-
Secure Programming is one of the Computer Science Core Electives I had chosen from my Software Engineering Degree
-
Total Hours Spent:
- Fix: Not in a hypervisor partition (HVP=0) (VERR_NEM_NOT_AVAILABLE) or VT-x is disabled in the BIOS for all CPU modes (VERR_VMX_MSR_ALL_VMX_DISABLED)
- Fix: Cannot install Ubuntu in VirtualBox due to "this kernel requires an x86-64 CPU, but only detects an i686 CPU, unable to boot" error
- Fix: Installation Step Failed (installing the system) - Kali Linux
- Perform the following using programming
- Write a secure program by avoiding vulnerable programming factors like Eval and printf.
- Demonstrate Format string vulnerabilities with example
- Demonstrate Format String exploit with example
-
The format string program accepts the command line arguments and parses the input using printf function to display output.
-
Three types of payloads given as inputs in the following examples
-
Payload 1:
-
The Safe Code from the program
- The line printf("%s", argv[1]); in the example is safe, if you compile the program and run it:
./main "%s%s%s%s%s%s"- The printf in the first line will not interpret the “%s%s%s%s%s%s” in the input string, and the output will be:
“%s%s%s%s%s%s”
-
The Vulnerable Code from the program
- The line printf(argv[1]); in the example is vulnerable, if you compile the program and run it:
./main "%s%s%s%s%s%s"- The printf in the second line will interpret the %s%s%s%s%s%s in the input string as a reference to string pointers, so it will try to interpret every %s as a pointer to a string, starting from the location of the buffer (probably on the Stack).
- At some point, it will get to an invalid address, and attempting to access it will cause the program to crash.
-
Different Payloads
- An attacker can also use this to get information, not just crash the software.
- For example, running:
./main "%p %p %p %p %p %p"- Will print the lines:
%p%p%p%p%p%p 0x7fd084a750000x7fd08484f9e00x7fd08457a3c00xffffffff(nil)0x7ffdcd 0948e8- Another example:
./main "%x%x%x%x%x%x"- Will print the lines:
%x%x%x%x%x%x 18bfb000189d59e0187003c0ffffffff0e09496f8- The first line is printed from the non-vulnerable version of printf, and the second line from the vulnerable line. The values printed are the values on the stack of my computer at the moment of running this example.
- Also reading and writing to any memory location is possible in some conditions, and even code execution
- Format string vulnerabilities and exploits are successfully demonstrated by writing a C program with a secure code and a vulnerable code using printf function and string parameters
- Perform the following
- DHCP attack and prevention of DHCP attack
- MAC flooding attack
- CAM table overflow attack
- A DHCP starvation attack is a malicious digital attack that targets DHCP servers.
- During a DHCP attack, a hostile actor floods a DHCP server with bogus DISCOVER packets until the DHCP server exhausts its supply of IP addresses.
- Once that happens, the attacker can deny legitimate network users service, or even supply an alternate DHCP connection that leads to a Man-in-the-Middle (MITM) attack.
- Countermeasures against DHCP attack
- Macof is a member of the Dsniff suit toolset and mainly used to flood the switch on a local network with MAC addresses.
- The reason for this is that the switch regulates the flow of data between its ports.
- It actively monitors (cache) the MAC address on each port, which helps it pass data only to its intended target.
- This is the main difference between a switch and passive hub.
- A passive hub has no mapping, and thus broadcasts line data to every port on the device.
- The data is typically rejected by all network cards, except the one it was intended for.
- However, in a hubbed network, sniffing data is very easy to accomplish by placing a network card into promiscuous mode. This allows that device to simply collect all the data passing through a hubbed network.
- While this is nice for a hacker, most networks use switches, which inherently restrict this activity.
- Macof can flood a switch with random MAC addresses. This is called MAC flooding.
- This fills in the switch’s CAM table, thus new MAC addresses can not be saved, and the switch starts to send all packets to all ports, so it starts to act as a hub, and thus we can monitor all traffic passing through it.
