05ec0999fba76a979f188a32e32 = ob_get_contents
gb6e4eb13daf014a331ffe0376f2357b = ob_start
ff29e8f9567141dfd9b4c31c83a38d63 = str_replace
gb4ceeb3708efd3539d845de0b7fd52e = str_rot13
g52eba32e62d0a481f8e5efd196b27b8 = strpos
n8af683210c35ad36253a33d28a3fbde = strtok
Now, you can take this and go back to stage2_2_linebreaks to rename all the functions to their more readable names. I did this manually with search-and-replace in TextMate, since I wanted to see what was being replaced and when. I also normalized the strings as I did in stage 1. You wind up with the following code:
There’s what appears to be a tamper check, though I didn’t really play with it much since there’s no reason to. All we’re interested in at this point is the body of that “if” clause. A chunk of encoded text is ROT-13’d, base64 decoded, gunzipped, and finally eval()’d. If we chop out the tamper check, and replace the eval() with a print() again, we get to move on.
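Both the string normalization from stage 1 and the str_rot13 → base64_decode → gzinflate chain from stage 2 can be scripted instead of done by hand in a shell. The block below is an added example written for this page, not the author’s tooling: it decodes the escaped literal shown in stage 1, and round-trips a constructed stage-2 blob (built here with the inverse chain, using a placeholder host rather than the real one) through the same decode order the post describes. It assumes Python 3, where gzinflate’s raw DEFLATE corresponds to zlib with a negative wbits value.

```python
import base64
import codecs
import re
import zlib

# PHP double-quoted escapes the obfuscator mixes: \xHH (1-2 hex digits) and \NNN (1-3 octal digits).
_ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def normalize_php_string(body):
    """Return the plain text of a PHP double-quoted string body such as \\x62\\141\\x73..."""
    def repl(m):
        if m.group(1) is not None:
            return bytes([int(m.group(1), 16)])
        return bytes([int(m.group(2), 8) & 0xFF])  # PHP keeps the low byte of an octal escape
    return _ESCAPE.sub(repl, body.encode("latin-1")).decode("latin-1")


def normalize_all(php_source):
    """Rewrite every escaped double-quoted literal in a chunk of PHP source (for reading, not re-running)."""
    literal = re.compile(r'"((?:[^"\\]|\\.)*)"')
    return literal.sub(lambda m: '"' + normalize_php_string(m.group(1)) + '"', php_source)


def decode_stage1(b64_blob):
    """Stage 1 feeds base64 text straight to eval(); decoding it yields the stage-2 source."""
    return base64.b64decode(b64_blob).decode("latin-1")


def decode_stage2(blob):
    """Stage 2 chain as the post describes it: str_rot13 -> base64_decode -> gzinflate -> eval()."""
    rotated = codecs.decode(blob, "rot_13")
    deflated = base64.b64decode(rotated)
    # gzinflate() is raw DEFLATE (no zlib or gzip header); zlib reads that with negative wbits.
    return zlib.decompress(deflated, -zlib.MAX_WBITS).decode("latin-1")


def encode_stage2(php_source):
    """Inverse of decode_stage2; used only to construct a sample blob for exercising the decoder."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    deflated = comp.compress(php_source.encode("latin-1")) + comp.flush()
    return codecs.encode(base64.b64encode(deflated).decode("ascii"), "rot_13")


# Constructed samples: the stage-1 assignment shown in the post, and a tiny stage-2 payload
# with a placeholder hostname (the real C&C settings are quoted later in the post).
SAMPLE_STAGE1_LINE = r'$v539ded4bc2c="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";'
SAMPLE_STAGE2_PLAIN = '$host = "c2.example.invalid"; $port = 65000;'

if __name__ == "__main__":
    print(normalize_all(SAMPLE_STAGE1_LINE))   # $v539ded4bc2c="base64_decode";
    blob = encode_stage2(SAMPLE_STAGE2_PLAIN)
    print(blob)                                # what the obfuscated stage-2 chunk looks like
    print(decode_stage2(blob))                 # the original line comes back
```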
Stage 3
Here’s what we have now:
This is close to the original code. The obfuscator has encoded the strings, done away with whitespace, and randomized variable names. We can normalize the strings, as above, and reformat the code. For variable names, that’s where we have to do some more human-eyes analysis. By looking at what the variables are set to, what functions they are being passed into, and other contextual information, we can give most variables much more reader-friendly names.
I only partially went through this process with this file, as I found what I needed, and had a good idea of the rest of the file. The partial cleanup is here:
Here’s where it assigns the botnet C&C server settings:
error_reporting(0);
set_time_limit(0);
$filename = "./a73v9.php";
$current_dir = "./";
$channel = "#nobotshere";
$host = "complexity.razorhack.org";
$port = 65000;
The system, at the time, had been compromised by the ETA member, MR^E, giving shoutouts to the other ETA members:

(Real smart, defacing your own botnet C&C)
Conclusions
I’d like to thank my twitter followers for being very rapid in getting back-channels in-gear to get the C&C hosting and domain taken out. While they’re back to much more typical skiddie activities (as opposed to backdooring hospital HVAC systems), it’s obvious that these guys haven’t learned much of a lesson. One can only hope that one day they’ll realize that they can build on the skills they’re using to run nets like this to get a start in legitimate security work, before it’s too late and they manage to burn their bridges and/or get busted.
Hopefully this will help some folk get a start in reversing PHP (and other interpreted language) de-obfuscation as well. It’s pretty easy, and I think that files like this would serve as a good introduction for students to the concepts involved in reverse engineering in general. After a few baby-steps like this we can move them up to compiled code :).
Update: Looks like the original author of the bot code found out about this post, and decided to post the original source, along with a rant about how I “pick on retards”:
Today, the US Attorney’s Office announced that Jesse “GhostExodus” McGraw, has entered a guilty plea on two charges of transmitting a malicious code. Jesse had compromised more than 14 computers at the Carrell Clinic in Dallas, Texas, where he worked as a night-shift security guard. This included the system running the HMI (Human Machine Interface) for the hospital’s HVAC system. To the best of my knowledge this is the only arrest and conviction of a hacker involved in a control systems/SCADA incident in the United States.
This story began last year, when I became aware of the HVAC compromise, and gathered information about it to turn over to the FBI. Throughout the process, I have been very impressed with the technical skill and responsiveness of the FBI agents. I am also very happy with this outcome. This may serve to educate organizations with control systems about the threats and vulnerabilities that are possible, and put other “script-kiddie” type hackers on notice that they can be tracked down and prosecuted for their actions.
The press release for the guilty plea is not yet available on the DOJ website, but the following articles are available:
I have a large collection of PDFs of court filings for this case, which I may post with commentary at some point soon, now that he has entered a guilty plea. The PDFs make for interesting reading and a wild ride, and I don’t know of any other resources that have good documentation of a hacker case. I’m looking forward to going through them again.
The idea for doing this comparison came to me after seeing some back-and-forth on twitter between @attritionorg and @dralijahangiri about the Live Hacking CD. After @attritionorg called the point of the Live Hacking CD into question (when Backtrack 4 is already available), Dr. Ali Jahangiri made claims that “Live Hacking CD is much easier than BackTrack and its tools are updated”, and that “BackTrack is a great Distro but it has tons of tools that you do not use it frequently in PenTest”. Dr. Jahangiri followed this up with an example that there are “old” tools in Backtrack: Kismet.
I had not used the Live Hacking CD before, so I figured that testing out these claims and comparing the two distributions might be worth doing. I’m always interested in new live CDs, both for my own use, and as recommendations for students and others new to infosec. Backtrack 4 is the current pentest-distro-of-choice around here. It’s to the point now that a BT4 install is about as good as anything I’d roll myself for a pen-testing Linux install, and it’s also something I can recommend to the students for lab exercises, and our end-of-semester CTF.
One might ask, why would the Live Hacking folks want to re-invent the wheel? If you are just a user of Backtrack, it may not have occurred to you, but there is a business rationale for competition in the pen-test Live CD arena. The BT4 maintainers, Offensive Security, offer some very well-liked and technical training classes that use Backtrack in a classroom setting. Live Hacking also holds workshops that teach similar material. It would make sense, then, that one training company would not want to have students spending much of their time in class staring at an advertising vehicle for another company.
So, the Live Hacking CD makes sense for the Live Hacking training. They don’t have students sitting and looking at their competitor’s logos throughout class. They can load it up with the specific tools that they teach in the class and update it along with their material. At the NFTC, we’ll likely soon be doing something similar with a forensics live distro, so I definitely “get it”.
The question is: if I am not currently in the Live Hacking training, is their Live CD something that is useful independent of the class? The answer for Backtrack 4, with the new features for cleanly installing and package management, is a resounding “yes”. Backtrack serves as a tough competitor, but Dr. Jahangiri seems to compare the Live Hacking CD favorably to BT4, so let’s take it to task:
Tools
I considered building a table that compared the two sets of tools, but there’s honestly no point. Backtrack 4 is a DVD distribution, giving it a huge advantage over Live Hacking’s CD in this category. You can view a list of tools that are on the Live Hacking CD here, though I am not aware of a list for Backtrack 4 (there is a Backtrack 3 list here, though it’s not quite accurate for BT4).
While Backtrack 4 has all but a few of the tools from Live Hacking (Relay Scanner, for example), there are some interesting omissions from Live Hacking. The Live Hacking CD seems to focus on reconnaissance, spoofing, and wireless tools. It’s missing a lot of vulnerability finding and exploitation tools. For example, it’s very surprising to me to see a live CD meant for penetration testing that does not include the Metasploit framework. I don’t see any web application tools, either.
I’m sure there’s good reason for this on the Live Hacking CD side of things. If you’re building a CD to go along with exercises for a class, there’s no reason to put a tool on the disc that isn’t used in an exercise. This doesn’t make for a good pen-testing disc for general use, though, and I’d have to say that Backtrack 4 wins hands-down on this.
Updates
There was a claim that the tools on the Live Hacking CD are “updated”. I’ll take that as an opportunity to look at how they both handle updates. This cuts to the very nature of each disc, really illustrating how they’re meant for very different purposes.
The Live Hacking CD is heavily based on the Ubuntu Desktop 9.10 ISO. So much so, that VMWare Workstation detects the ISO as being Ubuntu 9.10 and offers to do a quick install. If you check the sources.list, you will find that it even uses Ubuntu’s repositories. Many of the pen-testing tools are installed from Ubuntu’s repositories, and have recent version numbers. If a tool were to be updated in the 9.10 repositories, you would be able to update it in LHCD easily.
Other tools that aren’t in the Ubuntu repos (such as metoscan) or haven’t been updated in a while (Kismet) appear to have been installed manually. To use Dr. Jahangiri’s example, Kismet in LHCD is from the January 2010 release (found by running ‘strings’ on the kismet_server binary). On Backtrack 4, Kismet was built from SVN in July of 2009.
So, Kismet is newer on LHCD than on the Backtrack 4 DVD. On Backtrack, however, Kismet is a package maintained by the BT4 developers. Backtrack, like LHCD, is based on Ubuntu, but unlike LHCD, the Backtrack developers have put a lot of work into setting up their own repositories and providing updates and tools independently of Ubuntu. Because of this, the BT4 developers could, at any time, rebuild Kismet from SVN and you would be able to apt-get it in. If the LHCD maintainers were to update Kismet, it would likely require a new version of the disc.
So, while the Live Hacking CD might have slightly newer versions of some tools, Backtrack 4 has a better framework for keeping those tools up to date.
Ease of Use
I’m not sure how to measure this claim, but I hesitate to say that either one is “much easier” to use than the other. Both are a collection of tools and you either know how to use them, or you don’t. Backtrack 4 is a more popular distro than Live Hacking, and therefore you may be able to find help with problems on Google easier, but there’s not anything inherently easier about one over the other.
A claim was made that “BackTrack is a great Distro but it has tons of tools that you do not use it frequently in PenTest”. If this is part of the argument that LHCD is easier, I would have to disagree. There are many tools in BT4 that I don’t use, but they don’t get in my way, or reduce the ease at which I use the others.
Conclusions
If it weren’t for the claims made about the Live Hacking CD comparing it to Backtrack 4, I probably wouldn’t have looked at the two together or posted about it. It really isn’t anything resembling a close-call. They are two very different beasts.
The Live Hacking CD is a disc designed as a companion to a class, and I’m sure it fits that purpose well. There are good reasons for developing custom live CDs for classes. It does, however, have limited use outside of the class.
Outside of the classroom, Backtrack 4 is a much better choice, in my opinion. It has a much more comprehensive set of tools, a system for updating them, and a team of developers that are committed to keeping it relevant. Unless you have a very specific need for something else, BT4 is as good as it gets for pen-testing Live CDs.
Apr 20 2010
Filed In: CTF
I let the law enforcement class go on break briefly this morning so that I could be there to witness the end of this semester’s Capture The Flag competition. In the tradition I began last year, playing “Eye of the Tiger” during the last moments of the competition, Chris loaded up “The Final Countdown”. This is a tradition we enjoy, but it drives most of the participants crazy.
The final scores reflect all of the flags captured by the teams. Everyone managed to submit theirs on time, just before the 9:30 deadline. Here are the scores:
- Team Firewall – 30
- Team Sniffer – 23
- Team Wireshark – 20
- Team Burp Suite – 15
- Team Nmap – 9
- Team Tracker – 8
Automated sniffing and resubmission of flags was performed successfully by many teams this semester, and it made for an interesting dynamic in the post-game discussion and wrap-up. Team Sniffer disclosed that 8 of their flags were captured off the wire and resubmitted. Other teams also had success with stealing others’ flags in the same way. This also had an unforeseen circumstance: often a team would sniff and submit a flag without knowing where it came from in the game. Those teams would then spend time actually breaking into a system to capture a flag, only to find out it was one they already had submitted.
Congratulations to Team Firewall for an outstanding CTF performance, and I am looking forward to examining some of the tools and scripts the teams wrote for this competition.
Apr 18 2010
Filed In: CTF
Everyone still has the itis from the food and festivities yesterday, so things are moving a little bit slow in the lab today. There was only one pen-tester-in-training in there when I just checked, but it was obvious that others had been through, judging from the food wrappers in the garbage. This is how hackers in the deep south roll on Sundays: It’s a day of rest, but you still have to scratch that itch to hack.
The lone participant was a member of Team Sniffer, and assured me that they have every expectation and plan to catch up with Team Firewall. There’s a lot of prime late-night hacking time between now and the end of CTF on Tuesday morning, so I don’t think it’s a bluff on Sniffer’s part.
The scores, as of 2:00PM on Sunday:
- Team Firewall – 27
- Team Sniffer – 11
- Team Wireshark – 3
- Team Burp Suite – 1
- Team Nmap – 0
- Team Tracker – 0
For a moment, I thought I needed to get Fyodor to give Team Nmap a call to get them into action (would they know who he is? :) ), but I did notice that Team Nmap has reserved a computer for running processes persistently. Maybe they’re sitting on their flags for the moment.
Apr 17 2010
Filed In: CTF
While everyone else is out partaking in food and fun at MSU’s Super Bulldog Weekend, Old Main Music Festival, and Cotton District Arts Festival this weekend, the true alpha-security-nerds are living it up in the lab. On my way over to the music festival, I have stopped by the lab to see how the teams are doing. A couple of guys (from two different teams) were in at the moment, hacking away.
One participant informed me as soon as I arrived that one of the targets was down. I logged in and took a look: the VM was completely off. New rule: no “shutdown -h now” :)
The scores as of approximately 7:00PM:
- Team Firewall – 27
- Team Sniffer – 6
- Team Wireshark – 3
- Team Burp Suite – 1
- Team Nmap – 0
- Team Tracker – 0
Team Sniffer has bumped their score up significantly, and it’s likely that they are sitting on some un-submitted flags.
I’ll be back at some point tomorrow to post a Sunday update. For now, it’s off to the Old Main Music Festival for me.
Apr 16 2010
Filed In: CTF
The meta-game of sniffing and counter-sniffing on our CTF normally makes teams paranoid about submitting flags early in the game. This paranoia even outweighs the main benefit of submitting early: ties are broken by the time of last submission. At this point in the game scores are normally low.
This is not a normal instance of CTF, though. One team, Team Firewall has embraced the risks and run up their score early. As of this morning at 8:15 AM, the scores are as follows:
- Team Firewall – 24 points
- Team Wireshark – 3 points
- Team Sniffer – 1
- Team Burp Suite – 1
- Team Nmap – 0
- Team Tracker – 0
This year, initial team names were chosen by the security class’ professor, Dr. Ray Vaughn. The names don’t reflect any association with the listed open-source projects (though if the members want to work out endorsement deals, they are welcome to!).
In true nerd fashion, we’ll see how much activity we have in CTF over the weekend with the university’s Super Bulldog Weekend festivities going on.