One more in the list of technical posts! Yesterday was a day of 17 hrs in the lab (phew 🙂
So we were capturing packets but the packit tool did not randomize the source IPs enough so we were getting decent signatures for TCP traffic but not for ICMP! So looking at the signature generation I found that the checksum was also being used to get the hash value. But, when I stopped using the checksum values for generation of hash the signatures started coming properly. Antoine, somehow, thought that the IP addresses were affecting the has values that we got. But looking deeply into the code we saw that it was not the case. The conclusion (which is really surprising) is that packit was generating similar packets quite a few packets and that too from the same source IP (but they really should have been randomized!)…I don’t know whether this conclusion is correct??? May be some packit developers would be able to help me on this!
So now the challenge becomes to send those ICMP signatures across…but icmp_send() method requires skbuff structure…I looked at the net/ipv4/ipip.c file for the usage of icmp_send() methods but it is still not clear to me how it should be used!

-Rajat
Rajat’s Homepage

On the recently concluded PlaidCTF (which was an awesome competition) by PPP there was a problem.  Here it goes:

Question: We managed to get the source code for an encryption service running at 54.234.224.216:4433.

I have listed the python source provided below:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter

# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'

def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))

class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break

            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break

class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True

if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

The key on this challenge is to see that the stream encryption is being done on the compressed input. In the source provided, if the user input is similar to the secret value in the PROBLEM_DATA variable then the zlib.compress() function would show a reduced length ciphertext. This is somewhat (and I use the term loosely) similar to the CRIME vulnerability. The AES Counter mode RFC has the implementation details of the cipher. So I wrote the following script.

import socket
import sys
from itertools import *
import struct
def display(msg,numbytes):
	#print >>sys.stderr, 'received "%s"' % msg
	#print >>sys.stderr, 'bytes "%d"' % numbytes
	print >>sys.stderr, 'bytes %d ' % numbytes + msg.encode('hex')
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect the socket to the port where the server is listening
server_address = ('54.234.224.216', 4433)
print >>sys.stderr, 'connecting to %s port %s' % server_address
sock.connect(server_address)
#mesage len = 20 lowercase and underscore letters
try:
	amount_received = 0
	nonce = sock.recv(8)
	amount_received += len(nonce)
	# Send data
	#strng = 'crime_some'
	#minciphlen = 1000
	#strng = 'crimes_pays'
	#strng = 'so_'
	#strng = 'crime_some_times_pays'
	#strng = 'somet_'
	strng = 'cr'
	minchar = ''
	ciphlen = 1000
	sampleset = 'hijklmnopqrstuvwxyz_abdefgc'
	#while True:
	strng = strng + minchar	
	minciphlen = ciphlen
	minchar = ''
	for s in map("".join,permutations(sampleset,1)):
		#message = nonce +  (strng + s)*10  #'\x00'*11 + s
		message = strng + s
		datalen = struct.pack('I',len(message))  # datalen = '\xe4\x00\x00\x00'
		sock.sendall(datalen)
		#print >>sys.stderr, 'sending '+ message
		sock.sendall(message)
		#print >>sys.stderr, 'message sent'
		amount_received = 0
		# Look for the response
		data = sock.recv(4)
		amount_received += len(data)
		ciphlen = struct.unpack('I', data)[0]
		#print >>sys.stderr, message + ' ' 
		amount_received = 0
		if ciphlen <= minciphlen:
			minciphlen = ciphlen
			minchar = s
			print str(ciphlen) + ' It is ' + strng + minchar
		data = sock.recv(ciphlen)
		#display(data,ciphlen)		
finally:
    print >>sys.stderr, 'closing socket'
    sock.close()

When you connect to the service it provides you the nonce, so I prepended the nonce to the plaintext. The above script shows the plaintext and the length of the cipher text. To start off with this, you start with a string of length 1, and see which is the smallest length response, that gives your first character. Then in the

strng

variable above, you add that character and run again, and the lowest length ciphertext tells you the next character and so on. I noticed that sometimes the output had a few characters with the lowest length. So I tried each of them and ended up with the following flag:

crime_sometimes_pays 

I will be speaking in Prof. Sengupta’s class at John Jay College of Criminal Justice at the City University of New York on Oct 28, 2010.  The topic of discussion will where does Digital Forensics fit in the big picture of organizations.  The talk will introduce the students to a variety of topics including choosing a career as a digital forensics investigator, their duties as an investigator, being successful as an investigator, case studies and real-life problems faced by the computer forensic investigators.

