Lecture 1 Introduction. Basic Exploration Tools
Computer and Network Security 30th of September 2019 Computer Science and Engineering Department
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 1/52 Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 2/52 On this class
I Computer and Network Security I offensive security, hacking, reverse engineering, runtime application security I programming/practical oriented I focus on binary exploitation (pwn levels in CTFs) I lecture: Monday, 6pm-8pm, room PR002, R˘azvan I labs: I Monday, 4pm-6pm, room PR706, S, tefania I Monday, 8pm-10pm, room PR706, Mihai I Monday, 8pm-10pm, room EG106, Adrian I Monday, 8pm-10pm, room EG306, Dennis I http://ocw.cs.pub.ro/cns/ I but first: https://ocw.cs.pub.ro/courses/cns/need-to-know I labs start on Monday, 30th of September 2019, 8pm I last instance of the first lab on Monday, 7th of October 2019, 4pm, room PR706
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 3/52 The Team
I R˘azvanDeaconescu: lectures, lecture tests, exam I Mihai Dumitru: labs, infrastructure
I S, tefania Popescu: labs I Dennis Plosceanu: labs
I Adrian S, endroiu: labs, assignments, lectures
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 4/52 Resources
I wiki (content): http://ocw.cs.pub.ro/cns/ I Moodle (news, deadlines, exam, dicussions, links to content, feedback) I SRIC (enrolable) I SCPD (enrolable) I common/meta (not-enrolable, actually used) I Facebook (news, trivia): http://facebook.com/cns.upb I mailing list (news, dicussions): https://ocw.cs.pub.ro/courses/cns/resources/mailing-list I assignment write-only mailing-list (assignments): http://cursuri.cs.pub.ro/cgi-bin/mailman/listinfo/oss-support I calendar & planning: https://ocw.cs.pub.ro/courses/cns/calendar I virtual machines (labs, assignments, CTFs): https://ocw.cs.pub.ro/courses/cns/resources/vm I CTF platform (assignments, labs): https://cns-ctf.security.cs.pub.ro/home I lab rooms: PR706, EG106, EG306 I team: to yell at
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 5/52 Lab Split
I happens on the acs.curs.pub.ro Discussion forum I threads for each of the 4 lab slots I almost complete I you need to be enroled I you can enrol by yourself by accessing the CNS acs.curs.pub.ro instance I limit is 16 students per lab slot
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 6/52 Class Keywords
I reverse engineering I shell execution I binary inspection I exploiting I stack overflow I runtime application security I buffer overflow I return oriented programming I shellcode I CTF (Capture the Flag)
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 7/52 Table of Contents
planning: https://ocw.cs.pub.ro/courses/cns/calendar 1. Introduction. Basic Exploration Tools 2. Program Analysis 3. The Stack. Buffer Management 4. Exploiting. Shellcodes 5. Exploiting. Shellcodes (part 2) 6. Exploit Protection Mechanisms 7. Strings. Information Leaks 8. Return Oriented Programming 9. Return Oriented Programming (part 2) 10. Use After Free 11. Practical Attacks (part 1) 12. Practical Attacks (part 2) 13. Guest Lecture
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 8/52 Bibliography
I Robert Seacord – Secure Coding in C and C++, Addison Wesley Professional, 2005 I Robert Seacord – The CERT C Secure Coding Standard, Addison Wesley Professional, 2008 I Anton Chuvakin, Cyrus Peikari – Security Warrior, O’Reilly, 2004 I Grey Hat Hacking. The Ethical Hacker’s Handbook, 3rd Edition, McGraw Hill, 2011 I Enrico Perla, Massimiliano Oldani – A Guide to Kernel Exploitation, Syngress, 2011 I Jon Erickson – The Art of Exploitation, 2nd Edition, No Starch, 2008 I Michael A. Davis, Sean M. Bodmer, Aaron LeMasters – Hacking Exposed. Malware and Rootkits, McGraw Hill, 2010 I Bruce Schneier – Applied Cryptography, John Wiley & Sons, 1996
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 9/52 Grading
I 2 points – lab involvement I 4.5 points – 3 assignments I 2 points – lecture tests I 2.5 points – final exam
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 10/52 Tests during Lectures
I at the beginning of lectures 3, 5, 7, 9, 11, from the past two lectures I start at 6:05pm; please don’t be late I 10 minutes, 4 short questions I 0.4 points each
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 11/52 Final Exam
I one part is a multiple answer questions test (22 questions, 20 minutes) I the other part is an on paper test (60 minutes)
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 12/52 CTF – Capture the Flag
I computer security competition I educational, practice I attack/defense vs. jeopardy I web, stegano/forensics, crypto, binary/reverse, pwn/exploit, protocol, misc I wargames I may equate assignment points
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 13/52 Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 14/52 C Programming Language
I lingua franca of low-level programming I powerful enough to build amazing software and flexible enough to shoot yourself in the foot I close to hardware, everything is at some point coming from C code I direct access to memory management (buffers, strings, arrays, pointers): mixed blessing
