Monday, June 7, 2010
My Photography (This is not a security post)
These are my photography in Tehran/Sari (with canon A1100 IS):
Sunday, August 30, 2009
Hey Honey! New issue of Hakin9 is on the stand
The latest issue (2009/5) of Hakin9 (an IT security magazine) is now on the stands. This issue looks at 21st Century Hacking Techniques about Windows Timeline Analysis,Analyzing Malware Introduction to Advanced Topics,Hacking ASLR & Stack Canaries on Modern Linux and many Hi Tech subjects in Computer Security. Get more information by clicking on the cover below (if you cannot see the cover, then go to http://www.hakin9.org/en.
Saturday, August 1, 2009
The new issue of Hakin9 is on the stands now
The latest issue (2009/4) of Hakin9 (an IT security magazine) is now on the stands (I've personally seen it at my local Borders and Barnes & Noble stores -- not MicroCenter though). The current issue looks at computer forensics. There are also articles about self-signed digital certificates and malware analysis. Get more information by clicking on the cover below (if you cannot see the cover, then go to http://www.hakin9.org/en.
Monday, April 27, 2009
Break Tor’s Anonymity
Tor is anonymous commiunication network over the internet. In this paper that written by Xinwen Fu and Zhen Ling in Black Hat DC 2009 you can read a new class of attacks, protocol-level attacks, against Tor. Different from existing attacks, these attacks can confirm anonymous communication relationships quickly and accurately by manipulating one single cell and pose a serious threat against Tor. In protocol-level attacks, a malicious entry onion router may duplicate, modify,insert, or delete cells of a TCP stream from a sender. The manipulated cells traverse middle onion routers and arrive at an exit onion router along a circuit. you can download this white paper from Here.... Enjoy.
Tuesday, September 18, 2007
Assembly,The Basic of Reversing
Indeed: the basics!! This is all far from complete but covers about everything you need to know about assembler to start on your reversing journey! Assembler is the start and the end of all programming languages. After all, all languages are translated to assembler. In most languages we deal with relatively clear syntaxes. However, it's a completely other story in assembler where we use abbreviations and numbers and where it all seems so weird …
I. Pieces, bits and bytes:
• BIT - The smallest possible piece of data. It can be either a 0 or a 1. If you put a bunch of bits together, you end up in the 'binary number system'
i.e. 00000001 = 1 00000010 = 2 00000011 = 3 etc.
• BYTE - A byte consists of 8 bits. It can have a maximal value of 255 (0-255). To make it easier to read binary numbers, we use the 'hexadecimal number system'. It's a 'base-16 system', while binary is a 'base-2 system'
• WORD - A word is just 2 bytes put together or 16 bits. A word can have a maximal value of 0FFFFh (or 65535d).
• DOUBLE WORD - A double word is 2 words together or 32 bits. Max value = 0FFFFFFFF (or 4294967295d).
• KILOBYTE - 1000 bytes? No, a kilobyte does NOT equal 1000 bytes! Actually, there are 1024 (32*32) bytes.
• MEGABYTE - Again, not just 1 million bytes, but 1024*1024 or 1,048,578 bytes.
II. Registers:
Registers are “special places” in your computer's memory where we can store data. You can see a register as a little box, wherein we can store something: a name, a number, a sentence. You can see a register as a placeholder.
On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are:
EAX: Extended Accumulator Register
EBX: Extended Base Register
ECX: Extended Counter Register
EDX: Extended Data Register
ESI: Extended Source Index
EDI: Extended Destination Index
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
EIP: Extended Instruction Pointer
Generally the size of the registers is 32bit (=4 bytes). They can hold data from 0-FFFFFFFF (unsigned). In the beginning most registers had certain main functions which the names imply, like ECX = Counter, but in these days you can - nearly - use whichever register you like for a counter or stuff (only the self defined ones, there are counter-functions which need to be used with ECX). The functions of EAX, EBX, ECX, EDX, ESI and EDI will be explained when I explain certain functions that use those registers. So, there are EBP, ESP, EIP left:
EBP: EBP has mostly to do with stack and stack frames. Nothing you really need to worry about, when you start. ;)
ESP: ESP points to the stack of a current process. The stack is the place where data can be stored for later use (for more information, see the explanation of the push/pop instructions)
EIP: EIP always points to the next instruction that is to be executed.
There's one more thing you have to know about registers: although they are all 32bits large, some parts of them (16bit or even 8bit) can not be addressed directly.
The possibilities are:
A register looks generally this way:
So, EAX is the name of the 32bit register, AX is the name of the "Low Word" (16bit) of EAX and AL/AH (8bit) are the “names” of the "Low Part" and “High Part” of AX. BTW, 4 bytes is 1 DWORD, 2 bytes is 1 WORD.
