A few years back, I researched runtime process infection. I developed a shared library to ease code injection and hijacking. The project, libhijack, only got up to version 0.3 but was full-featured at 0.3. I now own a MacBook Pro and would like to try my hand at porting libhijack to DTrace. I'd like to research how to use DTrace for malicious purposes.
I'll report back when I learn a bit more.
For the past little while, I've had a few projects at an online security community called Binary Revolution (BinRev for short). I had the opportunity to cohost a radio show called BinRev Radio Remix. It was a lot of fun and I'll be looking forward to next month's show live at Defcon. Feedback for this episode can be sent to lattera@0xfeedface.org.
Show Notes:
I just bought some new networking equipment. I'll be upgrading the network this weekend. Please be patient through any downtime.
I've now integrated 0xfeedface.org with Google Apps. If you want to contact me, you can email me at lattera[at]0xfeedface.org. I also have a Google Wave account at that same address. That is also my Google Chat address. I'll be setting up accounts for our other users.
I realized that I've been posting a lot about OpenSolaris. Today's no exception. I've been attempting to set up a vuln-dev lab here at work using OpenSolaris, Crossbow, and xVM. I love the things Crossbow lets me do. I can virtualize the entire network stack, creating virtual switches, virtual NICs, and virtual VLANs. These last two days, though, have been a bit of a challenge as I work through what I think is a bug.
To set the stage, I have to do a bit of explaining. I have two separate etherstubs (an etherstub is a virtual switch). One etherstub is called xenswitch1, which is responsible for the 192.168.3.0/24 virtual network. The other etherstub is called xenswitch2 and is responsible for the 192.168.4.0/24 virtual network. The host has a VNIC on each network, with the .1 IP address. Here's the console output in case what I just wrote doesn't make sense:
root@shawn-vulndev:~# dladm show-link
LINK        CLASS      MTU   STATE    BRIDGE  OVER
nge0        phys       1500  up       --      --
xenswitch1  etherstub  1500  unknown  --      --
xenswitch2  etherstub  1500  unknown  --      --
xenvnic0    vnic       9000  up       --      xenswitch1
xenvnic1    vnic       9000  up       --      xenswitch2
xvm29_0     vnic       1500  up       --      xenswitch2
xvm30_0     vnic       1500  up       --      xenswitch1
xvm31_0     vnic       1500  up       --      xenswitch1
root@shawn-vulndev:~# ifconfig xenvnic0
xenvnic0: flags=1100843 mtu 9000 index 7
        inet 192.168.3.1 netmask ffffff00 broadcast 192.168.3.255
        ether 2:8:20:e6:fc:37
root@shawn-vulndev:~# ifconfig xenvnic1
xenvnic1: flags=1100843 mtu 9000 index 6
        inet 192.168.4.1 netmask ffffff00 broadcast 192.168.4.255
        ether 2:8:20:a3:e3:4
I have a VM on each etherstub as well. I have a Windows Server 2008 Enterprise VM on xenswitch1 with an IP of 192.168.3.3 and an Ubuntu Desktop 10.04 VM on xenswitch2 with an IP of 192.168.4.2. Both networks are fully NATed.
You would think that if I were to ping the Win2k8 VM from the Ubuntu VM, the ICMP packet would go outbound from xenvnic1 to xenvnic0. However, the bug I found is that if Ubuntu sends a packet to the 192.168.3.0/24 network, the packet goes outbound from the xenvnic0 interface. All other traffic is treated like normal and goes outbound from the xenvnic1 interface.
I haven't found a solution, yet. I hope the explanation of the issue was clear. I'm always looking for pointers in doing this better, especially in this situation.
I've been tasked with designing and implementing a set of systems to serve as a NAS and a dedicated virus scanning machine. Three systems will be involved: a Windows Server 2003 box acting as a domain controller, a Windows Server 2008 box acting as a dedicated virus scanning machine for file uploads, and an OpenSolaris NAS. The OpenSolaris NAS will be authenticating via Active Directory and serving files over CIFS/SMB.
Because of how large this project is, I decided first to test configurations in a lab. When Windows Server acts as a domain controller, it likes to take full control over the network. It likes to serve DHCP, DNS, NTP, and act as the gateway. I needed to be able to have the virtual lab, then, on its own private network. I first tried VirtualBox, since it can natively do host-based networking. However, I learned that VirtualBox's support for host-based networking is practically broken in OpenSolaris hosts. Naturally, I turned to xVM.
Prior to choosing xVM, I knew OpenSolaris's cool networking feature Crossbow could do some pretty cool things. Crossbow can simulate a virtual layer three ethernet switch and I can set up virtual NICs (VNICs) and VLANs. Using Crossbow and this tutorial, I was able to set up a private network to host my lab. I won't dive into the details of how to do it, since it's laid out really nicely in that tutorial (complete with pictures, yay!). One thing it didn't discuss, however, is that in order for your VNIC configuration to persist upon reboots, you cannot use NWAM. You have to disable NWAM via svcadm disable network/physical:nwam and set up oldschool static IP configuration via /etc/hostname.[vnic] and svcadm enable network/physical:default.
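The persistence steps above, collected into one script as an added example (not the post's or the tutorial's own code). It assumes an OpenSolaris host with dladm and svcadm; the ROOT and DRY_RUN knobs are mine, so the generated /etc/hostname.[vnic] files can be inspected under a scratch prefix before touching a live box.

```shell
#!/bin/sh
# Added example: persistent Crossbow lab network for the two etherstubs
# described above. ROOT redirects the hostname.<vnic> files (for review);
# DRY_RUN=1 prints the dladm/svcadm commands instead of running them.
ROOT="${ROOT:-}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# One virtual switch plus the host-side VNIC that will own .1 on it.
# dladm objects are persistent by default (no -t), so they survive reboots.
create_lab_switch() {
    switch="$1"; vnic="$2"
    run dladm create-etherstub "$switch"
    run dladm create-vnic -l "$switch" "$vnic"
}

# Static IPv4 config that network/physical:default applies at boot:
# each line of /etc/hostname.<vnic> is passed to "ifconfig <vnic> inet".
write_hostname_file() {
    vnic="$1"; addr="$2"; mask="$3"
    mkdir -p "$ROOT/etc"
    printf '%s netmask %s up\n' "$addr" "$mask" > "$ROOT/etc/hostname.$vnic"
}

# NWAM ignores the hostname.<vnic> files, so swap to the legacy service.
switch_to_static_networking() {
    run svcadm disable network/physical:nwam
    run svcadm enable network/physical:default
}

setup_lab() {
    create_lab_switch xenswitch1 xenvnic0
    create_lab_switch xenswitch2 xenvnic1
    write_hostname_file xenvnic0 192.168.3.1 255.255.255.0
    write_hostname_file xenvnic1 192.168.4.1 255.255.255.0
    switch_to_static_networking
}

# Only apply the full setup when asked to, so the file can be sourced safely.
if [ "${LAB_SETUP:-0}" = "1" ]; then setup_lab; fi
```

Run with `LAB_SETUP=1 DRY_RUN=1 sh lab-net.sh` first to see exactly which commands and files it would produce.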
To sum up, OpenSolaris mixed with xVM and Crossbow provides an amazing virtual machine and lab solution. Crossbow is so simple to use and easy to integrate with other technologies, like xVM.
Over the past few years working as a software engineer and security analyst, I've learned a few things about server administration. One I'd like to write about today is filesystem organization and planning. The company I work for has been in business for around six to eight years. They spent quite a few thousand dollars buying a few Intel-based servers running Windows Server 2003. After years of use, our development server has no space left and often crashes due to lack of hard drive space.
One reason why we're having space issues is that we don't have any rules regarding organization. Often, we spend at least a half hour each day looking for the latest copy of one file. Sometimes that file is documentation, other times it's a necessary DLL. We have multiple versions of files stored in multiple locations on multiple drives. Figuring out which file in which directory on which drive to grab can be a daunting task.
Take a lesson from someone who has spent countless hours looking for files: keep your servers organized, especially if those servers are to remain in production for more than five years. Maintain a strategy for expansion.
After not doing much hobbyist programming for around a year, I started programming in C again. I gotta say that I love it. I'm rewriting an IRC bot I wrote in Python a while ago. Concepts that were foreign to me now seem logical and easy to understand. Maybe I'll create a code section for various bits of code I've written. Most of the projects I've done over the years have stalled out. I make no promises as to the cleanliness or vulnerability-free-ness of the code I'll post.
The code repository has been set up. Take a look.
I just put up a page for videos. I have the Defcon 17 videos and will be watching them. I'll post to the new Videos page talks that I found interesting. There's currently one talk from BlackHat USA 2009: Moxie Marlinspike's Defeat SSL talk.
HP announced yesterday that they will acquire Palm for $1.2 billion. Palm has been a leader in handheld consumer electronics for many successful years. With the transition from PDAs to smartphones, Palm has had to reinvent its business strategy. The iPhone craze changed the landscape of consumer electronics. Palm entered the smartphone market too late with its Palm Pre and Palm Pre Plus line. Those I know who own a Palm Pre are very happy with WebOS, Palm's smartphone OS.
By the time WebOS was released, Android and iPhone were already way ahead in features and capabilities. Android and iPhone still provide a better smartphone experience than WebOS.
It's still unclear what HP intends to do with Palm's technologies. I hope that HP will convert the WebOS lineup to Android and open-source WebOS. Neither of those will probably happen, but it's what I'd like to see.