- Options
- Syntax:
macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
-i interface Specify the interface to send on. -s src Specify source IP address. -d dst Specify destination IP address. -e Specify target hardware address. -x sport Specify TCP source port. -y dport Specify TCP destination port. -n times Specify the number of packets to send.- `macof ` - flood a switched LAN with random MAC addresses SYNOPSIS - `macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]` - Syntax:
- LAB 2.2.1: Simple Flooding
- Macof can flood a switch with random MAC addresses. This is called MAC flooding.
- This fills in the switch’s CAM table, thus new MAC addresses can not be saved, and the switch starts to send all packets to all ports, so it starts to act as a hub, and thus we can monitor all traffic passing through it.
- command:
macof -i eth1 -n 10
- LAB 2.2.2: Targeted Flooding
- Macof can flood a switch with random MAC addresses destinated to 192.168.1.1.
- command:
macof -i eth1 -d 192.168.1.1 - While conducting a pentest, this tool comes in handy while sniffing.
- Some switches don’t allow to spoof arp packets.
- This tool can be used in such situations to check if the switch is overloaded. Some switches behave like hubs, transmitting all source packets to all destinations.
- Then sniffing would be very easy.
- Some switches tend to crash & reboot also.
- Such kind of layer 2 stress testing can be done with this handy tool.
- Countermeasures against MAC Flooding
- Some of the major countermeasures against MAC Flooding are:
- Port Security : Limits the no of MAC addresses connecting to a single port on the Switch.
- Implementation of 802.1X : Allows packet filtering rules issued by a centralised AAA server based on dynamic learning of clients.
- MAC Filtering : Limits the no of MAC addresses to a certain extent.
- CAM table stands for Content Addressable Memory
- The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters
- CAM tables have a fixed size
-
CAM Table Full
-
Once the CAM table is full, traffic without a CAM entry is flooded out every port on that VLAN but NOT traffic with an existing CAM entry
-
This will turn a VLAN on a switch basically into a hub
-
This attack will also fill the CAM tables of adjacent switches
-
BTW Cisco switches never overwrites an existing entry Idle entries are removed 10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ? 10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ? 10.1.1.26 -> 10.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) <- OOPS 10.1.1.25 -> 10.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) <- OOPS
-
Countermeasures for MAC Attacks
- DHCP attack and prevention of DHCP attack
- DHCP Snooping using Packet Tracer (YouTube Tutorial)
- Protecting against DHCP attacks using a Cisco switch (YouTube Tutorial)
- Cisco CCNA Packet Tracer Ultimate labs: DHCP Snooping: Answers Part 1 (YouTube Tutorial) - David Bombal
- Cisco CCNA Packet Tracer Ultimate labs: DHCP Snooping: Answers Part 2 (YouTube Tutorial) - David Bombal
- MAC flooding attack (lab)
- CAM Table Overflow Attack (lab)
- Additional resources -
- DHCP Explanation (Youtube Tutorial)
- DHCP Simulation - GitHub Repo
- Simulation tools - Article
- Simulation tools - Resource
- MAC flooding
- CAM Table Overflow Attack Explained - Article
- DHCP attack, MAC flooding attack and CAM table overflow attack are successfully demonstrated.
- Defeating malware through
- Building trojans
- Scan for Rootkits, backdoors
- Exploits Using Rootkit Hunter
- In computing, a Trojan horse or simply trojan is any malware which misleads users of its true intent.
- The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
- In computing, a Trojan horse, or trojan, is any malware which misleads users of its true intent.
- Trojans may allow an attacker to access users' personal information such as banking information, passwords, or personal identity
- Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear not suspicious, (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.
- Example: Ransomware attacks are often carried out using a trojan.
- Unlike computer viruses, worms, and rogue security software, trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves.
Note: I have installed Windows 10 Virtual Machine on my VirtualBox to work safely with malware in a sandbox environment.
- Code: (File name: Trojan.bat)
- Create a simple trojan by using Windows Batch File (.bat)
- Type these below code in notepad and save it as Trojan.bat
- Double click on Trojan.bat file.
- When the trojan code executes, it will open MS-Paint, Notepad, Command Prompt, Explorer, etc., infinitely.
- Restart the computer to stop the execution of this trojan.
- rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits.
- It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.
- rkhunter is notable due to its inclusion in popular operating systems (Fedora, Debian, etc.)
- The tool has been written in Bourne shell, to allow for portability. It can run on almost all UNIX-derived systems.
