The following talks are presented by Joe McCray. He shows how to bypass the (sometimes very expensive) security products that claim to protect your network/system from attack.
He also urges all the bosses to put more budget into security staff and security training, rather than just purchasing a security product (or several).
Bio :
Joe McCray - Advanced Security Lead Instructor
Joseph McCray is the lead / head instructor for Advanced Security by Academy of Computer Education. Joe oversees the quality of instruction of all of our hacking and forensics courses and makes sure that our entire team of instructors has what they need and is prepared to the fullest for each and every class. Joe has been leading Advanced Security's hacking and forensics training classes since 2004.
Joe McCray is a retired Air Force veteran and has been in security for over 15 years. Joe has been involved in over 150 very high level pentesting assessments and has some major hacking accomplishments that he can share with his classes. His extensive experience and deep knowledge, mixed with his comedic style, have led Joe to be one of the most highly sought after speaking experts in the industry. Joe makes speaking appearances and gives seminars at major events in the security community such as Black Hat, DefCon, BruCon, Hacker Halted and more. Joe is the recipient of the 2009 EC-Council Instructor Circle of Excellence Award and the 2010 EC-Council Instructor of the Year Award. Joe also runs a successful international security training website called Strategic Security.
Please watch them with an open mind. Here we go :
Hacktivity 2012 - Big Bang Theory : The Evolution of Pentesting High Security Environments
Defcon 18 - You Spent All That Money and You Still Got Owned???
That's all! See you.
Tuesday, December 18, 2012
Friday, December 14, 2012
HOWTO : Setup My Back|Track 5r3 Personal Supercomputer
My Hardware
CPU : Intel i7-3930K (6 cores, 12 cores with Hyper-Threading, Socket 2011)
Motherboard : ASUS SaberTooth X79
RAM : Corsair Vengeance DDR3 1600 32GB (4GB x 8)
Display Card : Inno3D nVidia GeForce GTX 590 384bit 3072MB DDR5 x 2
Hard Drive : WD SATA III 3TB
Power Supply : Seasonic X-series 1250W
Cooling : Water cooling system with EK products
Case : Lian Li PC-z70 (modified)
My Operating System
Back|Track 5r3 64-bit system as the host operating system for the captioned hardware.
My Problem
When Back|Track 5r3 boots and "startx" is run, the monitor goes black. This is because of the nVidia display card in the system.
The only way to solve it is to press "Tab" in the boot option menu when booting Back|Track 5r3, then enter the following at the end of "text splash vga=791" :
    text splash vga=791 nomodeset
After that, Back|Track 5r3 will boot up once you enter the command "startx". Install the system to your hard drive as usual.
After the installation is completed, do not reboot the system. Instead, mount the partitions of the hard drive and edit the following file :
    nano /etc/default/grub
Locate 'GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791"' and append the following :
    text splash vga=791 nomodeset
and it will look like this :
    GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791 nomodeset"
Then execute the following commands :
    update-grub
    fix-splash
Reboot the system.
My nVidia and CUDA drivers
Install the current nVidia driver from the Back|Track repos :
    apt-get update
    apt-get install nvidia-current nvidia-current-modaliases nvidia-settings
After the nVidia driver is installed, execute the following command :
    nvidia-xconfig
Now it is time to install the CUDA driver. Go to the CUDA Developer site and download the driver. Make sure you select the Ubuntu 10.04 version.
64-bit version :
    wget http://developer.download.nvidia.com/compute/cuda/5_0/rel-update-1/installers/cuda_5.0.35_linux_64_ubuntu10.04-1.run
32-bit version :
    wget http://developer.download.nvidia.com/compute/cuda/5_0/rel-update-1/installers/cuda_5.0.35_linux_32_ubuntu10.04-1.run
After the download, make it executable. For example :
    chmod +x cuda_5.0.35_linux_64_ubuntu10.04-1.run
Then install it and follow the on-screen instructions. Accept the default settings.
    ./cuda_5.0.35_linux_64_ubuntu10.04-1.run
The last step of the installation is to set up the path of the executable files and libraries.
    nano /root/.bashrc
Append the following line at the end of the file.
    PATH=$PATH:/usr/local/cuda-5.0/bin
Then create the library configuration file :
    nano /etc/ld.so.conf.d/cuda.conf
Add the following lines to the file.
    /usr/local/cuda-5.0/lib
    /usr/local/cuda-5.0/lib64
Then execute the following command and reboot afterward.
    ldconfig
My Hash Cracking Power
We use oclHashcat+ to test the cracking performance of this hardware.
    cd /pentest/passwords/oclhashcat+
    ./cudaExample0.sh
    ./cudaExample400.sh
    ./cudaExample500.sh
If you can see the hashes being cracked, CUDA is set up properly.
My Additional Software
This host is for hash and password cracking. The penetration testing work will be done on virtual machines.
I will install virtualbox, sysinfo, shutter, synaptic, gtk-recordmydesktop, and sensors-applet to extend the functions of this host.
By the way, I need to fix some minor bugs of Back|Track 5r3.
Bug #1 :
There has been no sound since Back|Track 5.
    mkdir /root/.config/autostart
    nano /root/.config/autostart/pulseaudio.desktop
Add the following lines to the file.
    [Desktop Entry]
    Type=Application
    Exec=/usr/bin/pulseaudio
    Hidden=false
    NoDisplay=false
    X-GNOME-Autostart-enabled=true
    Name=Pulseaudio
    Comment=Start Pulseaudio
Bug #2 :
Wicd has not been able to connect to D-Bus since Back|Track 5.
    dpkg-reconfigure wicd
    update-rc.d wicd defaults
That's all! See you.
Labels:
Back|Track,
CUDA,
nVidia,
oclhashcat+
Tuesday, December 11, 2012
HOWTO : Install edb-debugger on Ubuntu 12.10
When we are doing debugging work on Windows system, we will use Immunity Debugger or Olldbg. Those are very good debuggers for Windows system. When doing debugging work on Linux, there is a command line version, namely GDB (The GNU Project Debugger). How about the GUI version of Linux debugger? Yes, there is one available, it is namely Evan's Debugger (edb-debugger).
The current version is 0.9.18. However, it does not work properly on Ubuntu 12.04 LTS and 12.10. The available deb package, version 0.9.17, does not work properly on these versions of Ubuntu either.
The only solution is to install the svn version (currently 0.9.19). I am going to show you how.
Step 1 :
    sudo apt-get update
    sudo apt-get install libqt4-dev libboost1.48-all-dev subversion
Step 2 :
    svn checkout http://edb-debugger.googlecode.com/svn/trunk/ edb-debugger
    cd edb-debugger
    qmake
    make
    sudo make install
Step 3 :
To see where edb is installed :
    whereis edb
The following shows a 64-bit system :
    /bin/edb /lib64/edb
Go back to your user directory, such as /home/samiux.
    cd /home/samiux
    mkdir .edb
Step 4 :
Run the program :
    sudo edb
Once the program is launched, a popup says that the library files cannot be located. You need to go to "Directories" under "Preferences" and set :
    Symbol Directory - /home/samiux/.edb
    Plugin Directory - /lib64/edb/
    Session Directory - /home/samiux/.edb
That's all! See you.
Labels:
edb-debugger
Saturday, December 01, 2012
Love Your Neighbour as Yourself
Again, this time I am not going to talk about IT or Infosec.
A video is better than a thousand words ....
That's all! See you.
Labels:
love
Friday, November 30, 2012
Quit smoking now!
This time I am not going to talk about IT or Infosec. I am going to show you a Thai made quit smoking advertising. If you are a smoker, I would like you to have some minutes to watch. May be you will agree with the video.
That's all! See you.
Labels:
Quit smoking
Friday, November 09, 2012
HOWTO : Make Sure Your Server Is Really Hidden
You are so brilliant that you have found a way to hide your server from the internet. However, you are not 100% sure. By using penetration testing tools, you can confirm that your hidden server is really hidden.
Here we use the tools in BackTrack 5 r3.
    nmap -sS -sV -v -Pn samiux.com
    cd /pentest/enumeration/dns/fierce/
    perl fierce.pl -dns samiux.com
*** where "samiux.com" is the domain name; it is only an example here.
From the output of the last command, make sure your server's IP address is not listed; only then is the server hidden.
Now your server's IP address is not shown. So, is your server really hidden? I guess not, maybe. Test it further with searchdns.netcraft.com for the history records. Unfortunately, you may find your server's IP address in the history records (if any).
If your server's IP address is in Netcraft's history records, you may consider changing the IP address when necessary in order to hide your server from the internet.
That's all! See you.
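The check described above is "does my origin address appear anywhere in the enumeration output". The snippet below is an added example, not code from the original post or from fierce or nmap: it takes a list of origin addresses that are supposed to stay hidden and a block of scan output, and prints each origin address that occurs there as a whole token. The scan lines are constructed (they only mimic an "ip hostname" layout, not real fierce output), the addresses are documentation ranges, and the function names leaked_origins and origins_hidden are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Report which "hidden" origin
# addresses still show up in DNS/port-scan enumeration output.

# Constructed scan output: "ip  hostname" pairs, mimicking (not reproducing)
# what a DNS brute-forcer prints. Addresses are RFC 5737 documentation ranges.
SAMPLE_SCAN='203.0.113.10    www.example.test
203.0.113.10    mail.example.test
198.51.100.7    dev.example.test
198.51.100.70   old.example.test'

# Origin addresses that are supposed to stay behind the front end (constructed).
ORIGIN_IPS='198.51.100.7
198.51.100.8'

# usage: leaked_origins "<origin list, one per line>" "<scan output>"
# Prints every origin address that occurs as a whole token in the scan output.
# -F: literal match (dots are not regex wildcards); -w: whole word, so
# 198.51.100.7 does not match inside 198.51.100.70.
leaked_origins() {
    origins="$1"; scan="$2"
    printf '%s\n' "$origins" | while read -r ip; do
        [ -n "$ip" ] || continue
        if printf '%s\n' "$scan" | grep -Fqw -- "$ip"; then
            echo "$ip"
        fi
    done
}

# Exit-status wrapper: 0 when nothing leaked, 1 otherwise, so it can gate a job.
origins_hidden() {
    [ -z "$(leaked_origins "$1" "$2")" ]
}
```

On a live check you would feed the real tool output in instead of the sample, for example `leaked_origins "$ORIGIN_IPS" "$(perl fierce.pl -dns example.test)"`, and run the same call against the Netcraft history page text, since a current scan coming back clean says nothing about what was recorded earlier.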
Labels:
Back|Track,
DNS,
fierce
Tuesday, November 06, 2012
DerbyCon 2012 - Intro to Linux System Hardening
It is a pity that this talk is only from System Administrator to System Administrator and not for Information Security (InfoSec) people. The speaker, Chris Jenks (rattis), hardens Linux systems from a System Administrator's point of view instead of an InfoSec point of view. However, it is an InfoSec conference. Strange.
In general, a System Administrator has no knowledge of how malicious hackers think and act. Their knowledge of InfoSec is limited. They are just guessing that what they have done can prevent an attack.
Description of the Talk (Written by the speaker) :
This introductory level talk is designed for people that know a little bit about Linux and how to run Backtrack. The main target audience would have junior level administration experience, and also know about Backtrack.
It looks at how to do basic system hardening on CentOS and Ubuntu, using systems with default installs. It then looks at using those same tactics on systems running Backtrack. Along the way, I discuss why I don’t like using virtual machines, multiboot, liveCD or USB to run Backtrack in the field, and why I think it should be run on a dedicated machine.
BIO of Speaker :
Experience includes fifteen years of network engineering and thirteen years system administration. He is currently studying Information Assurance at Eastern Michigan University. That degree will supplement his degrees in Computer Information Systems and Anthropology. Certifications include Security+ and Offensive Security Wireless Professional. Involved in Michigan’s Locksport scene, and a regular at Arbsec and MiSec. He’s the ”rat” in the Rats and Rouges InfoSec Podcast.
My Own Opinion :
Basically, BackTrack Linux is a Linux distribution for Penetration Testing. That means it is a tool for attackers (you can think of it like this in order to make your mind clear). Just like Thai boxers, who do not wear any protective equipment during the fight, because that equipment would obstruct their performance.
However, the speaker advised BackTrack users to enable the firewall (iptables) and configure the Apache web server to listen on localhost (127.0.0.1). He also suggests reconfiguring SSH to disallow root login and creating a sudoer account. More tools, such as denyhosts, fail2ban, tripwire and logcheck, are also advised to be installed on BackTrack.
If the firewall is enabled and other tools (such as denyhosts, fail2ban, tripwire) are installed on BackTrack, it is something like shooting ourselves in the foot when using it for pentesting. Meanwhile, the speaker does not know the function of the Apache web server on BackTrack, as he does not know why it is there. Moreover, SSH on BackTrack is for attack purposes instead of administration. Almost all the tools in BackTrack require root privileges to run; therefore, a sudoer account is not required.
BackTrack is not a normal Linux distribution for general users to use daily and casually. It is a specially designed distribution for Penetration Testing; it is designed for attackers (you can think of a Penetration Tester as an attacker, but not a bad guy). It is designed for attack, not for defence.
Weird enough that the speaker has some InfoSec qualifications. Overall, this talk is misleading from the point of view of a BackTrack user. Not recommended.
UPDATED on November 10, 2012 :
I found out that he had another two talks on the same topic, spreading the same wrong information to the listeners. Too sad.
I doubt it: if the SysAdmin hacks back (if at all), what can he get? What can he do? As he said, shut down the attacker's box? The attacker is just using BackTrack, and if the root password has been changed, there is no chance for a SysAdmin to do something evil to the attacker. It is really doubtful, in my opinion.
He doesn't even know the difference between 127.0.0.1 and 0.0.0.0, as he suggests turning off CUPS because it is running as root. However, CUPS is listening on localhost, and the user account running it is already root. So what does he want?
By the way, he uses Denyhosts to block unwanted SSH access, which means he does not know how to use SSH to perform an attack.
He also suggests disabling the mail function. However, how can we (attackers) perform an attack via mail?
I doubt that he knows how to use BackTrack. Not kidding!
Finally, one thing I do agree with him on is to change the root password to something else, and maybe change the hostname too.
Anyway, he is just a System Administrator, not an Information Security guy.
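The 127.0.0.1 versus 0.0.0.0 point above is the one thing in this review a reader can check on their own box: a service bound to the loopback address is reachable only from the machine itself, while one bound to 0.0.0.0 (or :: for IPv6) is reachable from the network, and only the second kind is worth a firewall or hardening discussion. The following shell snippet is an added example, not part of the original post or of the talk: it reads listener lines in the column layout of netstat -tlnp and splits them into network-reachable and local-only. The sample lines are constructed, not captured from a real BackTrack system, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Separate TCP listeners bound to
# all interfaces (0.0.0.0 / ::) from those bound to a single address such as
# 127.0.0.1, using netstat -tlnp style input.

# Constructed sample in the column layout of `netstat -tlnp` (not real output).
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1031/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1102/exim4
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1210/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd'

# usage: listeners_bound exposed|local  < netstat output
# Column 4 is "addr:port"; the port is everything after the last colon and the
# address everything before it, so ":::22" yields addr "::" and port 22.
# "exposed" prints wildcard binds, "local" prints everything else (loopback or
# a specific interface address). Output is "port program" per line.
listeners_bound() {
    awk -v mode="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)
        port = $4; sub(/^.*:/, "", port)
        wide = (addr == "0.0.0.0" || addr == "::")
        if ((mode == "exposed" && wide) || (mode == "local" && !wide))
            print port, $7
    }'
}

# Counts over the constructed sample; on a live box pipe `netstat -tlnp` in
# instead (ss -tlnp has a different column layout and would need its own awk).
count_exposed() { printf '%s\n' "$SAMPLE_LISTENERS" | listeners_bound exposed | wc -l | tr -d ' '; }
count_local()   { printf '%s\n' "$SAMPLE_LISTENERS" | listeners_bound local   | wc -l | tr -d ' '; }
```

On the sample, cupsd on 127.0.0.1:631 lands in the "local" set, which is the CUPS case argued about above, while sshd and apache2 on 0.0.0.0 are the only entries a network-facing hardening step would actually affect.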
Labels:
DerbyCon
Wednesday, October 24, 2012
HOWTO : Activate nVidia GeForce GT650M on 15" MacBook Pro Retina
You are required to install the following packages.
gfxCardStatus will switch to the nVidia GT650M automatically when the running software is capable of 3D acceleration, such as VirtualBox. Or, you can switch it manually.
CUDA will be loaded automatically when software uses CUDA features.
That's all! See you.
Labels:
MacBook Pro Retina
Tuesday, October 16, 2012
HOWTO : nVidia Optimus on Back|Track 5 r3
(A) Hardware (nVidia Optimus)
Brand : Asus n82jv-vx072v
CPU : Intel i5 450M, 2.4Ghz
RAM : 4096MB DDR3 1066
Display card : nVidia GeForce GT335M 1G VRAM DDR3
(B) Hardware (nVidia GeForce)
Any computer comes with nVidia GeForce display card that is CUDA capable.
Problem
You will get a black screen on boot and cannot go any further to install Back|Track. This tutorial applies not only to Back|Track but also to other Linux distributions.
Solution
Step 1 :
When booting up, in the "Boot Option Menu", press "Tab" (other versions of Linux will differ) and append the following to the end of the kernel option line :
    text splash vga=791 i915.modeset=1 nomodeset
*** Remarks : "i915.modeset=1 nomodeset" is for Optimus only. For nVidia GeForce, only "nomodeset" is needed.
Step 2 :
Once booted up and installed, do not restart; continue testing. Mount the hard drive and edit the following :
    nano /etc/default/grub
Locate 'GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791"' and append the following :
    text splash vga=791 i915.modeset=1 nomodeset
and it will look like this :
    GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791 i915.modeset=1 nomodeset"
    update-grub
The following command is for Back|Track only.
    fix-splash
Step 3 :
Reboot your computer.
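Both this post and the "Personal Supercomputer" post above make the same edit to GRUB_CMDLINE_LINUX_DEFAULT by hand in nano, and the second step of each tells you to paste the whole line again. As an added example (not code from either original post), the following POSIX shell helper makes that edit idempotently, so running it twice does not duplicate "nomodeset" and a file with no such line gets one instead of being silently ignored. The helper names add_grub_params and grub_default_line are my own, and the demo writes to a temporary file rather than to /etc/default/grub.

```shell
#!/bin/sh
# Added example, not from the original posts. Idempotently append kernel
# parameters to GRUB_CMDLINE_LINUX_DEFAULT in a grub defaults file.
# Helper names (add_grub_params, grub_default_line) are this example's own.

# Print the current value inside the quotes of GRUB_CMDLINE_LINUX_DEFAULT="...".
grub_default_line() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# usage: add_grub_params FILE PARAM...
# Each PARAM (e.g. nomodeset, i915.modeset=1) is appended only if absent.
add_grub_params() {
    file="$1"; shift
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        # No line at all: create an empty one so the parameters are not lost.
        printf 'GRUB_CMDLINE_LINUX_DEFAULT=""\n' >> "$file"
    fi
    for p in "$@"; do
        cur=$(grub_default_line "$file")
        case " $cur " in
            *" $p "*) continue ;;      # already present, leave the file untouched
        esac
        new=$(printf '%s %s' "$cur" "$p" | sed 's/^ *//')
        # Rewrite via a temp file instead of sed -i (GNU-only). Kernel params
        # never contain the | delimiter or &, so the replacement is literal.
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"\$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Demo on a constructed copy of the Back|Track default line, never the real file.
demo_grub_edit() {
    tmp=$(mktemp)
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791"\n' > "$tmp"
    add_grub_params "$tmp" i915.modeset=1 nomodeset
    add_grub_params "$tmp" nomodeset     # second run is a no-op
    grub_default_line "$tmp"             # text splash vga=791 i915.modeset=1 nomodeset
    rm -f "$tmp"
}
```

On the real system you would call `add_grub_params /etc/default/grub nomodeset` (or with `i915.modeset=1 nomodeset` for Optimus) and then run update-grub and, on Back|Track, fix-splash exactly as the steps above say; the helper only touches the defaults file.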
Step 4 (If you do Step 4a, DO NOT do this step, skip it.) :
Do not run "startx". This step should be run without X. For other Linux distributions, press "Alt + F2" to get a console.
Download CUDA 5.0 for 64-bit :
    wget http://developer.download.nvidia.com/compute/cuda/5_0/rel/installers/cuda_5.0.35_linux_64_ubuntu10.04.run
Download CUDA 5.0 for 32-bit :
    wget http://developer.download.nvidia.com/compute/cuda/5_0/rel/installers/cuda_5.0.35_linux_32_ubuntu10.04.run
Make the installer executable :
    chmod +x cuda_5.0.35_linux_64_ubuntu10.04.run
or
    chmod +x cuda_5.0.35_linux_32_ubuntu10.04.run
Then run the following command.
    ./cuda_5.0.35_linux_64_ubuntu10.04.run
or
    ./cuda_5.0.35_linux_32_ubuntu10.04.run
Answer "accept" and install the nVidia driver (current version is 304.54) as well as the nVidia CUDA Toolkit (current is 5.0.35). If you want to install the samples, please do. When asked for the path or directory, press Enter to accept the default setting.
Remarks : Please note that CUDA has an updated version.
Step 4a (Don't do with Step 4 together, only one of it) :
Do not run "startx". This step should be run without X. For other Linux distributions, press "Alt + F2" to get a console.
    add-apt-repository ppa:ubuntu-x-swat/x-updates
Edit : The x-swat ppa does not work anymore. Use the Back|Track repos instead. Just run the following commands only.
    apt-get update
    apt-get install nvidia-current nvidia-current-modaliases nvidia-settings
Your nVidia driver has been installed (current version is 304.60).
Download CUDA 5.0 for 64-bit :
    wget http://developer.download.nvidia.com/compute/cuda/5_0/rel/installers/cuda_5.0.35_linux_64_ubuntu10.04.run
Download CUDA 5.0 for 32-bit :
    wget http://developer.download.nvidia.com/compute/cuda/5_0/rel/installers/cuda_5.0.35_linux_32_ubuntu10.04.run
Make the installer executable :
    chmod +x cuda_5.0.35_linux_64_ubuntu10.04.run
or
    chmod +x cuda_5.0.35_linux_32_ubuntu10.04.run
Then run the following command.
    ./cuda_5.0.35_linux_64_ubuntu10.04.run
or
    ./cuda_5.0.35_linux_32_ubuntu10.04.run
Answer "accept" and DO NOT install the nVidia driver. Only install the nVidia CUDA Toolkit (current is 5.0.35). If you want to install the samples, please do. When asked for the path or directory, press Enter to accept the default setting.
Remarks : Please note that CUDA has an updated version.
Step 5 :
The following is for Back|Track only. For other Linux distributions, replace "root" with your username.
    nano /root/.bashrc
Append the following :
    PATH=$PATH:/usr/local/cuda-5.0/bin
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda-5.0/lib:/usr/local/cuda-5.0/lib64:/lib
    export PATH
    export LD_LIBRARY_PATH
Or, you can do the following instead for any Linux distribution.
    nano /etc/ld.so.conf.d/cuda.conf
Add the following lines to the file :
    /usr/local/cuda-5.0/bin
    /usr/local/cuda-5.0/lib
    /usr/local/cuda-5.0/lib64
Save and then run the following command :
    ldconfig
Then, reboot.
Step 6 : (For nVidia Optimus only)
To install Bumblebee :
    sudo add-apt-repository ppa:bumblebee/stable
    sudo apt-get update
    sudo apt-get install bumblebee bumblebee-nvidia
Then, reboot the box.
Step 7 : (For nVidia Optimus only)
To test whether the nVidia driver works :
    glxspheres
    optirun glxspheres
Step 8 : (Optional)
Go to the official site of pyrit.
    http://code.google.com/p/pyrit/downloads/list
Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of writing). Back|Track 5 r3 may have pyrit installed, but without CUDA support.
    tar -xzvf pyrit-0.4.0.tar.gz
    cd pyrit-0.4.0
    python setup.py build
    python setup.py install
    cd ..
    tar -xzvf cpyrit-cuda-0.4.0.tar.gz
    cd cpyrit-cuda-0.4.0
    python setup.py build
    python setup.py install
To test whether the installation is correct (if you are not using Optimus, "optirun" is not required) :
    optirun pyrit list_cores
    optirun pyrit benchmark
    optirun pyrit benchmark_long
Finally, thank you to Malko for testing it and confirming that it works.
That's all! See you.
Labels:
Back|Track,
Optimus
Saturday, October 13, 2012
HOWTO : Cracking WPA2 Passphrase Made Easy
Many people out there still think that cracking a WPA2 passphrase requires dictionaries. However, that is not true.
You can brute force the WPA2 passpharse with the help of GPUs. Here is my discoveries on April 16, 2010 and May 22, 2011.
If the wifi router is equipped with WPS (Wifi Protected Setup) and it is enabled, to crack it is very easy with the tool namely reaver.
In additional, it is risky to use public wifi or public free wifi too. No matter they have passpharse or not. (Please refer to "
See Also" for details) You are also be informed that there are some high power and long range wifi adaptors in the market.Alfa Network produces some high power and long range wifi adaptors, such as Alfa AWUS036H and Alfa AWUS036NHR. They can connect to the vicitm's wifi router in the distance of 1KM+ away.
That's all! See you.
See Also :
HOWTO : Sniffing SSL with ettercap on Back|Track 5
HOWTO : Protect you from being ARP spoofing
Wednesday, October 03, 2012
EXPLOIT-DEV : CentOS 6.3 vs Ubuntu 12.04
There are many methods to exploit a Local File Inclusion (LFI) vulnerability in a PHP web application on Linux systems. Some of them, I think, no longer work on the latest versions of Linux distributions. For example: process injection, log file injection, session file injection, etc.
Unfortunately, in my recent research, I found that PHP session files on CentOS 6.3 (and maybe previous versions too) can be injected and loaded with the default settings. However, on Ubuntu 12.04 they cannot. (Remark : I did not check other Linux distributions for this research.)
When PHP session files can be injected and loaded along with an LFI vulnerability, attackers can obtain a remote shell.
Basically, CentOS is a clone of Red Hat Enterprise Linux.
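The injection routes named above (process, log and session files) all arrive through the same vulnerable include parameter, so they can be spotted in the web server's access log. The following detector is an added example, not code from this post; the log lines are constructed in combined log format, and the /proc/self, /var/log and sess_ indicators are assumptions about what such probes typically contain.

```shell
#!/bin/sh
# Added example, not from the original post: flag requests in an Apache/nginx
# style access log that look like LFI probes for the targets the post names:
# traversal sequences, /proc (process injection), /var/log (log file
# injection) and PHP session files (sess_*). All log lines are constructed.

# Decode the most common URL encodings so "..%2f" and "%2e%2e/" are not missed.
url_decode() {
    printf '%s' "$1" | sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' -e 's/%00//g'
}

# Return 0 (true) if a request line contains an LFI indicator, 1 otherwise.
is_lfi_probe() {
    decoded=$(url_decode "$1")
    case "$decoded" in
        *../*|*/proc/self/*|*/var/log/*|*sess_*) return 0 ;;
    esac
    return 1
}

# Count matching lines in a log file; echo each match to stderr for review.
count_lfi_probes() {
    n=0
    while IFS= read -r line; do
        request=$(printf '%s' "$line" | cut -d'"' -f2)   # the quoted request
        if is_lfi_probe "$request"; then
            n=$((n + 1))
            printf 'LFI indicator: %s\n' "$line" >&2
        fi
    done < "$1"
    printf '%s' "$n"
}

# Constructed sample log for a stand-alone run (three probes, two normal hits).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [03/Oct/2012:10:01:02 +0800] "GET /index.php?page=about HTTP/1.1" 200 1523
203.0.113.5 - - [03/Oct/2012:10:01:09 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.5 - - [03/Oct/2012:10:01:15 +0800] "GET /index.php?page=..%2f..%2f..%2fproc%2fself%2fenviron HTTP/1.1" 200 900
203.0.113.5 - - [03/Oct/2012:10:01:21 +0800] "GET /index.php?page=/var/lib/php/session/sess_4f2a HTTP/1.1" 200 77
198.51.100.9 - - [03/Oct/2012:10:02:00 +0800] "GET /index.php?page=contact HTTP/1.1" 200 1411
EOF

echo "LFI probes found: $(count_lfi_probes "$SAMPLE_LOG")"
```

On a real server, point count_lfi_probes at the live access log; a non-zero result on the page parameter of an include-based application is the signal to check whether the session directory is readable by the PHP process.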
Reference : Web vulnerabilities to gain access to the system
That's all! See you.
Sunday, September 30, 2012
HOWTO : Web Application Attack
The following tutorials were created by Prateek Gianchandani, who has interests in the fields of Penetration Testing, Web Application Security and Intrusion Detection. He is currently a researcher for InfoSec Institute. In the past he has worked for security-based startups. In his spare time he maintains his website searching-eye.com.
Burp Suite Walkthrough
Inserting Vulnerabilities in Web Applications
Hacking Web Authentication – Part 1
Hacking Web Authentication – Part 2
W3af walkthrough and tutorial – Part 1
w3af walkthrough and tutorial part 2 – Discovery and Audit plugins
w3af walkthrough and tutorial part 3 – Remaining plugins
w3af walkthrough and tutorial part 4 – w3af tools, profiles and scripting
That's all! See you.
Labels:
Web Attack
HOWTO : SQLi Lab Series by Audi-1
The following is the SQLi Lab series, created by Audi-1, who is an Offensive Security Certified Expert (OSCE). He explains how SQLi works.
SQLi Lab Series - Introduction
SQLi Lab Series - Error Based
SQLi Lab Series - Double Query / SubQuery
SQLi Lab Series - Blind Injection - Boolean Based
SQLi Lab Series - Blind Injection - Time Based
SQLi Lab Series - Using Outfile / Dumpfile
SQLi Lab Series - Post Based
SQLi Lab Series - Double Query
SQLi Lab Series - Update Query
SQLi Lab Series - Insert Query / Headers
SQLi Lab Series - Cookie Based
Second Order Injection
Bypassing blacklist filters (Part 1)
Bypassing blacklist filters (Part 2)
The whole series of the video of SQLi Lab Series
That's all! See you.
Wednesday, September 26, 2012
Course Review - Cracking the Perimeter (CTP)
Before enrolling in the Cracking the Perimeter course, you need to solve a problem. This problem confirms that you have some related skills before taking the course. This course is not designed for newbies.
If you do not have knowledge of penetration testing, I recommend you take Penetration Testing with BackTrack.
The Course
A debugger for Windows is used for most of the course, for the purposes of anti-virus bypass, backdooring and exploit writing. You should have some knowledge of x86 assembly language, Linux, Windows and web site scripting languages such as PHP as well. You are also required to do a lot of research on the topic of exploit writing. In addition, some extra exercises to improve your skills are recommended. The course also covers web application attacks.
One of the modules in the course that I like most and hate most is HP OpenView Network Node Manager NNM 7.5.0. In the beginning, I overlooked this module and thought that it was a very specific case whose solution would not apply to other exploit writing. Later, I found this module very interesting and spent a lot of time understanding what was going on. Fortunately, I fully understand it now.
Mati (the founder of Offensive Security) gave a talk at DefCon 16 about this exploit writing, where he states that he could not solve this problem in the very beginning. Here you are :
You should enroll for the exam within 90 days after your lab access time expires. Otherwise, you need to pay for the exam.
The Challenge
The Challenge gives you 47 hours and 45 minutes to solve a series of problems. You need to submit the report within 24 hours after the challenge ends.
Finally, the exam was over and the report was submitted. Within 3 business days, I received an email telling me that I passed the challenge. I am now an Offensive Security Certified Expert (OSCE).
The Conclusion
In conclusion, this course teaches you about exploit writing and some skills in AV bypass and backdooring. You need to have some penetration testing skills before taking this course. This course is an eye-opener; you can learn a lot of things during the course. Make sure you fully understand the course materials. Recommended!
Labels:
Course Review
Tuesday, September 04, 2012
HOWTO : Apparmor for VirtualBox on Ubuntu 12.04
AppArmor is a kind of application firewall, similar to SELinux. AppArmor is installed by default on Ubuntu.
The AppArmor profile for VirtualBox does not exist in /etc/apparmor.d/, so you should build your own. You can copy the following source code to that directory and enable it.
Step 1 :
sudo apt-get install apparmor-utils
Make sure VirtualBox is installed.
Step 2 :
usr.bin.VBox
Copy the captioned source code and place it in /etc/apparmor.d/, naming it with the underlined name (usr.bin.VBox).
Step 3 :
sudo aa-enforce /etc/apparmor.d/usr.bin.VBox
That's all! See you.
REFERENCE
Apparmor manual for Ubuntu
Labels:
Apparmor,
Ubuntu,
VirtualBox
HOWTO : Apparmor for xChat on Ubuntu 12.04
AppArmor is a kind of application firewall, similar to SELinux. AppArmor is installed by default on Ubuntu.
The AppArmor profile for xChat does not exist in /etc/apparmor.d/, so you should build your own. You can copy the following source code to that directory and enable it.
Step 1 :
sudo apt-get install apparmor-utils
sudo apt-get install xchat
Step 2 :
usr.bin.xchat
Make sure lines #19, #34 and #36 match the installed version of Python. If you upgraded Python to another version, change them accordingly; otherwise, xChat will not run, as it will be blocked by AppArmor.
Copy the captioned source code and place it in /etc/apparmor.d/, naming it "usr.bin.xchat".
Step 3 :
After making the changes (if any), enable it.
sudo aa-enforce /etc/apparmor.d/usr.bin.xchat
That's all! See you.
REFERENCE
Apparmor manual for Ubuntu
HOWTO : Apparmor for Firefox on Ubuntu 12.04
AppArmor is a kind of application firewall, similar to SELinux. AppArmor is installed by default on Ubuntu.
The AppArmor profile for Firefox is already installed in /etc/apparmor.d/, but it is not enabled by default.
Step 1 :
sudo apt-get install apparmor-utils
Step 2 :
Make sure lines #120 to #127 match the language installed on your Ubuntu. Lines #122 to #123 and #126 to #127 show the Traditional Chinese names of the Public and Downloads directories.
Step 3 :
After making the changes (if any), enable it.
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
That's all! See you.
REFERENCE
Apparmor manual for Ubuntu
Wednesday, August 22, 2012
EXPLOIT-DEV : Quick TFTP Server Pro 2.1 Case Study
Quick TFTP Server Pro is a multi-threaded TFTP server and telnet server for Microsoft Windows. It is designed to allow network administrators and users to save and write files from various network equipment, and to allow users to log in to the server to execute various commands, such as listing file and directory information and reverse-pinging network equipment.
The current version, 2.1, is vulnerable to a Buffer Overflow, which was announced on March 26, 2008, and a Directory Traversal vulnerability, which was announced on November 5, 2011.
I only focus on the Buffer Overflow vulnerability. This piece of software has not fixed the problem since the vulnerability was discovered in 2008. I wonder why.
So I made up my mind to investigate. After the enquiry, it was confirmed that this piece of software is only exploitable on Windows XP SP2 and below. Windows XP SP3 or above cannot be exploited even though it is vulnerable. Why?
I found out that this piece of software comes with no DLL file; it is a standalone executable. After Windows XP SP3, Microsoft implemented Data Execution Prevention (DEP), which enforces non-executable pages on the stack and prevents the execution of arbitrary shellcode.
In addition, this software has no other module files (DLLs) that are not compiled with SafeSEH, and all the system files are SafeSEHed. Although you can find a pointer in unicode.nls, because of the null byte there is no chance to make the shellcode work.
At least, that is what I have found out so far. If anyone finds a method to exploit this software on Windows XP SP3 or above, please let me know. By the way, I have not tried the ret2libc and ROP methods yet.
Therefore, it only affects Windows XP SP2 and below. Since Windows XP SP2 is not supported by Microsoft any more, I think the developer of the software considers it unnecessary to fix the vulnerability.
That's all! See you.
Thursday, August 16, 2012
HOWTO : Back|Track 5 r3 on Gigabyte TouchNote T1028X/M1028
The Gigabyte TouchNote T1028X/M1028 is equipped with an Intel Atom N280 and an eGalax touch screen. It runs Back|Track 5 r3 flawlessly except for the touchpad. This tutorial tells you how to overcome this problem.
The kernel version of Back|Track 5 r3 is 3.2.6 and the touch screen is functioning flawlessly.
Touchscreen Hardware
"lsusb" shows the following :
Bus 005 Device 002: ID 0eef:0001 D-WAV Scientific Co., Ltd eGalax TouchScreen
Step 1 :
Boot up the 32-bit version of Back|Track 5 r3 from a USB stick created by Unetbootin or from DVD-ROM. On the menu screen, press "Tab" and append the following to the end of the line.
i8042.noloop=1 reboot=b
Then install as usual and reboot.
Step 2 :
After login, enter the following :
nano /etc/default/grub
Append "i8042.noloop=1 reboot=b" to "GRUB_CMDLINE_LINUX_DEFAULT". It will look like this :
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash i8042.noloop=1 reboot=b"
Save and exit.
Then execute the following commands :
update-grub
fix-splash
Then power off the computer and switch it on again.
That's all! See you.
Labels:
Back|Track,
eGalax,
Gigabyte M1028,
Gigabyte T1028X
Saturday, August 11, 2012
HOWTO : Encrypt the Home Directory in Ubuntu
You may want to encrypt your own home directory or any other user's home directory if you did not set it up during the installation of Ubuntu.
Step 1 :
sudo apt-get install ecryptfs-utils
Step 2 :
Create a temporary user with admin rights (the user must exist before it can be added to the group) :
sudo adduser tempuser
sudo adduser tempuser admin
Logout and re-login as tempuser.
Step 3 :
sudo ecryptfs-migrate-home -u samiux
Logout and re-login as samiux. But DO NOT reboot your system.
If you are not asked for the "Passphrase", you should enter the following command :
sudo ecryptfs-add-passphrase
Step 4 (Optional) :
You can check the Passphrase at any time with the following command :
sudo ecryptfs-unwrap-passphrase
Save the "Passphrase" somewhere and keep it safe for manual recovery.
Step 5 (Optional) :
I suggest you encrypt the swap too.
sudo ecryptfs-setup-swap
Step 6 :
Then, if everything is working fine, you can delete the randomly named backup of the old home directory and delete the tempuser.
sudo rm -rf /home/samiux.*
sudo deluser --remove-home tempuser
That's all! See you.
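"If everything is working fine" in Step 6 is the one point where a mistake is unrecoverable, because the rm -rf deletes the only unencrypted copy of the data. The following check is an added example, not part of the post: it verifies from the mounts table that the user's home is really an eCryptfs mount and that the wrapped passphrase for manual recovery exists before the backup is removed. The mounts table and passphrase file paths are parameters so it can run here against constructed input; on a real system pass /proc/mounts and $HOME/.ecryptfs/wrapped-passphrase.

```shell
#!/bin/sh
# Added example, not from the original post: confirm a migrated home is safe
# to clean up (Step 6) before "rm -rf /home/<user>.*" is run.
# MOUNTS and WRAPPED are parameters so the check can run against constructed
# input below; on a real system use /proc/mounts and
# /home/<user>/.ecryptfs/wrapped-passphrase.

# Return 0 if MOUNTS lists an ecryptfs filesystem mounted exactly on HOME.
home_is_ecryptfs() {
    home=$1
    mounts=$2
    awk -v home="$home" '$2 == home && $3 == "ecryptfs" { found = 1 }
                         END { exit found ? 0 : 1 }' "$mounts"
}

# Return 0 only when both conditions for removing the backup hold:
#   1. the home directory is an ecryptfs mount (data is really encrypted), and
#   2. the wrapped passphrase file exists (manual recovery stays possible).
safe_to_remove_backup() {
    home_is_ecryptfs "$1" "$2" && [ -f "$3" ]
}

# Constructed sample mounts table: samiux has been migrated, tempuser has not.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
/home/.ecryptfs/samiux/.Private /home/samiux ecryptfs rw,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/dev/sda2 /boot ext2 rw 0 0
EOF
# Constructed stand-in for /home/samiux/.ecryptfs/wrapped-passphrase.
SAMPLE_WRAPPED=$(mktemp)

if safe_to_remove_backup /home/samiux "$SAMPLE_MOUNTS" "$SAMPLE_WRAPPED"; then
    echo "OK: /home/samiux is an ecryptfs mount and the wrapped passphrase exists"
else
    echo "STOP: do not delete /home/samiux.* yet"
fi
```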