Feb 28, 2014

IDA is a powerful debugger/disassembler; you can read more at this link.

The main road block for the installation is that IDA is a 32-bit application and so expects 32-bit libraries.
A 64-bit system will only have the 64-bit libraries by default, so you have to install the 32-bit variants of the libraries that IDA requires.

I will walk you through the install steps.

Step 1: Download
Download the IDA files [link]; of course it's paid software and you can get only the demo version.

Step 2: Unzip
Unzip the files and try to run the executable 'idaq':
# ./idaq
If your Ubuntu is 64-bit, something similar to this may show up:
./idaq: error while loading shared libraries: libgthread-2.0.so.0: cannot open shared object file: No such file or directory

Step 3: Install 32 bit libraries
So you have to install the 32-bit libraries; the 64-bit versions will already be present on your system by default.
Find the package that provides libgthread-2.0.so.0:
# dpkg -S libgthread-2.0.so.0
libglib2.0-0:amd64: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0
The package name is 'libglib2.0-0:amd64', so the 32-bit package will be 'libglib2.0-0:i386'.
Install the package 'libglib2.0-0:i386':
# apt-get install libglib2.0-0:i386
Before trying to run IDA again you can find out all the libraries that are missing from the system using the below command:
# ldd idaq | grep "not found"

After installing all the missing libraries you can run IDA again [./idaq].
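The "ldd -> dpkg -S -> :i386 package" lookup above, automated as a small shell helper. This is an added example, not part of the original post; the ldd output embedded below is a constructed sample, and on a real box you would call suggest_packages "$(ldd ./idaq)" and feed the result to apt-get.

```shell
# Print each library that ldd reports as "not found", one per line.
missing_libs() {
  printf '%s\n' "$1" | awk '/=> not found/ { print $1 }'
}

# Turn one `dpkg -S` line, e.g.
#   libglib2.0-0:amd64: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0
# into the name of the matching 32-bit package: libglib2.0-0:i386
i386_package() {
  printf '%s\n' "$1" | sed -n 's/^\([^:]*\):amd64:.*/\1:i386/p'
}

# Look a soname up in the package database (first match only).
dpkg_lookup() {
  dpkg -S "$1" 2>/dev/null | head -n 1
}

# $1: ldd output; $2: lookup command (defaults to dpkg_lookup, replaceable
# for offline testing). Prints the :i386 packages to install, deduplicated.
suggest_packages() {
  lookup=${2:-dpkg_lookup}
  for lib in $(missing_libs "$1"); do
    i386_package "$("$lookup" "$lib")"
  done | sort -u
}

# Constructed sample, shaped like `ldd idaq` on a 64-bit box without i386 libs.
SAMPLE_LDD='	linux-gate.so.1 =>  (0xf77a2000)
	libgthread-2.0.so.0 => not found
	libglib-2.0.so.0 => not found
	libc.so.6 => /lib32/libc.so.6 (0xf75c0000)'
```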

Feb 25, 2014

If you want to reset your MySQL root password, follow the below simple steps.

Stop the MySQL server
# service mysql stop
Restart MySQL with the option --skip-grant-tables, i.e. the permission tables are not loaded, so anyone can connect without a password; for that reason also disable networking with --skip-networking (mysqld_safe starts the server under the mysql user for you)
# mysqld_safe --skip-grant-tables --skip-networking &
Now log in to the mysql shell as the root user, with no password
# mysql -u root
The user passwords are in the table mysql.user, in the password column; update them
mysql> use mysql;
mysql> update user set password=password('inctfmysql') where user='root';
Now give the below command to commit the changes
mysql> flush privileges;
Restart the MySQL server
# service mysql restart

Feb 9, 2014

My Server
OS: Ubuntu 12.04
IP: 192.168.56.100

My Client
OS: Ubuntu 13.04
IP: 192.168.56.101

Task
Block ping requests from the client to the server, so that when the client pings the server, the client does not get any reply.

Solution
Add the below rule to the iptables of the server:
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -s 192.168.56.101 -j DROP

You have to specify the icmp-type as echo-request, otherwise the outgoing ping from server to client will also get blocked, because when you ping the client from the server the following happens:
:- An ICMP echo-request is sent to the client
:- An ICMP echo-reply is sent back from the client to the server (this gets dropped if no icmp-type is specified)

Save rules in iptables permanently
Rules added with iptables apply only to the current session and will be gone once you reboot your machine. To save them permanently:

  • Open '/etc/network/interfaces' file

vim /etc/network/interfaces

  • Append the below line to your eth0 stanza:

post-up /sbin/iptables-restore < /etc/iptables-up.rules

  • Now save the current iptables rules to '/etc/iptables-up.rules'

iptables-save > /etc/iptables-up.rules

About the flags used in the rule
-A: Append to the existing rules of the chain
-i: Input interface name
-o: Output interface name
-p: Protocol
-s: Source IP address
-d: Destination IP address
-j: Jump target -> what to do with a packet that matches this rule (eg: ACCEPT, DROP, QUEUE, RETURN or the name of a user-defined chain)

Built-in chain names:
FORWARD:- For packets routed through the box
INPUT:- For packets coming into the box
OUTPUT:- For locally generated packets, before routing
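The rule and the persistence steps above, as an added example (not from the post) written to be safely re-runnable: the rule is appended only if it is not already present, the post-up hook is inserted once after the eth0 "iface" line, and the saved rules file is readable by root only. The file paths are parameters so the functions can be tried on a copy of /etc/network/interfaces first.

```shell
RULES_FILE=/etc/iptables-up.rules
POST_UP="post-up /sbin/iptables-restore < $RULES_FILE"

# Drop ICMP echo-requests from one source (the rule from the post). iptables -C
# checks for an identical rule first, so running this twice adds it only once.
block_ping_from() {
  iptables -C INPUT -i eth0 -p icmp --icmp-type echo-request -s "$1" -j DROP 2>/dev/null ||
    iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -s "$1" -j DROP
}

# $1: interfaces file, $2: interface name. Adds the post-up hook directly after
# the "iface $2 ..." line unless the file already contains it.
add_post_up() {
  f=$1; iface=$2
  grep -qF "$POST_UP" "$f" && return 0
  awk -v iface="$iface" -v hook="    $POST_UP" '
    { print }
    $1 == "iface" && $2 == iface { print hook }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Save the live rule set with mode 600, since it reveals the firewall policy.
save_rules() {
  ( umask 077; iptables-save > "$RULES_FILE" )
}
```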

Feb 6, 2014

Backup and restore operations in MySQL Server.

Some handy MySQL tips before we move on:

How to log into the mysql shell?
Type the below command in the terminal
mysql --user=username --password=password

Know the version of my MySQL server?
After you log in to the mysql shell check out the first few lines; they will have the server version.

See all databases in mysql?
From the mysql shell, type the command 'show databases'.
mysql> show databases;

Set a database as the working or current database?
From the mysql shell, type the command 'use database_name'.
mysql> use database_name;

See all the tables in my currently selected database?
From the mysql shell, type the command 'show tables'.
mysql> show tables;

How to take a backup

To take a backup of all databases
Type the below in your terminal
mysqldump --user=username --password=password --all-databases > alldbbck.sql

To take a backup of a single database
Give either of the below commands from your terminal
mysqldump --databases db1 > dump.sql
mysqldump db1 > dump.sql

If we use '--databases' then dump.sql will have 'CREATE DATABASE db1' and 'USE db1' statements, so while restoring this script you need not specify the target database for recreating the tables; MySQL will create the database for you.

To take a backup of multiple databases
Use the below command
mysqldump --databases db1 db2 db3 > dump.sql

How to restore

If the dump script has CREATE DATABASE and USE statements (i.e. it was created using the --all-databases or --databases option) then it's not necessary to specify a database into which the backup is to be restored.
Fire the below command from your terminal:
mysql --user=username --password=password < dump.sql

MySQL will create the database for you, as your script already has the 'CREATE DATABASE' statement.

Otherwise specify an existing database as the destination database (here db1, which was dumped above without --databases):
mysql --user=username --password=password db1 < dump.sql

This post covered the most basic steps for backup and restore, a starting point for those jumping in..
Happy Hacking !!
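Choosing the right restore command by checking whether the dump itself creates and selects its database, as explained above for --databases and --all-databases dumps. This is an added example, not from the post; 'username' is a placeholder, the password is left for mysql to prompt for (-p) rather than put on the command line where it would land in shell history and ps output, and the dump files used in testing are constructed.

```shell
# Succeeds if the dump carries CREATE DATABASE and USE statements
# (mysqldump writes them at column 0, with the name in backticks).
dump_is_self_contained() {
  grep -qE '^CREATE DATABASE' "$1" && grep -qE '^USE `?[A-Za-z0-9_]+`?;' "$1"
}

# $1: dump file, $2: target database for dumps that do not name their own.
# Prints the mysql command line to run.
restore_command() {
  if dump_is_self_contained "$1"; then
    printf 'mysql --user=username -p < %s\n' "$1"
  elif [ -n "$2" ]; then
    printf 'mysql --user=username -p %s < %s\n' "$2" "$1"
  else
    echo "dump names no database; pass the target database as 2nd argument" >&2
    return 1
  fi
}

# Dump every database to a date-stamped file readable by its owner only,
# since a full dump contains the mysql.user table with its password hashes.
backup_all() {
  ( umask 077; mysqldump --user=username -p --all-databases > "alldbbck-$(date +%F).sql" )
}
```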
Hardening the MySQL installation was a task in the InCTF 2014 learning round. Below are the steps I used to harden the MySQL installation on my Ubuntu 13.04 box.

Basic MySQL installation
sudo apt-get install mysql-server

Securing MySQL
Type the below command to start the secure setup script
sudo /usr/bin/mysql_secure_installation

This will launch the secure installation script, which walks through the following.

Setting root password:
If you had not set the root password at the time of installation, the script asks you to set it now. I had already set the root password, so I'm skipping this.

Remove anonymous users:
By default MySQL has an anonymous login with no password, so remove it.

Disallow remote root login:
To make sure that someone who brute-forces or guesses your root password cannot log in to your database server remotely.

Remove default 'test' database:
MySQL is shipped with a default 'test' database that anyone can access; it's purely for testing and should be removed.

Reload the privilege tables:
To make all the changes take effect, reload the privilege tables.
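A check of what the "remove anonymous users", "disallow remote root login" and "remove test database" steps should have left behind, as an added example (not part of the post). audit_users reads "user<TAB>host" lines on stdin, as printed by mysql -u root -p -N -e 'SELECT user, host FROM mysql.user', and audit_databases reads database names as printed by mysql -u root -p -N -e 'SHOW DATABASES'; the sample account list is constructed.

```shell
# Flags anonymous accounts and root accounts reachable from non-local hosts;
# prints each finding and returns 1 if anything is left to fix.
audit_users() {
  awk -F'\t' '
    $1 == "" { print "anonymous account reachable from host " $2; bad++ }
    $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
      print "root may log in remotely from " $2; bad++ }
    END { exit bad ? 1 : 0 }'
}

# Flags the default test database if it still exists.
audit_databases() {
  awk '$1 == "test" { print "default test database still present"; bad++ }
       END { exit bad ? 1 : 0 }'
}

# Constructed sample of a fresh, unhardened install: a local root, an
# anonymous account, and a root allowed from any host (%).
sample_users() {
  printf 'root\tlocalhost\n\tlocalhost\nroot\t%%\n'
}
```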

Here are the 10 steps I took to harden the apache2 server on my Ubuntu 13.04 box.
Securing apache2 was a task in learning round 1 of InCTF '14.

Step 1 Disable Directory Listing

Directory Listing: If there is no "index" file in a directory of your website and you open the URL of that directory in the browser, Apache will list the files in that directory. A directory listing looks like this:


To disable directory listing:
Open the file /etc/apache2/sites-available/000-default.conf

sudo vim /etc/apache2/sites-available/000-default.conf

Find the Directory section having the path of your website and change the Indexes in Options to -Indexes:
<Directory /var/www/php>
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>

Step 2 Prevent Server Information leakage

Version details of the Apache server and operating system are shown by default in error pages, directory listings and the HTTP Server response header. This is a security threat, as an attacker can pick the attacks known to work against that exact version. See the server and port details beneath the directory listing above.
To disable this information leakage:

Open the file "/etc/apache2/conf-available/security.conf"
sudo vim /etc/apache2/conf-available/security.conf

Set "ServerSignature Off" and "ServerTokens Prod"
ServerSignature Off
ServerTokens Prod

Restart Apache server
sudo service apache2 restart

Step 3 Run Apache as separate User and Group

First find out under which user the Apache server is running:

ps aux | grep --color apache2

The first column shows the user under which the Apache processes are running; if you have just plainly installed apache2 the user will be 'root' or 'www-data'.
Wondering what 'www-data' is? 'www-data' is the account to use if you want PHP to be able to edit the contents of a file/folder.

We have to change the user running Apache to a low-privileged one. If the user 'nobody' is the one that comes to your mind, don't give in to it, because there will be many other processes running under 'nobody', as it's the default daemon account on Linux systems.
If an attacker somehow compromises your Apache server, he will also get access to all those other processes. So it's always better to run a process under its own separate low-privilege account; here we will create an 'apache2' account.

Create a new group apache2
sudo groupadd apache2

Create a new user apache2
sudo useradd -d /var/www/ -g apache2 -s /usr/sbin/nologin apache2
-d: home directory
-g: the group name or number of the user's initial login group
-s: the name of the user's login shell [/usr/sbin/nologin = login disabled]

Open /etc/apache2/envvars
sudo vim /etc/apache2/envvars

Change  export APACHE_RUN_USER and export APACHE_RUN_GROUP
export APACHE_RUN_USER=apache2
export APACHE_RUN_GROUP=apache2

Now restart Apache [a reboot may be needed] and check the user under which Apache is running.

Step 4 Use mod_security and mod_evasive modules

mod_security is a web application firewall that can do HTTP traffic logging for a particular web application, real-time monitoring and attack detection, attack prevention and just-in-time patching, etc. For more details check out the mod_security project website here.

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities. 

mod_security Installation

Install mod_security package
sudo apt-get install libapache2-modsecurity

Enable mod_security module within the apache2 configuration
sudo a2enmod mod-security

Verify that it's enabled:
apachectl -M | grep --color security

You should see a line 'security2_module (shared)', which indicates that the module was loaded.

mod_evasive Installation
sudo apt-get install libapache2-mod-evasive

Create the log file directory for mod_evasive
sudo mkdir /var/log/mod_evasive/
sudo chown apache2:apache2 /var/log/mod_evasive/

Create the mod-evasive.conf file and configure mod_evasive
sudo vi /etc/apache2/mods-available/mod-evasive.conf

Add the below to mod-evasive.conf
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSLogDir /var/log/mod_evasive
    DOSEmailNotify EMAIL@DOMAIN.com
    DOSWhitelist 127.0.0.1
</IfModule>

Enable mod_evasive, restart Apache and check that the module is loaded.
sudo a2enmod mod-evasive
service apache2 restart
apache2ctl -M | grep --color evasive

Step 5 Turn off Server Side Includes and CGI Execution

If server side includes / CGI execution are not required by your website, disable them, because through a poorly designed website an attacker could get the server to execute code.

In the file '/etc/apache2/sites-available/default' change or add 'Options -Includes' and 'Options -ExecCGI' in your website's section.

Step 6 File permissions

Your website root directory may have files that hold sensitive information, so remove write permission from those files, so that the data cannot be modified through the website or by using the website in any manner.

Permission bits: Read = 4, Write = 2, Execute = 1
So if you split the octal permission 745 into 3 sections, user, group and others, you have the following permissions.
User = 7 (4+2+1 or RWX)
Group = 4 (4 or R)
Others = 5 (4+1 or RX)
The permissions of a sensitive file can be modified using the below command
chmod 745 sensitive_file.txt

Step 7 File/Folder Ownership

One should never run any file in the apache directory with root permissions.
To change the ownership to the apache2 user and apache2 group use the below command
sudo chown -R apache2:apache2 /var/www/

Step 8 Use Allow and Deny to Restrict access to Directories

We can restrict access to directories with “Allow” and “Deny” directives in '/etc/apache2/sites-available/default'. Secure the filesystem root directory using the below settings, so that nothing is served unless a more specific Directory section allows it.
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>

Order is one of the below: [more details here]
Allow,Deny
First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected. Last, any requests which do not match an Allow or a Deny directive are denied by default.

Deny,Allow
First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.

Step 9 Disable unwanted HTTP methods

Disable unwanted, potentially risky HTTP/1.1 methods. Usually a website needs only the GET, HEAD and POST request methods, which can be configured in the respective Directory directive:
<Directory /var/www/php/>
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Directory>

Restrictions applied to GET also apply to HEAD; therefore if GET is unrestricted, HEAD will also be unrestricted.
The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.

Step 10 Keep Apache Server updated

In Ubuntu you can trigger the system update process from the Software updater, which will have the Apache updates also.
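A read-only check of the settings changed in steps 1, 2, 3, 5 and 6 above, as an added example (not part of the post). It runs against an apache2 configuration directory (default /etc/apache2, using the file names from the steps) and a web root (default /var/www); the configuration trees used in testing are constructed.

```shell
missing=0

# $1: description, $2: regex, remaining args: files to search.
# Records a MISSING line when none of the files matches.
check() {
  desc=$1; re=$2; shift 2
  if ! grep -qiE "$re" "$@" 2>/dev/null; then
    echo "MISSING: $desc"
    missing=$((missing + 1))
  fi
}

# Prints each hardening setting that is absent; returns non-zero if any is.
audit_apache_conf() {
  root=${1:-/etc/apache2}
  missing=0
  check "ServerTokens Prod"       '^[[:space:]]*ServerTokens[[:space:]]+Prod'   "$root"/conf-available/security.conf
  check "ServerSignature Off"     '^[[:space:]]*ServerSignature[[:space:]]+Off' "$root"/conf-available/security.conf
  check "Options -Indexes"        '^[[:space:]]*Options.*-Indexes'             "$root"/sites-available/*
  check "Options -Includes"       '^[[:space:]]*Options.*-Includes'            "$root"/sites-available/*
  check "Options -ExecCGI"        '^[[:space:]]*Options.*-ExecCGI'             "$root"/sites-available/*
  check "APACHE_RUN_USER=apache2" '^export APACHE_RUN_USER=apache2$'           "$root"/envvars
  [ "$missing" -eq 0 ]
}

# Step 6: files under the web root that anyone on the box may write to.
world_writable_files() {
  find "${1:-/var/www}" -type f -perm -0002
}
```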