REMARK: make sure you at least read the following about registers. It’s quite practical to know it although not that important.
All this makes it possible for us to make a distinction regarding size:
• i. byte-size registers: As the name says, these registers all exactly 1 byte in size. This does not mean that the whole (32bit) register is fully loaded with data! Eventually empty spaces in a register are just filled with zeroes. These are the byte-sized registers, all 1 byte or 8 bits in size:
o AL and AH
o BL and BH
o CL and CH
o DL and DH
• ii. word-size registers: Are 1 word (= 2 bytes = 16 bits) in size. A word-sized register is constructed of 2 byte-sized registers. Again, we can divide these regarding their purpose:
1.general purpose registers:
AX (word-sized) = AH + AL -> the '+' does *not* mean: 'add them up'. AH and AL exist independently, but together they form AX. This means that if you change AH or AL (or both), AX will change too!
-> 'accumulator': used to mathematical operations, store strings,..
BX -> 'base': used in conjunction with the stack (see later)
CX -> 'counter'
DX -> 'data': mostly, here the remainder of mathematical operations is stored
DI -> 'destination index': i.e. a string will be copied to DI
SI -> 'source index': i.e. a string will be copied from SI
2.index registers:
BP -> 'base pointer': points to a specified position on the stack (see later)
SP -> 'stack pointer': points to a specified position on the stack (see later)
3. segment registers:
CS -> 'code segment': instructions an application has to execute (see later)
DS -> 'data segment': the data your application needs (see later)
ES -> 'extra segment': duh! (see later)
SS -> 'stack segment': here we'll find the stack (see later)
4.special:
IP -> 'instruction pointer': points to the next instruction. Just leave it alone ;)
• iii. Doubleword-size registers:
2 words = 4 bytes = 32 bits. EAX, EBX, ECX, EDX, EDI…
If you find an 'E' in front of a 16-bits register, it means that you are dealing with a 32-bits register. So, AX = 16-bits; EAX = the 32-bits version of EAX.
III. The flags:
Flags are single bits which indicate the status of something. The flag register on modern 32bit CPUs is 32bit large. There are 32 different flags, but don't worry. You will mostly only need 3 of them in reversing. The Z-Flag, the O-Flag and the C-Flag. For reversing you need to know these flags to understand if a jump is executed or not. This register is in fact a collection of different 1-bit flags. A flag is a sign, just like a green light means: 'ok' and a red one 'not ok'. A flag can only be '0' or '1', meaning 'not set' or 'set'.
• The Z-Flag:
The Z-Flag (zero flag) is the most useful flag for cracking. It is used in about 90% of all cases. It can be set (status: 1) or cleared (status: 0) by several opcodes when the last instruction that was performed has 0 as result. You might wonder why "CMP" (more on this later) could set the zero flag, because it compares something - how can the result of the comparison be 0? The answer on this comes later ;)
• The O-Flag:
The O-Flag (overflow flag) is used in about 4% of all cracking attempts. It is set (status: 1) when the last operation changed the highest bit of the register that gets the result of an operation. For example: EAX holds the value 7FFFFFFF. If you use an operation now, which increases EAX by 1 the O-Flag would be set, because the operation changed the highest bit of EAX (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert hexadecimal values to binary values). Another need for the O-Flag to be set, is that the value of the destination register is neither 0 before the instruction nor after it.
• The C-Flag:
The C-Flag (Carry flag) is used in about 1% of all cracking attempts. It is set, if you add a value to a register, so that it gets bigger than FFFFFFFF or if you subtract a value, so that the register value gets smaller than 0.
Best Regards,
Meghdad Shamsaei
I. Pieces, bits and bytes:
• BIT - The smallest possible piece of data. It can be either a 0 or a 1. If you put a bunch of bits together, you end up in the 'binary number system'
i.e. 00000001 = 1 00000010 = 2 00000011 = 3 etc.
• BYTE - A byte consists of 8 bits. It can have a maximal value of 255 (0-255). To make it easier to read binary numbers, we use the 'hexadecimal number system'. It's a 'base-16 system', while binary is a 'base-2 system'
• WORD - A word is just 2 bytes put together or 16 bits. A word can have a maximal value of 0FFFFh (or 65535d).
• DOUBLE WORD - A double word is 2 words together or 32 bits. Max value = 0FFFFFFFF (or 4294967295d).
• KILOBYTE - 1000 bytes? No, a kilobyte does NOT equal 1000 bytes! Actually, there are 1024 (32*32) bytes.
• MEGABYTE - Again, not just 1 million bytes, but 1024*1024 or 1,048,578 bytes.