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 15/52 Linux / Unix CLI. Shell Scripting
I move around quickly I investigate, analyze system I quickly develop, build, debug, analyze applications I automate tasks
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 16/52 Assembly Language
I everything turns to machine code I one may not have access to the source code, but it can be disassembled I hardware specific – the “guts” of the computer I required knowledge to fully be able to exploit and protect the system
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 17/52 Data Representation
I binary, octal, hexadecimal I ASCII I signed / unsigned integers: size, range, 2’s complement representation I endianess I there are 10 types of people in the world . . . I disassembled code, addresses and hardware instructions are shown in hexadecimal I one is required to easily convert hexadecimal to decimal and the other way around
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 18/52 Operating Systems
I system and application inner workings I process virtual address space I application run time: CPU, memory, I/O usage I system calls, kernel space
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 19/52 Process Investigation
I processes and resource usage: ps, pstree, pgrep, procfs filesystem I memory mappings: pmap I open file descriptors: lsof
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 20/52 If You Feel Lacking
I this is a master class, you need to be on the level I work, work, work I C programming: https://ocw.cs.pub.ro/courses/programare I Linux / Unix CLI, shell scripting: https://ocw.cs.pub.ro/courses/uso I assembly language + hexadecimal: https://ocw.cs.pub.ro/courses/iocla I operating systems + process investigation: https://ocw.cs.pub.ro/courses/so
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 21/52 Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 22/52 Scripting Languages
I Python, Perl I automation I generate/print binary data and feed it to an executable I generate strings, generate variating integers & addresses I do redirects, make conversions, process strings
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 23/52 Python
I quick’n’dirty scripting language I more powerful than shell scripting I create binary payloads (use struct package) I convert data I work with strings I work with files I work with processes (use subprocess package) I advanced exploit techniques (use pwn package) I use Python3, FTW!!!
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 24/52 Hex Viewers and Editors
I dump and edit data in binary files (object files, executables, encrypted files) I hexdump, xxd, od: make hexdumps I hte: terminal hex editor I ghex, Bless: GUI hex editor
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 25/52 GDB
I dynamic analysis I default debugger on Unix systems I may be used to trace programs, check variables and return values
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 26/52 PEDA
I Python Exploit Development Assistance for GDB I enhance GDB for exploit development I improved commands I improved views I search for ROP gadgets I generate shellcodes I generate buffer cyclic patterns I http://ropshell.com/peda/
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 27/52 Binary Code Analysis
I inspect object and executable files I disassembling: objdump I forensics: strings I executable parsing: readelf, nm I dependencies: ldd
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 28/52 Call Tracing
I dynamic analysis I capture system calls, function callls of program I check out system call arguments I check out system call return values I see whether process blocks in a system call I strace, ltrace
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 29/52 Advanced Disassemblers
I IDA I IDA 7.0 freeware I different executable formats for different processors I debugger I decompiler I interactive I plugins I Ghidra I open source I similar to IDA I radare2 I disassemble, debug I static and dynamic analysis I CLI I capstone I “lightweight multi-platform, multi-architecture disassembly framework” I open source
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 30/52 Other Binary-related Tools
I Binary Ninja: https://binary.ninja I BinNavi: http://www.zynamics.com/binnavi.html I Hopper: http://www.hopperapp.com/
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 31/52 Emulators
I run executables for different architectures I QEMU: emulates MIPS, ARM, PowerPC, SPARC I Unicorn Engine, based on QEMU
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 32/52 pwntools
I CTF framework and exploit development library I Python I connections to local and remote processes I packing / unpacking I assemby and disassembly I ELF manipulation I shellcode generation I Return Oriented Programming I https://github.com/Gallopsled/pwntools I https://docs.pwntools.com/en/stable/
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 33/52 Others
I brain I will I perseverance I will I perseverance I perseverance I perseverance I Did we mention perseverance?
