Book Review: The Absolute Beginner's Guide to Binary

At one of the Defcon 101 talks given by 1o57, a complaint was made.  1o57's talk was called Hacking the Hacker, and was a rundown of skills that anyone who considers themselves to be a hacker should have, or be striving towards.  1o57 was concerned at the state of the hacker scene, in that many people he talked to couldn't even do a 4-bin binary count-up.

The talk was great, but left me concerned.  I picked up a copy of The Absolute Beginner's Guide to Binary by Greg Perry, as a refresher, and found it to be quite an enjoyable read.  Greg explains Binary, Bits, Bytes, and Hex in enough detail as to not leave anything out, yet at a level of readability that I would recommend it even to complete novices of base-2 math, and computers in general as a great text to fully explain the topic to them.

Mr. Perry also gives several topics throughout the book that he leaves to the reader as areas for farther research, which is something that I, personally, find to be very attractive.   It lets the reader branch out and expand their horizons in an organic way.  This is a fantastic learning style for hackers.  Thus, I would definitely recommend this book to anyone who is interested in computers, electronics, or digital communications, but needs a bit of work at the bits and bytes level.

Finding Unused IPs

I recently had a need to fit a new host onto a crowded network, without well documented address assignments.  This led me to several obvious answers, all of which required reading long lists of IP addresses while looking for gaps here and there.  Since reading through DNS zone files, or filtering Nmap ping sweep output didn't sound like much fun, I threw this little guy together.

#!/usr/bin/perl
#############################
## ipchecker.pl            ##
## (c)2012 Peter H. Ezetta ##
#############################


use strict;
use warnings;
use 5.010;

my @results;

foreach (`nmap -sP -v 192.168.0.*`) {
    chomp;
    push( @results, $_ ) if (/^Host/);
}

foreach (@results) {
    say if (/down/);
}

Change the address in the foreach loop to match the network you're scanning, and Nmap will run a ping scan like normal, with a nice little Perl wrapper to only give you the hosts that are down, instead of  up.

"Borrowing" A Screen Session

GNU Screen is a tool that most everyone reading this will be aware of.  In a nutshell, it's a terminal multiplexer, that is, it allows multiple virtual terminals to be brought up in one screen session.  Very useful when you're on the terminal.

Another purpose that is used quite often is to allow long running scripts to run on a remote server, without having to worry about your SSH session getting disconnected.  One would simply start a screen session, run their script, and detach from the screen session, leaving the script to do it's work.

This can occasionally be a problem when one system administrator has started a long running process, and for whatever reason, another system administrator needs to get into the screen session, when it's owner isn't present.  Attempting to su user, then attach to the screen session will lead to the following error:


[14:43:06] [peter@server ~]$ sudo su user
[sudo] password for peter: 
[14:43:45] [user@server /home/peter]$ screen -l
Cannot open your terminal '/dev/pts/2' - please check.
[14:43:53] [user@server /home/peter]$

A quick check of the permissions of /dev/pts/2 reveals the problem:


[14:43:53] [user@server /home/peter]$ cd /dev/pts/
[14:51:42] [user@server /dev/pts]$ ls -lsa 2
0 crw--w---- 1 peter tty 136, 2 2012-11-04 14:51 2

As we can see, the terminal I'm connected to is owned by my user, not effective user that we assumed with su user.  One solution would be to chmod +w /dev/pts/2, but allowing other users to connect to our pts device poses a security risk.  Enter script.

Script is used to create a typescript recording of everything that happens in a terminal, as long as script is running.  It will connect to a new tty device when it is called:

[15:00:20] [user@server ~]$ script test

Script started, file is test

[15:00:25] [user@server ~]$ tty

/dev/pts/3

[15:00:32] [user@server ~]$ ls -lsa /dev/pts/3

0 crw--w---- 1 user tty 136, 3 2012-11-04 15:00 /dev/pts/3

As you can see, by calling script, we have obtained a new pts device, and it's owned by user, not by peter.  This means that we can now screen -d -r to attach to user's screens, even in his absence.

One last note:  If you don't have a purpose for the typescript file that is generated by script, just give it /dev/null as an output file:  script /dev/null, which will throw away the typescript.

Lines of Code

This is going to be a short one.  The other day, one of my friends asked me for a quick way to tell how many lines of code were in a project directory.  Here was my solution (thank you, Perl!)

$ find . -name '*.pl' | xargs perl -e \
'my $x = 0; foreach (<>) { $x++ }; print "$x\n"'

Of course the *.pl can be changed to whatever extension you would like, and TIMTOWTDI, but I happen to be fond of foreach loops and the <> operator, so...

Loopback Filesystems Revisited

In a post quite some time ago, I discussed loopback filesystems.  Well, lo and behold, a few weeks ago, I had the opportunity to play with them again.  Xen, a Linux VM Hypervisor (http://www.xen.org) mounts up its disk images as loopbacks.

I found out rather quickly, that the default number of loopback devices available to the Kernel is 8.  When you have one image for disk, and one for swap on each domU (virtual guest), that means you can only cram 4 machines onto a single hypervisor by default...  That's just unacceptable.

