joshua.smith

May 17, 2011
 

over the past week the topic of learning how to reverse engineer malware/binaries has come up several times in conversation.

i am not a skilled reverser, but i have been working over the last year or so to get better at it and really understand what is going on at the binary level.

earlier this year i discovered a series called “reversing with lena”. lena, the author, touts the series as a way to learn how to reverse for complete beginners, no programming experience required. it’s 40 lessons long (i am still on lesson 10, so i can only vouch for the first 10 being very good), and the flash videos and .exe’s you need to reverse are included. all reversing takes place on a 32-bit intel x86 platform.

this series has helped me more than any other to actually understand reversing in the real world and i thought others might enjoy it as well.

before you download:

  • i take no responsibility for what you do with the knowledge you gain (i am using this to get better at reversing malware).
  • some of the programs will most likely be flagged as viruses by your AV solution, which i don’t believe is accurate (but can’t guarantee either).
  • the password to the 7zip archive is ‘reverse’ (no quotes)
  • download the 7zip archive here (~140 mb)

i found the tutorial on tuts4you.com, a reverse engineering community that has lots of other resources on it (how good or bad, i do not know).

May 12, 2011
 

first off, the backtrack team rocks. they produce an amazing product for an equally amazing cost. the aesthetics are even top notch, which i can appreciate.

that being said, i don’t usually like to advertise to people that i am running backtrack (people get nervous when they think “hacker”), and a flaming red dragon is no way to keep things on the down low.

so, for anyone else out there i thought i would post where to change the default backtrack 5 menu icon.

the icon file is an svg, and is located at: /usr/share/icons/Humanity-Dark/places/24/start-here.svg

to clean my desktop up to something more benign (and useful), i replaced the backtrack menu logo with a blank svg and changed the wallpaper to corelanc0d3r’s exploit dev cheatsheet.

steps taken:

  1. renamed original svg file (mv /usr/share/icons/Humanity-Dark/places/24/start-here.svg /usr/share/icons/Humanity-Dark/places/24/start-here.svg.original)
  2. created a blank 24×24 svg to replace original svg (you can download here, created with inkscape on mint).
  3. move new, blank svg to /usr/share/icons/Humanity-Dark/places/24/start-here.svg
  4. restart the taskbar (pkill gnome-panel)
  5. if you are interested in the wallpaper, you can find them here
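the steps above as one script, added here as an example and not something from the original post: it backs the original svg up once (so a second run never clobbers the backup with an earlier blank), writes a blank 24×24 svg in its place, and can put the original back. the icon path is the one from the post; the svg markup is a minimal hand-written file, not the inkscape one linked above.

```shell
#!/bin/sh
# added example: swap the backtrack 5 menu icon for a blank svg, keeping a backup.
# icon path is the one from the post; the blank svg below is a hand-written
# minimal file, not the inkscape-made one the post links to.
ICON=/usr/share/icons/Humanity-Dark/places/24/start-here.svg

# write a blank 24x24 svg to the path given as $1
write_blank_svg() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"/>
EOF
}

# back the original up as <icon>.original (only once, so a second run cannot
# overwrite the real original with an earlier blank), then drop the blank in
replace_icon() {
  icon="$1"
  if [ ! -f "$icon.original" ]; then
    mv "$icon" "$icon.original" || return 1
  fi
  write_blank_svg "$icon"
}

# undo: move the backup back into place
restore_icon() {
  icon="$1"
  [ -f "$icon.original" ] || return 1
  mv "$icon.original" "$icon"
}

# usage (as root): sh swap-icon.sh apply | restore ; the panel is restarted
# afterwards so the new icon shows up
case "${1:-}" in
  apply)   replace_icon "$ICON" && pkill gnome-panel ;;
  restore) restore_icon "$ICON" && pkill gnome-panel ;;
esac
```

running it with no argument does nothing, so the functions can be sourced and pointed at any other icon path.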

Apr 24, 2011
 

i had been on the lookout for a good, cheap virtual private server (vps) to do some testing on and finally found one:

www.intovps.com

why i like them:

  1. cheap ($10/month)
  2. you get root access
  3. re-imaging is painless, quick, and has plenty of options
  4. includes a public ip
  5. ip is out of the united states
  6. did i mention the price? ;)

 

Apr 09, 2011
 

<note>
i wasted 2 hours of my life getting this working on a fresh install of ubuntu 10.10. turns out that the default version of rsyslog that you get when you ‘apt-get install rsyslog’ is version 4.x, which has a bug that prevents the logging from being directed correctly to /var/log/iptables.log. i had to remove rsyslog (apt-get remove rsyslog), then go get the newest version of rsyslog (5.8) from the site and compile from source. after compiling and pulling in the new conf file (it’s a little different in rsyslog 5.x than in 4.x), things worked as expected. ye be warned.
</note>

recently i wanted to see what packets were getting passed or blocked on a linux server running iptables. i really wanted to see a log that showed every inbound and outbound packet, and both dropped and allowed packets.

you can see all the packets in tcpdump/wireshark/etc, but it doesn’t show you that iptables dropped the connection (you just see there is no syn ack response). so my goal was to create an iptables ruleset that logged every packet to a separate file, distinguished what was allowed and what was dropped, and to have the logs rotate automatically. here is how i did it:

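one way to build what is described above, added here as an example rather than the post’s own ruleset (the rest of the write-up is not on this page): a log-then-accept and a log-then-drop chain with distinct prefixes, so every packet is logged together with its verdict; an rsyslog 5.x rule that sends those lines to /var/log/iptables.log and nowhere else; a logrotate stanza; and an awk summary run over a few constructed log lines. the chain names, prefixes, the ssh-only sample policy and the sample lines are my choices.

```shell
#!/bin/sh
# added example, not the post's own ruleset: log every packet with its verdict,
# route those lines to their own file, rotate it, and summarise it.
# chain names, prefixes and the sample policy/log lines are constructed here.

# print the iptables commands (run them as root to apply). each packet passes a
# LOG target before the verdict, so allowed and dropped packets both show up.
iptables_log_rules() {
  cat <<'EOF'
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-prefix "IPT-ACCEPT: " --log-level info
iptables -A LOG_ACCEPT -j ACCEPT
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix "IPT-DROP: " --log-level info
iptables -A LOG_DROP -j DROP
# sample policy: established traffic and ssh in, everything else in dropped, all out allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j LOG_ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG_ACCEPT
iptables -A INPUT -j LOG_DROP
iptables -A OUTPUT -j LOG_ACCEPT
EOF
}

# rsyslog 5.x snippet (e.g. /etc/rsyslog.d/10-iptables.conf): messages carrying
# one of our prefixes go to iptables.log and are then discarded, so they do not
# also land in syslog/kern.log. "& ~" is the 5.x discard syntax.
rsyslog_conf() {
  cat <<'EOF'
:msg, contains, "IPT-" -/var/log/iptables.log
& ~
EOF
}

# logrotate stanza (e.g. /etc/logrotate.d/iptables); rsyslog is reloaded after
# rotation so it reopens the new file
logrotate_conf() {
  cat <<'EOF'
/var/log/iptables.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}
EOF
}

# constructed sample of what rsyslog writes for the LOG target (fields abbreviated)
sample_log() {
  cat <<'EOF'
Apr  9 10:00:01 srv kernel: [ 101.1] IPT-ACCEPT: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=22 SYN
Apr  9 10:00:02 srv kernel: [ 102.2] IPT-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=23 SYN
Apr  9 10:00:03 srv kernel: [ 103.3] IPT-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=40002 DPT=23 SYN
Apr  9 10:00:04 srv kernel: [ 104.4] IPT-DROP: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=161
Apr  9 10:00:05 srv kernel: [ 105.5] IPT-ACCEPT: IN= OUT=eth0 SRC=10.0.0.1 DST=10.0.0.5 PROTO=TCP SPT=22 DPT=51234 ACK
EOF
}

# how many packets were allowed vs dropped in the log file given as $1
summarize_log() {
  awk '/IPT-ACCEPT:/ { a++ } /IPT-DROP:/ { d++ }
       END { printf "accepted=%d dropped=%d\n", a, d }' "$1"
}

# dropped packets by destination port, busiest first, as "<count> <port>"
dropped_by_port() {
  awk '/IPT-DROP:/ { for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); c[$i]++ } }
       END { for (p in c) print c[p], p }' "$1" | sort -rn
}

# usage: sh iptables-log.sh rules|rsyslog|logrotate|summary [logfile]
case "${1:-}" in
  rules)     iptables_log_rules ;;
  rsyslog)   rsyslog_conf ;;
  logrotate) logrotate_conf ;;
  summary)   summarize_log "${2:-/var/log/iptables.log}"; dropped_by_port "${2:-/var/log/iptables.log}" ;;
esac
```

on the sample lines the summary reads accepted=2 dropped=3, with port 23 at the top of the dropped list; logging OUTPUT unconditionally is what gives the “every inbound and outbound packet” view, at the cost of a busy log on a chatty box.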

Mar 11, 2011
 

i am working on some wireless testing for my SANS wireless certification (joshua wright’s material; he is really good at what he does).

i haven’t been playing with wireless too much lately, so i hadn’t noticed that in backtrack 4 r2 kismet had been upgraded to the newcore version, with no trace of oldcore installed or available via repos. i wanted both oldcore and newcore, since newcore doesn’t support things like a strings dump, eap authentication type identification, etc.

here is what i did to install kismet oldcore side-by-side with newcore on backtrack 4 r2 (line-by-line command at bottom):

  1. download oldcore into /pentest/wireless

Feb 21, 2011
 

earlier this month i presented at my local infragard chapter.

the title of the presentation was “defense in depth: raising the bar”, and it focused on the NSA’s secure computing initiative, the high assurance platform (HAP).

the goal of the presentation was more about talking points, discussion, and ideas about what security will look like tomorrow and where we, as the security community, should be leading our organizations. point blank, i would say that HAP is not for everyone, but there are certain aspects that i think we can all learn from.

also, one point that was brought out that i thought was interesting was “this HAP stuff is way too much, who could really use this?” i certainly imagine that comment was heard when defense in depth began to be pushed by the NSA 10 years ago (see “we already have a firewall, why would we need to add X product?”).

it may or may not be the way of the future, but it was an interesting infragard discussion!

here is the presentation:

and here is where i got my information:

http://www.nsa.gov/ia/programs/h_a_p/index.shtml

also, this is a video about HAP in action. it’s a bit drawn out, but it does lay out the situation nicely (albeit in a *very* vanilla fashion):

http://www.nsa.gov/ia/media_center/video/orlando2010/flash.shtml

Jan 24, 2011
 

i have an older copy of backtrack 4 that i have upgraded since the initial release. while working through the PWB course from offensive security, i wanted to upgrade the local version of exploitdb. here is what i got:

root@bt:/pentest/exploits/exploitdb# svn update
svn: Repository UUID 'c54f1b57-f3df-4c37-b561-881cde1baa19' doesn't match expected UUID '8072406e-18fd-45b5-acae-fc56dbc62dfa'

apparently, between the time i installed backtrack 4 and the current version, they have blown away/moved the svn database. after googling, i found two options.

  1. download the newest version of backtrack and start from scratch
  2. fix the problem ;)

i have too much time invested in the box, so i found out how to fix the issue. here is what you do (assuming you are in the /pentest/exploits directory):

rm -rf exploitdb/
svn co svn://www.exploit-db.com/exploitdb

just a quick and dirty way to drop the old svn repository and add it from scratch.
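a slightly safer version of the same fix, added as an example and not the post’s own commands: it compares the working copy’s repository UUID with the server’s (`svn info` prints it for both a path and a URL) and only re-checks out when they differ, moving the old tree aside instead of rm -rf’ing it. the url and directory are the ones from the post; the UUIDs in the test are the two from the error message above.

```shell
#!/bin/sh
# added example, not the post's own commands: re-check-out only when the
# working copy's repository uuid no longer matches the server's, and keep the
# old tree aside rather than deleting it. url and dir are from the post.
URL=svn://www.exploit-db.com/exploitdb
DIR=exploitdb

# extract the uuid from `svn info` output read on stdin (empty if absent)
uuid_from_info() {
  awk -F': ' '/^Repository UUID:/ { print $2; exit }'
}

# uuid of a working copy path or of a repository url (svn info takes either)
svn_uuid() {
  svn info "$1" 2>/dev/null | uuid_from_info
}

# 0 when both uuids are present and identical, 1 otherwise
uuids_match() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# update in place if the repo is still the same one, otherwise move the stale
# copy aside and check out fresh
refresh_checkout() {
  dir="$1"; url="$2"
  if uuids_match "$(svn_uuid "$dir")" "$(svn_uuid "$url")"; then
    svn update "$dir"
    return
  fi
  if [ -d "$dir" ]; then
    stale="$dir.stale.$(date +%Y%m%d%H%M%S)"
    echo "uuid mismatch (or not a working copy): moving $dir to $stale"
    mv "$dir" "$stale" || return 1
  fi
  svn co "$url" "$dir"
}

# usage, from /pentest/exploits: sh refresh-exploitdb.sh run
if [ "${1:-}" = "run" ]; then refresh_checkout "$DIR" "$URL"; fi
```

once the fresh checkout looks right the .stale directory can be removed by hand; keeping it around until then is the only difference from the two-liner above.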

Dec 24, 2010
 

update: as someone commented below, armitage is now distributed with metasploit. there is no need to follow these directions any more; they are deprecated.

i wanted a pretty gui to show off some metasploit functionality recently which led me to armitage.

i use (and love) backtrack 4, as does most of the world, but i also have a ubuntu-based distro (mint 10, which is based on ubuntu 10.10) that i like to use. i found a lot of tutorials on how to install armitage on backtrack, but hardly anything on installing armitage on a non-backtrack machine, and practically nothing for installing armitage on ubuntu with a postgres backend. i decided i wanted to install armitage on the mint machine using postgres (per the armitage recommendation here) and, not finding any good instructions, i thought i would give it a go and document it. here we go:

first, you need to have some of the basics installed. i will leave it to others to describe how to install these if you need help (others == google).

  1. java 1.6 (has to be the official oracle java version)
  2. metasploit 3.5+

next, lets install postgres:

sudo apt-get install postgresql-8.4

now that postgres is installed, we need to create a db and a user for armitage to use. i su’ed to the postgres user to do this:

 


Oct 28, 2010
 

this is a quick and dirty how-to for installing silverlight 4 (specifically 4.0.50917.0) in an enterprise environment.

we have run into a few situations where users are asking for silverlight (rather, they are trying to go to sites written with silverlight). we finally reached the tipping point and agreed that it was a business need to install it on our terminal server farm.

i said that i would take care of it, but much to my surprise microsoft doesn’t provide an MSI for GPO deployment (at least not in the way i was expecting it). it took me a few hours, but i found a good way to get this accomplished pretty quickly and thought i would share.

  1. get silverlight @ http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx and save the exe into c:\silverlight

Oct 12, 2010
 

updated: i just finished another presentation on stuxnet and moved the presentation over to a prezi. there is still a link to a pdf from my first presentation, along with a link to the stuxnet prezi.

today i did a presentation for our local infragard chapter on stuxnet.

as you can tell from the title, “stuxnet: a technical, political, and business analysis”, it was designed to show how complex and thorough stuxnet is, but then also to look at the political implications, followed up by the most important piece: what this means to the business community.

to clarify, it’s more of a recap of the articles i have read on stuxnet, in simple enough terms that someone who is not terribly technical can grasp it, while giving the coders something to chew on.

click the following link to download the pdf if you are interested. feel free to comment or drop me a line if you have any questions!

stuxnet v01

stuxnet presentation