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 34/52 Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 35/52 strings
I search for ASCII strings in binary data I strings /path/to/binary/file I man ascii to show ASCII table
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 36/52 Printing Binary/Hex Data
Let’s print shellcode from http://www.shell-storm.org/ shellcode/files/shellcode-827.php:
Shellcode Sample char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
Do it in several scripting languages:
Print Shellcode in Bash, Python, Perl (Bash) echo -e ’\x31\xc0\x50\x68\x2f...’ (Python) python -c ’print "\x31\xc0\x50\x68\x2f..."’ (Perl) perl -e ’print "\x31\xc0\x50\x68\x2f..."’
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 37/52 Printing Binary/Hex Data (2)
Dump binary data in hex and binary:
Using xxd $ echo -en ’\x31\xc0\x50\x68...’ | xxd 0000000: 31c0 5068 2f2f 7368 682f 6269 6e89 e350 1.Ph//shh/bin..P 0000010: 5389 e1b0 0bcd 80 S......
$ echo -en ’\x31\xc0\x50\x68...’ | xxd -g 4 0000000: 31c05068 2f2f7368 682f6269 6e89e350 1.Ph//shh/bin..P 0000010: 5389e1b0 0bcd80 S......
$ echo -en ’\x31\xc0\x50\x68...’ | xxd -g 1 0000000: 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 1.Ph//shh/bin..P 0000010: 53 89 e1 b0 0b cd 80 S......
$ echo -en ’\x31\xc0\x50\x68...’ | xxd -b 0000000: 00110001 11000000 01010000 01101000 00101111 00101111 1.Ph// 0000006: 01110011 01101000 01101000 00101111 01100010 01101001 shh/bi 000000c: 01101110 10001001 11100011 01010000 01010011 10001001 n..PS. 0000012: 11100001 10110000 00001011 11001101 10000000 .....
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 38/52 Using strace
I strace ./executable I strace -e write ./executable – print write syscalls I strace -e trace=file ./executable – print syscall taking a filename as argument I strace -f ./executable – trace child processes I strace -p PID – trace existing process by PID I strace -s strsize – trace using a different size for strings
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 39/52 ltrace
I see library calls I ltrace -p PID – trace process I ltrace -t – show timestamp
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 40/52 Passing Binary Data as Argument
I command $(python -c ’print ...’)
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 41/52 Passing Binary Data as Standard Input
I python -c ’print ...’ | command I cat file - | command I cat <(python -c ’print ...’) - | command
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 42/52 List Open Files
I lsof I lsof -p PID – show open files for process I shows file descriptors: standard input/output, sockets, pipes
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 43/52 Process Address Space
I pmap I pmap PID – show address space mappings for process I shows permissions and addresses
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 44/52 Show Library Dependencies
I ldd /path/to/executable I useful to check if an executable may run on a given system, what library version is it using
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 45/52 Installing 32bit Development Libraries on Debian
Installing 32bit Development Libraries # dpkg --add-architecture i386 # apt update # apt install gcc-multilib g++-multilib libc6:i386 libc6-dev:i386 \ libstdc++6:i386 libstdc++6-dev:i386
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 46/52 Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 47/52 io.netgarage.org – Level 1
I use objdump to disassemble binary I use man ascii or hex printing to print password
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 48/52 Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 49/52 Keywords
I offensive security I hex/binary data I runtime application security I Python I table of contents I strings I grading I objdump I CTF (Capture the Flag) I strace, ltrace I tools of the trade I ldd, lsof, pmap I hex editors I IDA I scripting language I Ghidra, radare2 I disassemblers I GDB, PEDA I exploration I pwntools
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 50/52 Useful Links
I http://reverseengineering.stackexchange.com/ I http://security.cs.pub.ro/hexcellents/wiki/ I http://web.cecs.pdx.edu/~jrb/cs201/lectures/ handouts/gdbcomm.txt I http://ctftime.org/ I https://picoctf.com/ I http://captf.com/practice-ctf/ I https://io.netgarage.org/ I http://www.overthewire.org/wargames/ I http://ctf365.com/ I PEDA: https://github.com/longld/peda I IDA: https://www.hex-rays.com/products/ida/ I Ghidra: https://ghidra-sre.org I Radare: http://rada.re/r/ I pwntools: https://docs.pwntools.com/en/stable/
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 51/52 References
I Security Warrior I Chapter 1. Assembly Language I Chapter 2. Windows Reverse Engineering I Chapter 3. Linux Reverse Engineering I The Ethical Hacker’s Handbook, 3rd Edition I Chapter 10: Programming Survival Skills I Chapter 20: Passive Analysis I Chapter 21: Advanced Static Analysis with IDA Pro
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 52/52