Lecture 1 - Introduction. Basic Exploration Tools
Transcript of Lecture 1 - Introduction. Basic Exploration Tools
Lecture 1Introduction. Basic Exploration Tools
Computer and Network SecurityOctober 12, 2020
Computer Science and Engineering Department
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 1/51
Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 2/51
On this class
I Computer and Network SecurityI offensive security, hacking, reverse engineering, runtime
application securityI programming/practical orientedI focus on binary exploitation (pwn levels in CTFs)I lecture: Monday, 4pm-6pm, room PR002, RazvanI labs:
I Monday, 2pm-4pm, RazvanI Monday, 6pm-8pm, Mihai, DennisI Thursday, 6pm-8pm, Adrian
I http://ocw.cs.pub.ro/cns/
I but first:https://ocw.cs.pub.ro/courses/cns/need-to-know
I labs start on Monday, October 12, 2020, 6pmI last instance of the first lab on Monday, October 10, 2020,
4pm, room PR706
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 3/51
The Team
I Razvan Deaconescu: lectures, lecture tests, exam
I Mihai Dumitru: labs, infrastructure
I Dennis Plosceanu: labs
I Adrian S, endroiu: labs, assignments, lectures
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 4/51
Resources
I wiki (content): http://ocw.cs.pub.ro/cns/
I MS Teams: live action
I Moodle (news, deadlines, exam, dicussions, links to content, feedback)I SRIC (not-enrolable, only used for feedback)I SCPD (not-enrolable, only used for feedback)I common/meta (enrolable, actually used)
I Facebook (news, trivia): http://facebook.com/cns.upb
I mailing list (news, dicussions):https://ocw.cs.pub.ro/courses/cns/resources/mailing-list
I assignment write-only mailing-list (assignments):http://cursuri.cs.pub.ro/cgi-bin/mailman/listinfo/oss-support
I calendar & planning: https://ocw.cs.pub.ro/courses/cns/calendar
I virtual machines (labs, assignments, CTFs):https://ocw.cs.pub.ro/courses/cns/resources/vm
I CTF platform (assignments, labs):https://cns-ctf.security.cs.pub.ro/home
I team: to yell at
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 5/51
Lab Split
I happens on the curs.upb.ro Discussion forum
I threads for each of the 4 lab slots
I almost complete
I you need to be enroled
I you can enrol by yourself by accessing the CNS curs.upb.roinstance
I limit is 16 students per lab slot
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 6/51
Class Keywords
I reverse engineering
I binary inspection
I stack overflow
I buffer overflow
I shellcode
I shell execution
I exploiting
I runtime application security
I return oriented programming
I CTF (Capture the Flag)
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 7/51
Table of Contents
planning: https://ocw.cs.pub.ro/courses/cns/calendar
1. Introduction. Basic Exploration Tools
2. Program Analysis
3. The Stack. Buffer Management
4. Exploiting. Shellcodes
5. Exploiting. Shellcodes (part 2)
6. Exploit Protection Mechanisms
7. Strings. Information Leaks
8. Return Oriented Programming
9. Return Oriented Programming (part 2)
10. Use After Free
11. Practical Attacks (part 1)
12. Practical Attacks (part 2)
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 8/51
Bibliography
I Robert Seacord – Secure Coding in C and C++, AddisonWesley Professional, 2005
I Robert Seacord – The CERT C Secure Coding Standard,Addison Wesley Professional, 2008
I Anton Chuvakin, Cyrus Peikari – Security Warrior, O’Reilly,2004
I Grey Hat Hacking. The Ethical Hacker’s Handbook, 3rdEdition, McGraw Hill, 2011
I Enrico Perla, Massimiliano Oldani – A Guide to KernelExploitation, Syngress, 2011
I Jon Erickson – The Art of Exploitation, 2nd Edition, NoStarch, 2008
I Michael A. Davis, Sean M. Bodmer, Aaron LeMasters –Hacking Exposed. Malware and Rootkits, McGraw Hill, 2010
I Bruce Schneier – Applied Cryptography, John Wiley & Sons,1996
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 9/51
Grading
I 2 points – lab involvement
I 4.5 points – 3 assignments
I 3.5 points – final exam
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 10/51
Final Exam
I oral exam
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 11/51
CTF – Capture the Flag
I computer security competition
I educational, practice
I attack/defense vs. jeopardy
I web, stegano/forensics, crypto, binary/reverse, pwn/exploit,protocol, misc
I wargames
I may equate assignment points
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 12/51
Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 13/51
C Programming Language
I lingua franca of low-level programming
I powerful enough to build amazing software and flexibleenough to shoot yourself in the foot
I close to hardware, everything is at some point coming from Ccode
I direct access to memory management (buffers, strings, arrays,pointers): mixed blessing
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 14/51
Linux / Unix CLI. Shell Scripting
I move around quickly
I investigate, analyze system
I quickly develop, build, debug, analyze applications
I automate tasks
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 15/51
Assembly Language
I everything turns to machine code
I one may not have access to the source code, but it can bedisassembled
I hardware specific – the “guts” of the computer
I required knowledge to fully be able to exploit and protect thesystem
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 16/51
Data Representation
I binary, octal, hexadecimal
I ASCII
I signed / unsigned integers: size, range, 2’s complementrepresentation
I endianess
I there are 10 types of people in the world . . .