II. Registers:
Registers are “special places” in your computer's memory where we can store data. You can see a register as a little box, wherein we can store something: a name, a number, a sentence. You can see a register as a placeholder.
On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are:
EAX: Extended Accumulator Register
EBX: Extended Base Register
ECX: Extended Counter Register
EDX: Extended Data Register
ESI: Extended Source Index
EDI: Extended Destination Index
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
EIP: Extended Instruction Pointer
Generally the size of the registers is 32bit (=4 bytes). They can hold data from 0-FFFFFFFF (unsigned). In the beginning most registers had certain main functions which the names imply, like ECX = Counter, but in these days you can - nearly - use whichever register you like for a counter or stuff (only the self defined ones, there are counter-functions which need to be used with ECX). The functions of EAX, EBX, ECX, EDX, ESI and EDI will be explained when I explain certain functions that use those registers. So, there are EBP, ESP, EIP left:
EBP: EBP has mostly to do with stack and stack frames. Nothing you really need to worry about, when you start. ;)
ESP: ESP points to the stack of a current process. The stack is the place where data can be stored for later use (for more information, see the explanation of the push/pop instructions)
EIP: EIP always points to the next instruction that is to be executed.
There's one more thing you have to know about registers: although they are all 32bits large, some parts of them (16bit or even 8bit) can not be addressed directly.
The possibilities are:
A register looks generally this way:
So, EAX is the name of the 32bit register, AX is the name of the "Low Word" (16bit) of EAX and AL/AH (8bit) are the “names” of the "Low Part" and “High Part” of AX. BTW, 4 bytes is 1 DWORD, 2 bytes is 1 WORD.
REMARK: make sure you at least read the following about registers. It’s quite practical to know it although not that important.
All this makes it possible for us to make a distinction regarding size:
• i. byte-size registers: As the name says, these registers all exactly 1 byte in size. This does not mean that the whole (32bit) register is fully loaded with data! Eventually empty spaces in a register are just filled with zeroes. These are the byte-sized registers, all 1 byte or 8 bits in size:
o AL and AH
o BL and BH
o CL and CH
o DL and DH
• ii. word-size registers: Are 1 word (= 2 bytes = 16 bits) in size. A word-sized register is constructed of 2 byte-sized registers. Again, we can divide these regarding their purpose:
1.general purpose registers:
AX (word-sized) = AH + AL -> the '+' does *not* mean: 'add them up'. AH and AL exist independently, but together they form AX. This means that if you change AH or AL (or both), AX will change too!
-> 'accumulator': used to mathematical operations, store strings,..
BX -> 'base': used in conjunction with the stack (see later)
CX -> 'counter'
DX -> 'data': mostly, here the remainder of mathematical operations is stored
DI -> 'destination index': i.e. a string will be copied to DI
SI -> 'source index': i.e. a string will be copied from SI
2.index registers:
BP -> 'base pointer': points to a specified position on the stack (see later)
SP -> 'stack pointer': points to a specified position on the stack (see later)
3. segment registers:
CS -> 'code segment': instructions an application has to execute (see later)
DS -> 'data segment': the data your application needs (see later)
ES -> 'extra segment': duh! (see later)
SS -> 'stack segment': here we'll find the stack (see later)
4.special:
IP -> 'instruction pointer': points to the next instruction. Just leave it alone ;)
• iii. Doubleword-size registers:
2 words = 4 bytes = 32 bits. EAX, EBX, ECX, EDX, EDI…
If you find an 'E' in front of a 16-bits register, it means that you are dealing with a 32-bits register. So, AX = 16-bits; EAX = the 32-bits version of EAX.
III. The flags:
Flags are single bits which indicate the status of something. The flag register on modern 32bit CPUs is 32bit large. There are 32 different flags, but don't worry. You will mostly only need 3 of them in reversing. The Z-Flag, the O-Flag and the C-Flag. For reversing you need to know these flags to understand if a jump is executed or not. This register is in fact a collection of different 1-bit flags. A flag is a sign, just like a green light means: 'ok' and a red one 'not ok'. A flag can only be '0' or '1', meaning 'not set' or 'set'.
• The Z-Flag:
The Z-Flag (zero flag) is the most useful flag for cracking. It is used in about 90% of all cases. It can be set (status: 1) or cleared (status: 0) by several opcodes when the last instruction that was performed has 0 as result. You might wonder why "CMP" (more on this later) could set the zero flag, because it compares something - how can the result of the comparison be 0? The answer on this comes later ;)
• The O-Flag:
The O-Flag (overflow flag) is used in about 4% of all cracking attempts. It is set (status: 1) when the last operation changed the highest bit of the register that gets the result of an operation. For example: EAX holds the value 7FFFFFFF. If you use an operation now, which increases EAX by 1 the O-Flag would be set, because the operation changed the highest bit of EAX (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert hexadecimal values to binary values). Another need for the O-Flag to be set, is that the value of the destination register is neither 0 before the instruction nor after it.
