For the past few days I've been implementing various attacks related to the TCP protocol.

I just finished a TCP connection flooder which can bring almost any service to a complete stop with as little as 75 Kbit/s and 12 packets per second.

This is for one service only. But if you combine this with a second service, for example SSH, you can render almost any server with some of its services down without raising any alarms on the network traffic monitoring systems. The flood uses small packets and is not very intensive, so if the administrators haven't protected the SSH service on the machine, they would not be able to connect to it without a serial or KVM console.

Attackers can use such techniques to disrupt all kinds of services.

There are a few more things I'd like to test, and maybe I'll include these attacks in the next Network Security course at FMI.

I was really glad that I didn't have to write all of my DoS scripts in C. Actually, Net::RawIP and Net::Pcap are perfect modules for writing small network things in Perl.

I'll do some benchmarks to see how good Perl is at generating packets and how it compares with the C packet generators I have written.

Posted by HackMan
Dated: 14th December 2009
Filled Under: Technology
Comments: Post the 1st one!

Finally we got our Christmas tree. We had an argument with Toni about the tree: I wanted a normal natural tree and she wanted an artificial (plastic) one. So I agreed with her, but the new tree has a bug. The top part of the tree doesn't clip onto the bottom, but since it was after 11pm I decided to fix the problem tomorrow; the problem is that I have to use a hammer to fix the stupid pipe :(

Posted by HackMan
Dated: 4th December 2009
Filled Under: Uncategorized
Comments: Post the 1st one!

I can't understand one thing: almost 20 years ago Stevens wrote the books on Unix network programming, which I consider to be the Bibles of network programming. And there are still people who don't understand why they should do a full implementation, with all the checks required, when they write network applications.

And the most frightening thing is that almost all of the students graduating with CS majors don't even know how to implement a network daemon without introducing a big security hole in the system.

Posted by HackMan
Dated: 3rd December 2009
Filled Under: Uncategorized
Comments: 2 Comments

The results from the first exam of the Linux System Administration course are ready and are uploaded at http://training.iseca.org

What is interesting is that even with almost half of the questions not answered you can still get almost 20 points out of 50.

And one disappointing thing is that this year the girls have slightly lower average results than in previous years. Usually the girls have a lot higher grades than the males.

Here are the stats:

Maximum points: 47
Minimum points: 18
Average points: 34.3

Male average points: 34.4
Female average points: 34.2

Average points per course:

course | average
-------+--------
   1   |  37.5
   2   |  38.7
   3   |  33.0
   4   |  35.0

Posted by HackMan
Dated: 1st December 2009
Filled Under: Uncategorized
Comments: Post the 1st one!

While some people are changing the styles of their blogs to cleaner and simpler themes, I decided that I will go with my favorite color and a nice picture :)
The main reason that made me change the look of the blog is that many of the new posts use the PRE tag, and this causes the text to overlap with the right column.

I hope that this new theme will solve at least some of these problems.

Posted by HackMan
Dated: 29th November 2009
Filled Under: Uncategorized
Comments: 5 Comments

One of the problems when you are migrating a server is actually migrating the traffic from the old IPs to the new IPs.

Since we were doing that fairly often for some of our servers, I have used one very common trick: DNAT + SNAT to move the traffic from the old server to the new server, and from the new server back to the client.

However, this presents one big issue: all clients now appear to come from the IP address of the old server. This is a big problem for systems that authenticate by checking the remote IP together with the user/password pair.

So I set out to find a way to move all traffic for whatever TCP service I decide, while keeping the source IPs.

The solution was fairly simple, and this is what I'll try to describe here.

So here is our setup:

  • server A with IP: 112.0.0.15
  • server B with IP: 213.0.0.12

In order to redirect all web traffic going to server A, we need two DNAT rules on server A (IP forwarding must be enabled there, and the FORWARD chain must let the traffic through):

# iptables -t nat -I PREROUTING -d 112.0.0.15 -p tcp --dport 80 -j DNAT --to-destination 213.0.0.12:80
# iptables -t nat -I PREROUTING -d 112.0.0.15 -p tcp --dport 443 -j DNAT --to-destination 213.0.0.12:443

This is all we need to do on server A. Most of the work is done on server B.

So, after the traffic has reached server B, why do we still have a problem?
The DNAT on server A only changed the destination IP, so the packet arriving at B still has the client's IP as its source, not the IP of server A. Server B therefore answers the client directly, with its own IP (213.0.0.12) as the source. The client, however, sent its packets to 112.0.0.15 and will only accept a reply coming from that address, so the reply is dropped. The reply has to travel back through server A, where the connection tracking entry created by the DNAT rewrites the source back to 112.0.0.15.

Here is one of my solutions to this problem. You should build a tunnel between servers A and B. I used OpenVPN for that tunnel, with tap devices in order to have full bridge functionality (this is very important, since the packets travelling over the tunnel carry source addresses from all kinds of IP ranges).
After we have the tunnel set up, we should have a private network between A and B, for example:

  • server A: 10.0.0.1
  • server B: 10.0.0.2

What you should do now on server B is simple:

  1. Give every connection coming in from the tunnel interface a connection mark, for example 4
  2. Copy that mark back onto the reply packets as they leave the process; the kernel re-runs the routing decision when the mark changes in mangle OUTPUT
  3. Send all marked packets through a separate routing table whose default gateway is the VPN IP of server A instead of the default gateway of server B

How all of these steps are done:

  1. Create the routing table:
    # echo '250 forward' >> /etc/iproute2/rt_tables
  2. Add entries to it (B's own address and loopback stay local, everything else goes to A's tunnel address):

    # ip route add 213.0.0.12 dev eth0 table forward
    # ip route add 127.0.0.0/8 dev lo table forward
    # ip route add default via 10.0.0.1 table forward
  3. Make all packets marked with 4 go through that table:
    # ip rule add fwmark 4 table forward
  4. Set connection mark 4 on the web connections coming in from the VPN (CONNMARK marks the connection, not the packet, so the replies can be recognised later):

    # iptables -t mangle -A PREROUTING -i tap0 -p tcp --dport 80 -j CONNMARK --set-mark 4
    # iptables -t mangle -A PREROUTING -i tap0 -p tcp --dport 443 -j CONNMARK --set-mark 4
  5. Copy the connection mark onto the packets as they leave the local processes:
    # iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

And that should be it.
After this, all web traffic sent to server A should arrive at server B as if it had come directly to B, with the clients' real source addresses.

Two things to check if it does not work. The CONNMARK rules match on -i tap0, so the packets forwarded from A must enter B through the tunnel (give server A a route to 213.0.0.12 over tap0, or DNAT to B's tunnel address 10.0.0.2 instead); if they come in on eth0 they are never marked. And if strict reverse-path filtering (rp_filter) is enabled on tap0 on server B, the packets arriving from the tunnel with the clients' source addresses are silently dropped, because B's main routing table reaches those addresses through eth0; disable it on the tunnel interface.
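The procedure above as a re-runnable script for both hosts. This is an added example, not code from the original post; addresses, interface names, the mark value and the table number are taken from the post or assumed, so adapt them. It deliberately differs from the post in one point: server A DNATs to B's tunnel address (10.0.0.2) rather than to B's public address, which guarantees that the forwarded packets enter B on tap0 (what the CONNMARK rules match) without an extra host route on A.

```shell
#!/bin/sh
# Added example, not from the original post: old server A keeps receiving
# client traffic, forwards it through an OpenVPN tap tunnel to new server B,
# and B's replies are policy-routed back through the tunnel so that conntrack
# on A can restore 112.0.0.15 as the source. Values below are assumptions.
# DRY_RUN=1 prints the commands instead of executing them.

A_PUB=112.0.0.15   # old server, public address (clients still talk to it)
A_TUN=10.0.0.1     # server A inside the tap tunnel
B_TUN=10.0.0.2     # server B inside the tap tunnel (DNAT target here)
TUN_IF=tap0
MARK=4
TABLE_ID=250
TABLE_NAME=forward
PORTS="80 443"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Server A: forward the chosen ports to B over the tunnel, keeping the
# client's source address (DNAT only, no SNAT). If your FORWARD policy is
# DROP, also allow eth0 -> tap0 for these ports and the established replies.
setup_server_a() {
    run sysctl -w net.ipv4.ip_forward=1
    for p in $PORTS; do
        # delete first so re-running the script does not stack duplicate rules
        run iptables -t nat -D PREROUTING -d "$A_PUB" -p tcp --dport "$p" \
            -j DNAT --to-destination "$B_TUN:$p" 2>/dev/null || true
        run iptables -t nat -A PREROUTING -d "$A_PUB" -p tcp --dport "$p" \
            -j DNAT --to-destination "$B_TUN:$p"
    done
}

# Append the routing table name once (the post's 'echo >> rt_tables').
add_rt_table() {
    if grep -qs "^$TABLE_ID[[:space:]]*$TABLE_NAME" /etc/iproute2/rt_tables; then
        return 0
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf "echo '%s %s' >> /etc/iproute2/rt_tables\n" "$TABLE_ID" "$TABLE_NAME"
    else
        echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
    fi
}

# Server B: serve the forwarded connections, but send the replies back to A
# through the tunnel instead of straight to the client.
setup_server_b() {
    add_rt_table
    # Client addresses arriving on tap0 are routed via eth0 in the main
    # table, so strict rp_filter on tap0 would drop them. (Newer kernels use
    # the maximum of this and net.ipv4.conf.all.rp_filter, so keep 'all' at 0
    # or 2 as well.)
    run sysctl -w "net.ipv4.conf.$TUN_IF.rp_filter=0"
    # Table for marked packets: loopback stays local, everything else to A.
    run ip route replace 127.0.0.0/8 dev lo table "$TABLE_ID"
    run ip route replace default via "$A_TUN" dev "$TUN_IF" table "$TABLE_ID"
    # 'ip rule add' is not idempotent either, hence the delete first.
    run ip rule del fwmark "$MARK" table "$TABLE_ID" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE_ID"
    for p in $PORTS; do
        # Connections entering from the tunnel get connection mark 4 ...
        run iptables -t mangle -D PREROUTING -i "$TUN_IF" -p tcp --dport "$p" \
            -j CONNMARK --set-mark "$MARK" 2>/dev/null || true
        run iptables -t mangle -A PREROUTING -i "$TUN_IF" -p tcp --dport "$p" \
            -j CONNMARK --set-mark "$MARK"
    done
    # ... and the locally generated replies of those connections inherit it
    # as packet mark, which the rule above turns into a route via the tunnel.
    run iptables -t mangle -D OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark 2>/dev/null || true
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
}

case "${1:-}" in
    a) setup_server_a ;;
    b) setup_server_b ;;
    *) echo "usage: $0 a|b   (DRY_RUN=1 only prints the commands)" >&2 ;;
esac
```

Run `DRY_RUN=1 sh migrate.sh b` first to review the exact commands, then `sh migrate.sh a` on the old server and `sh migrate.sh b` on the new one. The restore-mark rule is restricted with `-m connmark --mark 4` so that unrelated local connections never pick up the mark; the web server on B has to listen on the tunnel address (or on all addresses) because that is the destination the DNAT produces.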

Posted by HackMan
Dated: 27th November 2009
Filled Under: Linux General, Linux-HA, Technology, Uncategorized
Comments: 1 Comment

Pragmatic Version Control Using Git

For me, this book was more like a manual than true in-depth learning. It is a very good and easy-to-read book. One of the best things was that while reading the book, it actually made me want to read more and more. I finished it in less than three or four days, which is not normal for me, even for a topic in which I'm not a novice.
This is my first book from the Pragmatic series, but it seems like the best idea for learning the basics of some topic.

I had been using Git for more than a year before reading this book. I have made manuals and trainings about Git within our company. But this book opened my eyes and made me understand more than what I had learned from the online manuals. I think that the book's organization was one of the main things that really guided my experience while reading it. What I found after reading the book was that, even though you can work without most of the information in it, everything it describes makes your work easier, faster and smoother.

And the one thing that I really missed in this book was how to work with and organize your project using some of the GUI applications available for Git.

Posted by HackMan
Dated: 27th November 2009
Filled Under: Book reviews, Technology
Comments: Post the 1st one!

Today I had to install MySQL Proxy on one of our servers.

What I found was that the current stable version, 0.7.2, requires a more recent version of glib2 than the one that comes with CentOS 5.4.

So here is what I did in order to build it with a different version of glib2 than the default installation:

Lua: download & install from source

  • Required packages: readline readline-devel
    yum install readline readline-devel

MySQL Proxy requires:

  • lua
  • glib2 > 2.16
  • libevent and libevent-devel
    yum install libevent libevent-devel

Build glib (into its own prefix, so the system glib2 stays untouched):
./configure --prefix=/usr/local/glib2 --disable-selinux --disable-fam --enable-threads --enable-gc-friendly
make -j4
make install

Build mysql-proxy:

export GLIB_DIR='/usr/local/glib2'
export GLIB_CFLAGS="-I$GLIB_DIR/include/glib-2.0 -I$GLIB_DIR/lib/glib-2.0/include/"
export GMODULE_CFLAGS="-I$GLIB_DIR/include/glib-2.0 -I$GLIB_DIR/lib/glib-2.0/include/"
export GTHREAD_CFLAGS="-pthread -I$GLIB_DIR/include/glib-2.0 -I$GLIB_DIR/lib/glib-2.0/include/"
export GLIB_LIBS="-L$GLIB_DIR/lib -lglib-2.0"
export GMODULE_LIBS="-Wl,--export-dynamic -L$GLIB_DIR/lib -lgmodule-2.0 -ldl -lglib-2.0"
export GTHREAD_LIBS="-pthread -L$GLIB_DIR/lib -lgthread-2.0 -lglib-2.0"
./configure --prefix=/usr/local/mysql-proxy --with-lua
make -j4
make install
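One thing the variables above do not cover is the run-time side: the binary is linked against /usr/local/glib2/lib, but the dynamic loader does not search there, so at start-up it either fails with "cannot open shared object file" or picks the older system libglib from /lib64. The script below is an added example (not from the original post) that wraps the same configure/make steps, adds `-Wl,-rpath` to the link flags so the private prefix is recorded in the binary, and checks the result with `ldd`. Paths are the post's; the build functions are assumed to be run from inside the extracted glib and mysql-proxy source trees.

```shell
#!/bin/sh
# Added example, not from the original post. Build mysql-proxy 0.7.2 against
# a private glib2 in $GLIB_DIR so that it also *runs* with that glib2, and
# verify the link. Run 'glib' inside the glib source tree and 'proxy' inside
# the mysql-proxy source tree (assumption: the tarballs are already unpacked).
GLIB_DIR=${GLIB_DIR:-/usr/local/glib2}
PROXY_DIR=${PROXY_DIR:-/usr/local/mysql-proxy}
JOBS=${JOBS:-4}

# Same variables as in the post, plus -Wl,-rpath,$GLIB_DIR/lib: the rpath is
# stored in the binary, so no LD_LIBRARY_PATH or /etc/ld.so.conf.d entry is
# needed and the older /lib64/libglib-2.0.so.0 is never picked up instead.
glib_env() {
    inc="-I$GLIB_DIR/include/glib-2.0 -I$GLIB_DIR/lib/glib-2.0/include"
    link="-Wl,-rpath,$GLIB_DIR/lib -L$GLIB_DIR/lib"
    export GLIB_CFLAGS="$inc"
    export GMODULE_CFLAGS="$inc"
    export GTHREAD_CFLAGS="-pthread $inc"
    export GLIB_LIBS="$link -lglib-2.0"
    export GMODULE_LIBS="-Wl,--export-dynamic $link -lgmodule-2.0 -ldl -lglib-2.0"
    export GTHREAD_LIBS="-pthread $link -lgthread-2.0 -lglib-2.0"
}

build_glib() {          # run inside the glib source tree
    ./configure --prefix="$GLIB_DIR" --disable-selinux --disable-fam \
        --enable-threads --enable-gc-friendly
    make -j"$JOBS" && make install
}

build_mysql_proxy() {   # run inside the mysql-proxy source tree
    glib_env
    ./configure --prefix="$PROXY_DIR" --with-lua
    make -j"$JOBS" && make install
}

# Read 'ldd <binary>' output on stdin; succeed only if every glib library
# (libglib, libgmodule, libgthread) resolved under the prefix given as $1 and
# none of them is reported as "not found".
glib_resolved_under() {
    awk -v re="^$1/" '
        /libg(lib|module|thread)-2\.0\.so/ && $3 !~ re { bad = 1 }
        /not found/ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

check_build() {
    if ldd "$PROXY_DIR/bin/mysql-proxy" | glib_resolved_under "$GLIB_DIR"; then
        echo "ok: mysql-proxy uses glib2 from $GLIB_DIR"
    else
        echo "FAIL: mysql-proxy does not resolve glib2 from $GLIB_DIR" >&2
        ldd "$PROXY_DIR/bin/mysql-proxy" | grep 'libg'
        return 1
    fi
}

case "${1:-}" in
    glib)  build_glib ;;
    proxy) build_mysql_proxy ;;
    check) check_build ;;
    *)     echo "usage: $0 glib|proxy|check" >&2 ;;
esac
```

After `sh build.sh proxy`, `sh build.sh check` prints the offending `ldd` lines if the loader would still pick another glib; that is the test to run before putting the proxy into an init script, where no LD_LIBRARY_PATH will be set.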

Posted by HackMan
Dated: 26th November 2009
Filled Under: Linux General, Technology
Comments: 1 Comment

A highly intellectual conversation between managers:

[hackman] I'll give you a full-length photo of me…
[hackman] So you can put it up in your room :)
[hackman] Just looking at it will make you work better :P
<[dev]> can't it be just naked from the waist down, and from behind
<[dev]> it will raise motivation
<[dev]> and other things
<[dev]> …
[hackman] my ass is very hairy… but if it will raise motivation…
[hackman] I'll call the colleague with the big Canon to take the picture :)
<[dev]> hairy fetish
<[dev]> he'd better not zoom in too much, or that lens of his will get inside you
<[dev]> like an elephant's

Posted by HackMan
Dated: 27th July 2009
Filled Under: Uncategorized
Comments: 1 Comment

I started using syscalls in Perl scripts a long time ago. One of the main issues I face every time I install a script on a new machine is creating the Perl header files from the C headers.

It is supposed to be very easy:

# cd /usr/include
# h2ph *.h
# h2ph */*.h

With this we should have our Perl headers generated… However, I found that on many distributions the system header asm/unistd.h has its includes like this:

# ifdef __i386__
# include "unistd_32.h"
# else
# include "unistd_64.h"
# endif

This is a big problem, as h2ph skips lines with quotes; it expects the header files to look like this:

# ifdef __i386__
# include <unistd_32.h>
# else
# include <unistd_64.h>
# endif

So I have to fix this stupid bug manually in order to use the syscalls I need.

What I mainly use from the syscalls are:

__NR_getpriority - used for renice
__NR_setpriority - used for renice
__NR_ioprio_get - used for ionice
__NR_ioprio_set - used for ionice
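The ionice half of that list in working form, as an added example (not code from the original post). It prefers the h2ph-generated syscall.ph and falls back to a small table of syscall numbers when the generated headers are broken as described above; the fallback covers x86_64 and i386 only, and the constants are copied from linux/ioprio.h and asm/unistd_{32,64}.h. The renice half needs no raw syscall at all, because getpriority and setpriority are Perl builtins.

```perl
#!/usr/bin/perl
# Added example, not from the original post: ionice from Perl via syscall(),
# with a fallback for the case where h2ph could not produce usable headers.
# Assumption: x86_64 or i386 Linux (the fallback table covers only those).
use strict;
use warnings;
use Config;

# linux/ioprio.h
use constant IOPRIO_CLASS_SHIFT => 13;
use constant IOPRIO_WHO_PROCESS => 1;
use constant {
    IOPRIO_CLASS_NONE => 0,
    IOPRIO_CLASS_RT   => 1,
    IOPRIO_CLASS_BE   => 2,
    IOPRIO_CLASS_IDLE => 3,
};

# asm/unistd_64.h and asm/unistd_32.h
my %FALLBACK_NR = (
    x86_64 => { ioprio_set => 251, ioprio_get => 252 },
    i386   => { ioprio_set => 289, ioprio_get => 290 },
);

# Syscall number: use SYS_<name> from syscall.ph when it exists and works,
# otherwise the table above (syscall.ph dies on an undefined __NR_* symbol,
# which is exactly what the broken asm/unistd.h include produces).
sub syscall_nr {
    my ($name) = @_;
    my $nr = eval {
        require 'syscall.ph';
        no strict 'refs';
        &{"SYS_$name"}();
    };
    return $nr if defined $nr;
    my $arch = $Config{archname} =~ /x86_64|amd64/ ? 'x86_64' : 'i386';
    my $fallback = $FALLBACK_NR{$arch}{$name};
    defined $fallback or die "no syscall number for $name on $Config{archname}\n";
    return $fallback;
}

# An ioprio value is the class in the upper bits and the level in the lower 13.
sub ioprio_pack   { my ($class, $data) = @_; return ($class << IOPRIO_CLASS_SHIFT) | $data; }
sub ioprio_unpack {
    my ($v) = @_;
    return ($v >> IOPRIO_CLASS_SHIFT, $v & ((1 << IOPRIO_CLASS_SHIFT) - 1));
}

# Set the I/O scheduling class and level of a process; false and $! on failure.
sub ioprio_set {
    my ($pid, $class, $data) = @_;
    my $r = syscall(syscall_nr('ioprio_set'), IOPRIO_WHO_PROCESS, $pid,
                    ioprio_pack($class, $data));
    return $r != -1;
}

# Returns (class, level) of a process, or an empty list and $! on failure.
sub ioprio_get {
    my ($pid) = @_;
    my $v = syscall(syscall_nr('ioprio_get'), IOPRIO_WHO_PROCESS, $pid);
    return if $v == -1;
    return ioprio_unpack($v);
}

# Demo: move this process to the idle class (no privilege needed) and read
# it back. The RT class would require CAP_SYS_ADMIN.
ioprio_set($$, IOPRIO_CLASS_IDLE, 0) or die "ioprio_set: $!\n";
my ($class, $level) = ioprio_get($$);
defined $class or die "ioprio_get: $!\n";
printf "pid %d: I/O class %d, level %d\n", $$, $class, $level;
```

The same `syscall_nr` lookup works for any other `__NR_*` you need; only the fallback table has to be extended, and only for the architectures you actually deploy on.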

Posted by HackMan
Dated: 24th February 2009
Filled Under: Linux General, Technology
Comments: Post the 1st one!