Category Archives: Security

IDA Debugger: you don’t have the necessary privileges.

During a reverse engineering session, I encountered an error from IDA saying:

“The debugger could not attach to the selected process. This can perhaps indicate the process was just terminated, or that you don’t have the necessary privileges.”

I was debugging a 64-bit console application under WinDBG, and I had started IDA as Administrator, but it still complained about necessary privileges!

A quick solution I found is to run win64_remotex64 as Administrator from the \dbgsrv directory of your IDA installation and configure IDA to use a remote debugging session with localhost as the target host.

GDB init

Native GDB settings that help without third-party apps

audit keystrokes with pam

The pam_tty_audit PAM module is used to enable or disable TTY auditing. By default, the kernel does not audit input on any TTY.

this module is part of auditd and it takes 3 parameters

1 – disable: a pattern of users for whom the module is disabled; use disable=* to disable it globally

2 – enable: a pattern of users for whom auditing is enabled

3 – open_only: used to monitor forking apps

let’s assume we want to monitor keystrokes over incoming SSH connections

this is helpful because some bad users could remove their shell history or use the screen command

we will use pam_tty_audit inside the SSH PAM file /etc/pam.d/sshd

add the module to the end of the file

to view the users’ log

here is an example output

the tty report gives you the user id: for example “0 ? 18 bash” shows user id 0, which is root, and “500 ? 28 bash” shows user id 500, which is the tester account
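As an added example (not the post's own code): the sshd line the post refers to, plus a small reader that resolves the user ids in `aureport --tty` output the way the paragraph above does. The column order is the one aureport prints; the passwd excerpt and report rows are constructed.

```python
import re

# Constructed /etc/passwd excerpt (not from the post) to resolve audit uids.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
tester:x:500:500::/home/tester:/bin/bash
"""

# Constructed aureport --tty rows; the column order is the one aureport prints:
# "# date time event auid term sess comm data"
AUREPORT_SAMPLE = """1. 08/17/2015 03:30:01 1201 0 ? 18 bash "id",<ret>
2. 08/17/2015 03:31:15 1207 500 ? 28 bash "history -c",<ret>
3. 08/17/2015 03:31:40 1210 500 ? 28 bash "screen",<ret>
"""

LINE_RE = re.compile(
    r"^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<event>\d+)\s+(?P<auid>\d+)\s+"
    r"(?P<term>\S+)\s+(?P<sess>\d+)\s+(?P<comm>\S+)\s+(?P<data>.*)$"
)

def sshd_pam_line(users="*"):
    """Line to append to /etc/pam.d/sshd; enable=* audits every user's keystrokes."""
    return f"session required pam_tty_audit.so enable={users}"

def load_passwd(text):
    """Map numeric uid -> user name from passwd-format text."""
    names = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            names[int(fields[2])] = fields[0]
    return names

def parse_tty_report(text, names):
    """One dict per report row; title, separator and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["user"] = names.get(int(row["auid"]), "unknown")
            rows.append(row)
    return rows

def keystrokes_by_user(rows):
    """Group the typed data per user; a 'history -c' stays visible here."""
    out = {}
    for r in rows:
        out.setdefault(r["user"], []).append(r["data"])
    return out
```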

Protect Boot & Single user mode

as physical security is the main factor in our security perspective,

we all need to protect our Linux box from unauthorised access after we have protected the BIOS

and we all know that anyone can reset the root password by accessing single-user mode

so we have 3 ways: 1st, disable single-user mode entirely; 2nd, add a password; 3rd, encrypt the disk with LUKS

the single-user mode configuration is located in /etc/sysconfig/init

the last line of the init configuration sets the shell used for single-user mode

sushell: this shell allows access with full root privilege; we can change the shell to control single-user mode

if we set it to /sbin/nologin, single-user mode will not be activated at boot and the machine will continue booting to the default run level 😉

we can set it to sulogin to make the boot ask for the root password before it continues to give full root access

we can add another password layer to the GRUB configuration by adding password --encrypted HASH, where HASH comes from the grub-crypt command

one important thing: an attacker can manipulate the services started at boot by pressing (i) during the boot sequence

an attacker can disable any service this way; for example, I disabled iptables at boot 😀


we can protect against this disaster by disabling the hotkeys in /etc/sysconfig/init

protect the console from reboot via ctrl-alt-delete

an attacker can press Ctrl-Alt-Delete on your machine to make it reboot

to disable it we need to change the behaviour of this key combination in /etc/init/control-alt-delete.conf

by commenting out the exec line to disable the reboot
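An added audit check (not from the post) for the three settings discussed above: the single-user shell and hotkey prompt in /etc/sysconfig/init, and the exec line in /etc/init/control-alt-delete.conf. The file contents below are constructed; the settings checked are SINGLE and PROMPT, and the stock defaults assumed are sushell and PROMPT=yes.

```python
import re

# Constructed /etc/sysconfig/init contents (not from the post): stock values
# first, then the hardened values the post recommends.
INIT_WEAK = "BOOTUP=color\nPROMPT=yes\nSINGLE=/sbin/sushell\n"
INIT_HARD = "BOOTUP=color\nPROMPT=no\nSINGLE=/sbin/sulogin\n"

# Constructed /etc/init/control-alt-delete.conf with the exec line live / commented.
CAD_WEAK = 'start on control-alt-delete\nexec /sbin/shutdown -r now "Control-Alt-Delete pressed"\n'
CAD_HARD = 'start on control-alt-delete\n#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"\n'

def parse_kv(text):
    """KEY=VALUE lines, comments ignored; the last assignment wins, as in the shell."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            kv[key.strip()] = value.strip().strip('"')
    return kv

def audit_sysconfig_init(text):
    """Findings for the single-user shell and the interactive-startup prompt."""
    kv = parse_kv(text)
    findings = []
    # sushell (the stock value) drops into a root shell without asking a password
    if kv.get("SINGLE", "/sbin/sushell") not in ("/sbin/sulogin", "/sbin/nologin"):
        findings.append("SINGLE: single-user mode gives an unauthenticated root shell")
    # PROMPT=yes allows pressing (i) at boot to skip services such as iptables
    if kv.get("PROMPT", "yes").lower() != "no":
        findings.append("PROMPT: interactive startup lets boot services be skipped")
    return findings

def audit_cad_conf(text):
    """An uncommented exec line means Ctrl-Alt-Delete still reboots the console."""
    if re.search(r"^\s*exec\s+", text, re.M):
        return ["exec: Ctrl-Alt-Delete reboots the machine"]
    return []
```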

Secure/Lock accounts with PAM tally2

pam_tally2 is a PAM module that acts on the number of failed login attempts in the user interfaces: it can reset the count on success and deny access if too many attempts fail.

this module is unique because it covers not just remote connections but also the ttys and any other system login method, since it uses PAM

example from a tty:

some parameters:

  1. deny: block access after this number of failed attempts
  2. unlock_time: how long access stays blocked, in seconds
  3. even_deny_root: root is excluded by default; set this parameter to make tally2 count for root too
  4. root_unlock_time: same as unlock_time, but for root only

example PAM config:

to cover tty access we have to configure the tally2 module in /etc/pam.d/system-auth

here is our final layout for system-auth

to cover remote connections that use a password, for example sshd, we configure /etc/pam.d/password-auth with tally2

notice that we have done 2 things: one in the auth interface, which verifies the account, and a 2nd in the account interface, which reflects the permissions of the account

here is some output from /var/log/secure

as you see, tally2 kills the connection 🙂

for manual interaction with the tally2 counter there is a command called pam_tally2

to reset a user’s failure counter
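As an added example (not the post's own config or output): the auth and account lines the post places in system-auth and password-auth, and a detection pass over /var/log/secure lines that reports which users pam_tally2 has locked out. The log excerpt is constructed; the message body follows the "user NAME (UID) tally N, deny M" wording pam_tally2 logs, and the deny/unlock values are assumptions.

```python
import re
from collections import defaultdict

# Constructed /var/log/secure excerpt (not the post's own output); the message
# body follows pam_tally2's "user NAME (UID) tally N, deny M" wording.
SECURE_LOG = """Aug 17 03:32:01 box sshd[2301]: pam_tally2(sshd:auth): user tester (500) tally 2, deny 3
Aug 17 03:32:09 box sshd[2301]: pam_tally2(sshd:auth): user tester (500) tally 3, deny 3
Aug 17 03:32:15 box sshd[2301]: pam_tally2(sshd:auth): user tester (500) tally 4, deny 3
Aug 17 03:33:40 box login: pam_tally2(login:auth): user root (0) tally 1, deny 3
"""

TALLY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+\S+:\s+pam_tally2\((?P<service>\w+):auth\):\s+"
    r"user\s+(?P<user>\S+)\s+\((?P<uid>\d+)\)\s+tally\s+(?P<tally>\d+),\s+deny\s+(?P<deny>\d+)"
)

def pam_lines(deny=3, unlock_time=600, root_unlock_time=300):
    """The auth and account entries the post puts in system-auth and password-auth."""
    auth = (f"auth required pam_tally2.so deny={deny} unlock_time={unlock_time} "
            f"even_deny_root root_unlock_time={root_unlock_time}")
    return auth, "account required pam_tally2.so"

def parse_tally_events(text):
    """One dict per pam_tally2 line; unrelated log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TALLY_RE.match(line)
        if m:
            d = m.groupdict()
            d["tally"], d["deny"] = int(d["tally"]), int(d["deny"])
            events.append(d)
    return events

def attempts_per_user(events):
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    return dict(counts)

def locked_out(events):
    """Users whose latest tally reached the deny threshold -> service that locked them."""
    latest = {}
    for e in events:
        latest[e["user"]] = e
    return {u: e["service"] for u, e in latest.items() if e["tally"] >= e["deny"]}
```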

password policy with pam_cracklib

the cracklib PAM module checks a password against a dictionary list, lets you check the strength of the password, and lets you set rules to identify poor passwords

here are the most important parameters for this module

  1. minlen: minimal password length
  2. dcredit: maximum number of digits
  3. ucredit: maximum number of uppercase letters
  4. lcredit: maximum number of lowercase letters
  5. ocredit: maximum number of other (non-alphanumeric) characters
  6. maxrepeat: limit on repeated letters
  7. reject_username: check whether the username is inside the password, to avoid weak accounts like bob/bob or bob/bob123
  8. enforce_for_root: this is the most important one. Why? Because if you don’t apply it, the user will just see the warning and whatever password was entered will be accepted; with this parameter the user is forced to follow our policy 😉
  9. dicpath: point cracklib to a specific password database; I recommend the rockyou database because it contains many leaked passwords and is used by many attackers to brute-force systems, for example dicpath=/var/wordlist/rockyou.txt
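To make the credit parameters concrete, here is an added checker (not the module's own code) that applies the minlen/credit rule the way pam_cracklib documents it, plus the dictionary, reversed-dictionary, username and maxrepeat checks, returning the same reasons shown in the BAD PASSWORD output later in this post. The word list and policy values are constructed assumptions; cracklib's real dictionary check is more elaborate than an exact lookup.

```python
# Constructed slice of a leaked-password dictionary standing in for the list
# named by dicpath (e.g. /var/wordlist/rockyou.txt); not the real file.
WORDLIST = {"password", "iloveyou", "princess", "welcome", "dragon"}

# Assumed policy values; pam_cracklib's own defaults are minlen=9 and credits of 1.
POLICY = dict(minlen=14, dcredit=1, ucredit=1, lcredit=1, ocredit=1,
              maxrepeat=0, reject_username=True)

def _credit(count, setting):
    """pam_cracklib credit rule: N >= 0 grants up to N credit for the class,
    N < 0 demands at least |N| characters of the class (None when unmet)."""
    if setting < 0:
        return 0 if count >= -setting else None
    return min(count, setting)

def check_password(pw, username, policy=POLICY):
    """None if the password passes, otherwise the BAD PASSWORD reason."""
    classes = {
        "dcredit": sum(c.isdigit() for c in pw),
        "ucredit": sum(c.isupper() for c in pw),
        "lcredit": sum(c.islower() for c in pw),
        "ocredit": sum(not c.isalnum() for c in pw),
    }
    score = len(pw)  # length plus credits must reach minlen
    for key, count in classes.items():
        credit = _credit(count, policy[key])
        if credit is None:
            return "not enough characters of a required class"
        score += credit
    if score < policy["minlen"]:
        return "it is too short"
    lowered = pw.lower()
    if lowered in WORDLIST:
        return "it is based on a dictionary word"
    if lowered[::-1] in WORDLIST:
        return "it is based on a (reversed) dictionary word"
    if policy["reject_username"] and username.lower() in lowered:
        return "contains the user name in some form"
    m = policy["maxrepeat"]  # 0 disables the check, as in pam_cracklib
    if m and any(pw[i:i + m + 1] == pw[i] * (m + 1) for i in range(len(pw) - m)):
        return "contains too many same characters consecutively"
    return None
```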

time to deploy our password policy

we want to apply this to new passwords; we can also force the users to update their passwords the next time they log in via this command

this command has a high impact: it finds all users with a bash shell and forces them to update their password, even root; you can exclude root by piping the output of grep through grep -v root

example result

we will use the passwd module inside /etc/pam.d/passwd to add our new policy

here is the output of different failed password changes:

BAD PASSWORD: is too similar to the old one
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a (reversed) dictionary word
BAD PASSWORD: it is too short

Pluggable Authentication Modules

Linux comes with PAM modules that help you interact with the running services in a hardened way and customise the security of each service as you need.

PAM is an extra set of rules that control the user interface layers (auth, account, session) for applications

the applications/services must be compiled against libpam.so

here is an example for the sshd service

AIDE: Intrusion Detection Environment

this article is about intrusion detection for file system changes, such as modifications, ownership changes and so on, to critical files or directories in our environment

we use a piece of software called AIDE (Advanced Intrusion Detection Environment)

this software is based on a library called mhash, which is used to calculate file hashes; AIDE saves the file info inside a DB in base64 format, and which information is saved depends on the AIDE configuration file

example of the default info for the Linux image file

let’s decode this

removable disk could lead to privilege escalation

privilege escalation Linux with flash disk

removable media with setuid or setgid files could give privilege escalation
example: copy the nice command to your flash storage, ask your friend to print files on his system, then run the command
nice like

it will say root

the problem comes from a partition mounted without the noexec,nosuid options
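A defender-side check for the root cause above, as an added example (not from the post): it parses /proc/mounts-style lines (sample rows constructed) and reports mounts under the usual removable-media paths that lack nosuid or noexec, together with the remount commands that add them. The mount-point prefixes are an assumption.

```python
# Constructed /proc/mounts excerpt (not from the post): automounted sticks
# under /media, one of them with no nosuid/noexec at all, and a hardened one.
PROC_MOUNTS = """/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,relatime,uid=500 0 0
/dev/sdc1 /media/flash ext3 rw,relatime 0 0
/dev/sdd1 /media/safe vfat rw,nosuid,nodev,noexec,relatime 0 0
"""

# A setuid binary on a mount without nosuid runs as its owner (root); noexec
# blocks running it at all. Both are expected on anything user-pluggable.
REQUIRED = ("nosuid", "noexec")
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/")  # assumption

def parse_mounts(text):
    """Fields of each /proc/mounts line: device, mount point, fs type, option set."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            rows.append({"dev": f[0], "mnt": f[1], "fs": f[2], "opts": set(f[3].split(","))})
    return rows

def risky_mounts(text, prefixes=REMOVABLE_PREFIXES):
    """Removable mounts missing nosuid or noexec, mapped to the options they lack."""
    out = {}
    for r in parse_mounts(text):
        if not r["mnt"].startswith(prefixes):
            continue
        missing = [o for o in REQUIRED if o not in r["opts"]]
        if missing:
            out[r["mnt"]] = missing
    return out

def remount_commands(text):
    """mount -o remount lines that add the missing flags to each risky mount."""
    return [f"mount -o remount,{','.join(m)} {mnt}" for mnt, m in risky_mounts(text).items()]
```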

enjoy your automount

and

happy hacking 😉