Tag Archives: Linux

Hiding Data: Slack Space on Linux

I am going to cover slack space in various operating systems. The first post is about slack space in Linux.

What is Slack Space?

Before explaining slack space, one should know what blocks (on Linux) and clusters (on Windows) mean. Blocks are fixed-size containers used by the file system to store data; they can also be defined as the smallest units of storage a file system can allocate. A file occupies one or more blocks/clusters, as many as its size requires. When data is stored in these blocks, one of two mutually exclusive conditions occurs: the block is completely full, or the block is only partially full. A completely full block is the optimal case for the file system. If the block is only partially full, the area between the end of the file and the end of the block is referred to as slack space. Linux writes nulls to slack space, so finding data in slack space on Linux systems is rare. However, it is not impossible.

Today, I am going to show how to hide data on slack spaces using a tool called bmap.

Bmap

Bmap, a data hiding tool, can utilize the slack space in blocks to hide data.

It can perform many functions of interest to the computer forensics and computer security communities. However, in this article we will focus on its data hiding capability.

Installing Bmap

Click this link and save the tar.gz file on your Linux desktop, then extract it:
tar xvzf bmap-1.0.17.tar.gz

After untarring the file, we can go into the directory and compile the program.
cd bmap-1.0.17
make

Optional: I placed a symlink to bmap in /sbin so I don't need to go into the bmap directory each time I want to run the program.
ln -s yourBmapFilePath /sbin/bmap

Hiding Data on Slack Space

In the following example we will hide some text into slack space. Let’s see what options we have with bmap:
bmap --help
bmap:1.0.17 (12/25/10) newt@scyld.com
Usage: bmap [OPTION]... []
use block-list knowledge to perform special operations on files
--doc VALUE
where VALUE is one of:
version display version and exit
help display options and exit
man generate man page and exit
sgml generate SGML invocation info
--mode VALUE
where VALUE is one of:
map list sector numbers
carve extract a copy from the raw device
slack display data in slack space
putslack place data into slack
wipeslack wipe slack
checkslack test for slack (returns 0 if file has slack)
slackbytes print number of slack bytes available
wipe wipe the file from the raw device
frag display fragmentation information for the file
checkfrag test for fragmentation (returns 0 if file is fragmented)
--outfile write output to ...
--label useless bogus option
--name useless bogus option
--verbose be verbose
--log-thresh logging threshold ...
--target operate on ...

I am going to use the --mode option with the slack, putslack, wipe and map VALUEs. I have created a text file named ismail.txt. Let's see which sectors this file uses.
bmap --mode map ismail.txt
3113400
3113401
3113402
3113403
3113404
3113405
3113406
3113407

As you can see from the output of bmap, ismail.txt uses 8 sectors starting from 3113400. This corresponds to one block in Linux. The text file is too small to use all of these sectors in the block.

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096

The file only uses 8 bytes (1 sector is 512 bytes, so the data fits in the first sector). The remaining 7 sectors and the other 504 bytes of the first sector are empty (Linux writes nulls to slack space, so they all contain 0s).

We can use this slack space to hide data.

echo "I'm hiding this and you cannot easily see it" | bmap --mode putslack ismail.txt
stuffing block 389175
file size was: 8
slack size: 4088
block size: 4096

Now check what we have in slack space:

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096
I'm hiding this and you cannot easily see it

(This command also gives the block number of the file, 389175)

We can now wipe the data we put on slack space.
bmap --mode wipe ismail.txt

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096
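The slack arithmetic behind the bmap output above (file size 8, block size 4096, slack 4088, one data sector plus seven empty ones) and the check a responder runs over a file's last block, as an added example written for this page; it is not code from the post or from bmap. The block contents are constructed in the script, not read from a disk; the only real-file part uses stat() on a temporary file, where st_blocks counts 512-byte units on Linux.

```python
"""Slack-space arithmetic and a null check over a file's last block.

Added example (not from the original post or from bmap). Since Linux writes
nulls into slack, any non-null byte past the end of the file inside its last
block deserves a look; hidden_in_slack() returns exactly those bytes.
"""
import os
import tempfile

BLOCK_SIZE = 4096   # block size reported by bmap in the post
SECTOR_SIZE = 512   # one disk sector; 8 sectors make one 4096-byte block


def slack_size(file_size, block_size=BLOCK_SIZE):
    """Bytes between the end of the file and the end of its last block."""
    if file_size < 0:
        raise ValueError("file size must be non-negative")
    used = file_size % block_size
    return 0 if used == 0 else block_size - used


def sector_breakdown(file_size, block_size=BLOCK_SIZE, sector_size=SECTOR_SIZE):
    """Usage of the last block's sectors as (sectors holding data,
    free bytes in the last data sector, sectors that are entirely slack).
    For an 8-byte file this is (1, 504, 7), matching the post."""
    sectors_per_block = block_size // sector_size
    used = file_size % block_size
    if used == 0:                      # file ends on a block boundary
        return (sectors_per_block, 0, 0)
    data_sectors = -(-used // sector_size)          # ceiling division
    free_in_partial = data_sectors * sector_size - used
    return (data_sectors, free_in_partial, sectors_per_block - data_sectors)


def slack_region(last_block, file_size, block_size=BLOCK_SIZE):
    """Return the slack portion of a file's last block."""
    if len(last_block) != block_size:
        raise ValueError("expected exactly one block of %d bytes" % block_size)
    used = file_size % block_size
    return b"" if used == 0 else last_block[used:]


def hidden_in_slack(last_block, file_size, block_size=BLOCK_SIZE):
    """Non-null payload found in the slack, or b'' when the slack is clean."""
    return slack_region(last_block, file_size, block_size).rstrip(b"\x00")


def allocated_slack(path):
    """Slack of a real file as implied by stat(): st_blocks is in 512-byte units on Linux."""
    st = os.stat(path)
    return max(0, st.st_blocks * 512 - st.st_size)


def demo_real_file():
    """Write an 8-byte file, as in the post, and report the slack stat() implies."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"ismail!\n")
        path = fh.name
    try:
        return allocated_slack(path)
    finally:
        os.unlink(path)


# Constructed blocks: 8 bytes of file data followed by slack (nulls, or a hidden string).
FILE_DATA = b"ismail!\n"
HIDDEN = b"I'm hiding this and you cannot easily see it"   # the string the post hides
CLEAN_BLOCK = FILE_DATA + b"\x00" * (BLOCK_SIZE - len(FILE_DATA))
TAMPERED_BLOCK = FILE_DATA + HIDDEN + b"\x00" * (BLOCK_SIZE - len(FILE_DATA) - len(HIDDEN))

if __name__ == "__main__":
    size = len(FILE_DATA)
    print("slack bytes for an 8-byte file:", slack_size(size))
    print("sectors (data, free in partial, empty):", sector_breakdown(size))
    print("clean block hides:", hidden_in_slack(CLEAN_BLOCK, size) or b"nothing")
    print("tampered block hides:", hidden_in_slack(TAMPERED_BLOCK, size))
    print("stat()-derived slack of a real 8-byte temp file:", demo_real_file())
```

The stat()-based figure only tells you how much slack a file has, not what is in it; reading the slack bytes themselves requires the raw device (which is what bmap's slack mode does), and the rstrip-based check above is what you would run over that raw block.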

Summary

Slack space can be used for hiding data. Even though advanced forensics tools reveal hidden information in slack space, most system owners will not check all of the slack space, since this is such a time-consuming activity. Bmap is one of the tools that helps attackers hide information in slack space on Linux systems. As security engineers, we need to be careful when we analyze a compromised Linux system and check slack space as well.

TCPTraceroute to Bypass the Firewall filters

Introduction

The first step for penetration testers is gathering information about the target system. Traceroute is a great tool for this purpose.

Traceroute shows the route between you and the target machine. Linux has a command line utility called traceroute.

traceroute

traceroute uses UDP.

Windows has a tool called tracert.

tracert

tracert uses ICMP.

It is quite common for firewalls to be configured to block ICMP or UDP and thereby prevent Traceroute from returning useable information.

One program designed to get around this issue is Michael Toren’s TCPTraceroute.

TCPTraceroute uses TCP SYN packets instead of ICMP or UDP and is able to bypass common firewall filters.
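The flip side of the point above, as an added example written for this page (not code from the post or from TCPTraceroute): a TCP traceroute sends SYNs to one port with the TTL starting at 1 and rising by one per probe, so a firewall that logs SYNs records a short run of consecutive low TTLs from one source to one destination port, which is easy to pick out even though the packets themselves pass the filter. The log lines are constructed; their field layout (IN=, SRC=, DST=, TTL=, PROTO=, DPT= and the bare SYN/ACK flag words) follows the iptables LOG target, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Finding a TCP-SYN traceroute in iptables LOG lines.

Added example, not code from the original post or from tcptraceroute.
Normal clients send SYNs with an initial TTL of 64, 128 or 255; a traceroute
is the one thing that sends SYNs with TTL 1, 2, 3, ... in a row.
"""
import re
from collections import defaultdict

# Constructed sample: one host probing 192.0.2.10:80 with rising TTLs, one
# ordinary client handshake on port 443, and a UDP packet that must be ignored.
SAMPLE_LOG = """\
Jun 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=1001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=2 ID=1002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7781 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=3 ID=1003 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7782 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0
Jun 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=4 ID=1004 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=5 ID=1005 PROTO=UDP SPT=40005 DPT=33434 LEN=28
Jun 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=5 ID=1006 DF PROTO=TCP SPT=40006 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value pairs; OUT= may be empty
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # TCP flags appear as bare words


def parse_log_line(line):
    """Return the fields of one iptables LOG line as a dict, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "ttl": int(fields.get("TTL", 0)),
        "dpt": fields.get("DPT", ""),
        "flags": set(line.split()) & FLAG_WORDS,
    }


def longest_consecutive_run(values):
    """Longest run of consecutive integers among the values, as a sorted list."""
    best, current = [], []
    for v in sorted(set(values)):
        current = current + [v] if current and v == current[-1] + 1 else [v]
        if len(current) > len(best):
            best = current
    return best


def detect_tcp_traceroute(log_text, min_hops=3, max_ttl=32):
    """Flag (src, dst, dpt) triples whose pure SYNs carry at least min_hops
    consecutive TTLs, all at or below max_ttl."""
    ttls = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:   # initial SYN only
            continue
        if 0 < rec["ttl"] <= max_ttl:
            ttls[(rec["src"], rec["dst"], rec["dpt"])].append(rec["ttl"])
    findings = []
    for (src, dst, dpt), seen in sorted(ttls.items()):
        run = longest_consecutive_run(seen)
        if len(run) >= min_hops:
            findings.append({"src": src, "dst": dst, "dpt": dpt, "ttls": run})
    return findings


if __name__ == "__main__":
    for f in detect_tcp_traceroute(SAMPLE_LOG):
        print("TCP traceroute from %s to %s:%s, TTLs %s" % (f["src"], f["dst"], f["dpt"], f["ttls"]))
```

The threshold of three consecutive hops keeps a single low-TTL SYN (a misconfigured host, or a probe that stopped after one hop) from raising an alert on its own; lower min_hops if you log only a subset of SYNs.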

Installation

TCPTraceroute is currently available only for Linux. You can install it on your Debian-based machine using apt-get:


sudo apt-get install tcptraceroute

Example

tcptraceroute

Summary

As a penetration tester, you need to be familiar with several tools to gain information about the target system. One of these tools is tcptraceroute. It can bypass most firewalls since it uses TCP, unlike tracert and traceroute.

Recent Open SSH Rumor + How to fix it

I love being in the IT industry. You never get bored and you learn new stuff every day. Recently there has been a rumor of a possible vulnerability in OpenSSH. I was really interested, so I did some research. It turned out to be just a rumor, but if you want to be really sure that your machine is safe, then I recommend upgrading the OpenSSH package.

How to fix it?

In your Linux box (I used Ubuntu in this example), type ssh -v to learn the version you have. The latest stable version is 5.2, which has been publicly available since February 09. If your distro doesn't provide this version, then you need to download the source code and compile it on your own.

Let's get our hands dirty and install it from source.

First, let's remove openssh from our Linux box.

$apt-get remove openssh-client openssh-server

I didn't use the --purge option and remove my config files, since I want to keep them. (But I installed openssh with the default options (ah!), so I needed to figure out where the new config files are, where the new sshd executable is, etc., and do some tricks; however, you can back up your config files, use the --purge option to remove them completely, and then paste your files into their new locations, which are /usr/local/bin and /usr/local/sbin.)

Then go to their website and use wget to download the source (I chose the closest server to me):

$wget http://mirror.mcs.anl.gov/openssh/portable/openssh-5.2p1.tar.gz

Now let's install Zlib and OpenSSL, which are prerequisites. (Probably you already have openssl, so you can skip this step.)

I installed zlib from its source.

$wget http://www.zlib.net/zlib-1.2.3.tar.gz

$tar xvfz zlib-1.2.3.tar.gz

$cd zlib-1.2.3

$./configure

$make install

And apt-get for openssl

$apt-get install openssl

Now we can untar our openssh package.

$tar xvfz openssh-5.2p1.tar.gz

Then go inside openssh-5.2p1 and run

$cd openssh-5.2p1

$./configure

Ahh, you should get some errors. Why?

You can check the log file config.log in the directory. I found that we also need to install libcurl4-openssl-dev.

After you install that package, run

$./configure

$make

$make install

Remember that this will install openssh with the default options.

Now type $ssh -v. You should see OpenSSH 5.2p1 if you installed it correctly. Since I installed OpenSSH with the default options, I need to make some changes to get the ssh server running. First, I see that my sshd executable is in /usr/local/sbin; however, the /etc/init.d/ssh script is looking for it in the /sbin directory, so I copy sshd into that directory. Then I see that sshd checks /usr/local/etc/sshd_config, not /etc/ssh/sshd_config, so I need to copy my previous sshd_config to /usr/local/etc/sshd_config.

Finally it works! Even though my new config files are in /usr/local/etc, I am happy with that.
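The version check that opens and closes the procedure above, as an added example written for this page (not code from the post or from the OpenSSH project): it parses the "OpenSSH_x.y" token from the banner ssh prints (ssh -V writes it to stderr) and compares it against the 5.2 release the post recommends. The same token appears in the banner an SSH server sends on connect ("SSH-2.0-OpenSSH_5.2p1"), so the parser also works on banners captured from remote hosts when you inventory a network. The "p" suffix marks the portable release rather than a patch level, so it is kept but left out of the comparison; the banners in the __main__ block are constructed samples.

```python
"""Parse an OpenSSH version string and compare it with a minimum release.

Added example, not code from the original post or from OpenSSH. Handles
two-part (5.2p1), three-part (3.6.1p2) and suffix-less (5.2) versions.
"""
import re
import shutil
import subprocess

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")
RECOMMENDED = (5, 2)   # the release the post calls the latest stable version


def parse_openssh_version(banner):
    """Return (major, minor, micro, portable_release) from any text holding
    OpenSSH_x.y[.z][pN], or None if no OpenSSH version token is present."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, micro, portable = m.groups()
    return (int(major), int(minor), int(micro or 0), int(portable or 0))


def meets_minimum(banner, minimum=RECOMMENDED):
    """True when the banner's release number is at or above the minimum.
    Only major.minor.micro take part; the pN portable revision is ignored."""
    v = parse_openssh_version(banner)
    if v is None:
        return False
    target = tuple(minimum) + (0,) * (3 - len(minimum))
    return v[:3] >= target


def installed_version():
    """Version tuple of the ssh binary on PATH, or None when ssh is absent."""
    if shutil.which("ssh") is None:
        return None
    proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    return parse_openssh_version(proc.stderr + proc.stdout)   # banner goes to stderr


if __name__ == "__main__":
    # Constructed sample banners: a fresh 5.2p1 build and an older distro package.
    for sample in ("OpenSSH_5.2p1, OpenSSL 0.9.8g 19 Oct 2007",
                   "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2"):
        print(sample, "->", parse_openssh_version(sample),
              "meets 5.2:", meets_minimum(sample))
    print("installed:", installed_version())
```

Distribution packages often backport fixes without changing the version number, so a banner below the minimum means "check the package changelog", not necessarily "vulnerable"; the check is a triage filter, not a verdict.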

I hope this helps those who are concerned about their ssh server security.