Archive for category Hacking

Microsoft.com: no whois server was harmed!

Some French people are reporting, without understanding what it is all about, something almost as old as ICANN itself: when you do a whois lookup on microsoft.com (for example) you get tons of unexpected replies… Reporting without knowledge (and without digging into this at least a bit) is like asking for a geek to slap his blog in your face.
This article will be a bit blunt, but that’s for your own good (next time, try at least searching on Google before saying whois servers were hacked).

A typical whois reply will look like:

   Server Name: MICROSOFT.COM.ZZZZZZ.MORE.DETAILS.AT.WWW.BEYONDWHOIS.COM
   Server Name: MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
   Server Name: MICROSOFT.COM.ZZZZZ.DOWNLOAD.MOVIE.ONLINE.ZML2.COM
   Server Name: MICROSOFT.COM.ZZZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
   Server Name: MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.SUB7.NET
   Server Name: MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM
   Server Name: MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET

Of course it might look like the whois server was hacked; that’s what people with little knowledge of the internet would think (hint: almost everything is explained in the RFCs).


五OS Success on Panasonic CF-R6

After a few weeks of porting 五OS to 64 bits, and having finally managed to get it running on QEMU, I tried running the resulting OS image on a real piece of hardware: my Panasonic CF-R6 from GeekStuff4U.

Of course, as I don’t want to bother yet with USB drivers (that’s next in line on the TODO list, but for now we can survive without), I decided to use our blkdev/bios driver (a legacy 16-bit driver going through BIOS interrupts, using the core/x86emu 16-bit emulator).
Same for graphics mode: we don’t have an Intel driver yet, so we’ll use the display/vesa_legacy 16-bit driver (which also makes use of the core/x86emu 16-bit emulator to get the graphics adapter’s BIOS working).

At first, I found out that the new compact bootloader wasn’t working properly. This was fixed by enabling Unreal Mode (a way of tricking the CPU into keeping 32-bit limits on the ds and es segments while still running in 16-bit mode).
The next problem I encountered: when the “hard disk” (in fact the USB drive) was detected, we couldn’t display its size. I tracked this down to some weird bug in our current printf() implementation that makes a real system freeze when displaying a float (it works seamlessly on a virtual system). Removing the display of the detected disk size worked around this problem too, but it’s not a permanent fix.

Once those two points were fixed, everything else worked. I could access our marvelous “shell”, type commands (I issued “lsmod”, “cat sample.txt” and “modp misc/helloworld”) and see that it was good.

My RTL-8139 network controller was detected and the nic/rtl8139 module loaded, IPv4 was enabled, and most things were working. I believe the next step will be to test the scheduler, optimize it, and start working on the TCP stack. At the same time, a cache at the VFS level and another at the block device level should be implemented using a generic kernel cache allocator (one that automatically frees physical pages when memory is needed), process switching should make use of CR0.TS to know when we need to switch the MMX/SSE2 context, and keyboard input should be improved.
A generic HCI stack is also needed for USB, and OHCI/EHCI/UHCI should be implemented (something has been started, but it’s far from complete).

Thanks to everyone who has been providing support to the project; I hope to be able to provide more impressive news soon! :)

[Image: 五OS revision 651 on CF-R6]
[Image: Previous tests for revision 651 on CF-R6]


Port knocking, how would I do?

As I saw some articles which seem rather inexact regarding port knocking, I would like to add some of my own ideas about this.

First, port knocking is not meant to be used alone…

Even if you use your daemon’s default port (let’s say port 22 for sshd), port knocking can protect you more than you might imagine. Let’s take the following setup:

  • SSHd running on port 65122
  • Connections to port 65122 are answered with “connection refused” (via a rule with an ICMP reject target)
  • In order to “open” port 65122, connection attempts must be made to ports 22448, 44228 and 22884, in this order. Any other order blacklists the attempting IP for 1 hour
  • More than 5 attempts to connect to port 65122 within 20 minutes result in a 1 hour blacklist

Now, if you’re that smart, just try to find your way in without the “passphrase” (which is 22448-44228-22884-65122). If you make too many attempts, you’ll end up blacklisted. Let’s say you found out that port 65122 gets you banned when you connect, and have determined that you can make up to 5 attempts in 20 minutes. Let’s also say you know you have to knock exactly 3 ports to be able to connect.
You then have to test 65536^3 = 281474976710656 combinations, and can only test 5 every 20 minutes; that would require 70368744177660 minutes (133882694 years or so).

I can assume no decent system will stay up for 133882694 years without any change to its security settings. You can parallelize that with different source IPs, but it will still take too long against people who change the sequence every 3~6 months.
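As an added illustration (not code from the original post, which describes the policy in firewall terms), here is the setup above written as a per-source-IP state machine in Python: knocks must arrive in the listed order, a knock out of order or a sixth connection to 65122 inside 20 minutes triggers the 1 hour blacklist, and a completed sequence opens the port for that IP. The return values and the treatment of ports outside the policy (simply refused) are my assumptions.

```python
"""Per-source-IP state machine for the port-knocking policy described above."""
from collections import defaultdict, deque

KNOCK_SEQUENCE = (22448, 44228, 22884)   # must be hit in exactly this order
SERVICE_PORT = 65122                     # sshd, hidden behind the knock
BLACKLIST_SECONDS = 3600                 # 1 hour
ATTEMPT_LIMIT, ATTEMPT_WINDOW = 5, 1200  # 5 attempts per 20 minutes


class KnockGuard:
    def __init__(self):
        self.progress = defaultdict(int)    # ip -> knocks matched so far
        self.opened = set()                 # ips that completed the sequence
        self.banned_until = {}              # ip -> time the ban expires
        self.attempts = defaultdict(deque)  # ip -> recent hits on SERVICE_PORT

    def _ban(self, ip, now):
        """Blacklist ip for 1 hour and forget any partial progress it had."""
        self.banned_until[ip] = now + BLACKLIST_SECONDS
        self.progress.pop(ip, None)
        self.opened.discard(ip)
        self.attempts.pop(ip, None)
        return "blacklisted"

    def handle(self, ip, port, now):
        """Decide what happens to a connection attempt from ip to port at time now.
        Returns 'accept', 'refused', 'knock' or 'blacklisted'."""
        if self.banned_until.get(ip, 0) > now:
            return "blacklisted"
        if port == SERVICE_PORT:
            if ip in self.opened:
                return "accept"
            window = self.attempts[ip]
            window.append(now)
            while window and window[0] <= now - ATTEMPT_WINDOW:
                window.popleft()            # drop hits older than 20 minutes
            if len(window) > ATTEMPT_LIMIT:
                return self._ban(ip, now)   # sixth attempt within the window
            return "refused"                # the ICMP reject rule
        if port in KNOCK_SEQUENCE:
            if port != KNOCK_SEQUENCE[self.progress[ip]]:
                return self._ban(ip, now)   # any other order blacklists
            self.progress[ip] += 1
            if self.progress[ip] == len(KNOCK_SEQUENCE):
                self.opened.add(ip)
                self.progress.pop(ip)
            return "knock"
        return "refused"  # assumption: unrelated ports are just refused
```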


PHP DNS Daemon: performance

Many people seem to have taken an interest in my weird idea of writing a DNS daemon in PHP, so I decided to run some experiments. The first one was to set up ~200 domains on this DNS server (including my blog’s), the second one is to run queryperf against it and against bind9 running on the same host, with the same configuration (i.e. same domain list, no recursion, etc.).

First, the host:

  • CPU: 2x Intel Xeon E5405 (2GHz); 8 cores in total
  • RAM: 8GB (4x 2GB DDR2 @ 667MHz)
  • Hard Disk: 2x 1TB HDD (RAID 1, 3ware Inc 7xxx/8xxx-series PATA/SATA-RAID); 1TB usable in total
  • OS: Gentoo Linux 64-bit 2008.0 (multilib) with Linux kernel 2.6.27-gentoo-r2

The test itself is 1 million random queries generated by gen-data-queryperf.py, with 40% random domains.

Some words on the results

First, I’d like to say that pinetd2 is still under development: some parts are not implemented yet (the DNS server is able to act as a DNS server, that’s the important part for me), and some optimizations weren’t done yet either (for example, a query always causes the same SQL statements to be run; I could prepare those).
The fact that I’m running SQLite means the SQL server isn’t able to cache results (the db file might be modified by anyone, anytime; however, I don’t know the exact internals of SQLite), and I don’t cache anything either.

When I started writing DNSd, I didn’t especially aim for performance; features were important, and so was realtime. Many speed improvements can still be done (I’m thinking of prepared statements right now, but also caching the domain list, etc.) and would help get those numbers closer to ISC BIND.

The fact that DNSd is 1/4 the speed of BIND (2531.89 queries/sec instead of 10071.2 queries/sec; my DNS server is running at 25.14% the speed of BIND) is impressive. I guess we’ll need more tests, with different backends (MySQL is also supported, in theory) and different hosts, but I was expecting the database overhead to be bigger than that (well, SQLite is fast, but I wasn’t expecting it to be that fast).

To tell you the truth, I am surprised by those results; however, these are results on a real host, really running domains (like my blog’s), which makes me believe they are the closest I could get to DNSd’s performance on a real host.

Now, the raw test results with both BIND and PHP DNSd, running on the same host (to avoid network latency; and since I’ve got 8 cores with almost no CPU usage, as it’s morning in France, it shouldn’t make a big difference).

Other test results on other hardware are welcome. I’ll try running the same kind of tests on less powerful hardware too, just to see what I get.



Mantis BugTracker: exploited for defacement

[Image: Cat ready to attack mantis]

OpenOptimus’ website has been defaced through an exploit in Mantis BugTracker, but mostly because I totally forgot to update the thing for ages.

The site has been taken down, since our little script-kiddie thought he was so smart he could host stuff there without root noticing anything (chmod 0000 owned him).


SSL server: how to autodetect SSL/non-SSL?

For those of you who have already played with Webmin, you probably noticed that connecting without SSL to the Webmin interface (typically on port 10000) displays a message telling you how to access the SSL-secured interface… on the same port.

Ever wondered how to accept both SSL and non-SSL connections on the same port?

Basically, to display such a message, we need to know whether the client talking to us is speaking SSL or not. This is easily done by reading a few bytes from the stream, but if you do this, starting the crypto afterwards (for example with stream_socket_enable_crypto()) will fail, since OpenSSL won’t find the full client SSL handshake anymore.

PHP offers a nice solution to this with stream_socket_recvfrom(). By passing the STREAM_PEEK flag to this function, we can take a peek at the data pending in the socket without consuming it, and try to determine whether it’s SSL or not.

There, we can either try to parse an SSL packet, or instead look for data we know should be there if the stream is not encrypted.

Doing this for the HTTP protocol is easy. The protocol is text based, and the first word we get from the client will be something like “GET”, “POST” or “HEAD”. We just check whether we got any of those. If we did, we have a plain-text connection. If we didn’t, we are probably facing a real OpenSSL client, and we can try to start negotiating the link.

I wrote a little example you can download via SVN at http://ookoo.org/svn/snip/https_multi_serv/. Just run “gen_key.sh” in the ssl directory to get an SSL private key, then run the server with PHP. By default it listens on port 8000, so point your browser at localhost:8000 with or without SSL (both will work; that is the point of this server).

Feel free to use the code there; I commented it a bit so it should be somewhat helpful, and I officially release it into the public domain (or under BSD if “public domain” does not legally exist in your country).

By the way, it’s also a nice example of an async server using stream_select().

Of course it’s not possible to auto-magically determine whether the client is talking SSL when it doesn’t talk first. You could wait for one or two seconds to see if something comes (i.e. an SSL handshake), but that’s not really something that could be called good practice… So let’s just keep this for cases where the client talks first.
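The peek-then-decide logic described above, as an added example in Python rather than the author’s PHP code from the SVN repository: socket.MSG_PEEK plays the role of STREAM_PEEK, so the bytes remain in the socket for whatever does the TLS handshake afterwards. It goes slightly beyond the post by also recognising the TLS record header and an SSLv2-style ClientHello, and it handles the silent-client case with a timeout that yields "unknown". The simulate() helper and the byte strings it feeds in are constructed by me.

```python
"""Peek at a client's first bytes and tell plain HTTP from an SSL/TLS handshake."""
import socket

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data):
    """Return 'http', 'tls', 'sslv2' or 'unknown' for the first bytes on a connection."""
    if not data:
        return "unknown"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    # TLS record layer: content type 0x16 (handshake) followed by version major byte 0x03
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then msg type 1
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2"
    return "unknown"


def detect_protocol(conn, timeout=2.0):
    """Peek without consuming, so a later TLS wrap still sees the whole ClientHello.
    Returns 'unknown' if the client stays silent for `timeout` seconds."""
    conn.settimeout(timeout)
    try:
        head = conn.recv(8, socket.MSG_PEEK)
    except socket.timeout:
        return "unknown"
    finally:
        conn.settimeout(None)
    return classify_first_bytes(head)


def simulate(client_bytes, timeout=2.0):
    """Constructed in-process exchange: client writes, server peeks, then reads it all.
    Returns (detected kind, bytes the server still reads after peeking)."""
    server, client = socket.socketpair()
    try:
        client.sendall(client_bytes)
        kind = detect_protocol(server, timeout)
        remaining = server.recv(len(client_bytes))  # peeked bytes are still there
        return kind, remaining
    finally:
        server.close()
        client.close()
```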


五OS improvements

Today, at 9:00 in Paris, France, for the first time in its short history, 五OS has been started on a real piece of hardware.

This is an important step for an OS that had so far been developed using only emulators like QEMU and VirtualBox.
