Wednesday, February 25, 2009

Briefly: IDA Pro on CentOS 5.2

This is almost a non-post, but who knows, it might be useful to someone... So today, while installing IDA Pro on CentOS, I hit a small snafu. Everything went well for key extraction: there's a nice tutorial for that. After I retrieved the key, I placed it in the $HOME/.idapro directory, as the README file instructs.

However, when running it I was faced with the following problem:


$ ./idal
./idal: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory



The problem is that the system only ships libstdc++.so.6, while the IDA binary is linked against the older libstdc++.so.5. Luckily, there are "compat" packages that contain these older libraries. You can install them with yum:


# yum install -y compat-libstdc++-33.i386



At this point, IDA Pro starts up nicely.

Sunday, February 22, 2009

Some Brief BH DC Afterthoughts

Though it's almost too late for this, I thought I would write briefly on BH DC. I had a blast while I was there and there were some very interesting talks. In case you are interested in the content of these talks, slides, papers, demos and videos are being uploaded to this site:

https://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html

The talks I liked the most were:

Let Your Mach-O Fly by Vincenzo Iozzo

This talk describes how to replace a running process in memory with another one by unmapping the current process, replacing the header and enveloping the old process with the new one. It was really cool to see the demos, but if you watch the video (if it is uploaded), you will see he has trouble with the Safari example. I didn't have time to confirm my suspicions, but I thought this was because he didn't supply the entire path to the desired executable. I went up to him after the talk to ask about this, but things were so rushed at the end that I didn't get a chance. I emailed him and he replied: "I found the problem, I forgot to patch a known bug before my talk," so he seems to have tracked it down. The code for this one is available online.

New Techniques for Defeating SSL/TLS by Moxie Marlinspike

I wasn't completely sure at first that this was going to be an interesting talk, but it turned out very nice. The title is misleading in that it wasn't really about SSL in general but about HTTPS specifically. He has a tool that can MITM connections by rewriting references to https into http. While that in itself is not as interesting, the more interesting part comes into play with the creation and use of fake certificates to make things look "secure". It was also funny how he used the favicon to give a positive indicator by swapping it for a padlock. I'm not sure how effective it would be against items like Yahoo!'s sign-in seal (among others), but there are other interesting possibilities. The code for his presentation is also available online. (updated link)


Attacking Intel(R) Trusted Execution Technology by Joanna Rutkowska and Rafal Wojtczuk


This was an awesome talk. It was a pleasure to see this team of famous researchers talk about the internals of TXT and how they could exploit it. The video for this one is available online, and it would definitely be worthwhile to watch it. Joanna has also posted the videos from the slides here:
http://theinvisiblethings.blogspot.com/2009/02/attacking-intel-txt-paper-and-slides.html

Defending Against BGP Man-In-the-Middle Attacks by Earl Zmijewski

This was another awesome talk! I didn't know the fine details about routers before the talk, but the MITM attack is quite simple. It was also very interesting to see how they came to a solution for detecting these attacks. It was also interesting that, after they had refined their detection algorithm, they found only three instances of the attack "in the wild", all of which could be explained. Another must read/watch I think, and Earl is entertaining :-)

Monday, February 16, 2009

Blackhat DC

Looks like I'll be attending Blackhat DC this week. Should be fun. Not sure if I want to do the picks thing... but there are some interesting talks scheduled.

I will probably be sticking mainly to Track 2 talks (with some exceptions), however...

Monday, February 02, 2009

PTK on CentOS 5.2

Having some spare time over the weekend caused me to attempt an installation of PTK on my spare CentOS box. I've succeeded in getting it to run under Fedora, so I had a little bit of an idea of what I was getting myself into...

Before you get started, make sure you have the following packages installed:

mysql
mysql-server
php
php-mysql
php-mbstring
httpd
Sleuthkit

If you need EWF or AFF support you can install them from:

libewf
afflib


After installing everything, you need to initialize MySQL (as root):


# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'



You must use quotes around the new-passwd you choose, and don't forget what it is!

You must also start the HTTP server (as root):


# /sbin/service httpd start



Now you are ready to download and install PTK from sourceforge. I downloaded version 1.0.5.

In order to install PTK, extract the tarball in your webserver directory as root:


# cd /var/www/html
# ls
ptk-1.0.5.tar.gz

# tar -xzf ptk-1.0.5.tar.gz
# chown -R apache.apache ptk



The last command above makes sure that all files are owned by the webserver user.


Now we have to address a problem that still exists in the installation script. Go inside the ptk folder; at this point, you should see the install.php script. If you have Sleuthkit installed in /usr/local/bin, the install script will not work as expected because that directory is not in its PATH. You can find out where it is installed by typing which followed by one of the Sleuthkit commands, e.g.:


$ which istat



If the path returned is under /usr/local/bin then you can modify the install.php file by changing entries like:


$istat = shell_exec("which istat");



to


$istat = shell_exec('export PATH="/usr/bin:/usr/local/bin"; which istat');



and so on...

If all goes well, you will get to the options screen.

Fill everything out as you like (including distro) and press next. Now, when I installed PTK under Fedora, everything was ready to go at this point. With CentOS, it was another story. For some reason, the configuration files did not get updated by the extra configure scripts.

So, you have to manually add the locations of your Sleuthkit executables to the following files:


config/conf.php
config/conf.pl



where config is the folder within the ptk folder [/var/www/html/ptk/config]. If you open up conf.pl it may look like:


installdir => '/var/www/html/ptk/',
md5_bin => '/usr/bin/md5sum',
sha1_bin => '/usr/bin/sha1sum',
fsstat_bin => '',
mmls_bin => '',
fls_bin => '',
istat_bin => '',
[snip]



Notice the blank entries. You will have to enter the correct path for each of those executables.
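Rather than editing every blank entry by hand, the following added script (my example here, not part of the post or of PTK itself) resolves the Sleuthkit tools with the same explicit PATH that the install.php fix above uses, and fills the blank *_bin lines in a conf.pl fragment; it assumes the conf.pl layout shown above and a POSIX shell with command -v, and the PHP twin conf.php would still need the same values.

```shell
#!/bin/sh
# Added example, not part of the original post or of PTK.
# Resolves Sleuthkit binaries with an explicit PATH (the same fix the post
# applies inside install.php) and fills the blank *_bin entries of a conf.pl.

# Default search path; /usr/local/bin is the directory install.php misses.
TSK_SEARCH_PATH="${TSK_SEARCH_PATH:-/usr/bin:/usr/local/bin}"

# Print the full path of Sleuthkit tool $1, searching only TSK_SEARCH_PATH.
# Prints nothing (and returns non-zero) when the tool is not found.
tsk_path() {
    ( PATH="$TSK_SEARCH_PATH"; export PATH; command -v "$1" 2>/dev/null )
}

# Read a conf.pl fragment on stdin and write it to stdout with every
#     xxx_bin => '',
# line filled with the resolved path of tool xxx. Lines that already carry
# a value (md5_bin, sha1_bin, installdir) are left untouched; unresolved
# tools stay blank and are reported on stderr so you know what is missing.
fill_conf() {
    while IFS= read -r line; do
        case "$line" in
            *"_bin => '',"*)
                indent="${line%%[![:space:]]*}"            # leading whitespace
                tool="${line#"$indent"}"; tool="${tool%%_bin*}"
                if path=$(tsk_path "$tool"); then
                    printf "%s%s_bin => '%s',\n" "$indent" "$tool" "$path"
                else
                    echo "warning: $tool not found in $TSK_SEARCH_PATH" >&2
                    printf '%s\n' "$line"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Typical use on the box from the post (as root; chown apache.apache afterwards):
#   fill_conf < /var/www/html/ptk/config/conf.pl > /tmp/conf.pl.new
```

Review the warnings before copying the result back; a tool that is still blank usually means Sleuthkit was installed somewhere else entirely.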

All right, so I'm not going to make you do it... :-) Here are the modified files for my CentOS box. Just make sure you put them in the right places, and you might have to chown them as well.

Enjoy, and I hope this helps someone out there...