- GMER is a software tool written by a Polish researcher Przemysław Gmerek, for detecting and removing rootkits.
- It runs on Microsoft Windows and has support for Windows NT, 2000, XP, Vista, 7, 8 and 10. With version 2.0.18327 full support for Windows x64 is added.
- STEP 1:
- Visit GMER's website (see Resources) and download the GMER executable.
- Click the "Download EXE" button to download the program with a random file name, as some rootkits will close “gmer.exe” before you can open it.
- STEP 2:
- Click the "Scan" button in the lower-right corner of the dialog box. Allow the program to scan your entire hard drive.
- STEP 3:
- If the red item is a service, it may be protected. Right-click the service and select "Disable."
- Reboot your computer and run the scan again, this time selecting "Delete" when that service is detected.
- When your computer is free of Rootkits, close the program and restart your PC.
- Once completing all of the 3 steps, the Rootkit Hunter found no malwares in my Windows 10 Virtual Machine, and hence after search completion, it restarted the OS.
- The following were successfully performed:
- Building Trojans,
- Scanning Rootkits, backdoors and exploits Using Rootkit Hunter.
- Demonstrate the following
- Buffer overflow attacks
- How to exploit Buffer overflow vulnerability lab
- Exploitation with a Buffer overflow and shellcode
- A buffer, in terms of a program in execution, can be thought of as a region of computer’s main memory that has certain boundaries in context with the program variable that references this memory.
- A buffer is said to be overflown when the data (meant to be written into memory buffer) gets written past the left or the right boundary of the buffer.
- This way the data gets written to a portion of memory which does not belong to the program variable that references the buffer.
- A buffer overflow (or buffer overrun) also occurs when the volume of data exceeds the storage capacity of the memory buffer.
- If the transaction overwrites executable code, it can cause the program to behave unpredictably and generate incorrect results, memory access errors, or crashes.
- Buffer overflow gets worse when an attacker comes to know about a buffer over flow in your program and he/she exploits it.
- Consider the following exploit code:
- The program above simulates scenario where a program expects a password from user and if the password is correct then it grants root privileges to the user.
- Let’s the run the program with correct password i.e. ‘thegeekstuff’:
- Output:
-
This works as expected.
-
The passwords match and root privileges are given.
-
But there is a possibility of buffer overflow in this program.
-
The gets() function does not check the array bounds and can even write string of length greater than the size of the buffer to which the string is written.
-
Now, we can understand what an attacker can do with this kind of a loophole in our program.
-
Here is three different output examples from online compilers:
-
Output i:
- Output ii:
-
The above two compilers are clearly well built, as they detect our buffer overflow exploit and terminates the program with “stack smashing detected” warning message.
-
Output iii:
- In the above example, even after entering a wrong password, the program worked as if you gave the correct password.
- There is a logic behind the output above. What attacker did was, he/she supplied an input of length greater than what buffer can hold and at a particular length of input the buffer overflow so took place that it overwrote the memory of integer ‘pass’.
- So despite of a wrong password, the value of ‘pass’ became non zero and hence root privileges were granted to an attacker.
- There are several other advanced techniques (like code injection and execution) through which buffer over flow attacks can be done but it is always important to first know about the basics of buffer, its overflow and why it is harmful.
- Functions like strcat() and strcpy() do not check the length of the input strings relative to the size of the destination buffer – exactly the condition we are looking to exploit.
- Safe usage of these functions relies entirely upon the programmer’s implementation.
- Consider the following exploit code:
- The program takes one argument and passes it into vulnerableFunc() which creates a buffer and copies the argument into it. Then the program prints “Exiting…” and quits.
- The call to strcpy() on line 7 is what we are going to be exploiting – notice how we didn’t check the length of what was being copied into buffer.
- Most operating systems and compilers have certain features enabled by default to prevent buffer overflows.
- Let’s execute the exploit code terminal directly to see what happens:
- The first execution went as expected, we see “Exiting…” printed to the console.
- But the second execution crashed and printed “Segmentation fault”. Normally not a great sign when coding, but this is good news for us!
- A segmentation fault is an error thrown when a program tries to access restricted memory.
- The only thing that changed between the first and second call to overflow was our input – clearly something happened the second time around that caused our program to try and access off-limits memory.