I was just browsing away when I stumbled upon Johnny Long’s GooScan. He says that this is a Linux only tool but it seems to compile (not without problems though) on cygwin.
I kept getting the following errors:

L:\tools\gooscan-v1.0.9>gcc gooscan.c
gooscan.c: In function `inet_send':
gooscan.c:575: error: `MSG_WAITALL' undeclared (first 
                       use in this function)
gooscan.c:575: error: (Each undeclared identifier is 
                       reported only once
gooscan.c:575: error: for each function it appears in.)

Then I read somewhere that MSG_WAITALL is not defined for Cygwin and that instead of that zero would work. There are many neater solutions to this…but I’m a hacker and I’ll do the stuff that’s easiest and hassle-free.
Some people say that the following will work:
#ifdef __CYGWIN__
#define MSG_WAITALL 0

So in order to compile this bad boy, you need to goto line 574 in your favorite editor.
It looks like this:
recv(sock, recvbuf, sizeof(recvbuf), MSG_WAITALL);

You need to make it look like this:
recv(sock, recvbuf, sizeof(recvbuf), 0);//MSG_WAITALL);

You are all set:
gcc gooscan.c -o gooscan.exe

Compilation works! But then I observed that the results were not coming well. However, if you run it through a local proxy such as burp it still works…I bet it has something to do with socket establishment and receiving and being incompatible with the MSG_WAITALL flag.
But as long as you can get the results … who cares? If someone figures out exactly how to make this work, please post it as a comment.

So the other day I was on a pen test and I got hold of the hashes. Since my laptop got fried I needed a new version of SMBProxy. There were a few issues that I had with the compilation though. I got a few errors in the file crypto.c.
Moreover, SMBProxy ues crypto library libdes written by Eric Young available here.
I give here a guide to compiling SMBProxy that worked for me.

First, compile and install libdes

1. Download libdes 4.01
2. tar zxvf libdes-4.01.tar.gz
3. cd libdes
4. make gcc
5. sudo make install

Now, you’ll find that the file libdes.a is now in /usr/local/lib.
Second, compile and install SMBProxy. Now here there were a couple of compilation errors that I had to deal with.
Here’s the diff output for crypto.c

trance@z0n3:~/Desktop$ diff smbproxy/crypto.c smbproxy-orig-src/crypto.c
40,41c40
< #include
< #define MD4_SIGNATURE_SIZE 16 --- >
46c45
<> static u_char Get7Bits(UCHAR *input, int startBit) {
58c57
<> static void MakeKey(UCHAR *key, UCHAR *des_key) {
74c73
<> void DesEncrypt(UCHAR *clear, UCHAR *key, UCHAR *cipher) {
85c84
<> void mkResponse(UCHAR **ntlmhash, UCHAR hash[MD4_SIGNATURE_SIZE], UCHAR* challenge) {
88c87
<> UCHAR ntlm_response[24];

Having done this there were still a few issues with the make comand.
The Makefile can be generated by running the following command:

trance@z0n3:~/Desktop/smbproxy-orig-src$ ./configure

Here’s the diff output of the Makefile:

trance@z0n3:~/Desktop$ diff smbproxy/Makefile smbproxy-orig-src/Makefile
10,11c10,11
< smbbf_include =" -Iinclude">
< libs ="">
—
> SMBBF_INCLUDE = -Iinclude
> LIBS = des
31c31
< $(LIBDES) $(LIBS)
—
> $(LIBDES)

The following libraries are required: openssl, openssl-dev, libdes for successfully compiling SMBProxy.

apt-get install openssl openssl-dev

tl,dr; Blue-Green deployments for critical uptime applications is a strong deployment strategy but if a deployment fixes critical security issues be sure that the definition of “deployment complete” is decommissioning of the “blue” environment and not just deployment of “green” successfully.

Organizations have gotten used to following Continuous Integration/Continuous Deployment (CI/CD) for software releases. The use of cloud solutions such as AWS Code* utilities, Azure DevOps or Google Cloud Source repositories enables enterprises to quickly and securely accomplish CI/CD for software release cycles. Software upgrades undergo the same CI/CD tooling and the dev teams need to choose how to do the upgrades.

