Domain: team-teso.net
Stories and comments across the archive that link to team-teso.net.
Comments · 9
-
Re:This is arranging deckchairs on the Titanic
Listen to the low-karma slashdot troll Sheepdot. Sure, he says a lot of obviously wrong things and gets called out on it, and whenever he does he refuses to justify himself and just insults the people who catch him. This is a sure sign of a truly powerful security and voting systems expert.
I mean, what does Bruce Schneier know? The world comes to slashdot trolls for its opinions, after all.
How can anyone fail to sense your hidden genius in your appreciation for half-baked security tools that have a history of failure traceable as far back as Phrack articles from 1993.
Yes, ladies and gentlemen, only on slashdot can a whiny, obnoxious, ignorant baby like Sheepdot treat experts like assholes and still get a free education in return:
--
"More recently, other implementations of LKMs for hiding processes,
files, and directories have come about that can get around the above
described methods of defeating standard root kits, as well as
cryptographic checksumming programs like "tripwire" that must trust the
operating system to present them with valid bits from disc and memory.
The Hacker's Choice (THC) from Germany has write-ups on loadable
kernel modules for Linux, FreeBSD, and Solaris, which describe this
methods of hiding out on a rooted box:
http://www.thehackerschoice.com/papers/LKM_HACKING .html
http://www.thehackerschoice.com/papers/bsdkern.htm l
http://www.thehackerschoice.com/papers/slkm-1.0.ht ml
TESO has another Linux LKM ("adore") along these same lines:
http://www.team-teso.net/releases.php
Using methods such as these, integrity checking programs like "tripwire"
and NIPC's "find_ddos" programs can be subverted, as the kernel could
not even be trusted to give correct results when searching process
tables, network structures, or file systems.
You might think that simply disabling LKM support in the kernel -- which
is still a good idea to improve security on a server whose configuration
will be stable -- is the final answer. Not exactly.
Another method of inserting code into running kernels -- even if LKM
support is not present -- is described by Silvio Cesare:
http://www.big.net.au/~silvio/runtime-kernel-kmem- patching.txt"
--
Too bad you can't run tripwire to protect your brain, Sheep. LOL. -
https steganographic, encrypted proxiesFrom http://doc.asf.ru/Tools%20&%20Utilities.htm
Corkscrew (Unix, Windows) : Tunnel SSH connections through an HTTP proxy.
Curl (Unix, Windows) : Utility who permits to easily download and upload files by using different protocols: FTP, HTTP, HTTPS, Telnet, LDAP,
... Also supports proxies, cookies, authentification, resumes, ...DesProxy (Unix, Windows) : Tunnel TCP connections through an HTTP proxy, eventually by converting SOCKS requests.
FizzBounce (Unix) : TCP redirector through HTTP proxies.
HTTPort (Windows) [Closed source]: Tunnel TCP connections through the HTTP protocol, by simulating a SOCKS server, and by eventually using an intermediate server.
HTTPTunnel (Unix, Windows) : Bidirectionnal tunnel through HTTP requests, eventually through an HTTP proxy.
LibCurl (Unix, Windows) : Library who permits to easily download and upload files by using different protocols: FTP, HTTP, HTTPS, Telnet, LDAP,
... Also supports proxies, cookies, authentification, resumes, and lots of languages: C, C++, Perl, ...MultiProxy (Windows) [Closed source]: HTTP proxies tester. MultiProxy can be used as a proxy server who use a different proxy for each request.
Numby (Unix) : Scanner for HTTP vulnerables proxies.
Proxomitron (Windows) [Closed source]: Scanner and redirector through HTTP proxies, who can also delete or modify informations contained in HTML transferred pages. For example, this permits to easily filter automatic popups, DHTML or JavaScript.
ProxyTools (Unix, Windows) : Set of Perl utilities, who permits to use, sort, test and search for HTTP proxies.
TransConnect (Unix) : Transparently tunnel TCP connections through an HTTP proxy.
Zylyx (Unix) : permits to access to files through HTTP proxy caches.