• The C-Flag:
The C-Flag (Carry flag) is used in about 1% of all cracking attempts. It is set, if you add a value to a register, so that it gets bigger than FFFFFFFF or if you subtract a value, so that the register value gets smaller than 0.
Best Regards,
Meghdad Shamsaei
Wednesday, September 5, 2007
IPAudit on your Server
IPAudit is a tool that will allow you to analyze all packets entering and leaving your network. It listens to a network device in promiscuous mode, just as an IDS sensor would, and provides details on hosts, ports, and protocols. It can be used to monitor bandwidth, connection pairs, detect compromises, discover botnets, and see whos scanning your network.
Installing and Configuring you IPAudit
IPAudit is a perl-based application and you can dowload it`s web base source file from here.
But first,you need to install some packege.
These package are: Libpcap Zlib,Libpng,gnuplot and perl time module.You can download this four last package from here.
After you install this package now you can install IPAudit.
Now you can make these line to Install IPAudit:
Useradd ipaudit
su ipaudit
cd /home/ipaudit
# tar zxvf ipaudit-web-1.0BETA9.tar.gz
cd ipaudit-web-1.0BETA9/compile
./configure
make
su root
make install
make install-cron
exit(Leave root and become ipaudit user again)
vi /home/ipaudit/ipaudit-web.conf
Change LOCALRANGE=127.0.0. and INTERFACE=eth1 as your favorite
Now you must add these lines to your httpd.conf file.
Now access to http://*your web server*/~ipaudit/
If your installation was successful you should now see a screen like this :
IPAudit's "Network Reports" are useful for many reasons. The thirty-minute and daily reports are exactly the same, except of course for the timeframe. By clicking on the link labeled "-last-" next to the "30min" link you will see the report for the last 30 minutes.
Have a fun
Best regards
Meghdad Shamsaei
Installing and Configuring you IPAudit
IPAudit is a perl-based application and you can dowload it`s web base source file from here.
But first,you need to install some packege.
These package are: Libpcap Zlib,Libpng,gnuplot and perl time module.You can download this four last package from here.
After you install this package now you can install IPAudit.
Now you can make these line to Install IPAudit:
Useradd ipaudit
su ipaudit
cd /home/ipaudit
# tar zxvf ipaudit-web-1.0BETA9.tar.gz
cd ipaudit-web-1.0BETA9/compile
./configure
make
su root
make install
make install-cron
exit(Leave root and become ipaudit user again)
vi /home/ipaudit/ipaudit-web.conf
Change LOCALRANGE=127.0.0. and INTERFACE=eth1 as your favorite
Now you must add these lines to your httpd.conf file.
Now access to http://*your web server*/~ipaudit/
If your installation was successful you should now see a screen like this :
IPAudit's "Network Reports" are useful for many reasons. The thirty-minute and daily reports are exactly the same, except of course for the timeframe. By clicking on the link labeled "-last-" next to the "30min" link you will see the report for the last 30 minutes.