I found two methods that worked, although one is a bit more painful than the other:

Hypervisor with Guests running in Production:

When you can't reboot the machine for whatever reason (in my case, it was running VM's that I didn't have any space to migrate, and couldn't shut down), you can modprobe the loop module again and pass it a parameter:

# modprobe loop max_loop=128

This is all fine and good, really, except for the fact that you don't get nodes created for the loop devices in /dev automatically, so you have to do some lovely work with mknod before you can use your new devices, even though the kernel is aware of them:

# mknod -m660 /dev/loop8 b 7 8

Loop devices have a major number of 7, so make sure to change both 8's to the appropriate value for your system.  The defaults on the systems I've been working with (Debian Lenny, Debian Squeeze, and Ubuntu Precise (12.04 LTS)) are to have 8 loop devices, loop0 - loop7.

Of course making 120 new loop devices by hand isn't exactly fun... Time for bash-fu!

# for x in `seq 8 128`; do mknod -m660 /dev/loop$x b 7 $x; done;

This gives us our 128 loopback devices (assuming you had 0-7 OOTB), with the nodes created in /dev.  If you reboot, they're gone, so make sure to add the options to /etc/modules.conf or wherever your flavor decided to keep the module options.

Hypervisor without Guests (or can be rebooted):

If the machine can be rebooted, the situation is much easier.  My solution was to pass the parameter to the kernel at boot time via GRUB.

Simply set the following in /etc/default/grub (for Debian based distros):

GRUB_CMDLINE_LINUX_DEFAULT="max_loop=128 quiet"

Then rebuild your GRUB config and reboot:

# update-grub && shutdown -r now

When the machine comes back up, GRUB will have passed the max_loop option to the kernel at boot, and the kernel will have automatically created all of your loopback devices for you.

Obviously, this is a significantly simpler operation than creating the nodes in place, and if you have the option to reboot, I would say go for it.

Part I

protosho v1.0 (almost)

Admittedly, I haven't been playing with Dettu[xX] too much over the last month, but I did come back to a stagnant code project that I started in late September or early October, and did a bit of general cleanup and prep work towards being something thats fit for (very adventurous) human consumption...

It doesn't have a working installer (I'd advise leaving Makefile.PL well alone unless you know what you're doing... it's not complete), it doesn't have any documentation other than the comments in the code, but if you can get it to run, it does it's job.

So, for the moment that no-one has been waiting for, I give you protosho:

https://github.com/protoCall7/protosho

This little baby is a CLI::Framework based SHODAN interface for the commandline.  It's written 100% in Perl 5.14, it's licensed under the BSD 3-clause, and at the moment, it kind of sucks.  But I've had a ton of fun playing with the results that it cranks out, so for anyone else out there who likes to tinker with Perl, or has a need for some SHODAN on the CLI, or is just feeling techno-masochistic, grab a git clone of it, and leave me a comment here, or on the Github issues board, and I'll help you through getting it installed.

In the meantime, you should also check out SHODAN @ http://www.shodanhq.com

proto

Victory!

After switching virtual network cards in my hypervisor, I was able to get RH7.1 online.  Textutils compiled as statically linked binaries just as expected, and ran like a mo-f'ing CHAMP on the dettuxx machine.  This allowed me to download coreutils-5.0 and compile/install it.

I ran into another circular dependency with awk (which was a pre-req of upgrading Bash), and was able to cross compile the latest gawk and get it installed just fine via the RH7.1 machine.  Now I'm going to try compiling binutils, as another pre-req of bash, and see what happens... Hopefully I won't have to cross compile too much more.

FML

FML... Just... network isn't supported...

Several failed attempts...

Apparently, in order to compile textutils, you need to have textutils installed...  Naturally (to me anyway), my first thought was Busybox.  I tried to compile it, no joy (unmet dependancies), I tried the appropriate binaries for my VM, also no joy... insta-segfault.

Fine, let's get the real sort util, and copy it over, perfect!  So I spend the next 20 minutes configuring another (32bit) VM to support SSH1 on the internal network (since, of course, the version of SSH with Dettuxx is ancient), and get scp working.  Copy the binary over, and it crashes complaining about libraries. File confirmed that it was dynamically linked, with libs that weren't installed in Dettuxx, no doubt.  Fine...

export CFLAGS="-static -O2 -g"
./configure --with-prefix=/home/peter/textutils_build
make
make install

This process went along nicely, and generated a statically linked set of textutils bins (the old textutils package wasn't exactly fun to find, mind you).  I scp these binaries over, and get:  "FATAL:  Kernel too old"

As we speak, I have RH7.1 installing in a VM, running a 2.4 kernel out of the box...  Wish me luck...

Back for more...?

So, all these years later, I decided to give DettuxX another try (I mean... we have VM's now... why not), and was able to get it installed, bootable, and on the interwebs last night...  Thats when I remembered just how much of a bitch it is.  I, by some act of God, was able to get gcc compiled, but that's about as far as I got before I started running into... problems.  In order to compile most things, you need to have sort (which was a part of textutils when the distro was released... now textutils has been rolled into coreutils).  Unfortunately, there's a circular dependancy there.  Textutils requires sort to successfully configure, and sort is a part of Textutils...  Guess it's time to evaluate busy box, and the prospect of cross compiling textutils on another machine and copying it over...  Joy...