-
https steganographic, encrypted proxiesFrom http://doc.asf.ru/Tools%20&%20Utilities.htm
Corkscrew (Unix, Windows) : Tunnel SSH connections through an HTTP proxy.
Curl (Unix, Windows) : Utility who permits to easily download and upload files by using different protocols: FTP, HTTP, HTTPS, Telnet, LDAP,
... Also supports proxies, cookies, authentification, resumes, ...DesProxy (Unix, Windows) : Tunnel TCP connections through an HTTP proxy, eventually by converting SOCKS requests.
FizzBounce (Unix) : TCP redirector through HTTP proxies.
HTTPort (Windows) [Closed source]: Tunnel TCP connections through the HTTP protocol, by simulating a SOCKS server, and by eventually using an intermediate server.
HTTPTunnel (Unix, Windows) : Bidirectionnal tunnel through HTTP requests, eventually through an HTTP proxy.
LibCurl (Unix, Windows) : Library who permits to easily download and upload files by using different protocols: FTP, HTTP, HTTPS, Telnet, LDAP,
... Also supports proxies, cookies, authentification, resumes, and lots of languages: C, C++, Perl, ...MultiProxy (Windows) [Closed source]: HTTP proxies tester. MultiProxy can be used as a proxy server who use a different proxy for each request.
Numby (Unix) : Scanner for HTTP vulnerables proxies.
Proxomitron (Windows) [Closed source]: Scanner and redirector through HTTP proxies, who can also delete or modify informations contained in HTML transferred pages. For example, this permits to easily filter automatic popups, DHTML or JavaScript.
ProxyTools (Unix, Windows) : Set of Perl utilities, who permits to use, sort, test and search for HTTP proxies.
TransConnect (Unix) : Transparently tunnel TCP connections through an HTTP proxy.
Zylyx (Unix) : permits to access to files through HTTP proxy caches.
-
https steganographic, encrypted proxiesFrom http://doc.asf.ru/Tools%20&%20Utilities.htm
Corkscrew (Unix, Windows) : Tunnel SSH connections through an HTTP proxy.
Curl (Unix, Windows) : Utility who permits to easily download and upload files by using different protocols: FTP, HTTP, HTTPS, Telnet, LDAP,
... Also supports proxies, cookies, authentification, resumes, ...DesProxy (Unix, Windows) : Tunnel TCP connections through an HTTP proxy, eventually by converting SOCKS requests.
FizzBounce (Unix) : TCP redirector through HTTP proxies.
HTTPort (Windows) [Closed source]: Tunnel TCP connections through the HTTP protocol, by simulating a SOCKS server, and by eventually using an intermediate server.
HTTPTunnel (Unix, Windows) : Bidirectionnal tunnel through HTTP requests, eventually through an HTTP proxy.
LibCurl (Unix, Windows) : Library who permits to easily download and upload files by using different protocols: FTP, HTTP, HTTPS, Telnet, LDAP,
... Also supports proxies, cookies, authentification, resumes, and lots of languages: C, C++, Perl, ...MultiProxy (Windows) [Closed source]: HTTP proxies tester. MultiProxy can be used as a proxy server who use a different proxy for each request.
Numby (Unix) : Scanner for HTTP vulnerables proxies.
Proxomitron (Windows) [Closed source]: Scanner and redirector through HTTP proxies, who can also delete or modify informations contained in HTML transferred pages. For example, this permits to easily filter automatic popups, DHTML or JavaScript.
ProxyTools (Unix, Windows) : Set of Perl utilities, who permits to use, sort, test and search for HTTP proxies.
TransConnect (Unix) : Transparently tunnel TCP connections through an HTTP proxy.
Zylyx (Unix) : permits to access to files through HTTP proxy caches.
-
Re:How to prove anything?
There is a whole bunch of reverse engineering methods that can be automated and performed on binary code. Team Teso held a lecture on such analysis for the purpose of automated buffer overflow detected and code injection on 19C3 in Berlin this year.