Have a fun
Best regards
Meghdad Shamsaei
Wednesday, August 8, 2007
Install Tripwire on Fedora or Redhat AS4
Maybe once you secured your files and file systems,and now you need to ensure they stay that way.Tripwire is one of the best thing.Tripwire work on a policy-compliance model.You need to configure a policy covering all the objects you want to monitor and the changes to these objects in which you are interested.Taking this policy, Tripwire then initializes and generates a baseline database of all the file and objects covered by this policy. You next schedule a regular scan of the system, and if Tripwire detects a variation from the baseline, then it will be reported.This is in addition to the open-source version available at http://sourceforge.net/projects/tripwire/ and the commercial version available at the Tripwire site,http://www.tripwire.com. These branched versions of Tripwire tend to have subtle differences. Usually these differences are aimed at addressing the idiosyncrasies of a particular distribution; for example, the Tripwire version available for Red Hat moves and renames some commands to bring Tripwire in line with Red Hat’s conventions.Meanwhile I recommend you that first install the prerequisit of Tripwire.This requires are in follow:
In Fedora:
libstdc++.so.6(GLIBCXX_3.4)
libcrypto.so.6
libc.so.6(GLIBC_2.0)
libstdc++.so.6(CXXABI_1.3.1)
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
config(tripwire) = 2.4.1.1-1.fc5
libgcc_s.so.1(GLIBC_2.0)
libm.so.6(GLIBC_2.0)
libm.so.6
rpmlib(CompressedFileNames) <= 3.0.4-1
libstdc++.so.6
libc.so.6(GLIBC_2.1)
libgcc_s.so.1
sed
libc.so.6(GLIBC_2.1.3)
libgcc_s.so.1(GCC_3.0)
libstdc++.so.6(CXXABI_1.3)
libc.so.6
and in Redhat AS4:
libstdc++.so.6(GLIBCXX_3.4)
config(tripwire) = 2.3.1-22
libc.so.6(GLIBC_2.0)
gawk
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
libgcc_s.so.1(GLIBC_2.0)
libcrypto.so.4
grep
libm.so.6(GLIBC_2.0)
libm.so.6
tar
gzip
rpmlib(CompressedFileNames) <= 3.0.4-1
libstdc++.so.6
libc.so.6(GLIBC_2.1)
libgcc_s.so.1
sed
libc.so.6(GLIBC_2.1.3)
libgcc_s.so.1(GCC_3.0)
libstdc++.so.6(CXXABI_1.3)
libc.so.6
Now to install it use this command:
# rpm -Uvh tripwire-2.3.1-20.fdr.1.2.i386.rpm
TIP :: So, when do you install and initialize Tripwire? Well, I recommend you to install and initialize Tripwire after you have installed your operating system and applications and have applied any updates or patches but before you have connected your system to a production network. This ensures Tripwire can be configured with all the required files and binaries being monitored and reduces the risk that an attacker could penetrate your system before you enable Tripwire.
Configuring Tripwire
In this section, you will see the base Tripwire configuration, and then I will show you how to initialize and run Tripwire. As you are going to configure Tripwire using the Red Hat Fedora RPM, some of the configuration options, especially their naming conventions, may differ from other versions of Tripwire. This is especially true of the source tarball version where many configuration options differ.
After installing Tripwire, the configuration for the tool will be installed into the
/etc/tripwire directory in the form of two files: twcfg.txt and twpol.txt. The twcfg.txt file contains the default configuration for Tripwire, including the location of the Tripwire binaries and policies. The twpol.txt file contains the Tripwire policy that tells Tripwire what to monitor.
Tripwire twcfg.txt
ROOT = /usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE = /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE = /etc/tripwire/site.key
Explaining Tripwire Policy
The twpol.txt file is the input file for the Tripwire policy for your host. This file will be used to create a proprietary file called a policy file. The policy determines what files and objects Tripwire will monitor for changes. It also specifies exactly what changes to those files and objects it will monitor. The RPM you have installed comes with a default policy. This policy is designed to monitor Red Hat Fedora systems. If you are running Tripwire on a different distribution, it may have come with a sample policy of its own. Either way you will need to change the policy to reflect exactly what objects you want to monitor on your system. I recommend you at least monitor important operating system files and directories, logging files, and the configuration files and binaries of your applications. Let’s look at the twpol.txt file. The file contains two types of items. It contains the directives and the rules that identify the individual files, and it contains the objects Tripwire is monitoring.
Tripwire Rules
A Tripwire rule is defined as a file or directory name and a property mask separated by the symbols ->. Additionally, it can have some optional rule attributes.
Tripwire Rule Structure
Let’s look at each part of the Tripwire rule. The first portion of the rule is the file or object you want to monitor. This could be a single file or an entire directory. If you specify a directory,then Tripwire will monitor the properties of that directory and the entire contents of that directory.You can have only one rule per object or file. If an object has more than one rule,Tripwire will fail with an error message and not conduct any scanning.
The file or object is then separated from the property mask by a space or tab and the -> symbols, followed by another space or tab. The property mask tells Tripwire exactly what change about the file or object you want to monitor. For example, you could monitor for a change to the user who owns the file, the size of the file, or the file’s permissions. Each property is indicated by a letter prefixed with either a plus (+) sign or aminus (-) sign. For example, the following line monitors the ownership of the /etc/passwd file:
/etc/passwd -> +u;
The u is the Tripwire property for object ownership, and the plus (+) sign indicates you want to monitor this property. You can add further properties to be monitored by adding property letters to your Tripwire rule. On the next line you add the property,s, which indicates file size:
/etc/passwd -> +su;
Now Tripwire will monitor for any changes to the /etc/passwd file’s ownership and its size.
Tripwire Property Masks
Property--------Description
a------------------Access time stamp.
b------------------Number of blocks.
c------------------Inode time stamp.
d------------------ID of the device on which the inode resides.
g------------------Owning group.
i------------------Inode number.
l------------------File increases in size.
m------------------Modification time stamp.
n------------------Number of links to the object.
p------------------Permissions.
r------------------ID of the device pointed to by inode. Valid only for device type objects.
s------------------File size.
t------------------File type.
u------------------Object owner.
