Updates from Mada R Perdhana

  • Mada R Perdhana 02:34 on 27 February 2012

    日本語入門 [にほんご にゅうもん] 

    Yes, starting three weeks ago, I have been trying to learn Japanese. I attend a Japanese class twice a week. We are using a book named Nihongo Nyuumon (日本語入門), or Introduction to Japanese. My teacher, or Sensei (先生) in Japanese, is a professional Japanese tour guide.

    I will try to rewrite what I have already learned, to help me retain it and also to help other people who want to learn Japanese. The book itself was produced by Yogyakarta 日本文化学院 (Nippon Bunka Gakuin). It was written by three Sensei (先生) from Japan: Yoshiteru Ito-Sensei, Kazuo Shiina-Sensei and Takayuki Tomita-Sensei, in August 1974.

    To write the Japanese, I am using LibreOffice on Ubuntu Linux. I will write an article about how to enable Japanese input in LibreOffice another time. It helps me a lot to type Kanji automagically (converting from hiragana to Kanji) [ひらがなから漢字へ].

    First Chapter
    IKKA (First Lesson) : Watashi To Anata [私とあなた]

    Konnichi wa [こんにちは]
    Watashi wa Yamada desu [私は山田です。]
    Dozo yoroshiku [どうぞよろしく]
    Watashi wa Nihonjin desu [私は日本人です。]
    Watashi wa sensei desu [私は先生です。]

    Anata wa Ali-san desu ka? [あなたはAliさんですか?]
    Hai, watashi wa Ali desu. [はい、わたしはAliです。]
    Anata wa Indonesiajin desu ka? [あなたはインドネシア人ですか?]
    Hai, so desu. [はい、そうです。]
    Anata wa sensei desu ka? [あなたは先生ですか?]
    Iie, so dewa arimasen. Watashi wa gakusei desu. [いいえ、そうではありません。わたしはがくせいです。]

    Kono hito wa dare desu ka? [この人は誰ですか?]
    Sono hito wa Lee-san desu. [その人はLeeさんです。]
    Sono hito wa dare desu ka? [その人は誰ですか?]
    Kono hito wa Wanee-san desu. [この人はWaneeさんです。]
    Ano hito wa dare desu ka? [あの人は誰ですか?]
    Ano hito wa Nguyen-san desu. [あの人はNguyenさんです。]
    Ali-san wa dono hito desu ka? [Aliさんはどの人ですか?]
    Ali-san wa ano hito desu. [Aliさんはあの人です。]

    Ali-san wa otoko desu. [Aliさんは男です。]
    Nguyen-san mo otoko desu. [Nguyenさんも男です。]
    Wanee-san wa otoko dewa arimasen. [Waneeさんは男ではありません。]
    Wanee-san wa onna desu.[Waneeさんは女です。]

    Ali-san to Nguyen-san wa otoko desu.
    Ali-san mo Nguyen-san mo otoko desu.
    Ali-san mo Nguyen-san mo Wanee-san mo gakusei desu.

     
  • Mada R Perdhana 16:23 on 24 November 2011

    Teach the student how to learn, and they will never forget you every time they learn something new. So start teaching students how to learn, and you will be amazed at the difference you can make.
     
  • Mada R Perdhana 16:37 on 25 April 2011
    Tags: programming   

    Fad programming… playing around with Python 

    Today I tried to summon my programming ability by playing around a little with Python. I tried to make a simple application that reads a login page, logs into it, grabs a menu inside the protected page and automatically runs that menu. As the guinea pig for this trial I am using SquirrelMail. Here is the scenario: I will log into the mail system using a real user account, choose the compose message menu and send a message from it to an address. To make it more interesting I will use a MySQL database to store the data, such as the message, recipient and subject. Let's start!

    First I will prepare the tools to help me "finish" the job: Burp Suite, Mozilla Firefox add-ons such as Firebug and Elite Proxy, and pico as the Python editor. To make my application read the HTML page I am using urllib and urllib2; to hold the cookie I will use cookielib. Since I need to read the hidden tag from the login form, I will use the BeautifulSoup library. Here is the full code.

    Non SQL queries.
    # Python 2 code: urllib2 and cookielib became urllib.request and http.cookiejar in Python 3
    import urllib, urllib2, cookielib, re
    from stripogram import html2text   # optional, not used below
    from BeautifulSoup import BeautifulSoup

    username = 'user'
    password = 'pass123'
    kepada = 'mrp.bpp@.gmail'    # recipient ("kepada" = "to")
    judul = 'test'               # subject
    isi = 'test via daemon'      # body
    tek = ''                     # smaction: '' = new mail, 'reply' = reply

    # Cookie jar so the session cookie set at login is sent on every later request
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    # Keys are the login form's field names: login_username and secretkey
    login_data = urllib.urlencode({'login_username' : username, 'secretkey' : password})
    opener.open('http://mail.akakom/src/redirect.php', login_data)   # POST to the form's action = log in
    # Load the compose page to get the security token (smtoken) issued for this session
    resp = opener.open('http://mail.akakom/src/compose.php?mailbox=INBOX&startMessage=1')
    data = resp.read()
    soup = BeautifulSoup(data)
    tokenId = soup.find('input')     # the hidden smtoken is the first <input> on the page
    value = tokenId['value']
    email_data = urllib.urlencode({'smtoken' : value, 'send_to' : kepada, 'subject' : judul, 'body' : isi,'username' : username, 'smaction' : tek, 'send' : "Kirim"})
    opener.open('http://mail.akakom/src/compose.php',email_data)     # POST the message
    The code above is the version without SQL queries. Let me explain it:
    import urllib, urllib2, cookielib, re
    from stripogram import html2text
    from BeautifulSoup import BeautifulSoup
    Import all the libraries we need. I use the stripogram library to extract text from an HTML page, so that the application does not dump the data together with all the HTML source. It is optional; in this case we do not need it.
    username = 'user'
    password = 'pass123'
    kepada = 'mada@akakom.ac.id'
    judul = 'daemon'
    isi = 'test via daemon'
    tek = 'reply'
    Declare some variables here: kepada for 'to', judul for 'subject', isi for 'message' and tek for the action type (explained further below).
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    Create a cookie jar and an opener that uses it, so that any cookie the web page sets (the SquirrelMail session cookie) is stored and sent back on every later request.
    login_data = urllib.urlencode({'login_username' : username, 'secretkey' : password})
    Now I set the variables from the login page; the dictionary keys (login_username and secretkey) are the names of the form fields. Where did I find these names? With Firebug: open the login page and run Firebug. We could also use Firefox's View Source menu, but I prefer Firebug since it cuts down the clutter. So we have login_username and secretkey as the variables from the login form. urllib.urlencode encodes our variables as a form-urlencoded body, which opener.open will POST.
    opener.open('http://mail.akakom/src/redirect.php', login_data)
    Submit the login. The URL is not the login page itself but the page the form posts to. I found it with Burp Suite, which lets me step through the requests one by one: when I hit the login button, the browser sends a POST to another page, redirect.php. An easier way is to look at the page source for the form tag, like this:

    <form name="login_form" method="post" action="redirect.php">

    Since SquirrelMail has no complicated login system, the View Source menu is enough for us, but in another case, on a more complex login system, you might need Burp Suite to help you out.
    resp = opener.open('http://mail.akakom/src/compose.php?mailbox=INBOX&startMessage=1')
    data = resp.read()
    Next I open the compose page and read it into a variable called data. So now I have the full HTML source of the compose page inside data.
    soup = BeautifulSoup(data)
    tokenId = soup.find('input')
    value = tokenId['value']
    SquirrelMail protects its forms with a security token: every compose page carries a hidden input named smtoken, and compose.php only accepts a POST whose smtoken matches the one issued to that session. This is an anti-CSRF measure, and it is exactly why a script cannot hard-code the value: it has to load the compose page and read the current token each time before sending. Using BeautifulSoup I pull the token out of the page and pass it along in the urlencoded data. soup.find('input') works here because the token is the first input on the page; soup.find('input', {'name': 'smtoken'}) would be the safer lookup. I found out about the token by watching the requests in Burp Suite.

    email_data = urllib.urlencode({'smtoken' : value, 'send_to' : kepada, 'subject' : judul, 'body' : isi,'username' : username, 'smaction' : tek, 'send' : "Kirim"})
    opener.open('http://mail.akakom/src/compose.php',email_data)
    Now I send all the data collected so far. Notice the variable named smaction in the data. SquirrelMail uses smaction to identify the type of composed mail, whether it is a new one or a reply. If the variable is empty ('') the system treats it as a new mail; if you set it to 'reply' the system marks it as a reply. Then, using the urllib2 opener that already holds the session cookie, I POST the data to compose.php. That's all; when I ran the application it successfully delivered the message to my Gmail account. Now the interesting part: sending data from a MySQL server.

    With SQL queries

    Now let's get to the SQL one. To make Python read data from a MySQL server we need the MySQLdb library. Since I use Ubuntu, all I need is apt-get install python-mysqldb :). OK, here is the full code.
    import MySQLdb, urllib, urllib2, cookielib, re
    from stripogram import html2text   # optional, not used below
    from BeautifulSoup import BeautifulSoup

    username = 'username'
    password = 'pass123'
    judul = 'Query SQL Server'   # subject used for every message
    tek = ''                     # smaction: '' = new mail

    # Connection to the local MySQL server (a dedicated MySQL user with SELECT
    # on the email table would be preferable to root)
    conn = MySQLdb.connect (host = "localhost",
                               user = "root",
                               passwd = "pass123",
                               db = "test")
    cursor = conn.cursor ()

    # Fetch every queued row; nothing below changes status afterwards, so a
    # second run sends the same rows again
    cursor.execute ("SELECT dari, kepada, isi, status FROM email WHERE status = '1'")
    rows = cursor.fetchall ()
    for row in rows:
            kepada = row[1]   # recipient
            isi = row[2]      # body

            # Same login -> fetch smtoken -> send sequence as the non-SQL version
            cj = cookielib.CookieJar()
            opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
            login_data = urllib.urlencode({'login_username' : username, 'secretkey' : password})
            opener.open('http://mail.akakom/src/redirect.php', login_data)
            resp = opener.open('http://mail.akakom/src/compose.php?mailbox=INBOX&startMessage=1')
            data = resp.read()
            soup = BeautifulSoup(data)
            tokenId = soup.find('input')
            value = tokenId['value']
            email_data = urllib.urlencode({'smtoken' : value, 'send_to' : kepada, 'subject' : judul, 'body' : isi,'username' : username, 'smaction' : tek, 'send' : 'Kirim'})
            opener.open('http://mail.akakom/src/compose.php',email_data)

            print "%s, %s, %s, %s" % (row[0], row[1], row[2], row[3])
    print "Jumlah data: %d" % cursor.rowcount   # "Jumlah data" = number of rows
    cursor.close ()
    conn.close ()
    The MySQL-related lines are the connect(), cursor() and execute() calls and the loop over fetchall(); the rest is the same code explained previously. The program queries the rows with status = '1' from the MySQL server and then, in the for loop, logs in and sends one message per row. Two things to watch if you run this for real: the script connects as root with a hard-coded password, where a dedicated MySQL user with SELECT (and UPDATE) on the email table is enough, and it never changes status after sending, so every run re-sends the same rows. For more on using MySQLdb in Python, refer to the MySQLdb documentation.
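    The whole login, token fetch and send sequence, as an added example that is not the post's code: a Python 3 rewrite of the script above (urllib.request and http.cookiejar replace urllib2 and cookielib, html.parser replaces BeautifulSoup) run against a small local stand-in for SquirrelMail that is part of this example, not SquirrelMail itself. The stand-in's field names (login_username, secretkey, smtoken, send_to, subject, body), its cookie name SQMSESSID and the /src/ paths are assumptions mirroring the post; it enforces the one thing that matters for the script, that a POST to compose.php is refused unless its smtoken matches the token issued to the session.

```python
# Added example, not the post's code: a Python 3 version of the script above
# run against a mock SquirrelMail (an assumption built for this example) that
# only accepts a send whose smtoken matches the session's token.
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"user": "pass123"}   # constructed credentials
SESSIONS = {}                 # session id -> {"user", "smtoken"}
SENT = []                     # messages the mock compose.php accepted


class MockSquirrelMail(BaseHTTPRequestHandler):
    def _reply(self, code, body, headers=()):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def _session(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, sid = part.strip().partition("=")
            if name == "SQMSESSID" and sid in SESSIONS:
                return SESSIONS[sid]
        return None

    def do_GET(self):
        sess = self._session()
        if urllib.parse.urlsplit(self.path).path != "/src/compose.php" or not sess:
            return self._reply(401, "not logged in")
        # compose.php carries the session's anti-CSRF token as a hidden input
        self._reply(200, '<form method="post" action="compose.php">'
                    f'<input type="hidden" name="smtoken" value="{sess["smtoken"]}">'
                    '<input type="text" name="send_to"></form>')

    def do_POST(self):
        path = urllib.parse.urlsplit(self.path).path
        length = int(self.headers.get("Content-Length", 0))
        form = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        if path == "/src/redirect.php":                      # the login form's action
            if USERS.get(form.get("login_username")) != form.get("secretkey"):
                return self._reply(401, "bad login")
            sid = secrets.token_hex(16)
            SESSIONS[sid] = {"user": form["login_username"], "smtoken": secrets.token_hex(16)}
            return self._reply(200, "ok", [("Set-Cookie", f"SQMSESSID={sid}; Path=/; HttpOnly")])
        if path == "/src/compose.php":                       # send
            sess = self._session()
            if sess is None:
                return self._reply(401, "not logged in")
            if form.get("smtoken") != sess["smtoken"]:       # the token check
                return self._reply(403, "invalid security token")
            SENT.append((sess["user"], form["send_to"], form["subject"], form["body"]))
            return self._reply(200, "message sent")
        self._reply(404, "")


class HiddenInputs(HTMLParser):
    """Collect hidden <input> fields by name (sturdier than taking the first input)."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def send_mail(base, username, password, to, subject, body, with_token=True):
    """Log in, read a fresh smtoken from compose.php, POST the message; returns HTTP status."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login = urllib.parse.urlencode({"login_username": username, "secretkey": password})
    opener.open(base + "/src/redirect.php", login.encode())     # session cookie lands in jar
    page = opener.open(base + "/src/compose.php?mailbox=INBOX&startMessage=1").read().decode()
    parser = HiddenInputs()
    parser.feed(page)
    fields = {"send_to": to, "subject": subject, "body": body, "send": "Kirim"}
    if with_token:
        fields["smtoken"] = parser.fields["smtoken"]
    try:
        return opener.open(base + "/src/compose.php", urllib.parse.urlencode(fields).encode()).getcode()
    except urllib.error.HTTPError as err:
        return err.code


def start_server():
    """Start the mock on a free loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), MockSquirrelMail)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    base = start_server()
    print(send_mail(base, "user", "pass123", "a@example.test", "test", "test via daemon"))   # 200
    print(send_mail(base, "user", "pass123", "a@example.test", "test", "no token", False))   # 403
```

    The second call is the failure the token scraping exists to avoid: same session, same fields, no smtoken, refused with 403. Against a real SquirrelMail the server half is dropped and base points at the real host; the client half is unchanged.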
     
  • Mada R Perdhana 12:27 on 30 March 2011

    The dangerous effect of upload feature 

    Two days ago I did some research on web application security. My main focus was the upload feature of websites. Many websites today use an upload feature to interact with their users, for example job-search sites or educational sites. From several trials I did with various websites, almost 30% used an unsanitized upload feature, and the rest mostly used a filtered upload feature.


    I will not go into the unsanitized upload feature; it is covered automatically. OK, let's discuss abusing a filtered upload feature. As I said before, many websites today use this feature; I chose a site offering job vacancies. Let's say I have already found the site and try to upload my file. Since my backdoor is written in PHP, I choose my backdoor.php file. But something happens here: the browse dialog cannot find (read) my PHP file; it only lists PDF, DOC, DOCX, JPG and PNG files.





    This would be a problem. Next I fired up Burp Suite, to catch the traffic between the site and the browser. After setting my proxy to port 8080, I requested the page again and used the upload button. This time Burp Suite showed the request. I examined the data and, bingo, after forwarding a few messages I had this:



    For more detail, I will paste it in here :


                    $('#fileInput').uploadify({
                        'uploader'      : 'uploadify/uploadify.swf',
                        'script'        : 'uploadify/uploadify.php',
                        'cancelImg'     : 'uploadify/cancel.png',
                        'auto'          : true,
                        'folder'        : '/upload',
                        'multi'         : true,
                        'queueSizeLimit': 3,
                        'fileExt'       : '*.pdf;*.doc;*.docx;*.jpg;*.gif;*.png',
                        'fileDesc'      : 'Files',
                        onComplete: function (evt, queueID, fileObj, response, data) {
                            i++;
                            $("#filename").append("File " + fileObj.name + " Successfully Uploaded");
                        }
                    });

    See, this is what stopped me from uploading other file types. The fileExt option is a client-side filter applied by the Uploadify Flash/JavaScript widget in the browser, so it is entirely under the user's control. Using Burp Suite I modified the JavaScript in the server's response so it would let me pick my PHP backdoor: I simply changed *.png to *.php and kept forwarding until the page had fully loaded. Next I turned off the proxy and used the upload button again, and this time it accepted the PHP file. Nothing on the server side (uploadify.php) rejected it.



    Well, now it is easy for me to upload backdoor.php. After uploading it, the next thing is to find the folder it was saved in. For this I used DirBuster from OWASP, which showed a folder named /upload/ on the server. I opened the folder and, wow, directory listing was enabled and my backdoor was listed right there. Good; next I ran my backdoor, and here is what I got:

    + Using method 0 [system()] on http://www.xxxxxxxxxxxxmi.com/upload/backdoor.php


    www.xxxxxxxxxxxxxmi.com> uname -a
    Linux zzzzzzzzzzhost.com 2.6.35.7-hhhhhhh #1 SMP Mon Dec 13 08:34:39 CST 2010 x86_64 x86_64 x86_64 GNU/Linux
    www.xxxxxxxxxxxxxmi.com> pwd
    /home/xyz/public_html/upload

    The lesson: never rely on a client-side extension list. Validate uploads on the server (allow-listed extensions and content types, a server-generated file name), store them where the web server will not execute them, and disable directory listing on the upload folder. If the feature is not essential, just accept the files (CV, resume etc.) by email.
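    Server-side validation of the kind uploadify.php evidently lacked, as an added example (not the site's code, and not Uploadify's): the allow-list is the same set as the page's fileExt string, but it is enforced on the server over the bytes actually received, with a leading-bytes check per type, a crude scan for embedded PHP, and a server-generated file name. The sample uploads are constructed for this example.

```python
# Added example, not the site's or Uploadify's code: server-side upload checks
# of the kind uploadify.php should have applied. Allow-list, leading-byte
# signatures and the stored-name scheme are this example's choices.
import os
import secrets

ALLOWED = {"pdf", "doc", "docx", "jpg", "gif", "png"}   # same set as the page's fileExt

# what a file of each allowed type must start with (assumption: minimal sniffing)
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound document
    "docx": (b"PK\x03\x04",),                          # zip container
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename, content):
    """Return (extension, stored_name) for an acceptable upload, else raise UploadRejected.

    The extension is the last suffix of the base name only, so 'a.php.png' is a png
    candidate and must then pass the png signature check; the stored name is random,
    so nothing the client sent ever becomes a path on the server.
    """
    base = os.path.basename(filename.replace("\\", "/"))   # strip any directory part
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    if b"<?php" in content[:4096]:                       # cheap polyglot check, not a proof
        raise UploadRejected("embedded PHP code")
    return ext, f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: what the post's attacker would try, plus ordinary files
SAMPLES = {
    "backdoor.php": b"<?php system($_GET['cmd']); ?>",
    "backdoor.php.png": b"<?php system($_GET['cmd']); ?>",            # renamed, wrong signature
    "polyglot.png": b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>",       # valid signature, PHP inside
    "../../etc/cv.pdf": b"%PDF-1.4 ...",                              # traversal in the name
    "resume.PDF": b"%PDF-1.4 ...",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}


def triage(samples=SAMPLES):
    """Map each sample name to 'accepted' or the rejection reason."""
    out = {}
    for name, data in samples.items():
        try:
            validate_upload(name, data)
            out[name] = "accepted"
        except UploadRejected as err:
            out[name] = str(err)
    return out
```

    The signature and `<?php` checks are heuristics; a carefully built polyglot can pass them. The check that actually matters is where the file ends up: a directory the web server serves as static data only (no script handler, no directory listing), ideally outside the document root, under a name the client never chose.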
     
  • Mada R Perdhana 07:01 on 12 January 2011

    Seminar, Demo and Book Review: Harmless Hacking: Malware Analysis and Vulnerability Development

    A few years before the Internet became widely available to the public, perhaps 95% of the computers in the world were still standalone, meaning not connected to a computer network. One of the ways of sharing information and data back then was by disk. The computer viruses of that era caused relatively little damage and their spread was limited. The arrival of the Internet changed all of this.


    Today, millions of computers worldwide can be hit by a virus within hours. Types of malware spread very quickly and the damage they cause keeps growing. A poorly protected computer connected to the Internet can be infected in under 4 minutes, and if the damage is severe enough the computer becomes completely unusable. There are at least two main ways a computer gets infected with malware: Running malicious files – a computer can be infected when a malicious file is run or opened. Such files can arrive on removable media such as floppy disks, CDs, DVDs or flash drives. They can also arrive via Instant Messenger file transfers or as email attachments. You may be telling yourself, "I only need to worry about executable programs, EXE files." Perhaps that was once true. Today it no longer is. There are many file types people need to be wary of, and the list grows every day.

    Malicious websites – this is the newest and most common method of spreading malware. A website with a security hole can have a script inserted, a small program designed to force the visitor's computer to download and run malware. Users often do not realise this kind of attack has happened until the computer is infected and spreading the malware, which quickly cripples it.

    So what exactly is malware? Why can a computer be attacked by malware? What damage does malware do? How do you deal with these kinds of attack? What tools are used to analyse them? What precautions are needed? What kinds of vulnerability need to be anticipated? Want to know the answers? Attend the seminar, demo and book review of "Harmless Hacking: Malware Analysis and Vulnerability Development" by Mada R Perdana, author and digital forensics and computer security practitioner, at Campus A, STIKOM Balikpapan, Jl. KP Tendean 2A, Balikpapan, East Kalimantan, on Saturday 15 January 2011 from 9:00 WITA until finished, free of charge! To register, click HERE. Capacity is limited to 100 people, hurry!

    http://stmikbpn.ac.id/web/2011/01/10/seminar-demo-dan-bedah-buku-harmless-hacking-malware-analisys-and-vulnerabilty-development/
     
  • Mada R Perdhana 18:23 on 24 December 2010

    Malware… oh malware 

    This afternoon, while I was working at my college, I got an annoying nag screen from an antivirus application telling me that the computer had been infected by a trojan. Since I am curious about this kind of "software", I decided to play around with the malware a little.

    I decided to download some standard applications to help me analyze the malware. Here are some of them:
    • CaptureBAT
    • TCPView
    • Ollydbg
    • Process Monitor
    • Telnet
    • Mandiant Red Curtain
    OK, the antivirus said that the application suspected of being a trojan was located in C:\Windows\ and named gwdrive32.exe. First I ran Process Monitor and tried to end all the processes. Next I ran CaptureBAT with the -n switch so that it also captures network activity. Then I ran TCPView to watch the network connections. From TCPView and Process Monitor it was clear that besides the trojan itself there were a lot of other malware processes running in the background.

    From Mandiant Red Curtain and OllyDbg I could tell that the application was built with Microsoft Visual Basic. After a few hours of analysis I came to some conclusions.

    File Info
    Name     Value
    Size     143430
    MD5      a3f85d336559620eefc5681a3a2e6d13
    SHA1     37791dac9bf0b14354ec954e68de3b6adaab91fd
    SHA256   38c99bb7db6637cd5416f203dcf50c8487ccef75bab2a035491e82a40bf44061
    Process  Exited

    • Keys Created
    Name                                                                Last Write Time
    LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer      2009.01.12 14:48:02.203
    LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run  2009.01.12 14:48:02.234

    • Values Created
    Name                                                                                        Type    Size  Value
    LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Microsoft Driver Setup   REG_SZ  50    "C:\WINDOWS\gwdrive32.exe"
    LM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup                     REG_SZ  50    "C:\WINDOWS\gwdrive32.exe"
    LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\TEST\sample.exe  REG_SZ  92  "C:\TEST\sample.exe:*:C:\WINDOWS\gwdrive32.exe"

    • Values Changed (old/new)
    Name                                                           Type                 Size  Value
    LM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch  REG_DWORD/REG_DWORD  4/4   0x57/0x58

    • Files Created
    Name                      Size    Last Write Time          Creation Time            Last Access Time         Attr
    C:\WINDOWS\gwdrive32.exe  143430  2009.01.12 14:47:54.609  2009.01.12 14:48:02.187  2009.01.12 14:48:02.187  0x7

    • Processes Created
    PId    Process Name  Image Name
    0x7cc  sample.exe    C:\TEST\sample.exe

    • Processes Terminated

    • Threads Created
    PId    Process Name  TId    Start       Start Mem  Win32 Start  Win32 Start Mem
    0x344  svchost.exe   0x170  0x7c810856  MEM_IMAGE  0x7c910760   MEM_IMAGE
    0x7cc  sample.exe    0x7d0  0x7c810867  MEM_FREE   0x0          MEM_FREE

    • Modules Loaded

    • Windows Api Calls
    PId    Image Name          Address   Function ( Parameters ) | Return Value
    0x7cc  C:\TEST\sample.exe  0x405f36  CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\gwdrive32.exe", bFailIfExists: 0x0) | 0x1

    • DNS Queries
    DNS Query Text
    aaaaaaaa.schooluni.us IN A +

    • Description
    Suspicious Actions Detected
    Copies self to other locations
    Creates autorun records
    Creates files in windows system directory
    Disables windows firewall

    • Mutexes Created or Opened
    PId    Image Name                Address     Mutex Name
    0x360  C:\WINDOWS\gwdrive32.exe  0x403d8a    jng28gdcrg2fcs
    0x360  C:\WINDOWS\gwdrive32.exe  0x403daf    jng28gdcrg2fcs
    0x360  C:\WINDOWS\gwdrive32.exe  0x771ba3ae  _!MSFTHISTORY!_
    0x360  C:\WINDOWS\gwdrive32.exe  0x771bc21c  WininetConnectionMutex
    0x360  C:\WINDOWS\gwdrive32.exe  0x771bc23d  WininetProxyRegistryMutex
    0x360  C:\WINDOWS\gwdrive32.exe  0x771bc2dd  WininetStartupMutex
    0x360  C:\WINDOWS\gwdrive32.exe  0x771d9710  c:!documents and settings!user!cookies!
    0x360  C:\WINDOWS\gwdrive32.exe  0x771d9710  c:!documents and settings!user!local settings!history!history.ie5!
    0x360  C:\WINDOWS\gwdrive32.exe  0x771d9710  c:!documents and settings!user!local settings!temporary internet files!content.ie5!
    0x7cc  C:\TEST\sample.exe        0x771ba3ae  _!MSFTHISTORY!_
    0x7cc  C:\TEST\sample.exe        0x771bc21c  WininetConnectionMutex
    0x7cc  C:\TEST\sample.exe        0x771bc23d  WininetProxyRegistryMutex
    0x7cc  C:\TEST\sample.exe        0x771bc2dd  WininetStartupMutex
    0x7cc  C:\TEST\sample.exe        0x771d9710  c:!documents and settings!user!cookies!
    0x7cc  C:\TEST\sample.exe        0x771d9710  c:!documents and settings!user!local settings!history!history.ie5!
    0x7cc  C:\TEST\sample.exe        0x771d9710  c:!documents and settings!user!local settings!temporary internet files!content.ie5!

    • Events Created or Opened
    PId    Image Name                Address     Event Name
    0x360  C:\WINDOWS\gwdrive32.exe  0x77a89422  Global\crypt32LogoffEvent
    0x7cc  C:\TEST\sample.exe        0x77a89422  Global\crypt32LogoffEvent
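    A host-side check built from the behaviour above, as an added example (not output of any tool named in the post): the registry rows and the file event are constructed to mirror the report, and the rules (logon autorun keys, the firewall AuthorizedApplications list, executables dropped straight into C:\WINDOWS) are this example's way of reproducing the report's "Suspicious Actions" labels. The firewall label is renamed to what the registry change actually is, an allow-list exception for the dropped file, not a disabled firewall.

```python
# Added example, not output of any tool named in the post: the report's
# registry and file observations as constructed data, and rules that turn
# them into the same kind of "suspicious actions" verdict on a host.

# Registry key suffixes (lower-case) that run a program at logon
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
FIREWALL_LIST = r"\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list"
WINDOWS_ROOT = "c:\\windows\\"

# Constructed registry dump mirroring the report: (key, value name, data)
REG_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
     "Microsoft Driver Setup", r'"C:\WINDOWS\gwdrive32.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "Microsoft Driver Setup", r'"C:\WINDOWS\gwdrive32.exe"'),
    (r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
     r"\StandardProfile\AuthorizedApplications\List",
     r"C:\TEST\sample.exe", r"C:\TEST\sample.exe:*:C:\WINDOWS\gwdrive32.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",      # ordinary entry, for contrast
     "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
# Constructed file event mirroring the CopyFileA call: (api, source, destination)
FILE_EVENTS = [("CopyFileA", r"C:\TEST\sample.exe", r"C:\WINDOWS\gwdrive32.exe")]


def norm(path):
    """Lower-case and unquote a path so registry data and API arguments compare equal."""
    return path.strip().strip('"').lower()


def autorun_entries(reg_values):
    """(key, name, program) for every value under a logon autorun key."""
    return [(key, name, norm(data)) for key, name, data in reg_values
            if any(key.lower().endswith(suffix) for suffix in AUTORUN_KEYS)]


def firewall_exceptions(reg_values):
    """(name, data) for every application added to the XP firewall allow list."""
    return [(name, data) for key, name, data in reg_values
            if key.lower().endswith(FIREWALL_LIST)]


def windows_root_drops(file_events):
    """Executables written straight into C:\\WINDOWS itself, not a subdirectory."""
    drops = []
    for api, src, dst in file_events:
        d = norm(dst)
        tail = d[len(WINDOWS_ROOT):]
        if d.startswith(WINDOWS_ROOT) and "\\" not in tail and tail.endswith(".exe"):
            drops.append((api, norm(src), d))
    return drops


def suspicious_actions(reg_values, file_events, sample_path):
    """Labels in the style of the report, each tied to a concrete observation."""
    actions = set()
    drops = windows_root_drops(file_events)
    dropped = {dst for _, _, dst in drops}
    if drops:
        actions.add("Creates files in windows system directory")
    if any(src == norm(sample_path) for _, src, _ in drops):
        actions.add("Copies self to other locations")
    if any(prog in dropped for _, _, prog in autorun_entries(reg_values)):
        actions.add("Creates autorun records")
    if any(d in norm(data) for _, data in firewall_exceptions(reg_values) for d in dropped):
        actions.add("Adds a Windows Firewall exception")   # the report's "Disables windows firewall"
    return actions
```

    The rules only fire when the pieces connect: an autorun value counts because it points at a file the sample itself dropped, and the firewall entry counts because it names that same dropped file. The contrasting ctfmon.exe row is found by autorun_entries but raises no verdict on its own.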
     
  • Mada R Perdhana 06:15 on 24 November 2010

    What should I call this? Public Information Services or Ignorance? 

    The story began this afternoon when I met two great hackers, Aat Shadewa and Adi Nugroho. We had already arranged a meeting to discuss my book. This was the first time I met Aat; I knew him from his books, most of which are about hacking. To cut a long story short, from the book we moved to another topic: hacking SCADA systems. Yes, we started discussing our concern about the security of most SCADA systems in Indonesia, especially those used in PLN's infrastructure. Honestly, I do not know this stuff well. I learned about SCADA security around a year ago, but have not studied it since. Back to the meeting: all of us agreed that most SCADA infrastructure in Indonesia has poor security. And that is quite disturbing.
    After an interesting discussion, Aat and I agreed to write a book with SCADA security as the topic, and Aat said we would need a real SCADA system to test on, so that everyone living in the SCADA world, especially in Indonesia, becomes aware of how critical its security is. Since I did not have enough information about which systems use SCADA, I asked Aat which system we could research. His answer shocked me at the time: the Jawa-Bali PLN SCADA infrastructure. Wow, isn't that hard to test? He said no, since PLN had "sent" its SCADA system out running on the Internet. WTF?

    Yes, Aat said that PLN had put their SCADA system online and was sending a lot of information into the public domain. This really shocked me at the time. If that is the case, then I agree with him: we really need to tell PLN how dangerous it is and that they need to stop sending their SCADA information around the public space. After getting back home I kept thinking about finishing my book. After the Isha prayer I continued writing, finishing some chapters, until about 7 hours had passed. My brain got stuck; I could not write one more word. Then I remembered what Aat had said about the PLN SCADA infrastructure. I looked for information about that project on Google, and there came the address.
    http://scada.pln-jawa-bali.co.id
    At first I thought this was only an information website about the SCADA project, but when I opened it... WTF, it is an online system, connected to the SCADA system and continually updating its data from the SCADA database... oh my God. I am not a security expert or anything like that, but in my n00b opinion this could become a big problem. Well, as a newbie (a n00b's instinct), I then did some information gathering around the SCADA system. Then I found more shocking stuff: even with Google I could download the SCADA manual, including the design scheme (and the networking stuff).

    I checked the site. It looks like it was made with PHP and reads from the SCADA database system. I tried the database utility, called DB 500. The menu took me to another page:
    http://scada.pln-jawa-bali.co.id/dbchar0.php?script=http://scada.pln-jawa-bali.co.id/dbchar0.php&lihat_gi=0CWAN7
    Well, from the page link I could guess that this could be a big problem: they pass the query values straight in the URL. OK, I tried a simple "breakpoint", using the ' character.
    http://scada.pln-jawa-bali.co.id/dbchar0.php?script=http://scada.pln-jawa-bali.co.id/dbchar0.php&lihat_gi='0CWAN7
    There, I put it right after the "=", and let's see what we get here:

    Karakteristik Telemetering

    Warning: ociparse() [function.ociparse]: ORA-01756: quoted string not properly terminated in /home4/scada/htdocs/dbchar0.php on line 133
    Warning: ociexecute() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 135
    Warning: ocifetchstatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 137
    ---
    Warning: ocifreestatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 185

    Daftar Bays di JCC

    Warning: ociparse() [function.ociparse]: ORA-01756: quoted string not properly terminated in /home4/scada/htdocs/dbchar0.php on line 230
    Warning: ociexecute() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 232
    Warning: ocifetchstatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 234
    ---
    Warning: ocifreestatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 282

    Warning: ociparse() [function.ociparse]: ORA-01756: quoted string not properly terminated in /home4/scada/htdocs/dbchar0.php on line 312
    Warning: ociexecute() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 314
    Warning: ocifetchstatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 316
    ---
    Warning: ocifreestatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 364
    Oh my... this is really disturbing... well, now I became more interested in this web-based interface; for the record, this is the second time I have gone from newbie to dummy, maybe this time I become an idiot. I then checked the error messages, which say:
    Warning: ociparse() [function.ociparse]: ORA-0175
    Warning: ocifreestatement() expects parameter 1 to be resource, boolean given in
    Warning: ociexecute() expects parameter 1 to be resource, boolean given in
    From what I know, all of these functions are used to talk to an Oracle database. So now I have a valuable piece of information: this system uses Oracle as its back end. With some tricks, I queried the database banner to get some information about it.
    Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
    PL/SQL Release 9.2.0.1.0 - Production
    CORE 9.2.0.1.0 Production
    TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
    NLSRTL Version 9.2.0.1.0 - Production
    As I thought, the system uses Oracle as its back end. And the worse thing is that it runs on a Windows machine, as most SCADA does. Next I tried to "fish" for more information: what kind of server does it run on? Still using the link, I tried to make it error out and hopefully show a banner on the page.
    http://scada.pln-jawa-bali.co.id/dbchar0.php&lihat_gi='0CWAN7 
    and the result
    Forbidden
    You don't have permission to access /dbchar0.php&lihat_gi='0CWAN7 on this server.

    Apache/1.3.41 Server at scada.pln-jawa-bali.co.id Port 80
    WTF! They are even using an old Apache server, running on a Windows machine? And worse, that version of Apache... I am speechless.

    Anyone... just anyone out there, if you think you know the people who run or are responsible for this system, please, I am begging you, tell them how their system could become a boomerang for them. They do not need to publish all this stuff on the net. Most of society does not need information about the SCADA system; all they care about is paying the bill every month.

    Well, maybe it is only me who is concerned and worried about all this, and it is all just a bunch of data with nothing to worry about. I really hope it is only a bunch of garbage data, nothing more. As a bonus, I would like to give some extra information (yes, for you sir, the one responsible for the SCADA system):
    your local ip for the oracle db is 10.x.x.70
    your DB name is XXXX, yes, only 5 chars, the same as the Administrator username, also only 5 chars
    I knew all your system's user 
    I could get into your DB; I could play around inside your Windows system. Please remember this: I am ONLY A NEWBIE; there are thousands of SMART people out there, some good and some bad, and some of the bad guys would be happy to play around with your system.

    What if I hacked into your Windows system, put a backdoor there, "bred" my rootkit, hacked the local network, got into your SCADA system and made some changes there? (if possible, since I have no knowledge at all about this stuff)... but the bottom line is, what do you think about all that?

    We who live in the security world also have some information about SCADA; some of it is "hackable" using a simple buffer overflow, let's say

    DATAC RealWin SCADA 1.06

    or

    CitectSCADA ODBC Server

    which might apply to your system as well.


    Please, I am begging you: if you think this information is classified, PROTECT IT, but if you think this information is just a bunch of garbage, you may leave it.

    ------------------------------------------------------------------------------------------------------------
    Confirmation received from the person who runs the PLN Jawa-Bali SCADA system (as of 24 November 2010, 4:30 PM):
    The SCADA system is not directly connected to the Oracle database and the web server. Therefore the information on the web is not a threat to the running SCADA system.

    Thank goodness, if that is the case...
    ------------------------------------------------------------------------------------------------------------
    I've just got information from the people behind the SCADA system that the SCADA systems are not directly connected to the Oracle database and the web server. So there is nothing to worry about.

    Thank God...
    ------------------------------------------------------------------------------------------------------------
     
  • Mada R Perdhana 04:19 on 19 November 2010 Permalink  

    USB Flashdisk Forensic (Advanced) 

    This afternoon a friend contacted me and sent me an image file of a USB flash drive. He asked me to analyse the file. The flash drive contains several files, some still readable and some deleted. The hint: every file on it, deleted or not, has had its filesystem structures deliberately messed up so that it cannot be read in the normal way. In addition, the filesystem structure of the flash drive itself has been scrambled. Since I use Linux, this time I will use open source applications for the analysis. The price I pay is that the work becomes semi-manual and I have to do the arithmetic by hand too, sigh. Right, sit down quietly and read this article to the end. If there is anything you do not understand, ask the file systems lecturer at your campus. Welcome to my world :) (It took me almost 9 hours to finish the case.. gee)


    First, I gather information about the USB image.

    root@bt:/media/oldcaine# fsstat usbkey.img
    FILE SYSTEM INFORMATION
    --------------------------------------------
    File System Type: FAT16

    OEM Name: MSDOS5.0
    Volume ID: 0xdc8c29fe
    Volume Label (Boot Sector): NO NAME
    Volume Label (Root Directory):
    File System Type Label: FAT16

    Sectors before file system: 42

    File System Layout (in sectors)
    Total Range: 0 - 48971
    * Reserved: 0 - 3
    ** Boot Sector: 0
    * FAT 0: 4 - 193
    * FAT 1: 194 - 383
    * Data Area: 384 - 48971
    ** Root Directory: 384 - 415
    ** Cluster Area: 416 - 48971

    METADATA INFORMATION
    --------------------------------------------
    Range: 2 - 777414
    Root Directory: 2

    CONTENT INFORMATION
    --------------------------------------------
    Sector Size: 512
    Cluster Size: 512
    Total Cluster Range: 2 - 48557

    FAT CONTENTS (in sectors)
    --------------------------------------------
    456-486 (31) -> EOF
    487-491 (5) -> EOF
    root@bt:/media/oldcaine

    From this information we know that:
    the partition uses FAT16
    clusters are 512 bytes (one sector)
    FAT 0 starts at byte offset 2048 (it starts at sector 4, so 4 x 512 bytes)
    FAT 1 starts at byte offset 99328 (sector 194 x 512 bytes)
    the root directory starts at byte offset 196608 (sector 384 x 512 bytes)
    the first data cluster, cluster 2, starts at sector 416, so sector = cluster + 414

    each FAT entry is 2 bytes = 16 bits, hence FAT16
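    The offsets above are a few multiplications on the BPB fields that fsstat reads from the boot sector. The following Python does the same arithmetic from a boot sector; it is an added example, not code from the original post, and the boot sector it builds is constructed to match the fsstat output on this page (512-byte sectors, 1 sector per cluster, 4 reserved sectors, 2 FATs of 190 sectors each, 512 root entries, 48972 sectors), so it runs without usbkey.img. On the real image the same function takes the first 512 bytes of the file.

```python
"""FAT16 layout arithmetic: reproduce the numbers fsstat prints from the BPB.

Added example, not part of the original post.  The boot sector is
constructed to match the fsstat output above; usbkey.img is not needed.
"""
import struct

SECTOR = 512
# BPB fields at offset 11: bytes/sector, sectors/cluster, reserved sectors,
# number of FATs, root entries, total sectors (16-bit), media, sectors/FAT
BPB_FMT = "<HBHBHHBH"


def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=1,
                      reserved=4, num_fats=2, root_entries=512,
                      total_sectors=48972, sectors_per_fat=190):
    """Constructed boot sector holding only the fields the layout math needs."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                  # jump instruction
    bs[3:11] = b"MSDOS5.0"                      # OEM name seen in fsstat
    struct.pack_into(BPB_FMT, bs, 11, bytes_per_sector, sectors_per_cluster,
                     reserved, num_fats, root_entries, total_sectors,
                     0xF8, sectors_per_fat)
    bs[54:62] = b"FAT16   "                     # file system type label
    bs[510:512] = b"\x55\xAA"                   # boot signature
    return bytes(bs)


def fat16_layout(boot):
    """Return the FAT16 layout (sectors and byte offsets) from a boot sector."""
    (bps, spc, reserved, nfats, root_entries,
     total16, _media, spf) = struct.unpack_from(BPB_FMT, boot, 11)
    if bps == 0 or spc == 0 or spf == 0 or nfats == 0:
        raise ValueError("not a FAT12/16 boot sector")
    # a zero 16-bit total means the 32-bit field at offset 32 is in use
    total = total16 or struct.unpack_from("<I", boot, 32)[0]
    root_sectors = (root_entries * 32 + bps - 1) // bps
    root_dir = reserved + nfats * spf
    data_start = root_dir + root_sectors
    data_clusters = (total - data_start) // spc
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_size": bps * spc,
        "fat0_sector": reserved,
        "fat1_sector": reserved + spf if nfats > 1 else None,
        "root_dir_sector": root_dir,
        "first_data_sector": data_start,        # where cluster 2 lives
        "last_sector": total - 1,
        "last_cluster": 2 + data_clusters - 1,
        "fat0_offset": reserved * bps,
        "fat1_offset": (reserved + spf) * bps if nfats > 1 else None,
        "root_dir_offset": root_dir * bps,
        "fat_entry_bytes": 2,                   # 16-bit entries
    }


def cluster_to_sector(layout, cluster):
    """Data clusters are numbered from 2, so cluster 2 sits at first_data_sector."""
    if cluster < 2 or cluster > layout["last_cluster"]:
        raise ValueError(f"cluster {cluster} outside the data area")
    return layout["first_data_sector"] + (cluster - 2) * layout["sectors_per_cluster"]


def sector_to_cluster(layout, sector):
    """Inverse mapping, used when a tool (blkcat, istat) reports sectors."""
    if sector < layout["first_data_sector"] or sector > layout["last_sector"]:
        raise ValueError(f"sector {sector} is not in the cluster area")
    return 2 + (sector - layout["first_data_sector"]) // layout["sectors_per_cluster"]


if __name__ == "__main__":
    lay = fat16_layout(build_boot_sector())
    for key, value in lay.items():
        print(f"{key:>20}: {value}")
    print("cluster 420 -> sector", cluster_to_sector(lay, 420))
```

    The "+414" used throughout the rest of the analysis is just `first_data_sector - 2`; it only holds for this image, which is why the function derives it from the BPB instead of hard-coding it.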

    Next, let's see which files are in the image.

    root@bt:/media/oldcaine# fls /media/oldcaine/usbkey.img
    r/r * 5:        _IMMYJ~1.DOC <-- the * marks a deleted file; the first byte of the name is 0xE5, shown as _
    r/r 8:  cover page.jpg <-- its FAT directory entry (metadata address) is 8
    r/r 11: Scheduled Visits.exe <-- at address 11
    v/v 777411:     $MBR
    v/v 777412:     $FAT1
    v/v 777413:     $FAT2
    d/d 777414:     $OrphanFiles
    root@bt:/media/oldcaine#

    Using istat I look at the metadata, starting with address 5
    root@bt:/media/oldcaine# istat /media/oldcaine/usbkey.img 5
    Directory Entry: 5
    Not Allocated
    File Attributes: File, Archive
    Size: 20480
    Name: _IMMYJ~1.DOC

    Directory Entry Times:
    Written:        Mon Apr 15 14:42:30 2002
    Accessed:       Wed Sep 11 00:00:00 2002
    Created:        Wed Sep 11 08:49:48 2002

    Sectors:
    416 417 418 419 420 421 422 423
    424 425 426 427 428 429 430 431
    432 433 434 435 436 437 438 439
    440 441 442 443 444 445 446 447
    448 449 450 451 452 453 454 455
    root@bt:/media/oldcaine# 

    Now I try to recover _IMMYJ~1.DOC. A bit of theory: for every allocated cluster, the 2-byte FAT entry for that cluster holds the number of the next cluster, and the directory entry holds the first cluster of the file (see Brian Carrier's book); the chain ends with 0xFFFF. Now I go into the root directory (the FAT directory entries), which by the sector math is at byte offset 196608, with a hex editor

    root@bt:/media/oldcaine# xxd -s 196608 usbkey.img | more
    0030000: e564 006f 0063 0000 00ff ff00 00bc ffff  .d.o.c..........
    0030010: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
    0030020: e54a 0069 006d 006d 0079 0000 00bc 2000  .J.i.m.m.y.... .
    0030030: 4a00 7500 6e00 6700 6c00 0000 6500 2e00  J.u.n.g.l...e...
    0030040: e549 4d4d 594a 7e31 444f 4320 0068 3846  .IMMYJ~1DOC .h8F
    0030050: 2b2d 2b2d 0000 4f75 8f2c 0200 0050 0000  +-+-..Ou.,...P..
    0030060: 4267 0000 00ff ffff ffff ff0f 00f4 ffff  Bg..............
    0030070: ffff ffff ffff ffff ffff

    This is the deleted file's entry. Looking at the FAT cluster entries in the primary FAT (FAT 0, at byte offset 2048):

    root@bt:/media/oldcaine# xxd -s 2048 usbkey.img | more
    0000800: f8ff ffff 0000 0000 0000 0000 0000 0000  ................
    0000810: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000820: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000830: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000840: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000850: 0000 0000 2b00 2c00 2d00 2e00 2f00 3000  ....

    The file's cluster chain is gone: every entry is 00 00 (free), which is what deletion does on FAT. Now back to the root directory.

    root@bt:/media/oldcaine# xxd -s 196608 usbkey.img | more
    0030000: e564 006f 0063 0000 00ff ff00 00bc ffff  .d.o.c..........
    0030010: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
    0030020: e54a 0069 006d 006d 0079 0000 00bc 2000  .J.i.m.m.y.... .
    0030030: 4a00 7500 6e00 6700 6c00 0000 6500 2e00  J.u.n.g.l...e...
    0030040: e549 4d4d 594a 7e31 444f 4320 0068 3846  .IMMYJ~1DOC .h8F
    0030050: 2b2d 2b2d 0000 4f75 8f2c 0200 0050 0000  +-+-..Ou.,...P..
    0030060: 4267 0000 00ff ffff ffff ff0f 00f4 ffff  Bg..............
    0030070: ffff ffff ffff ffff ffff

    Going back to FAT theory, we know the file's 8.3 directory entry starts at 0x30040,

    0030040: e549 4d4d 594a 7e31 444f 4320 0068 3846  .IMMYJ~1DOC .h8F ,

    Referring to the FAT directory entry layout, the file size of 20480 is here:

    0030050: 2b2d 2b2d 0000 4f75 8f2c 0200 0050 0000  +-+-..Ou.,...P.. <--- the last four bytes, 00 50 00 00, are little-endian 0x00005000 = 20480, the same as istat reports. Now I replace the _ character, 0xE5 (which, according to the FAT directory entry layout, marks a deleted entry)

    Now, at the start of the root directory:

    0030000: e564 006f 0063 0000 00ff ff00 00bc ffff  .d.o.c..........
    0030010: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
    0030020: e54a 0069 006d 006d 0079 0000 00bc 2000  .J.i.m.m.y.... .
    0030030: 4a00 7500 6e00 6700 6c00 0000 6500 2e00  J.u.n.g.l...e...
    0030040: 4a49 4d4d 594a 7e31 444f 4320 0068 3846  JIMMYJ~1DOC .h8F
    0030050: 2b2d 2b2d 0000 4f75 8f2c 0200 0050 0000  +-+-..Ou.,...P..
    0030060: 4267 0000 00ff ffff ffff

    I replaced 0xE5 with 0x4A, i.e. J. Now I compare the image before and after the directory entry change (by mounting the image file). I did not bother restoring the real filename, only made the 8.3 entry valid, because the long name needs yet another technique.

    before:

    root@bt:/media/oldcaine# mount usb_GCFA_case/usbkey.img /mnt/usb/ -o ro,noatime,loop
    root@bt:/media/oldcaine# ls /mnt/usb/
    Scheduled Visits.exe  cover page.jpg
    root@bt:/media/oldcaine# ls -al /mnt/usb/
    total 37
    drwxrwxrwx 2 root root 16384 Jan  1  1970 .
    drwxr-xr-x 3 root root  4096 May 10  2009 ..
    -rwxr-xr-x 1 root root  1000 May 24  2002 Scheduled Visits.exe
    -rwxr-xr-x 1 root root 15585 Sep 11  2002 cover page.jpg
    root@bt:/media/oldcaine#         

    after changing the start of the entry:

    root@bt:/media/oldcaine# mount usbkey.img /mnt/usb/ -o ro,noatime,loop
    root@bt:/media/oldcaine# ls -al /mnt/usb/
    total 57
    drwxrwxrwx 2 root root 16384 Jan  1  1970 .
    drwxr-xr-x 3 root root  4096 May 10  2009 ..
    -rwxr-xr-x 1 root root  1000 May 24  2002 Scheduled Visits.exe
    -rwxr-xr-x 1 root root 15585 Sep 11  2002 cover page.jpg
    -rwxr-xr-x 1 root root 20480 Apr 15  2002 jimmyj~1.doc
    root@bt:/media/oldcaine# 

    The deleted file appears. The problem is that when I check it with file:

    root@bt:/media/oldcaine# file /mnt/usb/jimmyj~1.doc
    /mnt/usb/jimmyj~1.doc: ERROR: cannot read `/mnt/usb/jimmyj~1.doc' (Input/output error)
    root@bt:/media/oldcaine#  

    The problem is that I have not rebuilt the FAT chain yet: the file's clusters are not mapped because their FAT entries are still zero (freed by the delete)

    root@bt:/media/oldcaine# xxd -s 2048 usbkey.img | more
    0000800: f8ff ffff 0000 0000 0000 0000 0000 0000  ................
    0000810: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000820: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000830: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000840: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000850: 0000 0000 2b00 2c00 2d00 2e00 2f00 3000  ....+.,.-.../.0.

    From the earlier information we know that the cluster area starts at cluster 2 and that each FAT entry is 16 bits. So the first two entries of FAT 0 at byte offset 2048 are reserved, and right after them comes the entry for cluster 2, which I fill with 0x0003, then 0x0004 and so on, continuing up to byte offset 0x854, which already holds 2b00. With the hex editor: (Strictly, the doc is 20480 bytes = 40 clusters, so it occupies clusters 2 to 41 and the entry for cluster 41, at byte offset 0x852, should be 0xFFFF rather than 0x002A; chaining on into cluster 42 runs into cover page.jpg's clusters. The mount below works anyway because the driver stops reading after the 20480 bytes recorded in the directory entry, but the FAT is not consistent until that entry is fixed.)

    0000800: f8ff ffff 0300 0400 0500 0600 0700 0800  ................
    0000810: 0900 0a00 0b00 0c00 0d00 0e00 0f00 1000  ................
    0000820: 1100 1200 1300 1400 1500 1600 1700 1800  ................
    0000830: 1900 1a00 1b00 1c00 1d00 1e00 1f00 2000  .............. .
    0000840: 2100 2200 2300 2400 2500 2600 2700 2800  !.".#.$.%.&.'.(.
    0000850: 2900 2a00 2b00 2c00 2d00 2e00 2f00 3000  ).*.+.,.-.../.0.
    0000860: 3100 3200 3300 3400 3500 3600 3700 3800  1.2.3.4.5.6.7.8.
    0000870: 3900 3a00 3b00 3c00 3d00 3e00 3f00 4000  9.:.;.<.=.>.?.@.
    0000880: 4100 4200 4300 4400 4500 4600 4700 4800  A.B.C.D.E.F.G.H.
    0000890: ffff 4a00 4b00 4c00 4d00 ffff 0000 0000  ..J.K.L.M.......

    After saving, I mount usbkey.img again

    root@bt:/media/oldcaine# mount usbkey.img /mnt/usb/ -o ro,noatime,loop
    root@bt:/media/oldcaine# ls -al /mnt/usb/
    total 57
    drwxrwxrwx 2 root root 16384 Jan  1  1970 .
    drwxr-xr-x 3 root root  4096 May 10  2009 ..
    -rwxr-xr-x 1 root root  1000 May 24  2002 Scheduled Visits.exe
    -rwxr-xr-x 1 root root 15585 Sep 11  2002 cover page.jpg
    -rwxr-xr-x 1 root root 20480 Apr 15  2002 jimmyj~1.doc
    root@bt:/media/oldcaine# file /mnt/usb/jimmyj~1.doc
    /mnt/usb/jimmyj~1.doc: Microsoft Office Document Microsoft Word Document
    root@bt:/media/oldcaine# 

    And now the file is identified, i.e. recovered. To check that the recovery really worked, I read it with strings

    root@bt:/media/oldcaine# strings /mnt/usb/jimmyj~1.doc | more
    bjbj
    Jimmy Jungle
    626 Jungle Ave Apt 2
    Jungle, NY 11111
    Jimmy:
    Dude, your pot must be the best
     it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana
    seeds? At least I know your growing it and not some guy in Columbia.
    These kids, they tell me marijuana isn
    t addictive, but they don
    t stop buying from me. Man, I
    m sure glad you told me about targeting the high school students. You must have some experience. It
    s like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. I
    m an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year!
    I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive.  Tell me what you think. To open it, us
    e the same password that you sent me before with that file. Talk to you later.
    Thanks,
    Joe
    urn:schemas-microsoft-com:office:smarttags
    Street
    urn:schemas-microsoft-com:office:smarttags
    address
    urn:schemas-microsoft-com:office:smarttags
    City
    urn:schemas-microsoft-com:office:smarttags
    place
    urn:schemas-microsoft-com:office:smarttags
    State
    urn:schemas-microsoft-com:office:smarttags
    PostalCode
    ^{d&
    Jimmy Jungle
    0000
    Normal
    0000tl        
    --more

    The data is readable.
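    What the hex editing above does, written as a script. This is an added example, not the post's own code. It works on the 32-byte entry dumped at 0x30040 and on a FAT constructed here to match the dumps (entries 0 and 1 reserved, cover page.jpg's chain at clusters 42-72, Scheduled Visits.exe's at 73-77, the doc's chain zeroed), so it runs without usbkey.img. It assumes, as the istat sector list shows, that the deleted file was stored contiguously; unlike the manual fix it terminates the chain at the file's last cluster and refuses to overwrite FAT entries another file already uses.

```python
"""Undo a FAT16 delete: restore the name byte and rebuild the cluster chain.

Added example, not part of the original post.  DOC_ENTRY is the entry dumped
at 0x30040; the FAT is constructed to match the dumps.  Nothing reads usbkey.img.
"""
import struct

DELETED = 0xE5          # first name byte of a deleted entry
ATTR_LFN = 0x0F         # attribute value of a long-name slot
FAT16_EOC = 0xFFFF      # end-of-chain mark we write
FAT16_EOC_MIN = 0xFFF8  # any entry >= this ends a chain

# the deleted doc's 8.3 entry, byte for byte as it appears in the root directory
DOC_ENTRY = bytes.fromhex(
    "e549 4d4d 594a 7e31 444f 4320 0068 3846"
    "2b2d 2b2d 0000 4f75 8f2c 0200 0050 0000")


def parse_dir_entry(entry):
    """Decode the fields of one 32-byte 8.3 directory entry needed for recovery."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is 32 bytes")
    return {
        "deleted": entry[0] == DELETED,
        "lfn": entry[11] == ATTR_LFN,
        "name": bytes(entry[0:8]).decode("latin-1"),
        "ext": bytes(entry[8:11]).decode("latin-1"),
        # FAT16 keeps the first cluster in the 16-bit field at 0x1A;
        # the word at 0x14 is only the high half on FAT32
        "first_cluster": struct.unpack_from("<H", entry, 26)[0],
        "size": struct.unpack_from("<I", entry, 28)[0],
    }


def fat_get(fat, n):
    return struct.unpack_from("<H", fat, 2 * n)[0]


def fat_set(fat, n, value):
    struct.pack_into("<H", fat, 2 * n, value)


def walk_chain(fat, first):
    """Follow next-cluster pointers from `first` until an end-of-chain mark."""
    chain, c = [], first
    while c < FAT16_EOC_MIN:
        if c < 2 or c in chain:              # free/reserved entry or a loop
            raise ValueError(f"broken chain at cluster {c}")
        chain.append(c)
        c = fat_get(fat, c)
    return chain


def undelete(root_dir, entry_offset, fat, cluster_size, first_char="J"):
    """Restore a deleted entry whose data was stored contiguously.

    Writes the chain first..first+n-1 with an EOC on the last cluster and
    puts `first_char` back as the first byte of the 8.3 name.  Refuses if
    any of those FAT entries is already allocated to another file.
    """
    info = parse_dir_entry(root_dir[entry_offset:entry_offset + 32])
    if not info["deleted"] or info["lfn"]:
        raise ValueError("not a deleted 8.3 entry")
    nclusters = (info["size"] + cluster_size - 1) // cluster_size
    chain = list(range(info["first_cluster"], info["first_cluster"] + nclusters))
    busy = [c for c in chain if fat_get(fat, c) != 0]
    if busy:
        raise ValueError(f"clusters already in use by another file: {busy[:4]}")
    for c in chain[:-1]:
        fat_set(fat, c, c + 1)
    fat_set(fat, chain[-1], FAT16_EOC)
    root_dir[entry_offset] = ord(first_char)
    return chain


def build_fat(n_entries=128):
    """Constructed FAT 0 in the state of the dumps above: the doc's chain zeroed."""
    fat = bytearray(2 * n_entries)
    fat_set(fat, 0, 0xFFF8)                   # media descriptor
    fat_set(fat, 1, FAT16_EOC)
    for first, last in ((42, 72), (73, 77)):  # cover page.jpg, Scheduled Visits.exe
        for c in range(first, last):
            fat_set(fat, c, c + 1)
        fat_set(fat, last, FAT16_EOC)
    return fat


if __name__ == "__main__":
    fat, root = build_fat(), bytearray(DOC_ENTRY)
    print(parse_dir_entry(root))
    print("restored clusters", undelete(root, 0, fat, 512))
    print("chain now ends at cluster", walk_chain(fat, 2)[-1])
```

    On a real image the root directory and FAT 0 are the byte ranges fsstat reported (196608 and 2048 here), and the same patch has to be written to FAT 1 as well, otherwise the two copies disagree.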

    On to the jpg

    With the image still mounted, I check the jpg file

    root@bt:/media/oldcaine# file /mnt/usb/cover\ page.jpg
    /mnt/usb/cover page.jpg: ERROR: cannot read `/mnt/usb/cover page.jpg' (Input/output error)
    root@bt:/media/oldcaine#   

    In the email I received, he said he had succeeded with

    jpg:
    # blkcat usbkey.img 456 31 > coverpage.jpg

    The file can indeed be extracted that way, but the filesystem structure is still broken, particularly the metadata, because with the image mounted the file still cannot be read, let alone copied (except with blkcat, and even then the metadata is not right)

    root@bt:/media/oldcaine# istat usbkey.img 8
    Directory Entry: 8
    Allocated
    File Attributes: File, Archive
    Size: 15585
    Name: COVERP~1.JPG

    Directory Entry Times:
    Written:        Wed Sep 11 08:30:52 2002
    Accessed:       Wed Sep 11 00:00:00 2002
    Created:        Wed Sep 11 08:50:26 2002

    Sectors:
    834 <-- only one sector? for a 15585-byte file...
    root@bt:/media/oldcaine#  

    The problem is in the FAT directory entry.

    0030060: 4267 0000 00ff ffff ffff ff0f 00f4 ffff  Bg..............
    0030070: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
    0030080: 0163 006f 0076 0065 0072 000f 00f4 2000  .c.o.v.e.r.... .
    0030090: 7000 6100 6700 6500 2e00 0000 6a00 7000  p.a.g.e.....j.p.
    00300a0: 434f 5645 5250 7e31 4a50 4720 006d 4d46  COVERP~1JPG .mMF
    00300b0: 2b2d 2b2d 0000 da43 2b2d a401 e13c 0000  +-+-...C+-...<..

    As with the doc file, the metadata is still scrambled.

    From the information we have, the data area starts at cluster 2, and cluster 2 is at sector 416, so the difference between cluster and sector numbers is 414. Check: cluster 420 corresponds to sector 834.

    The 420 comes from the first-cluster field of the directory entry: bytes 26-27 (0x1A) of the 8.3 entry, which counted from the start of this file's first long-name entry at 0x30060 is offset 90 (this is in the FAT16 filesystem documentation). For the jpg, this field holds A4 01

    00300b0: 2b2d 2b2d 0000 da43 2b2d a401 e13c 0000  +-+-...C+-...<..

    A4 01 is little-endian for 0x01A4 = 420 in decimal, while istat shows 834 as the starting sector; from the calculation above, the difference is 414.

    Going back to the initial information:

    FAT CONTENTS (in sectors)
    --------------------------------------------
    456-486 (31) -> EOF <------------- the sector is 456
    487-491 (5) -> EOF
    root@bt:/media/oldcaine

    What he used: blkcat 456 31 <-- sector 456, which means cluster 456 - 414 = 42. Converted to hex, 42 is 0x2A. Now I replace A401 with 0x002A as a 16-bit value; since the field is stored little-endian, I write it as 2A00

    0030060: 4267 0000 00ff ffff ffff ff0f 00f4 ffff  Bg..............
    0030070: ffff ffff ffff ffff ffff 0000 ffff ffff  ................
    0030080: 0163 006f 0076 0065 0072 000f 00f4 2000  .c.o.v.e.r.... .
    0030090: 7000 6100 6700 6500 2e00 0000 6a00 7000  p.a.g.e.....j.p.
    00300a0: 434f 5645 5250 7e31 4a50 4720 006d 4d46  COVERP~1JPG .mMF
    00300b0: 2b2d 2b2d 0000 da43 2b2d 2a00 e13c 0000  +-+-...C+-*..<..

    Now the field at offset 90 is 2A00; I mount the image again

    root@bt:/media/oldcaine# mount usbkey.img /mnt/usb/ -o ro,noatime,loop
    root@bt:/media/oldcaine# ls -al /mnt/usb/
    total 57
    drwxrwxrwx 2 root root 16384 Jan  1  1970 .
    drwxr-xr-x 3 root root  4096 May 10  2009 ..
    -rwxr-xr-x 1 root root  1000 May 24  2002 Scheduled Visits.exe
    -rwxr-xr-x 1 root root 15585 Sep 11  2002 cover page.jpg
    -rwxr-xr-x 1 root root 20480 Apr 15  2002 jimmyj~1.doc
    root@bt:/media/oldcaine# file /mnt/usb/cover\ page.jpg
    /mnt/usb/cover page.jpg: JPEG image data, JFIF standard 1.01
    root@bt:/media/oldcaine#   

    Now the file is recognised and can be copied. Next, a check with istat

    root@bt:/media/oldcaine# istat usbkey.img 8
    Directory Entry: 8
    Allocated
    File Attributes: File, Archive
    Size: 15585
    Name: COVERP~1.JPG

    Directory Entry Times:
    Written:        Wed Sep 11 08:30:52 2002
    Accessed:       Wed Sep 11 00:00:00 2002
    Created:        Wed Sep 11 08:50:26 2002

    Sectors:
    456 457 458 459 460 461 462 463
    464 465 466 467 468 469 470 471
    472 473 474 475 476 477 478 479
    480 481 482 483 484 485 486
    root@bt:/media/oldcaine#

    Yup, the file is normal now.

    Next, the third file, Scheduled Visits.exe

    I start with fls again

    root@bt:/media/oldcaine# fls usbkey.img
    r/r 5:  JIMMYJ~1.DOC
    r/r 8:  cover page.jpg
    r/r 11: Scheduled Visits.exe
    v/v 777411:     $MBR
    v/v 777412:     $FAT1
    v/v 777413:     $FAT2
    d/d 777414:     $OrphanFiles
    root@bt:/media/oldcaine#   

    and then check the file's metadata
    root@bt:/media/oldcaine# istat usbkey.img 11
    Directory Entry: 11
    Allocated
    File Attributes: File, Archive
    Size: 1000
    Name: SCHEDU~1.EXE

    Directory Entry Times:
    Written:        Fri May 24 08:20:32 2002
    Accessed:       Wed Sep 11 00:00:00 2002
    Created:        Wed Sep 11 08:50:38 2002

    Sectors:
    487 488
    root@bt:/media/oldcaine# 

    The file's sector list looks very odd. Next I check the file type; the image is mounted first

    root@bt:/media/oldcaine# file /mnt/usb/Scheduled\ Visits.exe
    /mnt/usb/Scheduled Visits.exe: Zip archive data, at least v2.0 to extract
    root@bt:/media/oldcaine# 

    So it is a zip file

    I copy it to my local drive and unzip it

    root@bt:/media/oldcaine# cp /mnt/usb/Scheduled\ Visits.exe .
    root@bt:/media/oldcaine# unzip Scheduled\ Visits.exe
    Archive:  Scheduled Visits.exe
      End-of-central-directory signature not found.  Either this file is not
      a zipfile, or it constitutes one disk of a multi-part archive.  In the
      latter case the central directory and zipfile comment will be found on
      the last disk(s) of this archive.
    note:  Scheduled Visits.exe may be a plain executable, not an archive
    unzip:  cannot find zipfile directory in one of Scheduled Visits.exe or
            Scheduled Visits.exe.zip, and cannot find Scheduled Visits.exe.ZIP, period.
    root@bt:/media/oldcaine#    

    An error... so something is wrong with this file

    Now I want to check where istat gets the size and sector values above from. As with the two previous files, I go to the file's directory entry

    00300c0: 4269 0074 0073 002e 0065 000f 0055 7800  Bi.t.s...e...Ux.
    00300d0: 6500 0000 ffff ffff ffff 0000 ffff ffff  e...............
    00300e0: 0153 0063 0068 0065 0064 000f 0055 7500  .S.c.h.e.d...Uu.
    00300f0: 6c00 6500 6400 2000 5600 0000 6900 7300  l.e.d. .V...i.s.
    0030100: 5343 4845 4455 7e31 4558 4520 0053 5346  SCHEDU~1EXE .SSF
    0030110: 2b2d 2b2d 0000 9042 b82c 4900 e803 0000  +-+-...B.,I.....

    At byte offset 90 (the first-cluster field, 0x1A of the 8.3 entry) the 16-bit value is 49 00, which read as big-endian is 00 49, i.e. decimal 73 (4 x 16^1 + 9 x 16^0)

    Since the difference between sector and cluster numbers is 414, the file's sector is 487, matching istat. Next, the file size comes from offset 92 (0x1C of the 8.3 entry): E8 03, which in big-endian order is 03 E8, i.e. decimal 1000 ((3 x 16^2) + (14 x 16^1) + (8 x 16^0) = 768 + 224 + 8 = 1000)

    Back to the fsstat output, which says the FAT starts at sector 4; one sector is 512 bytes, so 512 x 4 = 2048 is where the FAT begins, at byte offset 2048. As a simple table:

    byte offset   FAT entry   sector   cluster
    2048          0           414      --- (reserved: media descriptor, holds 0xFFF8)
    2050          1           415      --- (reserved, holds 0xFFFF)
    2052          2           416      002

    Byte offsets 2048 and 2050 have no cluster because FAT really does start at cluster 2 (Microsoft designed it this way; the Wikipedia article on the FAT filesystem explains it). Now I look at the FAT chain (in FAT, the entry for a cluster holds the number of the next cluster, whose entry holds the next one, and so on), reading from byte offset 2052.

    root@bt:/media/oldcaine# xxd -s 2052 usbkey.img | more
    0000804: 0300 0400 0500 0600 0700 0800 0900 0a00  ................
    0000814: 0b00 0c00 0d00 0e00 0f00 1000 1100 1200  ................
    0000824: 1300 1400 1500 1600 1700 1800 1900 1a00  ................
    0000834: 1b00 1c00 1d00 1e00 1f00 2000 2100 2200  .......... .!.".
    0000844: 2300 2400 2500 2600 2700 2800 2900 2a00  #.$.%.&.'.(.).*.
    0000854: 2b00 2c00 2d00 2e00 2f00 3000 3100 3200  +.,.-.../.0.1.2.
    0000864: 3300 3400 3500 3600 3700 3800 3900 3a00  3.4.5.6.7.8.9.:.
    0000874: 3b00 3c00 3d00 3e00 3f00 4000 4100 4200  ;.<.=.>.?.@.A.B.
    0000884: 4300 4400 4500 4600 4700 4800 ffff 4a00  C.D.E.F.G.H...J.
    0000894: 4b00 4c00 4d00 ffff 0000 0000 0000 0000  K.L.M...........

    The value is 03 00, decimal 3. This tells us that the chain starting at cluster 2 continues to cluster 3; the entry for cluster 3 holds 04 00, i.e. 4, meaning that after cluster 3 comes cluster 4, and so on. Back to the cluster chain of Sched.exe: it starts at cluster 73, whose entry is 4A 00

    0000884: 4300 4400 4500 4600 4700 4800 ffff 4a00  C.D.E.F.G.H...J.
    0000894: 4b00 4c00 4d00 ffff 0000 0000 0000 0000  K.L.M...........

    This 16-bit value in decimal is 74, so the next cluster is 74. The entry for cluster 74 holds 4B 00, decimal 75, and so on up to 4D 00 (77); at cluster 77 the file ends (FFFF; in FAT16, FFFF marks the end of the chain). Next, to get the zip file out, I carve it by its clusters, 73 through 77, i.e. sectors 487 through 491 (one zip file), using blkcat

    root@bt:/media/oldcaine# blkcat usbkey.img 487 5 > Sched.exe
    root@bt:/media/oldcaine# file Sched.exe
    Sched.exe: Zip archive data, at least v2.0 to extract
    root@bt:/media/oldcaine#

    Next I will unzip the file and then re-zip it, to see the size of the new zip file. The aim is to correct the real size of sched.exe inside the image, so that when the image is mounted the file can be copied or read correctly because its FAT structure is no longer corrupt. (Re-compressing only gives the right answer if the new archive happens to come out the same length as the original, as it does here; the reliable way is to read the length from the zip's end-of-central-directory record in the carved clusters.)

    root@bt:/media/oldcaine# unzip Sched.exe
    Archive:  Sched.exe
    [Sched.exe] Scheduled Visits.xls password:
       skipping: Scheduled Visits.xls    incorrect password
    root@bt:/media/oldcaine#

    The file turns out to be password protected. Often the password is stored somewhere on the flash drive itself, so I look for that possibility with strings

    root@bt:/media/oldcaine# strings usbkey.img | more
    MSDOS5.0
    NO NAME    FAT16   3
    |8N$}$
    |&f;
    r9&8-t
    at2Nt
    NTLDR
    Remove disks or other media.
    Disk error
    Press any key to restart
    JIMMYJ~1DOC
    ... snip
    pw=goodtimes
    Scheduled Visits.xls
    5kUM
    ... snip
    g#6U
    H@@     +U
    Scheduled Visits.xlsPK
    root@bt:/media/oldcaine#

    There is a string pw=goodtimes; I extract the zip again with that password

    root@bt:/media/oldcaine# unzip Sched.exe
    Archive:  Sched.exe
    [Sched.exe] Scheduled Visits.xls password:
      inflating: Scheduled Visits.xls
    root@bt:/media/oldcaine#   

    Success.

    Now I re-zip the file and look at its size.

    root@bt:/media/oldcaine# zip Sched2.zip Scheduled\ Visits.xls
      adding: Scheduled Visits.xls (deflated 87%)
    root@bt:/media/oldcaine# file Sched2.zip
    Sched2.zip: Zip archive data, at least v2.0 to extract
    root@bt:/media/oldcaine# ls -al Sched2.zip
    -rw-r--r-- 1 root root 2428 Nov 19 02:28 Sched2.zip
    root@bt:/media/oldcaine#

    OK, now the file size is 2428, different from the 1000 that istat reports. Next I change the size stored in the image from 1000 to 2428. First convert decimal 2428 to hex: 0x097C; then to little-endian: 7C 09. At byte offset 92 (the size field, 0x1C of the 8.3 entry) I change E8 03 to 7C 09

    from

    0030100: 5343 4845 4455 7e31 4558 4520 0053 5346  SCHEDU~1EXE .SSF
    0030110: 2b2d 2b2d 0000 9042 b82c 4900 e803 0000  +-+-...B.,I.....

    to

    0030100: 5343 4845 4455 7e31 4558 4520 0053 5346  SCHEDU~1EXE .SSF
    0030110: 2b2d 2b2d 0000 9042 b82c 4900 7c09 0000  +-+-...B.,I.|...
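    A carved zip carries its own length: the end-of-central-directory record is the last structure in the file, so the true length is the record's offset plus 22 plus the length of the archive comment, without having to re-compress anything. The following Python is an added example, not the post's code. It builds a small zip in memory as a stand-in for Scheduled Visits.exe (Python's zipfile cannot write password-protected archives, so the password is left out), lays it over consecutive 512-byte clusters starting at cluster 73 like the image does, carves it the way blkcat does, reads the true length from the EOCD and writes it into the size field at offset 0x1C of a directory entry. The 416 data-start sector and the cluster numbers are taken from the analysis above.

```python
"""Recover a carved zip's true length and patch it into the FAT entry.

Added example, not part of the original post.  The image and the zip are
constructed in memory; nothing reads usbkey.img or Scheduled Visits.exe.
"""
import io
import struct
import zipfile

CLUSTER = 512
DATA_START_SECTOR = 416     # cluster 2 lives here, so sector = cluster + 414
EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory signature
EOCD_LEN = 22               # fixed part of that record; a comment may follow


def cluster_to_sector(cluster):
    return DATA_START_SECTOR + (cluster - 2)


def make_zip(name, data):
    """Constructed stand-in for Scheduled Visits.exe (deflated, no password)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()


def lay_out(payload, first_cluster):
    """Zero-filled image with payload in consecutive clusters from first_cluster."""
    nclusters = (len(payload) + CLUSTER - 1) // CLUSTER
    start = cluster_to_sector(first_cluster) * CLUSTER
    img = bytearray(start + nclusters * CLUSTER)
    img[start:start + len(payload)] = payload
    return img, list(range(first_cluster, first_cluster + nclusters))


def carve(img, clusters):
    """Same as `blkcat usbkey.img 487 5`: concatenate the clusters' raw bytes."""
    out = bytearray()
    for c in clusters:
        s = cluster_to_sector(c) * CLUSTER
        out += img[s:s + CLUSTER]
    return bytes(out)


def zip_true_length(blob):
    """Length of the zip inside blob: EOCD offset + 22 + zip comment length."""
    pos = blob.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record in carved data")
    comment_len = struct.unpack_from("<H", blob, pos + 20)[0]
    length = pos + EOCD_LEN + comment_len
    if length > len(blob):
        raise ValueError("EOCD claims a comment beyond the carved data")
    return length


def zip_opens(blob):
    """True if blob is a complete, intact archive (a truncated one is not)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


def patch_entry_size(root_dir, entry_offset, size):
    """Write the 32-bit little-endian size at 0x1C of the 8.3 entry (E8 03 -> 7C 09)."""
    struct.pack_into("<I", root_dir, entry_offset + 28, size)
    return bytes(root_dir[entry_offset + 28:entry_offset + 32])


if __name__ == "__main__":
    payload = make_zip("Scheduled Visits.xls", bytes(range(256)) * 16)
    img, clusters = lay_out(payload, 73)
    blob = carve(img, clusters)
    n = zip_true_length(blob)
    print("clusters", clusters, "sectors", [cluster_to_sector(c) for c in clusters])
    print("true length", n, "matches" if n == len(payload) else "mismatch")
    print("size field bytes", patch_entry_size(bytearray(32), 0, n).hex())
```

    Two checks are worth keeping when doing this on a real carve: the recovered length must not exceed the number of carved bytes (the chain walked from the FAT bounds it), and the archive must open after trimming to that length, which is the same test `file` and `unzip` performed above.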

    Then I remount the image


    root@bt:/media/oldcaine# mount usbkey.img /mnt/usb/ -o ro,noatime,loop
    root@bt:/media/oldcaine# cp /mnt/usb/
    Scheduled Visits.exe  cover page.jpg        jimmyj~1.doc
    root@bt:/media/oldcaine# cp /mnt/usb/Scheduled\ Visits.exe Sched_baru.exe
    root@bt:/media/oldcaine# file Sched_baru.exe
    Sched_baru.exe: Zip archive data, at least v2.0 to extract
    root@bt:/media/oldcaine# ls -al Sched_baru.exe
    -rwxr-xr-x 1 root root 2428 Nov 19 02:35 Sched_baru.exe
    root@bt:/media/oldcaine# unzip Sched_baru.exe
    Archive:  Sched_baru.exe
    [Sched_baru.exe] Scheduled Visits.xls password:
    replace Scheduled Visits.xls? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
      inflating: Scheduled Visits.xls
    root@bt:/media/oldcaine# file Scheduled\ Visits.xls
    Scheduled Visits.xls: Microsoft Office Document
    root@bt:/media/oldcaine#
                                
    Done. If you are interested in doing the analysis yourself, I can send you the image file as practice material.
     
  • Mada R Perdhana 01:12 on 18 November 2010 Permalink  

    I’m not a newbie anymore… now I become a dummies 

    The story began about 2 months ago, when I was trying to connect to the internet through my GSM modem using one of the Indonesian telecom service providers. After trying (desperately) to connect my modem to the internet, I decided to check what was going on with my connection. I contacted customer service, and they said my credit was insufficient for an internet connection. Well, it's my fault, I forgot to buy the voucher. After borrowing some money from my friend (around 100.000 IDR), I bought the voucher and tried to start the internet connection again. And hooray! The connection was back to normal again... but only for 4 hours! 


    Well, at first I thought the problem came from my GPRS modem. I tried disconnecting and reconnecting the modem all night long, but still no result. The next day I decided to contact customer service again, and they said I needed to wait for 24 hours. Well then, I had no choice at all. After 24 hours I tried to connect the modem again but still had the same problem: I could not get onto the internet. Then I decided to contact customer service again, and they said I needed to wait 24 hours x 7 days.. What the h...

    To cut a long story short, after 7 boring days of waiting, I decided to connect my modem again and the result was still the same; at that point I thought there must be something wrong with the modem. I decided to borrow another modem from my friend, and the result was still the same. Then I tried replacing my card with another SIM card from the same provider (again borrowed from my friend), and this time I could connect to the internet.. oh sh*t.

    Well, after all that happened to me, the next day I decided to contact customer service again, and as I expected, they asked me to wait for 24 hours x 7 days again! I decided to wait again, and after waiting for one week they asked me to wait for 1 more week. Now the validity period of my card has ended, and my 100.000 IDR is gone along with the SIM card's expiry. I tried to protest, but it was useless. And this is the point where I changed from a newbie into a dummy. Yes, now I became a dummy, I lost my mind and my knowledge, and here comes the dark side

    I started to think about how to take revenge. Yes, I tried to take back the things that were supposed to be mine. My mind kept running, as I remembered that the modem gave me an IP address even though I could not connect to the internet. So this is my entry point. I fired up my BT 4, called wvdial and got connected; I had the IP address.

    local IP address x.x.x.x
    Remote IP address z.z.z.z
    Primary DNS address a.a.a.a
    Secondary DNS address b.b.b.b

    This is good! After that I tried nslookup on some addresses, but it looked like I had no connection. Well, I fired up mtr, but still no connection. I tried changing my destination address, this time choosing the IP addresses of the DNS servers, both primary and secondary. And what interesting info I got: now the IP address changed into a local address at every hop. It was no longer 10.x.x.x but 192.x.x.x. That seemed promising to me, and now I became more serious.
    I then decided to do some scanning on each hop I got, and it started showing me live hosts with various devices. After finishing the scans of each network, I tried checking each service by nc-ing to each port that popped up during the scanning session. I got many strange port numbers, and some of them gave me an interesting banner via nc, from NSN to SGSN :)

    Well, now I had some targets here. I started to crack all the services one by one all through the night, and the results seemed worthwhile. Now I could log in to some machines, which in my opinion must be the "router" devices of the provider. Well, at first I had some problems running the console, but I have Google, always ready to answer all my questions :) To cut a long story short, I played around for a while inside the machines (every machine I could get into), running some commands useful to me, such as capturing traffic, dumping configuration, backing up settings or firmware; on some machines I could even dump the database structure :)

    For the sake of ethics and for my own security, I can give you neither the name of the company nor the real configuration strings, but I will give you some "teasers"
    SGSN_RTT
            "REPORT_TIME" TIMESTAMP,
             "IMSI" VARCHAR(16),
            "IMEI" VARCHAR(16),
            "RA_ACCESS_TYPE" TINYUINT,
            "RNC_ID" SMALLUINT,
            "CGI_LAC" SMALLUINT,
            "CGI_RAC" TINYUINT,
            "PHYSICAL_PAPU_ID" TINYUINT,
            "PAPU_ID" TINYUINT,
            "APN" VARCHAR(101)
    .... long list...
    and also
    TrafDbep [NNNNNN]
    Job info : XXCCZZZZZ
    job id: 0xXBCCC, 
    SGSN_RTT event exporting finished. 
    Total data size BBBBBBBBBB
    Time: ZZZ BBB XXX 2010
    Host: YYY-TRAFFIC0000000
    Process: NNNNN
    Location: XXXXX
    Product version:Z.X.X.CC


    and more
    SR:(OFAM=2A)AND(NUM=0BXCD,0BCCB,0BCD4,0BZE5,0BDDC)
    GMG_G6JX.PAC XX/NN ZZZZ 2010   SGXENVJ7.PAC 5.5-0
    "G99"
    #H16"
    BLACKBERRY
    MNCNXNX
    MCCMNZB
    HSDPA

    GPRS
    XXCBNMM
    #
    more 


    Not enough space for a full dump. Generating a partial dump
    msgbuf: 0x%x[0x%x] = %d
     (added)
     (%0x%x > %0x%x)
    text + data + bss + rest: [0x%x - 0x%x]
    INCOMPLETE CORE DUMP:
    Dumping 0x%x pages of memory to sec 0x%x, 0x%x sectors
    Updating header at addr 0x%x to sec 0x%x, 0x%x sectors
    more..


    SGSN SG6 DX200 CD9
    3GSGSN CD5
    FLEXI ISN rel 3.2 SW Rel. 3.9.2NET-FCS21 CD5


    Well, I think that's enough, for my own safety. Now I'm no longer a newbie; the dark side has taken over my mind and I have become a dummy :(
     
  • Mada R Perdhana 02:18 on 16 November 2010 Permalink  

    Open Source Forensics Fundamental Course 

    I'm planning to open my computer forensics course. To begin with, I would like to teach about using open source tools for handling computer forensics cases. Since I don't have a place to teach in, the course would be on-site training.

    The purpose of this short course is to provide an introduction to the GNU/Linux (Linux) operating system as a forensic tool for computer crime investigators and forensic examiners. This course also tries to follow the philosophy that a hands-on approach is the best way to learn. GNU/Linux operating system utilities and specialized forensic tools available to investigators for forensic analysis are presented with practical exercises.

    I will provide the course with some forensic materials which will be used along the course, such as some disk images, some log files, and of course some Linux distributions used for digital forensics. The course should take 1 - 3 days. All students should prepare their own laptop or PC. Different from other general courses, I will not provide a course module (I'm too lazy to make such things), but I will provide the students with some material which I have collected for my own collection, e.g. articles, ebooks, etc.
    Generally the course outline would be:

    Linux installation

    • Overview of Linux distributions
    • Ubuntu installation
    • Desktop environment
    • Configuring Ubuntu

    Linux disk, partition and file system
    • Knowing disk
    • Knowing partition
    • Using modules
    • Knowing file system

    Linux boot sequence (simplified)
    • Booting the kernel
    • Knowing runlevel
    • Global start-up script
    • Service start-up script
    • Bash

    Linux basic command
    • Linux at terminal
    • Another useful commands
    • File permissions
    • Knowing meta character
    • Some hints
    • Pipes and redirection
    • Super user

    CLI Editor
    • Introduction to pico
    • Introduction to another CLI editor

    Mounting file system
    • Knowing mount command
    • File system table

    Linux and forensic (basic)
    • Useful command for forensic
    • Analysis organization
    • Determining disk structure
    • Imaging evidence disk
    • Knowing loopback device
    • File hash
    • Analysis
    • Unallocated and slack space

    Common forensic issues
    • Handling large disk
    • Preparing image disk
    • Obtaining disk information (Chain of custody)

    Advanced Linux forensic
    • Command line
    • More with dd
    • Splitting file and image
    • Compression
    • Data carving
    • Partition carving
    • Determining the Subject Disk File System Structure
    • dd and nc

    Forensic tools
    • Introduction to sleuthkit
    • Exercise 1,2,3,4 and 5 with sleuthkit
    • LIBEWF (Expert Witness Files)
    • Introduction to SMART

    Introduction to Linux forensic distribution
    • Introduction to various Linux distributions for DF
     

    Who should attend
    • Law enforcement
    • Computer crime-related investigator
    • System administrator
    • Professional security consultant
    • Newbie
    For more information you may contact me directly by email at 6d72702e62707040676d61696c2e636f6d (you might use this link to convert the hex code)
     
  • Mada R Perdhana 00:28 on 16 November 2010 Permalink  

    Mayday..mayday.. we got mrp-bpp.net down in here!!! 

    Once again, mrp-bpp.net went down. For the last three days, my domain name has been permanently shut down. As I remember, this is the third time mrp-bpp.net has been deactivated. Instead of taking care of this domain name stuff, I would rather move my site to Blogspot. Yes, from now on, I'm officially using Blogspot as my log pad. And I will use infosecnewbie.blogspot.com as my domain name.

    While mrp-bpp.net was still down for the last three days, I was preparing to finish my first book, which will take as its topic information security, especially malware and exploit development. Sounds advanced? Don't worry, as I explained before in my first post, I will only talk about newbie stuff (since I'm a newbie), and the same with my book: it will only talk about newbie stuff, nothing more. Then why did I take those topics? It's all about marketing :). Hopefully it will be finished by the end of this month. And the book will be written in Indonesian. Maybe next, I will try to write it in English.


    OK, I will tell you a little about the book itself. I will not tell you the title; I will only tell you about the stuff inside the book (generally). The book will bring you into the world of reverse engineering. Yes! You will learn what RE is and why we do it. Oh, now you want to know what RE is? Let's see what Wikipedia says about it:

    Reverse engineering is the process of discovering the technological principles of a device, object or system through analysis of its structure, function and operation. It often involves taking something (e.g., a mechanical device, electronic component, or software program) apart and analyzing its workings in detail to be used in maintenance, or to try to make a new device or program that does the same thing without using or simply duplicating (without understanding) any part of the original.
    In the IT world, we use a specific term; we call it Reverse Code Engineering, since reverse engineering in the IT world relates to software or computer applications. Well, enough of the RCE stuff; we move on to the next chapter of my book, where I try to explain malware and all the stuff around it. So what is the connection between both of those things? Well, you need to read my book to find out, or try to google it.

    And in the next chapter, I try to explain the "life cycle" of an exploit: how we could find it, how to develop it, from a vulnerability (bug) into an exploit application which could run a payload inside someone else's system. Sounds difficult? No, it is not. I'm using simple language to explain the stuff and using a live example, so even my 2-year-old daughter could make her own exploit application.

    In the last chapter, I will wrap it all up and try to explain how we could use Metasploit to make our job easier.

    That's it. I already told you about my book. Hopefully by the end of this month I could finish it and send it to the publisher.
     
  • Mada R Perdhana 13:41 on 11 November 2010 Permalink
    Tags: Tips   

    Dear Sir, this is my answer… 

    A few years ago, my Linux mentor asked me how to fool an intruder by chrooting the system, and this is my answer. Once you understand what a chroot jail is and have already set one up (read my article about what a chroot jail is), you can begin using it. This involves configuring the server to operate in the jail, starting the server so that it runs in the jail, and controlling outside access to the jail. This section describes how to do these things, and it concludes with an example of running a name server in a chroot jail.

    Running a Server in a chroot Jail

    If you're running a server with explicit chroot() support, chances are it includes one or more configuration options relating to chroot operation. For instance, ProFTPd's <Anonymous> directive automatically sets up the server to operate from the specified directory as a chroot jail. You should consult your server's documentation to learn what configuration options invoke chroot operation, and set them appropriately. If you're configuring a server that lacks explicit chroot support, you should begin with a working configuration from the main Linux environment.


    Test the server outside of its jail to be sure the basic configuration works. You can then copy the configuration files to a chroot jail, and that configuration should continue working with few or no changes. Once the environment is correctly configured, you should be able to run the server by using the chroot command, which has the following syntax:

        chroot /new/root server-name [server-options]

    The /new/root directory is the chroot jail directory, server-name is the name of the server (complete with path, if necessary), and server-options is any options the server needs. Note that you specify the path to server-name relative to its new root. For instance, if the program file is /opt/chroot/bin/server, with /opt/chroot as the jail directory, you'd type the following to launch the server:

        # chroot /opt/chroot /bin/server

    If your server normally starts through a SysV startup script or a local startup script, you'll have to modify the startup script to include the chroot command, or disable the startup script and find some other way to start the server.

    If the server normally runs from a super server, you'll need to set up the super server within the chroot environment along with the target server, alter the super server launch command to incorporate a chroot call, or change the server startup method to use a SysV or local startup script.

    Controlling Local Access to the chroot Environment

    The chroot jail sets up one-way protection: programs within the chroot jail cannot influence the system outside of the jail. You might want to limit access in the other direction as well. For instance, you might want to set up a server in a chroot jail and use restrictive permissions on the chroot jail directories to prevent unauthorized users from reading the files in those directories.

    You can do this by setting the ownership on the chroot jail to root, setting the group ownership to a special group, and using 0640 (rw-r-----) permissions on the files in the directory tree. You can then run the server as a user in the special group you create for this purpose. The result is that the server can read but not write files within the chroot jail, and outside of the jail, only root can read or write files within the tree. Of course, you may need to loosen some of these permissions if the server must be able to write files.

    Attention! As a general rule, you shouldn't give the server write access to all the files or directories in its jail. In the case of a server compromise, this would allow the server to rewrite critical configuration files and utilities in a way that might cause problems. If a server normally runs as root, the risk of giving it full write access to all files in the jail is no greater than the risk of running the server as root outside of the jail, but for a server that doesn't run as root, giving ownership of program files to the server can increase the risk, at least within the chroot environment.

    An Example: Running BIND in a chroot Jail

    The preceding description may be helpful in setting up a chroot jail, but it may be even more helpful to ground the topic with a more concrete example. Therefore, this section describes the installation of the Berkeley Internet Name Domain (BIND) in a chroot jail. You should know how to administer a domain via DNS before proceeding. This example doesn't change the default BIND configuration except to move it to a chroot jail, though, so you don't need to be familiar with the intricacies of name server configuration. This section uses a Debian 2.2 installation as an example. The procedures used will differ slightly for other distributions because of different package management systems and different default configuration files. NOTE: This example uses the chroot command to run BIND in its jail.

    To begin the process, we need the standard BIND package installed. This can be done in many ways with Debian, but for this example, I used apt-get:

        # apt-get install bind

    This installs the standard Debian BIND package in the normal way. The installation script runs and asks if you want to add the local machine as a name server to /etc/resolv.conf. For testing purposes, I did not do this, but this detail is unimportant for demonstration purposes. When done, Debian runs BIND, which you can verify as follows:

        # ps aux | grep named
        root 7656 0.0 1.5 2184 1492 ? S 13:29 0:00 \ /usr/sbin/named
        # host awl.com localhost
        awl.com A 165.193.123.224

    The second command serves to verify that BIND is installed and working; it calls the host command to locate the IP address of awl.com using the server on localhost. You can substitute any other hostname you like for awl.com, or use your server's true name or IP address instead of localhost. If you get a command not found error, you must install the dnsutils package in Debian to get the host program. (This program may be in a package of another name, such as bind-utils, in other distributions.)

    Now that you've verified that the server is working, you can shut it down:

        # /etc/init.d/bind stop

    After shutting down the server, the next step is creating a chroot directory tree. This example uses /opt/chroot as the chroot jail directory. Thus, we begin by creating the jail directory tree and moving the BIND files into that tree:

        # mkdir -p /opt/chroot/usr/sbin /opt/chroot/var/cache/bind
        # mkdir /opt/chroot/lib /opt/chroot/etc
        # cp /usr/sbin/named /opt/chroot/usr/sbin
        # cp -rp /etc/bind/ /opt/chroot/etc

    NOTE: This procedure shows configuring BIND to run using the chroot command, but in fact BIND includes built-in chroot() support, so there is a slightly easier way to do it, as described shortly. Even if you use the easier method, though, you'll need to set up the chroot jail directory tree and copy the configuration files to it. You may omit named itself, though.

    These commands set up the basics of the BIND directory tree and copy the named server and configuration files in /etc/bind to the appropriate directories in the chroot jail. If you were installing a server from scratch, you would probably have to do some investigation to learn precisely what files you'd need to copy, and you might end up creating these files and directories in a piecemeal fashion.

    One particularly important bit of detective work is locating the support libraries upon which the server relies. You can do this, and copy the libraries, using ldd, as follows:

        # ldd /usr/sbin/named
        libc.so.6 => /lib/libc.so.6 (0x40017000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
        # cp /lib/libc.so.6 /lib/ld-linux.so.2 /opt/chroot/lib

    At this point, you can test your configuration:

        # chroot /opt/chroot /usr/sbin/named
        # host awl.com localhost
        awl.com A 165.193.123.224

    If this doesn't work, check that only one instance of named is running, and that you created or copied all the necessary files. You can then modify the BIND startup script (/etc/init.d/bind in Debian) to start the server via the chroot command, or disable the SysV startup script and start the server in some other way. Many SysV startup scripts use wrapper programs (such as start-stop-daemon and ndc in Debian) to do their work, and these programs may create files in still more directories, such as /var/run, so you must copy these files and directories to within the chroot jail:

        # mkdir -p /opt/chroot/sbin /opt/chroot/var/run
        # cp /usr/sbin/ndc /opt/chroot/usr/sbin
        # cp /sbin/start-stop-daemon /opt/chroot/sbin

    You can edit the SysV startup script by adding chroot /opt/chroot before every instance of both start-stop-daemon and ndc.

    Unfortunately, your work still isn't done, because start-stop-daemon relies on the /proc filesystem, which isn't available in the chroot directory tree. You can edit your /etc/fstab file to make it available: copy the existing line for /proc and rename it so that it mounts at /opt/chroot/proc. You must then type mount -a to mount the duplicate /proc within the chroot jail.

    WARNING: As noted earlier, the /proc filesystem is potentially very powerful, so a better approach is to edit the SysV startup script so that it doesn't use start-stop-daemon, or abandon the SysV startup script entirely and use some other method of starting the server.

    At this point, you should be able to start the server using the SysV startup script and test it in its final configuration:

        # /etc/init.d/bind start
        # host xxx.com localhost
        xxx.com A 165.193.123.224

    If you want to be sure the server is running from the chroot environment, you can delete the original program file (in /usr/sbin) and its configuration files (in /etc/bind), then restart the server. If your tests still work, you can be confident that the server is running from its chroot jail. As an alternative to running BIND with the chroot command, you can use the -t option to named, which activates named's internal chroot() call. For instance, you can launch the server in this way:

        # /usr/sbin/named -t /opt/chroot

    This approach is simpler than the preceding one because you don't need to copy as many files to the chroot jail directory; you can omit named and the libraries upon which it depends. You must still copy the named configuration files, though (in /etc/bind in this example), because named's -t option causes it to lock itself in its chroot jail before reading its configuration file. Using named's -t option also has the advantage of requiring fewer changes to the SysV startup scripts; you need only pass the -t /opt/chroot option through to the server by placing this option at the end of the start-stop-daemon call, preceded by a double dash (--). There's then no need to duplicate the /proc filesystem within the chroot jail.

    Of course, the exact procedures you use will be different for other servers or other distributions. Nonetheless, the basic outline should be similar to what's described here. You might also want to make some further changes to the chroot environment, such as changing the permissions on the directories or reconfiguring the server to run as a user other than root (the default for BIND under Debian). If you don't want to get busy and confused with this article, you may use a program called makejail that automatically builds and runs chroot jail daemons.
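    The BIND walkthrough above copies the program and the libraries ldd lists by hand, and the "Controlling Local Access" section describes the root-owned, group-readable 0640 scheme; the script below does both steps and checks the result. It is an added example, not the article's own code, and assumes the /opt/chroot path and a group named bindjail; its verify step only checks that the files are present, it does not replace testing with host as the article does.

```shell
#!/bin/sh
# Added example (not from the article): build a chroot jail for a server binary
# by copying it plus every library ldd reports, then apply the article's
# root:GROUP / 0640 scheme. /opt/chroot and the group "bindjail" are assumptions.
set -u

# needed_libs BINARY : absolute paths of the shared objects ldd reports for BINARY.
# ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or "/lib/ld-linux.so.2 (0x...)";
# the vdso has no on-disk path, and for a static binary ldd fails, so nothing is printed.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'
}

# copy_with_libs JAIL BINARY : copy BINARY and every library it needs into JAIL,
# keeping the same paths so "chroot JAIL BINARY" finds them where the loader looks.
copy_with_libs() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    needed_libs "$bin" | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"      # cp follows the symlink, so the real object lands in the jail
    done
}

# verify_jail JAIL BINARY : succeed only if the program and all its libraries are in the jail.
verify_jail() {
    jail=$1; bin=$2
    [ -x "$jail$bin" ] || return 1
    needed_libs "$bin" | while read -r lib; do
        [ -f "$jail$lib" ] || exit 1  # exits the pipeline subshell, which fails the function
    done
}

# harden_jail JAIL GROUP : the article's scheme (root owns everything, GROUP may read,
# others get nothing). Directories, programs and libraries get 0750 instead of 0640
# because they must stay traversable/executable; the article leaves that implicit.
harden_jail() {
    jail=$1; group=$2
    chown -R root:"$group" "$jail" 2>/dev/null ||
        echo "note: run as root to set root:$group ownership on $jail" >&2
    find "$jail" -type d -exec chmod 0750 {} +
    find "$jail" -type f -exec chmod 0640 {} +
    find "$jail" -type f \( -path '*/bin/*' -o -path '*/sbin/*' -o -path '*/lib*/*' \) \
        -exec chmod 0750 {} +
}

# world_readable_count JAIL : number of entries readable by "other"; 0 after harden_jail.
world_readable_count() {
    find "$1" -perm -004 | wc -l | tr -d ' '
}

# Demo on the article's layout (run as root: sh jail.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    copy_with_libs /opt/chroot /usr/sbin/named
    mkdir -p /opt/chroot/etc && cp -rp /etc/bind /opt/chroot/etc   # config files, as in the article
    harden_jail /opt/chroot bindjail
    verify_jail /opt/chroot /usr/sbin/named && echo "ready: chroot /opt/chroot /usr/sbin/named"
fi
```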
     