- In order to figure out what is going on, we’re going to have to take a brief look at debugging C code with the GNU Debugger (GDB).
- Let’s list the “vulnerableFunc” from overflow.c program. Then, we’re going to stop at line 7 and line 8 by setting some breakpoints, immediately before and immediately after we copy our input into the buffer.
- Later, let’s run the code with “AAAA” as input and inspect the buffer for memory addresses.
- The second command x /128bx buffer displays 128 bytes as hexadecimal characters, starting where buffer is stored in memory.
- The first four values of our buffer are now 0x41. The 0x41 is how the ASCII character A is represented as a hexadecimal value.
- We know from looking at the source code that buffer is an array of 80 characters.
- Let’s run the program again, this time with 79 A’s, and see what our memory looks like after strcpy() returns.
- From the below output, It looks like buffer starts at address 0x7fffffffdf20 and ends at address 0x7fffffffdf70, which is 80 bytes away.
- The goal is to overwrite the return address so we can control what the program does next.
- GDB makes this very easy with the info frame command.
- From the above output we can see that, the stack frame holding some data about where our function was called from, the arguments, and the return address, are present at the address 0x7fffffffdf70.
- 0xef78 – 0xef20 = 0x58 (Hexadecimal) => 8810 (Decimal)
- Finding the difference between the addresses and converting it to decimal tells us that the return address is stored 88 bytes after the start of buffer.
- Hence, if we provided 96 characters we would fill up the buffer, overflow so we are close to the return address, and then overwrite the entire return address.
- info frame command shows us that the return address is stored at 0x7fffffffdf70.
- But when we look at the memory, we can see that we successfully overwrote the return address. When our function ends, the program will look to 0x7fffffffdf70 to find which instruction to execute next. But instead of the original location, it will try and go to 0x4141414141414141.
- The odds of there being anything useful in that location are pretty small. A Hacker can change the return address to be equal to the address of the buffer so he/she can provide their own malicious code to run.
- To avoid buffer overflow attacks, the general advice that is given to programmers is to follow good programming practices.
- Make sure that the memory auditing is done properly in the program using utilities like valgrind memcheck
- Use fgets() instead of gets().
- Use strncmp() instead of strcmp(), strncpy() instead of strcpy() and so on. The moral of the story: Never trust user input!
- Buffer Overflow Explanation - Article
- Buffer Overflow Attack Demo - Article
- Running a Buffer Overflow Attack - Computerphile (YouTube Tutorial)
- The following buffer overflow vulnerabilities were demonstrated successfully
- Buffer overflow attacks
- How to exploit Buffer overflow vulnerability lab
- Exploitation with a Buffer overflow and shellcode
- Demonstrate the following
- Take over control of a program with a buffer overflow
- Perform ret2libc with a Buffer Overflow because of restricted return pointer
- Buffer overflow for the Stack () level
-
The following steps are performed to take over control of a program with a buffer overflow on the stack() level by overwriting the restricted return pointer:
-
The C program to exploit the buffer:
- GDB C compiler is used here to look into address and assembly code:
- “list” command is used to look the code in GDB compiler
- “list” command is used to look the code in GDB compiler
- “Hello” and “excess payload” is injected as arguments and segmentation fault is observed.
- It is clear that the address of the return value is partially overwritten.
- Another payload reveals that the return address is completely overwritten as “0x41414141”, which can be checked with “info registers” gdb command
- So, we have found a way to break the code.
- Now, we can take over control by overwriting the buffer with address of shell code to exploit.
- After monitoring the registers, we gained access with terminal to ask for executing our shell code.
- Now, we can exit the gdb compiler and gain root access to successfully gain access over the system.
- Here we execute the vulnerable code with malicious payload
- Successfully, the access is gained through root access
- The exploit is successful where the shadow file reveals the user passwords with other private data that belongs to the user.