C------------------CRC-32 hash value.
H------------------Haval hash value.
M------------------MD5 hash value.
S------------------SHA hash value.
The minus (-) sign prefixing a property indicates that you do not want to monitor for that property. In the next line I am monitoring the /etc/passwd file for its ownership and size, but I have explicitly told Tripwire that I do not care about its last modification time stamp.
/etc/passwd -> +su-m;
In addition to the individual properties you can monitor for, you can also use property summaries. These property summaries are variables that represent particular combinations of properties. For example, Tripwire has a built-in property summary called $(Device), which contains the recommended properties for devices (or other types of files that Tripwire should not try to open). On the next line you can see the $(Device) property summary in a rule:
/dev/mapper/safe -> $(Device);
As I have described, each property summary represents different combinations of properties.The $(Device) property summary is equivalent to setting the properties in the following rule:
/dev/mapper/safe -> +pugsdr-intlbamcCMSH;
The previous line indicates that any rule that uses the $(Device) property summary will monitor files and objects for changes to their permissions, ownership, group owner, size and device, and inode ID monitored, but all other changes will be ignored.
Initializing and Running Tripwire
After you have configured Tripwire and created a suitable policy for your system, you need to set up and initialize Tripwire. Tripwire comes with a command,tripwire-setup-keyfiles, that you can use to perform this initial setup. The command is usually located in the directory /usr/sbin.
This command will create two keyfiles: the site key that signs your configuration and policy and the local key that protects your database and reports. You will be prompted to enter passphrases for both.
# /usr/sbin/tripwire-setup-keyfiles
------------------------------------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.See the Tripwire manual for more information.
------------------------------------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
The tripwire-setup-keyfiles command will also create encrypted versions of your twcfg.txt and twpol.txt files, called tw.cfg and tw.pol, respectively. These files will be signed with your new site key and are located in the /etc/tripwire directory.
Initializing the Tripwire Database
# /usr/sbin/tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/yourosname.yourdomain.com.twd
The database was successfully generated.
The --init option initializes your Tripwire database, and you will be prompted to enter your local key passphrase to continue. The tripwire binary then parses the /etc/tripwire/tw.pol file and creates a baseline state for all the objects on your system you want to monitor.
Tripwire Integrity Check
# /usr/sbin/tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
...
Wrote report file: /var/lib/tripwire/report/yourosname.yourdomain.com-20040926-172711.twr
The Tripwire integrity check will display the results of the check to the screen and save it as a Tripwire report file.
Printing Reports with twprint
# twprint --print-report --twrfile /var/lib/tripwire/report/yourosname.yourdomain.com20040926-172711.twr
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report
Report Summary:
Host name: yourosname.yourdomain.com
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/yourosname.yourdomain.com.twd
Command line used: /usr/sbin/tripwire --check
Total objects scanned: 45606
Total violations found: 1
...
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
...
Modified Objects: 1
Modified object name: /var/lib/tripwire/yourosname.yourdomain.com.twd
Property: Expected Observed
* Mode -rw-r--r-- -rwxr-xr-x
Printing Tripwire Database Entry
# twprint --print-dbfile /etc/passwd
Object name: /etc/passwd
Property: Value:
------------- -----------
Object Type Regular File
Device Number 770
Inode Number 607017
Mode -rw-r--r--
Num Links 1
UID root (0)
GID root (0)
I have displayed the database entry for the file /etc/passwd using the --print-dbfile
option. If you use twprint --print-dbfile without an individual file specified, it will output the entire contents of the Tripwire database.
If you find violations in your report, you should first check if these are normal occurrences.During normal operations some files may change, be added to, or be removed from your system. You can adjust your Tripwire policy to reflect these normal changes using the tripwire command with the -update option. This option allows you to read in a report file,indicate which violations are in fact normal operational changes, and update the Tripwire policy to prevent it being triggered by these again.
Updating Tripwire Policy
# /usr/sbin/tripwire --update \ --twrfile /var/lib/tripwire/report/yourosname.yourdomain.com20040926-172711.twr
Tripwire Database Updates
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/var/lib/tripwire/yourosname.yourdomain.com.twd"
In finally I should say that I tested all of this commands and all are OK.