I disassembled code, addresses and hardware instructions areshown in hexadecimal
I one is required to easily convert hexadecimal to decimal andthe other way around
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 17/51
Operating Systems
I system and application inner workings
I process virtual address space
I application run time: CPU, memory, I/O usage
I system calls, kernel space
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 18/51
Process Investigation
I processes and resource usage: ps, pstree, pgrep, procfsfilesystem
I memory mappings: pmap
I open file descriptors: lsof
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 19/51
If You Feel Lacking
I this is a master class, you need to be on the level
I work, work, work
I C programming:https://ocw.cs.pub.ro/courses/programare
I Linux / Unix CLI, shell scripting:https://ocw.cs.pub.ro/courses/uso
I assembly language + hexadecimal:https://ocw.cs.pub.ro/courses/iocla
I operating systems + process investigation:https://ocw.cs.pub.ro/courses/so
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 20/51
Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 21/51
Scripting Languages
I Python, Perl
I automation
I generate/print binary data and feed it to an executable
I generate strings, generate variating integers & addresses
I do redirects, make conversions, process strings
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 22/51
Python
I quick’n’dirty scripting language
I more powerful than shell scripting
I create binary payloads (use struct package)
I convert data
I work with strings
I work with files
I work with processes (use subprocess package)
I advanced exploit techniques (use pwn package)
I use Python3, FTW!!!
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 23/51
Hex Viewers and Editors
I dump and edit data in binary files (object files, executables,encrypted files)
I hexdump, xxd, od: make hexdumps
I hte: terminal hex editor
I ghex, Bless: GUI hex editor
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 24/51
GDB
I dynamic analysis
I default debugger on Unix systems
I may be used to trace programs, check variables and returnvalues
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 25/51
PEDA
I Python Exploit Development Assistance for GDB
I enhance GDB for exploit development
I improved commands
I improved views
I search for ROP gadgets
I generate shellcodes
I generate buffer cyclic patterns
I http://ropshell.com/peda/
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 26/51
Binary Code Analysis
I inspect object and executable files
I disassembling: objdump
I forensics: strings
I executable parsing: readelf, nm
I dependencies: ldd
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 27/51
Call Tracing
I dynamic analysis
I capture system calls, function callls of program
I check out system call arguments
I check out system call return values
I see whether process blocks in a system call
I strace, ltrace
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 28/51
Advanced Disassemblers
I IDAI IDA 7.0 freewareI different executable formats for different processorsI debuggerI decompilerI interactiveI plugins
I GhidraI open sourceI similar to IDA
I radare2I disassemble, debugI static and dynamic analysisI CLI
I capstoneI “lightweight multi-platform, multi-architecture disassembly
framework”I open source
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 29/51
Other Binary-related Tools
I Binary Ninja: https://binary.ninja
I BinNavi: http://www.zynamics.com/binnavi.html
I Hopper: http://www.hopperapp.com/
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 30/51
Emulators
I run executables for different architectures
I QEMU: emulates MIPS, ARM, PowerPC, SPARC
I Unicorn Engine, based on QEMU
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 31/51
pwntools
I CTF framework and exploit development library
I Python
I connections to local and remote processes
I packing / unpacking
I assemby and disassembly
I ELF manipulation
I shellcode generation
I Return Oriented Programming
I https://github.com/Gallopsled/pwntools
I https://docs.pwntools.com/en/stable/
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 32/51
Others
I brain
I will
I perseverance
I will
I perseverance
I perseverance
I perseverance
I Did we mention perseverance?
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 33/51
Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 34/51
strings
I search for ASCII strings in binary data
I strings /path/to/binary/file
I man ascii to show ASCII table
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 35/51
Printing Binary/Hex Data
Let’s print shellcode from http://www.shell-storm.org/
shellcode/files/shellcode-827.php:
Shellcode Sample
char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69""\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
Do it in several scripting languages:
Print Shellcode in Bash, Python, Perl
(Bash) echo -e ’\x31\xc0\x50\x68\x2f...’(Python) python -c ’print "\x31\xc0\x50\x68\x2f..."’(Perl) perl -e ’print "\x31\xc0\x50\x68\x2f..."’