There are a few different ways development teams upgrade their applications – full cut-over (same infrastructure, new codebase deployed directly and migrated in one go), rolling deployments (same infra or new infra gradually upgrading all instances), immutable (brand new infra and code for each deployment and migrated in one go), blue-green deployment (same infra, simultaneously deployed in prod, gradually phasing out old instances upon successful tests from a section of traffic). The Blue-green deployment strategy has, therefore, become quite popular for modern software deployment.

What is a Blue-Green deployment?
When you release an application via Blue-Green deployment strategy you gradually shift traffic as tests succeed and your observability (Cloudwatch alarms, etc.) does not indicate any problems. You can do that via Containers (ECS/EKS/AKS/GKE) or AWS Lambda/Azure Functions/Google Cloud Functions and traffic shifting can be done with the help of DNS solutions (Route53/Azure DNS/Google Cloud DNS), Load balancing solutions (AWS Elastic Load Balancer/Azure Load Balancer/Cloud Load Balancing). Simplistically, take your current (blue) deployment and create a full stack (green) and use either DNS or load balancers to slice out a traffic section and test the “green” stack. This is all happening in production, by the way. Once everything looks good, direct all the traffic to green and decommission the “blue”. This helps maintain operational resilience and, therefore, this is a popular deployment strategy. AWS has solid whitepaper I recommend to review to dive in from a solution architecture standpoint if you are interested.

Security Considerations

Some critical security issues (e.g., remote code execution via Log4j, remote code execution via struts, etc.) demand immediate fixes because of their severity. If your blue-green deployments are going to take days and your tests will run over a very long period (say days) then any security fixes you make also will get fixed after a successful “green” deployment and “blue decommission” only. If during that window or prior, an attacker managed to get a foothold into the impacted “blue” environment, then even decommissioning of the “blue” becomes critical to claim the issue is fully remediated. Typically, when incident responders and security operations professionals breathe a sigh of relief is when the fix is deployed. Typically, the software engineering teams consider fix as deployed is when the “green” is fully handling all traffic (and its unrelated to the decommissioning of the “blue” environment). In this case, the incident responders need to remember its not the deployment time when the risk is truly mitigated, its mitigated after completion of cut-over to green and decommissioning of the blue. There is a subtle, yet important, difference here – and it really comes down to the use of shared vocabulary. As long as security operations and software development teams both have this shared definition of what deployment means, there are no misunderstandings.

This is not a post but nostalgia. This post is actually a transcript of the first interview of my life. It was for a top Indian Software Consultancy Company (referred to as “XYZ” from now on). I remember that it was July 9th, 2001 and it was a really rainy day in Bombay. While coming to the college I was totally drenched and was looking rather distraught! I cleared the aptitude test and then came the Big One – The Interview!
I went to the interview thinking that i wanted to completely screw up the interview (coz I was interested in some other company) so i went there casually dressed with a demonic smile on my face >:-) . In hindsight, I think the way I appeared for this interview was really gutsy for me and I probably couldn’t have done that had I been craving to get a job in this company. Here is the transcript of the interview.

