Real (U|G)ID vs Effective (U|G)ID

Background

In *nix systems the User ID number (UID) and the Group ID number (GID) are integers used to uniquely identify users and groups.

Take a look at /etc/passwd and /etc/group files (follow the links for more details about these files):

simo@xps:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
simo:x:1000:1000:simo,,,:/home/simo:/bin/bash
debian-tor:x:121:133::/var/lib/tor:/bin/false

We can infer:

User        UID    GID (primary)
simo        1000   1000
debian-tor  121    133

Their counterparts in the group file:

simo@xps:~$ cat /etc/group
root:x:0:
[...]
simo:x:1000:
vboxusers:x:130:simo
debian-tor:x:133:

Moreover, you can see that the user “simo” also belongs to the “vboxusers” group.

Real (U|G)ID vs Effective (U|G)ID

Every running process has at least 4 ID numbers associated with it:

  • the Real UID (RUID) identifies the user who launched the process.
  • the Real GID (RGID) identifies the primary group of the user that launched the process.
  • the Effective UID (EUID) and the Effective GID (EGID) are used to determine what resources the process can access.

This information can be retrieved programmatically:

simo@xps:~/example$ cat ids.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Print the real and effective user and group IDs of this process. */
int main(void)
{
 uid_t real_uid = getuid();      /* user who launched the process */
 uid_t effect_uid = geteuid();   /* user whose permissions apply */
 gid_t real_gid = getgid();      /* primary group of that user */
 gid_t effect_gid = getegid();   /* group whose permissions apply */
 printf("ruid=%u euid=%u\n", (unsigned)real_uid, (unsigned)effect_uid);
 printf("rgid=%u egid=%u\n", (unsigned)real_gid, (unsigned)effect_gid);
 return 0;
}

Usually the various IDs have the same value when you run a program, but sometimes a system needs to run a program with temporarily elevated privileges in order to perform a specific task.

The setuid (set user id) bit is a permission bit that allows users to execute a program with the permissions of its owner.

The setgid (set group id) bit allows users to execute a program with the permissions of its group owner.

The s(u|g)id bit on an executable only changes the E(U|G)ID the executable runs as, not the R(U|G)ID.

Let's get our hands dirty with an example:

$ gcc -Wall ids.c -o example
$ sudo chown root.root example
$ ls -l
total 16
-rw-rw-r-- 1 simo simo 294 gen 17 16:21 ids.c
-rwxrwxr-x 1 root root 8816 gen 17 16:28 example
$ ./example
ruid=1000 euid=1000
rgid=1000 egid=1000
$ sudo chmod 6771 example
$ ls -l
total 16
-rw-rw-r-- 1 simo simo 294 gen 17 16:21 ids.c
-rwsrws--x 1 root root 8816 gen 17 16:29 example
$ ./example
ruid=1000 euid=0
rgid=1000 egid=0

  1. I compiled the example;
  2. I changed the owner and the group from “simo” to “root”;
  3. I ran the program and got the same IDs as before;
  4. I set the setuid and setgid bits, see the “s” in the permission string;
  5. The IDs change accordingly!

Hint: in addition to the restriction on s(u|g)id interpreted scripts (any executable text file beginning with “#!”), some shells (like bash) set the EUID back to the RUID as an extra safety measure; in that case you need to wrap the call to the script in a C program that calls setuid(…) before executing the script.
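As an added example (not the post's ids.c), here is the defensive counterpart of the same calls: a program that could be installed set-UID root does its one privileged step, then permanently drops to the real user who launched it and verifies the drop. Nothing here assumes root: run unprivileged, the IDs simply stay equal.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Print all four IDs, as the post's ids.c does, with a label. */
static void show_ids(const char *label)
{
    printf("%s: ruid=%u euid=%u rgid=%u egid=%u\n", label,
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
}

/* Permanently drop to the real IDs (the user who launched the process).
 * Order matters: change the group while still privileged, because once
 * the EUID is unprivileged, setgid() to anything but the real or saved
 * GID is refused. A privileged caller's setgid()/setuid() set the real,
 * effective and saved IDs together, so the drop cannot be undone.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    /* Verify: never trust the return values alone. */
    if (getegid() != rgid || geteuid() != ruid) return -1;
    return 0;
}

/* 1 if the process can still become root, 0 otherwise. After a correct
 * drop in a set-UID binary this must be 0 (setuid(0) fails with EPERM);
 * it is legitimately 1 only when the real user is already root. */
int root_regainable(void)
{
    return setuid(0) == 0;
}

int main(void)
{
    show_ids("start");
    /* ...the one privileged step would go here, with EUID 0... */
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    show_ids("after drop");
    printf("root regainable: %s\n", root_regainable() ? "yes" : "no");
    return 0;
}
```

Compile it like the post's example, chown it to root and set the bits; the “after drop” line shows euid back at the real UID and “root regainable: no”.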

Setup a Linux ARM 32bit virtual machine

We will use QEMU; on a Debian-based distro you can install it with:

sudo apt-get install qemu-system-arm

Download the following files from here:

  • debian_wheezy_armel_standard.qcow2
  • initrd.img-3.2.0-4-versatile
  • vmlinuz-3.2.0-4-versatile

In a nutshell, use this command:

qemu-system-arm -L Bios -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -m 256 -net nic -net user -redir tcp:2222::22

SSH is already installed, so you can reach the VM with:

ssh root@localhost -p 2222

using the password “root”.

If you need a 64-bit version, I wrote another post about it.


Install tor on Ubuntu 15.10

From the command line:

sudo gedit /etc/apt/sources.list.d/tor.list

in this file write these lines:

deb http://deb.torproject.org/torproject.org wily main
deb-src http://deb.torproject.org/torproject.org wily main

save, then run:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt-get update
sudo apt-get install tor deb.torproject.org-keyring

Now you can find a folder named “tor-browser_en-US” in your home folder that contains the Tor Browser.

It comes with Tor already configured and a browser patched for better anonymity.


Enable HDMI audio Debian-Ubuntu

You plug in the HDMI cable, the video works but you have no audio. OK, read on.

PulseAudio is a sound system for POSIX OSes, meaning that it is a proxy for your sound applications. It allows you to do advanced operations on your sound data as it passes between your application and your hardware. Things like transferring the audio to a different machine, changing the sample format or channel count and mixing several sounds into one are easily achieved using a sound server. PulseAudio is an integral part of all relevant modern Linux distributions and used in various mobile devices by multiple vendors.

List the names and index numbers of the available sinks:

pacmd list-sinks

you should see a “*” next to the index of the sink currently in use.

If you see only one sink you are in trouble: the system doesn't recognize the device. Search away!

Otherwise connect the HDMI cable, take an mp3 and try:

pacmd set-default-sink sinkIndex
pulseaudio -k
pacmd set-default-sink -D

varying the value of sinkIndex over the indices found with pacmd list-sinks, but be careful to close the program you use to play the mp3 first.

List victim’s visited websites

This is the easy and cheap way; you need a Linux distro with Ettercap and Wireshark.

From the command line type:

ettercap -T -Q -M arp:remote -i iface -w log.pcap /victimip/ /gatewayip/

What does this do?

  • -T: text-only interface (plain printf output)
  • -Q: super quiet mode
  • -M arp:remote: perform a MITM attack using ARP poisoning. “remote” is optional; you have to specify it if you want to sniff traffic to remote IP addresses by poisoning a gateway. Otherwise, if you specify a victim and the gateway as TARGETS, ettercap will sniff only the connections between the two of them.
  • -i iface: force the use of the “iface” network interface
  • -w log.pcap: write the sniffed data to the “log.pcap” file


Open Wireshark and import the .pcap file, then go to:

Statistics -> HTTP -> Load Distribution

In the box type:

http.host

Now look at “HTTP Requests by HTTP Hosts”.

This shows you all the sniffed inbound and outbound HTTP traffic.

But also take a look at Xplico.
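Added defensive counterpart, not part of the original post: ARP poisoning of this kind leaves a footprint on the LAN, because the gateway's IP starts answering from a second MAC address. The C program below (example code, run on a constructed list of observed ARP replies) implements the detection logic a monitor such as arpwatch applies: remember the first MAC seen for each IP and alert on every later reply that disagrees.

```c
#include <stdio.h>
#include <string.h>

struct arp_reply { const char *ip; const char *mac; };

/* Constructed sample: the gateway 192.168.1.1 is first seen at its real
 * MAC, then claimed by a second MAC (the poisoner), then flaps back. */
static const struct arp_reply sample[] = {
    {"192.168.1.1",  "aa:bb:cc:00:00:01"},
    {"192.168.1.10", "aa:bb:cc:00:00:0a"},
    {"192.168.1.1",  "de:ad:be:ef:00:01"},
    {"192.168.1.10", "aa:bb:cc:00:00:0a"},
    {"192.168.1.1",  "aa:bb:cc:00:00:01"},
};

#define MAX_HOSTS 64
struct binding { char ip[16]; char mac[18]; };

/* Walk the replies in order, remember the first MAC seen per IP and count
 * every reply where a known IP shows up with a different MAC.
 * Returns the number of such conflicts (0 means nothing suspicious). */
int count_arp_conflicts(const struct arp_reply *r, int n)
{
    struct binding table[MAX_HOSTS];
    int known = 0, conflicts = 0;
    for (int i = 0; i < n; i++) {
        int j;
        for (j = 0; j < known; j++)
            if (strcmp(table[j].ip, r[i].ip) == 0) break;
        if (j == known) {                       /* first time we see this IP */
            if (known == MAX_HOSTS) continue;   /* table full: skip, never overflow */
            snprintf(table[known].ip, sizeof table[known].ip, "%s", r[i].ip);
            snprintf(table[known].mac, sizeof table[known].mac, "%s", r[i].mac);
            known++;
        } else if (strcmp(table[j].mac, r[i].mac) != 0) {
            printf("ALERT: %s moved from %s to %s\n", r[i].ip, table[j].mac, r[i].mac);
            conflicts++;
            snprintf(table[j].mac, sizeof table[j].mac, "%s", r[i].mac);
        }
    }
    return conflicts;
}

int main(void)
{
    int n = (int)(sizeof sample / sizeof sample[0]);
    printf("%d conflicting ARP replies\n", count_arp_conflicts(sample, n));
    return 0;
}
```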

Nmap scan (and other tools…) through a proxy and proxy chaining

Nmap (like some other programs) does not support proxies, so you need proxychains.

If you are on a Debian-based distro, simply type

apt-get install proxychains

Then edit

/etc/proxychains.conf

and add your proxy. If you want to learn the syntax, the config file contains some more examples.

I'll try to explain it with a regex-like expression:

[http|socks4|socks5] ipaddress port username password

Be happy, Tor is configured by default!

That's not all. Obviously proxychains is used primarily for proxy chaining.
How do you configure that? Add more proxies to proxychains.conf!

Finally run your software, e.g.:

proxychains nmap -T4 -A ipaddress