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 36/51
Printing Binary/Hex Data (2)
Dump binary data in hex and binary:
Using xxd
$ echo -en ’\x31\xc0\x50\x68...’ | xxd
0000000: 31c0 5068 2f2f 7368 682f 6269 6e89 e350 1.Ph//shh/bin..P
0000010: 5389 e1b0 0bcd 80 S......
$ echo -en ’\x31\xc0\x50\x68...’ | xxd -g 4
0000000: 31c05068 2f2f7368 682f6269 6e89e350 1.Ph//shh/bin..P
0000010: 5389e1b0 0bcd80 S......
$ echo -en ’\x31\xc0\x50\x68...’ | xxd -g 1
0000000: 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 1.Ph//shh/bin..P
0000010: 53 89 e1 b0 0b cd 80 S......
$ echo -en ’\x31\xc0\x50\x68...’ | xxd -b
0000000: 00110001 11000000 01010000 01101000 00101111 00101111 1.Ph//
0000006: 01110011 01101000 01101000 00101111 01100010 01101001 shh/bi
000000c: 01101110 10001001 11100011 01010000 01010011 10001001 n..PS.
0000012: 11100001 10110000 00001011 11001101 10000000 .....
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 37/51
Using strace
I strace ./executable
I strace -e write ./executable – print write syscalls
I strace -e trace=file ./executable – print syscalltaking a filename as argument
I strace -f ./executable – trace child processes
I strace -p PID – trace existing process by PID
I strace -s strsize – trace using a different size for strings
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 38/51
ltrace
I see library calls
I ltrace -p PID – trace process
I ltrace -t – show timestamp
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 39/51
Passing Binary Data as Argument
I command $(python -c ’print ...’)
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 40/51
Passing Binary Data as Standard Input
I python -c ’print ...’ | command
I cat file - | command
I cat <(python -c ’print ...’) - | command
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 41/51
List Open Files
I lsof
I lsof -p PID – show open files for process
I shows file descriptors: standard input/output, sockets, pipes
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 42/51
Process Address Space
I pmap
I pmap PID – show address space mappings for process
I shows permissions and addresses
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 43/51
Show Library Dependencies
I ldd /path/to/executable
I useful to check if an executable may run on a given system,what library version is it using
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 44/51
Installing 32bit Development Libraries on Debian
Installing 32bit Development Libraries
# dpkg --add-architecture i386
# apt update
# apt install gcc-multilib g++-multilib libc6:i386 libc6-dev:i386 \libstdc++6:i386 libstdc++6-dev:i386
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 45/51
Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 46/51
io.netgarage.org – Level 1
I use objdump to disassemble binary
I use man ascii or hex printing to print password
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 47/51
Outline
Introduction
Things You Need to Know
Tools of the Trade (That You May or May Now Know)
Basic Tools for Exploration
Demo
Conclusion
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 48/51
Keywords
I offensive security
I runtime application security
I table of contents
I grading
I CTF (Capture the Flag)
I tools of the trade
I hex editors
I scripting language
I disassemblers
I exploration
I hex/binary data
I Python
I strings
I objdump
I strace, ltrace
I ldd, lsof, pmap
I IDA
I Ghidra, radare2
I GDB, PEDA
I pwntools
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 49/51
Useful Links
I http://reverseengineering.stackexchange.com/
I http://security.cs.pub.ro/hexcellents/wiki/
I http://web.cecs.pdx.edu/~jrb/cs201/lectures/
handouts/gdbcomm.txt
I http://ctftime.org/
I https://picoctf.com/
I http://captf.com/practice-ctf/
I https://io.netgarage.org/
I http://www.overthewire.org/wargames/
I http://ctf365.com/
I PEDA: https://github.com/longld/pedaI IDA: https://www.hex-rays.com/products/ida/I Ghidra: https://ghidra-sre.org
I Radare: http://rada.re/r/
I pwntools: https://docs.pwntools.com/en/stable/
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 50/51
References
I Security WarriorI Chapter 1. Assembly LanguageI Chapter 2. Windows Reverse EngineeringI Chapter 3. Linux Reverse Engineering
I The Ethical Hacker’s Handbook, 3rd EditionI Chapter 10: Programming Survival SkillsI Chapter 20: Passive AnalysisI Chapter 21: Advanced Static Analysis with IDA Pro
CSE Dep, ACS, UPB Lecture 1, Introduction. Basic Exploration Tools 51/51