Category: Hacking 101

  • How SSH Nuke in Matrix Reloaded works

    In the movie Matrix Reloaded, we see Trinity use SSH Nuke to hack a compromised server. This script exploits the SSH CRC-32 vulnerability, specifically known as CVE-2001-0144, which affected older versions of the OpenSSH software. Here’s an explanation of how this vulnerability worked:

    Overview of the Vulnerability

    The SSH CRC-32 vulnerability exploited a flaw in the handling of CRC (Cyclic Redundancy Check) in the SSH protocol version 1. This vulnerability could allow an attacker to execute arbitrary code on a remote system running an affected SSH daemon (sshd).

    Technical Details

    1. CRC-32 Integrity Check:

      • The SSH protocol version 1 used a CRC-32 checksum to verify the integrity of data packets.
      • The purpose of CRC-32 was to detect accidental changes to raw data.
    2. Vulnerability in CRC-32 Compensation Attack Detector:

      • The vulnerability was found in the CRC-32 compensation attack detector function.
      • This function was supposed to prevent an attacker from tampering with the checksum to produce valid-looking but malicious packets.
    3. Exploiting the Buffer Overflow:

      • The flaw allowed for a buffer overflow in the CRC-32 compensation attack detector.
      • An attacker could craft a specially designed SSH packet with an incorrect CRC-32 checksum, which would bypass the integrity check and overflow the buffer.
      • By carefully controlling the data in the overflow, the attacker could overwrite memory and execute arbitrary code on the server.

    Steps of the Exploit

    1. Sending Malicious Packets:

      • The attacker sends a series of maliciously crafted packets to the SSH server.
      • These packets have incorrect CRC-32 checksums designed to exploit the overflow.
    2. Triggering the Overflow:

      • When the SSH server processes these packets, it incorrectly handles the CRC-32 checksums, leading to a buffer overflow.
    3. Executing Arbitrary Code:

      • The overflow allows the attacker to inject and execute arbitrary code on the SSH server.
      • This could provide the attacker with unauthorized access to the server, potentially with root privileges.

    Mitigation and Resolution

    • Patch and Update:

      • The vulnerability was addressed in later versions of OpenSSH.
      • Users were advised to upgrade to the latest version of OpenSSH to mitigate this vulnerability.
    • Switch to SSH Protocol Version 2:

      • The vulnerability only affected SSH protocol version 1.
      • Protocol version 2, which is more secure and does not have this flaw, became the recommended version to use.

    Conclusion

    The SSH CRC-32 vulnerability was a serious security flaw that could allow attackers to gain unauthorized access to systems by exploiting a buffer overflow in the SSH protocol version 1. The exploit involved crafting packets to bypass the integrity checks and trigger an overflow, leading to arbitrary code execution. This vulnerability highlights the importance of using updated and patched software versions and preferring more secure protocols, like SSH version 2.

  • See who is hosting a website

    To see who is hosting a website (e.g. netflix.com), you will need the IP address of the website and the WHOIS record for that IP address. You can obtain both from the command-line.

    Obtain the IP address for netflix.com:

    # Ping the website
    ping netflix.com
    # Alternatively, use traceroute and note the last IP address
    traceroute netflix.com

    For me, the command returned the IP address 52.209.235.141. Now, look up the WHOIS record for the IP address to see who owns it:

    # Look up the WHOIS record
    whois 52.209.235.141

    Here is the record I got from WHOIS for netflix:

    OrgName:        Amazon Technologies Inc.
    OrgId:          AT-88-Z
    Address:        410 Terry Ave N.
    City:           Seattle
    StateProv:      WA
    PostalCode:     98109
    Country:        US

    So, at the time of writing, it seems that netflix.com was hosted by Amazon.

  • How to chat between computers using netcat on Mac and Linux

    In our home we have a mix of Mac and Linux computers. My children have a Raspberry Pi in their room and I have a Mac at my desk. Today we chatted with each other through the Terminal running on both computers.

    Hi children!
    Dudududududududu
    Am I talking to a bird?
    ^v^

    (It was a very interesting conversation as you can see)

    How to chat using netcat

    You can chat between two Unix computers (e.g. Linux or Mac) only using the Terminal and netcat command (i.e. the command nc). The netcat command is slightly different on the two OS’es, but I’ll write the variation in comments.

    First, you open a terminal window on both computers:

    On a Mac, open e.g. the Terminal application

    Now, choose one computer to listen (computer #1) and the other to connect to the first (computer #2). We chose that my Mac would listen and the childrens Raspberry Pi would connect.

    Set up the listening computer

    On the first computer, start netcat listening for incoming messages on port 23456 (or whatever port you prefer). You’ll see that the command is slightly different on Mac and Linux.

    # On Mac: nc -l <PORT>
    nc -l 23456
    # On Linux: nc -l -p <PORT>
    nc -l -p 23456

    Check the IP address of the listening computer:

    ifconfig

    Look for an entry called "inet", which looks something like this:

    ...
    inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
    ...

    Shout the IP address you found into the house for all to hear!

    Hey, I’m listening on port 23456 and my IP address is 192.168.1.101 !!!

    Remember to shout the IP address you found, not the one I wrote above, since yours will probably be different… Now this computer is ready to chat!

    Set up the connecting computer

    On the second computer, use netcat to connect to the "listening" computer, using the IP address and port that the other person shouted to you.

    # Mac/Linux: nc <IP ADDR> <PORT>
    nc 192.168.1.101 23456

    Again, rememember that the IP address above is just an example. Most likely, the person shouted different numbers to you.

    Now the fun part: chat!

    Now either computer you can type messages and hit enter. The thing you typed will appear on the other computer. Remember to finish your message by hitting the enter key.

    hi, how are you? <enter>

    After you hit enter, the message will appear on the other computer, where the person might reply:

    hi, how are you?
    I am fine thank you. How are you doing? <enter>

    Experiment

    After you have exchanged a few pleasant greetings, you can start hacking. For example:

    • What happens if you receive a message while you are typing?
    • Does the output always look the same on both computers?
    • What happens if you send special characters (e.g. apple character on a Mac)?
      • You can generally type special characters by using modifier keys, such as alt/option. E.g. to type an Apple icon on a Mac (Danish keyboard) you’ll hit option + $/§.

    When you are done chatting you can exit netcat with ctrl + c. It doesn’t matter who does this first, the other side will exit as well.

  • How to discover devices on your network (Mac/Linux)

    There are several ways to check what devices are currently logged on to your network (e.g. WiFi at home).

    The first option is to use arp, which I have found works the best. There will be some cases where it does not work.

    In the following example, I’ll assume that your IP address is 192.168.1.xxx.

    Using nmap

    Scan network and try to guess OS:

    sudo nmap -sP 192.168.0.0/24 --osscan-guess

    Using arp and nmap

    First, scan your sub-network:

    # see you IP address using ifconfig, here it's assumed to be 192.168.1.0
    nmap 192.168.1.0/24

    Second, list devices in your ARP cache:

    arp -a

    If the output doesn’t look up to date, or if it’s missing an IP you believe should be there, ping the broadcast IP (typically the last result of arp -a ending with “.255”).

    # Assuming 239.255.255.250 was the last address in the output from arp -a
    ping 239.255.255.250

    Now, run arp -a again.

    ARP spoofing

    Notice that a malicious user can use arp spoofing to mix up the association between MAC addresses and IP addresses. This can be used for man-in-the-middle attacks.

    Other ways

    You could also use WireShark or even a third or fourth method, but I will not cover those here.