abb's blog

Building libvirt with ESXi driver

Libvirt is a toolkit for managing virtual infrastructure. It supports the VMware ESXi hypervisor, but the package in the Ubuntu 10 repository is compiled without the necessary driver (as of the time of writing). One can find libvirt compilation instructions here, but they are neither Ubuntu-specific nor do they mention ESXi.

JNetBridge: Java Library to Send/Receive Network Packets

I am releasing jnetbridge, which will be responsible for receiving and sending network packets in Marvin 0.92 (the current version, 0.91, still uses jpcap). It is based on JNetPcap (a JNI adapter to libpcap/winpcap plus a protocol analyzer written in Java). JNetBridge is a small piece of code on top of the massive JNetPcap library.

To cut a long story short, below is a bunch of files you may want to have a look at if you are a Java developer trying to implement some sort of network bridge or router.

    Self-encrypting (FDE) Hard Disks & Linux

    Recently I have upgraded to a Dell Latitude E6510 with a 4-core / 8-thread processor, plenty of RAM, and a fast hard disk. Nevertheless, the interactive performance of Ubuntu becomes sluggish beyond any measure when a virtual machine or two start thrashing the disk.

    There seem to be known performance problems in the Linux kernel, like Bug 12309, and full disk encryption makes things even worse. It appears that the new FDE technology, self-encrypting drives, will give laptop users a chance to move the burden of encryption from the CPU to the hard drive itself.

    Tapping 802.1x Links with Marvin

    While testing fat clients and appliances for resistance against man-in-the-middle attacks, I always had to mess with iptables/ebtables/socat to divert network connections. That is enough in most cases, but sometimes the setup gets too elaborate. To make my life easier, I have decided to write a tool capable of diverting and re-injecting network connections while preserving the original network addresses, including the layer 2 ones. The tool is not complete yet, but it can already be used to tap into a wired network protected with 802.1X, so I've decided to publish it anyway.

    NAND Chip Reader/Writer Gadget

    During a recent hardware hacking test I used a very nice gadget: the NAND Reader sold by the Russian company Soft Center. The tool is intended for recovering files from damaged thumb drives, but I have repurposed it to read and write the contents of the NAND chips holding the embedded OS of the appliance under test.

    SSH Man-in-the-Middle Attack and Public-Key Authentication Method

    SSH is a protocol for secure remote login and other secure network services over insecure networks (RFC 4251). To detect man-in-the-middle attacks, SSH clients are supposed to check the host key of the server, for example by comparing it with a known good key stored in known_hosts; a client that skips that check, or a user who accepts a changed key, hands the attacker a full view of the session.
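One way to perform that host key check, as an added Python example that is not part of the original post or of any tool it describes: build an ssh-ed25519 public key blob in the wire format OpenSSH stores in known_hosts, derive the SHA256 fingerprint a client shows the user, and compare the key a server presents with the pinned entry. The key bytes, host names and the KNOWN_HOSTS text are constructed for illustration and are not real keys.

```python
"""Host key pinning check in the spirit of OpenSSH's known_hosts lookup.

Added example; not the blog author's code. The key bytes below are
constructed for illustration and are not a real key pair.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, offset: int = 0):
    """Decode one wire-format string, returning (payload, next offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Public key blob as stored in known_hosts and sent during key exchange (RFC 8709)."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Return {(host, key_type): blob} for plain-text known_hosts entries.

    Hashed entries ('|1|...') and marker lines (@cert-authority, @revoked)
    are skipped to keep the example short.
    """
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@" or line.startswith("|1|"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, key_type, b64 = fields[0], fields[1], fields[2]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            pinned[(host, key_type)] = blob
    return pinned


def verify_host_key(known_hosts: str, host: str, key_type: str, presented: bytes) -> str:
    """Compare the key a server presents with the pinned one.

    'ok' when they match, 'mismatch' when a different key is pinned (the
    signal a MITM produces), 'unknown' when nothing is pinned yet, which is
    the moment a client falls back to asking the user (trust on first use).
    """
    declared, _ = read_ssh_string(presented)
    if declared != key_type.encode("ascii"):
        return "mismatch"  # blob type disagrees with the announced algorithm
    pinned = parse_known_hosts(known_hosts).get((host, key_type))
    if pinned is None:
        return "unknown"
    # The whole blob must match, not just a fingerprint prefix the user eyeballed.
    return "ok" if pinned == presented else "mismatch"


# Constructed sample data: a fake server key and a fake attacker key.
GOOD_BLOB = make_ed25519_blob(bytes(range(32)))
MITM_BLOB = make_ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = ("server.example.com,10.0.0.5 ssh-ed25519 "
               + base64.b64encode(GOOD_BLOB).decode("ascii") + "\n")

if __name__ == "__main__":
    print("pinned  ", fingerprint(GOOD_BLOB))
    print("offered ", fingerprint(MITM_BLOB))
    print(verify_host_key(KNOWN_HOSTS, "server.example.com", "ssh-ed25519", MITM_BLOB))
```

The 'unknown' result is the interesting one for an attacker: an interception that happens before the first connection to a host never triggers a mismatch, which is why pre-distributing known good keys (or fingerprints out of band) matters more than the warning itself.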

    VMWare NATD Silent TTL Overwrite

    Bloody (excuse my French) VMware NAT daemon silently overwrites the TTL of DNS records! It sets the TTL of the 0-TTL records it proxies to 5 seconds. Normally that is not something to complain about, but it suddenly becomes a big deal if you are busy checking how different browsers respond to a DNS rebinding attack: the attack depends on the victim re-resolving the name after a near-zero TTL, so a resolver that pads the TTL hides how the browser's own DNS pinning actually behaves... Uhhrr...

    Apparently I'm not the first one to notice this; somebody else had the same experience with Fusion.

    DNS Rebinding Checklist

    Recently I have done a couple of tests which made me consider the DNS rebinding attack in detail. Given the relatively large number of "moving parts" involved in the attack, I figured it worth making a checklist which can be used to do this kind of evaluation. Below is the draft I am working on. In particular, I intend to add references and explanations/testing guidelines to the checklist. Not sure about PoC exploits.
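As an added example (not from the original post, nor part of the checklist) covering both the TTL overwrite observation above and the rebinding evaluation: a small DNS wire-format builder and parser in Python that reproduces an authoritative answer with TTL 0 next to the same answer after a proxy has padded the TTL to 5 seconds, and flags the rewrite. The name and address are constructed; the helper that queries a live resolver assumes a UDP name server on port 53 and is not called unless you invoke it.

```python
"""Detect DNS TTL rewriting by a resolver or NAT daemon during rebinding tests.

Added example; not the blog author's code. Names and addresses are constructed.
"""
import socket
import struct


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                # name ends after the 2-byte pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack_from(">H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid: int, name: str) -> bytes:
    """Standard recursive A query (flags 0x0100 = RD)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_a_response(txid: int, name: str, ip: str, ttl: int) -> bytes:
    """Response with one A record; flags 0x8580 = QR, AA, RD, RA.
    The answer name 0xC00C is a pointer back to the question name at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_answers(pkt: bytes):
    """Return [(name, ip, ttl)] for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):
        _, off = read_name(pkt, off)
        off += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return answers


def rewritten_answers(pkt: bytes, expected_ttl: int):
    """A records whose TTL differs from what the authoritative server sent."""
    return [a for a in parse_answers(pkt) if a[2] != expected_ttl]


def observed_answers(resolver_ip: str, name: str, timeout: float = 2.0):
    """Ask a live resolver (assumed to listen on UDP/53) and return its A records.
    Point this at the VM guest's resolver to see whether a TTL of 0 survives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(0x2A2A, name), (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return parse_answers(reply)


# Constructed sample packets: what the attacker's authoritative server sends for a
# rebinding test, and the same answer after a proxy has padded the TTL to 5 seconds.
AUTHORITATIVE = build_a_response(0x1234, "rebind.example.test", "203.0.113.10", ttl=0)
PROXIED = build_a_response(0x1234, "rebind.example.test", "203.0.113.10", ttl=5)

if __name__ == "__main__":
    print("authoritative:", parse_answers(AUTHORITATIVE))
    print("proxied:      ", parse_answers(PROXIED))
    print("rewritten:    ", rewritten_answers(PROXIED, expected_ttl=0))
```

Run `observed_answers` against the guest's configured resolver and against the authoritative server directly; if only the former reports a non-zero TTL, the padding is happening in the path and the browser results collected from inside the VM say nothing about the browser.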

    Build NetExpect on Ubuntu 10

    I came across a nice tool, potentially useful for pen testing: a TCP/IP-aware version of Tcl Expect. Written by Eloy Paris from Cisco Systems, it is currently distributed in source form only. I didn't have much time to play with it yet, but it looks very promising. Tomorrow I will try to use it for SIP REGISTER flooding, currently done with SIPp. (In a way, SIPp is similar to NetExpect: it can execute send/expect scenarios, but it is focused on the SIP protocol.)

    Windows Detours library for the people

    The Microsoft Detours library can be used to attach a hook to system functions invoked by Windows programs. You can write arbitrary code which gets invoked when a program tries, for example, to send something over SSL or to get the current timestamp, and handle the call as you please instead of (or in addition to) passing it on to the standard Windows libraries.

    Hopefully the notes below will be useful for fellows who, like myself, are not skilled Windows developers but occasionally get thrown into the Windows world and need to intercept a function call or two.