Best Regards
Meghdad Shamsaei
Meghdadshamsaei@yahoo.com
In Fedora:
libstdc++.so.6(GLIBCXX_3.4)
libcrypto.so.6
libc.so.6(GLIBC_2.0)
libstdc++.so.6(CXXABI_1.3.1)
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
config(tripwire) = 2.4.1.1-1.fc5
libgcc_s.so.1(GLIBC_2.0)
libm.so.6(GLIBC_2.0)
libm.so.6
rpmlib(CompressedFileNames) <= 3.0.4-1
libstdc++.so.6
libc.so.6(GLIBC_2.1)
libgcc_s.so.1
sed
libc.so.6(GLIBC_2.1.3)
libgcc_s.so.1(GCC_3.0)
libstdc++.so.6(CXXABI_1.3)
libc.so.6
and in Redhat AS4:
libstdc++.so.6(GLIBCXX_3.4)
config(tripwire) = 2.3.1-22
libc.so.6(GLIBC_2.0)
gawk
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
libgcc_s.so.1(GLIBC_2.0)
libcrypto.so.4
grep
libm.so.6(GLIBC_2.0)
libm.so.6
tar
gzip
rpmlib(CompressedFileNames) <= 3.0.4-1
libstdc++.so.6
libc.so.6(GLIBC_2.1)
libgcc_s.so.1
sed
libc.so.6(GLIBC_2.1.3)
libgcc_s.so.1(GCC_3.0)
libstdc++.so.6(CXXABI_1.3)
libc.so.6
Now to install it use this command:
# rpm -Uvh tripwire-2.3.1-20.fdr.1.2.i386.rpm
TIP :: So, when do you install and initialize Tripwire? Well, I recommend you to install and initialize Tripwire after you have installed your operating system and applications and have applied any updates or patches but before you have connected your system to a production network. This ensures Tripwire can be configured with all the required files and binaries being monitored and reduces the risk that an attacker could penetrate your system before you enable Tripwire.
Configuring Tripwire
In this section, you will see the base Tripwire configuration, and then I will show you how to initialize and run Tripwire. As you are going to configure Tripwire using the Red Hat Fedora RPM, some of the configuration options, especially their naming conventions, may differ from other versions of Tripwire. This is especially true of the source tarball version where many configuration options differ.
After installing Tripwire, the configuration for the tool will be installed into the
/etc/tripwire directory in the form of two files: twcfg.txt and twpol.txt. The twcfg.txt file contains the default configuration for Tripwire, including the location of the Tripwire binaries and policies. The twpol.txt file contains the Tripwire policy that tells Tripwire what to monitor.
Tripwire twcfg.txt
ROOT = /usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE = /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE = /etc/tripwire/site.key
Explaining Tripwire Policy
The twpol.txt file is the input file for the Tripwire policy for your host. This file will be used to create a proprietary file called a policy file. The policy determines what files and objects Tripwire will monitor for changes. It also specifies exactly what changes to those files and objects it will monitor. The RPM you have installed comes with a default policy. This policy is designed to monitor Red Hat Fedora systems. If you are running Tripwire on a different distribution, it may have come with a sample policy of its own. Either way you will need to change the policy to reflect exactly what objects you want to monitor on your system. I recommend you at least monitor important operating system files and directories, logging files, and the configuration files and binaries of your applications. Let’s look at the twpol.txt file. The file contains two types of items. It contains the directives and the rules that identify the individual files, and it contains the objects Tripwire is monitoring.
Tripwire Rules
A Tripwire rule is defined as a file or directory name and a property mask separated by the symbols ->. Additionally, it can have some optional rule attributes.
Tripwire Rule Structure
filename -> property mask (rule attribute = value);
Let’s look at each part of the Tripwire rule. The first portion of the rule is the file or object you want to monitor. This could be a single file or an entire directory. If you specify a directory,then Tripwire will monitor the properties of that directory and the entire contents of that directory.You can have only one rule per object or file. If an object has more than one rule,Tripwire will fail with an error message and not conduct any scanning.
The file or object is then separated from the property mask by a space or tab and the -> symbols, followed by another space or tab. The property mask tells Tripwire exactly what change about the file or object you want to monitor. For example, you could monitor for a change to the user who owns the file, the size of the file, or the file’s permissions. Each property is indicated by a letter prefixed with either a plus (+) sign or aminus (-) sign. For example, the following line monitors the ownership of the /etc/passwd file:
/etc/passwd -> +u;
The u is the Tripwire property for object ownership, and the plus (+) sign indicates you want to monitor this property. You can add further properties to be monitored by adding property letters to your Tripwire rule. On the next line you add the property,s, which indicates file size:
/etc/passwd -> +su;
Now Tripwire will monitor for any changes to the /etc/passwd file’s ownership and its size.