- Take over control of a program with a buffer overflow - Computerphile (YouTube Tutorial)
- Binary Exploitation / Memory Corruption by LiveOverflow (YouTube Playlist)
- Buffer Overflow challenge - Source
- Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F (YouTube Tutorial)
- Stack based Buffer Overflow Attack Demo - Article
- Heap Overflow Attack Demo - Article
- The following buffer overflow vulnerabilities were demonstrated successfully
- Take over control of a program with a buffer overflow
- Perform ret2libc with a Buffer Overflow because of restricted return pointer
- Buffer overflow for the Stack () level
- Demonstrate the following exploitation of OWASP vulnerabilities
- OWASP insecure deserialization
- Hands on sensitive data exposure
- Broken authentication and session management
- The following OWASP vulnerabilities were exploited successfully
- OWASP insecure deserialization
- Hands on sensitive data exposure
- Broken authentication and session management
- Demonstrate web application assessment using following tools
- OpenVAS
- Vega
- Skipfish
- Wapiti
- OpenVAS – Open Vulnerability Assessment Scanner
- OpenVAS is a full-featured vulnerability scanner.
- Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
- The scanner obtains the tests for detecting vulnerabilities from a feed that has a long history and daily updates.
- OpenVAS Installation:
- Update the Kali Linux VM using the following commands
sudo apt-get updatesudo apt-get upgradesudo apt-get dist-upgrade
- Download and Install OpenVAS using the following command
sudo apt-get install openvas
- From Vulnerability Analysis Tools use Initial OpenVAS to initialize and configure OpenVAS
- From Vulnerability Analysis Tools use start OpenVAS server to open on a browser
- Update the Kali Linux VM using the following commands
- The following tools were successfully used to demonstrate application assessment
- OpenVAS
- Vega
- Skipfish
- Wapiti
- Demonstrate the following
- DNS cache poisoning
- DOS using ARP cache poisoning
- MIM attack using ARP cache poisoning
- What is DNS cache poisoning? | DNS spoofing
- DNS cache poisoning (Youtube Tutorial 1)
- DNS cache poisoning (Youtube Tutorial 2)
- DOS using ARP cache poisoning
- The following demonstrations were successfully performed:
- DNS cache poisoning
- DOS using ARP cache poisoning
- MIM attack using ARP cache poisoning
- Demonstrate the following SQL Injection operations
- Send SQL map post request injection by using burp suite proxy
- Bypass login page using SQL injection
- Detect and exploit SQL injection flaws using SQL map
- The following SQL Injection operations were successfully demonstrated
- Send SQL map post request injection by using burp suite proxy
- Bypass login page using SQL injection
- Detect and exploit SQL injection flaws using SQL map
- Demonstrate the following
- Running a XSS attack and how to defend it
- Cross site scripting - filter bypass techniques
- How to Exploit Stored, Reflected and DOM XSS
- A XSS attack was successfully demonstrated and learnt defending it.
- Cross site scripting was implemented with filter bypass techniques.
- Stored, reflected and DOM was exploited successfully.
- Demonstrate the following
- XPath injection using webgoat
- Command injection using webgoat
- SQL injection and database backdoor using webgoat
- WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.
- Install OWASP WebGoat using jar file for Kali Linux
- OWASP WebGoat (Official Website)
- Introduction to WebGoat - Download and run it on Kali Linux (Youtube Tutorial)
- Basic SQL injection using web goat (Youtube Tutorial)
- OWASP BWA WebGoat Challenge: Injection Flaws
- The following injection attacks were successfully demonstrated using webgoat
- XPath injection
- Command injection
- SQL injection and database backdoor
- Demonstrate Advanced Client-Side Exploitation using BeEF
- BeEF is short for The Browser Exploitation Framework.
- It is a penetration testing tool that focuses on the web browser.
- BeEF framework is used whenever any application is vulnerable to cross-site scripting (Clint-side exploit).
- Set up Kali Linux VM as the attacking machine and Metasploitable 2 VM as the vulnerable machine.
- Check the IP address of Metasploitable 2 VM vulnerable machine using ifconfig command.
- BeEF official website
- Metasploitable 2 Documentation
- Metasploitable 2 - Rapid7 (official) Download Page
- Metasploitable 2 - SourceForge Download Page
- Installing a Metasploitable 2 VM and VirtualBox (Youtube Tutorial)
- Client-Side Exploitation using BeEF (Youtube Tutorial)
- Advanced Client-Side Exploitation using BeEF is successfully demonstrated.
- How Israel Rules The World Of Cyber Security | VICE on HBO
- WANNACRY: The World's Largest Ransomware Attack (Documentary)