XYZ: So Mr Rajat … tell me about urself and ur family in *short*
Me : In the year 1980 i was born in allahabad and spent the initial yrs of mylife in blah blah blah ….and completed my schooling in Shree Ram Welfare Society’s High School, Andheri(W), Mumbai . therafter i went to Sathaye College….(blah blah blah) and i came to this college thinking that this college would be good.
XYZ: & how did u find this college?
Me : (thinkin for a while and then with a heavy heart ) ok !
XYZ: Rajat y did u chose our company (XYZ) instead of other companies.
Me : i did not choose XYZ i’ve just come for this interview ! In fact u guys have come to our college (for on-campus placements) i haven’t come for this interview.
XYZ: but would u like to join our co.?
Me: i’ve come for this interview ! what does this indicate to u?
XYZ: give me one reason why u want to join XYZ?
Me: i don’t want join XYZ… i’ll goto any other co. that comes next…as a matter of fact any other co. will take me!
XYZ: Mr Rajat in this form (these guys had given us a form to fill in whichwe were supposed to write the salary we desired which i forgot to fill… oops faux pas ? well not quite) which we have given to u , uhaven’t mentioned the salary u want…. what r ur expectations?
Me : I want more!
XYZ: MORE !%#$%$#$ y do u want more?
Me: because i know i’m worth it!
XYZ: u say so but it is for us to see whether u r worth it!
Me: put me to test and i’ll prove i’m worth it !
XYZ: but why do u want more ?
Me : everybody wants more so what is wrong if i want more!(the guy seems to be pissed off to my delight)
XYZ: but u must be having some expectations , don’t u?
Me : yes of course , i have . but u r not gonna live up to them. u had made it quite clear the salary u’ll be offering to us … so it doesn’t matter what my expectations are u r gonna give only what *you* want to give us , so there rests the matter.
XYZ: tell me about this person whom u know & works in XYZ.
Me : He is my cousin and he stays at andheri.
XYZ: so what have u heard from him about our co. ?
Me : NOTHING!
XYZ: but u might have heard something at least!!!!!
ME : we meet at social gatherings and the last thing we want to speak about is XYZ!!!
XYZ: ok tell me about ur project … this assembler
Me : blah blah blah
XYZ: ok … so in ur form u write u want “A GOOD NETWORKING PROJECT PREFERABLY BASED ON NETWORK SECURITY” . what do u know about networking?
Me : NOTHING!
XYZ: (a very surprised Mr. Sleepy said) NOTHING !?!? then how can u say u want a project in it?
Me: well , i’ve attended a few seminars @ IIT and it ensured me that that was the only field i’m interested in.
XYZ: then ur interest may change after studying the subject!
Me : No, it won’t change!!!!
XYZ: wat do u know bout networkin?
Me: latest happenings … blah blah blah
XYZ: suppose that we don’t have a project in network securities for you then what will u do?
Me: i have written that it is my ambition to work on a networking project…AMBITIONS ARE NOT ALWAYS FULFILLED.
XYZ: Rajat … there is a rule in ur college that if u get 1 co. u r noteligible for the rest.we offer u 16k .. so if tomorrow infosys comes and offers u 20k wat will u do?
Me : I WILL GO !!!!!
XYZ: u’ll go !?! that means you are after money ?
Me : who said that !? i never said that ! i want more money but more important than that is the work environment & the kind of projects i get. if i getbetter projects there i’ll go money is secondary but still important .
XYZ: (as if trying to juistify a lesser salary) u know rajat that on paper their (Infosys) salary may look large but 20% blah blah blah ….. 12.5 % blahblah blah …6% blah blah blah … (and lots more statistics which lasted foran eternity as far as my viewpoint goes)
XYZ: do u realise that XYZ has a 3yr. service agreement or u r chargedRs.50,000/- . what are your feelings about that?
Me : it is absolutely wrong.
XYZ: why?
Me: The word “bond” itself says that u r “bound” to the co. no matter what.
XYZ: that is why we don’t call it a “bond” we call it a “service agreement”.
Me: ok…that’s just another name for it. i personally think that instead of”binding” people to ur co. u should create such an environment that people like to stay in ur co. with their wishes and so the co. will benefit if peoplework with their wishes.
XYZ: do u havre any questions for us?
Me: yes , sir i do! in ur qns a few minutes back u mentioned infosys and in ur pre-placement talks u said u r no.1 software co. of india. how can u say thatwhen all that we see in the newspapers is infosys and with u comparing urself to infosys?
XYZ: infosys is 12% blah blah blah … 19% blah blah blah …(and lots morestatistics that made me feel as miserable as our indian cricket team witheverything out of control)does that answer ur qn?
Me: ya! sir may i ask another question ?
XYZ: ya sure! (with some uneasiness)
Me: sir, this yr. we have seen our seniors get whole lot of “back out” letters! what r ur feelings about that?
XYZ: OUR FEELINGS !!??!
Me: i mean r u people going to do the same with us?
XYZ: (i think this was it and he lost his complete cool and he pointed to me & said sternly) till this date our company has not given any “back-out” letters to anybody.
Me: Thank u .sir. it was a pleasure!

This was the first interview of my life and I ended up getting selected for this company. It was a great experience working there and I realized that money is not everything! At the end of it I think I was not rude but dangerously honest in giving my answers and this plan could have backfired on me but it didn’t … may be I was lucky or may be this was destiny!