Tripwire Property Masks
Property--------Description
a------------------Access time stamp.
b------------------Number of blocks.
c------------------Inode time stamp.
d------------------ID of the device on which the inode resides.
g------------------Owning group.
i------------------Inode number.
l------------------File increases in size.
m------------------Modification time stamp.
n------------------Number of links to the object.
p------------------Permissions.
r------------------ID of the device pointed to by inode. Valid only for device type objects.
s------------------File size.
t------------------File type.
u------------------Object owner.
C------------------CRC-32 hash value.
H------------------Haval hash value.
M------------------MD5 hash value.
S------------------SHA hash value.
The minus (-) sign prefixing a property indicates that you do not want to monitor for that property. In the next line I am monitoring the /etc/passwd file for its ownership and size, but I have explicitly told Tripwire that I do not care about its last modification time stamp.
/etc/passwd -> +su-m;
In addition to the individual properties you can monitor for, you can also use property summaries. These property summaries are variables that represent particular combinations of properties. For example, Tripwire has a built-in property summary called $(Device), which contains the recommended properties for devices (or other types of files that Tripwire should not try to open). On the next line you can see the $(Device) property summary in a rule:
/dev/mapper/safe -> $(Device);
As I have described, each property summary represents different combinations of properties.The $(Device) property summary is equivalent to setting the properties in the following rule:
/dev/mapper/safe -> +pugsdr-intlbamcCMSH;
The previous line indicates that any rule that uses the $(Device) property summary will monitor files and objects for changes to their permissions, ownership, group owner, size and device, and inode ID monitored, but all other changes will be ignored.
Initializing and Running Tripwire
After you have configured Tripwire and created a suitable policy for your system, you need to set up and initialize Tripwire. Tripwire comes with a command,tripwire-setup-keyfiles, that you can use to perform this initial setup. The command is usually located in the directory /usr/sbin.
This command will create two keyfiles: the site key that signs your configuration and policy and the local key that protects your database and reports. You will be prompted to enter passphrases for both.
# /usr/sbin/tripwire-setup-keyfiles
------------------------------------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.See the Tripwire manual for more information.
------------------------------------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
The tripwire-setup-keyfiles command will also create encrypted versions of your twcfg.txt and twpol.txt files, called tw.cfg and tw.pol, respectively. These files will be signed with your new site key and are located in the /etc/tripwire directory.
Initializing the Tripwire Database
# /usr/sbin/tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/yourosname.yourdomain.com.twd
The database was successfully generated.
The --init option initializes your Tripwire database, and you will be prompted to enter your local key passphrase to continue. The tripwire binary then parses the /etc/tripwire/tw.pol file and creates a baseline state for all the objects on your system you want to monitor.
Tripwire Integrity Check
# /usr/sbin/tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
...
Wrote report file: /var/lib/tripwire/report/yourosname.yourdomain.com-20040926-172711.twr
The Tripwire integrity check will display the results of the check to the screen and save it as a Tripwire report file.
Printing Reports with twprint
# twprint --print-report --twrfile /var/lib/tripwire/report/yourosname.yourdomain.com20040926-172711.twr
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report
Report Summary:
Host name: yourosname.yourdomain.com
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/yourosname.yourdomain.com.twd
Command line used: /usr/sbin/tripwire --check
Total objects scanned: 45606
Total violations found: 1
...
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
...
Modified Objects: 1
Modified object name: /var/lib/tripwire/yourosname.yourdomain.com.twd
Property: Expected Observed
* Mode -rw-r--r-- -rwxr-xr-x
Printing Tripwire Database Entry
# twprint --print-dbfile /etc/passwd
Object name: /etc/passwd
Property: Value:
------------- -----------
Object Type Regular File
Device Number 770
Inode Number 607017
Mode -rw-r--r--
Num Links 1
UID root (0)
GID root (0)
I have displayed the database entry for the file /etc/passwd using the --print-dbfile
option. If you use twprint --print-dbfile without an individual file specified, it will output the entire contents of the Tripwire database.
If you find violations in your report, you should first check if these are normal occurrences.During normal operations some files may change, be added to, or be removed from your system. You can adjust your Tripwire policy to reflect these normal changes using the tripwire command with the -update option. This option allows you to read in a report file,indicate which violations are in fact normal operational changes, and update the Tripwire policy to prevent it being triggered by these again.
Updating Tripwire Policy
# /usr/sbin/tripwire --update \ --twrfile /var/lib/tripwire/report/yourosname.yourdomain.com20040926-172711.twr
Tripwire Database Updates
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/var/lib/tripwire/yourosname.yourdomain.com.twd"
In finally I should say that I tested all of this commands and all are OK.
Best Regards
Meghdad Shamsaei
Meghdadshamsaei@yahoo.com
Subscribe to:
Posts (Atom)