What they demonstrated was the use of a very small disassembler library, a set of subroutines to isolate basic blocks (blocks of code that are neither source nor target of any jump) and a set of graph algorithms as well as a plotting library. Using this, they were able to generate a pretty characteristic view on code structure and control flow, not exactly identical but very similar to a flowchart diagram of the code.
Kristian -
Re:How to prove anything?
There is a whole bunch of reverse engineering methods that can be automated and performed on binary code. Team Teso held a lecture on such analysis for the purpose of automated buffer overflow detected and code injection on 19C3 in Berlin this year.
What they demonstrated was the use of a very small disassembler library, a set of subroutines to isolate basic blocks (blocks of code that are neither source nor target of any jump) and a set of graph algorithms as well as a plotting library. Using this, they were able to generate a pretty characteristic view on code structure and control flow, not exactly identical but very similar to a flowchart diagram of the code.
Kristian -
Team Teso
The Teso people held a superb lecture on reverse engineering and systematically finding security problems in binary code at this years Chaos Congress in Berlin.
They demonstrated a way to automatically analyze and segment binary code into basic blocks. A basic block is a segment of binary code that is being executed from top to bottoms, that is, it does not contain any jumps out of the block and is not the target of a jump into the code.
Team Teso then performed graph algorithms and data flow analysis algorithms on the basic block graph their primary tool produced. This is where things get interesting for debugging.
For example, the teso people were able to trace which basic blocks are being touched during code execution. You can imagine this as a graph of the program where each basic block is a block (node) and each jump is a vertice between the blocks. Upon execution, each basic block is colored as the code is being executed.
They also were able to reconstruct C program structures from binary, and they were able to reconstruct where data comes from that ends up in a certain buffer in a structure. This allowed them to check for matching buffer sizes automatically (!) and to retrace how to inject data into a program that has mismatching buffer sizes somewhere on the inside. Makes for some very easy, instantaneous exploit generation.
For more information, have a look at their slides from the lecture.
Kristian -
Team Teso
The Teso people held a superb lecture on reverse engineering and systematically finding security problems in binary code at this years Chaos Congress in Berlin.
They demonstrated a way to automatically analyze and segment binary code into basic blocks. A basic block is a segment of binary code that is being executed from top to bottoms, that is, it does not contain any jumps out of the block and is not the target of a jump into the code.
Team Teso then performed graph algorithms and data flow analysis algorithms on the basic block graph their primary tool produced. This is where things get interesting for debugging.
For example, the teso people were able to trace which basic blocks are being touched during code execution. You can imagine this as a graph of the program where each basic block is a block (node) and each jump is a vertice between the blocks. Upon execution, each basic block is colored as the code is being executed.
They also were able to reconstruct C program structures from binary, and they were able to reconstruct where data comes from that ends up in a certain buffer in a structure. This allowed them to check for matching buffer sizes automatically (!) and to retrace how to inject data into a program that has mismatching buffer sizes somewhere on the inside. Makes for some very easy, instantaneous exploit generation.
For more information, have a look at their slides from the lecture.
Kristian -
Team Teso
The Teso people held a superb lecture on reverse engineering and systematically finding security problems in binary code at this years Chaos Congress in Berlin.
They demonstrated a way to automatically analyze and segment binary code into basic blocks. A basic block is a segment of binary code that is being executed from top to bottoms, that is, it does not contain any jumps out of the block and is not the target of a jump into the code.
Team Teso then performed graph algorithms and data flow analysis algorithms on the basic block graph their primary tool produced. This is where things get interesting for debugging.
For example, the teso people were able to trace which basic blocks are being touched during code execution. You can imagine this as a graph of the program where each basic block is a block (node) and each jump is a vertice between the blocks. Upon execution, each basic block is colored as the code is being executed.
They also were able to reconstruct C program structures from binary, and they were able to reconstruct where data comes from that ends up in a certain buffer in a structure. This allowed them to check for matching buffer sizes automatically (!) and to retrace how to inject data into a program that has mismatching buffer sizes somewhere on the inside. Makes for some very easy, instantaneous exploit generation.
For more information, have a look at their slides from the lecture.
Kristian